Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

JSMA never success on CIFAR10 #31

Open
amosy3 opened this issue Jul 12, 2019 · 4 comments
Open

JSMA never success on CIFAR10 #31

amosy3 opened this issue Jul 12, 2019 · 4 comments

Comments

@amosy3
Copy link

amosy3 commented Jul 12, 2019

First of all, I would like to thank you for this incredible work!
I try the following code, to attack CIFAR10 with JSMA. The attack fails all the time (the code works with other attacks).

import os
import pickle
import torch
import torchvision
import torchvision.transforms as transforms
import numpy as np
import torch.nn as nn
import torch.nn.functional as F
import torch.optim as optim
from tqdm import tqdm
from advertorch.utils import predict_from_logits
from advertorch_examples.utils import _imshow
from advertorch.attacks import PGDAttack, FGSM, JSMA

def get_test_loader():
transform = transforms.Compose([transforms.ToTensor()])
testset = torchvision.datasets.CIFAR10(root='./data', train=False, download=True, transform=transform)
testloader = torch.utils.data.DataLoader(testset, batch_size=10, shuffle=False, num_workers=20)
return testloader

def get_pretrain_model():
with open('../models/resnetxt_acc_87.pkl', 'rb') as f:
net = pickle.load(f)
return net.module #net is a DataParallel object

testloader = get_test_loader()
net = get_pretrain_model()
adversary = JSMA(net, num_classes=10)

data = next(iter(testloader))
images, labels = data
cln_data, true_label = images.to('cuda'), labels.to('cuda')

adv_untargeted = adversary.perturb(cln_data, true_label)
preds = net(adv_untargeted)
estimate_prob, estimate_class = torch.max(preds .data, 1)

wrong = true_label!=estimate_class
print(wrong)

#output: tensor([0, 0, 0, 0, 0, 0, 0, 0, 0, 0], device='cuda:0', dtype=torch.uint8)
@gwding
Copy link
Collaborator

gwding commented Jul 12, 2019

As the original JSMA paper does not contain experiments on CIFAR10, I'm actually not very sure about what performance should be achieved on CIFAR10. Are you trying to replicate any reported results, say from a paper?
One possibility I can think of is that JSMA on CIFAR10 might require different hyperparameters.

@tracyjin could you also comment on this?

@amosy3
Copy link
Author

amosy3 commented Jul 13, 2019

Thank you for your quick response!
I'm not trying to reproduce a result from an article. I checked mainly out of curiosity and was surprised by the result. I tried to change the hyperparameters, but I could not make it work.

@joellliu
Copy link

joellliu commented Nov 8, 2020

I am trying JSMA on CIFAR10. I guess the issue is due to JSMA is a targeted attack, so when you input true_label in adv_untargeted = adversary.perturb(cln_data, true_label), the attacker will target the adv images to the groundtruth label such that the accuracy on adv images is always (almost) 100%.

@SoEzreal
Copy link

I am trying JSMA on CIFAR10. I guess the issue is due to JSMA is a targeted attack, so when you input true_label in adv_untargeted = adversary.perturb(cln_data, true_label), the attacker will target the adv images to the groundtruth label such that the accuracy on adv images is always (almost) 100%.

I found a similar problem in the experimental comparison.I feel that even in non-targeted attacks, the second parameter of the sentence adv_untargeted = adversary.perturb (cln_data, true_label) should not be ‘true label’ but should be the result given by the target model. Do you think so?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@gwding @SoEzreal @amosy3 @joellliu