Certified defense to adversarial examples using CROWN and IBP. Also includes GPU implementation of CROWN verification algorithm (in PyTorch).
Home Page: https://openreview.net/pdf?id=Skxuk1rFwB
License: BSD 2-Clause "Simplified" License
您好!
我想用‘simple_verification.py’中代码计算的lp和Up实现您在CROWN那篇论文中实现的二分查找法,并尝试更改如下:
def test(input,model):
eps = 0
gap_gx = 100
eps_LB = -1
eps_UB = 1
counter = 0
is_pos = True
is_neg = True
# perform binary search
eps_gx_UB = 1000000.0
eps_gx_LB = 0.0
is_pos = True
is_neg = True
# eps = eps_gx_LB*2
# eps = args.eps
while eps_gx_UB - eps_gx_LB > 0.00001:
ptb = PerturbationLpNorm(norm=2, eps=eps)
image = BoundedTensor(input, ptb)
pred = model(image)
label = torch.argmax(pred, dim=1).cpu().numpy()
# for method in ['IBP', 'IBP+backward (CROWN-IBP)', 'backward (CROWN)']:
lb, ub = model.compute_bounds(x=(image,), method='IBP+backward')
gap_gx = torch.min(lb)
lb = lb.detach().cpu().numpy()
ub = ub.detach().cpu().numpy()
print("Bounding method:", method)
for i in range(N):
print("Image {} top-1 prediction {} ground-truth {}".format(i, label[i], true_label[i]))
for j in range(n_classes):
indicator = '(ground-truth)' if j == true_label[i] else ''
print("f_{j}(x_0): {l:8.3f} <= f_{j}(x_0+delta) <= {u:8.3f} {ind}".format(
j=j, l=lb[i][j], u=ub[i][j], ind=indicator))
print()
if gap_gx > 0:
if gap_gx < 0.01:
eps_gx_LB = eps
return eps
break
if is_pos: # so far always > 0, haven't found eps_UB
eps_gx_LB = eps
eps *= 10
else:
eps_gx_LB = eps
eps = (eps_gx_LB + eps_gx_UB) / 2
is_neg = False
else:
if is_neg: # so far always < 0, haven't found eps_LB
eps_gx_UB = eps
eps /= 10
else:
eps_gx_UB = eps
eps = (eps_gx_LB + eps_gx_UB) / 2
is_pos = False
counter += 1
if counter >= 500:
return eps
break
print("[L2][binary search] step = {}, eps = {:.5f}, gap_gx = {:.2f}".format(counter, eps, gap_gx))
但是得到的并不是想要的结果,请问是哪里出了问题吗?
Hi,
When I run the CROWN verified error with let's say \epsilon = 0.3, what's the exact meaning of the terms in the output like Loss, CE loss etc.? I'd like to estimate or desume a lower bound with just CROWN on some architectures+data, is it possible with this code?
p.s. the architecture has not been trained with CROWN-IBP, it is just naturally trained (or at least with adversarial robustness).
Written in other words, given an epsilon radius, I'd like to know if that n-ball is safe using just CROWN.. is it possible to do that with your code and with a naturally trained architecture that I've built by myself?
Thank you,
Best.
Hi,
Thanks so much for sharing the pytorch version CROWN-IBP code. I am really excited about the excellent result (7.02 certified accuracy) on MNIST dataset. However, after a simple try, I have some difficulty in reproducing the results. I wonder if there's something wrong in my experimental setup.
I try this command:
python train.py --config config/mnist_dm-large_0.4.json
to use CROWN-IBP, the largest model, and test eps=0.3. However, after 200 epochs, the final outputs are the following:
Epoch 199, learning rate [5e-06], epsilon 0.4 - 0.4
[199: 0]: eps 0.400000 Time 0.102 (0.102) Total Loss 0.2169 (0.2169) L1 Loss 0.0000 (0.0000) CE 0.0364 (0.0364) RCE 0.3975 (0.3975) Err 0.0156 (0.0156) Rob Err 0.1055 (0.1055) Uns 2312.7 (2312.7) Dead 161882.3 (161882.3) Alive 11857.7 (11857.7) Tightness 2312.68750 (2312.68750) Bias 0.00000 (0.00000) Diff 0.00000 (0.00000) R 156.462 beta 0.000 (0.000) kappa 0.500 (0.500)
[199: 50]: eps 0.400000 Time 0.068 (0.070) Total Loss 0.1610 (0.1710) L1 Loss 0.0000 (0.0000) CE 0.0423 (0.0300) RCE 0.2797 (0.3121) Err 0.0117 (0.0093) Rob Err 0.0938 (0.0950) Uns 2163.9 (2286.2) Dead 161821.3 (161883.4) Alive 11882.7 (11852.9) Tightness 2163.91016 (2286.21722) Bias 0.00000 (0.00000) Diff 0.00000 (0.00000) R 159.006 beta 0.000 (0.000) kappa 0.500 (0.500)
[199: 100]: eps 0.400000 Time 0.072 (0.070) Total Loss 0.2200 (0.1738) L1 Loss 0.0000 (0.0000) CE 0.0582 (0.0307) RCE 0.3819 (0.3168) Err 0.0195 (0.0094) Rob Err 0.0938 (0.0956) Uns 2254.2 (2246.9) Dead 161849.0 (161882.8) Alive 11846.2 (11853.7) Tightness 2254.18359 (2246.88065) Bias 0.00000 (0.00000) Diff 0.00000 (0.00000) R 132.638 beta 0.000 (0.000) kappa 0.500 (0.500)
[199: 150]: eps 0.400000 Time 0.068 (0.070) Total Loss 0.2239 (0.1716) L1 Loss 0.0000 (0.0000) CE 0.0388 (0.0307) RCE 0.4090 (0.3126) Err 0.0156 (0.0091) Rob Err 0.1172 (0.0940) Uns 2321.2 (2255.6) Dead 161854.6 (161883.1) Alive 11836.2 (11853.0) Tightness 2321.19141 (2255.60943) Bias 0.00000 (0.00000) Diff 0.00000 (0.00000) R 143.678 beta 0.000 (0.000) kappa 0.500 (0.500)
[199: 200]: eps 0.400000 Time 0.072 (0.070) Total Loss 0.1639 (0.1730) L1 Loss 0.0000 (0.0000) CE 0.0449 (0.0311) RCE 0.2828 (0.3148) Err 0.0117 (0.0094) Rob Err 0.0977 (0.0947) Uns 2268.5 (2267.8) Dead 161935.2 (161882.4) Alive 11859.1 (11854.1) Tightness 2268.51562 (2267.80655) Bias 0.00000 (0.00000) Diff 0.00000 (0.00000) R 141.274 beta 0.000 (0.000) kappa 0.500 (0.500)
[FINAL RESULT epoch:199 eps:0.4000]: Time 0.067 (0.071) Total Loss 0.1554 (0.1728) L1 Loss 0.0000 (0.0000) CE 0.0183 (0.0307) RCE 0.2925 (0.3149) Uns 2321.958 (2266.811) Dead 161800.2 (161883.5) Alive 11835.8 (11854.5) Tight 2321.95833 (2266.81117) Bias 0.00000 (0.00000) Diff 0.00000 (0.00000) Err 0.0000 (0.0092) Rob Err 0.1354 (0.0945) R 134.250 beta 0.000 (0.000) kappa 0.500 (0.500)
layer 0 norm 1.8666208982467651
layer 2 norm 16.517566680908203
layer 4 norm 40.252685546875
layer 6 norm 159.90121459960938
layer 8 norm 115.69601440429688
layer 11 norm 655.5496826171875
layer 13 norm 56.66131591796875
Epoch time: 17.0459, Total time: 4751.4625
Evaluating...
[FINAL RESULT epoch:199 eps:0.4000]: Time 0.041 (0.040) Total Loss 0.1400 (0.4073) L1 Loss 0.0000 (0.0000) CE 0.0065 (0.0641) RCE 0.2734 (0.7504) Uns 2016.938 (2200.269) Dead 161932.7 (161853.5) Alive 12006.9 (11892.8) Tight 2016.93750 (2200.26890) Bias 0.00000 (0.00000) Diff 0.00000 (0.00000) Err 0.0000 (0.0177) Rob Err 0.0625 (0.1319) R 83.985 beta 0.000 (0.000) kappa 0.500 (0.500)
layer 0 norm 1.8666208982467651
layer 2 norm 16.517566680908203
layer 4 norm 40.252685546875
layer 6 norm 159.90121459960938
layer 8 norm 115.69601440429688
layer 11 norm 655.5496826171875
layer 13 norm 56.66131591796875
saving to ./mnist_dm-large_0.4/IBP_large.pth
Total Time: 4751.4625
Model IBP_large best err 0.1313, clean err 0.0178
It seems that the robust error is large. Could you please advise me on how to correctly reproduce your results? Thank you very much!
Hi,
I try to use attack.py to test the PGD error of the SOTA models on MNIST, by running
python3 attack.py --config config/mnist_dm-large_0.4.json
The epsilon_eval=0.3. I got the result
eps = 0.1
on IBP_large
[TOTAL] clean err: 0.0165 | PGD err: 0.0207
eps = 0.2
on IBP_large
[TOTAL] clean err: 0.0165 | PGD err: 0.0245
eps = 0.30000000000000004
on IBP_large
[TOTAL] clean err: 0.0165 | PGD err: 0.0272
eps = 0.4
on IBP_large
[TOTAL] clean err: 0.0165 | PGD err: 0.0335
The PGD error is much smaller than that reported on paper, which is about 0.0605. (There must be something wrong in my testing method).
I'm very confused about it. Could you please tell me how to test the PGD error correctly? Thank you.
Hi! Thank you for the reply to the question about the 'CROWN' repository!
I want to calculate the minimum r as the same as the 'CROWN', and I tried the code as follows:
def test(input,model):
eps = 0
gap_gx = 100
eps_LB = -1
eps_UB = 1
counter = 0
is_pos = True
is_neg = True
eps_gx_UB = 1000000.0
eps_gx_LB = 0.0
is_pos = True
is_neg = True
while eps_gx_UB - eps_gx_LB > 0.00001:
ptb = PerturbationLpNorm(norm=2, eps=eps)
image = BoundedTensor(input, ptb)
pred = model(image)
label = torch.argmax(pred, dim=1).cpu().numpy()
# for method in ['IBP', 'IBP+backward (CROWN-IBP)', 'backward (CROWN)']:
lb, ub = model.compute_bounds(x=(image,), method='IBP+backward')
gap_gx = torch.min(lb)
lb = lb.detach().cpu().numpy()
ub = ub.detach().cpu().numpy()
print("Bounding method:", method)
for i in range(N):
print("Image {} top-1 prediction {} ground-truth {}".format(i, label[i], true_label[i]))
for j in range(n_classes):
indicator = '(ground-truth)' if j == true_label[i] else ''
print("f_{j}(x_0): {l:8.3f} <= f_{j}(x_0+delta) <= {u:8.3f} {ind}".format(
j=j, l=lb[i][j], u=ub[i][j], ind=indicator))
print()
if gap_gx > 0:
if gap_gx < 0.01:
eps_gx_LB = eps
return eps
break
if is_pos: # so far always > 0, haven't found eps_UB
eps_gx_LB = eps
eps *= 10
else:
eps_gx_LB = eps
eps = (eps_gx_LB + eps_gx_UB) / 2
is_neg = False
else:
if is_neg: # so far always < 0, haven't found eps_LB
eps_gx_UB = eps
eps /= 10
else:
eps_gx_UB = eps
eps = (eps_gx_LB + eps_gx_UB) / 2
is_pos = False
counter += 1
if counter >= 500:
return eps
break
print("[L2][binary search] step = {}, eps = {:.5f}, gap_gx = {:.2f}".format(counter, eps, gap_gx))
But the result is failed and the lp cannot change with the eps. I'm confused about it. Thank you!
Hi,
Could you also provide hyperparameters for training IBP models (MNIST, CIFAR) to get the same numbers as in the paper? Or pretrained models?
I would like to reproduce those numbers using the PyTorch implementation.
Thanks!
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.