EOT attack can break through this method

[problem-marker]

I reproduced this code and it has a robust accuracy of 60% on PGD20 and only 42% on EOT-PGD20, which is much lower than baseline

[2480667859]

Hello, may I ask how you achieved a PGD-20 accuracy of 60% in the evaluation, while my PGD-20 accuracy was only 38%

[UniSerj]

Hi, please check the readme for the training and evaluation setting. The pretrained models are also available on the Google Drive provided in the readme. All the results can be reproduced via the provided evaluation code and pretrained models.

For the evaluation, we follow the protocol in Double-win Quant (ICML 2021). The contribution of RPF mainly lies in a better trade-off between clean and robust accuracy due to distance preservation. It is possible that this method performs worse under stronger EOT attacks because the adversarial training strategy used in this method is a black-box one, which reduces the adversarial transferability among different paths instead of improving the adversarial robustness directly. One potential solution is to enhance the adversarial training by involving EOT-PGD.

[2480667859]

I downloaded the pretrained models in Google Drive and used the evaluation code, but the obtained robust accuracy of pgd and fgsm is 40%, which is much lower than 69.48% and 66.49% in the paper.

[problem-marker]

I just followed the readme and run the code. The following code is the key to implementing RPF for evaluation
if args.rp:
# random select a path to attack
model.module.random_rp_matrix()

    X_adv = atk(X, y)  # advtorch

    if args.rp:
        # random select a path to infer
        model.module.random_rp_matrix() 

[problem-marker]

Thank you very much for your reply. I believe that trying to use EOT attacks for adversarial training in random methods is a good idea, but this still does not guarantee that the model's robustness has genuinely improved. Perhaps this is a common issue with experience-based robustness verification methods.

[2480667859]

I just followed the readme and run the code. The following code is the key to implementing RPF for evaluation if args.rp: # random select a path to attack model.module.random_rp_matrix()

    X_adv = atk(X, y)  # advtorch

    if args.rp:
        # random select a path to infer
        model.module.random_rp_matrix() 

I set args.rp to True when I ran the evaluation code, but I still got the wrong robust accuracy. What does the code look like when reading the pre-trained model? The source code looks like this:
pretrained_model = torch.load(args.pretrain)
model.load_state_dict(pretrained_model, strict=False)
model.eval()
I think there may be some problems with it, can you share what your code is written here

[UniSerj]

Hi, @2480667859. If you have not modified the source code and followed the evaluation code in the readme:

python evaluate.py --dataset cifar10 --network ResNet18 --rp --rp_out_channel 48 --rp_block -1 -1 --save_dir eval_r18_c10 --pretrain [path_to_model]

the results in the paper can be reproduced. Would you please share the evaluation log so that I can help?

For the source code you mentioned

pretrained_model = torch.load(args.pretrain)
model.load_state_dict(pretrained_model, strict=False)
model.eval()

It loads all the weights from the pretrained model. The reason why strict=False is that a dataset normalization layer is added during evaluation, which replaces the transforms.Normalize() for a convenient evaluation using Torchattack.

[2480667859]

Thank you for your help. According to the method you just mentioned, we experimented again with the pretrained model you provided, and obtained similar results to those in the paper.
In addition, I tried to test the AT method in the literature Overfitting in ad-versarially robust deep learning (the results in the first row of the table in the picture), but the results obtained were quite different from those in the paper. Is the parameter setting of this method the same as that provided by you in the training strategy in Section 4.1 Experiment setting? If not, could you please share your parameter setting? Thank you very much!

[UniSerj]

Yes, the training recipe follows the one in Overfitting in adversarially robust deep learning. The detailed setting is provided in Section 4.1. It uses PGD-10 for 200 epochs with a multistep lr schedule. To reproduce the result of this baseline, you can try applying the AT framework provided in train.py with vanilla resnet.py.

[2480667859]

I tried the above, using the evaluation code, and made the following modifications：
parser.add_argument('--rp', action='store_true', help='if random projection') parser.add_argument('--rp_block', default=None, type=int, nargs='*', help='block schedule of rp') parser.add_argument('--rp_out_channel', default=0, type=int, help='number of rp output channels')
But the output is not good

[UniSerj]

It seems like it did not load the pretrained weights correctly since the clean accuracy is around 10%. Please note that you need to retrain the vanilla resnet.py with the AT algorithm in Overfitting in adversarially robust deep learning. Then you can replace the model in the evaluate.py to perform the evaluation. One potential issue here is that Torchattack assumes that the input image is not normalized. Thus, we add a dataset normalization layer to the resnet. Please check here.