Problem with Defenses (PyTorch)

[fukashi-hatake]

Describe the bug
Hello, I have an issue with the defenses of ART. After applying defense techniques like Spatial Smoothing, Feature Squeezing, the classifier still misclassified the adversarial input. For attack, I am using PGD (max_iter=20, eps_step=1, eps=0.01) which is not so strong. After applying Spatial Smoothing (window_size=3), the classifier could not predict the adversarial input correctly. Instead, Spatial Smoothing decreased the benign accuracy.

To Reproduce
Steps to reproduce the behavior:

1. Take and pre-trained model from PyTorch models (in my case ResNet50) and create ART classifier

model_resnet50 = models.resnet50(pretrained=True)  
criterion = nn.CrossEntropyLoss() 

classifier = PyTorchClassifier(
    model=model_resnet50,
    loss=criterion,
    input_shape=(3, 224, 224),
    nb_classes=1000,
    device_type='gpu'
)

2. Get any input image (I got a giant panda example image):

input_image = Image.open(DATA_DIR + '/388/3.jpeg')

input_tensor = preprocess(input_image)
input_batch = input_tensor.unsqueeze(0).numpy().astype(np.float32)

3. Generate adversarial example:

pgd_attack = ProjectedGradientDescent(classifier, max_iter=20, eps_step=1, eps=0.01)
x_test_adv = pgd_attack.generate(x=input_batch) 
predictions = classifier.predict(x_test_adv) 

4. Apply defense:

ss = SpatialSmoothing(window_size=3)  
x_art_def, _ = ss(input_batch) ## for benign image
x_art_adv_def, _ = ss(x_test_adv)  ## for adversarial image 

5. Get predictions for both benign and adversarial input:

pred_def = classifier.predict(x_art_def)
label_def = np.argmax(pred_def, axis=1)[0]
confidence_def = pred_def[:, label_def][0]

pred_adv_def = classifier.predict(x_art_adv_def)
label_adv_def = np.argmax(pred_adv_def, axis=1)[0]
confidence_adv_def = pred_adv_def[:, label_adv_def][0]

6. You can see that the model still predicts the adversarial image incorrectly and also benign image prediction accuracy decreased:

Expected behavior
I used those defense techniques with Keras and they worked perfectly. But when I am using them in PyTorch, they have problems. I also tried Spatial Smoothing with higher window sizes but it affects the quality of the image badly and after window_size=5, it starts that even the model cannot classify the benign input correctly. I used the same techniques with the same parameters in Keras but they worked perfectly but in PyTorch, I think there's an issue.

Screenshots

System information (please complete the following information):

• OS: Ubuntu
• Python version: 3.7.7
• ART version: 1.8
• PyTorch

Thank you very much for your support. I really appreciate your contributions.

[beat-buesser]

Hi @fukashi-hatake Thank you very much for using ART! After a first look at your code I have a few questions:

• Did you notice that the step size of your PGD (eps_step=1) is 100x larger than maximum perturbation (eps=0.01)?
• You are preprocessing the images (input_tensor = preprocess(input_image)) before providing them to ART. This is possible, but less convenient and error-prone. In this case the default clip values of PyTorchClassifier used above (clip_values=(0, 1)) are not correct anymore, because input_tensor is not in range [0, 1] but a different range, and clip_values needs to be updated accordingly. This means that PyTorchClassifier currently clips the negative values in your images to zero. Furthermore the input-range dependent attack parameters (eps, eps_step) need to be scaled to this new input range too because their default values are also set for range [0, 1]. I would recommend to keep input_tensor in range [0, 1] (don't run function preprocess) and provide mean and std used for preprocessing to PyTorchClassifier in its argument preprocessing=(np.array([0.485, 0.456, 0.406]), np.array([0.229, 0.224, 0.225])).