Adversarial-Information-Bottleneck - Distilling Robust and Non-Robust Features in Adversarial Examples by Information Bottleneck (NeurIPS21)

Overview

NeurIPS 2021

License: MIT

Title: Distilling Robust and Non-Robust Features in Adversarial Examples by Information Bottleneck (paper)

Authors: Junho Kim*, Byung-Kwan Lee*, and Yong Man Ro (*: equally contributed)

Affiliation: School of Electric Engineering, Korea Advanced Institute of Science and Technology (KAIST)

Email: [email protected], [email protected], [email protected]


This is official PyTorch Implementation code for the paper of "Distilling Robust and Non-Robust Features in Adversarial Examples by Information Bottleneck" published in NeurIPS 21. It provides novel method of decomposing robust and non-robust features in intermediate layer. Further, we understand the semantic information of distilled features, by directly visualizing robust and non-robust features in the feature representation space. Consequently, we reveal that both of the robust and non-robust features indeed have semantic information in terms of human-perception by themselves. For more detail, you can refer to our paper!

Alt text

Citation

If you find this work helpful, please cite it as:

@inproceedings{
kim2021distilling,
title={Distilling Robust and Non-Robust Features in Adversarial Examples by Information Bottleneck},
author={Junho Kim and Byung-Kwan Lee and Yong Man Ro},
booktitle={Advances in Neural Information Processing Systems},
editor={A. Beygelzimer and Y. Dauphin and P. Liang and J. Wortman Vaughan},
year={2021},
url={https://openreview.net/forum?id=90M-91IZ0JC}
}

Datasets


Baseline Models


Adversarial Attacks (by torchattacks)

  • Fast Gradient Sign Method (FGSM)
  • Basic Iterative Method (BIM)
  • Projected Gradient Descent (PGD)
  • Carlini & Wagner (CW)
  • AutoAttack (AA)
  • Fast Adaptive Boundary (FAB)

This implementation details are described in loader/loader.py.

    # Gradient Clamping based Attack
    if args.attack == "fgsm":
        return torchattacks.FGSM(model=net, eps=args.eps)

    elif args.attack == "bim":
        return torchattacks.BIM(model=net, eps=args.eps, alpha=1/255)

    elif args.attack == "pgd":
        return torchattacks.PGD(model=net, eps=args.eps,
                                alpha=args.eps/args.steps*2.3, steps=args.steps, random_start=True)

    elif args.attack == "cw":
        return torchattacks.CW(model=net, c=0.1, lr=0.1, steps=200)

    elif args.attack == "auto":
        return torchattacks.APGD(model=net, eps=args.eps)

    elif args.attack == "fab":
        return torchattacks.FAB(model=net, eps=args.eps, n_classes=args.n_classes)

Included Packages (for Ours)

  • Informative Feature Package (model/IFP.py)
    • Distilling robust and non-robust features in intermediate layer by Information Bottleneck
  • Visualization of robust and non-robust features (visualization/inversion.py)
  • Non-Robust Feature (NRF) and Robust Feature (RF) Attack (model/IFP.py)
    • NRF : maximizing the magnitude of non-robust feature gradients
    • NRF2 : minimizing the magnitude of non-robust feature gradients
    • RF : maximizing the magnitude of robust feature gradients
    • RF2 : minimizing the magnitude of robust feature gradients

Baseline Methods

  • Plain (Plain Training)

    • Run train_plain.py
      parser.add_argument('--lr', default=0.01, type=float, help='learning rate')
      parser.add_argument('--dataset', default='cifar10', type=str, help='dataset name')
      parser.add_argument('--network', default='vgg', type=str, help='network name')
      parser.add_argument('--gpu_id', default='0', type=str, help='gpu id')
      parser.add_argument('--data_root', default='./datasets', type=str, help='path to dataset')
      parser.add_argument('--epoch', default=60, type=int, help='epoch number')
      parser.add_argument('--batch_size', default=100, type=int, help='Batch size')
      parser.add_argument('--pretrained', default='false', type=str2bool, help='pretrained boolean')
      parser.add_argument('--batchnorm', default='true', type=str2bool, help='batchnorm boolean')
      parser.add_argument('--save_dir', default='./experiment', type=str, help='save directory')
  • AT (PGD Adversarial Training)

    • Run train_AT.py
      parser.add_argument('--lr', default=0.01, type=float, help='learning rate')
      parser.add_argument('--steps', default=10, type=int, help='adv. steps')
      parser.add_argument('--eps', default=0.03, type=float, help='max norm')
      parser.add_argument('--dataset', default='cifar10', type=str, help='dataset name')
      parser.add_argument('--network', default='vgg', type=str, help='network name')
      parser.add_argument('--gpu_id', default='0', type=str, help='gpu id')
      parser.add_argument('--data_root', default='./datasets', type=str, help='path to dataset')
      parser.add_argument('--epoch', default=60, type=int, help='epoch number')
      parser.add_argument('--batch_size', default=100, type=int, help='Batch size')
      parser.add_argument('--attack', default='pgd', type=str, help='attack type')
      parser.add_argument('--pretrained', default='false', type=str2bool, help='pretrained boolean')
      parser.add_argument('--batchnorm', default='true', type=str2bool, help='batchnorm boolean')
      parser.add_argument('--save_dir', default='./experiment', type=str, help='save directory')
  • TRADES (Recent defense method)

    • Run train_TRADES.py
      parser.add_argument('--lr', default=0.01, type=float, help='learning rate')
      parser.add_argument('--steps', default=10, type=int, help='adv. steps')
      parser.add_argument('--eps', default=0.03, type=float, help='max norm')
      parser.add_argument('--dataset', default='cifar10', type=str, help='dataset name')
      parser.add_argument('--network', default='wide', type=str, help='network name: vgg or wide')
      parser.add_argument('--gpu_id', default='0', type=str, help='gpu id')
      parser.add_argument('--data_root', default='./datasets', type=str, help='path to dataset')
      parser.add_argument('--epoch', default=60, type=int, help='epoch number')
      parser.add_argument('--batch_size', default=100, type=int, help='Batch size')
      parser.add_argument('--attack', default='pgd', type=str, help='attack type')
      parser.add_argument('--pretrained', default='false', type=str2bool, help='pretrained boolean')
      parser.add_argument('--batchnorm', default='true', type=str2bool, help='batchnorm boolean')
      parser.add_argument('--save_dir', default='./experiment', type=str, help='save directory')
  • MART (Recent defense method)

    • Run train_MART.py
      parser.add_argument('--lr', default=0.01, type=float, help='learning rate')
      parser.add_argument('--steps', default=10, type=int, help='adv. steps')
      parser.add_argument('--eps', default=0.03, type=float, help='max norm')
      parser.add_argument('--dataset', default='cifar10', type=str, help='dataset name')
      parser.add_argument('--network', default='wide', type=str, help='network name')
      parser.add_argument('--gpu_id', default='0', type=str, help='gpu id')
      parser.add_argument('--data_root', default='./datasets', type=str, help='path to dataset')
      parser.add_argument('--epoch', default=60, type=int, help='epoch number')
      parser.add_argument('--batch_size', default=100, type=int, help='Batch size')
      parser.add_argument('--attack', default='pgd', type=str, help='attack type')
      parser.add_argument('--pretrained', default='false', type=str2bool, help='pretrained boolean')
      parser.add_argument('--batchnorm', default='true', type=str2bool, help='batchnorm boolean')
      parser.add_argument('--save_dir', default='./experiment', type=str, help='save directory')

Testing Model Robustness

  • Mearsuring the robustness in baseline models trained with baseline methods
    • Run test.py

      parser.add_argument('--steps', default=10, type=int, help='adv. steps')
      parser.add_argument('--eps', default=0.03, type=float, help='max norm')
      parser.add_argument('--dataset', default='cifar10', type=str, help='dataset name')
      parser.add_argument('--network', default='vgg', type=str, help='network name')
      parser.add_argument('--data_root', default='./datasets', type=str, help='path to dataset')
      parser.add_argument('--gpu_id', default='0', type=str, help='gpu id')
      parser.add_argument('--save_dir', default='./experiment', type=str, help='save directory')
      parser.add_argument('--batch_size', default=100, type=int, help='Batch size')
      parser.add_argument('--pop_number', default=3, type=int, help='Batch size')
      parser.add_argument('--datetime', default='00000000', type=str, help='checkpoint datetime')
      parser.add_argument('--pretrained', default='false', type=str2bool, help='pretrained boolean')
      parser.add_argument('--batchnorm', default='true', type=str2bool, help='batchnorm boolean')
      parser.add_argument('--baseline', default='AT', type=str, help='baseline')

Visualizing Robust and Non-Robust Features

  • Feature Interpreation

    • Run visualize.py
    parser.add_argument('--lr', default=0.01, type=float, help='learning rate')
    parser.add_argument('--steps', default=10, type=int, help='adv. steps')
    parser.add_argument('--eps', default=0.03, type=float, help='max norm')
    parser.add_argument('--dataset', default='cifar10', type=str, help='dataset name')
    parser.add_argument('--network', default='vgg', type=str, help='network name')
    parser.add_argument('--gpu_id', default='0', type=str, help='gpu id')
    parser.add_argument('--data_root', default='./datasets', type=str, help='path to dataset')
    parser.add_argument('--epoch', default=0, type=int, help='epoch number')
    parser.add_argument('--attack', default='pgd', type=str, help='attack type')
    parser.add_argument('--save_dir', default='./experiment', type=str, help='save directory')
    parser.add_argument('--batch_size', default=1, type=int, help='Batch size')
    parser.add_argument('--pop_number', default=3, type=int, help='Batch size')
    parser.add_argument('--prior', default='AT', type=str, help='Plain or AT')
    parser.add_argument('--prior_datetime', default='00000000', type=str, help='checkpoint datetime')
    parser.add_argument('--pretrained', default='false', type=str2bool, help='pretrained boolean')
    parser.add_argument('--batchnorm', default='true', type=str2bool, help='batchnorm boolean')
    parser.add_argument('--vis_atk', default='True', type=str2bool, help='is attacked image?')

You might also like...
Deep Structured Instance Graph for Distilling Object Detectors (ICCV 2021)
Deep Structured Instance Graph for Distilling Object Detectors (ICCV 2021)

DSIG Deep Structured Instance Graph for Distilling Object Detectors Authors: Yixin Chen, Pengguang Chen, Shu Liu, Liwei Wang, Jiaya Jia. [pdf] [slide]

Distilling Motion Planner Augmented Policies into Visual Control Policies for Robot Manipulation (CoRL 2021)
Distilling Motion Planner Augmented Policies into Visual Control Policies for Robot Manipulation (CoRL 2021)

Distilling Motion Planner Augmented Policies into Visual Control Policies for Robot Manipulation [Project website] [Paper] This project is a PyTorch i

A non-linear, non-parametric Machine Learning method capable of modeling complex datasets
A non-linear, non-parametric Machine Learning method capable of modeling complex datasets

Fast Symbolic Regression Symbolic Regression is a non-linear, non-parametric Machine Learning method capable of modeling complex data sets. fastsr aim

[ICLR'21] FedBN: Federated Learning on Non-IID Features via Local Batch Normalization
[ICLR'21] FedBN: Federated Learning on Non-IID Features via Local Batch Normalization

FedBN: Federated Learning on Non-IID Features via Local Batch Normalization This is the PyTorch implemention of our paper FedBN: Federated Learning on

Unadversarial Examples: Designing Objects for Robust Vision
Unadversarial Examples: Designing Objects for Robust Vision

Unadversarial Examples: Designing Objects for Robust Vision This repository contains the code necessary to replicate the major results of our paper: U

codes for Image Inpainting with External-internal Learning and Monochromic Bottleneck
codes for Image Inpainting with External-internal Learning and Monochromic Bottleneck

Image Inpainting with External-internal Learning and Monochromic Bottleneck This repository is for the CVPR 2021 paper: 'Image Inpainting with Externa

Code for the paper:
Code for the paper: "On the Bottleneck of Graph Neural Networks and Its Practical Implications"

On the Bottleneck of Graph Neural Networks and its Practical Implications This is the official implementation of the paper: On the Bottleneck of Graph

The official repo for OC-SORT: Observation-Centric SORT on video Multi-Object Tracking. OC-SORT is simple, online and robust to occlusion/non-linear motion.
The official repo for OC-SORT: Observation-Centric SORT on video Multi-Object Tracking. OC-SORT is simple, online and robust to occlusion/non-linear motion.

OC-SORT Observation-Centric SORT (OC-SORT) is a pure motion-model-based multi-object tracker. It aims to improve tracking robustness in crowded scenes

improvement of CLIP features over the traditional resnet features on the visual question answering, image captioning, navigation and visual entailment tasks.

CLIP-ViL In our paper "How Much Can CLIP Benefit Vision-and-Language Tasks?", we show the improvement of CLIP features over the traditional resnet fea

Owner
LBK
Ph.D Candidate, KAIST EE
LBK
PyTorch source code for Distilling Knowledge by Mimicking Features

LSHFM.detection This is the PyTorch source code for Distilling Knowledge by Mimicking Features. And this project contains code for object detection wi

Guo-Hua Wang 3 May 31, 2022
A Robust Non-IoU Alternative to Non-Maxima Suppression in Object Detection

Confluence: A Robust Non-IoU Alternative to Non-Maxima Suppression in Object Detection 1. 介绍 用以替代 NMS,在所有 bbox 中挑选出最优的集合。 NMS 仅考虑了 bbox 的得分,然后根据 IOU 来

null 44 Sep 15, 2022
A certifiable defense against adversarial examples by training neural networks to be provably robust

DiffAI v3 DiffAI is a system for training neural networks to be provably robust and for proving that they are robust. The system was developed for the

SRI Lab, ETH Zurich 200 Nov 14, 2022
transfer attack; adversarial examples; black-box attack; unrestricted Adversarial Attacks on ImageNet; CVPR2021 天池黑盒竞赛

transfer_adv CVPR-2021 AIC-VI: unrestricted Adversarial Attacks on ImageNet CVPR2021 安全AI挑战者计划第六期赛道2:ImageNet无限制对抗攻击 介绍 : 深度神经网络已经在各种视觉识别问题上取得了最先进的性能。

null 26 Oct 25, 2022
Reducing Information Bottleneck for Weakly Supervised Semantic Segmentation (NeurIPS 2021)

Reducing Information Bottleneck for Weakly Supervised Semantic Segmentation (NeurIPS 2021) The implementation of Reducing Infromation Bottleneck for W

Jungbeom Lee 54 Nov 21, 2022
Official PyTorch Implementation for InfoSwap: Information Bottleneck Disentanglement for Identity Swapping

InfoSwap: Information Bottleneck Disentanglement for Identity Swapping Code usage Please check out the user manual page. Paper Gege Gao, Huaibo Huang,

Grace Hešeri 53 Nov 22, 2022
ColossalAI-Examples - Examples of training models with hybrid parallelism using ColossalAI

ColossalAI-Examples This repository contains examples of training models with Co

HPC-AI Tech 167 Nov 26, 2022
XtremeDistil framework for distilling/compressing massive multilingual neural network models to tiny and efficient models for AI at scale

XtremeDistilTransformers for Distilling Massive Multilingual Neural Networks ACL 2020 Microsoft Research [Paper] [Video] Releasing [XtremeDistilTransf

Microsoft 121 Nov 14, 2022
Code for ICCV 2021 paper "Distilling Holistic Knowledge with Graph Neural Networks"

HKD Code for ICCV 2021 paper "Distilling Holistic Knowledge with Graph Neural Networks" cifia-100 result The implementation of compared methods are ba

Wang Yucheng 29 Jul 27, 2022