I used the same as t2t_vit github (https://github.com/yitu-opensource/T2T-ViT) data prepare structure on white_box_test.py . and my command is python3 white_box_test.py --data_dir imagenet --mode foolbox --model vit_small_patch16_224 --pretrained True . But I got the awful acc .Below

sample size is : 1000 clean accuracy: 0.0 % Model vit_small_patch16_224 robust accuracy for LinfPGD perturbations with Step 40, Linf norm ≤ 0.001 : 0.0 % Step 40, Linf norm ≤ 0.003 : 0.0 % Step 40, Linf norm ≤ 0.005 : 0.0 % Step 40, Linf norm ≤ 0.008 : 0.0 % Step 40, Linf norm ≤ 0.01 : 0.0 % Step 40, Linf norm ≤ 0.1 : 0.0 %

Could u tell me why I got ? and what should I do? Tks u. :))

Hi @RulinShao , thanks a lot, for your impressive work. I'm trying to reproduce some of your experiments, I notice that in this repo you use timm for the pretrained version of vit-16. When I try to do the training process like you did in train.py, it seems that I fail with loading the pretrained weights of vit_base_patch16_224_in21k. The details of error : RuntimeError: Expected hasRecord("version") to be true, but got false.

env: torch==1.9.0 torchvision==0.10.0 running on Colab

I also tried older versions of torch, they all failed with loading pretrain weights with other error information like" Only one file(not dir) is allowed in the zipfile", it seems that the problem is about the compressed weights in zip format used in timm

Could you please tell me the environment you use when implementing this work? thanks a lot!

hello , I want to ask what is the auto-attack setting in the white box, because the result of running the default value in vit_small_patch16_224 is different from the result of your paper.

my command, python3 white_box_test.py --data_dir imagenet --mode auto --model vit_small_patch16_224

my result, sample size is : 1000 clean accuracy: 73.8 % Model vit_small_patch16_224 robust accuracy for AutoAttack perturbations with Linf norm ≤ 0.001 : 28.4 % Linf norm ≤ 0.003 : 1.2 % Linf norm ≤ 0.005 : 0.0 % Linf norm ≤ 0.008 : 0.0 % Linf norm ≤ 0.01 : 0.0 % Linf norm ≤ 0.1 : 0.0 %

tks for reply.

Hi @RulinShao, it's a quite solid work. But I have some questions about adversarial training. (1) In your paper, you used ViT-B/4 but here I only see vit_base_patch2. So, your adv-training model is still ViT-B/4, right? (2) In your code, I feel little bit confused about eval. What's the purpose for it? You mean model.eval()? If so, then model.train() is applied. Can you give an explanation for it? https://github.com/RulinShao/on-the-adversarial-robustness-of-visual-transformer/blob/ff8e3b7ffadd5f6776205d1b1e2b705a75bebb57/training/train.py#L45-L46 (3) In the paper, you downsampled the weights for patch embeddings and what're the codes for such operation? I only see the modification of patch_size . https://github.com/RulinShao/on-the-adversarial-robustness-of-visual-transformer/blob/ff8e3b7ffadd5f6776205d1b1e2b705a75bebb57/training/timm_vit/vit.py#L283-L286 (4) CIFAR-10 data resolution is 32 and the model in your command line is vit_base_patch16_224_in21k . Such large patch size for CIFAR-10 could highly do harm to acc%. Did you use such model to do the experiments? I only see the results of ViT-B/4 in the paper. BTW, you always keep datasize in 32 instead of upsampling 224, right? Did you try to upsample CIFAR-10 to 224 and use patch size 16 for adversarial training?

Thanks for your help!

Thanks a lot for your interesting work!

If I see it correctly, the script white_box_test.py uses data loader defined in the function white_box_test.get_val_loader for the ViT models obtained from timm. It uses default ImageNet values mean=[0.485, 0.456, 0.406], std=[0.229, 0.224, 0.225].

It seems that timm documentation suggests a different set of transforms for data preprocessing: https://rwightman.github.io/pytorch-image-models/models/vision-transformer/

The difference seems to be that it rescales the images to the size of 248 and uses mean=[0.5, 0.5, 0.5], std=[0.5, 0.5, 0.5] for normalization.

When I use their input transform I obtain larger clean accuracy for transformer models than the one provided in the paper. It looks similar to the one provided in the paperswithcode page: https://paperswithcode.com/lib/timm/vision-transformer

Perhaps adding the transforms from the timm package to the code could help in evaluation.

Thanks!