A certifiable defense against adversarial examples by training neural networks to be provably robust

Overview

DiffAI v3 portfolio_view

High Level

DiffAI is a system for training neural networks to be provably robust and for proving that they are robust. The system was developed for the 2018 ICML paper and the 2019 ArXiV Paper.

Background

By now, it is well known that otherwise working networks can be tricked by clever attacks. For example Goodfellow et al. demonstrated a network with high classification accuracy which classified one image of a panda correctly, and a seemingly identical attack picture incorrectly. Many defenses against this type of attack have been produced, but very few produce networks for which provably verifying the safety of a prediction is feasible.

Abstract Interpretation is a technique for verifying properties of programs by soundly overapproximating their behavior. When applied to neural networks, an infinite set (a ball) of possible inputs is passed to an approximating "abstract" network to produce a superset of the possible outputs from the actual network. Provided an appropreate representation for these sets, demonstrating that the network classifies everything in the ball correctly becomes a simple task. The method used to represent these sets is the abstract domain, and the specific approximations are the abstract transformers.

In DiffAI, the entire abstract interpretation process is programmed using PyTorch so that it is differentiable and can be run on the GPU, and a loss function is crafted so that low values correspond to inputs which can be proved safe (robust).

Whats New In v3?

  • Abstract Networks: one can now customize the handling of the domains on a per-layer basis.
  • Training DSL: A DSL has been exposed to allow for custom training regimens with complex parameter scheduling.
  • Cross Loss: The box goal now uses the cross entropy style loss by default as suggested by Gowal et al. 2019
  • Conversion to Onyx: We can now export to the onyx format, and can export the abstract network itself to onyx (so that one can run abstract analysis or training using tensorflow for example).

Requirements

python 3.6.7, and virtualenv, torch 0.4.1.

Recommended Setup

$ git clone https://github.com/eth-sri/DiffAI.git
$ cd DiffAI
$ virtualenv pytorch --python python3.6
$ source pytorch/bin/activate
(pytorch) $ pip install -r requirements.txt

Note: you need to activate your virtualenv every time you start a new shell.

Getting Started

DiffAI can be run as a standalone program. To see a list of arguments, type

(pytorch) $ python . --help

At the minimum, DiffAI expects at least one domain to train with and one domain to test with, and a network with which to test. For example, to train with the Box domain, baseline training (Point) and test against the FGSM attack and the ZSwitch domain with a simple feed forward network on the MNIST dataset (default, if none provided), you would type:

(pytorch) $ python . -d "Point()" -d "Box()" -t "PGD()" -t "ZSwitch()" -n ffnn

Unless otherwise specified by "--out", the output is logged to the folder "out/".
In the folder corresponding to the experiment that has been run, one can find the saved configuration options in "config.txt", and a pickled net which is saved every 10 epochs (provided that testing is set to happen every 10th epoch).

To load a saved model, use "--test" as per the example:

(pytorch) $ alias test-diffai="python . -d Point --epochs 1 --dont-write --test-freq 1"
(pytorch) $ test-diffai -t Box --update-test-net-name convBig --test PATHTOSAVED_CONVBIG.pynet --width 0.1 --test-size 500 --test-batch-size 500

Note that "--update-test-net-name" will create a new model based on convBig and try to use the weights in the pickled PATHTOSAVED_CONVBIG.pynet to initialize that models weights. This is not always necessary, but is useful when the code for a model changes (in components) but does not effect the number or usage of weight, or when loading a model pickled by a cuda process into a cpu process.

The default specification type is the L_infinity Ball specified explicitly by "--spec boxSpec", which uses an epsilon specified by "--width"

The default specification type is the L_infinity Ball specified explicitly by "--spec boxSpec", which uses an epsilon specified by "--width"

Abstract Networks

Example Abstract Net

A cruical point of DiffAI v3 is that how a network is trained and abstracted should be part of the network description itself. In this release, we provide layers that allow one to alter how the abstraction works, in addition to providing a script for converting an abstract network to onyx so that the abstract analysis might be run in tensorflow. Below is a list of the abstract layers that we have included.

  • CorrMaxPool3D
  • CorrMaxPool2D
  • CorrFix
  • CorrMaxK
  • CorrRand
  • DecorrRand
  • DecorrMin
  • DeepLoss
  • ToZono
  • ToHZono
  • Concretize
  • CorrelateAll

Training Domain DSL

In DiffAI v3, a dsl has been provided to specify arbitrary training domains. In particular, it is now possible to train on combinations of attacks and abstract domains on specifications defined by attacks. Specifying training domains is possible in the command line using -d "DOMAIN_INITIALIZATION". The possible combinations are the classes listed in domains.py. The same syntax is also supported for testing domains, to allow for testing robustness with different epsilon-sized attacks and specifications.

Listed below are a few examples:

  • -t "IFGSM(k=4, w=0.1)" -t "ZNIPS(w=0.3)" Will first test with the PGD attack with an epsilon=w=0.1 and, the number of iterations k=4 and step size set to w/k. It will also test with the zonotope domain using the transformer specified in our NIPS 2018 paper with an epsilon=w=0.3.

  • -t "PGD(r=3,k=16,restart=2, w=0.1)" tests on points found using PGD with a step size of r*w/k and two restarts, and an attack-generated specification.

  • -d Point() is standard non-defensive training.

  • -d "LinMix(a=IFGSM(), b=Box(), aw=1, bw=0.1)" trains on points produced by pgd with the default parameters listed in domains.py, and points produced using the box domain. The loss is combined linearly using the weights aw and bw and scaled by 1/(aw + bw). The epsilon used for both is the ambient epsilon specified with "--width".

  • -d "DList((IFGSM(w=0.1),1), (Box(w=0.01),0.1), (Box(w=0.1),0.01))" is a generalization of the Mix domain allowing for training with arbitrarily many domains at once weighted by the given values (the resulting loss is scaled by the inverse of the sum of weights).

  • -d "AdvDom(a=IFGSM(), b=Box())" trains using the Box domain, but constructs specifications as L∞ balls containing the PGD attack image and the original image "o".

  • -d "BiAdv(a=IFGSM(), b=Box())" is similar, but creates specifications between the pgd attack image "a" and "o - (a - o)".

One domain we have found particularly useful for training is Mix(a=PGD(r=3,k=16,restart=2, w=0.1), b=BiAdv(a=IFGSM(k=5, w=0.05)), bw=0.1).

While the above domains are all deterministic (up to gpu error and shuffling orders), we have also implemented nondeterministic training domains:

  • -d "Coin(a=IFGSM(), b=Box(), aw=1, bw=0.1)" is like Mix, but chooses which domain to train a batch with by the probabilities determined by aw / (aw + bw) and bw / (aw + bw).

  • -d "DProb((IFGSM(w=0.1),1), (Box(w=0.01),0.1), (Box(w=0.1),0.01))" is to Coin what DList is to Mix.

  • -d AdvDom(a=IFGSM(), b=DList((PointB(),1), (PointA(), 1), (Box(), 0.2))) can be used to share attack images between multiple training types. Here an attack image "m" is found using PGD, then both the original image "o" and the attack image "m" are passed to DList which trains using three different ways: PointA trains with "o", PointB trains with "m", and Box trains on the box produced between them. This can also be used with Mix.

  • -d Normal(w=0.3) trains using images sampled from a normal distribution around the provided image using standard deviation w.

  • -d NormalAdv(a=IFGSM(), w=0.3) trains using PGD (but this could be an abstract domain) where perturbations are constrained to a box determined by a normal distribution around the original image with standard deviation w.

  • -d InSamp(0.2, w=0.1) uses Inclusion sampling as defined in the ArXiv paper.

There are more domains implemented than listed here, and of course more interesting combinations are possible. Please look carefully at domains.py for default values and further options.

Parameter Scheduling DSL

In place of many constants, you can use the following scheduling devices.

  • Lin(s,e,t,i) Linearly interpolates between s and e over t epochs, using s for the first i epochs.

  • Until(t,a,b) Uses a for the first t epochs, then switches to using b (telling b the current epoch starting from 0 at epoch t).

Suggested Training

LinMix(a=IFGSM(k=2), b=InSamp(Lin(0,1,150,10)), bw = Lin(0,0.5,150,10)) is a training goal that appears to work particularly well for CIFAR10 networks.

Contents

  • components.py: A high level neural network library for composable layers and operations
  • goals.py: The DSL for specifying training losses and domains, and attacks which can be used as a drop in replacement for pytorch tensors in any model built with components from components.py
  • scheduling.py: The DSL for specifying parameter scheduling.
  • models.py: A repository of models to train with which are used in the paper.
  • convert.py: A utility for converting a model with a training or testing domain (goal) into an onyx network. This is useful for exporting DiffAI abstractions to tensorflow.
  • __main__.py: The entry point to run the experiments.
  • helpers.py: Assorted helper functions. Does some monkeypatching, so you might want to be careful importing our library into your project.
  • AllExperimentsSerial.sh: A script which runs the training experiments from the 2019 ArXiv paper from table 4 and 5 and figure 5.

Notes

Not all of the datasets listed in the help message are supported. Supported datasets are:

  • CIFAR10
  • CIFAR100
  • MNIST
  • SVHN
  • FashionMNIST

Unsupported datasets will not necessarily throw errors.

Results on Standard Networks

Download all defended networks, logs, and configs

MNIST

Network Number of Neurons Number of Parameters Number ReLU Layers
FFNN 500 119910 5
ConvSmall 3604 89606 3
ConvMed 4804 166406 3
ConvBig 48064 1974762 6
ConvLargeIBP 175816 5426402 6
TruncatedVGG 151040 13109706 5

0.1

Config Log

Network Standard Accuracy MI_FGSM Accuracy HBox Provability
FFNN 93.3% 90.8% 88.9%
ConvSmall 97.8% 96.2% 95.5%
ConvMed 97.8% 96.3% 95.5%
ConvBig 98.5% 97.2% 95.6%
ConvLargeIBP 98.7% 97.5% 95.8%
TruncatedVGG 98.9% 97.7% 95.6%

0.3

Config Log

Network Standard Accuracy MI_FGSM Accuracy HBox Provability
FFNN 80.2% 73.4% 62.6%
ConvSmall 96.9% 93.6% 89.1%
ConvMed 96.6% 93.1% 89.3%
ConvBig 97.0% 95.2% 87.8%
ConvLargeIBP 97.2% 95.4% 88.8%
TruncatedVGG 96.5% 94.4% 87.6%

CIFAR10

Network Number of Neurons Number of Parameters Number ReLU Layers
FFNN 500 348710 5
ConvSmall 4852 125318 3
ConvMed 6244 214918 3
ConvBig 62464 2466858 6
ConvLargeIBP 229576 6963554 6
TruncatedVGG 197120 17043018 5

2/255

Config Log

Network Standard Accuracy MI_FGSM Accuracy HBox Provability
FFNN 45.1% 37.0% 33.1%
ConvSmall 56.1% 46.2% 42.4%
ConvMed 56.9% 46.6% 43.2%
ConvBig 61.9% 51.4% 45.0%
ConvLargeIBP 61.1% 51.4% 44.5%
TruncatedVGG 62.3% 51.4% 45.5%

8/255

Config Log

Network Standard Accuracy MI_FGSM Accuracy HBox Provability
FFNN 33.5% 23.8% 19.0%
ConvSmall 42.6% 30.5% 24.9%
ConvMed 43.6% 30.3% 24.7%
ConvBig 46.0% 34.2% 25.2%
ConvLargeIBP 46.2% 34.7% 27.2%
TruncatedVGG 45.9% 34.4% 27.0%

Reproducing Results

Download Defended Networks

All training runs from the paper can be reproduced as by the following command, in the same order as Table 6 in the appendix.

./AllExperimentsSerial.sh "-t MI_FGSM(k=20,r=2) -t HBox --test-size 10000 --test-batch-size 200 --test-freq 400 --save-freq 1 --epochs 420 --out all_experiments --write-first True --test-first False"

The training schemes can be written as follows (the names differ slightly from the presentation in the paper):

  • Baseline: LinMix(a=Point(), b=Box(w=Lin(0,0.031373,150,10)), bw=Lin(0,0.5,150,10))
  • InSamp: LinMix(a=Point(), b=InSamp(Lin(0,1,150,10)), bw=Lin(0,0.5, 150,10))
  • InSampLPA: LinMix(a=Point(), b=InSamp(Lin(0,1,150,20), w=Lin(0,0.031373, 150, 20)), bw=Lin(0,0.5, 150, 20))
  • Adv_{1}ISLPA: LinMix(a=IFGSM(w=Lin(0,0.031373,20,20), k=1), b=InSamp(Lin(0,1,150,10), w=Lin(0,0.031373,150,10)), bw=Lin(0,0.5,150,10))
  • Adv_{3}ISLPA: LinMix(a=IFGSM(w=Lin(0,0.031373,20,20), k=3), b=InSamp(Lin(0,1,150,10), w=Lin(0,0.031373,150,10)), bw=Lin(0,0.5,150,10))
  • Baseline_{18}: LinMix(a=Point(), b=InSamp(Lin(0,1,200,40)), bw=Lin(0,0.5,200,40))
  • InSamp_{18}: LinMix(a=IFGSM(w=Lin(0,0.031373,20,20)), b=InSamp(Lin(0,1,200,40)), bw=Lin(0,0.5,200,40))
  • Adv_{5}IS_{18}: LinMix(b=InSamp(Lin(0,1,200,40)), bw=Lin(0,0.5, 200, 40))
  • BiAdv_L: LinMix(a=IFGSM(k=2), b=BiAdv(a=IFGSM(k=3, w=Lin(0,0.031373, 150, 30)), b=Box()), bw=Lin(0,0.6, 200, 30))

To test a saved network as in the paper, use the following command:

python . -D CIFAR10 -n ResNetLarge_LargeCombo -d Point --width 0.031373 --normalize-layer True --clip-norm False -t 'MI_FGSM(k=20,r=2)' -t HBox --test-size 10000 --test-batch-size 200 --epochs 1 --test NAMEOFSAVEDNET.pynet 

Assorted

Citing This Framework

@inproceedings{
  title={Differentiable Abstract Interpretation for Provably Robust Neural Networks},
  author={Mirman, Matthew and Gehr, Timon and Vechev, Martin},
  booktitle={International Conference on Machine Learning (ICML)},
  year={2018},
  url={https://www.icml.cc/Conferences/2018/Schedule?showEvent=2477},
}

Contributors

License and Copyright

Comments
  • Not using cross entropy style loss when training with Mix(Point(),Box())

    Not using cross entropy style loss when training with Mix(Point(),Box())

    I trained with the following command: python . -d "Mix(a=Point(),b=Box(),aw=1,bw=0.2)" -t "Point()" -n ffnn Ideally, it will using the cross entropy style loss for the Box domain as suggested by Gowal et al. 2019, but it turns out that it still used the original loss in DiffAI paper.

    I looked through the implementation of loss in ai.py and goals.py. It seems the cross entropy style loss only works in training with -d "Box()" but does not work with Mix Domain. I don't know if this behavior is desired.

    opened by ForeverZyh 3
  • Incompatibility with torch>=0.4.1

    Incompatibility with torch>=0.4.1

    Hello,

    I've tried to reproduce the workflow described in README, but faced with the following error:

    TypeError: log_softmax() got multiple values for argument 'dim'
    

    It happens due to conflict with newest torch version. Downgrading to torch==0.4.0 resolves this issue.

    opened by ilya-palachev 2
  • RuntimeError: Subtraction, the `-` operator, with a bool tensor is not supported. If you are trying to invert a mask, use the `~` or `logical_not()` operator instead.

    RuntimeError: Subtraction, the `-` operator, with a bool tensor is not supported. If you are trying to invert a mask, use the `~` or `logical_not()` operator instead.

    Run python . -d "Point()" -d "Box()" -t "PGD()" -t "ZSwitch()" -n FFNN with the newest version of PyTorch. Encountered the error in title. Location: File "./ai.py", line 130, in creluSwitch newerr = h.ifThenElseL(should_box, 1 - should_boxer, gtz).to_dtype() * dom.errors File "[dir]/python3.8/site-packages/torch/tensor.py", line 511, in rsub return _C._VariableFunctions.rsub(self, other)

    opened by chenxi-yang 1
  • How to use the pretrained .pynet file

    How to use the pretrained .pynet file

    Hello,

    Thanks for your great work on DiffAI! I want to reproduce the experimental result and apply it to my projects. However, I'm not sure how to use ".pynet" file in the dropbox. I guess the ".pynet" file is the pretrained parameter for defended networks, however, I can't find any information about .pynet file, That is, can I convert it to .onnx or .pth file for Tensorflow or Pytorch ? Or, how to load the parameters into Pytorch ?

    Thank you in advance!

    opened by Gting6 0
  • [Snyk] Security upgrade pillow from 6.2.2 to 8.0.1

    [Snyk] Security upgrade pillow from 6.2.2 to 8.0.1

    Snyk has created this PR to fix one or more vulnerable packages in the `pip` dependencies of this project.

    Changes included in this PR

    • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
      • requirements.txt
    ⚠️ Warning
    torchvision 0.2.1 requires pillow, which is not installed.
    
    

    Vulnerabilities that will be fixed

    By pinning:

    Severity | Priority Score (*) | Issue | Upgrade | Breaking Change | Exploit Maturity :-------------------------:|-------------------------|:-------------------------|:-------------------------|:-------------------------|:------------------------- medium severity | 581/1000
    Why? Recently disclosed, Has a fix available, CVSS 5.9 | Heap-based Buffer Overflow
    SNYK-PYTHON-PILLOW-1059090 | pillow:
    6.2.2 -> 8.0.1
    | No | No Known Exploit

    (*) Note that the real score may have changed since the PR was raised.

    Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the effected dependencies could be upgraded.

    Check the changes in this PR to ensure they won't cause issues with your project.


    Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

    For more information: 🧐 View latest project report

    🛠 Adjust project settings

    📚 Read more about Snyk's upgrade and patch logic

    opened by snyk-bot 0
  • [Snyk] Security upgrade pillow from 6.2.2 to 8.1.0

    [Snyk] Security upgrade pillow from 6.2.2 to 8.1.0

    Snyk has created this PR to fix one or more vulnerable packages in the `pip` dependencies of this project.

    Changes included in this PR

    • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
      • requirements.txt
    ⚠️ Warning
    torchvision 0.2.1 requires pillow, which is not installed.
    
    

    Vulnerabilities that will be fixed

    By pinning:

    Severity | Priority Score (*) | Issue | Upgrade | Breaking Change | Exploit Maturity :-------------------------:|-------------------------|:-------------------------|:-------------------------|:-------------------------|:------------------------- high severity | 661/1000
    Why? Recently disclosed, Has a fix available, CVSS 7.5 | Buffer Overflow
    SNYK-PYTHON-PILLOW-1055461 | pillow:
    6.2.2 -> 8.1.0
    | No | No Known Exploit high severity | 661/1000
    Why? Recently disclosed, Has a fix available, CVSS 7.5 | Buffer Overflow
    SNYK-PYTHON-PILLOW-1055462 | pillow:
    6.2.2 -> 8.1.0
    | No | No Known Exploit

    (*) Note that the real score may have changed since the PR was raised.

    Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the effected dependencies could be upgraded.

    Check the changes in this PR to ensure they won't cause issues with your project.


    Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

    For more information: 🧐 View latest project report

    🛠 Adjust project settings

    📚 Read more about Snyk's upgrade and patch logic

    opened by snyk-bot 0
  • [Snyk] Security upgrade pillow from 6.2.2 to 6.2.3

    [Snyk] Security upgrade pillow from 6.2.2 to 6.2.3

    Snyk has created this PR to fix one or more vulnerable packages in the `pip` dependencies of this project.

    Changes included in this PR

    • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
      • requirements.txt
    ⚠️ Warning
    torchvision 0.2.1 requires pillow, which is not installed.
    
    

    Vulnerabilities that will be fixed

    By pinning:

    Severity | Issue | Upgrade | Breaking Change | Exploit Maturity :-------------------------:|:-------------------------|:-------------------------|:-------------------------|:------------------------- medium severity | Out-of-Bounds
    SNYK-PYTHON-PILLOW-574573 | pillow:
    6.2.2 -> 6.2.3
    | No | No Known Exploit medium severity | Out-of-bounds Read
    SNYK-PYTHON-PILLOW-574574 | pillow:
    6.2.2 -> 6.2.3
    | No | No Known Exploit medium severity | Out-of-bounds Read
    SNYK-PYTHON-PILLOW-574575 | pillow:
    6.2.2 -> 6.2.3
    | No | No Known Exploit medium severity | Out-of-bounds Read
    SNYK-PYTHON-PILLOW-574576 | pillow:
    6.2.2 -> 6.2.3
    | No | No Known Exploit medium severity | Buffer Overflow
    SNYK-PYTHON-PILLOW-574577 | pillow:
    6.2.2 -> 6.2.3
    | No | No Known Exploit

    Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the effected dependencies could be upgraded.

    Check the changes in this PR to ensure they won't cause issues with your project.


    Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

    For more information: 🧐 View latest project report

    🛠 Adjust project settings

    📚 Read more about Snyk's upgrade and patch logic

    opened by snyk-bot 0
  • Tanh for hybridzonotope domain?

    Tanh for hybridzonotope domain?

    Hi Authors,

    May I ask if you have the implementation for tanh or other activation function operator (except ReLU) implementation for the HybridZonotope domain?

    Thanks!

    opened by chenxi-yang 0
Releases(v3.0)
  • v3.0(Apr 1, 2019)

    Version from the Arxiv paper https://arxiv.org/abs/1903.12519

    Updates

    • Added DSL to specify complex objectives and complex training scheduling.
    • Added abstract layers for increasing precision in deeper networks
    • Added onyx exporting
    • Included examples of trained nets such as ResNet34

    Abstract

    We present a training system, which can provably defend significantly larger neural networks than previously possible, including ResNet-34 and DenseNet-100. Our approach is based on differentiable abstract interpretation and introduces two novel concepts: (i) abstract layers for fine-tuning the precision and scalability of the abstraction, (ii) a flexible domain specific language (DSL) for describing training objectives that combine abstract and concrete losses with arbitrary specifications. Our training method is implemented in the DiffAI system.

    Source code(tar.gz)
    Source code(zip)
  • v1.0(Nov 14, 2018)

Owner
SRI Lab, ETH Zurich
Secure, Reliable, Intelligent Systems Lab, ETH Zurich
SRI Lab, ETH Zurich
Certifiable Outlier-Robust Geometric Perception

Certifiable Outlier-Robust Geometric Perception About This repository holds the implementation for certifiably solving outlier-robust geometric percep

null 83 Dec 31, 2022
Fast and robust certifiable relative pose estimation

Fast and Robust Relative Pose Estimation for Calibrated Cameras This repository contains the code for the relative pose estimation between two central

null 42 Dec 6, 2022
Code for the paper: Adversarial Training Against Location-Optimized Adversarial Patches. ECCV-W 2020.

Adversarial Training Against Location-Optimized Adversarial Patches arXiv | Paper | Code | Video | Slides Code for the paper: Sukrut Rao, David Stutz,

Sukrut Rao 32 Dec 13, 2022
LBK 20 Dec 2, 2022
Defending graph neural networks against adversarial attacks (NeurIPS 2020)

GNNGuard: Defending Graph Neural Networks against Adversarial Attacks Authors: Xiang Zhang ([email protected]), Marinka Zitnik (marinka@hms.

Zitnik Lab @ Harvard 44 Dec 7, 2022
ColossalAI-Examples - Examples of training models with hybrid parallelism using ColossalAI

ColossalAI-Examples This repository contains examples of training models with Co

HPC-AI Tech 185 Jan 9, 2023
transfer attack; adversarial examples; black-box attack; unrestricted Adversarial Attacks on ImageNet; CVPR2021 天池黑盒竞赛

transfer_adv CVPR-2021 AIC-VI: unrestricted Adversarial Attacks on ImageNet CVPR2021 安全AI挑战者计划第六期赛道2:ImageNet无限制对抗攻击 介绍 : 深度神经网络已经在各种视觉识别问题上取得了最先进的性能。

null 25 Dec 8, 2022
LBK 26 Dec 28, 2022
Super-Fast-Adversarial-Training - A PyTorch Implementation code for developing super fast adversarial training

Super-Fast-Adversarial-Training This is a PyTorch Implementation code for develo

LBK 26 Dec 2, 2022
Stable Neural ODE with Lyapunov-Stable Equilibrium Points for Defending Against Adversarial Attacks

Stable Neural ODE with Lyapunov-Stable Equilibrium Points for Defending Against Adversarial Attacks Stable Neural ODE with Lyapunov-Stable Equilibrium

Kang Qiyu 8 Dec 12, 2022
SLIDE : In Defense of Smart Algorithms over Hardware Acceleration for Large-Scale Deep Learning Systems

The SLIDE package contains the source code for reproducing the main experiments in this paper. Dataset The Datasets can be downloaded in Amazon-

Intel Labs 72 Dec 16, 2022
Minimal implementation of Denoised Smoothing: A Provable Defense for Pretrained Classifiers in TensorFlow.

Denoised-Smoothing-TF Minimal implementation of Denoised Smoothing: A Provable Defense for Pretrained Classifiers in TensorFlow. Denoised Smoothing is

Sayak Paul 19 Dec 11, 2022
Dcf-game-infrastructure-public - Contains all the components necessary to run a DC finals (attack-defense CTF) game from OOO

dcf-game-infrastructure All the components necessary to run a game of the OOO DC

Order of the Overflow 46 Sep 13, 2022
Dynamic Divide-and-Conquer Adversarial Training for Robust Semantic Segmentation (ICCV2021)

Dynamic Divide-and-Conquer Adversarial Training for Robust Semantic Segmentation This is a pytorch project for the paper Dynamic Divide-and-Conquer Ad

DV Lab 29 Nov 21, 2022
AugMax: Adversarial Composition of Random Augmentations for Robust Training

[NeurIPS'21] "AugMax: Adversarial Composition of Random Augmentations for Robust Training" by Haotao Wang, Chaowei Xiao, Jean Kossaifi, Zhiding Yu, Animashree Anandkumar, and Zhangyang Wang.

VITA 31 Oct 28, 2021
G-NIA model from "Single Node Injection Attack against Graph Neural Networks" (CIKM 2021)

Single Node Injection Attack against Graph Neural Networks This repository is our Pytorch implementation of our paper: Single Node Injection Attack ag

Shuchang Tao 18 Nov 21, 2022
NR-GAN: Noise Robust Generative Adversarial Networks

NR-GAN: Noise Robust Generative Adversarial Networks (CVPR 2020) This repository provides PyTorch implementation for noise robust GAN (NR-GAN). NR-GAN

Takuhiro Kaneko 59 Dec 11, 2022
Unadversarial Examples: Designing Objects for Robust Vision

Unadversarial Examples: Designing Objects for Robust Vision This repository contains the code necessary to replicate the major results of our paper: U

Microsoft 93 Nov 28, 2022
Principled Detection of Out-of-Distribution Examples in Neural Networks

ODIN: Out-of-Distribution Detector for Neural Networks This is a PyTorch implementation for detecting out-of-distribution examples in neural networks.

null 189 Nov 29, 2022