add simple spatial transform attack #80 #82
Add a simple spatial transform attack that was proposed at ICML 2019.
I benchmarked with MNIST and CIFAR10.
I didn't include the CIFAR10 model trained with ResNet18 in the repository because it was 43MB (please comment if you need it).
It was a stronger attack on MNIST than in the original paper and a weaker attack on CIFAR10.
In the original repository, MNIST and CIFAR10 are implemented in TensorFlow and ImageNet is implemented in PyTorch.
I used the implementation for ImageNet implemented in PyTorch, since the spatial transformation was dependent on TensorFlow functions.
These spatial transformations didn't match numerically, but they appear to be nearly identical in appearance.
The original implementation of CIFAR10 had a standardized layer attached to the model, but my implementation didn't standardize it (standardize discussion: MadryLab/cifar10_challenge#15 (comment)).
The pytest on the GPU had some errors before the change and I ignored them.