-
Notifications
You must be signed in to change notification settings - Fork 3
/
Copy pathbpda_eot_attack.json
53 lines (53 loc) · 2.39 KB
/
bpda_eot_attack.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
{
"_comment": "BPDA + EOT PGD ATTACK AGAINST EBM PURIFICATION DEFENSE",
"_comment": "------------------------------------------------------",
"_comment": "===== EXPERIMENT PARAMETERS =====",
"_comment": "type of data for experiment (cifar10, cifar100, svhn)",
"data_type": "cifar10",
"_comment": "name for experiment folder",
"exp_dir": "out_attack/eot_bpda/",
"_comment": "number of images for each attack batch",
"batch_size": 10,
"_comment": "first batch from test set to attack",
"start_batch": 1,
"_comment": "final batch from test set to attack",
"end_batch": 100,
"_comment": "use random images for subset or not",
"subset_shuffle": true,
"_comment": "seed for random numbers",
"seed": 123,
"_comment": "===== CLASSIFIER AND ENERGY NETWORKS =====",
"_comment": "location of clf trained weights",
"clf_weight_path": "CIFAR10_MODEL.pt",
"_comment": "location of ebm trained weights",
"ebm_weight_path": "./net_weights/ebm.pth",
"_comment": "===== ATTACK PARAMETERS =====",
"_comment": "l_p norm for attack (use l_inf or l_2)",
"adv_norm": "l_inf",
"_comment": "number of attack steps",
"adv_steps": 50,
"_comment": "l_p ball size of image perturbation for pixels in [0, 255]",
"adv_eps": 8.0,
"_comment": "gradient step size in l_p norm of adv. update for pixels in [0, 255]",
"adv_eta": 20.0,
"_comment": "use random start in l_p ball around images (otherwise start at original image)",
"adv_rand_start": true,
"_comment": "use BPDA + EOT attack against purifier and classifier or get attack grads from classifier only",
"use_bpda_eot": true,
"_comment": "number parallel samples for EOT attack (==1 for non-eot attack, >1 for eot attack)",
"eot_attack_reps": 15,
"_comment": "method for averaging the output of parallel chains for EOT attack",
"eot_attack_ave": "logits",
"_comment": "===== PURIFICATION PARAMETERS =====",
"_comment": "number of purification steps (0 for attack vs. classifier only)",
"langevin_steps": 0,
"_comment": "langevin noise magnitude",
"langevin_eps": 1e-2,
"_comment": "number of parallel purification trials for verifying successful attacks with EOT defense",
"eot_defense_reps": 150,
"_comment": "method for averaging the output of parallel chains for EOT defense prediction",
"eot_defense_ave": "logits",
"_comment": "===== LOGGING =====",
"_comment": "frequency of printing attack results",
"log_freq": 5
}