akshaychawla/Adversarial-Examples-in-PyTorch

Excuse me, would you mind teaching me why "keep optimizing Until classif_op == _y_target"

YinYangOfDao opened this issue · 2 comments

Actually I don't understand this (shown in lines 105-108, Method 1 - optimizing for noise/attack.py).
I think this should correspond to the bottom line in section 4.1 of "Intriguing properties of neural networks"? But if we stop as soon as f(x+r) == l, we cannot be sure that c||r|| is minimal.
Sorry if my question is stupid, and thanks for your work.

Hey @YinYangOfDao, sorry for the late reply. No, your question is not stupid; this is actually a shortcoming of my implementation.
So the paper says that while optimizing for "r" we should take care of 3 things:

  1. f(x+r) = new class (l)
  2. x+r should be between 0 and 1
  3. minimize l2 norm of r

For (1) I break once F(x+r) == new target (lines 106-108).

For (2) I purposefully clamp x+r to be within [0,1] (line 27).

For (3) I "try" to keep the value of ||r||_2 as small as possible by incorporating a regularization term as shown in lines 95-96. Apart from the cross entropy loss, I also add a mean(r**2) (also called L2 regularization) term which tries to keep the values of "r" small. I got this idea from the CS231n course notes (http://cs231n.github.io/neural-networks-2/), check the L2 regularization section. So attack.py has the option to use L1/L2/No regularization, which can be set in attack_mnist.py (line 23).

Let me know if you need any other help :)

Thanks for your reply. I just think it's kind of strange. I think in the paper the author converted it from a constrained optimization problem to an unconstrained one: namely, from
min r*r s.t. f(x+r) == l,
to
min (r*r + alpha*dist(f(x+r), l))

I just wondered whether using other methods such as ALM (augmented Lagrangian) would be better.
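
An added example, not part of the thread or the repository's code: it compares the stop-at-first-success rule from the maintainer's reply with a bisection over the penalty weight c in the unconstrained form from the follow-up, to show how far the early-stopped ||r|| sits from the true distance to the decision boundary. The 2-D logistic model, the input, the step sizes and the bisection itself are constructed assumptions chosen so the minimum norm is known in closed form.

```python
import math

# Constructed toy model (an assumption, not from the repository):
# class 1 when W.x + B > 0. X starts in class 0; the target is class 1.
W, B = (2.0, -1.0), -0.5
X = (0.2, 0.6)

def logit(r):
    return sum(w * (x + d) for w, x, d in zip(W, X, r)) + B

def norm(v):
    return math.sqrt(sum(d * d for d in v))

def step(r, c, lr):
    """One projected gradient step on c*||r||^2 + log(1 + exp(-logit))."""
    s = 1.0 / (1.0 + math.exp(logit(r)))              # sigmoid(-logit)
    r = [d - lr * (2 * c * d - s * w) for d, w in zip(r, W)]
    # Projection keeps x + r inside [0, 1] (constraint 2 in the thread).
    return [min(1.0, max(0.0, x + d)) - x for x, d in zip(X, r)]

def early_stop(c=0.1, lr=0.1, max_steps=1000):
    """Stop at the first iterate classified as the target (rule 1 in the thread)."""
    r = [0.0, 0.0]
    for _ in range(max_steps):
        if logit(r) > 0:
            break
        r = step(r, c, lr)
    return r

def minimize(c, steps=2000):
    """Run the same descent to convergence for a fixed weight c."""
    lr = 1.0 / (2 * c + 0.25 * sum(w * w for w in W))  # 1/L for this objective
    r = [0.0, 0.0]
    for _ in range(steps):
        r = step(r, c, lr)
    return r

def search_c(lo=0.01, hi=10.0, rounds=30):
    """Bisect for the largest c whose converged r is still classified as the target."""
    best = minimize(lo)
    for _ in range(rounds):
        mid = (lo + hi) / 2
        r = minimize(mid)
        if logit(r) > 0:
            lo, best = mid, r
        else:
            hi = mid
    return best

if __name__ == "__main__":
    print("early stop      :", norm(early_stop()))
    print("bisection on c  :", norm(search_c()))
    print("boundary distance:", abs(logit([0.0, 0.0])) / norm(W))
```

For a linear model the early-stopped perturbation overshoots the boundary by at most one gradient step, so the gap shrinks with the step size; when the norm is used as a robustness measurement, the early-stopped value is an upper bound rather than the minimum.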