Commit
•
43f58eb
1
Parent(s):
c5eb2e7
Update README.md
Browse files
README.md
CHANGED
|
@@ -1,3 +1,81 @@
|
|
| 1 |
---
|
| 2 |
license: mit
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3 |
---
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1 |
---
|
| 2 |
license: mit
|
| 3 |
+
datasets:
|
| 4 |
+
- imagenet-1k
|
| 5 |
+
metrics:
|
| 6 |
+
- accuracy
|
| 7 |
+
tags:
|
| 8 |
+
- adversarial machine learning
|
| 9 |
---
|
| 10 |
+
|
| 11 |
+
|
| 12 |
+
|
| 13 |
+
## RobArch: Designing Robust Architectures against Adversarial Attacks
|
| 14 |
+
*ShengYun Peng, Weilin Xu, Cory Cornelius, Kevin Li, Rahul Duggal, Duen Horng Chau, Jason Martin*
|
| 15 |
+
|
| 16 |
+
Check https://github.com/ShengYun-Peng/RobArch for the complete code.
|
| 17 |
+
|
| 18 |
+
### Abstract
|
| 19 |
+
Adversarial Training is the most effective approach for improving the robustness of Deep Neural Networks (DNNs). However, compared to the large body of research in optimizing the adversarial training process, there are few investigations into how architecture components affect robustness, and they rarely constrain model capacity. Thus, it is unclear where robustness precisely comes from. In this work, we present the first large-scale systematic study on the robustness of DNN architecture components under fixed parameter budgets. Through our investigation, we distill 18 actionable robust network design guidelines that empower model developers to gain deep insights. We demonstrate these guidelines' effectiveness by introducing the novel Robust Architecture (RobArch) model that instantiates the guidelines to build a family of top-performing models across parameter capacities against strong adversarial attacks. RobArch achieves the new state-of-the-art AutoAttack accuracy on the RobustBench ImageNet leaderboard.
|
| 20 |
+
|
| 21 |
+
|
| 22 |
+
### Prerequisites
|
| 23 |
+
1. Register Weights & Biases [account](https://wandb.ai/site)
|
| 24 |
+
2. Prepare ImageNet via [Fast AT - Installation step 3 & 4](https://github.com/locuslab/fast_adversarial/tree/master/ImageNet)
|
| 25 |
+
> Run step 4 only if you want to use Fast-AT.
|
| 26 |
+
3. Set up venv:
|
| 27 |
+
```bash
|
| 28 |
+
make .venv_done
|
| 29 |
+
```
|
| 30 |
+
|
| 31 |
+
### Training
|
| 32 |
+
Fast-AT is much faster than standard PGD AT. For RobArch-S, Fast-AT takes ~1.5 days on 2 Nvidia A100s, but ~5 days on 4 Nvidia A100s.
|
| 33 |
+
#### Torchvision models - Fast AT (e.g., ResNet-50)
|
| 34 |
+
```bash
|
| 35 |
+
make BASE=<imagenet root dir> WANDB_ACCOUNT=<name> experiments/Torch_ResNet50/.done_test_pgd
|
| 36 |
+
```
|
| 37 |
+
If you want to test other off-the-shelf models in [torchvision](https://pytorch.org/vision/stable/models.html#classification), add the model name in [MODEL.mk](MODEL.mk), and create a new make target by following other ResNets/WideResNets in [Makefile](Makefile).
|
| 38 |
+
#### RobArch - Fast AT (e.g., RobArch-S)
|
| 39 |
+
```bash
|
| 40 |
+
make BASE=<imagenet root dir> WANDB_ACCOUNT=<name> experiments/RobArch_S/.done_test_pgd
|
| 41 |
+
```
|
| 42 |
+
|
| 43 |
+
#### RobArch - Standard PGD AT (e.g., RobArch-S)
|
| 44 |
+
```bash
|
| 45 |
+
# Training
|
| 46 |
+
make BASE=<imagenet root dir> WANDB_ACCOUNT=<name> experiments/PGDAT_RobArch_S/.done_train
|
| 47 |
+
|
| 48 |
+
# Evaluation on PGD
|
| 49 |
+
make BASE=<imagenet root dir> WANDB_ACCOUNT=<name> experiments/PGDAT_RobArch_S/.done_test_pgd
|
| 50 |
+
|
| 51 |
+
# Evaluation on AutoAttack
|
| 52 |
+
make BASE=<imagenet root dir> WANDB_ACCOUNT=<name> experiments/PGDAT_RobArch_S/.done_test_aa
|
| 53 |
+
|
| 54 |
+
# Pretrained models evaluated on AutoAttack
|
| 55 |
+
make BASE=<imagenet root dir> WANDB_ACCOUNT=<name> experiments/PGDAT_RobArch_S/.done_test_pretrained
|
| 56 |
+
```
|
| 57 |
+
|
| 58 |
+
|
| 59 |
+
### Pretrained models
|
| 60 |
+
- ImageNet $\ell_\infty$-norm
|
| 61 |
+
|
| 62 |
+
| Architecture | #Param | Natural | AutoAttack | PGD10-4 | PGD50-4 | PGD100-4 | PGD100-2 | PGD100-8 |
|
| 63 |
+
| :--: | :--: | :--: | :--: | :--: | :--: | :--: | :--: | :--: |
|
| 64 |
+
| [RobArch-S](https://huggingface.co/poloclub/RobArch/resolve/main/pretrained/robarch_s.pt) | 26M | 70.17% | 44.14% | 48.19% | 47.78% | 47.77% | 60.06% | 21.77% |
|
| 65 |
+
| [RobArch-M](https://huggingface.co/poloclub/RobArch/resolve/main/pretrained/robarch_m.pt) | 46M | 71.88% | 46.26% | 49.84% | 49.32% | 49.30% | 61.89% | 23.01% |
|
| 66 |
+
| [RobArch-L](https://huggingface.co/poloclub/RobArch/resolve/main/pretrained/robarch_l.pt) | 104M | 73.44% | 48.94% | 51.72% | 51.04% | 51.03% | 63.49% | 25.31% |
|
| 67 |
+
|
| 68 |
+
|
| 69 |
+
|
| 70 |
+
### Citation
|
| 71 |
+
|
| 72 |
+
```bibtex
|
| 73 |
+
@misc{peng2023robarch,
|
| 74 |
+
title={RobArch: Designing Robust Architectures against Adversarial Attacks},
|
| 75 |
+
author={ShengYun Peng and Weilin Xu and Cory Cornelius and Kevin Li and Rahul Duggal and Duen Horng Chau and Jason Martin},
|
| 76 |
+
year={2023},
|
| 77 |
+
eprint={2301.03110},
|
| 78 |
+
archivePrefix={arXiv},
|
| 79 |
+
primaryClass={cs.CV}
|
| 80 |
+
}
|
| 81 |
+
```
|