Attack > Evasion > Momentum Iterative Method: major issues
eliegoudout opened this issue · comments
Stumbled upon 2 issues regarding the implementation of the momentum for Fast Gradient Method adversarial attack:
- The momentum is not computed the right way (see #2382 (comment));
- The implementation relies on in-place modification of the
momentum
variable as a side effect, which doesn't always seem to work as expected (see #2382 (comment)). As such, I believe that the current momentum iterative attack is actually only BIM!
The first issue should be fixed by #2382, while the second should be independently investigated and fixed, as it may require some refactoring. Furthermore, it could be well-advised to add a test for a different decay value.
Edit: It looks like the tensorflow framework doesn't work with the in-place modification.
Quick notes for me when I'll fix it:
ProjectedGradientDescent.__init__
doesn't havedecay
attribute (but I guess it's fine, it's inself._attack
)- TF:
_compute_tf
(has nodecay
argument) calls_compute_perturbation
withdecay=self.decay
, - Torch:
_compute_perturbation_pytorch
(name inconsistency!) doesn't havedecay
as argument (signature inconsistency!) - Numpy: Rests on
FastGradient
. Method_compute
takesdecay
as argument (signature inconsistency!) and calls_compute_perturbation
withdecay=decay
.