# PyTorch Adversarial Training on CIFAR-10

This repository provides simple PyTorch implementations of adversarial training methods on CIFAR-10, and achieves accuracies similar to those reported in the original papers.

If you have questions about this repository, please send an e-mail to me ([email protected]) or open an issue.

The basic experiment settings used in this repository follow the settings used by the Madry Laboratory.
- Dataset: CIFAR-10 (10 classes)
- Attack method: PGD attack
  - Epsilon size: 0.0314 for the L-infinity bound
  - Epsilon size: 0.25 (for attack) or 0.5 (for training) for the L2 bound
- Training batch size: 128
- Weight decay: 0.0002
- Momentum: 0.9
- Learning rate adjustment:
  - 0.1 for epochs [0, 100)
  - 0.01 for epochs [100, 150)
  - 0.001 for epochs [150, 200)
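The L-infinity PGD attack used with the epsilon above can be sketched as follows. This is a minimal sketch of the standard attack, not the exact code in this repository; the step size `alpha` and iteration count are illustrative choices.

```python
import torch
import torch.nn as nn

def pgd_linf_attack(model, x, y, eps=0.0314, alpha=0.00784, steps=7):
    """Standard L-infinity PGD: iterated signed-gradient ascent steps,
    projected back onto the eps-ball around the clean input."""
    # Random start inside the eps-ball (Madry-style initialization).
    x_adv = (x + torch.empty_like(x).uniform_(-eps, eps)).clamp(0, 1).detach()
    loss_fn = nn.CrossEntropyLoss()
    for _ in range(steps):
        x_adv.requires_grad_(True)
        loss = loss_fn(model(x_adv), y)
        grad = torch.autograd.grad(loss, x_adv)[0]
        with torch.no_grad():
            x_adv = x_adv + alpha * grad.sign()                      # ascent step
            x_adv = torch.min(torch.max(x_adv, x - eps), x + eps)    # project to eps-ball
            x_adv = x_adv.clamp(0, 1)                                # keep valid pixel range
    return x_adv.detach()
```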
## 1. Basic Training

The basic training method adopts the ResNet-18 architecture proposed by Kaiming He et al. in CVPR 2016. However, the architecture in this repository takes 32 × 32 inputs for CIFAR-10 (the original ResNet-18 is designed for ImageNet). This ResNet-18 is smaller than the wide architecture used by the Madry Laboratory, but its performance is similar.
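The usual way to adapt ResNet-18 from ImageNet to 32 × 32 inputs is to change the stem: a 3 × 3 convolution with stride 1 and no max-pool replaces the aggressive 7 × 7 stride-2 convolution plus pooling. The comparison below illustrates this common CIFAR modification; it is not necessarily the exact code in this repository.

```python
import torch
import torch.nn as nn

# ImageNet ResNet-18 stem: 7x7 conv (stride 2) + 3x3 max-pool, i.e. 4x spatial
# downsampling before the residual stages -- too aggressive for 32x32 images.
imagenet_stem = nn.Sequential(
    nn.Conv2d(3, 64, kernel_size=7, stride=2, padding=3, bias=False),
    nn.BatchNorm2d(64),
    nn.ReLU(inplace=True),
    nn.MaxPool2d(kernel_size=3, stride=2, padding=1),
)

# Common CIFAR-10 variant: 3x3 conv (stride 1) and no max-pool, so the
# residual stages see the full 32x32 resolution.
cifar_stem = nn.Sequential(
    nn.Conv2d(3, 64, kernel_size=3, stride=1, padding=1, bias=False),
    nn.BatchNorm2d(64),
    nn.ReLU(inplace=True),
)

x = torch.randn(4, 3, 32, 32)
print(imagenet_stem(x).shape)  # torch.Size([4, 64, 8, 8])
print(cifar_stem(x).shape)     # torch.Size([4, 64, 32, 32])
```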
```
python3 basic_training.py
```
| | This repository |
|---|---|
| Benign accuracy | 95.28% |
| Robust accuracy (L-infinity PGD) | 1.02% |
## 2. PGD Adversarial Training

This defense method was proposed by Aleksander Madry et al. in ICLR 2018.
```
python3 pgd_adversarial_training.py
```
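PGD adversarial training solves a min-max problem: the inner maximization crafts a PGD adversarial batch against the current model, and the outer minimization updates the weights on that batch. A minimal sketch of one training step, assuming the standard formulation (step size and iteration count are illustrative, not taken from this repository):

```python
import torch
import torch.nn as nn

def adv_train_step(model, optimizer, x, y, eps=0.0314, alpha=0.00784, steps=7):
    """One step of PGD adversarial training (Madry et al. style sketch)."""
    loss_fn = nn.CrossEntropyLoss()
    # Inner maximization: PGD from a random start inside the eps-ball.
    x_adv = (x + torch.empty_like(x).uniform_(-eps, eps)).clamp(0, 1).detach()
    for _ in range(steps):
        x_adv.requires_grad_(True)
        grad = torch.autograd.grad(loss_fn(model(x_adv), y), x_adv)[0]
        with torch.no_grad():
            x_adv = x_adv + alpha * grad.sign()
            x_adv = torch.min(torch.max(x_adv, x - eps), x + eps).clamp(0, 1)
    # Outer minimization: a standard optimizer step on the adversarial batch.
    optimizer.zero_grad()
    loss = loss_fn(model(x_adv.detach()), y)
    loss.backward()
    optimizer.step()
    return loss.item()
```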
| | This repository | Original paper (wide) |
|---|---|---|
| Benign accuracy | 83.53% | 87.30% |
| Robust accuracy (L-infinity PGD) | 46.07% | 50.00% |
## 3. Interpolated Adversarial Training (IAT)

This defense method was proposed by Alex Lamb et al. in AISec 2019.
```
python3 interpolated_adversarial_training.py
```
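IAT combines adversarial training with mixup: the loss averages a mixup loss on clean inputs and a mixup loss on adversarial inputs. A minimal sketch of the loss, assuming a standard mixup formulation (`x_adv` would come from a PGD attack, not shown here; exact details may differ from this repository):

```python
import torch
import torch.nn as nn

def mixup(x, y, alpha=1.0):
    """Mixup: convex combination of a batch with a shuffled copy of itself."""
    lam = torch.distributions.Beta(alpha, alpha).sample().item()
    idx = torch.randperm(x.size(0))
    return lam * x + (1 - lam) * x[idx], y, y[idx], lam

def iat_loss(model, x, x_adv, y):
    """IAT sketch: average the mixup losses on clean and adversarial batches."""
    ce = nn.CrossEntropyLoss()
    xm, ya, yb, lam = mixup(x, y)
    out = model(xm)
    clean_loss = lam * ce(out, ya) + (1 - lam) * ce(out, yb)
    xm_adv, ya, yb, lam = mixup(x_adv, y)
    out_adv = model(xm_adv)
    adv_loss = lam * ce(out_adv, ya) + (1 - lam) * ce(out_adv, yb)
    return 0.5 * (clean_loss + adv_loss)
```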
| | This repository | Original paper |
|---|---|---|
| Benign accuracy | 91.86% | 89.88% |
| Robust accuracy (L-infinity PGD) | 44.76% | 44.57% |
## 4. Basic Training with Robust Dataset

A normal dataset can be split into a robust dataset and a non-robust dataset. The robust dataset here is constructed from an L2 adversarially trained model (epsilon = 0.5). The construction method for the robust dataset was proposed by Andrew Ilyas et al. in NeurIPS 2019.

Dataset download: Robust Dataset
```
python3 basic_training_with_robust_dataset.py
```
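The robust-dataset construction (Ilyas et al.) starts from an unrelated image and optimizes it in input space so that a robust model's penultimate features match those of the target image; the result keeps the target's label but, ideally, only its robust features. A minimal sketch, assuming plain gradient descent on the feature-matching loss (the paper uses normalized gradient steps; `feature_extractor`, step count, and learning rate here are illustrative):

```python
import torch

def robustify(feature_extractor, x_target, x_init, steps=100, lr=0.1):
    """Robust-dataset sketch: optimize x_init so the (robust) model's
    features match those of x_target; label the result with x_target's label."""
    with torch.no_grad():
        target_feats = feature_extractor(x_target)
    x_r = x_init.clone().detach().requires_grad_(True)
    opt = torch.optim.SGD([x_r], lr=lr)
    for _ in range(steps):
        opt.zero_grad()
        loss = ((feature_extractor(x_r) - target_feats) ** 2).mean()
        loss.backward()
        opt.step()
        with torch.no_grad():
            x_r.clamp_(0, 1)  # stay in the valid pixel range
    return x_r.detach()
```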
| | This repository | Original paper (wide) |
|---|---|---|
| Benign accuracy | 78.69% | 84.10% |
| Robust accuracy (L2 PGD 0.25) | 37.96% | 48.27% |
## 5. Basic Training with Non-robust Dataset

The normal dataset can be split into a robust dataset and a non-robust dataset. The non-robust dataset here is constructed from an L2 adversarially trained model (epsilon = 0.5). The construction method for the non-robust dataset was proposed by Andrew Ilyas et al. in NeurIPS 2019.

Dataset download: Non-robust Dataset
```
python3 basic_training_with_non_robust_dataset.py
```
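The non-robust-dataset construction adds a small L2-bounded targeted perturbation so that a model predicts a chosen target class, then relabels the image with that target: only non-robust features now agree with the new label. A minimal sketch, assuming a standard targeted L2 PGD (step size and iteration count are illustrative, not taken from this repository):

```python
import torch
import torch.nn as nn

def make_non_robust_example(model, x, target, eps=0.5, alpha=0.1, steps=20):
    """Non-robust dataset sketch: targeted L2 perturbation toward `target`,
    then relabel the perturbed image as `target`."""
    ce = nn.CrossEntropyLoss()
    x_adv = x.clone().detach()
    for _ in range(steps):
        x_adv.requires_grad_(True)
        grad = torch.autograd.grad(ce(model(x_adv), target), x_adv)[0]
        with torch.no_grad():
            # Normalized L2 descent step toward the target class.
            g = grad / (grad.flatten(1).norm(dim=1).view(-1, *[1] * (x.dim() - 1)) + 1e-12)
            x_adv = x_adv - alpha * g
            # Project back into the L2 eps-ball around the clean image.
            delta = x_adv - x
            norms = delta.flatten(1).norm(dim=1).view(-1, *[1] * (x.dim() - 1))
            delta = delta * torch.clamp(eps / (norms + 1e-12), max=1.0)
            x_adv = torch.clamp(x + delta, 0, 1)
    return x_adv.detach(), target  # image is relabeled with the target class
```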
| | This repository | Original paper (wide) |
|---|---|---|
| Benign accuracy | 82.00% | 87.68% |
| Robust accuracy (L2 PGD 0.25) | 0.10% | 0.82% |
## Testing

The attack method used for evaluation is the PGD attack. All pre-trained models are provided in this repository :)

```
python3 test.py
```