-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
L¹ FGM
is wrong + extend to all p >= 1
#2381
Comments
Hi @ego-thales Thank you for this comment. Without deciding on the correctness yet, how did you notice this issue? Have you already checked which version the literature on FGM is using? |
Thanks for your answer, I've stumbled upon this because while reading FGSM paper (the reference for implementation), I thought about generalizing to |
Actually, now that I think about it, I don't see any reason why this attack is not generalized to any Let
As such, it would be a nice addition to entirely generalize |
FGM
is wrong + extend to all _p_FGM
is wrong + extend to all p >= 1
Hi @ego-thales Thank you very much for the explanation and pull request! Let me take a closer look at the required changes. Related to this issue in FGSM, what do you think about the perturbation per iteration and overall perturbation calculation for p=1 in the Projected Gradient Descent attacks in |
I'm not entirely sure but it looks to me after a quick glance that PGD was implemented as a subs class of FGSM and inherits its loss from it. |
Hello,
I'm not sure, but I think the$L¹$ norm is not correct.
FGM
extension toFrom what I can read here, it seems to me that the current version implements (essentially)
$$\text{noise direction}=\frac{\nabla}{\Vert\nabla\Vert_1}$$
$$\text{noise direction}=(0, \dots, 0, \text{sign}(a_i), 0, \dots, 0),\quad(i=\text{argmax}_j\vert\nabla_j\vert)$$ $\langle\nabla,\text{noise direction}\rangle$ for the same $L¹$ budget.
when
gives a higher inner product
Indeed, in both cases$\Vert\text{noise direction}\Vert_1=1$ while the first and second options respectively give $\Vert\nabla\Vert_2/\Vert\nabla\Vert_1$ and $\Vert\nabla\Vert_{\infty}$ . The latter is of course bigger due to Hölder's inequality.
Edit: See here for generalization to all$p\in[1, +\infty]$ .
The text was updated successfully, but these errors were encountered: