"Make your AI Robust."
MAIR is a PyTorch-based adversarial training framework. The goal of MAIR is to (1) provide an easy implementation of adversarial training methods and (2) make it easier to evaluate the adversarial robustness of deep learning models.
Adversarial training has become the de-facto standard method for improving the robustness of models against adversarial examples. However, during the writing of our paper, we realized that there is no framework integrating adversarial training methods. Therefore, to promote reproducibility and transparency in the field of deep learning, we integrated the algorithms, tools, and pre-trained models.
Citation: If you use this package, please cite the following BibTex (GoogleScholar):
@inproceedings{
kim2023fantastic,
title={Fantastic Robustness Measures: The Secrets of Robust Generalization},
author={Hoki Kim and Jinseong Park and Yujin Choi and Jaewook Lee},
booktitle={Thirty-seventh Conference on Neural Information Processing Systems},
year={2023},
url={https://openreview.net/forum?id=AGVBqJuL0T}
}
Benchmarks on several adversarially trained models are available at our notion.
pip install git+https://github.com/Harry24k/MAIR.git
import mairStep1. Load model as follows:
model = ...
rmodel = mair.RobModel(model, n_classes=10).cuda()Step2. Set trainer as follows:
from mair.defenses import AT
# Set adversarial training method: [Strandard, AT, TRADES, MART].
trainer = AT(rmodel, eps=EPS, alpha=ALPHA, steps=STEPS)
# Set recording information.
trainer.record_rob(train_loader, val_loader, eps=EPS, alpha=2/255, steps=10, std=0.1)
# Set detail training methods.
trainer.setup(optimizer="SGD(lr=0.1, momentum=0.9)",
scheduler="Step(milestones=[100, 150], gamma=0.1)",
scheduler_type="Epoch",
minimizer=None, # or "AWP(rho=5e-3)",
n_epochs=200
)Step3. Fit model as follows:
trainer.fit(train_loader=train_loader,
n_epochs=200,
save_path='./models/',
save_best={"Clean(Val)":"HBO", "PGD(Val)":"HB"},
# 'save_best': model with high PGD are chosen,
# while in similar cases, model with high Clean are selected.
save_type="Epoch",
save_overwrite=False,
record_type="Epoch"
)Step1. Transform model as follows:
model = ...
rmodel = mair.RobModel(model, n_classes=10).cuda()Step2. Evaluate model as follows:
rmodel.eval_accuracy(test_loader) # clean accuracy
rmodel.eval_rob_accuracy_gn(test_loader) # gaussian noise accuracy
rmodel.eval_rob_accuracy_fgsm(test_loader, eps) # FGSM accuracy
rmodel.eval_rob_accuracy_pgd(test_loader, eps, alpha, steps) # PGD accuracyPlease refer to demo for details.
Here is our (selected) benchmark on popular techniques in adversarial training frameworks.
Note that all robustness (or robust accuracy) are measured on CIFAR-10 test dataset against PGD10. Therefore, we should aware that some models might exhibit over-estimated robustness, which should be further verified w/ stronger attacks such as AutoAttack.
Through our notion, you can check more detailed benchmarks.
| Method | Architecture | AWP | Extra Data | Best Robustness | Remark |
|---|---|---|---|---|---|
| AT | ResNet18 | ❌ | ❌ | 52.73 | |
| MART | ResNet18 | ❌ | ❌ | 54.73 | |
| TRADES | ResNet18 | ❌ | ❌ | 53.47 | |
| AT | ResNet18 | ✔️ | ❌ | 55.52 | |
| MART | ResNet18 | ✔️ | ❌ | 57.64 | |
| TRADES | ResNet18 | ✔️ | ❌ | 55.91 | |
| AT | ResNet18 | ✔️ | ✔️ | 56.52 | |
| MART | ResNet18 | ✔️ | ✔️ | 57.93 | 👑 |
| TRADES | ResNet18 | ✔️ | ✔️ | 55.51 |
| Method | Architecture | AWP | Extra Data | Best Robustness | Remark |
|---|---|---|---|---|---|
| AT | WRN28-10 | ❌ | ❌ | 56.00 | |
| MART | WRN28-10 | ❌ | ❌ | 57.69 | |
| TRADES | WRN28-10 | ❌ | ❌ | 56.81 | |
| AT | WRN28-10 | ✔️ | ❌ | 58.70 | |
| MART | WRN28-10 | ✔️ | ❌ | 60.39 | |
| TRADES | WRN28-10 | ✔️ | ❌ | 59.50 | |
| AT | WRN28-10 | ✔️ | ✔️ | 62.65 | |
| MART | WRN28-10 | ✔️ | ✔️ | 63.51 | 👑 |
| TRADES | WRN28-10 | ✔️ | ✔️ | 61.81 |
| Method | Architecture | AWP | Extra Data | Best Robustness | Remark |
|---|---|---|---|---|---|
| AT | WRN34-10 | ❌ | ❌ | 56.19 | |
| MART | WRN34-10 | ❌ | ❌ | 57.56 | |
| TRADES | WRN34-10 | ❌ | ❌ | 56.67 | |
| AT | WRN34-10 | ✔️ | ❌ | 59.63 | |
| MART | WRN34-10 | ✔️ | ❌ | 10.00 | |
| TRADES | WRN34-10 | ✔️ | ❌ | 59.50 | |
| AT | WRN34-10 | ✔️ | ✔️ | 63.30 | |
| MART | WRN34-10 | ✔️ | ✔️ | 64.04 | 👑 |
| TRADES | WRN34-10 | ✔️ | ✔️ | 62.07 |
Based on our notion, we built a hub module to support the direct use of our pretrained models.
from mair.hub import load_pretrained
rmodel = load_pretrained("CIFAR10_ResNet18_AT(eps=8, alpha=2, steps=10)", flag='Best', save_dir="./")Please refer to demo for details.
Or you can use Google-drive.
In each folder, we upload four different files:
log.txt: training log during training.last.pth: model at the end of epoch.init.pth: model at the start of epoch.best.pth: best model selected by the argmentsave_bestintrainer.fit.
To load model,
rmodel.load_dict('./models/.../best.pth')We are excited to share modes with the community, but we've run into a storage limitation on Google Drive. Any help would be greatly appreciated!
We welcome all contribution to MAIR in many forms 😃. Especially, we are looking for diverse adversarial training methods beyond AT, TRADES, and MART.
- Merge measures.
- Generalize attacks gathered from torchattacks.
- ...
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent