Implement smoothed Vision Transformer as defense against patch evasion attacks #2171

Merged
merged 57 commits into from
Sep 18, 2023

GiulioZizzo
Collaborator

Description

In this PR we include functionality for Certified Patch Robustness via Smoothed Vision Transformers proposed in Salman, Hadi, et al. "Certified patch robustness via smoothed vision transformers." Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition. 2022.

This algorithm achieves very strong certified performance against patch attacks against Vision Transformers by performing image ablations.

Fixes # (issue)

Type of change

Please check all relevant options.

  • Improvement (non-breaking)
  • Bug fix (non-breaking)
  • New feature (non-breaking)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update

Testing

Please describe the tests that you ran to verify your changes. Consider listing any relevant details of your test configuration.

Tests included in: tests/estimators/certification/test_smooth_vit.py

Test Configuration:

  • MacOS/Linux
  • Python version: 3.8
  • ART version or commit number: 1.14
  • PyTorch 1.13

Checklist

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
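
The following is an added illustration of the idea the description names, certifying a prediction against patches by voting over image ablations; it is not code from this pull request or from ART. The function names, the toy classifier standing in for the Vision Transformer, and the sample image are constructed for the example, and the vote-margin condition is the standard derandomized-smoothing certificate for column ablations, assumed here in its conservative strict form.

```python
import numpy as np

def ablate_column(x, column_pos, ablation_size):
    """Zero everything except a vertical band of `ablation_size` columns
    starting at `column_pos`, wrapping around the right edge. x is (C, H, W)."""
    keep = np.arange(column_pos, column_pos + ablation_size) % x.shape[-1]
    out = np.zeros_like(x)
    out[..., keep] = x[..., keep]
    return out

def vote_counts(classify, x, ablation_size, nb_classes):
    """Classify every column ablation of x and tally the votes per class."""
    counts = np.zeros(nb_classes, dtype=int)
    for pos in range(x.shape[-1]):
        counts[classify(ablate_column(x, pos, ablation_size))] += 1
    return counts

def certify(counts, ablation_size, patch_size):
    """Return (predicted class, certified?). A patch `patch_size` columns wide
    overlaps at most patch_size + ablation_size - 1 bands, and each overlapped
    band can move one vote from the top class to the runner-up."""
    affected = patch_size + ablation_size - 1
    order = np.argsort(-counts, kind="stable")
    margin = counts[order[0]] - counts[order[1]]
    # Strict inequality: conservative whatever the tie-breaking rule is.
    return int(order[0]), bool(margin > 2 * affected)

def toy_classifier(band):
    # Constructed stand-in for the ViT: class 1 if visible pixels sum > 0.
    return int(band.sum() > 0)

def demo():
    clean = np.ones((3, 32, 32), dtype=np.float32)   # constructed input
    patched = clean.copy()
    patched[:, 0:5, 10:15] = -100.0                  # constructed 5x5 patch
    clean_counts = vote_counts(toy_classifier, clean, 4, 2)
    patched_counts = vote_counts(toy_classifier, patched, 4, 2)
    return (clean_counts.tolist(), certify(clean_counts, 4, 5),
            patched_counts.tolist(), certify(patched_counts, 4, 5))

if __name__ == "__main__":
    print(demo())
```

The clean image is certified for a 5-column patch, and the patched copy flips only the 8 bands it overlaps, so the majority vote is unchanged even though the patched input itself no longer has enough margin to be certified.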

@GiulioZizzo GiulioZizzo changed the base branch from main to dev_1.15.0 May 30, 2023 08:45
codecov-commenter commented May 30, 2023

Codecov Report

Merging #2171 (fd69156) into dev_1.16.0 (c048a5c) will increase coverage by 0.36%.
The diff coverage is 70.91%.


@@              Coverage Diff               @@
##           dev_1.16.0    #2171      +/-   ##
==============================================
+ Coverage       85.24%   85.61%   +0.36%     
==============================================
  Files             318      323       +5     
  Lines           28716    29176     +460     
  Branches         5260     5374     +114     
==============================================
+ Hits            24480    24979     +499     
+ Misses           2921     2824      -97     
- Partials         1315     1373      +58     
Files Changed Coverage Δ
art/estimators/certification/__init__.py 100.00% <ø> (ø)
...s/certification/derandomized_smoothing/__init__.py 100.00% <ø> (ø)
...rs/certification/derandomized_smoothing/pytorch.py 58.73% <54.66%> (-20.58%) ⬇️
...certification/derandomized_smoothing/tensorflow.py 63.30% <55.84%> (-20.04%) ⬇️
...cation/derandomized_smoothing/ablators/__init__.py 75.00% <75.00%> (ø)
...ication/derandomized_smoothing/ablators/pytorch.py 86.89% <86.89%> (ø)
...tion/derandomized_smoothing/ablators/tensorflow.py 81.81% <87.09%> (ø)
...andomized_smoothing/vision_transformers/pytorch.py 93.65% <93.65%> (ø)
...fication/derandomized_smoothing/ablators/ablate.py 100.00% <100.00%> (ø)
...rtification/derandomized_smoothing/derandomized.py 100.00% <100.00%> (ø)

... and 7 files with indirect coverage changes

@beat-buesser beat-buesser changed the title Smoothed vit Implement smoothed Vision Transformer as defense against patch evasion attacks Jun 6, 2023
@beat-buesser beat-buesser self-assigned this Jun 9, 2023
@beat-buesser beat-buesser self-requested a review June 9, 2023 13:08
@beat-buesser beat-buesser added the enhancement New feature or request label Jun 14, 2023
@beat-buesser beat-buesser added this to the ART 1.15.0 milestone Jun 14, 2023
Collaborator

@beat-buesser beat-buesser left a comment

Hi @GiulioZizzo Thank you very much for your pull request. I have added a few suggestions above, what do you think?

Comment on lines 148 to 149
Create a ArtViT instance
:param kwargs: keyword arguments required to create the mask embedder.
Collaborator

Please add all arguments specifically.

Suggested change
Create a ArtViT instance
:param kwargs: keyword arguments required to create the mask embedder.
Create a ArtViT instance
:param kwargs: keyword arguments required to create the mask embedder.

raise ValueError("Projection layer not yet created.")


class ArtViT(VisionTransformer):
Collaborator

Is this like a model-specific or architecture-specific object detection estimator?

@beat-buesser beat-buesser modified the milestones: ART 1.15.0, ART 1.16.0 Jun 28, 2023
@GiulioZizzo GiulioZizzo changed the base branch from dev_1.15.0 to dev_1.16.0 August 3, 2023 13:13
@GiulioZizzo GiulioZizzo force-pushed the smoothed_vit branch 4 times, most recently from 7f00384 to b7f8229 Compare August 6, 2023 14:30
@GiulioZizzo GiulioZizzo marked this pull request as draft August 25, 2023 12:49
GiulioZizzo and others added 15 commits August 31, 2023 15:44
Signed-off-by: GiulioZizzo <giulio.zizzo@yahoo.co.uk>
…in test CI pipeline

Signed-off-by: GiulioZizzo <giulio.zizzo@yahoo.co.uk>
Signed-off-by: GiulioZizzo <giulio.zizzo@yahoo.co.uk>
Signed-off-by: GiulioZizzo <giulio.zizzo@yahoo.co.uk>
Signed-off-by: GiulioZizzo <giulio.zizzo@yahoo.co.uk>
Signed-off-by: GiulioZizzo <giulio.zizzo@yahoo.co.uk>
…dding progress bar to tf to match pytorch

Signed-off-by: GiulioZizzo <giulio.zizzo@yahoo.co.uk>
Signed-off-by: GiulioZizzo <giulio.zizzo@yahoo.co.uk>
Co-authored-by: Beat Buesser <49047826+beat-buesser@users.noreply.github.com>
Signed-off-by: GiulioZizzo <giulio.zizzo@yahoo.co.uk>
Signed-off-by: GiulioZizzo <giulio.zizzo@yahoo.co.uk>
Signed-off-by: GiulioZizzo <giulio.zizzo@yahoo.co.uk>
Signed-off-by: GiulioZizzo <giulio.zizzo@yahoo.co.uk>
Signed-off-by: GiulioZizzo <giulio.zizzo@yahoo.co.uk>
Signed-off-by: GiulioZizzo <giulio.zizzo@yahoo.co.uk>
Signed-off-by: GiulioZizzo <giulio.zizzo@yahoo.co.uk>
@GiulioZizzo GiulioZizzo reopened this Aug 31, 2023
Collaborator

@beat-buesser beat-buesser left a comment

Hi @GiulioZizzo Thank you very much for your updates. I have added a few more items I think we should consider.

raise NotImplementedError

@abstractmethod
def ablate(self, x: np.ndarray, column_pos: int, row_pos: int) -> Union[np.ndarray, "torch.Tensor"]:
Collaborator

Suggested change
def ablate(self, x: np.ndarray, column_pos: int, row_pos: int) -> Union[np.ndarray, "torch.Tensor"]:
def ablate(self, x: np.ndarray, column_pos: int, row_pos: Optional[int] = None) -> Union[np.ndarray, "torch.Tensor"]:

Collaborator Author

Current signature type-hinting is required by mypy due to https://mypy.readthedocs.io/en/stable/common_issues.html#incompatible-overrides

I.e. we can go to a more general argument type in the subclass, but we cannot start with a more general type-hint in the base class and go to a more specific type.

cifar_labels = fix_get_cifar10_data[1][:50]

scheduler = torch.optim.lr_scheduler.MultiStepLR(art_model.optimizer, milestones=[1], gamma=0.1)
art_model.fit(cifar_data, cifar_labels, nb_epochs=1, update_batchnorm=True, scheduler=scheduler, batch_size=128)
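
Review bot: The scheduler in this test is built with milestones=[1] while fit runs with nb_epochs=1, so, assuming the scheduler is stepped once per epoch, the learning-rate drop only happens after the last update and no step is ever taken at the reduced rate. Consider nb_epochs=2 or a milestone that falls inside the run, and assert on the optimizer's learning rate afterwards so the scheduler path is actually checked. With the labels sliced to 50 and batch_size=128, the epoch is also a single batch.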
Collaborator

Please add an assert to this test to verify the outcome of the call to fit.

Collaborator Author

assertions for test_equivalence are in the forward_features method above: this test is just to check the intermediate values are equivalent.

logger = logging.getLogger(__name__)


class PyTorchSmoothedViT:
Collaborator

I think it should be combined into a single class PyTorchDeRandomizedSmoothing.

Signed-off-by: GiulioZizzo <giulio.zizzo@yahoo.co.uk>
Signed-off-by: GiulioZizzo <giulio.zizzo@yahoo.co.uk>
Collaborator

@beat-buesser beat-buesser left a comment

Please move the 3 binary files in tests/estimators/certification/smooth_vit/smooth_vit_results to utils/resources/models.

GiulioZizzo and others added 2 commits September 12, 2023 14:23
Co-authored-by: Beat Buesser <49047826+beat-buesser@users.noreply.github.com>
Signed-off-by: GiulioZizzo <giulio.zizzo@yahoo.co.uk>
Signed-off-by: GiulioZizzo <giulio.zizzo@yahoo.co.uk>
beat-buesser and others added 2 commits September 14, 2023 17:23
Signed-off-by: GiulioZizzo <giulio.zizzo@yahoo.co.uk>
@beat-buesser beat-buesser merged commit cbbd91c into Trusted-AI:dev_1.16.0 Sep 18, 2023
37 checks passed