Sweep Attacks

Armory supports running adversarial attacks which "sweep" over a range of values for specified attack parameters (e.g. "eps"). This helps automate the process of determining at what attack parameter values (i.e. perturbation budget) a defense is no longer robust. The attack returns the weakest-strength adversarial example that is successful, or the original input if the attack fails at all values.

To enable such an attack, set attack_config["type"] to "sweep". 

"attack": {
    "module": "art.attacks.evasion",
    "name": "ProjectedGradientDescent",
    ...
    "type": "sweep"
}

Next, specify which parameter(s) to perform the search over. This is done using the attack_config["sweep_params"]["kwargs"] field for kwargs passed to attack instantiation and the attack_config["sweep_params"]["generate_kwargs"] field for kwargs passed to the attack's generate() method. In the example below we sweep over the "eps" and "eps_step" parameters:

"attack": {
    "module": "art.attacks.evasion",
    "name": "ProjectedGradientDescent",
    "type": "sweep",
    "sweep_params": {
        "kwargs": {
            "eps": [0.01, 0.02, 0.03, 0.04, 0.05, 0.06, 0.07, 0.08],
            "eps_step": [0.005, 0.01, 0.015, 0.02, 0.025, 0.03, 0.035, 0.04]
        }
    }
}

Similarly, in the following example, we sweep over kwargs passed to the attack's generate() method using the "generate_kwargs" field inside attack_config["sweep_params"]:

"attack": {
    "module": "armory.art_experimental.attacks.pgd_patch",
    "name": "PGDPatch",
    "type": "sweep",
    "sweep_params": {
        "generate_kwargs": {
            "patch_height": [10, 20, 30, 40, 50],
            "patch_width": [10, 20, 30, 40, 50]
        }
    }
}

Each range of sweep parameters must be specified with a list of length N, where N > 1 is the number of desired search points. All parameters specified inside of attack_config["sweep_params"] must correspond to lists of length N, and the ith element of a given kwarg list will be used in conjunction with the ith element of all other kwarg lists (i.e. in the first example, when "eps" is 0.01, "eps_step" is 0.005 and so on). The search algorithm assumes that parameters lists are in ascending order of attack strength.

Attack parameters to be held constant should be specified in attack_config["kwargs"] and attack_config["generate_kwargs"] as per usual. If the same kwarg (or generate_kwarg) appears in attack_config["kwargs"] and attack_config["sweep_params"]["kwargs"], the former will be ignored.

Determining Attack Success

In order to identify at what point an attack is successful, it is necessary to define how attack success is measured. By default armory.utils.metrics.categorical_accuracy is used to determine whether the predicted label matches the ground-truth. For non-classification scenarios such as object detection or speech recognition, this metric doesn't apply.

Users can specify the task-relevant metric used to measure robustness via the attack_config["sweep_params"]["metric"] field. Inside this field, specify a "module" and "name" which point to the desired metric function. This can be any function f which takes positional arguments y and y_pred as such: f(y, y_pred) and returns a scalar. A "threshold" must also be specified indicating at what metric value that attack is considered successful. For non-targeted attacks, if the value is below the threshold we consider the attack successful, while the opposite is true for targeted attacks.

Additional Configuration Settings

Sweep attacks require access to either ground-truth or target labels y. If the attack is untargeted, set attack_config["use_label"] to true.

To ensure that metrics are saved on a per-example basis, set metric_config["record_metric_per_sample"] to true.