The CIFAR10 (ResNet50 )pre-trained model (ε = 0.0) has to be 95.25% but I got 68.51% .

This code to test the model, I used mean and std values from (https://github.com/MadryLab/robustness/blob/master/robustness/datasets.py) :

!wget https://www.dropbox.com/s/yhpp4yws7sgi6lj/cifar_nat.pt?dl=0
!mv cifar_nat.pt?dl=0 natural_model.pt

import torch
from robustness.datasets import CIFAR
from robustness.model_utils import make_and_restore_model
ds = CIFAR('./data/cifar')
model, _ = make_and_restore_model(arch='resnet50', dataset=ds,
             resume_path='natural_model.pt')

test_loader_cifar = torch.utils.data.DataLoader(datasets.CIFAR10(
    root='./data/cifar',train=False, download=True,transform=transforms.Compose(
        [transforms.ToTensor(),transforms.Normalize([0.4914, 0.4822, 0.4465], [0.2023, 0.1994, 0.2010])])), batch_size = 60)


test_acc = 0
model.eval()

for batch_idx, (data, target) in enumerate(test_loader_cifar):
  
  target = target.cuda()
  data = data.cuda()

  output, _ = model(data)
  result = np.where(output.max(1)[1].cpu() == target.cpu())
  test_acc += result[0].shape[0]

  
print(" test_acc = ", test_acc/10000)

Output :
test_acc = 0.6851

Hello,

Thanks for the useful code. The generated adversarial examples work perfectly on my model. I wonder if it's possible to release the Resnet18 pretrained model for my fine-tuning purpose?

Thanks again.

Hi,

Thank you for sharing your pre-trained models!

I am wondering if you can share your initial weights also.

Thank you.

Thanks for this work!

Any future development plans on adversarial attacks on feature importance / model explanations? For instance : https://arxiv.org/abs/1710.10547

The files datasets.py and loaders.py (pip installation on Python 3.5) both contain an f-string, which produces a syntax error since it is a Python 3.6+ feature. After editing the two lines in the package files, it seems to work fine for me.
If the package is meant to be compatible with Python 3.5, this should be changed.

I noticed that when resuming training from checkpoint using the CLI, the checkpoint weights are loaded, but the current epoch and learning schedule are not resumed.

Unless I'm missing something, it looks like it's because the checkpoint is not passed to train_model; see

Seems like an easy fix, as the infrastructure to receive the checkpoint in train_model exists -- when I pass the checkpoint myself, I only get one other error, from

Thoughts?

I got ~0.3% top-5 accuracy with the L-inf and L-2 robust pretrained models made available.
I have the same pytorch and dill versions given in the README.

I have a custom dataset. I have created a subclass of class DataSet as follows:
`
class My_dataset(DataSet):

def __init__(self, ds_name, data_path, std, mean, num_classes, transform_train, transform_test, custom_class):
    self.ds_name = ds_name
    self.data_path = data_path
    self.std = std
    self.mean = mean
    self.num_classes = num_classes
    self.transform_train = transform_train
    self.transform_test = transform_test
    self.custom_class = custom_class
	super().__init__(self.ds_name, 
                     self.data_path, 
                     std=self.std, 
                     mean=self.mean, 
                     num_classes=self.num_classes, 
                     transform_train=self.transform_train, 
                     transform_test=self.transform_test, 
                     custom_class = self.custom_class)
    
def get_model(arch, pretrained):
    self.arch = arch
    self.pretrained = pretrained
    from robustness import imagenet_models # or cifar_models
    assert not self.pretrained, "pretrained only available for ImageNet"
    return imagenet_models.__dict__[self.arch](num_classes=self.num_classes)

`
Note: Somehow the first line of the code does not appear as a code here!

I create an object of class My_dataset.
I obtain the train_loader, val_loader by running the method make_loaders() for the created object (ant_dataset).

But when I run the following code I encounter an error:
model, _ = model_utils.make_and_restore_model(arch='resnet18', dataset=ant_dataset)
Here is the error as an image.

I have tried multiple ways to pass the input and implement get_mode() function. I am not able to understand what is going wrong. Can anyone please help?

Hi, I'm trying to load some of the pretrained DenseNet models from this repository using the make_and_restore_model utility, but when I do I notice the following error

/usr/local/lib/python3.6/dist-packages/robustness/datasets.py in get_model(self, arch, pretrained)
    208         """
    209         return imagenet_models.__dict__[arch](num_classes=self.num_classes, 
--> 210                                         pretrained=pretrained)
    211 
    212 class Places365(DataSet):

TypeError: __init__() got an unexpected keyword argument 'pretrained'

after looking at the densenet.py file I notice something, for the DenseNet option that would actually point to the base DenseNet class which isn't configured as the other classes like densenet121 as an example. Looking further at the code it seems there is a simple solution which is to use _densenet instead as that seems to load a base DenseNet model using the proper arguments. What are your thoughts on this? Thanks much am a big fan of the library!

For normal PyTorch models we'd usually perform some sort of image preprocessing before inference (https://pytorch.org/docs/stable/torchvision/models.html), with a mean and a standard deviation. Do we do the same for the robust pre-trained models in this library?

This code (along with some other projects using it, such as : https://github.com/MadryLab/robust_representations/blob/master/image_inversion.ipynb) load CIFAR, Imagenet, etc from a directory structure with train/test folders etc. However, I could not find a data link for these datasets in this format. The in-built data loaders for these datasets seem to handle these very differently. Could you please point me to the exact datasets that this library intends to use when loading datasets?

I think it would be cleaner if the normalization step were baked into the underlying model rather than being performed by the AttackerModel. Conceptually, the act of normalizing inputs is not related to the AttackerModel. Combining them causes problems. For instance, I'm trying to wrap AttackerModel around a network that already does normalization. My proposed change is to make the dataset optional in the initialization of an AttackerModel:

    def __init__(self, model, dataset=None):
        super(AttackerModel, self).__init__()
        if dataset is None:
            # we can skip the normalize step if we want
            self.normalizer = ch.nn.Identity()
        else:
            self.normalizer = helpers.InputNormalize(dataset.mean, dataset.std)
        self.model = model
        self.attacker = Attacker(model, dataset)

What were the attack parameters used for evaluating the models made available, when running PGD with the L-inf norm? I tried evaluating a normal model (no adversarial training) against the PGD attack wit L-inf norm, eps = 0.03 (~8/255), and attack-lr set to 0.1, and I got ~40% accuracy on perturbed examples, while the table says it was close to zero. What am I doing wrong?

Hi, I am trying to reproduce the experiment results of one paper from your lab 'Adversarial examples are not bugs, they are features' with this repo. In the paper (Table 7), the author mentioned the robust accuracy on cifar10 for the standard training model is 4.49% (l2_bound = 0.25 (Is it the bound on (0,1) pixel space?)). But I can't achieve this accuracy with the same setting(7 steps with a step size of eps/5). (I can only get 11.3%). Do you have any suggestions to help me reproduce the result? Thanks!

For Pytorch 1.7 only:

Hi. I'm getting a UserWarning: Failed to calculate the accuracy. which results in 0 loss for training (so- presumably, an error being thrown during gradient update or something). I'm running the following command (from the examples) on Colab:

python -m robustness.main --dataset cifar --data /path/to/cifar \
   --adv-train 0 --arch resnet18 --out-dir /logs/checkpoints/dir/

Any help? Thanks

Thank authors for all the development and release of this lib. Btw, may I know do you guys use hold-out validation dataset which should be distinguished from test dataset. For example, training and testing the model on CIFAR-10 dataset, for choice and decision of hype-params, the original training dataset is divided into trainset and valset usually with the ratio 9:1. But unfortunately, I find the repo may not implement this function, just using the valset identical to testset. Thanks.

Env:
torch==1.1.0
torchvision=0.3.0
cuda=10
Command running:
python3 -m robustness.main --dataset cifar --data ./data/cifar10/by-image --adv-train 0 --arch resnet50 --out-dir ./logs/
Error got:
Traceback (most recent call last):
File "/opt/conda/lib/python3.6/runpy.py", line 193, in _run_module_as_main
"main", mod_spec)
File "/opt/conda/lib/python3.6/runpy.py", line 85, in _run_code
exec(code, run_globals)
File "/workspace/robustness/main.py", line 112, in
store = setup_store_with_metadata(args)
File "/workspace/robustness/main.py", line 103, in setup_store_with_metadata
store['metadata'].append_row(args_dict)
File "/opt/conda/lib/python3.6/site-packages/cox/store.py", line 296, in append_row
self.flush_row()
File "/opt/conda/lib/python3.6/site-packages/cox/store.py", line 416, in flush_row
self._HDFStore.append(self._name, df, table=True)
TypeError: append() got an unexpected keyword argument 'table'

Seems like a cox library error?

I'm trying to load the models in PyTorch.

from torchvision import models
model_load = models.resnet50()
model_robust = torch.load('robust_imagenet_models/imagenet_linf_8.pt')['model']
model_load.load_state_dict(model_robust, strict=False)

Upon doing so, I get the following error.

_IncompatibleKeys(missing_keys=['conv1.weight', 'bn1.weight', 'bn1.bias', 'bn1.running_mean', 'bn1.running_var', 'layer1.0.conv1.weight', 'layer1.0.bn1.weight', 'layer1.0.bn1.bias', 'layer1.0.bn1.running_mean', 'layer1.0.bn1.running_var', 'layer1.0.conv2.weight', 'layer1.0.bn2.weight', 'layer1.0.bn2.bias', 'layer1.0.bn2.running_mean', 'layer1.0.bn2.running_var', 'layer1.0.conv3.weight', 'layer1.0.bn3.weight', 'layer1.0.bn3.bias', 'layer1.0.bn3.running_mean', 'layer1.0.bn3.running_var', 'layer1.0.downsample.0.weight', 'layer1.0.downsample.1.weight', 'layer1.0.downsample.1.bias', 'layer1.0.downsample.1.running_mean', 'layer1.0.downsample.1.running_var', 'layer1.1.conv1.weight', 'layer1.1.bn1.weight', 'layer1.1.bn1.bias', 'layer1.1.bn1.running_mean', 'layer1.1.bn1.running_var', 'layer1.1.conv2.weight', 'layer1.1.bn2.weight', 'layer1.1.bn2.bias', 'layer1.1.bn2.running_mean', 'layer1.1.bn2.running_var', 'layer1.1.conv3.weight', 'layer1.1.bn3.weight', 'layer1.1.bn3.bias', 'layer1.1.bn3.running_mean', 'layer1.1.bn3.running_var', 'layer1.2.conv1.weight', 'layer1.2.bn1.weight', 'layer1.2.bn1.bias', 'layer1.2.bn1.running_mean', 'layer1.2.bn1.running_var', 'layer1.2.conv2.weight', 'layer1.2.bn2.weight', 'layer1.2.bn2.bias', 'layer1.2.bn2.running_mean', 'layer1.2.bn2.running_var', 'layer1.2.conv3.weight', 'layer1.2.bn3.weight', 'layer1.2.bn3.bias', 'layer1.2.bn3.running_mean', 'layer1.2.bn3.running_var', 'layer2.0.conv1.weight', 'layer2.0.bn1.weight', 'layer2.0.bn1.bias', 'layer2.0.bn1.running_mean', 'layer2.0.bn1.running_var', 'layer2.0.conv2.weight', 'layer2.0.bn2.weight', 'layer2.0.bn2.bias', 'layer2.0.bn2.running_mean', 'layer2.0.bn2.running_var', 'layer2.0.conv3.weight', 'layer2.0.bn3.weight', 'layer2.0.bn3.bias', 'layer2.0.bn3.running_mean', 'layer2.0.bn3.running_var', 'layer2.0.downsample.0.weight', 'layer2.0.downsample.1.weight', 'layer2.0.downsample.1.bias', 'layer2.0.downsample.1.running_mean', 'layer2.0.downsample.1.running_var', 'layer2.1.conv1.weight', 'layer2.1.bn1.weight', 'layer2.1.bn1.bias', 'layer2.1.bn1.running_mean', 'layer2.1.bn1.running_var', 'layer2.1.conv2.weight', 'layer2.1.bn2.weight', 'layer2.1.bn2.bias', 'layer2.1.bn2.running_mean', 'layer2.1.bn2.running_var', 'layer2.1.conv3.weight', 'layer2.1.bn3.weight', 'layer2.1.bn3.bias', 'layer2.1.bn3.running_mean', 'layer2.1.bn3.running_var', 'layer2.2.conv1.weight', 'layer2.2.bn1.weight', 'layer2.2.bn1.bias', 'layer2.2.bn1.running_mean', 'layer2.2.bn1.running_var', 'layer2.2.conv2.weight', 'layer2.2.bn2.weight', 'layer2.2.bn2.bias', 'layer2.2.bn2.running_mean', 'layer2.2.bn2.running_var', 'layer2.2.conv3.weight', 'layer2.2.bn3.weight', 'layer2.2.bn3.bias', 'layer2.2.bn3.running_mean', 'layer2.2.bn3.running_var', 'layer2.3.conv1.weight', 'layer2.3.bn1.weight', 'layer2.3.bn1.bias', 'layer2.3.bn1.running_mean', 'layer2.3.bn1.running_var', 'layer2.3.conv2.weight', 'layer2.3.bn2.weight', 'layer2.3.bn2.bias', 'layer2.3.bn2.running_mean', 'layer2.3.bn2.running_var', 'layer2.3.conv3.weight', 'layer2.3.bn3.weight', 'layer2.3.bn3.bias', 'layer2.3.bn3.running_mean', 'layer2.3.bn3.running_var', 'layer3.0.conv1.weight', 'layer3.0.bn1.weight', 'layer3.0.bn1.bias', 'layer3.0.bn1.running_mean', 'layer3.0.bn1.running_var', 'layer3.0.conv2.weight', 'layer3.0.bn2.weight', 'layer3.0.bn2.bias', 'layer3.0.bn2.running_mean', 'layer3.0.bn2.running_var', 'layer3.0.conv3.weight', 'layer3.0.bn3.weight', 'layer3.0.bn3.bias', 'layer3.0.bn3.running_mean', 'layer3.0.bn3.running_var', 'layer3.0.downsample.0.weight', 'layer3.0.downsample.1.weight', 'layer3.0.downsample.1.bias', 'layer3.0.downsample.1.running_mean', 'layer3.0.downsample.1.running_var', 'layer3.1.conv1.weight', 'layer3.1.bn1.weight', 'layer3.1.bn1.bias', 'layer3.1.bn1.running_mean', 'layer3.1.bn1.running_var', 'layer3.1.conv2.weight', 'layer3.1.bn2.weight', 'layer3.1.bn2.bias', 'layer3.1.bn2.running_mean', 'layer3.1.bn2.running_var', 'layer3.1.conv3.weight', 'layer3.1.bn3.weight', 'layer3.1.bn3.bias', 'layer3.1.bn3.running_mean', 'layer3.1.bn3.running_var', 'layer3.2.conv1.weight', 'layer3.2.bn1.weight', 'layer3.2.bn1.bias', 'layer3.2.bn1.running_mean', 'layer3.2.bn1.running_var', 'layer3.2.conv2.weight', 'layer3.2.bn2.weight', 'layer3.2.bn2.bias', 'layer3.2.bn2.running_mean', 'layer3.2.bn2.running_var', 'layer3.2.conv3.weight', 'layer3.2.bn3.weight', 'layer3.2.bn3.bias', 'layer3.2.bn3.running_mean', 'layer3.2.bn3.running_var', 'layer3.3.conv1.weight', 'layer3.3.bn1.weight', 'layer3.3.bn1.bias', 'layer3.3.bn1.running_mean', 'layer3.3.bn1.running_var', 'layer3.3.conv2.weight', 'layer3.3.bn2.weight', 'layer3.3.bn2.bias', 'layer3.3.bn2.running_mean', 'layer3.3.bn2.running_var', 'layer3.3.conv3.weight', 'layer3.3.bn3.weight', 'layer3.3.bn3.bias', 'layer3.3.bn3.running_mean', 'layer3.3.bn3.running_var', 'layer3.4.conv1.weight', 'layer3.4.bn1.weight', 'layer3.4.bn1.bias', 'layer3.4.bn1.running_mean', 'layer3.4.bn1.running_var', 'layer3.4.conv2.weight', 'layer3.4.bn2.weight', 'layer3.4.bn2.bias', 'layer3.4.bn2.running_mean', 'layer3.4.bn2.running_var', 'layer3.4.conv3.weight', 'layer3.4.bn3.weight', 'layer3.4.bn3.bias', 'layer3.4.bn3.running_mean', 'layer3.4.bn3.running_var', 'layer3.5.conv1.weight', 'layer3.5.bn1.weight', 'layer3.5.bn1.bias', 'layer3.5.bn1.running_mean', 'layer3.5.bn1.running_var', 'layer3.5.conv2.weight', 'layer3.5.bn2.weight', 'layer3.5.bn2.bias', 'layer3.5.bn2.running_mean', 'layer3.5.bn2.running_var', 'layer3.5.conv3.weight', 'layer3.5.bn3.weight', 'layer3.5.bn3.bias', 'layer3.5.bn3.running_mean', 'layer3.5.bn3.running_var', 'layer4.0.conv1.weight', 'layer4.0.bn1.weight', 'layer4.0.bn1.bias', 'layer4.0.bn1.running_mean', 'layer4.0.bn1.running_var', 'layer4.0.conv2.weight', 'layer4.0.bn2.weight', 'layer4.0.bn2.bias', 'layer4.0.bn2.running_mean', 'layer4.0.bn2.running_var', 'layer4.0.conv3.weight', 'layer4.0.bn3.weight', 'layer4.0.bn3.bias', 'layer4.0.bn3.running_mean', 'layer4.0.bn3.running_var', 'layer4.0.downsample.0.weight', 'layer4.0.downsample.1.weight', 'layer4.0.downsample.1.bias', 'layer4.0.downsample.1.running_mean', 'layer4.0.downsample.1.running_var', 'layer4.1.conv1.weight', 'layer4.1.bn1.weight', 'layer4.1.bn1.bias', 'layer4.1.bn1.running_mean', 'layer4.1.bn1.running_var', 'layer4.1.conv2.weight', 'layer4.1.bn2.weight', 'layer4.1.bn2.bias', 'layer4.1.bn2.running_mean', 'layer4.1.bn2.running_var', 'layer4.1.conv3.weight', 'layer4.1.bn3.weight', 'layer4.1.bn3.bias', 'layer4.1.bn3.running_mean', 'layer4.1.bn3.running_var', 'layer4.2.conv1.weight', 'layer4.2.bn1.weight', 'layer4.2.bn1.bias', 'layer4.2.bn1.running_mean', 'layer4.2.bn1.running_var', 'layer4.2.conv2.weight', 'layer4.2.bn2.weight', 'layer4.2.bn2.bias', 'layer4.2.bn2.running_mean', 'layer4.2.bn2.running_var', 'layer4.2.conv3.weight', 'layer4.2.bn3.weight', 'layer4.2.bn3.bias', 'layer4.2.bn3.running_mean', 'layer4.2.bn3.running_var', 'fc.weight', 'fc.bias'], unexpected_keys=['module.normalizer.new_mean', 'module.normalizer.new_std', 'module.model.conv1.weight', 'module.model.bn1.weight', 'module.model.bn1.bias', 'module.model.bn1.running_mean', 'module.model.bn1.running_var', 'module.model.bn1.num_batches_tracked', 'module.model.layer1.0.conv1.weight', 'module.model.layer1.0.bn1.weight', 'module.model.layer1.0.bn1.bias', 'module.model.layer1.0.bn1.running_mean', 'module.model.layer1.0.bn1.running_var', 'module.model.layer1.0.bn1.num_batches_tracked', 'module.model.layer1.0.conv2.weight', 'module.model.layer1.0.bn2.weight', 'module.model.layer1.0.bn2.bias', 'module.model.layer1.0.bn2.running_mean', 'module.model.layer1.0.bn2.running_var', 'module.model.layer1.0.bn2.num_batches_tracked', 'module.model.layer1.0.conv3.weight', 'module.model.layer1.0.bn3.weight', 'module.model.layer1.0.bn3.bias', 'module.model.layer1.0.bn3.running_mean', 'module.model.layer1.0.bn3.running_var', 'module.model.layer1.0.bn3.num_batches_tracked', 'module.model.layer1.0.downsample.0.weight', 'module.model.layer1.0.downsample.1.weight', 'module.model.layer1.0.downsample.1.bias', 'module.model.layer1.0.downsample.1.running_mean', 'module.model.layer1.0.downsample.1.running_var', 'module.model.layer1.0.downsample.1.num_batches_tracked', 'module.model.layer1.1.conv1.weight', 'module.model.layer1.1.bn1.weight', 'module.model.layer1.1.bn1.bias', 'module.model.layer1.1.bn1.running_mean', 'module.model.layer1.1.bn1.running_var', 'module.model.layer1.1.bn1.num_batches_tracked', 'module.model.layer1.1.conv2.weight', 'module.model.layer1.1.bn2.weight', 'module.model.layer1.1.bn2.bias', 'module.model.layer1.1.bn2.running_mean', 'module.model.layer1.1.bn2.running_var', 'module.model.layer1.1.bn2.num_batches_tracked', 'module.model.layer1.1.conv3.weight', 'module.model.layer1.1.bn3.weight', 'module.model.layer1.1.bn3.bias', 'module.model.layer1.1.bn3.running_mean', 'module.model.layer1.1.bn3.running_var', 'module.model.layer1.1.bn3.num_batches_tracked', 'module.model.layer1.2.conv1.weight', 'module.model.layer1.2.bn1.weight', 'module.model.layer1.2.bn1.bias', 'module.model.layer1.2.bn1.running_mean', 'module.model.layer1.2.bn1.running_var', 'module.model.layer1.2.bn1.num_batches_tracked', 'module.model.layer1.2.conv2.weight', 'module.model.layer1.2.bn2.weight', 'module.model.layer1.2.bn2.bias', 'module.model.layer1.2.bn2.running_mean', 'module.model.layer1.2.bn2.running_var', 'module.model.layer1.2.bn2.num_batches_tracked', 'module.model.layer1.2.conv3.weight', 'module.model.layer1.2.bn3.weight', 'module.model.layer1.2.bn3.bias', 'module.model.layer1.2.bn3.running_mean', 'module.model.layer1.2.bn3.running_var', 'module.model.layer1.2.bn3.num_batches_tracked', 'module.model.layer2.0.conv1.weight', 'module.model.layer2.0.bn1.weight', 'module.model.layer2.0.bn1.bias', 'module.model.layer2.0.bn1.running_mean', 'module.model.layer2.0.bn1.running_var', 'module.model.layer2.0.bn1.num_batches_tracked', 'module.model.layer2.0.conv2.weight', 'module.model.layer2.0.bn2.weight', 'module.model.layer2.0.bn2.bias', 'module.model.layer2.0.bn2.running_mean', 'module.model.layer2.0.bn2.running_var', 'module.model.layer2.0.bn2.num_batches_tracked', 'module.model.layer2.0.conv3.weight', 'module.model.layer2.0.bn3.weight', 'module.model.layer2.0.bn3.bias', 'module.model.layer2.0.bn3.running_mean', 'module.model.layer2.0.bn3.running_var', 'module.model.layer2.0.bn3.num_batches_tracked', 'module.model.layer2.0.downsample.0.weight', 'module.model.layer2.0.downsample.1.weight', 'module.model.layer2.0.downsample.1.bias', 'module.model.layer2.0.downsample.1.running_mean', 'module.model.layer2.0.downsample.1.running_var', 'module.model.layer2.0.downsample.1.num_batches_tracked', 'module.model.layer2.1.conv1.weight', 'module.model.layer2.1.bn1.weight', 'module.model.layer2.1.bn1.bias', 'module.model.layer2.1.bn1.running_mean', 'module.model.layer2.1.bn1.running_var', 'module.model.layer2.1.bn1.num_batches_tracked', 'module.model.layer2.1.conv2.weight', 'module.model.layer2.1.bn2.weight', 'module.model.layer2.1.bn2.bias', 'module.model.layer2.1.bn2.running_mean', 'module.model.layer2.1.bn2.running_var', 'module.model.layer2.1.bn2.num_batches_tracked', 'module.model.layer2.1.conv3.weight', 'module.model.layer2.1.bn3.weight', 'module.model.layer2.1.bn3.bias', 'module.model.layer2.1.bn3.running_mean', 'module.model.layer2.1.bn3.running_var', 'module.model.layer2.1.bn3.num_batches_tracked', 'module.model.layer2.2.conv1.weight', 'module.model.layer2.2.bn1.weight', 'module.model.layer2.2.bn1.bias', 'module.model.layer2.2.bn1.running_mean', 'module.model.layer2.2.bn1.running_var', 'module.model.layer2.2.bn1.num_batches_tracked', 'module.model.layer2.2.conv2.weight', 'module.model.layer2.2.bn2.weight', 'module.model.layer2.2.bn2.bias', 'module.model.layer2.2.bn2.running_mean', 'module.model.layer2.2.bn2.running_var', 'module.model.layer2.2.bn2.num_batches_tracked', 'module.model.layer2.2.conv3.weight', 'module.model.layer2.2.bn3.weight', 'module.model.layer2.2.bn3.bias', 'module.model.layer2.2.bn3.running_mean', 'module.model.layer2.2.bn3.running_var', 'module.model.layer2.2.bn3.num_batches_tracked', 'module.model.layer2.3.conv1.weight', 'module.model.layer2.3.bn1.weight', 'module.model.layer2.3.bn1.bias', 'module.model.layer2.3.bn1.running_mean', 'module.model.layer2.3.bn1.running_var', 'module.model.layer2.3.bn1.num_batches_tracked', 'module.model.layer2.3.conv2.weight', 'module.model.layer2.3.bn2.weight', 'module.model.layer2.3.bn2.bias', 'module.model.layer2.3.bn2.running_mean', 'module.model.layer2.3.bn2.running_var', 'module.model.layer2.3.bn2.num_batches_tracked', 'module.model.layer2.3.conv3.weight', 'module.model.layer2.3.bn3.weight', 'module.model.layer2.3.bn3.bias', 'module.model.layer2.3.bn3.running_mean', 'module.model.layer2.3.bn3.running_var', 'module.model.layer2.3.bn3.num_batches_tracked', 'module.model.layer3.0.conv1.weight', 'module.model.layer3.0.bn1.weight', 'module.model.layer3.0.bn1.bias', 'module.model.layer3.0.bn1.running_mean', 'module.model.layer3.0.bn1.running_var', 'module.model.layer3.0.bn1.num_batches_tracked', 'module.model.layer3.0.conv2.weight', 'module.model.layer3.0.bn2.weight', 'module.model.layer3.0.bn2.bias', 'module.model.layer3.0.bn2.running_mean', 'module.model.layer3.0.bn2.running_var', 'module.model.layer3.0.bn2.num_batches_tracked', 'module.model.layer3.0.conv3.weight', 'module.model.layer3.0.bn3.weight', 'module.model.layer3.0.bn3.bias', 'module.model.layer3.0.bn3.running_mean', 'module.model.layer3.0.bn3.running_var', 'module.model.layer3.0.bn3.num_batches_tracked', 'module.model.layer3.0.downsample.0.weight', 'module.model.layer3.0.downsample.1.weight', 'module.model.layer3.0.downsample.1.bias', 'module.model.layer3.0.downsample.1.running_mean', 'module.model.layer3.0.downsample.1.running_var', 'module.model.layer3.0.downsample.1.num_batches_tracked', 'module.model.layer3.1.conv1.weight', 'module.model.layer3.1.bn1.weight', 'module.model.layer3.1.bn1.bias', 'module.model.layer3.1.bn1.running_mean', 'module.model.layer3.1.bn1.running_var', 'module.model.layer3.1.bn1.num_batches_tracked', 'module.model.layer3.1.conv2.weight', 'module.model.layer3.1.bn2.weight', 'module.model.layer3.1.bn2.bias', 'module.model.layer3.1.bn2.running_mean', 'module.model.layer3.1.bn2.running_var', 'module.model.layer3.1.bn2.num_batches_tracked', 'module.model.layer3.1.conv3.weight', 'module.model.layer3.1.bn3.weight', 'module.model.layer3.1.bn3.bias', 'module.model.layer3.1.bn3.running_mean', 'module.model.layer3.1.bn3.running_var', 'module.model.layer3.1.bn3.num_batches_tracked', 'module.model.layer3.2.conv1.weight', 'module.model.layer3.2.bn1.weight', 'module.model.layer3.2.bn1.bias', 'module.model.layer3.2.bn1.running_mean', 'module.model.layer3.2.bn1.running_var', 'module.model.layer3.2.bn1.num_batches_tracked', 'module.model.layer3.2.conv2.weight', 'module.model.layer3.2.bn2.weight', 'module.model.layer3.2.bn2.bias', 'module.model.layer3.2.bn2.running_mean', 'module.model.layer3.2.bn2.running_var', 'module.model.layer3.2.bn2.num_batches_tracked', 'module.model.layer3.2.conv3.weight', 'module.model.layer3.2.bn3.weight', 'module.model.layer3.2.bn3.bias', 'module.model.layer3.2.bn3.running_mean', 'module.model.layer3.2.bn3.running_var', 'module.model.layer3.2.bn3.num_batches_tracked', 'module.model.layer3.3.conv1.weight', 'module.model.layer3.3.bn1.weight', 'module.model.layer3.3.bn1.bias', 'module.model.layer3.3.bn1.running_mean', 'module.model.layer3.3.bn1.running_var', 'module.model.layer3.3.bn1.num_batches_tracked', 'module.model.layer3.3.conv2.weight', 'module.model.layer3.3.bn2.weight', 'module.model.layer3.3.bn2.bias', 'module.model.layer3.3.bn2.running_mean', 'module.model.layer3.3.bn2.running_var', 'module.model.layer3.3.bn2.num_batches_tracked', 'module.model.layer3.3.conv3.weight', 'module.model.layer3.3.bn3.weight', 'module.model.layer3.3.bn3.bias', 'module.model.layer3.3.bn3.running_mean', 'module.model.layer3.3.bn3.running_var', 'module.model.layer3.3.bn3.num_batches_tracked', 'module.model.layer3.4.conv1.weight', 'module.model.layer3.4.bn1.weight', 'module.model.layer3.4.bn1.bias', 'module.model.layer3.4.bn1.running_mean', 'module.model.layer3.4.bn1.running_var', 'module.model.layer3.4.bn1.num_batches_tracked', 'module.model.layer3.4.conv2.weight', 'module.model.layer3.4.bn2.weight', 'module.model.layer3.4.bn2.bias', 'module.model.layer3.4.bn2.running_mean', 'module.model.layer3.4.bn2.running_var', 'module.model.layer3.4.bn2.num_batches_tracked', 'module.model.layer3.4.conv3.weight', 'module.model.layer3.4.bn3.weight', 'module.model.layer3.4.bn3.bias', 'module.model.layer3.4.bn3.running_mean', 'module.model.layer3.4.bn3.running_var', 'module.model.layer3.4.bn3.num_batches_tracked', 'module.model.layer3.5.conv1.weight', 'module.model.layer3.5.bn1.weight', 'module.model.layer3.5.bn1.bias', 'module.model.layer3.5.bn1.running_mean', 'module.model.layer3.5.bn1.running_var', 'module.model.layer3.5.bn1.num_batches_tracked', 'module.model.layer3.5.conv2.weight', 'module.model.layer3.5.bn2.weight', 'module.model.layer3.5.bn2.bias', 'module.model.layer3.5.bn2.running_mean', 'module.model.layer3.5.bn2.running_var', 'module.model.layer3.5.bn2.num_batches_tracked', 'module.model.layer3.5.conv3.weight', 'module.model.layer3.5.bn3.weight', 'module.model.layer3.5.bn3.bias', 'module.model.layer3.5.bn3.running_mean', 'module.model.layer3.5.bn3.running_var', 'module.model.layer3.5.bn3.num_batches_tracked', 'module.model.layer4.0.conv1.weight', 'module.model.layer4.0.bn1.weight', 'module.model.layer4.0.bn1.bias', 'module.model.layer4.0.bn1.running_mean', 'module.model.layer4.0.bn1.running_var', 'module.model.layer4.0.bn1.num_batches_tracked', 'module.model.layer4.0.conv2.weight', 'module.model.layer4.0.bn2.weight', 'module.model.layer4.0.bn2.bias', 'module.model.layer4.0.bn2.running_mean', 'module.model.layer4.0.bn2.running_var', 'module.model.layer4.0.bn2.num_batches_tracked', 'module.model.layer4.0.conv3.weight', 'module.model.layer4.0.bn3.weight', 'module.model.layer4.0.bn3.bias', 'module.model.layer4.0.bn3.running_mean', 'module.model.layer4.0.bn3.running_var', 'module.model.layer4.0.bn3.num_batches_tracked', 'module.model.layer4.0.downsample.0.weight', 'module.model.layer4.0.downsample.1.weight', 'module.model.layer4.0.downsample.1.bias', 'module.model.layer4.0.downsample.1.running_mean', 'module.model.layer4.0.downsample.1.running_var', 'module.model.layer4.0.downsample.1.num_batches_tracked', 'module.model.layer4.1.conv1.weight', 'module.model.layer4.1.bn1.weight', 'module.model.layer4.1.bn1.bias', 'module.model.layer4.1.bn1.running_mean', 'module.model.layer4.1.bn1.running_var', 'module.model.layer4.1.bn1.num_batches_tracked', 'module.model.layer4.1.conv2.weight', 'module.model.layer4.1.bn2.weight', 'module.model.layer4.1.bn2.bias', 'module.model.layer4.1.bn2.running_mean', 'module.model.layer4.1.bn2.running_var', 'module.model.layer4.1.bn2.num_batches_tracked', 'module.model.layer4.1.conv3.weight', 'module.model.layer4.1.bn3.weight', 'module.model.layer4.1.bn3.bias', 'module.model.layer4.1.bn3.running_mean', 'module.model.layer4.1.bn3.running_var', 'module.model.layer4.1.bn3.num_batches_tracked', 'module.model.layer4.2.conv1.weight', 'module.model.layer4.2.bn1.weight', 'module.model.layer4.2.bn1.bias', 'module.model.layer4.2.bn1.running_mean', 'module.model.layer4.2.bn1.running_var', 'module.model.layer4.2.bn1.num_batches_tracked', 'module.model.layer4.2.conv2.weight', 'module.model.layer4.2.bn2.weight', 'module.model.layer4.2.bn2.bias', 'module.model.layer4.2.bn2.running_mean', 'module.model.layer4.2.bn2.running_var', 'module.model.layer4.2.bn2.num_batches_tracked', 'module.model.layer4.2.conv3.weight', 'module.model.layer4.2.bn3.weight', 'module.model.layer4.2.bn3.bias', 'module.model.layer4.2.bn3.running_mean', 'module.model.layer4.2.bn3.running_var', 'module.model.layer4.2.bn3.num_batches_tracked', 'module.model.fc.weight', 'module.model.fc.bias', 'module.attacker.normalize.new_mean', 'module.attacker.normalize.new_std', 'module.attacker.model.conv1.weight', 'module.attacker.model.bn1.weight', 'module.attacker.model.bn1.bias', 'module.attacker.model.bn1.running_mean', 'module.attacker.model.bn1.running_var', 'module.attacker.model.bn1.num_batches_tracked', 'module.attacker.model.layer1.0.conv1.weight', 'module.attacker.model.layer1.0.bn1.weight', 'module.attacker.model.layer1.0.bn1.bias', 'module.attacker.model.layer1.0.bn1.running_mean', 'module.attacker.model.layer1.0.bn1.running_var', 'module.attacker.model.layer1.0.bn1.num_batches_tracked', 'module.attacker.model.layer1.0.conv2.weight', 'module.attacker.model.layer1.0.bn2.weight', 'module.attacker.model.layer1.0.bn2.bias', 'module.attacker.model.layer1.0.bn2.running_mean', 'module.attacker.model.layer1.0.bn2.running_var', 'module.attacker.model.layer1.0.bn2.num_batches_tracked', 'module.attacker.model.layer1.0.conv3.weight', 'module.attacker.model.layer1.0.bn3.weight', 'module.attacker.model.layer1.0.bn3.bias', 'module.attacker.model.layer1.0.bn3.running_mean', 'module.attacker.model.layer1.0.bn3.running_var', 'module.attacker.model.layer1.0.bn3.num_batches_tracked', 'module.attacker.model.layer1.0.downsample.0.weight', 'module.attacker.model.layer1.0.downsample.1.weight', 'module.attacker.model.layer1.0.downsample.1.bias', 'module.attacker.model.layer1.0.downsample.1.running_mean', 'module.attacker.model.layer1.0.downsample.1.running_var', 'module.attacker.model.layer1.0.downsample.1.num_batches_tracked', 'module.attacker.model.layer1.1.conv1.weight', 'module.attacker.model.layer1.1.bn1.weight', 'module.attacker.model.layer1.1.bn1.bias', 'module.attacker.model.layer1.1.bn1.running_mean', 'module.attacker.model.layer1.1.bn1.running_var', 'module.attacker.model.layer1.1.bn1.num_batches_tracked', 'module.attacker.model.layer1.1.conv2.weight', 'module.attacker.model.layer1.1.bn2.weight', 'module.attacker.model.layer1.1.bn2.bias', 'module.attacker.model.layer1.1.bn2.running_mean', 'module.attacker.model.layer1.1.bn2.running_var', 'module.attacker.model.layer1.1.bn2.num_batches_tracked', 'module.attacker.model.layer1.1.conv3.weight', 'module.attacker.model.layer1.1.bn3.weight', 'module.attacker.model.layer1.1.bn3.bias', 'module.attacker.model.layer1.1.bn3.running_mean', 'module.attacker.model.layer1.1.bn3.running_var', 'module.attacker.model.layer1.1.bn3.num_batches_tracked', 'module.attacker.model.layer1.2.conv1.weight', 'module.attacker.model.layer1.2.bn1.weight', 'module.attacker.model.layer1.2.bn1.bias', 'module.attacker.model.layer1.2.bn1.running_mean', 'module.attacker.model.layer1.2.bn1.running_var', 'module.attacker.model.layer1.2.bn1.num_batches_tracked', 'module.attacker.model.layer1.2.conv2.weight', 'module.attacker.model.layer1.2.bn2.weight', 'module.attacker.model.layer1.2.bn2.bias', 'module.attacker.model.layer1.2.bn2.running_mean', 'module.attacker.model.layer1.2.bn2.running_var', 'module.attacker.model.layer1.2.bn2.num_batches_tracked', 'module.attacker.model.layer1.2.conv3.weight', 'module.attacker.model.layer1.2.bn3.weight', 'module.attacker.model.layer1.2.bn3.bias', 'module.attacker.model.layer1.2.bn3.running_mean', 'module.attacker.model.layer1.2.bn3.running_var', 'module.attacker.model.layer1.2.bn3.num_batches_tracked', 'module.attacker.model.layer2.0.conv1.weight', 'module.attacker.model.layer2.0.bn1.weight', 'module.attacker.model.layer2.0.bn1.bias', 'module.attacker.model.layer2.0.bn1.running_mean', 'module.attacker.model.layer2.0.bn1.running_var', 'module.attacker.model.layer2.0.bn1.num_batches_tracked', 'module.attacker.model.layer2.0.conv2.weight', 'module.attacker.model.layer2.0.bn2.weight', 'module.attacker.model.layer2.0.bn2.bias', 'module.attacker.model.layer2.0.bn2.running_mean', 'module.attacker.model.layer2.0.bn2.running_var', 'module.attacker.model.layer2.0.bn2.num_batches_tracked', 'module.attacker.model.layer2.0.conv3.weight', 'module.attacker.model.layer2.0.bn3.weight', 'module.attacker.model.layer2.0.bn3.bias', 'module.attacker.model.layer2.0.bn3.running_mean', 'module.attacker.model.layer2.0.bn3.running_var', 'module.attacker.model.layer2.0.bn3.num_batches_tracked', 'module.attacker.model.layer2.0.downsample.0.weight', 'module.attacker.model.layer2.0.downsample.1.weight', 'module.attacker.model.layer2.0.downsample.1.bias', 'module.attacker.model.layer2.0.downsample.1.running_mean', 'module.attacker.model.layer2.0.downsample.1.running_var', 'module.attacker.model.layer2.0.downsample.1.num_batches_tracked', 'module.attacker.model.layer2.1.conv1.weight', 'module.attacker.model.layer2.1.bn1.weight', 'module.attacker.model.layer2.1.bn1.bias', 'module.attacker.model.layer2.1.bn1.running_mean', 'module.attacker.model.layer2.1.bn1.running_var', 'module.attacker.model.layer2.1.bn1.num_batches_tracked', 'module.attacker.model.layer2.1.conv2.weight', 'module.attacker.model.layer2.1.bn2.weight', 'module.attacker.model.layer2.1.bn2.bias', 'module.attacker.model.layer2.1.bn2.running_mean', 'module.attacker.model.layer2.1.bn2.running_var', 'module.attacker.model.layer2.1.bn2.num_batches_tracked', 'module.attacker.model.layer2.1.conv3.weight', 'module.attacker.model.layer2.1.bn3.weight', 'module.attacker.model.layer2.1.bn3.bias', 'module.attacker.model.layer2.1.bn3.running_mean', 'module.attacker.model.layer2.1.bn3.running_var', 'module.attacker.model.layer2.1.bn3.num_batches_tracked', 'module.attacker.model.layer2.2.conv1.weight', 'module.attacker.model.layer2.2.bn1.weight', 'module.attacker.model.layer2.2.bn1.bias', 'module.attacker.model.layer2.2.bn1.running_mean', 'module.attacker.model.layer2.2.bn1.running_var', 'module.attacker.model.layer2.2.bn1.num_batches_tracked', 'module.attacker.model.layer2.2.conv2.weight', 'module.attacker.model.layer2.2.bn2.weight', 'module.attacker.model.layer2.2.bn2.bias', 'module.attacker.model.layer2.2.bn2.running_mean', 'module.attacker.model.layer2.2.bn2.running_var', 'module.attacker.model.layer2.2.bn2.num_batches_tracked', 'module.attacker.model.layer2.2.conv3.weight', 'module.attacker.model.layer2.2.bn3.weight', 'module.attacker.model.layer2.2.bn3.bias', 'module.attacker.model.layer2.2.bn3.running_mean', 'module.attacker.model.layer2.2.bn3.running_var', 'module.attacker.model.layer2.2.bn3.num_batches_tracked', 'module.attacker.model.layer2.3.conv1.weight', 'module.attacker.model.layer2.3.bn1.weight', 'module.attacker.model.layer2.3.bn1.bias', 'module.attacker.model.layer2.3.bn1.running_mean', 'module.attacker.model.layer2.3.bn1.running_var', 'module.attacker.model.layer2.3.bn1.num_batches_tracked', 'module.attacker.model.layer2.3.conv2.weight', 'module.attacker.model.layer2.3.bn2.weight', 'module.attacker.model.layer2.3.bn2.bias', 'module.attacker.model.layer2.3.bn2.running_mean', 'module.attacker.model.layer2.3.bn2.running_var', 'module.attacker.model.layer2.3.bn2.num_batches_tracked', 'module.attacker.model.layer2.3.conv3.weight', 'module.attacker.model.layer2.3.bn3.weight', 'module.attacker.model.layer2.3.bn3.bias', 'module.attacker.model.layer2.3.bn3.running_mean', 'module.attacker.model.layer2.3.bn3.running_var', 'module.attacker.model.layer2.3.bn3.num_batches_tracked', 'module.attacker.model.layer3.0.conv1.weight', 'module.attacker.model.layer3.0.bn1.weight', 'module.attacker.model.layer3.0.bn1.bias', 'module.attacker.model.layer3.0.bn1.running_mean', 'module.attacker.model.layer3.0.bn1.running_var', 'module.attacker.model.layer3.0.bn1.num_batches_tracked', 'module.attacker.model.layer3.0.conv2.weight', 'module.attacker.model.layer3.0.bn2.weight', 'module.attacker.model.layer3.0.bn2.bias', 'module.attacker.model.layer3.0.bn2.running_mean', 'module.attacker.model.layer3.0.bn2.running_var', 'module.attacker.model.layer3.0.bn2.num_batches_tracked', 'module.attacker.model.layer3.0.conv3.weight', 'module.attacker.model.layer3.0.bn3.weight', 'module.attacker.model.layer3.0.bn3.bias', 'module.attacker.model.layer3.0.bn3.running_mean', 'module.attacker.model.layer3.0.bn3.running_var', 'module.attacker.model.layer3.0.bn3.num_batches_tracked', 'module.attacker.model.layer3.0.downsample.0.weight', 'module.attacker.model.layer3.0.downsample.1.weight', 'module.attacker.model.layer3.0.downsample.1.bias', 'module.attacker.model.layer3.0.downsample.1.running_mean', 'module.attacker.model.layer3.0.downsample.1.running_var', 'module.attacker.model.layer3.0.downsample.1.num_batches_tracked', 'module.attacker.model.layer3.1.conv1.weight', 'module.attacker.model.layer3.1.bn1.weight', 'module.attacker.model.layer3.1.bn1.bias', 'module.attacker.model.layer3.1.bn1.running_mean', 'module.attacker.model.layer3.1.bn1.running_var', 'module.attacker.model.layer3.1.bn1.num_batches_tracked', 'module.attacker.model.layer3.1.conv2.weight', 'module.attacker.model.layer3.1.bn2.weight', 'module.attacker.model.layer3.1.bn2.bias', 'module.attacker.model.layer3.1.bn2.running_mean', 'module.attacker.model.layer3.1.bn2.running_var', 'module.attacker.model.layer3.1.bn2.num_batches_tracked', 'module.attacker.model.layer3.1.conv3.weight', 'module.attacker.model.layer3.1.bn3.weight', 'module.attacker.model.layer3.1.bn3.bias', 'module.attacker.model.layer3.1.bn3.running_mean', 'module.attacker.model.layer3.1.bn3.running_var', 'module.attacker.model.layer3.1.bn3.num_batches_tracked', 'module.attacker.model.layer3.2.conv1.weight', 'module.attacker.model.layer3.2.bn1.weight', 'module.attacker.model.layer3.2.bn1.bias', 'module.attacker.model.layer3.2.bn1.running_mean', 'module.attacker.model.layer3.2.bn1.running_var', 'module.attacker.model.layer3.2.bn1.num_batches_tracked', 'module.attacker.model.layer3.2.conv2.weight', 'module.attacker.model.layer3.2.bn2.weight', 'module.attacker.model.layer3.2.bn2.bias', 'module.attacker.model.layer3.2.bn2.running_mean', 'module.attacker.model.layer3.2.bn2.running_var', 'module.attacker.model.layer3.2.bn2.num_batches_tracked', 'module.attacker.model.layer3.2.conv3.weight', 'module.attacker.model.layer3.2.bn3.weight', 'module.attacker.model.layer3.2.bn3.bias', 'module.attacker.model.layer3.2.bn3.running_mean', 'module.attacker.model.layer3.2.bn3.running_var', 'module.attacker.model.layer3.2.bn3.num_batches_tracked', 'module.attacker.model.layer3.3.conv1.weight', 'module.attacker.model.layer3.3.bn1.weight', 'module.attacker.model.layer3.3.bn1.bias', 'module.attacker.model.layer3.3.bn1.running_mean', 'module.attacker.model.layer3.3.bn1.running_var', 'module.attacker.model.layer3.3.bn1.num_batches_tracked', 'module.attacker.model.layer3.3.conv2.weight', 'module.attacker.model.layer3.3.bn2.weight', 'module.attacker.model.layer3.3.bn2.bias', 'module.attacker.model.layer3.3.bn2.running_mean', 'module.attacker.model.layer3.3.bn2.running_var', 'module.attacker.model.layer3.3.bn2.num_batches_tracked', 'module.attacker.model.layer3.3.conv3.weight', 'module.attacker.model.layer3.3.bn3.weight', 'module.attacker.model.layer3.3.bn3.bias', 'module.attacker.model.layer3.3.bn3.running_mean', 'module.attacker.model.layer3.3.bn3.running_var', 'module.attacker.model.layer3.3.bn3.num_batches_tracked', 'module.attacker.model.layer3.4.conv1.weight', 'module.attacker.model.layer3.4.bn1.weight', 'module.attacker.model.layer3.4.bn1.bias', 'module.attacker.model.layer3.4.bn1.running_mean', 'module.attacker.model.layer3.4.bn1.running_var', 'module.attacker.model.layer3.4.bn1.num_batches_tracked', 'module.attacker.model.layer3.4.conv2.weight', 'module.attacker.model.layer3.4.bn2.weight', 'module.attacker.model.layer3.4.bn2.bias', 'module.attacker.model.layer3.4.bn2.running_mean', 'module.attacker.model.layer3.4.bn2.running_var', 'module.attacker.model.layer3.4.bn2.num_batches_tracked', 'module.attacker.model.layer3.4.conv3.weight', 'module.attacker.model.layer3.4.bn3.weight', 'module.attacker.model.layer3.4.bn3.bias', 'module.attacker.model.layer3.4.bn3.running_mean', 'module.attacker.model.layer3.4.bn3.running_var', 'module.attacker.model.layer3.4.bn3.num_batches_tracked', 'module.attacker.model.layer3.5.conv1.weight', 'module.attacker.model.layer3.5.bn1.weight', 'module.attacker.model.layer3.5.bn1.bias', 'module.attacker.model.layer3.5.bn1.running_mean', 'module.attacker.model.layer3.5.bn1.running_var', 'module.attacker.model.layer3.5.bn1.num_batches_tracked', 'module.attacker.model.layer3.5.conv2.weight', 'module.attacker.model.layer3.5.bn2.weight', 'module.attacker.model.layer3.5.bn2.bias', 'module.attacker.model.layer3.5.bn2.running_mean', 'module.attacker.model.layer3.5.bn2.running_var', 'module.attacker.model.layer3.5.bn2.num_batches_tracked', 'module.attacker.model.layer3.5.conv3.weight', 'module.attacker.model.layer3.5.bn3.weight', 'module.attacker.model.layer3.5.bn3.bias', 'module.attacker.model.layer3.5.bn3.running_mean', 'module.attacker.model.layer3.5.bn3.running_var', 'module.attacker.model.layer3.5.bn3.num_batches_tracked', 'module.attacker.model.layer4.0.conv1.weight', 'module.attacker.model.layer4.0.bn1.weight', 'module.attacker.model.layer4.0.bn1.bias', 'module.attacker.model.layer4.0.bn1.running_mean', 'module.attacker.model.layer4.0.bn1.running_var', 'module.attacker.model.layer4.0.bn1.num_batches_tracked', 'module.attacker.model.layer4.0.conv2.weight', 'module.attacker.model.layer4.0.bn2.weight', 'module.attacker.model.layer4.0.bn2.bias', 'module.attacker.model.layer4.0.bn2.running_mean', 'module.attacker.model.layer4.0.bn2.running_var', 'module.attacker.model.layer4.0.bn2.num_batches_tracked', 'module.attacker.model.layer4.0.conv3.weight', 'module.attacker.model.layer4.0.bn3.weight', 'module.attacker.model.layer4.0.bn3.bias', 'module.attacker.model.layer4.0.bn3.running_mean', 'module.attacker.model.layer4.0.bn3.running_var', 'module.attacker.model.layer4.0.bn3.num_batches_tracked', 'module.attacker.model.layer4.0.downsample.0.weight', 'module.attacker.model.layer4.0.downsample.1.weight', 'module.attacker.model.layer4.0.downsample.1.bias', 'module.attacker.model.layer4.0.downsample.1.running_mean', 'module.attacker.model.layer4.0.downsample.1.running_var', 'module.attacker.model.layer4.0.downsample.1.num_batches_tracked', 'module.attacker.model.layer4.1.conv1.weight', 'module.attacker.model.layer4.1.bn1.weight', 'module.attacker.model.layer4.1.bn1.bias', 'module.attacker.model.layer4.1.bn1.running_mean', 'module.attacker.model.layer4.1.bn1.running_var', 'module.attacker.model.layer4.1.bn1.num_batches_tracked', 'module.attacker.model.layer4.1.conv2.weight', 'module.attacker.model.layer4.1.bn2.weight', 'module.attacker.model.layer4.1.bn2.bias', 'module.attacker.model.layer4.1.bn2.running_mean', 'module.attacker.model.layer4.1.bn2.running_var', 'module.attacker.model.layer4.1.bn2.num_batches_tracked', 'module.attacker.model.layer4.1.conv3.weight', 'module.attacker.model.layer4.1.bn3.weight', 'module.attacker.model.layer4.1.bn3.bias', 'module.attacker.model.layer4.1.bn3.running_mean', 'module.attacker.model.layer4.1.bn3.running_var', 'module.attacker.model.layer4.1.bn3.num_batches_tracked', 'module.attacker.model.layer4.2.conv1.weight', 'module.attacker.model.layer4.2.bn1.weight', 'module.attacker.model.layer4.2.bn1.bias', 'module.attacker.model.layer4.2.bn1.running_mean', 'module.attacker.model.layer4.2.bn1.running_var', 'module.attacker.model.layer4.2.bn1.num_batches_tracked', 'module.attacker.model.layer4.2.conv2.weight', 'module.attacker.model.layer4.2.bn2.weight', 'module.attacker.model.layer4.2.bn2.bias', 'module.attacker.model.layer4.2.bn2.running_mean', 'module.attacker.model.layer4.2.bn2.running_var', 'module.attacker.model.layer4.2.bn2.num_batches_tracked', 'module.attacker.model.layer4.2.conv3.weight', 'module.attacker.model.layer4.2.bn3.weight', 'module.attacker.model.layer4.2.bn3.bias', 'module.attacker.model.layer4.2.bn3.running_mean', 'module.attacker.model.layer4.2.bn3.running_var', 'module.attacker.model.layer4.2.bn3.num_batches_tracked', 'module.attacker.model.fc.weight', 'module.attacker.model.fc.bias'])

I can't seem to be able to load the pre-trained models CIFAR10 models. While the model corresponding to Eps=0.0 (standard training) loads, I get an error message stating AttributeError: Can't get attribute 'main' on <module 'builtins' (built-in)> with the non-zero epsilon models. I tried importing the ResNet and resnet50 classes, since other sources on the internet seem to indicate that this might have to do with the pickle.load() function requiring the explicit class definition but that did not work either. I'd be grateful for any directions on this.

import torch
from torchvision.models import resnet50

if torch.cuda.is_available():
    device='gpu'
else:
    device='cpu'

mod_nat=torch.load('trained_models_cifar/cifar_nat.pt', map_location=device) #Works
mod_eps_01=torch.load('trained_models_cifar/cifar_l2_1_0.pt', map_location=device) #Error

Traceback (most recent call last):
  File "/home/nayantara/anaconda2/envs/py3/lib/python3.7/site-packages/IPython/core/interactiveshell.py", line 3326, in run_code
    exec(code_obj, self.user_global_ns, self.user_ns)
  File "<ipython-input-6-a37045f836d2>", line 12, in <module>
    mod_eps_01=torch.load('trained_models_cifar/cifar_l2_1_0.pt', map_location=device)
  File "/home/nayantara/anaconda2/envs/py3/lib/python3.7/site-packages/torch/serialization.py", line 426, in load
    return _load(f, map_location, pickle_module, **pickle_load_args)
  File "/home/nayantara/anaconda2/envs/py3/lib/python3.7/site-packages/torch/serialization.py", line 613, in _load
    result = unpickler.load()
AttributeError: Can't get attribute '__main__' on <module 'builtins' (built-in)>

Below error happens when I load pretrained model (ResNet50, CIFAR10 L2-norm: ε = 0.25 or ε = 1.0):

Traceback (most recent call last):
  File "/home/geyao/robust_analyse/test_AR_lib.py", line 32, in <module>
    final_model = main(args, store=store)
  File "/home/geyao/.local/lib/python3.8/site-packages/robustness/main.py", line 49, in main
    model, checkpoint = make_and_restore_model(arch=args.arch,
  File "/home/geyao/.local/lib/python3.8/site-packages/robustness/model_utils.py", line 93, in make_and_restore_model
    checkpoint = ch.load(resume_path, pickle_module=dill)
  File "/home/geyao/.conda/envs/gy_env/lib/python3.8/site-packages/torch/serialization.py", line 585, in load
    return _legacy_load(opened_file, map_location, pickle_module, **pickle_load_args)
  File "/home/geyao/.conda/envs/gy_env/lib/python3.8/site-packages/torch/serialization.py", line 765, in _legacy_load
    result = unpickler.load()
  File "/home/geyao/.local/lib/python3.8/site-packages/dill/_dill.py", line 473, in load
    obj = StockUnpickler.load(self)
TypeError: an integer is required (got type bytes)

It's ok when I load other models trained by CIFAR10. Do you have any idea?

Thank for this nice work
I don't know why use mean() on loss

And I can't understand in the train.py which function call _model_loop
In this function we can call train and val , but val can use loss.backward()?
Hope someone can answer me,thanks~

Hi and thank you for putting this package together.

It's very helpful to have the pretrained models linked on the repo README.

Can you please just confirm:
those models were all trained with the TRAINING_DEFAULTS from robustness.defaults?

E.g. for ResNet50 trained on CIFAR10, the hyperparameters would have been:

    datasets.CIFAR: {
        "epochs": 150,
        "batch_size": 128,
        "weight_decay":5e-4,
        "step_lr": 50
    }

(from

I did test with those hyperparameters and get similar accuracy (~95%)
In case it helps anyone, I realized that ResNet models require running a few training batches through before putting the model in eval mode. Here's the script I used to check:

from pathlib import Path

import dill
import numpy as np
import robustness.defaults
from robustness.datasets import CIFAR
from robustness.cifar_models.resnet import ResNet50
from robustness.model_utils import make_and_restore_model
import torch
from torch.optim import SGD
import torch.nn as nn

def load(model, resume_path):
    checkpoint = torch.load(resume_path, pickle_module=dill)
    sd = checkpoint['model']
    sd = {k[len('module.model.'):]:v for k,v in sd.items() if k.startswith('module.model.')}
    model.load_state_dict(sd)

def get_default_device():
    if torch.cuda.is_available():
        return 'cuda'
    else:
        return 'cpu'

CIFAR10_TRAIN_DEFAULTS = robustness.defaults.TRAINING_DEFAULTS[CIFAR]

for hyperparam_name in ['lr', 'momentum']:
    val = [el[-1] for el in robustness.defaults.TRAINING_ARGS if el[0] == hyperparam_name]
    assert len(val) == 1, f'did not find single value for {hyperparam_name}, value was: {val}'
    val = val[0]
    CIFAR10_TRAIN_DEFAULTS[hyperparam_name] = val

CIFAR10_MEAN = [0.4914, 0.4822, 0.4465]
CIFAR10_STD = [0.2023, 0.1994, 0.2010]

DEVICE = get_default_device()
print(f'device: {DEVICE}')
# test pre-trained model on CIFAR10 dataset

cifar_dataset = CIFAR('/data/cifar-10-batches-py/')

resume_path = Path('data/cifar_nat.pt')

resnet = ResNet50()

load(resnet, resume_path)
resnet.to(DEVICE);

train_loader, test_loader = cifar_dataset.make_loaders(workers=4, batch_size=CIFAR10_TRAIN_DEFAULTS['batch_size'])

# run a few batches through with model in `train` mode to so `batchnorm` stats have a good value.
# see: https://discuss.pytorch.org/t/model-eval-gives-incorrect-loss-for-model-with-batchnorm-layers/7561/3
# without doing this, test set accuracy will be ~69%
N_BATCH = 100

for batch_num, batch in enumerate(train_loader):
    if batch_num > N_BATCH:
        break
    with torch.no_grad():
        x, y = batch[0].to(DEVICE), batch[1].to(DEVICE)
        out = resnet(x)

resnet.eval();

accs = []

for batch in test_loader:
    with torch.no_grad():
        x, y = batch[0].to(DEVICE), batch[1].to(DEVICE)
        out = resnet(x)
        y_pred = out.argmax(dim=1)
        accs.append(
            (y_pred == y).sum().cpu().numpy() / y.shape[0]
        )

# `robustness` repo readme claims 95.25% accuracy for this model
np.array(accs).mean()

We should add model files that are compatible with the custom arguments used by make_adv. @Hadisalman I think you have some of these?

Related is #27, which we should review and merge into develop soon.

Hi there,
Great work on this package! Forgive me if I'm missing something, but there seems to be a mismatch between how AttackerModel.forward works, and the documentation. I want to call AttackerModel.forward and just do normal inference without returning any image. I should be able to do this by setting make_adv=False and with_image=False. But as I can see here this just sets the output to None! Moreover, it still outputs a tuple with the input image as the second element.

Finally, the docstring contains a broken link: "see our detailed walkthrough <../example_usage/input_space_manipulation>".

As an addendum, you might consider making the default behavior being to just do normal inference and not attack or output an image. This may make it easier to incorporate an AttackerModel object as a step in other modules.
Thanks!
-N

Hello, I was wondering if you consider the class imbalance problem that is created in the Restricted ImageNet dataset when training the models? For example, the "Dog" superclass is made of 117 subclasses whereas the "Frog" class is made of only 3 subclasses. I don't see any special samplers or weighting in the loss functions but I may have missed something. Or, is this not a problem at all and you found that training as normal even with the class imbalance works fine?

Any response is appreciated,
Nate

I tested the eps=4 L-inf model on Imagenet. Although the accuracy on unperturbed seeds seems to match the numbers given in the README table, I got only 12.206% top-1 accuracy with attacking with Linf (eps=4/255, iters=20, attack-lr = 2.5 * (4/255) / 20), whereas the README reports 33.58%. Am I missing something?

Overriding custom class with None doesn't work, since the library takes None to mean nothing is provided:

>>> from robustness import datasets
>>> datasets.CIFAR("", custom_class=None).custom_class
<class 'torchvision.datasets.cifar.CIFAR10'>

I cant reproduce the results of standard training as claimed in the repo 95.25%. Is there a specific script can reproduce the result? Thank you!

Once again, greetings to all present! All this time, I have been studying the capabilities of the ready-made robust resnet50, presented by the authors of this work, and compared it with the classic resnet50. The features of the robust model are fantastic compared to the regular model! In addition, I was thinking about how to train VGG19 to make it even more robust in my PC environment. So, there is 3 GB of VRAM and 8 GB of RAM. The ideas so far are the following in addition to what the authors suggested to me in the last Issue:

1. Move the fully connected part to the CPU, while the convolutional part will be on the GPU. The purpose of this action is to unload video memory. Convolutional layers contain a small number of parameters, their volume is about 80 MB, but the computational complexity of convolusions is very high. Therefore, it is important to train them on the GPU. In contrast, fully connected layers have extremely low computational complexity, but the amount of memory used by the parameters is huge - almost 500 MB. In this regard, we can use the CPU and less expensive RAM.
2. Divide a large batch into small parts and make several forward and reverse passes before the optimizer step. For example, if training requires a batch size of 512, then we can perform 64 straight-back passes for batches of size 8 in a row and only then call the optimizer step. Given that there are no normalization layers in VGG, this division will not affect the learning process and its stability, but it will radically reduce the amount of memory required without compromising the quality of work.
   I would like to know the opinion of the authors and other participants on this issue.

I am unable to load some of the pretrained robust models for CIFAR10 L2-norm (ResNet50). I have downloaded the model files directly from the dropbox links and have placed them into the /home/ubuntu/Research/DomainShift_Experiment directory. Here's the code that I'm running:

from robustness.model_utils import make_and_restore_model
from robustness.datasets import CIFAR

 
model_paths_dict = {0.0: "nat.pt",
                   0.25 : "l2_0_25.pt",
                   0.5: "l2_0_5.pt",
                   1.0: "l2_1_0.pt",
                   }

DS = "ds"
NORMAL = "normal"

base_path = '/home/ubuntu/Research/DomainShift_Experiment/cifar_'

models = {}
for eps in model_paths_dict:
    # Load Madry's models
    ds = CIFAR('/tmp')
    print(model_paths_dict[eps])
    model, _ = make_and_restore_model(arch='resnet50', dataset=ds,
                 resume_path=base_path+model_paths_dict[eps])
    model.eval()

    models[eps] = model   

Here's the output I get:

nat.pt
=> loading checkpoint '/home/ubuntu/Research/DomainShift_Experiment/cifar_nat.pt'
=> loaded checkpoint '/home/ubuntu/Research/DomainShift_Experiment/cifar_nat.pt' (epoch 190)
l2_0_25.pt
=> loading checkpoint '/home/ubuntu/Research/DomainShift_Experiment/cifar_l2_0_25.pt'

Traceback (most recent call last):
  File "test_loading_models.py", line 22, in <module>
    resume_path=base_path+model_paths_dict[eps])
  File "/home/ubuntu/anaconda3/lib/python3.6/site-packages/robustness/model_utils.py", line 71, in make_and_restore_model
    checkpoint = ch.load(resume_path, pickle_module=dill)
  File "/home/ubuntu/.local/lib/python3.6/site-packages/torch/serialization.py", line 386, in load
    return _load(f, map_location, pickle_module, **pickle_load_args)
  File "/home/ubuntu/.local/lib/python3.6/site-packages/torch/serialization.py", line 573, in _load
    result = unpickler.load()
  File "/home/ubuntu/anaconda3/lib/python3.6/site-packages/dill/_dill.py", line 472, in load
    obj = StockUnpickler.load(self)
  File "/home/ubuntu/anaconda3/lib/python3.6/site-packages/cox/utils.py", line 134, in __setstate__
    self.params = x
  File "/home/ubuntu/anaconda3/lib/python3.6/site-packages/cox/utils.py", line 110, in __setattr__
    self.params[x.lower()] = v
  File "/home/ubuntu/anaconda3/lib/python3.6/site-packages/cox/utils.py", line 101, in __getattr__
    if k not in self.params:
  File "/home/ubuntu/anaconda3/lib/python3.6/site-packages/cox/utils.py", line 101, in __getattr__
    if k not in self.params:
  File "/home/ubuntu/anaconda3/lib/python3.6/site-packages/cox/utils.py", line 101, in __getattr__
    if k not in self.params:
  [Previous line repeated 325 more times]
RecursionError: maximum recursion depth exceeded

This same error occurs for when epsilon = 1. The only models that I can successfully load are for epsilon = 0, 0.5

Can someone please clarify what is returned when a pretrained CIFAR10 model is called? Two objects appear to be returned: the class prediction and an image. Is this correct? If so, what is this image? How does the make_adv boolean argument affect that output image?

Hi! Thank you for sharing good project :)

Is there a pre-trained model file for the restricted ImageNet model (10 classes)?

I could find only the adversarially trained restricted ImageNet model file.
(https://github.com/MadryLab/robust_representations)

But, I cannot find a naturally trained restricted ImageNet model file.

Do you have a code snippet to convert the pre-trained ImageNet model to be compatible with the model class in the Robustness package? Or perhaps the model itself, if you used it in your experiments post-conversion?

I'm currently following along with the notebook for input manipulation, with the exception that I'm using a model that I trained locally. I run into a several cuda-related issues when I follow the recommended steps for generating adversarial examples. I am using a GPU for training.

I import my saved model as follows:

arch = 'resnet18'
ds = CIFAR('../data/cifar/')
classifier_model = ds.get_model(arch, False) if \
                            isinstance(arch, str) else arch
model = AttackerModel(classifier_model, ds)
model.load_state_dict(ch.load(model_path))

When, I run the below code to return adversarial examples, I get the following error.

kwargs = {
    'constraint':'2',
    'eps': ATTACK_EPS,
    'step_size': ATTACK_STEPSIZE,
    'iterations': ATTACK_STEPS,
    'targeted': True,
    'do_tqdm': True
}
_, im_adv = model(im, targ, make_adv=True, **kwargs)

Otherwise, the rest of the code is as implemented in the notebook.

I also tried the following modifications to that line, which reversed the expected device error:

_, im_adv = model(im.cuda(), targ, make_adv=True, **kwargs)

Running this modified version returned the same error:

_, im_adv = model(im.cuda(), targ.cuda(), make_adv=True, **kwargs)

Do you have any advice on how to resolve this issue? I haven't been able to find many similar problems online among Pytorch users.

Is it possible to get an estimate of how much time it takes to train a robust ImageNet model, like say ResNet-50 for epsilon=4/255?

I'm running pytorch version '1.2.0+cpu'. I'm trying to get the introductory example with pretrained models to work with the CIFAR10 L2-norm (ResNet50) ε = 0.0 model, but I receive the following error

Traceback (most recent call last):
  File "/usr/local/lib/python3.6/dist-packages/torch/serialization.py", line 386, in load
    return _load(f, map_location, pickle_module, **pickle_load_args)
  File "/usr/local/lib/python3.6/dist-packages/torch/serialization.py", line 573, in _load
    result = unpickler.load()
  File "/usr/local/lib/python3.6/dist-packages/dill/_dill.py", line 472, in load
    obj = StockUnpickler.load(self)
  File "/usr/local/lib/python3.6/dist-packages/torch/serialization.py", line 536, in persistent_load
    deserialized_objects[root_key] = restore_location(obj, location)
  File "/usr/local/lib/python3.6/dist-packages/torch/serialization.py", line 119, in default_restore_location
    result = fn(storage, location)
  File "/usr/local/lib/python3.6/dist-packages/torch/serialization.py", line 95, in _cuda_deserialize
    device = validate_cuda_device(location)
  File "/usr/local/lib/python3.6/dist-packages/torch/serialization.py", line 79, in validate_cuda_device
    raise RuntimeError('Attempting to deserialize object on a CUDA '
RuntimeError: Attempting to deserialize object on a CUDA device but torch.cuda.is_available() is False. If you are running on a CPU-only machine, please use torch.load with map_location=torch.device('cpu') to map your storages to the CPU.

It appears that the appropriate place to modify torch.load() is line 71` of model_utils.py.

Is there any way to train with my own custom attacks using the library, such as FGSM?

Hi, thanks for making this library!

I have a couple of questions about the epsilon budget -

1. Are epsilons budgets for linf norms (such as 8/255) in pixel space ([0,1] and before normalization with mean/std) or model input space (pixel values divided by 255. and normalized by mean/std)? If they are in the latter, model input space, why are adv. samples clamped to [0,1] in both Linfstep.project() and L2Step.project()?

2. Could you share the rationale for choices of epsilon (0, 0.5, 1., 2., 3) for l2 norm balls?

Thank you!

I would like to discuss the process of learning the robust version of VGG19 on the full ImageNet. So, I have an NVIDIA video card with 3 GB of memory and 8 GB of RAM. Is it really possible to start the learning process in such conditions(the training time is unlimited, the opportunity itself is important)?

Am I right in assuming the data output of a custom dataset has to be in the range of [0, 1] based the InputNormalizer used in AttackerModel?

You use [0.2023, 0.1994, 0.2010] as the std constant to perform normalization:

but I get different value:

from torchvision import datasets

train_set = datasets.CIFAR10(root='~/torchvision_dataset',
                             train=True, download=False)

print(train_set.data.shape)
print(train_set.data.mean(axis=(0, 1, 2)) / 255)
print(train_set.data.std(axis=(0, 1, 2)) / 255)


# --- output ---
# (50000, 32, 32, 3)
# [0.49139968 0.48215841 0.44653091]
# [0.24703223 0.24348513 0.26158784]

So, how are these values ([0.2023, 0.1994, 0.2010]) calculated？

Hello, thanks for the awesome repo.
I am currently replicating your results.
Could you please share the hyperparameter settings for adversarial training?
Currently, I am assuming the following:

CIFAR10 L2-norm (ResNet50):
Epsilon: as specified (0.25, 0.5, 1.0)
Step_size: Epsilon/5
Iterations: 7
Random start: False

CIFAR10 Linf-norm (ResNet50):
Epsilon: as specified (8/255)
Step_size: 0.01
Iterations: 7
Random start: False

ImageNet L2-norm (ResNet50):
Epsilon: as specified (3.0)
Step_size: Epsilon/5
Iterations: 7
Random start: False

ImageNet Linf-norm (ResNet50):
Epsilon: as specified (4/255, 8/255)
Step_size: 0.01
Iterations: 7
Random start: False

Are these correct?
Thanks and all the best

PyTorch version info:

pytorch                   1.6.0           py3.8_cuda10.2.89_cudnn7.6.5_0    pytorch
torchvision               0.7.0                py38_cu102    pytorch

The following code works in an environment with Python 3.7, but does not work for an equivalent environment using Python 3.8

from robustness import model_utils, datasets
ds = datasets.CIFAR('/tmp/')
model_path = "cifar_l2_1_0.pt"
model, checkpoint = model_utils.make_and_restore_model(arch='resnet50', dataset=ds, resume_path=model_path)

=> loading checkpoint 'cifar_l2_1_0.pt'

---------------------------------------------------------------------------
TypeError                                 Traceback (most recent call last)
<ipython-input-4-7793053c474f> in <module>
      2 
      3 model_path = "cifar_l2_1_0.pt"
----> 4 model, checkpoint = model_utils.make_and_restore_model(arch='resnet50', dataset=ds, resume_path=model_path)

~/anaconda3/envs/raiden/lib/python3.8/site-packages/robustness/model_utils.py in make_and_restore_model(arch, dataset, resume_path, parallel, pytorch_pretrained, add_custom_forward, *_)
     91     if resume_path and os.path.isfile(resume_path):
     92         print("=> loading checkpoint '{}'".format(resume_path))
---> 93         checkpoint = ch.load(resume_path, pickle_module=dill)
     94 
     95         # Makes us able to load models saved with legacy versions

~/anaconda3/envs/raiden/lib/python3.8/site-packages/torch/serialization.py in load(f, map_location, pickle_module, **pickle_load_args)
    583                     return torch.jit.load(opened_file)
    584                 return _load(opened_zipfile, map_location, pickle_module, **pickle_load_args)
--> 585         return _legacy_load(opened_file, map_location, pickle_module, **pickle_load_args)
    586 
    587 

~/anaconda3/envs/raiden/lib/python3.8/site-packages/torch/serialization.py in _legacy_load(f, map_location, pickle_module, **pickle_load_args)
    763     unpickler = pickle_module.Unpickler(f, **pickle_load_args)
    764     unpickler.persistent_load = persistent_load
--> 765     result = unpickler.load()
    766 
    767     deserialized_storage_keys = pickle_module.load(f, **pickle_load_args)

~/anaconda3/envs/raiden/lib/python3.8/site-packages/dill/_dill.py in load(self)
    471 
    472     def load(self): #NOTE: if settings change, need to update attributes
--> 473         obj = StockUnpickler.load(self)
    474         if type(obj).__module__ == getattr(_main_module, '__name__', '__main__'):
    475             if not self._ignore:

TypeError: an integer is required (got type bytes)

I have tried using the adversarial training command line tool to train a robust cifar 10 classifier as well as an external dataset (CalTech101). After 5 iteration, the network stops learning and the evaluation accuracy for natural images is only 10% (50% for accuracy 5 which i assume is top 5 accurate).
In the paper Towards Deep Learning Models Resistant to Adversarial
Attacks https://arxiv.org/pdf/1706.06083.pdf , i see a claim for accuracy of 45 to around 80% across multiple type of attacks, is the claim in the paper top 5 accuracy ?

Also, this is my command for training cifar 10:
python -m robustness.main --dataset cifar --data $PATH-CIFAR10 --adv-train 1 --arch resnet50 --out-dir $CIFAR10-ROBUST --eps 3.0 --attack-lr 0.5 --constraint 2
and for external dataset Caltech 101:
python -m robustness.main --dataset CalTech101 --data $PATH-CALTECH101 --adv-train 1 --arch resnet50 --out-dir $CALTECH-ROBUST --attack-steps 30 --constraint inf --eps 3.0 --attack-lr 0.1 --use-best 1

Thank you so much for any suggestion and help!

Thanks for your excellent work and I have three questions:

1. I notice that robustness does not support the MNIST dataset now. Do you consider adding it in the future?
2. When dealing with MNIST, do we need input normalization? I'm worried because there is no normalization operation in mnist_challenge but it exists in:
   

   robustness/robustness/attacker.py

   Line 319 in 89bdf80

   normalized_inp = self.normalizer(inp)

3. Will the above normalization of adversarial images damage the attack ability?

Hope for your answer~

Hello! Thanks for the great toolkit. I think the new update removed the ImageNetHierarchy class. Is there anything for replacement? Thanks again.

Hi. When I am using your package for getting a RestrictedImageNet dataloader, it seems that the argument of transform_train and transform_test does not affect the output image. Then I read your code and found that the construction does not use the passed-in transform but the default DA.TRANSFORM_TRAIN instead.
A small issue, but looking forward to fixing them. THX

line 177 of attacker.py probably should be

bloss = loss.clone().detach()

I've written a basic implementation for the SLIDE variant (modified L-1 PGD), and I think it may be useful to have it included it in this package. Should I go ahead and submit a PR for it?