Update index.html

index.html

@@ -192,37 +192,6 @@
   </div>
 </section>
 
-<!-- Relations -->
-<section class="section">
-  <div class="container is-max-desktop">
-    <h2 class="title is-3">Neighborhood Relations of AEs and Clean Samples</h2>
-    <div class="columns is-centered">
-      <div class="column container-centered">
-          <img src="./static/images/relations.jpg" alt="Neighborhood Relations of Benign Examples and AEs"/>
-          <p>
-            <strong>Figure 1. Neighborhood Relations of AEs and Clean Samples.</strong>
-          </p>
-      </div>
-    </div>
-    <div class="columns is-centered">
-      <div class="column has-text-justified">
-        <p>
-          The previous method, Latent Neighbourhood Graph (LNG), represents the relationship between the input sample and the reference 
-          sample as a graph, whose nodes are embeddings extracted by DNN and edges are built according to distances between the input node 
-          and reference nodes, and train a graph neural network to detect AEs.
-        </p>
-
-        <p>
-          In this work, We explore the relationship between inputs and their test-time augmented neighbours. As shown in Figure. 1, 
-          clean samples exhibit a stronger correlation with their neighbors in terms of label consistency and representation
-          similarity. In contrast, AEs are distinctly separated from their neighbors. According to this observation, we propose <strong>BEYOND</strong>
-          to detection adversarial examples.
-        </p>
-      </div>
-    </div>
-  </div>
-</section>
-<!-- Relations -->
 
 <!-- Overview -->
 <section class="section">
@@ -245,7 +214,7 @@
 <!-- Results -->
 <section class="section">
   <div class="container is-max-desktop">
-    <h2 class="title is-3">Detection Performance</h2>
+    <h2 class="title is-3">GREAT Score Results</h2>
     <div class="columns is-centered">
       <div class="column container-centered">
         <table class="tg" border="1" style="width:100%;">
@@ -405,19 +374,37 @@
 </section>
 <!-- Results -->
 
-<!-- Adaptive Attack -->
+<!-- New Figure Section -->
+<section class="section">
+  <div class="container is-max-desktop">
+    <div class="columns is-centered">
+      <div class="column container-centered">
+        <div>
+          <img src="./static/images/new_figure_2_2.png"
+               class="method_overview"
+               alt="Comparison of local GREAT Score and CW attack"/>
+          <p>
+            <strong>Figure 2.</strong> Comparison of local GREAT Score and CW attack in L<sub>2</sub> perturbation on CIFAR-10 with Rebuffi_extra model. 
+            The x-axis is the image id. The result shows the local GREAT Score is indeed a lower bound of the perturbation level found by CW attack.
+          </p>
+        </div>
+      </div>
+    </div>
+  </div>
+</section>
+<!-- New Figure Section -->
+
+<!-- Robustness Certificate Definition -->
 <section class="section">
 
   <div class="container is-max-desktop">
-    <h2 class="title is-3">Adaptive Attack</h2>
+    <h2 class="title is-3">Robustness Certificate Definition</h2>
 
     <div class="columns is-centered">
       <div class="column container formula">
         <p>
-          Attackers can design adaptive attacks to try to bypass BEYOND when the attacker knows all the parameters of the model 
-          and the detection strategy. For an SSL model with a feature extractor <i>f</i>, a projector <i>h</i>, and a classification head <i>g</i>, 
-          the classification branch can be formulated as <strong>C</strong>= <i>f</i> &deg; <i>g</i> and the representation branch as <strong>R</strong> = <i>f</i> &deg; <i>h</i>. 
-          To attack effectively, the adversary must deceive the target model while guaranteeing the label consistency and representation similarity of the SSL model. 
+          GREAT Score is designed to evaluate the global robustness of classifiers against adversarial attacks. It uses generative models to estimate a certified lower bound on true global robustness. For a K-way classifier f, we define a local robustness score g(G(z)) for a generated sample G(z), where G is a generator and z is sampled from a standard Gaussian distribution. This score measures the confidence gap between the correct class prediction and the most likely incorrect class. The GREAT Score, defined as the expectation of g(G(z)) over z, provides a certified lower bound on the true global robustness with respect to the data distribution learned by the generative model. This approach allows us to estimate global robustness without knowing the exact data distribution or minimal perturbations for each sample.
+        </p>
       </div>
     </div>
 
@@ -425,44 +412,45 @@
       <div class="column container-centered">
         <div id="adaptive-loss-formula" class="container">
           <div id="adaptive-loss-formula-list" class="row align-items-center formula-list">
-            <a href=".label-loss" class="selected">Label Consistency Loss</a>
-            <a href=".representation-loss">Representation Similarity Loss</a>
-            <a href=".total-loss">Total Loss</a>
+            <a href=".true-global-robustness" class="selected">True Global Robustness</a>
+            <a href=".global-robustness-estimate">Global Robustness Estimate</a>
+            <a href=".local-robustness-score">Local Robustness Score</a>
             <div style="clear: both"></div>
           </div>
           <div class="row align-items-center adaptive-loss-formula-content">
-            <span class="formula label-loss formula-content">
+            <span class="formula true-global-robustness formula-content">
               $$
               \displaystyle 
-              Loss_{label} = \frac{1}{k} \sum_{i=1}^{k} \mathcal{L}\left(\mathbb{C}\left(W^i(x+\delta)  \right), y_t\right)
+              \Omega(f) = \mathbb{E}_{x\sim P}[\Delta_{min}(x)]= \int_{x \sim P} \Delta_{\min}(x) p(x)dx
               $$
             </span>
-            <span class="formula representation-loss formula-content" style="display: none;">
+            <span class="formula global-robustness-estimate formula-content" style="display: none;">
               $$
               \displaystyle
-              Loss_{repre} = \frac{1}{k} \sum_{i=1}^{k}\mathcal{S}(\mathbb{R}(W^i(x+\delta)), \mathbb{R}(x+\delta))
+              \widehat{\Omega}(f) = \mathbb{E}_{x\sim P}[g(x)]= \int_{x \sim P} g(x) p(x)dx
               $$
             </span>
-            <span class="formula total-loss formula-content" style="display: none;">
-              $$\displaystyle \mathcal{L}_C(x+\delta, y_t) + Loss_{label} - \alpha \cdot Loss_{repre}$$
+            <span class="formula local-robustness-score formula-content" style="display: none;">
+              $$
+              \displaystyle
+              g\left(G(z)\right) = \sqrt{\cfrac{\pi}{2}}  \cdot \max\{  f_c(G(z)) - \max_{k \in \{1,\ldots,K\},k\neq c} f_k(G(z)),0 \}
+              $$
             </span>
           </div>
-          </div>
+        </div>
       </div>
     </div>
 
     <div class="columns is-centered">
       <div class="column container adaptive-loss-formula-content">
-        <p class="formula label-loss formula-content">
-          where k represents the number of generated neighbors, <i>y</i><sub><i>t</i></sub> is the target class, and <strong><i>L</i></strong> is the cross entropy loss function.
+        <p class="formula true-global-robustness formula-content">
+          where f is a classifier, P is a data distribution, and Δ<sub>min</sub>(x) is the minimal perturbation for a sample x.
         </p>
-        <p class="formula representation-loss formula-content" style="display: none">
-          where k represents the number of generated neighbors, and <strong><i>S</i></strong> is the cosine similarity.
+        <p class="formula global-robustness-estimate formula-content" style="display: none">
+          where g(x) is a local robustness statistic, and this estimate is used when the exact probability density function of P and local minimal perturbations are unknown.
         </p>
-          
-        <p class="formula total-loss formula-content" style="display: none;">
-          where <strong><i>L</i></strong><sub>C</sub> indicates classifier's loss function, <i>y</i><sub><i>t</i></sub> is the targeted class, and &alpha; refers to a hyperparameter, 
-          which is a trade-off parameter between label consistency and representation similarity..
+        <p class="formula local-robustness-score formula-content" style="display: none;">
+          where G(z) is a generated data sample, f<sub>c</sub> is the confidence score for the correct class c, and f<sub>k</sub> are the confidence scores for other classes.
         </p>
       </div>
     </div>