Simple, production-ready compositional robustness testing for vision models
Project description
VisProbe
Rank your vision model against the RobustBench leaderboard under their exact protocol — then find the failure modes the leaderboard doesn't measure.
Every robust-vision paper reports a "robust accuracy" number, and few are directly comparable unless the protocol matches exactly. Different sample counts. Different attack subsets. Different epsilons. Different test-time augmentations. The published rankings on RobustBench mean something specific — and your evaluation only matches them if you ran the exact same thing.
VisProbe does two things: a defensible rank, plus the failure modes the rank misses.
- Compute a leaderboard rank under strict protocol enforcement. You either match the RobustBench protocol byte-for-byte and get a comparable rank, or VisProbe refuses to produce one. No silent disagreement with the published numbers.
- Sweep that same model across
environment × attack × severity. A model that ranks well on pristine images can collapse on inputs a real camera produces — those failure modes don't show up on the leaderboard. The rank tells you where you sit on paper; the sweep tells you what your users will actually hit.
1. Where do I sit on the leaderboard?
from visprobe import robustbench_eval, CompositionalResults
# CIFAR-10 ~5h, ~$15 on A100 | ImageNet ~25h, ~$70. confirm=True is required so you see the cost first.
result = robustbench_eval(model, "cifar10", "Linf", confirm=True)
results = CompositionalResults()
results.add_result("my_model", "none", 0.0, result)
print(results.compare_to_leaderboard("my_model", "cifar10", "Linf"))
RobustBench cifar10/Linf — my_model
====================================
Rank: 14 of 99 (top 14.1%)
Robust acc: 0.6789
Protocol: autoattack-standard, eps=8/255 (full RobustBench Linf)
Snapshot: 2026-05-27
Neighbors above (better):
#11 Wang2024Foo 0.6912 (+1.23 pp)
#12 Bai2024Bar 0.6856 (+0.67 pp)
#13 Cui2023Baz 0.6823 (+0.34 pp)
Neighbors below (worse):
#15 Gowal2023Qux 0.6745 (-0.44 pp)
#16 Rebuffi2022Quux 0.6710 (-0.79 pp)
#17 Carmon2021Corge 0.6680 (-1.09 pp)
That's the number you can put in a paper and defend.
Why the protocol matters
"Robust accuracy under AutoAttack" varies between papers in ways that quietly destroy comparability:
- APGD-CE only, or the full AutoAttack suite (4 sub-attacks). APGD-CE typically reports 1-3 pp higher.
- 1000 samples, or 10000. Standard error scales with √N.
- eps=8/255, eps=4/255, or something else entirely.
- With or without test-time augmentation.
"I beat the leaderboard" stops meaning what it sounds like. It becomes "I beat my version of it."
VisProbe pins the protocol per (dataset, threat) pair and validates it on every rank call.
The protocols
Each RobustBench leaderboard has its own fixed evaluation:
| Leaderboard | Attack | eps | Samples | Ships in v3? |
|---|---|---|---|---|
cifar10 / Linf |
autoattack-standard | 8/255 | 10000 | ✓ |
cifar100 / Linf |
autoattack-standard | 8/255 | 10000 | ✓ |
imagenet / Linf |
autoattack-standard | 4/255 | 5000 | ✓ |
cifar10 / L2 |
autoattack-standard | 0.5 | 10000 | later |
cifar10 / corruptions |
no attack — uses CIFAR-10-C | n/a | per corruption | later |
autoattack-standard is the full AutoAttack suite (APGD-CE + APGD-DLR + FAB + Square). The corruptions threat is a different evaluation entirely — the model is graded on pre-computed corrupted images rather than an adversary — so its protocol shape is fundamentally different and v3 doesn't cover it yet.
What the gate checks
On every compare_to_leaderboard() call, VisProbe validates your EvaluationResult against the protocol for the requested (dataset, threat):
metadata.protocol == "robustbench"— onlyrobustbench_eval()sets this, so arbitraryCompositionalExperimentoutputs can't accidentally claim a rank.attackmatches the expected attack for that threat.epsmatches the threat's eps (within float tolerance).n_samplesmatches the protocol sample count.
Any mismatch raises ProtocolError with the full list of violations and no attempt to approximate:
ProtocolError: Cannot rank against RobustBench cifar10/Linf — protocol mismatch:
- attack='autoattack-apgd-ce', expected 'autoattack-standard'
- n_samples=1000, expected 10000
- eps=0.0156862745, expected 0.0313725490
Fix: use robustbench_eval(model, dataset='cifar10', threat='Linf') to produce
a protocol-compliant result, or check that result.metadata survived any
serialization round-trip that might have stripped it.
There's no honest way to convert a 1000-sample APGD-CE number into a 10000-sample full-AutoAttack number, so the gate just refuses. The number you publish is the number you can defend.
2. What the leaderboard rank misses
A leaderboard rank is one point in a much larger evaluation space. It says nothing about how your model behaves when the camera is noisy, when the lighting drops, when an attacker exploits both at once. Real deployments rarely give you the pristine inputs RobustBench evaluates on.
For that, sweep the same model across environment × adversarial-attack × severity and look at where it actually breaks:
from visprobe import CompositionalExperiment, get_standard_perturbations
experiment = CompositionalExperiment(
models={"my_model": model},
images=images,
labels=labels,
env_strategies=get_standard_perturbations(), # blur, noise, brightness, lowlight
attack="autoattack-apgd-ce",
severities=[0.0, 0.25, 0.5, 0.75, 1.0],
eps_fn=lambda s: (8 / 255) * s,
checkpoint_dir="./checkpoints", # auto-resumes if interrupted
)
results = experiment.run() # prints cost estimate; pass confirm=True for sweeps > ~1h or ~$5
results.save("./results")
Run both — the leaderboard rank tells you where you sit, the compositional sweep tells you what your deployment faces. In our pilot on CIFAR-10, Wang2023, the #1 ranked model on RobustBench Linf, drops from 74% robust accuracy on clean inputs to 45% once Gaussian noise is added (pilot: APGD-CE on 1000 samples — the strict-protocol leaderboard number is 71%). Gowal2020 (~#30 on the leaderboard) ties Wang2023 under that noise condition — the #1-vs-#30 distinction collapses on inputs any real camera would produce. The gap between official rank and compositional behavior is where the interesting failure modes hide. Full pilot table: pilot_grid.csv.
Install
pip install "visprobe[all]"
That pulls in AutoAttack + RobustBench, which you need for both leaderboard rank and adversarial sweeps. (Bare pip install visprobe works but only gives you PGD and environment-only eval.)
If
pip installcan't findautoattack(the PyPI package occasionally lags), install it from GitHub instead:pip install visprobe[robustbench] pip install git+https://github.com/fra31/auto-attack
Attack modes
attack= |
Use |
|---|---|
"autoattack-standard" |
Full AutoAttack. Required for robustbench_eval. |
"autoattack-apgd-ce" |
APGD-CE only. ~5x faster. For compositional sweeps; not for leaderboard rank. |
"pgd" |
Standard PGD-Linf. Debugging or speed-sensitive sweeps. |
"none" |
Identity. Environment-only robustness. |
v3.1
Head-to-head on your data. Download the top-k published robust models, re-evaluate them on your images under your compositional protocol, and rank yourself alongside. Distinct from the official rank: the output carries a data_source: user label everywhere so the two cannot be confused.
Architecture
src/visprobe/
├── experiment.py # CompositionalExperiment + robustbench_eval
├── leaderboard.py # validate_protocol + RobustBenchClient + LeaderboardComparison
├── checkpoint.py # per-cell save/resume (module functions)
├── memory.py # one model on GPU at a time, rest swapped to CPU
├── attacks.py # attacks.build(): AutoAttack standard/APGD-CE, PGD, none
├── perturbations.py # 4 environmental perturbations: blur, noise, brightness, lowlight
└── results.py # CompositionalResults: save/load, summary, ranking
Leaderboard snapshots ship in src/visprobe/data/. CI refreshes them weekly via .github/workflows/refresh-leaderboard.yml.
Examples
- examples/visprobe_walkthrough.ipynb — full compositional-eval workflow end to end.
- examples/plotting.ipynb — matplotlib recipes (faceted accuracy curves + heatmap).
License
MIT.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file visprobe-3.0.0.tar.gz.
File metadata
- Download URL: visprobe-3.0.0.tar.gz
- Upload date:
- Size: 58.5 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.0
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
b70bc75617236d86b9191d0945057c946032d08c93de89bf2294459fd1a9dcad
|
|
| MD5 |
df3a74f76014ead1a03e12785dffa85d
|
|
| BLAKE2b-256 |
d40215389cd27645864158f1c13202c78376b1172b255d6e8cd74e4ae68f7c3d
|
File details
Details for the file visprobe-3.0.0-py3-none-any.whl.
File metadata
- Download URL: visprobe-3.0.0-py3-none-any.whl
- Upload date:
- Size: 37.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.0
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
e406d846bc686d633a4b6dbd98855d747ef602f80d394ebb628917f1d3e097fb
|
|
| MD5 |
7b5f56b636704de995b0f3f2f4aff080
|
|
| BLAKE2b-256 |
dd4c43c9163d38e6ff8d969bd330f4f0027f7e6be444de86062d79ee056afed8
|