Skip to content

Jeffkang-94/pytorch-adversarial-attack

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

14 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Pytorch implementation of gradient-based adversarial attack

This repository covers pytorch implementation of FGSM, MI-FGSM, and PGD attack. Attacks are implemented under attack folder. To explore adversarial attack, we deal with Madry model which had been trained with PGD adversarial examples.

Preliminary

When we train the model with task-specific loss (e.g., classification), the model constructs a decision boundary and classifies given inputs based on that boundary. An adversarial attack aims to find noise distribution to cross the decision boundary within Lp ball. In order to make sure that crafted adversarial images hold imperceptibility, the magnitude of perturbation will not be significant at human-level intuition. However, those are capable of crossing the boundary, leading to misclassification.

Original image / Difference / Adversarial image

Dependency

python 3.6
pytorch >= 1.4.0
tqdm

🚀 Usage

from attack import PGD

attack_config = {
    'eps' : 8.0/255.0, 
    'attack_steps': 7,
    'attack_lr': 2.0 / 255.0, 
    'random_init': True, 
}

attack = PGD(model, attack_config)
adversarial_image = attack(image, label)

🔨 Adversarial Training

You can test out the adversarial training using following command lines.
You have to specify the configuration path before launching the files.

> mkdir data  
> ln -s <datapath> data  
> python main.py --cfg_path config/train.json # training a victim model
> python main.py --cfg_path config/eval.json  # launching an adversarial attack to evaluate the pre-trained model

Configuration

Under config file, train.json and eval.json files include the configurations to launch the training or evaluation.
You can set the different options depending on your own environment. This is the example of train.json.

{
    "mode": "train",            // we are under train mode             
    "data_root": "./data",      // You can specify the own dataset root
    "model_name" : "resnet",    // name of the model
    "model_depth": 34,          // model depth
    "model_width": 1,           // model width
    "num_class":10,             // number of class, e.g., cifar-10 : 10
    "phase": "adv",             // [clean/adv] supported
  
/* Training Configuration */
    "lr": 0.1,
    "batch_size": 256,
    "weight_decay": 0.0005,
    "epochs": 200,
    "save_interval" : 5,
    "restore": false,
    "save_path": "results",
    "spbn": false,              // Split-batchnorm training, not supported
    "resume": false,
 
 /* Attack Configuration */
    "attack": "PGD",            // attack type [FGSM, MI-FGSM, PGD] supported
    "attack_steps": 7,          // attack steps
    "attack_eps": 8.0,          // magnitude of epsilon
    "attack_lr": 2.0,           // attack learning rate
    "random_init": true,        // flag for random start
  }

This is the example of eval.json.

{
    "mode": "eval",             // we are under eval mode  
    "data_root": "./data",      // You can specify the own dataset root
    "model_name" : "ResNet",    // name of the model
    "model_depth": 34,          // model depth
    "model_width": 1,           // model width
    "num_class":10,             // number of class, e.g., cifar-10 : 10
    "phase": "adv",             // [clean/adv] supported
  
  /* Evaluation Configuration */
    "batch_size": 128,
    "save_path": "results",
    "restore": false,           // Split-batchnorm training, not supported
    "spbn": false,
  
 /* Attack Configuration */
    "attack": "PGD",            // attack type
    "attack_steps": 7,          // attack steps
    "attack_eps": 8.0,          // magnitude of epsilon
    "attack_lr": 2.0,           // attack learning rate
    "random_init": true,        // flag for random start
  }

🚴 Pre-trained model

We provide the pre-trained ResNet model which had been trained with CIFAR-10 dataset. Note that Madry model had been trained with PGD-7 adversarial examples following introduced settings. For using a pre-trained model, you can use download.sh file. It will automatically download the whole pre-trained weight files and organize them to the designated path.

sudp apt-get install curl
bash download.sh
python main.py --cfg_path config/eval.json

Or you can directly access the link as below.

ResNet : link
Madry : link

Wide-ResNet : link
Wide-Madry : link

📔 Experiment

Model Clean FGSM MI-FGSM-20 PGD-7/40
ResNet 92.24 25.7 1.05 0.65/0.00
Madry-Simple 78.10 50.02 46.97 45.01/41.06
Wide-ResNetx10 94.70 31.15 0.43 0.14/0.00
Madry-Wide 86.71 52.27 47.27 47.74/43.39

👻 Examples

We visualize each sample of adversary.

FGSM adversary

MI-FGSM 20 steps adversary

PGD 7 steps adversary

Reference

About

Implementation of gradient-based adversarial attack(FGSM,MI-FGSM,PGD)

Topics

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published