Transferable Unrestricted Adversarial Examples
This is the PyTorch implementation of the
- Arxiv paper: Towards Transferable Unrestricted Adversarial Examples with Minimum Changes,
- No.1 solution of of CVPR’21 Security AI Challenger: Unrestricted Adversarial Attacks on ImageNet Competition.
Main Results
In this work, we propose a geometry-aware framework to generate transferable unrestricted adversarial examples with minimum changes.
Intuition of our geometry-aware framework
The perturbation budgets required for transfer-based attack are different for distinct images.
Fooling adversarially trained robust models by transfer-based black-box attacks
GA-DMI-FSA generates semantic-preserving unrestricted adversarial examples by adjusting the images' color, texture, etc.
Requirements
- Python >= 3.6
- Pytorch >= 1.0
- timm = 0.4.12
- einops = 0.3.2
- perceptual_advex = 0.2.6
- Numpy
- CUDA
Data and Pretrained Models
The workspace is like this
├── assets
├── attacks
├── Competition
│ ├── code
│ ├── input_dir
│ │ └── images
│ └── output_dir
├── data
│ ├── ckpts
│ └── images
├── scripts
└── utils
You could download the data/images
dataset from google drive (140M) and the data/ckpts
from google drive (1.63G).
Usage
Geometry-Aware framework
To reproduce the results of GA-DTMI-FGSM in Tab.3, run
bash scripts/run_main_ens.sh
# or with DistributedSampler
bash scripts/run_main_ens_dist.sh
To reproduce the results of GA-DMI-FSA in Tab.3, run
# with DistributedSampler
bash scripts/run_main_ens_fea_dist.sh
Benchmarking models in Tab.3 under transfer-based attacks
To run the attack on a single GPU
python main_bench_mark.py --input_path "path/of/adv_examples"
or with a DistributedSampler
, i.e.,
OMP_NUM_THREADS=1 python -m torch.distributed.launch --nproc_per_node=8 --master_port 26667 main_bench_mark.py --distributed --batch_size 40 --input_path "path/of/adv_examples"
To run the pgd-20 attack on model idx (0, 4, 7, etc.) in Tab. 3
python pgd_attack.py --source_id idx