Light

zhengyuzhao / transferattackeval Goto Github PK

View Code? Open in Web Editor NEW

110.0 3.0 10.0 19.75 MB

Revisiting Transferable Adversarial Images (arXiv)

Home Page: https://arxiv.org/abs/2310.11850

Python 100.00%

adversarial-examples transferable-attacks

transferattackeval's Introduction

Revisiting Transferable Adversarial Images

Revisiting Transferable Adversarial Images: Systemization, Evaluation, and New Insights. Zhengyu Zhao*, Hanwei Zhang*, Renjue Li*, Ronan Sicre, Laurent Amsaleg, Michael Backes, Qi Li, Qian Wang, Chao Shen.

We identify two main problems in common evaluation practices:
(1) for attack transferability, lack of systematic, one-to-one attack comparisons and fair hyperparameter settings;
(2) for attack stealthiness, simply no evaluations.

We address these problems by
(1) introducing a complete attack categorization and conducting systematic and fair intra-category analyses on transferability;
(2) considering diverse imperceptibility metrics and finer-grained stealthiness characteristics from the perspective of attack traceback.

We draw new insights, e.g.,
(1) under a fair attack hyperparameter setting, one early attack method, DI, actually outperforms all the follow-up methods;
(2) popular diffusion-based defenses give a false sense of security since it is indeed largely bypassed by (black-box) transferable attacks;
(3) even when all attacks are bounded by the same Lp norm, they lead to dramatically different stealthiness performance, which negatively correlates with their transferability performance.

We provide the first large-scale evaluation of transferable adversarial examples on ImageNet, involving 23 representative attacks against 9 representative defenses.

We reveal that existing problematic evaluations have indeed caused misleading conclusions and missing points, and as a result, hindered the assessment of the actual progress in this field.

Evaluated Attacks and Defenses

Attack Categorization (Welcome more papers!)

Gradient Stabilization Attacks [Code for 3 representative attacks]

Input Augmentation Attacks [Code for 5 representative attacks]

Feature Disruption Attacks [Code for 5 representative attacks]

Surrogate Refinement Attacks [Code for 5 representative attacks]

Generative Modeling Attacks

Surveys/Evaluations/Explanations

transferattackeval's People

Contributors

Stargazers

Watchers

Forkers

yangbo93 psr6275 phoenixml taozeze xiongzhuozhuo guanyujiao baojuanwang zuobinxiong zzsd zouyip

transferattackeval's Issues

I run the feature_disruption_attack.py,but the success rate is 0.000,can you help me?

How can I get the datasets---val5000?

特征攻击中间层怎么选择呢，只给了resnet50的中间层，其他几个模型运行的时候怎么设置参数呢？

What factors could potentially affect the performance of NAA and FIA?

Hello, Zhengyu, thank you for your excellent work. Notice that the performance of NAA and FIA attacks in Table 5 are quite worse than their original papers. I would like to ask, what factors could potentially lead the unsuccess of those methods? Any suggestions to improve their performance? Thanks a lot.

tested

Bad link in readme.md

you should check the link in readme.md, such as

[Our implementation]

Question about implementation of admix

I noticed a potential difference between the Admix paper and the re-implementation here. The code here uses img_x + 0.2 * img_other as inputs to the model (see code below) which may be missing the $\gamma_i = 1/2^i$ factor from Eq. 3 in the paper.

...
for c in range(multi_copies):
    img_other = img[torch.randperm(img.shape[0])].view(img.size())
    logits = model(img_x + 0.2 * img_other)
    loss = nn.CrossEntropyLoss(reduction='sum')(logits,labels)
    loss.backward()
    input_grad = input_grad + img_x.grad.clone()
...

I could be totally missing something here too so please correct me if I'm wrong. Thanks!

Will the code of defense be released in the future?

Hello, zhengyu! Thank you for your excellent work. I wonder whether the code of defense will be released in the future.

Sincerely, look forward to your reply.

A question about AAI re-implementation

Hi, @ZhengyuZhao

Thank you for your nice work. I have a question for this line of AAI model. Could you explain the reason of adding nn.LeakyReLU here?

Hope you are doing well.

Best,
Gepeng.

Loaded Checkpoint of RFA

Hi,
Thanks for your excellent work!
I'd like to reproduce RFA. I noticed that you load a checkpoint model for implementation of this method. Can you kindly share this checkpoint?

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.