
leba's Introduction

Learning Black-Box Attackers with Transferable Priors and Query Feedback

Jiancheng Yang*, Yangzhou Jiang*, Xiaoyang Huang, Bingbing Ni, Chenglong Zhao.

Neural Information Processing Systems (NeurIPS), 2020 (arXiv)

Abstract

This paper addresses the challenging black-box adversarial attack problem, where only classification confidence of a victim model is available. Inspired by consistency of visual saliency between different vision models, a surrogate model is expected to improve the attack performance via transferability. By combining transferability-based and query-based black-box attack, we propose a surprisingly simple baseline approach (named SimBA++) using the surrogate model, which significantly outperforms several state-of-the-art methods. Moreover, to efficiently utilize the query feedback, we update the surrogate model in a novel learning scheme, named High-Order Gradient Approximation (HOGA). By constructing a high-order gradient computation graph, we update the surrogate model to approximate the victim model in both forward and backward pass. The SimBA++ and HOGA result in Learnable Black-Box Attack (LeBA), which surpasses previous state of the art by large margins: the proposed LeBA reduces 34%-78% queries, while keeping higher attack success rates close to 100% in extensive ImageNet experiments, including attacking vision benchmarks and defensive models.

Implementation

Due to the size limit on supplementary material, we do not provide model weights or datasets here. Our experimental setting, including the models and attack settings, is similar to that of the paper "Improving Black-box Adversarial Attacks with a Transfer-based Prior". Code and experiment settings will be open-sourced after acceptance.

Requirements

The packages we depend on include: pytorch=1.2.0, pandas=0.25.1, pillow=5.4.1, opencv-python=4.1.1.26.
Note that the key package is pytorch.

Prepare Data

You can put ImageNet images and the label file in the directory images, or try our example images in images first.
The IMGN1 dataset from our paper is available on Baidu Wangpan (password: wawy) and Google Drive.

Prepare Models

You can use your own model as the victim model or surrogate model by modifying the function get_models in data_utils.py.
We provide pretrained ImageNet models from torchvision; note that in the paper we tested with pretrained models from TensorFlow-Slim.

Pretrained models and models used in experiments

You can find the models we used in experiments, and the pretrained ones, in this folder on Baidu Wangpan (password: r4z6) and Google Drive.

Script of Repo

  • LeBA2.py: Main script of the LeBA attack, including 5 attack modes (train, test, SimBA, SimBA+, SimBA++).
  • run_attack.py: Wrapper script to run LeBA.
  • data_utils.py: Functions that provide data, models, and the log class.
  • get_result.py: Evaluates the result file.
  • defense: Contains defense methods; currently only JPEG compression is provided.

Run LeBA

  • Run the different modes (train, test, SimBA, SimBA+, SimBA++) in sequence with a script
    Use run_attack.py; it saves all the result files to a directory like 'note_log_all/inception_v3_Dec10_f1'. Edit run_attack.py to specify the attack mode (train, test, SimBA, SimBA+, SimBA++); otherwise it runs all 5 attack modes in sequence.
python run_attack.py --gpu_id=0,1,2 --script=LeBA10.py --model1=inception_v3 --model2=resnet152
  • To run SimBA+ mode
python LeBA10.py --mode=simba+ --model1=inception_v3 --model2=resnet152 --input_dir=images --label=labels --out_dir="your output dir" 
  • To run SimBA++ mode
python LeBA10.py --mode=simba++ --model1=inception_v3 --model2=resnet152 --input_dir=images --label=labels --out_dir="your output dir" 
  • To run LeBA
python LeBA10.py --mode=train --model1=inception_v3 --model2=resnet152 --input_dir=images --label=labels --out_dir="your output dir" --pretrain_weight=""
  • To run LeBA (test) mode
    After running LeBA, use the weights trained by LeBA to test on another dataset.
python LeBA10.py --mode=test --model1=inception_v3 --model2=resnet152 --input_dir=imagesset2 --label=labels --out_dir="same output dir as train" --pretrain_weight="this_weight"

To attack a defensive model:

# for JPEG compression
python run_attack.py --gpu_id=0,1,2 --script=LeBA10.py --model1=inception_v3 --model2=resnet152 --defense_method=jpeg

To evaluate results: modify out_dir in get_result.py and run python get_result.py; the results will be saved in the result directory.

leba's People

Contributors

jiangyangzhou, duducheng
