This repository includes the source code for "Finding Optimal Tangent Points for Reducing Distortions of Hard-label Attacks", which is published in NeurIPS 2021.
We kindly ask anybody who uses this code to cite the following bibtex:
@inproceedings{
ma2021finding,
title={Finding Optimal Tangent Points for Reducing Distortions of Hard-label Attacks},
author={Chen Ma and Xiangyu Guo and Li Chen and Jun-Hai Yong and Yisen Wang},
booktitle={Thirty-Fifth Conference on Neural Information Processing Systems},
year={2021},
url={https://openreview.net/forum?id=g0wang64Zjd}
}
+-- configures
| |-- HSJA.json # the hyperparameters setting of HSJA, which is also used in Tangent Attack and Generalized Tangent Attack.
+-- dataset
| |-- dataset_loader_maker.py # it returns the data loader class that includes 1000 attacks images for the experiments.
| |-- npz_dataset.py # it is the dataset class that includes 1000 attacks images for the experiments.
+-- models
| |-- defensive_model.py # the wrapper of defensive networks (e.g., AT, ComDefend, Feature Scatter), and it converts the input image's pixels to the range of 0 to 1 before feeding.
| |-- standard_model.py # the wrapper of standard classification networks, and it converts the input image's pixels to the range of 0 to 1 before feeding.
+-- tangent_attack_hemisphere # the folder of Tangent Attack (TA)
| |-- attack.py # the main class for the attack.
| |-- tangent_point_analytical_solution.py # the class for computing the optimal tagent point of the hemisphere.
+-- tangent_attack_semiellipsoid # the folder of Generailized Tangent Attack (G-TA)
| |-- attack.py # the main class for the attack.
| |-- tangent_point_analytical_solution.py # the class for computing the optimal tagent point of the semi-ellipsoid.
+-- cifar_models # this folder includes the target models of CIFAR-10, i.e., PyramidNet-272, GDAS, WRN-28, and WRN-40 networks.
|-- config.py # the main configuration of Tangent Attack.
|-- logs # all the output (logs and result stats files) are located inside this folder
|-- train_pytorch_model # the pretrained weights of target models
|-- attacked_images # the 1000 image data for evaluation
The folder of attacked_images contains the 1000 tested images, which are packaged into .npz format with the pixel range of [0-1].
This folder can be downloaded from https://drive.google.com/file/d/1NkfMPShB9dUuugyFr2T8KTKM4kdwfKC2/view?usp=sharing.
The folder of train_pytorch_model contains the pretrained weights of target models, which can be downloaded from https://drive.google.com/file/d/1VfCdU14nAhOvumXTIA-B8OC6XwGYvUml/view?usp=sharing.
In the attack, all logs are dumped to logs folder. The results of attacks are also written into the logs folder, which use the .json format.
I have uploaded the compressed zip file of the experimental results onto https://drive.google.com/file/d/1vng1Gs6YgZs3PGMvfJb-exRRIsrbo5vx/view?usp=sharing,
so that you can directly use the results of baseline methods without repeatedly running experiments.
The following command could run Tangent Attack (TA) and Generalized Tangent Attack (G-TA) on the CIFAR-10 dataset under the untargetd attack's setting:
python tangent_attack_hemisphere/attack.py --gpu 0 --norm l2 --dataset CIFAR-10 --arch resnet-50
python tangent_attack_hemisphere/attack.py --gpu 0 --norm l2 --dataset CIFAR-10 --arch gdas
python tangent_attack_semiellipsoid/attack.py --gpu 0 --norm l2 --dataset CIFAR-10 --arch resnet-50
python tangent_attack_semiellipsoid/attack.py --gpu 0 --norm l2 --dataset CIFAR-10 --arch gdas
Once the attack is running, it directly writes the log into a newly created logs folder. After attacking, the statistical result are also dumped into the same folder, which is named as *.json file.
Also, you can use the following bash shell to run the attack of different models one by one.
./tangent_attack_CIFAR_undefended_models.sh
The commmand of attacks of defense models are presented in tangent_attack_CIFAR_defense_models.sh.
- The gpu device could be specified by the
--gpu device_idargument. - the targeted attack can be specified by the
--targetedargument. If you want to perform untargeted attack, just don't pass it. - the attack of defense models uses
--attack_defense --defense_model adv_train/jpeg/com_defend/TRADESargument.
Our code is tested on the following environment (probably also works on other environments without many changes):
- Ubuntu 18.04
- Python 3.7.3
- CUDA 11.1
- CUDNN 8.0.4
- PyTorch 1.7.1
- torchvision 0.8.2
- numpy 1.18.0
- pretrainedmodels 0.7.4
- bidict 0.18.0
- advertorch 0.1.5
- glog 0.3.1
You can just type pip install -r requirements.txt to install packages.
In summary, there are three extra folders that can be downloaded, i.e., attacked_images, train_pytorch_model, and optionally logs.
The attacked_images can be downloaded from https://drive.google.com/file/d/1NkfMPShB9dUuugyFr2T8KTKM4kdwfKC2/view?usp=sharing.
Besides, the targeted attack requires a randomly selected image of the target class in the validation set, and the validation set of the ImageNet dataset can be downloaded from https://drive.google.com/file/d/1sE1i25mXApKuBChdhSqLbcFUEXTYYF9H/view?usp=sharing.
The pre-trained weights of the target models can be downloaded from https://drive.google.com/file/d/1VfCdU14nAhOvumXTIA-B8OC6XwGYvUml/view?usp=sharing.
Before running experiments, please download above files and uncompress them to this project's root path.
Also, I have uploaded the compressed zip format file that contains logs and results onto https://drive.google.com/file/d/1JswjvdDpaWMU7keGLA5HaVnZkYP3LpUO/view?usp=sharing.
You can use these experimental results directly without spending a lot of time to re-run the experiments.