GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → fra31 → sparse-rs

fra31 / sparse-rs

Licence: MIT license
Sparse-RS: a versatile framework for query-efficient sparse black-box adversarial attacks

Programming Languages

python
139335 projects - #7 most used programming language

Labels

random-searchl0adversarial-attacksblack-box-attackssparse-attacksadversarial-patchesadversarial-frames

Projects that are alternatives of or similar to sparse-rs

square-attack
Square Attack: a query-efficient black-box adversarial attack via random search [ECCV 2020]
Stars: ✭ 89 (+270.83%)
Mutual labels:  random-search, adversarial-attacks, black-box-attacks
procedural-advml
Task-agnostic universal black-box attacks on computer vision neural network via procedural noise (CCS'19)
Stars: ✭ 47 (+95.83%)
Mutual labels:  adversarial-attacks, black-box-attacks
domain-shift-robustness
Code for the paper "Addressing Model Vulnerability to Distributional Shifts over Image Transformation Sets", ICCV 2019
Stars: ✭ 22 (-8.33%)
Mutual labels:  adversarial-attacks, black-box-attacks
MCS2018 Solution
No description or website provided.
Stars: ✭ 16 (-33.33%)
Mutual labels:  adversarial-attacks
SimP-GCN
Implementation of the WSDM 2021 paper "Node Similarity Preserving Graph Convolutional Networks"
Stars: ✭ 43 (+79.17%)
Mutual labels:  adversarial-attacks
hard-label-attack
Natural Language Attacks in a Hard Label Black Box Setting.
Stars: ✭ 26 (+8.33%)
Mutual labels:  adversarial-attacks
TIGER
Python toolbox to evaluate graph vulnerability and robustness (CIKM 2021)
Stars: ✭ 103 (+329.17%)
Mutual labels:  adversarial-attacks
grb
Graph Robustness Benchmark: A scalable, unified, modular, and reproducible benchmark for evaluating the adversarial robustness of Graph Machine Learning.
Stars: ✭ 70 (+191.67%)
Mutual labels:  adversarial-attacks
FLAT
[ICCV2021 Oral] Fooling LiDAR by Attacking GPS Trajectory
Stars: ✭ 52 (+116.67%)
Mutual labels:  adversarial-attacks
KitanaQA
KitanaQA: Adversarial training and data augmentation for neural question-answering models
Stars: ✭ 58 (+141.67%)
Mutual labels:  adversarial-attacks
flowattack
Attacking Optical Flow (ICCV 2019)
Stars: ✭ 58 (+141.67%)
Mutual labels:  adversarial-attacks
AdvPC
AdvPC: Transferable Adversarial Perturbations on 3D Point Clouds (ECCV 2020)
Stars: ✭ 35 (+45.83%)
Mutual labels:  adversarial-attacks
generative adversary
Code for the unrestricted adversarial examples paper (NeurIPS 2018)
Stars: ✭ 58 (+141.67%)
Mutual labels:  adversarial-attacks
chop
CHOP: An optimization library based on PyTorch, with applications to adversarial examples and structured neural network training.
Stars: ✭ 68 (+183.33%)
Mutual labels:  adversarial-attacks
Pro-GNN
Implementation of the KDD 2020 paper "Graph Structure Learning for Robust Graph Neural Networks"
Stars: ✭ 202 (+741.67%)
Mutual labels:  adversarial-attacks
AWP
Codes for NeurIPS 2020 paper "Adversarial Weight Perturbation Helps Robust Generalization"
Stars: ✭ 114 (+375%)
Mutual labels:  adversarial-attacks
Adversarial-Patch-Training
Code for the paper: Adversarial Training Against Location-Optimized Adversarial Patches. ECCV-W 2020.
Stars: ✭ 30 (+25%)
Mutual labels:  adversarial-patches
POPQORN
An Algorithm to Quantify Robustness of Recurrent Neural Networks
Stars: ✭ 44 (+83.33%)
Mutual labels:  adversarial-attacks
adversarial-recommender-systems-survey
The goal of this survey is two-fold: (i) to present recent advances on adversarial machine learning (AML) for the security of RS (i.e., attacking and defense recommendation models), (ii) to show another successful application of AML in generative adversarial networks (GANs) for generative applications, thanks to their ability for learning (high-…
Stars: ✭ 110 (+358.33%)
Mutual labels:  adversarial-attacks
PGD-pytorch
A pytorch implementation of "Towards Deep Learning Models Resistant to Adversarial Attacks"
Stars: ✭ 83 (+245.83%)
Mutual labels:  adversarial-attacks
View All Similar Projects ➔

Sparse-RS: a versatile framework for query-efficient sparse black-box adversarial attacks

Francesco Croce, Maksym Andriushchenko, Naman D. Singh, Nicolas Flammarion, Matthias Hein

University of Tübingen and EPFL

Paper: https://arxiv.org/abs/2006.12834

AAAI 2022

Abstract

Sparse adversarial perturbations received much less attention in the literature compared to L2- and Linf-attacks. However, it is equally important to accurately assess the robustness of a model against sparse perturbations. Motivated by this goal, we propose a versatile framework based on random search, Sparse-RS, for score-based sparse targeted and untargeted attacks in the black-box setting. Sparse-RS does not rely on substitute models and achieves state-of-the-art success rate and query efficiency for multiple sparse attack models: L0-bounded perturbations, adversarial patches, and adversarial frames. Unlike existing methods, the L0-version of untargeted Sparse-RS achieves almost 100% success rate on ImageNet by perturbing only 0.1% of the total number of pixels, outperforming all existing white-box attacks including L0-PGD. Moreover, our untargeted Sparse-RS achieves very high success rates even for the challenging settings of 20x20 adversarial patches and 2-pixel wide adversarial frames for 224x224 images. Finally, we show that Sparse-RS can be applied for universal adversarial patches where it significantly outperforms transfer-based approaches.

About the paper

Our proposed Sparse-RS framework is based on random search. Its main advantages are its simplicity and its wide applicability to multiple threat models:

We illustrate the versatility of the Sparse-RS framework by generating various sparse perturbations: L0-bounded, adversarial patches, and adversarial frames:

Sparse-RS also can successfully generate black-box universal attacks in sparse threat models without requiring a surrogate model:

In all these threat models, Sparse-RS improves over the existing approaches:

Moreover, for L0-perturbations Sparse-RS can even outperform existing white-box methods such as L0 PGD.

Code of Sparse-RS

The code is tested under Python 3.8.5 and PyTorch 1.8.0. It automatically downloads the pretrained models (either VGG-16-BN or ResNet-50) and requires access to ImageNet validation set.

The following are examples of how to run the attacks in the different threat models.

L0-bounded (pixel and feature space)

In this case k represents the number of pixels to modify. For untargeted attacks

CUDA_VISIBLE_DEVICES=0 python eval.py --norm=L0 \
	--model=[pt_vgg | pt_resnet] --n_queries=10000 --alpha_init=0.3 \
	--data_path=/path/to/validation/set --k=150 --n_ex=500

and for targeted attacks please use --targeted --n_queries=100000 --alpha_init=0.1. The target class is randomly chosen for each point.

To use an attack in the feature space please add --use_feature_space (in this case k indicates the number of features to modify).

As additional options the flag --constant_schedule uses a constant schedule for alpha instead of the piecewise constant decreasing one, while with --seed=N it is possible to set a custom random seed.

Image-specific patches and frames

For untargeted image- and location-specific patches of size 20x20 (with k=400)

CUDA_VISIBLE_DEVICES=0 python eval.py --norm=patches \
	--model=[pt_vgg | pt_resnet] --n_queries=10000 --alpha_init=0.4 \
	--data_path=/path/to/validation/set --k=400 --n_ex=100

For targeted patches (size 40x40) please use --targeted --n_queries=50000 --alpha_init=0.1 --k=1600. The target class is randomly chosen for each point.

For untargeted image-specific frames of width 2 pixels (with k=2)

CUDA_VISIBLE_DEVICES=0 python eval.py --norm=frames \
	--model=[pt_vgg | pt_resnet] --n_queries=10000 --alpha_init=0.5 \
	--data_path=/path/to/validation/set --k=2 --n_ex=100

For targeted frames (width of 3 pixels) please use --targeted --n_queries=50000 --alpha_init=0.5 --k=3. The target class is randomly chosen for each point.

Universal patches and frames

For targeted universal patches of size 50x50 (with k=2500)

CUDA_VISIBLE_DEVICES=0 python eval.py \
	--norm=patches_universal --model=[pt_vgg | pt_resnet] \
	--n_queries=100000 --alpha_init=0.3 \
	--data_path=/path/to/validation/set --k=2500 \
	--n_ex=30 --targeted --target_class=530

and for targeted universal frames of width 6 pixels (k=6)

CUDA_VISIBLE_DEVICES=0 python eval.py \
	--norm=frames_universal --model=[pt_vgg | pt_resnet] \
	--n_queries=100000 --alpha_init=1.667 \
	--data_path=/path/to/validation/set --k=6 \
	--n_ex=30 --targeted --target_class=530

The argument --target_class specifies the number corresponding to the target label. To generate universal attacks we use batches of 30 images resampled every 10000 queries.

Visualizing resulting images

We provide a script vis_images.py to visualize the images produced by the attacks. To use it please run

python vis_images --path_data=/path/to/saved/results

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].