Skip to content

Latest commit

 

History

History
130 lines (111 loc) · 8.82 KB

README.md

File metadata and controls

130 lines (111 loc) · 8.82 KB

Introduction

This is an official release of the paper

Frequency-driven Imperceptible Adversarial Attack on Semantic Similarity, CVPR 2022

[Paper]

Overview

Abstract: Current adversarial attack research reveals the vulnerability of learning-based classifiers against carefully crafted perturbations. However, most existing attack methods have inherent limitations in cross-dataset generalization as they rely on a classification layer with a closed set of categories. Furthermore, the perturbations generated by these methods may appear in regions easily perceptible to the human visual system (HVS). To circumvent the former problem, we propose a novel algorithm that attacks semantic similarity on feature representations. In this way, we are able to fool classifiers without limiting attacks to a specific dataset. For imperceptibility, we introduce the low-frequency constraint to limit perturbations within high-frequency components, ensuring perceptual similarity between adversarial examples and originals. Extensive experiments on three datasets (CIFAR-10, CIFAR-100, and ImageNet-1K) and three public online platforms indicate that our attack can yield misleading and transferable adversarial examples across architectures and datasets. Additionally, visualization results and quantitative performance (in terms of four different metrics) show that the proposed algorithm generates more imperceptible perturbations than the state-of-the-art methods. Our code will be publicly available.

Requirements

  • python ==3.6
  • torch == 1.7.0
  • torchvision >= 0.7
  • numpy == 1.19.2
  • Pillow == 8.0.1
  • pywavelets

Required Dataset

  1. The data structure of Cifar10, Cifar100, ImageNet or any other datasets look like below. Please modify the dataloader at SSAH-Adversarial-master/main.py/ accordingly for your dataset structure.
/dataset/
├── cifar10
│   │   ├── cifar-10-python.tar.gz
├── cifar-100-python
│   │   ├── cifar-100-python.tar.gz
├── ILSVRC2012
│   ├── val
│   │   ├── n02328150

Experiments

We provide six perceptural metrics to measure imperceptibility, including l_2, l_inf, FID, SSIM, CIEDE2000, and LF.

Your can add more metrics in

/utils/
├── eval_metric_utils.py

We trained a resnet20 model with 92.6% accuracy with CIFAR1010 and a resnet20 model with 69.63% accuracy with CIFAR100. If you want to have a test, you can download our pre-trained models with the Google Drivers. If you want to use our algorithm to attack your own trained model, you can always replace our models in the file checkpoints. If your want to calculate FID, you need to download pt_inception-2015-12-05-6726825d.pth in this Google Drive and put it in the file checkpoints.

(1)Attack the Models Trained on Cifar10

CUDA_VISIBLE_DEVICES=0,1 bash scripts/cifar/cifar10-r20.sh

(2)Attack the Models Trained on Cifar100

CUDA_VISIBLE_DEVICES=0,1 bash scripts/cifar/cifar100-r20.sh

(2)Attack the Models Trained on Imagenet_val

CUDA_VISIBLE_DEVICES=0,1 bash scripts/cifar/Imagenet_val-r50.sh

Examples

example

Here we offer some experiment results. You can get more results in our paper.

Results on CIFAR10

Name Knowledge ASR(%) L2 Linf FID SSIM LF Paper
BIM White Box 100.0 0.85 0.03 14.85 0.85 0.25 ICLR2017
PGD White Box 100.0 1.28 0.03 27.86 0.79 0.34 arxiv link
MIM White Box 100.0 1.90 0.03 26.00 - 0.48 CVPR2018
AutoAttack White Box 100.0 1.91 0.03 34.93 - 0.61 ICML2020
AdvDrop White Box 99.92 0.90 0.07 16.34 - 0.34 ICCV2021
C&W White Box 100.0 0.39 0.06 8.23 0.98 0.11 IEEE SSP2017
PerC-AL White Box 98.29 0.86 0.18 9.58 0.97 0.15 CVPR2020
SSA White Box 99.96 0.29 0.02 5.73 0.99 0.07 CVPR2022
SSAH White Box 99.94 0.26 0.02 5.03 0.99 0.03 CVPR2022

Results on CIFAR100

Name Knowledge ASR(%) L2 Linf FID SSIM LF Paper
BIM White Box 99.99 0.85 0.03 15.26 0.83 0.32 ICLR2017
PGD White Box 99.99 1.29 0.03 27.74 0.77 0.42 arxiv link
MIM White Box 99.99 1.87 0.03 26.04 - 0.65 CVPR2018
AutoAttack White Box 100 1.91 0.03 33.86 - 0.61 ICML2020
AdvDrop White Box 99.93 0.80 0.07 15.59 - 0.31 ICCV2021
C&W White Box 100 0.52 0.07 11.04 0.98 0.19 IEEE SSP2017
PerC-AL White Box 99.61 1.41 0.21 12.83 0.96 0.37 CVPR2020
SSA White Box 99.90 0.48 0.03 9.68 0.99 0.17 CVPR2022
SSAH White Box 99.80 0.45 0.03 9.20 0.99 0.13 CVPR2022

Results on ImageNet

Name Knowledge ASR(%) L2 Linf FID SSIM LF Paper
BIM White Box 99.98 26.85 0.03 51.92 0.73 11.18 ICLR2017
PGD White Box 99.98 54.97 0.03 45.51 0.77 17.41 arxiv link
MIM White Box 99.98 91.78 0.03 101.88 - 39.42 CVPR2018
AutoAttack White Box 96.97 71.62 0.03 77.49 - 30.45 ICML2020
AdvDrop White Box 99.76 14.95 0.06 11.28 - 5.67 ICCV2021
C&W White Box 99.27 1.51 0.04 12.14 0.99 0.67 IEEE SSP2017
PerC-AL White Box 98.78 4.35 0.12 11.56 0.99 1.59 CVPR2020
SSA White Box 98.56 2.34 0.01 4.63 1.00 1.05 CVPR2022
SSAH White Box 98.01 1.81 0.01 3.90 1.00 0.06 CVPR2022

Citation

if the code or method help you in the research, please cite the following paper:

@inproceedings{luo2022frequency,
  title={Frequency-driven Imperceptible Adversarial Attack on Semantic Similarity},
  author={Luo, Cheng and Lin, Qinliang and Xie, Weicheng and Wu, Bizhu and Xie, Jinheng and Shen, Linlin},
  booktitle={Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition},
  pages={15315--15324},
  year={2022}
}