# Demo - LGV Transfer Attacks (ImageNet)

This notebook demonstrates the LGV technique from the **ECCV22** paper ["LGV: Boosting Adversarial Example Transferability from Large Geometric Vicinity"](https://arxiv.org/abs/2207.13129) by Martin Gubri, Maxime Cordy, Mike Papadakis, Yves Le Traon from the University of Luxembourg and Koushik Sen from University of California, Berkeley.

LGV can be combined with several attacks to improve the transferability of adversarial examples. 

1. First, LGV collects models along the SGD trajectory with a high learning rate.  The following figure illustrates the approach. In this notebook, we use publically available pretrained models from the original paper. Nevertheless, commented code below is available to collect new models in 10 epochs.

![](https://github.com/Framartin/lgv-geometric-transferability/raw/main/lgv/plots/diagram_lr.png?raw=true)

2. Second, we apply a standard `torchattacks` attack on one LGV model per iteration. This step does not require any modification of the existing attack, as shown below. Once the models are collected, attacking does not increase the computation cost because we attack a single model per iteration. Computing each iteration gradient on all models gives generally better results, at the expense of an increase in computations.

## 1. Installation

In [3]:
!pip install torch torchattacks tqdm

Looking in indexes: https://pypi.org/simple, https://us-python.pkg.dev/colab-wheels/public/simple/


In [4]:
import os
import glob
import random
import torch
import torchvision
import numpy as np
from tqdm import tqdm
from collections import OrderedDict
from torchvision.models import resnet50
from torchvision import transforms
from torchvision import datasets
from torchattacks import LGV, BIM, MIFGSM, DIFGSM, TIFGSM

Download LGV models from the original paper. The zip file includes 3 sets of LGV collected models, corresponding to 3 random seeds starting from 3 independently trained DNNs. We will use a single one here, but you may want to report mean and standard deviation computed across several random seeds.

In [None]:
!wget -O lgv_models.zip https://figshare.com/ndownloader/files/36698862
!unzip lgv_models.zip

--2022-08-18 14:46:28--  https://figshare.com/ndownloader/files/36698862
Resolving figshare.com (figshare.com)... 52.49.60.170, 52.30.212.171, 2a05:d018:1f4:d003:5e66:753c:3d81:88f7, ...
Connecting to figshare.com (figshare.com)|52.49.60.170|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://s3-eu-west-1.amazonaws.com/pfigshare-u-files/36698862/models.zip?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIYCQYOYV5JSSROOA/20220818/eu-west-1/s3/aws4_request&X-Amz-Date=20220818T144629Z&X-Amz-Expires=10&X-Amz-SignedHeaders=host&X-Amz-Signature=2c3903f1bd12bf7d80950c8b9428d7b932ac51a027caf322a2661f71a170e768 [following]
--2022-08-18 14:46:29--  https://s3-eu-west-1.amazonaws.com/pfigshare-u-files/36698862/models.zip?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIYCQYOYV5JSSROOA/20220818/eu-west-1/s3/aws4_request&X-Amz-Date=20220818T144629Z&X-Amz-Expires=10&X-Amz-SignedHeaders=host&X-Amz-Signature=2c3903f1bd12bf7d80950c8b9428d7b932ac51a027caf32

Set up some constants.

In [5]:
PATH_LGV_MODELS="models/ImageNet/resnet50/cSGD/seed0"
DATA_PATH="/content/drive/MyDrive/data/ILSVRC2012_samples"
BATCH_SIZE_TRAIN=256  # changing batch-size to collect models might require you to tune the LGV learning rate hyperparameter
BATCH_SIZE_TEST=64
N_WORKERS=5
N_EXAMPLES=500  # increase to at least 1K if you want to publish results

In [7]:
torch.manual_seed(42)
np.random.seed(42)
random.seed(42)

## Load models

We load the surrogate and target models. 


In [8]:
def add_normalization_layer(model, mean, std):
    """
    Add a data normalization layer to a model
    """
    return torch.nn.Sequential(
        transforms.Normalize(mean=mean, std=std),
        model
    )

Load the LGV collected models.

In [9]:
# LGV surrogate
paths_models = glob.glob(f'{PATH_LGV_MODELS}/*.pt')
paths_models = sorted(paths_models)
list_models = []
for path in paths_models:
    model = resnet50()
    model.load_state_dict(torch.load(path)['state_dict'])
    model = add_normalization_layer(model=model, 
                                    mean=[0.485, 0.456, 0.406],
                                    std=[0.229, 0.224, 0.225])
    model = model.eval().cuda()
    list_models.append(model)

In [10]:
len(list_models)

40

Load the original DNN from which model collection started.

In [11]:
base_model = resnet50()
ckpt = torch.load(f'{PATH_LGV_MODELS}/original/ImageNet-ResNet50-052e7f78e4db--1564492444-1.pth.tar')['state_dict']
new_state_dict = OrderedDict()
for k, v in ckpt.items():
    name = k[7:]  # remove `module.`
    new_state_dict[name] = v

base_model.load_state_dict(new_state_dict)
base_model = add_normalization_layer(model=base_model,
                                     mean=[0.485, 0.456, 0.406], 
                                     std=[0.229, 0.224, 0.225])
base_model = base_model.eval().cuda()


Finally we load the target model, the pretrained resnet50 model provided by torchvision.

In [12]:
target_model = resnet50(pretrained=True)
target_model = add_normalization_layer(model=target_model, 
                                       mean=[0.485, 0.456, 0.406], 
                                       std=[0.229, 0.224, 0.225])
target_model = target_model.eval().cuda()

  f"The parameter '{pretrained_param}' is deprecated since 0.13 and will be removed in 0.15, "


## Dataloader

Loaders should load unnormalized data (in [0,1]). Here, the test loader is a random subset of 2K test examples. 

In [13]:
traindir = os.path.join(DATA_PATH, 'train')
transform_train = transforms.Compose([
            transforms.RandomResizedCrop(224),
            transforms.RandomHorizontalFlip(),
            transforms.ToTensor()
        ])
trainset = datasets.ImageFolder(traindir, transform_train)
trainloader = torch.utils.data.DataLoader(trainset, batch_size=BATCH_SIZE_TRAIN,
                                          shuffle=True, num_workers=N_WORKERS,
                                          pin_memory=True)
testdir = os.path.join(DATA_PATH, 'validation')
transform_test = transforms.Compose([
    transforms.Resize(256),
    transforms.CenterCrop(224),
    transforms.ToTensor()
])
testset = datasets.ImageFolder(testdir, transform_test)
indices = torch.from_numpy(np.random.choice(len(testset), size=(N_EXAMPLES,),
                                            replace=False))
# select a subset of 500 examples. The original paper selects only original 
# examples that are correctly predicted by the target model, which might explain
# why we obtain slightly different results.

testsubset = torch.utils.data.Subset(trainset, indices)
testloader = torch.utils.data.DataLoader(testsubset, batch_size=BATCH_SIZE_TEST,
                                         shuffle=False, num_workers=N_WORKERS,
                                         pin_memory=False)

## Attacks

We can easily combine LGV with attacks available out-of-the-box in `torchattacks`. Then, we report the success rates of the vanilla attacks.

In [21]:
def report_success_rate(atk):
    """
    Compute the success rate of the provided attack on test images
    """
    correct = 0
    total = 0
    for images, labels in tqdm(testloader):
        images = images.cuda()
        with torch.no_grad():
            outputs = target_model(images)
            _, predicted = torch.max(outputs.data, 1)
        adv_images = atk(images, predicted)
        with torch.no_grad():
            outputs_adv = target_model(adv_images)
            _, predicted_adv = torch.max(outputs_adv.data, 1)
        total += labels.size(0)
        correct += (predicted_adv == predicted).sum()
    print(f"Success rate of {type(atk).__name__}{'-'+atk.attack_class.__name__ if hasattr(atk, 'attack_class') else ''}: {100 - 100 * float(correct) / total}%\n")


### LGV + BIM

The most classical is to use LGV on top of BIM. 

- Below we provide commented code to collect the models yourself if you would rather not use the pretrained collected models. Collecting new models leads to similar results.
- Ideally, you want the number of attack iterations to be greater or equal than the number of collected models (`epochs * nb_models_epoch`). Otherwise, consider increasing `n_grad`, the number of models to ensemble at each iteration (please see the last section of the notebook). As shown in the paper, 50 BIM iterations have higher success rate than 10 BIM iterations.
- Changing the surrogate architecture or the training batch-size may require you to tune the learning rate (`lr`) hyperparameter. Preliminary experiments suggested that `lr=0.1` might be slightly better than the default 0.05 for some architectures.
- If you are limited in computations or memory, consider reducing the number of epochs to 5 and the number of models per epoch to 2. It should not impact too much the success rates (cf. appendix of the original paper).

In [17]:
atk = LGV(base_model, trainloader, lr=0.05, epochs=10, nb_models_epoch=4, 
          wd=1e-4, attack_class=BIM, eps=4/255, alpha=4/255/10,
          steps=50, verbose=True)
atk.load_models(list_models)  # load our list of collected models

# uncomment the next 2 lines and comment the last one to collect models yourself (10 ImageNet epochs)
#atk.collect_models()
#atk.save_models('models/lgv')

report_success_rate(atk)

  0%|          | 0/8 [00:00<?, ?it/s]

Phase 2: craft adversarial examples with BIM


100%|██████████| 8/8 [03:59<00:00, 29.96s/it]


Success rate of LGV-BIM: 98.2%





## LGV with other attacks

LGV can be easily combined with other attacks provided by `torchattacks`. By default, LGV compute the gradient of a single model at each iteration (`n_grad=1`). The parameter `n_grad` should be set to `-1` for single-step attacks, such as `FGSM`, to compute its unique gradient against all available models.

If you have collected models yourself (using `LGV.collect_models()`), you may want to load the saved models to the new `LGV` instance as below:

In [None]:
#paths_models = glob.glob('models/lgv/*.pt')
#paths_models.sort()
#list_models = []
#for path in paths_models:
#  model = resnet50()
#  model.load_state_dict(torch.load(path)['state_dict'])
#  model = add_normalization_layer(model=model, mean=[0.485, 0.456, 0.406], std=[0.229, 0.224, 0.225])
#  model = model.eval().cuda()
#  list_models.append(model)

We evaluate LGV when combined with more advanced attacks than BIM.

In [19]:
print("LGV+MI")
atk = LGV(base_model, trainloader, lr=0.05, epochs=10, nb_models_epoch=4, wd=1e-4, attack_class=MIFGSM, eps=4/255, alpha=4/255/10, steps=50, verbose=False)
atk.load_models(list_models)
report_success_rate(atk)

print("LGV+DI")
atk = LGV(base_model, trainloader, lr=0.05, epochs=10, nb_models_epoch=4, wd=1e-4, attack_class=DIFGSM, eps=4/255, alpha=4/255/10, steps=50, verbose=False)
atk.load_models(list_models)
report_success_rate(atk)

print("LGV+DI+MI")
atk = LGV(base_model, trainloader, lr=0.05, epochs=10, nb_models_epoch=4, wd=1e-4, attack_class=DIFGSM, eps=4/255, alpha=4/255/10, steps=50, decay=1.0, verbose=False)
atk.load_models(list_models)
report_success_rate(atk)

print("LGV+TI")
atk = LGV(base_model, trainloader, lr=0.05, epochs=10, nb_models_epoch=4, wd=1e-4, attack_class=TIFGSM, eps=4/255, alpha=4/255/10, steps=50, verbose=False)
atk.load_models(list_models)
report_success_rate(atk)

print("LGV+TI+MI")
atk = LGV(base_model, trainloader, lr=0.05, epochs=10, nb_models_epoch=4, wd=1e-4, attack_class=TIFGSM, eps=4/255, alpha=4/255/10, steps=50, decay=1.0, verbose=False)
atk.load_models(list_models)
report_success_rate(atk)

LGV+MI


100%|██████████| 8/8 [04:01<00:00, 30.13s/it]



Success rate of LGV-MIFGSM: 98.8%
LGV+DI


100%|██████████| 8/8 [04:01<00:00, 30.15s/it]



Success rate of LGV-DIFGSM: 98.4%
LGV+DI+MI


100%|██████████| 8/8 [04:01<00:00, 30.16s/it]



Success rate of LGV-DIFGSM: 98.6%
LGV+TI


100%|██████████| 8/8 [04:04<00:00, 30.56s/it]



Success rate of LGV-TIFGSM: 81.0%
LGV+TI+MI


100%|██████████| 8/8 [04:04<00:00, 30.60s/it]


Success rate of LGV-TIFGSM: 84.6%





## Baselines

We can now compare with the vanilla attacks, i.e., without LGV. A simple LGV+BIM attack beats all other attacks by a large margin. 

In [22]:
print("BIM")
atk = BIM(base_model, eps=4/255, alpha=4/255/10, steps=50)
report_success_rate(atk)

print("MI")
atk = MIFGSM(base_model, eps=4/255, alpha=4/255/10, steps=50)
report_success_rate(atk)

print("DI")
atk = DIFGSM(base_model, eps=4/255, alpha=4/255/10, steps=50)
report_success_rate(atk)

print("DI+MI")
atk = DIFGSM(base_model, eps=4/255, alpha=4/255/10, steps=50, decay=1.0)
report_success_rate(atk)

print("TI")
atk = TIFGSM(base_model, eps=4/255, alpha=4/255/10, steps=50)
report_success_rate(atk)

print("TI+MI")
atk = TIFGSM(base_model, eps=4/255, alpha=4/255/10, steps=50, decay=1.0)
report_success_rate(atk)

BIM


100%|██████████| 8/8 [04:03<00:00, 30.42s/it]


Success rate of BIM: 72.6%

MI


100%|██████████| 8/8 [04:01<00:00, 30.24s/it]


Success rate of MIFGSM: 78.4%

DI


100%|██████████| 8/8 [04:01<00:00, 30.17s/it]


Success rate of DIFGSM: 90.2%

DI+MI


100%|██████████| 8/8 [04:01<00:00, 30.19s/it]


Success rate of DIFGSM: 94.2%

TI


100%|██████████| 8/8 [04:05<00:00, 30.69s/it]


Success rate of TIFGSM: 67.4%

TI+MI


100%|██████████| 8/8 [04:05<00:00, 30.66s/it]

Success rate of TIFGSM: 74.4%






## **Best**: Average LGV gradients 

Averaging the gradients of several models at every iteration is as easy as setting `n_grad` to a higher value than 1. It generally improves the attack, at the expense of increased computations and memory usage. `n_grad=-1` would compute every gradients on all available models (should be used for single-step attack like FGSM). A trade-off may be found with intermediate values such as `n_grad=10` in the following example.

In [24]:
# decrease batch-size
testloader = torch.utils.data.DataLoader(testsubset, batch_size=8,
                                         shuffle=False, num_workers=N_WORKERS,
                                         pin_memory=False)

# LGV + BIM with 10 averaged gradients per iteration 
atk = LGV(base_model, trainloader, lr=0.05, epochs=10, nb_models_epoch=4, 
          wd=1e-4, n_grad=10, attack_class=BIM, eps=4/255, alpha=4/255/10,
          steps=50, verbose=False)
atk.load_models(list_models)
report_success_rate(atk)

100%|██████████| 63/63 [44:47<00:00, 42.67s/it]

Success rate of LGV-BIM: 99.2%






The best attack seems to be the combination of LGV with momentum on averaged gradients.

In [43]:
print("LGV+MI on 10 averaged gradients per iteration")
atk = LGV(base_model, trainloader, lr=0.05, epochs=10, nb_models_epoch=4, 
          wd=1e-4, n_grad=10, attack_class=MIFGSM, eps=4/255, alpha=4/255/10,
          steps=50, verbose=False)
atk.load_models(list_models)
report_success_rate(atk)

LGV+MI on 10 averaged gradients per iteration


100%|██████████| 63/63 [44:45<00:00, 42.63s/it]

Success rate of LGV-MIFGSM: 99.4%






## Credits

This notebook was written by Martin Gubri. If you use this code in your research, please consider citing the LGV paper:

```
@inproceedings{,
   abstract = {We propose transferability from Large Geometric Vicinity (LGV), a new technique to increase the transferability of black-box ad-versarial attacks. LGV starts from a pretrained surrogate model and collects multiple weight sets from a few additional training epochs with a constant and high learning rate. LGV exploits two geometric properties that we relate to transferability. First, models that belong to a wider weight optimum are better surrogates. Second, we identify a subspace able to generate an effective surrogate ensemble among this wider optimum. Through extensive experiments, we show that LGV alone outper-forms all (combinations of) four established test-time transformations by 1.8 to 59.9 percentage points. Our findings shed new light on the importance of the geometry of the weight space to explain the transferability of adversarial examples.},
   author = {Martin Gubri and Maxime Cordy and Mike Papadakis and Yves Le Traon and Koushik Sen},
   keywords = {Adversarial Examples,Deep Learning,Loss Geometry,Machine Learning Security,Transferability},
   publisher = {ECCV 2022},
   title = {LGV: Boosting Adversarial Example Transferability from Large Geometric Vicinity},
   url = {https://github.com/Framartin/lgv-geometric-transferability},
}
```