
# **Practical BlackBox Attack Against ML : Spectrum Simulation Attack**
Machine learning models, such as deep neural networks (DNNs), can be vulnerable to adversarial examples, that is, malicious inputs modified to yield erroneous model outputs while appearing unmodified to human observers. Most existing adversarial attacks can fool a black-box model only with a low success rate.
Black-box attacks often face challenges due to significant differences between the substitute model and the target model, resulting in less effective attacks. While there are methods that attempt to improve attack performance by simulating multiple models using image transformations, transformations in the spatial domain haven't proven to be very effective. To address this issue, we use an attack strategy that consists of training a local model to substitute for the target model, using inputs synthetically generated by an adversary and labeled by the target. We also introduce a novel approach: the spectrum simulation attack (SSA). This method transforms the input in the frequency domain, aiming to craft adversarial examples that are more transferable across various models, including those with defenses. The code for our method can be found at: https://github.com/yuyang-long/SSA.



<small>Prepared by Riddhi Boodnah, Chua Sheng Xin</small>

<small>Lab Tutor: [Yin Yin Low](mailto:yin.low@monash.edu)</small>

### Step 1: Prepare the Models

A substitute model is required to stand in for the target DNN and produce the samples on which the attack is performed, so pretrained PyTorch models are used in this role.
Prepare the pretrained PyTorch models and put them into ./models/ in SSA-master. The models already exist in the local Google Drive, so this step can be skipped; instead, just run the code to mount the local Google Drive in Colab. To move more models into the local Google Drive, uncomment and run the following code once:

```
# import shutil
# source_path = '/content/drive/My Drive/Colab Notebooks/pytorch_model'
# destination_directory = '/content/drive/My Drive/Colab Notebooks/SSA-master/models/'
# shutil.move(source_path, destination_directory)
```

```
# Mount Google Drive to Colab
from google.colab import drive
drive.mount('/content/drive')
```

```
Drive already mounted at /content/drive; to attempt to forcibly remount, call drive.mount("/content/drive", force_remount=True).
```


# Spectrum Simulation Attack

The Spectrum Simulation Attack (SSA) introduces a frequency domain-based technique to bolster transferability in adversarial attacks. Traditional adversarial methods in the spatial domain tend to result in non-diverse substitute models, limiting their efficacy. SSA's innovation lies in its utilization of spectrum transformations on input images, shifting the adversarial crafting process to the frequency domain. This approach not only produces diverse substitute models but also crafts adversarial examples with enhanced transferability across both standard and defense models. Central to SSA is the concept of the spectrum saliency map. This map highlights pivotal frequency components, guiding the adversarial perturbation process. By leveraging properties from the frequency domain, SSA ensures that adversarial examples are not only potent against a given model but also maintain their effectiveness when transferred to other models. In essence, SSA's technical differentiation stems from its shift from spatial to frequency domain, and the strategic use of spectrum saliency to target critical frequency components.
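To make the frequency-domain transformation described above concrete, here is an added example (not code from this notebook or from the SSA repository) that applies a DCT, rescales each frequency coefficient by a random factor, and inverts the DCT. The form of the transform (Gaussian pixel noise plus a uniform per-frequency mask), the parameters `rho` and `sigma`, and all function names are assumptions made for illustration.

```python
import numpy as np

def dct_matrix(n):
    """Orthonormal DCT-II basis C (n x n), so C @ C.T is the identity."""
    k = np.arange(n).reshape(-1, 1)  # frequency index, one per row
    i = np.arange(n).reshape(1, -1)  # pixel index, one per column
    c = np.sqrt(2.0 / n) * np.cos(np.pi * (2 * i + 1) * k / (2 * n))
    c[0, :] = np.sqrt(1.0 / n)       # DC row has its own normalisation
    return c

def dct2(x):
    """2-D DCT of a square image: columns and rows transformed by C."""
    c = dct_matrix(x.shape[0])
    return c @ x @ c.T

def idct2(coeffs):
    """Inverse 2-D DCT (C is orthonormal, so its inverse is C.T)."""
    c = dct_matrix(coeffs.shape[0])
    return c.T @ coeffs @ c

def spectrum_transform(x, rho, sigma, rng):
    """Assumed transform: idct2(dct2(x + noise) * mask).

    noise ~ N(0, sigma^2) per pixel, mask ~ U(1 - rho, 1 + rho) per
    frequency coefficient; rho and sigma are illustrative parameters.
    """
    noise = rng.normal(0.0, sigma, x.shape)
    mask = rng.uniform(1.0 - rho, 1.0 + rho, x.shape)
    return idct2(dct2(x + noise) * mask)

def max_relative_coeff_shift(x, x_t):
    """Largest |DCT(x_t) - DCT(x)| / |DCT(x)| over non-negligible terms."""
    d, d_t = dct2(x), dct2(x_t)
    keep = np.abs(d) > 1e-9
    return float(np.max(np.abs(d_t[keep] - d[keep]) / np.abs(d[keep])))

# Constructed 8x8 sample "image" with pixel values in [0, 1].
SAMPLE = np.random.default_rng(0).uniform(0.0, 1.0, (8, 8))

if __name__ == "__main__":
    rng = np.random.default_rng(1)
    for rho in (0.0, 0.25, 0.5):
        x_t = spectrum_transform(SAMPLE, rho, 0.0, rng)
        print(rho, round(max_relative_coeff_shift(SAMPLE, x_t), 3),
              round(float(np.max(np.abs(x_t - SAMPLE))), 3))
```

With `sigma = 0`, each frequency coefficient moves by at most a fraction `rho` of its own magnitude, so the transformed copies differ from the input in their spectrum rather than through a spatial operation such as resizing or translation.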


### Step 2: Prepare the Attack Method

Install and import modules and libraries that pertain to Spectrum Simulation Attack (SSA).

```
# Install the dependencies
!pip install pretrainedmodels
```

```
Collecting pretrainedmodels
  Downloading pretrainedmodels-0.7.4.tar.gz (58 kB)
  Preparing metadata (setup.py) ... done
Collecting munch (from pretrainedmodels)
  Downloading munch-4.0.0-py2.py3-none-any.whl (9.9 kB)
Building wheels for collected packages: pretrainedmodels
  Building wheel for pretrainedmodels (setup.py) ... done
  Created wheel for pretrainedmodels: filename=pretrainedmodels-0.7.4-py3-none-any.whl size=60943 sha256=39d3d2a8b0842b6be7e9d20107c8ed5b9541f15232cef5c8b4fc8ef777e1cfbf
  Stored in directory: /root/.cache/pip/wheels/35/cb/a5/8f534c60142835bfc889f9a482e4a67e0b817032d9c6883b64
Successfully built pretrainedmodels
Installing collected packages: munch, pretrainedmodels
Successfully installed munch-4.0.0
```

### Step 3: Applying the Attack
After installing and importing everything that is needed, apply the Spectrum Simulation Attack (SSA) with the following code found in the research paper. The one modification made is the batch size in the arguments for the SSA attack. As the attack does not lack effectiveness, it is thought that increasing the batch size from 10 to 20 can speed up the process and increase the effectiveness.

```
%cd /content/drive/MyDrive/Colab\ Notebooks/SSA-master/
# gpuid is a placeholder for the GPU index (for example 0 on a single-GPU runtime)
!CUDA_VISIBLE_DEVICES=gpuid python attack.py --output_dir ./outputs/
```

```
/content/drive/MyDrive/Colab Notebooks/SSA-master
Downloading: "https://download.pytorch.org/models/inception_v3_google-1a9a5a14.pth" to /root/.cache/torch/hub/checkpoints/inception_v3_google-1a9a5a14.pth
100% 104M/104M [00:00<00:00, 254MB/s]
100% 50/50 [52:19<00:00, 62.79s/it]
```


### Step 4: Evaluate the Attack Success Rate

Run verify.py to evaluate the attack success rate of the Spectrum Simulation Attack (SSA).

```
%cd /content/drive/MyDrive/Colab\ Notebooks/SSA-master/
!CUDA_VISIBLE_DEVICES=gpuid python verify.py --output_dir outputs
```

```
/content/drive/MyDrive/Colab Notebooks/SSA-master
tf_inception_v3  acu = 99.70%
tf_inception_v4  acu = 62.60%
tf_inc_res_v2  acu = 59.80%
tf_resnet_v2_50  acu = 57.10%
tf_resnet_v2_101  acu = 52.10%
tf_resnet_v2_152  acu = 49.20%
tf_ens3_adv_inc_v3  acu = 31.00%
tf_ens4_adv_inc_v3  acu = 32.50%
tf_ens_adv_inc_res_v2  acu = 17.40%
```
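For comparing runs or defenses, the per-model lines above can be summarised as follows. This is an added example, not part of the notebook or the SSA repository: it takes the printed figures as attack success rates, as Step 4 describes, and assumes that a model name containing `adv` denotes an adversarially trained model. The function names are hypothetical.

```python
import re

# verify.py output copied from the run shown above.
VERIFY_OUTPUT = """\
tf_inception_v3  acu = 99.70%
tf_inception_v4  acu = 62.60%
tf_inc_res_v2  acu = 59.80%
tf_resnet_v2_50  acu = 57.10%
tf_resnet_v2_101  acu = 52.10%
tf_resnet_v2_152  acu = 49.20%
tf_ens3_adv_inc_v3  acu = 31.00%
tf_ens4_adv_inc_v3  acu = 32.50%
tf_ens_adv_inc_res_v2  acu = 17.40%
"""

LINE_RE = re.compile(r"^(?P<model>\S+)\s+acu\s*=\s*(?P<rate>\d+(?:\.\d+)?)%$")

def parse_verify_output(text):
    """Return {model_name: rate_percent}; fail loudly on malformed lines."""
    rates = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: unrecognised format: {raw!r}")
        rate = float(m["rate"])
        if not 0.0 <= rate <= 100.0:
            raise ValueError(f"line {lineno}: rate out of range: {rate}")
        rates[m["model"]] = rate
    return rates

def summarise(rates):
    """Mean rate (percent) overall and per group of evaluated models.

    Assumption: a model whose name contains 'adv' is adversarially trained.
    """
    groups = {"standard": [], "adv_trained": []}
    for model, rate in rates.items():
        groups["adv_trained" if "adv" in model else "standard"].append(rate)
    summary = {g: round(sum(v) / len(v), 2) for g, v in groups.items() if v}
    summary["all"] = round(sum(rates.values()) / len(rates), 2)
    return summary

if __name__ == "__main__":
    print(summarise(parse_verify_output(VERIFY_OUTPUT)))
```

For this run the means are 63.42% on the six standard models, 26.97% on the three adversarially trained ones, and 51.27% across all nine.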


## Conclusion:

In this study, we utilize the Spectrum Simulation Attack (SSA), a novel approach to enhancing adversarial attacks by considering the frequency domain. The attack offers a fresh perspective on model augmentation, effectively bridging the disparity between substitute and victim models using spectrum-transformed images. When juxtaposed with conventional model augmentation attacks in the spatial domain, the method's superior efficacy becomes evident, significantly surpassing leading transfer-based attack techniques. Testing on the ImageNet dataset showed the method to be highly effective, achieving an average success rate of 95.4% against nine advanced defense models.
