Code for Semantic Adversarial Attacks as described in the paper. We use an attribute-controlled generative model to enforce a semantic constraint on adversarial examples.
Use

```
git clone --recursive <remote-path>
```

to pull the repo.
You can install the requirements using

```
pip install -r ./requirements.txt
```
Path for models: Link
The code has options to reproduce four different attack scenarios:
- Single-attribute attack with Fader Networks (see `attack_single_attribute.py`)
- Multi-attribute attack with Fader Networks (see `attack_fadernets.py`)
- Sequential multi-attribute attack with Fader Networks (see `attack_fadernets_seq.py`)
- Multi-attribute attack with AttGAN (see `attack_attgan.py`)
Each scenario is implemented in a separate file for ease of use.

To run the AttGAN attack:
- Download the AttGAN model from the link above.
- Train a target model using `simple_classifier.py` or `resnet.py`.
- Run `attack_attgan.py`.
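As a rough illustration of what one of these attacks does, the random-sampling variant (attack type `rn` in `attack_attgan.py`) can be sketched as below. This is a minimal toy sketch, not the repo's code: `generate` and `classify` are hypothetical stand-ins for the AttGAN generator and the target classifier.

```python
import random

def random_attribute_attack(x, a0, generate, classify, y_true,
                            n_trials=100, seed=0):
    """Sketch of the random-sampling attack: draw random edits of the
    attribute vector a0 and return the first one whose generated image
    the target classifier gets wrong (or None if none is found)."""
    rng = random.Random(seed)
    for _ in range(n_trials):
        # random perturbation of each attribute (hypothetical scheme)
        a = [ai + rng.uniform(-1.0, 1.0) for ai in a0]
        scores = classify(generate(x, a))
        if scores.index(max(scores)) != y_true:
            return a  # semantic adversarial attributes found
    return None
```

The attack searches in attribute space rather than pixel space, so every candidate image is produced by the generator and stays on its (approximate) image manifold.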
Usage:

```
python attack_attgan.py \
    -m <path to target model> \
    -f <path to attgan model> \
    -o <path to save images (adversarial or otherwise)> \
    -d <data directory containing images> \
    -a <path to attribute file (only required for CelebA)> \
    -t <attack type: optimize over attgan (att) or random sampling of attributes (rn)> \
    -dt <dataset used: celeba or bdd> \
    -ct <classifier type: simple or resnet> \
    --proj_flag <flag to enforce infinity-ball projection on attributes> \
    --eps <radius of the infinity ball; only used with proj_flag> \
    --nclasses <number of classes, default 2> \
    --attk_attributes <choice of attack attributes; see below>
```
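The `--proj_flag` and `--eps` options enforce an infinity-ball constraint on the attribute perturbation. A minimal sketch of such a projection (the repo's actual implementation may differ):

```python
def project_linf(a, a0, eps):
    """Project the attribute vector a back into the l-infinity ball of
    radius eps around the original attributes a0, i.e. clamp each
    per-attribute deviation to [-eps, eps]."""
    return [a0i + max(-eps, min(eps, ai - a0i)) for ai, a0i in zip(a, a0)]
```

Applying this after every update step keeps each attribute within `eps` of its original value, so the edit stays semantically close to the input image.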
Choice of attack attributes for CelebA:

```
[
    "Bald",
    "Bangs",
    "Black_Hair",
    "Blond_Hair",
    "Brown_Hair",
    "Bushy_Eyebrows",
    "Eyeglasses",
    "Male",
    "Mouth_Slightly_Open",
    "Mustache",
    "No_Beard",
    "Pale_Skin",
    "Young"
]
```
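Conceptually, selecting `--attk_attributes` chooses which entries of the CelebA attribute vector the attack may perturb. A hypothetical helper illustrating that mapping (the repo's actual encoding may differ):

```python
# The 13 CelebA attributes the attacks can target, in the order above.
CELEBA_ATTRIBUTES = [
    "Bald", "Bangs", "Black_Hair", "Blond_Hair", "Brown_Hair",
    "Bushy_Eyebrows", "Eyeglasses", "Male", "Mouth_Slightly_Open",
    "Mustache", "No_Beard", "Pale_Skin", "Young",
]

def attack_mask(attk_attributes):
    """Return a 0/1 mask over the attribute vector marking which
    entries the attack is allowed to perturb."""
    chosen = set(attk_attributes)
    unknown = chosen - set(CELEBA_ATTRIBUTES)
    if unknown:
        raise ValueError(f"unknown attributes: {sorted(unknown)}")
    return [1 if name in chosen else 0 for name in CELEBA_ATTRIBUTES]
```

For example, `attack_mask(["Eyeglasses", "Young"])` yields a mask that is 1 only at those two positions, restricting the perturbation to those attributes.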