This repository contains the scripts that allow the reproduction of the comparative results in the manuscript "An Empirical Study of Derivative Free Optimization Algorithms for Targeted Black Box Attacks in Deep Neural Networks".
These instructions will get you a copy of the project up and running on your local machine for development and testing purposes.
pip install -r requirements.txt
Alternatively, one can directly uplaod one of the following conda environments according to the accessability to a GPU.
# With GPU
conda env create -f Adv_Attacks_GPU.yml
# Without GPU
conda env create -f Adv_Attacks_CPU.yml
Note that if using the CPUs, the robustness package has to be modified to allow it to load with the cpu device. To do this, open the robustness/model_utils.py documnet and in the fucntion make_and_restore_model comment out the line
model = model.cuda()
and modify the line
checkpoint = ch.load(resume_path, pickle_module=dill)
to
checkpoint = ch.load(resume_path, pickle_module=dill,map_location=ch.device('cpu'))
For MNIST and CIFAR it is necessary to run the following comand
CHECKPOINT_DATA=./Data
mkdir ${CHECKPOINT_DATA}
python Setups/Data_and_Model/save_MNIST_CIFAR_data.py
To download the ImageNet dataset
CHECKPOINT_DIR=./Data/ImageNet
mkdir ${CHECKPOINT_DIR}
wget http://jaina.cs.ucdavis.edu/datasets/adv/imagenet/img.tar.gz
tar -xvf img.tar.gz -C ./Data/ImageNet
rm img.tar.gz
mv ./Data/ImageNet/imgs ./Data/ImageNet/images
rm ./Data/ImageNet/imgs
We first have to make the directory for the mdoels via
CHECKPOINT_DIR=./Models
mkdir ${CHECKPOINT_DIR}
and then the adversarially trained nets for CIFAR and ImageNet are downloaded directly from a link.
We considered the ε = 8/255 for the cifar10 case a link and also the ε = 8/255 in the ImageNet case a link.
The nets for the non-adversarial case are inbuilt in Py-Torch.
There is a unique script whihc will run all of the different attacks that we might consider. This script has to be called with different flags that either specify the considered setup, or the parameters of the attack.
- 'dataset' -- Defines the dataset on which the nets are trained and is either 'cifar10' or 'ImageNet'
- 'attack' -- Defines the kind of attack considered. For the BOBYQA choose 'boby', For the Parsimonious choose 'combi', for Square choose 'square', for Frank-Wolfe choose 'FW', and for GenAttack consider 'gene'.
- 'test_size' -- Number of test images.
- 'max_evals' -- 'Maximum number of function evaluations.
- 'print_every' -- number of iterations at which the attack function has to print out.
- 'seed' -- random seed.
- 'Adversary_trained' -- Use the adversarially trained nets.
- 'description' -- Further description to include while saving the results.
- 'eps' -- perturbation energy.
- 'batch_size' -- 'Dimension of the optimisation domain.
- 'subspace_attack' -- Attack only a fixed number of pixels with highest variability.
- 'subspace_dimension' -- Dimension of the subspace optimisation domain when doing subspace attack.
- 'save' -- If saving the results.
- 'interpolation' -- Interpolation inbetween grod elements in the BOBYQA attack. It is either 'block' or 'linear'. # This is not active as an option at the moment.
- 'use_resize' -- if using hierarchical approach.
- 'n_channels' -- n channels in the perturbation grid.
- 'max_f' -- Maximum number of function evaluations in the BOBYQA attack,
$\kappa$ in the paper. - 'over' -- Kind of interpolation within block in the BOBYQA attack. This is either 'over' or 'linaer'.
- 'rounding' -- If to include the rounding possibility in the attacks, i.e. checking that the the perturbation projected to the boundaries is better or not.
- 'asset_dir' --directory assets.
- 'targeted' -- bool on targeted.
- 'max_iters' -- maximum iterations.
- 'block_size' -- blck size.
- 'no_hier' -- bool on hierarchical attack.
- 'dim_image' -- Dimension of the image that we feed as an input.
- 'num_channels' -- Channels of the image that we feed as an input.
- 'p_init' -- dimension of the blocks.
- 'mutation_rate' -- Mutation rate.
- 'alpha' -- Step size.
- 'pop_size' -- Population size.
- 'resize_dim' -- Reduced dimension for dimensionality reduction.
- 'adaptive' -- Turns on the dynamic scaling of mutation prameters.
- 'att_iter' -- Attack_Iterations.
- 'grad_est_batch_size' -- Dimension of batch for gradient estimation.
- 'l_r' -- Learning Rate.
- 'delta' -- radius on which gradient is learnt.
- 'beta1' -- Momentum Parameters.
- 'sensing_type' -- sensing type.
The following is an example on how to run an attack on ImageNet with the BOBYQA method with the maximum perturbation energy being
python Setups/Attacks.py --dataset=ImageNet --attack=boby --eps=0.1 --test_size=1 --Adversary_trained=False
With the functions in ./Analysis_Results it is possible to generate the graphs in Figure 1 and 9 of the manuscript once the data are generated.
We suggest to check the normal attack to inception v3 if somone want to check in more detail the implementation of the attack as this is the most cleaned implementation