🎃TePA (IEEE S&P 2024)

This repository contains the PyTorch implementation of the paper "Test-Time Poisoning Attacks Against Test-Time Adaptation Models" by Tianshuo Cong, Xinlei He, Yun Shen, and Yang Zhang. In particular, we propose the first test-time poisoning attack against four mainstream test-time adaptation methods, including TTT, DUA, TENT, and RPL. Here is the workflow of TePA:

Citation ☺️

Thanks for your interest in our paper, please feel free to leave a ⭐️ or cite us through:

@inproceedings{cong2024tepa,
  title={Test-Time Poisoning Attacks Against Test-Time Adaptation Models},
  author={Tianshuo Cong and Xinlei He and Yun Shen and Yang Zhang},
  booktitle={IEEE Symposium on Security and Privacy (S\&P)},
  year={2024}
}

Requirements 🔧

TePA depends on the following requirements:

• Basic: PyTorch 1.11.0, Python 3.8, Cuda 11.3
• Others:
  • TTT: https://github.com/yueatsprograms/ttt_cifar_release
  • TENT: https://github.com/DequanWang/tent
  • DUA: https://github.com/jmiemirza/DUA

Baseline 🎯

• First, we should check the utility of the frozen target model, and the utility of the TTT (using clean i.i.d. samples), run the following code, and then we can get the results of Figure 4 and Table 1 of our paper.

python TTT/utility.py
python DUA/utility.py
python TENT/utility.py --cfg cfgs/tent_sgd.yaml
python RPL/utility.py --cfg cfgs/rpl_sgd.yaml 

Poison TTA-models 🦠

Algorithm-1 is implemented in TTA/poigen.py, here we use DIM as the transfer-based adversarial attack method. After generating poisoned samples by poigen.py, we upload the poisoned samples to target TTA-models through running:

python TTT/poison_ttt.py
python DUA/poison_dua.py
python TENT/poison_tent.py --cfg cfgs/tent_sgd.yaml
python RPL/poison_rpl.py --cfg cfgs/rpl_sgd.yaml 

Then, we can get the results of Figure 5-8.

Dataset 💾

Please download the following datasets through the official website and

• CIFAR-10 & CIFAR-100: https://www.cs.toronto.edu/~kriz/cifar.html
• CIFAR-10-C: https://zenodo.org/records/2535967
• CIFAR-100-C: https://zenodo.org/records/3555552
• CINIC-10: https://github.com/BayesWatch/cinic-10

Models 🕸

You can download the checkpoints here:

• TTT:
  • Target Models:
    • ResNet18-Y4 pre-trained on CIFAR-10
    • ResNet18-Y3 pre-trained on CIFAR-100
    • ResNet50-Y4 pre-trained on CIFAR-10
    • ResNet50-Y3 pre-trained on CIFAR-100
  • Surrogate Model:
    • ResNet18-Y3 pre-trained on CINIC-10 (without CIFAR-10)
• DUA & TENT & RPL:
  • Target Models:
    • ResNet18 pre-trained on CIFAR-10
    • ResNet18 pre-trained on CIFAR-100
    • ResNet50 pre-trained on CIFAR-10
    • ResNet50 pre-trained on CIFAR-100
  • Surrogate Model (only for poisoning TENT and RPL):
    • VGG-11 pre-trained on CINIC-10 (without CIFAR-10)

Acknowledgements 🌻

Our code is built upon the public code of the TTT, TENT, and DUA.