Awesome
Introduction
This is an official release of the paper
Frequency-driven Imperceptible Adversarial Attack on Semantic Similarity, CVPR 2022
Abstract: Current adversarial attack research reveals the vulnerability of learning-based classifiers against carefully crafted perturbations. However, most existing attack methods have inherent limitations in cross-dataset generalization as they rely on a classification layer with a closed set of categories. Furthermore, the perturbations generated by these methods may appear in regions easily perceptible to the human visual system (HVS). To circumvent the former problem, we propose a novel algorithm that attacks semantic similarity on feature representations. In this way, we are able to fool classifiers without limiting attacks to a specific dataset. For imperceptibility, we introduce the low-frequency constraint to limit perturbations within high-frequency components, ensuring perceptual similarity between adversarial examples and originals. Extensive experiments on three datasets (CIFAR-10, CIFAR-100, and ImageNet-1K) and three public online platforms indicate that our attack can yield misleading and transferable adversarial examples across architectures and datasets. Additionally, visualization results and quantitative performance (in terms of four different metrics) show that the proposed algorithm generates more imperceptible perturbations than the state-of-the-art methods. Our code will be publicly available.
Requirements
- python ==3.6
- torch == 1.7.0
- torchvision >= 0.7
- numpy == 1.19.2
- Pillow == 8.0.1
- pywavelets
Required Dataset
- The data structure of Cifar10, Cifar100, ImageNet or any other datasets look like below. Please modify the dataloader at
SSAH-Adversarial-master/main.py/accordingly for your dataset structure.
/dataset/
├── cifar10
│ │ ├── cifar-10-python.tar.gz
├── cifar-100-python
│ │ ├── cifar-100-python.tar.gz
├── ILSVRC2012
│ ├── val
│ │ ├── n02328150
Experiments
We provide six perceptural metrics to measure imperceptibility, including l_2, l_inf, FID, SSIM, CIEDE2000, and LF.
Your can add more metrics in
/utils/
├── eval_metric_utils.py
We trained a resnet20 model with 92.6% accuracy with CIFAR1010 and a resnet20 model with 69.63% accuracy with CIFAR100. If you want to have a test, you can download our pre-trained models with the Google Drivers. If you want to use our algorithm to attack your own trained model, you can always replace our models in the file checkpoints.
If your want to calculate FID, you need to download pt_inception-2015-12-05-6726825d.pth in this Google Drive and put it in the file checkpoints.
(1)Attack the Models Trained on Cifar10
CUDA_VISIBLE_DEVICES=0,1 bash scripts/cifar/cifar10-r20.sh
(2)Attack the Models Trained on Cifar100
CUDA_VISIBLE_DEVICES=0,1 bash scripts/cifar/cifar100-r20.sh
(2)Attack the Models Trained on Imagenet_val
CUDA_VISIBLE_DEVICES=0,1 bash scripts/cifar/Imagenet_val-r50.sh
Examples
Here we offer some experiment results. You can get more results in our paper.
Results on CIFAR10
| Name | Knowledge | ASR(%) | L2 | Linf | FID | SSIM | LF | Paper |
|---|---|---|---|---|---|---|---|---|
| BIM | White Box | 100.0 | 0.85 | 0.03 | 14.85 | 0.85 | 0.25 | ICLR2017 |
| PGD | White Box | 100.0 | 1.28 | 0.03 | 27.86 | 0.79 | 0.34 | arxiv link |
| MIM | White Box | 100.0 | 1.90 | 0.03 | 26.00 | - | 0.48 | CVPR2018 |
| AutoAttack | White Box | 100.0 | 1.91 | 0.03 | 34.93 | - | 0.61 | ICML2020 |
| AdvDrop | White Box | 99.92 | 0.90 | 0.07 | 16.34 | - | 0.34 | ICCV2021 |
| C&W | White Box | 100.0 | 0.39 | 0.06 | 8.23 | 0.98 | 0.11 | IEEE SSP2017 |
| PerC-AL | White Box | 98.29 | 0.86 | 0.18 | 9.58 | 0.97 | 0.15 | CVPR2020 |
| SSA | White Box | 99.96 | 0.29 | 0.02 | 5.73 | 0.99 | 0.07 | CVPR2022 |
| SSAH | White Box | 99.94 | 0.26 | 0.02 | 5.03 | 0.99 | 0.03 | CVPR2022 |
Results on CIFAR100
| Name | Knowledge | ASR(%) | L2 | Linf | FID | SSIM | LF | Paper |
|---|---|---|---|---|---|---|---|---|
| BIM | White Box | 99.99 | 0.85 | 0.03 | 15.26 | 0.83 | 0.32 | ICLR2017 |
| PGD | White Box | 99.99 | 1.29 | 0.03 | 27.74 | 0.77 | 0.42 | arxiv link |
| MIM | White Box | 99.99 | 1.87 | 0.03 | 26.04 | - | 0.65 | CVPR2018 |
| AutoAttack | White Box | 100 | 1.91 | 0.03 | 33.86 | - | 0.61 | ICML2020 |
| AdvDrop | White Box | 99.93 | 0.80 | 0.07 | 15.59 | - | 0.31 | ICCV2021 |
| C&W | White Box | 100 | 0.52 | 0.07 | 11.04 | 0.98 | 0.19 | IEEE SSP2017 |
| PerC-AL | White Box | 99.61 | 1.41 | 0.21 | 12.83 | 0.96 | 0.37 | CVPR2020 |
| SSA | White Box | 99.90 | 0.48 | 0.03 | 9.68 | 0.99 | 0.17 | CVPR2022 |
| SSAH | White Box | 99.80 | 0.45 | 0.03 | 9.20 | 0.99 | 0.13 | CVPR2022 |
Results on ImageNet
| Name | Knowledge | ASR(%) | L2 | Linf | FID | SSIM | LF | Paper |
|---|---|---|---|---|---|---|---|---|
| BIM | White Box | 99.98 | 26.85 | 0.03 | 51.92 | 0.73 | 11.18 | ICLR2017 |
| PGD | White Box | 99.98 | 54.97 | 0.03 | 45.51 | 0.77 | 17.41 | arxiv link |
| MIM | White Box | 99.98 | 91.78 | 0.03 | 101.88 | - | 39.42 | CVPR2018 |
| AutoAttack | White Box | 96.97 | 71.62 | 0.03 | 77.49 | - | 30.45 | ICML2020 |
| AdvDrop | White Box | 99.76 | 14.95 | 0.06 | 11.28 | - | 5.67 | ICCV2021 |
| C&W | White Box | 99.27 | 1.51 | 0.04 | 12.14 | 0.99 | 0.67 | IEEE SSP2017 |
| PerC-AL | White Box | 98.78 | 4.35 | 0.12 | 11.56 | 0.99 | 1.59 | CVPR2020 |
| SSA | White Box | 98.56 | 2.34 | 0.01 | 4.63 | 1.00 | 1.05 | CVPR2022 |
| SSAH | White Box | 98.01 | 1.81 | 0.01 | 3.90 | 1.00 | 0.06 | CVPR2022 |
Citation
if the code or method help you in the research, please cite the following paper:
@inproceedings{luo2022frequency,
title={Frequency-driven Imperceptible Adversarial Attack on Semantic Similarity},
author={Luo, Cheng and Lin, Qinliang and Xie, Weicheng and Wu, Bizhu and Xie, Jinheng and Shen, Linlin},
booktitle={Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition},
pages={15315--15324},
year={2022}
}