On Generating Transferable Targeted Perturbations (ICCV'21)

Muzammal Naseer, Salman Khan, Munawar Hayat, Fahad Shahbaz Khan, and Fatih Porikli

Paper (arXiv), 5-min Presentation, Poster

Abstract: While the untargeted black-box transferability of adversarial perturbations has been extensively studied before, changing an unseen model's decisions to a specific `targeted' class remains a challenging feat. In this paper, we propose a new generative approach for highly transferable targeted perturbations (ours). We note that the existing methods are less suitable for this task due to their reliance on class-boundary information that changes from one model to another, thus reducing transferability. In contrast, our approach matches the perturbed image `distribution' with that of the target class, leading to high targeted transferability rates. To this end, we propose a new objective function that not only aligns the global distributions of source and target images, but also matches the local neighbourhood structure between the two domains. Based on the proposed objective, we train a generator function that can adaptively synthesize perturbations specific to a given input. Our generative approach is independent of the source or target domain labels, while consistently performs well against state-of-the-art methods on a wide range of attack settings. As an example, we achieve 32.63% target transferability from (an adversarially weak) VGG19<sub>BN</sub> to (a strong) WideResNet on ImageNet val. set, which is 4x higher than the previous best generative attack and 16x better than instance-specific iterative attack.

Updates & News

Citation

If you find our work, this repository and the pretrained adversarial generators useful, please consider giving a star :star: and citing our work.

@InProceedings{Naseer_2021_ICCV,
    author    = {Naseer, Muzammal and Khan, Salman and Hayat, Munawar and Khan, Fahad Shahbaz and Porikli, Fatih},
    title     = {On Generating Transferable Targeted Perturbations},
    booktitle = {Proceedings of the IEEE/CVF International Conference on Computer Vision (ICCV)},
    month     = {October},
    year      = {2021},
    pages     = {7708-7717}
}

Contents

  1. Contributions
  2. Target Transferability Vs Model Disparity
  3. Pretrained Targeted Generator
  4. Training
  5. Evaluation
  6. Why Augmentations boost Transferability?
  7. Why Ensemble of weak Models maximizes Transferability?
  8. Generative Vs Iterative Attacks
  9. Visual Examples

Contributions

  1. We designed a new training mechanism that allows an adversarial generator to explore the augmented adversarial space during training, which enhances the transferability of adversarial examples during inference.
  2. We propose maximizing the mutual agreement between the given source and the target distributions. Our relaxed objective provides two crucial benefits: a) the generator can now model the target distribution by pushing global statistics between the source and target domains closer in the discriminator's latent space, and b) training no longer depends on class impressions, so our method can provide targeted guidance to the generator without the need for classification boundary information. This allows an attacker to learn targeted generative perturbations from unsupervised features.
  3. We propose diverse and consistent experimental settings to evaluate the target transferability of adversarial attacks: Unknown Target Model, Unknown Training Mechanism, and Unknown Input Processing.
  4. We provide a platform to track targeted transferability. Please see Tracking SOTA Targeted Transferability. (kindly let us know if you have a new attack method, we will add your results here)
<p align="center"> <img src="https://github.com/Muzammal-Naseer/TTP/blob/main/assets/concept_fig.png" > </p>

Target Transferability Vs Model Disparity

Our analysis indicates that there is a fundamental difference between targeted and untargeted transferability. Model disparity plays a critical role in how targeted perturbations are transferred from one model to another. Here is an example (average transferability across 10 targets):

<p align="center"> <img width="400" height="300" src="https://github.com/Muzammal-Naseer/TTP/blob/main/assets/resnet_within_family.png" > </p>

Pretrained Targeted Generator

If you find our pretrained Adversarial Generators useful, please consider citing our work.

Class to Label Mapping

Class Number: Class Name
24: Great Grey Owl
99: Goose
245: French Bulldog
344: Hippopotamus
471: Cannon
555: Fire Engine
661: Model T
701: Parachute
802: Snowmobile
919: Street Sign       

Targeted Adversarial Generators trained against Single ImageNet Model.

The pretrained generators are saved as "netG_Discriminator_sourceDomain_epoch_targetDomain.pth". For example, netG_vgg11_IN_19_24.pth means that the generator was trained against vgg11 (the discriminator) for 20 epochs by maximizing agreement between the source domain (natural images from ImageNet (IN)) and the target domain (images of Grey Owl).
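A parser for this naming convention, useful for checking that a downloaded checkpoint matches the source model and target you intend to evaluate. This is an added example, not code from the TTP repository: `GeneratorInfo`, `parse_generator_name` and `select_generators` are hypothetical names, matching from the right (so a discriminator such as vgg19_bn can contain an underscore) is an assumption, and the epoch field is read as zero-based because the page's example pairs 19 with 20 epochs.

```python
import os
import re
from dataclasses import dataclass

# Target ids and names copied from the page's "Class to Label Mapping" list.
TARGET_NAMES = {24: "Great Grey Owl", 99: "Goose", 245: "French Bulldog",
                344: "Hippopotamus", 471: "Cannon", 555: "Fire Engine",
                661: "Model T", 701: "Parachute", 802: "Snowmobile",
                919: "Street Sign"}

# Fields are matched from the right so a discriminator name may contain "_"
# (assumed for names such as vgg19_bn; the page only shows vgg11).
_NAME_RE = re.compile(
    r"^netG_(?P<disc>.+)_(?P<domain>[A-Za-z0-9]+)_(?P<epoch>\d+)_(?P<target>\d+)\.pth$"
)


@dataclass(frozen=True)
class GeneratorInfo:  # hypothetical container, not part of the TTP code base
    discriminator: str
    source_domain: str
    epoch_index: int
    target: int

    @property
    def epochs_trained(self) -> int:
        # Assumption: zero-based index (the page pairs 19 with 20 epochs).
        return self.epoch_index + 1

    @property
    def target_name(self):
        # None for the 90 ResNet50-only targets, which are not in TARGET_NAMES.
        return TARGET_NAMES.get(self.target)


def parse_generator_name(path: str) -> GeneratorInfo:
    """Split a checkpoint file name into the four fields of the convention."""
    m = _NAME_RE.match(os.path.basename(path))
    if m is None:
        raise ValueError(f"not a generator checkpoint name: {path!r}")
    target = int(m["target"])
    if not 0 <= target <= 999:  # ImageNet-1k class ids
        raise ValueError(f"target {target} is not an ImageNet class id")
    return GeneratorInfo(m["disc"], m["domain"], int(m["epoch"]), target)


def select_generators(paths, discriminator, target):
    """Return (paths matching the request, paths that break the convention)."""
    matches, rejected = [], []
    for p in paths:
        try:
            info = parse_generator_name(p)
        except ValueError:
            rejected.append(p)
            continue
        if info.discriminator == discriminator and info.target == target:
            matches.append(p)
    return matches, rejected
```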

| Source Model | 24 | 99 | 245 | 344 | 471 | 555 | 661 | 701 | 802 | 919 |
|---|---|---|---|---|---|---|---|---|---|---|
| VGG11 | Grey Owl | Goose | French Bulldog | Hippopotamus | Cannon | Fire Engine | Model T | Parachute | Snowmobile | Street Sign |
| VGG13 | Grey Owl | Goose | French Bulldog | Hippopotamus | Cannon | Fire Engine | Model T | Parachute | Snowmobile | Street Sign |
| VGG16 | Grey Owl | Goose | French Bulldog | Hippopotamus | Cannon | Fire Engine | Model T | Parachute | Snowmobile | Street Sign |
| VGG19 | Grey Owl | Goose | French Bulldog | Hippopotamus | Cannon | Fire Engine | Model T | Parachute | Snowmobile | Street Sign |
| VGG11_BN | Grey Owl | Goose | French Bulldog | Hippopotamus | Cannon | Fire Engine | Model T | Parachute | Snowmobile | Street Sign |
| VGG13_BN | Grey Owl | Goose | French Bulldog | Hippopotamus | Cannon | Fire Engine | Model T | Parachute | Snowmobile | Street Sign |
| VGG16_BN | Grey Owl | Goose | French Bulldog | Hippopotamus | Cannon | Fire Engine | Model T | Parachute | Snowmobile | Street Sign |
| VGG19_BN | Grey Owl | Goose | French Bulldog | Hippopotamus | Cannon | Fire Engine | Model T | Parachute | Snowmobile | Street Sign |
| ResNet18 | Grey Owl | Goose | French Bulldog | Hippopotamus | Cannon | Fire Engine | Model T | Parachute | Snowmobile | Street Sign |
| ResNet50 | Grey Owl | Goose | French Bulldog | Hippopotamus | Cannon | Fire Engine | Model T | Parachute | Snowmobile | Street Sign |
| ResNet101 | Grey Owl | Goose | French Bulldog | Hippopotamus | Cannon | Fire Engine | Model T | Parachute | Snowmobile | Street Sign |
| ResNet152 | Grey Owl | Goose | French Bulldog | Hippopotamus | Cannon | Fire Engine | Model T | Parachute | Snowmobile | Street Sign |
| Dense121 | Grey Owl | Goose | French Bulldog | Hippopotamus | Cannon | Fire Engine | Model T | Parachute | Snowmobile | Street Sign |
| Dense161 | Grey Owl | Goose | French Bulldog | Hippopotamus | Cannon | Fire Engine | Model T | Parachute | Snowmobile | Street Sign |
| Dense169 | Grey Owl | Goose | French Bulldog | Hippopotamus | Cannon | Fire Engine | Model T | Parachute | Snowmobile | Street Sign |
| Dense201 | Grey Owl | Goose | French Bulldog | Hippopotamus | Cannon | Fire Engine | Model T | Parachute | Snowmobile | Street Sign |

Targeted Adversarial Generators trained against Ensemble of ImageNet Model.

| Source Ensemble | 24 | 99 | 245 | 344 | 471 | 555 | 661 | 701 | 802 | 919 |
|---|---|---|---|---|---|---|---|---|---|---|
| VGG{11,13,16,19}<sub>BN</sub> | Grey Owl | Goose | French Bulldog | Hippopotamus | Cannon | Fire Engine | Model T | Parachute | Snowmobile | Street Sign |
| Res{18,50,101,152} | Grey Owl | Goose | French Bulldog | Hippopotamus | Cannon | Fire Engine | Model T | Parachute | Snowmobile | Street Sign |
| Dense{121,161,169,201} | Grey Owl | Goose | French Bulldog | Hippopotamus | Cannon | Fire Engine | Model T | Parachute | Snowmobile | Street Sign |

Targeted Adversarial Generators trained against ResNet50.

We trained generators for 100 targets, but for ResNet50 only. These generators are for the remaining 90 targets, distributed across the ImageNet classes.

Source Model: ResNet50

Class Number: Class Name
3: Tiger Shark
16: Bulbul
36: Terrapin
48: Komodo Dragon
52: Thunder Snake
69: Trilobite
71: Scorpion
85: Quail
107: Jellyfish
114: Slug
130: Flamingo
138: Bustard
142: Dowitcher
151: Chihuahua
162: Beagle
178: Weimaraner
189: Lakeland Terrier
193: Australian Terrier
207: Golden Retriever
212: English Setter
228: Komondor
240: Appenzeller
260: Chow
261: Keeshond
276: Hyena
285: Egyptian Cat
291: Lion
309: Bee
317: Leafhopper
328: Sea Urchin
340: Zebra
358: Polecat
366: Gorilla
374: Langur
390: Eel
393: Anemone Fish
404: Airliner
420: Banjo
430: Basketball
438: Beaker
442: Bell Cote
453: Bookcase
464: Buckle
485: CD Player
491: Chain Saw
506: Coil
513: Cornet
523: Crutch
538: Dome
546: Electric Guitar
569: Garbage Truck
580: Greenhouse
582: Grocery Store
599: Honeycomb
605: iPod
611: Jigsaw Puzzle
629: Lipstick
638: Maillot
646: Maze
652: Military Uniform
678: Neck Brace
689: Overskirt
707: Pay-phone
717: Pickup
724: Pirate
735: Poncho
748: Purse
756: Rain Barrel
766: Rotisserie
779: School Bus
786: Sewing Machine
791: Shopping Cart
813: Spatula
827: Stove
836: Sunglass
849: Teapot
859: Toaster
866: Tractor
879: Umbrella
885: Velvet
893: Wallet
901: Whiskey Jug
929: Ice Lolly
932: Pretzel
946: Cardoon
958: Hay
963: Pizza
980: Volcano
984: Rapeseed
992: Agaric

Training

  1. Source Domain dataset: You can start with a paintings dataset such as the one described in Cross Domain Attack.
  2. Target Domain dataset: We obtain samples of a certain target domain (e.g. ImageNet class) from ImageNet training set.

Run the script with your target of choice:

 ./scripts/train.sh

Evaluation

  1. Download any or all of the pretrained generators to directory "pretrained_generators".
  2. Download ImageNet models trained with stylized ImageNet and augmentations to directory "pretrained_models".

Run the following command to evaluate the transferability of a target to a (black-box) model on ImageNet-Val.

  python eval.py  --data_dir data/IN/val --source_model res50 --source_domain IN --target 24 --eps 16 --target_model vgg19_bn 

10/100-Targets (all-source)

Perturb all samples of the ImageNet validation set (excluding the target class samples) to each of the 10/100 targets and observe the average target transferability to a (black-box) model.

  python eval_all.py  --data_dir data/IN/val --source_model res50 --source_domain IN  --eps 16 --num_targets 100 --target_model vgg19_bn 

10-Targets (sub-source)

Select the samples of the 10 target classes from the ImageNet validation set. Perturb the samples of these classes (excluding the target class samples) to each of the 10 targets and observe the average target transferability to a (black-box) model.

  python eval_sub.py  --data_dir data/IN/val --source_model res50 --source_domain IN --eps 16 --target_model vgg19_bn
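How the 10-Targets (sub-source) score is aggregated, shown on constructed predictions. This is an added example, not the repository's eval_sub.py: the function names are hypothetical and the labels and black-box outputs are toy data, not results from the paper. It also shows how the rate is inflated when target-class samples are not excluded.

```python
# Target class ids from the page's "Class to Label Mapping" list.
TARGETS = [24, 99, 245, 344, 471, 555, 661, 701, 802, 919]


def target_transferability(true_labels, blackbox_preds, target):
    """Percent of perturbed samples the black-box model labels as `target`,
    counted only over samples whose true class is not the target."""
    if len(true_labels) != len(blackbox_preds):
        raise ValueError("labels and predictions differ in length")
    kept = [p for y, p in zip(true_labels, blackbox_preds) if y != target]
    if not kept:
        raise ValueError("no samples left after excluding the target class")
    return 100.0 * sum(p == target for p in kept) / len(kept)


def naive_rate(true_labels, blackbox_preds, target):
    """Same count without the exclusion; kept only to expose the inflation."""
    return 100.0 * sum(p == target for p in blackbox_preds) / len(blackbox_preds)


def average_target_transferability(true_labels, preds_by_target):
    """Mean of the per-target rates, one prediction list per target."""
    rates = [target_transferability(true_labels, preds, t)
             for t, preds in sorted(preds_by_target.items())]
    return sum(rates) / len(rates)


def toy_predictions(true_labels, target, flipped_per_class):
    """Constructed black-box outputs: in every source class the first
    `flipped_per_class` samples are labelled as the target and the rest keep
    their true label. Target-class samples are always labelled as the target."""
    seen, preds = {}, []
    for y in true_labels:
        seen[y] = seen.get(y, 0) + 1
        flipped = y == target or seen[y] <= flipped_per_class
        preds.append(target if flipped else y)
    return preds


# Constructed data: 5 samples for each of the 10 classes (50 in total).
LABELS = [c for c in TARGETS for _ in range(5)]
PREDS = {t: toy_predictions(LABELS, t, i % 3 + 1) for i, t in enumerate(TARGETS)}

if __name__ == "__main__":
    for t in TARGETS:
        print(t, target_transferability(LABELS, PREDS[t], t),
              naive_rate(LABELS, PREDS[t], t))
    print("average:", average_target_transferability(LABELS, PREDS))
```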

Why Augmentations Boost Transferability?

Ilyas et al. showed that adversarial examples can be explained by features of the attacked class label. In our targeted attack case, we wish to imprint the features of the target class distribution onto the source samples within an allowed distance. However, a black-box (unknown) model might apply a different set of transformations (from one layer to another) to process such features, which reduces the target transferability. Training on adversarial augmented samples allows the generator to capture targeted features that are robust to transformations that may vary from one model to another.

Why Ensemble of Weak Models Maximizes Transferability?

Different models of the same family of networks can exploit different information to make predictions. One such example is shown here. Generators are trained against Dense121 and Dense169 to target the Snowmobile distribution. Unrestricted generator outputs reveal that Dense121 is more focused on the Snowmobile's blades, while Dense169 emphasizes the background pine tree patterns to discriminate Snowmobile samples. This complementary information from different models of the same family helps the generator to capture more generic global patterns, which transfer better than those from any of the individual models.

Original Image | Source Model: Dense121, Target: Snowmobile | Source Model: Dense169, Target: Snowmobile
<img src="https://github.com/Muzammal-Naseer/TTP/blob/main/assets/original_dense.png" ><img src="https://github.com/Muzammal-Naseer/TTP/blob/main/assets/unrestricted_adv_dense121_802.png" ><img src="https://github.com/Muzammal-Naseer/TTP/blob/main/assets/unrestricted_adv_dense169_802.png" >

Generative Vs Iterative Attacks

Key Developments made by Iterative Attacks

Key Developments made by Generative Attacks


References

Code depends on BasicSR. We thank them for their wonderful code base.

Visual Examples

Here are some of the unrestricted targeted patterns found by our method (TTP). This is just for visualization purposes. It is important to note that during inference, these adversaries are projected within a valid distance (e.g., l_inf <= 16).

Source Model: ResNet50,         Target: Jellyfish
<img src="https://github.com/Muzammal-Naseer/TTP/blob/main/assets/unrestricted_adv_1st_pages_107.png" >
Source Model: ResNet50,         Target: Lipstick
<img src="https://github.com/Muzammal-Naseer/TTP/blob/main/assets/unrestricted_adv_1st_pages_629.png" >
Source Model: ResNet50,         Target: Stove
<img src="https://github.com/Muzammal-Naseer/TTP/blob/main/assets/unrestricted_adv_2st_pages_827.png" >
Source Model: ResNet50,         Target: Rapeseed
<img src="https://github.com/Muzammal-Naseer/TTP/blob/main/assets/unrestricted_adv_2st_pages_984.png" >
Source Model: ResNet50,         Target: Anemone Fish
<img src="https://github.com/Muzammal-Naseer/TTP/blob/main/assets/unrestricted_adv_3st_pages_393.png" >
Source Model: ResNet50,         Target: Banjo
<img src="https://github.com/Muzammal-Naseer/TTP/blob/main/assets/unrestricted_adv_3st_pages_420.png" >
Source Model: ResNet50,         Target: Sea Urchin
<img src="https://github.com/Muzammal-Naseer/TTP/blob/main/assets/unrestricted_adv_4st_pages_328.png" >
Source Model: ResNet50,         Target: Parachute
<img src="https://github.com/Muzammal-Naseer/TTP/blob/main/assets/unrestricted_adv_4st_pages_701.png" >
Source Model: ResNet50,         Target: Buckle
<img src="https://github.com/Muzammal-Naseer/TTP/blob/main/assets/unrestricted_adv_5st_pages_464.png" >
Source Model: ResNet50,         Target: iPOD
<img src="https://github.com/Muzammal-Naseer/TTP/blob/main/assets/unrestricted_adv_5st_pages_605.png" >
Source Model: ResNet50,         Target: Bookcase
<img src="https://github.com/Muzammal-Naseer/TTP/blob/main/assets/unrestricted_adv_6st_pages_453.png" >
Source Model: ResNet50,         Target: Sewing Machine
<img src="https://github.com/Muzammal-Naseer/TTP/blob/main/assets/unrestricted_adv_6st_pages_786.png" >