Attacking Perceptual Similarity Metrics
Abhijay Ghildyal, Feng Liu. In TMLR, 2023. (Featured Certification)
In this study, we systematically examine the robustness of both traditional and learned perceptual similarity metrics to imperceptible adversarial perturbations.
<img src="imgs/teaser.png" width=400>Figure (above): $I_1$ is more similar to $I_{ref}$ than $I_{0}$ according <br/> to all perceptual similarity metrics and humans. We attack <br/> $I_1$ by adding imperceptible adversarial perturbations ($\delta$) <br/> such that the metric ($f$) flips its earlier assigned rank, i.e., <br/> in the above sample, $I_0$ becomes more similar to $I_{ref}$.
<br/> <img src="" width=300 /> Figure (above): An example of the PGD attack on LPIPS(Alex)
Requirements
Requires Python 3+ and PyTorch 0.4+. For evaluation, please download the data from the links below.
When starting this project, I used the requirements.txt
(link) from the LPIPS repository (link). We are grateful to the authors of various perceptual similarity metrics for making their code and data publicly accessible.
The transferable adversarial attack samples generated for our benchmark in Table 5 can be downloaded from this google drive folder (link). Please unzip
in the datasets/
Alternatively, you can use the following:
cd datasets
gdown 1gA7lD7FtvssQoMQwaaGS_6E3vPkSf66T # get <id> from google drive (see below)
In case the gdown id changes, you can obtain it from the 'shareable with anyone' link for
file in the aforementioned Google Drive folder. The id will be a substring in the shareable link, as shown here:<id>/view?usp=share_link
Download the LPIPS repo (link), outside this folder. Then, download the BAPPS dataset as mentioned here: link.
Use the following to benchmark various metrics on the transferable adversarial samples created by attacking LPIPS(Alex) on BAPPS dataset samples via stAdv and PGD.
# L2
CUDA_VISIBLE_DEVICES=0 python --metric l2 --save l2
CUDA_VISIBLE_DEVICES=0 python --metric ssim --save ssim
# ST-LPIPS(Alex)
CUDA_VISIBLE_DEVICES=0 python --metric stlpipsAlex --save stlpipsAlex
The results will be stored in the results/transferableAdv_benchmark/ folder.
Finally, use the ipython notebook results/study_results_transferableAdv_attack.ipynb
to calculate the number of flips.
Creating Transferable Adversarial Samples
The following steps were performed to create the transferable adversarial samples for our benchmark.
1. Create adversarial samples by attacking LPIPS(Alex) via the spatial attack stAdv.
2. We perform a visual inspection of the samples before proceeding and weed out some of the samples that do not meet our criteria of imperceptibility.
3. Using the samples selected in step 2, we attack LPIPS(Alex) via $\ell_\infty$-bounded PGD with different max iterations.
4. Finally, we combine the stAdv and PGD attacks by attacking the samples created via stAdv.
We hope the above code is able to assist and inspire additional studies to test the robustness of perceptual similarity metrics through more extensive benchmarks using various datasets and stronger adversarial attacks.
Whitebox PGD attack
To perform the whitebox PGD attack, run the following:
CUDA_VISIBLE_DEVICES=0 python --metric lpipsAlex --save lpipsAlex --load_size 64
The results are saved in results/whitebox_attack/
Finally, use the ipython notebook results/study_results_whitebox_attack.ipynb
to calculate the number of flips and other stats.
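To make the flip criterion concrete, the following is an added example and not code from this repository: a robustness check that searches the $\ell_\infty$ ball of radius `eps` around $I_1$ for a perturbation that flips the metric's rank. It assumes a toy linear feature distance in place of LPIPS(Alex); the filters `W`, the 4-pixel images, and the function `pgd_rank_flip` are constructed for illustration.

```python
# Added example: toy stand-in metric and constructed data, not the repository's code.
W = [[1, -1, 0, 0], [0, 1, -1, 0], [0, 0, 1, -1]]  # constructed "feature" filters

def feats(diff):
    return [sum(w * d for w, d in zip(row, diff)) for row in W]

def dist(x, ref):
    """Toy metric f(x, ref): squared L2 distance in the feature space W."""
    return sum(v * v for v in feats([a - b for a, b in zip(x, ref)]))

def grad(x, ref):
    """Analytic gradient of dist w.r.t. x: 2 * W^T W (x - ref)."""
    v = feats([a - b for a, b in zip(x, ref)])
    return [2 * sum(W[j][k] * v[j] for j in range(len(W))) for k in range(len(x))]

def sign(g):
    return (g > 0) - (g < 0)

def clamp(v, lo, hi):
    return max(lo, min(hi, v))

def pgd_rank_flip(ref, i0, i1, eps, alpha=0.01, max_iter=10):
    """Search the l_inf ball of radius eps around i1 for a rank flip.

    Returns (flipped, iterations_used, delta). Assumes i1 starts closer to ref than i0.
    """
    target = dist(i0, ref)
    assert dist(i1, ref) < target, "i1 must initially be the more similar image"
    delta = [0.0] * len(i1)
    for it in range(1, max_iter + 1):
        g = grad([a + d for a, d in zip(i1, delta)], ref)
        # Ascent step on the distance, then projection onto the eps-ball
        # intersected with the valid pixel range [0, 1].
        delta = [clamp(d + alpha * sign(gk), max(-eps, -a), min(eps, 1.0 - a))
                 for a, d, gk in zip(i1, delta, g)]
        if dist([a + d for a, d in zip(i1, delta)], ref) > target:
            return True, it, delta
    return False, max_iter, delta

REF = [0.50, 0.50, 0.50, 0.50]  # constructed reference image
I0 = [0.55, 0.50, 0.55, 0.50]   # constructed, less similar distorted image
I1 = [0.52, 0.50, 0.52, 0.50]   # constructed, more similar image (the one perturbed)

if __name__ == "__main__":
    for eps in (0.005, 0.03):
        flipped, iters, delta = pgd_rank_flip(REF, I0, I1, eps)
        print(f"eps={eps}: flipped={flipped}, iters={iters}, "
              f"max|delta|={max(abs(d) for d in delta):.3f}")
```

On this constructed sample the rank survives the smaller budget and flips under the larger one, which is the per-sample outcome that a flip count aggregates over a dataset.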
We provide code to perform the reverse of our attack (see Appendix F), i.e., we attack the less similar of the two distorted images to make it more similar to the reference image.
CUDA_VISIBLE_DEVICES=0 python --metric lpipsAlex --save lpipsAlex --load_size 64
<b>To add</b>. Code for FGSM attack, and Benchmark on PIEAPP dataset.
If you find this repository useful for your research, please use the following to cite our work:
title={Attacking Perceptual Similarity Metrics},
author={Abhijay Ghildyal and Feng Liu},
journal={Transactions on Machine Learning Research},