A repository containing an evaluation of various universal adversarial perturbations (UAPs) against various defense mechanisms (part of our paper, Generalizable Data-free Objective for Crafting Universal Adversarial Perturbations).
UAPs are quite a big threat to anyone using deep learning, be it muggles or wizards. They are indeed the perfect curse that someone might use against your deep model. In this repository we evaluated some of the recent defence techniques against various UAPs.
The following 3 Universal Adversarial attacks were evaluated:
- Universal Adversarial Perturbations: Paper.
- Generalizable Objective for Universal Adversarial Perturbations: Paper.
- Network for Adversarial generation: Paper.
I look forward to anyone willing to contribute more perturbations to test (UAPs specifically).
The following defenses were evaluated:
1. Prediction using multiple crops of input (not implemented in this repo).
2. Gaussian smoothing, Median smoothing, and Bilateral Filtering.
3. JPEG Compression: Paper
4. BIT compression: Paper
5. TV-minimization: Paper
6. Image-quilting: Paper
7. Perturbation rectification network: Paper
Of course, you can contribute your defenses.
Note: Quilting is still to be properly integrated. Until then, the code provided by the authors can be used here. For Perturbation Rectification Network, code provided by the authors here can be used.
Note: The numbers reported were obtained using only the code provided by the respective authors (for defences 5, 6, and 7).
- Firstly, there is a long list of things to be installed (especially for `tvm` and `quilting`). Instead of paraphrasing it here, I would recommend that the user follow the instructions given by the authors here.
- After installation, download the weights for the networks:

  ```bash
  # uncomment as required in the sourced file
  cd weights
  source download_weights.sh
  ```

- Now, download the perturbations.
  - GD-UAP: Link
  - NAG: UAP can be generated from here (link to crafted perturbations will be added soon).
  - UAP: Link. Note: The UAP provided in this repository is for a different googlenet instance.
- To evaluate a defence, use:

  ```bash
  python evaluate.py --network googlenet --adv_im perturbations/GD_UAP_perts/best_fool_rate_googlenet_with_data_sat_diff_reg_0.0.npy --img_list utils/ilsvrc_test.txt --gt_labels utils/ilsvrc_test_gt.txt --batch_size 10 --defence tvm
  ```

  The various defences can be selected by changing the `--defence` argument to `Gaussian`, `Median`, `Bilateral`, `Bit_Compression`, `JPEG`, `tvm` and `quilting`. Each defence can be configured in the `defence_config.py` file. (See `tensorflow-classification/misc/utils.py` for a closer look at the defence code.)
- For quilting you need to create patches. This can be done using the following code:

  ```bash
  # all the parameters are specified in defence_config.py file
  python index_patches.py
  ```

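
As an added illustration (not code from this repository), the sketch below shows the quantity such an evaluation measures: the fooling rate of one fixed perturbation with and without an input-transformation defence, plus the label changes the defence alone causes on clean inputs. The classifier, images and perturbation are constructed toy stand-ins, and `median_smooth` and `bit_compress` are simplified NumPy versions written for this example, not the implementations in `misc/utils.py`.

```python
import numpy as np

H = W = 12
# Class signal: left half vs right half of the image.
S = np.where(np.arange(W) < W // 2, 1.0, -1.0) * np.ones((H, 1))
# Sparse pixels the toy model over-weights (constructed, stands in for UAP sensitivity).
P = np.zeros((H, W))
P[1::3, 1::3] = 1.0
WEIGHTS = S + 9.0 * P

def predict(batch):
    """Toy linear classifier (hypothetical stand-in for the network): class 1 if score > 0."""
    return (((batch - 128.0) * WEIGHTS).mean(axis=(1, 2)) > 0).astype(int)

def median_smooth(batch, k=3):
    """k x k median filter with edge replication, applied to each image of shape (N, H, W)."""
    pad = k // 2
    padded = np.pad(batch, ((0, 0), (pad, pad), (pad, pad)), mode="edge")
    win = np.lib.stride_tricks.sliding_window_view(padded, (k, k), axis=(1, 2))
    return np.median(win, axis=(-2, -1))

def bit_compress(batch, bits=3):
    """Quantise pixel values in [0, 255] to 2**bits levels."""
    levels = 2 ** bits - 1
    return np.round(batch / 255.0 * levels) / levels * 255.0

def fooling_rate(images, uap, defence=None):
    """Fraction of images whose label changes once the UAP is added
    (the defence, if given, is applied to the perturbed input first)."""
    adv = np.clip(images + uap, 0.0, 255.0)
    if defence is not None:
        adv = defence(adv)
    return float(np.mean(predict(adv) != predict(images)))

def clean_change_rate(images, defence):
    """Fraction of clean images whose label the defence alone changes."""
    return float(np.mean(predict(defence(images)) != predict(images)))

# Constructed data: six piecewise-constant images and one perturbation of magnitude 10.
IMAGES = np.stack([128.0 + a * S for a in (-8, -4, -2, 2, 4, 8)])
UAP = 10.0 * P

if __name__ == "__main__":
    for name, d in [("none", None), ("Median", median_smooth), ("Bit_Compression", bit_compress)]:
        print(f"{name:16s} fooling rate = {fooling_rate(IMAGES, UAP, d):.2f}")
```

On this constructed data the median filter removes the isolated-pixel pattern completely while bit-depth reduction leaves the fooling rate unchanged, which is why each defence has to be measured against each perturbation rather than assumed to work.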
- Finish Quilting
- Add the perturbations from NAG and UAP
- Add results from paper.