This project is for the paper Towards Understanding Limitations of Pixel Discretization Against Adversarial Attacks. Some codes are from MNIST Challenge and CIFAR10 Challenge.
It is tested under Ubuntu Linux 16.04.1 and Python 3.6 environment, and requires tensorflow package to be installed:
- MNIST: included in Tensorflow.
- Fashion-MNIST: included in Tensorflow.
- CIFAR-10: unpickles the CIFAR10 dataset from a specified folder containing a pickled version following the format of Krizhevsky.
- GTSRB: download the training dataset and test dataset from the website.
- ImageNet: scripts are provided to download the dataset.
- MNIST: use fetch_model.py in the folder to download pre-trained models.
- CIFAR-10: use fetch_model.py in the folder to download pre-trained models.
- ImageNet: use download_checkpoint.sh to download pre-trained models.
- Before doing experiments, first edit config.json file to specify experiment settings.
- generate_codes.py: generate codes for discretization.
- train_nat.py: naturally train models.
- train_adv.py: adversarially train models.
- eval.py: evaluate the models trained.
Model configuration:
model_dir: contains the path to the directory of the currently trained/evaluated model.
GPU configuration:
gpu_device: which gpu device to use. Should be a string.
Data configuration:
data_path: contains the path to the directory of dataset.
Training configuration:
tf_random_seed: the seed for the RNG used to initialize the network weights.numpy_random_seed: the seed for the RNG used to pass over the dataset in random order.max_num_training_steps: the number of training steps.num_output_steps: the number of training steps between printing progress in standard output.num_summary_steps: the number of training steps between storing tensorboard summaries.num_checkpoint_steps: the number of training steps between storing model checkpoints.training_batch_size: the size of the training batch.use_pretrain: use pretrained model or not. Can betrueorfalse.base_model_dir: contains the path to the directory of pretrained model.
Evaluation configuration:
num_eval_examples: the number of CIFAR10 examples to evaluate the model on.eval_batch_size: the size of the evaluation batches.
Adversarial examples configuration:
epsilon: the maximum allowed perturbation per pixel.attack_steps: the number of PGD iterations used by the adversary.step_size: the size of the PGD adversary steps.random_start: specifies whether the adversary will start iterating from the natural example or a random perturbation of it.loss_func: the loss function used to run pgd on.xentcorresponds to the standard cross-entropy loss,cwcorresponds to the loss function of Carlini and Wagner.store_adv_path: the file in which adversarial examples are stored. Relevant for thepgd_attack.pyandrun_attack.pyscripts.alpha: the hyper-parameter in the discretization approximation function.
Discretization configuration:
codes_path: the path to the*.npyfile saving the codes generated.cluster_algorithm: the algorithm used to find the codes. Can beKDEorKM.discretize: use discretization or not. Can betrueorfalse.k: number of codes.r: the minimum distance between two codes. Used in the data-specific discretization.
After cloning the repository you can either train a new network or evaluate/attack one of the pre-trained networks.
- Start training by running:
python train.py
- Evaluate the model trained by running:
python eval.py
Please cite our work if you use the codebase:
@inproceedings{chen2019towards,
title={Towards understanding limitations of pixel discretization against adversarial attacks},
author={Chen, Jiefeng and Wu, Xi and Rastogi, Vaibhav and Liang, Yingyu and Jha, Somesh},
booktitle={2019 IEEE European Symposium on Security and Privacy (EuroS\&P)},
pages={480--495},
year={2019},
organization={IEEE}
}
Please refer to the LICENSE.