This is an official release of the paper
Frequency-driven Imperceptible Adversarial Attack on Semantic Similarity, CVPR 2022
Abstract: Current adversarial attack research reveals the vulnerability of learning-based classifiers against carefully crafted perturbations. However, most existing attack methods have inherent limitations in cross-dataset generalization as they rely on a classification layer with a closed set of categories. Furthermore, the perturbations generated by these methods may appear in regions easily perceptible to the human visual system (HVS). To circumvent the former problem, we propose a novel algorithm that attacks semantic similarity on feature representations. In this way, we are able to fool classifiers without limiting attacks to a specific dataset. For imperceptibility, we introduce the low-frequency constraint to limit perturbations within high-frequency components, ensuring perceptual similarity between adversarial examples and originals. Extensive experiments on three datasets (CIFAR-10, CIFAR-100, and ImageNet-1K) and three public online platforms indicate that our attack can yield misleading and transferable adversarial examples across architectures and datasets. Additionally, visualization results and quantitative performance (in terms of four different metrics) show that the proposed algorithm generates more imperceptible perturbations than the state-of-the-art methods. Our code will be publicly available.
- python ==3.6
- torch == 1.7.0
- torchvision >= 0.7
- numpy == 1.19.2
- Pillow == 8.0.1
- pywavelets
- The data structure of Cifar10, Cifar100, ImageNet or any other datasets look like below. Please modify the dataloader at
SSAH-Adversarial-master/main.py/accordingly for your dataset structure.
/dataset/
├── cifar10
│ │ ├── cifar-10-python.tar.gz
├── cifar-100-python
│ │ ├── cifar-100-python.tar.gz
├── ILSVRC2012
│ ├── val
│ │ ├── n02328150
We provide six perceptural metrics to measure imperceptibility, including l_2, l_inf, FID, SSIM, CIEDE2000, and LF.
Your can add more metrics in
/utils/
├── eval_metric_utils.py
We trained a resnet20 model with 92.6% accuracy with CIFAR1010 and a resnet20 model with 69.63% accuracy with CIFAR100. If you want to have a test, you can download our pre-trained models with the Google Drivers. If you want to use our algorithm to attack your own trained model, you can always replace our models in the file checkpoints.
If your want to calculate FID, you need to download pt_inception-2015-12-05-6726825d.pth in this Google Drive and put it in the file checkpoints.
CUDA_VISIBLE_DEVICES=0,1 bash scripts/cifar/cifar10-r20.sh
CUDA_VISIBLE_DEVICES=0,1 bash scripts/cifar/cifar100-r20.sh
CUDA_VISIBLE_DEVICES=0,1 bash scripts/cifar/Imagenet_val-r50.sh
Here we offer some experiment results. You can get more results in our paper.
| Name | Knowledge | ASR(%) | L2 | Linf | FID | SSIM | LF | Paper |
|---|---|---|---|---|---|---|---|---|
| BIM | White Box | 100.0 | 0.85 | 0.03 | 14.85 | 0.85 | 0.25 | ICLR2017 |
| PGD | White Box | 100.0 | 1.28 | 0.03 | 27.86 | 0.79 | 0.34 | arxiv link |
| MIM | White Box | 100.0 | 1.90 | 0.03 | 26.00 | - | 0.48 | CVPR2018 |
| AutoAttack | White Box | 100.0 | 1.91 | 0.03 | 34.93 | - | 0.61 | ICML2020 |
| AdvDrop | White Box | 99.92 | 0.90 | 0.07 | 16.34 | - | 0.34 | ICCV2021 |
| C&W | White Box | 100.0 | 0.39 | 0.06 | 8.23 | 0.98 | 0.11 | IEEE SSP2017 |
| PerC-AL | White Box | 98.29 | 0.86 | 0.18 | 9.58 | 0.97 | 0.15 | CVPR2020 |
| SSA | White Box | 99.96 | 0.29 | 0.02 | 5.73 | 0.99 | 0.07 | CVPR2022 |
| SSAH | White Box | 99.94 | 0.26 | 0.02 | 5.03 | 0.99 | 0.03 | CVPR2022 |
| Name | Knowledge | ASR(%) | L2 | Linf | FID | SSIM | LF | Paper |
|---|---|---|---|---|---|---|---|---|
| BIM | White Box | 99.99 | 0.85 | 0.03 | 15.26 | 0.83 | 0.32 | ICLR2017 |
| PGD | White Box | 99.99 | 1.29 | 0.03 | 27.74 | 0.77 | 0.42 | arxiv link |
| MIM | White Box | 99.99 | 1.87 | 0.03 | 26.04 | - | 0.65 | CVPR2018 |
| AutoAttack | White Box | 100 | 1.91 | 0.03 | 33.86 | - | 0.61 | ICML2020 |
| AdvDrop | White Box | 99.93 | 0.80 | 0.07 | 15.59 | - | 0.31 | ICCV2021 |
| C&W | White Box | 100 | 0.52 | 0.07 | 11.04 | 0.98 | 0.19 | IEEE SSP2017 |
| PerC-AL | White Box | 99.61 | 1.41 | 0.21 | 12.83 | 0.96 | 0.37 | CVPR2020 |
| SSA | White Box | 99.90 | 0.48 | 0.03 | 9.68 | 0.99 | 0.17 | CVPR2022 |
| SSAH | White Box | 99.80 | 0.45 | 0.03 | 9.20 | 0.99 | 0.13 | CVPR2022 |
| Name | Knowledge | ASR(%) | L2 | Linf | FID | SSIM | LF | Paper |
|---|---|---|---|---|---|---|---|---|
| BIM | White Box | 99.98 | 26.85 | 0.03 | 51.92 | 0.73 | 11.18 | ICLR2017 |
| PGD | White Box | 99.98 | 54.97 | 0.03 | 45.51 | 0.77 | 17.41 | arxiv link |
| MIM | White Box | 99.98 | 91.78 | 0.03 | 101.88 | - | 39.42 | CVPR2018 |
| AutoAttack | White Box | 96.97 | 71.62 | 0.03 | 77.49 | - | 30.45 | ICML2020 |
| AdvDrop | White Box | 99.76 | 14.95 | 0.06 | 11.28 | - | 5.67 | ICCV2021 |
| C&W | White Box | 99.27 | 1.51 | 0.04 | 12.14 | 0.99 | 0.67 | IEEE SSP2017 |
| PerC-AL | White Box | 98.78 | 4.35 | 0.12 | 11.56 | 0.99 | 1.59 | CVPR2020 |
| SSA | White Box | 98.56 | 2.34 | 0.01 | 4.63 | 1.00 | 1.05 | CVPR2022 |
| SSAH | White Box | 98.01 | 1.81 | 0.01 | 3.90 | 1.00 | 0.06 | CVPR2022 |
if the code or method help you in the research, please cite the following paper:
@inproceedings{luo2022frequency,
title={Frequency-driven Imperceptible Adversarial Attack on Semantic Similarity},
author={Luo, Cheng and Lin, Qinliang and Xie, Weicheng and Wu, Bizhu and Xie, Jinheng and Shen, Linlin},
booktitle={Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition},
pages={15315--15324},
year={2022}
}
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent