Paper | PPT | Checkpoints | Homepage | Certificate
Official PyTorch Implementation
Sen Pei, Jiaxi Sun, Xin Zhang, Qing Li, Shuo Li
Institute of Automation, Chinese Academy of Sciences
Table of Contents
pytorch, no strict version constraint.- set
GradientConcealment()inmodel/robust_layer.pyas the top layer of your model inforward().
- Parameter-free, training-free, plug-and-play.
- Promising performance in both classification task and adversarial defense.
- Superior generalization across different model architectures, including CNN-based models and attention-based models.
- Download pre-trained models here:
- Values below are AR (Attack Robustness) metric.
| Model | Method | Top 1 Acc | FGSM Linf=8/255 | PGD L1=1600 | PGD L2=8.0 | PGD Linf=8/255 | C&W L2=8.0 |
|---|---|---|---|---|---|---|---|
| ResNet-50 | Vanilla | 77.89 | 31.77 | 0.01 | 0.01 | 0.00 | 0.21 |
| ResNet-50 | GCM | 78.57 | 95.18 | 94.82 | 94.41 | 97.38 | 95.11 |
| WideResNet-50 | Vanilla | 78.21 | 20.88 | 0.36 | 0.61 | 0.50 | 0.21 |
| WideResNet-50 | GCM | 78.08 | 96.06 | 94.46 | 94.51 | 97.69 | 95.66 |
| DenseNet-121 | Vanilla | 74.86 | 16.82 | 0.04 | 0.05 | 0.06 | 0.12 |
| DenseNet-121 | GCM | 74.71 | 94.98 | 94.31 | 94.08 | 97.16 | 95.49 |
| EfficientNet-B4 | Vanilla | 71.52 | 1.23 | 0.36 | 0.28 | 0.20 | 1.88 |
| EfficientNet-B4 | GCM | 71.76 | 94.68 | 89.95 | 90.87 | 97.97 | 93.07 |
| ViT-B/16 | Vanilla | 79.46 | 15.86 | 0.00 | 0.00 | 0.00 | 0.90 |
| ViT-B/16 | GCM | 79.47 | 92.24 | 94.94 | 95.07 | 98.24 | 93.31 |
| Swin-Transformer-S | Vanilla | 82.93 | 16.93 | 0.20 | 0.00 | 0.00 | 0.76 |
| Swin-Transformer-S | GCM | 82.79 | 94.38 | 90.71 | 91.04 | 98.77 | 92.31 |
- Backbone does matter, ConvNext is better than SeResNet.
- Randomization is efficient for defending adversarial attacks.
- Data augmentation is vital for improving the classification performance, reducing overfitting.
- Gradient concealment dramatically improves AR metric of classifiers in presence of perturbed images.
- train_phase1/images/ : 22987 images for training
- train_phase1/label.txt : ground-truth file
- track1_test1/ : 20000 images for testing
- train_p2 : 127390 images within 100 categories
data_aug.py supports the following operations currently:
- PepperSaltNoise
- ColorPointNoise
- GaussianNoise
- Mosaic in black / gray / white / color
- RGBShuffle / ColorJitter
- Rotate
- HorizontalFlip / VerticalFlip
- RandomCut
- MotionBlur / GaussianBlur / ConventionalBlur
- Rain / Snow
- Extend
- BlockShuffle
- LocalShuffle (for learning local spatial feature)
- RandomPadding (for defense of adversarial attacks)
transforms.Resize(256)transforms.RandomResizedCrop(224)Data augmentation schemes
- Adversarial training using fast gradient sign method.
- Resize and pad the input images for mitigating adversarial effects.
- Gradient concealment module for hiding the vulnerable direction of classifier's gradient.
- ConvNext(tiny) + FC + FGSM regularization + GCM(Gradient Concealment Module) + Randomization
- ConvNext(tiny) + ML Decoder + FGSM regularization + GCM(Gradient Concealment Module) + Randomization
- Training from scratch in a two-stage manner, we provide our checkpoints.
- The first stage: train ConvNext without
ResizedPaddingLayer. - The second stage: finetune ConvNext with
ResizedPaddingLayer.
python -m torch.distributed.launch --nproc_per_node=5 train.py --batch_size 64 --n_gpus=5- If you have more GPUs, you can modify the
nproc_per_nodeandn_gpusto utilize them.
- Explaining and Harnessing Adversarial Examples (NeurIPS, 2014)
- Deep Residual Learning for Image Recognition (CVPR, 2016)
- Squeeze-and-Excitation Networks (CVPR, 2018)
- Mitigating adversarial effects through randomization (ICLR, 2018)
- CutMix: Regularization Strategy to Train Strong Classifiers with Localizable Features (ICCV, 2019)
- A ConvNet for the 2020s (CVPR, 2022)
@article{Pei2022Grad,
title={Gradient Concealment: Free Lunch for Defending Adversarial Attacks},
author={Sen Pei, Jiaxi Sun, Xiaopeng Zhang and Gaofeng Meng},
archivePrefix={arXiv},
primaryClass={cs.CV},
year={2022}
}
- This work is done during the author's internship at ByteDance.
- The author would like to thank Xiaojie Jin and Ye Yuan for their support in both provided computing resources and vital discussions.
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent
