  • Language
    Python
  • License
    Apache License 2.0
  • Created about 7 years ago
  • Updated about 3 years ago

Repository Details

ZOO: Zeroth Order Optimization based Black-box Attacks to Deep Neural Networks

As requested by IBM, this repository is moved to https://github.com/IBM/ZOO-Attack, but we aim to keep both repositories synced up. The code is released under Apache License v2.

ZOO is a zeroth order optimization based attack on deep neural networks (DNNs). We propose an effective black-box attack that only requires access to the input (images) and the output (confidence scores) of a targeted DNN. We formulate the attack as an optimization problem (similar to Carlini and Wagner's attack), and propose a new loss function suitable for the black-box setting. We use zeroth order stochastic coordinate descent to optimize on the target DNN directly, along with dimension reduction, hierarchical attack and importance sampling techniques to make the attack efficient. No transferability or substitute model is required.

There are two variants of ZOO, ZOO-ADAM and ZOO-Newton, corresponding to different solvers (ADAM and Newton) to find the best coordinate update. In practice ZOO-ADAM usually works better with fine-tuned parameters, but ZOO-Newton is more stable when close to the optimal solution.
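Because the attack only has query access, its coordinate-wise estimates are visible in an inference API's request log. The following is an added example for defenders, not code from this repository: it assumes (as in the ZOO paper's symmetric difference quotient) that each coordinate estimate sends two queries that differ from the current image in a single coordinate. The function names, thresholds, client ids and the log itself are constructed for illustration.

```python
import random
from collections import defaultdict, deque

def changed_coords(a, b, eps=1e-9):
    """Number of coordinates in which two inputs differ."""
    return sum(1 for p, q in zip(a, b) if abs(p - q) > eps)

def flag_probing_clients(queries, window=50, max_changed=2,
                         min_ratio=0.8, min_queries=20):
    """queries: iterable of (client_id, input_vector) in arrival order.

    Returns {client_id: ratio} for clients whose queries are mostly
    near-copies (1..max_changed coordinates changed) of one of their own
    recent queries, the footprint of coordinate-wise probing."""
    recent = defaultdict(lambda: deque(maxlen=window))
    total = defaultdict(int)
    near = defaultdict(int)
    for client, vec in queries:
        total[client] += 1
        if any(0 < changed_coords(vec, old) <= max_changed
               for old in recent[client]):
            near[client] += 1
        recent[client].append(vec)
    return {c: near[c] / total[c] for c in total
            if total[c] >= min_queries and near[c] / total[c] >= min_ratio}

def constructed_log(seed=0, dim=64, pairs=20, h=1e-4):
    """Constructed request log: one client re-submits a base input with a
    single coordinate nudged by +h then -h; another sends unrelated inputs."""
    rng = random.Random(seed)
    base = [rng.random() for _ in range(dim)]
    log = []
    for _ in range(pairs):
        i = rng.randrange(dim)
        for sign in (+1, -1):
            probe = list(base)
            probe[i] += sign * h
            log.append(("client-probe", probe))
            log.append(("client-benign", [rng.random() for _ in range(dim)]))
    return log

if __name__ == "__main__":
    print(flag_probing_clients(constructed_log()))
```

In a real deployment the comparison would run on a per-client window of stored inputs or their hashes, and the thresholds would be tuned against legitimate traffic such as retries and video frames.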

The experiment code is based on Carlini and Wagner's L2 attack, with a zeroth order optimizer added in l2_attack_black.py. The inception model is updated to a new version (inception_v3_2016_08_28.tar.gz), and a unified interface, test_all.py, is added.

For more details, please see our paper:

ZOO: Zeroth Order Optimization based Black-box Attacks to Deep Neural Networks without Training Substitute Models by Pin-Yu Chen*, Huan Zhang*, Yash Sharma, Jinfeng Yi, Cho-Jui Hsieh

* Equal contribution

Setup and train models

The code is tested with python3 and TensorFlow v1.2 and v1.3. The following packages are required:

sudo apt-get install python3-pip
sudo pip3 install --upgrade pip
sudo pip3 install pillow scipy numpy tensorflow-gpu keras h5py numba

Prepare the MNIST and CIFAR-10 data and models for attack:

python3 train_models.py

To download the inception model:

python3 setup_inception.py

To prepare the ImageNet dataset, download and unzip the following archive:

http://download.huan-zhang.com/datasets/adv/img.tar.gz

and put the imgs folder in ../imagenetdata. This path can be changed in setup_inception.py.

Run attacks

A unified attack interface, test_all.py, is provided. Run python3 test_all.py -h to get a list of arguments and help.

The following are some examples of attacks:

Run ZOO black-box targeted attack, on the mnist dataset with 200 images, with ZOO-ADAM solver, search for best regularization constant for 9 iterations, and save attack images to folder black_results. To run on the CIFAR-10 dataset, replace 'mnist' with 'cifar10'.

python3 test_all.py -a black -d mnist -n 200 --solver adam -b 9 -s "black_results"

Run Carlini and Wagner's white-box targeted attack, on the mnist dataset with 200 images, using the Z (logits) value in objective (only available in white-box setting), search for best regularization constant for 9 iterations, and save attack images to folder white_results.

python3 test_all.py -a white -d mnist -n 200 --use_zvalue -b 9 -s "white_results"

Run ZOO black-box untargeted attack, on the imagenet dataset with 150 images, with ZOO-ADAM solver, do not binary search the regularization parameter (i.e., search only 1 time), and set the initial regularization parameter to a fixed value (10.0). Use attack-space dimension reduction with image resizing, and reset ADAM states when the first attack is found. Run a maximum of 1500 iterations, and print out loss every 10 iterations. Save attack images to folder imagenet_untargeted.

python3 test_all.py --untargeted -a black -d imagenet -n 150 --solver adam -b 1 -c 10.0 --use_resize --reset_adam -m 1500 -p 10 -s "imagenet_untargeted"

Run ZOO black-box targeted attack, on the imagenet dataset, with the 69th image only. Set the regularization parameter to 10.0 and do not binary search. Use attack-space dimension reduction and hierarchical attack with image resizing, and reset ADAM states when the first attack is found. Run a maximum of 20000 iterations, and print out loss every 10 iterations. Save attack images to folder imagenet_all_tricks_img69.

python3 test_all.py -a black --solver adam -d imagenet -f 69 -n 1 -c 10.0 --use_resize --reset_adam -m 20000 -p 10 -s "imagenet_all_tricks_img69"

Importance sampling is on by default for ImageNet data, and can be turned off with the --uniform option. To change the hierarchical attack dimension scheduling, edit l2_attack_black.py, near line 580.
