IBM / Autozoom-Attack

Codes for reproducing query-efficient black-box attacks in “AutoZOOM: Autoencoder-based Zeroth Order Optimization Method for Attacking Black-box Neural Networks”, published at AAAI 2019
https://arxiv.org/abs/1805.11770
Apache License 2.0

What is the input image pixel's range? #10

Open machanic opened 4 years ago

machanic commented 4 years ago
  1. range issue

All other attack algorithms use the [0, 1] range. But in your code (https://github.com/IBM/Autozoom-Attack/blob/master/setup_cifar.py#L55) you use (img/255)-.5 to bound to the [-0.5, 0.5] range. Why? Does this mean the generated adversarial image also uses the [-0.5, 0.5] range?

  2. Why use atanh to transform images before running the algorithm, as shown in https://github.com/IBM/Autozoom-Attack/blob/master/blackbox_attack.py#L222?

pinyuchen commented 4 years ago
  1. Yes. In our code, we use the scaled range [-0.5, 0.5] as a valid image pixel range (applies to both adversarial and unperturbed images), which makes the tanh transformation expression more succinct than the scaled range [0,1].

  2. The atanh function helps to convert the [-0.5, 0.5] range to a real-valued range via the change-of-variable technique, and hence unconstrained optimization solvers can be applied to find adversarial examples. This was first used and explained in the Carlini-Wagner paper (see https://arxiv.org/abs/1608.04644).

machanic commented 4 years ago

@pinyuchen I am re-implementing your code in PyTorch, where I use [0,1] as the pixel range. However, I think in this case I cannot use arctanh. How do I do that conversion (maths formula)? Can you help me?

I will open-source my PyTorch version of the AutoZOOM attack.

machanic commented 4 years ago

I mean the input data is already pre-processed into [0,1] range in my pytorch code.

pinyuchen commented 4 years ago

Hello @sharpstill, glad to know that you are implementing the PyTorch code for AutoZOOM. Looking forward to it, and we are happy to put up a link to your repo.

If your image range is [0,1], since atanh takes input with range [-1,1], you can modify the code by img = np.arctanh((img-0.5)*1.999999), where img of the right-hand-side is now within the range [0,1]. Note that since your scale is different than ours, there might be other parts that need to be modified as well.

machanic commented 4 years ago

@pinyuchen Because I change the image range to [0,1], I found all parts which I need to modify:

  1. Related to tanh: https://github.com/IBM/Autozoom-Attack/blob/master/blackbox_attack.py#L122, https://github.com/IBM/Autozoom-Attack/blob/master/blackbox_attack.py#L142 and https://github.com/IBM/Autozoom-Attack/blob/master/blackbox_attack.py#L222. Q: How should I deal with tf.tanh in the lines shown above? Can I delete all the tanh and arctanh code? I read the C&W paper; it said the tanh helps to convert the range to (0,1)?

  2. Related to self.modifier_up and self.modifier_down: https://github.com/IBM/Autozoom-Attack/blob/master/blackbox_attack.py#L232 https://github.com/IBM/Autozoom-Attack/blob/master/blackbox_attack.py#L124 Q: Can I just change self.modifier_up = 0.5 - img.reshape(-1) to self.modifier_up = 1.0 - img.reshape(-1), and change self.modifier_down = -0.5 - img.reshape(-1) to self.modifier_down = 0 - img.reshape(-1) ?

chunchentu commented 4 years ago
  1. If you don't want to implement this feature, you can simply delete them. tanh works on [-1, 1]. You can do conversion to any other range after applying the function.

  2. Yes, these two variables specify the upper/lower bound of the noise allowed.
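
The range conversion discussed in the comments above, as an added example that is not part of the original thread or of the AutoZOOM repository. The function names are hypothetical, the standard-library `math` module stands in for NumPy so the block runs on its own, and clipping the noise to the modifier bounds in non-tanh mode is an assumption about how those bounds are applied.

```python
import math

SCALE = 1.999999  # constant from the thread; keeps atanh's argument strictly inside (-1, 1)

def to_tanh_space(pixels, lo, hi):
    """Map pixels in [lo, hi] to unconstrained reals (C&W change of variable)."""
    mid, width = (lo + hi) / 2.0, hi - lo
    # lo=0, hi=1 gives atanh((img - 0.5) * 1.999999), the formula quoted above.
    # Without SCALE, a pixel exactly at lo or hi would hit atanh(+-1), which is infinite.
    return [math.atanh((p - mid) / width * SCALE) for p in pixels]

def from_tanh_space(w, lo, hi):
    """Inverse map: any real value lands back inside [lo, hi]."""
    mid, width = (lo + hi) / 2.0, hi - lo
    return [math.tanh(v) * width / 2.0 + mid for v in w]

def modifier_bounds(pixels, lo, hi):
    """Per-pixel (down, up) noise limits: lo - img and hi - img."""
    return [lo - p for p in pixels], [hi - p for p in pixels]

def apply_noise(pixels, noise, lo, hi, use_tanh):
    """Add noise and return an image that is still a valid input."""
    if use_tanh:
        # Noise is added in tanh space; the inverse map enforces the range.
        w = to_tanh_space(pixels, lo, hi)
        return from_tanh_space([a + n for a, n in zip(w, noise)], lo, hi)
    # Assumed use of the bounds: clip the noise, then add it in pixel space.
    down, up = modifier_bounds(pixels, lo, hi)
    clipped = [min(max(n, d), u) for n, d, u in zip(noise, down, up)]
    return [p + c for p, c in zip(pixels, clipped)]

if __name__ == "__main__":
    img01 = [0.0, 0.25, 0.5, 1.0]           # constructed sample in [0, 1]
    img_c = [p - 0.5 for p in img01]        # same pixels in [-0.5, 0.5]
    noise = [50.0, -50.0, 3.0, -3.0]        # constructed, deliberately oversized
    print(to_tanh_space(img01, 0.0, 1.0))
    print(to_tanh_space(img_c, -0.5, 0.5))  # identical tanh-space values
    print(apply_noise(img01, noise, 0.0, 1.0, use_tanh=True))
    print(apply_noise(img01, noise, 0.0, 1.0, use_tanh=False))
```

Both pixel conventions map to the same tanh-space values, so switching to [0,1] only changes the centring term and the modifier bounds.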

machanic commented 4 years ago

@chunchentu I still want to add the tanh functionality to fully support the original version. I want to ask another question: if I use the tanh mode, does this mean that while training the auto-encoder (AE), the input image (also the ground truth) of the AE must be converted to arctanh space?

Because I notice that https://github.com/IBM/Autozoom-Attack/blob/master/blackbox_attack.py#L122 which means the self.img_modifier produced by AE is in arctanh space. This implies that the training ground truth natural image of AE must be converted to arctanh space before learning AE.

chunchentu commented 4 years ago

We note that the black-box classifier takes input data in the range [-0.5,0.5]. So for AE training the input data should still be within the same range. Also, the decoder's output is real-valued and not confined to [-0.5,0.5].

machanic commented 4 years ago

@chunchentu Sorry, maybe I didn't express my thought clearly. My question is very simple. If I set tanh=True, should I call np.arctanh((img-0.5)*1.999999) on the input image (which is also the ground truth), resulting in an arctanh-space image for the input and for training the auto-encoder? This is https://github.com/IBM/Autozoom-Attack/blob/master/blackbox_attack.py#L222 in your code. Besides, can you provide me with more details about how to train the AE? SGD optimizer? How many epochs? Learning rate = ? Thank you very much. I am re-implementing your code in PyTorch; can you help me?

chunchentu commented 4 years ago

We used SGD with lr=0.01 with 1000 epochs. Please note that even if you use the same parameters, you might not get the exact same numbers due to a lot of other uncontrollable factors.

No, we didn't convert to arctanh in our implementation as it did not make a large difference.

joeybose commented 4 years ago

@machanic, did you ever finish the re-implementation in Pytorch? If so I would really like to try it out.

machanic commented 4 years ago

@joeybose I have finished it. If you want the code, I can email it to you. Please give me your email.

joeybose commented 4 years ago

Awesome, I would love to connect. My email is: joey.bose@mail.mcgill.ca, thank you so much again.

machanic commented 4 years ago

autozoom_attack.zip This is the pytorch version of autozoom attack. However, the training part of auto-encoder is not provided by the author of paper, so I reimplemented this part using my thought. You can debug and try to fix this part.

joeybose commented 4 years ago

awesome! Can you give a few canonical commands to run it? Also, were your implementation results similar?

machanic commented 4 years ago

@joeybose The attack's process and the code exactly follow the TensorFlow version; you can read the code and run it by yourself. However, the training part of the auto-encoder is not provided by the author of the paper, so I reimplemented this part based on my thought. You can fix this part. If you have questions, please contact me through email.