This is the source code for our SP'23 paper "StyleFool: Fooling Video Classification Systems via Style Transfer", partly based on style transfer code by Manuel Ruder https://github.com/manuelruder/artistic-videos.
Our algorithm uses style transfer for video black-box attacks, and ensures the indistinguishability and consistency of the adversarial video.
Tested with Ubuntu 18.04.
bash models/download_models.sh to download the VGG model.bash ./list/convert_video_to_images.sh ./UCF-101_images 5 to decode the video into images.python png2npy.py to generate npy files for the dataset.We use the pre-trained C3D model from here.
Targeted attack
Run python prepare.py --model C3D --dataset UCF101 --target.
Untargeted attack
Run python prepare.py --model C3D --dataset UCF101.
The processes of generating styles, calculating color themes and calculating target class confidence are needed only once. If you have finished those processes, run python prepare.py --model C3D --dataset UCF101 --generate-styles --color --superposition --target for targeted attack preparation and python prepare.py --model C3D --dataset UCF101 --generate-styles --color --superposition for untargeted attack preparation.
Then, you will find 'batch_command_target.sh' and 'batch_command_untarget.sh' in your directory.
Basic arguments:
--model: The attacked model. Default: C3D--dataset: The dataset. Default: UCF101--generate-styles: Need to generate styles. Default: True--color: Need to calculate the color themes. Default: True--superposition: Need to calculate the target class confidence. Default: True--style-folder: Path to save all the style images.--prepare-save-path: Path to save color themes and target class confidence.--gpu: ID of the GPU to use; for CPU mode set -gpu to -1, but CPU is not recommended.--dataset-img-path: The path of dataset in png forms.--dataset-video-path: The path of dataset in avi forms. --attack-id: Attack_id. You can change it to other numbers.--random-seed: Random_seed when choosing target label. You can change it to other numbers.--target: Target attack or untarget attack (default). Default: FalseTargeted attack
Run sh ./batch_command_target.sh.
Untargeted attack
Run sh ./batch_command_untarget.sh.
Targeted attack
Run python attack_prepare.py --model C3D --dataset UCF101 --target.
Untargeted attack
Run python attack_prepare.py --model C3D --dataset UCF101.
Basic arguments:
--model: The attacked model. Default: C3D--dataset: The dataset. Default: UCF101--dataset-npy-path: The path of dataset in npy forms.--gpu: ID of the GPU to use; for CPU mode set -gpu to -1, but CPU is not recommended.--styled-npy-path: The path of styled_npy.--output-npy-path: The path of output adversarial_npy.--target: Target attack or untarget attack (default). Default: FalseThen, you will find 'target_attack_batch.sh' and 'untarget_attack_batch.sh' in your directory.
Targeted attack
Run sh ./target_attack_batch.sh.
Untargeted attack
Run sh ./untarget_attack_batch.sh.
If you want to visualize the adversarial video and the initial video, run python generate_videos.py.
Basic arguments:
--output-npy-path: The path of output adversarial_npy.--output-video-path: The path of output adversarial videos.If you use this code or its parts in your research, please cite the following paper:
@inproceedings{cao2023stylefool,
title={StyleFool: Fooling Video Classification Systems via Style Transfer},
author={Cao, Yuxin and Xiao, Xi and Sun, Ruoxi and Wang, Derui and Xue, Minhui and Wen, Sheng},
booktitle={2023 IEEE Symposium on Security and Privacy (SP)},
year={2023},
organization={IEEE},
address={San Francisco, CA, USA},
month={May}
}