Many defenses against adversarial attacks (e.g., robust classifiers, randomization, or image purification) use countermeasures put to work only after the attack has been crafted. We adopt a different perspective to introduce
In your preferred folder <dir>, clone the git repo, e.g.:
mkdir <dir>/A5
cd <dir>/A5
git clone git@github.com:NVlabs/A5.git
To facilitate the distribution and use of the code among researchers, we suggest using docker. Once in the A5 folder, you should first create the docker image (docker requires image names to be lowercase, so the image is tagged a5):
cd <dir>/A5/A5
cd docker
nvidia-docker image build -t a5 .
cd ..
To run the docker image:
nvidia-docker run --gpus all --ipc=host --ulimit memlock=-1 --ulimit stack=67108864 -it -v <dir>/A5:/mount/A5 a5
Notice that we are launching docker with a shared volume that includes the code obtained from git: the host folder <dir>/A5 is mounted at /mount/A5, so the cloned repository is visible inside the container at /mount/A5/A5. Note also that --ipc=host shares the host IPC namespace with the container (PyTorch data loaders rely on shared memory), which weakens container isolation; keep this to a dedicated research machine. Inside the container, you can navigate to the shared folder as:
cd /mount/A5
From here you can launch all the
To facilitate the use of the same code across different datasets, we use the webdataset format for all of them. We provide a script to convert the desired dataset into webdataset format for MNIST, CIFAR10, FashionMNIST, Tinyimagenet, and the Fonts dataset used in our CVPR paper. If you want to add more datasets, feel free to modify the convert_dataset.py script. To get help and convert (as an example) the MNIST dataset into the webdataset format used in
python convert_dataset.py --help
python convert_dataset.py --dataset-name mnist --output-folder webdataset_mnist
The syntax for the other datasets is similar.
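The webdataset format mentioned above is a plain tar archive in which every field of a sample (image, label, ...) is a member named `<key>.<ext>`, so all members of one sample share a basename. The following is an added example, not the project's convert_dataset.py: it writes a small shard from constructed samples with the standard library, reads it back by regrouping members by key, and refuses member names with absolute paths or `..` components, which is the check you want before any dataset tar downloaded from elsewhere is unpacked on your machine. The field names `img` and `cls` and the zero-padded keys are assumptions of this example.

```python
import io
import os
import tarfile
import tempfile

# Constructed sample data: two "images" stored as raw bytes plus an integer label.
# The field names ("img", "cls") and the key format are assumptions of this
# example; they are not the field names used by the project's convert_dataset.py.
SAMPLES = [
    ("000000", {"img": b"\x00\x01\x02\x03", "cls": b"7"}),
    ("000001", {"img": b"\xff\xfe\xfd\xfc", "cls": b"2"}),
]


def write_shard(path, samples):
    """Write samples into a webdataset-style tar shard.

    Each sample is one key plus several fields; every field becomes a tar
    member named "<key>.<ext>", so all members of one sample share a basename.
    """
    with tarfile.open(path, "w") as tar:
        for key, fields in samples:
            for ext, data in fields.items():
                info = tarfile.TarInfo(name=f"{key}.{ext}")
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))


def is_safe_member_name(name):
    """Reject empty names, absolute paths and '..' components before reading a member."""
    parts = name.split("/")
    return name != "" and not name.startswith("/") and ".." not in parts


def read_shard(path):
    """Read a shard back, regrouping members into samples by key.

    The key is the basename up to the first '.', the extension is the rest;
    consecutive members with the same key form one sample.
    """
    samples = []
    current_key, current = None, None
    with tarfile.open(path, "r") as tar:
        for member in tar:
            if not member.isfile():
                continue
            if not is_safe_member_name(member.name):
                raise ValueError(f"unsafe member name in shard: {member.name!r}")
            base = os.path.basename(member.name)
            key, _, ext = base.partition(".")
            if key != current_key:
                current_key, current = key, {}
                samples.append((key, current))
            current[ext] = tar.extractfile(member).read()
    return samples


def roundtrip(samples=SAMPLES):
    """Write the constructed samples to a temporary shard and read them back."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "shard-000000.tar")
        write_shard(path, samples)
        return read_shard(path)


def rejects_traversal():
    """A shard containing a '../' member must be refused by read_shard."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "evil.tar")
        write_shard(path, [("../escape", {"cls": b"0"})])
        try:
            read_shard(path)
        except ValueError:
            return True
        return False


if __name__ == "__main__":
    for key, fields in roundtrip():
        print(key, int(fields["cls"]), len(fields["img"]), "bytes")
    print("traversal rejected:", rejects_traversal())
```

The reader never calls `extractall`; members are streamed with `extractfile`, so even a hostile archive cannot write outside the shard, and the name check stops the sample grouping from silently accepting path-like keys.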
Important note: Each user is responsible for checking the content of datasets and the applicable licenses and determining if suitable for the intended use and applicable links before the script runs and the data is placed in the user machine.
Detailed information about
Generally, we use
- Offline data robustification, known ground truth, legacy classifier (
- On-the-fly data robustification, unknown ground truth, legacy classifier (
- On-the-fly data robustification, unknown ground truth, re-trained classifier (
- Offline physical object robustification, known ground truth, legacy classifier (
- Offline physical object robustification, known ground truth, re-trained classifier (
The script a5.py allows training a standard classifier, a robust classifier, or a robustifier, or finding defensive augmentations for physical objects or for a dataset. Training for each of these elements can be done together with the other ones, to generate different
python a5.py --help
usage: a5.py [-h] [--train-prototypes] [--train-robustifier]
[--train-classifier] [--test] [--no-autoattack]
[--robustifier-arch {mnist,cifar10,tinyimagenet,identity}]
[--acquisition-arch {identity,camera}]
[--classifier-arch {mnist,cifar10,tinyimagenet,fonts}]
[--training-dataset-folder TRAINING_DATASET_FOLDER]
[--validation-dataset-folder VALIDATION_DATASET_FOLDER]
[--test-dataset-folder TEST_DATASET_FOLDER]
[--prototypes-dataset-folder PROTOTYPES_DATASET_FOLDER]
[--batch-size BATCH_SIZE] [--epochs EPOCHS] [--lr LR]
[--lr-scheduler-milestones LR_SCHEDULER_MILESTONES [LR_SCHEDULER_MILESTONES ...]]
[--lr-scheduler-gamma LR_SCHEDULER_GAMMA]
[--x-epsilon-attack-scheduler-name {LinearScheduler,AdaptiveScheduler,SmoothedScheduler,FixedScheduler}]
[--x-epsilon-attack-scheduler-opts X_EPSILON_ATTACK_SCHEDULER_OPTS]
[--x-augmentation-mnist] [--x-augmentation-cifar10]
[--save-interval SAVE_INTERVAL]
[--batch-multiplier BATCH_MULTIPLIER]
[--test-multiplier TEST_MULTIPLIER]
[--load-classifier LOAD_CLASSIFIER]
[--load-robustifier LOAD_ROBUSTIFIER] [--log-dir LOG_DIR]
[--x-epsilon-attack-training X_EPSILON_ATTACK_TRAINING]
[--x-epsilon-attack-testing X_EPSILON_ATTACK_TESTING]
[--w-epsilon-attack-training W_EPSILON_ATTACK_TRAINING]
[--w-epsilon-attack-testing W_EPSILON_ATTACK_TESTING]
[--x-epsilon-defense X_EPSILON_DEFENSE]
[--w-epsilon-defense W_EPSILON_DEFENSE]
[--bound-type {IBP,CROWN-IBP,CROWN,CROWN-FAST}] [--verbose]
And here is a detailed explanation of all the parameters that can be passed as input.
- [--train-prototypes] [--train-robustifier] [--train-classifier] Indicate the task for
- [--test] [--no-autoattack] The test option is used to test the trained elements on the test dataset. It can be used together with a training task; keep in mind that the test will run after training is complete. The no-autoattack option skips computing the autoattack error (faster).
- [--robustifier-arch {mnist,cifar10,tinyimagenet,identity}] [--acquisition-arch {identity,camera}] [--classifier-arch {mnist,cifar10,tinyimagenet,fonts}] These parameters indicate the architectures of the modules in
- [--training-dataset-folder TRAINING_DATASET_FOLDER] [--validation-dataset-folder VALIDATION_DATASET_FOLDER] [--test-dataset-folder TEST_DATASET_FOLDER] [--prototypes-dataset-folder PROTOTYPES_DATASET_FOLDER] These indicate the folders with the datasets. Notice that the prototypes-dataset-folder is used to indicate a pre-computed robustified dataset, which generally lies in the logdir/w folder.
- [--batch-size BATCH_SIZE] [--epochs EPOCHS] [--lr LR] [--lr-scheduler-milestones LR_SCHEDULER_MILESTONES [LR_SCHEDULER_MILESTONES ...]] [--lr-scheduler-gamma LR_SCHEDULER_GAMMA] [--batch-multiplier BATCH_MULTIPLIER] Training parameters. The batch multiplier is used to save GPU memory while training: the gradient is accumulated --batch-multiplier times before performing the update step. This allows training with larger effective batches at minimum memory cost. It is however slower than using an equivalent larger batch.
- [--x-epsilon-attack-scheduler-name {LinearScheduler,AdaptiveScheduler,SmoothedScheduler,FixedScheduler}] [--x-epsilon-attack-scheduler-opts X_EPSILON_ATTACK_SCHEDULER_OPTS] Training schedulers for
- [--x-augmentation-mnist] [--x-augmentation-cifar10] use augmentation for mnist or cifar10. If other augmentation strategies are needed, they have to be added to the code.
- [--save-interval SAVE_INTERVAL] Interval (epochs) to save the models while training.
- [--test-multiplier TEST_MULTIPLIER] Increase the size of the test dataset. This is generally not used, but comes in handy when the dataset is small. For instance, when testing
- [--load-classifier LOAD_CLASSIFIER] [--load-robustifier LOAD_ROBUSTIFIER] Load a classifier / robustifier before training or testing. Please notice that to load a defended set of physical objects one has to use --prototypes-dataset-folder.
- [--log-dir LOG_DIR] Folder used to store the training and testing results.
- [--x-epsilon-attack-training X_EPSILON_ATTACK_TRAINING] [--x-epsilon-attack-testing X_EPSILON_ATTACK_TESTING] [--w-epsilon-attack-training W_EPSILON_ATTACK_TRAINING] [--w-epsilon-attack-testing W_EPSILON_ATTACK_TESTING] [--x-epsilon-defense X_EPSILON_DEFENSE] [--w-epsilon-defense W_EPSILON_DEFENSE] These are all the attack and defense magnitudes. Please notice that their exact interpretation may depend on the adopted recipe.
- [--bound-type {IBP,CROWN-IBP,CROWN,CROWN-FAST}] Bound type used when calling the auto_LiRPA functions.
- [--verbose] Mostly used for profiling.
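The --batch-multiplier option above relies on gradient accumulation: the gradient of each micro-batch is computed and summed, and the parameters are updated once per full batch. The toy example below is added here to show why that reproduces the full-batch update and where the usual bug hides; it is illustration code written for this page, not the project's training loop, and uses a one-dimensional linear model with squared loss on constructed data so that it runs without any deep-learning framework.

```python
# Constructed toy data for a one-dimensional linear model y = w*x + b
# (the true relation is y = 2x + 1).  Illustration code added for this page,
# not the project's training loop.
SAMPLE_XS = [1.0, 2.0, 3.0, 4.0]
SAMPLE_YS = [3.0, 5.0, 7.0, 9.0]


def grad_mse(w, b, xs, ys):
    """Gradient of the mean squared error over the batch w.r.t. (w, b)."""
    n = len(xs)
    gw = gb = 0.0
    for x, y in zip(xs, ys):
        err = (w * x + b) - y
        gw += 2.0 * err * x / n
        gb += 2.0 * err / n
    return gw, gb


def step_full_batch(w, b, xs, ys, lr):
    """One update using the gradient of the whole batch at once."""
    gw, gb = grad_mse(w, b, xs, ys)
    return w - lr * gw, b - lr * gb


def step_accumulated(w, b, xs, ys, lr, multiplier, rescale=True):
    """One update from `multiplier` micro-batches whose gradients are summed.

    Only one micro-batch is processed at a time, which is what saves memory.
    Because each micro-batch gradient is already a mean over its own samples,
    it must be divided by `multiplier` before being added, so that the sum
    equals the mean-loss gradient of the full batch.  With rescale=False the
    update is `multiplier` times too large, a common mistake that silently
    changes the effective learning rate.
    """
    n = len(xs)
    if n % multiplier != 0:
        raise ValueError("batch size must be divisible by the multiplier")
    micro = n // multiplier
    scale = 1.0 / multiplier if rescale else 1.0
    acc_w = acc_b = 0.0
    for i in range(multiplier):
        sl = slice(i * micro, (i + 1) * micro)
        gw, gb = grad_mse(w, b, xs[sl], ys[sl])   # gradient of this micro-batch only
        acc_w += scale * gw
        acc_b += scale * gb
    return w - lr * acc_w, b - lr * acc_b


if __name__ == "__main__":
    full = step_full_batch(0.0, 0.0, SAMPLE_XS, SAMPLE_YS, 0.1)
    acc = step_accumulated(0.0, 0.0, SAMPLE_XS, SAMPLE_YS, 0.1, 2)
    bad = step_accumulated(0.0, 0.0, SAMPLE_XS, SAMPLE_YS, 0.1, 2, rescale=False)
    print("full batch     :", full)
    print("accumulated x2 :", acc)
    print("unscaled x2    :", bad)
```

The same equivalence holds for any multiplier that divides the batch size; what changes between multipliers is only the peak memory and the wall-clock time, which is the trade-off described for --batch-multiplier above.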
To save time and energy, we intend to share the pre-trained models (robustifiers, classifiers) mentioned in our CVPR paper with all researchers that need them. These will be published here on demand. If you need one of our models to be made public, please send your request to:
Please cite our work as:
@inproceedings{Fro23_a5,
author={Frosio, Iuri and Kautz, Jan},
year={2023},
title={The Best Defense is a Good Offense: Adversarial Augmentation Against Adversarial Attacks},
booktitle={CVPR},
}
“Licensor” means any person or entity that distributes its Work. “Work” means (a) the original work of authorship made available under this license, which may include software, documentation, or other files, and (b) any additions to or derivative works thereof that are made available under this license. The terms “reproduce,” “reproduction,” “derivative works,” and “distribution” have the meaning as provided under U.S. copyright law; provided, however, that for the purposes of this license, derivative works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work. Works are “made available” under this license by including in or with the Work either (a) a copyright notice referencing the applicability of this license to the Work, or (b) a copy of this license.
2.1 Copyright Grant. Subject to the terms and conditions of this license, each Licensor grants to you a perpetual, worldwide, non-exclusive, royalty-free, copyright license to use, reproduce, prepare derivative works of, publicly display, publicly perform, sublicense and distribute its Work and any resulting derivative works in any form.
3.1 Redistribution. You may reproduce or distribute the Work only if (a) you do so under this license, (b) you include a complete copy of this license with your distribution, and (c) you retain without modification any copyright, patent, trademark, or attribution notices that are present in the Work.
3.2 Derivative Works. You may specify that additional or different terms apply to the use, reproduction, and distribution of your derivative works of the Work (“Your Terms”) only if (a) Your Terms provide that the use limitation in Section 3.3 applies to your derivative works, and (b) you identify the specific derivative works that are subject to Your Terms. Notwithstanding Your Terms, this license (including the redistribution requirements in Section 3.1) will continue to apply to the Work itself.
3.3 Use Limitation. The Work and any derivative works thereof only may be used or intended for use non-commercially. Notwithstanding the foregoing, NVIDIA Corporation and its affiliates may use the Work and any derivative works commercially. As used herein, “non-commercially” means for research or evaluation purposes only.
3.4 Patent Claims. If you bring or threaten to bring a patent claim against any Licensor (including any claim, cross-claim or counterclaim in a lawsuit) to enforce any patents that you allege are infringed by any Work, then your rights under this license from such Licensor (including the grant in Section 2.1) will terminate immediately.
3.5 Trademarks. This license does not grant any rights to use any Licensor’s or its affiliates’ names, logos, or trademarks, except as necessary to reproduce the notices described in this license.
3.6 Termination. If you violate any term of this license, then your rights under this license (including the grant in Section 2.1) will terminate immediately.
THE WORK IS PROVIDED “AS IS” WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING WARRANTIES OR CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE OR NON-INFRINGEMENT. YOU BEAR THE RISK OF UNDERTAKING ANY ACTIVITIES UNDER THIS LICENSE.
EXCEPT AS PROHIBITED BY APPLICABLE LAW, IN NO EVENT AND UNDER NO LEGAL THEORY, WHETHER IN TORT (INCLUDING NEGLIGENCE), CONTRACT, OR OTHERWISE SHALL ANY LICENSOR BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES ARISING OUT OF OR RELATED TO THIS LICENSE, THE USE OR INABILITY TO USE THE WORK (INCLUDING BUT NOT LIMITED TO LOSS OF GOODWILL, BUSINESS INTERRUPTION, LOST PROFITS OR DATA, COMPUTER FAILURE OR MALFUNCTION, OR ANY OTHER DAMAGES OR LOSSES), EVEN IF THE LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.