# PatchAttack **Repository Path**: qwbljm/PatchAttack ## Basic Information - **Project Name**: PatchAttack - **Description**: No description available - **Primary Language**: Unknown - **License**: MIT - **Default Branch**: master - **Homepage**: None - **GVP Project**: No ## Statistics - **Stars**: 0 - **Forks**: 0 - **Created**: 2024-11-26 - **Last Updated**: 2024-11-26 ## Categories & Tags **Categories**: Uncategorized **Tags**: None ## README # PatchAttack: A Black-box Texture-based Attack with Reinforcement Learning
\ This is the code used in the paper [PatchAttack: A Black-box Texture-based Attack with Reinforcement Learning](https://arxiv.org/abs/2004.05682). If you use the code or find this project helpful, please consider citing our paper. ``` @article{yang2020patchattack, title={PatchAttack: A Black-box Texture-based Attack with Reinforcement Learning}, author={Yang, Chenglin and Kortylewski, Adam and Xie, Cihang and Cao, Yinzhi and Yuille, Alan}, journal={arXiv preprint arXiv:2004.05682}, year={2020} } ``` ## Requirements + python 3.6 + pytorch 1.4.0 + easydict + opencv + matplotlib + scikit-learn + tqdm + kornia 0.2.2 + jupyter (for PatchAttack_tutorial.ipynb) ## Usage ### Dictionaries We privide [TextureDict_ImageNet_0.zip](https://livejohnshopkins-my.sharepoint.com/:u:/g/personal/cyang76_jh_edu/EcKGvE7jQVJMuMxqdbSSYdEB2VLbcE24m6YQDAqb2yR9KA?e=P8RJJm), [TextureDict_ImageNet_1.zip](https://livejohnshopkins-my.sharepoint.com/:u:/g/personal/cyang76_jh_edu/EXsnVi0FETZJuf1v9CLfu6YByb79RO_vj3-5BV_RY5Wzdg?e=lRUAj1). Please download, unzip and merge the two directories, constituing the whole texture dictionary used in our [paper](https://arxiv.org/abs/2004.05682). Alternatively, you can also generate one by yourself. First, please provide the paths to the train and val folder of ImageNet dataset and set cfg.ImageNet_train_dir and cfg.ImageNet_val_dir in parser.py. Second, you can optionally adjust the parameters in PatchAttack/PatchAttack_config.py to generate textures in different settings. Then, you can use the following commands to start the generation: + Build Texture Dictionary: ```bash # for classes of a range of labels python main_build-dict.py --gpu 0 --t-data ImageNet --tdict-dir TextureDict --t-labels-range 0 1000 # for classes of some specific labels python main_build-dict.py --gpu 0 --t-data ImageNet --tdict-dir TextureDict --t-labels 23 300 900 ``` Additionally, we also provide a dictionary consisting of Adversarial Patches generated by a gradient-based method proposed in [paper](https://arxiv.org/abs/1712.09665), which is [AdvPatchDict_ImageNet.zip](https://livejohnshopkins-my.sharepoint.com/:u:/g/personal/cyang76_jh_edu/EWnq9xITghhJkbHee9cbl6cByQkDiySr9rMCrh8Z6QulsQ?e=4EZ4Me). This dictionary is generated using VGG19 and other settings are determined in PatchAttack/PatchAttack_config.py. You can change the settings and use the following commands to generate a different dictionary of white-box adversarial patches: + Build AdversarialPatch Dictionary ```bash # for classes of a range of labels python main_build-dict.py --gpu 0 --arch VGG --depth 19 --t-data ImageNet --dict AdvPatch --tdict-dir AdvPatchDict --t-labels-range 0 1000 # for classes of some specific labels python main_build-dict.py --gpu 0 --arch VGG --depth 19 --t-data ImageNet --dict AdvPatch --tdict-dir AdvPatchDict --t-labels 23 300 900 ``` ### Attacks Our implementation inludes three black-box patch attacks: Texture-based Patch Attack (TPA), MonoChrome Patch Attack (MPA) in our [paper](https://arxiv.org/abs/2004.05682); Metropolis-Hastings Attack (HPA) originally proposed in [paper](http://www.bmva.org/bmvc/2016/papers/paper137/index.html). Besides, we also implement the white-box patch attack: Adversarial Patch Attack (AP) orginally proposed in [paper](https://arxiv.org/abs/1712.09665). You can add the path to the folder 'PatchAttack' in this repository to PYTHONPATH in your local system, and use 'PatchAttack' as a package. + PatchAttack_tutorial.ipynb explains how to perform these attacks. The prerequisite of running this tutorial is to download the text file of [ImageNet_clsidx_to_labels](https://gist.github.com/yrevar/942d3a0ac09ec9e5eb3a) to the root directory of this repository. Please refer to the notebook for details. ### Defenses: In our [paper](https://arxiv.org/abs/2004.05682), we evaluate PatchAttack on two defense models: Denoise Network \[[paper](https://arxiv.org/abs/1812.03411) - [code](https://github.com/facebookresearch/ImageNet-Adversarial-Training)\] and Shape-biased Network \[[paper](https://openreview.net/forum?id=Bygh9j09KX) - [code](https://github.com/rgeirhos/texture-vs-shape)\]. ## Acknowledgements The part of Grad_CAM in this code is based on [pytorch-grad-cam](https://github.com/jacobgil/pytorch-grad-cam/blob/master/gradcam.py). A helper function comes from [pytorch-classification](https://github.com/bearpaw/pytorch-classification/blob/master/utils/eval.py).