
AdvFlow

[NeurIPS2020] The official repository of "AdvFlow: Inconspicuous Black-box Adversarial Attacks using Normalizing Flows".

README

AdvFlow

Hadi M. Dolatabadi, Sarah Erfani, and Christopher Leckie 2020

arXiv License: MIT

This is the official implementation of NeurIPS 2020 paper AdvFlow: Inconspicuous Black-box Adversarial Attacks using Normalizing Flows. A small part of this work, the Greedy AdvFlow, has been published in ICML Workshop on Invertible Neural Networks, Normalizing Flows, and Explicit Likelihood Models. A blog post explaining our approach can be found here.

<p align="center"> <img src="https://raw.githubusercontent.com/hmdolatabadi/hmdolatabadi.github.io/master/images/advflow/AdvFlow.gif" width="95%"> </p>

Requirements

To install requirements:

pip install -r requirements.txt

Training Normalizing Flows

To train a flow-based model, first set mode = 'pre_training' and specify all relevant variables in config.py. Once specified, run this command:

python train.py

Attack Evaluation

To perform the AdvFlow black-box adversarial attack, first set mode = 'attack' in config.py. Also specify the dataset, the target model architecture, and the path to its weights by setting the dataset, target_arch, and target_weight_path variables in config.py, respectively. Once specified, run:

python attack.py

for CIFAR-10, SVHN, and CelebA. For ImageNet, however, you need to run:

python attack_imagenet.py

Finally, you can run Greedy AdvFlow with:

python attack_greedy.py

Pre-trained Models

Pre-trained flow-based models as well as some target classifiers can be found here.

Results

Fooling Adversarial Example Detectors

The primary assumption of adversarial example detectors is that adversarial examples come from a different distribution than the data. Here, we attack CIFAR-10 and SVHN classifiers defended by well-known adversarial example detectors, and show that the adversaries generated by our model mislead them more often than those of the comparable method NATTACK. This suggests that our adversaries have a distribution similar to that of the data.

Table: Area under the receiver operating characteristic curve (AUROC) and accuracy of detecting adversarial examples generated by NATTACK (https://github.com/Cold-Winter/Nattack) and AdvFlow (un. for un-trained and tr. for pre-trained NF) using the LID (https://github.com/xingjunm/lid_adversarial_subspace_detection), Mahalanobis (https://github.com/pokaxpoka/deep_Mahalanobis_detector), and Res-Flow (https://github.com/EvZissel/Residual-Flow) adversarial example detectors. Values marked with * are the lowest in their row, i.e. the attack that the detector finds hardest to detect.

Data      Detector      AUROC (%)                               Detection Acc. (%)
                        NATTACK   AdvFlow (un.)  AdvFlow (tr.)   NATTACK   AdvFlow (un.)  AdvFlow (tr.)
CIFAR-10  LID           78.69     84.39          *57.59          72.12     77.11          *55.74
          Mahalanobis   97.95     99.50          *66.85          95.59     97.46          *62.21
          Res-Flow      97.90     99.40          *67.03          94.55     97.21          *62.60
SVHN      LID           *57.70    58.92          61.11           *55.60    56.43          58.21
          Mahalanobis   73.17     74.67          *64.72          68.20     69.46          *60.88
          Res-Flow      69.70     74.86          *64.68          64.53     68.41          *61.13
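As an added illustration of how the two metrics in the table are computed (this is not AdvFlow's own code, nor the linked detectors' code), the toy below fits a Mahalanobis-style detector on constructed 2-D features and reports AUROC and detection accuracy for two constructed adversarial sets: one displaced from the data distribution and one drawn from it. The detector uses a tied diagonal covariance, a simplification of the real Mahalanobis detector; the feature layout and shift are assumptions.

```python
import random
from statistics import mean, pvariance

def fit(features, labels):
    """Class means plus a tied diagonal variance, estimated on clean features only."""
    dims = range(len(features[0]))
    means = {c: [mean([f[d] for f, l in zip(features, labels) if l == c]) for d in dims]
             for c in sorted(set(labels))}
    var = [pvariance([f[d] - means[l][d] for f, l in zip(features, labels)]) for d in dims]
    return means, var

def score(model, x):
    """Mahalanobis distance to the nearest class mean; larger means 'more adversarial'."""
    means, var = model
    return min(sum((x[d] - m[d]) ** 2 / var[d] for d in range(len(x))) for m in means.values())

def auroc(clean_scores, adv_scores):
    """AUROC in %: chance a random adversarial score exceeds a random clean one (ties count half)."""
    wins = sum(1.0 if a > c else 0.5 if a == c else 0.0 for a in adv_scores for c in clean_scores)
    return 100.0 * wins / (len(adv_scores) * len(clean_scores))

def detection_acc(clean_scores, adv_scores):
    """Detection accuracy in %: best balanced accuracy over every threshold on the score."""
    best = 0.0
    for t in sorted(set(clean_scores) | set(adv_scores)):
        tpr = sum(a >= t for a in adv_scores) / len(adv_scores)
        tnr = sum(c < t for c in clean_scores) / len(clean_scores)
        best = max(best, 50.0 * (tpr + tnr))
    return best

def make_features(n, shift, seed):
    """Constructed 2-D features: class 0 near (0,0), class 1 near (4,4), unit noise; `shift` moves
    points off their class mean along (+1,-1), i.e. away from both classes (an assumed layout)."""
    rng = random.Random(seed)
    feats, labels = [], []
    for i in range(n):
        c = i % 2
        feats.append([4 * c + shift + rng.gauss(0, 1), 4 * c - shift + rng.gauss(0, 1)])
        labels.append(c)
    return feats, labels

def evaluate(shift):
    """(AUROC, detection accuracy) for adversarial features displaced by `shift` from the data."""
    train, labels = make_features(400, 0.0, seed=0)
    model = fit(train, labels)
    clean_test, _ = make_features(200, 0.0, seed=1)
    adv_test, _ = make_features(200, shift, seed=2)
    cs = [score(model, x) for x in clean_test]
    ads = [score(model, x) for x in adv_test]
    return auroc(cs, ads), detection_acc(cs, ads)
```

evaluate(3.0) yields AUROC and accuracy well above 85%, while evaluate(0.0), where the "adversaries" share the data distribution, stays near the 50% chance level: this is the failure mode the table reports for a flow that has learned the data distribution.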

Acknowledgement

This repository is mainly built upon FrEIA, the Framework for Easily Invertible Architectures, and NATTACK. We thank the authors of these two repositories.

Citation

If you have found our code or paper beneficial to your research, please consider citing them as:

@inproceedings{dolatabadi2020advflow,
  title={AdvFlow: Inconspicuous Black-box Adversarial Attacks using Normalizing Flows},
  author={Hadi Mohaghegh Dolatabadi and Sarah Erfani and Christopher Leckie},
  booktitle = {Proceedings of the Advances in Neural Information Processing Systems 33: Annual Conference on Neural Information Processing Systems ({NeurIPS})},
  year={2020}
}

Languages

Python

Security Score

92/100

Audited on Dec 18, 2025

No findings