No.3 solution of the Tianchi ImageNet Adversarial Attack Challenge. Team members: @Equation, @LayneH
We use PGD (with learning rate decay) to attack the defense model.
Tricks:
- Trade-off between the non-targeted loss and the targeted loss.
- Ensemble of the losses over multiple scales and flipped inputs.
- Ensemble of multiple pre-trained (adversarially trained) models by averaging their logits.
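The loop described above, reduced to toy linear classifiers so it runs without PyTorch. This is an added example, not code from this repository: it covers only the step-size decay, the loss trade-off and the logit averaging, and the models, input, `lam`, `eps`, `alpha` and `decay` are constructed assumptions, not the team's settings.

```python
import math

# Constructed toy "models": two 3-class linear classifiers (logits = W @ x).
W1 = [[3, -1, 0], [0, 3, -1], [-1, 0, 3]]
W2 = [[3, 1, 0], [0, 3, 1], [1, 0, 3]]

def ensemble_logits(models, x):
    """Average the logits of all models (the ensembling trick)."""
    n = len(models)
    return [sum(sum(w * xi for w, xi in zip(W[k], x)) for W in models) / n
            for k in range(len(models[0]))]

def softmax(z):
    m = max(z)
    e = [math.exp(v - m) for v in z]
    s = sum(e)
    return [v / s for v in e]

def loss_grad(models, x, y, t, lam):
    """Gradient w.r.t. x of CE(logits, y) - lam * CE(logits, t)."""
    p = softmax(ensemble_logits(models, x))
    # d/dlogit: (p - onehot(y)) - lam * (p - onehot(t))
    g = [(1 - lam) * p[k] - (k == y) + lam * (k == t) for k in range(len(p))]
    n = len(models)
    return [sum(g[k] * sum(W[k][i] for W in models) / n for k in range(len(g)))
            for i in range(len(x))]

# Default hyperparameters are illustrative assumptions only.
def pgd(models, x, y, t, eps=0.15, alpha=0.05, decay=0.9, steps=10, lam=2.0):
    """L-inf PGD: signed ascent step, decay the step size, project."""
    adv = list(x)
    for _ in range(steps):
        grad = loss_grad(models, adv, y, t, lam)
        for i, g in enumerate(grad):
            step = alpha * ((g > 0) - (g < 0))
            # Project into the eps-ball around x, then into the valid range [0, 1].
            v = min(max(adv[i] + step, x[i] - eps), x[i] + eps)
            adv[i] = min(max(v, 0.0), 1.0)
        alpha *= decay
    return adv

def predict(models, x):
    z = ensemble_logits(models, x)
    return z.index(max(z))

if __name__ == "__main__":
    x = [0.6, 0.5, 0.4]  # constructed input, true class 0
    adv = pgd([W1, W2], x, y=0, t=2)
    print(predict([W1, W2], x), predict([W1, W2], adv), adv)
```

With `lam` below 1 the non-targeted term dominates and the same input ends up in class 1 instead of the target class 2, which is the trade-off the first trick refers to.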
Part of the attacked images:
python=3.6.9, pytorch=0.4.1, numpy=1.16.4, pandas=0.25.0
The original TensorFlow models are from Facebook: ImageNet-Adversarial-Training [1]. The corresponding PyTorch models can be downloaded from Google Drive or BaiduPan; extract them to the folder adv_denoise_model.
The denoising PyTorch models are taken directly from TREMBA [2].
You just need to run:
CUDA_VISIBLE_DEVICES=0 python main.py --img_path YOUR-IMAGE-PATH
[1] Xie, Cihang, et al. "Feature denoising for improving adversarial robustness." Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition. 2019.
[2] Huang, Z., and Zhang, T. "Black-Box Adversarial Attack with Transferable Model-based Embedding." arXiv preprint arXiv:1911.07140, 2019.