A PyTorch implementation of "Adversarial Examples in the Physical World"
This code is a PyTorch implementation of the basic iterative method (also known as I-FGSM) and the iterative least-likely class method.
In this code, the above methods are used to fool Inception v3 (a minimal sketch of both attacks is given below).
'Giant Panda' is used as an example.
You can add other pictures by creating a folder named after the label under 'data/imagenet'.
This code also shows that an adversarial attack is still possible with a photo of an adversarial image.
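The following is a minimal sketch of the two attacks against a pretrained Inception v3, assuming inputs in [0, 1] and a model that handles its own input normalization; the function `i_fgsm` and its parameters are illustrative and do not come from this repository's code.

```python
import torch
import torch.nn.functional as F
import torchvision.models as models

def i_fgsm(model, x, y, eps=16/255, alpha=1/255, iters=10, least_likely=False):
    """Basic iterative method (I-FGSM); set least_likely=True for the
    iterative least-likely class variant. x is assumed to be in [0, 1]."""
    x_adv = x.clone().detach()
    for _ in range(iters):
        x_adv.requires_grad_(True)
        logits = model(x_adv)
        if least_likely:
            # Step *toward* the least-likely class (descend its loss).
            target = logits.argmin(dim=1)
            grad = torch.autograd.grad(F.cross_entropy(logits, target), x_adv)[0]
            step = -alpha * grad.sign()
        else:
            # Step *away* from the true label (ascend its loss).
            grad = torch.autograd.grad(F.cross_entropy(logits, y), x_adv)[0]
            step = alpha * grad.sign()
        x_adv = x_adv.detach() + step
        # Keep the perturbation inside the eps-ball and the valid pixel range.
        x_adv = torch.min(torch.max(x_adv, x - eps), x + eps).clamp(0, 1)
    return x_adv

# Usage: attack a single 299x299 image tensor `image` with true label `label`.
model = models.inception_v3(pretrained=True).eval()
# adv = i_fgsm(model, image.unsqueeze(0), label.unsqueeze(0), least_likely=True)
```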
- python==3.6
- numpy==1.14.2
- pytorch==1.0.0
- This paper proposed a new metric (called the destruction rate) to measure the influence of arbitrary transformations. (p.6)
- The destruction rate is the fraction of adversarial images which are no longer misclassified after the transformations (see the sketch after this list).
- Adversarial examples generated by the FGSM are the most robust to transformations.
- The iterative least-likely class method is the least robust.
- Blur, noise and JPEG encoding have a higher destruction rate than changes in brightness and contrast.
- The paper shows that iterative methods, which reach very high confidence, are less likely to survive photo transformations. (p.8-9)
- In the prefiltered case (clean images correctly classified, adversarial images confidently misclassified), the adversarial images could no longer fool the model after the transformations, unlike the average case (randomly chosen images).
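Below is a minimal sketch of how the destruction rate could be computed from per-image classification results; the function name and boolean-array inputs are illustrative assumptions, not part of this repository.

```python
import numpy as np

def destruction_rate(clean_correct, adv_correct, trans_adv_correct):
    """Destruction rate as defined in the paper (p.6): among images that were
    correctly classified when clean and misclassified when adversarial, the
    fraction that are classified correctly again after the transformation."""
    clean_correct = np.asarray(clean_correct, dtype=bool)
    adv_correct = np.asarray(adv_correct, dtype=bool)
    trans_adv_correct = np.asarray(trans_adv_correct, dtype=bool)

    eligible = clean_correct & ~adv_correct          # successful adversarial examples
    destroyed = eligible & trans_adv_correct         # attacks undone by the transformation
    return destroyed.sum() / max(eligible.sum(), 1)  # guard against an empty set
```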
- This repository will no longer be updated.
- Please use an adversarial attack package for PyTorch instead.