Code for our NeurIPS 2019 paper Subspace Attack: Exploiting Promising Subspaces for Query-Efficient Black-box Attacks.
Our paper is also available on arXiv.
- Python 3.5
- PyTorch 1.1.0
- torchvision 0.2.2
- glog 0.3.1
We use CIFAR-10 and ImageNet in our experiments, and these two datasets should be prepared into the following structure:
subspace-attack.pytorch
└───data
    ├── cifar10
    │   ├── cifar-10-batches-py
    │   └── cifar-10-python.tar.gz
    └── imagenet
        ├── train
        └── val
For reference models, please download them at this link, extract them, and put them into the data/ directory.
To mount an untargeted l-inf attack on a WRN victim model on CIFAR-10 using AlexNet+VGGNets as references (i.e., the CIFAR-10->WRN->Ours row in Table 1 of our paper), run:
python3 attack.py --arch wrn-28-10-drop --attack-type untargeted --norm-type linf --dataset cifar10 --ref-arch alexnet_bn vgg11_bn vgg13_bn vgg16_bn vgg19_bn --ref-arch-train-data cifar10.1
We also provide many logs for experiments used in our paper at this link.
The following resources are very helpful for our work:
- Pretrained models for ImageNet
- Pretrained models for CIFAR-10
- GDAS
- Official AutoAugment implementation
- ImageNet FGSM adversarially trained Inception-V3 model
- Carlini's CIFAR-10 ConvNet
Please cite our work in your publications if it helps your research:
@inproceedings{subspaceattack,
title={Subspace Attack: Exploiting Promising Subspaces for Query-Efficient Black-box Attacks},
author={Guo, Yiwen and Yan, Ziang and Zhang, Changshui},
booktitle={Advances in Neural Information Processing Systems},
pages={3820--3829},
year={2019}
}