This repository contains the code for Affine-Invariant Attack method, and this repo is modified from Translation-Invariant-Attacks.
We propose an Affine-Invariant adversarial attack (AI) which can consistently construct adversarial examples robust over a distribution of affine transformation including rotation, translation, and scaling. To further improve the efficiency of our algorithm, we propose to disentangle the affine transformation into the rotations, translations, magnifications. After reformulating the transformation in polar coordinate, we conduct the gradient estimation by convolving the gradient at the original image with derived kernels, which can be integrated with any gradient-based attack methods.
First download the models. You can also use other models by changing the model definition part in the code. Then run the following command
bash run_attack.sh input_dir output_dir 16
where original images are stored in input_dir with .png format, and the generated adversarial images are saved in output_dir.
We used the Python 2.7 and Tensorflow 1.12 versions. Python 3.6 and Tensorflow 1.15 may also work.
The models can be downloaded at Inception V3, Inception V4, Inception ResNet V2, and ResNet V2 152.
If you want to attack other models, you can replace the model definition part to your own models.
- For AI-FGSM, set
num_iter=1,momentum=0.0,prob=0.0; - For AI-BIM, set
num_iter=10,momentum=0.0,prob=0.0; - For AI-MIM, set
num_iter=10,momentum=1.0,prob=0.0; - For AI-DIM, set
num_iter=10,momentum=1.0,prob=0.7;
[1] https://github.com/dongyp13/Translation-Invariant-Attacks
[2] https://github.com/kevinzakka/spatial-transformer-network