
Adversarial Defense using AutoEncoder, Block Switching & GradCAM



This system focuses primarily on static image input and the defense architecture. The proposed model has the following characteristics:
  • A combination of two models to effectively defend against both black-box and white-box attacks.
  • The randomization method acts as a backup for the filtering performed by the auto-encoder, thereby increasing the robustness of the proposed model.
  • Grad-CAM highlights the important image regions on which the classification is based.


Prerequisites :

    1. Anaconda (if running the project as a Python notebook)
    2. Python

Download the dataset and necessary code

!git clone https://github.com/anirudh9784/Adversarial-Defense.git

Install the required libraries using the following commands (glob is part of the Python standard library and does not need to be installed):
!pip install tensorflow
!pip install torch
!pip install keras
!pip install scikit-learn
!pip install cleverhans
!pip install opencv-python

To run the project, use the following command

python Source_Code.py

Dataset :

It is a subset of the ImageNet dataset.
Source : ImageNet

Architecture :

(See Resources/Architecture.jpeg for the project architecture diagram.)

ML Models Used :

   1. ResNet
   2. MobileNetV2
   3. Auto-Encoder
   4. DenseNet

Attack Used :

   Fast Gradient Sign Method (FGSM) - Goodfellow, I. J., Shlens, J., and Szegedy, C. Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572, 2014.
    import tensorflow as tf

    # `pretrained_model` is the classifier under attack and `loss_object` is
    # its loss function (e.g. tf.keras.losses.CategoricalCrossentropy()).
    def create_adversarial_pattern(input_image, input_label):
        with tf.GradientTape() as tape:
            tape.watch(input_image)
            prediction = pretrained_model(input_image)
            loss = loss_object(input_label, prediction)
        # Gradient of the loss w.r.t. the input image
        gradient = tape.gradient(loss, input_image)
        # The sign of the gradient gives the direction of the FGSM perturbation
        signed_grad = tf.sign(gradient)
        return signed_grad
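
A minimal sketch of how the returned sign can be used to craft an adversarial example; the epsilon value and the `image`/`label` names are illustrative, not the project's exact settings:

    eps = 0.01  # perturbation budget (illustrative)
    perturbation = create_adversarial_pattern(image, label)
    # Clip to the model's valid input range, e.g. [-1, 1] for MobileNetV2 preprocessing
    adv_image = tf.clip_by_value(image + eps * perturbation, -1.0, 1.0)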

Defense Architecture :

Module 1 : Auto Encoder
Auto-encoders can be used for noise filtering. By feeding them noisy data as inputs and the corresponding clean data as outputs, it is possible to make them remove noise from the input image. In this way, auto-encoders can serve as denoisers.
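
As a concrete illustration, here is a minimal denoising auto-encoder sketch in Keras; the layer sizes and input shape are illustrative assumptions, not the exact architecture used in this project:

    import tensorflow as tf
    from tensorflow.keras import layers

    def build_denoiser(shape=(224, 224, 3)):
        inp = layers.Input(shape)
        x = layers.Conv2D(32, 3, activation='relu', padding='same')(inp)
        x = layers.MaxPooling2D(2, padding='same')(x)
        x = layers.Conv2D(32, 3, activation='relu', padding='same')(x)
        x = layers.UpSampling2D(2)(x)
        out = layers.Conv2D(3, 3, activation='sigmoid', padding='same')(x)
        return tf.keras.Model(inp, out)

    denoiser = build_denoiser()
    denoiser.compile(optimizer='adam', loss='mse')
    # Train on pairs of (noisy/adversarial, clean) images scaled to [0, 1]:
    # denoiser.fit(noisy_images, clean_images, epochs=20, batch_size=32)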
Module 2 : Randomisation
The switching block in this experiment consists of multiple channels. Each regular model is split into a lower part, containing all of the convolutional layers, and an upper part. The lower parts are combined to form a single output, providing the parallel channels of block switching, while the upper parts are discarded. These models tend to have similar characteristics in terms of classification accuracy and robustness, yet different model parameters due to random initialization and stochasticity in the training process.
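
A hypothetical sketch of the switching behaviour (eager execution assumed), where `lower_parts` holds the retained convolutional halves of several independently trained models and `upper_part` is the shared classification head:

    import random
    import tensorflow as tf

    class BlockSwitching(tf.keras.Model):
        def __init__(self, lower_parts, upper_part):
            super().__init__()
            self.lower_parts = lower_parts
            self.upper_part = upper_part

        def call(self, x):
            # A channel is picked at random on every forward pass, so a
            # white-box attacker cannot know which gradient path is active.
            channel = random.choice(self.lower_parts)
            return self.upper_part(channel(x))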
Module 3 : Grad-CAM
Grad-CAM (activation maps) uses the gradients of any target concept (say, the logits for "dog" or even a caption) flowing into the final convolutional layer to produce a coarse localization map that highlights the important regions in the image for predicting the concept.
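
Putting the modules together, a hypothetical sketch of the defended inference path; the names `denoiser` and `switching_model` refer to the sketches above, and Grad-CAM is applied separately for visualization:

    def defended_predict(adv_images, denoiser, switching_model):
        # Module 1: strip adversarial perturbations from the batch
        cleaned = denoiser(adv_images)
        # Module 2: classify with the randomly switching model
        return switching_model(cleaned)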

Auto Encoder :

Input – Adversarial image
Output – Clean image with the noise removed

Auto-encoders can be used for filtration: they are able to remove adversarial noise from an input image.

Grad CAM :

Input – Gradients of the final convolutional layer
Output – Activation/heat map

Grad-CAM produces activation maps that highlight the regions of the classified image that mattered most for the prediction. As the example below shows, Grad-CAM helps us figure out why an image is predicted as corn instead of dog.
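
A minimal Grad-CAM sketch in TensorFlow; `last_conv` is the name of the model's final convolutional layer and is an assumption that depends on the backbone (e.g. 'conv5_block3_out' for ResNet50):

    import tensorflow as tf

    def grad_cam(model, image, last_conv, class_idx):
        # Model exposing both the final conv feature maps and the logits
        grad_model = tf.keras.Model(
            model.inputs, [model.get_layer(last_conv).output, model.output])
        with tf.GradientTape() as tape:
            conv_out, preds = grad_model(image[tf.newaxis])
            score = preds[:, class_idx]
        grads = tape.gradient(score, conv_out)        # d(score)/d(feature maps)
        weights = tf.reduce_mean(grads, axis=(1, 2))  # global-average-pool the grads
        cam = tf.reduce_sum(conv_out * weights[:, tf.newaxis, tf.newaxis, :], axis=-1)
        cam = tf.nn.relu(cam)[0]                      # keep only positive influence
        return (cam / (tf.reduce_max(cam) + 1e-8)).numpy()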

Title : An integrated Auto Encoder-Block Switching defense approach to prevent adversarial attacks

Abstract : According to recent studies, the vulnerability of state-of-the-art neural networks to adversarial input samples has increased drastically. A neural network is a technique by which a computer learns to perform tasks using machine learning algorithms. Machine learning and artificial intelligence models have become a fundamental aspect of life, appearing in systems such as self-driving cars and smart home devices, so any vulnerability is a significant concern. The smallest input deviations can fool these extremely literal systems and deceive their users as well as administrators into precarious situations. This article proposes a defense algorithm which utilizes the combination of an auto-encoder and a block-switching architecture. The auto-encoder is intended to remove any perturbations found in input images, whereas the block-switching method is used to make the model more robust against white-box attacks. An attack is crafted using FGSM, and the subsequent counter by the proposed architecture demonstrates the feasibility and security delivered by the algorithm.

Project Organization

├── README.md                         <- The top-level README for developers using this project.
├── Resources
│   ├── AE_output.PNG                 <- Final output of the Auto-Encoder
│   ├── Architecture.jpeg             <- Project Architecture
│   ├── metrics.PNG                   <- Result metrics of our final model
│   ├── result.PNG                    <- Final Input Output Pipeline
│   └── gradcam.PNG                   <- Grad-Cam Output
│
├── Dataset                           <- Subset of ImageNet containing more than 200 images drawn from 1000 different classes
│
├── Dataset.zip                       <- The same dataset compressed as a ZIP file
│
├── Source_Code.py                    <- Source code of the project as a Python script
│
└── Research Paper                    <- Research Paper