realadv

Code for the SAS 2021 paper Exploiting Verified Neural Networks via Floating Point Numerical Error.

Steps for reproduction

  1. Install the requirements: Python >= 3.8, numpy, pytorch, cython and opencv. Julia and MIPVerify are also required; until the pull request is merged, you may need my fork of MIPVerify.
  2. Train the MNIST and CIFAR10 models and obtain the verification results by following the instructions in relu_stable. Note that the original relu_stable repository only contains an MNIST model; apply the patches in relu_stable_patch to reproduce the training step. Pre-trained model weights and verification results are also included in data, so this step can be skipped.
  3. Run step0_find_edge_input.sh, step1_find_edge_model.sh and then step2_attack.sh or attack_parallel.sh to reproduce the results. Read the scripts first to get a basic understanding of what each step does.

Attack logs and adversarial images for the experiments reported in the paper are available in result. Run python -m realadv view_attack to view adversarial images.
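The steps above reproduce the paper's search on the trained models. As an added toy illustration of the gap the paper exploits (this is not code from the paper or this repository), the following constructed 2-class linear network is certified robust in exact rational arithmetic, the real-valued arithmetic a verifier reasons about, yet a float32 forward pass on the certified input itself returns the other label; the weights, bias, input and epsilon are all assumed values chosen for the demonstration.

```python
import struct
from fractions import Fraction

ULP1 = 2.0 ** -23  # float32 spacing just above 1.0

def fl32(v: float) -> float:
    """Round a Python float (double) to the nearest float32."""
    return struct.unpack("f", struct.pack("f", v))[0]

def margin_exact(w, b, x) -> Fraction:
    """score(class 0) - score(class 1) for a 2-class linear net, in exact
    rational arithmetic: what a real-arithmetic verifier reasons about."""
    return sum(Fraction(wi) * Fraction(xi) for wi, xi in zip(w, x)) + Fraction(b)

def certified_lower_bound(w, b, x0, eps) -> Fraction:
    """Exact minimum of the margin over the L-inf box |x - x0| <= eps (tight
    for a linear map). A positive value is a real-arithmetic proof that every
    input in the box is labelled class 0."""
    worst = [xi - eps if wi > 0 else xi + eps for wi, xi in zip(w, x0)]
    return margin_exact(w, b, worst)

def margin_float32(w, b, x) -> float:
    """The same margin as a naive float32 kernel computes it: each product and
    the left-to-right running sum rounded to float32, bias added last. Real
    BLAS kernels sum in other orders and round differently per implementation."""
    acc = 0.0
    for wi, xi in zip(w, x):
        acc = fl32(acc + fl32(wi * xi))
    return fl32(acc + b)

def demo():
    """Constructed toy instance (assumed values, not one of the paper's models)."""
    a = fl32(0.4 * ULP1)      # below half an ulp of 1.0, so 1 + a rounds to 1
    w = [1.0, 1.0, 1.0, 1.0]  # w0 - w1 of the two output neurons
    b = -(1.0 + ULP1)         # b0 - b1, exactly representable in float32
    x0 = [1.0, a, a, a]       # exact margin 3a - ulp, about +0.2 ulp
    eps = 2.0 ** -30          # box small enough for the exact bound to stay > 0
    assert all(fl32(v) == v for v in w + x0 + [b]), "must be float32 values"
    return {
        "certified_lower_bound": certified_lower_bound(w, b, x0, eps),  # > 0
        "exact_margin": margin_exact(w, b, x0),                          # > 0
        "float32_margin": margin_float32(w, b, x0),                      # < 0: label 1
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:22s} {float(value):+.3e}")
```

The real-arithmetic verifier certifies label 0 for the whole box, while the float32 evaluation of the box's own centre lands a full ulp on the other side of the boundary; with hidden ReLU layers and vendor BLAS kernels the rounding pattern only gets harder to predict, which is why the paper searches for such inputs against the deployed model.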

Citation

@inproceedings{jia2021exploiting,
    author="Jia, Kai and Rinard, Martin",
    editor="Dr{\u{a}}goi, Cezara and Mukherjee, Suvam and Namjoshi, Kedar",
    title="Exploiting Verified Neural Networks via Floating Point Numerical Error",
    booktitle="Static Analysis",
    year="2021",
    publisher="Springer International Publishing",
    address="Cham",
    pages="191--205",
    isbn="978-3-030-88806-0"
}