perturbify is a Tensorflow adversarial machine learning attack toolkit to add perturbations and cause image recognition models to misclassify an image. The goal of an adversarial attack is to introduce minimum perturbations to an image to avoid detection while effectively causing a misclassification or significant change in prediction. Such attacks can be performed in a white, grey or black box approach.
NOTE: In this toolkit, fgsm (targeted) and deepfool attacks have been implemented
Our Tensorflow surrogate model with 3 classifications is trained using Tensorflow and Keras. Perturbify takes in an input image and outputs the perturbed image.
check.py
is automatically invoked once the adversarial image is generated to display the predictions before and after perturbations are added.
Usage:
perturbify.py -i [Input Image] -m [surrogate model] -a [attack method] -o [attack options]
Flags:
-i, --image string The target input image [Required]
-m, --model string The surrogate / attacker model [Required]
-a, --adversarial Adversarial attack type (fgsm/deepfool) [Required]
-o, --options Adversarial attack options (Refer below) [Required]
-h, --help Display the help page
FGSM Options: <epsilon (float), classification index to perturb towards (int)>
python perturbify.py -i image.jpg -m surrogate_model.h5 -a fgsm -o "0.2 2"
Deepfool Options: <max iterations (int), perturbations multiplier (int)>
python perturbify.py -i image.jpg -m surrogate_model.h5 -a deepfool -o "50 1"
NOTE: Some attributes can only be modified on the script such as num_classes
, read the added comments
The requirements.txt file should list all Python libraries required, and they will be installed using:
pip install -r requirements.txt
This tool is for educational and testing purposes only. Do not use it to exploit the vulnerability on any system that you do not own or have permission to test. The authors of this script are not responsible for any misuse or damage caused by its use.