{"id":13454778,"url":"https://github.com/jsikyoon/adv_attack_capsnet","last_synced_at":"2025-03-24T06:31:28.273Z","repository":{"id":104483624,"uuid":"109409681","full_name":"jsikyoon/adv_attack_capsnet","owner":"jsikyoon","description":"Tensorflow Implementation of Adversarial Attack to Capsule Networks","archived":false,"fork":false,"pushed_at":"2017-11-09T01:39:06.000Z","size":4383,"stargazers_count":174,"open_issues_count":1,"forks_count":33,"subscribers_count":11,"default_branch":"master","last_synced_at":"2024-10-08T00:02:05.763Z","etag":null,"topics":["adversarial-example","capsule-network","fgsm","tensorflow"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jsikyoon.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2017-11-03T15:08:12.000Z","updated_at":"2024-08-12T03:10:29.000Z","dependencies_parsed_at":null,"dependency_job_id":"f9ecae23-e42f-4e30-b38b-205c355aff3c","html_url":"https://github.com/jsikyoon/adv_attack_capsnet","commit_stats":null,"previous_names":["jaesik817/adv_attack_capsnet"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jsikyoon%2Fadv_attack_capsnet","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jsikyoon%2Fadv_attack_capsnet/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jsikyoon%2Fadv_attack_capsnet/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jsikyoon%2Fadv_attack_capsnet/manifests","owner_url":"https://repos.e
cosyste.ms/api/v1/hosts/GitHub/owners/jsikyoon","download_url":"https://codeload.github.com/jsikyoon/adv_attack_capsnet/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245222565,"owners_count":20580185,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["adversarial-example","capsule-network","fgsm","tensorflow"],"created_at":"2024-07-31T08:00:57.863Z","updated_at":"2025-03-24T06:31:27.144Z","avatar_url":"https://github.com/jsikyoon.png","language":"Python","funding_links":[],"categories":["Implementations"],"sub_categories":["Tensorflow"],"readme":"Adversarial Attack to Capsule Networks\n===================================\n\nThis repo. is to research adversarial attack performance for CapsNets.\n\nIn recent years, deep learning has shown attractive results on several applications (speech / image recognition). However, since 2014, research papers have shown that deep learning can be easily fooled by very small noise. In the NIPS 2017 workshop, Ian Goodfellow opened an adversarial non-targeted/targeted attack and defense competition for this problem, and in ICLR 2018, many research papers on adversarial examples were submitted. In this situation, we read G. Hinton's paper, Dynamic routing between capsules, and tried to validate the robustness of the CapsNets in that paper against well-known adversarial attacks.\n\n**The CapsNets part of this repo. 
is based on InnerPeace-Wu's implementation, https://github.com/InnerPeace-Wu/CapsNet-tensorflow.**\n\nSettings\n----------\n\nThis implementation is on tensorflow 1.2.1, and the detailed settings follow InnerPeace-Wu's.\n\nAttackers\n----------------\n\n### Fast Gradient Sign Method (FGSM)\n\nFast Gradient Sign Method generates adversarial images using gradient information from the loss function and the true label.\n\nhttps://arxiv.org/pdf/1607.02533.pdf\n\n```\npython attack_gsm.py --max_iter=1\n```\n\nThis module is based on gongzhitaao's repository and sample attack code from Google Brain.\n\nhttps://github.com/gongzhitaao/tensorflow-adversarial\n\n### Basic Iteration (basic iter.)\n\nBasic Iteration generates adversarial images by running FGSM iteratively.\n\nhttps://arxiv.org/pdf/1607.02533.pdf\n\n```\npython attack_gsm.py --max_iter=\u003citer_num\u003e\n```\n\nThis module is based on gongzhitaao's repository and sample attack code from Google Brain.\n\nhttps://github.com/gongzhitaao/tensorflow-adversarial\n\n### Least-likely Class Method (step l.l)\n\nLeast-likely Class Method generates adversarial images using the \"least-likely\" label instead of the true label.\n\nhttps://arxiv.org/pdf/1607.02533.pdf\n\n```\npython attack_llcm.py --max_iter=1\n```\n\nThis module is based on gongzhitaao's repository and sample attack code from Google Brain.\n\nhttps://github.com/gongzhitaao/tensorflow-adversarial\n\n### Iterative Least-likely Class Method (iter. 
l.l)\n\nIterative Least-likely Class Method generates adversarial images by running step l.l iteratively.\n\nhttps://arxiv.org/pdf/1607.02533.pdf\n\n```\npython attack_llcm.py --max_iter=\u003citer_num\u003e\n```\n\nThis module is based on gongzhitaao's repository and sample attack code from Google Brain.\n\nhttps://github.com/gongzhitaao/tensorflow-adversarial\n\n### Adversarial Attack based on adversarial generative learning (AGL)\n\nThis module generates adversarial noise that makes the model mis-predict data to which the noise is added.\n\nHere, the three loss terms are as below.\n\n1. reverse cross-entropy for the true label (rce) =\u003e insight from FGSM\n2. cross-entropy for the least-likely label (ce_ll) =\u003e insight from step l.l\n3. cross-entropy for the top-1 selected label except the true label (ce_s) =\u003e new\n\n```\npython attack_gan.py\n```\n\nThe Agents\n----------------\n\n### Naive conv model (Baseline)\n\nThis module does not include any adversarial prior as a defense.\n\nIts structure is as below.\n\n3 convolutional layers with ReLU activation, whose kernel size and feature sizes are 3 and [64,128,256], respectively.\nAfter the 3 conv. layers, 2 linear layers with ReLU and softmax activation are used to obtain the prediction.\n\nThe accuracy on the original MNIST test data is about 99%.\n\n### Adversarial Training with adversarial examples from FGSM and Basic iter.\n\nThis module regularizes the baseline model with FGSM and Basic iter.\n\nOn each epoch, adversarial examples are repeatedly generated and learned by the agent.\n\n### Adversarial Training with adversarial examples from step l.l and iter. l.l\n\nThis module regularizes the baseline model with step l.l.\n\nOn each epoch, adversarial examples are repeatedly generated and learned by the agent.\n\nExperiment Results (MNIST)\n----------------------------\n\n- CapsNets is trained for 1.5K iterations, and training/test acc. 
are 0.995/0.991, respectively.\n\n- Epsilon is calculated with the infinity norm\n\n- Max epoch is 50\n\n- Max iter. for basic iter. and iter. l.l is 5.\n\n- The gif file shows adversarial examples with max_epsilon from 5 to 50\n\n### FGSM\n\n![alt tag](https://github.com/jaesik817/adv_attack_capsnet/blob/master/figures/fgsm.PNG)\n\nFGSM|0 |5 |10 |15 |20 |25 |30 |35 |40 |45 |50 \n----|--|--|---|---|---|---|---|---|---|---|--\nnaive model|0.990 |0.984 |0.966 |0.941 |0.920 |0.883 |0.826 |0.759 |0.683 |0.606 |0.529 \nadv. Training with FGSM|0.992 |0.988 |0.984 |0.984 |0.979 |0.975 |0.958 |0.965 |0.960 |0.957 |0.955 \nadv. Training with basic iter.|0.992 |0.989 |0.986 |0.977 |0.975 |0.974 |0.971 |0.969 |0.962 |0.964 |0.958 \nadv. Training with step l.l|0.992 |0.987 |0.978 |0.973 |0.966 |0.958 |0.955 |0.949 |0.928 |0.942 |0.934 \nadv. Training with iter l.l|0.992 |0.986 |0.980 |0.967 |0.958 |0.968 |0.961 |0.959 |0.953 |0.946 |0.942 \nCapsNet|0.991 |0.975 |0.942 |0.901 |0.854 |0.812 |0.785 |0.765 |0.749 |0.736 |0.721 \n\n![alt tag](https://github.com/jaesik817/adv_attack_capsnet/blob/master/figures/FGSM.gif)\n\n### Basic iter.\n\n![alt tag](https://github.com/jaesik817/adv_attack_capsnet/blob/master/figures/basic_iter.PNG)\n\nBasic iter.|0 |5 |10 |15 |20 |25 |30 |35 |40 |45 |50 \n-----------|--|--|---|---|---|---|---|---|---|---|--\nnaive model|0.990 |0.986 |0.974 |0.952 |0.915 |0.866 |0.807 |0.736 |0.681 |0.647 |0.623 \nadv. Training with FGSM|0.992 |0.989 |0.987 |0.987 |0.982 |0.966 |0.966 |0.960 |0.959 |0.950 |0.944 \nadv. Training with basic iter.|0.992 |0.989 |0.989 |0.982 |0.979 |0.977 |0.977 |0.974 |0.971 |0.970 |0.965 \nadv. Training with step l.l|0.992 |0.989 |0.982 |0.979 |0.973 |0.966 |0.959 |0.946 |0.924 |0.934 |0.915 \nadv. 
Training with iter l.l|0.992 |0.988 |0.984 |0.974 |0.968 |0.972 |0.965 |0.962 |0.955 |0.947 |0.942 \nCapsNet|0.991 |0.975 |0.936 |0.877 |0.800 |0.721 |0.647 |0.579 |0.517 |0.465 |0.423 \n\n![alt tag](https://github.com/jaesik817/adv_attack_capsnet/blob/master/figures/basic_iter.gif)\n\n### step l.l\n\n![alt tag](https://github.com/jaesik817/adv_attack_capsnet/blob/master/figures/step_ll.PNG)\n\nstep l.l|0 |5 |10 |15 |20 |25 |30 |35 |40 |45 |50 \n--------|--|--|---|---|---|---|---|---|---|---|--\nnaive model|0.990 |0.988 |0.982 |0.971 |0.951 |0.923 |0.883 |0.817 |0.740 |0.637 |0.511 \nadv. Training with FGSM|0.992 |0.991 |0.990 |0.991 |0.988 |0.975 |0.980 |0.983 |0.980 |0.980 |0.978 \nadv. Training with basic iter.|0.992 |0.989 |0.990 |0.984 |0.983 |0.984 |0.985 |0.981 |0.981 |0.981 |0.978 \nadv. Training with step l.l|0.992 |0.989 |0.987 |0.987 |0.985 |0.982 |0.979 |0.973 |0.967 |0.972 |0.970 \nadv. Training with iter l.l|0.992 |0.989 |0.988 |0.985 |0.983 |0.977 |0.977 |0.973 |0.971 |0.969 |0.966 \nCapsNet|0.991 |0.991 |0.979 |0.946 |0.880 |0.797 |0.702 |0.619 |0.546 |0.484 |0.431 \n\n![alt tag](https://github.com/jaesik817/adv_attack_capsnet/blob/master/figures/step_ll.gif)\n\n### iter l.l\n\n![alt tag](https://github.com/jaesik817/adv_attack_capsnet/blob/master/figures/iter_ll.PNG)\n\niter l.l|0 |5 |10 |15 |20 |25 |30 |35 |40 |45 |50 \n--------|--|--|---|---|---|---|---|---|---|---|--\nnaive model|0.990 |0.989 |0.986 |0.979 |0.964 |0.942 |0.897 |0.837 |0.754 |0.650 |0.550 \nadv. Training with FGSM|0.992 |0.991 |0.991 |0.992 |0.990 |0.980 |0.985 |0.986 |0.985 |0.981 |0.978 \nadv. Training with basic iter.|0.992 |0.990 |0.991 |0.987 |0.987 |0.987 |0.988 |0.986 |0.984 |0.985 |0.983 \nadv. Training with step l.l|0.992 |0.990 |0.990 |0.989 |0.988 |0.987 |0.985 |0.977 |0.973 |0.974 |0.969 \nadv. 
Training with iter l.l|0.992 |0.990 |0.989 |0.987 |0.987 |0.982 |0.982 |0.980 |0.977 |0.976 |0.975 \nCapsNet|0.991 |0.991 |0.985 |0.964 |0.933 |0.895 |0.854 |0.819 |0.787 |0.755 |0.733 \n\n![alt tag](https://github.com/jaesik817/adv_attack_capsnet/blob/master/figures/iter_ll.gif)\n\nDiscussion\n-------------\n\nCapsNet also falls into the trap of every type of adversarial example. This structure can be one hint toward solving the adversarial problem; however, the experiment results show that CapsNets are not free from adversarial attack.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjsikyoon%2Fadv_attack_capsnet","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjsikyoon%2Fadv_attack_capsnet","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjsikyoon%2Fadv_attack_capsnet/lists"}