https://github.com/mayukhdeb/deep-chicken-saviour
using adversarial attacks to confuse deep-chicken-terminator :shield: :chicken:
https://github.com/mayukhdeb/deep-chicken-saviour
adversarial-attacks adversarial-examples computer-vision fgsm object-detection opencv pytorch
Last synced: 3 months ago
JSON representation
using adversarial attacks to confuse deep-chicken-terminator :shield: :chicken:
- Host: GitHub
- URL: https://github.com/mayukhdeb/deep-chicken-saviour
- Owner: Mayukhdeb
- Created: 2020-04-01T08:16:38.000Z (about 5 years ago)
- Default Branch: master
- Last Pushed: 2020-09-13T05:34:39.000Z (almost 5 years ago)
- Last Synced: 2025-02-28T10:34:00.683Z (4 months ago)
- Topics: adversarial-attacks, adversarial-examples, computer-vision, fgsm, object-detection, opencv, pytorch
- Language: Jupyter Notebook
- Homepage:
- Size: 4.48 MB
- Stars: 7
- Watchers: 2
- Forks: 0
- Open Issues: 1
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
# deep-chicken-saviour :shield: :chicken:
[](https://nbviewer.jupyter.org/github/Mayukhdeb/deep-chicken-saviour/tree/master/)
## Adversarial blocks generated by negative epsilon FGSM to confuse the trained deep neural network
## Before:
## After:
These blocks are made by starting out with a dark grey image and then backpropagating on the image with the pre trained network with a negative epsilon in order to minimise loss for the target class, a more negative epsilon will not necessarily give a better result. But it's a bell curve instead, and the epsilon is optimized by looking for the local target class probability maxima in the domain [`lower_limit`, `0`)
These adversarial blocks can be generated for any animal class.
## Fast Gradient Sign Method :chart_with_upwards_trend:
* `sign(data_gradients)` gives the element wise signs of the data gradient
* `epsilon` defines the "strength" of the perturbation of the image
In a nutshell, instead of **optimizing the model to reduce the loss**, we're **un-optimizing the input image to maximise loss**.
* This works primarily because of the piecewise linear nature of deep neural networks. For example, look at ReLU or at maxout functions, they're all piecewise linear. Even a carefully tuned sigmoid has an approximate linear nature when taken piecewise.
* With varying values of epsilon, we will see an approximately linear relationship between "confidence" and epsilon.
## Negative epsilon FGSM
* this can be used to turn one animal into another specific animal for the deep neural network
## How are the images "optimized" using the same FGSM ?
* The key here is to understand how FGSM actually worked.
In FGSM, we were tampering with the pixels which has a *positive* gradient and added a certain value `gradient * epsilon` to each of those pixels. This made the image deviate further and further away from the class it actually belongs to and thus maximising loss in the process. Note that this was done with a __positive epsilon__ value
But for our current objective, we will try to "optimize" the image to a different class. This can be done by:
* Doing a forward pass with an image of class `x` and with a label of `y`. Where `y` is the class to which we want to convert our image to.
* Performing a backpropagation on the network and extracting the gradients on the input image.
* Now instead of trying to maximise loss using the FGSM, we'll reduce the loss with a __negative epsilon__ FGSM.
* This will help reduce the loss of the image with respect to the target class `y`, and with a sufficiently negative epsilon value, the image gets mis-classified as the target class.
If you didn't read the boring stuff above, just remember that
* A __positive epsilon__ value will __un-optimize__ the image
* A __negative epsilon__ value will __optimize__ the image for the given label class
## Generating adversarial patches from black images
