Deep neural networks are vulnerable to adversarial attacks, and so does deep ranking or deep metric learning models. The project RobRank aims to study the empirical adversarial robustness of deep ranking / metric learning models. Our contribution includes (1) the definition and implementation of two new adversarial attacks, namely candidate attack and query attack; (2) two adversarial defense methods (based on adversarial training) are proposed to improve model robustness against a wide range of attacks; (3) a comprehensive empirical robustness score for quantitatively assessing adversarial robustness. In particular, an "Anti-Collapse Triplet" defense method is newly introduced in RobRank, which achieves at least 60% and at most 540% improvement in adversarial robustness compared to the ECCV work. See the preprint manuscript for details.
RobRank codebase is extended from my previous ECCV'2020 work "Adversarial Ranking Attack and Defense," with a major code refactor. You may find most functionalities of the previous codebase in this repository as well.
Note, the project name is RobRank, instead of RobBank.
Preprint-Title: "Adversarial Attack and Defense in Deep Ranking"
Preprint-Authors: Mo Zhou, Le Wang, Zhenxing Niu, Qilin Zhang, Nanning Zheng, Gang Hua
Preprint-Link: https://arxiv.org/abs/2106.03614
Keywords: Deep {Ranking, Metric Learning}, Adversarial {Attack, Defense, Robustness}
Project Status: Actively maintained.
Install-RobRank-Python-Dependency: $ pip install -r requirements.txt
Install-RobRank: $ python3 setup.py install (this is optional)
News and Updates
...
In the following tables, "N/A" denotes "no defense equipped"; EST is the defense proposed in the ECCV'2020 paper; ACT is the new defense in the preprint paper. These rows are sorted by ERS. I'm willing to add other DML defenses for comparison in these tables.
| Dataset | Model | Loss | Defense | R@1 | R@2 | mAP | NMI | ERS |
|---|---|---|---|---|---|---|---|---|
| MNIST | C2F2 | Triplet | N/A | 99.0 | 99.4 | 98.7 | 84.7 | 13.3 |
| MNIST | C2F2 | Triplet | EST | 98.3 | 99.0 | 91.3 | 80.7 | 40.5 |
| MNIST | C2F2 | Triplet | ACT | 98.6 | 99.1 | 98.1 | 86.4 | 78.6 |
| Dataset | Model | Loss | Defense | R@1 | R@2 | mAP | NMI | ERS |
|---|---|---|---|---|---|---|---|---|
| Fashion | C2F2 | Triplet | N/A | 87.6 | 92.7 | 84.9 | 77.8 | 4.5 |
| Fashion | C2F2 | Triplet | EST | 78.6 | 86.8 | 64.6 | 64.9 | 36.4 |
| Fashion | C2F2 | Triplet | ACT | 79.4 | 87.9 | 71.6 | 69.6 | 67.7 |
| Dataset | Model | Loss | Defense | R@1 | R@2 | mAP | NMI | ERS |
|---|---|---|---|---|---|---|---|---|
| CUB | RN18 | Triplet | N/A | 53.9 | 66.4 | 26.1 | 59.5 | 3.8 |
| CUB | RN18 | Triplet | EST | 8.5 | 13.0 | 2.6 | 25.2 | 5.3 |
| CUB | RN18 | Triplet | ACT | 27.5 | 38.2 | 12.2 | 43.0 | 33.9 |
| Dataset | Model | Loss | Defense | R@1 | R@2 | mAP | NMI | ERS |
|---|---|---|---|---|---|---|---|---|
| CARS | RN18 | Triplet | N/A | 62.5 | 74.0 | 23.8 | 57.0 | 3.6 |
| CARS | RN18 | Triplet | EST | 30.7 | 41.0 | 5.6 | 31.8 | 7.3 |
| CARS | RN18 | Triplet | ACT | 43.4 | 56.5 | 11.8 | 42.9 | 38.6 |
| Dataset | Model | Loss | Defense | R@1 | R@2 | mAP | NMI | ERS |
|---|---|---|---|---|---|---|---|---|
| SOP | RN18 | Triplet | N/A | 62.9 | 68.5 | 39.2 | 87.4 | 4.0 |
| SOP | RN18 | Triplet | EST | 46.0 | 51.4 | 24.5 | 84.7 | 31.7 |
| SOP | RN18 | Triplet | ACT | 47.5 | 52.6 | 25.5 | 84.9 | 50.8 |
Python library RobRank provides these functionalities: (1) training
classification or ranking (deep metric learning) models, either vanilla
or defensive; (2) perform adversarial attack against the trained models;
(3) perform batched adversarial attack. See below for detailed usage.
You can always specify the GPUs to use by export CUDA_VISIBLE_DEVICES=<GPUs>.
Training deep metric learning model or classification model, either normally or adversarially.
As pytorch-lightning is used by this project, the training process will automatically use DistributedDataParallel when more than one GPU are available.
python3 bin/train.py -C <dataset>:<model>:<loss>where
- dataset (for all available datasets see
robrank/datasets/__init__.py)- mnist, fashion, cub, cars, sop (for deep metric learning)
- mnist, cifar10 (for classification)
- model (for all available models see
robrank/models/__init__.py)- rres18: resnet 18 for deep metric learning (DML)
- rres18d: resnet 18 for DML with EST defense
- rres18p: resnet 18 for DML with ACT defense
- loss (for all available losses see
robrank/losses/__init__.py)- ptripletN: triplet using Normalized Euclidean with SPC-2 batch.
- ce: cross-entropy for classification
For example:
python3 bin/train.py -C mnist:cc2f2:ce --do_test
python3 bin/train.py -C mnist:rc2f2:ptripletN
python3 bin/train.py -C mnist:rc2f2p:ptripletN
python3 bin/train.py -C cub:rres18:ptripletN
python3 bin/train.py -C cub:rres18p:ptripletNTips:
- export
FAISS_CPU=1to disable NMI score calculation on GPU. This could save a little bit of video memory of you encounter CUDA OOM.
Script bin/advrank.py is the entrance for conducting adversarial attacks
against a trained model. For example, to conduct CA (w=1) with several
manually specified PGD parameters, you can do it as follows:
python3 bin/advrank.py -v -A CA:pm=+:W=1:eps=0.30196:alpha=0.011764:pgditer=32 -C <xxx.ckpt>where xxx.ckpt is the path to the trained model (saved as a pytorch-lightning checkpoint).
The arguments specific to adversarial attacks are joined with a colon ":"
in order to avoid lengthy python code based argparse module.
Please browse the bash scripts under the tools/ directory for examples
of other types of attacks discussed in the paper.
Script bin/swipe.py is used for conducting a batch of attacks against a specified
model (pytorch-lightning checkpoint), automatically. And it will save the
output in json format as <model_ckpt>.ckpt.<swipe_profile>.json.
Available swipe_profile includes rob28, rob224 for ERS score;
and pami28, pami224 for CA and QA in various settings. A full list
of possible profiles can be found in robrank/cmdline.py. You can even
customize the code and create your own profile for batched evaluation.
python3 bin/swipe.py -p rob28 -C logs_fashion-rc2f2-ptripletN/.../xxx.ckptCurrently only single-GPU mode is supported. When the batched attack is finished,
the script tools/pjswipe.py can display the content of resulting
json files and calculate the corresponding ERS.
(the following directory tree is manually edited and annotated)
.
├── requirements.txt Python deps (`pip install -r ...txt`)
├── bin/train.py Entrance script for training models.
├── bin/advrank.py Entrance script for adversarial ranking.
├── bin/swipe.py Entrance script for batched attack.
├── robrank RobRank library.
│ ├── attacks Attack Implementations.
│ │ └── advrank*.py Adversarial ranking attack (ECCV'2020).
│ ├── defenses/* Defense Implementations.
│ ├── configs/* Configurations (incl. hyper-parameters).
│ ├── datasets/* Dataset classes.
│ ├── models Models and base classes.
│ │ ├── template_classify.py Base class for classification models.
│ │ ├── template_hybrid.py Base class for Classification+DML models.
│ │ └── template_rank.py Base class for DML/ranking models.
│ ├── losses/* Deep metric learning loss functions.
│ ├── cmdline.py Command line interface implementation.
│ └── utils.py Miscellaneous utilities.
└── tools/* Miscellaneous tools for experiments.
Tested Software:
OS: Debian unstable (May 2021), Ubuntu LTS
Python: 3.8.5 (anaconda)
PyTorch: 1.7.1, 1.8.1
Mainly Tested Hardware:
CPU: Intel Xeon 6226R
GPU: Nvidia RTX3090 (24GB)
With 8 RTX3090 GPUs, most experiments can be finished within 1 day.
With older configurations (such as 4* GTX1080Ti), most experiments can be
finished within 3 days, including adversarial training.
Memory requirement: 12GB video memory is required for adversarial training of RN18, Mnas, and IBN. Additionally, adversarial training of RN50 requires 24GB.
The default data path setting for any dataset can be found in
robrank/configs/configs_dataset.py.
MNIST and Fashion-MNIST are downloaded using torchvision. The helper script
bin/download.py can download and extract the two datasets for you.
CUB-200-2011,
Cars-196, and
Stanford Online Products
can be downloaded from their correspoding websites (and then manually
extracted).
If you found the paper/code useful/inspiring, please consider citing my work:
@misc{robrank,
title={Adversarial Attack and Defense in Deep Ranking},
author={Mo Zhou and Le Wang and Zhenxing Niu and Qilin Zhang and Nanning Zheng and Gang Hua},
year={2021},
eprint={2106.03614},
archivePrefix={arXiv},
primaryClass={cs.CV}
}Bibtex of M. Zhou, et al. "Adversarial Ranking Attack and Defense," ECCV'2020. can be found in the linked page.
Reference Software Projects:
- https://github.com/Confusezius/Deep-Metric-Learning-Baselines
- https://github.com/Confusezius/Revisiting_Deep_Metric_Learning_PyTorch
- https://github.com/idstcv/SoftTriple
- https://github.com/KevinMusgrave/pytorch-metric-learning
- https://github.com/RobustBench/robustbench
- https://github.com/fra31/auto-attack
- https://github.com/KevinMusgrave/powerful-benchmarker
Copyright (C) 2019-2021, Mo Zhou <cdluminate@gmail.com>
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.