This repository includes the official PyTorch implementation of our paper:
@article{wang2022guided,
title={Guided diffusion model for adversarial purification},
author={Wang, Jinyi and Lyu, Zhaoyang and Lin, Dahua and Dai, Bo and Fu, Hongfei},
journal={arXiv preprint arXiv:2205.14969},
year={2022}
}
We propose a method that gives adversarial robustness to a neural network model against (stochastic) adversarial attacks by using a Guided Diffusion Model.
Run the following command to install some necessary Python 3 packages by Anaconda to run our code.
conda env create -f environment.yml
To run the experiments, enter the following command.
python main.py --config <config-file>
Train the Cifar10 classifier on a WideResNet and copy the weights `origin.t7' to
mkdir -p clf_models/run/logs/cifar10
For starting the purification process, execute
python main.py --config default.yml
Download the pretrained weights and copy them to the folder models.
For example, we provide the example configuration file configs/ImageNet_PGD.yml in the repository.
python main.py --config ImageNet_Res50.yml
To run the experiments parallelly, enter the following command.
python parallel_run.py --device 8 --rank 0 --world_size 8 --config ImageNet_Res50.yml
For example, we provide the example configuration file configs/cifar10_bpda_eot_sigma025_eot15.yml in the repository.
For adversarial attacks, the classifier PGD attack and BPDA+EOT attack are implemented in attacks/clf_pgd.py and attacks/bpda_strong.py, respectively. At the configuration file, setting the attack.attack_method into clf_pgd or bpda_strong will run these attacks, respectively.
| File name | Explanation |
|---|---|
main.py |
Execute the main code, with initializing configurations and loggers. |
runners/empirical.py |
Attacks and purifies the image to show empirical adversarial robustness. |
attacks/bpda_strong.py |
Code for BPDA+EOT attack. |
purification/adp.py |
Code for adversarial purification. |
guided_diffusion/* |
Code for DDPM on ImageNet. |
pytorch_diffusion/* |
Code for DDPM on CIFAR-10. |
networks/* |
Code for used classifier network architectures. |
utils/* |
Utility files. |
- For the configuration files, we use the pixel ranges
[0, 255]for the perturbation scaleattack.ptband the one-step attack scaleattack.alpha. And the main experiments are performed within the pixel range[0, 1]after being rescaled during execution. - For training the EBM and classifier models, we primarily used the pre-existing methods such as 256*256_pretrained_diffusion_model and WideResNet classifier. Here is the repository we used for training the WideResNet classifier.
For further details, please contact jinyi.wang@sjtu.edu.cn.
MIT
This implementation is based on / inspired by:
- https://github.com/openai/guided-diffusion (Pytorch DDPM on ImageNet)
- https://github.com/pesser/pytorch_diffusion (PyTorch helper that loads the DDPM model), and
- https://github.com/jmyoon1/adp (code structure and attack algorithms).