This is the unofficial repository of Fudan University's class Artificial Intelligence Security
The whole project is heavily based on pytorch_image_classification, but due to the original codes only support those well-known open-source datasets, which called via the torch.dataset function, and didn't update the repository anymore. So at the beginning, I tried to implement new dataset class which is abel to train self-made dataset and is based on csv file. At that time I didn't know anythings about torchvision.datasets.ImageFolder,so in the following update it's used in the training of MSTAR dataset, which is a standard Synthetic Aperture Radar(SAR) dataset. More detailed information is recorded in self_made_train markdown file.
As for the model weights, resnet110 with MNIST is available. For 3-category weight, path is ./experiments/mnist/resnet/exp00/checkpoint_00160.pth
; for 10-category weight, path is ./experiments/mnist/resnet/exp06/checkpoint_00160.pth
; for badnet weight path, it exists in ./experiments/mnist/resnet/badnet04/checkpoint_00012.pth
. However, I trained resnext model on MSTAR dataset, which is too big to upload the model weight. Therefore, if you need the weight file, please let me know and I will provide Baidu Netdisk or Google Drive for you.
The CW algorithm is completely reproduced in this project, the corresponding result is in attack.ipynb
. And the implementation of torch-attack's CW is also in the file.
For poison task, I selected FCA method and thoroughly reproduced it, which is available at poison.ipynb
and fca_poison_test.py
.
For this task, according to the paper there's no complex algorithm or architecture. All I did is select a small image as the icon to fine-tuning a resnet model to combine the icon with the specific category. The fine-tuning process and corresponding result is in badnet.ipynb
.
DeepSigns method need retrain the model and need an isolate project matrix to extract the watermark information in target feature layer, whose path is ./watermark/projection_matrix.npy
,and the complete code is in watermark.ipynb
.
Deep Leakage From Gradients is a classical white-box data theft method. However, it's a great pity that I didn't finish it on this framework, instead, a very simple network is created to reproduce the algorithm. You can check the content in DLG.ipynb
. I will also port this to the native model later, just keep looking forward.
If you have any problem or suggestion, feel free to get in touch with me!!