Fall 2020 CS498DL

Extra Credit: Adversarial Attacks

Due date: Wednesday, December 9th, 11:59:59PM

Credit: Junting Wang, Jeffrey Zhang

In this assignment you will implement different adversarial attacks and defenses. To start out, we strongly encourage you to implement the Fast Gradient Sign Method (FGSM) described in lecture. We recommend going through the PyTorch tutorial for fast gradient sign. You may implement anything else for more extra credit as well.

Fast Gradient Sign Method (up to 15 pts)

We want you to run FGSM on ImageNet. Rather than performing your attacks on the full ImageNet dataset, which is >10G of data, we recommend running on Imagenette, which is a small subset of ImageNet that contains only 10 classes. The description of the dataset can be found here. You can use any of the pretrained models as the model under attack. The pretrained models are trained on the whole ImageNet dataset, which has 1000 labels. To attack specific labels in those models, just select the outputs corresponding to the classes that appear in Imagenette. You may find this helpful for selecting these classes.

Feel free to use the PyTorch tutorial code to get started. What you submit for your report is up to you, but the more explanations, experiments, visualizations, and analysis you provide, the more extra credit you will receive!
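The class-selection step described above, as an added sketch that is not part of the course materials or the PyTorch tutorial: the loss is computed only over the outputs of the classes present in the smaller dataset, and the FGSM step follows the sign of its input gradient. The linear model `W`, the index list `SUBSET`, and the sample input are constructed stand-ins (assumptions); with a real pretrained model you would slice its 1000-way output with the Imagenette class indices instead.

```python
import math

# Constructed stand-in for a pretrained classifier: a linear model with 6
# outputs and 4 input features (a real ImageNet model has 1000 outputs).
W = [[0.9, -0.2, 0.1, 0.4], [-0.3, 0.8, 0.2, -0.1], [0.2, 0.1, 0.7, -0.5],
     [0.5, -0.6, 0.3, 0.2], [-0.4, 0.3, -0.2, 0.9], [0.1, 0.4, -0.7, 0.3]]
# Hypothetical: full-model indices of the classes that exist in the small dataset.
SUBSET = [0, 2, 4]

def subset_logits(x):
    """Full-model logits restricted to the SUBSET classes, in SUBSET order."""
    return [sum(w * xi for w, xi in zip(W[c], x)) for c in SUBSET]

def softmax(z):
    m = max(z)  # subtract the max for numerical stability
    e = [math.exp(v - m) for v in z]
    return [v / sum(e) for v in e]

def predict(x):
    """Predicted label as a position in SUBSET (0 .. len(SUBSET) - 1)."""
    z = subset_logits(x)
    return max(range(len(z)), key=z.__getitem__)

def loss_grad(x, label):
    """Gradient of cross-entropy over the sliced logits with respect to x."""
    p = softmax(subset_logits(x))
    # d(loss)/d(z_k) = p_k - 1[k == label], chained through z = W[SUBSET] @ x
    return [sum((p[k] - (k == label)) * W[c][j] for k, c in enumerate(SUBSET))
            for j in range(len(x))]

def fgsm(x, label, eps):
    """x' = clip(x + eps * sign(grad), 0, 1), so |x' - x| <= eps per feature."""
    sign = [(g > 0) - (g < 0) for g in loss_grad(x, label)]
    return [min(1.0, max(0.0, xi + eps * s)) for xi, s in zip(x, sign)]

if __name__ == "__main__":
    x, y = [0.6, 0.5, 0.5, 0.4], 0  # constructed sample; label is a SUBSET position
    for eps in (0.0, 0.05, 0.2):
        print(eps, predict(fgsm(x, y, eps)) == y)
```

Sweeping `eps` this way over a held-out set gives the accuracy-versus-perturbation curve commonly reported when evaluating a model's robustness.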

Anything Else (up to 15 more pts)

You may implement anything else you want. Here we provide some suggestions:


  1. Iterative gradient sign
  2. Least likely class
  3. Some source/target misclassification method (maximizing response for a specific target class)
  4. Any other adversarial methods

Defenses against your own implemented adversarial attacks

  1. SafetyNet
  2. Robust architectures (feature denoising)
  3. Preprocessing inputs (Input transformations)
  4. Any other defenses

Surprise us with anything else!

  1. Study the transferability of methods between models
  2. Applying adversarial attacks to different problems (object detection, segmentation, image captioning, etc.)
  3. Implementing/running other adversarial methods

How you choose to show your work is up to you! Just be thorough with explanations and visualizations and we will be lenient with grading.

Submission Instructions

  1. All of your code (Python files and any ipynb files) submitted in a single ZIP file. The filename should be netid1_netid2_ec_code.zip.
  2. A brief report in PDF format (no template, submit your results however you like). The filename you submit should be netid1_netid2_ec_report.pdf.

Please refer to course policies on collaborations, late submission, and extension requests.