White-box Adversarial Attack challenge

Introduction

This is an in-class competition for the course COMP737022 Trustworthy Machine Learning. The aim is to develop both effective and efficient white-box adversarial attacks against Deep Neural Networks (DNNs) based image classifiers.

Do not participate if you are not enrolled in COMP737022.

Key Dates

Phase 1 Starts: 2023-10-01 00:00:00 (Beijing Time)

Phase 1 Ends: 2023-10-30 23:59:00 (Beijing Time)

Phase 2 (Final Result Release): 2023-11-01 23:59:59 (Beijing Time)

Dataset and Target Models

Dataset:  CIFAR-10 

Target Model: 

- WRN-34-10-SAT (adversarially trained using Standard Adversarial Training by Madry et al.)

- 3 hidden models (also adversarially trained)

The 2-Stage Competition (Students only need to participate the first stage)

Phase 1:

• We will use all images from the CIFAI-10 test set and 1 robustly trained DNN (WRN-34-10-SAT) to evaluate the submitted attack method.
• The total number of attack steps is limited to 100 for each sample or total 100*1000 steps (see evaluation).
• Your algorithm should finish within 10 minutes during this stage. The time constraint is measured by the server. For reference, 10 steps PGD attack (PGD-10) finishes in 1 minute. 
• Select the submission you want to use for final evaluation before the deadline, and submit it to the leaderboard.
• Your participation ends at this stage.

Phase 2 (Final Evaluation)

• We will use all CIFAR-10 test set images used in phase 1 to evaluate the submitted attack method.
• We will evaluate the attacking method against three more adversarially trained models at this stage.
• The attacking method you submitted in phase 1 will be directly transferred to this stage.
• Select your submission in Phase 1!

Submission Format

• The submission (*.zip) should contain 2 files (my_adv_attack.py, metadata). You may add helper files if needed.
• The my_adv_attack.py should have a class named as MyAdvAttack(), with __init__(self, model, eps=0.031) function. The arguments will be replaced during testing.
• You can have white-box access to the weights of the model. You can assume the model will not use gradient masking.
• MyAdvAttack() should also contain a function perturb(self, images, labels), images are input x, and labels are the ground truth, both as Tensor. Your submission should generate and output adversarial examples using images and labels for the model initialized in MyAdvAttack under the L_inf norm of eps.
• The model will have 2 functions that you can perform forward pass. forward(x) will return the output of the logits layer (prior to softmax), forward_features(x) will return features from intermediate layers in a list and the logits (Tensor) as tuple ([Tensor], Tensor). The features are sequentially constructed from shallow to deeper layers.
• Implement your attack in the perturb function. Feels free add other helper functions.
• See starting_kit for more details.
• The server runs with PyTorch1.9.0, Python3.7, CUDA-10.2.