This is the source code of PatchCensor. Including the scripts to reproduce the results in the paper.
The code was tested on Python 3.6 and PyTorch 1.4.0. The pre-trained models are obtained from the timm project (https://github.com/rwightman/pytorch-image-models).
The timm package must be installed by:
git clone https://github.com/rwightman/pytorch-image-models.git
pip install -e pytorch-image-modelstrain.py is the script for training/fine-tuning models.
The Minority Report defense requires to train models for different patch sizes.
Example usage:
python train.py --exp-name train_ResNet50_CIFAR10_mask32
--n-gpu 4 --model-arch ResNet50 --dataset CIFAR10
--num-classes 1000 --image-size 224 --mask-size 32
--data-dir /mnt/mydrive/data --output-dir /mnt/mydrive/output/patchcensortest_verified is the script to test the verified detection performance of different models.
Example usage:
python -u test_verified.py --exp-name vit_imagenet_val_mask3_verify \
--model-arch ViT_b16_224 --dataset ImageNet --num-classes 1000 \
--patch-size 16 --mask-size 48 --checkpoint-path /mnt/mydrive/output/patchcensor/save/train_vit_mask_width3/checkpoints/best.pth \
--data-dir /mnt/mydrive/data --output-dir ./output/patchcensorDetailed commands to setup environment and run experiments can be found in test_script.sh.
We refer to PatchGuard for the implementation of PatchGuard and PatchSmoothing for the implementation of (De)Randomized Smoothing for Certifiable Defense against Patch Attacks.