REAP: A Large-Scale Realistic Adversarial Patch Benchmark

Nabeel Hingun* (UC Berkeley), Chawin Sitawarin* (UC Berkeley), Jerry Li (Microsoft), David Wagner (UC Berkeley)

Abstract

Machine learning models are known to be susceptible to adversarial perturbation. One famous attack is the adversarial patch, a sticker with a particularly crafted pattern that makes the model incorrectly predict the object it is placed on. This attack presents a critical threat to cyber-physical systems that rely on cameras such as autonomous cars. Despite the significance of the problem, conducting research in this setting has been difficult; evaluating attacks and defenses in the real world is exceptionally costly while synthetic data are unrealistic. In this work, we propose the REAP (REalistic Adversarial Patch) benchmark, a digital benchmark that allows the user to evaluate patch attacks on real images, and under real-world conditions. Built on top of the Mapillary Vistas dataset, our benchmark contains over 14,000 traffic signs. Each sign is augmented with a pair of geometric and lighting transformations, which can be used to apply a digitally generated patch realistically onto the sign. Using our benchmark, we perform the first large-scale assessments of adversarial patch attacks under realistic conditions. Our experiments suggest that adversarial patch attacks may present a smaller threat than previously believed and that the success rate of an attack on simpler digital simulations is not predictive of its actual effectiveness in practice.

TODO: Sample images

Package Dependencies

Tested with

• python >= 3.8.
• cuda >= 11.2.
• kornia >= 0.6.9.
• See requirements.txt for all packages' version.

We recommend creating a new python environment because kornia and detectron2 seem to often mess up dependencies and result in a segmentation fault.

# Install from requirements.txt file OR
pip install -r requirements.txt

# Install packages with their latest version manually, e.g.,
pip install torch torchvision torchaudio --extra-index-url https://download.pytorch.org/whl/cu116
pip install scipy pandas scikit-learn pip seaborn
pip install timm kornia opencv-python albumentations

# Detectron2 has to be installed afterward
pip install 'git+https://github.com/facebookresearch/detectron2.git'

# Install mish_cuda for DarkNet backbone of YOLO (optional). If you have
# trouble installing mish_cuda, you can rename _mish_cuda.py to mish_cuda.py to
# silence some warning from YOLOv7.
git clone https://github.com/thomasbrandon/mish-cuda
cd mish-cuda
# Uncomment this if see "fatal error: CUDAApplyUtils.cuh: No such file or directory"
# mv external/CUDAApplyUtils.cuh csrc/
python setup.py build install

# Install detrex (required for DINO)
git clone https://github.com/IDEA-Research/detrex.git
cd detrex
git submodule init
git submodule update
python -m pip install -e detectron2
pip install -e .

# Install yolof (required for YOLOF)
git clone https://github.com/chensnathan/YOLOF.git
cd YOLOF
python setup.py develop

# Install YOLOv7 (required Detectron2)
git clone https://github.com/jinfagang/yolov7_d2
cd yolov7_d2
pip install -e .
pip install alfred-py

• If there is any problem with detectron2 installation (e.g., CUDA or pytorch version mismatch), see this documentation.

Dataset Preparation

MTSD

• MTSD is used for training the traffic sign detection models and the classifier used to create REAP.
• Have not found a way to automatically download the dataset.
• prep_mtsd_for_yolo.py: Prepare MTSD dataset for YOLOv5.
• YOLO expects samples and labels in BASE_DIR/images/ and BASE_DIR/labels/, respectively. See link for more detail.
• Training set: MTSD training. Symlink to ~/data/yolo_data/(images or labels)/train.
• Validation set: MTSD validation Symlink to ~/data/yolo_data/(images or labels)/val.
• If you run into Argument list too long error, try to raise limit of argument stack size by ulimit -S -s 100000000. link

# Prepare MTSD dataset
# Dataset should be extracted to ~/data/mtsd_v2_fully_annotated
python scripts_train_detector/prep_mtsd_for_yolo.py
python prep_mtsd_for_detectron.py
# FIXME: change yolo_data
LABEL_NAME=labels_no_color
cd ~/data/ && mkdir yolo_data && mkdir yolo_data/images yolo_data/labels

cd ~/data/yolo_data/images/
ln -s ~/data/mtsd_v2_fully_annotated/images/train train
ln -s ~/data/mtsd_v2_fully_annotated/images/val val
cd ~/data/yolo_data/labels/
ln -s ~/data/mtsd_v2_fully_annotated/$LABEL_NAME/train train
ln -s ~/data/mtsd_v2_fully_annotated/$LABEL_NAME/val val

Mapillary Vistas

• prep_mapillary.py: Prepare Vistas dataset for YOLOv5 using a pre-trained classifier to determine classes of the signs. May require substantial memory to run. Insufficient memory can lead to the script getting killed with no error message.

The original dataset should have the following structure:

mapillary_vistas/
|-- testing
|   `-- images
|-- training
|   |-- images
|   |-- masks
|   `-- v2.0
|       |-- instances
|       |-- labels
|       |-- panoptic
|       `-- polygons
`-- validation
    |-- images
    |-- masks
    `-- v2.0
        |-- instances
        |-- labels
        |-- panoptic
        `-- polygons

After running all the preparation scripts, the dataset should have the following structure:

mapillary_vistas/
|-- no_color
|   `-- combined
|       |-- images
|       `-- labels
|-- testing
|   `-- images
|-- training
|   |-- images
|   |-- labels_no_color
|   |-- masks
|   `-- v2.0
|       |-- instances
|       |-- labels
|       |-- panoptic
|       `-- polygons
`-- validation
    |-- images
    |-- labels_no_color
    |-- masks
    `-- v2.0
        |-- instances
        |-- labels
        |-- panoptic
        `-- polygons

MODIFIER="no_color"

# Dataset should be extracted to ~/data/mapillary_vistas (use symlink if needed)
python prep_mapillary.py --split train --resume PATH_TO_CLASSIFIER
python prep_mapillary.py --split val --resume PATH_TO_CLASSIFIER

# Combined train and val partition into "combined"
BASE_DIR=~/data/mapillary_vistas
cd $BASE_DIR && mkdir $MODIFIER && cd $MODIFIER
mkdir combined && cd combined && mkdir images labels
ln -s $BASE_DIR/training/images/* images/
ln -s $BASE_DIR/validation/images/* images/
ln -s $BASE_DIR/training/labels_$MODIFIER/* labels/
ln -s $BASE_DIR/validation/labels_$MODIFIER/* labels/

Usage

Examples

• scripts/example_train.sh: Example training script including both normal and adversarial training.
• scripts/example_eval.sh: Example evaluation script including with and without adversarial patches (per-class, per-instance).

cp scripts/example_eval.sh my_eval_script.sh
# Make changes to my_eval_script.sh as needed
vi my_eval_script.sh
...
# Run script
bash my_eval_script.sh

Use REAP benchmark for evaluation

• reap_annotations.csv is the REAP annotation file.
• configs contains attack config files and detectron (Faster R-CNN) config files.

• To run on annotated signs only (consistent with results in the paper), use flag --annotated-signs-only. For Detectron2, the dataset cache has to be deleted before this option to really take effect.

Recreate REAP from Mapillary Vistas and MTSD

Coming soon!

• mtsd_label_metadata.csv is a mapping between the original MTSD classes to classes in REAP. It contains shapes and sizes for each MTSD class.

Computing Relighting Params

Realism Test. Run script to test out different relighting methods on the printed signs and patches.

python run_realism_test.py

After deciding on the relighting method, set variables in gen_relight_coeffs_main.py and run the script to generate the relighting coeffs for this method and then write to reap_annotations.csv.

# Script for running gen_relight_coeffs_main.py
bash scripts/gen_relight_coeffs.sh

TODOs

• NewDataset: Changes required to make an addition of new dataset possible.
• AnnoObj: Changes from keeping annotation in pd.DataFrame to a new object.
• YOLO: Implement new changes to YOLO code.
• enhancement: Minor documentation or readability improvement.
  • Change interpolation (interp) type to Enum instead of str.
• feature: New features that would benefit future attack and defense experiments.

There are signs that may appear in an image but do not have an annotation. There are multiple reasons this happens:

1. The sign do not belong to one of the 11 non-background classes. Most of the signs fall into this category, but there could be some that result from a mistake made by the classifier we trained.
2. The sign is not labeled in the Mapillary Vistas dataset. If the sign is not labeled, our annotation script will not even know it exists.
3. The sign is too small, and so it are filtered out before our annotation process since its transformation parameters would be unreliable. This type of signs likely has to be manually annotated with extra care.

All of these can be fixed by adding or modifying an entry in reap_annotations.csv, but case 2 also requires adding the missing segmentation label to Mapillary Vistas labels.

File Structure

• scripts: Example scripts for running experiments.
• scripts_gen_reap: Scripts for generating REAP dataset. Most are deprecated and only kept for reference.
  • collect_traffic_signs.py: Crops and saves traffic signs from each dataset for classification tasks.
  • prep_mtsd_for_classification.py: Prepare MTSD dataset training a classifier to get pseudo-labels on Mapillary Vistas.
  • prep_mapillary.py: Prepare Mapillary Vistas dataset for the original REAP benchmark (color, no_color versions).
  • prep_mapillary_100.py: Prepare 100-class Mapillary Vistas dataset (REAP-100) based on the original color/no_color version.

License

Our benchmark is based on the Mapillary Vistas dataset which uses Attribution-NonCommercial-ShareAlike 4.0 International (CC BY-NC-SA 4.0) license. So it also shares the same license. Please see the LICENSE file or this link.

This software and/or data was deposited in the BAIR Open Research Commons repository on Feb 28, 2023.

Contact

If you have any question or suggestion, please feel free to open an issue on this repository or directly contact Chawin Sitawarin (chawins AT berkeley DOT edu) or Nabeel Hingun (nabeel126 AT berkeley DOT edu).