# MOS-Attack: A Scalable Multi-objective Adversarial Attack Framework

Official PyTorch implementation of MOS-Attack, accepted at CVPR 2025.
MOS-Attack is a novel multi-objective adversarial attack framework that effectively combines multiple surrogate loss functions to generate powerful adversarial examples.
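At a high level, each attack iteration evaluates several surrogate losses and follows a combined gradient. The sketch below is a hedged illustration of that idea only: the function name `mos_step`, the top-K selection rule, and the equal-weight combination are our assumptions, not the repo's actual `SetAPGD` implementation (see `core/attacks/set_pgd.py` and the paper for the real algorithm).

```python
import torch

def mos_step(model, x_adv, x_orig, y, losses, K, step_size, eps):
    """One hypothetical multi-objective Linf step combining K surrogate losses."""
    x_adv = x_adv.clone().requires_grad_(True)
    logits = model(x_adv)
    # Evaluate all surrogate losses and (assumption) keep the K largest
    values = torch.stack([loss(logits, y).mean() for loss in losses])
    selected = values.topk(K).indices
    combined = values[selected].sum()          # equal-weight combination (assumption)
    grad, = torch.autograd.grad(combined, x_adv)
    with torch.no_grad():
        x_adv = x_adv + step_size * grad.sign()              # signed-gradient ascent
        x_adv = x_orig + (x_adv - x_orig).clamp(-eps, eps)   # project onto the Linf ball
        return x_adv.clamp(0.0, 1.0)                         # keep a valid image
```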
Requirements:

- Python 3.12 or higher
- CUDA-compatible GPU (recommended)
- uv package manager
```bash
# Install the uv package manager
pip install uv

# Sync dependencies
uv sync

# Build the C extension for the ACG attack
cd ./RUN_ACG/src/utils/cluster_coef_c
..\..\..\..\.venv\Scripts\python.exe setup.py build_ext -i    # Windows
# or
# ../../../../.venv/bin/python3 setup.py build_ext -i         # Linux
```

Run adversarial attacks using YAML configuration files:
```bash
# Run the MOS-8 attack on a single CIFAR-10 model
uv run python run_experiments.py \
    --config configs/cifar10/SetAPGD_n_starts1_K1L8.yaml \
    --model_id Rade2021Helper_R18_extra \
    --K 5

# Run the standard APGD attack with the CrossEntropy loss
uv run python run_experiments.py \
    --config configs/cifar10/APGD_n_restarts1_LossIdx0.yaml \
    --model_id Sehwag2021Proxy
```

More commands: additional experiment commands for batch processing and different attack configurations can be found in the `scripts/cifar10/` and `scripts/imagenet/` directories.
Analyze attack results and identify synergistic loss function patterns:
```bash
# Run the automated analysis to identify optimal loss combinations
uv run python run_analysis.py
```

This script will:

- Load attack trajectories from the `results/` directory
- Apply sparse optimization to identify contributing loss functions (see the sketch below)
- Generate voting statistics for loss function combinations
- Output analysis results to the `ANALYZE/` directory
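The snippet below illustrates the sparse-optimization-plus-voting idea on synthetic data. The data layout, the Lasso regularizer, and the vote threshold are all assumptions made for illustration; `run_analysis.py` is the authoritative implementation.

```python
import numpy as np
from sklearn.linear_model import Lasso

rng = np.random.default_rng(0)
# Hypothetical layout: one row per attacked image, one column per loss function,
# with entries measuring how much each loss advanced the attack.
contributions = rng.normal(size=(200, 8))
# Synthetic target: overall attack progress, driven here by losses 1 and 4.
progress = contributions[:, 1] + contributions[:, 4] + 0.1 * rng.normal(size=200)

# The L1-regularized fit zeroes out non-contributing losses ...
weights = Lasso(alpha=0.05).fit(contributions, progress).coef_
# ... and each nonzero weight counts as a "vote" for that loss.
votes = np.abs(weights) > 1e-6
print("contributing loss indices:", np.nonzero(votes)[0])  # -> [1 4]
```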
```text
code/
├── core/                    # Core attack implementations
│   ├── attacks/             # Attack algorithms (APGD, SetAPGD, etc.)
│   │   ├── apgd.py          # Standard APGD implementation
│   │   ├── set_pgd.py       # MOS multi-objective attack
│   │   └── ...              # Other attack variants
│   ├── loss_funcs/          # Loss function implementations
│   │   ├── DLR.py           # Difference of Logits Ratio
│   │   ├── Marginal.py      # Margin-based loss
│   │   ├── Loss_1.py ... Loss_4.py   # Additional loss functions
│   │   └── ...              # Other loss implementations
│   └── data/                # Data utilities
│
├── configs/                 # YAML configuration files
│   ├── cifar10/             # CIFAR-10 attack configs
│   └── imagenet/            # ImageNet attack configs
│
├── scripts/                 # Batch execution scripts
│   ├── cifar10/             # CIFAR-10 experiment scripts
│   └── imagenet/            # ImageNet experiment scripts
│
├── datasets/                # Dataset storage
│   ├── cifar10/             # CIFAR-10 data (auto-downloadable via torchvision)
│   └── imagenet/            # ImageNet data (see Dataset Preparation section below)
│
├── models/                  # Pretrained robust models (auto-downloaded via RobustBench)
│   ├── cifar10/             # CIFAR-10 robust models
│   └── imagenet/            # ImageNet robust models
│
├── RUN_ACG/                 # Auto-Conjugate Gradient attack subproject (adapted from the original ACG repo)
│   ├── src/                 # ACG source code
│   ├── res/                 # ACG results
│   └── running_sh/          # ACG execution scripts
│
├── run_experiments.py       # Main experiment runner
├── run_analysis.py          # Post-experiment analysis
├── run_attack.py            # Direct attack interface
├── prepare_imagenet.py      # ImageNet dataset preparation script
├── pyproject.toml           # Project dependencies
├── uv.lock                  # Dependency lock file
│
├── storage/                 # Intermediate storage
├── results/                 # Attack results (generated)
└── ANALYZE/                 # Analysis outputs (generated)
```
The CIFAR-10 dataset is downloaded automatically via `torchvision.datasets.CIFAR10` to `./datasets/cifar10/` the first time you run experiments; no manual preparation is needed.
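For reference, here is a minimal sketch of the underlying download call; the exact split and transforms used by the experiment runner may differ:

```python
from torchvision import datasets, transforms

# The first call downloads the archive into ./datasets/cifar10/ if it is missing
cifar10 = datasets.CIFAR10(
    root="./datasets/cifar10",
    train=False,                       # assumption: attacks use the test split
    download=True,
    transform=transforms.ToTensor(),
)
print(len(cifar10))  # 10000 test images
```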
The ImageNet validation set requires manual download and preparation. The dataset must be organized in PyTorch ImageFolder format with 1,000 class folders.
If you already have ImageNet organized in ImageFolder format (1,000 class folders named n01440764, n01443537, etc.), simply place them in:
```text
datasets/imagenet/
├── n01440764/ (50 JPEG files)
├── n01443537/ (50 JPEG files)
├── ...
└── (1,000 class folders total)
```
Skip to the Verification section below.
If you have the original ImageNet validation tar files, follow these steps:
Step 1: Download Required Files
Download from the official ImageNet website:
- ILSVRC2012_img_val.tar (~6.3 GB) - Validation images
- ILSVRC2012_devkit_t12.tar.gz (~2.5 MB) - Development kit with metadata
Note: you need to register an account on the ImageNet website and accept the terms of use.
Step 2: Extract Files
```bash
# Create a temporary extraction directory
mkdir -p datasets/imagenet_temp
cd datasets/imagenet_temp

# Extract the validation images (50,000 JPEG files)
mkdir val
tar -xf ILSVRC2012_img_val.tar -C val/

# Extract the development kit
tar -xzf ILSVRC2012_devkit_t12.tar.gz

# The directory structure should now be:
# datasets/imagenet_temp/
# ├── val/ (50,000 JPEG files)
# └── ILSVRC2012_devkit_t12/
#     └── data/
#         ├── meta.mat
#         └── ILSVRC2012_validation_ground_truth.txt
```

Step 3: Organize into PyTorch ImageFolder Format
```bash
# From the code/ root directory
uv run python prepare_imagenet.py
```

This script will:

- Read class metadata from `datasets/imagenet_temp/ILSVRC2012_devkit_t12/data/meta.mat`
- Read the ground-truth labels for the validation set
- Organize the 50,000 validation images into 1,000 class folders
- Output to `datasets/imagenet/` in PyTorch ImageFolder format (a sketch of this logic follows the list)
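The sketch below shows one standard way to implement this mapping from the devkit metadata. It is a hedged reconstruction, not a copy of `prepare_imagenet.py`:

```python
import os
import shutil
from scipy.io import loadmat

temp, out = "datasets/imagenet_temp", "datasets/imagenet"
devkit = os.path.join(temp, "ILSVRC2012_devkit_t12", "data")

# meta.mat maps ILSVRC2012 class IDs (1..1000) to WordNet synset IDs (n########)
synsets = loadmat(os.path.join(devkit, "meta.mat"), squeeze_me=True)["synsets"]
id_to_wnid = {int(s["ILSVRC2012_ID"]): str(s["WNID"]) for s in synsets[:1000]}

# The ground-truth file holds one class ID per line, in validation-image order
with open(os.path.join(devkit, "ILSVRC2012_validation_ground_truth.txt")) as f:
    labels = [int(line) for line in f]

for i, label in enumerate(labels, start=1):
    class_dir = os.path.join(out, id_to_wnid[label])
    os.makedirs(class_dir, exist_ok=True)
    name = f"ILSVRC2012_val_{i:08d}.JPEG"
    shutil.move(os.path.join(temp, "val", name), os.path.join(class_dir, name))
```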
Step 4: Clean Up (Optional)
After successful preparation, you can delete the temporary directory:
```bash
rm -rf datasets/imagenet_temp
```

Expected final structure:
```text
datasets/imagenet/
├── n01440764/ (tench)
│ ├── ILSVRC2012_val_00000293.JPEG
│ ├── ILSVRC2012_val_00002138.JPEG
│ └── ... (~50 images per class)
├── n01443537/ (goldfish)
│ ├── ILSVRC2012_val_00000022.JPEG
│ └── ...
└── ... (1,000 class folders total)
```
After preparation, verify the dataset is ready:
```bash
# Check the number of class folders (should be 1,000)
ls datasets/imagenet/ | grep "^n" | wc -l

# Check the total number of images (should be 50,000)
find datasets/imagenet/ -maxdepth 2 -name "*.JPEG" | wc -l

# Inspect a sample class folder
ls datasets/imagenet/n01440764/ | head -5
```
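The same check can be done in Python with torchvision's `ImageFolder` loader (a quick sanity sketch):

```python
from torchvision import datasets

# ImageFolder treats each subdirectory as one class
ds = datasets.ImageFolder("datasets/imagenet")
print(len(ds.classes), len(ds.samples))  # expect: 1000 50000
```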
Attack parameters are specified in flat YAML configuration files. Example:

```yaml
# configs/cifar10/SetAPGD_n_starts1_K1L8.yaml
# Dataset settings
dataset: "cifar10"
batch_size: 20
# Model settings (can be overridden by --model_id)
model_id: "Rade2021Helper_R18_extra"
model_threat_model: "Linf"
# Attack settings
use_atk: "SetAPGD"
atk_type: "Linf"
atk_eps: 0.031372549 # 8/255
atk_steps: 50
n_restarts: 1
# Loss function settings
loss_num: 8 # Total number of loss functions
K: 1 # Number of loss functions to select per iteration
# APGD specific
apgd_loss_idx: 0
# Logging
setpgd_loss_log: True
results_dir: "results"
# Hardware
use_cuda: True
```
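A hedged sketch of how such a flat config might be loaded and overridden from the command line; the argument names mirror the usage shown above, but the actual loader lives in `run_experiments.py` and may differ:

```python
import argparse
import yaml

parser = argparse.ArgumentParser()
parser.add_argument("--config", required=True)
parser.add_argument("--model_id", default=None)
parser.add_argument("--K", type=int, default=None)
args = parser.parse_args()

with open(args.config) as f:
    cfg = yaml.safe_load(f)  # flat dict: {"dataset": "cifar10", "K": 1, ...}

# CLI flags take precedence over the YAML values
for key in ("model_id", "K"):
    if getattr(args, key) is not None:
        cfg[key] = getattr(args, key)
```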
Supported attack methods:

| Method | Description | Config Prefix |
|---|---|---|
| SetAPGD | MOS multi-objective attack | `SetAPGD_*` |
| APGD | Standard APGD baseline | `APGD_*` |
| ACG | Auto-Conjugate Gradient | `ACG_*` |
The framework includes 8 diverse loss functions; two of them are sketched in code after this list:
- CrossEntropy (CE): Standard classification loss
- DLR (Difference of Logits Ratio): Margin-based loss
- Margin Loss: Direct logit difference
- CW Loss: Carlini-Wagner style loss
- Smooth Loss: Softmax-based smooth approximation
- LogitDiff: Simplified logit difference
- Targeted Loss: For targeted attacks
- Ensemble Loss: Combined loss variants
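As a reference for two of these, the sketch below follows the standard Margin and DLR definitions from the APGD literature (Croce & Hein, 2020); the repo's versions in `core/loss_funcs/` may differ in detail:

```python
import torch

def margin_loss(logits: torch.Tensor, y: torch.Tensor) -> torch.Tensor:
    """max_{i != y} z_i - z_y: positive once the input is misclassified."""
    z_y = logits.gather(1, y.unsqueeze(1)).squeeze(1)
    others = logits.clone()
    others.scatter_(1, y.unsqueeze(1), float("-inf"))  # mask out the true class
    return others.max(dim=1).values - z_y

def dlr_loss(logits: torch.Tensor, y: torch.Tensor) -> torch.Tensor:
    """Difference of Logits Ratio: the margin normalized by z_pi1 - z_pi3."""
    z_sorted, _ = logits.sort(dim=1, descending=True)
    z_y = logits.gather(1, y.unsqueeze(1)).squeeze(1)
    others = logits.clone()
    others.scatter_(1, y.unsqueeze(1), float("-inf"))
    margin = z_y - others.max(dim=1).values
    return -margin / (z_sorted[:, 0] - z_sorted[:, 2] + 1e-12)
```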
To reproduce the main results from our CVPR 2025 paper:
- Run attacks: use the commands in `scripts/cifar10/` or `scripts/imagenet/` to run the MOS-8, APGD, and ACG attacks on the robust models
- Analyze results: after the attacks complete, run `uv run python run_analysis.py` to identify optimal loss function combinations
- Compare K values: experiment with different K values (1, 3, 5) via the `--K` parameter of `run_experiments.py`
Example for comparing different K values:
```bash
# Compare different K values for the MOS attack
uv run python run_experiments.py --config configs/cifar10/SetAPGD_n_starts1_K1L8.yaml --model_id YOUR_MODEL --K 1
uv run python run_experiments.py --config configs/cifar10/SetAPGD_n_starts1_K1L8.yaml --model_id YOUR_MODEL --K 3
uv run python run_experiments.py --config configs/cifar10/SetAPGD_n_starts1_K1L8.yaml --model_id YOUR_MODEL --K 5
```

You can create custom YAML configuration files in `configs/` to experiment with different attack parameters, and run them with `run_experiments.py`.
If you find MOS-Attack useful in your research, please cite our paper:
```bibtex
@INPROCEEDINGS{11094834,
  author    = {Guo, Ping and Gong, Cheng and Lin, Xi and Liu, Fei and Lu, Zhichao and Zhang, Qingfu and Wang, Zhenkun},
  booktitle = {2025 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR)},
  title     = {{MOS-Attack: A Scalable Multi-Objective Adversarial Attack Framework}},
  year      = {2025},
  pages     = {5041-5051},
  doi       = {10.1109/CVPR52734.2025.00475},
  url       = {https://doi.ieeecomputersociety.org/10.1109/CVPR52734.2025.00475},
  publisher = {IEEE Computer Society},
  address   = {Los Alamitos, CA, USA},
  month     = jun
}
```
- Ping Guo - City University of Hong Kong
- Cheng Gong - City University of Hong Kong
- Xi Lin - City University of Hong Kong
- Fei Liu - City University of Hong Kong
- Zhichao Lu - City University of Hong Kong
- Qingfu Zhang - City University of Hong Kong (Corresponding: [email protected])
- Zhenkun Wang - Southern University of Science and Technology
This work was supported by:
- Research Grants Council of the Hong Kong SAR, China [GRF Project No. CityU11215622, CityU11212524]
- Key Basic Research Foundation of Shenzhen, China (JCYJ20220818100005011)
We thank the RobustBench team for providing standardized robust model evaluation infrastructure.
This project is licensed under the MIT License - see the LICENSE file for details.
- Paper: ArXiv, CVF
- RobustBench: https://robustbench.github.io/
- Original ACG Repo: https://github.com/yamamura-k/ACG
For questions and feedback:
- Email: [email protected]
- Issues: GitHub Issues
⭐ If you find this work helpful, please consider giving it a star! ⭐