Adversarial Attack on CIFAR-10 Using FGSM and Ensemble Methods
# Project Overview
## Attack Objective
- **Non-targeted attack on CIFAR-10 images.**
## Attack Constraint
- The adversarial perturbations are bounded by an L-infinity norm with ε fixed at 8.
## Methodologies Implemented
### FGSM (Fast Gradient Sign Method)
- A baseline single-step attack that perturbs the image once in the direction of the gradient sign.
- Benchmark: after the FGSM attack, the proxy network's accuracy drops to ~59%.
### Iterative-FGSM
- An extension of FGSM that applies the perturbation iteratively to refine adversarial examples.
### Ensemble Attack (Iterative-FGSM on multiple models)
- Attacks are performed simultaneously on a set of proxy models (chosen from pre-trained models available in pytorchcv) to create more transferable adversarial examples.
### Attack Schema
- A black-box attack is performed by crafting adversarial examples on a proxy network and transferring them to the target model, whose gradients are not used.
## Dataset
### CIFAR-10
- **Classes:** 10 classes (airplane, automobile, bird, cat, deer, dog, frog, horse, ship, truck).
- **Image Details:** Each image is 32x32 RGB.
- **Evaluation:** A subset of 20 images per class is used for evaluation.
## Implementation Details
### Non-Targeted FGSM
- Implemented from scratch.
- Uses the gradient sign of the loss with respect to the input image to perturb each pixel.
- Benchmark results indicate a reduction in model accuracy to around 59%.
### Iterative-FGSM
- Repeatedly applies FGSM with small step sizes to generate stronger adversarial examples.
### Ensemble Attack
- Uses a group of proxy models to compute a combined gradient for the attack.
- The attack is applied on multiple pre-trained models (from pytorchcv) simultaneously, increasing transferability of adversarial samples.
### Performance Evaluation
- The final evaluation metric is the accuracy of the pre-trained models after the attack; lower accuracy indicates a stronger attack.
- Adversarial samples generated by each method are compressed into separate `.tgz` files for submission.
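As an added illustration (not code from the notebook above), the three methods in this section and the accuracy-drop metric in pure Python on a constructed two-feature linear model standing in for the pytorchcv proxy networks; the ε=8 budget is taken in 0..255 pixel units and enforced by projection. Used this way, the routine is a robustness check: it reports how far accuracy falls under a bounded perturbation.

```python
import math

# Constructed toy stand-ins for the page's pytorchcv proxy networks: two
# linear 2-feature, 2-class classifiers, logits = W x + b, pixels on 0..255.
MODEL_A = ([[0.02, -0.02], [-0.02, 0.02]], [0.0, 0.0])
MODEL_B = ([[0.03, -0.01], [-0.01, 0.03]], [0.0, 0.0])
EPS = 8.0  # the page's L-infinity budget, assumed here in 0..255 pixel units

def logits(model, x):
    W, b = model
    return [sum(w * xi for w, xi in zip(row, x)) + bi for row, bi in zip(W, b)]
def softmax(z):
    m = max(z)
    e = [math.exp(v - m) for v in z]
    return [v / sum(e) for v in e]
def predict(model, x):
    z = logits(model, x)
    return max(range(len(z)), key=z.__getitem__)

def input_gradient(model, x, label):
    """d(cross-entropy)/dx for a linear model: sum_k (p_k - y_k) * W[k]."""
    W, _ = model
    p = softmax(logits(model, x))
    grad = [0.0] * len(x)
    for k, row in enumerate(W):
        coeff = p[k] - (1.0 if k == label else 0.0)
        for i, w in enumerate(row):
            grad[i] += coeff * w
    return grad
def sign(v):
    return 1.0 if v > 0 else -1.0 if v < 0 else 0.0
def project(x_adv, x, eps):
    """Clip back into the eps-ball around x and into the valid pixel range."""
    return [min(max(a, xi - eps, 0.0), xi + eps, 255.0) for a, xi in zip(x_adv, x)]

def ensemble_ifgsm(models, x, label, eps=EPS, alpha=2.0, steps=10):
    """Iterative FGSM on the gradient averaged over the proxy models.
    With one model, steps=1 and alpha=eps this is plain single-step FGSM."""
    x_adv = list(x)
    for _ in range(steps):
        grads = [input_gradient(m, x_adv, label) for m in models]
        avg = [sum(g[i] for g in grads) / len(grads) for i in range(len(x))]
        x_adv = project([a + alpha * sign(g) for a, g in zip(x_adv, avg)], x, eps)
    return x_adv
def fgsm(model, x, label, eps=EPS):
    return ensemble_ifgsm([model], x, label, eps=eps, alpha=eps, steps=1)
def accuracy(model, xs, labels):
    """The page's metric: accuracy after the attack, lower means a stronger attack."""
    return sum(predict(model, x) == y for x, y in zip(xs, labels)) / len(xs)
```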
## Files Included
### Notebooks and Code
- `week12_DL_Assignment (1).ipynb` – Jupyter Notebook containing the implementation of the adversarial attack methods.
### Adversarial Image Archives
- `fgsm.tgz` – Archive of adversarial images generated using FGSM.
- `ifgsm.tgz` – Archive of adversarial images generated using Iterative-FGSM.
- `ensemble_ifgsm.tgz` – Archive of adversarial images generated using the Ensemble Iterative-FGSM attack.
### Dataset
- CIFAR-10 images (20 images per class as used in the experiments).
## Usage and Evaluation
- The code is designed to work with any pre-trained model from pytorchcv on CIFAR-10.
- The proxy network(s) used for crafting adversarial examples can be adjusted as needed.
- All attack implementations are done from scratch without relying on external adversarial attack libraries.
- The performance of the attacks is measured by the drop in accuracy on the proxy models.