Attacks

How to implement a new attack

To add a new attack you need to inherit BaseAttack class and implement __call__ method. For more examples, refer to the wibench.attacks module.

Create your_attack.py file in user_plugins directory.

Custom attack

Attack class should inherit BaseAttack class and implement __call__ method.

from wibench.attacks import BaseAttack

class MyAttack(BaseAttack):
    def __init__(self, any_parameters_of_atack):
        ...

    def __call__(self, object_to_attack):
        # Attack input object here
        ...
        return attacked_object

Implemented attacks

Distortions

This block contains basic distortion attacks.

class wibench.attacks.distortions.JPEGCompression(quality: int = 50)[source]

JPEG compression attack.

Parameters

qualityint: JPEG quality factor (1-100)

name = 'jpeg'

report_name = 'jpeg'

class wibench.attacks.distortions.Rotate90(direction: Literal['clock', 'counter'] = 'clock')[source]

Rotates image by 90 degrees clockwise or counter-clockwise.

Parameters

directionLiteral[“clock”, “counter”], optional: Rotation direction, either “clock” for clockwise or “counter” for counter-clockwise. Default is “clock”.

report_name = 'rotate90'

class wibench.attacks.distortions.Rotate(angle: float, interpolation: str = 'bilinear', expand=False)[source]

Rotates image by arbitrary angle counter-clockwise.

Parameters

anglefloat: Rotation angle in degrees counter-clockwise. For clockwise rotation use negative numbers
interpolationstr, optional: Interpolation mode (‘nearest’, ‘bilinear’, ‘bicubic’). Default is ‘bilinear’.
expandbool, optional: Whether to expand output image size to fit rotated image. Default is False.

report_name = 'rotate'

class wibench.attacks.distortions.GaussianBlur(kernel_size: int)[source]

Applies Gaussian blur to image.

Parameters

kernel_sizeint: Size of Gaussian kernel (must be odd and positive)

report_name = 'gaussianblur'

class wibench.attacks.distortions.GaussianNoise(sigma: float)[source]

Adds Gaussian noise to image.

Parameters

sigmafloat: Standard deviation of Gaussian noise distribution

report_name = 'gaussiannoise'

class wibench.attacks.distortions.CenterCrop(ratio: float)[source]

Center crops image by specified area ratio.

Parameters

ratiofloat: Ratio of area to keep (0-1). For example, 0.5 keeps 50% of image area.

report_name = 'centercrop'

class wibench.attacks.distortions.Resize(x_ratio: float = 1, y_ratio: float = 1, interpolation: str = 'bilinear')[source]

Resizes image by specified width and height ratios.

Parameters

x_ratiofloat, optional: Width scaling factor. Default is 1 (no change).
y_ratiofloat, optional: Height scaling factor. Default is 1 (no change).
interpolationstr, optional: Interpolation mode (‘nearest’, ‘bilinear’, ‘bicubic’). Default is ‘bilinear’.

report_name = 'resize'

class wibench.attacks.distortions.RandomCropout(ratio: float)[source]

Randomly crops out a rectangular region of specified area ratio. Fills the remaining area with black color.

Parameters

ratiofloat: Ratio of area to keep (0-1). For example, 0.8 keeps 80% of image area.

report_name = 'randomcropout'

class wibench.attacks.distortions.Brightness(factor: float)[source]

Adjusts image brightness.

Parameters

factorfloat

Brightness adjustment factor:

1.0 returns original image,
<1.0 darkens image,
>1.0 brightens image

report_name = 'brightness'

class wibench.attacks.distortions.Contrast(factor: float)[source]

Adjusts image contrast.

Parameters

factorfloat

Contrast adjustment factor:

1.0 returns original image,
<1.0 reduces contrast,
>1.0 increases contrast

report_name = 'contrast'

class wibench.attacks.distortions.PixelShift(delta: int = 7)[source]

Shifts image pixels horizontally with edge wrapping.

Parameters

deltaint, optional: Number of pixels to shift right. Leftmost pixels wrap around to right. Default is 7.

report_name = 'pixelshift'

class wibench.attacks.distortions.ColorInversion(*args, **kwargs)[source]

Inverts colors in image.

report_name = 'colorinversion'

SADRE

class wibench.attacks.SADRE.sadre.WPWMAttacker(pipe=None, noise_step=60, saliency_mask=None, device='cpu')[source]: Saliency-Aware Diffusion Reconstruction for Effective Invisible Watermark Removal. For more information visit the following page.

DIP

class wibench.attacks.dip_attack.dip_attack.DIPAttack(device: str = 'cpu', dtype: str = 'float32', total_iters: int = 150, lr: float = 0.01, arch: str = 'vanila')[source]

DIP-based watermark evasion attack adopted from the github repository.

NOTE: It uses slightly incorrect (non-randomized) input during DIP training. More correct version is available below.

class wibench.attacks.dip_attack.dip_attack.DIPAttackNoise(device: str = 'cpu', dtype: str = 'float32', total_iters: int = 500, lr: float = 0.001, arch: str = 'vanila', input_noise_method: str = 'n', input_noise_var: float = 0.1)[source]: DIP-based watermark evasion attack with correct noise input. It follows original DIP model input initialization from the github repository.

Adversarial

class wibench.attacks.adversarial.adversarial.AdversarialEmbedding(encoder: str = 'resnet18', device: torch.device | str = 'cpu', loss_type: str = 'l2', strength: int = 2, eps_factor: float = 0.00392156862745098, alpha_factor: float = 0.05, n_steps: int = 200, random_start: bool = True)[source]: Adversarial embedding attack from WAVES benchmark.

class wibench.attacks.adversarial.adversarial.AdversarialEmbeddingPSNR(encoder: str = 'resnet18', device: torch.device | str = 'cpu', psnr: float = 40, loss_type: str = 'l2', alpha: float = 10.0, n_steps: int = 100)[source]: Modification of adversarial embedding attack that uses PSNR instead of \(\ell_\infty\) norm to measure closeness between images.

Averaging

class wibench.attacks.averaging.averaging.Averaging(pattern_load_path: str | None = './resources/averaging/pattern_stegastamp.pth', num_images: Optional[int] = None, device: torch.device | str = 'cpu')[source]

Attack based on simple averaging from https://arxiv.org/abs/2406.09026.

Args:: pattern_load_path: the precomputed pattern needed for the attack num_images: if None use all images in the directories to compute the pattern, if =n use first n images. Defaults to None. device: device to compute on. Defaults to “cuda”.

Blur Deblur

class wibench.attacks.blur_deblur.blur_deblur.DoGBlur(alpha: float = 1.0, sigma_1: float = 1.0, sigma_2: float = 16.0, kernel_size: Optional[int] = None, num_channels: int = 3, device: str = 'cuda:0')[source]: Blur that processes only middle frequencies based on Difference of Gaussians.

class wibench.attacks.blur_deblur.blur_deblur.BlurDeblurFPNInception(*args, **kwargs)[source]: Attack that blurs the image and then restores it using deblurring architecture from DeblurGAN-v2 paper.

class wibench.attacks.blur_deblur.blur_deblur.DoGBlurDeblurFPNInception(*args, **kwargs)[source]: Attack that blurs the image with DoG blur and then restores it using deblurring architecture from DeblurGAN-v2 paper.

BM3D

class wibench.attacks.bm3d.bm3d.BM3DDenoising[source]: For more information, please refer to the following page.

VAE

class wibench.attacks.vae.vae.VAEAttack(n_avg_imgs: int = 100, noise_level: float = 0.5, device: str = 'cpu', cache_dir: Optional[str] = None)[source]

Adversarial attack using a VAE to generate noisy image reconstructions.

Encodes an image into latent space, adds Gaussian noise to the latents, then decodes multiple noisy versions. Returns the average of these reconstructions as an attacked image. Uses the FLUX.1-schnell VAE.

Parameters

n_avg_imgs: int
Number of noisy reconstructions to average.

noise_level: float
Standard deviation of Gaussian noise added to latents.

device: str
Device to run the VAE on.

cache_dir: str
Directory for caching the VAE model.

StegastampInversion

class wibench.attacks.stegastamp_inversion.stegastamp_inversion.StegastampInversion(*args, **kwargs)[source]

Adversarial attack that inverts watermarks encoded by Stegastamp from here. This attack decodes the hidden watermark from a watermarked image, inverts it (1 - watermark), and re-encodes the inverted watermark back into the image. The process is designed to disrupt Stegastamp’s watermark decoding while maintaining visual similarity to the original.

Parameters

stegastamp_model_path: str

path to StegaStamp onnx model

device_id: int

ID of cuda device to run Stegastamp on

TODO:

run with GPU tensors, see the following link
convert from onnx to pytorch?

Regeneration

This block contains regeneration attacks.

class wibench.attacks.diffusion_regeneration.regeneration.DiffusionRegeneration(pipe=None, device='cpu', noise_step=60)[source]: Based on the code from here.

class wibench.attacks.VAERegeneration.regeneration.VAERegeneration(model_name='bmshj2018-factorized', quality=1, device='cpu')[source]: Based on the code from here.

Frequency Masking

class wibench.attacks.frequency_masking.frequency_masking.FrequencyMasking(normalize=True)[source]: Image-domain frequency masking attack that suppresses low-frequency components. Applies a circular mask to the Fourier spectrum of an image to remove central low-frequency information.

class wibench.attacks.frequency_masking.frequency_masking.LatentFrequencyMasking(beta: float = 0.0, mask_mode: str = 'zero', vae: Optional[AutoencoderKL] = None, mask_radius: int = 10, mask_channel: int = 0, cache_dir: Optional[str] = None, device: str = 'cpu')[source]: Latent-space frequency masking attack for diffusion model representations. Projects images into a VAE’s latent space, applies frequency masking in the Fourier domain, and reconstructs modified images. Supports various masking modes (zero, random, mean) for controlled perturbations.

Image Editing

class wibench.attacks.image_editing.ImageEditingFluxContext.ImageEditingFLuxContext(device_vl: str = 'cpu', device_flux: str = 'cpu', internvl_path: str = 'OpenGVLab/InternVL2_5-8B', fluxcontext_path: str = 'black-forest-labs/FLUX.1-Kontext-dev', prompts_path: str = './resources/flux_prompts.json', guidance_scale: float = 7.5, num_inference_steps: int = 28, is_prompts: bool = True, mode: str = 'base', custom_prompt: Optional[str] = None)[source]

Adversarial attack that edits images using instruction-guided generation.

Combines InternVL2 for natural language understanding and FLUX.1-Kontext for instruction-guided image editing. Generates textual instructions describing the input image, then uses them to guide image-to-image transformations that create adversarial outputs.

LIIF

class wibench.attacks.liif.liif_attack.LIIFAttack(*args, **kwargs)[source]

Attack using Local Implicit Image Function (LIIF) for image super-resolution.

Reconstructs images through an implicit neural representation that learns continuous image functions. The attack queries the LIIF model at specific coordinates to generate a modified version of the input image, effectively applying learned upsampling/denoising.

SEMAttack

class wibench.attacks.SemanticImprintRemoval.semantic_attack.SEMAttack(modelid_attacker: str = 'WIBE-HuggingFace/stable-diffusion-2-1-base', scheduler_attacker: str = 'DDIM', num_inference_steps_attacker: int = 50, lr: float = 0.01, steps: int = 151, seed: Optional[int] = None, device: str = 'cpu', cache_dir=None)[source]

Attack from “Black-Box Forgery Attacks on Semantic Watermarks for Diffusion Models”

code is based on https://github.com/and-mill/semantic-forgery

WMForger

class wibench.attacks.wmforger.wmforger.WMForger(*args, **kwargs)[source]

Attack from Transferable Black-Box One-Shot Forging of Watermarks via Image Preference Models.

code is based on https://github.com/facebookresearch/videoseal/blob/main/wmforger