def build_stadv_linf_attack(classifier_net, normalizer):
flow_threat = ap.ThreatModel(
ap.ParameterizedXformAdv,
ap.PerturbationParameters(lp_style='inf',
lp_bound=FLOW_LINF_BOUND,
xform_class=st.FullSpatial,
use_stadv=True))
adv_loss = lf.CWLossF6(classifier_net, normalizer)
st_loss = lf.PerturbationNormLoss(lp=2)
loss_fxn = lf.RegularizedLoss({
'adv': adv_loss,
'st': st_loss
}, {
'adv': 1.0,
'st': 0.05
},
negate=True)
pgd_kwargs = copy.deepcopy(GLOBAL_ATK_KWARGS)
pgd_kwargs['optimizer_kwargs']['lr'] = 0.001
pgd_attack = aar.PGD(classifier_net, normalizer, flow_threat, loss_fxn)
params = advtrain.AdversarialAttackParameters(
pgd_attack, 1.0, attack_specific_params={'attack_kwargs': pgd_kwargs})
return params
def build_full_attack(classifier_net, normalizer, use_gpu):
# L_inf + flow style attack
delta_threat = ap.ThreatModel(
ap.DeltaAddition,
ap.PerturbationParameters(lp_style='inf',
lp_bound=L_INF_BOUND,
use_gpu=use_gpu))
trans_threat = ap.ThreatModel(
ap.ParameterizedXformAdv,
ap.PerturbationParameters(lp_style=1,
lp_bound=0.05,
xform_class=st.TranslationTransform,
use_gpu=use_gpu))
flow_threat = ap.ThreatModel(
ap.ParameterizedXformAdv,
ap.PerturbationParameters(lp_style='inf',
lp_bound=FLOW_LINF_BOUND,
xform_class=st.FullSpatial,
use_gpu=use_gpu,
use_stadv=True))
rotation_threat = ap.ThreatModel(
ap.ParameterizedXformAdv,
ap.PerturbationParameters(xform_class=st.RotationTransform,
lp_style='inf',
lp_bound=math.pi / 24.,
use_gpu=use_gpu))
sequence_threat = ap.ThreatModel(
ap.SequentialPerturbation,
[delta_threat, flow_threat, trans_threat, rotation_threat],
ap.PerturbationParameters(norm_weights=[0.0, 1.0, 1.0, 1.0]))
pgd_kwargs = copy.deepcopy(GLOBAL_ATK_KWARGS)
pgd_kwargs['optimizer_kwargs']['lr'] = 0.001
adv_loss = lf.CWLossF6(classifier_net, normalizer)
st_loss = lf.PerturbationNormLoss(lp=2)
loss_fxn = lf.RegularizedLoss({
'adv': adv_loss,
'st': st_loss
}, {
'adv': 1.0,
'st': 0.05
},
negate=True)
pgd_attack = aar.PGD(classifier_net,
normalizer,
sequence_threat,
loss_fxn,
use_gpu=use_gpu)
params = advtrain.AdversarialAttackParameters(
pgd_attack, 1.0, attack_specific_params={'attack_kwargs': pgd_kwargs})
return params
def build_pgd_linf_attack(classifier_net, normalizer, use_gpu):
# PREBUILT LOSS FUNCTION
delta_threat = ap.ThreatModel(
ap.DeltaAddition,
ap.PerturbationParameters(lp_style='inf',
lp_bound=L_INF_BOUND,
use_gpu=use_gpu))
attack_loss = plf.VanillaXentropy(classifier_net, normalizer=normalizer)
pgd_attack = aar.PGD(classifier_net, normalizer, delta_threat, attack_loss)
pgd_kwargs = copy.deepcopy(GLOBAL_ATK_KWARGS)
params = advtrain.AdversarialAttackParameters(
pgd_attack, 1.0, attack_specific_params={'attack_kwargs': pgd_kwargs})
return params
def build_rotation_translation_attack(classifier_net, normalizer, use_gpu):
# L_inf + flow style attack
delta_threat = ap.ThreatModel(
ap.DeltaAddition,
ap.PerturbationParameters(lp_style='inf',
lp_bound=L_INF_BOUND,
use_gpu=use_gpu))
trans_threat = ap.ThreatModel(
ap.ParameterizedXformAdv,
ap.PerturbationParameters(lp_style=1,
lp_bound=0.05,
xform_class=st.TranslationTransform,
use_gpu=use_gpu))
rotation_threat = ap.ThreatModel(
ap.ParameterizedXformAdv,
ap.PerturbationParameters(xform_class=st.RotationTransform,
lp_style='inf',
lp_bound=math.pi / 24.,
use_gpu=use_gpu))
sequence_threat = ap.ThreatModel(
ap.SequentialPerturbation,
[delta_threat, trans_threat, rotation_threat])
pgd_kwargs = copy.deepcopy(GLOBAL_ATK_KWARGS)
pgd_kwargs['optimizer_kwargs']['lr'] = 0.001
loss_fxn = plf.VanillaXentropy(classifier_net, normalizer)
pgd_attack = aar.PGD(classifier_net,
normalizer,
sequence_threat,
loss_fxn,
use_gpu=use_gpu)
params = advtrain.AdversarialAttackParameters(
pgd_attack, 1.0, attack_specific_params={'attack_kwargs': pgd_kwargs})
return params
def build_stadv_rot_trans_pgd(model,
normalizer,
flow_bound=FLOW_LINF,
trans_bound=TRANS_LINF,
rot_bound=ROT_LINF,
use_gpu=USE_GPU,
verbose=False,
adv_loss='cw',
num_iter=PGD_ITER,
loss_convergence=LOSS_CONVERGENCE,
output='attack',
extra_attack_kwargs=None):
# Build threat
flow_threat = ap.ThreatModel(
ap.ParameterizedXformAdv,
ap.PerturbationParameters(lp_style='inf',
lp_bound=flow_bound,
xform_class=st.FullSpatial,
use_gpu=use_gpu,
use_stadv=True))
trans_threat = ap.ThreatModel(
ap.ParameterizedXformAdv,
ap.PerturbationParameters(lp_style='inf',
lp_bound=trans_bound,
xform_class=st.TranslationTransform,
use_gpu=use_gpu))
rotation_threat = ap.ThreatModel(
ap.ParameterizedXformAdv,
ap.PerturbationParameters(xform_class=st.RotationTransform,
lp_style='inf',
lp_bound=rot_bound,
use_gpu=use_gpu))
sequence_threat = ap.ThreatModel(
ap.SequentialPerturbation,
[flow_threat, trans_threat, rotation_threat],
ap.PerturbationParameters(norm_weights=[1.00, 1.00, 1.0, 1.0]))
# Build loss
assert adv_loss in ['cw', 'xentropy']
if adv_loss == 'xentropy':
adv_loss_obj = lf.PartialXentropy(model, normalizer=normalizer)
else:
adv_loss_obj = lf.CWLossF6(model, normalizer)
st_loss = lf.PerturbationNormLoss(lp=2)
loss_fxn = lf.RegularizedLoss({
'adv': adv_loss_obj,
'st': st_loss
}, {
'adv': 1.0,
'st': 0.05
},
negate=True)
# Build attack
optimizer = optim.Adam
optimizer_kwargs = {'lr': 0.001}
pgd_attack = aar.PGD(model,
normalizer,
sequence_threat,
loss_fxn,
use_gpu=use_gpu)
assert output in ['attack', 'params', 'eval']
if output == 'attack':
return pgd_attack
pgd_kwargs = {
'num_iterations': num_iter,
'signed': False,
'optimizer': optimizer,
'optimizer_kwargs': optimizer_kwargs,
'verbose': verbose,
'loss_convergence': loss_convergence
}
if extra_attack_kwargs is not None:
pgd_kwargs.update(extra_attack_kwargs)
params = advtrain.AdversarialAttackParameters(
pgd_attack, 1.0, attack_specific_params={'attack_kwargs': pgd_kwargs})
if output == 'params':
return params
to_eval = {'top1': 'top1', 'lpips': 'avg_successful_lpips'}
eval_result = adveval.EvaluationResult(params,
model,
normalizer,
to_eval=to_eval,
use_gpu=use_gpu)
return eval_result
def build_delta_rot_trans_pgd(model,
normalizer,
delta_bound=L_INF_BOUND,
trans_bound=TRANS_LINF,
rot_bound=ROT_LINF,
use_gpu=USE_GPU,
verbose=False,
adv_loss='cw',
num_iter=PGD_ITER,
loss_convergence=LOSS_CONVERGENCE,
output='attack',
extra_attack_kwargs=None):
# Build threat
delta_threat = ap.ThreatModel(
ap.DeltaAddition,
ap.PerturbationParameters(lp_style='inf',
lp_bound=delta_bound,
use_gpu=use_gpu))
trans_threat = ap.ThreatModel(
ap.ParameterizedXformAdv,
ap.PerturbationParameters(lp_style='inf',
lp_bound=trans_bound,
xform_class=st.TranslationTransform,
use_gpu=use_gpu))
rotation_threat = ap.ThreatModel(
ap.ParameterizedXformAdv,
ap.PerturbationParameters(xform_class=st.RotationTransform,
lp_style='inf',
lp_bound=rot_bound,
use_gpu=use_gpu))
sequence_threat = ap.ThreatModel(
ap.SequentialPerturbation,
[delta_threat, trans_threat, rotation_threat])
# Build loss
assert adv_loss in ['xentropy', 'cw']
if adv_loss == 'xentropy':
attack_loss = plf.VanillaXentropy(model, normalizer)
else:
cw_loss = lf.CWLossF6(model, normalizer)
attack_loss = lf.RegularizedLoss({'adv': cw_loss}, {'adv': 1.0},
negate=True)
# Build attack
pgd_attack = aar.PGD(model,
normalizer,
sequence_threat,
attack_loss,
use_gpu=use_gpu)
# Return based on output arg
assert output in ['attack', 'params', 'eval']
if output == 'attack':
return pgd_attack
extra_attack_kwargs = extra_attack_kwargs or {}
optimizer = optim.Adam
optimizer_kwargs = {'lr': 0.01}
pgd_kwargs = {
'num_iterations': num_iter,
'signed': False,
'optimizer': optimizer,
'optimizer_kwargs': optimizer_kwargs,
'verbose': verbose,
'loss_convergence': loss_convergence
}
pgd_kwargs.update(extra_attack_kwargs)
params = advtrain.AdversarialAttackParameters(
pgd_attack, 1.0, attack_specific_params={'attack_kwargs': pgd_kwargs})
if output == 'params':
return params
to_eval = {'top1': 'top1', 'lpips': 'avg_successful_lpips'}
eval_result = adveval.EvaluationResult(params,
model,
normalizer,
to_eval=to_eval,
use_gpu=USE_GPU)
return eval_result
def build_stadv_pgd(model,
normalizer,
linf_bound=FLOW_LINF,
use_gpu=USE_GPU,
verbose=False,
adv_loss='cw',
num_iter=PGD_ITER,
loss_convergence=LOSS_CONVERGENCE,
use_stadv=True,
output='attack',
norm_hyperparam=0.05,
extra_attack_kwargs=None):
# Build threat
flow_threat = ap.ThreatModel(
ap.ParameterizedXformAdv,
ap.PerturbationParameters(lp_style='inf',
lp_bound=linf_bound,
xform_class=st.FullSpatial,
use_gpu=use_gpu,
use_stadv=use_stadv))
# Build loss
assert adv_loss in ['xentropy', 'cw']
if adv_loss == 'xentropy':
adv_loss_obj = lf.PartialXentropy(model, normalizer=normalizer)
else:
adv_loss_obj = lf.CWLossF6(model, normalizer)
st_loss = lf.PerturbationNormLoss(lp=2)
attack_loss = lf.RegularizedLoss({
'adv': adv_loss_obj,
'st': st_loss
}, {
'adv': 1.0,
'st': norm_hyperparam
},
negate=True)
# Build attack
pgd_attack = aar.PGD(model,
normalizer,
flow_threat,
attack_loss,
use_gpu=use_gpu)
# Return based on output arg
assert output in ['attack', 'params', 'eval']
if output == 'attack':
return pgd_attack
extra_attack_kwargs = extra_attack_kwargs or {}
optimizer = optim.Adam
optimizer_kwargs = {'lr': 0.01}
pgd_kwargs = {
'num_iterations': num_iter,
'signed': False,
'optimizer': optimizer,
'optimizer_kwargs': optimizer_kwargs,
'verbose': verbose,
'loss_convergence': loss_convergence
}
pgd_kwargs.update(extra_attack_kwargs)
params = advtrain.AdversarialAttackParameters(
pgd_attack, 1.0, attack_specific_params={'attack_kwargs': pgd_kwargs})
if output == 'params':
return params
to_eval = {'top1': 'top1', 'lpips': 'avg_successful_lpips'}
eval_result = adveval.EvaluationResult(params,
model,
normalizer,
to_eval=to_eval,
use_gpu=USE_GPU)
return eval_result