def make_uv(t):
'''
Generates UV coordinates
Returns tensors of x coords and y coords each with shape matching t
'''
uvx = ep.expand_dims(ep.arange(t, 0.0, t.shape[1], 1),
axis=0).tile([t.shape[0], 1])
uvy = ep.expand_dims(ep.arange(t, 0.0, t.shape[0], 1),
axis=0).tile([t.shape[1], 1]).transpose()
return uvx, uvy
def approximate_gradients(
self,
is_adversarial: Callable[[ep.Tensor], ep.Tensor],
x_advs: ep.Tensor,
steps: int,
delta: ep.Tensor,
) -> ep.Tensor:
# (steps, bs, ...)
noise_shape = tuple([steps] + list(x_advs.shape))
if self.constraint == "l2":
rv = ep.normal(x_advs, noise_shape)
elif self.constraint == "linf":
rv = ep.uniform(x_advs, low=-1, high=1, shape=noise_shape)
rv /= atleast_kd(ep.norms.l2(flatten(rv, keep=1), -1), rv.ndim) + 1e-12
scaled_rv = atleast_kd(ep.expand_dims(delta, 0), rv.ndim) * rv
perturbed = ep.expand_dims(x_advs, 0) + scaled_rv
perturbed = ep.clip(perturbed, 0, 1)
rv = (perturbed - x_advs) / atleast_kd(ep.expand_dims(delta + 1e-8, 0),
rv.ndim)
multipliers_list: List[ep.Tensor] = []
for step in range(steps):
decision = is_adversarial(perturbed[step])
multipliers_list.append(
ep.where(
decision,
ep.ones(
x_advs,
(len(x_advs, )),
),
-ep.ones(
x_advs,
(len(decision, )),
),
))
# (steps, bs, ...)
multipliers = ep.stack(multipliers_list, 0)
vals = ep.where(
ep.abs(ep.mean(multipliers, axis=0, keepdims=True)) == 1,
multipliers,
multipliers - ep.mean(multipliers, axis=0, keepdims=True),
)
grad = ep.mean(atleast_kd(vals, rv.ndim) * rv, axis=0)
grad /= ep.norms.l2(atleast_kd(flatten(grad), grad.ndim)) + 1e-12
return grad
def test_expand_dims(t: Tensor, axis: int) -> Tensor:
return ep.expand_dims(t, axis)
def run(
self,
model: Model,
inputs: T,
criterion: Union[Criterion, T],
*,
early_stop: Optional[float] = None,
starting_points: Optional[T] = None,
**kwargs: Any,
) -> T:
raise_if_kwargs(kwargs)
originals, restore_type = ep.astensor_(inputs)
del inputs, kwargs
verify_input_bounds(originals, model)
criterion = get_criterion(criterion)
is_adversarial = get_is_adversarial(criterion, model)
if starting_points is None:
init_attack: MinimizationAttack
if self.init_attack is None:
init_attack = LinearSearchBlendedUniformNoiseAttack(steps=50)
logging.info(
f"Neither starting_points nor init_attack given. Falling"
f" back to {init_attack!r} for initialization.")
else:
init_attack = self.init_attack
# TODO: use call and support all types of attacks (once early_stop is
# possible in __call__)
x_advs = init_attack.run(model,
originals,
criterion,
early_stop=early_stop)
else:
x_advs = ep.astensor(starting_points)
is_adv = is_adversarial(x_advs)
if not is_adv.all():
failed = is_adv.logical_not().float32().sum()
if starting_points is None:
raise ValueError(
f"init_attack failed for {failed} of {len(is_adv)} inputs")
else:
raise ValueError(
f"{failed} of {len(is_adv)} starting_points are not adversarial"
)
del starting_points
tb = TensorBoard(logdir=self.tensorboard)
# Project the initialization to the boundary.
x_advs = self._binary_search(is_adversarial, originals, x_advs)
assert ep.all(is_adversarial(x_advs))
distances = self.distance(originals, x_advs)
for step in range(self.steps):
delta = self.select_delta(originals, distances, step)
# Choose number of gradient estimation steps.
num_gradient_estimation_steps = int(
min([
self.initial_num_evals * math.sqrt(step + 1),
self.max_num_evals
]))
gradients = self.approximate_gradients(
is_adversarial, x_advs, num_gradient_estimation_steps, delta)
if self.constraint == "linf":
update = ep.sign(gradients)
else:
update = gradients
if self.stepsize_search == "geometric_progression":
# find step size.
epsilons = distances / math.sqrt(step + 1)
while True:
x_advs_proposals = ep.clip(
x_advs + atleast_kd(epsilons, x_advs.ndim) * update, 0,
1)
success = is_adversarial(x_advs_proposals)
epsilons = ep.where(success, epsilons, epsilons / 2.0)
if ep.all(success):
break
# Update the sample.
x_advs = ep.clip(
x_advs + atleast_kd(epsilons, update.ndim) * update, 0, 1)
assert ep.all(is_adversarial(x_advs))
# Binary search to return to the boundary.
x_advs = self._binary_search(is_adversarial, originals, x_advs)
assert ep.all(is_adversarial(x_advs))
elif self.stepsize_search == "grid_search":
# Grid search for stepsize.
epsilons_grid = ep.expand_dims(
ep.from_numpy(
distances,
np.logspace(
-4, 0, num=20, endpoint=True, dtype=np.float32),
),
1,
) * ep.expand_dims(distances, 0)
proposals_list = []
for epsilons in epsilons_grid:
x_advs_proposals = (
x_advs + atleast_kd(epsilons, update.ndim) * update)
x_advs_proposals = ep.clip(x_advs_proposals, 0, 1)
mask = is_adversarial(x_advs_proposals)
x_advs_proposals = self._binary_search(
is_adversarial, originals, x_advs_proposals)
# only use new values where initial guess was already adversarial
x_advs_proposals = ep.where(atleast_kd(mask, x_advs.ndim),
x_advs_proposals, x_advs)
proposals_list.append(x_advs_proposals)
proposals = ep.stack(proposals_list, 0)
proposals_distances = self.distance(
ep.expand_dims(originals, 0), proposals)
minimal_idx = ep.argmin(proposals_distances, 0)
x_advs = proposals[minimal_idx]
distances = self.distance(originals, x_advs)
# log stats
tb.histogram("norms", distances, step)
return restore_type(x_advs)