Example #1
 ),
 AttackTestTarget(
     fa.EADAttack(binary_search_steps=3,
                  steps=20,
                  decision_rule="L1",
                  regularization=0),
     uses_grad=True,
 ),
 AttackTestTarget(fa.NewtonFoolAttack(steps=20), uses_grad=True),
 AttackTestTarget(fa.VirtualAdversarialAttack(steps=50, xi=1),
                  10,
                  uses_grad=True),
 AttackTestTarget(fa.PGD(), Linf(1.0), uses_grad=True),
 AttackTestTarget(fa.L2PGD(), L2(50.0), uses_grad=True),
 AttackTestTarget(fa.L1PGD(), 5000.0, uses_grad=True),
 AttackTestTarget(fa.LinfBasicIterativeAttack(abs_stepsize=0.2),
                  Linf(1.0),
                  uses_grad=True),
 AttackTestTarget(fa.L2BasicIterativeAttack(), L2(50.0), uses_grad=True),
 AttackTestTarget(fa.L1BasicIterativeAttack(), 5000.0, uses_grad=True),
 AttackTestTarget(fa.SparseL1DescentAttack(), 5000.0, uses_grad=True),
 AttackTestTarget(fa.FGSM(), Linf(100.0), uses_grad=True),
 AttackTestTarget(FGSM_GE(), Linf(100.0)),
 AttackTestTarget(fa.FGM(), L2(100.0), uses_grad=True),
 AttackTestTarget(fa.L1FastGradientAttack(), 5000.0, uses_grad=True),
 AttackTestTarget(fa.GaussianBlurAttack(steps=10),
                  uses_grad=True,
                  requires_real_model=True),
 AttackTestTarget(
     fa.GaussianBlurAttack(steps=10, max_sigma=224.0),
     uses_grad=True,
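(The list is truncated at both ends by the example extractor.) AttackTestTarget comes from foolbox's test suite; its definition is not part of this snippet. A plausible minimal reconstruction, based only on the fields used here and in Example #3 below, might look like this (hypothetical, not foolbox's actual code):

from typing import Any, NamedTuple, Optional

# Hypothetical sketch inferred from the fields used in these snippets;
# not necessarily foolbox's actual definition.
class AttackTestTarget(NamedTuple):
    attack: Any                                   # foolbox attack instance
    epsilon: Optional[Any] = None                 # e.g. Linf(1.0), L2(50.0), or a float
    uses_grad: bool = False                       # attack needs model gradients
    requires_real_model: bool = False             # skip for dummy test models
    requires_low_dimensional_input: bool = False  # skip for image-sized inputs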
Example #2
                   epochs=1,
                   validation_data=ds_test,
                   steps_per_epoch=7500 // batch_size,
                   validation_steps=2500 // batch_size,
                   callbacks=[tensorboard_callback])

for images, labels in ds_train.take(1):  # take only the first batch of the dataset
    images_ex, labels_ex = ep.astensors(images, labels)

fmodel = fb.TensorFlowModel(baseline_model, bounds=(0, 1))

attacks = [
    fa.FGSM(),
    fa.LinfPGD(),
    fa.LinfBasicIterativeAttack(),
    fa.LinfAdditiveUniformNoiseAttack(),
    fa.LinfDeepFoolAttack(),
]

attacks_names = [
    "FGSM", "LinfPGD", "LinfBasicIterativeAttack",
    "LinfAdditiveUniformNoiseAttack", "LinfDeepFoolAttack"
]

epsilons = [
    0.0, 0.0005, 0.001, 0.0015, 0.002, 0.003, 0.005, 0.01, 0.02, 0.03, 0.1,
    0.3, 0.5, 1.0
]

transfer_methods = [
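The snippet is cut off mid-statement here. In foolbox 3, the pieces set up above are typically combined by running each attack over all epsilons at once and reading the per-epsilon success mask; a minimal sketch (assuming images_ex and labels_ex hold the single batch prepared above):

import numpy as np

attack_success = np.zeros((len(attacks), len(epsilons)))
for a, attack in enumerate(attacks):
    # foolbox 3 attacks return (raw, clipped, is_adv) for all epsilons at once
    _, _, is_adv = attack(fmodel, images_ex, labels_ex, epsilons=epsilons)
    attack_success[a] = is_adv.float32().mean(axis=-1).numpy()

robust_accuracy = 1.0 - attack_success  # one row per attack, one column per epsilon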
Example #3
 AttackTestTarget(
     fa.NewtonFoolAttack(steps=20),
     uses_grad=True,
     requires_low_dimensional_input=True,
 ),
 AttackTestTarget(
     fa.VirtualAdversarialAttack(steps=50, xi=1),
     10,
     uses_grad=True,
     requires_low_dimensional_input=True,
 ),
 AttackTestTarget(fa.PGD(), Linf(1.0), uses_grad=True),
 AttackTestTarget(fa.L2PGD(), L2(50.0), uses_grad=True),
 AttackTestTarget(fa.L1PGD(), 5000.0, uses_grad=True),
 AttackTestTarget(
     fa.LinfBasicIterativeAttack(abs_stepsize=0.2), Linf(1.0), uses_grad=True
 ),
 AttackTestTarget(fa.L2BasicIterativeAttack(), L2(50.0), uses_grad=True),
 AttackTestTarget(fa.L1BasicIterativeAttack(), 5000.0, uses_grad=True),
 AttackTestTarget(fa.AdamPGD(), Linf(1.0), uses_grad=True),
 AttackTestTarget(fa.L2AdamPGD(), L2(50.0), uses_grad=True),
 AttackTestTarget(fa.L1AdamPGD(), 5000.0, uses_grad=True),
 AttackTestTarget(
     fa.LinfAdamBasicIterativeAttack(abs_stepsize=0.2), Linf(1.0), uses_grad=True
 ),
 AttackTestTarget(fa.L2AdamBasicIterativeAttack(), L2(50.0), uses_grad=True),
 AttackTestTarget(fa.L1AdamBasicIterativeAttack(), 5000.0, uses_grad=True),
 AttackTestTarget(fa.SparseL1DescentAttack(), 5000.0, uses_grad=True),
 AttackTestTarget(fa.FGSM(), Linf(100.0), uses_grad=True),
 AttackTestTarget(FGSM_GE(), Linf(100.0)),
 AttackTestTarget(fa.FGM(), L2(100.0), uses_grad=True),
Example #4
     False,
 ),
 (
     fa.EADAttack(binary_search_steps=3,
                  steps=20,
                  decision_rule="L1",
                  regularization=0),
     None,
     True,
     False,
 ),
 (fa.NewtonFoolAttack(steps=20), None, True, False),
 (fa.VirtualAdversarialAttack(steps=50, xi=1), 10, True, False),
 (fa.PGD(), Linf(1.0), True, False),
 (fa.L2PGD(), L2(50.0), True, False),
 (fa.LinfBasicIterativeAttack(abs_stepsize=0.2), Linf(1.0), True, False),
 (fa.L2BasicIterativeAttack(), L2(50.0), True, False),
 (fa.FGSM(), Linf(100.0), True, False),
 (fa.FGM(), L2(100.0), True, False),
 (fa.GaussianBlurAttack(steps=10), None, True, True),
 (fa.GaussianBlurAttack(steps=10, max_sigma=224.0), None, True, True),
 (fa.L2DeepFoolAttack(steps=50, loss="logits"), None, True, False),
 (fa.L2DeepFoolAttack(steps=50, loss="crossentropy"), None, True, False),
 (fa.LinfDeepFoolAttack(steps=50), None, True, False),
 (fa.BoundaryAttack(steps=50), None, False, False),
 (
     fa.BoundaryAttack(
         steps=110,
         init_attack=fa.LinearSearchBlendedUniformNoiseAttack(steps=50),
         update_stats_every_k=1,
     ),
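In this older variant each target is a plain 4-tuple of (attack, epsilon, attack_uses_grad, requires_real_model). Such a list is typically fed to pytest's parametrization; a minimal sketch with illustrative names (the list name and fixture are assumptions, not foolbox's actual test code):

import pytest

@pytest.mark.parametrize(
    "attack, eps, attack_uses_grad, requires_real_model", attack_test_params
)
def test_attack_finds_adversarials(fmodel_and_data, attack, eps,
                                   attack_uses_grad, requires_real_model):
    fmodel, images, labels = fmodel_and_data
    advs, _, success = attack(fmodel, images, labels, epsilons=eps)
    assert success.any()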
Example #5
# Imports assumed by this snippet; `utils`, `plot_distances`, `model_validate`
# and the upper-case constants (MODEL_RESNET_PATH, DATASET_PATH, THRESHOLD,
# NORM, ...) are defined elsewhere in the same script.
import time

import numpy as np
import torch
from numpy.linalg import norm
from tqdm import tqdm

import foolbox.attacks as fa
import foolbox.distances as fd
from foolbox import PyTorchModel


def main():
  """Validate -> Attack -> Revalidate."""

  model = utils.load_trained_model(
    model_name="resnet", model_path=MODEL_RESNET_PATH, class_num=len(CLASS_NAMES)
  )

  preprocessing = dict(mean=[0.485, 0.456, 0.406], std=[0.229, 0.224, 0.225], axis=-3)

  dataset_loader, dataset_size = utils.load_dataset(
    dataset_path=DATASET_PATH, dataset_image_len=DATASET_IMAGE_NUM
  )

  # use GPU if available
  device = torch.device("cuda:0" if torch.cuda.is_available() else "cpu")
  model = model.to(device)

  fmodel = PyTorchModel(model, bounds=(0, 1), preprocessing=preprocessing)

  # * 1/3: Validate original images.
  model_validate(fmodel, device, dataset_loader, dataset_size)

  # * 2/3: Perform adversarial attack.
  # attack = fa.LinfFastGradientAttack()
  attack = fa.LinfBasicIterativeAttack()
  # attack = fa.L2CarliniWagnerAttack()
  # attack = fa.L2DeepFoolAttack()
  eps = [THRESHOLD]

  pbar = tqdm(dataset_loader)
  pbar.set_description("Att")
  dist = []
  adversaries = []

  for image, label in pbar:
    advs, _, _ = attack(fmodel, image.to(device), label.to(device), epsilons=eps)

    for i, (single_adv, single_img) in enumerate(zip(advs[0], image.to(device))):
      perturb = (single_adv - single_img).cpu()
      _l_p = norm(perturb.flatten(), np.inf if NORM == "inf" else 2)
      _dist = fd.linf(single_img, single_adv)  # foolbox Linf distance (not used below)

      # TODO: add a condition to skip this check for fixed-epsilon attacks
      if _l_p > THRESHOLD:
        # Replace adversarial examples whose perturbation exceeds the
        # threshold with the original image (relevant for attacks that
        # minimize perturbation size, e.g. C&W and DeepFool).
        advs[0][i] = single_img

      dist.append(_l_p)

    adversaries.append(advs[0])

  dist = np.asarray(dist)
  plot_distances(dist, lp_norm=NORM)
  # np.save("cw_dist_lim_1.npy", dist)

  print(
    "L_{}: min {:.4f}, mean {:.4f}, max {:.4f}".format(
      NORM, dist.min(), np.median(dist), dist.max()
    )
  )
  time.sleep(0.5)

  # * 3/3: Validate generated adversarial examples.
  model_validate(fmodel, device, dataset_loader, dataset_size, adv=adversaries)
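model_validate is a helper defined elsewhere in this script. A minimal sketch of the role it plays, using fb.utils.accuracy (the signature and behavior are assumptions inferred from the calls above):

import foolbox as fb

def model_validate(fmodel, device, loader, size, adv=None):
  # Hypothetical sketch: report accuracy over the dataset, optionally
  # substituting the precomputed adversarial batches for the clean images.
  correct = 0.0
  for i, (images, labels) in enumerate(loader):
    inputs = adv[i] if adv is not None else images.to(device)
    correct += fb.utils.accuracy(fmodel, inputs, labels.to(device)) * len(labels)
  print("accuracy: {:.4f}".format(correct / size))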