def sparsefool(x_0,
net,
lb,
ub,
lambda_=3.,
max_iter=20,
epsilon=0.02,
device='cuda',
fixed_iter=False):
pred_label = torch.argmax(
net.forward(Variable(x_0, requires_grad=True)).data).item()
x_i = copy.deepcopy(x_0)
fool_im = copy.deepcopy(x_i)
fool_label = pred_label
loops = 0
if fixed_iter:
while loops < max_iter:
normal, x_adv = deepfool(x_i, net, lambda_, device=device)
x_i = linear_solver(x_i, normal, x_adv, lb, ub)
fool_im = x_0 + (1 + epsilon) * (x_i - x_0)
fool_im = clip_image_values(fool_im, lb, ub)
fool_label = torch.argmax(
net.forward(Variable(fool_im,
requires_grad=True)).data).item()
loops += 1
r = fool_im - x_0
print('Number of loops: ', loops)
return fool_im, r, pred_label, fool_label, loops
else:
while fool_label == pred_label and loops < max_iter:
normal, x_adv = deepfool(x_i, net, lambda_, device=device)
x_i = linear_solver(x_i, normal, x_adv, lb, ub)
fool_im = x_0 + (1 + epsilon) * (x_i - x_0)
fool_im = clip_image_values(fool_im, lb, ub)
fool_label = torch.argmax(
net.forward(Variable(fool_im,
requires_grad=True)).data).item()
loops += 1
r = fool_im - x_0
print('Number of loops: ', loops)
return fool_im, r, pred_label, fool_label, loops
def go_to_boundary(x_0, grad, x_b):
epsilon = 5
num_calls = 1
perturbed = x_0
if dist == 'l1' or dist == 'l2':
grads = grad
if dist == 'linf':
grads = torch.sign(grad)/torch.norm(grad)
while is_adversarial(perturbed, orig_label) == 0:
perturbed = x_0 + (num_calls*epsilon* grads[0])
perturbed = clip_image_values(perturbed, lb, ub)
num_calls += 1
if num_calls > 100:
print('falied ... ')
break
print
return perturbed, num_calls, epsilon*num_calls
def sparsefool_1(x_0, net, lb, ub, lambda_=3., max_iter=20, epsilon=0.1, device='cuda',fixed_iter=False):
pred_label = torch.argmax(net.forward(Variable(x_0, requires_grad=True)).data).item()
x_i = copy.deepcopy(x_0)
fool_im_100 = copy.deepcopy(x_i)
fool_im_40 = copy.deepcopy(x_i)
fool_im_70 = copy.deepcopy(x_i)
fool_label = pred_label
loops = 0
while loops < max_iter:
normal, x_adv = deepfool(x_i, net, lambda_, device=device)
x_i = linear_solver(x_i, normal, x_adv, lb, ub)
fool_im_100 = x_0 + (1 + epsilon) * (x_i - x_0)
fool_im_100 = clip_image_values(fool_im_100, lb, ub)
fool_label = torch.argmax(net.forward(Variable(fool_im_100, requires_grad=True)).data).item()
loops += 1
if loops == 30:
fool_im_40 = copy.deepcopy(fool_im_100)
elif loops == 45:
fool_im_70 = copy.deepcopy(fool_im_100)
r_40 = fool_im_40 -x_0
r_70 = fool_im_70 - x_0
r_100 = fool_im_100 - x_0
return fool_im_40, fool_im_70, fool_im_100, r_40, r_70, r_100, pred_label, fool_label, loops
def GeoDA(x_b, iteration, q_opt):
norms = []
q_num = 0
grad = 0
for i in range(iteration):
t1 = time.time()
random_vec_o = torch.randn(q_opt[i],3,224,224)
grad_oi, ratios = black_grad_batch(x_b, q_opt[i], sigma, random_vec_o, grad_estimator_batch_size , orig_label)
q_num = q_num + q_opt[i]
grad = grad_oi + grad
x_adv, qs, eps = go_to_boundary(x_0, grad, x_b)
q_num = q_num + qs
x_adv, bin_query = bin_search(x_0, x_adv, tol)
q_num = q_num + bin_query
x_b = x_adv
t2 = time.time()
x_adv_inv = inv_tf(x_adv.cpu().numpy()[0,:,:,:].squeeze(), mean, std)
if dist == 'l1' or dist == 'l2':
dp = 'l2'
norm_p = linalg.norm(x_adv_inv-image_fb)
if dist == 'linf':
dp = dist
norm_p = np.max(abs(x_adv_inv-image_fb))
if verbose_control == 'Yes':
message = ' (took {:.5f} seconds)'.format(t2 - t1)
print('iteration -> ' + str(i) + str(message) + ' -- ' + dp + ' norm is -> ' + str(norm_p))
x_adv = clip_image_values(x_adv, lb, ub)
return x_adv, q_num, grad
def find_random_adversarial(image, epsilon=1000):
num_calls = 1
step = 0.02
perturbed = x_0
while is_adversarial(perturbed, orig_label) == 0:
pert = torch.randn([1,3,224,224])
pert = pert.to(device)
perturbed = image + num_calls*step* pert
perturbed = clip_image_values(perturbed, lb, ub)
perturbed = perturbed.to(device)
num_calls += 1
return perturbed, num_calls
def linear_solver(x_0, normal, boundary_point, lb, ub):
input_shape = x_0.size()
coord_vec = copy.deepcopy(normal)
plane_normal = copy.deepcopy(coord_vec).view(-1)
plane_point = copy.deepcopy(boundary_point).view(-1)
x_i = copy.deepcopy(x_0)
f_k = torch.dot(plane_normal, x_0.view(-1) - plane_point)
sign_true = f_k.sign().item()
beta = 0.001 * sign_true
current_sign = sign_true
while current_sign == sign_true and coord_vec.nonzero().size()[0] > 0:
f_k = torch.dot(plane_normal, x_i.view(-1) - plane_point) + beta
pert = f_k.abs() / coord_vec.abs().max()
mask = torch.zeros_like(coord_vec)
mask[np.unravel_index(
torch.argmax(coord_vec.abs()).cpu(), input_shape)] = 1.
r_i = torch.clamp(pert, min=1e-4) * mask * coord_vec.sign()
x_i = x_i + r_i
x_i = clip_image_values(x_i, lb, ub)
f_k = torch.dot(plane_normal, x_i.view(-1) - plane_point)
current_sign = f_k.sign().item()
coord_vec[r_i != 0] = 0
return x_i
grad_l2 = gradient[0, :, :, :] / torch.norm(gradient[0, :, :, :])
k = 10
mid = 0
mint = 0
maxt = 3 * 224 * 224
dist = norm_inv_opt
multip = delt / np.sqrt(dist)
for q_ind in range(20):
mid = round((mint + maxt) / 2)
grad_sp = topk_3D(grad_l2, mid)
grad_sp = grad_sp[None, :, :, :].to(device)
image_perturbed = x_0 + 5 * grad_sp
perturbed_clip = clip_image_values(image_perturbed, lb, ub)
pert = clip_image_values(100 * grad_sp, lb, ub)
x_B = x_0 + multip * (x_adv - x_0 / torch.norm(x_adv - x_0))
grad_flatten = grad_l2.cpu().numpy().reshape(-1)
vec = perturbed_clip - x_B
vec_flatten = vec.cpu().numpy().reshape(-1)
hyperplane = np.inner(grad_flatten, vec_flatten)
if hyperplane > 0:
maxt = mid + 1
else:
mint = mid - 1
