def get_attack(attack, fmodel):
args = []
kwargs = {}
# L0
if attack == 'SAPA':
A = fa.SaltAndPepperNoiseAttack()
elif attack == 'PA':
A = fa.L1BrendelBethgeAttack()
# L2
elif 'IGD' in attack:
A = fa.L2BasicIterativeAttack()
elif attack == 'AGNA':
A = fa.L2AdditiveGaussianNoiseAttack()
elif attack == 'BA':
A = fa.BoundaryAttack()
elif 'DeepFool' in attack:
A = fa.L2DeepFoolAttack()
elif attack == 'PAL2':
A = fa.L2BrendelBethgeAttack()
elif attack == "CWL2":
A = fa.L2CarliniWagnerAttack()
# L inf
elif 'FGSM' in attack and not 'IFGSM' in attack:
A = fa.FGSM()
elif 'PGD' in attack:
A = fa.LinfPGD()
elif 'IGM' in attack:
A = fa.LinfBrendelBethgeAttack()
else:
raise Exception('Not implemented')
return A, 0, 0, 0
def main():
parser = argparse.ArgumentParser()
parser.add_argument('--steps',
type=int,
default=1000,
help='Maximum number of steps to perform')
parser.add_argument('--targeted',
action='store',
default=False,
help='For targeted attack')
args = parser.parse_args()
model = Net()
model.load_state_dict(torch.load('mnist_cnn.pt'))
model.eval()
preprocessing = dict(mean=0.1307, std=0.3081)
fmodel = PyTorchModel(model, bounds=(0, 1), preprocessing=preprocessing)
fmodel = fmodel.transform_bounds((0, 1))
assert fmodel.bounds == (0, 1)
images, labels = ep.astensors(
*samples(fmodel, dataset="mnist", batchsize=10))
print('Model accuracy on clean examples: {}'.format(
accuracy(fmodel, images, labels)))
if args.targeted:
target_class = (labels + 7) % 10
criterion = fb.criteria.TargetedMisclassification(target_class)
else:
criterion = fb.criteria.Misclassification(labels)
attack = fa.L2DeepFoolAttack(steps=args.steps)
epsilons = None
raw, clipped, success = attack(fmodel, images, labels, epsilons=epsilons)
robust_accuracy = 1 - success.float32().mean()
print("Robust Accuracy", robust_accuracy.item())
dist = np.mean(fb.distances.l2(clipped, images).numpy())
print("Average perturbation norm", dist)
AttackTestTarget(fa.L2BasicIterativeAttack(), L2(50.0), uses_grad=True),
AttackTestTarget(fa.L1BasicIterativeAttack(), 5000.0, uses_grad=True),
AttackTestTarget(fa.SparseL1DescentAttack(), 5000.0, uses_grad=True),
AttackTestTarget(fa.FGSM(), Linf(100.0), uses_grad=True),
AttackTestTarget(FGSM_GE(), Linf(100.0)),
AttackTestTarget(fa.FGM(), L2(100.0), uses_grad=True),
AttackTestTarget(fa.L1FastGradientAttack(), 5000.0, uses_grad=True),
AttackTestTarget(fa.GaussianBlurAttack(steps=10),
uses_grad=True,
requires_real_model=True),
AttackTestTarget(
fa.GaussianBlurAttack(steps=10, max_sigma=224.0),
uses_grad=True,
requires_real_model=True,
),
AttackTestTarget(fa.L2DeepFoolAttack(steps=50, loss="logits"),
uses_grad=True),
AttackTestTarget(fa.L2DeepFoolAttack(steps=50, loss="crossentropy"),
uses_grad=True),
AttackTestTarget(fa.LinfDeepFoolAttack(steps=50), uses_grad=True),
AttackTestTarget(fa.BoundaryAttack(steps=50)),
AttackTestTarget(
fa.BoundaryAttack(
steps=110,
init_attack=fa.LinearSearchBlendedUniformNoiseAttack(steps=50),
update_stats_every_k=1,
)),
AttackTestTarget(fa.SaltAndPepperNoiseAttack(steps=50),
None,
uses_grad=True),
AttackTestTarget(fa.SaltAndPepperNoiseAttack(steps=50, channel_axis=1),
regularization=0),
None,
True,
False,
),
(fa.NewtonFoolAttack(steps=20), None, True, False),
(fa.VirtualAdversarialAttack(steps=50, xi=1), 10, True, False),
(fa.PGD(), Linf(1.0), True, False),
(fa.L2PGD(), L2(50.0), True, False),
(fa.LinfBasicIterativeAttack(abs_stepsize=0.2), Linf(1.0), True, False),
(fa.L2BasicIterativeAttack(), L2(50.0), True, False),
(fa.FGSM(), Linf(100.0), True, False),
(fa.FGM(), L2(100.0), True, False),
(fa.GaussianBlurAttack(steps=10), None, True, True),
(fa.GaussianBlurAttack(steps=10, max_sigma=224.0), None, True, True),
(fa.L2DeepFoolAttack(steps=50, loss="logits"), None, True, False),
(fa.L2DeepFoolAttack(steps=50, loss="crossentropy"), None, True, False),
(fa.LinfDeepFoolAttack(steps=50), None, True, False),
(fa.BoundaryAttack(steps=50), None, False, False),
(
fa.BoundaryAttack(
steps=110,
init_attack=fa.LinearSearchBlendedUniformNoiseAttack(steps=50),
update_stats_every_k=1,
),
None,
False,
False,
),
(fa.SaltAndPepperNoiseAttack(steps=50), None, True, False),
(fa.SaltAndPepperNoiseAttack(steps=50, channel_axis=1), None, True, False),
AttackTestTarget(fa.L2AdamBasicIterativeAttack(), L2(50.0), uses_grad=True),
AttackTestTarget(fa.L1AdamBasicIterativeAttack(), 5000.0, uses_grad=True),
AttackTestTarget(fa.SparseL1DescentAttack(), 5000.0, uses_grad=True),
AttackTestTarget(fa.FGSM(), Linf(100.0), uses_grad=True),
AttackTestTarget(FGSM_GE(), Linf(100.0)),
AttackTestTarget(fa.FGM(), L2(100.0), uses_grad=True),
AttackTestTarget(fa.L1FastGradientAttack(), 5000.0, uses_grad=True),
AttackTestTarget(
fa.GaussianBlurAttack(steps=10), uses_grad=True, requires_real_model=True
),
AttackTestTarget(
fa.GaussianBlurAttack(steps=10, max_sigma=224.0),
uses_grad=True,
requires_real_model=True,
),
AttackTestTarget(fa.L2DeepFoolAttack(steps=50, loss="logits"), uses_grad=True),
AttackTestTarget(
fa.L2DeepFoolAttack(steps=50, loss="crossentropy"), uses_grad=True
),
AttackTestTarget(fa.LinfDeepFoolAttack(steps=50), uses_grad=True),
AttackTestTarget(fa.BoundaryAttack(steps=50)),
AttackTestTarget(
fa.BoundaryAttack(
steps=110,
init_attack=fa.LinearSearchBlendedUniformNoiseAttack(steps=50),
update_stats_every_k=1,
)
),
AttackTestTarget(
fa.SaltAndPepperNoiseAttack(steps=50),
None,
if model == "base":
checkpoint = torch.load("./models/base/ckpt.pth")
else:
checkpoint = torch.load("./models/" + model + "/robust.pth")
net.load_state_dict(checkpoint["net"])
net.eval()
preprocessing = dict(mean=[0.4914, 0.4822, 0.4465],
std=[0.2023, 0.1994, 0.2010],
axis=-3)
fmodel = PyTorchModel(net,
bounds=(0, 1),
preprocessing=preprocessing,
device=device)
attack = fa.L2DeepFoolAttack(steps=10)
adv_distances = []
location = "./models/" + model
fname = "DeepFool.png"
for images, labels in testloader:
images = images.to(device)
labels = labels.to(device)
_, advs, _ = attack(fmodel, images, labels, epsilons=None)
dist = torch.norm((advs - images).view(len(images), -1), dim=1)
dist = dist[dist > 1e-4].cpu().numpy()