def main():
parser = argparse.ArgumentParser()
parser.add_argument('--steps',
type=int,
default=10000,
help='Iteration of BA')
parser.add_argument('--targeted',
action='store',
default=False,
help='For targeted attack')
args = parser.parse_args()
model = Net()
model.load_state_dict(torch.load('mnist_cnn.pt'))
model.eval()
preprocessing = dict(mean=0.1307, std=0.3081)
fmodel = PyTorchModel(model, bounds=(0, 1), preprocessing=preprocessing)
fmodel = fmodel.transform_bounds((0, 1))
assert fmodel.bounds == (0, 1)
images, labels = ep.astensors(
*samples(fmodel, dataset="mnist", batchsize=10))
print('Model accuracy on clean examples: {}'.format(
accuracy(fmodel, images, labels)))
epsilons = np.linspace(0.01, 10, 20)
boundary_attack = fa.BoundaryAttack(steps=args.steps, tensorboard=None)
_, _, ba_success = boundary_attack(fmodel,
images,
labels,
epsilons=epsilons)
ba_robust_accuracy = 1 - ba_success.float32().mean(axis=-1)
random_attack = fa.L2RepeatedAdditiveGaussianNoiseAttack(
repeats=args.steps)
_, _, ra_success = random_attack(fmodel, images, labels, epsilons=epsilons)
ra_robust_accuracy = 1 - ra_success.float32().mean(axis=-1)
legends = ["Boundary Attack", "Random Attack"]
plt.plot(epsilons, ba_robust_accuracy.numpy())
plt.plot(epsilons, ra_robust_accuracy.numpy())
plt.legend(legends, loc='upper right')
plt.xlabel("Perturbation Norm (L2)")
plt.ylabel("Robust Accuracy")
plt.title("{} Queries".format(args.steps))
plt.savefig('mnist_robust_acc.jpg')
plt.show()
def main():
parser = argparse.ArgumentParser()
parser.add_argument('--min_norm', type=float, default=0.01,
help='Minimum perturbation norm')
parser.add_argument('--max_norm', type=float, default=15,
help='Maximum perturbation norm')
parser.add_argument('--num', type=int, default=12,
help='Number of norms to evaluate on')
args = parser.parse_args()
device = torch.device("cuda" if torch.cuda.is_available() else "cpu")
# For Colab
# class args:
# # repeats = 1000
# min_norm = 0.01
# max_norm = 15
# num = 12
# List of max query count
queries = [10, 100, 1000, 5000]
# Load the pretrained model
model = Net()
model.load_state_dict(torch.load('mnist_cnn.pt'))
model.eval()
# preprocess the model inputs and set pixel bound in [0, 1]
preprocessing = dict(mean=0.1307, std=0.3081)
fmodel = PyTorchModel(model, bounds=(0, 1), preprocessing=preprocessing)
fmodel = fmodel.transform_bounds((0, 1))
assert fmodel.bounds == (0, 1)
# Set the perturbation norm space
epsilons = np.linspace(args.min_norm, args.max_norm, args.num)
test_loader = torch.utils.data.DataLoader(
datasets.MNIST('../data', train=False, download=True,
transform=transforms.ToTensor()),
batch_size=10000, shuffle=True)
total = 0 # total input count
successful = torch.zeros(args.num, device=device) # success for each norm
legends = []
start = time()
for query in queries:
for images, labels in test_loader:
images = images.to(device)
labels = labels.to(device)
ep.astensor_(images)
ep.astensor_(labels)
# Additive Gaussian noise attack with L2 norm
attack = fa.L2RepeatedAdditiveGaussianNoiseAttack(repeats=query)
raw, clipped, success = attack(fmodel, images, labels,
epsilons=epsilons)
# Add the total number of successful attacks for each norm value
successful += success.sum(axis=1)
total += len(labels)
robust_accuracy = (1 - 1.0 * successful / total).cpu()
plt.plot(epsilons, robust_accuracy.numpy())
legends.append("{} Queries".format(query))
plt.xlabel("Perturbation Norm (L2)")
plt.ylabel("Robust Accuracy")
plt.title("Gaussian Noise")
plt.legend(legends, loc='upper right')
plt.ylim([0, 1])
plt.savefig('mnist_RA_robust_acc.jpg')
plt.show()
end = time()
print("Time taken: {:.1f} minutes".format((end - start) / 60))
steps=110,
init_attack=fa.LinearSearchBlendedUniformNoiseAttack(steps=50),
update_stats_every_k=1,
)),
AttackTestTarget(fa.SaltAndPepperNoiseAttack(steps=50),
None,
uses_grad=True),
AttackTestTarget(fa.SaltAndPepperNoiseAttack(steps=50, channel_axis=1),
None,
uses_grad=True),
AttackTestTarget(fa.LinearSearchBlendedUniformNoiseAttack(steps=50), None),
AttackTestTarget(fa.L2AdditiveGaussianNoiseAttack(), 2500.0),
AttackTestTarget(fa.L2ClippingAwareAdditiveGaussianNoiseAttack(), 500.0),
AttackTestTarget(fa.LinfAdditiveUniformNoiseAttack(), 10.0),
AttackTestTarget(
fa.L2RepeatedAdditiveGaussianNoiseAttack(check_trivial=False), 1000.0),
AttackTestTarget(
fa.L2ClippingAwareRepeatedAdditiveGaussianNoiseAttack(
check_trivial=False),
200.0,
),
AttackTestTarget(fa.L2RepeatedAdditiveGaussianNoiseAttack(), 1000.0),
AttackTestTarget(fa.L2ClippingAwareRepeatedAdditiveGaussianNoiseAttack(),
200.0),
AttackTestTarget(fa.L2RepeatedAdditiveUniformNoiseAttack(), 1000.0),
AttackTestTarget(fa.L2ClippingAwareRepeatedAdditiveUniformNoiseAttack(),
200.0),
AttackTestTarget(fa.LinfRepeatedAdditiveUniformNoiseAttack(), 3.0),
]
fa.BoundaryAttack(
steps=110,
init_attack=fa.LinearSearchBlendedUniformNoiseAttack(steps=50),
update_stats_every_k=1,
),
None,
False,
False,
),
(fa.SaltAndPepperNoiseAttack(steps=50), None, True, False),
(fa.SaltAndPepperNoiseAttack(steps=50, channel_axis=1), None, True, False),
(fa.LinearSearchBlendedUniformNoiseAttack(steps=50), None, False, False),
(fa.L2AdditiveGaussianNoiseAttack(), 2500.0, False, False),
(fa.LinfAdditiveUniformNoiseAttack(), 10.0, False, False),
(
fa.L2RepeatedAdditiveGaussianNoiseAttack(check_trivial=False),
1000.0,
False,
False,
),
(fa.L2RepeatedAdditiveGaussianNoiseAttack(), 1000.0, False, False),
(fa.L2RepeatedAdditiveUniformNoiseAttack(), 1000.0, False, False),
(fa.LinfRepeatedAdditiveUniformNoiseAttack(), 3.0, False, False),
]
@pytest.mark.parametrize("attack_eps_grad_real", attacks, ids=get_attack_id)
def test_untargeted_attacks(
fmodel_and_data_ext_for_attacks: Tuple[Tuple[fbn.Model, ep.Tensor,
ep.Tensor], bool],
attack_eps_grad_real: Tuple[fbn.Attack, Optional[float], bool, bool],
None,
uses_grad=True,
stochastic_attack=True,
),
AttackTestTarget(
fa.LinearSearchBlendedUniformNoiseAttack(steps=50), None, stochastic_attack=True
),
AttackTestTarget(
fa.L2AdditiveGaussianNoiseAttack(), 3000.0, stochastic_attack=True
),
AttackTestTarget(
fa.L2ClippingAwareAdditiveGaussianNoiseAttack(), 500.0, stochastic_attack=True
),
AttackTestTarget(fa.LinfAdditiveUniformNoiseAttack(), 10.0, stochastic_attack=True),
AttackTestTarget(
fa.L2RepeatedAdditiveGaussianNoiseAttack(check_trivial=False),
1000.0,
stochastic_attack=True,
),
AttackTestTarget(
fa.L2ClippingAwareRepeatedAdditiveGaussianNoiseAttack(check_trivial=False),
200.0,
stochastic_attack=True,
),
AttackTestTarget(
fa.L2RepeatedAdditiveGaussianNoiseAttack(), 1000.0, stochastic_attack=True
),
AttackTestTarget(
fa.L2ClippingAwareRepeatedAdditiveGaussianNoiseAttack(),
200.0,
stochastic_attack=True,