import numpy as np
import torch
import torch.nn as nn
import eagerpy as ep

# Import paths below are assumptions inferred from the names used in
# these tests; adjust them to the actual package layout.
from foolbox import PyTorchModel
from foolbox.devutils import flatten
from foolbox.attacks import (
    GaussianBlurAttack,
    L1BrendelBethgeAttack,
    BinarySearchContrastReductionAttack,
    BinarizationRefinementAttack,
)
from foolbox.criteria import misclassification


def test_deepfool(Attack, loss):
    channels = 3
    batch_size = 8
    h = w = 32
    bounds = (0, 1)

    class Model(nn.Module):
        def forward(self, x):
            # mean over the spatial dimensions -> per-channel "logits"
            x = torch.mean(x, 3)
            x = torch.mean(x, 2)
            return x

    model = Model().eval()
    fmodel = PyTorchModel(model, bounds=bounds)

    np.random.seed(0)
    x = np.random.uniform(*bounds, size=(batch_size, channels, h, w)).astype(np.float32)
    x = torch.from_numpy(x).to(fmodel.device)
    y = fmodel.forward(x).argmax(axis=-1)

    attack = Attack(fmodel)
    advs = attack(x, y, loss=loss)

    perturbations = ep.astensor(advs - x)
    norms = flatten(perturbations).square().sum(axis=-1).sqrt()
    y_advs = fmodel.forward(advs).argmax(axis=-1)

    assert x.shape == advs.shape
    # the L2 norms of the perturbations must stay within a loose bound
    assert norms.max().item() <= 40.0 + 1e-7
    # at least one sample must be misclassified
    assert (y_advs == y).float().mean() < 1
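# A sketch (not from the source) of how the parametrized test above might
# be driven with pytest; the attack classes and loss names are assumptions
# about foolbox's DeepFool variants, which accept loss="logits" or
# loss="crossentropy":
#
# @pytest.mark.parametrize("loss", ["logits", "crossentropy"])
# @pytest.mark.parametrize("Attack", [L2DeepFoolAttack, LinfDeepFoolAttack])
# def test_deepfool(Attack, loss):
#     ...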
def test_gaussian_blur_attack():
    channels = 3
    batch_size = 8
    h = w = 32
    bounds = (0, 1)

    class Model(nn.Module):
        def forward(self, x):
            # instead of our usual model that's robust to the BlurAttack,
            # we use a slightly different model that can be attacked:
            # finite differences along both spatial axes make the logits
            # sensitive to blurring
            x = x[:, :, 1:, :] - x[:, :, :-1, :]
            x = x[:, :, :, 1:] - x[:, :, :, :-1]
            x = torch.mean(x, 3)
            x = torch.mean(x, 2)
            return x

    model = Model().eval()
    fmodel = PyTorchModel(model, bounds=bounds)

    np.random.seed(0)
    x = np.random.uniform(*bounds, size=(batch_size, channels, h, w)).astype(np.float32)
    x = torch.from_numpy(x).to(fmodel.device)
    y = fmodel.forward(x).argmax(axis=-1)

    attack = GaussianBlurAttack(fmodel, channel_axis=1)
    advs = attack(x, y)

    perturbations = ep.astensor(advs - x)
    norms = flatten(perturbations).square().sum(axis=-1).sqrt()
    y_advs = fmodel.forward(advs).argmax(axis=-1)

    assert x.shape == advs.shape
    assert norms.max().item() <= 20.0 + 1e-7
    # at least one sample must be misclassified
    assert (y_advs == y).float().mean() < 1
def test_l1_brendel_bethge_attack():
    channels = 3
    batch_size = 8
    h = w = 32
    bounds = (0, 1)

    class Model(nn.Module):
        def forward(self, x):
            x = torch.mean(x, 3)
            x = torch.mean(x, 2)
            return x

    model = Model().eval()
    fmodel = PyTorchModel(model, bounds=bounds)

    np.random.seed(0)
    x = np.random.uniform(*bounds, size=(batch_size, channels, h, w)).astype(np.float32)
    x = torch.from_numpy(x).to(fmodel.device)
    y = fmodel.forward(x).argmax(axis=-1)

    attack = L1BrendelBethgeAttack(fmodel)
    advs = attack(x, y, steps=100, lr_num_decay=10)

    perturbations = ep.astensor(advs - x)
    norms = flatten(perturbations).abs().sum(axis=-1)
    y_advs = fmodel.forward(advs).argmax(axis=-1)

    assert x.shape == advs.shape
    assert norms.max().item() <= 32 * 32 * 3 / 2
    assert (y_advs == y).float().mean() < 1e-5
def test_binary_search_contrast_reduction_attack():
    channels = 3
    batch_size = 8
    h = w = 32
    bounds = (0, 1)

    class Model(nn.Module):
        def forward(self, x):
            # binarize the input before pooling, so the decision only
            # depends on which pixels lie above the 0.5 threshold
            x = x.clone()
            x[x >= 0.5] = 1.0
            x[x < 0.5] = 0.0
            x = torch.mean(x, 3)
            x = torch.mean(x, 2)
            return x

    model = Model().eval()
    fmodel = PyTorchModel(model, bounds=bounds)

    np.random.seed(0)
    x = np.random.uniform(*bounds, size=(batch_size, channels, h, w)).astype(np.float32)
    x = torch.from_numpy(x).to(fmodel.device)
    y = fmodel.forward(x).argmax(axis=-1)

    attack = BinarySearchContrastReductionAttack(fmodel)
    advs = attack(x, y)

    perturbations = ep.astensor(advs - x)
    norms = flatten(perturbations).square().sum(axis=-1).sqrt()
    y_advs = fmodel.forward(advs).argmax(axis=-1)

    assert (y_advs == y).float().mean() < 1

    # refine the adversarials found by the first attack; the refinement
    # must preserve the predicted classes while shrinking (never growing)
    # the perturbations
    attack2 = BinarizationRefinementAttack(fmodel)
    advs2 = attack2(x, y, adversarials=advs, criterion=misclassification)

    perturbations2 = ep.astensor(advs2 - x)
    norms2 = flatten(perturbations2).square().sum(axis=-1).sqrt()
    y_advs2 = fmodel.forward(advs2).argmax(axis=-1)

    assert (y_advs == y_advs2).all()
    assert (norms2 <= norms).all()
    assert (norms2 < norms).any()