def validate_PGD(val_loader, model, log):
losses = AverageMeter()
top1 = AverageMeter()
top5 = AverageMeter()
# switch to evaluate mode
model.eval()
for i, (input, target) in enumerate(val_loader):
if args.use_cuda:
target = target.cuda(async=True)
input = input.cuda()
with torch.no_grad():
input_var = Variable(input)
target_var = Variable(target)
# get adv images
pgd_attack = torchattacks.PGD(model, eps=4 / 255, alpha=8 / 255)
adversarial_images = pgd_attack(input_var, target_var)
# compute output
output = model(adversarial_images)
loss = criterion(output, target_var)
# measure accuracy and record loss
prec1, prec5 = accuracy(output.data, target, topk=(1, 5))
losses.update(loss.item(), input.size(0))
top1.update(prec1.item(), input.size(0))
top5.update(prec5.item(), input.size(0))
print_log(
' **Test_pgd** Prec@1 {top1.avg:.3f} Prec@5 {top5.avg:.3f} Error@1 {error1:.3f} Loss: {losses.avg:.3f} '.format(
top1=top1, top5=top5, error1=100 - top1.avg, losses=losses), log)
return top1.avg, losses.avg
def attack_loader(args, net):
# Gradient Clamping based Attack
if args.attack == "pgd":
return torchattacks.PGD(model=net,
eps=args.eps,
alpha=args.eps / args.steps * 2.3,
steps=args.steps,
random_start=True)
elif args.attack == "auto":
return torchattacks.APGD(model=net, eps=args.eps)
elif args.attack == "fab":
return torchattacks.FAB(model=net,
eps=args.eps,
n_classes=args.n_classes)
elif args.attack == "cw":
return torchattacks.CW(model=net, c=0.1, lr=0.1, steps=200)
elif args.attack == "fgsm":
return torchattacks.FGSM(model=net, eps=args.eps)
elif args.attack == "bim":
return torchattacks.BIM(model=net, eps=args.eps, alpha=1 / 255)
elif args.attack == "deepfool":
return torchattacks.DeepFool(model=net, steps=10)
elif args.attack == "sparse":
return torchattacks.SparseFool(model=net)
elif args.attack == "gn":
return torchattacks.GN(model=net, sigma=args.eps)
def ta_pgd(x, y, model, eps=0.3, alpha=2 / 255, steps=40, random_start=False):
attack = torchattacks.PGD(model,
eps=eps,
alpha=alpha,
steps=steps,
random_start=random_start)
advs = attack(x, y)
return advs
def get_attack(eps):
if args.attack == 'no_attack':
attack = lambda images, labels: images
elif args.attack == 'pgd':
n_steps = 100
attack = torchattacks.PGD(net_adv, eps=eps, alpha=2.5 * eps/n_steps, steps=n_steps)
else:
raise NotImplementedError('Not implemented attack')
return attack
def get_atk(model, atk_name, eps, steps):
if atk_name == 'fgsm':
return torchattacks.FGSM(model, eps=eps)
elif atk_name == 'bim':
return torchattacks.BIM(model,
eps=eps,
steps=steps,
alpha=eps / (steps * .5))
elif atk_name == 'deepfool':
return torchattacks.DeepFool(model, steps=steps)
elif atk_name == 'cw':
return torchattacks.CW(model)
elif atk_name == 'pgd':
return torchattacks.PGD(model,
eps=eps,
steps=steps,
alpha=eps / (steps * .5))
elif atk_name == 'rfgsm':
return torchattacks.RFGSM(model, eps=eps, alpha=eps)
elif atk_name == 'auto-attack':
return torchattacks.AutoAttack(model, eps=eps)
elif atk_name == 'mifgsm':
return torchattacks.MIFGSM(model, eps=eps, steps=steps)
elif atk_name == 'square':
return torchattacks.Square(model, eps=eps)
elif atk_name == 'fab':
return torchattacks.FAB(model, eps=eps)
elif atk_name == 'one-pixel':
return torchattacks.OnePixel(model)
elif atk_name == 'gn':
return torchattacks.GN(model, sigma=eps)
elif atk_name == 'apgd':
return torchattacks.APGD(model, eps=eps)
elif atk_name == 'eotpgd':
return torchattacks.EOTPGD(model,
eps=eps,
steps=steps,
alpha=eps / (steps * .5))
elif atk_name == 'pgddlr':
return torchattacks.PGDDLR(model,
eps=eps,
steps=steps,
alpha=eps / (steps * .5))
elif atk_name == 'ffgsm':
return torchattacks.FFGSM(model, eps=eps, alpha=eps)
elif atk_name == 'sparsefool':
return torchattacks.SparseFool(model)
else:
print("Attack not valid")
sys.exit(-1)
def train_epoch(model, loader, optimizer):
model.train()
train_loss = []
bar = tqdm(loader)
for i, (data, target) in enumerate(bar):
optimizer.zero_grad()
if args.use_meta:
data, meta = data
data, meta, target = data.to(device), meta.to(device), target.to(device)
logits = model(data, meta)
else:
# attack 추가
epss = [1, 2, 4]
alphas = [1, 2]
atk = torchattacks.PGD(model, eps=epss[i % len(epss)] / 255, alpha=alphas[i % len(alphas)] / 255, steps=4)
data = atk(data, (target + 1) % 2)
data, target = data.to(device), target.to(device)
logits = model(data)
loss = criterion(logits, target)
if not args.use_amp:
loss.backward()
# else:
# with amp.scale_loss(loss, optimizer) as scaled_loss:
# scaled_loss.backward()
if args.image_size in [896,576]:
# 그라디언트가 너무 크면 값을 0.5로 잘라준다 (max_grad_norm=0.5)
torch.nn.utils.clip_grad_norm_(model.parameters(), 0.5)
# gradient accumulation (메모리 부족할때)
if args.accumulation_step:
if (i + 1) % args.accumulation_step == 0:
optimizer.step()
#optimizer.zero_grad()
else:
optimizer.step()
#optimizer.zero_grad()
loss_np = loss.detach().cpu().numpy()
train_loss.append(loss_np)
smooth_loss = sum(train_loss[-100:]) / min(len(train_loss), 100)
bar.set_description('loss: %.5f, smooth_loss: %.5f' % (loss_np, smooth_loss))
train_loss = np.mean(train_loss)
return train_loss
def load_attack(model, attack: str):
import torchattacks
if attack == 'PGD':
return torchattacks.PGD(model, eps=2 / 255, alpha=2 / 255, steps=7)
elif attack == 'CW':
return torchattacks.CW(model,
targeted=False,
c=1,
kappa=0,
steps=1000,
lr=0.01)
elif attack == 'BIM':
return torchattacks.BIM(model, eps=4 / 255, alpha=1 / 255, steps=0)
elif attack == 'FGSM':
return torchattacks.FGSM(model, eps=1 / 255)
else:
raise NotImplementedError()
def eval_(self):
self.model.eval()
adv_correct_1 = 0
adv_correct_2 = 0
nat_correct = 0
total = 0
for i, (image, label) in enumerate(self.testloader):
if torch.cuda.is_available():
image = image.cuda()
label = label.cuda()
image, label = Variable(image), Variable(label)
atk1 = torchattacks.PGD(self.model, eps=8 / 255, alpha=2 / 255, steps=4)
atk2 = torchattacks.PGDL2(self.model, eps=0.5, alpha=0.1, steps=7)
adversarial_images1 = atk1(image, label)
adversarial_images2 = atk2(image, label)
student_outputs = self.model(image)
student_outputs_adv1 = self.model(adversarial_images1)
student_outputs_adv2 = self.model(adversarial_images2)
# checking for attack-success acc
_, predicted = torch.max(student_outputs.data, 1)
_, adv_pred_1 = torch.max(student_outputs_adv1, dim=1)
_, adv_pred_2 = torch.max(student_outputs_adv2, dim=1)
nat_correct += (predicted == label).sum()
adv_correct_1 += (adv_pred_1 == label).sum()
adv_correct_2 += (adv_pred_2 == label).sum()
total += label.size(0)
nat_acc = float(nat_correct) / total
adv_acc_1 = float(adv_correct_1) / total
adv_acc_2 = float(adv_correct_2) / total
self._log('Natural Accuracy: {:.3f}'.format(nat_acc))
self._log('Adv Accuracy_1: {:.3f}'.format(adv_acc_1))
self._log('Adv Accuracy_2: {:.3f}'.format(adv_acc_2))
return nat_acc, adv_acc_1, adv_acc_2
def main(args):
classifier = torch.load('./saved/resnet50_cifar10.pth')
model = blackbox(classifier)
train_set, test_set = datasets.CIFAR10(root='/home/taejoon/data/CIFAR10',
normalize=False)
num_classes = 10
batch_size = 64
test_loader = torch.utils.data.DataLoader(test_set, batch_size=batch_size)
device = torch.device("cuda" if torch.cuda.is_available() else "cpu")
# device = torch.device("cpu")
if args.attack == 'FGSM':
attack = torchattacks.FGSM(model, eps=float(Fraction(args.eps)))
elif args.attack == 'PGD':
attack = torchattacks.PGD(model, eps=float(Fraction(args.eps)))
elif args.attack == 'DeepFool':
attack = torchattacks.DeepFool(model)
elif args.attack == 'CW':
attack = torchattacks.CW(model, kappa=50)
elif args.attack == 'EOT':
attack = torchattacks.APGD(model, eps=float(Fraction(args.eps)))
# print (dict(torchattacks))
model = model.to(device)
model.eval()
criterion = nn.CrossEntropyLoss()
total_loss = 0
clean_acc = 0
adv_acc = 0
cp_acc = 0
tucker_acc = 0
cp_rank = int(args.cp_rank)
tucker_rank = [3, int(args.tucker_rank), int(args.tucker_rank)]
for i, (images, labels) in enumerate(test_loader):
images = images.to(device)
labels = labels.to(device)
preds = model(images)
_, prediction = preds.max(dim=1, keepdim=False)
clean_acc += (prediction == labels).sum()
adversarial_images = attack(images, labels)
preds = model(adversarial_images)
_, prediction = preds.max(dim=1, keepdim=False)
adv_acc += (prediction == labels).sum()
adversarial_images = adversarial_images.detach().cpu().numpy()
# Cp_reconstructions = np.zeros_like(adversarial_images)
Tucker_reconstructions = np.zeros_like(adversarial_images)
for j, adv in enumerate(adversarial_images):
# factors = tl.decomposition.parafac(adv,rank = cp_rank,init = 'random',tol = 1e-4,random_state = np.random.RandomState())
# cp_reconstruction = tl.kruskal_to_tensor(factors)
# Cp_reconstructions[j] = cp_reconstruction
core, tucker_factors = tucker(adv,
ranks=tucker_rank,
init='random',
tol=1e-4,
random_state=np.random.RandomState())
tucker_reconstruction = tl.tucker_to_tensor((core, tucker_factors))
Tucker_reconstructions[j] = tucker_reconstruction
# Cp_reconstructions = torch.from_numpy(Cp_reconstructions).to(device,dtype = torch.float)
# preds = model(Cp_reconstructions)
# _,prediction = preds.max(dim = 1,keepdim = False)
# cp_acc += (prediction == labels).sum()
Tucker_reconstructions = torch.from_numpy(Tucker_reconstructions).to(
device, dtype=torch.float)
preds = model(Tucker_reconstructions)
_, prediction = preds.max(dim=1, keepdim=False)
tucker_acc += (prediction == labels).sum()
# if (i%25==0):
# print ("# data %f, clean_acc %f, adv_acc %f, cp_acc %f, tucker_acc %f" %((i+1)*batch_size,clean_acc,adv_acc,cp_acc,tucker_acc))
if (i % 5 == 0):
print("# data %f, clean_acc %f, adv_acc %f, tucker_acc %f" %
((i + 1) * batch_size, clean_acc, adv_acc, tucker_acc))
clean_acc = float(clean_acc) / len(test_set)
adv_acc = float(adv_acc) / len(test_set)
# cp_acc = float(cp_acc)/len(test_set)
tucker_acc = float(tucker_acc) / len(test_set)
print("loss", total_loss, "adv acc", adv_acc, "tucker acc", tucker_acc)
f = open("./result/20200706.txt", 'a')
data = "Attack Method : " + args.attack + "\n"
data += "epsilon : " + args.eps + "\n"
data += "cp_rank : " + str(cp_rank) + ", tucker_rank : " + str(
tucker_rank) + "\n"
# data += "clean : " + str(clean_acc) + " adv_acc : " + str(adv_acc) + " cp_acc : " + str(cp_acc) + " tucker_acc : " + str(tucker_acc) + "\n"
data += "clean : " + str(clean_acc) + " adv_acc : " + str(
adv_acc) + " cp_acc : " + "None" + " tucker_acc : " + str(
tucker_acc) + "\n"
data += "=" * 50
f.write(data + '\n')
def train_model(device, dataloaders, batch_size, len_dataset, model, criterion, optimizer, scheduler, num_epochs=25):
since = time.time()
'''
* state_dict: 각 layer 를 매개변수 텐서로 매핑하는 Python 사전(dict) 객체
- layer; learnable parameters (convolutional layers, linear layers, etc.), registered buffers (batchnorm’s running_mean)
- Optimizer objects (torch.optim)
'''
best_model_wts = copy.deepcopy(model.state_dict())
best_acc = 0.0
train_loss, train_acc, valid_loss, valid_acc = [], [], [], []
for epoch in range(num_epochs):
print('Epoch {}/{}'.format(epoch, num_epochs - 1))
print('-' * 10)
# 각 epoch마다 training, validation phase 나눠줌.
for phase in ['train', 'valid']:
if phase == 'train':
model.train() # training mode
else:
model.eval() # evaluate mode
running_loss, running_corrects, num_cnt = 0.0, 0, 0
ratio_adv_ori = int((len_dataset // batch_size + 1) * 0.4) # adversarial, original data 비율 정하기
# batch 별로 나눠진 데이터 불러오기
for i, (inputs, labels) in enumerate(dataloaders[phase]):
# 설정한 비율에 따라 adversarial, original input으로 나누기
if (phase == 'train' and (i < ratio_adv_ori)) or (phase == 'valid' and i % 2 == 0):
inputs = inputs.to(device)
else:
# adversarial attack 정의
atks = [torchattacks.FGSM(model, eps=8 / 255),
torchattacks.BIM(model, eps=8 / 255, alpha=2 / 255, steps=7),
torchattacks.PGD(model, eps=8 / 255, alpha=2 / 255, steps=7),
]
inputs = atks[i % 3](inputs, labels).to(device)
# Image Processing Based Defense Methods --> tensor를 image로 변환하여 적용
for batch in range(inputs.shape[0]):
tensor2pil = transforms.ToPILImage()(inputs[batch]).convert('RGB')
# 1. Resizing
# Image.resize(size, resample=3, box=None, reducing_gap=None)
# resample(filter): PIL.Image.NEAREST, PIL.Image.BOX, PIL.Image.BILINEAR, PIL.Image.HAMMING, PIL.Image.BICUBIC
tensor2pil.resize((74, 74))
tensor2pil.resize((224, 224))
# 다시 이미지를 tensor로 바꾸기
tensor_img = transforms.ToTensor()(tensor2pil)
inputs[batch] = tensor_img
# 2. jpeg compression
tensor2numpy = inputs[batch].cpu().numpy()
cv_img = np.transpose(tensor2numpy, (1, 2, 0)) # [w, h, c]
cv_img = cv_img * 255
encode_param = [int(cv2.IMWRITE_JPEG_QUALITY), 15]
result, encimg = cv2.imencode('.jpg', cv_img, encode_param)
if False == result:
print('could not encode image!')
quit()
# decode from jpeg format
jpeg_img = cv2.imdecode(encimg, 1)
jpeg2input = np.transpose(jpeg_img, (2, 0, 1)) / 255
inputs[batch] = torch.Tensor(jpeg2input).to(device)
# # save adversarial examples
# save_inputs = inputs.cpu().numpy()
# labels = labels.cpu().numpy()
# from matplotlib.pyplot import imsave
#
# for j in range(batch_size):
# image = save_inputs[j, :, :, :]
# label = labels[j]
# if label == 0:
# imsave(
# f"C:/Users/mmclab1/Desktop/fakecheck/dataset/adv_img_examples/"
# f"fake_adversarial_image_{j}.png",
# np.transpose(image, (1, 2, 0)))
# else:
# imsave(
# f"C:/Users/mmclab1/Desktop/fakecheck/dataset/adv_img_examples/"
# f"real_adversarial_image_{j}.png",
# np.transpose(image, (1, 2, 0)))
labels = labels.to(device)
# 학습 가능한 가중치인 "optimizer 객체" 사용하여, 갱신할 변수들에 대한 모든 변화도 0으로 설정
# backward() 호출시, 변화도가 buffer 에 덮어쓰지 않고 누적되기 때문.
optimizer.zero_grad()
# forward pass
# gradient 계산하는 모드로, 학습 시에만 연산 기록을 추적
with torch.set_grad_enabled(phase == 'train'):
outputs = model(inputs) # h(x) 값, 모델의 예측 값
_, preds = torch.max(outputs, 1) # dim = 1, output의 각 sample 결과값(row)에서 max값 1개만 뽑음.
loss = criterion(outputs, labels) # h(x) 모델이 잘 예측했는지 판별하는 loss function
# training phase에서만 backward + optimize 수행
if phase == 'train':
loss.backward() # gradient 계산
optimizer.step() # parameter update
# statistics
running_loss += loss.item() * inputs.size(0) # inputs.size(0) == batch size
running_corrects += torch.sum(preds == labels.data) # True == 1, False == 0, 총 정답 수
num_cnt += len(labels) # len(labels) == batch size
if phase == 'train':
scheduler.step() # Learning Rate Scheduler
epoch_loss = float(running_loss / num_cnt)
epoch_acc = float((running_corrects.double() / num_cnt).cpu() * 100)
if phase == 'train':
train_loss.append(epoch_loss)
train_acc.append(epoch_acc)
else:
valid_loss.append(epoch_loss)
valid_acc.append(epoch_acc)
print('{} Loss: {:.2f} Acc: {:.1f}'.format(phase, epoch_loss, epoch_acc))
# deep copy the model
if phase == 'valid' and epoch_acc > best_acc:
best_idx = epoch
best_acc = epoch_acc
best_model_wts = copy.deepcopy(model.state_dict())
# best_model_wts = copy.deepcopy(model.module.state_dict())
print('==> best model saved - %d / %.1f' % (best_idx, best_acc))
time_elapsed = time.time() - since
print('Training complete in {:.0f}m {:.0f}s'.format(time_elapsed // 60, time_elapsed % 60))
print('Best valid Acc: %d - %.1f' % (best_idx, best_acc))
# load best model weights
PATH = 'pytorch_model_adv_epoch30_4_sgd_resize3_comp15.pt'
model.load_state_dict(best_model_wts)
# torch.save(model.state_dict(), PATH) # 모델 객체의 state_dict 저장
torch.save(model, PATH) # 전체모델 저장
torch.save(model.state_dict(), f'C:/Users/mmclab1/.cache/torch/hub/checkpoints/{PATH}')
print('model saved')
# train, validation의 loss, acc 그래프로 나타내기
plt.subplot(311)
plt.plot(train_loss)
plt.plot(valid_loss)
plt.ylabel('loss')
plt.xlabel('epoch')
plt.legend(['train', 'validation'], loc='upper left')
plt.subplot(313)
plt.plot(train_acc)
plt.plot(valid_acc)
plt.ylabel('acc')
plt.xlabel('epoch')
plt.legend(['train', 'validation'], loc='upper left')
plt.savefig('graph_adv_epoch30_4_sgd_resize3_comp15.png')
plt.show()
return model, best_idx, best_acc, train_loss, train_acc, valid_loss, valid_acc, inputs
def train_epoch(model, loader, optimizer):
model.train()
train_loss = []
bar = tqdm(loader)
for i, (data, target, face_name, df_method) in enumerate(bar):
optimizer.zero_grad()
if args.use_meta:
data, meta = data
data, meta, target = data.to(device), meta.to(device), target.to(
device)
logits = model(data, meta)
else:
# attack 추가
method = {
'0_PGD': [20, 70, 2],
'1_APGD': [20, 70, 2],
'2_FGSM': [2, 8],
'3_FFGSM': [4, 7, 10],
'4_MIFGSM': [3, 6],
'5_RFGSM': [4, 7, 8],
'6_BIM': [4, 10, 1],
'7_CW': [1e-4, 2e-4]
}
# 1. original data save
# img_o
# 2. small sized data
# img_s = scaling(image_o, scaling_factor=0.5)
# out_attack = attack(small_data, target~~~)
# img_gen = normalize ( scaling ((out_attack - small_data), 1/scaling_factor) + img_o)
for eps in range(2):
globals()['atk{}'.format(0)] = torchattacks.PGD(
model,
eps=method['0_PGD'][eps] / 255,
alpha=method['0_PGD'][-1] / 255,
steps=4)
globals()['atk{}'.format(1)] = torchattacks.APGD(
model,
eps=method['1_APGD'][eps] / 255,
alpha=method['1_APGD'][-1] / 255,
steps=4)
globals()['atk{}'.format(2)] = torchattacks.FGSM(
model, eps=method['2_FGSM'][eps] / 255)
globals()['atk{}'.format(3)] = torchattacks.FFGSM(
model,
eps=method['3_FFGSM'][eps] / 255,
alpha=method['3_FFGSM'][-1] / 255)
globals()['atk{}'.format(4)] = torchattacks.MIFGSM(
model, eps=method['4_MIFGSM'][eps] / 255, steps=4)
globals()['atk{}'.format(5)] = torchattacks.RFGSM(
model,
eps=method['5_RFGSM'][eps] / 255,
alpha=method['5_RFGSM'][-1] / 255,
steps=4)
globals()['atk{}'.format(6)] = torchattacks.BIM(
model,
eps=method['6_BIM'][eps] / 255,
alpha=method['6_BIM'][-1] / 255)
globals()['atk{}'.format(7)] = torchattacks.CW(
model, c=method['7_CW'][eps], steps=10)
for count in range(8):
# globals()['data_atk{}'.format(i)]
globals()['data_atk{}'.format(count)] = globals()[
'atk{}'.format(count)](data, (target + 1) % 2)
globals()['data_atk{}'.format(count)], target = (
globals()['data_atk{}'.format(count)]
).to(device), target.to(device)
logits = model(globals()['data_atk{}'.format(count)])
globals()['data_atk{}'.format(count)] = (
globals()['data_atk{}'.format(count)]).cpu().numpy()
method_keys = list(method.keys())
bat_size = args.batch_size
for j in range(bat_size):
for save_cnt in range(8):
globals()['im{}'.format(save_cnt)] = (globals()[
'data_atk{}'.format(save_cnt)])[j, :, :, :]
# imsave(
# f"./confirm_attack2img/AE-classification/{method_keys[save_cnt]}/"
# f"{target[j]}_{face_name[j]}_{i * bat_size + j}_{method_keys[save_cnt]}_eps{method[method_keys[save_cnt]][eps]}_wsbs.png",
# np.transpose(globals()['im{}'.format(save_cnt)], (1, 2, 0)))
imsave(
f"./confirm_attack2img/AE-classification/train/"
f"{target[j]}_{face_name[j]}_{df_method[j]}_{i * bat_size + j}_{method_keys[save_cnt]}_eps{method[method_keys[save_cnt]][eps]}_wsbs.png",
np.transpose(globals()['im{}'.format(save_cnt)],
(1, 2, 0)))
loss = criterion(logits, target)
if not args.use_amp:
loss.backward()
# else:
# with amp.scale_loss(loss, optimizer) as scaled_loss:
# scaled_loss.backward()
if args.image_size in [896, 576]:
# 그라디언트가 너무 크면 값을 0.5로 잘라준다 (max_grad_norm=0.5)
torch.nn.utils.clip_grad_norm_(model.parameters(), 0.5)
# gradient accumulation (메모리 부족할때)
if args.accumulation_step:
if (i + 1) % args.accumulation_step == 0:
optimizer.step()
# optimizer.zero_grad()
else:
optimizer.step()
# optimizer.zero_grad()
loss_np = loss.detach().cpu().numpy()
train_loss.append(loss_np)
smooth_loss = sum(train_loss[-100:]) / min(len(train_loss), 100)
bar.set_description('loss: %.5f, smooth_loss: %.5f' %
(loss_np, smooth_loss))
train_loss = np.mean(train_loss)
return train_loss
def train(self):
best_acc_1 = 0
best_acc_2 = 0
best_nat_acc = 0
if self.epoch < 80:
for param_group in self.optimizer.param_groups:
param_group['lr'] = 0.1
if self.epoch >= 80 and self.epoch < 120:
for param_group in self.optimizer.param_groups:
param_group['lr'] = 0.01
if self.epoch >= 120:
for param_group in self.optimizer.param_groups:
param_group['lr'] = 0.001
while self.epoch < self.args.epochs:
self.model.train()
total = 0
adv_correct_1 = 0
adv_correct_2 = 0
nat_correct = 0
for i, (image,label) in enumerate(self.trainloader):
if torch.cuda.is_available():
image = image.cuda()
label = label.cuda()
self.optimizer.zero_grad()
image, label = Variable(image), Variable(label)
#load attack method
atk1 = torchattacks.PGD(self.model, eps=8 / 255, alpha=2 / 255, steps=4)
atk2 = torchattacks.PGDL2(self.model, eps=0.5, alpha=0.1, steps=7)
adversarial_images1 = atk1(image,label)
adversarial_images2 = atk2(image,label)
outputs1 = self.T_net1(image)
outputs2 = self.T_net2(image)
student_outputs_adv1 = self.model(adversarial_images1)
student_outputs_adv2 = self.model(adversarial_images2)
student_output = self.model(image)
loss_adv1 = self.distillation(student_outputs_adv1, outputs1, label, 3, 0.9) # learn both from pgd AND
loss_adv2 = self.distillation(student_outputs_adv2, outputs2, label, 3, 0.9)
loss = loss_adv1 + loss_adv2
loss.backward()
self.optimizer.step()
#checking for attack-success acc
_, adv_pred_1 = torch.max(student_outputs_adv1, dim=1)
_, adv_pred_2 = torch.max(student_outputs_adv2, dim=1)
_, pred = torch.max(student_output, dim=1)
adv_correct_1 += (adv_pred_1 == label).sum()
adv_correct_2 += (adv_pred_2 == label).sum()
nat_correct += (pred == label).sum()
total += label.size(0)
self.epoch += 1
acc_1 = float(adv_correct_1)/total
acc_2 = float(adv_correct_2)/total
nat_acc_ = float(nat_correct)/total
mess = "{}th Epoch, nat_acc: {:.3f}, Acc_1: {:.3f}, Acc_2: {:.3f}, Loss: {:.3f}".format(self.epoch, nat_acc_, acc_1, acc_2, loss.item())
self._log(mess)
self._save_checkpoint('checkpoint.pth')
# Evaluation
nat_acc, adv_acc_1, adv_acc_2 = self.eval_()
if nat_acc + adv_acc_1 + adv_acc_2 > best_nat_acc + best_acc_1 + best_acc_2:
best_nat_acc = nat_acc
best_acc_1 = adv_acc_1
best_acc_2 = adv_acc_2
self._save_checkpoint('best_checkpoint.pth')
self._log('Best Test Accuracy: {:.3f}/{:.3f}/{:.3f}'.format(best_nat_acc, best_acc_1, best_acc_2))
self._log('=======Best Test Accuracy: {:.3f}/{:.3f}/{:.3f}======'.format(best_nat_acc, best_acc_1, best_acc_2))
def main(args):
if args.autoencoder == 'True':
autoencoder = torch.load('./saved/DAE_cifar10.pth')
else:
autoencoder = None
classifier = torch.load('./saved/resnet50_cifar10.pth')
global device
device = torch.device("cuda" if torch.cuda.is_available() else "cpu")
# device = torch.device("cpu")
model = DecompNet(classifier,
Autoencoder=autoencoder,
decomposition=args.decomposition)
train_set, test_set = datasets.CIFAR10(root='/home/taejoon/data/CIFAR10',
normalize=False)
num_classes = 10
batch_size = 64
test_loader = torch.utils.data.DataLoader(test_set, batch_size=batch_size)
criterion = nn.CrossEntropyLoss()
global rank
rank = int(args.rank)
tucker_rank = [3, rank, rank]
total_loss = 0
clean_acc = 0
adv_acc = 0
adv_clf_acc = 0
cp_acc = 0
tucker_acc = 0
tl.set_backend('pytorch')
if args.attack == "BPDA":
attack = torchattacks.PGD(model, eps=float(Fraction(args.eps)))
elif args.attack == "EoT":
attack = torchattacks.APGD(model, eps=float(Fraction(args.eps)))
model.eval()
# attack_classifier = torchattacks.PGD(classifier,eps = float(Fraction(args.eps)))
for i, (images, labels) in enumerate(test_loader):
images, labels = images.to(device), labels.to(device)
preds = model(images)
_, prediction = preds.max(dim=1, keepdim=False)
clean_acc += (prediction == labels).sum()
adversarial_images = attack(images, labels)
preds = model(adversarial_images)
_, prediction = preds.max(dim=1, keepdim=False)
adv_acc += (prediction == labels).sum()
# advs = attack_classifier(images,labels)
# preds = model(advs)
# _,prediction = preds.max(dim = 1,keepdim = False)
# adv_clf_acc += (prediction == labels).sum()
#
# advs = advs.detach().cpu()
# Tucker_reconstructions = torch.zeros_like(advs)
# for j,adv in enumerate(advs):
# core,tucker_factors = tucker(adv,ranks = tucker_rank,init = 'random', tol = 1e-4, random_state=np.random.RandomState())
# tucker_reconstruction = tl.tucker_to_tensor((core,tucker_factors))
# Tucker_reconstructions[j] = tucker_reconstruction
# # Tucker_reconstructions = torch.from_numpy(Tucker_reconstructions).to(device,dtype = torch.float)
# Tucker_reconstructions = Tucker_reconstructions.to(device)
# preds2 = classifier(Tucker_reconstructions)
# _,prediction = preds2.max(dim = 1,keepdim = False)
# tucker_acc += (prediction == labels).sum()
# pdb.set_trace()
if (i % 5 == 0):
print("method %s # data %f, clean_acc %f, adv_acc %f" %
(args.decomposition,
(i + 1) * batch_size, clean_acc, adv_acc))
clean_acc = float(clean_acc) / len(test_set)
adv_acc = float(adv_acc) / len(test_set)
print("method %s # data %f, clean_acc %f, adv_acc %f" %
(args.decomposition, (i + 1) * batch_size, clean_acc, adv_acc))
print("rank %s autoencoder %s" % (args.rank, args.autoencoder))
f = open("./result/whitebox_1.txt", 'a')
data = "Attack Method : " + args.attack + "\n"
data += "Decomposition method : " + args.decomposition + "\n"
data += "Autoencoder : " + args.autoencoder + "\n"
data += "epsilon : " + args.eps + "\n"
data += "rank : " + str(rank) + "\n"
data += "clean : " + str(clean_acc) + " adv_acc : " + str(adv_acc) + "\n"
data += "=" * 50
f.write(data + '\n')
def train_epoch(model, loader, optimizer):
model.train()
train_loss = []
bar = tqdm(loader)
for i, (data, target, face_name) in enumerate(bar):
optimizer.zero_grad()
if args.use_meta:
data, meta = data
data, meta, target = data.to(device), meta.to(device), target.to(device)
logits = model(data, meta)
else:
# attack 추가
method = {
'1_PGD': [20,70,2],
'2_APGD':[20,70,2],
'3_FGSM': [2,8],
'4_FFGSM': [4,7,10],
'5_MIFGSM': [3,6],
'6_RFGSM': [4,7,8],
'7_BIM':[4,10,1],
'8_CW':[1e-4, 2e-4]}
#TODO: dataset에 original image와 attacked image모두 만들기
# 1. original data save img_o
# 2. small sized data img_s = scaling(image_o, scaling_factor=0.5)
# out_attack = attack(small_data, target~~~)
# img_gen = normalize ( scaling ((out_attack - small_data), 1/scaling_factor) + img_o)
scaling_factor = 0.5
img_origin = np.transpose(data.cpu().numpy()[i, :, :, :], (1, 2, 0))
img_small = cv2.resize(img_origin, dsize=(0, 0),
fx=scaling_factor,
fy=scaling_factor) #,interpolation=cv2.INTER_AREA
for eps in range(2):
globals()['atk{}'.format(1)] = torchattacks.PGD(model, eps=method['1_PGD'][eps] / 255, alpha=method['1_PGD'][-1] / 255, steps=4)
globals()['atk{}'.format(2)] = torchattacks.APGD(model, eps=method['2_APGD'][eps] / 255, alpha=method['2_APGD'][-1] / 255, steps=4)
globals()['atk{}'.format(3)] = torchattacks.FGSM(model, eps=method['3_FGSM'][eps] / 255)
globals()['atk{}'.format(4)] = torchattacks.FFGSM(model, eps=method['4_FFGSM'][eps] / 255, alpha=method['4_FFGSM'][-1] / 255)
globals()['atk{}'.format(5)] = torchattacks.MIFGSM(model, eps=method['5_MIFGSM'][eps] / 255, steps=4)
globals()['atk{}'.format(6)] = torchattacks.RFGSM(model, eps=method['6_RFGSM'][eps] / 255, alpha=method['6_RFGSM'][-1] / 255, steps=4)
globals()['atk{}'.format(7)] = torchattacks.BIM(model, eps=method['7_BIM'][eps] / 255, alpha=method['7_BIM'][-1] / 255)
globals()['atk{}'.format(8)] = torchattacks.CW(model, c= method['8_CW'][eps], steps=10)
for count in range(1,9):
# regularization
# torch.clamp(images + delta, min=0, max=1).detach()
# torch.from_numpy(img_small)
out_attack = globals()['atk{}'.format(count)](torch.from_numpy(img_small), (target + 1) % 2)
img_gen = torch.clamp(cv2.resize(out_attack-img_small,dsize=(0,0),fx=1/scaling_factor, fy=1/scaling_factor), min=0, max=1).detach() + img_origin
globals()['data_atk{}'.format(count)] = torch.from_numpy(img_gen)
globals()['data_atk{}'.format(count)], target = (globals()['data_atk{}'.format(count)]).to(device), target.to(device)
logits = model(globals()['data_atk{}'.format(count)])
globals()['data_atk{}'.format(count)] = (globals()['data_atk{}'.format(count)]).cpu().numpy()
method_keys = list(method.keys())
bat_size = args.batch_size
for j in range(bat_size):
# save original image
# im0 = data.cpu().numpy()[j, :, :, :]
# imsave(
# f"./confirm_attack2img/AE-real_fake/0_original/"
# f"{target[j]}_{face_name[j]}_{i * bat_size + j}_0_wsbs.png",
# np.transpose(im0, (1, 2, 0)))
# save attacked image
for save_cnt in range(1,9):
globals()['im{}'.format(save_cnt)] = (globals()['data_atk{}'.format(save_cnt)])[j, :, :, :]
# imsave(
# f"./confirm_attack2img/AE-real_fake/{method_keys[save_cnt]}/"
# f"{target[j]}_{face_name[j]}_{i * bat_size + j}_{method_keys[save_cnt]}_eps{method[method_keys[save_cnt]][eps]}_wsbs.png",
# np.transpose(globals()['im{}'.format(save_cnt)], (1, 2, 0)))
imsave(
f"./confirm_attack2img/AE-real_fake/train/"
f"{target[j]}_{face_name[j]}_{i * bat_size + j}_{method_keys[save_cnt]}_eps{method[method_keys[save_cnt]][eps]}_wsbs.png",
np.transpose(globals()['im{}'.format(save_cnt)], (1, 2, 0)))
loss = criterion(logits, target)
if not args.use_amp:
loss.backward()
# else:
# with amp.scale_loss(loss, optimizer) as scaled_loss:
# scaled_loss.backward()
if args.image_size in [896, 576]:
# 그라디언트가 너무 크면 값을 0.5로 잘라준다 (max_grad_norm=0.5)
torch.nn.utils.clip_grad_norm_(model.parameters(), 0.5)
# gradient accumulation (메모리 부족할때)
if args.accumulation_step:
if (i + 1) % args.accumulation_step == 0:
optimizer.step()
# optimizer.zero_grad()
else:
optimizer.step()
# optimizer.zero_grad()
loss_np = loss.detach().cpu().numpy()
train_loss.append(loss_np)
smooth_loss = sum(train_loss[-100:]) / min(len(train_loss), 100)
bar.set_description('loss: %.5f, smooth_loss: %.5f' % (loss_np, smooth_loss))
train_loss = np.mean(train_loss)
return train_loss
def test(self):
norm_layer = Normalize(mean=[0.4914, 0.4822, 0.4465],
std=[0.247, 0.243, 0.261])
net1 = nn.Sequential(
norm_layer, WideResNet(depth=28, widen_factor=2, num_classes=10))
net1 = net1.cuda()
checkpoint_path1 = osp.join(self.args.model_load1)
model_data1 = torch.load(checkpoint_path1)
net1.load_state_dict(model_data1['model'])
net2 = nn.Sequential(
self.norm_layer,
WideResNet(depth=28, widen_factor=2, num_classes=10))
net2 = net2.cuda()
checkpoint_path2 = osp.join(self.args.model_load2)
model_data2 = torch.load(checkpoint_path2)
net2.load_state_dict(model_data2['model'])
torch.backends.cudnn.deterministic = True
cudnn.benchmark = True
print("safely loaded models")
net1.eval()
net2.eval()
correct1 = 0
correct2 = 0
correct3 = 0
correct4 = 0
correct5 = 0
correct6 = 0
correct7 = 0
correct8 = 0
correct13 = 0
correct14 = 0
total = 0
for batch_idx, (inputs, targets) in enumerate(self.testloader):
inputs, targets = inputs.cuda(), targets.cuda()
inputs, targets = Variable(inputs), Variable(targets)
#Clean image
output1 = net1(inputs)
output2 = net2(inputs)
# net1: PGD trained, net2: GD trained
atk_pgd1 = torchattacks.PGD(
net1,
self.args.epsilon,
self.args.alpha,
self.args.attack_steps,
random_start=self.args.random_start) #noise
atk_pgd2 = torchattacks.PGD(net2,
self.args.epsilon,
self.args.alpha,
self.args.attack_steps,
random_start=self.args.random_start)
atk_gd1 = torchattacks.PGDL2(net1,
self.args.epsilon,
self.args.alpha,
self.args.attack_steps,
random_start=self.args.random_start)
atk_gd2 = torchattacks.PGDL2(net2,
self.args.epsilon,
self.args.alpha,
self.args.attack_steps,
random_start=self.args.random_start)
adversarial_images_pgd1 = atk_pgd1(inputs, targets)
adversarial_images_gd1 = atk_gd1(inputs, targets)
adversarial_images_pgd2 = atk_pgd2(inputs, targets)
adversarial_images_gd2 = atk_gd2(inputs, targets)
net1_output_pgd1, net2_output_pgd1 = net1(
adversarial_images_pgd1), net2(adversarial_images_pgd1)
net1_output_gd1, net2_output_gd1 = net1(
adversarial_images_gd1), net2(adversarial_images_gd1)
net1_output_pgd2, net2_output_pgd2 = net1(
adversarial_images_pgd2), net2(adversarial_images_pgd2)
net1_output_gd2, net2_output_gd2 = net1(
adversarial_images_gd2), net2(adversarial_images_gd2)
_, predicted1 = torch.max(net1_output_pgd1.data, 1)
_, predicted2 = torch.max(net2_output_pgd1.data, 1)
_, predicted3 = torch.max(net1_output_gd1.data, 1)
_, predicted4 = torch.max(net2_output_gd1.data, 1)
_, predicted5 = torch.max(net1_output_pgd2.data, 1)
_, predicted6 = torch.max(net2_output_pgd2.data, 1)
_, predicted7 = torch.max(net1_output_gd2.data, 1)
_, predicted8 = torch.max(net2_output_gd2.data, 1)
_, predicted_clean1 = torch.max(output1.data, 1)
_, predicted_clean2 = torch.max(output2.data, 1)
# _, predicted = torch.max(student_outputs[1].data, 1)
total += targets.size(0)
correct1 += predicted1.eq(targets.data).cpu().sum()
correct2 += predicted2.eq(targets.data).cpu().sum()
correct3 += predicted3.eq(targets.data).cpu().sum()
correct4 += predicted4.eq(targets.data).cpu().sum()
correct5 += predicted5.eq(targets.data).cpu().sum()
correct6 += predicted6.eq(targets.data).cpu().sum()
correct7 += predicted7.eq(targets.data).cpu().sum()
correct8 += predicted8.eq(targets.data).cpu().sum()
correct13 += predicted_clean1.eq(targets.data).cpu().sum()
correct14 += predicted_clean2.eq(targets.data).cpu().sum()
print('Clean Accuracy Net1: %.2f' %
(float(correct13) / float(total) * 100))
print('Clean Accuracy Net2: %.2f\n' %
(float(correct14) / float(total) * 100))
print('Noise From Net1 with PGD: Net1: %.2f Net2: %.2f' %
(float(correct1) / float(total) * 100,
float(correct2) / float(total) * 100))
print('Noise From Net1 with GD: Net1: %.2f Net2: %.2f\n' %
(float(correct3) / float(total) * 100,
float(correct4) / float(total) * 100))
print('Noise From Net2 with PGD: Net1: %.2f Net2: %.2f' %
(float(correct5) / float(total) * 100,
float(correct6) / float(total) * 100))
print('Noise From Net2 with GD: Net1: %.2f Net2: %.2f\n' %
(float(correct7) / float(total) * 100,
float(correct8) / float(total) * 100))
def train(epoch, model, optimizer, scheduler, criterion, train_loader, config,
writer, AT):
global global_step
run_config = config['run_config']
optim_config = config['optim_config']
data_config = config['data_config']
logger.info('Train {}'.format(epoch))
model.train()
loss_meter = AverageMeter()
accuracy_meter = AverageMeter()
start = time.time()
for step, (data, targets) in enumerate(train_loader):
global_step += 1
if data_config['use_mixup']:
data, targets = mixup(data, targets, data_config['mixup_alpha'],
data_config['n_classes'])
if run_config['tensorboard_train_images']:
if step == 0:
image = torchvision.utils.make_grid(data,
normalize=True,
scale_each=True)
writer.add_image('Train/Image', image, epoch)
if optim_config['scheduler'] == 'multistep':
scheduler.step(epoch - 1)
elif optim_config['scheduler'] == 'cosine':
scheduler.step()
if run_config['tensorboard']:
if optim_config['scheduler'] != 'none':
lr = scheduler.get_lr()[0]
else:
lr = optim_config['base_lr']
writer.add_scalar('Train/LearningRate', lr, global_step)
if run_config['use_gpu']:
data = data.cuda()
targets = targets.cuda()
optimizer.zero_grad()
if AT:
# all for the attack
mean = torch.FloatTensor(
np.array([0.4914, 0.4822, 0.4465])[None, :, None,
None]).cuda()
std = torch.FloatTensor(
np.array([0.2470, 0.2435, 0.2616])[None, :, None,
None]).cuda()
data = data.mul_(std).add_(mean)
atk = torchattacks.PGD(model,
eps=5 / 255,
alpha=0.5 / 255,
steps=10)
data = atk(data, targets)
data = data.sub_(mean).div_(std)
# end of attack
outputs = model(data)
loss = criterion(outputs, targets)
# SD
if optim_config['SD'] != 0.0:
loss += (outputs**2).mean() * optim_config['SD']
loss.backward()
optimizer.step()
_, preds = torch.max(outputs, dim=1)
loss_ = loss.item()
if data_config['use_mixup']:
_, targets = targets.max(dim=1)
correct_ = preds.eq(targets).sum().item()
num = data.size(0)
accuracy = correct_ / num
loss_meter.update(loss_, num)
accuracy_meter.update(accuracy, num)
if run_config['tensorboard']:
writer.add_scalar('Train/RunningLoss', loss_, global_step)
writer.add_scalar('Train/RunningAccuracy', accuracy, global_step)
if step % 100 == 0:
logger.info('Epoch {} Step {}/{} '
'Loss {:.4f} ({:.4f}) '
'Accuracy {:.4f} ({:.4f})'.format(
epoch,
step,
len(train_loader),
loss_meter.val,
loss_meter.avg,
accuracy_meter.val,
accuracy_meter.avg,
))
elapsed = time.time() - start
logger.info('Elapsed {:.2f}'.format(elapsed))
if run_config['tensorboard']:
writer.add_scalar('Train/Loss', loss_meter.avg, epoch)
writer.add_scalar('Train/Accuracy', accuracy_meter.avg, epoch)
writer.add_scalar('Train/Time', elapsed, epoch)
criterion = nn.CrossEntropyLoss()
net = InterConv_Robust(layer_num=1, hidden_num=50, class_num=2)
param_amount = 0
for p in net.named_parameters():
if not 'resnet18' in p[0]:
print(p[0])
param_amount += p[1].numel()
print('total param amount:', param_amount)
net = net.cuda()
optimizer = torch.optim.Adam(net.parameters(), lr=args.lr)
atk = torchattacks.PGD(net, eps=32 / 255, alpha=2 / 255, steps=30)
def test():
correct_num = 0.
label_num = 0.
for batch_idx, (x, target) in enumerate(test_loader):
x = x.cuda()
target = target.cuda()
target[target == 2] = 0
target[target == 7] = 1
adv_x = atk(x, target)
out = net(adv_x)
_, pred_label = torch.max(out.data, 1)
correct8 = 0
correct13 = 0
correct14 = 0
total = 0
for batch_idx, (inputs, targets) in enumerate(testloader):
inputs, targets = inputs.cuda(), targets.cuda()
inputs, targets = Variable(inputs), Variable(targets)
#Clean image
output1 = net1(inputs)
output2 = net2(inputs)
# net1: PGD trained, net2: GD trained
atk_pgd1 = torchattacks.PGD(net1, eps=8 / 255, alpha=2 / 255,
steps=4) #noise
atk_pgd2 = torchattacks.PGD(net2, eps=8 / 255, alpha=2 / 255, steps=4)
atk_gd1 = torchattacks.PGDL2(net1, eps=0.5, alpha=0.1, steps=7)
atk_gd2 = torchattacks.PGDL2(net2, eps=0.5, alpha=0.1, steps=7)
adversarial_images_pgd1 = atk_pgd1(inputs, targets)
adversarial_images_gd1 = atk_gd1(inputs, targets)
adversarial_images_pgd2 = atk_pgd2(inputs, targets)
adversarial_images_gd2 = atk_gd2(inputs, targets)
net1_output_pgd1, net2_output_pgd1 = net1(adversarial_images_pgd1), net2(
adversarial_images_pgd1)
net1_output_gd1, net2_output_gd1 = net1(adversarial_images_gd1), net2(
adversarial_images_gd1)
net1_output_pgd2, net2_output_pgd2 = net1(adversarial_images_pgd2), net2(
adversarial_images_pgd2)
net1_output_gd2, net2_output_gd2 = net1(adversarial_images_gd2), net2(
def test(epoch, model, criterion, test_loader, run_config, writer, adv=False):
logger.info('Test {}'.format(epoch))
model.eval()
loss_meter = AverageMeter()
correct_meter = AverageMeter()
start = time.time()
for step, (data, targets) in enumerate(test_loader):
if run_config['tensorboard_test_images']:
if epoch == 0 and step == 0:
image = torchvision.utils.make_grid(data,
normalize=True,
scale_each=True)
writer.add_image('Test/Image', image, epoch)
if run_config['use_gpu']:
data = data.cuda()
targets = targets.cuda()
if adv:
# all for the attack
mean = torch.FloatTensor(
np.array([0.4914, 0.4822, 0.4465])[None, :, None,
None]).cuda()
std = torch.FloatTensor(
np.array([0.2470, 0.2435, 0.2616])[None, :, None,
None]).cuda()
data = data.mul_(std).add_(mean)
atk = torchattacks.PGD(
model, eps=5 / 255, alpha=0.5 / 255,
steps=10) # for Cifar 10 with SD= 0.0 vs 0.01 --> 30 vs 67
# atk = torchattacks.PGD(model, eps=5/255, alpha=0.5/255, steps=10) # for Cifar 100 with SD= 0.0 vs 0.05 --> 14 vs 25
data = atk(data, targets)
data = data.sub_(mean).div_(std)
# end of attack
with torch.no_grad():
outputs = model(data)
loss = criterion(outputs, targets)
_, preds = torch.max(outputs, dim=1)
loss_ = loss.item()
correct_ = preds.eq(targets).sum().item()
num = data.size(0)
loss_meter.update(loss_, num)
correct_meter.update(correct_, 1)
accuracy = correct_meter.sum / len(test_loader.dataset)
logger.info('Epoch {} Loss {:.4f} Accuracy {:.4f}'.format(
epoch, loss_meter.avg, accuracy))
elapsed = time.time() - start
logger.info('Elapsed {:.2f}'.format(elapsed))
if run_config['tensorboard']:
if epoch > 0:
writer.add_scalar('Test/Loss', loss_meter.avg, epoch)
writer.add_scalar('Test/Accuracy', accuracy, epoch)
writer.add_scalar('Test/Time', elapsed, epoch)
if run_config['tensorboard_model_params']:
for name, param in model.named_parameters():
writer.add_histogram(name, param, global_step)
return accuracy
def test_model(model, phase='test'):
# phase = 'train', 'valid', 'test'
model.eval() # evaluate mode; gradient 계산 안함.
running_loss, running_corrects, num_cnt = 0.0, 0, 0
'''
with torch.no_grad(): # memory save를 위해 gradient 저장하지 않음.
보통 test를 할 때, gradient를 training 시키는 것이 아니기 때문에 위와 같은 코드를 추가한다.
grad = torch.autograd.grad(cost, images, retain_graph=False, create_graph=False)[0]
하지만, adversarial attack은 위와 같이 gradient를 토대로 data에 공격을 가하기 때문에 gradient가 필요하다.
따라서 test_adv 에는 with torch.no_grad()를 제외해야 한다.
'''
for i, (inputs, labels) in enumerate(dataloaders[phase]):
# adversarial attack 정의
atks = [
torchattacks.FGSM(model, eps=8 / 255),
torchattacks.BIM(model, eps=8 / 255, alpha=2 / 255, steps=7),
torchattacks.PGD(model, eps=8 / 255, alpha=2 / 255, steps=7),
]
adv_images = atks[0](inputs, labels).to(device)
# Image Processing Based Defense Methods --> tensor를 image로 변환하여 적용
for batch in range(inputs.shape[0]):
tensor2img = transforms.ToPILImage()(inputs[batch]).convert('RGB')
# 1. Resizing
# Image.resize(size, resample=3, box=None, reducing_gap=None)
# resample(filter): PIL.Image.NEAREST, PIL.Image.BOX, PIL.Image.BILINEAR, PIL.Image.HAMMING, PIL.Image.BICUBIC
tensor2img.resize((74, 74))
tensor2img.resize((224, 224))
# 다시 이미지를 tensor로 바꾸기
tensor_img = transforms.ToTensor()(tensor2img)
inputs[batch] = tensor_img
# 2. jpeg compression
tensor2numpy = inputs[batch].cpu().numpy()
cv_img = np.transpose(tensor2numpy, (1, 2, 0)) # [w, h, c]
cv_img = cv_img * 255
encode_param = [int(cv2.IMWRITE_JPEG_QUALITY), 15]
result, encimg = cv2.imencode('.jpg', cv_img, encode_param)
if False == result:
print('could not encode image!')
quit()
# decode from jpeg format
jpeg_img = cv2.imdecode(encimg, 1)
jpeg2input = np.transpose(jpeg_img, (2, 0, 1)) / 255
inputs[batch] = torch.Tensor(jpeg2input).to(device)
labels = labels.to(device)
outputs = model(adv_images) # forward pass
_, preds = torch.max(outputs, 1) # model이 가장 높은 확률로 예측한 label
loss = criterion(outputs, labels) # loss 계산
running_loss += loss.item() * inputs.size(0)
running_corrects += torch.sum(preds == labels.data)
num_cnt += inputs.size(0) # batch size
test_loss = running_loss / num_cnt
test_acc = running_corrects.double() / num_cnt
print('test done : loss/acc : %.2f / %.1f' %
(test_loss, test_acc * 100))
def train_epoch(model, loader, optimizer):
model.train()
train_loss = []
bar = tqdm(loader)
for i, (data, target, image_name) in enumerate(bar):
optimizer.zero_grad()
if args.use_meta:
data, meta = data
data, meta, target = data.to(device), meta.to(device), target.to(
device)
logits = model(data, meta)
else:
# attack 추가: 5,499장 --> 총 7개 attack x epsilon 2개 == 76,986
method = {
'0_FGSM': [2, 5, 8],
'1_PGD': [20, 50, 80, 2],
'2_BIM': [4, 7, 10, 1]
}
for eps in range(3):
globals()['atk{}'.format(0)] = torchattacks.FGSM(
model, eps=method['0_FGSM'][eps] / 255)
globals()['atk{}'.format(1)] = torchattacks.PGD(
model,
eps=method['1_PGD'][eps] / 255,
alpha=method['1_PGD'][-1] / 255,
steps=4)
globals()['atk{}'.format(2)] = torchattacks.BIM(
model,
eps=method['2_BIM'][eps] / 255,
alpha=method['2_BIM'][-1] / 255)
for count in range(3):
# globals()['data_atk{}'.format(i)]
globals()['data_atk{}'.format(count)] = globals()[
'atk{}'.format(count)](data, (target + 1) % 2)
globals()['data_atk{}'.format(count)], target = (
globals()['data_atk{}'.format(count)]
).to(device), target.to(device)
logits = model(globals()['data_atk{}'.format(count)])
globals()['data_atk{}'.format(count)] = (
globals()['data_atk{}'.format(count)]).cpu().numpy()
method_keys = list(method.keys())
bat_size = args.batch_size
for j in range(bat_size):
for save_cnt in range(3):
globals()['im{}'.format(save_cnt)] = (globals()[
'data_atk{}'.format(save_cnt)])[j, :, :, :]
# imsave(
# f"./confirm_attack2img/AE-classification/{method_keys[save_cnt]}/"
# f"{target[j]}_{id[j]}_{i * bat_size + j}_{method_keys[save_cnt]}_eps{method[method_keys[save_cnt]][eps]}.png",
# np.transpose(globals()['im{}'.format(save_cnt)], (1, 2, 0)))
imsave(
f"./data/Adversarial Attack/{method_keys[save_cnt]}/"
f"{image_name[j].split('.')[0]}_{method_keys[save_cnt]}_eps{method[method_keys[save_cnt]][eps]}_{i * bat_size + j}.png",
np.transpose(globals()['im{}'.format(save_cnt)],
(1, 2, 0)))
loss = criterion(logits, target)
if not args.use_amp:
loss.backward()
# else:
# with amp.scale_loss(loss, optimizer) as scaled_loss:
# scaled_loss.backward()
if args.image_size in [896, 576]:
# 그라디언트가 너무 크면 값을 0.5로 잘라준다 (max_grad_norm=0.5)
torch.nn.utils.clip_grad_norm_(model.parameters(), 0.5)
# gradient accumulation (메모리 부족할때)
if args.accumulation_step:
if (i + 1) % args.accumulation_step == 0:
optimizer.step()
# optimizer.zero_grad()
else:
optimizer.step()
# optimizer.zero_grad()
loss_np = loss.detach().cpu().numpy()
train_loss.append(loss_np)
smooth_loss = sum(train_loss[-100:]) / min(len(train_loss), 100)
bar.set_description('loss: %.5f, smooth_loss: %.5f' %
(loss_np, smooth_loss))
train_loss = np.mean(train_loss)
return train_loss
exit(1)
logger.info("loaded model and data")
CUDA_MODE = torch.cuda.is_available()
if not CUDA_MODE:
logger.warn(
"CUDA not available. Run on a CUDA enabled platform (NVIDIA GPU with compute capability >= 3) to get memory usage and timing stats (this code makes use of CUDA events to accurately measure memory and timing). Press [ENTER] to continue anyways."
)
input()
# How many images we want to test
IMG_NUM = 500
model.eval()
attacks = [
torchattacks.PGD(model),
torchattacks.DeepFool(model),
torchattacks.StepLL(model),
torchattacks.BIM(model)
]
for attack in attacks:
time = []
attack_l2 = []
peak_cuda = []
avg_cuda = []
total_success = 0
logger.info(f"Benchmarking {str(attack)} on {IMG_NUM} images")
for img_id in range(IMG_NUM):
num_classes = 10
model = coreModel()
tl.set_backend('pytorch')
batch_size = 64
train_set,test_set = datasets.CIFAR10(root = '/home/taejoon/data/CIFAR10',normalize = False)
train_loader = torch.utils.data.DataLoader(train_set,batch_size = batch_size,shuffle = True)
test_loader = torch.utils.data.DataLoader(test_set, batch_size=batch_size, shuffle=False)
criterion = nn.CrossEntropyLoss()
optimizer = torch.optim.Adam(model.parameters(), lr = 1e-4)
model.eval()
model = model.to(device)
running_loss = 0.0
attack= torchattacks.PGD(classifier, eps= float(8/255.0))
train_loss_epoch = []
train_acc_epoch = []
epoches = 50
for epoch in range(1,epoches):
total_loss = 0
total_acc = 0
for (X,y) in tqdm(train_loader):
X = X.to(device)
y = y.to(device)
optimizer.zero_grad()
try :
core = tucker_decomposition(X)
