def adv_scores(adv_model, dataset, scores, score, constraint='inf', eps=0.04, iterations=3,
transform=None, batch_size=20, num_workers=0, adversary_alg=None):
if constraint in ['2', 'inf']:
attack_kwargs = {
'constraint': constraint, # L-inf PGD
'eps': eps, # Epsilon constraint (L-inf norm)
'step_size': 2.*(eps/iterations), # Learning rate for PGD
'iterations': iterations, # Number of PGD steps
'targeted': False, # Targeted attack
'custom_loss': None, # Use default cross-entropy loss
'random_start': True
}
else:
attack_kwargs = {
'constraint': constraint,
'eps': eps,
'criterion': torch.nn.CrossEntropyLoss(reduction='none'),
'adversary': chop.Adversary(adversary_alg),
'iterations': iterations,
}
dataset.transform = transform
loader = DataLoader(dataset, batch_size=batch_size, shuffle=True,
num_workers=num_workers, pin_memory=False)
return adv_scores_helper(adv_model, loader, attack_kwargs, scores, score)
constraint = chop.constraints.L2Ball(alpha)
def image_constraint_prox(delta, step_size=None):
adv_img = torch.clamp(data + delta, 0, 1)
delta = adv_img - data
return delta
def prox(delta, step_size=None):
delta = constraint.prox(delta, step_size)
delta = image_constraint_prox(delta, step_size)
return delta
adversary = chop.Adversary(chop.optim.minimize_pgd_madry)
callback_L2 = Trace()
_, delta = adversary.perturb(data,
target,
model,
criterion,
prox=prox,
lmo=constraint.lmo,
max_iter=20,
step=2. / 20,
callback=callback_L2)
# Plot adversarial images
fig, ax = plt.subplots(nrows=7, ncols=batch_size, figsize=(16, 14))
# Plot clean data