def ifgs(model, input, target, max_iter=10, step_size=0.01, train_mode=False,
         mode=None, verbose=True):
    """Iterative fast gradient sign (I-FGS) attack.

    Applies ``max_iter`` single FGS steps, re-linearizing at the perturbed
    point each time, and accumulates the total perturbation in ``r``.

    Args:
        model: network under attack (must expose ``train()``/``eval()``).
        input: batch of inputs, shape (N, ...).
        target: ground-truth labels for the batch.
        max_iter: number of FGS steps to take.
        step_size: magnitude of each FGS step (forwarded to ``fgs``).
        train_mode: if True run the model in train() mode instead of eval().
        mode: forwarded to ``fgs`` — semantics defined there.
        verbose: forwarded to ``fgs``.

    Returns:
        (status, r): ``status[i]`` is 0 if sample i was already misclassified
        before the attack, +1 if the attack flipped the prediction, -1 if it
        failed; ``r`` is the accumulated perturbation, same size as ``input``.
    """
    if train_mode:
        model.train()
    else:
        model.eval()
    pred = util.get_labels(model, input)
    # Samples the model classified correctly before any perturbation.
    corr = pred.eq(target)
    r = torch.zeros(input.size())
    for _ in range(max_iter):
        _, ri = fgs(model, input, target, step_size, train_mode, mode,
                    verbose=verbose)
        r = r + ri
        # `input` carries the accumulated perturbation so the next FGS step
        # linearizes at the current adversarial point.
        input = input + ri
    # BUG FIX: `input` already equals the original input plus r, so the
    # previous evaluation at `input + r` applied the perturbation twice.
    # Evaluate the adversarial prediction at the actual perturbed point.
    pred_xp = util.get_labels(model, input)
    status = torch.zeros(input.size(0)).long()
    # Map {unchanged, changed} predictions to {-1, +1}; initially-wrong
    # samples keep status 0.
    status[corr] = 2 * pred[corr].ne(pred_xp[corr]).long() - 1
    return (status, r)
def universal(model, input, target, n_classes, max_val=0.1, train_mode=False,
              max_iter=10, step_size=0.1, batch_size=25, data_dir=None,
              r=None, verbose=True):
    """Build a universal (input-agnostic) adversarial perturbation.

    Visits the samples in random order; whenever the current perturbation
    ``r`` fails to change the model's prediction on a sample, it is augmented
    with a per-sample DeepFool perturbation and re-clipped to the L-inf ball
    of radius ``max_val``.

    Args:
        model: network under attack.
        input: batch of inputs; indexed as input[idx] and expanded to
            (1, C, H, W), so a 4-D (N, C, H, W) batch is assumed —
            TODO confirm against callers.
        target: ground-truth labels.
        n_classes: number of classes, forwarded to ``deepfool_single``.
        max_val: L-inf clamp radius for the universal perturbation.
        train_mode, max_iter, step_size, batch_size, data_dir: forwarded to
            ``deepfool_single``.
        r: optional warm-start perturbation (size of one sample); a fresh
            zero tensor is used when None.
        verbose: print progress per visited sample.

    Returns:
        (status, r): ``status[i]`` is 0 if sample i was misclassified before
        the attack, +1 if ``input[i] + r`` is misclassified afterwards, -1
        otherwise; ``r`` is the universal perturbation (one sample's size).
    """
    pred = util.get_labels(model, input, batch_size)
    if r is None:
        r = torch.zeros(input[0].size())  # one perturbation shared by all samples
    perm = torch.randperm(input.size(0))  # visit samples in random order
    for i in range(input.size(0)):
        idx = perm[i]
        if verbose:
            print('sample %d: index %d' % (i + 1, idx))
        # Forward the current sample with the running perturbation applied.
        x_adv = torch.autograd.Variable((input[idx] + r))
        x_adv = x_adv.expand(1, input.size(1), input.size(2), input.size(3))
        output = model.forward(x_adv)
        _, pred_adv = output.max(1)
        # NOTE(review): [0][0] indexing is legacy (pre-0.4) PyTorch where
        # max(1) kept the reduced dim; newer versions return a 1-D tensor.
        pred_adv = pred_adv.data.cpu()[0][0]
        if pred[idx] == pred_adv:
            # r does not yet fool the model on this sample: extend it with a
            # per-sample DeepFool perturbation computed at input[idx] + r.
            succ, ri = deepfool_single(
                model, input[idx] + r, pred[idx], n_classes, train_mode,
                max_iter, step_size, batch_size, data_dir)
            if succ:
                # Keep the universal perturbation inside the L-inf ball.
                r = (r + ri).clamp(-max_val, max_val)
    x = input + r.expand_as(input)
    pred_xp = util.get_labels(model, x)
    # +1 = perturbed prediction differs from target, -1 = attack failed;
    # samples that were already misclassified are zeroed below.
    status = 2 * pred_xp.ne(target).long() - 1
    status[pred.ne(target)] = 0
    return (status, r)
def deepfool(model, input, target, n_classes, train_mode=False, max_iter=5,
             step_size=0.1, batch_size=25, labels=None):
    """Run DeepFool independently on every sample of a batch.

    Delegates each sample to ``deepfool_single`` and collects the per-sample
    perturbations and success flags.

    Returns:
        (status, r): ``status[i]`` is 0 if sample i was misclassified before
        the attack, +1 if DeepFool succeeded on it, -1 otherwise; ``r`` holds
        the per-sample perturbations, same size as ``input``.
    """
    clean_pred = util.get_labels(model, input, batch_size)
    n_samples = input.size(0)
    status = torch.zeros(n_samples).long()
    r = torch.zeros(input.size())
    for idx in range(n_samples):
        status[idx], r[idx] = deepfool_single(
            model, input[idx], target[idx], n_classes, train_mode,
            max_iter, step_size, batch_size, labels)
    status = status * 2 - 1            # map {0, 1} success flags to {-1, +1}
    status[clean_pred.ne(target)] = 0  # already-misclassified samples get 0
    return (status, r)
def attacking_mahalanobis_all(model, input, target, weight, loss_str,
                              sample_mean, inv_sample_conv, ensemble_weight,
                              bound=0, max_iter=100, step_size=0.01, kappa=0,
                              p=2, drop_rate=0.0, train_mode=False,
                              verbose=False):
    """CW-style attack combined with a Mahalanobis ensemble criterion.

    Optimizes an adversarial image ``w`` with Adam, minimizing a distortion
    term (l2 or clamped l-inf) plus a margin-based misclassification term.
    A Mahalanobis ensemble loss is also evaluated over the model's
    intermediate features each iteration.

    Args:
        model: network exposing ``feature_list`` (returns logits and a list
            of per-layer feature maps).
        input: batch of inputs (N, ...).
        target: ground-truth labels.
        weight: coefficient of the margin (adversarial) term.
        loss_str: 'l2' or 'linf'; anything else raises ValueError.
        sample_mean, inv_sample_conv, ensemble_weight: statistics forwarded
            to the Mahalanobis criterion — semantics defined there.
        bound: slack for the 'linf' distortion term.
        max_iter: Adam iterations.
        step_size: Adam learning rate.
        kappa: confidence margin in the CW hinge term.
        p: unused here — TODO confirm it can be dropped.
        drop_rate: unused here — TODO confirm it can be dropped.
        train_mode: run the model in train() mode instead of eval().
        verbose: print per-iteration losses and success rate.

    Returns:
        (status, best_w): ``status[i]`` is 0 if sample i was already
        misclassified, +1 if the best adversarial image flips its prediction,
        -1 otherwise; ``best_w`` is the lowest-loss adversarial batch found.
    """
    is_gpu = next(model.parameters()).is_cuda
    if train_mode:
        model.train()
    else:
        model.eval()
    pred = util.get_labels(model, input)
    # Samples classified correctly before the attack.
    corr = pred.eq(target)
    w = torch.autograd.Variable(input, requires_grad=True)
    best_w = torch.Tensor(input.size())
    best_w.copy_(input)
    best_loss = float('inf')
    optimizer = torch.optim.Adam([w], lr=step_size)
    input_var = torch.autograd.Variable(input)
    input_vec = input.view(input.size(0), -1)
    probs = util.get_probs(model, input)
    _, top2 = probs.topk(2, 1)
    argmax = top2[:, 0]
    top2_index = top2[:, 1]
    # Attack target per sample: the runner-up class whenever the top
    # prediction equals the true label.
    for j in range(top2.size(0)):
        if argmax[j] == target[j]:
            argmax[j] = top2[j, 1]
    # NOTE(review): hard-coded .cuda() — crashes on CPU-only runs even
    # though is_gpu is computed above; verify intended.
    mahalanobis_criterion = _MahalanobisEnsembleLoss().cuda()
    print('attack all')
    for i in range(max_iter):
        if i > 0:
            w.grad.data.fill_(0)
        model.zero_grad()
        # Norm constraints
        if loss_str == 'l2':
            loss = torch.pow(w - input_var, 2).sum()
        elif loss_str == 'linf':
            loss = torch.clamp((w - input_var).abs() - bound, min=0).sum()
        else:
            raise ValueError('Unsupported loss: %s' % loss_str)
        recons_loss = loss.data[0]
        # Adversarial loss: forward a detached copy (w_in) so its gradient
        # can be added manually onto w.grad below.
        w_data = w.data
        w_in = torch.autograd.Variable(w_data, requires_grad=True)
        output, out_features = model.feature_list(w_in)
        # Reduce each feature map to per-channel means.
        for j in range(len(out_features)):
            out_features[j] = out_features[j].view(out_features[j].size(0),
                                                   out_features[j].size(1), -1)
            out_features[j] = torch.mean(out_features[j], 2)
        # CW hinge: push the true-class logit below the attack target's.
        for j in range(output.size(0)):
            loss += weight * torch.clamp(
                output[j][target[j]] - output[j][argmax[j]] + kappa, min=0)
        # NOTE(review): temp_loss is computed but never added to `loss` or
        # otherwise used — looks like an unfinished integration; confirm.
        temp_loss = mahalanobis_criterion(out_features, sample_mean,
                                          inv_sample_conv, ensemble_weight,
                                          top2_index)
        adv_loss = loss.data[0] - recons_loss
        if is_gpu:
            loss = loss.cuda()
        loss.backward()
        # Fold the forward-pass gradient (through w_in) into w's gradient.
        w.grad.data.add_(w_in.grad.data)
        # NOTE(review): w_cpu and input_np are unused in this function.
        w_cpu = w.data.cpu().numpy()
        input_np = input.cpu().numpy()
        optimizer.step()
        total_loss = loss.data.cpu()[0]
        # w.data = utils.img_to_tensor(utils.transform_img(w.data), scale=False)
        output_vec = w.data
        preds = util.get_labels(model, output_vec)
        output_vec = output_vec.view(output_vec.size(0), -1)
        # Relative l2 distortion per sample, averaged into `rb`.
        diff = (input_vec - output_vec).norm(2, 1).squeeze()
        diff = diff.div(input_vec.norm(2, 1).squeeze())
        rb = diff.mean()
        # Fraction of samples whose current prediction differs from target.
        sr = float(preds.ne(target).sum()) / target.size(0)
        if verbose:
            print('iteration %d: loss = %f, %s_loss = %f, '
                  'adv_loss = %f' % (i + 1, total_loss, loss_str,
                                     recons_loss, adv_loss))
            print('robustness = %f, success rate = %f' % (rb, sr))
        # Track the lowest-total-loss iterate as the final answer.
        if total_loss < best_loss:
            best_loss = total_loss
            best_w = w.data.clone()
    pred_xp = util.get_labels(model, best_w)
    status = torch.zeros(input.size(0)).long()
    status[corr] = 2 * pred[corr].ne(pred_xp[corr]).long() - 1
    return (status, best_w)
def cw(model, input, target, weight, loss_str, bound=0, tv_weight=0,
       max_iter=100, step_size=0.01, kappa=0, p=2, crop_frac=1.0,
       drop_rate=0.0, train_mode=False, verbose=False):
    """Carlini-Wagner-style attack with optional crop, dropout and TV terms.

    Optimizes an adversarial batch ``w`` with Adam, minimizing a distortion
    term (l2 or clamped l-inf) plus a margin-based misclassification hinge.
    Every third iteration (when ``crop_frac < 1``) the forward/backward pass
    goes through a random crop that is rescaled to full size; an optional
    total-variation penalty on the perturbation is applied via manually
    injected gradients.

    Args:
        model: network under attack.
        input: batch of inputs; the crop path indexes (N, C, H, W) —
            TODO confirm 4-D batches with callers.
        target: ground-truth labels.
        weight: coefficient of the margin (adversarial) term.
        loss_str: 'l2' or 'linf'; anything else raises ValueError.
        bound: slack for the 'linf' distortion term.
        tv_weight: coefficient of the total-variation penalty (0 disables).
        max_iter: Adam iterations.
        step_size: Adam learning rate.
        kappa: confidence margin in the CW hinge term.
        p: TV norm order, forwarded to minimize_tv.
        crop_frac: fraction of the image kept by the random crop (1 disables).
        drop_rate: dropout probability applied to the input on most steps.
        train_mode: run the model in train() mode instead of eval().
        verbose: print per-iteration losses and success rate.

    Returns:
        (status, best_w): ``status[i]`` is 0 if sample i was already
        misclassified, +1 if the best adversarial image flips its prediction,
        -1 otherwise; ``best_w`` is the lowest-loss adversarial batch found.
    """
    is_gpu = next(model.parameters()).is_cuda
    if train_mode:
        model.train()
    else:
        model.eval()
    pred = util.get_labels(model, input)
    # Samples classified correctly before the attack.
    corr = pred.eq(target)
    w = torch.autograd.Variable(input, requires_grad=True)
    best_w = torch.Tensor(input.size())
    best_w.copy_(input)
    best_loss = float('inf')
    optimizer = torch.optim.Adam([w], lr=step_size)
    input_var = torch.autograd.Variable(input)
    input_vec = input.view(input.size(0), -1)
    # PIL round-trip transforms used to rescale crops and their gradients.
    to_pil = trans.ToPILImage()
    scale_up = trans.Resize((w.size(2), w.size(3)))
    scale_down = trans.Resize(
        (int(crop_frac * w.size(2)), int(crop_frac * w.size(3))))
    to_tensor = trans.ToTensor()
    probs = util.get_probs(model, input)
    _, top2 = probs.topk(2, 1)
    argmax = top2[:, 0]
    # Attack target per sample: the runner-up class whenever the top
    # prediction equals the true label.
    for j in range(top2.size(0)):
        if argmax[j] == target[j]:
            argmax[j] = top2[j, 1]
    for i in range(max_iter):
        if i > 0:
            w.grad.data.fill_(0)
        model.zero_grad()
        # Distortion term.
        if loss_str == 'l2':
            loss = torch.pow(w - input_var, 2).sum()
        elif loss_str == 'linf':
            loss = torch.clamp((w - input_var).abs() - bound, min=0).sum()
        else:
            raise ValueError('Unsupported loss: %s' % loss_str)
        recons_loss = loss.data[0]
        w_data = w.data
        if crop_frac < 1 and i % 3 == 1:
            # Crop path: take a random crop per sample, min-max normalize,
            # rescale to full size through PIL, and forward that instead.
            # NOTE(review): the pre-allocated w_cropped tensor is overwritten
            # inside the loop by a view of w_data — the allocation is dead.
            w_cropped = torch.zeros(w.size(0), w.size(1),
                                    int(crop_frac * w.size(2)),
                                    int(crop_frac * w.size(3)))
            locs = torch.zeros(w.size(0), 4).long()
            w_in = torch.zeros(w.size())
            for m in range(w.size(0)):
                locs[m] = torch.LongTensor(
                    Crop('random', crop_frac)(w_data[m]))
                w_cropped = w_data[m, :,
                                   locs[m][0]:(locs[m][0] + locs[m][2]),
                                   locs[m][1]:(locs[m][1] + locs[m][3])]
                minimum = w_cropped.min()
                maximum = w_cropped.max() - minimum
                w_in[m] = to_tensor(
                    scale_up(to_pil((w_cropped - minimum) / maximum)))
                # Undo the min-max normalization after the PIL round trip.
                w_in[m] = w_in[m] * maximum + minimum
            w_in = torch.autograd.Variable(w_in, requires_grad=True)
        else:
            # Plain path: forward a detached copy so its gradient can be
            # folded back into w.grad manually.
            w_in = torch.autograd.Variable(w_data, requires_grad=True)
        if drop_rate == 0 and i % 3 == 2:
            output = model.forward(w_in)
        else:
            # Dropout on the input; identity when drop_rate is 0.
            output = model.forward(
                torch.nn.Dropout(p=drop_rate).forward(w_in))
        # CW hinge: push the true-class logit below the attack target's.
        for j in range(output.size(0)):
            loss += weight * torch.clamp(
                output[j][target[j]] - output[j][argmax[j]] + kappa, min=0)
        adv_loss = loss.data[0] - recons_loss
        if is_gpu:
            loss = loss.cuda()
        loss.backward()
        if crop_frac < 1 and i % 3 == 1:
            # Map the crop-space gradient back into the full image: rescale
            # it down (through the same PIL round trip) and paste it at the
            # crop location; elsewhere the gradient is zero.
            grad_full = torch.zeros(w.size())
            grad_cpu = w_in.grad.data
            for m in range(w.size(0)):
                minimum = grad_cpu[m].min()
                maximum = grad_cpu[m].max() - minimum
                grad_m = to_tensor(
                    scale_down(to_pil((grad_cpu[m] - minimum) / maximum)))
                grad_m = grad_m * maximum + minimum
                grad_full[m, :,
                          locs[m][0]:(locs[m][0] + locs[m][2]),
                          locs[m][1]:(locs[m][1] + locs[m][3])] = grad_m
            w.grad.data.add_(grad_full)
        else:
            w.grad.data.add_(w_in.grad.data)
        w_cpu = w.data.cpu().numpy()
        input_np = input.cpu().numpy()
        tv_loss = 0
        if tv_weight > 0:
            # Total-variation penalty on the perturbation, per sample and
            # per channel; its gradient is injected directly into w.grad.
            for j in range(output.size(0)):
                for k in range(3):
                    tv_loss += tv_weight * minimize_tv.tv(
                        w_cpu[j, k] - input_np[j, k], p)
                    grad = tv_weight * torch.from_numpy(
                        minimize_tv.tv_dx(w_cpu[j, k] - input_np[j, k], p))
                    w.grad.data[j, k].add_(grad.float())
        optimizer.step()
        total_loss = loss.data.cpu()[0] + tv_loss
        # w.data = utils.img_to_tensor(utils.transform_img(w.data), scale=False)
        output_vec = w.data
        preds = util.get_labels(model, output_vec)
        output_vec = output_vec.view(output_vec.size(0), -1)
        # Relative l2 distortion per sample, averaged into `rb`.
        diff = (input_vec - output_vec).norm(2, 1).squeeze()
        diff = diff.div(input_vec.norm(2, 1).squeeze())
        rb = diff.mean()
        # Fraction of samples whose current prediction differs from target.
        sr = float(preds.ne(target).sum()) / target.size(0)
        if verbose:
            print(
                'iteration %d: loss = %f, %s_loss = %f, '
                'adv_loss = %f, tv_loss = %f' % (i + 1, total_loss, loss_str,
                                                 recons_loss, adv_loss,
                                                 tv_loss))
            print('robustness = %f, success rate = %f' % (rb, sr))
        # Track the lowest-total-loss iterate as the final answer.
        if total_loss < best_loss:
            best_loss = total_loss
            best_w = w.data.clone()
    pred_xp = util.get_labels(model, best_w)
    status = torch.zeros(input.size(0)).long()
    status[corr] = 2 * pred[corr].ne(pred_xp[corr]).long() - 1
    return (status, best_w)
def cw(model, input, target, weight, loss_str, num_classes, max_iter=10,
       step_size=0.01, kappa=0.0, train_mode=False):
    """Simplified CW attack with extra distortion losses (l1/l-inf/cosine).

    Stripped-down variant of the crop/TV version: the cropped-forward,
    dropout and total-variation branches have been removed (their bodies
    were left commented out in the original and are elided here).

    NOTE(review): this redefinition shadows the earlier ``cw`` in the same
    module, making the crop/TV variant unreachable by name — confirm this
    is intended or rename one of them.

    Args:
        model: network under attack.
        input: batch of inputs.
        target: ground-truth labels.
        weight: coefficient of the margin (adversarial) term.
        loss_str: 'l2', 'linf', 'l1' or 'cos'; anything else raises
            ValueError.
        num_classes: top-k pool from which a random attack target is drawn
            for non-l2 losses.
        max_iter: Adam iterations.
        step_size: Adam learning rate.
        kappa: confidence margin in the CW hinge term.
        train_mode: run the model in train() mode instead of eval().

    Returns:
        best_w: the lowest-loss adversarial batch found (unlike the other
        variant, no status tensor is returned).
    """
    is_gpu = next(model.parameters()).is_cuda
    if train_mode:
        model.train()
    else:
        model.eval()
    pred = util.get_labels(model, input)
    # NOTE(review): corr is computed but unused since the status computation
    # at the end is commented out.
    corr = pred.eq(target)
    w = torch.autograd.Variable(input, requires_grad=True)
    best_w = torch.Tensor(input.size())
    best_w.copy_(input)
    best_loss = float('inf')
    optimizer = torch.optim.Adam([w], lr=step_size)
    input_var = torch.autograd.Variable(input)
    probs = util.get_probs(model, input)
    if loss_str != 'l2':
        # Non-l2 losses: when the top prediction equals the true label, pick
        # a random class from the top-(num_classes) ranking as attack target.
        _, top2 = probs.topk(num_classes, 1)
        argmax = top2[:, 0]
        for j in range(top2.size(0)):
            if argmax[j] == target[j]:
                # NOTE(review): np.random.randint's upper bound is exclusive,
                # so index num_classes - 1 (the last ranked class) is never
                # chosen, and the size-1 array return relies on fancy
                # indexing — confirm both are intended.
                argmax[j] = top2[j, np.random.randint(1, num_classes - 1, 1)]
    else:
        # l2 loss: deterministic runner-up class as attack target.
        _, top2 = probs.topk(2, 1)
        argmax = top2[:, 0]
        for j in range(top2.size(0)):
            if argmax[j] == target[j]:
                argmax[j] = top2[j, 1]
    for i in range(max_iter):
        if i > 0:
            w.grad.data.fill_(0)
        model.zero_grad()
        # Distortion term.
        if loss_str == 'l2':
            loss = torch.pow(w - input_var, 2).sum()
        elif loss_str == 'linf':
            # NOTE(review): unlike the other cw variant, this is a plain max
            # with no `bound` slack — confirm intended.
            loss = torch.max((w - input_var).abs())
        elif loss_str == 'l1':
            loss = torch.sum((w - input_var).abs())
        elif loss_str == 'cos':
            cos_sim = F.cosine_similarity(w, input_var, 0)
            # NOTE(review): device hard-coded to cuda:0 — crashes on CPU
            # runs even though is_gpu is computed above; confirm.
            tmp_l = torch.ones(cos_sim.size(), dtype=torch.float32,
                               device=torch.device('cuda:0'))
            loss = torch.sum(tmp_l - cos_sim)
        else:
            raise ValueError('Unsupported loss: %s' % loss_str)
        recons_loss = loss.item()
        w_data = w.data
        # (cropped-forward branch from the other cw variant elided —
        # it was fully commented out here.)
        # Forward a detached copy so its gradient can be folded back into
        # w.grad manually.
        w_in = torch.autograd.Variable(w_data, requires_grad=True)
        output = model.forward(w_in)
        # CW hinge: push the true-class logit below the attack target's.
        for j in range(output.size(0)):
            loss = loss + weight * torch.clamp(
                output[j][target[j]] - output[j][argmax[j]] + kappa, min=0)
        adv_loss = loss.item() - recons_loss
        if is_gpu:
            loss = loss.cuda()
        loss.backward()
        # (crop-gradient remapping branch elided — commented out here.)
        w.grad.data.add_(w_in.grad.data)
        # NOTE(review): w_cpu, input_np and adv_loss are unused — leftovers
        # from the TV/verbose code that was commented out.
        w_cpu = w.data.cpu().numpy()
        input_np = input.cpu().numpy()
        optimizer.step()
        total_loss = loss.data.item()
        # (verbose robustness/success-rate reporting elided — commented out
        # here; see the other cw variant for the live version.)
        # Track the lowest-total-loss iterate as the final answer.
        if total_loss < best_loss:
            best_loss = total_loss
            best_w = w.data.clone()
    return best_w