def gen_adv(): mse = 0 original_files = get_original_file(input_dir + val_list) #下一个图片的初始梯度方向为上一代的最后的值 global momentum momentum = 0 for filename, label in original_files: img_path = input_dir + filename print("Image: {0} ".format(img_path)) img = process_img(img_path) #adv_img = attack_nontarget_by_ensemble(img, label,origdict[label],label) adv_img, m = attack_nontarget_by_ensemble(img, label, origdict[label], label, momentum) #m为上一个样本最后一次梯度值 momentum = m #adv_img 已经经过转换了,范围是0-255 image_name, image_ext = filename.split('.') ##Save adversarial image(.png) save_adv_image(adv_img, output_dir + image_name + '.png') org_img = tensor2img(img) score = calc_mse(org_img, adv_img) print("Image:{0}, mase = {1} ".format(img_path, score)) mse += score print("ADV {} files, AVG MSE: {} ".format(len(original_files), mse / len(original_files)))
def gen_adv(): mse = 0 original_files = get_original_file(input_dir + val_list) num = 1 cout = 0 print("the model is {}".format(model_name)) for filename, label in original_files: img_path = input_dir + filename print("Image: {0} ".format(img_path)) img = process_img(img_path) #print(img.shape) result = exe.run(eval_program, fetch_list=[out], feed={input_layer.name: img}) result = result[0][0] o_label = np.argsort(result)[::-1][:1][0] print("原始标签为{0}".format(o_label)) if o_label == int(label): adv_img = attack_nontarget_by_FGSM(img, label) #adv_img = attack_nontarget_by_PGD(img, label) else: print("{0}个样本已为对抗样本, name为{1}".format(num, filename)) img = tensor2img(img) #print(img.shape) image_name, image_ext = filename.split('.') save_adv_image(img, output_dir + image_name + '.png') num += 1 cout += 1 continue image_name, image_ext = filename.split('.') ##Save adversarial image(.png) save_adv_image(adv_img, output_dir + image_name + '.png') org_img = tensor2img(img) score = calc_mse(org_img, adv_img) mse += score num += 1 print("成功attack的有 {}".format(120 - cout)) print("ADV {} files, AVG MSE: {} ".format(len(original_files), mse / len(original_files)))
def gen_adv(): mse = 0 original_files = get_original_file(input_dir + val_list) for filename, gt_label in original_files: img_path = input_dir + filename img = process_img(img_path) image_name, image_ext = filename.split('.') adv_img = attack_driver(img, gt_label, filename) save_adv_image(adv_img, output_dir + image_name + '.png') org_img = tensor2img(img) score = calc_mse(org_img, adv_img) print(score) mse += score print("ADV {} files, AVG MSE: {} ".format(len(original_files), mse / len(original_files)))
def gen_adv(): mse = 0 original_files = get_original_file('input_image/' + val_list) for filename, label in original_files: img_path = input_dir + filename.split('.')[0] + '.png' print("Image: {0} ".format(img_path)) img = process_img(img_path) adv_img = attack_nontarget_by_SINIFGSM(img, label) image_name, image_ext = filename.split('.') # Save adversarial image(.png) save_adv_image(adv_img, output_dir + image_name + '.png') org_img = tensor2img(img) score = calc_mse(org_img, adv_img) mse += score print("ADV {} files, AVG MSE: {} ".format(len(original_files), mse / len(original_files)))
def gen_adv(): mse = 0 original_files = get_original_file('./input_image/' + val_list) target_label_list = [ 76, 18, 104, 36, 72, 72, 47, 92, 113, 5, 84, 74, 82, 34, 42, 84, 70, 98, 29, 87, 104, 94, 103, 61, 21, 83, 108, 104, 26, 112, 84, 107, 104, 45, 72, 19, 72, 75, 55, 104, 54, 104, 72, 74, 91, 25, 68, 107, 91, 41, 116, 21, 104, 56, 102, 51, 46, 87, 113, 19, 113, 85, 24, 93, 110, 102, 24, 84, 27, 38, 48, 43, 10, 32, 68, 87, 54, 12, 84, 29, 3, 13, 26, 2, 3, 106, 105, 34, 118, 66, 19, 74, 63, 42, 9, 113, 21, 6, 40, 40, 21, 104, 86, 23, 40, 12, 37, 20, 40, 12, 79, 15, 9, 48, 74, 51, 91, 79, 46, 80 ] # hard examples need use targeted attack for filename, label in original_files[args.start_idx:args.end_idx]: img_path = input_dir + filename.split('.')[0] + args.subfix print("Image: {0} ".format(img_path)) img = process_img(img_path) target = target_label_list[label - 1] if IsTarget: print('target class', target) adv_img = attack_nontarget_by_FGSM(img, label, target) # adv_img = attack_nontarget_by_FGSM(img, label) image_name, image_ext = filename.split('.') ##Save adversarial image(.png) save_adv_image(adv_img, output_dir + image_name + '.png') org_img = tensor2img(img) score = calc_mse(org_img, adv_img) mse += score print('MSE %.2f' % (score)) sys.stdout.flush() print("ADV {} files, AVG MSE: {} ".format(len(original_files), mse / len(original_files)))
def main(use_cuda): """ Advbox demo which demonstrate how to use advbox. """ main_prog = fluid.default_main_program() output_target = './datasets/output_image/' if not os.path.exists(output_target): os.makedirs(output_target) IMG_NAME = 'img' LABEL_NAME = 'label' global_id = 0 img = fluid.layers.data(name=IMG_NAME, shape=[3, 224, 224], dtype='float32') label = fluid.layers.data(name=LABEL_NAME, shape=[1], dtype='int64') noise = fluid.layers.create_parameter( name="noise", shape=[batch_size, 3, 224, 224], dtype='float32', default_initializer=fluid.initializer.Constant(0.0000001)) true_image = noise + img r_image = fluid.layers.crop(true_image, shape=[batch_size, 1, 224, 224], offsets=[0, 0, 0, 0], name='r_image') g_image = fluid.layers.crop(true_image, shape=[batch_size, 1, 224, 224], offsets=[0, 1, 0, 0], name='g_image') b_image = fluid.layers.crop(true_image, shape=[batch_size, 1, 224, 224], offsets=[0, 2, 0, 0], name='b_image') max_mean = [0.485, 0.456, 0.406] max_std = [0.229, 0.224, 0.225] r_max = (1 - max_mean[0]) / max_std[0] g_max = (1 - max_mean[1]) / max_std[1] b_max = (1 - max_mean[2]) / max_std[2] r_min = (0 - max_mean[0]) / max_std[0] g_min = (0 - max_mean[1]) / max_std[1] b_min = (0 - max_mean[2]) / max_std[2] r_image = fluid.layers.clip(x=r_image, min=r_min, max=r_max) g_image = fluid.layers.clip(x=g_image, min=g_min, max=g_max) b_image = fluid.layers.clip(x=b_image, min=b_min, max=b_max) true_image = fluid.layers.concat([r_image, g_image, b_image], axis=1) loss, outs = create_net(true_image, label) std = fluid.layers.assign( np.array([[[0.229]], [[0.224]], [[0.225]]]).astype('float32')) square = fluid.layers.square(noise * std * 255.0) # avg l2 norm loss2 = fluid.layers.reduce_sum(square, dim=1) loss2 = fluid.layers.sqrt(loss2) loss2 = fluid.layers.reduce_mean(loss2) #avg mse # loss2 = fluid.layers.reduce_mean(square) loss = loss + 0.005 * loss2 init_prog(main_prog) test_prog = main_prog.clone() lr = fluid.layers.create_global_var(shape=[1], value=0.02, dtype='float32', persistable=True, name='learning_rate_0') opt = fluid.optimizer.Adam(learning_rate=lr) opt.minimize(loss, parameter_list=[noise.name]) # 根据配置选择使用CPU资源还是GPU资源 place = fluid.CUDAPlace(0) if use_cuda else fluid.CPUPlace() exe = fluid.Executor(place) exe.run(fluid.default_startup_program()) test_reader = paddle.batch(test_set(), batch_size=batch_size) load_params(exe) fail_count = 0 for block in main_prog.blocks: for var in block.vars.keys(): if 'learning_rate' in var: pd_lr = fluid.global_scope().find_var(var) print(var) if 'beta1_pow_acc' in var: pd_noise_beta1 = fluid.global_scope().find_var(var) print(var) if 'moment1' in var: pd_noise_mom1 = fluid.global_scope().find_var(var) print(var) if 'beta2_pow_acc' in var: pd_noise_beta2 = fluid.global_scope().find_var(var) print(var) if 'moment2' in var: pd_noise_mom2 = fluid.global_scope().find_var(var) print(var) print(np.array(pd_lr.get_tensor())) for train_id, data in enumerate(test_reader()): images = [] labels = [] filenames = [] for i in range(batch_size): images.append(data[i][0][0]) labels.append([data[i][1]]) filenames.append(data[i][2]) # image = data[0][0] # label = data[0][1] # label = np.array([[label]]) # filename = data[0][2] images = np.array(images) labels = np.array(labels) for block in main_prog.blocks: for param in block.all_parameters(): if param.name == 'noise': pd_var = fluid.global_scope().find_var(param.name) pd_param = pd_var.get_tensor() print("load: {}, shape: {}".format(param.name, param.shape)) print("Before setting the numpy array value: {}".format( np.array(pd_param).ravel()[:5])) noise_tensor = np.zeros(param.shape).astype('float32') noise_tensor[:] = 1e-7 pd_param.set(noise_tensor, place) print("After setting the numpy array value: {}".format( np.array(pd_param).ravel()[:5])) # pd_lr.get_tensor().set(np.array([0.02]).astype('float32'), place) if batch_size > 1: pd_noise_beta1.get_tensor().set( np.array([0.9]).astype('float32'), place) pd_noise_beta2.get_tensor().set( np.array([0.999]).astype('float32'), place) pd_noise_mom1.get_tensor().set( np.zeros(shape=[batch_size, 3, 224, 224]).astype('float32'), place) pd_noise_mom2.get_tensor().set( np.zeros(shape=[batch_size, 3, 224, 224]).astype('float32'), place) i = 0 fetch_list = [true_image, lr, loss, loss2, noise] mean_np = np.array([[[[0.485]], [[0.456]], [[0.406]]]]).astype('float32') std_np = np.array([[[[0.229]], [[0.224]], [[0.225]]]]).astype('float32') ori_img = np.round((images * std_np + mean_np) * 255.0) ori_img = np.clip(ori_img, 0, 255).astype('uint8') while True: if i == 0: test_vars = exe.run(program=test_prog, feed={ 'img': images, 'label': labels }, fetch_list=outs) for m in range(batch_size): str = 'First step test network,id:{},'.format(global_id + 1) global_id += 1 adv_labels = [] for j in range(len(outs)): o = test_vars[j][m] adv_label = np.argmax(o) adv_labels.append(adv_label) str += 'adv{}:%d,'.format(j + 1) print(str % (*adv_labels, )) train_vars = exe.run(program=fluid.default_main_program(), feed={ 'img': images, 'label': labels }, fetch_list=fetch_list) n = train_vars[-1] l2 = train_vars[-2] l1 = train_vars[-3] lr1 = train_vars[-4] tr_img = train_vars[-5] adv_img = n + images adv_img = np.round((adv_img * std_np + mean_np) * 255.0) adv_img = np.clip(adv_img, 0, 255).astype('uint8') diff = adv_img.astype('float32') - ori_img.astype('float32') avg_mse = diff * diff # avg l2 norm l2_norm = np.sum(avg_mse, axis=1) l2_norm = np.sqrt(l2_norm) l2_norm = np.mean(l2_norm, axis=(1, 2)) # avg mse avg_mse = np.mean(avg_mse, axis=(1, 2, 3)) test_vars = exe.run(program=test_prog, feed={ 'img': images, 'label': labels }, fetch_list=outs) successful = batch_size * len(outs) for m in range(batch_size): str = 'batch:%d,id:{},lr:%f,loss1:%f,loss2:%f,avg_mse:%f,l2_norm:%f,'.format( train_id * batch_size + m + 1) adv_labels = [] for j in range(len(outs)): o = test_vars[j][m] adv_label = np.argmax(o) adv_labels.append(adv_label) str += 'adv{}:%d,'.format(j + 1) print(str % (i, lr1, l1, l2, avg_mse[m], l2_norm[m], *adv_labels)) for adv_label in adv_labels: if adv_label == labels[m]: successful -= 1 i += 1 if (successful >= batch_size * len(outs) - 1 and np.mean(l2_norm) < 1.0) or i == 3000: if successful >= batch_size * len(outs) - 1: print('attack successful') else: print('attack failed') fail_count += 1 break print("failed:%d" % (fail_count, )) adv_img = adv_img.astype('float32') / 255.0 adv_img = adv_img - mean_np adv_img = adv_img / std_np for m in range(batch_size): adv_image = tensor2img(adv_img[m][np.newaxis, :, :, :]) ori_image = tensor2img(images[m][np.newaxis, :, :, :]) print('id:{},mse:{}'.format(train_id * batch_size + m + 1, call_avg_mse_np(adv_image, ori_image))) save_adv_image( adv_image, os.path.join(output_target, filenames[m].split('.')[0] + '.png')) print("attack over ,failed:%d" % (fail_count, ))
def gen_adv(): mse = 0 num = 1 original_files = get_original_file(input_dir + val_list) f = open('log.txt', 'w') # log for filename, label in original_files: img_path = input_dir + filename print("Image: {0} ".format(img_path)) img = process_img(img_path) Res_result, Inception_result, Mob_result = exe.run( double_eval_program, fetch_list=[Res_out, Inception_out, Mob_out], feed={input_layer.name: img}) Res_result = Res_result[0] Inception_result = Inception_result[0] Mob_result = Mob_result[0] r_o_label = np.argsort(Res_result)[::-1][:1][0] i_o_label = np.argsort(Inception_result)[::-1][:1][0] m_o_label = np.argsort(Mob_result)[::-1][:1][0] pred_label = [r_o_label, i_o_label, m_o_label] print("原始标签为{0}".format(label)) print("Res result: %d, Inception result: %d, Mobile result: %d" % (r_o_label, i_o_label, m_o_label)) f.write("原始标签为{0}\n".format(label)) f.write("Res result: %d, Inception result: %d, Mobile result: %d\n" % (r_o_label, i_o_label, m_o_label)) if r_o_label == int(label) and i_o_label == int( label) and m_o_label == int(label): global Res_ratio, Incep_ratio, Mob_ratio Res_ratio = 30.0 / 43.0 Incep_ratio = 10.0 / 43.0 Mob_ratio = 3.0 / 43.0 adv_img = attack_nontarget_by_PGD( double_adv_program, img, pred_label, label, out=[Res_out, Inception_out, Mob_out]) image_name, image_ext = filename.split('.') ##Save adversarial image(.png) org_img = tensor2img(img) score = calc_mse(org_img, adv_img) #image_name += "MSE_{}".format(score) save_adv_image(adv_img, output_dir + image_name + '.png') mse += score elif r_o_label == int(label) and m_o_label == int( label): # Inception 预测错误 print("filename:{}, Inception failed!".format(filename)) Res_ratio = 0.9 Incep_ratio = 0 Mob_ratio = 0.1 adv_img = attack_nontarget_by_PGD(double_adv_program, img, [r_o_label, 0, m_o_label], label, out=[Res_out, Mob_out]) image_name, image_ext = filename.split('.') ##Save adversarial image(.png) org_img = tensor2img(img) score = calc_mse(org_img, adv_img) #image_name += "MSE_{}".format(score) save_adv_image(adv_img, output_dir + image_name + '.png') mse += score elif r_o_label == int(label) and i_o_label == int( label): # Mobile 预测错误 print("filename:{}, Mobile failed!".format(filename)) Res_ratio = 0.75 Incep_ratio = 0.25 Mob_ratio = 0 adv_img = attack_nontarget_by_PGD(double_adv_program, img, [r_o_label, i_o_label, 0], label, out=[Res_out, Inception_out]) image_name, image_ext = filename.split('.') ##Save adversarial image(.png) org_img = tensor2img(img) score = calc_mse(org_img, adv_img) # image_name += "MSE_{}".format(score) save_adv_image(adv_img, output_dir + image_name + '.png') mse += score elif r_o_label == int(label): # Mobile, Inception 预测错误 print("filename:{}, Mobile failed!, Inception failed!".format( filename)) Res_ratio = 1.0 Incep_ratio = 0.0 Mob_ratio = 0.0 adv_img = attack_nontarget_by_PGD(double_adv_program, img, [r_o_label, 0, 0], label, out=[Res_out]) image_name, image_ext = filename.split('.') ##Save adversarial image(.png) org_img = tensor2img(img) score = calc_mse(org_img, adv_img) # image_name += "MSE_{}".format(score) save_adv_image(adv_img, output_dir + image_name + '.png') mse += score else: print("{0}个样本已为对抗样本, name为{1}".format(num, filename)) score = 0 f.write("{0}个样本已为对抗样本, name为{1}\n".format(num, filename)) img = tensor2img(img) image_name, image_ext = filename.split('.') #image_name += "_un_adv_" save_adv_image(img, output_dir + image_name + '.png') print("this rext network weight is {0}".format(Res_ratio)) num += 1 print("the image's mse is {}".format(score)) # break print("ADV {} files, AVG MSE: {} ".format(len(original_files), mse / len(original_files))) #print("ADV {} files, AVG MSE: {} ".format(len(original_files - num), mse / len(original_files - num))) f.write("ADV {} files, AVG MSE: {} ".format(len(original_files), mse / len(original_files))) f.close()