def test_fgsm(self):
    """End-to-end check of the FGSM attack container (L-inf norm, eps=0.3).

    Verifies that generated adversarial examples: differ from the clean
    inputs, degrade model accuracy, have a success rate consistent with
    that accuracy, stay inside the eps-ball, and remain in the [0, 1]
    pixel range.
    """
    attack = attacks.FGSMContainer(
        self.mc, norm=np.inf, eps=0.3, eps_step=0.1, minimal=True)
    adv, y_adv, x_clean, y_clean = attack.generate(count=NUM_ADV)

    # At least made some change from clean images
    self.assertFalse((adv == x_clean).all())

    # test accuracy
    accuracy = self.mc.evaluate(adv, y_clean)
    logger.info('Accuracy on adv. examples: %f', accuracy)
    self.assertLessEqual(accuracy, 0.53)

    # test success rate
    success_rate = (y_adv != y_clean).sum() / len(y_adv)
    logger.info('Success rate of adv. attack: %f', success_rate)
    self.assertGreaterEqual(success_rate, 0.47)

    # sum success rate (missclassified) and accuracy (correctly classified)
    self.assertAlmostEqual(success_rate + accuracy, 1.0, places=4)

    # Check the max perturbation. `dif` is the maximum absolute pixel
    # difference, i.e. the L-infinity norm — matching the attack's
    # norm=np.inf / eps=0.3 constraint. (Fixed: the log message previously
    # mislabelled it as "L1-norm".)
    dif = np.max(np.abs(adv - x_clean))
    logger.info('Max perturbation (L-inf norm): %f', dif)
    self.assertLessEqual(dif, 0.3 + 1e-4)

    # Check bounding box: adversarial pixels must stay within [0, 1]
    # (small tolerance for floating-point round-off).
    self.assertLessEqual(np.max(adv), 1.0 + 1e-4)
    self.assertGreaterEqual(np.min(adv), 0 - 1e-4)

    # Informational only — no assertion on the L2 distance.
    l2 = np.max(get_l2_norm(adv, x_clean))
    logger.info('L2 norm = %f', l2)
def test_fgsm_attack(self):
    """Run FGSM through the defence pipeline and check the block rate.

    The fraction of adversarial samples blocked by the defence must be
    at least 60% of the attack's success rate.
    """
    fgsm = attacks.FGSMContainer(
        self.mc, norm=np.inf, eps=0.3, eps_step=0.1, minimal=True)

    # NOTE(review): `preform_attack` looks like a typo for `perform_attack`,
    # but it is the sibling helper's actual name — confirm before renaming.
    blocked_indices, adv_success_rate = self.preform_attack(fgsm)

    # Fraction of all generated adversarial samples that were blocked.
    block_rate = len(blocked_indices) / NUM_ADV
    self.assertGreaterEqual(block_rate, adv_success_rate * 0.6)
    logger.info('[%s] Block rate: %f', fgsm.__class__.__name__, block_rate)