def main(args, arch):
model = StandardModel(args["dataset"], arch, False)
model.cuda()
model.eval()
# attack related settings
if args["attack_method"] == "zoo" or args[
"attack_method"] == "autozoom_bilin":
if args["img_resize"] is None:
args["img_resize"] = model.input_size[-1]
log.info(
"Argument img_resize is not set and not using autoencoder, set to image original size:{}"
.format(args["img_resize"]))
codec = None
if args["attack_method"] == "zoo_ae" or args[
"attack_method"] == "autozoom_ae":
codec = Codec(model.input_size[-1],
IN_CHANNELS[args["dataset"]],
args["compress_mode"],
args["resize"],
use_tanh=args["use_tanh"])
codec.load_codec(args["codec_path"])
codec.cuda()
decoder = codec.decoder
args["img_resize"] = decoder.input_shape[1]
log.info(
"Loading autoencoder: {}, set the attack image size to:{}".format(
args["codec_path"], args["img_resize"]))
# setup attack
if args["attack_method"] == "zoo":
blackbox_attack = ZOO(model, args["dataset"], args)
elif args["attack_method"] == "zoo_ae":
blackbox_attack = ZOO_AE(model, args["dataset"], args, decoder)
elif args["attack_method"] == "autozoom_bilin":
blackbox_attack = AutoZOOM_BiLIN(model, args["dataset"], args)
elif args["attack_method"] == "autozoom_ae":
blackbox_attack = AutoZOOM_AE(model, args["dataset"], args, decoder)
target_str = "untargeted" if args[
"attack_type"] != "targeted" else "targeted_{}".format(
args["target_type"])
save_result_path = args[
"exp_dir"] + "/data_{}@arch_{}@attack_{}@{}_result.json".format(
args["dataset"], arch, args["attack_method"], target_str)
attack_framework = AutoZoomAttackFramework(args)
attack_framework.attack_dataset_images(args, blackbox_attack, arch, model,
codec, save_result_path)
model.cpu()
def main(args, arch):
model = StandardModel(args.dataset, arch, args.solver != "fake_zero")
model.cuda()
model.eval()
if args.init_size is None:
args.init_size = model.input_size[-1]
log.info(
"Argument init_size is not set and not using autoencoder, set to image original size:{}"
.format(args.init_size))
target_str = "untargeted" if not args.targeted else "targeted_{}".format(
args.target_type)
save_result_path = args.exp_dir + "/data_{}@arch_{}@solver_{}@{}_result.json".format(
args.dataset, arch, args.solver, target_str)
if os.path.exists(save_result_path):
model.cpu()
return
attack_framework = ZooAttackFramework(args)
attack_framework.attack_dataset_images(args, arch, model, save_result_path)
model.cpu()
print_args(args)
defaults = json.load(open(args.json_config))[args.dataset]
arg_vars = vars(args)
arg_vars = {k: arg_vars[k] for k in arg_vars if arg_vars[k] is not None}
defaults.update(arg_vars)
args = SimpleNamespace(**defaults)
if args.norm == "linf":
args.epsilon = defaults["linf_epsilon"]
args.surrogate_arch = "resnet-110" if args.dataset.startswith(
"CIFAR") else "resnet101"
surrogate_model = StandardModel(args.dataset, args.surrogate_arch, False)
trn_data_loader = DataLoaderMaker.get_img_label_data_loader(
args.dataset, args.batch_size, is_train=True) # 生成的是训练集而非测试集
archs = []
for arch in MODELS_TRAIN_STANDARD[args.dataset]:
if StandardModel.check_arch(arch, args.dataset):
archs.append(arch)
print("It will be use {} architectures".format(",".join(archs)))
model_to_data = partition_dataset(archs, trn_data_loader,
args.total_images)
for arch in archs:
model = StandardModel(args.dataset, arch, True)
attacker = PriorRGFAttack(args.dataset, model, surrogate_model,
args.targeted, args.target_type)
log.info("Begin attack {}".format(arch))
with torch.no_grad():
attacker.attack_dataset(args, model_to_data, arch, save_dir_path)
model.cpu()
log.info("Attack {} with surrogate model {} done!".format(
arch, args.surrogate_arch))
def attack_all_images(self, args, arch, tmp_dump_path, result_dump_path):
# subset_pos用于回调函数汇报汇总统计结果
model = StandardModel(args.dataset, arch, no_grad=True)
model.cuda()
model.eval()
# 带有缩减功能的,攻击成功的图片自动删除掉
for data_idx, data_tuple in enumerate(self.dataset_loader):
if os.path.exists(tmp_dump_path):
with open(tmp_dump_path, "r") as file_obj:
json_content = json.load(file_obj)
resume_batch_idx = int(json_content["batch_idx"]) # resume
for key in [
'query_all', 'correct_all', 'not_done_all',
'success_all', 'success_query_all'
]:
if key in json_content:
setattr(
self, key,
torch.from_numpy(np.asarray(
json_content[key])).float())
if data_idx < resume_batch_idx: # resume
continue
if args.dataset == "ImageNet":
if model.input_size[-1] >= 299:
images, true_labels = data_tuple[1], data_tuple[2]
else:
images, true_labels = data_tuple[0], data_tuple[2]
else:
images, true_labels = data_tuple[0], data_tuple[1]
if images.size(-1) != model.input_size[-1]:
images = F.interpolate(images,
size=model.input_size[-1],
mode='bilinear',
align_corners=True)
# skip_batch_index_list = np.nonzero(np.asarray(chunk_skip_indexes[data_idx]))[0].tolist()
selected = torch.arange(
data_idx * args.batch_size,
min((data_idx + 1) * args.batch_size,
self.total_images)) # 选择这个batch的所有图片的index
img_idx_to_batch_idx = ImageIdxToOrigBatchIdx(args.batch_size)
images, true_labels = images.cuda(), true_labels.cuda()
first_finetune = True
finetune_queue = FinetuneQueue(args.batch_size, args.meta_seq_len,
img_idx_to_batch_idx)
prior_size = model.input_size[
-1] if not args.tiling else args.tile_size
assert args.tiling == (args.dataset == "ImageNet")
if args.tiling:
upsampler = Upsample(size=(model.input_size[-2],
model.input_size[-1]))
else:
upsampler = lambda x: x
with torch.no_grad():
logit = model(images)
pred = logit.argmax(dim=1)
query = torch.zeros(images.size(0)).cuda()
correct = pred.eq(true_labels).float() # shape = (batch_size,)
not_done = correct.clone() # shape = (batch_size,)
if args.targeted:
if args.target_type == 'random':
target_labels = torch.randint(
low=0,
high=CLASS_NUM[args.dataset],
size=true_labels.size()).long().cuda()
invalid_target_index = target_labels.eq(true_labels)
while invalid_target_index.sum().item() > 0:
target_labels[invalid_target_index] = torch.randint(
low=0,
high=logit.shape[1],
size=target_labels[invalid_target_index].shape
).long().cuda()
invalid_target_index = target_labels.eq(true_labels)
elif args.target_type == 'least_likely':
target_labels = logit.argmin(dim=1)
elif args.target_type == "increment":
target_labels = torch.fmod(true_labels + 1,
CLASS_NUM[args.dataset])
else:
raise NotImplementedError('Unknown target_type: {}'.format(
args.target_type))
else:
target_labels = None
prior = torch.zeros(images.size(0), IN_CHANNELS[args.dataset],
prior_size, prior_size).cuda()
prior_step = self.gd_prior_step if args.norm == 'l2' else self.eg_prior_step
image_step = self.l2_image_step if args.norm == 'l2' else self.linf_step
proj_step = self.l2_proj_step if args.norm == 'l2' else self.linf_proj_step # 调用proj_maker返回的是一个函数
criterion = self.cw_loss if args.data_loss == "cw" else self.xent_loss
adv_images = images.clone()
for step_index in range(1, args.max_queries + 1):
# Create noise for exporation, estimate the gradient, and take a PGD step
dim = prior.nelement() / images.size(
0) # nelement() --> total number of elements
exp_noise = args.exploration * torch.randn_like(prior) / (
dim**0.5
) # parameterizes the exploration to be done around the prior
exp_noise = exp_noise.cuda()
q1 = upsampler(
prior + exp_noise
) # 这就是Finite Difference算法, prior相当于论文里的v,这个prior也会更新,把梯度累积上去
q2 = upsampler(
prior -
exp_noise) # prior 相当于累积的更新量,用这个更新量,再去修改image,就会变得非常准
# Loss points for finite difference estimator
q1_images = adv_images + args.fd_eta * q1 / self.norm(q1)
q2_images = adv_images + args.fd_eta * q2 / self.norm(q2)
predict_by_target_model = False
if (step_index <= args.warm_up_steps or
(step_index - args.warm_up_steps) % args.meta_predict_steps
== 0):
log.info("predict from target model")
predict_by_target_model = True
with torch.no_grad():
q1_logits = model(q1_images)
q2_logits = model(q2_images)
q1_logits = q1_logits / torch.norm(
q1_logits, p=2, dim=-1,
keepdim=True) # 加入normalize
q2_logits = q2_logits / torch.norm(
q2_logits, p=2, dim=-1, keepdim=True)
finetune_queue.append(q1_images.detach(),
q2_images.detach(),
q1_logits.detach(),
q2_logits.detach())
if step_index >= args.warm_up_steps:
q1_images_seq, q2_images_seq, q1_logits_seq, q2_logits_seq = finetune_queue.stack_history_track(
)
finetune_times = args.finetune_times if first_finetune else random.randint(
3, 5) # FIXME
log.info("begin finetune for {} times".format(
finetune_times))
self.meta_finetuner.finetune(
q1_images_seq, q2_images_seq, q1_logits_seq,
q2_logits_seq, finetune_times, first_finetune,
img_idx_to_batch_idx)
first_finetune = False
else:
with torch.no_grad():
q1_logits, q2_logits = self.meta_finetuner.predict(
q1_images, q2_images, img_idx_to_batch_idx)
q1_logits = q1_logits / torch.norm(
q1_logits, p=2, dim=-1, keepdim=True)
q2_logits = q2_logits / torch.norm(
q2_logits, p=2, dim=-1, keepdim=True)
l1 = criterion(q1_logits, true_labels, target_labels)
l2 = criterion(q2_logits, true_labels, target_labels)
# Finite differences estimate of directional derivative
est_deriv = (l1 - l2) / (args.fd_eta * args.exploration
) # 方向导数 , l1和l2是loss
# 2-query gradient estimate
est_grad = est_deriv.view(-1, 1, 1,
1) * exp_noise # B, C, H, W,
# Update the prior with the estimated gradient
prior = prior_step(
prior, est_grad,
args.online_lr) # 注意,修正的是prior,这就是bandit算法的精髓
grad = upsampler(prior) # prior相当于梯度
## Update the image:
adv_images = image_step(
adv_images,
grad * correct.view(-1, 1, 1, 1), # 注意correct也是删减过的
args.image_lr) # prior放大后相当于累积的更新量,可以用来更新
adv_images = proj_step(images, args.epsilon, adv_images)
adv_images = torch.clamp(adv_images, 0, 1)
with torch.no_grad():
adv_logit = model(adv_images) #
adv_pred = adv_logit.argmax(dim=1)
adv_prob = F.softmax(adv_logit, dim=1)
adv_loss = criterion(adv_logit, true_labels, target_labels)
## Continue query count
if predict_by_target_model:
query = query + 2 * not_done
if args.targeted:
not_done = not_done * (
1 - adv_pred.eq(target_labels).float()
).float() # not_done初始化为 correct, shape = (batch_size,)
else:
not_done = not_done * adv_pred.eq(
true_labels).float() # 只要是跟原始label相等的,就还需要query,还没有成功
success = (1 - not_done) * correct
success_query = success * query
not_done_loss = adv_loss * not_done
not_done_prob = adv_prob[torch.arange(adv_images.size(0)),
true_labels] * not_done
log.info('Attacking image {} - {} / {}, step {}'.format(
data_idx * args.batch_size,
(data_idx + 1) * args.batch_size, self.total_images,
step_index))
log.info(' not_done: {:.4f}'.format(
len(
np.where(not_done.detach().cpu().numpy().astype(
np.int32) == 1)[0]) / float(args.batch_size)))
log.info(' fd_scalar: {:.9f}'.format(
(l1 - l2).mean().item()))
if success.sum().item() > 0:
log.info(' mean_query: {:.4f}'.format(
success_query[success.byte()].mean().item()))
log.info(' median_query: {:.4f}'.format(
success_query[success.byte()].median().item()))
if not_done.sum().item() > 0:
log.info(' not_done_loss: {:.4f}'.format(
not_done_loss[not_done.byte()].mean().item()))
log.info(' not_done_prob: {:.4f}'.format(
not_done_prob[not_done.byte()].mean().item()))
not_done_np = not_done.detach().cpu().numpy().astype(np.int32)
done_img_idx_list = np.where(not_done_np == 0)[0].tolist()
delete_all = False
if done_img_idx_list:
for skip_index in done_img_idx_list: # 两次循环,第一次循环先汇报出去,第二次循环删除
batch_idx = img_idx_to_batch_idx[skip_index]
pos = selected[batch_idx].item()
# 先汇报被删减的值self.query_all
for key in [
'query', 'correct', 'not_done', 'success',
'success_query', 'not_done_loss',
'not_done_prob'
]:
value_all = getattr(self, key + "_all")
value = eval(key)[skip_index].item()
value_all[pos] = value
images, adv_images, prior, query, true_labels, target_labels, correct, not_done = \
self.delete_tensor_by_index_list(done_img_idx_list, images, adv_images, prior, query,
true_labels, target_labels, correct, not_done)
img_idx_to_batch_idx.del_by_index_list(done_img_idx_list)
delete_all = images is None
if delete_all:
break
# report to all stats the rest unsuccess
for key in [
'query', 'correct', 'not_done', 'success', 'success_query',
'not_done_loss', 'not_done_prob'
]:
for img_idx, batch_idx in img_idx_to_batch_idx.proj_dict.items(
):
pos = selected[batch_idx].item()
value_all = getattr(self, key + "_all")
value = eval(key)[img_idx].item()
value_all[
pos] = value # 由于value_all是全部图片都放在一个数组里,当前batch选择出来
img_idx_to_batch_idx.proj_dict.clear()
tmp_info_dict = {
"batch_idx": data_idx + 1,
"batch_size": args.batch_size
}
for key in [
'query_all', 'correct_all', 'not_done_all', 'success_all',
'success_query_all'
]:
value_all = getattr(self, key).detach().cpu().numpy().tolist()
tmp_info_dict[key] = value_all
with open(tmp_dump_path, "w") as result_file_obj:
json.dump(tmp_info_dict, result_file_obj, sort_keys=True)
log.info('Saving results to {}'.format(result_dump_path))
meta_info_dict = {
"avg_correct":
self.correct_all.mean().item(),
"avg_not_done":
self.not_done_all[self.correct_all.byte()].mean().item(),
"mean_query":
self.success_query_all[self.success_all.byte()].mean().item(),
"median_query":
self.success_query_all[self.success_all.byte()].median().item(),
"max_query":
self.success_query_all[self.success_all.byte()].max().item(),
"correct_all":
self.correct_all.detach().cpu().numpy().astype(np.int32).tolist(),
"not_done_all":
self.not_done_all.detach().cpu().numpy().astype(np.int32).tolist(),
"query_all":
self.query_all.detach().cpu().numpy().astype(np.int32).tolist(),
"not_done_loss":
self.not_done_loss_all[self.not_done_all.byte()].mean().item(),
"not_done_prob":
self.not_done_prob_all[self.not_done_all.byte()].mean().item(),
"args":
vars(args)
}
with open(result_dump_path, "w") as result_file_obj:
json.dump(meta_info_dict, result_file_obj, sort_keys=True)
log.info("done, write stats info to {}".format(result_dump_path))
self.query_all.fill_(0)
self.correct_all.fill_(0)
self.not_done_all.fill_(0)
self.success_all.fill_(0)
self.success_query_all.fill_(0)
self.not_done_loss_all.fill_(0)
self.not_done_prob_all.fill_(0)
model.cpu()