def test_base_attack(model, criterion, image, label): attack = attacks.FGSM(model, criterion) assert attack.name() == 'GradientSignAttack' with pytest.raises(ValueError): attack(image=image) with pytest.raises(TypeError): attack(label=label) wrong_label = label + 1 adv = attack(image=image, label=label) assert adv is None adv = attack(image=image, label=wrong_label) assert adv.shape == image.shape adv = attack(image=image, label=wrong_label, unpack=False) assert adv.image.shape == image.shape adv = Adversarial(model, criterion, image, wrong_label) adv = attack(adv) assert adv.shape == image.shape adv = Adversarial(model, criterion, image, wrong_label) with pytest.raises(ValueError): attack(adv, label=wrong_label) attack = attacks.FGSM() with pytest.raises(ValueError): attack(image=image, label=wrong_label)
def get_attack(attack, fmodel): args = [] kwargs = {} # L0 if attack == 'SAPA': A = fa.SaltAndPepperNoiseAttack() elif attack == 'PA': A = fa.L1BrendelBethgeAttack() # L2 elif 'IGD' in attack: A = fa.L2BasicIterativeAttack() elif attack == 'AGNA': A = fa.L2AdditiveGaussianNoiseAttack() elif attack == 'BA': A = fa.BoundaryAttack() elif 'DeepFool' in attack: A = fa.L2DeepFoolAttack() elif attack == 'PAL2': A = fa.L2BrendelBethgeAttack() elif attack == "CWL2": A = fa.L2CarliniWagnerAttack() # L inf elif 'FGSM' in attack and not 'IFGSM' in attack: A = fa.FGSM() elif 'PGD' in attack: A = fa.LinfPGD() elif 'IGM' in attack: A = fa.LinfBrendelBethgeAttack() else: raise Exception('Not implemented') return A, 0, 0, 0
def get_attack(attack, fmodel): args = [] kwargs = {} # L0 if attack == 'SAPA': metric = foolbox.distances.L0 A = fa.SaltAndPepperNoiseAttack(fmodel, distance = metric) elif attack == 'PA': metric = foolbox.distances.L0 A = fa.PointwiseAttack(fmodel, distance = metric) # L2 elif 'IGD' in attack: metric = foolbox.distances.MSE A = fa.L2BasicIterativeAttack(fmodel, distance = metric) # kwargs['epsilons'] = 1.5 elif attack == 'AGNA': metric = foolbox.distances.MSE kwargs['epsilons'] = np.linspace(0.5, 1, 50) A = fa.AdditiveGaussianNoiseAttack(fmodel, distance = metric) elif attack == 'BA': metric = foolbox.distances.MSE A = fa.BoundaryAttack(fmodel, distance = metric) kwargs['log_every_n_steps'] = 500001 elif 'DeepFool' in attack: metric = foolbox.distances.MSE A = fa.DeepFoolL2Attack(fmodel, distance = metric) elif attack == 'PAL2': metric = foolbox.distances.MSE A = fa.PointwiseAttack(fmodel, distance = metric) elif attack == "CWL2": metric = foolbox.distances.MSE A = fa.CarliniWagnerL2Attack(fmodel, distance = metric) # L inf elif 'FGSM' in attack and not 'IFGSM' in attack: metric = foolbox.distances.Linf A = fa.FGSM(fmodel, distance = metric) kwargs['epsilons'] = 20 elif 'PGD' in attack: metric = foolbox.distances.Linf A = fa.LinfinityBasicIterativeAttack(fmodel, distance = metric) elif 'IGM' in attack: metric = foolbox.distances.Linf A = fa.MomentumIterativeAttack(fmodel, distance = metric) else: raise Exception('Not implemented') return A, metric, args, kwargs
uses_grad=True, ), AttackTestTarget(fa.NewtonFoolAttack(steps=20), uses_grad=True), AttackTestTarget(fa.VirtualAdversarialAttack(steps=50, xi=1), 10, uses_grad=True), AttackTestTarget(fa.PGD(), Linf(1.0), uses_grad=True), AttackTestTarget(fa.L2PGD(), L2(50.0), uses_grad=True), AttackTestTarget(fa.L1PGD(), 5000.0, uses_grad=True), AttackTestTarget(fa.LinfBasicIterativeAttack(abs_stepsize=0.2), Linf(1.0), uses_grad=True), AttackTestTarget(fa.L2BasicIterativeAttack(), L2(50.0), uses_grad=True), AttackTestTarget(fa.L1BasicIterativeAttack(), 5000.0, uses_grad=True), AttackTestTarget(fa.SparseL1DescentAttack(), 5000.0, uses_grad=True), AttackTestTarget(fa.FGSM(), Linf(100.0), uses_grad=True), AttackTestTarget(FGSM_GE(), Linf(100.0)), AttackTestTarget(fa.FGM(), L2(100.0), uses_grad=True), AttackTestTarget(fa.L1FastGradientAttack(), 5000.0, uses_grad=True), AttackTestTarget(fa.GaussianBlurAttack(steps=10), uses_grad=True, requires_real_model=True), AttackTestTarget( fa.GaussianBlurAttack(steps=10, max_sigma=224.0), uses_grad=True, requires_real_model=True, ), AttackTestTarget(fa.L2DeepFoolAttack(steps=50, loss="logits"), uses_grad=True), AttackTestTarget(fa.L2DeepFoolAttack(steps=50, loss="crossentropy"), uses_grad=True),
baseline_model.fit(ds_train, epochs=1, validation_data=ds_test, steps_per_epoch=7500 // batch_size, validation_steps=2500 // batch_size, callbacks=[tensorboard_callback]) for images, labels in ds_train.take(1): # only take first element of dataset images_ex = ep.astensors(images) labels_ex = ep.astensors(labels) fmodel = fb.TensorFlowModel(baseline_model, bounds=(0, 1)) attacks = [ fa.FGSM(), fa.LinfPGD(), fa.LinfBasicIterativeAttack(), fa.LinfAdditiveUniformNoiseAttack(), fa.LinfDeepFoolAttack(), ] attacks_names = [ "FGSM", "LinfPGD", "LinfBasicIterativeAttack", "LinfAdditiveUniformNoiseAttack", "LinfDeepFoolAttack" ] epsilons = [ 0.0, 0.0005, 0.001, 0.0015, 0.002, 0.003, 0.005, 0.01, 0.02, 0.03, 0.1, 0.3, 0.5, 1.0 ]
( fa.EADAttack(binary_search_steps=3, steps=20, decision_rule="L1", regularization=0), None, True, False, ), (fa.NewtonFoolAttack(steps=20), None, True, False), (fa.VirtualAdversarialAttack(steps=50, xi=1), 10, True, False), (fa.PGD(), Linf(1.0), True, False), (fa.L2PGD(), L2(50.0), True, False), (fa.LinfBasicIterativeAttack(abs_stepsize=0.2), Linf(1.0), True, False), (fa.L2BasicIterativeAttack(), L2(50.0), True, False), (fa.FGSM(), Linf(100.0), True, False), (fa.FGM(), L2(100.0), True, False), (fa.GaussianBlurAttack(steps=10), None, True, True), (fa.GaussianBlurAttack(steps=10, max_sigma=224.0), None, True, True), (fa.L2DeepFoolAttack(steps=50, loss="logits"), None, True, False), (fa.L2DeepFoolAttack(steps=50, loss="crossentropy"), None, True, False), (fa.LinfDeepFoolAttack(steps=50), None, True, False), (fa.BoundaryAttack(steps=50), None, False, False), ( fa.BoundaryAttack( steps=110, init_attack=fa.LinearSearchBlendedUniformNoiseAttack(steps=50), update_stats_every_k=1, ), None, False,
model.fit( ds_train, epochs=1, validation_data=ds_test, callbacks=[tensorboard_callback] ) for images, labels in ds_train.take(1): images_ex = ep.astensors(images) labels_ex = ep.astensors(labels) fmodel = fb.TensorFlowModel(model, bounds=(0, 1)) attacks = [ fa.FGSM(), fa.LinfPGD(), fa.LinfBasicIterativeAttack(), fa.LinfAdditiveUniformNoiseAttack(), fa.LinfDeepFoolAttack(), ] epsilons = [ 0.0, 0.0005, 0.001, 0.0015, 0.002, 0.003, 0.005, 0.01,
def test_base_init(): assert attacks.FGSM() is not None assert attacks.FGSM(Mock()) is not None assert attacks.FGSM(None, None) is not None assert attacks.FGSM(Mock(), Mock()) is not None
def test_early_stopping(bn_model, bn_criterion, bn_image, bn_label): attack = attacks.FGSM() model = bn_model criterion = bn_criterion image = bn_image label = bn_label wrong_label = label + 1 adv = Adversarial(model, criterion, image, wrong_label) attack(adv) assert adv.distance.value == 0 assert not adv.reached_threshold() # because no threshold specified adv = Adversarial(model, criterion, image, wrong_label, threshold=1e10) attack(adv) assert adv.distance.value == 0 assert adv.reached_threshold() adv = Adversarial(model, criterion, image, label) attack(adv) assert adv.distance.value > 0 assert not adv.reached_threshold() # because no threshold specified c = adv._total_prediction_calls d = adv.distance.value large_d = 10 * d small_d = d / 2 adv = Adversarial(model, criterion, image, label, threshold=adv._distance(value=large_d)) attack(adv) assert 0 < adv.distance.value <= large_d assert adv.reached_threshold() assert adv._total_prediction_calls < c adv = Adversarial(model, criterion, image, label, threshold=large_d) attack(adv) assert 0 < adv.distance.value <= large_d assert adv.reached_threshold() assert adv._total_prediction_calls < c adv = Adversarial(model, criterion, image, label, threshold=small_d) attack(adv) assert small_d < adv.distance.value <= large_d assert not adv.reached_threshold() assert adv._total_prediction_calls == c assert adv.distance.value == d adv = Adversarial(model, criterion, image, label, threshold=adv._distance(value=large_d)) attack(adv) assert adv.reached_threshold() c = adv._total_prediction_calls attack(adv) assert adv._total_prediction_calls == c # no new calls
return ssim from foolbox.attacks import LBFGSAttack from foolbox.criteria import TargetClass # In[18]: # FGSM from foolbox.criteria import TargetClass from foolbox import attacks target_class = 22 criterion = TargetClass(target_class) attack = attacks.FGSM(fmodel) # In[17]: # # from foolbox.criteria import TargetClass # # target_class = 22 # criterion = TargetClass(target_class) # attack=foolbox.attacks.IterativeGradientSignAttack(fmodel, criterion=criterion) # In[20]: import attacker for idx in tqdm(img_pairs.index.values):