def __init__(self, model, model_type='classification', targeted=False, reserve_ratio=0.3, sparse=True, step_size=0.5, per_bounds=0.6, c1=2.0, c2=2.0, c=2.0, pop_size=6, t_max=1000, pm=0.5, bounds=None): super(PSOAttack, self).__init__() self._model = check_model('model', model, BlackModel) self._step_size = check_value_positive('step_size', step_size) self._per_bounds = check_value_positive('per_bounds', per_bounds) self._c1 = check_value_positive('c1', c1) self._c2 = check_value_positive('c2', c2) self._c = check_value_positive('c', c) self._pop_size = check_int_positive('pop_size', pop_size) self._pm = check_value_non_negative('pm', pm) if self._pm > 1: msg = "pm should not be greater than 1.0, but got {}.".format(self._pm) LOGGER.error(TAG, msg) raise ValueError(msg) self._bounds = bounds if self._bounds is not None: self._bounds = check_param_multi_types('bounds', bounds, [list, tuple]) for b in self._bounds: _ = check_param_multi_types('bound', b, [int, float]) self._targeted = check_param_type('targeted', targeted, bool) self._t_max = check_int_positive('t_max', t_max) self._sparse = check_param_type('sparse', sparse, bool) self._model_type = check_param_type('model_type', model_type, str) if self._model_type not in ('classification', 'detection'): msg = "Only 'classification' or 'detection' is supported now, but got {}.".format(self._model_type) LOGGER.error(TAG, msg) raise ValueError(msg) self._reserve_ratio = check_value_non_negative('reserve_ratio', reserve_ratio) if self._reserve_ratio > 1: msg = "reserve_ratio should not be greater than 1.0, but got {}.".format(self._reserve_ratio) LOGGER.error(TAG, msg) raise ValueError(msg)
def __init__(self, raw_preds, def_preds, raw_query_counts, def_query_counts, raw_query_time, def_query_time, def_detection_counts, true_labels, max_queries): self._raw_preds, self._def_preds = check_pair_numpy_param( 'raw_preds', raw_preds, 'def_preds', def_preds) self._num_samples = self._raw_preds.shape[0] self._raw_query_counts, _ = check_equal_length('raw_query_counts', raw_query_counts, 'number of sample', self._raw_preds) self._def_query_counts, _ = check_equal_length('def_query_counts', def_query_counts, 'number of sample', self._raw_preds) self._raw_query_time, _ = check_equal_length('raw_query_time', raw_query_time, 'number of sample', self._raw_preds) self._def_query_time, _ = check_equal_length('def_query_time', def_query_time, 'number of sample', self._raw_preds) self._num_adv_samples = self._raw_query_counts[ self._raw_query_counts > 0].shape[0] self._num_adv_samples = check_int_positive( 'the number of adversarial samples', self._num_adv_samples) self._num_ben_samples = self._num_samples - self._num_adv_samples self._max_queries = check_int_positive('max_queries', max_queries) self._def_detection_counts = check_numpy_param('def_detection_counts', def_detection_counts) self._true_labels = check_numpy_param('true_labels', true_labels)
def __init__(self, model, pop_size=6, mutation_rate=0.005, per_bounds=0.15, max_steps=1000, step_size=0.20, temp=0.3, bounds=(0, 1.0), adaptive=False, sparse=True): super(GeneticAttack, self).__init__() self._model = check_model('model', model, BlackModel) self._per_bounds = check_value_positive('per_bounds', per_bounds) self._pop_size = check_int_positive('pop_size', pop_size) self._step_size = check_value_positive('step_size', step_size) self._temp = check_value_positive('temp', temp) self._max_steps = check_int_positive('max_steps', max_steps) self._mutation_rate = check_value_positive('mutation_rate', mutation_rate) self._adaptive = check_param_type('adaptive', adaptive, bool) self._bounds = check_param_multi_types('bounds', bounds, [list, tuple]) for b in self._bounds: _ = check_param_multi_types('bound', b, [int, float]) # initial global optimum fitness value self._best_fit = -1 # count times of no progress self._plateau_times = 0 # count times of changing attack step self._adap_times = 0 self._sparse = check_param_type('sparse', sparse, bool)
def __init__(self, model, step_size=0.5, per_bounds=0.6, c1=2.0, c2=2.0, c=2.0, pop_size=6, t_max=1000, pm=0.5, bounds=None, targeted=False, reduction_iters=3, sparse=True): super(PSOAttack, self).__init__() self._model = check_model('model', model, BlackModel) self._step_size = check_value_positive('step_size', step_size) self._per_bounds = check_value_positive('per_bounds', per_bounds) self._c1 = check_value_positive('c1', c1) self._c2 = check_value_positive('c2', c2) self._c = check_value_positive('c', c) self._pop_size = check_int_positive('pop_size', pop_size) self._pm = check_value_positive('pm', pm) self._bounds = check_param_multi_types('bounds', bounds, [list, tuple]) for b in self._bounds: _ = check_param_multi_types('bound', b, [int, float]) self._targeted = check_param_type('targeted', targeted, bool) self._t_max = check_int_positive('t_max', t_max) self._reduce_iters = check_int_positive('reduction_iters', reduction_iters) self._sparse = check_param_type('sparse', sparse, bool)
def __init__(self, network, eps=1e-5, bounds=(0.0, 1.0), is_targeted=True, nb_iter=150, search_iters=30, loss_fn=None, sparse=False): super(LBFGS, self).__init__() self._network = check_model('network', network, Cell) self._eps = check_value_positive('eps', eps) self._is_targeted = check_param_type('is_targeted', is_targeted, bool) self._nb_iter = check_int_positive('nb_iter', nb_iter) self._search_iters = check_int_positive('search_iters', search_iters) if loss_fn is None: loss_fn = SoftmaxCrossEntropyWithLogits(is_grad=False, sparse=False) with_loss_cell = WithLossCell(self._network, loss_fn) self._grad_all = GradWrapWithLoss(with_loss_cell) self._dtype = None self._bounds = check_param_multi_types('bounds', bounds, [list, tuple]) self._sparse = check_param_type('sparse', sparse, bool) for b in self._bounds: _ = check_param_multi_types('bound', b, [int, float]) box_max, box_min = bounds if box_max < box_min: self._box_min = box_max self._box_max = box_min else: self._box_min = box_min self._box_max = box_max
def __init__(self, initial_seeds, target_model, train_dataset, const_K, mode='L', max_seed_num=1000): self.initial_seeds = initial_seeds self.target_model = check_model('model', target_model, Model) self.train_dataset = check_numpy_param('train_dataset', train_dataset) self.const_k = check_int_positive('const_k', const_K) self.mode = mode self.max_seed_num = check_int_positive('max_seed_num', max_seed_num) self.coverage_metrics = ModelCoverageMetrics(target_model, 1000, 10, train_dataset)
def __init__(self, model, segmented_num, neuron_num, train_dataset): self._model = check_model('model', model, Model) self._segmented_num = check_int_positive('segmented_num', segmented_num) self._neuron_num = check_int_positive('neuron_num', neuron_num) train_dataset = check_numpy_param('train_dataset', train_dataset) self._lower_bounds = [np.inf] * neuron_num self._upper_bounds = [-np.inf] * neuron_num self._var = [0] * neuron_num self._main_section_hits = [[0 for _ in range(self._segmented_num)] for _ in range(self._neuron_num)] self._lower_corner_hits = [0] * self._neuron_num self._upper_corner_hits = [0] * self._neuron_num self._bounds_get(train_dataset)
def __init__(self, network, num_classes, max_iters=50, overshoot=0.02, norm_level=2, bounds=None, sparse=True): super(DeepFool, self).__init__() self._network = check_model('network', network, Cell) self._network.set_grad(True) self._max_iters = check_int_positive('max_iters', max_iters) self._overshoot = check_value_positive('overshoot', overshoot) self._norm_level = check_norm_level(norm_level) self._num_classes = check_int_positive('num_classes', num_classes) self._net_grad = GradWrap(self._network) self._bounds = check_param_multi_types('bounds', bounds, [list, tuple]) self._sparse = check_param_type('sparse', sparse, bool) for b in self._bounds: _ = check_param_multi_types('bound', b, [int, float])
def batch_defense(self, inputs, labels, batch_size=32, epochs=5): """ Defense model with samples in batch. Args: inputs (numpy.ndarray): Samples based on which adversarial examples are generated. labels (numpy.ndarray): Labels of input samples. batch_size (int): Number of samples in one batch. epochs (int): Number of epochs. Returns: numpy.ndarray, loss of batch_defense operation. Raises: ValueError: If batch_size is 0. """ inputs, labels = check_pair_numpy_param('inputs', inputs, 'labels', labels) x_len = len(inputs) batch_size = check_int_positive('batch_size', batch_size) iters_per_epoch = int(x_len / batch_size) loss = None for _ in range(epochs): for step in range(iters_per_epoch): x_batch = inputs[step * batch_size:(step + 1) * batch_size] y_batch = labels[step * batch_size:(step + 1) * batch_size] loss = self.defense(x_batch, y_batch) return loss
def __init__(self, network, num_classes, box_min=0.0, box_max=1.0, theta=1.0, max_iteration=1000, max_count=3, increase=True, sparse=True): super(JSMAAttack).__init__() LOGGER.debug(TAG, "init jsma class.") self._network = check_model('network', network, Cell) self._min = check_value_non_negative('box_min', box_min) self._max = check_value_non_negative('box_max', box_max) self._num_classes = check_int_positive('num_classes', num_classes) self._theta = check_value_positive('theta', theta) self._max_iter = check_int_positive('max_iteration', max_iteration) self._max_count = check_int_positive('max_count', max_count) self._increase = check_param_type('increase', increase, bool) self._net_grad = GradWrap(self._network) self._bit_map = None self._sparse = check_param_type('sparse', sparse, bool)
def _bounds_get(self, train_dataset, batch_size=32): """ Update the lower and upper boundaries of neurons' outputs. Args: train_dataset (numpy.ndarray): Training dataset used for determine the neurons' output boundaries. batch_size (int): The number of samples in a predict batch. Default: 32. """ batch_size = check_int_positive('batch_size', batch_size) output_mat = [] batches = train_dataset.shape[0] // batch_size for i in range(batches): inputs = train_dataset[i * batch_size:(i + 1) * batch_size] output = self._model.predict(Tensor(inputs)).asnumpy() output_mat.append(output) lower_compare_array = np.concatenate( [output, np.array([self._lower_bounds])], axis=0) self._lower_bounds = np.min(lower_compare_array, axis=0) upper_compare_array = np.concatenate( [output, np.array([self._upper_bounds])], axis=0) self._upper_bounds = np.max(upper_compare_array, axis=0) if batches == 0: output = self._model.predict(Tensor(train_dataset)).asnumpy() self._lower_bounds = np.min(output, axis=0) self._upper_bounds = np.max(output, axis=0) output_mat.append(output) self._var = np.std(np.concatenate(np.array(output_mat), axis=0), axis=0)
def test_adequacy_coverage_calculate(self, dataset, bias_coefficient=0, batch_size=32): """ Calculate the testing adequacy of the given dataset. Args: dataset (numpy.ndarray): Data for fuzz test. bias_coefficient (float): The coefficient used for changing the neurons' output boundaries. Default: 0. batch_size (int): The number of samples in a predict batch. Default: 32. Examples: >>> model_fuzz_test = ModelCoverageMetrics(model, 10000, 10, train_images) >>> model_fuzz_test.test_adequacy_coverage_calculate(test_images) """ dataset = check_numpy_param('dataset', dataset) batch_size = check_int_positive('batch_size', batch_size) self._lower_bounds -= bias_coefficient * self._var self._upper_bounds += bias_coefficient * self._var intervals = (self._upper_bounds - self._lower_bounds) / self._k batches = dataset.shape[0] // batch_size for i in range(batches): self._sections_hits_count( dataset[i * batch_size:(i + 1) * batch_size], intervals)
def __init__(self, model, init_num_evals=100, max_num_evals=1000, stepsize_search='geometric_progression', num_iterations=20, gamma=1.0, constraint='l2', batch_size=32, clip_min=0.0, clip_max=1.0, sparse=True): super(HopSkipJumpAttack, self).__init__() self._model = check_model('model', model, BlackModel) self._init_num_evals = check_int_positive('initial_num_evals', init_num_evals) self._max_num_evals = check_int_positive('max_num_evals', max_num_evals) self._batch_size = check_int_positive('batch_size', batch_size) self._clip_min = check_value_non_negative('clip_min', clip_min) self._clip_max = check_value_non_negative('clip_max', clip_max) self._sparse = check_param_type('sparse', sparse, bool) self._np_dtype = np.dtype('float32') if stepsize_search in ['geometric_progression', 'grid_search']: self._stepsize_search = stepsize_search else: msg = "stepsize_search must be in ['geometric_progression'," \ " 'grid_search'], but got {}".format(stepsize_search) LOGGER.error(TAG, msg) raise ValueError(msg) self._num_iterations = check_int_positive('num_iterations', num_iterations) self._gamma = check_value_positive('gamma', gamma) if constraint in ['l2', 'linf']: self._constraint = constraint else: msg = "constraint must be in ['l2', 'linf'], " \ "but got {}".format(constraint) LOGGER.error(TAG, msg) raise ValueError(msg) self.queries = 0 self.is_adv = True self.y_targets = None self.image_targets = None self.y_target = None self.image_target = None
def __init__(self, model, scene, max_queries=10000, top_k=-1, num_class=10, batch_size=128, epsilon=0.3, samples_per_draw=128, momentum=0.9, learning_rate=1e-3, max_lr=5e-2, min_lr=5e-4, sigma=1e-3, plateau_length=20, plateau_drop=2.0, adv_thresh=0.25, zero_iters=10, starting_eps=1.0, starting_delta_eps=0.5, label_only_sigma=1e-3, conservative=2, sparse=True): super(NES, self).__init__() self._model = check_model('model', model, BlackModel) self._scene = scene self._max_queries = check_int_positive('max_queries', max_queries) self._num_class = check_int_positive('num_class', num_class) self._batch_size = check_int_positive('batch_size', batch_size) self._samples_per_draw = check_int_positive('samples_per_draw', samples_per_draw) self._goal_epsilon = check_value_positive('epsilon', epsilon) self._momentum = check_value_positive('momentum', momentum) self._learning_rate = check_value_positive('learning_rate', learning_rate) self._max_lr = check_value_positive('max_lr', max_lr) self._min_lr = check_value_positive('min_lr', min_lr) self._sigma = check_value_positive('sigma', sigma) self._plateau_length = check_int_positive('plateau_length', plateau_length) self._plateau_drop = check_value_positive('plateau_drop', plateau_drop) # partial information arguments self._k = top_k self._adv_thresh = check_value_positive('adv_thresh', adv_thresh) # label only arguments self._zero_iters = check_int_positive('zero_iters', zero_iters) self._starting_eps = check_value_positive('starting_eps', starting_eps) self._starting_delta_eps = check_value_positive('starting_delta_eps', starting_delta_eps) self._label_only_sigma = check_value_positive('label_only_sigma', label_only_sigma) self._conservative = check_int_positive('conservative', conservative) self._sparse = check_param_type('sparse', sparse, bool) self.target_imgs = None self.target_img = None self.target_class = None
def __init__(self, model, neuron_num, segmented_num, train_dataset): self._model = check_model('model', model, Model) self._segmented_num = check_int_positive('segmented_num', segmented_num) self._neuron_num = check_int_positive('neuron_num', neuron_num) if self._neuron_num > 1e+9: msg = 'neuron_num should be less than 1e+10, otherwise a MemoryError would occur' LOGGER.error(TAG, msg) raise ValueError(msg) train_dataset = check_numpy_param('train_dataset', train_dataset) self._lower_bounds = [np.inf] * self._neuron_num self._upper_bounds = [-np.inf] * self._neuron_num self._var = [0] * self._neuron_num self._main_section_hits = [[0 for _ in range(self._segmented_num)] for _ in range(self._neuron_num)] self._lower_corner_hits = [0] * self._neuron_num self._upper_corner_hits = [0] * self._neuron_num self._bounds_get(train_dataset)
def __init__(self, trans_model, max_k_neighbor=1000, chunk_size=1000, max_buffer_size=10000, tuning=False, fpr=0.001): super(SimilarityDetector, self).__init__() self._max_k_neighbor = check_int_positive('max_k_neighbor', max_k_neighbor) self._trans_model = check_model('trans_model', trans_model, Model) self._tuning = check_param_type('tuning', tuning, bool) self._chunk_size = check_int_positive('chunk_size', chunk_size) self._max_buffer_size = check_int_positive('max_buffer_size', max_buffer_size) self._fpr = check_param_in_range('fpr', fpr, 0, 1) self._num_of_neighbors = None self._threshold = None self._num_queries = 0 # Stores recently processed queries self._buffer = [] # Tracks indexes of detected queries self._detected_queries = []
def __init__(self, model, max_iter=1000, search_iter=10, is_targeted=False, init_attack=None, sparse=True): super(PointWiseAttack, self).__init__() self._model = check_model('model', model, BlackModel) self._max_iter = check_int_positive('max_iter', max_iter) self._search_iter = check_int_positive('search_iter', search_iter) self._is_targeted = check_param_type('is_targeted', is_targeted, bool) if init_attack is None: self._init_attack = SaltAndPepperNoiseAttack( model, is_targeted=self._is_targeted) else: self._init_attack = init_attack self._sparse = check_param_type('sparse', sparse, bool)
def __init__(self, model, bounds=(0.0, 1.0), max_iter=100, is_targeted=False, sparse=True): super(SaltAndPepperNoiseAttack, self).__init__() self._model = check_model('model', model, BlackModel) self._bounds = check_param_multi_types('bounds', bounds, [tuple, list]) for b in self._bounds: _ = check_param_multi_types('bound', b, [int, float]) self._max_iter = check_int_positive('max_iter', max_iter) self._is_targeted = check_param_type('is_targeted', is_targeted, bool) self._sparse = check_param_type('sparse', sparse, bool)
def __init__(self, network, input_shape, input_bound, loss_weights=(1, 0.2, 5)): self._network = check_param_type('network', network, Cell) for sub_loss_weight in loss_weights: check_value_positive('sub_loss_weight', sub_loss_weight) self._loss = InversionLoss(self._network, loss_weights) self._input_shape = check_param_type('input_shape', input_shape, tuple) for shape_dim in input_shape: check_int_positive('shape_dim', shape_dim) self._input_bound = check_param_multi_types('input_bound', input_bound, [list, tuple]) for value_bound in self._input_bound: check_param_multi_types('value_bound', value_bound, [float, int]) if self._input_bound[0] > self._input_bound[1]: msg = 'input_bound[0] should not be larger than input_bound[1], but got them as {} and {}'.format( self._input_bound[0], self._input_bound[1]) raise ValueError(msg)
def set_threshold(self, num_of_neighbors, threshold): """ Set the parameters num_of_neighbors and threshold. Args: num_of_neighbors (int): Number of the nearest neighbors. threshold (float): Detection threshold. Default: None. """ self._num_of_neighbors = check_int_positive('num_of_neighbors', num_of_neighbors) self._threshold = check_value_positive('threshold', threshold)
def __init__(self, auto_encoder, model, option="jsd", t=1, bounds=(0.0, 1.0)): super(DivergenceBasedDetector, self).__init__(auto_encoder, bounds=bounds) self._auto_encoder = auto_encoder self._model = check_model('targeted model', model, Model) self._threshold = 0.0 self._option = option self._t = check_int_positive('t', t) self._bounds = check_param_multi_types('bounds', bounds, [tuple, list]) for b in self._bounds: _ = check_param_multi_types('bound', b, [int, float])
def __init__(self, model, model_type='classification', targeted=True, reserve_ratio=0.3, sparse=True, pop_size=6, mutation_rate=0.005, per_bounds=0.15, max_steps=1000, step_size=0.20, temp=0.3, bounds=(0, 1.0), adaptive=False, c=0.1): super(GeneticAttack, self).__init__() self._model = check_model('model', model, BlackModel) self._model_type = check_param_type('model_type', model_type, str) if self._model_type not in ('classification', 'detection'): msg = "Only 'classification' or 'detection' is supported now, but got {}.".format(self._model_type) LOGGER.error(TAG, msg) raise ValueError(msg) self._targeted = check_param_type('targeted', targeted, bool) self._reserve_ratio = check_value_non_negative('reserve_ratio', reserve_ratio) if self._reserve_ratio > 1: msg = "reserve_ratio should not be greater than 1.0, but got {}.".format(self._reserve_ratio) LOGGER.error(TAG, msg) raise ValueError(msg) self._sparse = check_param_type('sparse', sparse, bool) self._per_bounds = check_value_positive('per_bounds', per_bounds) self._pop_size = check_int_positive('pop_size', pop_size) self._step_size = check_value_positive('step_size', step_size) self._temp = check_value_positive('temp', temp) self._max_steps = check_int_positive('max_steps', max_steps) self._mutation_rate = check_value_non_negative('mutation_rate', mutation_rate) if self._mutation_rate > 1: msg = "mutation_rate should not be greater than 1.0, but got {}.".format(self._mutation_rate) LOGGER.error(TAG, msg) raise ValueError(msg) self._adaptive = check_param_type('adaptive', adaptive, bool) # initial global optimum fitness value self._best_fit = -np.inf # count times of no progress self._plateau_times = 0 # count times of changing attack step_size self._adap_times = 0 self._bounds = bounds if self._bounds is not None: self._bounds = check_param_multi_types('bounds', bounds, [list, tuple]) for b in self._bounds: _ = check_param_multi_types('bound', b, [int, float]) self._c = check_value_positive('c', c)
def __init__(self, num_samples, batch_size, initial_noise_multiplier=1.5, max_eps=10.0, target_delta=1e-3, noise_decay_mode='Time', noise_decay_rate=6e-4, per_print_times=50, dataset_sink_mode=False): super(ZCDPMonitor, self).__init__() check_int_positive('num_samples', num_samples) check_int_positive('batch_size', batch_size) if batch_size >= num_samples: msg = 'Batch_size must be less than num_samples.' LOGGER.error(TAG, msg) raise ValueError(msg) check_value_positive('initial_noise_multiplier', initial_noise_multiplier) if noise_decay_mode is not None: if noise_decay_mode not in ('Step', 'Time', 'Exp'): msg = "Noise decay mode must be in ('Step', 'Time', 'Exp'), but got {}.".\ format(noise_decay_mode) LOGGER.error(TAG, msg) raise ValueError(msg) noise_decay_rate = check_param_type('noise_decay_rate', noise_decay_rate, float) check_param_in_range('noise_decay_rate', noise_decay_rate, 0.0, 1.0) check_int_positive('per_print_times', per_print_times) check_param_type('dataset_sink_mode', dataset_sink_mode, bool) self._num_samples = num_samples self._batch_size = batch_size self._initial_noise_multiplier = initial_noise_multiplier self._max_eps = check_value_positive('max_eps', max_eps) self._target_delta = check_param_in_range('target_delta', target_delta, 0.0, 1.0) self._noise_decay_mode = noise_decay_mode self._noise_decay_rate = noise_decay_rate # initialize zcdp self._zcdp = 0 self._per_print_times = per_print_times if dataset_sink_mode: self._per_print_times = int(self._num_samples / self._batch_size)
def __init__(self, network, num_classes, box_min=0.0, box_max=1.0, bin_search_steps=5, max_iterations=1000, confidence=0, learning_rate=5e-3, initial_const=1e-2, abort_early_check_ratio=5e-2, targeted=False, fast=True, abort_early=True, sparse=True): LOGGER.info(TAG, "init CW object.") super(CarliniWagnerL2Attack, self).__init__() self._network = check_model('network', network, Cell) self._network.set_grad(True) self._num_classes = check_int_positive('num_classes', num_classes) self._min = check_param_type('box_min', box_min, float) self._max = check_param_type('box_max', box_max, float) self._bin_search_steps = check_int_positive('search_steps', bin_search_steps) self._max_iterations = check_int_positive('max_iterations', max_iterations) self._confidence = check_param_multi_types('confidence', confidence, [int, float]) self._learning_rate = check_value_positive('learning_rate', learning_rate) self._initial_const = check_value_positive('initial_const', initial_const) self._abort_early = check_param_type('abort_early', abort_early, bool) self._fast = check_param_type('fast', fast, bool) self._abort_early_check_ratio = check_value_positive( 'abort_early_check_ratio', abort_early_check_ratio) self._targeted = check_param_type('targeted', targeted, bool) self._net_grad = GradWrap(self._network) self._sparse = check_param_type('sparse', sparse, bool) self._dtype = None
def __init__(self, model, ksize=3, is_local_smooth=True, metric='l1', false_positive_ratio=0.05): super(SpatialSmoothing, self).__init__() self._ksize = check_int_positive('ksize', ksize) self._is_local_smooth = check_param_type('is_local_smooth', is_local_smooth, bool) self._model = check_model('model', model, Model) self._metric = metric self._fpr = check_param_in_range('false_positive_ratio', false_positive_ratio, 0, 1) self._threshold = None
def __init__(self, micro_batches=2, norm_bound=1.0, noise_mech=None, clip_mech=None, **kwargs): if micro_batches: self._micro_batches = check_int_positive('micro_batches', micro_batches) else: self._micro_batches = None norm_bound = check_param_type('norm_bound', norm_bound, float) norm_bound = check_value_positive('norm_bound', norm_bound) norm_bound = Tensor(norm_bound, mstype.float32) self._norm_bound = Parameter(norm_bound, 'norm_bound') opt = kwargs['optimizer'] opt_name = opt.__class__.__name__ # Check whether noise_mech and DPOptimizer are both None or not None, if so, raise ValueError. # And check whether noise_mech or DPOtimizer's mech method is adaptive while clip_mech is not None, # if so, rasie ValuerError too. if noise_mech is not None and "DPOptimizer" in opt_name: msg = 'DPOptimizer is not supported while noise_mech is not None' LOGGER.error(TAG, msg) raise ValueError(msg) if noise_mech is None: if "DPOptimizer" in opt_name: if context.get_context('mode') != context.PYNATIVE_MODE: msg = 'DPOptimizer just support pynative mode currently.' LOGGER.error(TAG, msg) raise ValueError(msg) if 'Ada' in opt._mech.__class__.__name__ and clip_mech is not None: msg = "When DPOptimizer's mech method is adaptive, clip_mech must be None." LOGGER.error(TAG, msg) raise ValueError(msg) else: msg = 'DPModel should set noise_mech or DPOptimizer configure, ' \ 'please refer to example.' LOGGER.error(TAG, msg) raise ValueError(msg) self._noise_mech = noise_mech if noise_mech is not None: if 'Ada' in noise_mech.__class__.__name__ and clip_mech is not None: msg = 'When noise_mech is Adaptive, clip_mech must be None.' LOGGER.error(TAG, msg) raise ValueError(msg) if clip_mech is None or isinstance(clip_mech, Cell): self._clip_mech = clip_mech super(DPModel, self).__init__(**kwargs)
def __init__(self, network, num_classes, model_type='classification', reserve_ratio=0.3, max_iters=50, overshoot=0.02, norm_level=2, bounds=None, sparse=True): super(DeepFool, self).__init__() self._network = check_model('network', network, Cell) self._max_iters = check_int_positive('max_iters', max_iters) self._overshoot = check_value_positive('overshoot', overshoot) self._norm_level = check_norm_level(norm_level) self._num_classes = check_int_positive('num_classes', num_classes) self._net_grad = GradWrap(self._network) self._bounds = bounds if self._bounds is not None: self._bounds = check_param_multi_types('bounds', bounds, [list, tuple]) for b in self._bounds: _ = check_param_multi_types('bound', b, [int, float]) self._sparse = check_param_type('sparse', sparse, bool) self._model_type = check_param_type('model_type', model_type, str) if self._model_type not in ('classification', 'detection'): msg = "Only 'classification' or 'detection' is supported now, but got {}.".format( self._model_type) LOGGER.error(TAG, msg) raise ValueError(msg) self._reserve_ratio = check_value_non_negative('reserve_ratio', reserve_ratio) if self._reserve_ratio > 1: msg = 'reserve_ratio should be less than 1.0, but got {}.'.format( self._reserve_ratio) LOGGER.error(TAG, msg) raise ValueError(TAG, msg)
def __init__(self, micro_batches=2, norm_clip=1.0, mech=None, **kwargs): if micro_batches: self._micro_batches = check_int_positive('micro_batches', micro_batches) else: self._micro_batches = None norm_clip = check_param_type('norm_clip', norm_clip, float) self._norm_clip = check_value_positive('norm_clip', norm_clip) if mech is not None and "DPOptimizer" in kwargs['optimizer'].__class__.__name__: raise ValueError('DPOptimizer is not supported while mech is not None') if mech is None: if "DPOptimizer" in kwargs['optimizer'].__class__.__name__: if context.get_context('mode') != context.PYNATIVE_MODE: raise ValueError('DPOptimizer just support pynative mode currently.') else: raise ValueError('DPModel should set mech or DPOptimizer configure, please refer to example.') self._mech = mech super(DPModel, self).__init__(**kwargs)
def __init__(self, network, eps=0.3, eps_iter=0.1, bounds=(0.0, 1.0), nb_iter=5, loss_fn=None): super(IterativeGradientMethod, self).__init__() self._network = check_model('network', network, Cell) self._eps = check_value_positive('eps', eps) self._eps_iter = check_value_positive('eps_iter', eps_iter) self._nb_iter = check_int_positive('nb_iter', nb_iter) self._bounds = None if bounds is not None: self._bounds = check_param_multi_types('bounds', bounds, [list, tuple]) for b in self._bounds: _ = check_param_multi_types('bound', b, [int, float]) if loss_fn is None: self._loss_grad = network else: self._loss_grad = GradWrapWithLoss(WithLossCell(self._network, loss_fn)) self._loss_grad.set_train()
def batch_generate(self, inputs, labels, batch_size=64): """ Generate adversarial examples in batch, based on input samples and their labels. Args: inputs (numpy.ndarray): Samples based on which adversarial examples are generated. labels (numpy.ndarray): Labels of samples, whose values determined by specific attacks. batch_size (int): The number of samples in one batch. Returns: numpy.ndarray, generated adversarial examples Examples: >>> inputs = Tensor([[0.2, 0.4, 0.5, 0.2], [0.7, 0.2, 0.4, 0.3]]) >>> labels = [3, 0] >>> advs = attack.batch_generate(inputs, labels, batch_size=2) """ arr_x, arr_y = check_pair_numpy_param('inputs', inputs, 'labels', labels) len_x = arr_x.shape[0] batch_size = check_int_positive('batch_size', batch_size) batchs = int(len_x / batch_size) rest = len_x - batchs * batch_size res = [] for i in range(batchs): x_batch = arr_x[i * batch_size:(i + 1) * batch_size] y_batch = arr_y[i * batch_size:(i + 1) * batch_size] adv_x = self.generate(x_batch, y_batch) # Black-attack methods will return 3 values, just get the second. res.append(adv_x[1] if isinstance(adv_x, tuple) else adv_x) if rest != 0: x_batch = arr_x[batchs * batch_size:] y_batch = arr_y[batchs * batch_size:] adv_x = self.generate(x_batch, y_batch) # Black-attack methods will return 3 values, just get the second. res.append(adv_x[1] if isinstance(adv_x, tuple) else adv_x) adv_x = np.concatenate(res, axis=0) return adv_x