attacker = BP(steps=100, device=DEVICE) #attacker = DDN(steps=1000, device=DEVICE) ori_image = [] ori_label = [] adv_image = [] adv_preds = [] requires_grad_(model, False) model.eval() for i, (images, labels) in enumerate(tqdm.tqdm(test_loader, ncols=80)): t_images, t_labels = images.to(DEVICE), labels.to(DEVICE) cadv,adv = attacker.attack(model, t_images, t_labels) adv_pred = model(adv).argmax(1) ori_image.append(images) ori_label.append(labels) adv_image.append(adv.cpu()) adv_preds.append(adv_pred.cpu()) ori_image = torch.cat(ori_image, 0).numpy() ori_label = torch.cat(ori_label, 0).numpy() adv_image = torch.cat(adv_image, 0).numpy() adv_preds = torch.cat(adv_preds, 0).numpy() # Compute metrics with numpy as PyTorch had some problems with sums on large tensors success_rate = np.mean(adv_preds != ori_label) norms = np.linalg.norm((adv_image - ori_image).reshape(ori_image.shape[0], -1), axis=1)
mean = [0.485, 0.456, 0.406] std = [0.229, 0.224, 0.225] preprocess_layer = Preprocessing_Layer(mean, std) model = nn.Sequential(preprocess_layer, inception) model.cuda() model.eval() top1 = AverageMeter('Acc@1', ':6.2f') adv1 = AverageMeter('Adv@1', ':6.2f') Norml2 = AverageMeter('Pnorml2@1', ':6.2f') progress = ProgressMeter(len(val_loader), [top1, adv1, Norml2], prefix='Test: ') begin = time.time() for i, (images, target) in enumerate(val_loader): images = images.cuda() target = target.cuda() currnt_adv, adv = attacker.attack(model, images, target) norm = np.sum((images.data.cpu().detach().numpy() - adv.data.cpu().detach().numpy())**2, axis=(1, 2, 3))**.5 Norml2.update(np.mean(norm), images.size(0)) torch.cuda.empty_cache() output = model(images) output_adv = model(adv) acc1, acc5 = accuracy(output, target, topk=(1, 5)) acc11, acc55 = accuracy(output_adv, target, topk=(1, 5)) top1.update(acc1.cpu().detach().numpy()[0], images.size(0)) adv1.update(acc11.cpu().detach().numpy()[0], images.size(0)) del acc11, acc1, output, output_adv, acc5, acc55 torch.cuda.empty_cache() progress.display(i) print(time.time() - begin)
attacker = BP(steps=100, device=DEVICE) #attacker = DDN(steps=100, device=DEVICE) requires_grad_(model, True) model.eval() ori_image = np.zeros((10000, 3, 32, 32)) ori_label = np.zeros((10000, 1)) adv_image = np.zeros((10000, 3, 32, 32)) adv_label = np.zeros((10000, 1)) #requires_grad_(model, False) for i, (images, labels) in enumerate(tqdm.tqdm(test_loader, ncols=80)): images, labels = images.to(DEVICE), labels.to(DEVICE) #best_x = attacker.attack(model, images, labels) adv, best_x = attacker.attack(model, images, labels) adv_pred = model(best_x).argmax(1) i_sta = i * 50 i_end = (i + 1) * 50 ori_label[i_sta:i_end] = labels.cpu().detach().numpy().reshape((50, 1)) ori_image[i_sta:i_end] = images.cpu().detach().numpy() adv_image[i_sta:i_end] = best_x.cpu().detach().numpy() adv_label[i_sta:i_end] = adv_pred.cpu().detach().numpy().reshape((50, 1)) # Compute success_rate = np.mean(adv_label != ori_label) norms = np.linalg.norm((adv_image - ori_image).reshape(ori_image.shape[0], -1), axis=1) mean_l2 = np.mean(norms) median_l2 = np.median(norms)