def project_onto_l1_ball(x: ep.Tensor, eps: ep.Tensor) -> ep.Tensor:
"""Computes Euclidean projection onto the L1 ball for a batch. [#Duchi08]_
Adapted from the pytorch version by Tony Duan:
https://gist.github.com/tonyduan/1329998205d88c566588e57e3e2c0c55
Args:
x: Batch of arbitrary-size tensors to project, possibly on GPU
eps: radius of l-1 ball to project onto
References:
..[#Duchi08] Efficient Projections onto the l1-Ball for Learning in High Dimensions
John Duchi, Shai Shalev-Shwartz, Yoram Singer, and Tushar Chandra.
International Conference on Machine Learning (ICML 2008)
"""
original_shape = x.shape
x = flatten(x)
mask = (ep.norms.l1(x, axis=1) <= eps).astype(x.dtype).expand_dims(1)
mu = ep.flip(ep.sort(ep.abs(x)), axis=-1).astype(x.dtype)
cumsum = ep.cumsum(mu, axis=-1)
arange = ep.arange(x, 1, x.shape[1] + 1).astype(x.dtype)
rho = (ep.max(
((mu * arange >
(cumsum - eps.expand_dims(1)))).astype(x.dtype) * arange,
axis=-1,
) - 1)
# samples already under norm will have to select
rho = ep.maximum(rho, 0)
theta = (cumsum[ep.arange(x, x.shape[0]),
rho.astype(ep.arange(x, 1).dtype)] - eps) / (rho + 1.0)
proj = (ep.abs(x) - theta.expand_dims(1)).clip(min_=0, max_=ep.inf)
x = mask * x + (1 - mask) * proj * ep.sign(x)
return x.reshape(original_shape)
def project_onto_l1_ball(x: ep.Tensor, eps: ep.Tensor):
"""
Compute Euclidean projection onto the L1 ball for a batch.
min ||x - u||_2 s.t. ||u||_1 <= eps
Inspired by the corresponding numpy version by Adrien Gaidon.
Adapted from the pytorch version by Tony Duan: https://gist.github.com/tonyduan/1329998205d88c566588e57e3e2c0c55
Parameters
----------
x: (batch_size, *) torch array
batch of arbitrary-size tensors to project, possibly on GPU
eps: float
radius of l-1 ball to project onto
Returns
-------
u: (batch_size, *) torch array
batch of projected tensors, reshaped to match the original
Notes
-----
The complexity of this algorithm is in O(dlogd) as it involves sorting x.
References
----------
[1] Efficient Projections onto the l1-Ball for Learning in High Dimensions
John Duchi, Shai Shalev-Shwartz, Yoram Singer, and Tushar Chandra.
International Conference on Machine Learning (ICML 2008)
"""
original_shape = x.shape
x = flatten(x)
mask = (ep.norms.l1(x, axis=1) < eps).astype(x.dtype).expand_dims(1)
mu = ep.flip(ep.sort(ep.abs(x)), axis=-1)
cumsum = ep.cumsum(mu, axis=-1)
arange = ep.arange(x, 1, x.shape[1] + 1)
rho = ep.max(
(mu * arange > (cumsum - eps.expand_dims(1))) * arange, axis=-1) - 1
theta = (cumsum[ep.arange(x, x.shape[0]), rho] - eps) / (rho + 1.0)
proj = (ep.abs(x) - theta.expand_dims(1)).clip(min_=0, max_=ep.inf)
x = mask * x + (1 - mask) * proj * ep.sign(x)
return x.reshape(original_shape)
def approximate_gradients(
self,
is_adversarial: Callable[[ep.Tensor], ep.Tensor],
x_advs: ep.Tensor,
steps: int,
delta: ep.Tensor,
) -> ep.Tensor:
# (steps, bs, ...)
noise_shape = tuple([steps] + list(x_advs.shape))
if self.constraint == "l2":
rv = ep.normal(x_advs, noise_shape)
elif self.constraint == "linf":
rv = ep.uniform(x_advs, low=-1, high=1, shape=noise_shape)
rv /= atleast_kd(ep.norms.l2(flatten(rv, keep=1), -1), rv.ndim) + 1e-12
scaled_rv = atleast_kd(ep.expand_dims(delta, 0), rv.ndim) * rv
perturbed = ep.expand_dims(x_advs, 0) + scaled_rv
perturbed = ep.clip(perturbed, 0, 1)
rv = (perturbed - x_advs) / atleast_kd(ep.expand_dims(delta + 1e-8, 0),
rv.ndim)
multipliers_list: List[ep.Tensor] = []
for step in range(steps):
decision = is_adversarial(perturbed[step])
multipliers_list.append(
ep.where(
decision,
ep.ones(
x_advs,
(len(x_advs, )),
),
-ep.ones(
x_advs,
(len(decision, )),
),
))
# (steps, bs, ...)
multipliers = ep.stack(multipliers_list, 0)
vals = ep.where(
ep.abs(ep.mean(multipliers, axis=0, keepdims=True)) == 1,
multipliers,
multipliers - ep.mean(multipliers, axis=0, keepdims=True),
)
grad = ep.mean(atleast_kd(vals, rv.ndim) * rv, axis=0)
grad /= ep.norms.l2(atleast_kd(flatten(grad), grad.ndim)) + 1e-12
return grad
def test_abs(t: Tensor) -> Tensor:
return ep.abs(t)
def run(
self,
model: Model,
inputs: T,
criterion: Union[Criterion, T],
perlin_param,
mask_param,
*,
early_stop: Optional[float] = None,
starting_points: Optional[T] = None,
**kwargs: Any,
) -> T:
raise_if_kwargs(kwargs)
originals, restore_type = ep.astensor_(inputs)
initial_pict = ep.astensor(inputs)
#print('inputs', inputs.shape)
del inputs, kwargs
criterion = get_criterion(criterion)
perlin_param = perlin_param
is_adversarial = get_is_adversarial(criterion, model)
if starting_points is None:
init_attack: MinimizationAttack
if self.init_attack is None:
init_attack = LinearSearchBlendedUniformNoiseAttack(steps=50)
logging.info(
f"Neither starting_points nor init_attack given. Falling"
f" back to {init_attack!r} for initialization.")
else:
init_attack = self.init_attack
# TODO: use call and support all types of attacks (once early_stop is
# possible in __call__)
best_advs = init_attack.run(model,
originals,
criterion,
early_stop=early_stop)
else:
best_advs = ep.astensor(starting_points)
is_adv = is_adversarial(best_advs)
if not is_adv.all():
failed = is_adv.logical_not().float32().sum()
if starting_points is None:
raise ValueError(
f"init_attack failed for {failed} of {len(is_adv)} inputs")
else:
raise ValueError(
f"{failed} of {len(is_adv)} starting_points are not adversarial"
)
del starting_points
tb = TensorBoard(logdir=self.tensorboard)
N = len(originals)
ndim = originals.ndim
spherical_steps = ep.ones(originals, N) * self.spherical_step
source_steps = ep.ones(originals, N) * self.source_step
tb.scalar("batchsize", N, 0)
# create two queues for each sample to track success rates
# (used to update the hyper parameters)
stats_spherical_adversarial = ArrayQueue(maxlen=100, N=N)
stats_step_adversarial = ArrayQueue(maxlen=30, N=N)
bounds = model.bounds
for step in range(1, self.steps + 1):
converged = source_steps < self.source_step_convergance
if converged.all():
break # pragma: no cover
converged = atleast_kd(converged, ndim)
# TODO: performance: ignore those that have converged
# (we could select the non-converged ones, but we currently
# cannot easily invert this in the end using EagerPy)
unnormalized_source_directions = originals - best_advs
source_norms = ep.norms.l2(flatten(unnormalized_source_directions),
axis=-1)
source_directions = unnormalized_source_directions / atleast_kd(
source_norms, ndim)
# only check spherical candidates every k steps
check_spherical_and_update_stats = step % self.update_stats_every_k == 0
#-------------START----------------
# MASK
new_mask = ep.abs(originals - best_advs)
new_mask /= ep.max(new_mask)
new_mask = new_mask**mask_param
mask = new_mask
# Perlin Noise
#print('originals shape', originals.numpy().shape)
perlin_noise = ep.astensor(
torch.tensor([
get_perlin(originals.numpy()[0].transpose((1, 2, 0)),
perlin_param)
]).to('cuda'))
#-----------END-----------------
candidates, spherical_candidates = draw_proposals(
bounds,
originals,
best_advs,
unnormalized_source_directions,
source_directions,
source_norms,
spherical_steps,
source_steps,
mask,
perlin_noise,
)
candidates.dtype == originals.dtype
spherical_candidates.dtype == spherical_candidates.dtype
is_adv = is_adversarial(candidates)
spherical_is_adv: Optional[ep.Tensor]
if check_spherical_and_update_stats:
spherical_is_adv = is_adversarial(spherical_candidates)
stats_spherical_adversarial.append(spherical_is_adv)
# TODO: algorithm: the original implementation ignores those samples
# for which spherical is not adversarial and continues with the
# next iteration -> we estimate different probabilities (conditional vs. unconditional)
# TODO: thoughts: should we always track this because we compute it anyway
stats_step_adversarial.append(is_adv)
else:
spherical_is_adv = None
# in theory, we are closer per construction
# but limited numerical precision might break this
distances = ep.norms.l2(flatten(originals - candidates), axis=-1)
closer = distances < source_norms
is_best_adv = ep.logical_and(is_adv, closer)
is_best_adv = atleast_kd(is_best_adv, ndim)
cond = converged.logical_not().logical_and(is_best_adv)
best_advs = ep.where(cond, candidates, best_advs)
self.distances_iter[step - 1] = ep.norms.l2(
flatten(initial_pict - best_advs)).numpy() / (3 * 32 * 32)
tb.probability("converged", converged, step)
tb.scalar("updated_stats", check_spherical_and_update_stats, step)
tb.histogram("norms", source_norms, step)
tb.probability("is_adv", is_adv, step)
if spherical_is_adv is not None:
tb.probability("spherical_is_adv", spherical_is_adv, step)
tb.histogram("candidates/distances", distances, step)
tb.probability("candidates/closer", closer, step)
tb.probability("candidates/is_best_adv", is_best_adv, step)
tb.probability("new_best_adv_including_converged", is_best_adv,
step)
tb.probability("new_best_adv", cond, step)
if check_spherical_and_update_stats:
full = stats_spherical_adversarial.isfull()
tb.probability("spherical_stats/full", full, step)
if full.any():
probs = stats_spherical_adversarial.mean()
cond1 = ep.logical_and(probs > 0.5, full)
spherical_steps = ep.where(
cond1, spherical_steps * self.step_adaptation,
spherical_steps)
source_steps = ep.where(
cond1, source_steps * self.step_adaptation,
source_steps)
cond2 = ep.logical_and(probs < 0.2, full)
spherical_steps = ep.where(
cond2, spherical_steps / self.step_adaptation,
spherical_steps)
source_steps = ep.where(
cond2, source_steps / self.step_adaptation,
source_steps)
stats_spherical_adversarial.clear(
ep.logical_or(cond1, cond2))
tb.conditional_mean(
"spherical_stats/isfull/success_rate/mean", probs,
full, step)
tb.probability_ratio("spherical_stats/isfull/too_linear",
cond1, full, step)
tb.probability_ratio(
"spherical_stats/isfull/too_nonlinear", cond2, full,
step)
full = stats_step_adversarial.isfull()
tb.probability("step_stats/full", full, step)
if full.any():
probs = stats_step_adversarial.mean()
# TODO: algorithm: changed the two values because we are currently tracking p(source_step_sucess)
# instead of p(source_step_success | spherical_step_sucess) that was tracked before
cond1 = ep.logical_and(probs > 0.25, full)
source_steps = ep.where(
cond1, source_steps * self.step_adaptation,
source_steps)
cond2 = ep.logical_and(probs < 0.1, full)
source_steps = ep.where(
cond2, source_steps / self.step_adaptation,
source_steps)
stats_step_adversarial.clear(ep.logical_or(cond1, cond2))
tb.conditional_mean("step_stats/isfull/success_rate/mean",
probs, full, step)
tb.probability_ratio(
"step_stats/isfull/success_rate_too_high", cond1, full,
step)
tb.probability_ratio(
"step_stats/isfull/success_rate_too_low", cond2, full,
step)
tb.histogram("spherical_step", spherical_steps, step)
tb.histogram("source_step", source_steps, step)
tb.close()
#print(ep.norms.l2(flatten(originals - best_advs), axis=-1).numpy())
return restore_type(best_advs)
def run(
self,
model: Model,
inputs: T,
criterion: Union[Criterion, Any] = None,
*,
starting_points: Optional[ep.Tensor] = None,
early_stop: Optional[float] = None,
**kwargs: Any,
) -> T:
raise_if_kwargs(kwargs)
del kwargs
x, restore_type = ep.astensor_(inputs)
del inputs
verify_input_bounds(x, model)
criterion_ = get_criterion(criterion)
del criterion
is_adversarial = get_is_adversarial(criterion_, model)
if starting_points is None:
init_attack: MinimizationAttack
if self.init_attack is None:
init_attack = SaltAndPepperNoiseAttack()
logging.info(
f"Neither starting_points nor init_attack given. Falling"
f" back to {init_attack!r} for initialization."
)
else:
init_attack = self.init_attack
# TODO: use call and support all types of attacks (once early_stop is
# possible in __call__)
starting_points = init_attack.run(model, x, criterion_)
x_adv = ep.astensor(starting_points)
assert is_adversarial(x_adv).all()
original_shape = x.shape
N = len(x)
x_flat = flatten(x)
x_adv_flat = flatten(x_adv)
# was there a pixel left in the samples to manipulate,
# i.e. reset to the clean version?
found_index_to_manipulate = ep.from_numpy(x, np.ones(N, dtype=bool))
while ep.any(found_index_to_manipulate):
diff_mask = (ep.abs(x_flat - x_adv_flat) > 1e-8).numpy()
diff_idxs = [z.nonzero()[0] for z in diff_mask]
untouched_indices = [z.tolist() for z in diff_idxs]
untouched_indices = [
np.random.permutation(it).tolist() for it in untouched_indices
]
found_index_to_manipulate = ep.from_numpy(x, np.zeros(N, dtype=bool))
# since the number of pixels still left to manipulate might differ
# across different samples we track each of them separately and
# and manipulate the images until there is no pixel left for
# any of the samples. to not update already finished samples, we mask
# the updates such that only samples that still have pixels left to manipulate
# will be updated
i = 0
while i < max([len(it) for it in untouched_indices]):
# mask all samples that still have pixels to manipulate left
relevant_mask = [len(it) > i for it in untouched_indices]
relevant_mask = np.array(relevant_mask, dtype=bool)
relevant_mask_index = np.flatnonzero(relevant_mask)
# for each image get the index of the next pixel we try out
relevant_indices = [it[i] for it in untouched_indices if len(it) > i]
old_values = x_adv_flat[relevant_mask_index, relevant_indices]
new_values = x_flat[relevant_mask_index, relevant_indices]
x_adv_flat = ep.index_update(
x_adv_flat, (relevant_mask_index, relevant_indices), new_values
)
# check if still adversarial
is_adv = is_adversarial(x_adv_flat.reshape(original_shape))
found_index_to_manipulate = ep.index_update(
found_index_to_manipulate,
relevant_mask_index,
ep.logical_or(found_index_to_manipulate, is_adv)[relevant_mask],
)
# if not, undo change
new_or_old_values = ep.where(
is_adv[relevant_mask], new_values, old_values
)
x_adv_flat = ep.index_update(
x_adv_flat,
(relevant_mask_index, relevant_indices),
new_or_old_values,
)
i += 1
if not ep.any(found_index_to_manipulate):
break
if self.l2_binary_search:
while True:
diff_mask = (ep.abs(x_flat - x_adv_flat) > 1e-12).numpy()
diff_idxs = [z.nonzero()[0] for z in diff_mask]
untouched_indices = [z.tolist() for z in diff_idxs]
# draw random shuffling of all indices for all samples
untouched_indices = [
np.random.permutation(it).tolist() for it in untouched_indices
]
# whether that run through all values made any improvement
improved = ep.from_numpy(x, np.zeros(N, dtype=bool)).astype(bool)
logging.info("Starting new loop through all values")
# use the same logic as above
i = 0
while i < max([len(it) for it in untouched_indices]):
# mask all samples that still have pixels to manipulate left
relevant_mask = [len(it) > i for it in untouched_indices]
relevant_mask = np.array(relevant_mask, dtype=bool)
relevant_mask_index = np.flatnonzero(relevant_mask)
# for each image get the index of the next pixel we try out
relevant_indices = [
it[i] for it in untouched_indices if len(it) > i
]
old_values = x_adv_flat[relevant_mask_index, relevant_indices]
new_values = x_flat[relevant_mask_index, relevant_indices]
x_adv_flat = ep.index_update(
x_adv_flat, (relevant_mask_index, relevant_indices), new_values
)
# check if still adversarial
is_adv = is_adversarial(x_adv_flat.reshape(original_shape))
improved = ep.index_update(
improved,
relevant_mask_index,
ep.logical_or(improved, is_adv)[relevant_mask],
)
if not ep.all(is_adv):
# run binary search for examples that became non-adversarial
updated_new_values = self._binary_search(
x_adv_flat,
relevant_mask,
relevant_mask_index,
relevant_indices,
old_values,
new_values,
(-1, *original_shape[1:]),
is_adversarial,
)
x_adv_flat = ep.index_update(
x_adv_flat,
(relevant_mask_index, relevant_indices),
ep.where(
is_adv[relevant_mask], new_values, updated_new_values
),
)
improved = ep.index_update(
improved,
relevant_mask_index,
ep.logical_or(
old_values != updated_new_values,
improved[relevant_mask],
),
)
i += 1
if not ep.any(improved):
# no improvement for any of the indices
break
x_adv = x_adv_flat.reshape(original_shape)
return restore_type(x_adv)