def generate_universal_perturbation_examples(sess, model, x, y, X, Y, attack_params, verbose, attack_log_fpath):
"""
Untargeted attack. Y is not needed.
"""
# TODO: insert a uint8 filter to f.
f, grad_fs = prepare_attack(sess, model, x, y, X, Y)
params = {'delta': 0.2,
'max_iter_uni': np.inf,
'xi': 10,
'p': np.inf,
'num_classes': 10,
'overshoot': 0.02,
'max_iter_df': 10,
}
params = override_params(params, attack_params)
if not verbose:
disablePrint(attack_log_fpath)
# X is randomly shuffled in unipert.
X_copy = X.copy()
v = universal_perturbation(X_copy, f, grad_fs, **params)
del X_copy
if not verbose:
enablePrint()
return X + v
def generate_carlini_l2_examples(sess, model, x, y, X, Y, attack_params,
verbose, attack_log_fpath):
model_wrapper = wrap_to_tohinz_model(model, X, Y)
accepted_params = [
'batch_size', 'confidence', 'targeted', 'learning_rate',
'binary_search_steps', 'max_iterations', 'abort_early', 'initial_const'
]
for k in attack_params:
if k not in accepted_params:
raise NotImplementedError("Unsuporrted params in Carlini L2: %s" %
k)
# assert batch_size <= len(X)
if 'batch_size' in attack_params and attack_params['batch_size'] > len(X):
attack_params['batch_size'] = len(X)
if 'binary_search_steps' in attack_params:
attack_params['binary_search_steps'] = int(
attack_params['binary_search_steps'])
attack = CarliniL2(sess, model_wrapper, **attack_params)
if not verbose:
disablePrint(attack_log_fpath)
# The input range is [0, 1], convert to [-0.5, 0.5] by subtracting 0.5.
# The return range is [-0.5, 0.5]. Convert back to [0,1] by adding 0.5.
X_adv = attack.attack(X - 0.5, Y) + 0.5
if not verbose:
enablePrint()
return X_adv
def generate_carlini_li_examples(sess, model, x, y, X, Y, attack_params, verbose, attack_log_fpath):
model_wrapper = wrap_to_carlini_model(model, X, Y)
if 'batch_size' in attack_params:
batch_size = attack_params['batch_size']
del attack_params['batch_size']
else:
batch_size= 10
accepted_params = ['targeted', 'learning_rate', 'max_iterations', 'abort_early', 'initial_const', 'largest_const', 'reduce_const', 'decrease_factor', 'const_factor', 'confidence']
for k in attack_params:
if k not in accepted_params:
raise NotImplementedError("Unsuporrted params in Carlini Li: %s" % k)
attack = CarliniLi(sess, model_wrapper, **attack_params)
X_adv_list = []
with click.progressbar(list(range(0, len(X))), file=sys.stderr, show_pos=True,
width=40, bar_template=' [%(bar)s] Carlini Li Attacking %(info)s',
fill_char='>', empty_char='-') as bar:
for i in bar:
if i % batch_size == 0:
X_sub = X[i:min(i+batch_size, len(X)),:]
Y_sub = Y[i:min(i+batch_size, len(X)),:]
if not verbose:
disablePrint(attack_log_fpath)
X_adv_sub = attack.attack(X_sub - 0.5, Y_sub) + 0.5
if not verbose:
enablePrint()
X_adv_list.append(X_adv_sub)
X_adv = np.vstack(X_adv_list)
return X_adv
def generate_deepfool_examples(sess, model, x, y, X, Y, attack_params, verbose,
attack_log_fpath):
"""
Untargeted attack. Y is not needed.
"""
# TODO: insert a uint8 filter to f.
f, grad_fs = prepare_attack(sess, model, x, y, X, Y)
params = {'num_classes': 10, 'overshoot': 0.02, 'max_iter': 50}
params = override_params(params, attack_params)
adv_x_list = []
aux_info = {}
aux_info['r_tot'] = []
aux_info['loop_i'] = []
aux_info['k_i'] = []
with click.progressbar(
list(range(0, len(X))),
file=sys.stderr,
show_pos=True,
width=40,
bar_template=' [%(bar)s] DeepFool Attacking %(info)s',
fill_char='>',
empty_char='-') as bar:
# Loop over the samples we want to perturb into adversarial examples
for i in bar:
image = X[i:i + 1, :, :, :]
if not verbose:
disablePrint(attack_log_fpath)
r_tot, loop_i, k_i, pert_image = deepfool(image, f, grad_fs,
**params)
if not verbose:
enablePrint()
adv_x_list.append(pert_image)
aux_info['r_tot'].append(r_tot)
aux_info['loop_i'].append(loop_i)
aux_info['k_i'].append(k_i)
return np.vstack(adv_x_list), aux_info