def _check_first_dimension(x, tensor_name): message = "Tensor {} should have batch_size of 1.".format(tensor_name) if x.get_shape().as_list()[0] is None: check_batch = utils_tf.assert_equal(tf.shape(x)[0], 1, message=message) with tf.control_dependencies([check_batch]): x = tf.identity(x) elif x.get_shape().as_list()[0] != 1: raise ValueError(message)
def generate(self, x, y=None, y_target=None, eps=None, clip_min=None, clip_max=None, nb_iter=None, is_targeted=None, early_stop_loss_threshold=None, learning_rate=SPSA.DEFAULT_LEARNING_RATE, delta=0.1, spsa_samples=128, batch_size=None, spsa_iters=SPSA.DEFAULT_SPSA_ITERS, is_debug=False, epsilon=None, num_steps=None): """ Generate symbolic graph for adversarial examples. :param x: The model's symbolic inputs. Must be a batch of size 1. :param y: A Tensor or None. The index of the correct label. :param y_target: A Tensor or None. The index of the target label in a targeted attack. :param eps: The size of the maximum perturbation, measured in the L-infinity norm. :param clip_min: If specified, the minimum input value :param clip_max: If specified, the maximum input value :param nb_iter: The number of optimization steps. :param early_stop_loss_threshold: A float or None. If specified, the attack will end as soon as the loss is below `early_stop_loss_threshold`. :param learning_rate: Learning rate of ADAM optimizer. :param delta: Perturbation size used for SPSA approximation. :param spsa_samples: Number of inputs to evaluate at a single time. The true batch size (the number of evaluated inputs for each update) is `spsa_samples * spsa_iters` :param batch_size: Deprecated param that is an alias for spsa_samples :param spsa_iters: Number of model evaluations before performing an update, where each evaluation is on `spsa_samples` different inputs. :param is_debug: If True, print the adversarial loss after each update. :param epsilon: Deprecated alias for `eps` :param num_steps: Deprecated alias for `nb_iter`. :param is_targeted: Deprecated argument. Ignored. """ if epsilon is not None: if eps is not None: raise ValueError( "Should not specify both eps and its deprecated " "alias, epsilon") warnings.warn( "`epsilon` is deprecated. Switch to `eps`. `epsilon` may " "be removed on or after 2019-04-15.") eps = epsilon del epsilon if num_steps is not None: if nb_iter is not None: raise ValueError( "Should not specify both nb_iter and its deprecated " "alias, num_steps") warnings.warn("`num_steps` is deprecated. Switch to `nb_iter`. " "`num_steps` may be removed on or after 2019-04-15.") nb_iter = num_steps del num_steps assert nb_iter is not None if (y is not None) + (y_target is not None) != 1: raise ValueError( "Must specify exactly one of y (untargeted attack, " "cause the input not to be classified as this true " "label) and y_target (targeted attack, cause the " "input to be classified as this target label).") if is_targeted is not None: warnings.warn( "`is_targeted` is deprecated. Simply do not specify it." " It may become an error to specify it on or after " "2019-04-15.") assert is_targeted == y_target is not None is_targeted = y_target is not None if x.get_shape().as_list()[0] is None: check_batch = utils_tf.assert_equal(tf.shape(x)[0], 1) with tf.control_dependencies([check_batch]): x = tf.identity(x) elif x.get_shape().as_list()[0] != 1: raise ValueError( "For SPSA, input tensor x must have batch_size of 1.") if batch_size is not None: warnings.warn( 'The "batch_size" argument to SPSA is deprecated, and will ' 'be removed on 2019-03-17. ' 'Please use spsa_samples instead.') spsa_samples = batch_size optimizer = SPSAAdam(lr=learning_rate, delta=delta, num_samples=spsa_samples, num_iters=spsa_iters) def loss_fn(x, label): """ Margin logit loss, with correct sign for targeted vs untargeted loss. """ logits = self.model.get_logits(x) loss_multiplier = 1 if is_targeted else -1 return loss_multiplier * margin_logit_loss( logits, label, nb_classes=self.model.nb_classes or logits.get_shape()[-1]) y_attack = y_target if is_targeted else y adv_x = projected_optimization( loss_fn, x, y_attack, eps, num_steps=nb_iter, optimizer=optimizer, early_stop_loss_threshold=early_stop_loss_threshold, is_debug=is_debug, clip_min=clip_min, clip_max=clip_max) return adv_x