def main_train_worker(args):
if args.gpu is not None:
print("Use GPU: {} for training".format(args.gpu))
print("=> creating model '{}'".format(args.arch))
network = MetaLearnerModelBuilder.construct_cifar_model(args.arch, args.dataset)
model_path = '{}/train_pytorch_model/real_image_model/{}@{}@epoch_{}@lr_{}@batch_{}.pth.tar'.format(
PY_ROOT, args.dataset, args.arch, args.epochs, args.lr, args.batch_size)
os.makedirs(os.path.dirname(model_path), exist_ok=True)
print("after train, model will be saved to {}".format(model_path))
network.cuda()
image_classifier_loss = nn.CrossEntropyLoss().cuda()
optimizer = RAdam(network.parameters(), args.lr, weight_decay=args.weight_decay)
cudnn.benchmark = True
train_loader = DataLoaderMaker.get_img_label_data_loader(args.dataset, args.batch_size, True)
val_loader = DataLoaderMaker.get_img_label_data_loader(args.dataset, args.batch_size, False)
for epoch in range(0, args.epochs):
# adjust_learning_rate(optimizer, epoch, args)
# train_simulate_grad_mode for one epoch
train(train_loader, network, image_classifier_loss, optimizer, epoch, args)
# evaluate_accuracy on validation set
validate(val_loader, network, image_classifier_loss, args)
# remember best acc@1 and save checkpoint
save_checkpoint({
'epoch': epoch + 1,
'arch': args.arch,
'state_dict': network.state_dict(),
'optimizer': optimizer.state_dict(),
}, filename=model_path)
def __init__(self, args, directions_generator):
self.rank_transform = not args.no_rank_transform
self.random_mask = args.random_mask
self.image_split = args.image_split
self.sub_num_sample = args.sub_num_sample
self.sigma = args.sigma
self.starting_eps = args.starting_eps
self.eps = args.epsilon
self.sample_per_draw = args.sample_per_draw
self.directions_generator = directions_generator
self.max_iter = args.max_queries
self.delta_eps = args.delta_eps
self.max_lr = args.max_lr
self.min_lr = args.min_lr
self.targeted = args.targeted
self.norm = args.norm
self.dataset_loader = DataLoaderMaker.get_test_attacked_data(
args.dataset, 1)
self.total_images = len(self.dataset_loader.dataset)
self.query_all = torch.zeros(self.total_images)
self.correct_all = torch.zeros_like(self.query_all) # number of images
self.not_done_all = torch.zeros_like(
self.query_all
) # always set to 0 if the original image is misclassified
self.success_all = torch.zeros_like(self.query_all)
self.success_query_all = torch.zeros_like(self.query_all)
self.not_done_prob_all = torch.zeros_like(self.query_all)
self.dataset_name = args.dataset
def __init__(self, dataset_name, model, surrogate_model, meta_model,
targeted, target_type, meta_predict_steps, finetune_times,
finetune_lr):
self.dataset_name = dataset_name
self.data_loader = DataLoaderMaker.get_test_attacked_data(
args.dataset, 1)
self.image_height = IMAGE_SIZE[self.dataset_name][0]
self.image_width = IMAGE_SIZE[self.dataset_name][1]
self.in_channels = IN_CHANNELS[self.dataset_name]
self.model = model
self.surrogate_model = surrogate_model
self.model.cuda().eval()
self.surrogate_model.cuda().eval()
self.targeted = targeted # only support untargeted attack now
self.target_type = target_type
self.clip_min = 0.0
self.clip_max = 1.0
self.meta_predict_steps = meta_predict_steps
self.finetune_times = finetune_times
self.meta_model_for_q1 = meta_model
self.meta_model_for_q2 = copy.deepcopy(meta_model)
self.finetune_lr = finetune_lr
self.pretrained_meta_weights = self.meta_model_for_q1.state_dict(
).copy()
self.meta_optimizer_q1 = Adam(self.meta_model_for_q1.parameters(),
lr=self.finetune_lr)
self.meta_optimizer_q2 = Adam(self.meta_model_for_q2.parameters(),
lr=self.finetune_lr)
self.mse_loss = nn.MSELoss(reduction="mean")
def __init__(self, dataset, batch_size, targeted, target_type, epsilon, norm, lower_bound=0.0, upper_bound=1.0,
max_queries=10000):
"""
:param epsilon: perturbation limit according to lp-ball
:param norm: norm for the lp-ball constraint
:param lower_bound: minimum value data point can take in any coordinate
:param upper_bound: maximum value data point can take in any coordinate
:param max_queries: max number of calls to model per data point
:param max_crit_queries: max number of calls to early stopping criterion per data poinr
"""
assert norm in ['linf', 'l2'], "{} is not supported".format(norm)
self.epsilon = epsilon
self.norm = norm
self.max_queries = max_queries
self.lower_bound = lower_bound
self.upper_bound = upper_bound
self._proj = None
self.is_new_batch = False
# self.early_stop_crit_fct = lambda model, x, y: 1 - model(x).max(1)[1].eq(y)
self.targeted = targeted
self.target_type = target_type
self.dataset_loader = DataLoaderMaker.get_test_attacked_data(dataset, batch_size)
self.total_images = len(self.dataset_loader.dataset)
self.query_all = torch.zeros(self.total_images)
self.correct_all = torch.zeros_like(self.query_all) # number of images
self.not_done_all = torch.zeros_like(self.query_all) # always set to 0 if the original image is misclassified
self.success_all = torch.zeros_like(self.query_all)
self.success_query_all = torch.zeros_like(self.query_all)
self.not_done_prob_all = torch.zeros_like(self.query_all)
self.lowest_change_ratio = 0.05 # the percentage of pixels that changes
def __init__(self,
dataset,
batch_size,
targeted,
target_type,
epsilon,
norm,
lower_bound=0.0,
upper_bound=1.0,
max_queries=10000):
assert norm in ['linf', 'l2'], "{} is not supported".format(norm)
self.epsilon = epsilon
self.norm = norm
self.max_queries = max_queries
self.lower_bound = lower_bound
self.upper_bound = upper_bound
self.targeted = targeted
self.target_type = target_type
self.dataset_loader = DataLoaderMaker.get_test_attacked_data(
dataset, batch_size)
self.total_images = len(self.dataset_loader.dataset)
self.query_all = torch.zeros(self.total_images)
self.correct_all = torch.zeros_like(self.query_all) # number of images
self.not_done_all = torch.zeros_like(
self.query_all
) # always set to 0 if the original image is misclassified
self.success_all = torch.zeros_like(self.query_all)
self.success_query_all = torch.zeros_like(self.query_all)
self.not_done_prob_all = torch.zeros_like(self.query_all)
def __init__(self, args, dataset, targeted, target_type, epsilon, norm, lower_bound=0.0, upper_bound=1.0,
max_queries=10000):
"""
:param epsilon: perturbation limit according to lp-ball
:param norm: norm for the lp-ball constraint
:param lower_bound: minimum value data point can take in any coordinate
:param upper_bound: maximum value data point can take in any coordinate
:param max_queries: max number of calls to model per data point
:param max_crit_queries: max number of calls to early stopping criterion per data poinr
"""
assert norm in ['linf', 'l2'], "{} is not supported".format(norm)
self.epsilon = epsilon
self.norm = norm
self.max_queries = max_queries
self.lower_bound = lower_bound
self.upper_bound = upper_bound
# self.early_stop_crit_fct = lambda model, x, y: 1 - model(x).max(1)[1].eq(y)
self.targeted = targeted
self.target_type = target_type
self.data_loader = DataLoaderMaker.get_test_attacked_data(dataset, args.batch_size)
self.total_images = len(self.data_loader.dataset)
self.att_iter = args.max_queries
self.correct_all = torch.zeros(self.total_images) # number of images
self.not_done_all = torch.zeros(self.total_images) # always set to 0 if the original image is misclassified
self.success_all = torch.zeros(self.total_images)
self.not_done_prob_all = torch.zeros(self.total_images)
self.stop_iter_all = torch.zeros(self.total_images)
self.ord = args.norm # linf, l1, l2
self.clip_min = args.clip_min
self.clip_max = args.clip_max
self.lr = args.lr
self.beta1 = args.beta1
self.loss_fn = nn.CrossEntropyLoss().cuda()
def __init__(self, dataset, batch_size, targeted, target_type, epsilon, norm, lower_bound=0.0, upper_bound=1.0,
max_queries=10000, surrogate_model_names=None):
assert norm in ['linf', 'l2'], "{} is not supported".format(norm)
self.epsilon = epsilon
self.norm = norm
self.max_queries = max_queries
self.lower_bound = lower_bound
self.upper_bound = upper_bound
self.targeted = targeted
self.target_type = target_type
self.dataset_loader = DataLoaderMaker.get_test_attacked_data(dataset, batch_size)
self.total_images = len(self.dataset_loader.dataset)
self.query_all = torch.zeros(self.total_images)
self.correct_all = torch.zeros_like(self.query_all) # number of images
self.not_done_all = torch.zeros_like(self.query_all) # always set to 0 if the original image is misclassified
self.success_all = torch.zeros_like(self.query_all)
self.success_query_all = torch.zeros_like(self.query_all)
self.not_done_prob_all = torch.zeros_like(self.query_all)
# self.cos_similarity_all = torch.zeros(self.total_images, max_queries) # N, T
self.increase_loss_from_last_iter_with_1st_model_grad_record_all = OrderedDict()
self.increase_loss_from_last_iter_with_2nd_model_grad_record_all = OrderedDict()
self.increase_loss_from_last_iter_after_switch_record_all = OrderedDict()
self.surrogate_model_record_all = OrderedDict()
self.loss_x_pos_temp_record_all = OrderedDict()
self.loss_x_neg_temp_record_all = OrderedDict()
self.loss_after_switch_grad_record_all = OrderedDict()
self.surrogate_model_names = surrogate_model_names
def __init__(self,
dataset,
targeted,
target_type,
epsilon,
norm,
batch_size,
lower_bound=0.0,
upper_bound=1.0,
max_queries=10000,
max_crit_queries=np.inf):
"""
:param epsilon: perturbation limit according to lp-ball
:param norm: norm for the lp-ball constraint
:param lower_bound: minimum value data point can take in any coordinate
:param upper_bound: maximum value data point can take in any coordinate
:param max_queries: max number of calls to model per data point
:param max_crit_queries: max number of calls to early stopping criterion per data poinr
"""
assert norm in ['linf', 'l2'], "{} is not supported".format(norm)
assert not (np.isinf(max_queries) and np.isinf(max_crit_queries)
), "one of the budgets has to be finite!"
self.epsilon = epsilon
self.norm = norm
self.max_queries = max_queries
self.max_crit_queries = max_crit_queries
self.best_est_deriv = None
self.xo_t = None
self.sgn_t = None
self.h = np.zeros(batch_size).astype(np.int32)
self.i = np.zeros(batch_size).astype(np.int32)
self.exhausted = [False for _ in range(batch_size)]
self.lower_bound = lower_bound
self.upper_bound = upper_bound
self._proj = None
self.is_new_batch = False
# self.early_stop_crit_fct = lambda model, x, y: 1 - model(x).max(1)[1].eq(y)
self.targeted = targeted
self.target_type = target_type
self.data_loader = DataLoaderMaker.get_test_attacked_data(
dataset, args.batch_size)
self.total_images = len(self.data_loader.dataset)
self.image_height = IMAGE_SIZE[dataset][0]
self.image_width = IMAGE_SIZE[dataset][1]
self.in_channels = IN_CHANNELS[dataset]
self.query_all = torch.zeros(self.total_images)
self.correct_all = torch.zeros_like(self.query_all) # number of images
self.not_done_all = torch.zeros_like(
self.query_all
) # always set to 0 if the original image is misclassified
self.success_all = torch.zeros_like(self.query_all)
self.success_query_all = torch.zeros_like(self.query_all)
self.not_done_prob_all = torch.zeros_like(self.query_all)
def __init__(self, args):
self.dataset_loader = DataLoaderMaker.get_test_attacked_data(args.dataset, args.batch_size)
self.total_images = len(self.dataset_loader.dataset)
self.query_all = torch.zeros(self.total_images)
self.correct_all = torch.zeros_like(self.query_all) # number of images
self.not_done_all = torch.zeros_like(self.query_all) # always set to 0 if the original image is misclassified
self.success_all = torch.zeros_like(self.query_all)
self.success_query_all = torch.zeros_like(self.query_all)
self.not_done_loss_all = torch.zeros_like(self.query_all)
self.not_done_prob_all = torch.zeros_like(self.query_all)
def main_train_worker(args):
if args.gpu is not None:
print("Use GPU: {} for training".format(args.gpu))
if args.dataset.startswith("CIFAR"):
compress_mode = 2
use_tanh = False
resize = None
img_size = 32
if args.dataset == "ImageNet":
compress_mode = 3
use_tanh = True
resize = 128
img_size = 299
elif args.dataset in ["MNIST", "FashionMNIST"]:
compress_mode = 1
use_tanh = False
resize = None
img_size = 28
network = Codec(img_size,
IN_CHANNELS[args.dataset],
compress_mode,
resize=resize,
use_tanh=use_tanh)
model_path = '{}/train_pytorch_model/AutoZOOM/AutoEncoder_{}@compress_{}@use_tanh_{}@epoch_{}@lr_{}@batch_{}.pth.tar'.format(
PY_ROOT, args.dataset, compress_mode, use_tanh, args.epochs, args.lr,
args.batch_size)
os.makedirs(os.path.dirname(model_path), exist_ok=True)
print("Model will be saved to {}".format(model_path))
network.cuda()
mse_loss_fn = nn.MSELoss().cuda()
optimizer = RAdam(network.parameters(),
args.lr,
weight_decay=args.weight_decay)
cudnn.benchmark = True
train_loader = DataLoaderMaker.get_img_label_data_loader(
args.dataset, args.batch_size, True, (img_size, img_size))
# val_loader = DataLoaderMaker.get_img_label_data_loader(args.dataset, args.batch_size, False)
for epoch in range(0, args.epochs):
# adjust_learning_rate(optimizer, epoch, args)
# train_simulate_grad_mode for one epoch
train(train_loader, network, mse_loss_fn, optimizer, epoch, args,
use_tanh)
# evaluate_accuracy on validation set
save_checkpoint(
{
'epoch': epoch + 1,
'encoder': network.encoder.state_dict(),
'decoder': network.decoder.state_dict(),
"compress_mode": compress_mode,
"use_tanh": use_tanh,
'optimizer': optimizer.state_dict(),
},
filename=model_path)
def __init__(self,
dataset,
batch_size,
pixel_attack,
freq_dims,
stride,
order,
max_iters,
targeted,
target_type,
norm,
pixel_epsilon,
l2_bound,
linf_bound,
lower_bound=0.0,
upper_bound=1.0):
"""
:param pixel_epsilon: perturbation limit according to lp-ball
:param norm: norm for the lp-ball constraint
:param lower_bound: minimum value data point can take in any coordinate
:param upper_bound: maximum value data point can take in any coordinate
:param max_crit_queries: max number of calls to early stopping criterion per data poinr
"""
assert norm in ['linf', 'l2'], "{} is not supported".format(norm)
self.pixel_epsilon = pixel_epsilon
self.dataset = dataset
self.norm = norm
self.pixel_attack = pixel_attack
self.lower_bound = lower_bound
self.upper_bound = upper_bound
self.freq_dims = freq_dims
self.stride = stride
self.order = order
self.linf_bound = linf_bound
self.l2_bound = l2_bound
# self.early_stop_crit_fct = lambda model, x, y: 1 - model(x).max(1)[1].eq(y)
self.max_iters = max_iters
self.targeted = targeted
self.target_type = target_type
self.data_loader = DataLoaderMaker.get_test_attacked_data(
dataset, batch_size)
self.total_images = len(self.data_loader.dataset)
self.image_height = IMAGE_SIZE[dataset][0]
self.image_width = IMAGE_SIZE[dataset][1]
self.in_channels = IN_CHANNELS[dataset]
self.query_all = torch.zeros(self.total_images)
self.correct_all = torch.zeros_like(self.query_all) # number of images
self.success_all = torch.zeros_like(self.query_all)
self.success_query_all = torch.zeros_like(self.query_all)
def __init__(self, dataset_name, targeted):
self.dataset_name = dataset_name
self.num_classes = CLASS_NUM[self.dataset_name]
self.dataset_loader = DataLoaderMaker.get_test_attacked_data(
dataset_name, 1)
self.total_images = len(self.dataset_loader.dataset)
self.targeted = targeted
self.query_all = torch.zeros(self.total_images)
self.correct_all = torch.zeros_like(self.query_all) # number of images
self.not_done_all = torch.zeros_like(
self.query_all
) # always set to 0 if the original image is misclassified
self.success_all = torch.zeros_like(self.query_all)
self.success_query_all = torch.zeros_like(self.query_all)
def __init__(self, dataset_name, model, surrogate_model, targeted, target_type):
self.dataset_name = dataset_name
self.data_loader = DataLoaderMaker.get_test_attacked_data(args.dataset, 1)
self.image_height = IMAGE_SIZE[self.dataset_name][0]
self.image_width =IMAGE_SIZE[self.dataset_name][1]
self.in_channels = IN_CHANNELS[self.dataset_name]
self.model = model
self.surrogate_model = surrogate_model
self.model.cuda().eval()
self.surrogate_model.cuda().eval()
self.targeted = targeted # only support untargeted attack now
self.target_type = target_type
self.clip_min = 0.0
self.clip_max = 1.0
def __init__(self, function, config, device):
self.config = config
self.batch_size = config['batch_size']
self.function = function
self.model = function.model
self.device = device
self.epsilon = self.config['epsilon']
self.gp = attack_bayesian_EI.Attack(
f=self,
dim=4,
max_evals=1000,
verbose=True,
use_ard=True,
max_cholesky_size=2000,
n_training_steps=30,
device=device,
dtype="float32",
)
self.query_limit = self.config['query_limit']
self.max_iters = self.config['max_iters']
self.init_iter = self.config["init_iter"]
self.init_batch = self.config["init_batch"]
self.memory_size = self.config["memory_size"]
self.channels = self.config["channels"]
self.image_height = self.config["image_height"]
self.image_width = self.config["image_width"]
self.gp_emptyX = torch.zeros((1, 4), device=device)
self.gp_emptyfX = torch.zeros((1), device=device)
self.local_forget_threshold = self.config['local_forget_threshold']
self.lr = self.config['lr']
self.dataset_loader = DataLoaderMaker.get_test_attacked_data(
args.dataset, args.batch_size)
self.total_images = len(self.dataset_loader.dataset)
self.query_all = torch.zeros(self.total_images)
self.correct_all = torch.zeros_like(self.query_all) # number of images
self.not_done_all = torch.zeros_like(
self.query_all
) # always set to 0 if the original image is misclassified
self.success_all = torch.zeros_like(self.query_all)
self.success_query_all = torch.zeros_like(self.query_all)
self.maximum_queries = self.config["max_queries"]
def __init__(self,
pop_size=5,
generations=1000,
cross_rate=0.7,
mutation_rate=0.001,
max_queries=2000,
epsilon=8. / 255,
iters=10,
ensemble_models=None,
targeted=False):
self.loss_fn = nn.CrossEntropyLoss()
self.dataset_loader = DataLoaderMaker.get_test_attacked_data(
args.dataset, 1)
self.total_images = len(self.dataset_loader.dataset)
# parameters about evolution algorithm
self.pop_size = pop_size
self.generations = generations
self.cross_rate = cross_rate
self.mutation_rate = mutation_rate
# parameters about attack
self.epsilon = epsilon
self.clip_min = 0
self.clip_max = 1
# ensemble MI-FGSM parameters, use ensemble MI-FGSM attack generate adv as initial population
self.ensemble_models = ensemble_models
self.iters = iters
self.targeted = targeted
self.max_queries = max_queries
self.idx = np.random.choice(np.arange(self.pop_size),
size=2,
replace=False)
self.is_change = np.zeros(self.pop_size)
self.pop_fitness = np.zeros(self.pop_size)
self.query_all = torch.zeros(self.total_images)
self.correct_all = torch.zeros_like(self.query_all) # number of images
self.not_done_all = torch.zeros_like(
self.query_all
) # always set to 0 if the original image is misclassified
self.success_all = torch.zeros_like(self.query_all)
self.success_query_all = torch.zeros_like(self.query_all)
def __init__(self, dataset_name, targeted):
self.dataset_name = dataset_name
self.num_classes = CLASS_NUM[self.dataset_name]
self.dataset_loader = DataLoaderMaker.get_test_attacked_data(
dataset_name, 1)
log.info("label index dict data build begin")
# if self.dataset_name == "TinyImageNet":
# self.candidate_loader = DataLoaderMaker.get_candidate_attacked_data(dataset_name, 1)
# self.dataset = self.candidate_loader.dataset
# else:
self.dataset = self.dataset_loader.dataset
self.label_data_index_dict = self.get_label_dataset(self.dataset)
log.info("label index dict data build over!")
self.total_images = len(self.dataset_loader.dataset)
self.targeted = targeted
self.query_all = torch.zeros(self.total_images)
self.correct_all = torch.zeros_like(self.query_all) # number of images
self.not_done_all = torch.zeros_like(
self.query_all
) # always set to 0 if the original image is misclassified
self.success_all = torch.zeros_like(self.query_all)
self.success_query_all = torch.zeros_like(self.query_all)
def generate(datasetname, batch_size):
save_dir_path = "{}/data_adv_defense/guided_denoiser".format(PY_ROOT)
os.makedirs(save_dir_path, exist_ok=True)
set_log_file(save_dir_path + "/generate_{}.log".format(datasetname))
data_loader = DataLoaderMaker.get_img_label_data_loader(datasetname, batch_size, is_train=True)
attackers = []
for model_name in MODELS_TRAIN_STANDARD[datasetname] + MODELS_TEST_STANDARD[datasetname]:
model = StandardModel(datasetname, model_name, no_grad=False)
model = model.cuda().eval()
linf_PGD_attack =LinfPGDAttack(model, loss_fn=nn.CrossEntropyLoss(reduction="sum"), eps=0.031372, nb_iter=30,
eps_iter=0.01, rand_init=True, clip_min=0.0, clip_max=1.0, targeted=False)
l2_PGD_attack = L2PGDAttack(model, loss_fn=nn.CrossEntropyLoss(reduction="sum"),eps=4.6,
nb_iter=30,clip_min=0.0, clip_max=1.0, targeted=False)
FGSM_attack = FGSM(model, loss_fn=nn.CrossEntropyLoss(reduction="sum"))
momentum_attack = MomentumIterativeAttack(model, loss_fn=nn.CrossEntropyLoss(reduction="sum"), eps=0.031372, nb_iter=30,
eps_iter=0.01, clip_min=0.0, clip_max=1.0, targeted=False)
attackers.append(linf_PGD_attack)
attackers.append(l2_PGD_attack)
attackers.append(FGSM_attack)
attackers.append(momentum_attack)
log.info("Create model {} done!".format(model_name))
generate_and_save_adv_examples(datasetname, data_loader, attackers, save_dir_path)
def main():
parser = argparse.ArgumentParser(
description='Square Attack Hyperparameters.')
parser.add_argument('--norm',
type=str,
required=True,
choices=['l2', 'linf'])
parser.add_argument('--dataset', type=str, required=True)
parser.add_argument(
'--gpu',
type=str,
required=True,
help='GPU number. Multiple GPUs are possible for PT models.')
parser.add_argument(
'--p',
type=float,
default=0.05,
help=
'Probability of changing a coordinate. Note: check the paper for the best values. '
'Linf standard: 0.05, L2 standard: 0.1. But robust models require higher p.'
)
parser.add_argument('--epsilon', type=float, help='Radius of the Lp ball.')
parser.add_argument('--max_queries', type=int, default=1000)
parser.add_argument(
'--json-config',
type=str,
default=
'/home1/machen/meta_perturbations_black_box_attack/configures/square_attack_conf.json',
help='a configures file to be passed in instead of arguments')
parser.add_argument('--batch_size', type=int, default=100)
parser.add_argument('--targeted', action="store_true")
parser.add_argument('--target_type',
type=str,
default='random',
choices=['random', 'least_likely', "increment"])
parser.add_argument('--loss', type=str)
args = parser.parse_args()
os.environ["CUDA_DEVICE_ORDER"] = "PCI_BUS_ID"
os.environ["CUDA_VISIBLE_DEVICES"] = args.gpu
if args.json_config:
# If a json file is given, use the JSON file as the base, and then update it with args
defaults = json.load(open(args.json_config))[args.dataset][args.norm]
arg_vars = vars(args)
arg_vars = {
k: arg_vars[k]
for k in arg_vars if arg_vars[k] is not None
}
defaults.update(arg_vars)
args = SimpleNamespace(**defaults)
if args.targeted and args.dataset == "ImageNet":
args.max_queries = 10000
save_dir_path = "{}/data_square_attack/{}/{}".format(
PY_ROOT, args.dataset,
"targeted_attack" if args.targeted else "untargeted_attack")
os.makedirs(save_dir_path, exist_ok=True)
loss_type = "cw" if not args.targeted else "xent"
args.loss = loss_type
log_path = osp.join(
save_dir_path,
get_log_path(args.dataset, loss_type, args.norm, args.targeted,
args.target_type))
set_log_file(log_path)
log.info('Command line is: {}'.format(' '.join(sys.argv)))
log.info("Log file is written in {}".format(log_path))
log.info('Called with args:')
print_args(args)
trn_data_loader = DataLoaderMaker.get_img_label_data_loader(
args.dataset, args.batch_size, is_train=True)
models = []
for arch in MODELS_TRAIN_STANDARD[args.dataset]:
if StandardModel.check_arch(arch, args.dataset):
model = StandardModel(args.dataset, arch, True)
model = model.eval()
models.append({"arch_name": arch, "model": model})
model_data_dict = defaultdict(list)
for images, labels in trn_data_loader:
model_info = random.choice(models)
arch = model_info["arch_name"]
model = model_info["model"]
if images.size(-1) != model.input_size[-1]:
images = F.interpolate(images,
size=model.input_size[-1],
mode='bilinear',
align_corners=True)
model_data_dict[(arch, model)].append((images, labels))
log.info("Assign data to multiple models over!")
attacker = SquareAttack(args.dataset,
args.targeted,
args.target_type,
args.epsilon,
args.norm,
max_queries=args.max_queries)
attacker.attack_all_images(args, model_data_dict, save_dir_path)
log.info("All done!")
def generate_attacked_dataset(dataset, num_sample, models):
selected_images = []
selected_images_big = []
selected_true_labels = []
selected_img_id = []
total_count = 0
data_loader = DataLoaderMaker.get_imgid_img_label_data_loader(dataset, 500, False, seed=1234)
print("begin select")
if dataset != "ImageNet":
for image_id, images, labels in data_loader:
images_gpu = images.cuda()
pred_eq_true_label = []
for model in models:
with torch.no_grad():
logits = model(images_gpu)
pred = logits.max(1)[1]
correct = pred.detach().cpu().eq(labels).long()
pred_eq_true_label.append(correct.detach().cpu().numpy())
pred_eq_true_label = np.stack(pred_eq_true_label).astype(np.uint8) # M, B
pred_eq_true_label = np.bitwise_and.reduce(pred_eq_true_label, axis=0) # 1,0,1,1,1
current_select_count = len(np.where(pred_eq_true_label)[0])
total_count += current_select_count
selected_image = images.detach().cpu().numpy()[np.where(pred_eq_true_label)[0]]
selected_images.append(selected_image)
selected_true_labels.append(labels.detach().cpu().numpy()[np.where(pred_eq_true_label)[0]])
selected_img_id.append(image_id.detach().cpu().numpy()[np.where(pred_eq_true_label)[0]])
if total_count >= num_sample:
break
else:
for image_id, images, images_big, labels in data_loader:
images_gpu = images.cuda()
pred_eq_true_label = []
for model in models:
with torch.no_grad():
logits = model(images_gpu)
pred = logits.max(1)[1]
correct = pred.detach().cpu().eq(labels).long()
pred_eq_true_label.append(correct.detach().cpu().numpy())
pred_eq_true_label = np.stack(pred_eq_true_label).astype(np.uint8) # M, B
pred_eq_true_label = np.bitwise_and.reduce(pred_eq_true_label, axis=0) # 1,0,1,1,1
current_select_count = len(np.where(pred_eq_true_label)[0])
total_count += current_select_count
selected_image = images.detach().cpu().numpy()[np.where(pred_eq_true_label)[0]]
selected_images.append(selected_image)
selected_image_big = images_big.detach().cpu().numpy()[np.where(pred_eq_true_label)[0]]
selected_images_big.append(selected_image_big)
selected_true_labels.append(labels.detach().cpu().numpy()[np.where(pred_eq_true_label)[0]])
selected_img_id.append(image_id.detach().cpu().numpy()[np.where(pred_eq_true_label)[0]])
if total_count >= num_sample:
break
selected_images = np.concatenate(selected_images, 0)
if dataset=="ImageNet":
selected_images_big = np.concatenate(selected_images_big, 0)
selected_images_big = selected_images_big[:num_sample]
selected_true_labels = np.concatenate(selected_true_labels, 0)
selected_img_id = np.concatenate(selected_img_id, 0)
selected_images = selected_images[:num_sample]
selected_true_labels = selected_true_labels[:num_sample]
selected_img_id = selected_img_id[:num_sample]
return selected_images, selected_images_big, selected_true_labels, selected_img_id
def main():
global args
global state
os.environ['CUDA_VISIBLE_DEVICES'] = args.gpu
model = FeatureDefenseModel(args.dataset, args.arch, no_grad=False)
model = model.cuda()
model_path = '{}/train_pytorch_model/adversarial_train/pl_loss/pcl_pgd_adv_train_{}@{}.pth.tar'.format(
PY_ROOT, args.dataset, args.arch)
set_log_file(
os.path.dirname(model_path) +
"/adv_train_{}_{}.log".format(args.dataset, args.arch))
log.info('Command line is: {}'.format(' '.join(sys.argv)))
log.info('Called with args:')
print_args(args)
log.info(
"After trained over, the model will be saved to {}".format(model_path))
train_loader = DataLoaderMaker.get_img_label_data_loader(
args.dataset, args.train_batch, True)
test_loader = DataLoaderMaker.get_img_label_data_loader(
args.dataset, args.test_batch, False)
use_gpu = torch.cuda.is_available()
num_classes = CLASS_NUM[args.dataset]
criterion_xent = nn.CrossEntropyLoss()
criterion_prox_1024 = Proximity(num_classes=num_classes,
feat_dim=1024,
use_gpu=use_gpu)
criterion_prox_256 = Proximity(num_classes=num_classes,
feat_dim=256,
use_gpu=use_gpu)
criterion_conprox_1024 = Con_Proximity(num_classes=num_classes,
feat_dim=1024,
use_gpu=use_gpu)
criterion_conprox_256 = Con_Proximity(num_classes=num_classes,
feat_dim=256,
use_gpu=use_gpu)
optimizer_model = torch.optim.SGD(model.parameters(),
lr=args.lr_model,
weight_decay=1e-04,
momentum=0.9)
optimizer_prox_1024 = torch.optim.SGD(criterion_prox_1024.parameters(),
lr=args.lr_prox)
optimizer_prox_256 = torch.optim.SGD(criterion_prox_256.parameters(),
lr=args.lr_prox)
optimizer_conprox_1024 = torch.optim.SGD(
criterion_conprox_1024.parameters(), lr=args.lr_conprox)
optimizer_conprox_256 = torch.optim.SGD(criterion_conprox_256.parameters(),
lr=args.lr_conprox)
softmax_model_path = '{}/train_pytorch_model/adversarial_train/pl_loss/benign_image_{}@{}.pth.tar'.format(
PY_ROOT, args.dataset, args.arch)
assert os.path.exists(softmax_model_path), "{} does not exist!".format(
softmax_model_path)
state_dict = torch.load(softmax_model_path,
map_location=lambda storage, location: storage)
model.cnn.load_state_dict(state_dict["state_dict"])
optimizer_model.load_state_dict(state_dict["optimizer"])
log.info("Load softmax pretrained model from {} done".format(
softmax_model_path))
start_time = time.time()
resume_epoch = 0
if os.path.exists(model_path):
state_dict = torch.load(model_path,
map_location=lambda storage, location: storage)
resume_epoch = state_dict["epoch"]
model.load_state_dict(state_dict["state_dict"])
optimizer_model.load_state_dict(state_dict["optimizer_model"])
optimizer_prox_1024.load_state_dict(state_dict["optimizer_prox_1024"])
optimizer_prox_256.load_state_dict(state_dict["optimizer_prox_256"])
optimizer_conprox_1024.load_state_dict(
state_dict["optimizer_conprox_1024"])
optimizer_conprox_256.load_state_dict(
state_dict["optimizer_conprox_256"])
log.info("Load model from {} (epoch:{})".format(
model_path, resume_epoch))
for epoch in range(resume_epoch, args.max_epoch):
adjust_learning_rate(args, optimizer_model, epoch)
adjust_learning_rate_prox(args, optimizer_prox_1024, epoch)
adjust_learning_rate_prox(args, optimizer_prox_256, epoch)
adjust_learning_rate_conprox(args, optimizer_conprox_1024, epoch)
adjust_learning_rate_conprox(args, optimizer_conprox_256, epoch)
train(args, model, criterion_xent, criterion_prox_1024,
criterion_prox_256, criterion_conprox_1024,
criterion_conprox_256, optimizer_model, optimizer_prox_1024,
optimizer_prox_256, optimizer_conprox_1024,
optimizer_conprox_256, train_loader, use_gpu, num_classes, epoch)
if args.eval_freq > 0 and (epoch + 1) % args.eval_freq == 0 or (
epoch + 1) == args.max_epoch:
log.info("==> Test") # Tests after every 10 epochs
acc, err = test(model, test_loader)
log.info("Accuracy (%): {}\t Error rate (%): {}".format(acc, err))
state_ = {
'epoch': epoch + 1,
'state_dict': model.state_dict(),
'optimizer_model': optimizer_model.state_dict(),
'optimizer_prox_1024': optimizer_prox_1024.state_dict(),
'optimizer_prox_256': optimizer_prox_256.state_dict(),
'optimizer_conprox_1024': optimizer_conprox_1024.state_dict(),
'optimizer_conprox_256': optimizer_conprox_256.state_dict(),
}
torch.save(state_, model_path)
elapsed = round(time.time() - start_time)
elapsed = str(datetime.timedelta(seconds=elapsed))
log.info("Finished epoch {}. Total elapsed time (h:m:s): {}".format(
epoch + 1, elapsed))
test_model_list_path = "{}/train_pytorch_model/real_image_model/{}-pretrained/checkpoints/{}*.pth".format(
PY_ROOT, args.dataset, arch)
test_model_list_path = list(glob.glob(test_model_list_path))
if len(test_model_list_path
) == 0: # this arch does not exists in args.dataset
continue
archs.append(arch)
else:
assert args.arch is not None
archs = [args.arch]
args.arch = ", ".join(archs)
log.info('Command line is: {}'.format(' '.join(sys.argv)))
log.info("Log file is written in {}".format(log_file_path))
log.info('Called with args:')
print_args(args)
data_loader = DataLoaderMaker.get_test_attacked_data(args.dataset, 1)
for arch in archs:
if args.attack_defense:
save_result_path = args.exp_dir + "/{}_{}_result.json".format(
arch, args.defense_model)
else:
save_result_path = args.exp_dir + "/{}_result.json".format(arch)
if os.path.exists(save_result_path):
continue
log.info("Begin attack {} on {}, result will be saved to {}".format(
arch, args.dataset, save_result_path))
if args.attack_defense:
model = DefensiveModel(args.dataset,
arch,
no_grad=True,
defense_model=args.defense_model)
save_name = "train_pytorch_model/TREMBA/{}_{}_generator.pth.tar".format(
args.dataset, targeted_str)
else:
save_name = "train_pytorch_model/TREMBA/{}_{}_generator.pth.tar".format(
args.dataset, targeted_str)
set_log_file(
os.path.dirname(save_name) +
"/train_{}_{}.log".format(args.dataset, targeted_str))
with open(args.config) as config_file:
state = json.load(config_file)["train"][targeted_str]
state = SimpleNamespace(**state)
state.targeted = args.targeted
state.dataset = args.dataset
state.batch_size = args.batch_size
device = torch.device(args.gpu)
train_loader = DataLoaderMaker.get_img_label_data_loader(
args.dataset, state.batch_size, True)
val_loader = DataLoaderMaker.get_img_label_data_loader(
args.dataset, state.batch_size, False)
nets = []
log.info("Initialize pretrained models.")
for model_name in MODELS_TRAIN_STANDARD[args.dataset]:
pretrained_model = StandardModel(args.dataset,
model_name,
no_grad=False)
# pretrained_model.cuda()
pretrained_model.eval()
nets.append(pretrained_model)
log.info("Initialize over!")
model = nn.Sequential(ImagenetEncoder(), ImagenetDecoder(args.dataset))
model = model.cuda()
optimizer_G = torch.optim.SGD(model.parameters(),
def main():
parser = argparse.ArgumentParser(description='PyTorch ImageNet Training')
parser.add_argument('--arch', type=str, required=True, help="The arch used to generate adversarial images for testing")
parser.add_argument("--gpu",type=str,required=True)
parser.add_argument("--dataset", type=str, required=True)
parser.add_argument('--test_mode', default=0, type=int, choices=list(range(10)))
# parser.add_argument('--model', default='res', type=str)
parser.add_argument('--n_epoch', default=200, type=int)
parser.add_argument('--batch_size', default=128, type=int)
parser.add_argument('--test_batch_size', default=10, type=int)
parser.add_argument('--lambd', default=0.0001, type=float)
parser.add_argument('--noise_dev', default=20.0, type=float)
parser.add_argument('--Linfinity', default=8/255, type=float)
parser.add_argument('--binary_threshold', default=0.5, type=float)
parser.add_argument('--lr_mode', default=0, type=int)
parser.add_argument('--test_interval', default=100, type=int)
parser.add_argument('--lr', default=1e-3, type=float)
parser.add_argument("--use_res_net",action="store_true")
args = parser.parse_args()
os.environ["CUDA_DEVICE_ORDER"] = "PCI_BUS_ID"
os.environ['CUDA_VISIBLE_DEVICES'] = str(args.gpu)
cudnn.deterministic = True
model_path = '{}/train_pytorch_model/adversarial_train/com_defend/{}@{}@epoch_{}@batch_{}.pth.tar'.format(
PY_ROOT, args.dataset, args.arch, args.n_epoch, args.batch_size)
os.makedirs(os.path.dirname(model_path), exist_ok=True)
set_log_file(os.path.dirname(model_path) + "/train_{}.log".format(args.dataset))
log.info('Command line is: {}'.format(' '.join(sys.argv)))
log.info('Called with args:')
print_args(args)
in_channels = IN_CHANNELS[args.dataset]
# if args.use_res_net:
# if args.test_mode == 0:
# com_defender = ModelRes(in_channels=in_channels, com_disable=True,rec_disable=True)
# args.save_model = 'normal'
# elif args.test_mode == 1:
# com_defender = ModelRes(in_channels=in_channels, n_com=1,n_rec=3,com_disable=False,rec_disable=True)
# args.save_model = '1_on_off'
# elif args.test_mode == 2:
# com_defender = ModelRes(in_channels=in_channels, n_com=2,n_rec=3,com_disable=False,rec_disable=True)
# args.save_model = '2_on_off'
# elif args.test_mode == 3:
# com_defender = ModelRes(in_channels=in_channels, n_com=3,n_rec=3,com_disable=False,rec_disable=True)
# args.save_model = '3_on_off'
# elif args.test_mode == 4:
# com_defender = ModelRes(in_channels=in_channels, n_com=3,n_rec=1,com_disable=True,rec_disable=False)
# args.save_model = 'off_on_1'
# elif args.test_mode == 5:
# com_defender = ModelRes(in_channels=in_channels, n_com=3,n_rec=2,com_disable=True,rec_disable=False)
# args.save_model = 'off_on_2'
# elif args.test_mode == 6:
# com_defender = ModelRes(in_channels=in_channels, n_com=3,n_rec=3,com_disable=True,rec_disable=False)
# args.save_model = 'off_on_3'
# elif args.test_mode == 7:
# com_defender = ModelRes(in_channels=in_channels, n_com=1,n_rec=1,com_disable=False,rec_disable=False)
# args.save_model = '1_1'
# elif args.test_mode == 8:
# com_defender = ModelRes(in_channels=in_channels, n_com=2,n_rec=2,com_disable=False,rec_disable=False)
# args.save_model = '2_2'
# elif args.test_mode == 9:
# com_defender = ModelRes(in_channels=in_channels, n_com=3,n_rec=3,com_disable=False,rec_disable=False)
# args.save_model = '3_3'
# else:
com_defender = ComDefend(in_channels, args.noise_dev)
args.save_model = "normal_network"
log.info('test mode: {}, model name: {}'.format(args.test_mode, args.save_model))
if args.gpu is not None:
log.info("Use GPU: {} for training".format(args.gpu))
log.info("=> creating model '{}'".format(args.arch))
log.info("after train, model will be saved to {}".format(model_path))
com_defender.cuda()
cudnn.benchmark = True
train_loader = DataLoaderMaker.get_imgid_img_label_data_loader(args.dataset, args.batch_size, True, seed=1234)
test_attack_dataset_loader = DataLoaderMaker.get_test_attacked_data(args.dataset, args.batch_size)
log.info("Begin generate the adversarial examples.")
target_model, adv_images, adv_true_labels = test_attack(args.Linfinity, args.arch, args.dataset,
test_attack_dataset_loader) # 这些图片被用来验证
log.info("Generate adversarial examples done!")
best_acc = torch.zeros(1)
for epoch in range(0, args.n_epoch):
train(args, train_loader, com_defender, epoch, target_model, adv_images, adv_true_labels,best_acc, model_path)
if args.test_archs:
if args.attack_defense:
log_file_path = os.path.join(
args.exp_dir, 'run_defense_{}.log'.format(args.defense_model))
else:
log_file_path = os.path.join(args.exp_dir, 'run.log')
elif args.arch is not None:
if args.attack_defense:
log_file_path = os.path.join(
args.exp_dir,
'run_defense_{}_{}.log'.format(args.arch, args.defense_model))
else:
log_file_path = os.path.join(args.exp_dir,
'run_{}.log'.format(args.arch))
set_log_file(log_file_path)
DataLoaderMaker.setup_seed(args.seed)
archs = []
dataset = args.dataset
if args.test_archs:
if dataset == "CIFAR-10" or dataset == "CIFAR-100":
for arch in MODELS_TEST_STANDARD[dataset]:
test_model_path = "{}/train_pytorch_model/real_image_model/{}-pretrained/{}/checkpoint.pth.tar".format(
PY_ROOT, dataset, arch)
if os.path.exists(test_model_path):
archs.append(arch)
else:
log.info(test_model_path + " does not exists!")
elif args.dataset == "TinyImageNet":
for arch in MODELS_TEST_STANDARD[dataset]:
test_model_list_path = "{root}/train_pytorch_model/real_image_model/{dataset}@{arch}*.pth.tar".format(
root=PY_ROOT, dataset=args.dataset, arch=arch)
arch)
if os.path.exists(save_result_path):
continue
log.info("Begin attack {} on {}, result will be saved to {}".format(
arch, args.dataset, save_result_path))
if args.attack_defense:
model = DefensiveModel(args.dataset,
arch,
no_grad=True,
defense_model=args.defense_model)
else:
model = StandardModel(args.dataset, arch, no_grad=True)
model.cuda()
model.eval()
dataset_loader = DataLoaderMaker.get_test_attacked_data(
args.dataset, args.batch_size)
success_all = torch.zeros(dataset_loader.dataset.__len__()).float()
correct_all = torch.zeros(dataset_loader.dataset.__len__()).float()
query_all = torch.zeros(dataset_loader.dataset.__len__()).float()
for batch_idx, data_tuple in enumerate(dataset_loader):
if args.dataset == "ImageNet":
if model.input_size[-1] >= 299:
images, true_labels = data_tuple[1], data_tuple[2]
else:
images, true_labels = data_tuple[0], data_tuple[2]
else:
images, true_labels = data_tuple[0], data_tuple[1]
if args.targeted:
target_labels = torch.fmod(true_labels + 1,
CLASS_NUM[args.dataset])
else:
def main():
args = get_args()
with open(args.config) as config_file:
state = json.load(config_file)["attack"][args.targeted]
state = SimpleNamespace(**state)
if args.save_prefix is not None:
state.save_prefix = args.save_prefix
if args.arch is not None:
state.arch = args.arch
if args.test_archs is not None:
state.test_archs = args.test_archs
state.OSP = args.OSP
state.targeted = args.targeted
device = torch.device(args.device if torch.cuda.is_available() else "cpu")
targeted_str = "untargeted" if not state.targeted else "targeted"
if state.targeted:
save_name = "{}/train_pytorch_model/TREMBA/{}_{}_generator.pth.tar".format(
PY_ROOT, args.dataset, targeted_str)
else:
save_name = "{}/train_pytorch_model/TREMBA/{}_{}_generator.pth.tar".format(
PY_ROOT, args.dataset, targeted_str)
weight = torch.load(save_name, map_location=device)["state_dict"]
data_loader = DataLoaderMaker.get_test_attacked_data(
args.dataset, args.batch_size)
encoder_weight = {}
decoder_weight = {}
for key, val in weight.items():
if key.startswith('0.'):
encoder_weight[key[2:]] = val
elif key.startswith('1.'):
decoder_weight[key[2:]] = val
archs = []
if args.test_archs:
if args.dataset == "CIFAR-10" or args.dataset == "CIFAR-100":
for arch in MODELS_TEST_STANDARD[args.dataset]:
test_model_path = "{}/train_pytorch_model/real_image_model/{}-pretrained/{}/checkpoint.pth.tar".format(
PY_ROOT, args.dataset, arch)
if os.path.exists(test_model_path):
archs.append(arch)
else:
log.info(test_model_path + " does not exists!")
elif args.dataset == "TinyImageNet":
for arch in MODELS_TEST_STANDARD[args.dataset]:
test_model_list_path = "{root}/train_pytorch_model/real_image_model/{dataset}@{arch}*.pth.tar".format(
root=PY_ROOT, dataset=args.dataset, arch=arch)
test_model_path = list(glob.glob(test_model_list_path))
if test_model_path and os.path.exists(test_model_path[0]):
archs.append(arch)
else:
for arch in MODELS_TEST_STANDARD[args.dataset]:
test_model_list_path = "{}/train_pytorch_model/real_image_model/{}-pretrained/checkpoints/{}*.pth".format(
PY_ROOT, args.dataset, arch)
test_model_list_path = list(glob.glob(test_model_list_path))
if len(test_model_list_path
) == 0: # this arch does not exists in args.dataset
continue
archs.append(arch)
args.arch = ",".join(archs)
else:
archs.append(args.arch)
args.exp_dir = get_exp_dir_name(args.dataset, args.norm, args.targeted,
args.target_type, args)
for arch in archs:
if args.attack_defense:
save_result_path = args.exp_dir + "/{}_{}_result.json".format(
arch, args.defense_model)
else:
save_result_path = args.exp_dir + "/{}_result.json".format(arch)
if os.path.exists(save_result_path):
continue
if args.OSP:
if state.source_model_name == "Adv_Denoise_Resnet152":
source_model = resnet152_denoise()
loaded_state_dict = torch.load((os.path.join(
'{}/train_pytorch_model/TREMBA'.format(PY_ROOT),
state.source_model_name + ".pth.tar")))
source_model.load_state_dict(loaded_state_dict)
mean = np.array([0.485, 0.456, 0.406])
std = np.array([0.229, 0.224, 0.225])
# FIXME 仍然要改改
source_model = nn.Sequential(Normalize(mean, std),
source_model)
source_model.to(device)
source_model.eval()
if args.attack_defense:
model = DefensiveModel(args.dataset,
arch,
no_grad=True,
defense_model=args.defense_model)
else:
model = StandardModel(args.dataset, arch, no_grad=True)
model.eval()
encoder = ImagenetEncoder()
decoder = ImagenetDecoder(args.dataset)
encoder.load_state_dict(encoder_weight)
decoder.load_state_dict(decoder_weight)
model.to(device)
encoder.to(device)
encoder.eval()
decoder.to(device)
decoder.eval()
F = Function(model, state.batch_size, state.margin,
CLASS_NUM[args.dataset], state.targeted)
total_success = 0
count_total = 0
queries = []
not_done = []
correct_all = []
for i, (images, labels) in enumerate(data_loader):
images = images.to(device)
labels = labels.to(device)
logits = model(images)
correct = torch.argmax(logits, dim=1).eq(labels).item()
correct_all.append(int(correct))
if correct:
if args.targeted:
if args.target_type == 'random':
target_labels = torch.randint(
low=0,
high=CLASS_NUM[args.dataset],
size=labels.size()).long().cuda()
invalid_target_index = target_labels.eq(labels)
while invalid_target_index.sum().item() > 0:
target_labels[
invalid_target_index] = torch.randint(
low=0,
high=logit.shape[1],
size=target_labels[invalid_target_index].
shape).long().cuda()
invalid_target_index = target_labels.eq(labels)
elif args.target_type == 'least_likely':
with torch.no_grad():
logit = model(images)
target_labels = logit.argmin(dim=1)
elif args.target_type == "increment":
target_labels = torch.fmod(
labels + 1, CLASS_NUM[args.dataset]).cuda()
labels = target_labels[0].item()
else:
labels = labels[0].item()
if args.OSP:
hinge_loss = MarginLossSingle(state.white_box_margin,
state.target)
images.requires_grad = True
latents = encoder(images)
for k in range(state.white_box_iters):
perturbations = decoder(latents) * state.epsilon
logits = source_model(
torch.clamp(images + perturbations, 0, 1))
loss = hinge_loss(logits, labels)
grad = torch.autograd.grad(loss, latents)[0]
latents = latents - state.white_box_lr * grad
with torch.no_grad():
success, adv, query_count = EmbedBA(
F, encoder, decoder, images[0], labels, state,
latents.view(-1))
else:
with torch.no_grad():
success, adv, query_count = EmbedBA(
F, encoder, decoder, images[0], labels, state)
not_done.append(1 - int(success))
total_success += int(success)
count_total += int(correct)
if success:
queries.append(query_count)
else:
queries.append(args.max_queries)
log.info(
"image: {} eval_count: {} success: {} average_count: {} success_rate: {}"
.format(i, F.current_counts, success, F.get_average(),
float(total_success) / float(count_total)))
F.new_counter()
else:
queries.append(0)
not_done.append(1)
log.info("The {}-th image is already classified incorrectly.".
format(i))
correct_all = np.concatenate(correct_all, axis=0).astype(np.int32)
query_all = np.array(queries).astype(np.int32)
not_done_all = np.array(not_done).astype(np.int32)
success = (1 - not_done_all) * correct_all
success_query = success * query_all
meta_info_dict = {
"query_all":
query_all.tolist(),
"not_done_all":
not_done_all.tolist(),
"correct_all":
correct_all.tolist(),
"mean_query":
np.mean(success_query[np.nonzero(success)[0]]).item(),
"max_query":
np.max(success_query[np.nonzero(success)[0]]).item(),
"median_query":
np.median(success_query[np.nonzero(success)[0]]).item(),
"avg_not_done":
np.mean(not_done_all[np.nonzero(correct_all)[0]].astype(
np.float32)).item(),
"args":
vars(args)
}
with open(save_result_path, "w") as result_file_obj:
json.dump(meta_info_dict, result_file_obj, sort_keys=True)
log.info("Done, write stats info to {}".format(save_result_path))
# settings
model_dir = args.model_dir
if not os.path.exists(model_dir):
os.makedirs(model_dir)
# setup data loader
transform_train = transforms.Compose([
transforms.RandomCrop(32, padding=4),
transforms.RandomHorizontalFlip(),
transforms.ToTensor(),
])
transform_test = transforms.Compose([
transforms.ToTensor(),
])
train_loader = DataLoaderMaker.get_imgid_img_label_data_loader(args.dataset,
args.batch_size,
True,
seed=1234)
test_loader = DataLoaderMaker.get_imgid_img_label_data_loader(args.dataset,
args.batch_size,
False,
seed=1234)
def train(args, model, device, train_loader, optimizer, epoch):
model.train()
for batch_idx, (_, data, target) in enumerate(train_loader):
data, target = data.to(device), target.to(device)
optimizer.zero_grad()
# calculate robust loss
log.info("All the data will be saved into {}".format(save_dir_path))
log.info("Using GPU {}".format(args.gpu))
log.info('Command line is: {}'.format(' '.join(sys.argv)))
log.info('Called with args:')
print_args(args)
defaults = json.load(open(args.json_config))[args.dataset]
arg_vars = vars(args)
arg_vars = {k: arg_vars[k] for k in arg_vars if arg_vars[k] is not None}
defaults.update(arg_vars)
args = SimpleNamespace(**defaults)
if args.norm == "linf":
args.epsilon = defaults["linf_epsilon"]
args.surrogate_arch = "resnet-110" if args.dataset.startswith(
"CIFAR") else "resnet101"
surrogate_model = StandardModel(args.dataset, args.surrogate_arch, False)
trn_data_loader = DataLoaderMaker.get_img_label_data_loader(
args.dataset, args.batch_size, is_train=True) # 生成的是训练集而非测试集
archs = []
for arch in MODELS_TRAIN_STANDARD[args.dataset]:
if StandardModel.check_arch(arch, args.dataset):
archs.append(arch)
print("It will be use {} architectures".format(",".join(archs)))
model_to_data = partition_dataset(archs, trn_data_loader,
args.total_images)
for arch in archs:
model = StandardModel(args.dataset, arch, True)
attacker = PriorRGFAttack(args.dataset, model, surrogate_model,
args.targeted, args.target_type)
log.info("Begin attack {}".format(arch))
with torch.no_grad():
attacker.attack_dataset(args, model_to_data, arch, save_dir_path)
model.cpu()
args.num_classes = 10
args.image_size = 32
if args.dataset == 'TinyImageNet':
print('------------Tiny ImageNet---------')
args.num_classes = CLASS_NUM[args.dataset]
args.image_size = 64
device = 'cuda' if torch.cuda.is_available() else 'cpu'
start_epoch = 0
model_path = '{}/train_pytorch_model/adversarial_train/feature_scatter/{}@{}@epoch_{}@batch_{}.pth.tar'.format(
PY_ROOT, args.dataset, args.arch, args.max_epoch, args.batch_size_train)
print("model will be saved to {}".format(model_path))
os.makedirs(os.path.dirname(model_path), exist_ok=True)
# Data
print('==> Preparing data..')
train_loader = DataLoaderMaker.get_img_label_data_loader(
args.dataset, args.batch_size_train, True)
print('==> Building model..')
basic_net = StandardModel(args.dataset, args.arch,
no_grad=False).train().cuda()
basic_net.apply(initialize_weights)
def print_para(net):
for name, param in net.named_parameters():
if param.requires_grad:
print(name)
print(param.data)
break
])
# test_preprocessor = transforms.ToTensor()
dataset = args.dataset
if dataset == "CIFAR-10":
train_dataset = CIFAR10(IMAGE_DATA_ROOT[dataset],
train=True,
transform=train_preprocessor)
# test_dataset = CIFAR10(IMAGE_DATA_ROOT[dataset], train=False, transform=test_preprocessor)
elif dataset == "CIFAR-100":
train_dataset = CIFAR100(IMAGE_DATA_ROOT[dataset],
train=True,
transform=train_preprocessor)
# test_dataset = CIFAR100(IMAGE_DATA_ROOT[dataset], train=False, transform=test_preprocessor)
elif dataset == "ImageNet":
train_preprocessor = DataLoaderMaker.get_preprocessor(IMAGE_SIZE[dataset],
True,
center_crop=False)
# test_preprocessor = DataLoaderMaker.get_preprocessor(IMAGE_SIZE[dataset], False, center_crop=True)
train_dataset = ImageFolder(IMAGE_DATA_ROOT[dataset] + "/train",
transform=train_preprocessor)
elif dataset == "TinyImageNet":
train_dataset = TinyImageNet(IMAGE_DATA_ROOT[dataset],
train_preprocessor,
train=True)
batch_size = args.batch_size
train_loader = torch.utils.data.DataLoader(train_dataset,
batch_size=batch_size,
shuffle=True,
num_workers=0)
