def normalize_lp_norms(x: ep.Tensor, *, p: float) -> ep.Tensor:
assert 0 < p < ep.inf
norms = flatten(x).norms.lp(p=p, axis=-1)
norms = ep.maximum(norms, 1e-12) # avoid divsion by zero
factor = 1 / norms
factor = atleast_kd(factor, x.ndim)
return x * factor
def clip_lp_norms(x: ep.Tensor, *, norm: float, p: float) -> ep.Tensor:
assert 0 < p < ep.inf
norms = flatten(x).norms.lp(p=p, axis=-1)
norms = ep.maximum(norms, 1e-12) # avoid divsion by zero
factor = ep.minimum(1, norm / norms) # clipping -> decreasing but not increasing
factor = atleast_kd(factor, x.ndim)
return x * factor
def run(
self,
model: Model,
inputs: T,
criterion: Union[Criterion, Any] = None,
*,
epsilon: float,
**kwargs: Any,
) -> T:
raise_if_kwargs(kwargs)
x, restore_type = ep.astensor_(inputs)
del inputs, criterion, kwargs
min_, max_ = model.bounds
target = min_ + self.target * (max_ - min_)
direction = target - x
norms = ep.norms.l2(flatten(direction), axis=-1)
scale = epsilon / atleast_kd(norms, direction.ndim)
scale = ep.minimum(scale, 1)
x = x + scale * direction
x = x.clip(min_, max_)
return restore_type(x)
def run(
self,
model: Model,
inputs: T,
criterion: Union[Misclassification, TargetedMisclassification, T],
*,
early_stop: Optional[float] = None,
**kwargs: Any,
) -> T:
raise_if_kwargs(kwargs)
x, restore_type = ep.astensor_(inputs)
criterion_ = get_criterion(criterion)
del inputs, criterion, kwargs
N = len(x)
if isinstance(criterion_, Misclassification):
targeted = False
classes = criterion_.labels
change_classes_logits = self.confidence
elif isinstance(criterion_, TargetedMisclassification):
targeted = True
classes = criterion_.target_classes
change_classes_logits = -self.confidence
else:
raise ValueError("unsupported criterion")
def is_adversarial(perturbed: ep.Tensor,
logits: ep.Tensor) -> ep.Tensor:
if change_classes_logits != 0:
logits += ep.onehot_like(logits,
classes,
value=change_classes_logits)
return criterion_(perturbed, logits)
if classes.shape != (N, ):
name = "target_classes" if targeted else "labels"
raise ValueError(
f"expected {name} to have shape ({N},), got {classes.shape}")
bounds = model.bounds
to_attack_space = partial(_to_attack_space, bounds=bounds)
to_model_space = partial(_to_model_space, bounds=bounds)
x_attack = to_attack_space(x)
reconstsructed_x = to_model_space(x_attack)
rows = range(N)
def loss_fun(
delta: ep.Tensor, consts: ep.Tensor
) -> Tuple[ep.Tensor, Tuple[ep.Tensor, ep.Tensor]]:
assert delta.shape == x_attack.shape
assert consts.shape == (N, )
x = to_model_space(x_attack + delta)
logits = model(x)
if targeted:
c_minimize = best_other_classes(logits, classes)
c_maximize = classes # target_classes
else:
c_minimize = classes # labels
c_maximize = best_other_classes(logits, classes)
is_adv_loss = logits[rows, c_minimize] - logits[rows, c_maximize]
assert is_adv_loss.shape == (N, )
is_adv_loss = is_adv_loss + self.confidence
is_adv_loss = ep.maximum(0, is_adv_loss)
is_adv_loss = is_adv_loss * consts
squared_norms = flatten(x - reconstsructed_x).square().sum(axis=-1)
loss = is_adv_loss.sum() + squared_norms.sum()
return loss, (x, logits)
loss_aux_and_grad = ep.value_and_grad_fn(x, loss_fun, has_aux=True)
consts = self.initial_const * np.ones((N, ))
lower_bounds = np.zeros((N, ))
upper_bounds = np.inf * np.ones((N, ))
best_advs = ep.zeros_like(x)
best_advs_norms = ep.full(x, (N, ), ep.inf)
# the binary search searches for the smallest consts that produce adversarials
for binary_search_step in range(self.binary_search_steps):
if (binary_search_step == self.binary_search_steps - 1
and self.binary_search_steps >= 10):
# in the last binary search step, repeat the search once
consts = np.minimum(upper_bounds, 1e10)
# create a new optimizer find the delta that minimizes the loss
delta = ep.zeros_like(x_attack)
optimizer = AdamOptimizer(delta)
# tracks whether adv with the current consts was found
found_advs = np.full((N, ), fill_value=False)
loss_at_previous_check = np.inf
consts_ = ep.from_numpy(x, consts.astype(np.float32))
for step in range(self.steps):
loss, (perturbed,
logits), gradient = loss_aux_and_grad(delta, consts_)
delta += optimizer(gradient, self.stepsize)
if self.abort_early and step % (np.ceil(self.steps / 10)) == 0:
# after each tenth of the overall steps, check progress
if not (loss <= 0.9999 * loss_at_previous_check):
break # stop Adam if there has been no progress
loss_at_previous_check = loss
found_advs_iter = is_adversarial(perturbed, logits)
found_advs = np.logical_or(found_advs, found_advs_iter.numpy())
norms = flatten(perturbed - x).norms.l2(axis=-1)
closer = norms < best_advs_norms
new_best = ep.logical_and(closer, found_advs_iter)
new_best_ = atleast_kd(new_best, best_advs.ndim)
best_advs = ep.where(new_best_, perturbed, best_advs)
best_advs_norms = ep.where(new_best, norms, best_advs_norms)
upper_bounds = np.where(found_advs, consts, upper_bounds)
lower_bounds = np.where(found_advs, lower_bounds, consts)
consts_exponential_search = consts * 10
consts_binary_search = (lower_bounds + upper_bounds) / 2
consts = np.where(np.isinf(upper_bounds),
consts_exponential_search, consts_binary_search)
return restore_type(best_advs)
def run(
self,
model: Model,
inputs: T,
criterion: Union[Misclassification, T],
*,
epsilon: float,
**kwargs: Any,
) -> T:
raise_if_kwargs(kwargs)
x, restore_type = ep.astensor_(inputs)
criterion_ = get_criterion(criterion)
del inputs, criterion, kwargs
N = len(x)
if isinstance(criterion_, Misclassification):
classes = criterion_.labels
else:
raise ValueError("unsupported criterion")
if classes.shape != (N,):
raise ValueError(
f"expected labels to have shape ({N},), got {classes.shape}"
)
bounds = model.bounds
def loss_fun(delta: ep.Tensor, logits: ep.Tensor) -> ep.Tensor:
assert x.shape[0] == logits.shape[0]
assert delta.shape == x.shape
x_hat = x + delta
logits_hat = model(x_hat)
loss = ep.kl_div_with_logits(logits, logits_hat).sum()
return loss
value_and_grad = ep.value_and_grad_fn(x, loss_fun, has_aux=False)
clean_logits = model(x)
# start with random vector as search vector
d = ep.normal(x, shape=x.shape, mean=0, stddev=1)
for it in range(self.steps):
# normalize proposal to be unit vector
d = d * self.xi / atleast_kd(ep.norms.l2(flatten(d), axis=-1), x.ndim)
# use gradient of KL divergence as new search vector
_, grad = value_and_grad(d, clean_logits)
d = grad
# rescale search vector
d = (bounds[1] - bounds[0]) * d
if ep.any(ep.norms.l2(flatten(d), axis=-1) < 1e-64):
raise RuntimeError( # pragma: no cover
"Gradient vanished; this can happen if xi is too small."
)
final_delta = epsilon / atleast_kd(ep.norms.l2(flatten(d), axis=-1), d.ndim) * d
x_adv = ep.clip(x + final_delta, *bounds)
return restore_type(x_adv)
def run(
self,
model: Model,
inputs: T,
criterion: Union[Criterion, T],
*,
early_stop: Optional[float] = None,
**kwargs: Any,
) -> T:
raise_if_kwargs(kwargs)
x, restore_type = ep.astensor_(inputs)
del inputs, kwargs
criterion = get_criterion(criterion)
min_, max_ = model.bounds
logits = model(x)
classes = logits.argsort(axis=-1).flip(axis=-1)
if self.candidates is None:
candidates = logits.shape[-1] # pragma: no cover
else:
candidates = min(self.candidates, logits.shape[-1])
if not candidates >= 2:
raise ValueError( # pragma: no cover
f"expected the model output to have atleast 2 classes, got {logits.shape[-1]}"
)
logging.info(f"Only testing the top-{candidates} classes")
classes = classes[:, :candidates]
N = len(x)
rows = range(N)
loss_fun = self._get_loss_fn(model, classes)
loss_aux_and_grad = ep.value_and_grad_fn(x, loss_fun, has_aux=True)
x0 = x
p_total = ep.zeros_like(x)
for _ in range(self.steps):
# let's first get the logits using k = 1 to see if we are done
diffs = [loss_aux_and_grad(x, 1)]
_, (_, logits), _ = diffs[0]
is_adv = criterion(x, logits)
if is_adv.all():
break
# then run all the other k's as well
# we could avoid repeated forward passes and only repeat
# the backward pass, but this cannot currently be done in eagerpy
diffs += [loss_aux_and_grad(x, k) for k in range(2, candidates)]
# we don't need the logits
diffs_ = [(losses, grad) for _, (losses, _), grad in diffs]
losses = ep.stack([l for l, _ in diffs_], axis=1)
grads = ep.stack([g for _, g in diffs_], axis=1)
assert losses.shape == (N, candidates - 1)
assert grads.shape == (N, candidates - 1) + x0.shape[1:]
# calculate the distances
distances = self.get_distances(losses, grads)
assert distances.shape == (N, candidates - 1)
# determine the best directions
best = distances.argmin(axis=1)
distances = distances[rows, best]
losses = losses[rows, best]
grads = grads[rows, best]
assert distances.shape == (N, )
assert losses.shape == (N, )
assert grads.shape == x0.shape
# apply perturbation
distances = distances + 1e-4 # for numerical stability
p_step = self.get_perturbations(distances, grads)
assert p_step.shape == x0.shape
p_total += p_step
# don't do anything for those that are already adversarial
x = ep.where(atleast_kd(is_adv, x.ndim), x,
x0 + (1.0 + self.overshoot) * p_total)
x = ep.clip(x, min_, max_)
return restore_type(x)
def get_perturbations(self, distances: ep.Tensor,
grads: ep.Tensor) -> ep.Tensor:
return atleast_kd(distances, grads.ndim) * grads.sign()
def get_perturbations(self, distances: ep.Tensor,
grads: ep.Tensor) -> ep.Tensor:
return (atleast_kd(
distances / (flatten(grads).norms.l2(axis=-1) + 1e-8),
grads.ndim,
) * grads)
def __call__( # noqa: F811
self,
model: Model,
inputs: T,
criterion: Any,
*,
epsilons: Union[Sequence[Union[float, None]], float, None],
**kwargs: Any,
) -> Union[Tuple[List[T], List[T], T], Tuple[T, T, T]]:
x, restore_type = ep.astensor_(inputs)
del inputs
criterion = get_criterion(criterion)
was_iterable = True
if not isinstance(epsilons, Iterable):
epsilons = [epsilons]
was_iterable = False
N = len(x)
K = len(epsilons)
for i in range(self.times):
# run the attack
xps, xpcs, success = self.attack(
model, x, criterion, epsilons=epsilons, **kwargs
)
assert len(xps) == K
assert len(xpcs) == K
for xp in xps:
assert xp.shape == x.shape
for xpc in xpcs:
assert xpc.shape == x.shape
assert success.shape == (K, N)
if i == 0:
best_xps = xps
best_xpcs = xpcs
best_success = success
continue
# TODO: test if stacking the list to a single tensor and
# getting rid of the loop is faster
for k, epsilon in enumerate(epsilons):
first = best_success[k].logical_not()
assert first.shape == (N,)
if epsilon is None:
# if epsilon is None, we need the minimum
# TODO: maybe cache some of these distances
# and then remove the else part
closer = self.distance(x, xps[k]) < self.distance(x, best_xps[k])
assert closer.shape == (N,)
new_best = ep.logical_and(success[k], ep.logical_or(closer, first))
else:
# for concrete epsilon, we just need a successful one
new_best = ep.logical_and(success[k], first)
new_best = atleast_kd(new_best, x.ndim)
best_xps[k] = ep.where(new_best, xps[k], best_xps[k])
best_xpcs[k] = ep.where(new_best, xpcs[k], best_xpcs[k])
best_success = ep.logical_or(success, best_success)
best_xps_ = [restore_type(xp) for xp in best_xps]
best_xpcs_ = [restore_type(xpc) for xpc in best_xpcs]
if was_iterable:
return best_xps_, best_xpcs_, restore_type(best_success)
else:
assert len(best_xps_) == 1
assert len(best_xpcs_) == 1
return (
best_xps_[0],
best_xpcs_[0],
restore_type(best_success.squeeze(axis=0)),
)