def build_pgd_linf_stadv_att(classifier_net, normalizer):
delta_threat = ap.ThreatModel(
ap.DeltaAddition,
ap.PerturbationParameters(lp_style='inf', lp_bound=L_INF_BOUND))
flow_threat = ap.ThreatModel(
ap.ParameterizedXformAdv,
ap.PerturbationParameters(lp_style='inf',
lp_bound=FLOW_LINF_BOUND,
xform_class=st.FullSpatial,
use_stadv=True))
sequence_threat = ap.ThreatModel(
ap.SequentialPerturbation, [delta_threat, flow_threat],
ap.PerturbationParameters(norm_weights=[0.00, 1.00]))
adv_loss = lf.CWLossF6(classifier_net, normalizer)
st_loss = lf.PerturbationNormLoss(lp=2)
loss_fxn = lf.RegularizedLoss({
'adv': adv_loss,
'st': st_loss
}, {
'adv': 1.0,
'st': 0.05
},
negate=True)
pgd_kwargs = copy.deepcopy(GLOBAL_ATK_KWARGS)
pgd_kwargs['optimizer_kwargs']['lr'] = 0.001
pgd_attack = aa.PGD(classifier_net, normalizer, sequence_threat, loss_fxn)
params = advtrain.AdversarialAttackParameters(
pgd_attack, 1.0, attack_specific_params={'attack_kwargs': pgd_kwargs})
return params
def build_full_attack(classifier_net, normalizer, use_gpu):
# L_inf + flow style attack
delta_threat = ap.ThreatModel(
ap.DeltaAddition,
ap.PerturbationParameters(lp_style='inf',
lp_bound=L_INF_BOUND,
use_gpu=use_gpu))
trans_threat = ap.ThreatModel(
ap.ParameterizedXformAdv,
ap.PerturbationParameters(lp_style=1,
lp_bound=0.05,
xform_class=st.TranslationTransform,
use_gpu=use_gpu))
flow_threat = ap.ThreatModel(
ap.ParameterizedXformAdv,
ap.PerturbationParameters(lp_style='inf',
lp_bound=FLOW_LINF_BOUND,
xform_class=st.FullSpatial,
use_gpu=use_gpu,
use_stadv=True))
rotation_threat = ap.ThreatModel(
ap.ParameterizedXformAdv,
ap.PerturbationParameters(xform_class=st.RotationTransform,
lp_style='inf',
lp_bound=math.pi / 24.,
use_gpu=use_gpu))
sequence_threat = ap.ThreatModel(
ap.SequentialPerturbation,
[delta_threat, flow_threat, trans_threat, rotation_threat],
ap.PerturbationParameters(norm_weights=[0.0, 1.0, 1.0, 1.0]))
pgd_kwargs = copy.deepcopy(GLOBAL_ATK_KWARGS)
pgd_kwargs['optimizer_kwargs']['lr'] = 0.001
adv_loss = lf.CWLossF6(classifier_net, normalizer)
st_loss = lf.PerturbationNormLoss(lp=2)
loss_fxn = lf.RegularizedLoss({
'adv': adv_loss,
'st': st_loss
}, {
'adv': 1.0,
'st': 0.05
},
negate=True)
pgd_attack = aar.PGD(classifier_net,
normalizer,
sequence_threat,
loss_fxn,
use_gpu=use_gpu)
params = advtrain.AdversarialAttackParameters(
pgd_attack, 1.0, attack_specific_params={'attack_kwargs': pgd_kwargs})
return params
def get_pgd(dataset='mnist'):
eps, normalizer = _get_settings(dataset)
delta_threat = ap.ThreatModel(
ap.DeltaAddition,
ap.PerturbationParameters(lp_style='inf',
lp_bound=eps,
manual_gpu=True))
return aa.PGD(classifier_net=None,
normalizer=normalizer,
threat_model=delta_threat,
loss_fxn=None,
manual_gpu=True)
def build_fgsm_attack(classifier_net, normalizer):
delta_threat = ap.ThreatModel(
ap.DeltaAddition,
ap.PerturbationParameters(lp_style='inf', lp_bound=L_INF_BOUND))
attack_loss = plf.VanillaXentropy(classifier_net, normalizer)
fgsm_attack = aa.FGSM(classifier_net, cifar_normer, delta_threat,
attack_loss)
attack_kwargs = {'verbose': GLOBAL_ATK_KWARGS['verbose']}
params = advtrain.AdversarialAttackParameters(
fgsm_attack,
1.0,
attack_specific_params={'attack_kwargs': attack_kwargs})
return params
def get_cw(dataset='mnist'):
eps, normalizer = _get_settings(dataset)
delta_threat = ap.ThreatModel(
ap.DeltaAddition,
ap.PerturbationParameters(lp_style='inf',
lp_bound=eps,
manual_gpu=True))
return aa.CarliniWagner(classifier_net=None,
normalizer=normalizer,
threat_model=delta_threat,
distance_fxn=lf.SoftLInfRegularization,
carlini_loss=lf.CWLossF6,
manual_gpu=True)
def build_pgd_linf_attack(classifier_net, normalizer, use_gpu):
# PREBUILT LOSS FUNCTION
delta_threat = ap.ThreatModel(
ap.DeltaAddition,
ap.PerturbationParameters(lp_style='inf',
lp_bound=L_INF_BOUND,
use_gpu=use_gpu))
attack_loss = plf.VanillaXentropy(classifier_net, normalizer=normalizer)
pgd_attack = aar.PGD(classifier_net, normalizer, delta_threat, attack_loss)
pgd_kwargs = copy.deepcopy(GLOBAL_ATK_KWARGS)
params = advtrain.AdversarialAttackParameters(
pgd_attack, 1.0, attack_specific_params={'attack_kwargs': pgd_kwargs})
return params
def build_delta_fgsm(model,
normalizer,
linf_bound=L_INF_BOUND,
use_gpu=USE_GPU,
verbose=False,
adv_loss='xentropy',
output='attack'):
# Build threat
delta_threat = ap.ThreatModel(
ap.DeltaAddition,
ap.PerturbationParameters(lp_style='inf',
lp_bound=linf_bound,
use_gpu=use_gpu))
# Build loss
assert adv_loss in ['xentropy', 'cw']
if adv_loss == 'xentropy':
attack_loss = plf.VanillaXentropy(model, normalizer)
else:
cw_loss = lf.CWLossF6(model, normalizer)
attack_loss = lf.RegularizedLoss({'adv': cw_loss}, {'adv': 1.0})
# Build attack
fgsm_attack = aar.FGSM(model,
normalizer,
delta_threat,
attack_loss,
use_gpu=use_gpu)
# Return based on output arg
assert output in ['attack', 'params', 'eval']
if output == 'attack':
return fgsm_attack
attack_kwargs = {'verbose': verbose}
params = advtrain.AdversarialAttackParameters(
fgsm_attack,
1.0,
attack_specific_params={'attack_kwargs': attack_kwargs})
if output == 'params':
return params
to_eval = {'top1': 'top1', 'lpips': 'avg_successful_lpips'}
eval_result = adveval.EvaluationResult(params,
model,
normalizer,
to_eval=to_eval,
use_gpu=USE_GPU)
return eval_result
def build_delta_pgd(model, normalizer, linf_bound=L_INF_BOUND, manual_gpu=None,
verbose=False, adv_loss='cw', num_iter=PGD_ITER,
loss_convergence=LOSS_CONVERGENCE, output='attack',
extra_attack_kwargs=None):
# Build threat
delta_threat = ap.ThreatModel(ap.DeltaAddition,
ap.PerturbationParameters(lp_style='inf',
lp_bound=linf_bound,
manual_gpu=manual_gpu))
# Build loss
assert adv_loss in ['xentropy', 'cw']
if adv_loss == 'xentropy':
attack_loss = plf.VanillaXentropy(model, normalizer)
else:
cw_loss = lf.CWLossF6(model, normalizer)
attack_loss = lf.RegularizedLoss({'adv': cw_loss}, {'adv': 1.0},
negate=True)
# Build attack
pgd_attack = aa.PGD(model, normalizer, delta_threat,
attack_loss, manual_gpu=manual_gpu)
# Return based on output arg
assert output in ['attack', 'params', 'eval']
if output == 'attack':
return pgd_attack
extra_attack_kwargs = extra_attack_kwargs or {}
optimizer = optim.Adam
optimizer_kwargs = {'lr': 0.01}
pgd_kwargs = {'num_iterations': num_iter,
'signed': False,
'optimizer': optimizer,
'optimizer_kwargs': optimizer_kwargs,
'verbose': verbose,
'loss_convergence': loss_convergence}
pgd_kwargs.update(extra_attack_kwargs)
params = advtrain.AdversarialAttackParameters(pgd_attack, 1.0,
attack_specific_params={'attack_kwargs': pgd_kwargs})
if output == 'params':
return params
to_eval= {'top1': 'top1',
'lpips': 'avg_successful_lpips'}
eval_result = adveval.EvaluationResult(params,
to_eval=to_eval, manual_gpu=manual_gpu)
return eval_result
def build_rotation_translation_attack(classifier_net, normalizer, use_gpu):
# L_inf + flow style attack
delta_threat = ap.ThreatModel(
ap.DeltaAddition,
ap.PerturbationParameters(lp_style='inf',
lp_bound=L_INF_BOUND,
use_gpu=use_gpu))
trans_threat = ap.ThreatModel(
ap.ParameterizedXformAdv,
ap.PerturbationParameters(lp_style=1,
lp_bound=0.05,
xform_class=st.TranslationTransform,
use_gpu=use_gpu))
rotation_threat = ap.ThreatModel(
ap.ParameterizedXformAdv,
ap.PerturbationParameters(xform_class=st.RotationTransform,
lp_style='inf',
lp_bound=math.pi / 24.,
use_gpu=use_gpu))
sequence_threat = ap.ThreatModel(
ap.SequentialPerturbation,
[delta_threat, trans_threat, rotation_threat])
pgd_kwargs = copy.deepcopy(GLOBAL_ATK_KWARGS)
pgd_kwargs['optimizer_kwargs']['lr'] = 0.001
loss_fxn = plf.VanillaXentropy(classifier_net, normalizer)
pgd_attack = aar.PGD(classifier_net,
normalizer,
sequence_threat,
loss_fxn,
use_gpu=use_gpu)
params = advtrain.AdversarialAttackParameters(
pgd_attack, 1.0, attack_specific_params={'attack_kwargs': pgd_kwargs})
return params
def build_stadv_rot_trans_pgd(model,
normalizer,
flow_bound=FLOW_LINF,
trans_bound=TRANS_LINF,
rot_bound=ROT_LINF,
use_gpu=USE_GPU,
verbose=False,
adv_loss='cw',
num_iter=PGD_ITER,
loss_convergence=LOSS_CONVERGENCE,
output='attack',
extra_attack_kwargs=None):
# Build threat
flow_threat = ap.ThreatModel(
ap.ParameterizedXformAdv,
ap.PerturbationParameters(lp_style='inf',
lp_bound=flow_bound,
xform_class=st.FullSpatial,
use_gpu=use_gpu,
use_stadv=True))
trans_threat = ap.ThreatModel(
ap.ParameterizedXformAdv,
ap.PerturbationParameters(lp_style='inf',
lp_bound=trans_bound,
xform_class=st.TranslationTransform,
use_gpu=use_gpu))
rotation_threat = ap.ThreatModel(
ap.ParameterizedXformAdv,
ap.PerturbationParameters(xform_class=st.RotationTransform,
lp_style='inf',
lp_bound=rot_bound,
use_gpu=use_gpu))
sequence_threat = ap.ThreatModel(
ap.SequentialPerturbation,
[flow_threat, trans_threat, rotation_threat],
ap.PerturbationParameters(norm_weights=[1.00, 1.00, 1.0, 1.0]))
# Build loss
assert adv_loss in ['cw', 'xentropy']
if adv_loss == 'xentropy':
adv_loss_obj = lf.PartialXentropy(model, normalizer=normalizer)
else:
adv_loss_obj = lf.CWLossF6(model, normalizer)
st_loss = lf.PerturbationNormLoss(lp=2)
loss_fxn = lf.RegularizedLoss({
'adv': adv_loss_obj,
'st': st_loss
}, {
'adv': 1.0,
'st': 0.05
},
negate=True)
# Build attack
optimizer = optim.Adam
optimizer_kwargs = {'lr': 0.001}
pgd_attack = aar.PGD(model,
normalizer,
sequence_threat,
loss_fxn,
use_gpu=use_gpu)
assert output in ['attack', 'params', 'eval']
if output == 'attack':
return pgd_attack
pgd_kwargs = {
'num_iterations': num_iter,
'signed': False,
'optimizer': optimizer,
'optimizer_kwargs': optimizer_kwargs,
'verbose': verbose,
'loss_convergence': loss_convergence
}
if extra_attack_kwargs is not None:
pgd_kwargs.update(extra_attack_kwargs)
params = advtrain.AdversarialAttackParameters(
pgd_attack, 1.0, attack_specific_params={'attack_kwargs': pgd_kwargs})
if output == 'params':
return params
to_eval = {'top1': 'top1', 'lpips': 'avg_successful_lpips'}
eval_result = adveval.EvaluationResult(params,
model,
normalizer,
to_eval=to_eval,
use_gpu=use_gpu)
return eval_result
def build_delta_rot_trans_pgd(model,
normalizer,
delta_bound=L_INF_BOUND,
trans_bound=TRANS_LINF,
rot_bound=ROT_LINF,
use_gpu=USE_GPU,
verbose=False,
adv_loss='cw',
num_iter=PGD_ITER,
loss_convergence=LOSS_CONVERGENCE,
output='attack',
extra_attack_kwargs=None):
# Build threat
delta_threat = ap.ThreatModel(
ap.DeltaAddition,
ap.PerturbationParameters(lp_style='inf',
lp_bound=delta_bound,
use_gpu=use_gpu))
trans_threat = ap.ThreatModel(
ap.ParameterizedXformAdv,
ap.PerturbationParameters(lp_style='inf',
lp_bound=trans_bound,
xform_class=st.TranslationTransform,
use_gpu=use_gpu))
rotation_threat = ap.ThreatModel(
ap.ParameterizedXformAdv,
ap.PerturbationParameters(xform_class=st.RotationTransform,
lp_style='inf',
lp_bound=rot_bound,
use_gpu=use_gpu))
sequence_threat = ap.ThreatModel(
ap.SequentialPerturbation,
[delta_threat, trans_threat, rotation_threat])
# Build loss
assert adv_loss in ['xentropy', 'cw']
if adv_loss == 'xentropy':
attack_loss = plf.VanillaXentropy(model, normalizer)
else:
cw_loss = lf.CWLossF6(model, normalizer)
attack_loss = lf.RegularizedLoss({'adv': cw_loss}, {'adv': 1.0},
negate=True)
# Build attack
pgd_attack = aar.PGD(model,
normalizer,
sequence_threat,
attack_loss,
use_gpu=use_gpu)
# Return based on output arg
assert output in ['attack', 'params', 'eval']
if output == 'attack':
return pgd_attack
extra_attack_kwargs = extra_attack_kwargs or {}
optimizer = optim.Adam
optimizer_kwargs = {'lr': 0.01}
pgd_kwargs = {
'num_iterations': num_iter,
'signed': False,
'optimizer': optimizer,
'optimizer_kwargs': optimizer_kwargs,
'verbose': verbose,
'loss_convergence': loss_convergence
}
pgd_kwargs.update(extra_attack_kwargs)
params = advtrain.AdversarialAttackParameters(
pgd_attack, 1.0, attack_specific_params={'attack_kwargs': pgd_kwargs})
if output == 'params':
return params
to_eval = {'top1': 'top1', 'lpips': 'avg_successful_lpips'}
eval_result = adveval.EvaluationResult(params,
model,
normalizer,
to_eval=to_eval,
use_gpu=USE_GPU)
return eval_result
def build_stadv_pgd(model,
normalizer,
linf_bound=FLOW_LINF,
use_gpu=USE_GPU,
verbose=False,
adv_loss='cw',
num_iter=PGD_ITER,
loss_convergence=LOSS_CONVERGENCE,
use_stadv=True,
output='attack',
norm_hyperparam=0.05,
extra_attack_kwargs=None):
# Build threat
flow_threat = ap.ThreatModel(
ap.ParameterizedXformAdv,
ap.PerturbationParameters(lp_style='inf',
lp_bound=linf_bound,
xform_class=st.FullSpatial,
use_gpu=use_gpu,
use_stadv=use_stadv))
# Build loss
assert adv_loss in ['xentropy', 'cw']
if adv_loss == 'xentropy':
adv_loss_obj = lf.PartialXentropy(model, normalizer=normalizer)
else:
adv_loss_obj = lf.CWLossF6(model, normalizer)
st_loss = lf.PerturbationNormLoss(lp=2)
attack_loss = lf.RegularizedLoss({
'adv': adv_loss_obj,
'st': st_loss
}, {
'adv': 1.0,
'st': norm_hyperparam
},
negate=True)
# Build attack
pgd_attack = aar.PGD(model,
normalizer,
flow_threat,
attack_loss,
use_gpu=use_gpu)
# Return based on output arg
assert output in ['attack', 'params', 'eval']
if output == 'attack':
return pgd_attack
extra_attack_kwargs = extra_attack_kwargs or {}
optimizer = optim.Adam
optimizer_kwargs = {'lr': 0.01}
pgd_kwargs = {
'num_iterations': num_iter,
'signed': False,
'optimizer': optimizer,
'optimizer_kwargs': optimizer_kwargs,
'verbose': verbose,
'loss_convergence': loss_convergence
}
pgd_kwargs.update(extra_attack_kwargs)
params = advtrain.AdversarialAttackParameters(
pgd_attack, 1.0, attack_specific_params={'attack_kwargs': pgd_kwargs})
if output == 'params':
return params
to_eval = {'top1': 'top1', 'lpips': 'avg_successful_lpips'}
eval_result = adveval.EvaluationResult(params,
model,
normalizer,
to_eval=to_eval,
use_gpu=USE_GPU)
return eval_result
'lp_bound': [8 / 255, 8 / 255, 8 / 255], # [epsilon_1, epsilon_2, epsilon_3]
'xform_params': {
'resolution_x': 25, # R_1
'resolution_y': 25, # R_2
'resolution_z': 25, # R_3
},
'use_smooth_loss': False,
})
additive_threat = ap.ThreatModel(ap.DeltaAddition, {
'lp_style': 'inf',
'lp_bound': 8 / 255,
})
combined_threat = ap.ThreatModel(
ap.SequentialPerturbation,
[recoloradv_threat, additive_threat],
ap.PerturbationParameters(norm_weights=[1.0, 0.0]),
)
if args.noise_type==0:
noise = combined_threat()
elif args.noise_type==1:
noise = recoloradv_threat()
elif args.noise_type == 2:
noise = additive_threat()
####criterion
criterion = [
TripletLoss(0.5, args.num_instances, False).cuda(),
nn.CrossEntropyLoss().cuda()
def build_delta_stadv_pgd(model, normalizer, delta_bound=L_INF_BOUND,
flow_bound=FLOW_LINF, manual_gpu=None,
verbose=False, adv_loss='cw', num_iter=PGD_ITER,
loss_convergence=LOSS_CONVERGENCE,
output='attack',
extra_attack_kwargs=None):
# Build threat
delta_threat = ap.ThreatModel(ap.DeltaAddition,
ap.PerturbationParameters(lp_style='inf',
lp_bound=delta_bound,
manual_gpu=manual_gpu))
flow_threat = ap.ThreatModel(ap.ParameterizedXformAdv,
ap.PerturbationParameters(lp_style='inf',
lp_bound=flow_bound,
xform_class=st.FullSpatial,
manual_gpu=manual_gpu,
use_stadv=True))
sequence_threat = ap.ThreatModel(ap.SequentialPerturbation,
[delta_threat, flow_threat],
ap.PerturbationParameters(norm_weights=[0.00, 1.00]))
# Build loss
assert adv_loss in ['cw', 'xentropy']
if adv_loss == 'xentropy':
adv_loss_obj = lf.PartialXentropy(model, normalizer=normalizer)
adv_loss_scale = -1.0
else:
adv_loss_obj = lf.CWLossF6(model, normalizer)
adv_loss_scale = 1.0
st_loss = lf.PerturbationNormLoss(lp=2)
loss_fxn = lf.RegularizedLoss({'adv': adv_loss_obj, 'st':st_loss},
{'adv': adv_loss_scale, 'st': 0.05},
negate=True)
# Build attack
optimizer = optim.Adam
optimizer_kwargs = {'lr': 0.001}
pgd_attack = aa.PGD(model, normalizer, sequence_threat, loss_fxn, manual_gpu=manual_gpu)
assert output in ['attack', 'params', 'eval']
if output == 'attack':
return pgd_attack
pgd_kwargs = {'num_iterations': num_iter,
'signed': False,
'optimizer': optimizer,
'optimizer_kwargs': optimizer_kwargs,
'verbose': verbose,
'loss_convergence': loss_convergence}
if extra_attack_kwargs is not None:
pgd_kwargs.update(extra_attack_kwargs)
params = advtrain.AdversarialAttackParameters(pgd_attack, 1.0,
attack_specific_params={'attack_kwargs': pgd_kwargs})
if output == 'params':
return params
to_eval= {'top1': 'top1',
'lpips': 'avg_successful_lpips'}
eval_result = adveval.EvaluationResult(params,
to_eval=to_eval, manual_gpu=manual_gpu)
return eval_result
