def attack(img, label, net, target=None, pixels=1, maxiter=75, popsize=400, verbose=False): # img: 1*3*W*H tensor # label: a number targeted_attack = target is not None target_calss = target if targeted_attack else label bounds = [(0,28), (0,28), (0,255)] * pixels popmul = max(1, popsize//len(bounds)) predict_fn = lambda xs: predict_classes( xs, img, target_calss, net, target is None) callback_fn = lambda x, convergence: attack_success( x, img, target_calss, net, targeted_attack, verbose) inits = np.zeros([popmul*len(bounds), len(bounds)]) for init in inits: for i in range(pixels): init[i*3+0] = np.random.random()*28 init[i*3+1] = np.random.random()*28 init[i*3+2] = np.random.normal(128,127) attack_result = differential_evolution(predict_fn, bounds, maxiter=maxiter, popsize=popmul, recombination=1, atol=-1, callback=callback_fn, polish=False, init=inits) attack_image = perturb_image(attack_result.x, img) attack_var = attack_image.cuda() predicted_probs = F.softmax(net(attack_var), dim=1).data.cpu().numpy()[0] predicted_class = np.argmax(predicted_probs) if (not targeted_attack and predicted_class != label) or (targeted_attack and predicted_class == target_calss): return 1, attack_result.x.astype(int), attack_image, predicted_class return 0, [None], None, None
def attack(self, img, model, target=None, pixel_count=1, maxiter=75, popsize=400, verbose=False, plot=False): # Change the target class based on whether this is a targeted attack or not targeted_attack = target is not None target_class = target if targeted_attack else self.y_test[img, 0] # print("----------------------------------------------------",self.y_test[img,0]) # print("++++++++++++++++++++++++++++++++++++++++++++++++++++",target_class) # Define bounds for a flat vector of x,y,r,g,b values # For more pixels, repeat this layout dim_x, dim_y = self.dimensions # bounds = [(0,dim_x), (0,dim_y), (0,256), (0,256), (0,256)] * pixel_count bounds = [(0, dim_x), (0, dim_y), (0, 256)] * pixel_count # Population multiplier, in terms of the size of the perturbation vector x popmul = max(1, popsize // len(bounds)) # Format the predict/callback functions for the differential evolution algorithm predict_fn = lambda xs: self.predict_classes( xs, self.x_test[img], target_class, model, target is None) # print(predict_fn) callback_fn = lambda x, convergence: self.attack_success( x, self.x_test[img], target_class, model, targeted_attack, verbose) # print(callback_fn) #print('模型的输入:',predict_fn,'类型为:',predict_fn.type) # Call Scipy's Implementation of Differential Evolution attack_result = differential_evolution( predict_fn, bounds, maxiter=maxiter, popsize=popmul, recombination=1, atol=-1, callback=callback_fn, polish=False) # Calculate some useful statistics to return from this function attack_image = helper.perturb_image(attack_result.x, self.x_test[img])[0] #print('***********************************************') #print('attack_image',attack_image) temp_list = attack_image.tolist() #print('***********************************************') # Calculate the L2 norm to represent the revise size L2_img = attack_image - self.x_test[img] L2_img = np.array(L2_img) L2_img = L2_img.reshape(784) # print(L2_img) L2_norm = np.sqrt(np.sum(np.square(L2_img))) prior_probs = model.predict(np.array([self.x_test[img]]))[0] # print('-----------------------_test1', prior_probs) predicted_probs = model.predict(np.array([attack_image]))[0] # print('-----------------------_test2', predicted_probs) predicted_class = np.argmax(predicted_probs) actual_class = self.y_test[img, 0] success = predicted_class != actual_class cdiff = prior_probs[actual_class] - predicted_probs[actual_class] # Show the best attempt at a solution (successful or not) if plot: helper.plot_image(attack_image, actual_class, self.class_names, predicted_class) return [model.name, pixel_count, img, actual_class, predicted_class, success, cdiff, prior_probs, predicted_probs, attack_result.x, L2_norm,]
def attack_fix_scale(input_data, ground_truth_label, target=None, verbose=False, pixel_count=1, maxiter=5, popsize=10, seed=17): # Change the target class based on whether this is a targeted attack or not data = input_data.copy() targeted_attack = target is not None target_class = target if targeted_attack else ground_truth_label # Define bounds for a flat vector of x,y,r,g,b values # For more pixels, repeat this layout bounds = [(0, int(16000 / batch_size))] * pixel_count # Population multiplier, in terms of the size of the perturbation vector x popmul = max(1, popsize // len(bounds)) # Format the predict/callback functions for the differential evolution algorithm predict_fn = lambda xs: predict_classes(xs, data, target_class) # Call Scipy's Implementation of Differential Evolution attack_result = differential_evolution(predict_fn, bounds, maxiter=maxiter, recombination=1, atol=-1, popsize=popsize, polish=False, seed=seed) return attack_result.x
def attack(self,img, label, net, target=None, pixels=1, maxiter=75, popsize=400, verbose=False): # img: 1*3*W*H tensor # label: a number targeted_attack = target is not None target_calss = target if targeted_attack else label image_size = 227 img_numpy = img.numpy()[0,:,:,:] img_numpy = np.reshape(img_numpy, (image_size, image_size, 3)) print(type(img_numpy),"<-------------- type ",img_numpy.shape) objs = self.roi.get_roi(img_numpy,w=8, threshold=.5) print(objs[0][1].start, objs[0][0].start, objs[0][1].stop, objs[0][0].stop) if self.img_ch==3: #bounds = [(0,image_size), (0,image_size), (0,255), (0,255), (0,255)] * pixels bounds = [(objs[0][1].start,objs[0][1].stop), (objs[0][0].start,objs[0][0].stop), (0,255), (0,255), (0,255)] * pixels elif self.img_ch==1: #bounds = [(0,image_size), (0,image_size), (0,1)] * pixels bounds = [(objs[0][1].start,objs[0][1].stop), (objs[0][0].start,objs[0][0].stop), (0,1)] * pixels popmul = max(1, popsize/len(bounds)) predict_fn = lambda xs: self.predict_classes( xs, img, target_calss, net, target is None) callback_fn = lambda x, convergence: self.attack_success( x, img, target_calss, net, targeted_attack, verbose) # print("type.popmul", type(popmul)) inits = np.zeros([int(popmul*len(bounds)), len(bounds)]) for init in inits: for i in range(pixels): if self.img_ch == 3: init[i*5+0] = np.random.random()*image_size init[i*5+1] = np.random.random()*image_size init[i*5+2] = np.random.normal(128,127) init[i*5+3] = np.random.normal(128,127) init[i*5+4] = np.random.normal(128,127) elif self.img_ch==1: init[i*3+0] = np.random.random()*image_size init[i*3+1] = np.random.random()*image_size init[i*3+2] = np.random.normal(-1,1) attack_result = differential_evolution(predict_fn, bounds, maxiter=maxiter, popsize=popmul, recombination=1, atol=-1, callback=callback_fn, polish=False, init=inits) attack_image = self.perturb_image(attack_result.x, img) #attack_var = Variable(attack_image, volatile=True).cuda() attack_var = Variable(attack_image, volatile=True).to(self.device) predicted_probs = F.softmax(net(attack_var)).data.cpu().numpy()[0] predicted_class = np.argmax(predicted_probs) if (not targeted_attack and predicted_class != label) or (targeted_attack and predicted_class == target_calss): return 1, attack_result.x.astype(int),attack_var return 0, [None], attack_var
def attack(img, label, net, target=None, pixels=1, maxiter=75, popsize=400, verbose=False): ''' - img: 1*3*W*H tensor - label: a number ''' targeted_attack = target is not None target_class = target if targeted_attack else label # TODO - bounds are explicitly hardcoded to CIFAR10 images bounds = [(0, 32), (0, 32), (0, 255), (0, 255), (0, 255)] * pixels popmul = max(1, popsize // len(bounds)) predict_fn = lambda xs: predict_classes(xs, img, target_class, net, target is None) callback_fn = lambda x, convergence: attack_success( x, img, target_class, net, targeted_attack, verbose) inits = np.zeros([popmul * len(bounds), len(bounds)]) for init in inits: for i in range(pixels): init[i * 5 + 0] = np.random.random() * 32 init[i * 5 + 1] = np.random.random() * 32 init[i * 5 + 2] = np.random.normal(128, 127) init[i * 5 + 3] = np.random.normal(128, 127) init[i * 5 + 4] = np.random.normal(128, 127) attack_result = differential_evolution(predict_fn, bounds, maxiter=maxiter, popsize=popmul, recombination=1, atol=-1, callback=callback_fn, polish=False, init=inits) attack_image = perturb_image(attack_result.x, img) # TODO - Variable is deprecated, use torch.from_numpy; by default, # `requires_grad` is False. attack_var = Variable(attack_image, volatile=True).cuda() if use_cuda \ else Variable(attack_image, volatile=True) predicted_probs = F.softmax(net(attack_var)).data.cpu().numpy()[0] predicted_class = np.argmax(predicted_probs) if (not targeted_attack and predicted_class != label) or \ (targeted_attack and predicted_class == target_class): return 1, attack_result.x.astype(int) return 0, [None]
def attack(self, img, model, target=None, pixel_count=1, maxiter=75, popsize=400, verbose=False, plot=False, preprocessing_cb=None): """ @img: index to the image you want to attack @model: the model to attack @target: the index to the target you want to aim for @pixel_count: how many pixels to have in your attack @maxiter: maximum number of iterations on optimization @popsize: size of the population to use at each iteration of the optimization @verbose: boolean, controls printing @plot: boolean, whether to plot the final results """ # Change the target class based on whether this is a targeted attack or not targeted_attack = target is not None target_class = target if targeted_attack else self.y_test[img, 0] # Define bounds for a flat vector of x,y,r,g,b values # For more pixels, repeat this layout dim_x, dim_y = self.dimensions bounds = [(0,dim_x), (0,dim_y), (0, 255), (0, 255), (0., 255)] * pixel_count # Population multiplier, in terms of the size of the perturbation vector x popmul = max(1, popsize // len(bounds)) # Format the predict/callback functions for the differential evolution algorithm predict_fn = lambda xs: self.predict_classes( xs, self.x_test[img], target_class, model, target is None, preprocessing_cb=preprocessing_cb) callback_fn = lambda x, convergence: self.attack_success( x, self.x_test[img], target_class, model, targeted_attack, verbose, preprocessing_cb=preprocessing_cb) # Call Scipy's Implementation of Differential Evolution attack_result = differential_evolution( predict_fn, bounds, maxiter=maxiter, popsize=popmul, recombination=1, atol=-1, callback=callback_fn, polish=False) # Calculate some useful statistics to return from this function attack_image = helper.perturb_image(attack_result.x, self.x_test[img].copy())[0] if preprocessing_cb is not None: original_img = preprocessing_cb(self.x_test[img].copy()) attack_image = preprocessing_cb(attack_image.copy()) else: original_img = self.x_test[img].copy() prior_probs = model.predict(np.array([original_img]))[0] predicted_probs = model.predict(np.array([attack_image]))[0] predicted_class = np.argmax(predicted_probs) actual_class = self.y_test[img, 0] success = predicted_class != actual_class cdiff = prior_probs[actual_class] - predicted_probs[actual_class] # Show the best attempt at a solution (successful or not) if plot: helper.plot_image(attack_image, actual_class, self.class_names, predicted_class) return [model.name, pixel_count, img, actual_class, predicted_class, success, cdiff, prior_probs, predicted_probs, attack_result.x]
def de_testeiteracoes(n): global DADOS_EXECUCAO global ITERACOES DADOS_EXECUCAO = [] ITERACOES = 0 return differential_evolution(rastrigin, [(-5.12, 5.12)] * n, maxiter=10000, tol=-inf, popsize=20, recombination=0.5)
def attack(img, label, net, target=None, pixels=1, maxiter=75, popsize=400, verbose=False): # img: 1*3*W*H tensor # label: a number targeted_attack = target is not None target_calss = target if targeted_attack else label image_size = 32 # bounds = [(0,28), (0,28), (0,255), (0,255), (0,255)] * pixels bounds = [(0, 28), (0, 28), (0, 1)] * pixels popmul = max(1, popsize / len(bounds)) predict_fn = lambda xs: predict_classes(xs, img, target_calss, net, target is None) callback_fn = lambda x, convergence: attack_success( x, img, target_calss, net, targeted_attack, verbose) # print("type.popmul", type(popmul)) inits = np.zeros([int(popmul * len(bounds)), len(bounds)]) # 400x5,400个种子,每个种子的维度是5,就是改变5个地方? for init in inits: for i in range(pixels): init[i * 3 + 0] = np.random.random() * 28 #[0, 31] init[i * 3 + 1] = np.random.random() * 28 init[i * 3 + 2] = np.random.normal(-1, 1) #[-127, 127] # init[i*5+3] = np.random.normal(128,127) # init[i*5+4] = np.random.normal(128,127) attack_result = differential_evolution(predict_fn, bounds, maxiter=maxiter, popsize=popmul, recombination=1, atol=-1, callback=callback_fn, polish=False, init=inits) attack_image = perturb_image(attack_result.x, img) attack_var = Variable(attack_image, volatile=True).cuda() predicted_probs = F.softmax(net(attack_var)).data.cpu().numpy()[0] predicted_class = np.argmax(predicted_probs) if (not targeted_attack and predicted_class != label) or ( targeted_attack and predicted_class == target_calss): return 1, attack_result.x.astype(int) return 0, [None]
def attack(self, img, model, pixel_count=1, maxiter=125, popsize=400, plot=False): # Change the target class based on whether this is a targeted attack or not target_class = self.y_test[img, 0] # Define bounds for a flat vector of x,y,r,g,b values # For more pixels, repeat this layout dim_x, dim_y = self.dimensions bounds = [(0, dim_x), (0, dim_y), (0, 256), (0, 256), (0, 256)] * pixel_count # Population multiplier, in terms of the size of the perturbation vector x popmul = max(1, popsize // len(bounds)) # Format the predict/callback functions for the differential evolution algorithm predict_fn = lambda xs: model.predict( perturb_image(xs, self.x_test[img]))[0] callback_fn = lambda x, convergence: self.attack_success( x, self.x_test[img], target_class, model) # Call Scipy's Implementation of Differential Evolution attack_result = differential_evolution(predict_fn, bounds, maxiter=maxiter, popsize=popmul, recombination=1, atol=-1, callback=callback_fn, polish=False) # Calculate some useful statistics to return from this function attack_image = helper.perturb_image(attack_result.x, self.x_test[img])[0] prior_probs = model.predict(np.array([self.x_test[img]]))[0] predicted_probs = model.predict(np.array([attack_image]))[0] predicted_class = np.argmax(predicted_probs) actual_class = self.y_test[img, 0] success = predicted_class != actual_class cdiff = prior_probs[actual_class] - predicted_probs[actual_class] # Show the best attempt at a solution (successful or not) if plot: helper.plot_image(attack_image, actual_class, self.class_names, predicted_class) return [ model.name, pixel_count, img, actual_class, predicted_class, success, cdiff, prior_probs, predicted_probs, attack_result.x ]
def attack(img, target=None, pixel_count=1, maxiter=75, popsize=400, verbose=False): # Change the target class based on whether this is a targeted attack or not targeted_attack = target is not None target_class = target if targeted_attack else y_test[img] # Define bounds for a flat vector of x,y,r,g,b values # For more pixels, repeat this layout bounds = [(88, 255), (0, 255), (0, 255)] * pixel_count # Population multiplier, in terms of the size of the perturbation vector x popmul = max(1, popsize // len(bounds)) # Format the predict/callback functions for the differential evolution algorithm predict_fn = lambda xs: predict_classes(xs, X_test[img], target_class, target is None) callback_fn = lambda x, convergence: attack_success( x, img, target_class, targeted_attack, verbose) # Call Scipy's Implementation of Differential Evolution attack_result = differential_evolution(predict_fn, bounds, maxiter=maxiter, popsize=popmul, recombination=1, atol=-1, callback=callback_fn, polish=False) # Calculate some useful statistics to return from this function attack_image = perturb_image(attack_result.x, X_test[img]) # prior_probs = y_prob.eval(feed_dict={x: X_test[img].reshape([1,256,256,1])})[0] # predicted_probs = y_prob.eval(feed_dict={x: attack_image})[0] prior_probs = get_y_prob(X_test[img])[0] predicted_probs = get_y_prob(attack_image)[0] predicted_class = np.argmax(predicted_probs) actual_class = y_test[img] success = predicted_class != actual_class cdiff = prior_probs[actual_class] - predicted_probs[actual_class] # Show the best attempt at a solution (successful or not) plot_image(attack_image, actual_class, class_names, predicted_class) return [ attack_image, pixel_count, img, actual_class, predicted_class, success, cdiff, prior_probs, predicted_probs, attack_result.x ]
def attack(img, label, net, target=None, pixels=1, maxiter=75, popsize=400, verbose=False): # img: 1*3*W*H tensor # label: a number global use_cuda targeted_attack = target is not None target_calss = target if targeted_attack else label bounds = [(0, 32), (0, 32), (0, 255), (0, 255), (0, 255)] * pixels popmul = max(1, int(popsize / len(bounds))) predict_fn = lambda xs: predict_classes(xs, img, target_calss, net, target is None) callback_fn = lambda x, convergence: attack_success( x, img, target_calss, net, targeted_attack, verbose) inits = np.zeros([popmul * len(bounds), len(bounds)]) for init in inits: for i in range(pixels): init[i * 5 + 0] = np.random.random() * 32 init[i * 5 + 1] = np.random.random() * 32 init[i * 5 + 2] = np.random.normal(128, 127) init[i * 5 + 3] = np.random.normal(128, 127) init[i * 5 + 4] = np.random.normal(128, 127) attack_result = differential_evolution(predict_fn, bounds, maxiter=maxiter, popsize=popmul, recombination=1, atol=-1, callback=callback_fn, polish=False, init=inits) attack_image = perturb_image(attack_result.x, img) attack_var = Variable(attack_image, volatile=True) if use_cuda: attack_var = attack_var.cuda() predicted_class = np.argmax(net(attack_var).data.cpu().numpy()[0]) return attack_image, predicted_class
def attack(self, image, actual_class, target, pixel_count, dimensions, maxiter=75, popsize=400, verbose=False): # Change the target class based on whether this is a targeted attack or not targeted_attack = target is not None target_class = target if targeted_attack else actual_class # Define bounds for a flat vector of x,y,r,g,b values # For more pixels, repeat this layout dim_x, dim_y = dimensions bounds = [(0, dim_x), (0, dim_y), (0, 256), (0, 256), (0, 256)] * pixel_count # Population multiplier, in terms of the size of the perturbation vector x popmul = max(1, popsize // len(bounds)) # Format the predict/callback functions for the differential evolution algorithm def predict_fn(xs): return self.predict_classes(xs, image, target_class, target is None) def callback_fn(x, convergence): return self.attack_success(x, image, target_class, targeted_attack, verbose) # Call Scipy's Implementation of Differential Evolution attack_result = differential_evolution(predict_fn, bounds, maxiter=maxiter, popsize=popmul, recombination=1, atol=-1, callback=callback_fn, polish=False) # Calculate some useful statistics to return from this function attack_image = perturb_image(attack_result.x, image)[0] predicted_probs = self.model.predict(np.array([attack_image]))[0] return attack_image
def attack(self, img, model, label, pixel_count=1, maxiter=75, popsize=400): # Define bounds for a flat vector of x,y,r,g,b values dim_x, dim_y, channels = self.dimensions if channels == 3: bounds = [(0, dim_x), (0, dim_y), (0, 256), (0, 256), (0, 256)] * pixel_count else: bounds = [(0, dim_x), (0, dim_y), (0, 256)] * pixel_count # Population multiplier, in terms of the size of the perturbation vector x popmul = max(1, popsize // len(bounds)) # Format the predict/callback functions for the differential evolution algorithm predict_fn = lambda xs: self.predict_classes(xs, img, label, model) callback_fn = lambda x, convergence: self.attack_success( x, img, label, model) # Call Scipy's Implementation of Differential Evolution attack_result = differential_evolution(predict_fn, bounds, maxiter=maxiter, popsize=popmul, recombination=1, atol=-1, callback=callback_fn, polish=False) # Calculate some useful statistics to return from this function attack_image = self.perturb_image(attack_result.x, img)[0] prior_probs = model.predict(np.expand_dims(img, axis=0))[0] predicted_probs = model.predict(np.expand_dims(attack_image, axis=0))[0] predicted_class = np.argmax(predicted_probs) success = predicted_class != label cdiff = prior_probs[label] - predicted_probs[label] return [predicted_class, attack_image]
def attack(self, img, model, target=None, pixel_count=1, maxiter=75, popsize=400, verbose=False, plot=False): # Change the target class based on whether this is a targeted attack or not targeted_attack = target is not None target_class = target if targeted_attack else self.y_test[img,0] # Define bounds for a flat vector of x,y,r,g,b values # For more pixels, repeat this layout dim_x, dim_y = self.dimensions bounds = [(0,dim_x), (0,dim_y), (0,256), (0,256), (0,256)] * pixel_count # Population multiplier, in terms of the size of the perturbation vector x popmul = max(1, popsize // len(bounds)) # Format the predict/callback functions for the differential evolution algorithm predict_fn = lambda xs: self.predict_classes( xs, self.x_test[img], target_class, model, target is None) callback_fn = lambda x, convergence: self.attack_success( x, self.x_test[img], target_class, model, targeted_attack, verbose) # Call Scipy's Implementation of Differential Evolution attack_result = differential_evolution( predict_fn, bounds, maxiter=maxiter, popsize=popmul, recombination=1, atol=-1, callback=callback_fn, polish=False) # Calculate some useful statistics to return from this function attack_image = helper.perturb_image(attack_result.x, self.x_test[img])[0] prior_probs = model.predict(np.array([self.x_test[img]]))[0] predicted_probs = model.predict(np.array([attack_image]))[0] predicted_class = np.argmax(predicted_probs) actual_class = self.y_test[img,0] success = predicted_class != actual_class cdiff = prior_probs[actual_class] - predicted_probs[actual_class] # Show the best attempt at a solution (successful or not) if plot: helper.plot_image(attack_image, actual_class, self.class_names, predicted_class) return [model.name, pixel_count, img, actual_class, predicted_class, success, cdiff, prior_probs, predicted_probs, attack_result.x]
def attack(self, i, pixel_count=1, maxiter=75, popsize=400, verbose=False): # define bounds for a flat vector, delta has format [index, value] # ensure the validity of the pixel bounds = [(0, num_input), (-0.1, 0.1)] * pixel_count # population multipliers popmul = max(1, popsize // len(bounds)) # objective function to be minimized predict_fn = lambda deltas: -self.objective(deltas, i)[0] # early stop callback_fn = lambda delta, convergence: self.attack_success(delta, i, verbose) # con = lambda deltas: 0.1 - self.objective(deltas, i)[1] # call differential evolution # cons = {'type': 'ineq', "fun": con} # evaluation attack_result = differential_evolution(predict_fn, bounds, strategy='best1bin', maxiter=maxiter, popsize=popmul, recombination=1, callback=callback_fn, polish=False, atol=1) new_measurement = helper.perturb_meas(attack_result.x, self.measurement[i]) # x_hat estimated_state = self.model.model.predict(np.reshape(self.measurement[i], (-1, num_input))) # x_tilda_hat new_estimated_state = self.model.model.predict(np.reshape(new_measurement, (-1, num_input))) # print(new_estimated_state.shape) # z_tilda_hat # print(new_estimated_measurement.shape) # print(self.measurement[i].shape) # print(new_estimated_state) # print(estimated_state) # state_diff = np.sqrt(np.sum(np.square(new_estimated_state - estimated_state), axis=1)) # print(state_diff.shape) new_estimated_measurement = self.bus.estimated_np(new_estimated_state) meas_diff = np.sqrt(np.sum(np.square(new_estimated_measurement - new_measurement), axis=1)) restore_meas_diff = np.sqrt(np.sum(np.square(restore_meas(new_estimated_measurement) - restore_meas(new_measurement)), axis=1)) restore_state_diff_mag = np.sum(np.abs(restore_state(new_estimated_state)[:, :num_bus] - restore_state(estimated_state)[:, :num_bus])) restore_state_diff_ang = np.sum(np.abs(restore_state(new_estimated_state)[:, num_bus:] - restore_state(estimated_state)[:, num_bus:])) * 180 / pi i = int(attack_result.x[0]) min_ = min_meas_np[i] max_ = max_meas_np[i] restore_injection = (attack_result.x[1])/2 * (max_ - min_) # print(new_measurement * (max_-min_) + min_) # print(new_estimated_measurement) # print(self.measurement[i] * (max_-min_) + min_) # success = (restore_state_diff_ang > 5) # if verbose: # # print("original measurement", self.measurement) # # print("new measurement", new_measurement) # print("attack vector", attack_result.x) # # print("original state", estimated_state) # # print("after attack", new_estimated_state) # print("state distortion", state_diff) # return [int(attack_result.x[0]), attack_result.x[1]] return [pixel_count, i, restore_state_diff_mag, restore_state_diff_ang, meas_diff[0], restore_meas_diff[0], int(attack_result.x[0]), attack_result.x[1], restore_injection]
def generate(self, images, labels): """Generate adversarial images """ preds = np.argmax(to_np(self.model(to_var(images))), axis=1) images = denormalize(images, self.args.dataset) * 255 #self.n_pix = int(images.size(2)*images.size(3)*self.args.gamma) bounds = [(0, images[0].size(1) - 1), (0, images[0].size(2) - 1), (0, 255), (0, 255), (0, 255)] * self.n_pix adv_images = [] adv_labels = [] for i in range(len(images)): self.image = images[i] self.label = int(preds[i]) if self.target is not None: self.label = self.target self.convergence = False if self.init == 'normal': x_loc = np.random.uniform(0, images[0].size(1), self.n_pix * self.popsize) y_loc = np.random.uniform(0, images[0].size(2), self.n_pix * self.popsize) val = np.array( np.split( np.random.normal(128, 127, self.n_pix * self.popsize * 3), 3)) init = np.array( np.split(np.vstack((x_loc, y_loc, val)), self.n_pix, axis=1)) init = np.transpose(init.reshape(-1, self.popsize)) else: init = self.init self.step = 0 if self.args.domain_restrict: self.mapping = self.create_map(self.args.gamma, self.kwargs.get('artifact')) else: self.mapping = lambda x, y: (x, y) result = differential_evolution(self.optimize, bounds, init=init, strategy=self.strategy, maxiter=self.max_iter, popsize=self.popsize, seed=self.args.seed, callback=self.callback, mutation=0.5, recombination=1, polish=False, tol=0, atol=-1) adv_image = self.perturb(result.x).squeeze(0) adv_images.append(adv_image) adv_labels.append(self.label) self.step_meter.update(self.step - 1) #print("Average step per iter: {}".format(self.step_meter.avg)) return torch.stack(adv_images), torch.LongTensor( adv_labels) #, torch.FloatTensor(steps)
def single_pixel_attack(images, labels, class_names, img_id, model, target=None, pixel_count=1, maxiter=75, popsize=400, verbose=False, plot=False, dimensions=(32, 32)): # Change the target class based on whether this is a targeted attack or not targeted_attack = target is not None target_class = target if targeted_attack else labels[img_id, 0] ack = PixelAttacker([model], (images, labels), class_names) # Define bounds for a flat vector of x,y,r,g,b values # For more pixels, repeat this layout dim_x, dim_y = dimensions bounds = [(0, dim_x), (0, dim_y), (0, 256), (0, 256), (0, 256)] * pixel_count # Population multiplier, in terms of the size of the perturbation vector x popmul = max(1, popsize // len(bounds)) # Format the predict/callback functions for the differential evolution algorithm def predict_fn(xs): return ack.predict_classes(xs, images[img_id], target_class, model, target is None) def callback_fn(x, convergence): return ack.attack_success(x, images[img_id], target_class, model, targeted_attack, verbose) # Call Scipy's Implementation of Differential Evolution attack_result = differential_evolution(predict_fn, bounds, maxiter=maxiter, popsize=popmul, recombination=1, atol=-1, callback=callback_fn, polish=False) # Calculate some useful statistics to return from this function attack_image = helper.perturb_image(attack_result.x, images[img_id])[0] prior_probs = model.predict(np.array([images[img_id]]))[0] predicted_probs = model.predict(np.array([attack_image]))[0] predicted_class = np.argmax(predicted_probs) actual_class = labels[img_id, 0] success = predicted_class != actual_class cdiff = prior_probs[actual_class] - predicted_probs[actual_class] # Show the best attempt at a solution (successful or not) if plot: helper.plot_image(attack_image, actual_class, class_names, predicted_class) return [ attack_image, model.name, pixel_count, img_id, actual_class, predicted_class, success, cdiff, prior_probs, predicted_probs, attack_result.x ]
def de_testeiteracoes(n): global DADOS_EXECUCAO global ITERACOES DADOS_EXECUCAO = [] ITERACOES = 0 return differential_evolution(rastrigin, [(-5.12, 5.12)]*n, maxiter=10000, tol=-inf, popsize=20, recombination=0.5)