def fast_adversarial_DDN(model_name): #Saves the minimum epsilon value for successfully attacking each image via PGD based attack as an npy file in the folder corresponding to model_name #No Restarts #Done for a single batch only since batch size is supposed to be set to 1000 (first 1000 images) print (model_name) print(device) test_batches = Batches(test_set, batch_size, shuffle=False, num_workers=2, gpu_id = torch.cuda.current_device()) model = PreActResNet18().to(device) for m in model.children(): if not isinstance(m, nn.BatchNorm2d): m.float() model.load_state_dict(torch.load(model_name+".pt", map_location = device)) model.eval() for i,batch in enumerate(test_batches): x,y = batch['input'].float(), batch['target'] restarts = 1 min_norm = np.zeros((restarts, batch_size)) for i in range(restarts): try: attacker = DDN(steps=100, device=device) adv = attacker.attack(model, x, labels=y, targeted=False) except: attacker = DDN(steps=100, device=device) adv = attacker.attack(model, x, labels=y, targeted=False) delta = (adv - x) norm = norms(delta).squeeze(1).squeeze(1).squeeze(1).cpu().numpy() min_norm[i] = norm min_norm = min_norm.min(axis = 0) np.save(model_name + "/" + "DDN" + ".npy" ,min_norm) break
def fast_adversarial_DDN(model_name): #Saves the minimum epsilon value for successfully attacking each image via PGD based attack as an npy file in the folder corresponding to model_name #No Restarts #Done for a single batch only since batch size is supposed to be set to 1000 (first 1000 images) print(model_name) test_batches = DataLoader(mnist_test, batch_size=batch_size, shuffle=False) print(device) try: model_test = net().to(device) model_address = model_name + ".pt" model_test.load_state_dict( torch.load(model_address, map_location=device)) except: model_test = Model_Torch().to(device) model_address = model_name + ".pt" model_test.load_state_dict( torch.load(model_address, map_location=device)) model_test.eval() restarts = 1 for i, batch in enumerate(test_batches): x, y = batch[0].to(device), batch[1].to(device) min_norm = np.zeros((restarts, batch_size)) try: attacker = DDN(steps=100, device=device) adv = attacker.attack(model_test, x, labels=y, targeted=False) except: attacker = DDN(steps=100, device=device) adv = attacker.attack(model_test, x, labels=y, targeted=False) delta = (adv - x) norm = norms(delta).squeeze(1).squeeze(1).squeeze(1).cpu().numpy() min_norm[0] = norm min_norm = min_norm.min(axis=0) np.save(model_name + "/" + "DDN" + ".npy", min_norm) # ipdb.set_trace() print(min_norm[min_norm > 2.0].shape[0] / 1000) break
model = torch.nn.DataParallel(model) optimizer = SGD(model.parameters(), lr=args.lr, momentum=args.momentum, weight_decay=args.weight_decay) if args.adv == 0: scheduler = lr_scheduler.StepLR(optimizer, step_size=args.lr_step, gamma=args.lr_decay) else: scheduler = lr_scheduler.MultiStepLR(optimizer, milestones=[60, 120, 160], gamma=0.2) attacker = DDN(steps=args.steps, device=DEVICE) max_loss = torch.log(torch.tensor(10.)).item() # for callback best_acc = 0 best_epoch = 0 for epoch in range(args.epochs): scheduler.step() cudnn.benchmark = True model.train() requires_grad_(m, True) accs = AverageMeter() losses = AverageMeter() attack_norms = AverageMeter()
def main(): global args args = parser.parse_args() print(args) if not os.path.exists(args.save_folder): os.mkdir(args.save_folder) device = torch.device('cuda' if torch.cuda.is_available() else 'cpu') image_mean = torch.tensor([0.4802, 0.4481, 0.3975]).view(1, 3, 1, 1) image_std = torch.tensor([0.2770, 0.2691, 0.2821]).view(1, 3, 1, 1) # create model if args.pretrained: print("=> using pre-trained model '{}'".format(args.arch)) m = models.__dict__[args.arch](pretrained=True) else: print("=> creating model '{}'".format(args.arch)) m = models.__dict__[args.arch]() model = utils.NormalizedModel(m, image_mean, image_std) model.to(device) if torch.cuda.device_count() > 1: model = torch.nn.DataParallel(model) # define loss function (criterion) and optimizer criterion = nn.CrossEntropyLoss() optimizer = torch.optim.SGD(model.parameters(), args.lr, momentum=args.momentum, weight_decay=args.weight_decay) scheduler = torch.optim.lr_scheduler.StepLR(optimizer, args.lr_step, gamma=0.1) # optionally resume from a checkpoint if args.resume: if os.path.isfile(args.resume): print("=> loading checkpoint '{}'".format(args.resume)) checkpoint = torch.load(args.resume) args.start_epoch = checkpoint['epoch'] prec1 = checkpoint['prec1'] model.load_state_dict(checkpoint['state_dict']) optimizer.load_state_dict(checkpoint['optimizer']) scheduler.last_epoch = checkpoint['epoch'] - 1 print("=> loaded checkpoint '{}' (epoch {})".format( args.resume, checkpoint['epoch'])) else: print("=> no checkpoint found at '{}'".format(args.resume)) # Data loading code train_transform = transforms.Compose([ transforms.RandomHorizontalFlip(), transforms.RandomGrayscale(p=0.05), transforms.RandomAffine(0, translate=(0.1, 0.1)), transforms.ToTensor() ]) test_transform = transforms.Compose([transforms.ToTensor()]) train_dataset = dataset.TinyImageNet(args.data, mode='train', transform=train_transform) val_dataset = dataset.TinyImageNet(args.data, mode='val', transform=test_transform) if args.visdom_port: from visdom_logger.logger import VisdomLogger callback = VisdomLogger(port=args.visdom_port) else: callback = None train_loader = torch.utils.data.DataLoader(train_dataset, batch_size=args.batch_size, shuffle=True, drop_last=True, num_workers=args.workers, pin_memory=True) val_loader = torch.utils.data.DataLoader(val_dataset, batch_size=args.batch_size, num_workers=args.workers, pin_memory=True) attack = DDN(steps=args.steps, device=device) if args.evaluate: validate(val_loader, model, criterion, device, 0, callback=callback) return for epoch in range(args.start_epoch, args.epochs): scheduler.step() print('Learning rate for epoch {}: {:.2e}'.format( epoch, optimizer.param_groups[0]['lr'])) # train for one epoch train(train_loader, model, m, criterion, optimizer, attack, device, epoch, callback) # evaluate on validation set prec1 = validate(val_loader, model, criterion, device, epoch + 1, callback) utils.save_checkpoint(state={ 'epoch': epoch + 1, 'arch': args.arch, 'state_dict': model.state_dict(), 'prec1': prec1, 'optimizer': optimizer.state_dict() }, filename=os.path.join( args.save_folder, 'checkpoint_{}.pth'.format(args.arch))) utils.save_checkpoint(state=model.state_dict(), filename=os.path.join( args.save_folder, '{}_epoch-{}.pt'.format( args.arch, epoch + 1)), cpu=True)
transform=transforms.ToTensor(), download=True) loader = data.DataLoader(dataset, shuffle=False, batch_size=16) x, y = next(iter(loader)) x = x.to(device) y = y.to(device) print('Loading model') model = SmallCNN() model.load_state_dict(torch.load(args.model_path)) model.eval().to(device) requires_grad_(model, False) print('Running DDN attack') attacker = DDN(steps=100, device=device) start = time.time() ddn_atk = attacker.attack(model, x, labels=y, targeted=False) ddn_time = time.time() - start print('Running C&W attack') cwattacker = CarliniWagnerL2(device=device, image_constraints=(0, 1), num_classes=10) start = time.time() cw_atk = cwattacker.attack(model, x, labels=y, targeted=False) cw_time = time.time() - start # Save images all_imgs = torch.cat((x, cw_atk, ddn_atk))
def main(): global args args = parse_args() print(args) gpu_id = args.gpu_id if isinstance(gpu_id, int): gpu_id = [gpu_id] print("Let's use ", len(gpu_id), " GPUs!") print("gpu_ids:", gpu_id) if not os.path.exists(args.save_folder): os.mkdir(args.save_folder) device = torch.device('cuda: %d' %gpu_id[0] if torch.cuda.is_available() else 'cpu') #device = gpu_id if 'inception' in args.arch.lower(): print('Using Inception Normalization!') image_mean = torch.tensor([0.5, 0.5, 0.5]).view(1, 3, 1, 1) image_std = torch.tensor([0.5, 0.5, 0.5]).view(1, 3, 1, 1) else: print('Using Imagenet Normalization!') image_mean = torch.tensor([0.4802, 0.4481, 0.3975]).view(1, 3, 1, 1) image_std = torch.tensor([0.2770, 0.2691, 0.2821]).view(1, 3, 1, 1) # create model ''' if args.pretrained: print("=> using pre-trained model '{}'".format(args.arch)) m = models.__dict__[args.arch](pretrained=True) else: print("=> creating model '{}'".format(args.arch)) m = models.__dict__[args.arch]() ''' if args.pretrained: print("=> using pre-trained model '{}'".format(args.arch)) else: print("=> creating model '{}'".format(args.arch)) model_init = make_model(args.arch, 110, pretrained=args.pretrained) #model = utils.NormalizedModel(m, image_mean, image_std) model = utils.NormalizedModel(model_init, image_mean, image_std) print('model_struct:', model) print('model parameters:', sum(param.numel() for param in model.parameters())) ''' for param in model.parameters(): print(param.shape) print(param.numel()) ''' model.to(device) if len(gpu_id) > 1: model = torch.nn.DataParallel(model, device_ids=gpu_id) ''' if torch.cuda.device_count() > 1: model = torch.nn.DataParallel(model, device_ids=[i for i in range(torch.cuda.device_count())]) ''' # define loss function (criterion) and optimizer criterion = nn.CrossEntropyLoss() optimizer = torch.optim.SGD(model.parameters(), args.lr, momentum=args.momentum, weight_decay=args.weight_decay) scheduler = torch.optim.lr_scheduler.StepLR(optimizer, args.lr_step, gamma=0.1) # optionally resume from a checkpoint if args.resume: if os.path.isfile(args.resume): print("=> loading checkpoint '{}'".format(args.resume)) checkpoint = torch.load(args.resume) args.start_epoch = checkpoint['epoch'] prec1 = checkpoint['prec1'] from collections import OrderedDict new_state_dict = OrderedDict() for k, v in checkpoint['state_dict'].items(): name = k[7:] # remove `module.` new_state_dict[name] = v model.load_state_dict(new_state_dict,strict=True) optimizer.load_state_dict(checkpoint['optimizer']) scheduler.last_epoch = checkpoint['epoch'] - 1 print("=> loaded checkpoint '{}' (epoch {})" .format(args.resume, checkpoint['epoch'])) else: print("=> no checkpoint found at '{}'".format(args.resume)) # Data loading code input_path = args.data_path clean_path = os.path.join(input_path, 'IJCAI_2019_AAAC_train') adv_path = os.path.join(input_path, 'IJCAI_2019_AAAC_train_adv') img_clean = glob.glob(os.path.join(clean_path, "./*/*.jpg")) img_adv = glob.glob(os.path.join(adv_path, "./*/*.jpg")) filenames = img_clean + img_adv train_transform = transforms.Compose([ transforms.RandomHorizontalFlip(), transforms.Resize([args.image_size, args.image_size], interpolation=PIL.Image.BILINEAR), transforms.RandomGrayscale(p=0.05), transforms.RandomAffine(0, translate=(0.1, 0.1)), transforms.ToTensor() ]) test_transform = transforms.Compose([ transforms.Resize([args.image_size, args.image_size], interpolation=PIL.Image.BILINEAR), transforms.ToTensor() ]) all_dataset = dataset.AAAC_dataset(filenames, mode='train', transform=train_transform) #val_dataset = dataset.TinyImageNet(args.data, mode='val', transform=test_transform) train_size = int(0.8 * len(all_dataset)) val_size = len(all_dataset) - train_size train_dataset, val_dataset = torch.utils.data.random_split(all_dataset, [train_size, val_size]) ''' if args.visdom_port: from visdom_logger.logger import VisdomLogger callback = VisdomLogger(port=args.visdom_port) else: callback = None ''' callback = None train_loader = torch.utils.data.DataLoader(train_dataset, batch_size=args.batch_size, shuffle=True, drop_last=True, num_workers=args.workers, pin_memory=True) val_loader = torch.utils.data.DataLoader(val_dataset, batch_size=args.batch_size, num_workers=args.workers, pin_memory=True) attacker = DDN(steps=args.steps, device=device) if args.evaluate: validate(val_loader, model, criterion, device, 0, callback=callback) return for epoch in range(args.start_epoch, args.epochs): scheduler.step() print('Learning rate for epoch {}: {:.2e}'.format(epoch, optimizer.param_groups[0]['lr'])) # train for one epoch train(train_loader, model, model_init, criterion, optimizer, attacker, device, epoch, callback) # evaluate on validation set prec1 = validate(val_loader, model, criterion, device, epoch + 1, callback) utils.save_checkpoint( state={'epoch': epoch + 1, 'arch': args.arch, 'state_dict': model.state_dict(), 'prec1': prec1, 'optimizer': optimizer.state_dict()}, filename=os.path.join(args.save_folder, 'checkpoint_{}.pth'.format(args.arch))) utils.save_checkpoint( state=model.state_dict(), filename=os.path.join(args.save_folder, '{}_epoch-{}.pt'.format(args.arch, epoch + 1)), cpu=True )
lambda x: wrapper(normalize(x), pcl=pcl), eps=epsilon, eps_iter=epsilon / 10, ord=norm, nb_iter=10) elif args.attack == 'FGSM': adversary = GradientSignAttack(lambda x: wrapper(x, pcl=pcl), eps=epsilon) # adversary = PGDAttack(lambda x: wrapper(x, pcl=pcl), eps=epsilon, eps_iter=epsilon, nb_iter=1, ord=norm, rand_init=False) elif args.attack == 'CW': adversary = CarliniWagnerL2Attack(lambda x: wrapper(x, pcl=pcl), 10, binary_search_steps=2, max_iterations=500, initial_const=1e-1) elif args.attack == 'DDN': adversary = DDN(steps=100, device=device) ddn = True else: adversary = None criterion = torch.nn.CrossEntropyLoss() net.eval() test_acc_adv, test_loss_adv, dist_l2, dist_linf = adv_test( lambda x: wrapper(x, pcl=pcl), test_loader, criterion, adversary, epsilon, args, ddn=ddn,
model_dict5 = torch.load(weight_norm) model5.load_state_dict(model_dict5) #model.eval() #with torch.no_grad(): for i, (images, labels) in enumerate(tqdm.tqdm(test_loader, ncols=80)): images, labels = images.to(DEVICE), labels.to(DEVICE) logits = model5(images) # loss = F.cross_entropy(logits, labels) # print(logits) test_accs = AverageMeter() test_losses = AverageMeter() test_accs.append((logits.argmax(1) == labels).float().mean().item()) ################ADV######################## attacker = DDN(steps=100, device=DEVICE) attacker2 = DeepFool(device=DEVICE) adv = attacker.attack(model5, images, labels=labels, targeted=False) # deepfool = attacker2.attack(model5, images, labels=labels, targeted=False) if adv is None: adv = images # if deepfool is None: # deepfool = images test_accs2 = AverageMeter() test_losses2 = AverageMeter() logits2 = model5(adv) # logits3 = model5(deepfool) test_accs2.append((logits2.argmax(1) == labels).float().mean().item()) #print(test_accs2) # test_accs3 = AverageMeter()
t_img = t_img.to(device) assert model(t_img).argmax() == label assert black_box_model(img) == label # Load surrogate model smodel = resnext50_32x4d() smodel = NormalizedModel(smodel, image_mean, image_std) state_dict = torch.load(args.surrogate_model_path) smodel.load_state_dict(state_dict) smodel.eval().to(device) # Sanity check: image correctly labeled by surrogate classifier: assert smodel(t_img).argmax() == label surrogate_models = [smodel] attacks = [DDN(100, device=device), FGM_L2(1)] adv = attack(black_box_model, surrogate_models, attacks, img, label, targeted=False, device=device) pred_on_adv = black_box_model(adv) print('True label: {}; Prediction on the adversarial: {}'.format( label, pred_on_adv)) # Compute l2 norm in range [0, 1]