Example #1
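The identifiers in these examples (ap.ThreatModel, lf.RegularizedLoss, st.FullSpatial, advtrain.AdversarialAttackParameters, ...) match the mister_ed adversarial-robustness library. The snippets rely on module aliases and module-level constants that are not shown; the sketch below is one plausible preamble (module paths, the aar alias, and every constant value here are assumptions, not taken from the source):

import copy
import math

import torch.optim as optim

# mister_ed modules (import paths assumed; adjust to your checkout):
import adversarial_perturbations as ap
import spatial_transformers as st
import loss_functions as lf
import adversarial_attacks as aa
import adversarial_attacks_refactor as aar  # assumed name behind the `aar` alias
import adversarial_training as advtrain
import adversarial_evaluation as adveval

# Illustrative constant values only -- the real ones live elsewhere in the source:
L_INF_BOUND = 8.0 / 255.0            # pixel-space L_inf budget
FLOW_LINF = FLOW_LINF_BOUND = 0.05   # flow-field L_inf budget
TRANS_LINF = 0.05                    # translation budget
ROT_LINF = math.pi / 24.0            # rotation budget (radians)
PGD_ITER = 100                       # PGD iteration count
LOSS_CONVERGENCE = 1e-6              # early-stop threshold on loss change
USE_GPU = True
GLOBAL_ATK_KWARGS = {'num_iterations': PGD_ITER,
                     'signed': False,
                     'optimizer': optim.Adam,
                     'optimizer_kwargs': {'lr': 0.001},
                     'verbose': False,
                     'loss_convergence': LOSS_CONVERGENCE}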
def build_stadv_linf_attack(classifier_net, normalizer):
    # stAdv-style spatial flow attack with an L_inf bound on the flow field
    flow_threat = ap.ThreatModel(
        ap.ParameterizedXformAdv,
        ap.PerturbationParameters(lp_style='inf',
                                  lp_bound=FLOW_LINF_BOUND,
                                  xform_class=st.FullSpatial,
                                  use_stadv=True))
    adv_loss = lf.CWLossF6(classifier_net, normalizer)  # Carlini-Wagner f_6 objective
    st_loss = lf.PerturbationNormLoss(lp=2)  # L2 penalty on the perturbation's norm

    loss_fxn = lf.RegularizedLoss(
        {'adv': adv_loss, 'st': st_loss},
        {'adv': 1.0, 'st': 0.05},
        negate=True)

    pgd_kwargs = copy.deepcopy(GLOBAL_ATK_KWARGS)
    pgd_kwargs['optimizer_kwargs']['lr'] = 0.001

    pgd_attack = aa.PGD(classifier_net, normalizer, flow_threat, loss_fxn)
    params = advtrain.AdversarialAttackParameters(
        pgd_attack, 1.0, attack_specific_params={'attack_kwargs': pgd_kwargs})
    return params
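A hypothetical call pattern for the returned object (the attack method and the adv_attack_obj attribute are guesses at the surrounding library's API, not confirmed by the snippet, hence commented out):

params = build_stadv_linf_attack(classifier_net, normalizer)
# perturbation = params.adv_attack_obj.attack(examples, labels)  # hypothetical API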
Example #2
def build_full_attack(classifier_net, normalizer, use_gpu):
    # Sequential attack: L_inf pixel delta + stAdv flow + translation + rotation
    delta_threat = ap.ThreatModel(
        ap.DeltaAddition,
        ap.PerturbationParameters(lp_style='inf',
                                  lp_bound=L_INF_BOUND,
                                  use_gpu=use_gpu))

    trans_threat = ap.ThreatModel(
        ap.ParameterizedXformAdv,
        ap.PerturbationParameters(lp_style=1,
                                  lp_bound=0.05,
                                  xform_class=st.TranslationTransform,
                                  use_gpu=use_gpu))
    flow_threat = ap.ThreatModel(
        ap.ParameterizedXformAdv,
        ap.PerturbationParameters(lp_style='inf',
                                  lp_bound=FLOW_LINF_BOUND,
                                  xform_class=st.FullSpatial,
                                  use_gpu=use_gpu,
                                  use_stadv=True))

    rotation_threat = ap.ThreatModel(
        ap.ParameterizedXformAdv,
        ap.PerturbationParameters(xform_class=st.RotationTransform,
                                  lp_style='inf',
                                  lp_bound=math.pi / 24.,
                                  use_gpu=use_gpu))

    # norm_weights: per-sub-perturbation weights in the combined perturbation
    # norm; 0.0 presumably keeps the pixel delta out of the norm penalty below
    sequence_threat = ap.ThreatModel(
        ap.SequentialPerturbation,
        [delta_threat, flow_threat, trans_threat, rotation_threat],
        ap.PerturbationParameters(norm_weights=[0.0, 1.0, 1.0, 1.0]))
    pgd_kwargs = copy.deepcopy(GLOBAL_ATK_KWARGS)
    pgd_kwargs['optimizer_kwargs']['lr'] = 0.001

    adv_loss = lf.CWLossF6(classifier_net, normalizer)
    st_loss = lf.PerturbationNormLoss(lp=2)

    loss_fxn = lf.RegularizedLoss(
        {'adv': adv_loss, 'st': st_loss},
        {'adv': 1.0, 'st': 0.05},
        negate=True)

    pgd_attack = aar.PGD(classifier_net,
                         normalizer,
                         sequence_threat,
                         loss_fxn,
                         use_gpu=use_gpu)

    params = advtrain.AdversarialAttackParameters(
        pgd_attack, 1.0, attack_specific_params={'attack_kwargs': pgd_kwargs})
    return params
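SequentialPerturbation composes an arbitrary list of threat models; for instance, a delta-plus-rotation threat under the same API would be the two-element sequence below (a sketch reusing the threat models defined above):

delta_rot_threat = ap.ThreatModel(
    ap.SequentialPerturbation,
    [delta_threat, rotation_threat],
    ap.PerturbationParameters(norm_weights=[0.0, 1.0]))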
Example #3
def build_stadv_rot_trans_pgd(model,
                              normalizer,
                              flow_bound=FLOW_LINF,
                              trans_bound=TRANS_LINF,
                              rot_bound=ROT_LINF,
                              use_gpu=USE_GPU,
                              verbose=False,
                              adv_loss='cw',
                              num_iter=PGD_ITER,
                              loss_convergence=LOSS_CONVERGENCE,
                              output='attack',
                              extra_attack_kwargs=None):
    # Build threat

    flow_threat = ap.ThreatModel(
        ap.ParameterizedXformAdv,
        ap.PerturbationParameters(lp_style='inf',
                                  lp_bound=flow_bound,
                                  xform_class=st.FullSpatial,
                                  use_gpu=use_gpu,
                                  use_stadv=True))

    trans_threat = ap.ThreatModel(
        ap.ParameterizedXformAdv,
        ap.PerturbationParameters(lp_style='inf',
                                  lp_bound=trans_bound,
                                  xform_class=st.TranslationTransform,
                                  use_gpu=use_gpu))
    rotation_threat = ap.ThreatModel(
        ap.ParameterizedXformAdv,
        ap.PerturbationParameters(xform_class=st.RotationTransform,
                                  lp_style='inf',
                                  lp_bound=rot_bound,
                                  use_gpu=use_gpu))

    sequence_threat = ap.ThreatModel(
        ap.SequentialPerturbation,
        [flow_threat, trans_threat, rotation_threat],
        # one norm weight per sub-perturbation
        ap.PerturbationParameters(norm_weights=[1.0, 1.0, 1.0]))

    # Build loss
    assert adv_loss in ['cw', 'xentropy']
    if adv_loss == 'xentropy':
        adv_loss_obj = lf.PartialXentropy(model, normalizer=normalizer)
    else:
        adv_loss_obj = lf.CWLossF6(model, normalizer)

    st_loss = lf.PerturbationNormLoss(lp=2)

    loss_fxn = lf.RegularizedLoss(
        {'adv': adv_loss_obj, 'st': st_loss},
        {'adv': 1.0, 'st': 0.05},
        negate=True)

    # Build attack
    optimizer = optim.Adam
    optimizer_kwargs = {'lr': 0.001}
    pgd_attack = aar.PGD(model,
                         normalizer,
                         sequence_threat,
                         loss_fxn,
                         use_gpu=use_gpu)

    assert output in ['attack', 'params', 'eval']
    if output == 'attack':
        return pgd_attack

    pgd_kwargs = {
        'num_iterations': num_iter,
        'signed': False,
        'optimizer': optimizer,
        'optimizer_kwargs': optimizer_kwargs,
        'verbose': verbose,
        'loss_convergence': loss_convergence
    }
    if extra_attack_kwargs is not None:
        pgd_kwargs.update(extra_attack_kwargs)

    params = advtrain.AdversarialAttackParameters(
        pgd_attack, 1.0, attack_specific_params={'attack_kwargs': pgd_kwargs})
    if output == 'params':
        return params

    to_eval = {'top1': 'top1', 'lpips': 'avg_successful_lpips'}

    eval_result = adveval.EvaluationResult(params,
                                           model,
                                           normalizer,
                                           to_eval=to_eval,
                                           use_gpu=use_gpu)
    return eval_result
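Since the return value depends on the output argument, typical call patterns are (illustrative; every name comes from the function above):

attack_obj = build_stadv_rot_trans_pgd(model, normalizer, output='attack')
atk_params = build_stadv_rot_trans_pgd(model, normalizer, output='params')
eval_result = build_stadv_rot_trans_pgd(model, normalizer, output='eval')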
Example #4
def build_stadv_pgd(model,
                    normalizer,
                    linf_bound=FLOW_LINF,
                    use_gpu=USE_GPU,
                    verbose=False,
                    adv_loss='cw',
                    num_iter=PGD_ITER,
                    loss_convergence=LOSS_CONVERGENCE,
                    use_stadv=True,
                    output='attack',
                    norm_hyperparam=0.05,
                    extra_attack_kwargs=None):

    # Build threat
    flow_threat = ap.ThreatModel(
        ap.ParameterizedXformAdv,
        ap.PerturbationParameters(lp_style='inf',
                                  lp_bound=linf_bound,
                                  xform_class=st.FullSpatial,
                                  use_gpu=use_gpu,
                                  use_stadv=use_stadv))

    # Build loss
    assert adv_loss in ['xentropy', 'cw']
    if adv_loss == 'xentropy':
        adv_loss_obj = lf.PartialXentropy(model, normalizer=normalizer)
    else:
        adv_loss_obj = lf.CWLossF6(model, normalizer)

    st_loss = lf.PerturbationNormLoss(lp=2)

    attack_loss = lf.RegularizedLoss(
        {'adv': adv_loss_obj, 'st': st_loss},
        {'adv': 1.0, 'st': norm_hyperparam},
        negate=True)

    # Build attack
    pgd_attack = aar.PGD(model,
                         normalizer,
                         flow_threat,
                         attack_loss,
                         use_gpu=use_gpu)

    # Return based on output arg
    assert output in ['attack', 'params', 'eval']
    if output == 'attack':
        return pgd_attack

    extra_attack_kwargs = extra_attack_kwargs or {}
    optimizer = optim.Adam
    optimizer_kwargs = {'lr': 0.01}
    pgd_kwargs = {
        'num_iterations': num_iter,
        'signed': False,
        'optimizer': optimizer,
        'optimizer_kwargs': optimizer_kwargs,
        'verbose': verbose,
        'loss_convergence': loss_convergence
    }
    pgd_kwargs.update(extra_attack_kwargs)
    params = advtrain.AdversarialAttackParameters(
        pgd_attack, 1.0, attack_specific_params={'attack_kwargs': pgd_kwargs})

    if output == 'params':
        return params

    to_eval = {'top1': 'top1', 'lpips': 'avg_successful_lpips'}

    eval_result = adveval.EvaluationResult(params,
                                           model,
                                           normalizer,
                                           to_eval=to_eval,
                                           use_gpu=use_gpu)
    return eval_result
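Because use_stadv is exposed as a parameter here, the same builder covers both the stAdv flow attack and a plain full-spatial transform (illustrative calls):

stadv_attack = build_stadv_pgd(model, normalizer, use_stadv=True)
plain_flow_attack = build_stadv_pgd(model, normalizer, use_stadv=False)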
Example #5
def build_delta_stadv_pgd(model, normalizer, delta_bound=L_INF_BOUND,
                          flow_bound=FLOW_LINF, manual_gpu=None,
                          verbose=False, adv_loss='cw', num_iter=PGD_ITER,
                          loss_convergence=LOSS_CONVERGENCE,
                          output='attack',
                          extra_attack_kwargs=None):
    # Build threat
    delta_threat = ap.ThreatModel(ap.DeltaAddition,
                                  ap.PerturbationParameters(lp_style='inf',
                                                            lp_bound=delta_bound,
                                                            manual_gpu=manual_gpu))
    flow_threat = ap.ThreatModel(ap.ParameterizedXformAdv,
                                 ap.PerturbationParameters(lp_style='inf',
                                                           lp_bound=flow_bound,
                                                           xform_class=st.FullSpatial,
                                                           manual_gpu=manual_gpu,
                                                           use_stadv=True))
    sequence_threat = ap.ThreatModel(
        ap.SequentialPerturbation,
        [delta_threat, flow_threat],
        ap.PerturbationParameters(norm_weights=[0.0, 1.0]))

    # Build loss
    assert adv_loss in ['cw', 'xentropy']
    if adv_loss == 'xentropy':
        adv_loss_obj = lf.PartialXentropy(model, normalizer=normalizer)
        adv_loss_scale = -1.0  # xentropy term enters with a flipped sign here
    else:
        adv_loss_obj = lf.CWLossF6(model, normalizer)
        adv_loss_scale = 1.0

    st_loss = lf.PerturbationNormLoss(lp=2)

    loss_fxn = lf.RegularizedLoss(
        {'adv': adv_loss_obj, 'st': st_loss},
        {'adv': adv_loss_scale, 'st': 0.05},
        negate=True)

    # Build attack
    optimizer = optim.Adam
    optimizer_kwargs = {'lr': 0.001}
    pgd_attack = aa.PGD(model, normalizer, sequence_threat, loss_fxn,
                        manual_gpu=manual_gpu)

    assert output in ['attack', 'params', 'eval']
    if output == 'attack':
        return pgd_attack

    pgd_kwargs = {'num_iterations': num_iter,
                  'signed': False,
                  'optimizer': optimizer,
                  'optimizer_kwargs': optimizer_kwargs,
                  'verbose': verbose,
                  'loss_convergence': loss_convergence}

    if extra_attack_kwargs is not None:
        pgd_kwargs.update(extra_attack_kwargs)

    params = advtrain.AdversarialAttackParameters(
        pgd_attack, 1.0, attack_specific_params={'attack_kwargs': pgd_kwargs})

    if output == 'params':
        return params

    to_eval = {'top1': 'top1', 'lpips': 'avg_successful_lpips'}

    eval_result = adveval.EvaluationResult(params, to_eval=to_eval,
                                           manual_gpu=manual_gpu)
    return eval_result
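Note that this last example uses manual_gpu in place of the use_gpu flag seen earlier, passes it to aa.PGD directly, and constructs EvaluationResult without the model and normalizer; it presumably targets a later revision of the library in which GPU placement is inferred automatically unless manually overridden. The earlier examples would need the same adjustments to run against that revision.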