def ada_attack(model, img, max_iter, epsilon, mask):
    """Iterative sign-gradient (FGSM-style) attack with adaptive step size.

    NOTE(review): a second, two-model `ada_attack` appears later in this file
    and will shadow this definition at import time — confirm which one callers
    expect.

    Args:
        model: detector whose `total_loss` is maximized against.
        img: input image, BGR uint8 (comments suggest 500x500x3 — TODO confirm).
        max_iter: maximum number of attack iterations.
        epsilon: initial per-step perturbation magnitude; decayed by 1.0 when
            the recent loss trend is increasing (floored at 1.0).
        mask: spatial mask restricting where the perturbation is applied.

    Returns:
        (finalimg, NOISE): attacked uint8 image and the applied BGR noise.
    """
    P = [0.58395, 0.5712, 0.57375]  # RGB normalization std used by prepare_data
    # Preprocessing converts to RGB, resizes to 800x800, then normalizes.
    data = prepare_data(model, img)  # dict-like with 'img' list
    # Re-leaf the input tensor so gradients can be taken w.r.t. it
    # (replaces the deprecated torch.autograd.Variable wrapper).
    data['img'][0] = data['img'][0].detach().requires_grad_(True)
    noise = np.zeros([800, 800, 3])  # accumulated noise at network input size
    finalimg = img
    # Bug fix: NOISE was previously unbound if the loop returned on the first
    # iteration (loss <= 0) or if max_iter == 0.
    NOISE = np.zeros([500, 500, 3])
    last_loss = []
    for iter_n in range(max_iter):
        loss = total_loss(model, data)
        if loss > 0:
            loss.backward()
            grad = data['img'][0].grad
            grad_np = grad.data.cpu().numpy()
            normalized_grad = np.sign(grad_np)  # FGSM sign normalization
        else:
            # Attack has succeeded (no remaining positive loss): stop early.
            return finalimg, NOISE
        # Adaptive step: if loss rose over the last (up to) 5 steps, shrink epsilon.
        last_loss.append(loss.item())
        temp_list = last_loss[-5:]
        if temp_list[-1] > temp_list[0]:
            if epsilon > 1:
                epsilon = epsilon - 1.0
            else:
                epsilon = 1.0
        NP_P = normalized_grad * epsilon  # single-step perturbation, NCHW
        noise += NP_P.squeeze().transpose(1, 2, 0)  # -> [800, 800, 3] HWC
        # Undo normalization (multiply by std), resize back, and mask.
        NOISE = cv2.resize(noise * P, (500, 500)) * mask
        NOISE = NOISE[:, :, ::-1]  # RGB -> BGR to match the input image
        finalimg = np.clip((img - NOISE), 0, 255)
        finalimg = np.uint8(finalimg)
        # Refresh the model input in place so the existing graph leaf is reused.
        temp_data = prepare_data(model, finalimg)
        data['img'][0].data = temp_data['img'][0].data
    return finalimg, NOISE
def singlemask(img, model):
    """Build per-object seed-block masks from single-detection gradients.

    For each confident detection (score > 0.3, at most 10 objects), back-
    propagates that detection's score alone, L2-normalizes the gradient, and
    converts the resulting noise map into a seed-block mask.
    """
    # First pass (no gradients): locate detections with a usable score.
    with torch.no_grad():
        data = prepare_data(model, img)
        result = model(return_loss=False, rescale=True, **data)
    # (class_idx, det_idx) pairs for every detection scoring above 0.3,
    # across all 80 classes.
    index = [[cls_i, det_j]
             for cls_i in range(len(result))
             for det_j in range(len(result[cls_i]))
             if result[cls_i][det_j, 4] > 0.3]
    # Cap the number of objects that receive seed blocks at 10.
    object_num = np.min([len(index), 10])
    Kflag = []
    for obj_i in range(object_num):
        data = prepare_data(model, img)
        data['img'][0].requires_grad = True  # gradient w.r.t. the input
        noise = np.zeros([800, 800, 3])
        result = model(return_loss=False, rescale=True, **data)
        cls_i, det_j = index[obj_i]
        loss = result[cls_i][det_j, 4]  # this object's confidence only
        loss.backward()
        grad_np = data['img'][0].grad.data.cpu().numpy()
        # L2-normalize over the spatial axes.
        l2 = np.sqrt(np.sum(grad_np * grad_np, axis=(2, 3), keepdims=True))
        step = (grad_np / l2) * 600  # single large-magnitude perturbation
        noise += step.squeeze().transpose(1, 2, 0)  # NCHW -> HWC
        resized = cv2.resize(noise, (500, 500))
        Kflag.append(Norm_Sel_Mask(resized, 20))
    return Kflag
def L2_attack(yolo_model, rcnn_model, img, conf_thresh, max_iter, epsilon,
              mask):
    """Joint L2-normalized gradient attack against YOLO and Faster R-CNN.

    NOTE(review): a single-model `L2_attack` defined later in this file
    shadows this definition at import time — confirm which one callers expect.

    Args:
        yolo_model: YOLO detector (608x608 input).
        rcnn_model: Faster R-CNN detector (800x800 input).
        img: input image, BGR uint8 (comments suggest 500x500x3 — TODO confirm).
        conf_thresh: YOLO confidence threshold passed to `yolo_loss`.
        max_iter: maximum number of attack iterations.
        epsilon: per-step perturbation magnitude.
        mask: spatial mask restricting where the perturbation is applied.

    Returns:
        (finalimg, NOISE): attacked PIL image and the applied RGB noise map.
    """
    P = [0.58395, 0.5712, 0.57375]  # RGB normalization std (rcnn branch)
    # --- YOLO branch state ---
    noise_yolo = np.zeros([608, 608, 3])  # accumulated noise at YOLO size
    # Convert the BGR input to a PIL RGB image for the YOLO pipeline.
    finalimg = Image.fromarray(cv2.cvtColor(img, cv2.COLOR_BGR2RGB))
    new_input = resize_big(finalimg)
    # --- Faster R-CNN branch state ---
    idx = GetObject(rcnn_model, img)  # indices of confident detections
    data = prepare_data(rcnn_model, img)
    data['img'][0].requires_grad = True  # gradient w.r.t. the input
    noise_rcnn = np.zeros([800, 800, 3])
    # Bug fix: NOISE was previously unbound if the loop returned on the first
    # iteration (tloss <= 0) or if max_iter == 0.
    NOISE = np.zeros([500, 500, 3])
    for iter_n in range(max_iter):
        rloss = rcnn_L2_loss(rcnn_model, data, idx)
        im, yloss = yolo_loss(yolo_model, new_input, conf_thresh, use_cuda=1)
        tloss = 0.5 * yloss + 0.5 * rloss  # equal-weight fusion of both losses
        print(tloss.item())
        if tloss > 0:
            tloss.backward()
            # YOLO gradient, L2-normalized over spatial axes.
            if yloss > 0:
                grad_np_yolo = im.grad.data.cpu().numpy()
                normalized_grad_yolo = grad_np_yolo / np.sqrt(
                    np.sum(grad_np_yolo * grad_np_yolo,
                           axis=(2, 3), keepdims=True))
            else:
                normalized_grad_yolo = np.zeros([1, 3, 608, 608])
            # Faster R-CNN gradient, L2-normalized over spatial axes.
            if rloss > 0:
                grad_np_rcnn = data['img'][0].grad.data.cpu().numpy()
                normalized_grad_rcnn = grad_np_rcnn / np.sqrt(
                    np.sum(grad_np_rcnn * grad_np_rcnn,
                           axis=(2, 3), keepdims=True))
            else:
                normalized_grad_rcnn = np.zeros([1, 3, 800, 800])
        else:
            # Both detectors defeated: stop early.
            return finalimg, NOISE
        NP_P_yolo = normalized_grad_yolo * epsilon  # YOLO single-step noise
        noise_yolo += NP_P_yolo.squeeze().transpose(1, 2, 0)  # [608,608,3]
        NP_P_rcnn = normalized_grad_rcnn * epsilon  # rcnn step (different scale)
        noise_rcnn += NP_P_rcnn.squeeze().transpose(1, 2, 0)
        # Combine both branches at image resolution; rcnn noise is
        # de-normalized by the std P before resizing.
        NOISE = cv2.resize(noise_yolo, (500, 500)) * mask + cv2.resize(
            noise_rcnn * P, (500, 500)) * mask
        temp_img = np.clip((img - NOISE[:, :, ::-1]), 0, 255)  # RGB -> BGR
        X = np.uint8(temp_img)
        finalimg = Image.fromarray(cv2.cvtColor(X, cv2.COLOR_BGR2RGB))
        new_input = resize_big(finalimg)
        # Refresh the rcnn input in place so the existing graph leaf is reused.
        temp_data = prepare_data(rcnn_model, X)
        data['img'][0].data = temp_data['img'][0].data
    return finalimg, NOISE
def GetObject(model, img):
    """Return [class_idx, det_idx] pairs of Faster R-CNN detections with
    score > 0.3 (scores live in column 4 of each per-class result array)."""
    with torch.no_grad():
        data = prepare_data(model, img)
        result = model(return_loss=False, rescale=True, **data)
        # Scan all (80) per-class detection arrays for confident boxes.
        index = [[cls_i, det_j]
                 for cls_i in range(len(result))
                 for det_j in range(len(result[cls_i]))
                 if result[cls_i][det_j, 4] > 0.3]
    return index
def L2_attack(model, img, max_iter, epsilon, mask):
    """Single-model L2-normalized gradient attack against Faster R-CNN.

    NOTE(review): this redefinition shadows the earlier two-model `L2_attack`
    in this file — confirm which one callers expect.

    Args:
        model: Faster R-CNN detector.
        img: input image, BGR uint8 (comments suggest 500x500x3 — TODO confirm).
        max_iter: maximum number of attack iterations.
        epsilon: per-step perturbation magnitude.
        mask: spatial mask restricting where the perturbation is applied.

    Returns:
        (finalimg, NOISE): attacked uint8 image and the applied BGR noise.
    """
    # Preprocessing converts to RGB, resizes to 800x800, then normalizes.
    data = prepare_data(model, img)
    # Re-leaf the input tensor so gradients can be taken w.r.t. it
    # (replaces the deprecated torch.autograd.Variable wrapper).
    data['img'][0] = data['img'][0].detach().requires_grad_(True)
    noise = np.zeros([500, 500, 3])  # accumulated noise at image size
    finalimg = img
    NOISE = np.zeros([500, 500, 3])
    idx = GetObject(model, img)  # indices of confident detections
    for iter_n in range(max_iter):
        loss = L2_loss(model, data, idx)
        if loss > 0:
            loss.backward()
            grad_np = data['img'][0].grad.data.cpu().numpy()
            # L2-normalize over the spatial axes.
            normalized_grad = grad_np / np.sqrt(
                np.sum(grad_np * grad_np, axis=(2, 3), keepdims=True))
        else:
            # Attack has succeeded (no remaining positive loss): stop early.
            return finalimg, NOISE
        NP_P = normalized_grad * epsilon  # single-step perturbation, NCHW
        NP_P = NP_P.squeeze().transpose(1, 2, 0)  # -> HWC
        NP_P = cv2.resize(NP_P, (500, 500))
        noise += NP_P * mask
        # Bug fix: np.float was removed in NumPy 1.24 — use the builtin float.
        finalimg = np.clip(
            (np.array(img, dtype=float) - noise[:, :, ::-1]), 0, 255)
        NOISE = np.array(img, dtype=float) - finalimg  # effective applied noise
        finalimg = np.uint8(finalimg)
        # Refresh the model input in place so the existing graph leaf is reused.
        temp_data = prepare_data(model, finalimg)
        data['img'][0].data = temp_data['img'][0].data
    return finalimg, NOISE
def gen_attack(model, img, norm_ord, max_iter, epsilon, mask):
    """Generic iterative gradient attack with a selectable gradient norm.

    Args:
        model: detector whose `total_loss` is maximized against.
        img: input image, BGR uint8 (comments suggest 500x500x3 — TODO confirm).
        norm_ord: gradient normalization — 'sign', 'L1', or 'L2'.
        max_iter: maximum number of attack iterations.
        epsilon: per-step perturbation magnitude.
        mask: spatial mask restricting where the perturbation is applied.

    Returns:
        (finalimg, NOISE): attacked uint8 image and the applied BGR noise.

    Raises:
        ValueError: if `norm_ord` is not one of the supported values.
    """
    P = [0.58395, 0.5712, 0.57375]  # RGB normalization std used by prepare_data
    # Preprocessing converts to RGB, resizes to 800x800, then normalizes.
    data = prepare_data(model, img)
    data['img'][0].requires_grad = True  # gradient w.r.t. the input
    noise = np.zeros([800, 800, 3])  # accumulated noise at network input size
    finalimg = img
    # Bug fix: NOISE was previously unbound if the loop returned on the first
    # iteration (loss <= 0) or if max_iter == 0.
    NOISE = np.zeros([500, 500, 3])
    for iter_n in range(max_iter):
        loss = total_loss(model, data)
        if loss > 0:
            loss.backward()
            grad_np = data['img'][0].grad.data.cpu().numpy()
            if norm_ord == 'sign':
                normalized_grad = np.sign(grad_np)
            elif norm_ord == 'L1':
                normalized_grad = grad_np / np.sum(
                    np.abs(grad_np), axis=(2, 3), keepdims=True)
            elif norm_ord == 'L2':
                normalized_grad = grad_np / np.sqrt(
                    np.sum(grad_np * grad_np, axis=(2, 3), keepdims=True))
            else:
                raise ValueError('This norm_ord does not support...')
        else:
            # Attack has succeeded (no remaining positive loss): stop early.
            return finalimg, NOISE
        NP_P = normalized_grad * epsilon  # single-step perturbation, NCHW
        noise += NP_P.squeeze().transpose(1, 2, 0)  # -> [800, 800, 3] HWC
        # Undo normalization (multiply by std), resize back, and mask.
        NOISE = cv2.resize(noise * P, (500, 500)) * mask
        NOISE = NOISE[:, :, ::-1]  # RGB -> BGR to match the input image
        finalimg = np.clip((img - NOISE), 0, 255)
        finalimg = np.uint8(finalimg)
        # Refresh the model input in place so the existing graph leaf is reused.
        temp_data = prepare_data(model, finalimg)
        data['img'][0].data = temp_data['img'][0].data
    return finalimg, NOISE
def ada_attack(yolo_model, rcnn_model, img, conf_thresh, max_iter, epsilon,
               mask):
    """Adaptive sign-gradient attack against YOLO and Faster R-CNN jointly.

    NOTE(review): this redefinition shadows the earlier single-model
    `ada_attack` in this file — confirm which one callers expect.

    Args:
        yolo_model: YOLO detector (608x608 input).
        rcnn_model: Faster R-CNN detector (800x800 input).
        img: input image, BGR uint8 (comments suggest 500x500x3 — TODO confirm).
        conf_thresh: YOLO confidence threshold passed to `yolo_loss`.
        max_iter: maximum number of attack iterations.
        epsilon: initial step size; decayed by 0.93x when the recent loss
            trend is increasing (floored at 1.0).
        mask: spatial mask restricting where the perturbation is applied.

    Returns:
        (finalimg, NOISE): attacked PIL image and the applied RGB noise map
        (None if the loop never ran or returned before computing it).
    """
    # --- YOLO branch state ---
    noise_yolo = np.zeros([608, 608, 3])  # accumulated noise at YOLO size
    # Convert the BGR input to a PIL RGB image for the YOLO pipeline.
    finalimg = Image.fromarray(cv2.cvtColor(
        img, cv2.COLOR_BGR2RGB))  # 500*500*3 RGB
    new_input = resize_big(finalimg)
    # noise_yolo = 0.2*np.array(new_input,dtype=np.float)
    # --- Faster R-CNN branch state ---
    data = prepare_data(rcnn_model, img)
    data['img'][0].requires_grad = True  # gradient w.r.t. the input
    noise_rcnn = np.zeros([800, 800, 3])
    last_loss = []
    NOISE = None
    for iter_n in range(max_iter):
        rloss = rcnn_loss(rcnn_model, data)
        im, yloss = yolo_loss(yolo_model, new_input, conf_thresh, use_cuda=1)
        tloss = (yloss + rloss) / 2  # fuse the Faster R-CNN and YOLO losses
        # print(tloss.item())
        if tloss > 0:
            tloss.backward()
            # YOLO sign gradient (zeros when its loss is already non-positive).
            if yloss > 0:
                grad_yolo = im.grad
                grad_np_yolo = grad_yolo.data.cpu().numpy()
                normalized_grad_yolo = np.sign(grad_np_yolo)
            else:
                normalized_grad_yolo = np.zeros([1, 3, 608, 608])
            # Faster R-CNN sign gradient (same convention).
            if rloss > 0:
                grad_rcnn = data['img'][0].grad
                grad_np_rcnn = grad_rcnn.data.cpu().numpy()
                normalized_grad_rcnn = np.sign(grad_np_rcnn)
            else:
                normalized_grad_rcnn = np.zeros([1, 3, 800, 800])
        else:
            # Both detectors defeated: stop early.
            return finalimg, NOISE
        # Adaptive step: if loss rose over the last (up to) 5 steps, decay epsilon.
        last_loss.append(tloss.item())
        temp_list = last_loss[-5:]
        if temp_list[-1] > temp_list[0]:
            if epsilon > 1:
                epsilon = epsilon * 0.93
            else:
                epsilon = 1.0
        NP_P_yolo = normalized_grad_yolo * epsilon  # YOLO single-step noise
        noise_yolo += NP_P_yolo.squeeze().transpose(1, 2, 0)  # [608,608,3]
        NP_P_rcnn = normalized_grad_rcnn * epsilon
        noise_rcnn += NP_P_rcnn.squeeze().transpose(1, 2, 0)
        # Combine both branches at image resolution under the mask.
        NOISE = cv2.resize(noise_yolo, (500, 500)) * mask + cv2.resize(
            noise_rcnn, (500, 500)) * mask
        # Force a minimum perturbation magnitude of 1.1 on every pixel whose
        # noise is small (values already beyond ±1.1 are kept as-is).
        ind_one = np.logical_and(NOISE >= 0, NOISE <= 1.1)
        ind_minus_one = np.logical_and(NOISE >= -1.1, NOISE < 0)
        NOISE[ind_one] = 1.1
        NOISE[ind_minus_one] = -1.1
        NOISE = NOISE * mask  # re-zero everything outside the mask
        # NOTE(review): first iteration adds a constant +1 offset to the whole
        # noise map — presumably a warm-start/darkening trick; confirm intent.
        if iter_n == 0:
            NOISE += np.ones_like(NOISE)
        temp_img = np.clip((img - NOISE[:, :, ::-1]), 0, 255)  # RGB -> BGR
        X = np.uint8(temp_img)
        finalimg = Image.fromarray(cv2.cvtColor(
            X,
            cv2.COLOR_BGR2RGB))  # 500*500*3
        new_input = resize_big(finalimg)
        # Refresh the rcnn input in place so the existing graph leaf is reused.
        temp_data = prepare_data(rcnn_model, X)
        data['img'][0].data = temp_data['img'][0].data
    return finalimg, NOISE