def gen_adv():
mse = 0
original_files = get_original_file(input_dir + val_list)
#下一个图片的初始梯度方向为上一代的最后的值
global momentum
momentum = 0
for filename, label in original_files:
img_path = input_dir + filename
print("Image: {0} ".format(img_path))
img = process_img(img_path)
#adv_img = attack_nontarget_by_ensemble(img, label,origdict[label],label)
adv_img, m = attack_nontarget_by_ensemble(img, label, origdict[label],
label, momentum)
#m为上一个样本最后一次梯度值
momentum = m
#adv_img 已经经过转换了,范围是0-255
image_name, image_ext = filename.split('.')
##Save adversarial image(.png)
save_adv_image(adv_img, output_dir + image_name + '.png')
org_img = tensor2img(img)
score = calc_mse(org_img, adv_img)
print("Image:{0}, mase = {1} ".format(img_path, score))
mse += score
print("ADV {} files, AVG MSE: {} ".format(len(original_files),
mse / len(original_files)))
def gen_adv():
mse = 0
original_files = get_original_file(input_dir + val_list)
num = 1
cout = 0
print("the model is {}".format(model_name))
for filename, label in original_files:
img_path = input_dir + filename
print("Image: {0} ".format(img_path))
img = process_img(img_path)
#print(img.shape)
result = exe.run(eval_program,
fetch_list=[out],
feed={input_layer.name: img})
result = result[0][0]
o_label = np.argsort(result)[::-1][:1][0]
print("原始标签为{0}".format(o_label))
if o_label == int(label):
adv_img = attack_nontarget_by_FGSM(img, label)
#adv_img = attack_nontarget_by_PGD(img, label)
else:
print("{0}个样本已为对抗样本, name为{1}".format(num, filename))
img = tensor2img(img)
#print(img.shape)
image_name, image_ext = filename.split('.')
save_adv_image(img, output_dir + image_name + '.png')
num += 1
cout += 1
continue
image_name, image_ext = filename.split('.')
##Save adversarial image(.png)
save_adv_image(adv_img, output_dir + image_name + '.png')
org_img = tensor2img(img)
score = calc_mse(org_img, adv_img)
mse += score
num += 1
print("成功attack的有 {}".format(120 - cout))
print("ADV {} files, AVG MSE: {} ".format(len(original_files),
mse / len(original_files)))
def gen_adv():
mse = 0
original_files = get_original_file(input_dir + val_list)
for filename, gt_label in original_files:
img_path = input_dir + filename
img = process_img(img_path)
image_name, image_ext = filename.split('.')
adv_img = attack_driver(img, gt_label, filename)
save_adv_image(adv_img, output_dir + image_name + '.png')
org_img = tensor2img(img)
score = calc_mse(org_img, adv_img)
print(score)
mse += score
print("ADV {} files, AVG MSE: {} ".format(len(original_files), mse / len(original_files)))
def gen_adv():
mse = 0
original_files = get_original_file('input_image/' + val_list)
for filename, label in original_files:
img_path = input_dir + filename.split('.')[0] + '.png'
print("Image: {0} ".format(img_path))
img = process_img(img_path)
adv_img = attack_nontarget_by_SINIFGSM(img, label)
image_name, image_ext = filename.split('.')
# Save adversarial image(.png)
save_adv_image(adv_img, output_dir + image_name + '.png')
org_img = tensor2img(img)
score = calc_mse(org_img, adv_img)
mse += score
print("ADV {} files, AVG MSE: {} ".format(len(original_files),
mse / len(original_files)))
def gen_adv():
mse = 0
original_files = get_original_file('./input_image/' + val_list)
target_label_list = [
76, 18, 104, 36, 72, 72, 47, 92, 113, 5, 84, 74, 82, 34, 42, 84, 70,
98, 29, 87, 104, 94, 103, 61, 21, 83, 108, 104, 26, 112, 84, 107, 104,
45, 72, 19, 72, 75, 55, 104, 54, 104, 72, 74, 91, 25, 68, 107, 91, 41,
116, 21, 104, 56, 102, 51, 46, 87, 113, 19, 113, 85, 24, 93, 110, 102,
24, 84, 27, 38, 48, 43, 10, 32, 68, 87, 54, 12, 84, 29, 3, 13, 26, 2,
3, 106, 105, 34, 118, 66, 19, 74, 63, 42, 9, 113, 21, 6, 40, 40, 21,
104, 86, 23, 40, 12, 37, 20, 40, 12, 79, 15, 9, 48, 74, 51, 91, 79, 46,
80
]
# hard examples need use targeted attack
for filename, label in original_files[args.start_idx:args.end_idx]:
img_path = input_dir + filename.split('.')[0] + args.subfix
print("Image: {0} ".format(img_path))
img = process_img(img_path)
target = target_label_list[label - 1]
if IsTarget:
print('target class', target)
adv_img = attack_nontarget_by_FGSM(img, label, target)
# adv_img = attack_nontarget_by_FGSM(img, label)
image_name, image_ext = filename.split('.')
##Save adversarial image(.png)
save_adv_image(adv_img, output_dir + image_name + '.png')
org_img = tensor2img(img)
score = calc_mse(org_img, adv_img)
mse += score
print('MSE %.2f' % (score))
sys.stdout.flush()
print("ADV {} files, AVG MSE: {} ".format(len(original_files),
mse / len(original_files)))
def main(use_cuda):
"""
Advbox demo which demonstrate how to use advbox.
"""
main_prog = fluid.default_main_program()
output_target = './datasets/output_image/'
if not os.path.exists(output_target):
os.makedirs(output_target)
IMG_NAME = 'img'
LABEL_NAME = 'label'
global_id = 0
img = fluid.layers.data(name=IMG_NAME,
shape=[3, 224, 224],
dtype='float32')
label = fluid.layers.data(name=LABEL_NAME, shape=[1], dtype='int64')
noise = fluid.layers.create_parameter(
name="noise",
shape=[batch_size, 3, 224, 224],
dtype='float32',
default_initializer=fluid.initializer.Constant(0.0000001))
true_image = noise + img
r_image = fluid.layers.crop(true_image,
shape=[batch_size, 1, 224, 224],
offsets=[0, 0, 0, 0],
name='r_image')
g_image = fluid.layers.crop(true_image,
shape=[batch_size, 1, 224, 224],
offsets=[0, 1, 0, 0],
name='g_image')
b_image = fluid.layers.crop(true_image,
shape=[batch_size, 1, 224, 224],
offsets=[0, 2, 0, 0],
name='b_image')
max_mean = [0.485, 0.456, 0.406]
max_std = [0.229, 0.224, 0.225]
r_max = (1 - max_mean[0]) / max_std[0]
g_max = (1 - max_mean[1]) / max_std[1]
b_max = (1 - max_mean[2]) / max_std[2]
r_min = (0 - max_mean[0]) / max_std[0]
g_min = (0 - max_mean[1]) / max_std[1]
b_min = (0 - max_mean[2]) / max_std[2]
r_image = fluid.layers.clip(x=r_image, min=r_min, max=r_max)
g_image = fluid.layers.clip(x=g_image, min=g_min, max=g_max)
b_image = fluid.layers.clip(x=b_image, min=b_min, max=b_max)
true_image = fluid.layers.concat([r_image, g_image, b_image], axis=1)
loss, outs = create_net(true_image, label)
std = fluid.layers.assign(
np.array([[[0.229]], [[0.224]], [[0.225]]]).astype('float32'))
square = fluid.layers.square(noise * std * 255.0)
# avg l2 norm
loss2 = fluid.layers.reduce_sum(square, dim=1)
loss2 = fluid.layers.sqrt(loss2)
loss2 = fluid.layers.reduce_mean(loss2)
#avg mse
# loss2 = fluid.layers.reduce_mean(square)
loss = loss + 0.005 * loss2
init_prog(main_prog)
test_prog = main_prog.clone()
lr = fluid.layers.create_global_var(shape=[1],
value=0.02,
dtype='float32',
persistable=True,
name='learning_rate_0')
opt = fluid.optimizer.Adam(learning_rate=lr)
opt.minimize(loss, parameter_list=[noise.name])
# 根据配置选择使用CPU资源还是GPU资源
place = fluid.CUDAPlace(0) if use_cuda else fluid.CPUPlace()
exe = fluid.Executor(place)
exe.run(fluid.default_startup_program())
test_reader = paddle.batch(test_set(), batch_size=batch_size)
load_params(exe)
fail_count = 0
for block in main_prog.blocks:
for var in block.vars.keys():
if 'learning_rate' in var:
pd_lr = fluid.global_scope().find_var(var)
print(var)
if 'beta1_pow_acc' in var:
pd_noise_beta1 = fluid.global_scope().find_var(var)
print(var)
if 'moment1' in var:
pd_noise_mom1 = fluid.global_scope().find_var(var)
print(var)
if 'beta2_pow_acc' in var:
pd_noise_beta2 = fluid.global_scope().find_var(var)
print(var)
if 'moment2' in var:
pd_noise_mom2 = fluid.global_scope().find_var(var)
print(var)
print(np.array(pd_lr.get_tensor()))
for train_id, data in enumerate(test_reader()):
images = []
labels = []
filenames = []
for i in range(batch_size):
images.append(data[i][0][0])
labels.append([data[i][1]])
filenames.append(data[i][2])
# image = data[0][0]
# label = data[0][1]
# label = np.array([[label]])
# filename = data[0][2]
images = np.array(images)
labels = np.array(labels)
for block in main_prog.blocks:
for param in block.all_parameters():
if param.name == 'noise':
pd_var = fluid.global_scope().find_var(param.name)
pd_param = pd_var.get_tensor()
print("load: {}, shape: {}".format(param.name,
param.shape))
print("Before setting the numpy array value: {}".format(
np.array(pd_param).ravel()[:5]))
noise_tensor = np.zeros(param.shape).astype('float32')
noise_tensor[:] = 1e-7
pd_param.set(noise_tensor, place)
print("After setting the numpy array value: {}".format(
np.array(pd_param).ravel()[:5]))
# pd_lr.get_tensor().set(np.array([0.02]).astype('float32'), place)
if batch_size > 1:
pd_noise_beta1.get_tensor().set(
np.array([0.9]).astype('float32'), place)
pd_noise_beta2.get_tensor().set(
np.array([0.999]).astype('float32'), place)
pd_noise_mom1.get_tensor().set(
np.zeros(shape=[batch_size, 3, 224, 224]).astype('float32'),
place)
pd_noise_mom2.get_tensor().set(
np.zeros(shape=[batch_size, 3, 224, 224]).astype('float32'),
place)
i = 0
fetch_list = [true_image, lr, loss, loss2, noise]
mean_np = np.array([[[[0.485]], [[0.456]],
[[0.406]]]]).astype('float32')
std_np = np.array([[[[0.229]], [[0.224]],
[[0.225]]]]).astype('float32')
ori_img = np.round((images * std_np + mean_np) * 255.0)
ori_img = np.clip(ori_img, 0, 255).astype('uint8')
while True:
if i == 0:
test_vars = exe.run(program=test_prog,
feed={
'img': images,
'label': labels
},
fetch_list=outs)
for m in range(batch_size):
str = 'First step test network,id:{},'.format(global_id +
1)
global_id += 1
adv_labels = []
for j in range(len(outs)):
o = test_vars[j][m]
adv_label = np.argmax(o)
adv_labels.append(adv_label)
str += 'adv{}:%d,'.format(j + 1)
print(str % (*adv_labels, ))
train_vars = exe.run(program=fluid.default_main_program(),
feed={
'img': images,
'label': labels
},
fetch_list=fetch_list)
n = train_vars[-1]
l2 = train_vars[-2]
l1 = train_vars[-3]
lr1 = train_vars[-4]
tr_img = train_vars[-5]
adv_img = n + images
adv_img = np.round((adv_img * std_np + mean_np) * 255.0)
adv_img = np.clip(adv_img, 0, 255).astype('uint8')
diff = adv_img.astype('float32') - ori_img.astype('float32')
avg_mse = diff * diff
# avg l2 norm
l2_norm = np.sum(avg_mse, axis=1)
l2_norm = np.sqrt(l2_norm)
l2_norm = np.mean(l2_norm, axis=(1, 2))
# avg mse
avg_mse = np.mean(avg_mse, axis=(1, 2, 3))
test_vars = exe.run(program=test_prog,
feed={
'img': images,
'label': labels
},
fetch_list=outs)
successful = batch_size * len(outs)
for m in range(batch_size):
str = 'batch:%d,id:{},lr:%f,loss1:%f,loss2:%f,avg_mse:%f,l2_norm:%f,'.format(
train_id * batch_size + m + 1)
adv_labels = []
for j in range(len(outs)):
o = test_vars[j][m]
adv_label = np.argmax(o)
adv_labels.append(adv_label)
str += 'adv{}:%d,'.format(j + 1)
print(str %
(i, lr1, l1, l2, avg_mse[m], l2_norm[m], *adv_labels))
for adv_label in adv_labels:
if adv_label == labels[m]:
successful -= 1
i += 1
if (successful >= batch_size * len(outs) - 1
and np.mean(l2_norm) < 1.0) or i == 3000:
if successful >= batch_size * len(outs) - 1:
print('attack successful')
else:
print('attack failed')
fail_count += 1
break
print("failed:%d" % (fail_count, ))
adv_img = adv_img.astype('float32') / 255.0
adv_img = adv_img - mean_np
adv_img = adv_img / std_np
for m in range(batch_size):
adv_image = tensor2img(adv_img[m][np.newaxis, :, :, :])
ori_image = tensor2img(images[m][np.newaxis, :, :, :])
print('id:{},mse:{}'.format(train_id * batch_size + m + 1,
call_avg_mse_np(adv_image, ori_image)))
save_adv_image(
adv_image,
os.path.join(output_target,
filenames[m].split('.')[0] + '.png'))
print("attack over ,failed:%d" % (fail_count, ))
def gen_adv():
mse = 0
num = 1
original_files = get_original_file(input_dir + val_list)
f = open('log.txt', 'w') # log
for filename, label in original_files:
img_path = input_dir + filename
print("Image: {0} ".format(img_path))
img = process_img(img_path)
Res_result, Inception_result, Mob_result = exe.run(
double_eval_program,
fetch_list=[Res_out, Inception_out, Mob_out],
feed={input_layer.name: img})
Res_result = Res_result[0]
Inception_result = Inception_result[0]
Mob_result = Mob_result[0]
r_o_label = np.argsort(Res_result)[::-1][:1][0]
i_o_label = np.argsort(Inception_result)[::-1][:1][0]
m_o_label = np.argsort(Mob_result)[::-1][:1][0]
pred_label = [r_o_label, i_o_label, m_o_label]
print("原始标签为{0}".format(label))
print("Res result: %d, Inception result: %d, Mobile result: %d" %
(r_o_label, i_o_label, m_o_label))
f.write("原始标签为{0}\n".format(label))
f.write("Res result: %d, Inception result: %d, Mobile result: %d\n" %
(r_o_label, i_o_label, m_o_label))
if r_o_label == int(label) and i_o_label == int(
label) and m_o_label == int(label):
global Res_ratio, Incep_ratio, Mob_ratio
Res_ratio = 30.0 / 43.0
Incep_ratio = 10.0 / 43.0
Mob_ratio = 3.0 / 43.0
adv_img = attack_nontarget_by_PGD(
double_adv_program,
img,
pred_label,
label,
out=[Res_out, Inception_out, Mob_out])
image_name, image_ext = filename.split('.')
##Save adversarial image(.png)
org_img = tensor2img(img)
score = calc_mse(org_img, adv_img)
#image_name += "MSE_{}".format(score)
save_adv_image(adv_img, output_dir + image_name + '.png')
mse += score
elif r_o_label == int(label) and m_o_label == int(
label): # Inception 预测错误
print("filename:{}, Inception failed!".format(filename))
Res_ratio = 0.9
Incep_ratio = 0
Mob_ratio = 0.1
adv_img = attack_nontarget_by_PGD(double_adv_program,
img, [r_o_label, 0, m_o_label],
label,
out=[Res_out, Mob_out])
image_name, image_ext = filename.split('.')
##Save adversarial image(.png)
org_img = tensor2img(img)
score = calc_mse(org_img, adv_img)
#image_name += "MSE_{}".format(score)
save_adv_image(adv_img, output_dir + image_name + '.png')
mse += score
elif r_o_label == int(label) and i_o_label == int(
label): # Mobile 预测错误
print("filename:{}, Mobile failed!".format(filename))
Res_ratio = 0.75
Incep_ratio = 0.25
Mob_ratio = 0
adv_img = attack_nontarget_by_PGD(double_adv_program,
img, [r_o_label, i_o_label, 0],
label,
out=[Res_out, Inception_out])
image_name, image_ext = filename.split('.')
##Save adversarial image(.png)
org_img = tensor2img(img)
score = calc_mse(org_img, adv_img)
# image_name += "MSE_{}".format(score)
save_adv_image(adv_img, output_dir + image_name + '.png')
mse += score
elif r_o_label == int(label): # Mobile, Inception 预测错误
print("filename:{}, Mobile failed!, Inception failed!".format(
filename))
Res_ratio = 1.0
Incep_ratio = 0.0
Mob_ratio = 0.0
adv_img = attack_nontarget_by_PGD(double_adv_program,
img, [r_o_label, 0, 0],
label,
out=[Res_out])
image_name, image_ext = filename.split('.')
##Save adversarial image(.png)
org_img = tensor2img(img)
score = calc_mse(org_img, adv_img)
# image_name += "MSE_{}".format(score)
save_adv_image(adv_img, output_dir + image_name + '.png')
mse += score
else:
print("{0}个样本已为对抗样本, name为{1}".format(num, filename))
score = 0
f.write("{0}个样本已为对抗样本, name为{1}\n".format(num, filename))
img = tensor2img(img)
image_name, image_ext = filename.split('.')
#image_name += "_un_adv_"
save_adv_image(img, output_dir + image_name + '.png')
print("this rext network weight is {0}".format(Res_ratio))
num += 1
print("the image's mse is {}".format(score))
# break
print("ADV {} files, AVG MSE: {} ".format(len(original_files),
mse / len(original_files)))
#print("ADV {} files, AVG MSE: {} ".format(len(original_files - num), mse / len(original_files - num)))
f.write("ADV {} files, AVG MSE: {} ".format(len(original_files),
mse / len(original_files)))
f.close()