def build_pgd_linf_stadv_att(classifier_net, normalizer):
    """Build attack parameters for a PGD attack composing an additive L_inf
    delta with an stAdv spatial-flow perturbation.

    The delta layer is excluded from the norm penalty (weight 0.0); only the
    flow magnitude is regularized.
    """
    # Additive perturbation, L_inf bounded.
    delta_threat = ap.ThreatModel(
        ap.DeltaAddition,
        ap.PerturbationParameters(lp_style='inf', lp_bound=L_INF_BOUND))

    # Spatial-transform (stAdv) flow perturbation, also L_inf bounded.
    flow_threat = ap.ThreatModel(
        ap.ParameterizedXformAdv,
        ap.PerturbationParameters(lp_style='inf',
                                  lp_bound=FLOW_LINF_BOUND,
                                  xform_class=st.FullSpatial,
                                  use_stadv=True))

    # Apply delta first, then flow; only the flow norm is weighted.
    sequence_threat = ap.ThreatModel(
        ap.SequentialPerturbation,
        [delta_threat, flow_threat],
        ap.PerturbationParameters(norm_weights=[0.00, 1.00]))

    # CW-f6 classification loss plus an L2 perturbation-norm penalty,
    # negated so the PGD minimizer maximizes adversarial loss.
    adversarial_loss = lf.CWLossF6(classifier_net, normalizer)
    norm_penalty = lf.PerturbationNormLoss(lp=2)
    combined_loss = lf.RegularizedLoss(
        {'adv': adversarial_loss, 'st': norm_penalty},
        {'adv': 1.0, 'st': 0.05},
        negate=True)

    attack_kwargs = copy.deepcopy(GLOBAL_ATK_KWARGS)
    attack_kwargs['optimizer_kwargs']['lr'] = 0.001

    attack_obj = aa.PGD(classifier_net, normalizer, sequence_threat,
                        combined_loss)
    return advtrain.AdversarialAttackParameters(
        attack_obj, 1.0,
        attack_specific_params={'attack_kwargs': attack_kwargs})
def build_full_attack(classifier_net, normalizer, use_gpu):
    """Build attack parameters combining four perturbation layers:
    additive L_inf delta, stAdv flow, translation, and rotation.

    The delta layer carries zero weight in the norm penalty; the three
    geometric layers are weighted equally.
    """
    delta_threat = ap.ThreatModel(
        ap.DeltaAddition,
        ap.PerturbationParameters(lp_style='inf', lp_bound=L_INF_BOUND,
                                  use_gpu=use_gpu))
    trans_threat = ap.ThreatModel(
        ap.ParameterizedXformAdv,
        ap.PerturbationParameters(lp_style=1, lp_bound=0.05,
                                  xform_class=st.TranslationTransform,
                                  use_gpu=use_gpu))
    flow_threat = ap.ThreatModel(
        ap.ParameterizedXformAdv,
        ap.PerturbationParameters(lp_style='inf',
                                  lp_bound=FLOW_LINF_BOUND,
                                  xform_class=st.FullSpatial,
                                  use_gpu=use_gpu,
                                  use_stadv=True))
    # Rotation bounded to +/- 7.5 degrees (pi/24 radians).
    rotation_threat = ap.ThreatModel(
        ap.ParameterizedXformAdv,
        ap.PerturbationParameters(xform_class=st.RotationTransform,
                                  lp_style='inf',
                                  lp_bound=math.pi / 24.,
                                  use_gpu=use_gpu))

    sequence_threat = ap.ThreatModel(
        ap.SequentialPerturbation,
        [delta_threat, flow_threat, trans_threat, rotation_threat],
        ap.PerturbationParameters(norm_weights=[0.0, 1.0, 1.0, 1.0]))

    # CW-f6 adversarial loss + L2 norm penalty, negated for maximization.
    adversarial_loss = lf.CWLossF6(classifier_net, normalizer)
    norm_penalty = lf.PerturbationNormLoss(lp=2)
    combined_loss = lf.RegularizedLoss(
        {'adv': adversarial_loss, 'st': norm_penalty},
        {'adv': 1.0, 'st': 0.05},
        negate=True)

    attack_kwargs = copy.deepcopy(GLOBAL_ATK_KWARGS)
    attack_kwargs['optimizer_kwargs']['lr'] = 0.001

    attack_obj = aar.PGD(classifier_net, normalizer, sequence_threat,
                         combined_loss, use_gpu=use_gpu)
    return advtrain.AdversarialAttackParameters(
        attack_obj, 1.0,
        attack_specific_params={'attack_kwargs': attack_kwargs})
def get_pgd(dataset='mnist'):
    """Return a PGD attack object for `dataset` with an L_inf delta threat.

    `classifier_net` and `loss_fxn` are left as None — presumably attached
    by the caller before use (TODO confirm against call sites).
    """
    eps, normalizer = _get_settings(dataset)
    threat = ap.ThreatModel(
        ap.DeltaAddition,
        ap.PerturbationParameters(lp_style='inf', lp_bound=eps,
                                  manual_gpu=True))
    return aa.PGD(classifier_net=None, normalizer=normalizer,
                  threat_model=threat, loss_fxn=None, manual_gpu=True)
def build_fgsm_attack(classifier_net, normalizer):
    """Build attack parameters for a single-step FGSM attack with an
    additive L_inf delta threat and vanilla cross-entropy loss.

    Fix: the FGSM constructor previously received ``cifar_normer`` — a name
    not defined in this function and inconsistent with every sibling
    builder — instead of the ``normalizer`` argument. The passed-in
    normalizer is now used.
    """
    delta_threat = ap.ThreatModel(
        ap.DeltaAddition,
        ap.PerturbationParameters(lp_style='inf', lp_bound=L_INF_BOUND))
    attack_loss = plf.VanillaXentropy(classifier_net, normalizer)
    # BUG FIX: was `cifar_normer`; use the normalizer given to this builder.
    fgsm_attack = aa.FGSM(classifier_net, normalizer, delta_threat,
                          attack_loss)
    attack_kwargs = {'verbose': GLOBAL_ATK_KWARGS['verbose']}
    params = advtrain.AdversarialAttackParameters(
        fgsm_attack, 1.0,
        attack_specific_params={'attack_kwargs': attack_kwargs})
    return params
def get_cw(dataset='mnist'):
    """Return a Carlini-Wagner attack object for `dataset`.

    Uses an L_inf delta threat, soft-L_inf distance regularization, and the
    CW f6 loss. `classifier_net` is left as None — presumably attached by
    the caller before use (TODO confirm against call sites).
    """
    eps, normalizer = _get_settings(dataset)
    threat = ap.ThreatModel(
        ap.DeltaAddition,
        ap.PerturbationParameters(lp_style='inf', lp_bound=eps,
                                  manual_gpu=True))
    return aa.CarliniWagner(classifier_net=None,
                            normalizer=normalizer,
                            threat_model=threat,
                            distance_fxn=lf.SoftLInfRegularization,
                            carlini_loss=lf.CWLossF6,
                            manual_gpu=True)
def build_pgd_linf_attack(classifier_net, normalizer, use_gpu):
    """Build attack parameters for a plain L_inf PGD attack driven by the
    prebuilt vanilla cross-entropy loss."""
    delta_threat = ap.ThreatModel(
        ap.DeltaAddition,
        ap.PerturbationParameters(lp_style='inf', lp_bound=L_INF_BOUND,
                                  use_gpu=use_gpu))
    xent_loss = plf.VanillaXentropy(classifier_net, normalizer=normalizer)
    attack_obj = aar.PGD(classifier_net, normalizer, delta_threat, xent_loss)
    # Use the shared global PGD settings unchanged.
    attack_kwargs = copy.deepcopy(GLOBAL_ATK_KWARGS)
    return advtrain.AdversarialAttackParameters(
        attack_obj, 1.0,
        attack_specific_params={'attack_kwargs': attack_kwargs})
def build_delta_fgsm(model, normalizer, linf_bound=L_INF_BOUND,
                     use_gpu=USE_GPU, verbose=False, adv_loss='xentropy',
                     output='attack'):
    """Build an FGSM attack over an additive L_inf delta threat.

    Args:
        model: classifier network to attack.
        normalizer: input normalizer for `model`.
        linf_bound: L_inf bound on the additive delta.
        use_gpu: whether threat/attack/eval run on GPU.
        verbose: passed through to the attack kwargs.
        adv_loss: 'xentropy' or 'cw' — which adversarial loss to use.
        output: 'attack', 'params', or 'eval' — what object to return.

    Fix: the EvaluationResult previously received the module-level
    ``USE_GPU`` constant, silently ignoring the ``use_gpu`` parameter; it
    now honors the parameter like the rest of the function.
    """
    # Build threat
    delta_threat = ap.ThreatModel(
        ap.DeltaAddition,
        ap.PerturbationParameters(lp_style='inf', lp_bound=linf_bound,
                                  use_gpu=use_gpu))

    # Build loss
    assert adv_loss in ['xentropy', 'cw']
    if adv_loss == 'xentropy':
        attack_loss = plf.VanillaXentropy(model, normalizer)
    else:
        cw_loss = lf.CWLossF6(model, normalizer)
        attack_loss = lf.RegularizedLoss({'adv': cw_loss}, {'adv': 1.0})

    # Build attack
    fgsm_attack = aar.FGSM(model, normalizer, delta_threat, attack_loss,
                           use_gpu=use_gpu)

    # Return based on output arg
    assert output in ['attack', 'params', 'eval']
    if output == 'attack':
        return fgsm_attack

    attack_kwargs = {'verbose': verbose}
    params = advtrain.AdversarialAttackParameters(
        fgsm_attack, 1.0,
        attack_specific_params={'attack_kwargs': attack_kwargs})
    if output == 'params':
        return params

    to_eval = {'top1': 'top1', 'lpips': 'avg_successful_lpips'}
    # BUG FIX: was use_gpu=USE_GPU (global), ignoring the parameter.
    eval_result = adveval.EvaluationResult(params, model, normalizer,
                                           to_eval=to_eval,
                                           use_gpu=use_gpu)
    return eval_result
def build_delta_pgd(model, normalizer, linf_bound=L_INF_BOUND,
                    manual_gpu=None, verbose=False, adv_loss='cw',
                    num_iter=PGD_ITER, loss_convergence=LOSS_CONVERGENCE,
                    output='attack', extra_attack_kwargs=None):
    """Build a PGD attack over an additive L_inf delta threat.

    Args:
        model: classifier network to attack.
        normalizer: input normalizer for `model`.
        linf_bound: L_inf bound on the additive delta.
        manual_gpu: GPU flag forwarded to threat/attack/eval constructors.
        verbose: passed through to the attack kwargs.
        adv_loss: 'xentropy' or 'cw' — which adversarial loss to use.
        num_iter: number of PGD iterations.
        loss_convergence: early-stop threshold forwarded to the attack.
        output: 'attack', 'params', or 'eval' — what object to return.
        extra_attack_kwargs: optional dict merged over the default kwargs.
    """
    # Build threat
    delta_threat = ap.ThreatModel(
        ap.DeltaAddition,
        ap.PerturbationParameters(lp_style='inf', lp_bound=linf_bound,
                                  manual_gpu=manual_gpu))

    # Build loss
    assert adv_loss in ['xentropy', 'cw']
    if adv_loss == 'xentropy':
        attack_loss = plf.VanillaXentropy(model, normalizer)
    else:
        cw_loss = lf.CWLossF6(model, normalizer)
        attack_loss = lf.RegularizedLoss({'adv': cw_loss}, {'adv': 1.0},
                                         negate=True)

    # Build attack
    pgd_attack = aa.PGD(model, normalizer, delta_threat, attack_loss,
                        manual_gpu=manual_gpu)

    # Return based on output arg
    assert output in ['attack', 'params', 'eval']
    if output == 'attack':
        return pgd_attack

    merged_kwargs = {'num_iterations': num_iter,
                     'signed': False,
                     'optimizer': optim.Adam,
                     'optimizer_kwargs': {'lr': 0.01},
                     'verbose': verbose,
                     'loss_convergence': loss_convergence}
    merged_kwargs.update(extra_attack_kwargs or {})

    params = advtrain.AdversarialAttackParameters(
        pgd_attack, 1.0,
        attack_specific_params={'attack_kwargs': merged_kwargs})
    if output == 'params':
        return params

    to_eval = {'top1': 'top1', 'lpips': 'avg_successful_lpips'}
    return adveval.EvaluationResult(params, to_eval=to_eval,
                                    manual_gpu=manual_gpu)
def build_rotation_translation_attack(classifier_net, normalizer, use_gpu):
    """Build attack parameters for a PGD attack composing an additive
    L_inf delta with translation and rotation transforms, driven by
    vanilla cross-entropy loss."""
    delta_threat = ap.ThreatModel(
        ap.DeltaAddition,
        ap.PerturbationParameters(lp_style='inf', lp_bound=L_INF_BOUND,
                                  use_gpu=use_gpu))
    trans_threat = ap.ThreatModel(
        ap.ParameterizedXformAdv,
        ap.PerturbationParameters(lp_style=1, lp_bound=0.05,
                                  xform_class=st.TranslationTransform,
                                  use_gpu=use_gpu))
    # Rotation bounded to +/- 7.5 degrees (pi/24 radians).
    rotation_threat = ap.ThreatModel(
        ap.ParameterizedXformAdv,
        ap.PerturbationParameters(xform_class=st.RotationTransform,
                                  lp_style='inf',
                                  lp_bound=math.pi / 24.,
                                  use_gpu=use_gpu))
    # No explicit norm weights: perturbations composed in order.
    sequence_threat = ap.ThreatModel(
        ap.SequentialPerturbation,
        [delta_threat, trans_threat, rotation_threat])

    attack_kwargs = copy.deepcopy(GLOBAL_ATK_KWARGS)
    attack_kwargs['optimizer_kwargs']['lr'] = 0.001

    xent_loss = plf.VanillaXentropy(classifier_net, normalizer)
    attack_obj = aar.PGD(classifier_net, normalizer, sequence_threat,
                         xent_loss, use_gpu=use_gpu)
    return advtrain.AdversarialAttackParameters(
        attack_obj, 1.0,
        attack_specific_params={'attack_kwargs': attack_kwargs})
def build_stadv_rot_trans_pgd(model, normalizer, flow_bound=FLOW_LINF,
                              trans_bound=TRANS_LINF, rot_bound=ROT_LINF,
                              use_gpu=USE_GPU, verbose=False, adv_loss='cw',
                              num_iter=PGD_ITER,
                              loss_convergence=LOSS_CONVERGENCE,
                              output='attack', extra_attack_kwargs=None):
    """Build a PGD attack composing stAdv flow, translation, and rotation
    perturbations.

    Args:
        model: classifier network to attack.
        normalizer: input normalizer for `model`.
        flow_bound / trans_bound / rot_bound: L_inf bounds per layer.
        use_gpu: whether threat/attack/eval run on GPU.
        verbose: passed through to the attack kwargs.
        adv_loss: 'cw' or 'xentropy' — which adversarial loss to use.
        num_iter: number of PGD iterations.
        loss_convergence: early-stop threshold forwarded to the attack.
        output: 'attack', 'params', or 'eval' — what object to return.
        extra_attack_kwargs: optional dict merged over the default kwargs.

    Fix: norm_weights previously listed four weights for a three-layer
    sequence; trimmed to one weight per perturbation layer.
    """
    # Build threat
    flow_threat = ap.ThreatModel(
        ap.ParameterizedXformAdv,
        ap.PerturbationParameters(lp_style='inf', lp_bound=flow_bound,
                                  xform_class=st.FullSpatial,
                                  use_gpu=use_gpu,
                                  use_stadv=True))
    trans_threat = ap.ThreatModel(
        ap.ParameterizedXformAdv,
        ap.PerturbationParameters(lp_style='inf', lp_bound=trans_bound,
                                  xform_class=st.TranslationTransform,
                                  use_gpu=use_gpu))
    rotation_threat = ap.ThreatModel(
        ap.ParameterizedXformAdv,
        ap.PerturbationParameters(xform_class=st.RotationTransform,
                                  lp_style='inf', lp_bound=rot_bound,
                                  use_gpu=use_gpu))
    # BUG FIX: was [1.00, 1.00, 1.0, 1.0] — four weights for three layers.
    sequence_threat = ap.ThreatModel(
        ap.SequentialPerturbation,
        [flow_threat, trans_threat, rotation_threat],
        ap.PerturbationParameters(norm_weights=[1.0, 1.0, 1.0]))

    # Build loss
    assert adv_loss in ['cw', 'xentropy']
    if adv_loss == 'xentropy':
        adv_loss_obj = lf.PartialXentropy(model, normalizer=normalizer)
    else:
        adv_loss_obj = lf.CWLossF6(model, normalizer)
    st_loss = lf.PerturbationNormLoss(lp=2)
    loss_fxn = lf.RegularizedLoss({'adv': adv_loss_obj,
                                   'st': st_loss},
                                  {'adv': 1.0,
                                   'st': 0.05},
                                  negate=True)

    # Build attack
    optimizer = optim.Adam
    optimizer_kwargs = {'lr': 0.001}
    pgd_attack = aar.PGD(model, normalizer, sequence_threat, loss_fxn,
                         use_gpu=use_gpu)

    assert output in ['attack', 'params', 'eval']
    if output == 'attack':
        return pgd_attack

    pgd_kwargs = {
        'num_iterations': num_iter,
        'signed': False,
        'optimizer': optimizer,
        'optimizer_kwargs': optimizer_kwargs,
        'verbose': verbose,
        'loss_convergence': loss_convergence
    }
    if extra_attack_kwargs is not None:
        pgd_kwargs.update(extra_attack_kwargs)

    params = advtrain.AdversarialAttackParameters(
        pgd_attack, 1.0,
        attack_specific_params={'attack_kwargs': pgd_kwargs})
    if output == 'params':
        return params

    to_eval = {'top1': 'top1', 'lpips': 'avg_successful_lpips'}
    eval_result = adveval.EvaluationResult(params, model, normalizer,
                                           to_eval=to_eval,
                                           use_gpu=use_gpu)
    return eval_result
def build_delta_rot_trans_pgd(model, normalizer, delta_bound=L_INF_BOUND,
                              trans_bound=TRANS_LINF, rot_bound=ROT_LINF,
                              use_gpu=USE_GPU, verbose=False, adv_loss='cw',
                              num_iter=PGD_ITER,
                              loss_convergence=LOSS_CONVERGENCE,
                              output='attack', extra_attack_kwargs=None):
    """Build a PGD attack composing an additive L_inf delta with
    translation and rotation perturbations.

    Args:
        model: classifier network to attack.
        normalizer: input normalizer for `model`.
        delta_bound / trans_bound / rot_bound: L_inf bounds per layer.
        use_gpu: whether threat/attack/eval run on GPU.
        verbose: passed through to the attack kwargs.
        adv_loss: 'xentropy' or 'cw' — which adversarial loss to use.
        num_iter: number of PGD iterations.
        loss_convergence: early-stop threshold forwarded to the attack.
        output: 'attack', 'params', or 'eval' — what object to return.
        extra_attack_kwargs: optional dict merged over the default kwargs.

    Fix: the EvaluationResult previously received the module-level
    ``USE_GPU`` constant instead of the ``use_gpu`` parameter.
    """
    # Build threat
    delta_threat = ap.ThreatModel(
        ap.DeltaAddition,
        ap.PerturbationParameters(lp_style='inf', lp_bound=delta_bound,
                                  use_gpu=use_gpu))
    trans_threat = ap.ThreatModel(
        ap.ParameterizedXformAdv,
        ap.PerturbationParameters(lp_style='inf', lp_bound=trans_bound,
                                  xform_class=st.TranslationTransform,
                                  use_gpu=use_gpu))
    rotation_threat = ap.ThreatModel(
        ap.ParameterizedXformAdv,
        ap.PerturbationParameters(xform_class=st.RotationTransform,
                                  lp_style='inf', lp_bound=rot_bound,
                                  use_gpu=use_gpu))
    sequence_threat = ap.ThreatModel(
        ap.SequentialPerturbation,
        [delta_threat, trans_threat, rotation_threat])

    # Build loss
    assert adv_loss in ['xentropy', 'cw']
    if adv_loss == 'xentropy':
        attack_loss = plf.VanillaXentropy(model, normalizer)
    else:
        cw_loss = lf.CWLossF6(model, normalizer)
        attack_loss = lf.RegularizedLoss({'adv': cw_loss}, {'adv': 1.0},
                                         negate=True)

    # Build attack
    pgd_attack = aar.PGD(model, normalizer, sequence_threat, attack_loss,
                         use_gpu=use_gpu)

    # Return based on output arg
    assert output in ['attack', 'params', 'eval']
    if output == 'attack':
        return pgd_attack

    extra_attack_kwargs = extra_attack_kwargs or {}
    optimizer = optim.Adam
    optimizer_kwargs = {'lr': 0.01}
    pgd_kwargs = {
        'num_iterations': num_iter,
        'signed': False,
        'optimizer': optimizer,
        'optimizer_kwargs': optimizer_kwargs,
        'verbose': verbose,
        'loss_convergence': loss_convergence
    }
    pgd_kwargs.update(extra_attack_kwargs)

    params = advtrain.AdversarialAttackParameters(
        pgd_attack, 1.0,
        attack_specific_params={'attack_kwargs': pgd_kwargs})
    if output == 'params':
        return params

    to_eval = {'top1': 'top1', 'lpips': 'avg_successful_lpips'}
    # BUG FIX: was use_gpu=USE_GPU (global), ignoring the parameter.
    eval_result = adveval.EvaluationResult(params, model, normalizer,
                                           to_eval=to_eval,
                                           use_gpu=use_gpu)
    return eval_result
def build_stadv_pgd(model, normalizer, linf_bound=FLOW_LINF,
                    use_gpu=USE_GPU, verbose=False, adv_loss='cw',
                    num_iter=PGD_ITER, loss_convergence=LOSS_CONVERGENCE,
                    use_stadv=True, output='attack', norm_hyperparam=0.05,
                    extra_attack_kwargs=None):
    """Build a PGD attack over a single stAdv spatial-flow threat.

    Args:
        model: classifier network to attack.
        normalizer: input normalizer for `model`.
        linf_bound: L_inf bound on the flow field.
        use_gpu: whether threat/attack/eval run on GPU.
        verbose: passed through to the attack kwargs.
        adv_loss: 'xentropy' or 'cw' — which adversarial loss to use.
        num_iter: number of PGD iterations.
        loss_convergence: early-stop threshold forwarded to the attack.
        use_stadv: whether the flow uses the stAdv smoothness norm.
        output: 'attack', 'params', or 'eval' — what object to return.
        norm_hyperparam: weight of the perturbation-norm penalty.
        extra_attack_kwargs: optional dict merged over the default kwargs.

    Fix: the EvaluationResult previously received the module-level
    ``USE_GPU`` constant instead of the ``use_gpu`` parameter.
    """
    # Build threat
    flow_threat = ap.ThreatModel(
        ap.ParameterizedXformAdv,
        ap.PerturbationParameters(lp_style='inf', lp_bound=linf_bound,
                                  xform_class=st.FullSpatial,
                                  use_gpu=use_gpu,
                                  use_stadv=use_stadv))

    # Build loss
    assert adv_loss in ['xentropy', 'cw']
    if adv_loss == 'xentropy':
        adv_loss_obj = lf.PartialXentropy(model, normalizer=normalizer)
    else:
        adv_loss_obj = lf.CWLossF6(model, normalizer)
    st_loss = lf.PerturbationNormLoss(lp=2)
    attack_loss = lf.RegularizedLoss({'adv': adv_loss_obj,
                                      'st': st_loss},
                                     {'adv': 1.0,
                                      'st': norm_hyperparam},
                                     negate=True)

    # Build attack
    pgd_attack = aar.PGD(model, normalizer, flow_threat, attack_loss,
                         use_gpu=use_gpu)

    # Return based on output arg
    assert output in ['attack', 'params', 'eval']
    if output == 'attack':
        return pgd_attack

    extra_attack_kwargs = extra_attack_kwargs or {}
    optimizer = optim.Adam
    optimizer_kwargs = {'lr': 0.01}
    pgd_kwargs = {
        'num_iterations': num_iter,
        'signed': False,
        'optimizer': optimizer,
        'optimizer_kwargs': optimizer_kwargs,
        'verbose': verbose,
        'loss_convergence': loss_convergence
    }
    pgd_kwargs.update(extra_attack_kwargs)

    params = advtrain.AdversarialAttackParameters(
        pgd_attack, 1.0,
        attack_specific_params={'attack_kwargs': pgd_kwargs})
    if output == 'params':
        return params

    to_eval = {'top1': 'top1', 'lpips': 'avg_successful_lpips'}
    # BUG FIX: was use_gpu=USE_GPU (global), ignoring the parameter.
    eval_result = adveval.EvaluationResult(params, model, normalizer,
                                           to_eval=to_eval,
                                           use_gpu=use_gpu)
    return eval_result
'lp_bound': [8 / 255, 8 / 255, 8 / 255], # [epsilon_1, epsilon_2, epsilon_3] 'xform_params': { 'resolution_x': 25, # R_1 'resolution_y': 25, # R_2 'resolution_z': 25, # R_3 }, 'use_smooth_loss': False, }) additive_threat = ap.ThreatModel(ap.DeltaAddition, { 'lp_style': 'inf', 'lp_bound': 8 / 255, }) combined_threat = ap.ThreatModel( ap.SequentialPerturbation, [recoloradv_threat, additive_threat], ap.PerturbationParameters(norm_weights=[1.0, 0.0]), ) if args.noise_type==0: noise = combined_threat() elif args.noise_type==1: noise = recoloradv_threat() elif args.noise_type == 2: noise = additive_threat() ####criterion criterion = [ TripletLoss(0.5, args.num_instances, False).cuda(), nn.CrossEntropyLoss().cuda()
def build_delta_stadv_pgd(model, normalizer, delta_bound=L_INF_BOUND,
                          flow_bound=FLOW_LINF, manual_gpu=None,
                          verbose=False, adv_loss='cw', num_iter=PGD_ITER,
                          loss_convergence=LOSS_CONVERGENCE,
                          output='attack', extra_attack_kwargs=None):
    """Build a PGD attack composing an additive L_inf delta with an stAdv
    spatial-flow perturbation.

    Args:
        model: classifier network to attack.
        normalizer: input normalizer for `model`.
        delta_bound / flow_bound: L_inf bounds on delta and flow layers.
        manual_gpu: GPU flag forwarded to threat/attack/eval constructors.
        verbose: passed through to the attack kwargs.
        adv_loss: 'cw' or 'xentropy' — which adversarial loss to use.
        num_iter: number of PGD iterations.
        loss_convergence: early-stop threshold forwarded to the attack.
        output: 'attack', 'params', or 'eval' — what object to return.
        extra_attack_kwargs: optional dict merged over the default kwargs.
    """
    # Build threat: delta applied first, then flow; only the flow norm is
    # weighted in the sequential perturbation penalty.
    delta_threat = ap.ThreatModel(
        ap.DeltaAddition,
        ap.PerturbationParameters(lp_style='inf', lp_bound=delta_bound,
                                  manual_gpu=manual_gpu))
    flow_threat = ap.ThreatModel(
        ap.ParameterizedXformAdv,
        ap.PerturbationParameters(lp_style='inf', lp_bound=flow_bound,
                                  xform_class=st.FullSpatial,
                                  manual_gpu=manual_gpu,
                                  use_stadv=True))
    sequence_threat = ap.ThreatModel(
        ap.SequentialPerturbation,
        [delta_threat, flow_threat],
        ap.PerturbationParameters(norm_weights=[0.00, 1.00]))

    # Build loss. Xentropy is negated via a -1.0 scale on the adv term.
    assert adv_loss in ['cw', 'xentropy']
    if adv_loss == 'xentropy':
        adv_loss_obj = lf.PartialXentropy(model, normalizer=normalizer)
        adv_loss_scale = -1.0
    else:
        adv_loss_obj = lf.CWLossF6(model, normalizer)
        adv_loss_scale = 1.0
    norm_penalty = lf.PerturbationNormLoss(lp=2)
    loss_fxn = lf.RegularizedLoss(
        {'adv': adv_loss_obj, 'st': norm_penalty},
        {'adv': adv_loss_scale, 'st': 0.05},
        negate=True)

    # Build attack
    pgd_attack = aa.PGD(model, normalizer, sequence_threat, loss_fxn,
                        manual_gpu=manual_gpu)

    assert output in ['attack', 'params', 'eval']
    if output == 'attack':
        return pgd_attack

    pgd_kwargs = {'num_iterations': num_iter,
                  'signed': False,
                  'optimizer': optim.Adam,
                  'optimizer_kwargs': {'lr': 0.001},
                  'verbose': verbose,
                  'loss_convergence': loss_convergence}
    if extra_attack_kwargs is not None:
        pgd_kwargs.update(extra_attack_kwargs)

    params = advtrain.AdversarialAttackParameters(
        pgd_attack, 1.0,
        attack_specific_params={'attack_kwargs': pgd_kwargs})
    if output == 'params':
        return params

    to_eval = {'top1': 'top1', 'lpips': 'avg_successful_lpips'}
    return adveval.EvaluationResult(params, to_eval=to_eval,
                                    manual_gpu=manual_gpu)