def get_attack(attack, fmodel):
args = []
kwargs = {}
# L0
if attack == 'SAPA':
A = fa.SaltAndPepperNoiseAttack()
elif attack == 'PA':
A = fa.L1BrendelBethgeAttack()
# L2
elif 'IGD' in attack:
A = fa.L2BasicIterativeAttack()
elif attack == 'AGNA':
A = fa.L2AdditiveGaussianNoiseAttack()
elif attack == 'BA':
A = fa.BoundaryAttack()
elif 'DeepFool' in attack:
A = fa.L2DeepFoolAttack()
elif attack == 'PAL2':
A = fa.L2BrendelBethgeAttack()
elif attack == "CWL2":
A = fa.L2CarliniWagnerAttack()
# L inf
elif 'FGSM' in attack and not 'IFGSM' in attack:
A = fa.FGSM()
elif 'PGD' in attack:
A = fa.LinfPGD()
elif 'IGM' in attack:
A = fa.LinfBrendelBethgeAttack()
else:
raise Exception('Not implemented')
return A, 0, 0, 0
def main():
parser = argparse.ArgumentParser()
parser.add_argument('--steps',
type=int,
default=20000,
help='Iteration of BA')
parser.add_argument('--targeted',
action='store',
default=False,
help='For targeted attack')
args = parser.parse_args()
model = Net()
model.load_state_dict(torch.load('mnist_cnn.pt'))
model.eval()
preprocessing = dict(mean=0.1307, std=0.3081)
fmodel = PyTorchModel(model, bounds=(0, 1), preprocessing=preprocessing)
fmodel = fmodel.transform_bounds((0, 1))
assert fmodel.bounds == (0, 1)
images, labels = ep.astensors(
*samples(fmodel, dataset="mnist", batchsize=10))
print('Model accuracy on clean examples: {}'.format(
accuracy(fmodel, images, labels)))
if args.targeted:
target_class = (labels + 7) % 10
criterion = fb.criteria.TargetedMisclassification(target_class)
else:
criterion = fb.criteria.Misclassification(labels)
attack = fa.BoundaryAttack(steps=args.steps, tensorboard=None)
epsilons = np.linspace(0.01, 10, 20)
raw, clipped, success = attack(fmodel, images, labels, epsilons=epsilons)
robust_accuracy = 1 - success.float32().mean(axis=-1)
plt.plot(epsilons, robust_accuracy.numpy())
plt.xlabel("Epsilons")
plt.ylabel("Robust Accuracy")
plt.savefig('mnist_BA_robust_acc.jpg')
plt.show()
mean_distance = []
for i in range(len(clipped)):
dist = np.mean(fb.distances.l2(clipped[i], images).numpy())
mean_distance.append(dist)
plt.plot(epsilons, mean_distance)
plt.xlabel('Epsilons')
plt.ylabel('Mean L2 distance')
plt.savefig("mnist_BA_mean_L2distance.jpg")
plt.show()
def main():
parser = argparse.ArgumentParser()
parser.add_argument('--steps',
type=int,
default=10000,
help='Iteration of BA')
parser.add_argument('--targeted',
action='store',
default=False,
help='For targeted attack')
args = parser.parse_args()
model = Net()
model.load_state_dict(torch.load('mnist_cnn.pt'))
model.eval()
preprocessing = dict(mean=0.1307, std=0.3081)
fmodel = PyTorchModel(model, bounds=(0, 1), preprocessing=preprocessing)
fmodel = fmodel.transform_bounds((0, 1))
assert fmodel.bounds == (0, 1)
images, labels = ep.astensors(
*samples(fmodel, dataset="mnist", batchsize=10))
print('Model accuracy on clean examples: {}'.format(
accuracy(fmodel, images, labels)))
epsilons = np.linspace(0.01, 10, 20)
boundary_attack = fa.BoundaryAttack(steps=args.steps, tensorboard=None)
_, _, ba_success = boundary_attack(fmodel,
images,
labels,
epsilons=epsilons)
ba_robust_accuracy = 1 - ba_success.float32().mean(axis=-1)
random_attack = fa.L2RepeatedAdditiveGaussianNoiseAttack(
repeats=args.steps)
_, _, ra_success = random_attack(fmodel, images, labels, epsilons=epsilons)
ra_robust_accuracy = 1 - ra_success.float32().mean(axis=-1)
legends = ["Boundary Attack", "Random Attack"]
plt.plot(epsilons, ba_robust_accuracy.numpy())
plt.plot(epsilons, ra_robust_accuracy.numpy())
plt.legend(legends, loc='upper right')
plt.xlabel("Perturbation Norm (L2)")
plt.ylabel("Robust Accuracy")
plt.title("{} Queries".format(args.steps))
plt.savefig('mnist_robust_acc.jpg')
plt.show()
def get_attack(attack, fmodel):
args = []
kwargs = {}
# L0
if attack == 'SAPA':
metric = foolbox.distances.L0
A = fa.SaltAndPepperNoiseAttack(fmodel, distance = metric)
elif attack == 'PA':
metric = foolbox.distances.L0
A = fa.PointwiseAttack(fmodel, distance = metric)
# L2
elif 'IGD' in attack:
metric = foolbox.distances.MSE
A = fa.L2BasicIterativeAttack(fmodel, distance = metric)
# kwargs['epsilons'] = 1.5
elif attack == 'AGNA':
metric = foolbox.distances.MSE
kwargs['epsilons'] = np.linspace(0.5, 1, 50)
A = fa.AdditiveGaussianNoiseAttack(fmodel, distance = metric)
elif attack == 'BA':
metric = foolbox.distances.MSE
A = fa.BoundaryAttack(fmodel, distance = metric)
kwargs['log_every_n_steps'] = 500001
elif 'DeepFool' in attack:
metric = foolbox.distances.MSE
A = fa.DeepFoolL2Attack(fmodel, distance = metric)
elif attack == 'PAL2':
metric = foolbox.distances.MSE
A = fa.PointwiseAttack(fmodel, distance = metric)
elif attack == "CWL2":
metric = foolbox.distances.MSE
A = fa.CarliniWagnerL2Attack(fmodel, distance = metric)
# L inf
elif 'FGSM' in attack and not 'IFGSM' in attack:
metric = foolbox.distances.Linf
A = fa.FGSM(fmodel, distance = metric)
kwargs['epsilons'] = 20
elif 'PGD' in attack:
metric = foolbox.distances.Linf
A = fa.LinfinityBasicIterativeAttack(fmodel, distance = metric)
elif 'IGM' in attack:
metric = foolbox.distances.Linf
A = fa.MomentumIterativeAttack(fmodel, distance = metric)
else:
raise Exception('Not implemented')
return A, metric, args, kwargs
AttackTestTarget(fa.FGM(), L2(100.0), uses_grad=True),
AttackTestTarget(fa.L1FastGradientAttack(), 5000.0, uses_grad=True),
AttackTestTarget(fa.GaussianBlurAttack(steps=10),
uses_grad=True,
requires_real_model=True),
AttackTestTarget(
fa.GaussianBlurAttack(steps=10, max_sigma=224.0),
uses_grad=True,
requires_real_model=True,
),
AttackTestTarget(fa.L2DeepFoolAttack(steps=50, loss="logits"),
uses_grad=True),
AttackTestTarget(fa.L2DeepFoolAttack(steps=50, loss="crossentropy"),
uses_grad=True),
AttackTestTarget(fa.LinfDeepFoolAttack(steps=50), uses_grad=True),
AttackTestTarget(fa.BoundaryAttack(steps=50)),
AttackTestTarget(
fa.BoundaryAttack(
steps=110,
init_attack=fa.LinearSearchBlendedUniformNoiseAttack(steps=50),
update_stats_every_k=1,
)),
AttackTestTarget(fa.SaltAndPepperNoiseAttack(steps=50),
None,
uses_grad=True),
AttackTestTarget(fa.SaltAndPepperNoiseAttack(steps=50, channel_axis=1),
None,
uses_grad=True),
AttackTestTarget(fa.LinearSearchBlendedUniformNoiseAttack(steps=50), None),
AttackTestTarget(fa.L2AdditiveGaussianNoiseAttack(), 2500.0),
AttackTestTarget(fa.L2ClippingAwareAdditiveGaussianNoiseAttack(), 500.0),
False,
),
(fa.NewtonFoolAttack(steps=20), None, True, False),
(fa.VirtualAdversarialAttack(steps=50, xi=1), 10, True, False),
(fa.PGD(), Linf(1.0), True, False),
(fa.L2PGD(), L2(50.0), True, False),
(fa.LinfBasicIterativeAttack(abs_stepsize=0.2), Linf(1.0), True, False),
(fa.L2BasicIterativeAttack(), L2(50.0), True, False),
(fa.FGSM(), Linf(100.0), True, False),
(fa.FGM(), L2(100.0), True, False),
(fa.GaussianBlurAttack(steps=10), None, True, True),
(fa.GaussianBlurAttack(steps=10, max_sigma=224.0), None, True, True),
(fa.L2DeepFoolAttack(steps=50, loss="logits"), None, True, False),
(fa.L2DeepFoolAttack(steps=50, loss="crossentropy"), None, True, False),
(fa.LinfDeepFoolAttack(steps=50), None, True, False),
(fa.BoundaryAttack(steps=50), None, False, False),
(
fa.BoundaryAttack(
steps=110,
init_attack=fa.LinearSearchBlendedUniformNoiseAttack(steps=50),
update_stats_every_k=1,
),
None,
False,
False,
),
(fa.SaltAndPepperNoiseAttack(steps=50), None, True, False),
(fa.SaltAndPepperNoiseAttack(steps=50, channel_axis=1), None, True, False),
(fa.LinearSearchBlendedUniformNoiseAttack(steps=50), None, False, False),
(fa.L2AdditiveGaussianNoiseAttack(), 2500.0, False, False),
(fa.LinfAdditiveUniformNoiseAttack(), 10.0, False, False),