def test_base_attack(model, criterion, image, label):
attack = attacks.FGSM(model, criterion)
assert attack.name() == 'GradientSignAttack'
with pytest.raises(ValueError):
attack(image=image)
with pytest.raises(TypeError):
attack(label=label)
wrong_label = label + 1
adv = attack(image=image, label=label)
assert adv is None
adv = attack(image=image, label=wrong_label)
assert adv.shape == image.shape
adv = attack(image=image, label=wrong_label, unpack=False)
assert adv.image.shape == image.shape
adv = Adversarial(model, criterion, image, wrong_label)
adv = attack(adv)
assert adv.shape == image.shape
adv = Adversarial(model, criterion, image, wrong_label)
with pytest.raises(ValueError):
attack(adv, label=wrong_label)
attack = attacks.FGSM()
with pytest.raises(ValueError):
attack(image=image, label=wrong_label)
def get_attack(attack, fmodel):
args = []
kwargs = {}
# L0
if attack == 'SAPA':
A = fa.SaltAndPepperNoiseAttack()
elif attack == 'PA':
A = fa.L1BrendelBethgeAttack()
# L2
elif 'IGD' in attack:
A = fa.L2BasicIterativeAttack()
elif attack == 'AGNA':
A = fa.L2AdditiveGaussianNoiseAttack()
elif attack == 'BA':
A = fa.BoundaryAttack()
elif 'DeepFool' in attack:
A = fa.L2DeepFoolAttack()
elif attack == 'PAL2':
A = fa.L2BrendelBethgeAttack()
elif attack == "CWL2":
A = fa.L2CarliniWagnerAttack()
# L inf
elif 'FGSM' in attack and not 'IFGSM' in attack:
A = fa.FGSM()
elif 'PGD' in attack:
A = fa.LinfPGD()
elif 'IGM' in attack:
A = fa.LinfBrendelBethgeAttack()
else:
raise Exception('Not implemented')
return A, 0, 0, 0
def get_attack(attack, fmodel):
args = []
kwargs = {}
# L0
if attack == 'SAPA':
metric = foolbox.distances.L0
A = fa.SaltAndPepperNoiseAttack(fmodel, distance = metric)
elif attack == 'PA':
metric = foolbox.distances.L0
A = fa.PointwiseAttack(fmodel, distance = metric)
# L2
elif 'IGD' in attack:
metric = foolbox.distances.MSE
A = fa.L2BasicIterativeAttack(fmodel, distance = metric)
# kwargs['epsilons'] = 1.5
elif attack == 'AGNA':
metric = foolbox.distances.MSE
kwargs['epsilons'] = np.linspace(0.5, 1, 50)
A = fa.AdditiveGaussianNoiseAttack(fmodel, distance = metric)
elif attack == 'BA':
metric = foolbox.distances.MSE
A = fa.BoundaryAttack(fmodel, distance = metric)
kwargs['log_every_n_steps'] = 500001
elif 'DeepFool' in attack:
metric = foolbox.distances.MSE
A = fa.DeepFoolL2Attack(fmodel, distance = metric)
elif attack == 'PAL2':
metric = foolbox.distances.MSE
A = fa.PointwiseAttack(fmodel, distance = metric)
elif attack == "CWL2":
metric = foolbox.distances.MSE
A = fa.CarliniWagnerL2Attack(fmodel, distance = metric)
# L inf
elif 'FGSM' in attack and not 'IFGSM' in attack:
metric = foolbox.distances.Linf
A = fa.FGSM(fmodel, distance = metric)
kwargs['epsilons'] = 20
elif 'PGD' in attack:
metric = foolbox.distances.Linf
A = fa.LinfinityBasicIterativeAttack(fmodel, distance = metric)
elif 'IGM' in attack:
metric = foolbox.distances.Linf
A = fa.MomentumIterativeAttack(fmodel, distance = metric)
else:
raise Exception('Not implemented')
return A, metric, args, kwargs
uses_grad=True,
),
AttackTestTarget(fa.NewtonFoolAttack(steps=20), uses_grad=True),
AttackTestTarget(fa.VirtualAdversarialAttack(steps=50, xi=1),
10,
uses_grad=True),
AttackTestTarget(fa.PGD(), Linf(1.0), uses_grad=True),
AttackTestTarget(fa.L2PGD(), L2(50.0), uses_grad=True),
AttackTestTarget(fa.L1PGD(), 5000.0, uses_grad=True),
AttackTestTarget(fa.LinfBasicIterativeAttack(abs_stepsize=0.2),
Linf(1.0),
uses_grad=True),
AttackTestTarget(fa.L2BasicIterativeAttack(), L2(50.0), uses_grad=True),
AttackTestTarget(fa.L1BasicIterativeAttack(), 5000.0, uses_grad=True),
AttackTestTarget(fa.SparseL1DescentAttack(), 5000.0, uses_grad=True),
AttackTestTarget(fa.FGSM(), Linf(100.0), uses_grad=True),
AttackTestTarget(FGSM_GE(), Linf(100.0)),
AttackTestTarget(fa.FGM(), L2(100.0), uses_grad=True),
AttackTestTarget(fa.L1FastGradientAttack(), 5000.0, uses_grad=True),
AttackTestTarget(fa.GaussianBlurAttack(steps=10),
uses_grad=True,
requires_real_model=True),
AttackTestTarget(
fa.GaussianBlurAttack(steps=10, max_sigma=224.0),
uses_grad=True,
requires_real_model=True,
),
AttackTestTarget(fa.L2DeepFoolAttack(steps=50, loss="logits"),
uses_grad=True),
AttackTestTarget(fa.L2DeepFoolAttack(steps=50, loss="crossentropy"),
uses_grad=True),
baseline_model.fit(ds_train,
epochs=1,
validation_data=ds_test,
steps_per_epoch=7500 // batch_size,
validation_steps=2500 // batch_size,
callbacks=[tensorboard_callback])
for images, labels in ds_train.take(1): # only take first element of dataset
images_ex = ep.astensors(images)
labels_ex = ep.astensors(labels)
fmodel = fb.TensorFlowModel(baseline_model, bounds=(0, 1))
attacks = [
fa.FGSM(),
fa.LinfPGD(),
fa.LinfBasicIterativeAttack(),
fa.LinfAdditiveUniformNoiseAttack(),
fa.LinfDeepFoolAttack(),
]
attacks_names = [
"FGSM", "LinfPGD", "LinfBasicIterativeAttack",
"LinfAdditiveUniformNoiseAttack", "LinfDeepFoolAttack"
]
epsilons = [
0.0, 0.0005, 0.001, 0.0015, 0.002, 0.003, 0.005, 0.01, 0.02, 0.03, 0.1,
0.3, 0.5, 1.0
]
(
fa.EADAttack(binary_search_steps=3,
steps=20,
decision_rule="L1",
regularization=0),
None,
True,
False,
),
(fa.NewtonFoolAttack(steps=20), None, True, False),
(fa.VirtualAdversarialAttack(steps=50, xi=1), 10, True, False),
(fa.PGD(), Linf(1.0), True, False),
(fa.L2PGD(), L2(50.0), True, False),
(fa.LinfBasicIterativeAttack(abs_stepsize=0.2), Linf(1.0), True, False),
(fa.L2BasicIterativeAttack(), L2(50.0), True, False),
(fa.FGSM(), Linf(100.0), True, False),
(fa.FGM(), L2(100.0), True, False),
(fa.GaussianBlurAttack(steps=10), None, True, True),
(fa.GaussianBlurAttack(steps=10, max_sigma=224.0), None, True, True),
(fa.L2DeepFoolAttack(steps=50, loss="logits"), None, True, False),
(fa.L2DeepFoolAttack(steps=50, loss="crossentropy"), None, True, False),
(fa.LinfDeepFoolAttack(steps=50), None, True, False),
(fa.BoundaryAttack(steps=50), None, False, False),
(
fa.BoundaryAttack(
steps=110,
init_attack=fa.LinearSearchBlendedUniformNoiseAttack(steps=50),
update_stats_every_k=1,
),
None,
False,
model.fit(
ds_train,
epochs=1,
validation_data=ds_test,
callbacks=[tensorboard_callback]
)
for images, labels in ds_train.take(1):
images_ex = ep.astensors(images)
labels_ex = ep.astensors(labels)
fmodel = fb.TensorFlowModel(model, bounds=(0, 1))
attacks = [
fa.FGSM(),
fa.LinfPGD(),
fa.LinfBasicIterativeAttack(),
fa.LinfAdditiveUniformNoiseAttack(),
fa.LinfDeepFoolAttack(),
]
epsilons = [
0.0,
0.0005,
0.001,
0.0015,
0.002,
0.003,
0.005,
0.01,
def test_base_init():
assert attacks.FGSM() is not None
assert attacks.FGSM(Mock()) is not None
assert attacks.FGSM(None, None) is not None
assert attacks.FGSM(Mock(), Mock()) is not None
def test_early_stopping(bn_model, bn_criterion, bn_image, bn_label):
attack = attacks.FGSM()
model = bn_model
criterion = bn_criterion
image = bn_image
label = bn_label
wrong_label = label + 1
adv = Adversarial(model, criterion, image, wrong_label)
attack(adv)
assert adv.distance.value == 0
assert not adv.reached_threshold() # because no threshold specified
adv = Adversarial(model, criterion, image, wrong_label, threshold=1e10)
attack(adv)
assert adv.distance.value == 0
assert adv.reached_threshold()
adv = Adversarial(model, criterion, image, label)
attack(adv)
assert adv.distance.value > 0
assert not adv.reached_threshold() # because no threshold specified
c = adv._total_prediction_calls
d = adv.distance.value
large_d = 10 * d
small_d = d / 2
adv = Adversarial(model,
criterion,
image,
label,
threshold=adv._distance(value=large_d))
attack(adv)
assert 0 < adv.distance.value <= large_d
assert adv.reached_threshold()
assert adv._total_prediction_calls < c
adv = Adversarial(model, criterion, image, label, threshold=large_d)
attack(adv)
assert 0 < adv.distance.value <= large_d
assert adv.reached_threshold()
assert adv._total_prediction_calls < c
adv = Adversarial(model, criterion, image, label, threshold=small_d)
attack(adv)
assert small_d < adv.distance.value <= large_d
assert not adv.reached_threshold()
assert adv._total_prediction_calls == c
assert adv.distance.value == d
adv = Adversarial(model,
criterion,
image,
label,
threshold=adv._distance(value=large_d))
attack(adv)
assert adv.reached_threshold()
c = adv._total_prediction_calls
attack(adv)
assert adv._total_prediction_calls == c # no new calls
return ssim from foolbox.attacks import LBFGSAttack from foolbox.criteria import TargetClass # In[18]: # FGSM from foolbox.criteria import TargetClass from foolbox import attacks target_class = 22 criterion = TargetClass(target_class) attack = attacks.FGSM(fmodel) # In[17]: # # from foolbox.criteria import TargetClass # # target_class = 22 # criterion = TargetClass(target_class) # attack=foolbox.attacks.IterativeGradientSignAttack(fmodel, criterion=criterion) # In[20]: import attacker for idx in tqdm(img_pairs.index.values):
