def __init__(self,
model,
pop_size=6,
mutation_rate=0.005,
per_bounds=0.15,
max_steps=1000,
step_size=0.20,
temp=0.3,
bounds=(0, 1.0),
adaptive=False,
sparse=True):
super(GeneticAttack, self).__init__()
self._model = check_model('model', model, BlackModel)
self._per_bounds = check_value_positive('per_bounds', per_bounds)
self._pop_size = check_int_positive('pop_size', pop_size)
self._step_size = check_value_positive('step_size', step_size)
self._temp = check_value_positive('temp', temp)
self._max_steps = check_int_positive('max_steps', max_steps)
self._mutation_rate = check_value_positive('mutation_rate',
mutation_rate)
self._adaptive = check_param_type('adaptive', adaptive, bool)
self._bounds = check_param_multi_types('bounds', bounds, [list, tuple])
for b in self._bounds:
_ = check_param_multi_types('bound', b, [int, float])
# initial global optimum fitness value
self._best_fit = -1
# count times of no progress
self._plateau_times = 0
# count times of changing attack step
self._adap_times = 0
self._sparse = check_param_type('sparse', sparse, bool)
def __init__(self, model, scene, max_queries=10000, top_k=-1, num_class=10, batch_size=128, epsilon=0.3,
samples_per_draw=128, momentum=0.9, learning_rate=1e-3, max_lr=5e-2, min_lr=5e-4, sigma=1e-3,
plateau_length=20, plateau_drop=2.0, adv_thresh=0.25, zero_iters=10, starting_eps=1.0,
starting_delta_eps=0.5, label_only_sigma=1e-3, conservative=2, sparse=True):
super(NES, self).__init__()
self._model = check_model('model', model, BlackModel)
self._scene = scene
self._max_queries = check_int_positive('max_queries', max_queries)
self._num_class = check_int_positive('num_class', num_class)
self._batch_size = check_int_positive('batch_size', batch_size)
self._samples_per_draw = check_int_positive('samples_per_draw', samples_per_draw)
self._goal_epsilon = check_value_positive('epsilon', epsilon)
self._momentum = check_value_positive('momentum', momentum)
self._learning_rate = check_value_positive('learning_rate', learning_rate)
self._max_lr = check_value_positive('max_lr', max_lr)
self._min_lr = check_value_positive('min_lr', min_lr)
self._sigma = check_value_positive('sigma', sigma)
self._plateau_length = check_int_positive('plateau_length', plateau_length)
self._plateau_drop = check_value_positive('plateau_drop', plateau_drop)
# partial information arguments
self._k = top_k
self._adv_thresh = check_value_positive('adv_thresh', adv_thresh)
# label only arguments
self._zero_iters = check_int_positive('zero_iters', zero_iters)
self._starting_eps = check_value_positive('starting_eps', starting_eps)
self._starting_delta_eps = check_value_positive('starting_delta_eps', starting_delta_eps)
self._label_only_sigma = check_value_positive('label_only_sigma', label_only_sigma)
self._conservative = check_int_positive('conservative', conservative)
self._sparse = check_param_type('sparse', sparse, bool)
self.target_imgs = None
self.target_img = None
self.target_class = None
def __init__(self,
network,
eps=0.07,
alpha=None,
bounds=None,
loss_fn=None):
super(GradientMethod, self).__init__()
self._network = check_model('network', network, Cell)
self._eps = check_value_positive('eps', eps)
self._dtype = None
if bounds is not None:
self._bounds = check_param_multi_types('bounds', bounds,
[list, tuple])
for b in self._bounds:
_ = check_param_multi_types('bound', b, [int, float])
else:
self._bounds = bounds
if alpha is not None:
self._alpha = check_value_positive('alpha', alpha)
else:
self._alpha = alpha
if loss_fn is None:
loss_fn = SoftmaxCrossEntropyWithLogits(is_grad=False,
sparse=False)
with_loss_cell = WithLossCell(self._network, loss_fn)
self._grad_all = GradWrapWithLoss(with_loss_cell)
self._grad_all.set_train()
def __init__(self,
model,
step_size=0.5,
per_bounds=0.6,
c1=2.0,
c2=2.0,
c=2.0,
pop_size=6,
t_max=1000,
pm=0.5,
bounds=None,
targeted=False,
reduction_iters=3,
sparse=True):
super(PSOAttack, self).__init__()
self._model = check_model('model', model, BlackModel)
self._step_size = check_value_positive('step_size', step_size)
self._per_bounds = check_value_positive('per_bounds', per_bounds)
self._c1 = check_value_positive('c1', c1)
self._c2 = check_value_positive('c2', c2)
self._c = check_value_positive('c', c)
self._pop_size = check_int_positive('pop_size', pop_size)
self._pm = check_value_positive('pm', pm)
self._bounds = check_param_multi_types('bounds', bounds, [list, tuple])
for b in self._bounds:
_ = check_param_multi_types('bound', b, [int, float])
self._targeted = check_param_type('targeted', targeted, bool)
self._t_max = check_int_positive('t_max', t_max)
self._reduce_iters = check_int_positive('reduction_iters',
reduction_iters)
self._sparse = check_param_type('sparse', sparse, bool)
def __init__(self,
network,
eps=1e-5,
bounds=(0.0, 1.0),
is_targeted=True,
nb_iter=150,
search_iters=30,
loss_fn=None,
sparse=False):
super(LBFGS, self).__init__()
self._network = check_model('network', network, Cell)
self._eps = check_value_positive('eps', eps)
self._is_targeted = check_param_type('is_targeted', is_targeted, bool)
self._nb_iter = check_int_positive('nb_iter', nb_iter)
self._search_iters = check_int_positive('search_iters', search_iters)
if loss_fn is None:
loss_fn = SoftmaxCrossEntropyWithLogits(is_grad=False,
sparse=False)
with_loss_cell = WithLossCell(self._network, loss_fn)
self._grad_all = GradWrapWithLoss(with_loss_cell)
self._dtype = None
self._bounds = check_param_multi_types('bounds', bounds, [list, tuple])
self._sparse = check_param_type('sparse', sparse, bool)
for b in self._bounds:
_ = check_param_multi_types('bound', b, [int, float])
box_max, box_min = bounds
if box_max < box_min:
self._box_min = box_max
self._box_max = box_min
else:
self._box_min = box_min
self._box_max = box_max
def __init__(self, model, model_type='classification', targeted=False, reserve_ratio=0.3, sparse=True,
step_size=0.5, per_bounds=0.6, c1=2.0, c2=2.0, c=2.0, pop_size=6, t_max=1000, pm=0.5, bounds=None):
super(PSOAttack, self).__init__()
self._model = check_model('model', model, BlackModel)
self._step_size = check_value_positive('step_size', step_size)
self._per_bounds = check_value_positive('per_bounds', per_bounds)
self._c1 = check_value_positive('c1', c1)
self._c2 = check_value_positive('c2', c2)
self._c = check_value_positive('c', c)
self._pop_size = check_int_positive('pop_size', pop_size)
self._pm = check_value_non_negative('pm', pm)
if self._pm > 1:
msg = "pm should not be greater than 1.0, but got {}.".format(self._pm)
LOGGER.error(TAG, msg)
raise ValueError(msg)
self._bounds = bounds
if self._bounds is not None:
self._bounds = check_param_multi_types('bounds', bounds, [list, tuple])
for b in self._bounds:
_ = check_param_multi_types('bound', b, [int, float])
self._targeted = check_param_type('targeted', targeted, bool)
self._t_max = check_int_positive('t_max', t_max)
self._sparse = check_param_type('sparse', sparse, bool)
self._model_type = check_param_type('model_type', model_type, str)
if self._model_type not in ('classification', 'detection'):
msg = "Only 'classification' or 'detection' is supported now, but got {}.".format(self._model_type)
LOGGER.error(TAG, msg)
raise ValueError(msg)
self._reserve_ratio = check_value_non_negative('reserve_ratio', reserve_ratio)
if self._reserve_ratio > 1:
msg = "reserve_ratio should not be greater than 1.0, but got {}.".format(self._reserve_ratio)
LOGGER.error(TAG, msg)
raise ValueError(msg)
def __init__(self, model, bounds=(0.0, 1.0), max_iter=100,
is_targeted=False, sparse=True):
super(SaltAndPepperNoiseAttack, self).__init__()
self._model = check_model('model', model, BlackModel)
self._bounds = check_param_multi_types('bounds', bounds, [tuple, list])
for b in self._bounds:
_ = check_param_multi_types('bound', b, [int, float])
self._max_iter = check_int_positive('max_iter', max_iter)
self._is_targeted = check_param_type('is_targeted', is_targeted, bool)
self._sparse = check_param_type('sparse', sparse, bool)
def __init__(self, initial_seeds, target_model, train_dataset, const_K,
mode='L', max_seed_num=1000):
self.initial_seeds = initial_seeds
self.target_model = check_model('model', target_model, Model)
self.train_dataset = check_numpy_param('train_dataset', train_dataset)
self.const_k = check_int_positive('const_k', const_K)
self.mode = mode
self.max_seed_num = check_int_positive('max_seed_num', max_seed_num)
self.coverage_metrics = ModelCoverageMetrics(target_model, 1000, 10,
train_dataset)
def __init__(self, model, n_jobs=-1):
check_param_type("n_jobs", n_jobs, int)
if not (n_jobs == -1 or n_jobs > 0):
msg = "Value of n_jobs must be either -1 or positive integer, but got {}.".format(
n_jobs)
LOGGER.error(TAG, msg)
raise ValueError(msg)
self._model = check_model("model", model, Model)
self._n_jobs = min(n_jobs, cpu_count())
self._attack_list = []
def _fast_reduction(self, x_ori, best_position, q_times, auxiliary_inputs,
gt_boxes, gt_labels, model):
"""
Decrease the differences between the original samples and adversarial samples in a fast way.
Args:
x_ori (numpy.ndarray): Original samples.
best_position (numpy.ndarray): Adversarial examples.
q_times (int): Query times.
auxiliary_inputs (tuple): Auxiliary inputs mathced with x_ori.
gt_boxes (numpy.ndarray): Ground-truth boxes of x_ori.
gt_labels (numpy.ndarray): Ground-truth labels of x_ori.
model (BlackModel): Target model.
Returns:
- numpy.ndarray, adversarial examples after reduction.
- int, total query times after reduction.
"""
LOGGER.info(TAG, 'Reduction begins...')
model = check_model('model', model, BlackModel)
x_ori = check_numpy_param('x_ori', x_ori)
_, gt_num = self._detection_scores((x_ori, ) + auxiliary_inputs,
gt_boxes, gt_labels, model)
best_position = check_numpy_param('best_position', best_position)
x_ori, best_position = check_equal_shape('x_ori', x_ori,
'best_position',
best_position)
_, original_num = self._detection_scores(
(best_position, ) + auxiliary_inputs, gt_boxes, gt_labels, model)
# pylint: disable=invalid-name
REDUCTION_ITERS = 6 # recover 10% difference each time and recover 60% totally.
for _ in range(REDUCTION_ITERS):
BLOCK_NUM = 30 # divide the image into 30 segments
block_width = best_position.shape[0] // BLOCK_NUM
if block_width > 0:
for i in range(BLOCK_NUM):
diff = x_ori[i*block_width: (i+1)*block_width, :, :]\
- best_position[i*block_width:(i+1)*block_width, :, :]
if np.max(np.abs(diff)) >= 0.1 * (self._bounds[1] -
self._bounds[0]):
res = diff * 0.1
best_position[i * block_width:(i + 1) *
block_width, :, :] += res
_, correct_num = self._detection_scores(
(best_position, ) + auxiliary_inputs, gt_boxes,
gt_labels, model)
q_times += 1
if correct_num[0] > max(
original_num[0],
gt_num[0] * self._reserve_ratio):
best_position[i * block_width:(i + 1) *
block_width, :, :] -= res
return best_position, q_times
def __init__(self, auto_encoder, false_positive_rate=0.01,
bounds=(0.0, 1.0)):
super(ErrorBasedDetector, self).__init__()
self._auto_encoder = check_model('auto_encoder', auto_encoder, Model)
self._false_positive_rate = check_param_in_range('false_positive_rate',
false_positive_rate,
0, 1)
self._threshold = 0.0
self._bounds = check_param_multi_types('bounds', bounds, [list, tuple])
for b in self._bounds:
_ = check_param_multi_types('bound', b, [int, float])
def __init__(self, auto_encoder, model, option="jsd",
t=1, bounds=(0.0, 1.0)):
super(DivergenceBasedDetector, self).__init__(auto_encoder,
bounds=bounds)
self._auto_encoder = auto_encoder
self._model = check_model('targeted model', model, Model)
self._threshold = 0.0
self._option = option
self._t = check_int_positive('t', t)
self._bounds = check_param_multi_types('bounds', bounds, [tuple, list])
for b in self._bounds:
_ = check_param_multi_types('bound', b, [int, float])
def __init__(self, model, k, n, train_dataset):
self._model = check_model('model', model, Model)
self._k = k
self._n = n
train_dataset = check_numpy_param('train_dataset', train_dataset)
self._lower_bounds = [np.inf] * n
self._upper_bounds = [-np.inf] * n
self._var = [0] * n
self._main_section_hits = [[0 for _ in range(self._k)]
for _ in range(self._n)]
self._lower_corner_hits = [0] * self._n
self._upper_corner_hits = [0] * self._n
self._bounds_get(train_dataset)
def __init__(self, model, ksize=3, is_local_smooth=True,
metric='l1', false_positive_ratio=0.05):
super(SpatialSmoothing, self).__init__()
self._ksize = check_int_positive('ksize', ksize)
self._is_local_smooth = check_param_type('is_local_smooth',
is_local_smooth,
bool)
self._model = check_model('model', model, Model)
self._metric = metric
self._fpr = check_param_in_range('false_positive_ratio',
false_positive_ratio,
0, 1)
self._threshold = None
def __init__(self, model, segmented_num, neuron_num, train_dataset):
self._model = check_model('model', model, Model)
self._segmented_num = check_int_positive('segmented_num',
segmented_num)
self._neuron_num = check_int_positive('neuron_num', neuron_num)
train_dataset = check_numpy_param('train_dataset', train_dataset)
self._lower_bounds = [np.inf] * neuron_num
self._upper_bounds = [-np.inf] * neuron_num
self._var = [0] * neuron_num
self._main_section_hits = [[0 for _ in range(self._segmented_num)]
for _ in range(self._neuron_num)]
self._lower_corner_hits = [0] * self._neuron_num
self._upper_corner_hits = [0] * self._neuron_num
self._bounds_get(train_dataset)
def __init__(self, network, num_classes, max_iters=50, overshoot=0.02,
norm_level=2, bounds=None, sparse=True):
super(DeepFool, self).__init__()
self._network = check_model('network', network, Cell)
self._network.set_grad(True)
self._max_iters = check_int_positive('max_iters', max_iters)
self._overshoot = check_value_positive('overshoot', overshoot)
self._norm_level = check_norm_level(norm_level)
self._num_classes = check_int_positive('num_classes', num_classes)
self._net_grad = GradWrap(self._network)
self._bounds = check_param_multi_types('bounds', bounds, [list, tuple])
self._sparse = check_param_type('sparse', sparse, bool)
for b in self._bounds:
_ = check_param_multi_types('bound', b, [int, float])
def __init__(self, network, loss_fn=None, optimizer=None):
super(AdversarialDefense, self).__init__(network)
network = check_model('network', network, Cell)
if loss_fn is None:
loss_fn = SoftmaxCrossEntropyWithLogits(is_grad=False, sparse=True)
if optimizer is None:
optimizer = Momentum(params=network.trainable_params(),
learning_rate=0.01,
momentum=0.9)
loss_net = WithLossCell(network, loss_fn)
self._train_net = TrainOneStepCell(loss_net, optimizer)
self._train_net.set_train()
def __init__(self, network, num_classes, box_min=0.0, box_max=1.0,
theta=1.0, max_iteration=1000, max_count=3, increase=True,
sparse=True):
super(JSMAAttack).__init__()
LOGGER.debug(TAG, "init jsma class.")
self._network = check_model('network', network, Cell)
self._min = check_value_non_negative('box_min', box_min)
self._max = check_value_non_negative('box_max', box_max)
self._num_classes = check_int_positive('num_classes', num_classes)
self._theta = check_value_positive('theta', theta)
self._max_iter = check_int_positive('max_iteration', max_iteration)
self._max_count = check_int_positive('max_count', max_count)
self._increase = check_param_type('increase', increase, bool)
self._net_grad = GradWrap(self._network)
self._bit_map = None
self._sparse = check_param_type('sparse', sparse, bool)
def __init__(self,
model,
init_num_evals=100,
max_num_evals=1000,
stepsize_search='geometric_progression',
num_iterations=20,
gamma=1.0,
constraint='l2',
batch_size=32,
clip_min=0.0,
clip_max=1.0,
sparse=True):
super(HopSkipJumpAttack, self).__init__()
self._model = check_model('model', model, BlackModel)
self._init_num_evals = check_int_positive('initial_num_evals',
init_num_evals)
self._max_num_evals = check_int_positive('max_num_evals',
max_num_evals)
self._batch_size = check_int_positive('batch_size', batch_size)
self._clip_min = check_value_non_negative('clip_min', clip_min)
self._clip_max = check_value_non_negative('clip_max', clip_max)
self._sparse = check_param_type('sparse', sparse, bool)
self._np_dtype = np.dtype('float32')
if stepsize_search in ['geometric_progression', 'grid_search']:
self._stepsize_search = stepsize_search
else:
msg = "stepsize_search must be in ['geometric_progression'," \
" 'grid_search'], but got {}".format(stepsize_search)
LOGGER.error(TAG, msg)
raise ValueError(msg)
self._num_iterations = check_int_positive('num_iterations',
num_iterations)
self._gamma = check_value_positive('gamma', gamma)
if constraint in ['l2', 'linf']:
self._constraint = constraint
else:
msg = "constraint must be in ['l2', 'linf'], " \
"but got {}".format(constraint)
LOGGER.error(TAG, msg)
raise ValueError(msg)
self.queries = 0
self.is_adv = True
self.y_targets = None
self.image_targets = None
self.y_target = None
self.image_target = None
def _reduction(x_ori, q_times, label, best_position, model,
targeted_attack):
"""
Decrease the differences between the original samples and adversarial samples.
Args:
x_ori (numpy.ndarray): Original samples.
q_times (int): Query times.
label (int): Target label ot ground-truth label.
best_position (numpy.ndarray): Adversarial examples.
model (BlackModel): Target model.
targeted_attack (bool): If True, it means this is a targeted attack. If False,
it means this is an untargeted attack.
Returns:
numpy.ndarray, adversarial examples after reduction.
Examples:
>>> adv_reduction = self._reduction(self, [0.1, 0.2, 0.3], 20, 1,
>>> [0.12, 0.15, 0.25])
"""
LOGGER.info(TAG, 'Reduction begins...')
model = check_model('model', model, BlackModel)
x_ori = check_numpy_param('x_ori', x_ori)
best_position = check_numpy_param('best_position', best_position)
x_ori, best_position = check_equal_shape('x_ori', x_ori,
'best_position',
best_position)
x_ori_fla = x_ori.flatten()
best_position_fla = best_position.flatten()
pixel_deep = np.max(x_ori) - np.min(x_ori)
nums_pixel = len(x_ori_fla)
for i in range(nums_pixel):
diff = x_ori_fla[i] - best_position_fla[i]
if abs(diff) > pixel_deep * 0.1:
best_position_fla[i] += diff * 0.5
cur_label = np.argmax(
model.predict(best_position_fla.reshape(x_ori.shape)))
q_times += 1
if targeted_attack:
if cur_label != label:
best_position_fla[i] -= diff * 0.5
else:
if cur_label == label:
best_position_fla -= diff * 0.5
return best_position_fla.reshape(x_ori.shape), q_times
def __init__(self, network, eps=0.3, eps_iter=0.1, bounds=(0.0, 1.0), nb_iter=5,
loss_fn=None):
super(IterativeGradientMethod, self).__init__()
self._network = check_model('network', network, Cell)
self._eps = check_value_positive('eps', eps)
self._eps_iter = check_value_positive('eps_iter', eps_iter)
self._nb_iter = check_int_positive('nb_iter', nb_iter)
self._bounds = None
if bounds is not None:
self._bounds = check_param_multi_types('bounds', bounds, [list, tuple])
for b in self._bounds:
_ = check_param_multi_types('bound', b, [int, float])
if loss_fn is None:
self._loss_grad = network
else:
self._loss_grad = GradWrapWithLoss(WithLossCell(self._network, loss_fn))
self._loss_grad.set_train()
def _detection_scores(inputs, gt_boxes, gt_labels, model):
"""
Evaluate the detection result of inputs, specially for object detection models.
Args:
inputs (numpy.ndarray): Input samples.
gt_boxes (numpy.ndarray): Ground-truth boxes of inputs.
gt_labels (numpy.ndarray): Ground-truth labels of inputs.
model (BlackModel): Target model.
Returns:
- numpy.ndarray, detection scores of inputs.
- numpy.ndarray, the number of objects that are correctly detected.
"""
model = check_model('model', model, BlackModel)
boxes_and_confi, pred_labels = model.predict(*inputs)
det_scores = []
correct_labels_num = []
# repeat gt_boxes and gt_labels for all particles cloned from the same sample in PSOAttack/GeneticAttack
if gt_boxes.shape[0] == 1 and boxes_and_confi.shape[0] > 1:
gt_boxes = np.repeat(gt_boxes, boxes_and_confi.shape[0], axis=0)
gt_labels = np.repeat(gt_labels, boxes_and_confi.shape[0], axis=0)
iou_thres = 0.5
for boxes, labels, gt_box, gt_label in zip(boxes_and_confi,
pred_labels, gt_boxes,
gt_labels):
gt_box_num = gt_box.shape[0]
score = 0
box_num = boxes.shape[0]
correct_label_flag = np.zeros(gt_label.shape)
for i in range(box_num):
pred_box = boxes[i]
max_iou_confi = 0
for j in range(gt_box_num):
iou = calculate_iou(pred_box[:4], gt_box[j][:4])
if labels[i] == gt_label[
j] and iou > iou_thres and correct_label_flag[
j] == 0:
max_iou_confi = max(max_iou_confi, pred_box[-1] + iou)
correct_label_flag[j] = 1
score += max_iou_confi
det_scores.append(score)
correct_labels_num.append(np.sum(correct_label_flag))
return np.array(det_scores), np.array(correct_labels_num)
def __init__(self, trans_model, max_k_neighbor=1000, chunk_size=1000,
max_buffer_size=10000, tuning=False, fpr=0.001):
super(SimilarityDetector, self).__init__()
self._max_k_neighbor = check_int_positive('max_k_neighbor',
max_k_neighbor)
self._trans_model = check_model('trans_model', trans_model, Model)
self._tuning = check_param_type('tuning', tuning, bool)
self._chunk_size = check_int_positive('chunk_size', chunk_size)
self._max_buffer_size = check_int_positive('max_buffer_size',
max_buffer_size)
self._fpr = check_param_in_range('fpr', fpr, 0, 1)
self._num_of_neighbors = None
self._threshold = None
self._num_queries = 0
# Stores recently processed queries
self._buffer = []
# Tracks indexes of detected queries
self._detected_queries = []
def __init__(self,
model,
max_iter=1000,
search_iter=10,
is_targeted=False,
init_attack=None,
sparse=True):
super(PointWiseAttack, self).__init__()
self._model = check_model('model', model, BlackModel)
self._max_iter = check_int_positive('max_iter', max_iter)
self._search_iter = check_int_positive('search_iter', search_iter)
self._is_targeted = check_param_type('is_targeted', is_targeted, bool)
if init_attack is None:
self._init_attack = SaltAndPepperNoiseAttack(
model, is_targeted=self._is_targeted)
else:
self._init_attack = init_attack
self._sparse = check_param_type('sparse', sparse, bool)
def __init__(self, model, neuron_num, segmented_num, train_dataset):
self._model = check_model('model', model, Model)
self._segmented_num = check_int_positive('segmented_num',
segmented_num)
self._neuron_num = check_int_positive('neuron_num', neuron_num)
if self._neuron_num > 1e+9:
msg = 'neuron_num should be less than 1e+10, otherwise a MemoryError would occur'
LOGGER.error(TAG, msg)
raise ValueError(msg)
train_dataset = check_numpy_param('train_dataset', train_dataset)
self._lower_bounds = [np.inf] * self._neuron_num
self._upper_bounds = [-np.inf] * self._neuron_num
self._var = [0] * self._neuron_num
self._main_section_hits = [[0 for _ in range(self._segmented_num)]
for _ in range(self._neuron_num)]
self._lower_corner_hits = [0] * self._neuron_num
self._upper_corner_hits = [0] * self._neuron_num
self._bounds_get(train_dataset)
def __init__(self,
model,
number_points=10,
initial_radius=0.0,
max_radius=1.0,
search_step=0.01,
degrade_limit=0.0,
sparse=False):
super(RegionBasedDetector, self).__init__()
self._model = check_model('targeted model', model, Model)
self._number_points = check_int_positive('number_points',
number_points)
self._initial_radius = check_value_non_negative(
'initial_radius', initial_radius)
self._max_radius = check_value_positive('max_radius', max_radius)
self._search_step = check_value_positive('search_step', search_step)
self._degrade_limit = check_value_non_negative('degrade_limit',
degrade_limit)
self._sparse = check_param_type('sparse', sparse, bool)
self._radius = None
def __init__(self,
network,
num_classes,
box_min=0.0,
box_max=1.0,
bin_search_steps=5,
max_iterations=1000,
confidence=0,
learning_rate=5e-3,
initial_const=1e-2,
abort_early_check_ratio=5e-2,
targeted=False,
fast=True,
abort_early=True,
sparse=True):
LOGGER.info(TAG, "init CW object.")
super(CarliniWagnerL2Attack, self).__init__()
self._network = check_model('network', network, Cell)
self._network.set_grad(True)
self._num_classes = check_int_positive('num_classes', num_classes)
self._min = check_param_type('box_min', box_min, float)
self._max = check_param_type('box_max', box_max, float)
self._bin_search_steps = check_int_positive('search_steps',
bin_search_steps)
self._max_iterations = check_int_positive('max_iterations',
max_iterations)
self._confidence = check_param_multi_types('confidence', confidence,
[int, float])
self._learning_rate = check_value_positive('learning_rate',
learning_rate)
self._initial_const = check_value_positive('initial_const',
initial_const)
self._abort_early = check_param_type('abort_early', abort_early, bool)
self._fast = check_param_type('fast', fast, bool)
self._abort_early_check_ratio = check_value_positive(
'abort_early_check_ratio', abort_early_check_ratio)
self._targeted = check_param_type('targeted', targeted, bool)
self._net_grad = GradWrap(self._network)
self._sparse = check_param_type('sparse', sparse, bool)
self._dtype = None
def __init__(self, model, model_type='classification', targeted=True, reserve_ratio=0.3, sparse=True,
pop_size=6, mutation_rate=0.005, per_bounds=0.15, max_steps=1000, step_size=0.20, temp=0.3,
bounds=(0, 1.0), adaptive=False, c=0.1):
super(GeneticAttack, self).__init__()
self._model = check_model('model', model, BlackModel)
self._model_type = check_param_type('model_type', model_type, str)
if self._model_type not in ('classification', 'detection'):
msg = "Only 'classification' or 'detection' is supported now, but got {}.".format(self._model_type)
LOGGER.error(TAG, msg)
raise ValueError(msg)
self._targeted = check_param_type('targeted', targeted, bool)
self._reserve_ratio = check_value_non_negative('reserve_ratio', reserve_ratio)
if self._reserve_ratio > 1:
msg = "reserve_ratio should not be greater than 1.0, but got {}.".format(self._reserve_ratio)
LOGGER.error(TAG, msg)
raise ValueError(msg)
self._sparse = check_param_type('sparse', sparse, bool)
self._per_bounds = check_value_positive('per_bounds', per_bounds)
self._pop_size = check_int_positive('pop_size', pop_size)
self._step_size = check_value_positive('step_size', step_size)
self._temp = check_value_positive('temp', temp)
self._max_steps = check_int_positive('max_steps', max_steps)
self._mutation_rate = check_value_non_negative('mutation_rate', mutation_rate)
if self._mutation_rate > 1:
msg = "mutation_rate should not be greater than 1.0, but got {}.".format(self._mutation_rate)
LOGGER.error(TAG, msg)
raise ValueError(msg)
self._adaptive = check_param_type('adaptive', adaptive, bool)
# initial global optimum fitness value
self._best_fit = -np.inf
# count times of no progress
self._plateau_times = 0
# count times of changing attack step_size
self._adap_times = 0
self._bounds = bounds
if self._bounds is not None:
self._bounds = check_param_multi_types('bounds', bounds, [list, tuple])
for b in self._bounds:
_ = check_param_multi_types('bound', b, [int, float])
self._c = check_value_positive('c', c)
def __init__(self,
network,
num_classes,
model_type='classification',
reserve_ratio=0.3,
max_iters=50,
overshoot=0.02,
norm_level=2,
bounds=None,
sparse=True):
super(DeepFool, self).__init__()
self._network = check_model('network', network, Cell)
self._max_iters = check_int_positive('max_iters', max_iters)
self._overshoot = check_value_positive('overshoot', overshoot)
self._norm_level = check_norm_level(norm_level)
self._num_classes = check_int_positive('num_classes', num_classes)
self._net_grad = GradWrap(self._network)
self._bounds = bounds
if self._bounds is not None:
self._bounds = check_param_multi_types('bounds', bounds,
[list, tuple])
for b in self._bounds:
_ = check_param_multi_types('bound', b, [int, float])
self._sparse = check_param_type('sparse', sparse, bool)
self._model_type = check_param_type('model_type', model_type, str)
if self._model_type not in ('classification', 'detection'):
msg = "Only 'classification' or 'detection' is supported now, but got {}.".format(
self._model_type)
LOGGER.error(TAG, msg)
raise ValueError(msg)
self._reserve_ratio = check_value_non_negative('reserve_ratio',
reserve_ratio)
if self._reserve_ratio > 1:
msg = 'reserve_ratio should be less than 1.0, but got {}.'.format(
self._reserve_ratio)
LOGGER.error(TAG, msg)
raise ValueError(TAG, msg)
def __init__(self,
target_model,
train_dataset,
neuron_num,
segmented_num=1000):
self._target_model = check_model('model', target_model, Model)
train_dataset = check_numpy_param('train_dataset', train_dataset)
self._coverage_metrics = ModelCoverageMetrics(target_model, neuron_num,
segmented_num,
train_dataset)
# Allowed mutate strategies so far.
self._strategies = {
'Contrast': Contrast,
'Brightness': Brightness,
'Blur': Blur,
'Noise': Noise,
'Translate': Translate,
'Scale': Scale,
'Shear': Shear,
'Rotate': Rotate,
'FGSM': FastGradientSignMethod,
'PGD': ProjectedGradientDescent,
'MDIIM': MomentumDiverseInputIterativeMethod
}
self._affine_trans_list = ['Translate', 'Scale', 'Shear', 'Rotate']
self._pixel_value_trans_list = [
'Contrast', 'Brightness', 'Blur', 'Noise'
]
self._attacks_list = ['FGSM', 'PGD', 'MDIIM']
self._attack_param_checklists = {
'FGSM': {
'eps': {
'dtype': [float],
'range': [0, 1]
},
'alpha': {
'dtype': [float],
'range': [0, 1]
},
'bounds': {
'dtype': [tuple]
}
},
'PGD': {
'eps': {
'dtype': [float],
'range': [0, 1]
},
'eps_iter': {
'dtype': [float],
'range': [0, 1]
},
'nb_iter': {
'dtype': [int],
'range': [0, 100000]
},
'bounds': {
'dtype': [tuple]
}
},
'MDIIM': {
'eps': {
'dtype': [float],
'range': [0, 1]
},
'norm_level': {
'dtype': [str, int],
'range': [1, 2, '1', '2', 'l1', 'l2', 'inf', 'np.inf']
},
'prob': {
'dtype': [float],
'range': [0, 1]
},
'bounds': {
'dtype': [tuple]
}
}
}