def sparsefool(x_0, net, lb, ub, lambda_=3., max_iter=20, epsilon=0.02, device='cuda', fixed_iter=False): pred_label = torch.argmax( net.forward(Variable(x_0, requires_grad=True)).data).item() x_i = copy.deepcopy(x_0) fool_im = copy.deepcopy(x_i) fool_label = pred_label loops = 0 if fixed_iter: while loops < max_iter: normal, x_adv = deepfool(x_i, net, lambda_, device=device) x_i = linear_solver(x_i, normal, x_adv, lb, ub) fool_im = x_0 + (1 + epsilon) * (x_i - x_0) fool_im = clip_image_values(fool_im, lb, ub) fool_label = torch.argmax( net.forward(Variable(fool_im, requires_grad=True)).data).item() loops += 1 r = fool_im - x_0 print('Number of loops: ', loops) return fool_im, r, pred_label, fool_label, loops else: while fool_label == pred_label and loops < max_iter: normal, x_adv = deepfool(x_i, net, lambda_, device=device) x_i = linear_solver(x_i, normal, x_adv, lb, ub) fool_im = x_0 + (1 + epsilon) * (x_i - x_0) fool_im = clip_image_values(fool_im, lb, ub) fool_label = torch.argmax( net.forward(Variable(fool_im, requires_grad=True)).data).item() loops += 1 r = fool_im - x_0 print('Number of loops: ', loops) return fool_im, r, pred_label, fool_label, loops
def go_to_boundary(x_0, grad, x_b): epsilon = 5 num_calls = 1 perturbed = x_0 if dist == 'l1' or dist == 'l2': grads = grad if dist == 'linf': grads = torch.sign(grad)/torch.norm(grad) while is_adversarial(perturbed, orig_label) == 0: perturbed = x_0 + (num_calls*epsilon* grads[0]) perturbed = clip_image_values(perturbed, lb, ub) num_calls += 1 if num_calls > 100: print('falied ... ') break print return perturbed, num_calls, epsilon*num_calls
def sparsefool_1(x_0, net, lb, ub, lambda_=3., max_iter=20, epsilon=0.1, device='cuda',fixed_iter=False): pred_label = torch.argmax(net.forward(Variable(x_0, requires_grad=True)).data).item() x_i = copy.deepcopy(x_0) fool_im_100 = copy.deepcopy(x_i) fool_im_40 = copy.deepcopy(x_i) fool_im_70 = copy.deepcopy(x_i) fool_label = pred_label loops = 0 while loops < max_iter: normal, x_adv = deepfool(x_i, net, lambda_, device=device) x_i = linear_solver(x_i, normal, x_adv, lb, ub) fool_im_100 = x_0 + (1 + epsilon) * (x_i - x_0) fool_im_100 = clip_image_values(fool_im_100, lb, ub) fool_label = torch.argmax(net.forward(Variable(fool_im_100, requires_grad=True)).data).item() loops += 1 if loops == 30: fool_im_40 = copy.deepcopy(fool_im_100) elif loops == 45: fool_im_70 = copy.deepcopy(fool_im_100) r_40 = fool_im_40 -x_0 r_70 = fool_im_70 - x_0 r_100 = fool_im_100 - x_0 return fool_im_40, fool_im_70, fool_im_100, r_40, r_70, r_100, pred_label, fool_label, loops
def GeoDA(x_b, iteration, q_opt): norms = [] q_num = 0 grad = 0 for i in range(iteration): t1 = time.time() random_vec_o = torch.randn(q_opt[i],3,224,224) grad_oi, ratios = black_grad_batch(x_b, q_opt[i], sigma, random_vec_o, grad_estimator_batch_size , orig_label) q_num = q_num + q_opt[i] grad = grad_oi + grad x_adv, qs, eps = go_to_boundary(x_0, grad, x_b) q_num = q_num + qs x_adv, bin_query = bin_search(x_0, x_adv, tol) q_num = q_num + bin_query x_b = x_adv t2 = time.time() x_adv_inv = inv_tf(x_adv.cpu().numpy()[0,:,:,:].squeeze(), mean, std) if dist == 'l1' or dist == 'l2': dp = 'l2' norm_p = linalg.norm(x_adv_inv-image_fb) if dist == 'linf': dp = dist norm_p = np.max(abs(x_adv_inv-image_fb)) if verbose_control == 'Yes': message = ' (took {:.5f} seconds)'.format(t2 - t1) print('iteration -> ' + str(i) + str(message) + ' -- ' + dp + ' norm is -> ' + str(norm_p)) x_adv = clip_image_values(x_adv, lb, ub) return x_adv, q_num, grad
def find_random_adversarial(image, epsilon=1000): num_calls = 1 step = 0.02 perturbed = x_0 while is_adversarial(perturbed, orig_label) == 0: pert = torch.randn([1,3,224,224]) pert = pert.to(device) perturbed = image + num_calls*step* pert perturbed = clip_image_values(perturbed, lb, ub) perturbed = perturbed.to(device) num_calls += 1 return perturbed, num_calls
def linear_solver(x_0, normal, boundary_point, lb, ub): input_shape = x_0.size() coord_vec = copy.deepcopy(normal) plane_normal = copy.deepcopy(coord_vec).view(-1) plane_point = copy.deepcopy(boundary_point).view(-1) x_i = copy.deepcopy(x_0) f_k = torch.dot(plane_normal, x_0.view(-1) - plane_point) sign_true = f_k.sign().item() beta = 0.001 * sign_true current_sign = sign_true while current_sign == sign_true and coord_vec.nonzero().size()[0] > 0: f_k = torch.dot(plane_normal, x_i.view(-1) - plane_point) + beta pert = f_k.abs() / coord_vec.abs().max() mask = torch.zeros_like(coord_vec) mask[np.unravel_index( torch.argmax(coord_vec.abs()).cpu(), input_shape)] = 1. r_i = torch.clamp(pert, min=1e-4) * mask * coord_vec.sign() x_i = x_i + r_i x_i = clip_image_values(x_i, lb, ub) f_k = torch.dot(plane_normal, x_i.view(-1) - plane_point) current_sign = f_k.sign().item() coord_vec[r_i != 0] = 0 return x_i
grad_l2 = gradient[0, :, :, :] / torch.norm(gradient[0, :, :, :]) k = 10 mid = 0 mint = 0 maxt = 3 * 224 * 224 dist = norm_inv_opt multip = delt / np.sqrt(dist) for q_ind in range(20): mid = round((mint + maxt) / 2) grad_sp = topk_3D(grad_l2, mid) grad_sp = grad_sp[None, :, :, :].to(device) image_perturbed = x_0 + 5 * grad_sp perturbed_clip = clip_image_values(image_perturbed, lb, ub) pert = clip_image_values(100 * grad_sp, lb, ub) x_B = x_0 + multip * (x_adv - x_0 / torch.norm(x_adv - x_0)) grad_flatten = grad_l2.cpu().numpy().reshape(-1) vec = perturbed_clip - x_B vec_flatten = vec.cpu().numpy().reshape(-1) hyperplane = np.inner(grad_flatten, vec_flatten) if hyperplane > 0: maxt = mid + 1 else: mint = mid - 1