deeprobust.image.attack package¶
Submodules¶
deeprobust.image.attack.BPDA module¶
https://github.com/lordwarlock/Pytorch-BPDA/blob/master/bpda.py
deeprobust.image.attack.Nattack module¶
-
class
NATTACK
(model, device='cuda')[source]¶ Nattack is a black box attack algorithm.
-
generate
(**kwargs)[source]¶ Call this function to generate adversarial examples.
- Parameters
kwargs – user defined paremeters
-
parse_params
(dataloader, classnum, target_or_not=False, clip_max=1, clip_min=0, epsilon=0.2, population=300, max_iterations=400, learning_rate=2, sigma=0.1)[source]¶ parse_params.
- Parameters
dataloader – dataloader
classnum – classnum
target_or_not – target_or_not
clip_max – maximum pixel value
clip_min – minimum pixel value
epsilon – perturb constraint
population – population
max_iterations – maximum number of iterations
learning_rate – learning rate
sigma – sigma
-
deeprobust.image.attack.Universal module¶
https://github.com/ferjad/Universal_Adversarial_Perturbation_pytorch Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
-
universal_adversarial_perturbation
(dataloader, model, device, xi=10, delta=0.2, max_iter_uni=10, p=inf, num_classes=10, overshoot=0.02, max_iter_df=10, t_p=0.2)[source]¶ universal_adversarial_perturbation.
- Parameters
dataloader – dataloader
model – target model
device – device
xi – controls the l_p magnitude of the perturbation
delta – controls the desired fooling rate (default = 80% fooling rate)
max_iter_uni – maximum number of iteration (default = 10*num_images)
p – norm to be used (default = np.inf)
num_classes – num_classes (default = 10)
overshoot – to prevent vanishing updates (default = 0.02)
max_iter_df – maximum number of iterations for deepfool (default = 10)
t_p – truth percentage, for how many flipped labels in a batch. (default = 0.2)
- Returns
- Return type
the universal perturbation matrix.
deeprobust.image.attack.YOPOpgd module¶
-
class
FASTPGD
(eps=0.023529411764705882, sigma=0.011764705882352941, nb_iter=20, norm=inf, DEVICE=torch.device, mean=torch.tensor, std=torch.tensor, random_start=True)[source]¶ This module is the adversarial example gererated algorithm in YOPO.
References
Original code: https://github.com/a1600012888/YOPO-You-Only-Propagate-Once
deeprobust.image.attack.base_attack module¶
-
class
BaseAttack
(model, device='cuda')[source]¶ Attack base class.
-
check_type_device
(image, label)[source]¶ Check device, match variable type to device type.
- Parameters
image – image
label – label
-
deeprobust.image.attack.cw module¶
-
class
CarliniWagner
(model, device='cuda')[source]¶ C&W attack is an effective method to calcuate high-confidence adversarial examples.
References
- 1
Carlini, N., & Wagner, D. (2017, May). Towards evaluating the robustness of neural networks. https://arxiv.org/pdf/1608.04644.pdf
This reimplementation is based on https://github.com/kkew3/pytorch-cw2 Copyright 2018 Kaiwen Wu
Examples
>>> from deeprobust.image.attack.cw import CarliniWagner >>> from deeprobust.image.netmodels.CNN import Net >>> from deeprobust.image.config import attack_params
>>> model = Net() >>> model.load_state_dict(torch.load("./trained_models/MNIST_CNN_epoch_20.pt", map_location = torch.device('cuda'))) >>> model.eval()
>>> x,y = datasets.MNIST() >>> attack = CarliniWagner(model, device='cuda') >>> AdvExArray = attack.generate(x, y, target_label = 1, classnum = 10, **attack_params['CW_MNIST])
-
generate
(image, label, target_label, **kwargs)[source]¶ Call this function to generate adversarial examples.
- Parameters
image – original image
label – target label
kwargs – user defined paremeters
-
loss_function
(x_p, const, target, reconstructed_original, confidence, min_, max_)[source]¶ Returns the loss and the gradient of the loss w.r.t. x, assuming that logits = model(x).
-
parse_params
(classnum=10, confidence=0.0001, clip_max=1, clip_min=0, max_iterations=1000, initial_const=0.01, binary_search_steps=5, learning_rate=1e-05, abort_early=True)[source]¶ Parse the user defined parameters.
- Parameters
classnum – number of class
confidence – confidence
clip_max – maximum pixel value
clip_min – minimum pixel value
max_iterations – maximum number of iterations
initial_const – initialization of binary search
binary_search_steps – step number of binary search
learning_rate – learning rate
abort_early – Set abort_early = True to allow early stop
deeprobust.image.attack.deepfool module¶
-
class
DeepFool
(model, device='cuda')[source]¶ DeepFool attack.
-
generate
(image, label, **kwargs)[source]¶ Call this function to generate adversarial examples.
- Parameters
image (1*H*W*3) – original image
label (int) – target label
kwargs – user defined paremeters
- Returns
adversarial examples
- Return type
adv_img
-
parse_params
(num_classes=10, overshoot=0.02, max_iteration=50)[source]¶ Parse the user defined parameters
- Parameters
num_classes (int) – limits the number of classes to test against. (default = 10)
overshoot (float) – used as a termination criterion to prevent vanishing updates (default = 0.02).
max_iteration (int) – maximum number of iteration for deepfool (default = 50)
-
deeprobust.image.attack.fgsm module¶
-
class
FGSM
(model, device='cuda')[source]¶ FGSM attack is an one step gradient descent method.
-
generate
(image, label, **kwargs)[source]¶ ” Call this function to generate FGSM adversarial examples.
- Parameters
image – original image
label – target label
kwargs – user defined paremeters
-
parse_params
(epsilon=0.2, order=inf, clip_max=None, clip_min=None)[source]¶ Parse the user defined parameters. :param model: victim model :param image: original attack images :param label: target labels :param epsilon: perturbation constraint :param order: constraint type :param clip_min: minimum pixel value :param clip_max: maximum pixel value :param device: device type, cpu or gpu
- Returns
perturbed images
- Return type
[N*C*H*W], floatTensor
-
deeprobust.image.attack.l2_attack module¶
deeprobust.image.attack.lbfgs module¶
-
class
LBFGS
(model, device='cuda')[source]¶ LBFGS is the first adversarial generating algorithm.
-
generate
(image, label, target_label, **kwargs)[source]¶ Call this function to generate adversarial examples.
- Parameters
image – original image
label – target label
kwargs – user defined paremeters
-
parse_params
(clip_max=1, clip_min=0, class_num=10, epsilon=1e-05, maxiter=20)[source]¶ Parse the user defined parameters.
- Parameters
clip_max – maximum pixel value
clip_min – minimum pixel value
class_num – total number of class
epsilon – step length for binary seach
maxiter – maximum number of iterations
-
deeprobust.image.attack.onepixel module¶
-
class
Onepixel
(model, device='cuda')[source]¶ Onepixel attack is an algorithm that allow attacker to only manipulate one (or a few) pixel to mislead classifier. This is a re-implementation of One pixel attack. Copyright (c) 2018 Debang Li
References
Akhtar, N., & Mian, A. (2018).Threat of Adversarial Attacks on Deep Learning in Computer Vision: A Survey: A Survey. IEEE Access, 6, 14410-14430.
Reference code: https://github.com/DebangLi/one-pixel-attack-pytorch
-
generate
(image, label, **kwargs)[source]¶ Call this function to generate Onepixel adversarial examples.
- Parameters
image (1*3*W*H) – original image
label – target label
kwargs – user defined paremeters
-
parse_params
(pixels=1, maxiter=100, popsize=400, samples=100, targeted_attack=False, print_log=True, target=0)[source]¶ Parse the user-defined params.
- Parameters
pixels – maximum number of manipulated pixels
maxiter – maximum number of iteration
popsize – population size
samples – samples
targeted_attack – targeted attack or not
print_log – Set print_log = True to print out details in the searching algorithm
target – target label (if targeted attack is set to be True)
-
deeprobust.image.attack.pgd module¶
-
class
PGD
(model, device='cuda')[source]¶ This is the multi-step version of FGSM attack.
-
generate
(image, label, **kwargs)[source]¶ Call this function to generate PGD adversarial examples.
- Parameters
image – original image
label – target label
kwargs – user defined paremeters
-
parse_params
(epsilon=0.03, num_steps=40, step_size=0.01, clip_max=1.0, clip_min=0.0, mean=(0, 0, 0), std=(1.0, 1.0, 1, 0), print_process=False)[source]¶ parse_params.
- Parameters
epsilon – perturbation constraint
num_steps – iteration step
step_size – step size
clip_max – maximum pixel value
clip_min – minimum pixel value
print_process – whether to print out the log during optimization process, True or False print out the log during optimization process, True or False.
-