deeprobust.image.attack package

Submodules

deeprobust.image.attack.Nattack module

class NATTACK(model, device='cuda')[source]

Nattack is a black box attack algorithm.

generate(**kwargs)[source]

Call this function to generate adversarial examples.

Parameters:kwargs – user defined paremeters
parse_params(dataloader, classnum, target_or_not=False, clip_max=1, clip_min=0, epsilon=0.2, population=300, max_iterations=400, learning_rate=2, sigma=0.1)[source]

parse_params.

Parameters:
  • dataloader – dataloader
  • classnum – classnum
  • target_or_not – target_or_not
  • clip_max – maximum pixel value
  • clip_min – minimum pixel value
  • epsilon – perturb constraint
  • population – population
  • max_iterations – maximum number of iterations
  • learning_rate – learning rate
  • sigma – sigma

deeprobust.image.attack.Universal module

https://github.com/ferjad/Universal_Adversarial_Perturbation_pytorch Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>

universal_adversarial_perturbation(dataloader, model, device, xi=10, delta=0.2, max_iter_uni=10, p=inf, num_classes=10, overshoot=0.02, max_iter_df=10, t_p=0.2)[source]

universal_adversarial_perturbation.

Parameters:
  • dataloader – dataloader
  • model – target model
  • device – device
  • xi – controls the l_p magnitude of the perturbation
  • delta – controls the desired fooling rate (default = 80% fooling rate)
  • max_iter_uni – maximum number of iteration (default = 10*num_images)
  • p – norm to be used (default = np.inf)
  • num_classes – num_classes (default = 10)
  • overshoot – to prevent vanishing updates (default = 0.02)
  • max_iter_df – maximum number of iterations for deepfool (default = 10)
  • t_p – truth percentage, for how many flipped labels in a batch. (default = 0.2)
Returns:
Return type:

the universal perturbation matrix.

deeprobust.image.attack.YOPOpgd module

class FASTPGD(eps=0.023529411764705882, sigma=0.011764705882352941, nb_iter=20, norm=inf, DEVICE=<sphinx.ext.autodoc.importer._MockObject object>, mean=<sphinx.ext.autodoc.importer._MockObject object>, std=<sphinx.ext.autodoc.importer._MockObject object>, random_start=True)[source]

This module is the adversarial example gererated algorithm in YOPO.

References

Original code: https://github.com/a1600012888/YOPO-You-Only-Propagate-Once

single_attack(net, inp, label, eta, target=None)[source]

Given the original image and the perturbation computed so far, computes a new perturbation. :param net: :param inp: original image :param label: :param eta: perturbation computed so far :return: a new perturbation

deeprobust.image.attack.base_attack module

class BaseAttack(model, device='cuda')[source]

Attack base class.

check_type_device(image, label)[source]

Check device, match variable type to device type.

Parameters:
  • image – image
  • label – label
generate(image, label, **kwargs)[source]

Overide this function for the main body of attack algorithm.

Parameters:
  • image – original image
  • label – original label
  • kwargs – user defined parameters
parse_params(**kwargs)[source]

Parse user defined parameters.

deeprobust.image.attack.cw module

class CarliniWagner(model, device='cuda')[source]

C&W attack is an effective method to calcuate high-confidence adversarial examples.

References

[1]Carlini, N., & Wagner, D. (2017, May). Towards evaluating the robustness of neural networks. https://arxiv.org/pdf/1608.04644.pdf

This reimplementation is based on https://github.com/kkew3/pytorch-cw2 Copyright 2018 Kaiwen Wu

Examples

>>> from deeprobust.image.attack.cw import CarliniWagner
>>> from deeprobust.image.netmodels.CNN import Net
>>> from deeprobust.image.config import attack_params

>>> model = Net()
>>> model.load_state_dict(torch.load("./trained_models/MNIST_CNN_epoch_20.pt", map_location = torch.device('cuda')))
>>> model.eval()

>>> x,y = datasets.MNIST()
>>> attack = CarliniWagner(model, device='cuda')
>>> AdvExArray = attack.generate(x, y, target_label = 1, classnum = 10, **attack_params['CW_MNIST])
generate(image, label, target_label, **kwargs)[source]

Call this function to generate adversarial examples.

Parameters:
  • image – original image
  • label – target label
  • kwargs – user defined paremeters
loss_function(x_p, const, target, reconstructed_original, confidence, min_, max_)[source]

Returns the loss and the gradient of the loss w.r.t. x, assuming that logits = model(x).

parse_params(classnum=10, confidence=0.0001, clip_max=1, clip_min=0, max_iterations=1000, initial_const=0.01, binary_search_steps=5, learning_rate=1e-05, abort_early=True)[source]

Parse the user defined parameters.

Parameters:
  • classnum – number of class
  • confidence – confidence
  • clip_max – maximum pixel value
  • clip_min – minimum pixel value
  • max_iterations – maximum number of iterations
  • initial_const – initialization of binary search
  • binary_search_steps – step number of binary search
  • learning_rate – learning rate
  • abort_early – Set abort_early = True to allow early stop
pending_f(x_p)[source]

Pending is the loss function is less than 0

to_model_space(x)[source]

Transforms an input from the attack space to the model space. This transformation and the returned gradient are elementwise.

deeprobust.image.attack.deepfool module

class DeepFool(model, device='cuda')[source]

DeepFool attack.

generate(image, label, **kwargs)[source]

Call this function to generate adversarial examples.

Parameters:
  • image (1*H*W*3) – original image
  • label (int) – target label
  • kwargs – user defined paremeters
Returns:

adversarial examples
Return type:

adv_img
parse_params(num_classes=10, overshoot=0.02, max_iteration=50)[source]

Parse the user defined parameters

Parameters:
  • num_classes (int) – limits the number of classes to test against. (default = 10)
  • overshoot (float) – used as a termination criterion to prevent vanishing updates (default = 0.02).
  • max_iteration (int) – maximum number of iteration for deepfool (default = 50)

deeprobust.image.attack.fgsm module

class FGSM(model, device='cuda')[source]

FGSM attack is an one step gradient descent method.

generate(image, label, **kwargs)[source]

” Call this function to generate FGSM adversarial examples.

Parameters:
  • image – original image
  • label – target label
  • kwargs – user defined paremeters
parse_params(epsilon=0.2, order=inf, clip_max=None, clip_min=None)[source]

Parse the user defined parameters. :param model: victim model :param image: original attack images :param label: target labels :param epsilon: perturbation constraint :param order: constraint type :param clip_min: minimum pixel value :param clip_max: maximum pixel value :param device: device type, cpu or gpu

Returns:perturbed images
Return type:[N*C*H*W], floatTensor

deeprobust.image.attack.l2_attack module

deeprobust.image.attack.lbfgs module

class LBFGS(model, device='cuda')[source]

LBFGS is the first adversarial generating algorithm.

generate(image, label, target_label, **kwargs)[source]

Call this function to generate adversarial examples.

Parameters:
  • image – original image
  • label – target label
  • kwargs – user defined paremeters
parse_params(clip_max=1, clip_min=0, class_num=10, epsilon=1e-05, maxiter=20)[source]

Parse the user defined parameters.

Parameters:
  • clip_max – maximum pixel value
  • clip_min – minimum pixel value
  • class_num – total number of class
  • epsilon – step length for binary seach
  • maxiter – maximum number of iterations

deeprobust.image.attack.onepixel module

class Onepixel(model, device='cuda')[source]

Onepixel attack is an algorithm that allow attacker to only manipulate one (or a few) pixel to mislead classifier. This is a re-implementation of One pixel attack. Copyright (c) 2018 Debang Li

References

Akhtar, N., & Mian, A. (2018).Threat of Adversarial Attacks on Deep Learning in Computer Vision: A Survey: A Survey. IEEE Access, 6, 14410-14430.

Reference code: https://github.com/DebangLi/one-pixel-attack-pytorch

generate(image, label, **kwargs)[source]

Call this function to generate Onepixel adversarial examples.

Parameters:
  • image (1*3*W*H) – original image
  • label – target label
  • kwargs – user defined paremeters
parse_params(pixels=1, maxiter=100, popsize=400, samples=100, targeted_attack=False, print_log=True, target=0)[source]

Parse the user-defined params.

Parameters:
  • pixels – maximum number of manipulated pixels
  • maxiter – maximum number of iteration
  • popsize – population size
  • samples – samples
  • targeted_attack – targeted attack or not
  • print_log – Set print_log = True to print out details in the searching algorithm
  • target – target label (if targeted attack is set to be True)

deeprobust.image.attack.pgd module

class PGD(model, device='cuda')[source]

This is the multi-step version of FGSM attack.

generate(image, label, **kwargs)[source]

Call this function to generate PGD adversarial examples.

Parameters:
  • image – original image
  • label – target label
  • kwargs – user defined paremeters
parse_params(epsilon=0.03, num_steps=40, step_size=0.01, clip_max=1.0, clip_min=0.0, mean=(0, 0, 0), std=(1.0, 1.0, 1, 0), print_process=False)[source]

parse_params.

Parameters:
  • epsilon – perturbation constraint
  • num_steps – iteration step
  • step_size – step size
  • clip_max – maximum pixel value
  • clip_min – minimum pixel value
  • print_process – whether to print out the log during optimization process, True or False print out the log during optimization process, True or False.

Module contents