deeprobust.image.attack package

Submodules

deeprobust.image.attack.BPDA module
Reference code: https://github.com/lordwarlock/Pytorch-BPDA/blob/master/bpda.py
deeprobust.image.attack.Nattack module

class NATTACK(model, device='cuda')
NATTACK is a black-box attack algorithm.
generate(**kwargs)
Call this function to generate adversarial examples.
Parameters: kwargs – user-defined parameters
parse_params(dataloader, classnum, target_or_not=False, clip_max=1, clip_min=0, epsilon=0.2, population=300, max_iterations=400, learning_rate=2, sigma=0.1)
Parse the user-defined parameters.
Parameters: - dataloader – dataloader supplying the images to attack
- classnum – number of classes of the victim model
- target_or_not – whether to perform a targeted attack
- clip_max – maximum pixel value
- clip_min – minimum pixel value
- epsilon – perturbation constraint
- population – number of samples drawn per iteration
- max_iterations – maximum number of iterations
- learning_rate – learning rate
- sigma – standard deviation of the sampling distribution
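Examples

A minimal usage sketch, not taken from the DeepRobust docs: it assumes a trained MNIST CNN checkpoint (path borrowed from the CarliniWagner example below), a standard torchvision test loader, and that generate forwards its keyword arguments to parse_params, as the signatures above suggest.

>>> import torch
>>> from torch.utils.data import DataLoader
>>> from torchvision import datasets, transforms
>>> from deeprobust.image.attack.Nattack import NATTACK
>>> from deeprobust.image.netmodels.CNN import Net
>>> model = Net()
>>> model.load_state_dict(torch.load("./trained_models/MNIST_CNN_epoch_20.pt", map_location=torch.device('cuda')))
>>> model.eval()
>>> test_loader = DataLoader(datasets.MNIST('./data', train=False, download=True, transform=transforms.ToTensor()), batch_size=1, shuffle=False)
>>> attack = NATTACK(model, device='cuda')
>>> attack.generate(dataloader=test_loader, classnum=10, epsilon=0.2)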
deeprobust.image.attack.Universal module

Reference code: https://github.com/ferjad/Universal_Adversarial_Perturbation_pytorch

universal_adversarial_perturbation(dataloader, model, device, xi=10, delta=0.2, max_iter_uni=10, p=inf, num_classes=10, overshoot=0.02, max_iter_df=10, t_p=0.2)
Compute a universal adversarial perturbation over the images provided by the dataloader.
Parameters: - dataloader – dataloader supplying the images
- model – target model
- device – device
- xi – controls the l_p magnitude of the perturbation
- delta – controls the desired fooling rate (the default corresponds to an 80% fooling rate)
- max_iter_uni – maximum number of iterations (default = 10 * num_images)
- p – norm to be used (default = np.inf)
- num_classes – number of classes (default = 10)
- overshoot – used to prevent vanishing updates (default = 0.02)
- max_iter_df – maximum number of iterations for DeepFool (default = 10)
- t_p – truth percentage: the fraction of flipped labels in a batch (default = 0.2)
Returns: the universal perturbation matrix.
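Examples

A minimal usage sketch, not taken from the DeepRobust docs: model and test_loader are assumed to be a trained classifier and a test dataloader prepared as in the NATTACK example above, and passing the device as the string 'cuda' is an assumption.

>>> import numpy as np
>>> from deeprobust.image.attack.Universal import universal_adversarial_perturbation
>>> v = universal_adversarial_perturbation(test_loader, model, 'cuda', xi=10, delta=0.2, p=np.inf, num_classes=10)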
deeprobust.image.attack.YOPOpgd module

class FASTPGD(eps=6/255, sigma=3/255, nb_iter=20, norm=inf, DEVICE=..., mean=..., std=..., random_start=True)
This class implements the adversarial example generation algorithm used in YOPO. (The DEVICE, mean, and std defaults are torch objects that were not rendered when these docs were built; eps and sigma default to 6/255 and 3/255.)
References
Original code: https://github.com/a1600012888/YOPO-You-Only-Propagate-Once
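Examples

A construction-only sketch, not taken from the YOPO docs: the eps/sigma values (8/255 and 2/255) and the scalar mean/std tensors are illustrative assumptions; see the original repository above for how the adversary is invoked on a batch.

>>> import numpy as np
>>> import torch
>>> from deeprobust.image.attack.YOPOpgd import FASTPGD
>>> adversary = FASTPGD(eps=8/255, sigma=2/255, nb_iter=20, norm=np.inf, DEVICE=torch.device('cuda'), mean=torch.tensor([0.0]), std=torch.tensor([1.0]), random_start=True)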
deeprobust.image.attack.base_attack module

class BaseAttack(model, device='cuda')
Attack base class.

check_type_device(image, label)
Check the device and match the variable types to the device type.
Parameters: - image – image
- label – label
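Examples

Concrete attacks in this package subclass BaseAttack and override generate (and usually parse_params). A minimal, hypothetical sketch of that pattern; the no-op IdentityAttack below is for illustration only:

>>> from deeprobust.image.attack.base_attack import BaseAttack
>>> class IdentityAttack(BaseAttack):
...     def generate(self, image, label, **kwargs):
...         self.check_type_device(image, label)  # move inputs to the configured device
...         return image  # a real attack would return a perturbed image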
deeprobust.image.attack.cw module

class CarliniWagner(model, device='cuda')
The C&W attack is an effective method for calculating high-confidence adversarial examples.

References
[1] Carlini, N., & Wagner, D. (2017). Towards evaluating the robustness of neural networks. https://arxiv.org/pdf/1608.04644.pdf
This reimplementation is based on https://github.com/kkew3/pytorch-cw2 (Copyright 2018 Kaiwen Wu).
Examples

>>> import torch
>>> from deeprobust.image.attack.cw import CarliniWagner
>>> from deeprobust.image.netmodels.CNN import Net
>>> from deeprobust.image.config import attack_params
>>> model = Net()
>>> model.load_state_dict(torch.load("./trained_models/MNIST_CNN_epoch_20.pt", map_location=torch.device('cuda')))
>>> model.eval()
>>> x, y = datasets.MNIST()
>>> attack = CarliniWagner(model, device='cuda')
>>> AdvExArray = attack.generate(x, y, target_label=1, classnum=10, **attack_params['CW_MNIST'])
generate(image, label, target_label, **kwargs)
Call this function to generate adversarial examples.
Parameters: - image – original image
- label – true label of the original image
- target_label – label to which the attack is targeted
- kwargs – user-defined parameters
loss_function(x_p, const, target, reconstructed_original, confidence, min_, max_)
Returns the loss and the gradient of the loss w.r.t. x, assuming that logits = model(x).
parse_params(classnum=10, confidence=0.0001, clip_max=1, clip_min=0, max_iterations=1000, initial_const=0.01, binary_search_steps=5, learning_rate=1e-05, abort_early=True)
Parse the user-defined parameters.
Parameters: - classnum – number of classes
- confidence – required confidence margin of the adversarial example
- clip_max – maximum pixel value
- clip_min – minimum pixel value
- max_iterations – maximum number of iterations
- initial_const – initial value of the constant for the binary search
- binary_search_steps – number of binary search steps
- learning_rate – learning rate
- abort_early – set abort_early = True to allow early stopping
deeprobust.image.attack.deepfool module

class DeepFool(model, device='cuda')
DeepFool attack.
generate(image, label, **kwargs)
Call this function to generate adversarial examples.
Parameters: - image (1*H*W*3) – original image
- label (int) – true label of the image
- kwargs – user-defined parameters
Returns: adversarial examples
Return type: adv_img
parse_params(num_classes=10, overshoot=0.02, max_iteration=50)
Parse the user-defined parameters.
Parameters: - num_classes (int) – limits the number of classes to test against (default = 10)
- overshoot (float) – used as a termination criterion to prevent vanishing updates (default = 0.02)
- max_iteration (int) – maximum number of iterations for DeepFool (default = 50)
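Examples

A minimal usage sketch, not taken from the DeepRobust docs: model, x, and y are assumed to be a trained classifier and a single image/label pair, prepared as in the CarliniWagner example above.

>>> from deeprobust.image.attack.deepfool import DeepFool
>>> attack = DeepFool(model, device='cuda')
>>> adv_img = attack.generate(x, y, num_classes=10, overshoot=0.02, max_iteration=50)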
deeprobust.image.attack.fgsm module

class FGSM(model, device='cuda')
The FGSM attack is a one-step gradient method.
generate(image, label, **kwargs)
Call this function to generate FGSM adversarial examples.
Parameters: - image – original image
- label – target label
- kwargs – user-defined parameters
parse_params(epsilon=0.2, order=inf, clip_max=None, clip_min=None)
Parse the user-defined parameters.
Parameters: - epsilon – perturbation constraint
- order – constraint type (norm of the perturbation)
- clip_max – maximum pixel value
- clip_min – minimum pixel value
Returns: perturbed images
Return type: [N*C*H*W], floatTensor
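Examples

A minimal usage sketch under the same assumptions as the DeepFool example above (model, x, and y prepared as in the CarliniWagner example).

>>> from deeprobust.image.attack.fgsm import FGSM
>>> attack = FGSM(model, device='cuda')
>>> adv = attack.generate(x, y, epsilon=0.2, clip_max=1, clip_min=0)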
deeprobust.image.attack.l2_attack module

deeprobust.image.attack.lbfgs module

class LBFGS(model, device='cuda')
LBFGS was the first adversarial example generation algorithm (Szegedy et al., 2014).
generate(image, label, target_label, **kwargs)
Call this function to generate adversarial examples.
Parameters: - image – original image
- label – true label of the original image
- target_label – label to which the attack is targeted
- kwargs – user-defined parameters
parse_params(clip_max=1, clip_min=0, class_num=10, epsilon=1e-05, maxiter=20)
Parse the user-defined parameters.
Parameters: - clip_max – maximum pixel value
- clip_min – minimum pixel value
- class_num – total number of classes
- epsilon – step length for the binary search
- maxiter – maximum number of iterations
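Examples

A minimal usage sketch under the same assumptions as the examples above; target_label = 1 is an arbitrary illustrative choice.

>>> from deeprobust.image.attack.lbfgs import LBFGS
>>> attack = LBFGS(model, device='cuda')
>>> adv = attack.generate(x, y, target_label=1, class_num=10, maxiter=20)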
deeprobust.image.attack.onepixel module

class Onepixel(model, device='cuda')
The one-pixel attack allows an attacker to manipulate only one (or a few) pixels to mislead a classifier. This is a re-implementation of the one-pixel attack (Copyright (c) 2018 Debang Li).

References
Akhtar, N., & Mian, A. (2018). Threat of Adversarial Attacks on Deep Learning in Computer Vision: A Survey. IEEE Access, 6, 14410-14430.
Reference code: https://github.com/DebangLi/one-pixel-attack-pytorch
generate(image, label, **kwargs)
Call this function to generate one-pixel adversarial examples.
Parameters: - image (1*3*W*H) – original image
- label – target label
- kwargs – user-defined parameters
parse_params(pixels=1, maxiter=100, popsize=400, samples=100, targeted_attack=False, print_log=True, target=0)
Parse the user-defined parameters.
Parameters: - pixels – maximum number of manipulated pixels
- maxiter – maximum number of iterations
- popsize – population size of the differential evolution search
- samples – number of samples
- targeted_attack – whether to perform a targeted attack
- print_log – set print_log = True to print details of the search algorithm
- target – target label (used when targeted_attack is True)
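Examples

A minimal usage sketch under the same assumptions as the examples above; note the expected image shape is 1*3*W*H.

>>> from deeprobust.image.attack.onepixel import Onepixel
>>> attack = Onepixel(model, device='cuda')
>>> adv = attack.generate(x, y, pixels=1, maxiter=100, popsize=400)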
deeprobust.image.attack.pgd module

class PGD(model, device='cuda')
PGD is the multi-step version of the FGSM attack.
generate(image, label, **kwargs)
Call this function to generate PGD adversarial examples.
Parameters: - image – original image
- label – target label
- kwargs – user-defined parameters
parse_params(epsilon=0.03, num_steps=40, step_size=0.01, clip_max=1.0, clip_min=0.0, mean=(0, 0, 0), std=(1.0, 1.0, 1.0), print_process=False)
Parse the user-defined parameters.
Parameters: - epsilon – perturbation constraint
- num_steps – number of iteration steps
- step_size – step size
- clip_max – maximum pixel value
- clip_min – minimum pixel value
- mean – per-channel mean used to normalize the input
- std – per-channel standard deviation used to normalize the input
- print_process – whether to print the log during the optimization process (True or False)
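Examples

A minimal usage sketch under the same assumptions as the examples above.

>>> from deeprobust.image.attack.pgd import PGD
>>> attack = PGD(model, device='cuda')
>>> adv = attack.generate(x, y, epsilon=0.03, num_steps=40, step_size=0.01)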