deeprobust.image.defense package

Submodules

deeprobust.image.defense.LIDclassifier module

This is an implementation of LID detector. Currently this implementation is under testing.

References

[1]Ma, Xingjun, Bo Li, Yisen Wang, Sarah M. Erfani, Sudanthi Wijewickrema, Grant Schoenebeck, Dawn Song, Michael E. Houle, and James Bailey. “Characterizing adversarial subspaces using local intrinsic dimensionality.” arXiv preprint arXiv:1801.02613 (2018).
[2]Original code:t https://github.com/xingjunm/lid_adversarial_subspace_detection

Copyright (c) 2018 Xingjun Ma

get_lid(model, X_test, X_test_noisy, X_test_adv, k, batch_size)[source]

get_lid.

Parameters:
  • model – model
  • X_test – clean data
  • X_test_noisy – noisy data
  • X_test_adv – adversarial data
  • k – k
  • batch_size – batch_size
train(self, device, train_loader, optimizer, epoch)[source]

train process.

Parameters:
  • device – device(option:’cpu’, ‘cuda’)
  • train_loader – train data loader
  • optimizer – optimizer
  • epoch – epoch

deeprobust.image.defense.TherEncoding module

This is an implementation of Thermometer Encoding.

References

[1]Buckman, Jacob, Aurko Roy, Colin Raffel, and Ian Goodfellow. “Thermometer encoding: One hot way to resist adversarial examples.” In International Conference on Learning Representations. 2018.
Thermometer(x, levels, flattened=False)[source]

Thermometer Encoding of the input.

one_hot(x, levels)[source]

One hot Encoding of the input.

one_hot_to_thermometer(x, levels, flattened=False)[source]

Convert One hot Encoding to Thermometer Encoding.

train(model, device, train_loader, optimizer, epoch)[source]

training process.

Parameters:
  • model – model
  • device – device
  • train_loader – training data loader
  • optimizer – optimizer
  • epoch – epoch

deeprobust.image.defense.YOPO module

This is an implementation of adversarial training variant: YOPO. .. rubric:: References

[1]Zhang, D., Zhang, T., Lu, Y., Zhu, Z., & Dong, B. (2019).

You only propagate once: Painless adversarial training using maximal principle. arXiv preprint arXiv:1905.00877.

[2]Original code: https://github.com/a1600012888/YOPO-You-Only-Propagate-Once
class CrossEntropyWithWeightPenlty(module, DEVICE, reg_cof=0.0001)[source]
class Hamiltonian(layer, reg_cof=0.0001)[source]
torch_accuracy(output, target, topk=(1, )) → List[<sphinx.ext.autodoc.importer._MockObject object at 0x7f2786a68e90>][source]

param output, target: should be torch Variable

train_one_epoch(net, batch_generator, optimizer, eps, criterion, LayerOneTrainner, K, DEVICE=<sphinx.ext.autodoc.importer._MockObject object>, descrip_str='Training')[source]
Parameters:
  • attack_freq – Frequencies of training with adversarial examples. -1 indicates natural training
  • AttackMethod – the attack method, None represents natural training
Returns:

None #(clean_acc, adv_acc)

deeprobust.image.defense.base_defense module

class BaseDefense(model, device)[source]

Defense base class.

adv_data(model, data, target, **kwargs)[source]

Generate adversarial examples for adversarial training. Overide this function to generate customize adv examples.

Parameters:
  • model – victim model
  • data – original data
  • target – target labels
  • kwargs – parameters
loss(output, target)[source]

Calculate training loss. Overide this function to customize loss.

Parameters:
  • output – model outputs
  • target – true labels
parse_params(**kwargs)[source]

Parse user defined parameters

save_model()[source]

Save model.

test(test_loader)[source]

test.

Parameters:test_loader – testing data
train(train_loader, optimizer, epoch)[source]

train.

Parameters:
  • train_loader – training data
  • optimizer – training optimizer
  • epoch – training epoch

deeprobust.image.defense.fast module

This is an implementation of adversarial training variant: fast

References

[1]Wong, Eric, Leslie Rice, and J. Zico Kolter. “Fast is better than free: Revisiting adversarial training.” arXiv preprint arXiv:2001.03994 (2020).
class Fast(model, device)[source]
adv_data(data, output, ep=0.3, num_steps=40)[source]

Generate adversarial examples for adversarial training. Overide this function to generate customize adv examples.

Parameters:
  • model – victim model
  • data – original data
  • target – target labels
  • kwargs – parameters
calculate_loss(output, target, redmode='mean')[source]

Calculate loss for training.

generate(train_loader, test_loader, **kwargs)[source]

FGSM defense process:

parse_params(save_dir='defense_models', save_model=True, save_name='fast_mnist_fgsmtraining_0.2.pt', epsilon=0.2, epoch_num=30, lr_train=0.005, momentum=0.1)[source]

Parse user defined parameters

test(model, device, test_loader)[source]

Testing process.

train(device, train_loader, optimizer, epoch)[source]

Training process.

deeprobust.image.defense.fgsmtraining module

This is the implementation of fgsm training.

References

..[1]Szegedy, C., Zaremba, W., Sutskever, I., Estrach, J. B., Erhan, D., Goodfellow, I., & Fergus, R. (2014, January). Intriguing properties of neural networks.

class FGSMtraining(model, device)[source]

FGSM adversarial training.

adv_data(data, output, ep=0.3, num_steps=40)[source]

Generate adversarial data for training.

Parameters:
  • data – data
  • output – output
  • ep – epsilon, perturbation budget.
  • num_steps – iteration steps
calculate_loss(output, target, redmode='mean')[source]

Calculate loss for training.

generate(train_loader, test_loader, **kwargs)[source]

FGSM adversarial training process.

Parameters:
  • train_loader – training data loader
  • test_loader – testing data loader
  • kwargs – kwargs
parse_params(save_dir='defense_models', save_model=True, save_name='mnist_fgsmtraining_0.2.pt', epsilon=0.2, epoch_num=50, lr_train=0.005, momentum=0.1)[source]

parse_params.

Parameters:
  • save_dir – dir
  • save_model – Whether to save model
  • save_name – model name
  • epsilon – attack perturbation constraint
  • epoch_num – number of training epoch
  • lr_train – training learning rate
  • momentum – momentum for optimizor
test(model, device, test_loader)[source]

testing process.

Parameters:
  • model – model
  • device – device
  • test_loader – testing dataloder
train(device, train_loader, optimizer, epoch)[source]

training process.

Parameters:
  • device – device
  • train_loader – training data loader
  • optimizer – optimizer
  • epoch – training epoch

deeprobust.image.defense.pgdtraining module

This is an implementation of pgd adversarial training. .. rubric:: References

..[1]Mądry, A., Makelov, A., Schmidt, L., Tsipras, D., & Vladu, A. (2017). Towards Deep Learning Models Resistant to Adversarial Attacks. stat, 1050, 9.

class PGDtraining(model, device)[source]

PGD adversarial training.

adv_data(data, output, ep=0.3, num_steps=10, perturb_step_size=0.01)[source]

Generate input(adversarial) data for training.

calculate_loss(output, target, redmode='mean')[source]

Calculate loss for training.

generate(train_loader, test_loader, **kwargs)[source]

Call this function to generate robust model.

Parameters:
  • train_loader – training data loader
  • test_loader – testing data loader
  • kwargs – kwargs
parse_params(epoch_num=100, save_dir='./defense_models', save_name='mnist_pgdtraining_0.3', save_model=True, epsilon=0.03137254901960784, num_steps=10, perturb_step_size=0.01, lr=0.1, momentum=0.1, save_per_epoch=10)[source]

Parameter parser.

Parameters:
  • epoch_num (int) – epoch
  • save_dir (str) – model dir
  • save_name (str) – model name
  • save_model (bool) – Whether to save model
  • epsilon (float) – attack constraint
  • num_steps (int) – PGD attack iteration time
  • perturb_step_size (float) – perturb step size
  • lr (float) – learning rate for adversary training process
  • momentum (float) – momentum for optimizor
test(model, device, test_loader)[source]

testing process.

Parameters:
  • model – model
  • device – device
  • test_loader – testing dataloder
train(device, train_loader, optimizer, epoch)[source]

training process.

Parameters:
  • device – device
  • train_loader – training data loader
  • optimizer – optimizer
  • epoch – training epoch

deeprobust.image.defense.trades module

This is an implementation of [1] .. rubric:: References

[1]Zhang, H., Yu, Y., Jiao, J., Xing, E., El Ghaoui, L., & Jordan, M. (2019, May).

Theoretically Principled Trade-off between Robustness and Accuracy. In International Conference on Machine Learning (pp. 7472-7482).

This implementation is based on their code: https://github.com/yaodongyu/TRADES Copyright (c) 2019 Hongyang Zhang, Yaodong Yu

class TRADES(model, device='cuda')[source]

TRADES.

generate(train_loader, test_loader, **kwargs)[source]

generate robust model.

Parameters:
  • train_loader – train_loader
  • test_loader – test_loader
  • kwargs – kwargs
parse_params(epochs=100, lr=0.01, momentum=0.9, epsilon=0.3, num_steps=40, step_size=0.01, beta=1.0, seed=1, log_interval=100, save_dir='./defense_model', save_freq=10)[source]
:param epoch : int
  • pgd training epoch
:param save_dir : str
  • directory path to save model
:param epsilon : float
  • perturb constraint of pgd adversary example used to train defense model
:param num_steps : int
  • the perturb
:param perturb_step_size : float
  • step_size
:param lr : float
  • learning rate for adversary training process
:param momentum : float
  • parameter for optimizer in training process
test(model, device, test_loader)[source]

test.

Parameters:test_loader – testing data
train(device, train_loader, optimizer, epoch)[source]

train.

Parameters:
  • train_loader – training data
  • optimizer – training optimizer
  • epoch – training epoch

Module contents