| | import numpy as np |
| | import torch |
| | import torch.nn as nn |
| | from torch.autograd import Variable |
| | import torch.optim as optim |
| | import torch.nn.functional as F |
| |
|
| | from deeprobust.image.attack.base_attack import BaseAttack |
| |
|
| | class PGD(BaseAttack): |
| | """ |
| | This is the multi-step version of FGSM attack. |
| | """ |
| |
|
| |
|
| | def __init__(self, model, device = 'cuda'): |
| |
|
| | super(PGD, self).__init__(model, device) |
| |
|
| | def generate(self, image, label, **kwargs): |
| | """ |
| | Call this function to generate PGD adversarial examples. |
| | |
| | Parameters |
| | ---------- |
| | image : |
| | original image |
| | label : |
| | target label |
| | kwargs : |
| | user defined paremeters |
| | """ |
| |
|
| | |
| | label = label.type(torch.FloatTensor) |
| |
|
| | assert self.check_type_device(image, label) |
| | assert self.parse_params(**kwargs) |
| |
|
| | return pgd_attack(self.model, |
| | self.image, |
| | self.label, |
| | self.epsilon, |
| | self.clip_max, |
| | self.clip_min, |
| | self.num_steps, |
| | self.step_size, |
| | self.print_process, |
| | self.bound) |
| | |
| |
|
| | def parse_params(self, |
| | epsilon = 0.03, |
| | num_steps = 40, |
| | step_size = 0.01, |
| | clip_max = 1.0, |
| | clip_min = 0.0, |
| | print_process = False, |
| | bound = 'linf' |
| | ): |
| | """parse_params. |
| | |
| | Parameters |
| | ---------- |
| | epsilon : |
| | perturbation constraint |
| | num_steps : |
| | iteration step |
| | step_size : |
| | step size |
| | clip_max : |
| | maximum pixel value |
| | clip_min : |
| | minimum pixel value |
| | print_process : |
| | whether to print out the log during optimization process, True or False print out the log during optimization process, True or False. |
| | """ |
| | self.epsilon = epsilon |
| | self.num_steps = num_steps |
| | self.step_size = step_size |
| | self.clip_max = clip_max |
| | self.clip_min = clip_min |
| | self.print_process = print_process |
| | self.bound = bound |
| | return True |
| |
|
| | def pgd_attack(model, |
| | X, |
| | y, |
| | epsilon, |
| | clip_max, |
| | clip_min, |
| | num_steps, |
| | step_size, |
| | print_process, |
| | bound = 'linf'): |
| |
|
| | out = model(X) |
| | err = (out.data.max(1)[1] != y.data).float().sum() |
| | |
| | device = X.device |
| | imageArray = X.detach().cpu().numpy() |
| | X_random = np.random.uniform(-epsilon, epsilon, X.shape) |
| | imageArray = np.clip(imageArray + X_random, 0, 1.0) |
| |
|
| | X_pgd = torch.tensor(imageArray).to(device).float() |
| | X_pgd.requires_grad = True |
| | eta = torch.zeros_like(X) |
| | eta.requires_grad = True |
| | for i in range(num_steps): |
| |
|
| | pred = model(X_pgd) |
| | loss = nn.CrossEntropyLoss()(pred, y) |
| |
|
| | if print_process: |
| | print("iteration {:.0f}, loss:{:.4f}".format(i,loss)) |
| |
|
| | loss.backward() |
| |
|
| | if bound == 'linf': |
| | eta = step_size * X_pgd.grad.data.sign() |
| | X_pgd = X_pgd + eta |
| | eta = torch.clamp(X_pgd.data - X.data, -epsilon, epsilon) |
| |
|
| | X_pgd = X.data + eta |
| |
|
| | X_pgd = torch.clamp(X_pgd, clip_min, clip_max) |
| | |
| | |
| |
|
| | X_pgd = X_pgd.detach() |
| | X_pgd.requires_grad_() |
| | X_pgd.retain_grad() |
| |
|
| | if bound == 'l2': |
| | output = model(X + eta) |
| | incorrect = output.max(1)[1] != y |
| | correct = (~incorrect).unsqueeze(1).unsqueeze(1).unsqueeze(1).float() |
| | |
| | loss = nn.CrossEntropyLoss()(model(X + eta), y) |
| | loss.backward() |
| |
|
| | eta.data += correct * step_size * eta.grad.detach() / torch.norm(eta.grad.detach()) |
| | eta.data *= epsilon / torch.norm(eta.detach()).clamp(min=epsilon) |
| | eta.data = torch.min(torch.max(eta.detach(), -X), 1-X) |
| | eta.grad.zero_() |
| | X_pgd = X + eta |
| |
|
| | return X_pgd |
| |
|
| |
|
