Hugging Face's logo

Spaces:
lucasddmc
/
ViTViz
Running

App Files Community
ViTViz / utils /attacks.py
lucasddmc's picture
lucasddmc
feat: new version of report after attack
f9c424d
raw
history blame contribute delete
61.1 kB
import torch
import torchattacks
from PIL import Image
from typing import List, Tuple, Optional
import numpy as np
import warnings
from pathlib import Path
import types
import os
try:
 import torchvision.models as tv_models
except Exception: # pragma: no cover - torchvision is optional for ViT-only mode
 tv_models = None
try:
 import timm
except Exception: # pragma: no cover - timm is optional for CNN blending
 timm = None
try:
 from huggingface_hub import hf_hub_download
except Exception: # pragma: no cover - optional dependency
 hf_hub_download = None
def capture_outputs_and_attentions(model, x_norm: torch.Tensor):
 """Executa um forward único capturando atenções via hooks nas camadas de atenção do ViT.
 Retorna (outputs, attentions_list) onde attentions_list é lista de tensores [B,H,T,T] por camada.
 Funciona para modelos do timm com atributo 'blocks' e submódulo 'attn'.
 """
 # TODO: adaptar para pytorch também, além de timm
 attentions: List[torch.Tensor] = []
def make_attention_hook():
 def hook(module, input, output):
 x = input[0]
 B, N, C = x.shape
 if not (hasattr(module, 'qkv') and hasattr(module, 'num_heads')):
 return
 qkv = module.qkv(x).reshape(B, N, 3, module.num_heads, C // module.num_heads).permute(2, 0, 3, 1, 4)
 q, k, v = qkv.unbind(0)
 scale = (C // module.num_heads) ** -0.5
 attn = (q @ k.transpose(-2, -1)) * scale
 attn = attn.softmax(dim=-1)
 attentions.append(attn.detach())
 return hook
hooks = []
 if hasattr(model, 'blocks'):
 for block in model.blocks:
 if hasattr(block, 'attn'):
 hooks.append(block.attn.register_forward_hook(make_attention_hook()))
model.eval()
 outputs = model(x_norm)
for h in hooks:
 h.remove()
attentions = [a.cpu() for a in attentions]
 return outputs, attentions
def denormalize_imagenet(tensor: torch.Tensor) -> torch.Tensor:
 """
 Reverte a normalização ImageNet de um tensor.
Args:
 tensor: Tensor normalizado (CxHxW) com mean=[0.485, 0.456, 0.406], std=[0.229, 0.224, 0.225]
Returns:
 Tensor desnormalizado com valores em [0, 1]
 """
 mean = torch.tensor([0.485, 0.456, 0.406]).view(3, 1, 1).to(tensor.device)
 std = torch.tensor([0.229, 0.224, 0.225]).view(3, 1, 1).to(tensor.device)
# Inverte: x_norm = (x - mean) / std => x = x_norm * std + mean
 denorm = tensor * std + mean
# Clip para garantir [0, 1]
 return torch.clamp(denorm, 0, 1)
def tensor_to_pil(tensor: torch.Tensor, denormalize: bool = True) -> Image.Image:
 """
 Converte tensor (CxHxW) para PIL Image RGB.
Args:
 tensor: Tensor com shape (C, H, W)
 denormalize: Se True, aplica desnormalização ImageNet antes da conversão
Returns:
 PIL Image no espaço RGB [0, 255]
 """
 if denormalize:
 tensor = denormalize_imagenet(tensor)
# tensor shape: (C, H, W) com valores [0, 1]
 img_np = tensor.cpu().detach().numpy()
 img_np = np.transpose(img_np, (1, 2, 0)) # HxWxC
 img_np = (img_np * 255).clip(0, 255).astype(np.uint8)
 return Image.fromarray(img_np, mode='RGB')
class FGSM(torchattacks.FGSM):
 """
 Extensão do ataque FGSM (Fast Gradient Sign Method) que captura
 a imagem original e a imagem adversarial final.
FGSM é um ataque de 1 única iteração (non-iterative).
 """
 def __init__(self, model, eps=0.03):
 super().__init__(model, eps=eps)
 self.iteration_images: List[Image.Image] = []
 self.iteration_tensors: List[torch.Tensor] = []
 # Atenções por iteração (iteração 0: original, iteração 1: adversarial)
 self.attentions_per_iter: List[List[torch.Tensor]] = []
def forward(self, images, labels) -> Tuple[torch.Tensor, List[Image.Image]]:
 """
 Executa o ataque FGSM e retorna:
 - adv_images: tensor adversarial final
 - iteration_images: lista com [imagem_original, imagem_adversarial]
 """
 images = images.clone().detach().to(self.device)
 labels = labels.clone().detach().to(self.device)
loss = torch.nn.CrossEntropyLoss()
# Desnormalizar para trabalhar no espaço [0,1]
 mean = torch.tensor([0.485, 0.456, 0.406]).view(1, 3, 1, 1).to(self.device)
 std = torch.tensor([0.229, 0.224, 0.225]).view(1, 3, 1, 1).to(self.device)
images_denorm = images * std + mean
self.iteration_images = []
 self.iteration_tensors = []
 self.attentions_per_iter = []
# Salvar imagem original
 pil_img_orig = tensor_to_pil(images_denorm[0], denormalize=False)
 self.iteration_images.append(pil_img_orig)
 self.iteration_tensors.append(images.clone().detach())
# Calcular gradiente
 images.requires_grad = True
 # Capturar atenções e logits para imagem original
 outputs, attentions0 = capture_outputs_and_attentions(self.model, images)
 self.attentions_per_iter.append([att for att in attentions0])
if self.targeted:
 target_labels = self.get_target_label(images, labels)
 cost = -loss(outputs, target_labels)
 else:
 cost = loss(outputs, labels)
grad = torch.autograd.grad(cost, images, retain_graph=False, create_graph=False)[0]
# Aplicar perturbação no espaço desnormalizado [0,1]
 # sign(grad) dá a direção, eps é a magnitude no pixel space
 adv_images_denorm = images_denorm + self.eps * grad.sign()
 adv_images_denorm = torch.clamp(adv_images_denorm, min=0, max=1).detach()
# Normalizar de volta
 adv_images = (adv_images_denorm - mean) / std
# Salvar imagem adversarial
 pil_img_adv = tensor_to_pil(adv_images_denorm[0], denormalize=False)
 self.iteration_images.append(pil_img_adv)
 self.iteration_tensors.append(adv_images.clone().detach())
# Capturar atenções para imagem adversarial final
 outputs_adv, attentions1 = capture_outputs_and_attentions(self.model, adv_images)
 self.attentions_per_iter.append([att for att in attentions1])
return adv_images, self.iteration_images
class PGDIterations(torchattacks.PGD):
 """
 Extensão do ataque PGD padrão que captura e retorna
 as imagens adversariais de cada iteração como lista de PIL Images.
 """
 def __init__(self, model, eps=0.05, alpha=0.005, steps=10, random_start=True):
 # Inicializa PGD padrão com os parâmetros
 super().__init__(model, eps=eps, alpha=alpha, steps=steps, random_start=random_start)
 self.iteration_images: List[Image.Image] = []
 self.iteration_tensors: List[torch.Tensor] = []
 self.attentions_per_iter: List[List[torch.Tensor]] = []
def forward(self, images, labels) -> Tuple[torch.Tensor, List[Image.Image]]:
 """
 Executa o ataque PGD e retorna:
 - adv_images: tensor adversarial final
 - iteration_images: lista de PIL Images (uma por iteração do ataque)
Implementação adaptada para trabalhar com imagens normalizadas ImageNet.
 """
 images = images.clone().detach().to(self.device)
 labels = labels.clone().detach().to(self.device)
# Para targeted attack (se implementarmos no futuro)
 if self.targeted:
 target_labels = self.get_target_label(images, labels)
loss = torch.nn.CrossEntropyLoss()
 adv_images = images.clone().detach()
# Desnormalizar para aplicar eps e clipping no espaço correto [0,1]
 mean = torch.tensor([0.485, 0.456, 0.406]).view(1, 3, 1, 1).to(self.device)
 std = torch.tensor([0.229, 0.224, 0.225]).view(1, 3, 1, 1).to(self.device)
# Converter para espaço [0,1]
 images_denorm = images * std + mean
 adv_images_denorm = images_denorm.clone().detach()
if self.random_start:
 # Starting at a uniformly random point no espaço [0,1]
 adv_images_denorm = adv_images_denorm + torch.empty_like(adv_images_denorm).uniform_(-self.eps, self.eps)
 adv_images_denorm = torch.clamp(adv_images_denorm, min=0, max=1).detach()
self.iteration_images = []
 self.iteration_tensors = []
 self.attentions_per_iter = []
# Salvar iteração 0 (imagem original)
 pil_img_orig = tensor_to_pil(images_denorm[0], denormalize=False)
 self.iteration_images.append(pil_img_orig)
 self.iteration_tensors.append(images.clone().detach())
 # Atenções da imagem original
 outputs0, attentions0 = capture_outputs_and_attentions(self.model, images)
 self.attentions_per_iter.append([att for att in attentions0])
for step_idx in range(self.steps):
 # Normalizar para passar pelo modelo
 adv_images = (adv_images_denorm - mean) / std
 adv_images.requires_grad = True
 outputs, attentions = capture_outputs_and_attentions(self.model, adv_images)
# Calculate loss
 if self.targeted:
 cost = -loss(outputs, target_labels)
 else:
 cost = loss(outputs, labels)
# Update adversarial images
 grad = torch.autograd.grad(cost, adv_images,
 retain_graph=False, create_graph=False)[0]
# Aplicar perturbação no espaço desnormalizado [0,1]
 # sign(grad) dá a direção, alpha é o step size no pixel space
 adv_images_denorm = adv_images_denorm.detach() + self.alpha * grad.sign()
 delta = torch.clamp(adv_images_denorm - images_denorm, min=-self.eps, max=self.eps)
 adv_images_denorm = torch.clamp(images_denorm + delta, min=0, max=1).detach()
# Normalizar para salvar tensor
 adv_images_normalized = (adv_images_denorm - mean) / std
# Capturar imagem e tensor desta iteração
 pil_img = tensor_to_pil(adv_images_denorm[0], denormalize=False)
 self.iteration_images.append(pil_img)
 self.iteration_tensors.append(adv_images_normalized.clone().detach())
 # Atenções desta iteração
 self.attentions_per_iter.append([att for att in attentions])
# Retornar imagem normalizada para o modelo
 adv_images = (adv_images_denorm - mean) / std
 return adv_images, self.iteration_images
class SAGA(torch.nn.Module):
 """
 SAGA: Self-Attention Gradient Attack
Ataque adversarial específico para Vision Transformers que multiplica
 o gradiente FGSM pelo mapa de atenção do modelo, focando perturbações
 nas regiões que o modelo considera importantes.
Baseado em: https://github.com/MetaMain/ViTRobust
 Paper: "On the Robustness of Vision Transformers to Adversarial Examples" (ICCV 2021)
 """
def __init__(self, model, eps=8/255, steps=10, discard_ratio: float = 0.0,
 head_fusion: str = "mean", use_resnet: bool = False,
 cnn_checkpoint_path: str = "resnet.pth", vit_weight=0.5):
 """Implementação correta do SAGA baseada no código original (SelfAttentionGradientAttack).
 Parâmetros:
 - model: Vision Transformer (deve expor atenções via forward ou função auxiliar em visualization utils)
 - eps: orçamento L_inf máximo (em pixel space [0,1])
 - steps: número de iterações (FGSM iterativo)
 - discard_ratio: razão de descarte usada no attention rollout
 - head_fusion: estratégia de fusão de heads ('mean','max','min')
 - use_resnet: se True, acumula gradiente de um backbone CNN externo e o mistura ao gradiente ponderado pela atenção
 - cnn_checkpoint_path: caminho padrão do backbone CNN auxiliar (será carregado sob demanda)
 """
 super().__init__()
 self.model = model
 self.eps = eps
 self.steps = steps
 self.eps_step = self.eps / max(1, steps)
 self.discard_ratio = discard_ratio
 self.head_fusion = head_fusion
 self.use_resnet = use_resnet
 # Pode ser um caminho local ou uma referência ao Hugging Face Hub:
 # - Local: "models/resnet.pth"
 # - HF Hub: "hf://usuario/repo/path/no/repo/resnet.pth" (opcionalmente com @revision)
 self.cnn_checkpoint_spec = cnn_checkpoint_path
 self.cnn_model: Optional[torch.nn.Module] = None
 self.vit_weight = vit_weight
 self.device = next(model.parameters()).device
 self.iteration_images: List[Image.Image] = []
 self.iteration_tensors: List[torch.Tensor] = []
 self.attention_masks_cache: List[np.ndarray] = []
 # Cache opcional: atenções por camada/head em cada iteração
 # Formato: lista por iteração; cada item é a lista de tensores [B, H, T, T] por camada
 self.attentions_per_iter: List[List[torch.Tensor]] = []
 self.loss_fn = torch.nn.CrossEntropyLoss()
@staticmethod
 def _resolve_checkpoint_path(spec: object) -> Optional[Path]:
 """Resolve um checkpoint local ou no Hugging Face Hub para um Path local.
 Formato suportado (HF):
 - hf://owner/repo/path/to/file.pth
 - hf://owner/repo@revision/path/to/file.pth
 Retorna None se não conseguir resolver.
 """
 if spec is None:
 return None
if isinstance(spec, Path):
 return spec
if not isinstance(spec, str):
 return None
s = spec.strip()
 if s.startswith("hf://") or s.startswith("hf:"):
 if hf_hub_download is None:
 warnings.warn("huggingface_hub não está instalado; não é possível baixar checkpoint via HF Hub.")
 return None
rest = s[len("hf://"):] if s.startswith("hf://") else s[len("hf:"):]
 rest = rest.lstrip("/")
 parts = [p for p in rest.split("/") if p]
 if len(parts) < 3:
 raise ValueError(
 "Formato inválido para checkpoint HF. Use hf://owner/repo/path/to/file.pth"
 )
repo_part = "/".join(parts[:2])
 filename = "/".join(parts[2:])
 revision = None
 if "@" in repo_part:
 repo_id, revision = repo_part.split("@", 1)
 else:
 repo_id = repo_part
cache_dir = os.getenv("HF_HOME") or None
 local_path = hf_hub_download(repo_id=repo_id, filename=filename, revision=revision, cache_dir=cache_dir)
 return Path(local_path)
return Path(s)
def _attention_map(self, images_norm: torch.Tensor, save: bool = False) -> torch.Tensor:
 """Extrai mapa de atenção (rollout) e retorna tensor expandido [B,3,H,W] em [0,1].
 images_norm: imagens já normalizadas para o forward do modelo.
 """
 # Esta função agora assume que as atenções foram capturadas no mesmo forward
 # e serão passadas externamente; mantida para compatibilidade se necessário.
 raise RuntimeError("_attention_map should not be called directly; use integrated forward attention capture.")
def _capture_outputs_and_attentions(self, x_norm: torch.Tensor):
 """Executa um forward único capturando atenções via hooks nas camadas de atenção do ViT.
 Retorna (outputs, attentions_list) onde attentions_list é lista de tensores [B,H,T,T] por camada.
 """
 attentions: List[torch.Tensor] = []
def make_attention_hook():
 def hook(module, input, output):
 # input[0] é o embedding antes de atenção (B, N, C)
 x = input[0]
 B, N, C = x.shape
 if not (hasattr(module, 'qkv') and hasattr(module, 'num_heads')):
 return
 qkv = module.qkv(x).reshape(B, N, 3, module.num_heads, C // module.num_heads).permute(2, 0, 3, 1, 4)
 q, k, v = qkv.unbind(0)
 scale = (C // module.num_heads) ** -0.5
 attn = (q @ k.transpose(-2, -1)) * scale
 attn = attn.softmax(dim=-1)
 attentions.append(attn.detach())
 return hook
hooks = []
 if not hasattr(self.model, 'blocks'):
 outputs = self.model(x_norm)
 return outputs, []
 for block in self.model.blocks:
 if hasattr(block, 'attn'):
 hooks.append(block.attn.register_forward_hook(make_attention_hook()))
self.model.eval()
 outputs = self.model(x_norm)
for h in hooks:
 h.remove()
# mover atenções para CPU para cache leve
 attentions = [a.cpu() for a in attentions]
 return outputs, attentions
def _load_cnn_backbone(self) -> Optional[torch.nn.Module]:
 """Carrega (lazy) o backbone CNN auxiliar usado quando use_resnet=True."""
 if not self.use_resnet:
 return None
 if self.cnn_model is not None:
 return self.cnn_model
 if tv_models is None:
 warnings.warn("torchvision não disponível; desabilitando modo CNN do SAGA.")
 return None
model: Optional[torch.nn.Module] = None
 checkpoint_model_name = "resnetv2_101x1_bit.goog_in21k_ft_in1k"
resolved_ckpt_path = None
 try:
 resolved_ckpt_path = self._resolve_checkpoint_path(self.cnn_checkpoint_spec)
 except Exception as exc:
 warnings.warn(f"Falha ao resolver cnn_checkpoint_path='{self.cnn_checkpoint_spec}': {exc}")
if resolved_ckpt_path and resolved_ckpt_path.exists():
 try:
 checkpoint = torch.load(resolved_ckpt_path, map_location=self.device)
 if isinstance(checkpoint, torch.nn.Module):
 model = checkpoint
 elif isinstance(checkpoint, dict):
 state_dict = checkpoint.get('model_state_dict') or checkpoint.get('state_dict') or checkpoint
 if timm is not None and any(key.startswith("stem.") for key in state_dict.keys()):
 num_classes = None
 head_bias = state_dict.get('head.fc.bias')
 if isinstance(head_bias, torch.Tensor):
 num_classes = head_bias.shape[0]
 model = timm.create_model(
 checkpoint.get("model_name", checkpoint_model_name),
 pretrained=False,
 num_classes=num_classes or 1000
 )
 load_result = model.load_state_dict(state_dict, strict=False)
 else:
 model = tv_models.resnet101(weights=None)
 load_result = model.load_state_dict(state_dict, strict=False)
 missing = load_result.missing_keys
 unexpected = load_result.unexpected_keys
 if missing or unexpected:
 warn_msg = "[SAGA] ResNet checkpoint keys mismatch."
 if missing:
 warn_msg += f" Missing: {missing[:5]}{'...' if len(missing) > 5 else ''}."
 if unexpected:
 warn_msg += f" Unexpected: {unexpected[:5]}{'...' if len(unexpected) > 5 else ''}."
 warnings.warn(warn_msg + " Using available weights (strict=False).")
 else:
 warnings.warn(f"Formato de checkpoint desconhecido em {resolved_ckpt_path}; utilizando pesos padrão.")
 except Exception as exc: # pragma: no cover - fallback resiliente
 warnings.warn(f"Falha ao carregar {resolved_ckpt_path}: {exc}. Usando ResNet padrão.")
if model is None:
 if timm is not None:
 try:
 model = timm.create_model(checkpoint_model_name, pretrained=True)
 except Exception:
 model = None
 if model is None and tv_models is not None:
 try:
 model = tv_models.resnet101(weights="IMAGENET1K_V2")
 except Exception:
 model = tv_models.resnet101(pretrained=True)
model = model.to(self.device)
 model.eval()
 self.cnn_model = model
 return self.cnn_model
def _compute_cnn_gradient(self, images_norm: torch.Tensor, labels: torch.Tensor) -> Optional[torch.Tensor]:
 """Obtém gradientes do backbone CNN auxiliar para a mesma imagem normalizada."""
 cnn_model = self._load_cnn_backbone()
 if cnn_model is None:
 return None
cnn_input = images_norm.detach().clone().requires_grad_(True)
 outputs = cnn_model(cnn_input)
 loss = self.loss_fn(outputs, labels)
 grad = torch.autograd.grad(loss, cnn_input, retain_graph=False, create_graph=False)[0]
 return grad
def forward(self, images, labels) -> Tuple[torch.Tensor, List[Image.Image]]:
 """Executa o ataque SAGA (FGSM iterativo com ponderação por atenção).
 Fluxo por iteração:
 1. Normaliza a imagem adversarial atual.
 2. Calcula loss e gradiente.
 3. Extrai mapa de atenção da imagem atual e pondera gradiente.
 4. Aplica passo FGSM (sign) em pixel space [0,1].
 5. Projeta em L_inf (clamp delta) e clip final para [0,1].
 6. Salva imagem e tensor normalizado.
 """
 images = images.clone().detach().to(self.device)
 labels = labels.clone().detach().to(self.device)
# Mean/std ImageNet para conversão entre espaços
 mean = torch.tensor([0.485, 0.456, 0.406], device=self.device).view(1, 3, 1, 1)
 std = torch.tensor([0.229, 0.224, 0.225], device=self.device).view(1, 3, 1, 1)
# Pixel space [0,1]
 images_denorm = images * std + mean
 adv_denorm = images_denorm.clone().detach()
# Reset buffers
 self.iteration_images = []
 self.iteration_tensors = []
 self.attention_masks_cache = []
 self.attentions_per_iter = []
# Iteração 0 (imagem original)
 self.iteration_images.append(tensor_to_pil(images_denorm[0], denormalize=False))
 self.iteration_tensors.append(images.clone().detach())
 # Atenção da imagem original: captura integrada
 outputs0, attentions0 = self._capture_outputs_and_attentions(images)
 # Guardar atenções brutas
 self.attentions_per_iter.append([att for att in attentions0])
 # Gerar máscara de rollout para cache visual
 from utils.visualization import attention_rollout
 import cv2
 b, _, h, w = images.shape
 mask0 = attention_rollout(attentions0, discard_ratio=self.discard_ratio, head_fusion=self.head_fusion)
 mask0_resized = cv2.resize(mask0, (w, h))
 self.attention_masks_cache.append(mask0.copy())
for step_idx in range(self.steps):
 # Normalizar para forward
 adv_norm = (adv_denorm - mean) / std
 adv_norm.requires_grad = True
 outputs, attentions = self._capture_outputs_and_attentions(adv_norm)
 if isinstance(outputs, tuple): # compatibilidade com modelos que retornam extras
 outputs = outputs[0]
 loss = self.loss_fn(outputs, labels)
 grad = torch.autograd.grad(loss, adv_norm, retain_graph=False, create_graph=False)[0]
# Atenção da imagem adversarial atual (já capturada)
 # Cache de atenções por camada/head
 self.attentions_per_iter.append([att for att in attentions])
 # Rollout para gerar mapa usado na ponderação
 mask = attention_rollout(attentions, discard_ratio=self.discard_ratio, head_fusion=self.head_fusion)
 mask_resized = cv2.resize(mask, (adv_norm.shape[-1], adv_norm.shape[-2]))
 mmax = mask_resized.max() if mask_resized.max() > 0 else 1.0
 mask_resized = (mask_resized / mmax).astype('float32')
 att_map = torch.from_numpy(mask_resized).to(self.device).unsqueeze(0).unsqueeze(0).repeat(adv_norm.size(0), 3, 1, 1)
 # Cache visual
 self.attention_masks_cache.append(mask.copy())
 grad_weighted = grad * att_map
grad_final = grad_weighted
 if self.use_resnet:
 cnn_grad = self._compute_cnn_gradient(adv_norm, labels)
 if cnn_grad is not None:
 vit_contrib = grad_weighted.detach().abs().mean().item()
 cnn_contrib = cnn_grad.detach().abs().mean().item()
 grad_final = self.vit_weight * grad_weighted + (1 - self.vit_weight) * cnn_grad
 blended_contrib = grad_final.detach().abs().mean().item()
# FGSM step em pixel space (sign do gradiente normalizado equivale ao do desnormalizado)
 adv_denorm = adv_denorm.detach() + self.eps_step * grad_final.sign()
# Projeção na bola L_inf de raio eps em relação à imagem original
 delta = torch.clamp(adv_denorm - images_denorm, min=-self.eps, max=self.eps)
 adv_denorm = torch.clamp(images_denorm + delta, 0.0, 1.0).detach()
# Salvar artefatos desta iteração
 self.iteration_images.append(tensor_to_pil(adv_denorm[0], denormalize=False))
 self.iteration_tensors.append(((adv_denorm - mean) / std).clone().detach())
# Retorna tensor normalizado final
 adv_final = (adv_denorm - mean) / std
 return adv_final, self.iteration_images
class AttentionWeightedPGD(torch.nn.Module):
 """
 [Deprecated]
 Implementação errada do ataque SAGA, mas que consegue fazer ataques
 adversariais eficazes em ViTs usando mapas de atenção para pesar o gradiente.
 """
 def __init__(self, model, eps=0.03, steps=10):
 super().__init__()
 self.model = model
 self.eps = eps
 self.steps = steps
 self.eps_step = self.eps / self.steps
 self.device = next(model.parameters()).device
 self.iteration_images: List[Image.Image] = []
 self.iteration_tensors: List[torch.Tensor] = []
 self.attention_masks_cache: List[np.ndarray] = [] # Cache das máscaras de atenção
def get_attention_map(self, images: torch.Tensor, save_for_viz: bool = False) -> tuple:
 """
 Extrai mapa de atenção do ViT usando attention rollout.
 Retorna:
 - mask_tensor: [B, C, H, W] para uso no ataque
 - mask_np: [H, W] numpy array para visualização (se save_for_viz=True)
 """
 from utils.visualization import extract_attention_maps, attention_rollout
 import cv2
batch_size = images.shape[0]
 img_size = images.shape[2]
# Extrair attention maps
 attentions = extract_attention_maps(self.model, images)
# Aplicar attention rollout
 mask = attention_rollout(attentions, discard_ratio=0.9, head_fusion='max')
# Salvar para visualização se necessário
 if save_for_viz:
 self.attention_masks_cache.append(mask.copy())
# Redimensionar para tamanho da imagem (14x14 -> 224x224)
 mask_resized = cv2.resize(mask, (img_size, img_size))
# Expandir para 3 canais e batch: [H, W] -> [B, C, H, W]
 mask_tensor = torch.from_numpy(mask_resized).float().to(self.device)
 mask_tensor = mask_tensor.unsqueeze(0).unsqueeze(0) # [1, 1, H, W]
 mask_tensor = mask_tensor.repeat(batch_size, 3, 1, 1) # [B, 3, H, W]
return mask_tensor, mask if save_for_viz else None
def forward(self, images, labels) -> Tuple[torch.Tensor, List[Image.Image]]:
 """
 Executa ataque SAGA e retorna:
 - adv_images: tensor adversarial final
 - iteration_images: lista de PIL Images de cada iteração
 """
 images = images.clone().detach().to(self.device)
 labels = labels.clone().detach().to(self.device)
loss_fn = torch.nn.CrossEntropyLoss()
# Desnormalizar para trabalhar no espaço [0,1]
 mean = torch.tensor([0.485, 0.456, 0.406]).view(1, 3, 1, 1).to(self.device)
 std = torch.tensor([0.229, 0.224, 0.225]).view(1, 3, 1, 1).to(self.device)
images_denorm = images * std + mean
 adv_images_denorm = images_denorm.clone().detach()
self.iteration_images = []
 self.iteration_tensors = []
 self.attention_masks_cache = []
# Salvar imagem original (iteração 0)
 pil_img_orig = tensor_to_pil(images_denorm[0], denormalize=False)
 self.iteration_images.append(pil_img_orig)
 self.iteration_tensors.append(images.clone().detach())
# Calcular atenção para imagem original e salvar
 attention_map, _ = self.get_attention_map(images, save_for_viz=True)
for step in range(self.steps):
 # Normalizar para passar pelo modelo
 adv_images = (adv_images_denorm - mean) / std
 adv_images.requires_grad = True
# Forward pass
 outputs = self.model(adv_images)
# Calcular loss
 cost = loss_fn(outputs, labels)
# Calcular gradiente
 grad = torch.autograd.grad(cost, adv_images,
 retain_graph=False,
 create_graph=False)[0]
# RECALCULAR atenção para a imagem adversarial ATUAL (chave do SAGA!)
 attention_map, _ = self.get_attention_map(adv_images.detach(), save_for_viz=True)
# SAGA: Multiplicar gradiente pelo mapa de atenção
 grad_weighted = grad * attention_map
# Aplicar perturbação no espaço desnormalizado [0,1]
 adv_images_denorm = adv_images_denorm.detach() + self.eps_step * grad_weighted.sign()
 delta = torch.clamp(adv_images_denorm - images_denorm, min=-self.eps, max=self.eps)
 adv_images_denorm = torch.clamp(images_denorm + delta, min=0, max=1).detach()
# Normalizar para salvar tensor
 adv_images_normalized = (adv_images_denorm - mean) / std
# Salvar iteração
 pil_img = tensor_to_pil(adv_images_denorm[0], denormalize=False)
 self.iteration_images.append(pil_img)
 self.iteration_tensors.append(adv_images_normalized.clone().detach())
# Retornar imagem normalizada
 adv_images = (adv_images_denorm - mean) / std
 return adv_images, self.iteration_images
class MIFGSM(torchattacks.MIFGSM):
 """
 MI-FGSM: Momentum Iterative Fast Gradient Sign Method
Extensão do ataque MIFGSM que captura imagens e atenção de cada iteração.
 Usa momentum para estabilizar direção do gradiente e melhorar transferabilidade.
Paper: "Boosting Adversarial Attacks with Momentum" (2017)
 https://arxiv.org/abs/1710.06081
 """
 def __init__(self, model, eps=8/255, alpha=2/255, steps=10, decay=1.0):
 super().__init__(model, eps=eps, alpha=alpha, steps=steps, decay=decay)
 self.iteration_images: List[Image.Image] = []
 self.iteration_tensors: List[torch.Tensor] = []
 self.attentions_per_iter: List[List[torch.Tensor]] = []
def forward(self, images, labels) -> Tuple[torch.Tensor, List[Image.Image]]:
 """
 Executa o ataque MI-FGSM e retorna:
 - adv_images: tensor adversarial final
 - iteration_images: lista de PIL Images (uma por iteração)
Implementação adaptada para trabalhar com imagens normalizadas ImageNet
 e capturar todas as iterações.
 """
 images = images.clone().detach().to(self.device)
 labels = labels.clone().detach().to(self.device)
 if self.targeted:
 target_labels = self.get_target_label(images, labels)
loss = torch.nn.CrossEntropyLoss()
# Desnormalizar para aplicar eps e clipping no espaço correto [0,1]
 mean = torch.tensor([0.485, 0.456, 0.406]).view(1, 3, 1, 1).to(self.device)
 std = torch.tensor([0.229, 0.224, 0.225]).view(1, 3, 1, 1).to(self.device)
images_denorm = images * std + mean
 adv_images_denorm = images_denorm.clone().detach()
# Inicializar momentum no espaço desnormalizado
 momentum = torch.zeros_like(images_denorm).detach().to(self.device)
 self.iteration_images = []
 self.iteration_tensors = []
 self.attentions_per_iter = []
# Salvar imagem original (iteração 0)
 pil_img_orig = tensor_to_pil(images_denorm[0], denormalize=False)
 self.iteration_images.append(pil_img_orig)
 self.iteration_tensors.append(images.clone().detach())
# Atenções da imagem original
 outputs0, attentions0 = capture_outputs_and_attentions(self.model, images)
 self.attentions_per_iter.append([att for att in attentions0])
for step in range(self.steps):
 # Normalizar para passar pelo modelo com gradiente
 adv_images = (adv_images_denorm - mean) / std
 adv_images.requires_grad = True
 outputs, attentions = capture_outputs_and_attentions(self.model, adv_images)
# Calcular loss
 if self.targeted:
 cost = -loss(outputs, target_labels)
 else:
 cost = loss(outputs, labels)
# Calcular gradiente no espaço normalizado
 grad = torch.autograd.grad(cost, adv_images,
 retain_graph=False, create_graph=False)[0]
# Cache de atenções desta iteração
 self.attentions_per_iter.append([att for att in attentions])
# Converter gradiente para espaço desnormalizado
 grad_denorm = grad * std
# Normalizar gradiente (chave do MI-FGSM!)
 grad_denorm = grad_denorm / torch.mean(torch.abs(grad_denorm), dim=(1, 2, 3), keepdim=True)
 # Aplicar momentum no espaço desnormalizado
 grad_denorm = grad_denorm + momentum * self.decay
 momentum = grad_denorm
 # Aplicar perturbação no espaço desnormalizado
 adv_images_denorm = adv_images_denorm.detach() + self.alpha * grad_denorm.sign()
 delta = torch.clamp(adv_images_denorm - images_denorm, min=-self.eps, max=self.eps)
 adv_images_denorm = torch.clamp(images_denorm + delta, min=0, max=1).detach()
# Normalizar e armazenar artefatos desta iteração
 adv_images_normalized = (adv_images_denorm - mean) / std
 self.iteration_tensors.append(adv_images_normalized.clone().detach())
 pil_iter = tensor_to_pil(adv_images_denorm[0], denormalize=False)
 self.iteration_images.append(pil_iter)
adv_images = (adv_images_denorm - mean) / std
return adv_images, self.iteration_images
class TGR(torch.nn.Module):
 """TGR: Token Gradient Regularization attack.
Ataque iterativo untargeted, white-box, no estilo MI-FGSM, que aplica
 regularização de gradiente em módulos internos do transformer via
 backward hooks (Attention map, QKV, MLP).
 Diferenças-chave vs. MI-FGSM:
 - Attention: zera LINHAS e COLUNAS inteiras do mapa N×N (pares extremos)
 - QKV/MLP: zera TOKENS INTEIROS (todas as features de tokens extremos)
 - Escala por componente (código oficial): s_attn=0.25, s_qkv=0.75, s_mlp=0.5
O ataque trabalha em pixel space [0,1], respeitando orçamento L_inf.
 """
def __init__(
 self,
 model: torch.nn.Module,
 eps: float = 16 / 255,
 steps: int = 10,
 decay: float = 1.0,
 k: int = 1,
 gamma_attn: float = 0.25,
 gamma_qkv: float = 0.75,
 gamma_mlp: float = 0.5,
 debug_shapes: bool = False,
 enable_attn_hook: bool = True,
 enable_qkv_hook: bool = True,
 enable_mlp_hook: bool = True,
 debug_stats: bool = False,
 protect_cls_token: bool = True,
 debug_progress: bool = False,
 ) -> None:
 super().__init__()
 self.model = model
 self.eps = float(eps)
 self.steps = int(steps)
 self.decay = float(decay)
 self.k = int(k) # número de extremos (paper usa k=1)
 self.eps_step = self.eps / max(1, self.steps)
 self.gamma_attn = float(gamma_attn)
 self.gamma_qkv = float(gamma_qkv)
 self.gamma_mlp = float(gamma_mlp)
 self.debug_shapes = bool(debug_shapes)
 self.enable_attn_hook = bool(enable_attn_hook)
 self.enable_qkv_hook = bool(enable_qkv_hook)
 self.enable_mlp_hook = bool(enable_mlp_hook)
 self.debug_stats = bool(debug_stats)
 self.protect_cls_token = bool(protect_cls_token)
 self.debug_progress = bool(debug_progress)
self.device = next(model.parameters()).device
 self.loss_fn = torch.nn.CrossEntropyLoss()
self.iteration_images: List[Image.Image] = []
 self.iteration_tensors: List[torch.Tensor] = []
 self.attentions_per_iter: List[List[torch.Tensor]] = []
self.debug_last: dict = {}
 self.debug_progress_log: List[dict] = []
 self._patched_attn_forwards: dict = {}
# ---------------------- hooks & grad processing ----------------------
def _patch_attention_forward(self, attn_module: torch.nn.Module) -> None:
 """Monkeypatch do forward do Attention para anexar hook no mapa de atenção.
 Isso permite aplicar o Algoritmo 1 de forma paper-faithful em timm ViTs,
 porque o tensor de atenção [B,H,N,N] não é exposto diretamente como
 saída de um submódulo.
 """
 if attn_module in self._patched_attn_forwards:
 return
orig_forward = attn_module.forward
 self._patched_attn_forwards[attn_module] = orig_forward
def forward_patched(this, x, attn_mask=None, **kwargs):
 B, N, C = x.shape
 num_heads = getattr(this, "num_heads")
qkv = this.qkv(x).reshape(B, N, 3, num_heads, C // num_heads).permute(2, 0, 3, 1, 4)
 q, k, v = qkv.unbind(0)
 scale = getattr(this, "scale", (C // num_heads) ** -0.5)
 attn = (q @ k.transpose(-2, -1)) * scale
 # `attn_mask` pode existir em variantes do timm (p.ex. atenção com máscara). Aqui,
 # para ViT-B/16 padrão, costuma ser None.
 if attn_mask is not None:
 # Espera-se broadcastável para [B, H, N, N]
 attn = attn + attn_mask
 attn = attn.softmax(dim=-1)
if self.debug_shapes and not getattr(self, "_debug_attn_map_printed", False):
 print(f"[TGR DEBUG] attn_map tensor shape (patched): {attn.shape}")
 print(f"[TGR DEBUG] attn_map tensor ndim (patched): {attn.ndim}")
 self._debug_attn_map_printed = True
def grad_hook(grad):
 return self._tgr_process_grad_attention(grad, self.gamma_attn)
attn.register_hook(grad_hook)
attn = this.attn_drop(attn)
 x_out = (attn @ v).transpose(1, 2).reshape(B, N, C)
 x_out = this.proj(x_out)
 proj_drop = getattr(this, "proj_drop", None)
 if proj_drop is not None:
 x_out = proj_drop(x_out)
 return x_out
attn_module.forward = types.MethodType(forward_patched, attn_module)
def _tgr_process_grad_attention(self, grad: torch.Tensor, gamma: float) -> torch.Tensor:
 """Regularização TGR para componente Attention.
 Paper-faithful (Algoritmo 1): atua no gradiente do mapa de atenção
 com shape [B, H, N, N] (H=heads). Para cada head (canal de saída),
 seleciona 2k posições extremas e zera a linha e a coluna correspondentes.
 Mantemos também suportes legados:
 - [B, N, C] (tokens): fallback para arquiteturas onde só há gradiente token-wise.
 - [B, C, H, W] (CNN): fallback histórico.
 Args:
 grad: gradiente [B,H,N,N] (atenção) ou [B,N,C] ou [B,C,H,W]
 gamma: fator de escala (paper usa 0.25). Se gamma=1.0, retorna sem modificação.
 """
 if grad is None:
 return grad
# Se gamma=1.0, não há regularização TGR - retorna gradiente original
 if abs(gamma - 1.0) < 1e-6:
 return grad
g = grad * gamma
# Caso 0: [B, H, N, N] - gradiente do mapa de atenção (paper)
 if g.ndim == 4 and g.shape[-1] == g.shape[-2] and g.shape[1] <= 64:
 try:
 B, Hh, N, _ = g.shape
 k_actual = min(self.k, N * N)
 if k_actual <= 0:
 return g
for b in range(B):
 for h in range(Hh):
 gh = g[b, h] # [N, N]
 flat = gh.reshape(-1)
 _, idx_max = torch.topk(flat, k_actual, largest=True)
 _, idx_min = torch.topk(flat, k_actual, largest=False)
 idxs = torch.cat([idx_max, idx_min], dim=0)
removed_cls = False
 for idx in idxs.tolist():
 r = idx // N
 c = idx % N
 if self.protect_cls_token and (r == 0 or c == 0):
 removed_cls = True
 continue
 g[b, h, r, :] = 0.0
 g[b, h, :, c] = 0.0
if self.debug_shapes and b == 0 and h == 0:
 extra = " (CLS protegido)" if removed_cls else ""
 print(
 f"[TGR DEBUG] AttentionMap: head0 zerou linhas/cols por 2k={2*k_actual} entradas{extra}"
 )
return g
 except Exception as e:
 warnings.warn(f"[TGR] AttentionMap ([B,H,N,N]): fallback ({e})")
 return g
# Caso 1: [B, N, C] - tokens (fallback)
 if g.ndim == 3:
 # Usar mesma lógica de _tgr_process_grad_tokens
 try:
 B, N, C = g.shape
 for b in range(B):
 # Paper: rank by channel independently (Seção 3.2)
 token_ids = set()
 for c in range(C):
 v = g[b, :, c] # [N] valores do canal c
 k_actual = min(self.k, N)
if k_actual > 0:
 _, idx_max = torch.topk(v, k_actual, largest=True)
 _, idx_min = torch.topk(v, k_actual, largest=False)
 token_ids.update(idx_max.tolist())
 token_ids.update(idx_min.tolist())
removed_cls = False
 if self.protect_cls_token and 0 in token_ids:
 token_ids.discard(0)
 removed_cls = True
# Debug: mostrar quantos tokens serão zerados
 if self.debug_shapes and b == 0:
 extra = " (CLS protegido)" if removed_cls else ""
 print(f"[TGR DEBUG] AttentionTokens: zerando {len(token_ids)}/{N} tokens (k={self.k}, C={C}){extra}")
# Zera todas as features dos tokens extremos
 for t in token_ids:
 g[b, t, :] = 0.0
return g
 except Exception as e:
 warnings.warn(f"[TGR] Atenção ([B,N,C]): fallback ({e})")
 return g
# Caso 2: [B, C, H, W] - feature maps espaciais (implementação original TGR)
 elif g.ndim == 4:
 B, C, H, W = g.shape
# Verifica se é formato espacial (não formato de atenção N×N)
 if H * W >= C:
 try:
 g_flat = g[0].reshape(C, H * W)
 max_idx = g_flat.argmax(dim=1)
 min_idx = g_flat.argmin(dim=1)
max_h = max_idx // W
 max_w = max_idx % W
 min_h = min_idx // W
 min_w = min_idx % W
c_range = torch.arange(C, device=g.device)
 g[:, c_range, max_h, :] = 0.0
 g[:, c_range, :, max_w] = 0.0
 g[:, c_range, min_h, :] = 0.0
 g[:, c_range, :, min_w] = 0.0
return g
 except Exception as e:
 warnings.warn(f"[TGR] Atenção ([B,C,H,W]): fallback ({e})")
 return g
# Fallback: apenas escala
 return g
def _tgr_process_grad_tokens(self, grad: torch.Tensor, gamma: float) -> torch.Tensor:
 """Regularização TGR para componentes QKV/MLP (conforme implementação original do paper).
 Para gradiente shape [B, N, C] (entrada do QKV/MLP):
 - Escala por gamma
 - Para cada canal c, encontra top-k e bottom-k tokens (por valor)
 - Zera as ENTRADAS extremas (token, canal), isto é: g[b, token, c] = 0
 Observação: isso difere de "zerar token inteiro". É o que o código oficial
 faz quando executa: out_grad[:, max_all, range(c)] = 0.0.
 """
 if grad is None:
 return grad
# Se gamma=1.0, não há regularização TGR - retorna gradiente original
 if abs(gamma - 1.0) < 1e-6:
 return grad
g = grad * gamma
try:
 if g.ndim == 3: # [B, N, C]
 B, N, C = g.shape
 for b in range(B):
 # Seleção por canal, como no código oficial
 k_actual = min(self.k, N)
 zeroed = 0
 for c in range(C):
 v = g[b, :, c] # [N]
 if k_actual <= 0:
 continue
 _, idx_max = torch.topk(v, k_actual, largest=True)
 _, idx_min = torch.topk(v, k_actual, largest=False)
 for t in idx_max.tolist() + idx_min.tolist():
 if self.protect_cls_token and t == 0:
 continue
 g[b, t, c] = 0.0
 zeroed += 1
if self.debug_shapes and b == 0:
 if not hasattr(self, "_debug_token_zero_counts"):
 self._debug_token_zero_counts = {}
 key = f"gamma={gamma:.3f}"
 count = self._debug_token_zero_counts.get(key, 0)
 if count < 3:
 # total de entradas potencialmente zeradas = 2*k*C
 print(
 f"[TGR DEBUG] Tokens ({key}): zerando ~{zeroed} entradas (2*k*C={2*k_actual*C}, ataque em [token,canal])"
 )
 self._debug_token_zero_counts[key] = count + 1
except Exception as e:
 warnings.warn(f"[TGR] Tokens: fallback no processo de QKV/MLP ({e})")
 g = grad * gamma
return g
def _make_attention_hook(self):
 raise RuntimeError("_make_attention_hook não é mais usado; use _patch_attention_forward")
def _make_qkv_hook(self):
 """Hook para componente QKV."""
 def hook(module, grad_input, grad_output):
 if not grad_input or grad_input[0] is None:
 return grad_input
 g0_new = self._tgr_process_grad_tokens(grad_input[0], self.gamma_qkv)
 return (g0_new,) + tuple(grad_input[1:])
 return hook
def _make_mlp_hook(self):
 """Hook para componente MLP."""
 def hook(module, grad_input, grad_output):
 if not grad_input or grad_input[0] is None:
 return grad_input
 g0_new = self._tgr_process_grad_tokens(grad_input[0], self.gamma_mlp)
 return (g0_new,) + tuple(grad_input[1:])
 return hook
def _register_tgr_hooks(self) -> List[torch.utils.hooks.RemovableHandle]:
 """Registra hooks conforme Algoritmo 1 do paper TGR.
 Implementação alinhada ao código oficial:
 - Attention: aplica TGR no gradiente do mapa de atenção [B,H,N,N]
 (monkeypatch no forward do módulo de atenção para anexar hook no tensor `attn`)
 - QKV: hook em `attn.qkv` para regularizar grad_input[0] ([B,N,C])
 - MLP: hook no `mlp` para regularizar grad_input[0] ([B,N,C])
Se não encontrar nenhum módulo compatível, não registra nada; o ataque
 ainda funciona (equivale a um MI-FGSM), apenas sem regularização TGR.
 """
 handles: List[torch.utils.hooks.RemovableHandle] = []
 warned_attn = False
# ViTs estilo timm normalmente expõem model.blocks[*].attn e .mlp
 if hasattr(self.model, "blocks"):
 for block in self.model.blocks:
 attn_module = getattr(block, "attn", None)
 if attn_module is not None:
 # Hook 1: Attention component (paper-faithful)
 # - Monkeypatch do forward para anexar hook no tensor `attn` (softmax) [B,H,N,N].
 if self.enable_attn_hook:
 if hasattr(attn_module, "qkv") and hasattr(attn_module, "num_heads") and hasattr(attn_module, "proj"):
 self._patch_attention_forward(attn_module)
 elif not warned_attn:
 warnings.warn(
 "[TGR] Nenhum módulo de atenção compatível encontrado (qkv/num_heads/proj); "
 "pulando regularização TGR-Attention. Apenas QKV/MLP serão regularizados."
 )
 warned_attn = True
# Hook 2: QKV component
 if self.enable_qkv_hook and hasattr(attn_module, "qkv"):
 handles.append(
 attn_module.qkv.register_full_backward_hook(self._make_qkv_hook())
 )
# Hook 3: MLP component
 mlp = getattr(block, "mlp", None)
 if self.enable_mlp_hook and mlp is not None:
 handles.append(mlp.register_full_backward_hook(self._make_mlp_hook()))
if not handles:
 warnings.warn(
 "[TGR] Nenhum módulo compatível encontrado para hooks; "
 "executando como MI-FGSM (sem regularização interna)."
 )
 elif self.debug_shapes:
 print(f"[TGR DEBUG] Registrados {len(handles)} hooks")
return handles
# ------------------------------ forward ------------------------------
def forward(self, images: torch.Tensor, labels: torch.Tensor) -> Tuple[torch.Tensor, List[Image.Image]]:
 """Executa o ataque TGR.
 Retorna:
 - adv_images: tensor adversarial final (normalizado)
 - iteration_images: lista de PIL Images (uma por iteração, incluindo original)
 """
 images = images.clone().detach().to(self.device)
 labels = labels.clone().detach().to(self.device)
# Mean/std ImageNet para conversão entre espaços
 mean = torch.tensor([0.485, 0.456, 0.406], device=self.device).view(1, 3, 1, 1)
 std = torch.tensor([0.229, 0.224, 0.225], device=self.device).view(1, 3, 1, 1)
# Pixel space [0,1]
 images_denorm = images * std + mean
 unnorm_inps = images_denorm.clone().detach()
# Perturbação em pixel-space, como no código oficial
 perts = torch.zeros_like(unnorm_inps).detach()
# Reset buffers
 self.iteration_images = []
 self.iteration_tensors = []
 self.attentions_per_iter = []
 self.debug_progress_log = []
# Iteração 0 (imagem original)
 self.iteration_images.append(tensor_to_pil(images_denorm[0], denormalize=False))
 self.iteration_tensors.append(images.clone().detach())
# Garantir eval mode (evita dropout/ruído durante ataque)
 was_training = self.model.training
 self.model.eval()
# Atenções da imagem original (detach para evitar vazamento de memória)
 outputs0, attentions0 = capture_outputs_and_attentions(self.model, images)
 self.attentions_per_iter.append([att.detach().cpu() for att in attentions0])
momentum = torch.zeros_like(perts).detach().to(self.device)
handles: List[torch.utils.hooks.RemovableHandle] = []
 try:
 handles = self._register_tgr_hooks()
self.debug_last = {}
 for step_idx in range(self.steps):
 # Forward do modelo com (imagem + perturbação) em pixel space
 perts = perts.detach().requires_grad_(True)
 adv_norm = (torch.clamp(unnorm_inps + perts, 0.0, 1.0) - mean) / std
outputs, attentions = capture_outputs_and_attentions(self.model, adv_norm)
 if isinstance(outputs, tuple):
 outputs = outputs[0]
loss = self.loss_fn(outputs, labels)
if self.debug_progress:
 with torch.no_grad():
 probs = torch.softmax(outputs, dim=1)
 pred = probs.argmax(dim=1)
 conf_pred = probs.gather(1, pred.view(-1, 1)).squeeze(1)
 conf_label = probs.gather(1, labels.view(-1, 1)).squeeze(1)
 delta_now = (torch.clamp(unnorm_inps + perts, 0.0, 1.0) - unnorm_inps).detach()
 dmax = float(delta_now.abs().max().item())
 dmean = float(delta_now.abs().mean().item())
 changed = float((delta_now.abs() > 1e-6).float().mean().item())
 self.debug_progress_log.append(
 {
 "iter": int(step_idx),
 "loss": float(loss.detach().item()),
 "pred": pred.detach().cpu().tolist(),
 "label": labels.detach().cpu().tolist(),
 "conf_pred": conf_pred.detach().cpu().tolist(),
 "conf_label": conf_label.detach().cpu().tolist(),
 "delta_linf": dmax,
 "delta_mean": dmean,
 "pixels_changed_ratio": changed,
 }
 )
 # Mostra só o batch 0 para não poluir
 print(
 f"[TGR PROGRESS] it={step_idx} loss={loss.item():.4f} "
 f"pred={int(pred[0])} conf_pred={conf_pred[0].item():.4f} "
 f"label={int(labels[0])} conf_label={conf_label[0].item():.4f} "
 f"dLinf={dmax:.6f} dMean={dmean:.6f} changed={changed*100:.1f}%"
 )
 grad_norm = torch.autograd.grad(
 loss,
 perts,
 retain_graph=False,
 create_graph=False,
 )[0]
# Cache de atenções desta iteração (detach para evitar vazamento)
 self.attentions_per_iter.append([att.detach().cpu() for att in attentions])
# Aqui grad_norm já é dL/d(perts) no pixel-space (depois de normalização interna do modelo)
 grad_denorm = grad_norm
if self.debug_stats:
 # estatísticas no espaço normalizado e no pixel-space
 self.debug_last[f"iter_{step_idx}"] = {
 "loss": float(loss.detach().item()),
 "grad_norm_abs_mean": float(grad_norm.detach().abs().mean().item()),
 "grad_norm_abs_max": float(grad_norm.detach().abs().max().item()),
 "grad_denorm_abs_mean_pre_norm": float(grad_denorm.detach().abs().mean().item()),
 "grad_denorm_abs_max_pre_norm": float(grad_denorm.detach().abs().max().item()),
 }
# Normalizar gradiente (como MI-FGSM)
 denom = torch.mean(torch.abs(grad_denorm), dim=(1, 2, 3), keepdim=True) + 1e-12
 grad_denorm = grad_denorm / denom
 # Momentum
 grad_denorm = grad_denorm + momentum * self.decay
 momentum = grad_denorm
# Atualiza perturbação (igual ao código oficial)
 perts = perts.detach() + self.eps_step * grad_denorm.sign()
 perts = torch.clamp(perts, -self.eps, self.eps)
 # clamp final em pixel space e volta para delta
 perts = torch.clamp(unnorm_inps + perts, 0.0, 1.0) - unnorm_inps
if self.debug_shapes:
 step_size = (self.eps_step * grad_denorm.sign()).abs().max().item()
 grad_sign_nonzero = (grad_denorm.sign().abs() > 0).float().mean().item()
 print(f"[TGR DEBUG] Step size: {step_size:.6f}, grad_sign non-zero: {grad_sign_nonzero*100:.1f}%")
if self.debug_stats:
 # completa estatísticas após normalização + momentum
 iter_stats = self.debug_last.get(f"iter_{step_idx}", {})
 iter_stats.update(
 {
 "denom_abs_mean": float(denom.detach().mean().item()),
 "grad_denorm_abs_mean_post_norm": float(grad_denorm.detach().abs().mean().item()),
 "grad_denorm_abs_max_post_norm": float(grad_denorm.detach().abs().max().item()),
 "grad_sign_nonzero_ratio": float(
 (grad_denorm.detach().sign().abs() > 0).float().mean().item()
 ),
 "step_size": float((self.eps_step * grad_denorm.detach().sign()).abs().max().item()),
 }
 )
 self.debug_last[f"iter_{step_idx}"] = iter_stats
if self.debug_shapes:
 actual_delta = (torch.clamp(unnorm_inps + perts, 0.0, 1.0) - unnorm_inps).abs().max().item()
 print(f"[TGR DEBUG] Iteration delta: {actual_delta:.6f} (eps={self.eps:.6f}, eps_step={self.eps_step:.6f})")
# Salvar artefatos desta iteração
 adv_denorm = torch.clamp(unnorm_inps + perts, 0.0, 1.0).detach()
 self.iteration_images.append(tensor_to_pil(adv_denorm[0], denormalize=False))
 self.iteration_tensors.append(((adv_denorm - mean) / std).clone().detach())
finally:
 for h in handles:
 h.remove()
 # Restaurar forwards originais de atenção
 if self._patched_attn_forwards:
 for attn_module, orig_forward in list(self._patched_attn_forwards.items()):
 try:
 attn_module.forward = orig_forward
 except Exception:
 pass
 self._patched_attn_forwards.clear()
 if hasattr(self, "_debug_attn_map_printed"):
 delattr(self, "_debug_attn_map_printed")
 # Restaurar modo de treinamento original
 if was_training:
 self.model.train()
adv_final = (torch.clamp(unnorm_inps + perts, 0.0, 1.0) - mean) / std
 return adv_final, self.iteration_images