Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
PaddlePaddle
models
提交
4c08303c
M
models
项目概览
PaddlePaddle
/
models
大约 2 年 前同步成功
通知
232
Star
6828
Fork
2962
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
602
列表
看板
标记
里程碑
合并请求
255
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
M
models
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
602
Issue
602
列表
看板
标记
里程碑
合并请求
255
合并请求
255
Pages
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
提交
Issue看板
未验证
提交
4c08303c
编写于
2月 09, 2018
作者:
G
gx-wind
提交者:
GitHub
2月 09, 2018
浏览文件
操作
浏览文件
下载
差异文件
Merge pull request #655 from lyzsea/jsma
adversarial example attack method -- jsma
上级
65c962df
c2b80706
变更
2
隐藏空白更改
内联
并排
Showing
2 changed file
with
243 addition
and
0 deletion
+243
-0
fluid/adversarial/advbox/attacks/saliency.py
fluid/adversarial/advbox/attacks/saliency.py
+146
-0
fluid/adversarial/mnist_tutorial_jsma.py
fluid/adversarial/mnist_tutorial_jsma.py
+97
-0
未找到文件。
fluid/adversarial/advbox/attacks/saliency.py
0 → 100644
浏览文件 @
4c08303c
"""
This module provide the attack method for JSMA's implement.
"""
from
__future__
import
division
import
logging
import
random
import
numpy
as
np
from
.base
import
Attack
class
SaliencyMapAttack
(
Attack
):
"""
Implements the Saliency Map Attack.
The Jacobian-based Saliency Map Approach (Papernot et al. 2016).
Paper link: https://arxiv.org/pdf/1511.07528.pdf
"""
def
_apply
(
self
,
adversary
,
max_iter
=
2000
,
fast
=
True
,
theta
=
0.1
,
max_perturbations_per_pixel
=
7
):
"""
Apply the JSMA attack.
Args:
adversary(Adversary): The Adversary object.
max_iter(int): The max iterations.
fast(bool): Whether evaluate the pixel influence on sum of residual classes.
theta(float): Perturbation per pixel relative to [min, max] range.
max_perturbations_per_pixel(int): The max count of perturbation per pixel.
Return:
adversary: The Adversary object.
"""
assert
adversary
is
not
None
if
not
adversary
.
is_targeted_attack
or
(
adversary
.
target_label
is
None
):
target_labels
=
self
.
_generate_random_target
(
adversary
.
original_label
)
else
:
target_labels
=
[
adversary
.
target_label
]
for
target
in
target_labels
:
original_image
=
adversary
.
original
# the mask defines the search domain
# each modified pixel with border value is set to zero in mask
mask
=
np
.
ones_like
(
original_image
)
# count tracks how often each pixel was changed
counts
=
np
.
zeros_like
(
original_image
)
labels
=
range
(
self
.
model
.
num_classes
())
adv_img
=
original_image
.
copy
()
min_
,
max_
=
self
.
model
.
bounds
()
for
step
in
range
(
max_iter
):
adv_img
=
np
.
clip
(
adv_img
,
min_
,
max_
)
adv_label
=
np
.
argmax
(
self
.
model
.
predict
(
adv_img
))
if
adversary
.
try_accept_the_example
(
adv_img
,
adv_label
):
return
adversary
# stop if mask is all zero
if
not
any
(
mask
.
flatten
()):
return
adversary
logging
.
info
(
'step = {}, original_label = {}, adv_label={}'
.
format
(
step
,
adversary
.
original_label
,
adv_label
))
# get pixel location with highest influence on class
idx
,
p_sign
=
self
.
_saliency_map
(
adv_img
,
target
,
labels
,
mask
,
fast
=
fast
)
# apply perturbation
adv_img
[
idx
]
+=
-
p_sign
*
theta
*
(
max_
-
min_
)
# tracks number of updates for each pixel
counts
[
idx
]
+=
1
# remove pixel from search domain if it hits the bound
if
adv_img
[
idx
]
<=
min_
or
adv_img
[
idx
]
>=
max_
:
mask
[
idx
]
=
0
# remove pixel if it was changed too often
if
counts
[
idx
]
>=
max_perturbations_per_pixel
:
mask
[
idx
]
=
0
adv_img
=
np
.
clip
(
adv_img
,
min_
,
max_
)
def
_generate_random_target
(
self
,
original_label
):
"""
Draw random target labels all of which are different and not the original label.
Args:
original_label(int): Original label.
Return:
target_labels(list): random target labels
"""
num_random_target
=
1
num_classes
=
self
.
model
.
num_classes
()
assert
num_random_target
<=
num_classes
-
1
target_labels
=
random
.
sample
(
range
(
num_classes
),
num_random_target
+
1
)
target_labels
=
[
t
for
t
in
target_labels
if
t
!=
original_label
]
target_labels
=
target_labels
[:
num_random_target
]
return
target_labels
def
_saliency_map
(
self
,
image
,
target
,
labels
,
mask
,
fast
=
False
):
"""
Get pixel location with highest influence on class.
Args:
image(numpy.ndarray): Image with shape (height, width, channels).
target(int): The target label.
labels(int): The number of classes of the output label.
mask(list): Each modified pixel with border value is set to zero in mask.
fast(bool): Whether evaluate the pixel influence on sum of residual classes.
Return:
idx: The index of optimal pixel.
pix_sign: The direction of perturbation
"""
# pixel influence on target class
alphas
=
self
.
model
.
gradient
(
image
,
target
)
*
mask
# pixel influence on sum of residual classes(don't evaluate if fast == True)
if
fast
:
betas
=
-
np
.
ones_like
(
alphas
)
else
:
betas
=
np
.
sum
([
self
.
model
.
gradient
(
image
,
label
)
*
mask
-
alphas
for
label
in
labels
],
0
)
# compute saliency map (take into account both pos. & neg. perturbations)
sal_map
=
np
.
abs
(
alphas
)
*
np
.
abs
(
betas
)
*
np
.
sign
(
alphas
*
betas
)
# find optimal pixel & direction of perturbation
idx
=
np
.
argmin
(
sal_map
)
idx
=
np
.
unravel_index
(
idx
,
mask
.
shape
)
pix_sign
=
np
.
sign
(
alphas
)[
idx
]
return
idx
,
pix_sign
JSMA
=
SaliencyMapAttack
fluid/adversarial/mnist_tutorial_jsma.py
0 → 100644
浏览文件 @
4c08303c
"""
FGSM demos on mnist using advbox tool.
"""
import
matplotlib.pyplot
as
plt
import
paddle.v2
as
paddle
import
paddle.v2.fluid
as
fluid
import
numpy
as
np
from
advbox
import
Adversary
from
advbox.attacks.saliency
import
SaliencyMapAttack
from
advbox.models.paddle
import
PaddleModel
def
cnn_model
(
img
):
"""
Mnist cnn model
Args:
img(Varaible): the input image to be recognized
Returns:
Variable: the label prediction
"""
# conv1 = fluid.nets.conv2d()
conv_pool_1
=
fluid
.
nets
.
simple_img_conv_pool
(
input
=
img
,
num_filters
=
20
,
filter_size
=
5
,
pool_size
=
2
,
pool_stride
=
2
,
act
=
'relu'
)
conv_pool_2
=
fluid
.
nets
.
simple_img_conv_pool
(
input
=
conv_pool_1
,
num_filters
=
50
,
filter_size
=
5
,
pool_size
=
2
,
pool_stride
=
2
,
act
=
'relu'
)
logits
=
fluid
.
layers
.
fc
(
input
=
conv_pool_2
,
size
=
10
,
act
=
'softmax'
)
return
logits
def
main
():
"""
Advbox demo which demonstrate how to use advbox.
"""
IMG_NAME
=
'img'
LABEL_NAME
=
'label'
img
=
fluid
.
layers
.
data
(
name
=
IMG_NAME
,
shape
=
[
1
,
28
,
28
],
dtype
=
'float32'
)
# gradient should flow
img
.
stop_gradient
=
False
label
=
fluid
.
layers
.
data
(
name
=
LABEL_NAME
,
shape
=
[
1
],
dtype
=
'int64'
)
logits
=
cnn_model
(
img
)
cost
=
fluid
.
layers
.
cross_entropy
(
input
=
logits
,
label
=
label
)
avg_cost
=
fluid
.
layers
.
mean
(
x
=
cost
)
place
=
fluid
.
CPUPlace
()
exe
=
fluid
.
Executor
(
place
)
BATCH_SIZE
=
1
train_reader
=
paddle
.
batch
(
paddle
.
reader
.
shuffle
(
paddle
.
dataset
.
mnist
.
train
(),
buf_size
=
500
),
batch_size
=
BATCH_SIZE
)
feeder
=
fluid
.
DataFeeder
(
feed_list
=
[
IMG_NAME
,
LABEL_NAME
],
place
=
place
,
program
=
fluid
.
default_main_program
())
fluid
.
io
.
load_params
(
exe
,
"./mnist/"
,
main_program
=
fluid
.
default_main_program
())
# advbox demo
m
=
PaddleModel
(
fluid
.
default_main_program
(),
IMG_NAME
,
LABEL_NAME
,
logits
.
name
,
avg_cost
.
name
,
(
-
1
,
1
))
attack
=
SaliencyMapAttack
(
m
)
total_num
=
0
success_num
=
0
for
data
in
train_reader
():
total_num
+=
1
# adversary.set_target(True, target_label=target_label)
jsma_attack
=
attack
(
Adversary
(
data
[
0
][
0
],
data
[
0
][
1
]))
if
jsma_attack
is
not
None
and
jsma_attack
.
is_successful
():
# plt.imshow(jsma_attack.target, cmap='Greys_r')
# plt.show()
success_num
+=
1
print
(
'original_label=%d, adversary examples label =%d'
%
(
data
[
0
][
1
],
jsma_attack
.
adversarial_label
))
# np.save('adv_img', jsma_attack.adversarial_example)
print
(
'total num = %d, success num = %d '
%
(
total_num
,
success_num
))
if
total_num
==
100
:
break
if
__name__
==
'__main__'
:
main
()
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录