advertorch.attacks

Attacks

Attack | Abstract base class for all attack classes.
GradientAttack | Perturbs the input with gradient (not gradient sign) of the loss with respect to the input.
GradientSignAttack | One step fast gradient sign method (Goodfellow et al, 2014).
FastFeatureAttack | Fast attack against a target internal representation of a model using gradient descent (Sabour et al. 2016).
L2BasicIterativeAttack | Like GradientAttack but with several steps for each epsilon.
LinfBasicIterativeAttack | Like GradientSignAttack but with several steps for each epsilon.
PGDAttack | The projected gradient descent attack (Madry et al, 2017).
LinfPGDAttack | PGD Attack with order=Linf
L2PGDAttack | PGD Attack with order=L2
MomentumIterativeAttack | The L-inf projected gradient descent attack (Dong et al. 2017).
CarliniWagnerL2Attack | Carlini, Nicholas, and David Wagner, "Towards evaluating the robustness of neural networks", 2017 IEEE Symposium on Security and Privacy (SP), IEEE, 2017.
LBFGSAttack | The attack that uses L-BFGS to minimize the distance between the original and perturbed images
SinglePixelAttack | Single Pixel Attack, Algorithm 1 in https://arxiv.org/pdf/1612.06299.pdf
LocalSearchAttack | Local Search Attack, Algorithm 3 in https://arxiv.org/pdf/1612.06299.pdf
SpatialTransformAttack | Spatially Transformed Attack
JacobianSaliencyMapAttack | Jacobian Saliency Map Attack. This includes Algorithm 1 and 3 in v1

Detailed description

class advertorch.attacks.Attack(predict, loss_fn, clip_min, clip_max)
Abstract base class for all attack classes.
Parameters:
- predict – forward pass function.
- loss_fn – loss function that takes .
- clip_min – minimum value per input dimension.
- clip_max – maximum value per input dimension.

class advertorch.attacks.GradientAttack(predict, loss_fn=None, eps=0.3, clip_min=0.0, clip_max=1.0, targeted=False)
Perturbs the input with gradient (not gradient sign) of the loss with respect to the input.
Parameters:
- predict – forward pass function.
- loss_fn – loss function.
- eps – attack step size.
- clip_min – minimum value per input dimension.
- clip_max – maximum value per input dimension.
- targeted – indicate if this is a targeted attack.

perturb(x, y=None)
Given examples (x, y), returns their adversarial counterparts with an attack length of eps.
Parameters:
- x – input tensor.
- y – label tensor.
  - if None and self.targeted=False, compute y as predicted labels.
  - if self.targeted=True, then y must be the targeted labels.
Returns: tensor containing perturbed inputs.

class advertorch.attacks.GradientSignAttack(predict, loss_fn=None, eps=0.3, clip_min=0.0, clip_max=1.0, targeted=False)
One step fast gradient sign method (Goodfellow et al, 2014). Paper: https://arxiv.org/abs/1412.6572
Parameters:
- predict – forward pass function.
- loss_fn – loss function.
- eps – attack step size.
- clip_min – minimum value per input dimension.
- clip_max – maximum value per input dimension.
- targeted – indicate if this is a targeted attack.

perturb(x, y=None)
Given examples (x, y), returns their adversarial counterparts with an attack length of eps.
Parameters:
- x – input tensor.
- y – label tensor.
  - if None and self.targeted=False, compute y as predicted labels.
  - if self.targeted=True, then y must be the targeted labels.
Returns: tensor containing perturbed inputs.

class advertorch.attacks.FastFeatureAttack(predict, loss_fn=None, eps=0.3, eps_iter=0.05, nb_iter=10, rand_init=True, clip_min=0.0, clip_max=1.0)
Fast attack against a target internal representation of a model using gradient descent (Sabour et al. 2016). Paper: https://arxiv.org/abs/1511.05122
Parameters:
- predict – forward pass function.
- loss_fn – loss function.
- eps – maximum distortion.
- eps_iter – attack step size.
- nb_iter – number of iterations.
- clip_min – minimum value per input dimension.
- clip_max – maximum value per input dimension.

perturb(source, guide, delta=None)
Given source inputs, returns their adversarial counterparts with representations close to that of the guide.
Parameters:
- source – input tensor which we want to perturb.
- guide – targeted input.
- delta – tensor containing the random initialization.
Returns: tensor containing perturbed inputs.

class advertorch.attacks.L2BasicIterativeAttack(predict, loss_fn=None, eps=0.1, nb_iter=10, eps_iter=0.05, clip_min=0.0, clip_max=1.0, targeted=False)
Like GradientAttack but with several steps for each epsilon.
Parameters:
- predict – forward pass function.
- loss_fn – loss function.
- eps – maximum distortion.
- nb_iter – number of iterations.
- eps_iter – attack step size.
- clip_min – minimum value per input dimension.
- clip_max – maximum value per input dimension.
- targeted – if the attack is targeted.

class advertorch.attacks.LinfBasicIterativeAttack(predict, loss_fn=None, eps=0.1, nb_iter=10, eps_iter=0.05, clip_min=0.0, clip_max=1.0, targeted=False)
Like GradientSignAttack but with several steps for each epsilon. Also known as the Basic Iterative Attack. Paper: https://arxiv.org/pdf/1611.01236.pdf
Parameters:
- predict – forward pass function.
- loss_fn – loss function.
- eps – maximum distortion.
- nb_iter – number of iterations.
- eps_iter – attack step size.
- rand_init – (optional bool) random initialization.
- clip_min – minimum value per input dimension.
- clip_max – maximum value per input dimension.
- ord – (optional) the order of maximum distortion (inf or 2).
- targeted – if the attack is targeted.

class advertorch.attacks.PGDAttack(predict, loss_fn=None, eps=0.3, nb_iter=40, eps_iter=0.01, rand_init=True, clip_min=0.0, clip_max=1.0, ord=np.inf, targeted=False)
The projected gradient descent attack (Madry et al, 2017). The attack performs nb_iter steps of size eps_iter, while always staying within eps from the initial point. Paper: https://arxiv.org/pdf/1706.06083.pdf
Parameters:
- predict – forward pass function.
- loss_fn – loss function.
- eps – maximum distortion.
- nb_iter – number of iterations.
- eps_iter – attack step size.
- rand_init – (optional bool) random initialization.
- clip_min – minimum value per input dimension.
- clip_max – maximum value per input dimension.
- ord – (optional) the order of maximum distortion (inf or 2).
- targeted – if the attack is targeted.

perturb(x, y=None)
Given examples (x, y), returns their adversarial counterparts with an attack length of eps.
Parameters:
- x – input tensor.
- y – label tensor.
  - if None and self.targeted=False, compute y as predicted labels.
  - if self.targeted=True, then y must be the targeted labels.
Returns: tensor containing perturbed inputs.
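
The iteration PGDAttack describes (nb_iter steps of size eps_iter, projected back to within eps of the starting point and clipped to [clip_min, clip_max]), written out in plain Python for a robustness check. This is an added example, not advertorch's code; the toy logistic-regression model, its weights, the sample input, and the names `linf_pgd` and `robustness_report` are assumptions constructed here.

```python
import math
import random

# Constructed toy model (assumption): fixed logistic-regression weights.
W = [2.0, -3.0, 1.5, 0.5]
B = -0.2

def predict(x):
    """Forward pass: probability of class 1."""
    z = sum(w * xi for w, xi in zip(W, x)) + B
    return 1.0 / (1.0 + math.exp(-z))

def loss_and_grad(x, y):
    """Binary cross-entropy and its gradient with respect to the input x."""
    p = predict(x)
    loss = -(y * math.log(p) + (1 - y) * math.log(1 - p))
    return loss, [(p - y) * w for w in W]

def linf_pgd(x, y, eps=0.3, nb_iter=40, eps_iter=0.01, rand_init=True,
             clip_min=0.0, clip_max=1.0, seed=0):
    """Untargeted L-inf PGD: ascend the loss, then project after every step."""
    rng = random.Random(seed)

    def project(v, x0):
        v = min(max(v, x0 - eps), x0 + eps)     # stay within eps of the start
        return min(max(v, clip_min), clip_max)  # stay in the valid input range

    x_adv = [project(xi + (rng.uniform(-eps, eps) if rand_init else 0.0), xi)
             for xi in x]
    for _ in range(nb_iter):
        _, grad = loss_and_grad(x_adv, y)
        # Signed step of size eps_iter per coordinate, then projection.
        x_adv = [project(v + eps_iter * ((g > 0) - (g < 0)), xi)
                 for v, g, xi in zip(x_adv, grad, x)]
    return x_adv

def robustness_report(x, y, **kwargs):
    """Summarise whether the prediction for (x, y) survives the eps budget."""
    x_adv = linf_pgd(x, y, **kwargs)
    return {
        "clean_loss": loss_and_grad(x, y)[0],
        "adv_loss": loss_and_grad(x_adv, y)[0],
        "linf": max(abs(a - b) for a, b in zip(x_adv, x)),
        "label_kept": (predict(x_adv) > 0.5) == bool(y),
        "x_adv": x_adv,
    }

# Constructed sample: with rand_init=False the label holds at eps=0.3, flips at 0.35.
SAMPLE_X, SAMPLE_Y = [0.8, 0.1, 0.6, 0.5], 1
```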

class advertorch.attacks.LinfPGDAttack(predict, loss_fn=None, eps=0.3, nb_iter=40, eps_iter=0.01, rand_init=True, clip_min=0.0, clip_max=1.0, targeted=False)
PGD Attack with order=Linf
Parameters:
- predict – forward pass function.
- loss_fn – loss function.
- eps – maximum distortion.
- nb_iter – number of iterations.
- eps_iter – attack step size.
- rand_init – (optional bool) random initialization.
- clip_min – minimum value per input dimension.
- clip_max – maximum value per input dimension.
- targeted – if the attack is targeted.

class advertorch.attacks.L2PGDAttack(predict, loss_fn=None, eps=0.3, nb_iter=40, eps_iter=0.01, rand_init=True, clip_min=0.0, clip_max=1.0, targeted=False)
PGD Attack with order=L2
Parameters:
- predict – forward pass function.
- loss_fn – loss function.
- eps – maximum distortion.
- nb_iter – number of iterations.
- eps_iter – attack step size.
- rand_init – (optional bool) random initialization.
- clip_min – minimum value per input dimension.
- clip_max – maximum value per input dimension.
- targeted – if the attack is targeted.

class advertorch.attacks.MomentumIterativeAttack(predict, loss_fn=None, eps=0.3, nb_iter=40, decay_factor=1.0, eps_iter=0.01, clip_min=0.0, clip_max=1.0, targeted=False)
The L-inf projected gradient descent attack (Dong et al. 2017). The attack performs nb_iter steps of size eps_iter, while always staying within eps from the initial point. The optimization is performed with momentum. Paper: https://arxiv.org/pdf/1710.06081.pdf
Parameters:
- predict – forward pass function.
- loss_fn – loss function.
- eps – maximum distortion.
- nb_iter – number of iterations.
- decay_factor – momentum decay factor.
- eps_iter – attack step size.
- clip_min – minimum value per input dimension.
- clip_max – maximum value per input dimension.
- targeted – if the attack is targeted.

perturb(x, y=None)
Given examples (x, y), returns their adversarial counterparts with an attack length of eps.
Parameters:
- x – input tensor.
- y – label tensor.
  - if None and self.targeted=False, compute y as predicted labels.
  - if self.targeted=True, then y must be the targeted labels.
Returns: tensor containing perturbed inputs.

class advertorch.attacks.CarliniWagnerL2Attack(predict, num_classes, confidence=0, targeted=False, learning_rate=0.01, binary_search_steps=9, max_iterations=10000, abort_early=True, initial_const=0.001, clip_min=0.0, clip_max=1.0, loss_fn=None)
Carlini, Nicholas, and David Wagner, "Towards evaluating the robustness of neural networks", 2017 IEEE Symposium on Security and Privacy (SP), IEEE, 2017. https://arxiv.org/abs/1608.04644
Parameters:
- predict – forward pass function.
- num_classes – number of classes.
- confidence – confidence of the adversarial examples.
- targeted – TODO
- learning_rate – the learning rate for the attack algorithm.
- binary_search_steps – number of binary search times to find the optimum.
- max_iterations – the maximum number of iterations.
- abort_early – if set to true, abort early if getting stuck in a local minimum.
- initial_const – initial value of the constant c.
- clip_min – minimum value per input dimension.
- clip_max – maximum value per input dimension.
- loss_fn – loss function.

class advertorch.attacks.LBFGSAttack(predict, num_classes, batch_size=1, binary_search_steps=9, max_iterations=100, initial_const=0.01, clip_min=0, clip_max=1, loss_fn=None, targeted=False)
The attack that uses L-BFGS to minimize the distance between the original and perturbed images.
Parameters:
- predict – forward pass function.
- num_classes – number of classes.
- batch_size – number of samples in the batch.
- binary_search_steps – number of binary search times to find the optimum.
- max_iterations – the maximum number of iterations.
- initial_const – initial value of the constant c.
- clip_min – minimum value per input dimension.
- clip_max – maximum value per input dimension.
- loss_fn – loss function.
- targeted – if the attack is targeted.

class advertorch.attacks.SinglePixelAttack(predict, max_pixels=100, clip_min=0.0, loss_fn=None, clip_max=1.0, comply_with_foolbox=False, targeted=False)
Single Pixel Attack, Algorithm 1 in https://arxiv.org/pdf/1612.06299.pdf
Parameters:
- predict – forward pass function.
- max_pixels – max number of pixels to perturb.
- clip_min – minimum value per input dimension.
- clip_max – maximum value per input dimension.
- loss_fn – loss function.
- targeted – if the attack is targeted.

class advertorch.attacks.LocalSearchAttack(predict, clip_min=0.0, clip_max=1.0, p=1.0, r=1.5, loss_fn=None, d=5, t=5, k=1, round_ub=10, seed_ratio=0.1, max_nb_seeds=128, comply_with_foolbox=False, targeted=False)
Local Search Attack, Algorithm 3 in https://arxiv.org/pdf/1612.06299.pdf
Parameters:
- predict – forward pass function.
- clip_min – minimum value per input dimension.
- clip_max – maximum value per input dimension.
- p – parameter that controls pixel complexity.
- r – perturbation value.
- loss_fn – loss function.
- d – the half side length of the neighbourhood square.
- t – the number of pixels perturbed at each round.
- k – the threshold for k-misclassification.
- round_ub – an upper bound on the number of rounds.

class advertorch.attacks.SpatialTransformAttack(predict, num_classes, confidence=0, initial_const=1, max_iterations=1000, search_steps=1, loss_fn=None, clip_min=0.0, clip_max=1.0, abort_early=True, targeted=False)
Spatially Transformed Attack
Parameters:
- predict – forward pass function.
- num_classes – number of classes.
- confidence – confidence of the adversarial examples.
- initial_const – initial value of the constant c.
- max_iterations – the maximum number of iterations.
- search_steps – number of search times to find the optimum.
- loss_fn – loss function.
- clip_min – minimum value per input dimension.
- clip_max – maximum value per input dimension.
- abort_early – if set to true, abort early if getting stuck in a local minimum.
- targeted – if the attack is targeted.

class advertorch.attacks.JacobianSaliencyMapAttack(predict, num_classes, clip_min=0.0, clip_max=1.0, loss_fn=None, theta=1.0, gamma=1.0, comply_cleverhans=False)
Jacobian Saliency Map Attack. This includes Algorithm 1 and 3 in v1
Parameters:
- predict – forward pass function.
- num_classes – number of classes.
- clip_min – minimum value per input dimension.
- clip_max – maximum value per input dimension.
- gamma – highest percentage of pixels that can be modified.
- theta – perturb length, range is either [theta, 0], [0, theta]