# Adversarial machine learning

В самом широком понимании этого слова, это наука об атаках на алгоритмы машинного обучения и способах защиты от них

В данной работе будет рассмотрен пример такой атаки. Сначала будет обучена модель для распознавания цифр на картинке, затем будут сформированы примеры (adversarial examples), изменяющие показания модели

Работа выполнена студентом БИБ233 МИЭМ НИУ ВШЭ Коноваловым Матвеем



## Обучение модели
Сначала скачаем [модель](https://github.com/ultralytics/ultralytics/blob/main/docs/en/models/yolov8.md)

Была выбрана модель YOLOv8, предназначенная для задачи классификации, имеющая малое количество параметров. Большие модели могли бы замедлить эксперимент, меньшие представляли бы меньше интереса

In [12]:
from ultralytics import YOLO

model = YOLO("yolov8s-cls.pt")
model.info()

YOLOv8s-cls summary: 56 layers, 6,361,736 parameters, 0 gradients, 13.6 GFLOPs


(56, 6361736, 0, 13.609779199999998)

Затем скачаем датасет и приведем его в формат, совместимый с YOLO

In [10]:
from datasets import load_dataset
from pathlib import Path

ds = load_dataset("ufldl-stanford/svhn", "cropped_digits")
root = Path("datasets/svhn_cls")
splits = ["train", "test"]

for split in splits:
    split_ds = ds[split]
    for i, example in enumerate(split_ds):
        label = str(example["label"])
        out_dir = root / split / label
        out_dir.mkdir(parents=True, exist_ok=True)
        example["image"].save(out_dir / f"{i}.png")

Обучим модель

In [14]:
model.train(data=root,
            epochs=50,
            batch=128)
model.val()

Ultralytics 8.3.153  Python-3.11.9 torch-2.1.2+cu121 CUDA:0 (NVIDIA GeForce RTX 4060 Ti, 8188MiB)
[34m[1mengine\trainer: [0magnostic_nms=False, amp=True, augment=False, auto_augment=randaugment, batch=128, bgr=0.0, box=7.5, cache=False, cfg=None, classes=None, close_mosaic=10, cls=0.5, conf=None, copy_paste=0.0, copy_paste_mode=flip, cos_lr=False, cutmix=0.0, data=datasets\svhn_cls, degrees=0.0, deterministic=True, device=None, dfl=1.5, dnn=False, dropout=0.0, dynamic=False, embed=None, epochs=50, erasing=0.4, exist_ok=False, fliplr=0.5, flipud=0.0, format=torchscript, fraction=1.0, freeze=None, half=False, hsv_h=0.015, hsv_s=0.7, hsv_v=0.4, imgsz=224, int8=False, iou=0.7, keras=False, kobj=1.0, line_width=None, lr0=0.01, lrf=0.01, mask_ratio=4, max_det=300, mixup=0.0, mode=train, model=yolov8s-cls.pt, momentum=0.937, mosaic=1.0, multi_scale=False, name=train3, nbs=64, nms=False, opset=None, optimize=False, optimizer=auto, overlap_mask=True, patience=100, perspective=0.0, plots=True

[34m[1mtrain: [0mScanning C:\Users\ok__\PycharmProjects\MLSecOps\datasets\svhn_cls\train... 73257 images, 0 corrupt: 100%|██████████| 73257/73257 [00:00<?, ?it/s]


[34m[1mval: [0mFast image access  (ping: 0.20.0 ms, read: 5.31.1 MB/s, size: 1.7 KB)


[34m[1mval: [0mScanning C:\Users\ok__\PycharmProjects\MLSecOps\datasets\svhn_cls\test... 26032 images, 0 corrupt: 100%|██████████| 26032/26032 [00:00<?, ?it/s]


[34m[1moptimizer:[0m 'optimizer=auto' found, ignoring 'lr0=0.01' and 'momentum=0.937' and determining best 'optimizer', 'lr0' and 'momentum' automatically... 
[34m[1moptimizer:[0m SGD(lr=0.01, momentum=0.9) with parameter groups 26 weight(decay=0.0), 27 weight(decay=0.001), 27 bias(decay=0.0)
Image sizes 224 train, 224 val
Using 8 dataloader workers
Logging results to [1mruns\classify\train3[0m
Starting training for 50 epochs...

      Epoch    GPU_mem       loss  Instances       Size


       1/50      4.45G      1.965         41        224: 100%|██████████| 573/573 [01:11<00:00,  7.98it/s]
               classes   top1_acc   top5_acc: 100%|██████████| 102/102 [00:11<00:00,  8.83it/s]


                   all      0.616      0.947

      Epoch    GPU_mem       loss  Instances       Size


       2/50      2.48G     0.9635         41        224: 100%|██████████| 573/573 [01:09<00:00,  8.20it/s]
               classes   top1_acc   top5_acc: 100%|██████████| 102/102 [00:11<00:00,  9.03it/s]

                   all      0.847      0.987






      Epoch    GPU_mem       loss  Instances       Size


       3/50      2.48G     0.6187         41        224: 100%|██████████| 573/573 [01:08<00:00,  8.38it/s]
               classes   top1_acc   top5_acc: 100%|██████████| 102/102 [00:13<00:00,  7.60it/s]

                   all      0.867      0.988






      Epoch    GPU_mem       loss  Instances       Size


       4/50      2.48G     0.4922         41        224: 100%|██████████| 573/573 [01:09<00:00,  8.21it/s]
               classes   top1_acc   top5_acc: 100%|██████████| 102/102 [00:10<00:00,  9.47it/s]

                   all       0.91      0.994






      Epoch    GPU_mem       loss  Instances       Size


       5/50      2.48G      0.432         41        224: 100%|██████████| 573/573 [01:06<00:00,  8.64it/s]
               classes   top1_acc   top5_acc: 100%|██████████| 102/102 [00:11<00:00,  9.09it/s]

                   all      0.926      0.994






      Epoch    GPU_mem       loss  Instances       Size


       6/50      2.48G     0.3995         41        224: 100%|██████████| 573/573 [01:00<00:00,  9.48it/s]
               classes   top1_acc   top5_acc: 100%|██████████| 102/102 [00:10<00:00,  9.34it/s]

                   all      0.926      0.994






      Epoch    GPU_mem       loss  Instances       Size


       7/50      2.48G     0.3792         41        224: 100%|██████████| 573/573 [00:54<00:00, 10.54it/s]
               classes   top1_acc   top5_acc: 100%|██████████| 102/102 [00:10<00:00, 10.13it/s]

                   all      0.936      0.995






      Epoch    GPU_mem       loss  Instances       Size


       8/50      2.48G     0.3572         41        224: 100%|██████████| 573/573 [00:54<00:00, 10.55it/s]
               classes   top1_acc   top5_acc: 100%|██████████| 102/102 [00:10<00:00, 10.14it/s]

                   all      0.946      0.996






      Epoch    GPU_mem       loss  Instances       Size


       9/50      2.48G     0.3451         41        224: 100%|██████████| 573/573 [00:54<00:00, 10.52it/s]
               classes   top1_acc   top5_acc: 100%|██████████| 102/102 [00:10<00:00,  9.98it/s]

                   all      0.946      0.996






      Epoch    GPU_mem       loss  Instances       Size


      10/50      2.48G     0.3394         41        224: 100%|██████████| 573/573 [00:53<00:00, 10.63it/s]
               classes   top1_acc   top5_acc: 100%|██████████| 102/102 [00:09<00:00, 10.41it/s]

                   all      0.948      0.996






      Epoch    GPU_mem       loss  Instances       Size


      11/50      2.48G     0.3262         41        224: 100%|██████████| 573/573 [00:53<00:00, 10.62it/s]
               classes   top1_acc   top5_acc: 100%|██████████| 102/102 [00:10<00:00, 10.09it/s]


                   all      0.947      0.996

      Epoch    GPU_mem       loss  Instances       Size


      12/50      2.48G     0.3237         41        224: 100%|██████████| 573/573 [00:53<00:00, 10.63it/s]
               classes   top1_acc   top5_acc: 100%|██████████| 102/102 [00:10<00:00, 10.18it/s]

                   all      0.952      0.996






      Epoch    GPU_mem       loss  Instances       Size


      13/50      2.48G     0.3162         41        224: 100%|██████████| 573/573 [00:53<00:00, 10.67it/s]
               classes   top1_acc   top5_acc: 100%|██████████| 102/102 [00:09<00:00, 10.25it/s]


                   all      0.953      0.996

      Epoch    GPU_mem       loss  Instances       Size


      14/50      2.48G     0.3109         41        224: 100%|██████████| 573/573 [00:53<00:00, 10.65it/s]
               classes   top1_acc   top5_acc: 100%|██████████| 102/102 [00:09<00:00, 10.32it/s]

                   all      0.956      0.996






      Epoch    GPU_mem       loss  Instances       Size


      15/50      2.48G     0.3097         41        224: 100%|██████████| 573/573 [00:53<00:00, 10.64it/s]
               classes   top1_acc   top5_acc: 100%|██████████| 102/102 [00:10<00:00, 10.06it/s]

                   all      0.956      0.996






      Epoch    GPU_mem       loss  Instances       Size


      16/50      2.48G     0.3037         41        224: 100%|██████████| 573/573 [00:54<00:00, 10.59it/s]
               classes   top1_acc   top5_acc: 100%|██████████| 102/102 [00:09<00:00, 10.24it/s]

                   all      0.958      0.996






      Epoch    GPU_mem       loss  Instances       Size


      17/50      2.48G      0.303         41        224: 100%|██████████| 573/573 [00:53<00:00, 10.70it/s]
               classes   top1_acc   top5_acc: 100%|██████████| 102/102 [00:09<00:00, 10.34it/s]

                   all      0.961      0.996






      Epoch    GPU_mem       loss  Instances       Size


      18/50      2.48G     0.2972         41        224: 100%|██████████| 573/573 [00:54<00:00, 10.53it/s]
               classes   top1_acc   top5_acc: 100%|██████████| 102/102 [00:09<00:00, 10.37it/s]

                   all      0.963      0.997






      Epoch    GPU_mem       loss  Instances       Size


      19/50      2.48G     0.2973         41        224: 100%|██████████| 573/573 [00:53<00:00, 10.64it/s]
               classes   top1_acc   top5_acc: 100%|██████████| 102/102 [00:09<00:00, 10.22it/s]

                   all      0.961      0.996






      Epoch    GPU_mem       loss  Instances       Size


      20/50      2.48G     0.2871         41        224: 100%|██████████| 573/573 [00:53<00:00, 10.64it/s]
               classes   top1_acc   top5_acc: 100%|██████████| 102/102 [00:09<00:00, 10.33it/s]

                   all      0.961      0.996






      Epoch    GPU_mem       loss  Instances       Size


      21/50      2.48G     0.2879         41        224: 100%|██████████| 573/573 [00:53<00:00, 10.61it/s]
               classes   top1_acc   top5_acc: 100%|██████████| 102/102 [00:10<00:00, 10.17it/s]

                   all      0.962      0.997






      Epoch    GPU_mem       loss  Instances       Size


      22/50      2.48G     0.2859         41        224: 100%|██████████| 573/573 [00:53<00:00, 10.73it/s]
               classes   top1_acc   top5_acc: 100%|██████████| 102/102 [00:09<00:00, 10.33it/s]

                   all      0.963      0.997






      Epoch    GPU_mem       loss  Instances       Size


      23/50      2.48G     0.2808         41        224: 100%|██████████| 573/573 [00:53<00:00, 10.67it/s]
               classes   top1_acc   top5_acc: 100%|██████████| 102/102 [00:09<00:00, 10.27it/s]


                   all      0.963      0.997

      Epoch    GPU_mem       loss  Instances       Size


      24/50      2.48G     0.2826         41        224: 100%|██████████| 573/573 [00:53<00:00, 10.66it/s]
               classes   top1_acc   top5_acc: 100%|██████████| 102/102 [00:09<00:00, 10.35it/s]

                   all      0.965      0.997






      Epoch    GPU_mem       loss  Instances       Size


      25/50      2.48G     0.2698         41        224: 100%|██████████| 573/573 [00:53<00:00, 10.64it/s]
               classes   top1_acc   top5_acc: 100%|██████████| 102/102 [00:09<00:00, 10.24it/s]

                   all      0.965      0.997






      Epoch    GPU_mem       loss  Instances       Size


      26/50      2.48G     0.2742         41        224: 100%|██████████| 573/573 [00:53<00:00, 10.62it/s]
               classes   top1_acc   top5_acc: 100%|██████████| 102/102 [00:10<00:00, 10.14it/s]

                   all      0.967      0.997






      Epoch    GPU_mem       loss  Instances       Size


      27/50      2.48G     0.2684         41        224: 100%|██████████| 573/573 [00:53<00:00, 10.63it/s]
               classes   top1_acc   top5_acc: 100%|██████████| 102/102 [00:10<00:00, 10.17it/s]

                   all      0.967      0.996






      Epoch    GPU_mem       loss  Instances       Size


      28/50      2.48G     0.2631         41        224: 100%|██████████| 573/573 [00:54<00:00, 10.60it/s]
               classes   top1_acc   top5_acc: 100%|██████████| 102/102 [00:09<00:00, 10.26it/s]

                   all      0.968      0.997






      Epoch    GPU_mem       loss  Instances       Size


      29/50      2.48G     0.2594         41        224: 100%|██████████| 573/573 [00:53<00:00, 10.61it/s]
               classes   top1_acc   top5_acc: 100%|██████████| 102/102 [00:09<00:00, 10.25it/s]


                   all      0.968      0.997

      Epoch    GPU_mem       loss  Instances       Size


      30/50      2.48G     0.2514         41        224: 100%|██████████| 573/573 [00:53<00:00, 10.63it/s]
               classes   top1_acc   top5_acc: 100%|██████████| 102/102 [00:10<00:00, 10.01it/s]

                   all      0.968      0.997






      Epoch    GPU_mem       loss  Instances       Size


      31/50      2.48G     0.2512         41        224: 100%|██████████| 573/573 [00:53<00:00, 10.62it/s]
               classes   top1_acc   top5_acc: 100%|██████████| 102/102 [00:10<00:00, 10.06it/s]

                   all      0.968      0.997






      Epoch    GPU_mem       loss  Instances       Size


      32/50      2.48G     0.2445         41        224: 100%|██████████| 573/573 [00:53<00:00, 10.61it/s]
               classes   top1_acc   top5_acc: 100%|██████████| 102/102 [00:09<00:00, 10.44it/s]

                   all      0.968      0.997






      Epoch    GPU_mem       loss  Instances       Size


      33/50      2.48G     0.2406         41        224: 100%|██████████| 573/573 [00:55<00:00, 10.40it/s]
               classes   top1_acc   top5_acc: 100%|██████████| 102/102 [00:09<00:00, 10.40it/s]

                   all      0.969      0.997






      Epoch    GPU_mem       loss  Instances       Size


      34/50      2.48G     0.2378         41        224: 100%|██████████| 573/573 [00:54<00:00, 10.56it/s]
               classes   top1_acc   top5_acc: 100%|██████████| 102/102 [00:09<00:00, 10.51it/s]

                   all      0.969      0.997






      Epoch    GPU_mem       loss  Instances       Size


      35/50      2.48G     0.2298         41        224: 100%|██████████| 573/573 [00:53<00:00, 10.68it/s]
               classes   top1_acc   top5_acc: 100%|██████████| 102/102 [00:09<00:00, 10.36it/s]

                   all      0.969      0.997






      Epoch    GPU_mem       loss  Instances       Size


      36/50      2.48G     0.2248         41        224: 100%|██████████| 573/573 [00:54<00:00, 10.54it/s]
               classes   top1_acc   top5_acc: 100%|██████████| 102/102 [00:09<00:00, 10.42it/s]

                   all      0.969      0.997






      Epoch    GPU_mem       loss  Instances       Size


      37/50      2.48G     0.2164         41        224: 100%|██████████| 573/573 [00:54<00:00, 10.56it/s]
               classes   top1_acc   top5_acc: 100%|██████████| 102/102 [00:09<00:00, 10.23it/s]

                   all      0.969      0.997






      Epoch    GPU_mem       loss  Instances       Size


      38/50      2.48G     0.2166         41        224: 100%|██████████| 573/573 [00:54<00:00, 10.59it/s]
               classes   top1_acc   top5_acc: 100%|██████████| 102/102 [00:10<00:00, 10.08it/s]

                   all      0.969      0.997






      Epoch    GPU_mem       loss  Instances       Size


      39/50      2.48G     0.2058         41        224: 100%|██████████| 573/573 [00:54<00:00, 10.59it/s]
               classes   top1_acc   top5_acc: 100%|██████████| 102/102 [00:09<00:00, 10.31it/s]

                   all      0.969      0.997






      Epoch    GPU_mem       loss  Instances       Size


      40/50      2.48G     0.2037         41        224: 100%|██████████| 573/573 [00:54<00:00, 10.54it/s]
               classes   top1_acc   top5_acc: 100%|██████████| 102/102 [00:09<00:00, 10.20it/s]

                   all      0.969      0.997






      Epoch    GPU_mem       loss  Instances       Size


      41/50      2.48G     0.1954         41        224: 100%|██████████| 573/573 [00:54<00:00, 10.51it/s]
               classes   top1_acc   top5_acc: 100%|██████████| 102/102 [00:09<00:00, 10.21it/s]


                   all      0.969      0.997

      Epoch    GPU_mem       loss  Instances       Size


      42/50      2.48G      0.187         41        224: 100%|██████████| 573/573 [00:54<00:00, 10.53it/s]
               classes   top1_acc   top5_acc: 100%|██████████| 102/102 [00:10<00:00,  9.92it/s]

                   all      0.969      0.997






      Epoch    GPU_mem       loss  Instances       Size


      43/50      2.48G     0.1795         41        224: 100%|██████████| 573/573 [00:54<00:00, 10.49it/s]
               classes   top1_acc   top5_acc: 100%|██████████| 102/102 [00:10<00:00,  9.93it/s]

                   all      0.969      0.997






      Epoch    GPU_mem       loss  Instances       Size


      44/50      2.48G     0.1722         41        224: 100%|██████████| 573/573 [00:54<00:00, 10.51it/s]
               classes   top1_acc   top5_acc: 100%|██████████| 102/102 [00:10<00:00,  9.95it/s]

                   all      0.969      0.997






      Epoch    GPU_mem       loss  Instances       Size


      45/50      2.48G     0.1664         41        224: 100%|██████████| 573/573 [00:54<00:00, 10.52it/s]
               classes   top1_acc   top5_acc: 100%|██████████| 102/102 [00:10<00:00,  9.77it/s]

                   all      0.969      0.997






      Epoch    GPU_mem       loss  Instances       Size


      46/50      2.48G     0.1535         41        224: 100%|██████████| 573/573 [00:54<00:00, 10.46it/s]
               classes   top1_acc   top5_acc: 100%|██████████| 102/102 [00:09<00:00, 10.42it/s]

                   all      0.969      0.997






      Epoch    GPU_mem       loss  Instances       Size


      47/50      2.48G     0.1461         41        224: 100%|██████████| 573/573 [00:54<00:00, 10.56it/s]
               classes   top1_acc   top5_acc: 100%|██████████| 102/102 [00:09<00:00, 10.39it/s]

                   all       0.97      0.997






      Epoch    GPU_mem       loss  Instances       Size


      48/50      2.48G     0.1407         41        224: 100%|██████████| 573/573 [00:54<00:00, 10.56it/s]
               classes   top1_acc   top5_acc: 100%|██████████| 102/102 [00:09<00:00, 10.47it/s]

                   all       0.97      0.997






      Epoch    GPU_mem       loss  Instances       Size


      49/50      2.48G     0.1316         41        224: 100%|██████████| 573/573 [00:54<00:00, 10.52it/s]
               classes   top1_acc   top5_acc: 100%|██████████| 102/102 [00:09<00:00, 10.34it/s]

                   all       0.97      0.997






      Epoch    GPU_mem       loss  Instances       Size


      50/50      2.48G     0.1253         41        224: 100%|██████████| 573/573 [00:54<00:00, 10.53it/s]
               classes   top1_acc   top5_acc: 100%|██████████| 102/102 [00:09<00:00, 10.24it/s]

                   all       0.97      0.997






50 epochs completed in 0.927 hours.
Optimizer stripped from runs\classify\train3\weights\last.pt, 10.3MB
Optimizer stripped from runs\classify\train3\weights\best.pt, 10.3MB

Validating runs\classify\train3\weights\best.pt...
Ultralytics 8.3.153  Python-3.11.9 torch-2.1.2+cu121 CUDA:0 (NVIDIA GeForce RTX 4060 Ti, 8188MiB)
YOLOv8s-cls summary (fused): 30 layers, 5,088,010 parameters, 0 gradients, 12.5 GFLOPs
[34m[1mtrain:[0m C:\Users\ok__\PycharmProjects\MLSecOps\datasets\svhn_cls\train... found 73257 images in 10 classes  
[34m[1mval:[0m C:\Users\ok__\PycharmProjects\MLSecOps\datasets\svhn_cls\test... found 26032 images in 10 classes  
[34m[1mtest:[0m C:\Users\ok__\PycharmProjects\MLSecOps\datasets\svhn_cls\test... found 26032 images in 10 classes  


               classes   top1_acc   top5_acc: 100%|██████████| 102/102 [00:09<00:00, 10.24it/s]


                   all       0.97      0.997
Speed: 0.1ms preprocess, 0.2ms inference, 0.0ms loss, 0.0ms postprocess per image
Results saved to [1mruns\classify\train3[0m
Ultralytics 8.3.153  Python-3.11.9 torch-2.1.2+cu121 CUDA:0 (NVIDIA GeForce RTX 4060 Ti, 8188MiB)
YOLOv8s-cls summary (fused): 30 layers, 5,088,010 parameters, 0 gradients, 12.5 GFLOPs
[34m[1mtrain:[0m C:\Users\ok__\PycharmProjects\MLSecOps\datasets\svhn_cls\train... found 73257 images in 10 classes  
[34m[1mval:[0m C:\Users\ok__\PycharmProjects\MLSecOps\datasets\svhn_cls\test... found 26032 images in 10 classes  
[34m[1mtest:[0m C:\Users\ok__\PycharmProjects\MLSecOps\datasets\svhn_cls\test... found 26032 images in 10 classes  
[34m[1mval: [0mFast image access  (ping: 0.00.0 ms, read: 19.03.7 MB/s, size: 1.7 KB)


[34m[1mval: [0mScanning C:\Users\ok__\PycharmProjects\MLSecOps\datasets\svhn_cls\test... 26032 images, 0 corrupt: 100%|██████████| 26032/26032 [00:00<?, ?it/s]
               classes   top1_acc   top5_acc: 100%|██████████| 204/204 [00:12<00:00, 16.31it/s]


                   all       0.97      0.997
Speed: 0.1ms preprocess, 0.3ms inference, 0.0ms loss, 0.0ms postprocess per image
Results saved to [1mruns\classify\train32[0m


ultralytics.utils.metrics.ClassifyMetrics object with attributes:

confusion_matrix: <ultralytics.utils.metrics.ConfusionMatrix object at 0x0000016839F93AD0>
curves: []
curves_results: []
fitness: 0.9836931526660919
keys: ['metrics/accuracy_top1', 'metrics/accuracy_top5']
results_dict: {'metrics/accuracy_top1': 0.9702289700508118, 'metrics/accuracy_top5': 0.9971573352813721, 'fitness': 0.9836931526660919}
save_dir: WindowsPath('runs/classify/train32')
speed: {'preprocess': 0.05283406576525764, 'inference': 0.30222762753539256, 'loss': 8.201060240060639e-05, 'postprocess': 0.0003986708666821197}
task: 'classify'
top1: 0.9702289700508118
top5: 0.9971573352813721

Отлично, модель обучилась и имеет долю правильных ответов 97%, при этом правильный ответ находится в топ 5 в 99,7% случаев
Обученную модель можно скачать по [ссылке](https://disk.360.yandex.ru/d/r-5SqYBdwTfuuQ) (рекомендуется положить её в папку models)



## Проведение атаки

Пусть наша [модель](https://disk.360.yandex.ru/d/r-5SqYBdwTfuuQ) находится в папке models. Считаем её

In [None]:
from ultralytics import YOLO

model = YOLO("yolov8s-cls.pt")