# MIT License
#
# Copyright (C) IBM Corporation 2018
#
# Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
# documentation files (the "Software"), to deal in the Software without restriction, including without limitation the
# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit
# persons to whom the Software is furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in all copies or substantial portions of the
# Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
# WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
# TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
"""
This module implements the boundary attack `BoundaryAttack`. This is a black-box attack which only requires class
predictions.
| Paper link: https://arxiv.org/abs/1712.04248
"""
from __future__ import absolute_import, division, print_function, unicode_literals
import logging
import numpy as np
from art import NUMPY_DTYPE
from art.attacks.attack import Attack
from art.utils import compute_success, to_categorical, check_and_transform_label_format
# Module-level logger; the attack reports its final success rate through it (see `BoundaryAttack.generate`).
logger = logging.getLogger(__name__)
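class BoundaryAttack(Attack):
    """
    Implementation of the boundary attack from Brendel et al. (2018). This is a powerful black-box attack that
    only requires final class prediction: the classifier is treated as a label oracle and is never differentiated,
    which is why it is used to evaluate the robustness of models that expose nothing but their top-1 decision.

    | Paper link: https://arxiv.org/abs/1712.04248
    """
    attack_params = Attack.attack_params + ['targeted', 'delta', 'epsilon', 'step_adapt', 'max_iter', 'num_trial',
                                            'sample_size', 'init_size', 'batch_size']

    def __init__(self, classifier, targeted=True, delta=0.01, epsilon=0.01, step_adapt=0.667, max_iter=5000,
                 num_trial=25, sample_size=20, init_size=100):
        """
        Create a boundary attack instance.

        :param classifier: A trained classifier.
        :type classifier: :class:`.Classifier`
        :param targeted: Should the attack target one specific class.
        :type targeted: `bool`
        :param delta: Initial step size for the orthogonal step.
        :type delta: `float`
        :param epsilon: Initial step size for the step towards the target.
        :type epsilon: `float`
        :param step_adapt: Factor by which the step sizes are multiplied or divided, must be in the range (0, 1).
        :type step_adapt: `float`
        :param max_iter: Maximum number of iterations.
        :type max_iter: `int`
        :param num_trial: Maximum number of trials per iteration.
        :type num_trial: `int`
        :param sample_size: Number of samples per trial.
        :type sample_size: `int`
        :param init_size: Maximum number of trials for initial generation of adversarial examples.
        :type init_size: `int`
        :raises ValueError: If any parameter fails the checks in :meth:`set_params`.
        """
        super(BoundaryAttack, self).__init__(classifier=classifier)
        params = {
            'targeted': targeted,
            'delta': delta,
            'epsilon': epsilon,
            'step_adapt': step_adapt,
            'max_iter': max_iter,
            'num_trial': num_trial,
            'sample_size': sample_size,
            'init_size': init_size,
            # `batch_size` is not a constructor argument; it is fixed at 1 and only forwarded to `predict`.
            'batch_size': 1,
        }
        self.set_params(**params)

    def generate(self, x, y=None, **kwargs):
        """
        Generate adversarial samples and return them in an array.

        :param x: An array with the original inputs to be attacked.
        :type x: `np.ndarray`
        :param y: Target values (class labels) one-hot-encoded of shape (nb_samples, nb_classes) or indices of shape
                  (nb_samples,). If `self.targeted` is true, then `y` represents the target labels.
        :type y: `np.ndarray` or `None`
        :param x_adv_init: Initial array to act as initial adversarial examples. Same shape as `x`. Passed via
                           `kwargs`.
        :type x_adv_init: `np.ndarray`
        :return: An array holding the adversarial examples.
        :rtype: `np.ndarray`
        :raises ValueError: If the attack is targeted and `y` is `None`, or if `x_adv_init` is given with a shape
                            different from that of `x`.
        """
        y = check_and_transform_label_format(y, self.classifier.nb_classes(), return_one_hot=False)

        # Fail fast: a targeted attack cannot run without target labels, so check before spending any classifier
        # queries on predictions.
        if self.targeted and y is None:
            raise ValueError('Target labels `y` need to be provided for a targeted attack.')

        # Get clip_min and clip_max from the classifier or infer them from data
        if hasattr(self.classifier, 'clip_values') and self.classifier.clip_values is not None:
            clip_min, clip_max = self.classifier.clip_values
        else:
            clip_min, clip_max = np.min(x), np.max(x)

        # Prediction from the original images
        preds = np.argmax(self.classifier.predict(x, batch_size=self.batch_size), axis=1)

        # Prediction from the initial adversarial examples, if provided
        x_adv_init = kwargs.get('x_adv_init')
        if x_adv_init is not None:
            x_adv_init = np.asarray(x_adv_init)
            # A shape mismatch would otherwise surface much later as an indexing or broadcasting error per example.
            if x_adv_init.shape != x.shape:
                raise ValueError('`x_adv_init` must have the same shape as `x`.')
            init_preds = np.argmax(self.classifier.predict(x_adv_init, batch_size=self.batch_size), axis=1)
        else:
            init_preds = [None] * len(x)
            x_adv_init = [None] * len(x)

        # Work on a copy in the attack dtype; `_perturb` writes back one example at a time
        x_adv = x.astype(NUMPY_DTYPE)

        # Generate the adversarial samples, one input at a time
        for ind, val in enumerate(x_adv):
            # For an untargeted attack there is no target label; -1 marks that and is ignored downstream.
            target = y[ind] if self.targeted else -1
            x_adv[ind] = self._perturb(x=val, y=target, y_p=preds[ind], init_pred=init_preds[ind],
                                       adv_init=x_adv_init[ind], clip_min=clip_min, clip_max=clip_max)

        if y is not None:
            y = to_categorical(y, self.classifier.nb_classes())

        logger.info('Success rate of Boundary attack: %.2f%%',
                    100 * compute_success(self.classifier, x, y, x_adv, self.targeted, batch_size=self.batch_size))

        return x_adv

    def _perturb(self, x, y, y_p, init_pred, adv_init, clip_min, clip_max):
        """
        Internal attack function for one example.

        :param x: An array with one original input to be attacked.
        :type x: `np.ndarray`
        :param y: If `self.targeted` is true, then `y` represents the target label.
        :type y: `int`
        :param y_p: The predicted label of x.
        :type y_p: `int`
        :param init_pred: The predicted label of the initial image.
        :type init_pred: `int`
        :param adv_init: Initial array to act as an initial adversarial example.
        :type adv_init: `np.ndarray`
        :param clip_min: Minimum value of an example.
        :type clip_min: `float`
        :param clip_max: Maximum value of an example.
        :type clip_max: `float`
        :return: an adversarial example, or `x` itself if no starting point could be found.
        :rtype: `np.ndarray`
        """
        # First, create an initial adversarial sample
        initial_sample = self._init_sample(x, y, y_p, init_pred, adv_init, clip_min, clip_max)

        # If an initial adversarial example is not found, then return the original image unchanged
        if initial_sample is None:
            return x

        # Otherwise walk along the decision boundary from the initial sample towards `x`
        init_image, init_label = initial_sample
        return self._attack(init_image, x, init_label, self.delta, self.epsilon, clip_min, clip_max)

    def _attack(self, initial_sample, original_sample, target, initial_delta, initial_epsilon, clip_min, clip_max):
        """
        Main function for the boundary attack.

        Each iteration performs an orthogonal step (a random move on the sphere around `original_sample`, scaled by
        `delta`) followed by a step towards `original_sample` scaled by `epsilon`. Both step sizes are adapted with
        `self.step_adapt` depending on the fraction of candidates that remain classified as `target`. The current
        step sizes are exposed as `self.curr_delta` and `self.curr_epsilon`.

        :param initial_sample: An initial adversarial example.
        :type initial_sample: `np.ndarray`
        :param original_sample: The original input.
        :type original_sample: `np.ndarray`
        :param target: The label a candidate must be classified as to count as adversarial.
        :type target: `int`
        :param initial_delta: Initial step size for the orthogonal step.
        :type initial_delta: `float`
        :param initial_epsilon: Initial step size for the step towards the target.
        :type initial_epsilon: `float`
        :param clip_min: Minimum value of an example.
        :type clip_min: `float`
        :param clip_max: Maximum value of an example.
        :type clip_max: `float`
        :return: an adversarial example.
        :rtype: `np.ndarray`
        """
        x_adv = initial_sample
        self.curr_delta = initial_delta
        self.curr_epsilon = initial_epsilon

        # Main loop to wander around the boundary
        for _ in range(self.max_iter):
            # Orthogonal step: shrink or grow delta until some candidates stay on the adversarial side
            for _ in range(self.num_trial):
                potential_advs = []
                for _ in range(self.sample_size):
                    candidate = x_adv + self._orthogonal_perturb(self.curr_delta, x_adv, original_sample)
                    potential_advs.append(np.clip(candidate, clip_min, clip_max))
                potential_advs = np.array(potential_advs)

                preds = np.argmax(self.classifier.predict(potential_advs, batch_size=self.batch_size), axis=1)
                satisfied = (preds == target)
                delta_ratio = np.mean(satisfied)

                # Trust-region style adaptation: too few successes -> smaller step, many successes -> larger step
                if delta_ratio < 0.2:
                    self.curr_delta *= self.step_adapt
                elif delta_ratio > 0.5:
                    self.curr_delta /= self.step_adapt

                if delta_ratio > 0:
                    x_advs = potential_advs[satisfied]
                    break
            else:
                # No trial produced an adversarial candidate; keep the best example found so far
                logger.warning('Adversarial example found but not optimal.')
                return x_adv

            # Step towards the original: shrink or grow epsilon until some candidates stay adversarial
            for _ in range(self.num_trial):
                # Move every surviving candidate a fraction `curr_epsilon` of the way back to the original
                potential_advs = x_advs + self.curr_epsilon * (original_sample - x_advs)
                potential_advs = np.clip(potential_advs, clip_min, clip_max)

                preds = np.argmax(self.classifier.predict(potential_advs, batch_size=self.batch_size), axis=1)
                satisfied = (preds == target)
                epsilon_ratio = np.mean(satisfied)

                if epsilon_ratio < 0.2:
                    self.curr_epsilon *= self.step_adapt
                elif epsilon_ratio > 0.5:
                    self.curr_epsilon /= self.step_adapt

                if epsilon_ratio > 0:
                    # Continue from the first candidate that is still adversarial
                    x_adv = potential_advs[np.flatnonzero(satisfied)[0]]
                    break
            else:
                logger.warning('Adversarial example found but not optimal.')
                return x_advs[0]

        return x_adv

    def _orthogonal_perturb(self, delta, current_sample, original_sample):
        """
        Create an orthogonal perturbation.

        The perturbation is a random direction rescaled to `delta` times the distance between the current and the
        original sample, with its component along (original - current) removed, so that adding it keeps the
        candidate on the sphere around the original sample.

        :param delta: Initial step size for the orthogonal step.
        :type delta: `float`
        :param current_sample: Current adversarial example.
        :type current_sample: `np.ndarray`
        :param original_sample: The original input.
        :type original_sample: `np.ndarray`
        :return: a possible perturbation, with the same shape as `current_sample`.
        :rtype: `np.ndarray`
        """
        # Direction from the current adversarial example back to the original input
        direction = original_sample - current_sample
        distance = np.linalg.norm(direction)
        if distance == 0:
            # The current sample coincides with the original: the sphere has radius zero, so the perturbation is
            # zero too. Return it explicitly rather than dividing by zero and producing NaNs.
            return np.zeros(current_sample.shape, dtype=NUMPY_DTYPE)

        # Generate a random perturbation in the sample's own shape and rescale it to radius delta * distance
        perturb = np.random.randn(*current_sample.shape).astype(NUMPY_DTYPE)
        perturb /= np.linalg.norm(perturb)
        perturb *= delta * distance

        # Project the perturbation onto the sphere: remove its component along the unit direction. Both arrays are
        # flattened so the inner product is a true scalar for inputs of any rank; `np.dot` on 2-D slices would
        # compute a matrix product instead of an inner product.
        unit_direction = direction.reshape(-1) / distance
        perturb_flat = perturb.reshape(-1)
        perturb_flat = perturb_flat - np.dot(perturb_flat, unit_direction) * unit_direction

        return perturb_flat.reshape(current_sample.shape).astype(NUMPY_DTYPE)

    def _is_adversarial(self, label, y, y_p):
        """
        Decide whether a predicted label counts as adversarial for the current attack mode.

        :param label: The label predicted by the classifier for a candidate.
        :type label: `int`
        :param y: The target label (only meaningful for a targeted attack).
        :type y: `int`
        :param y_p: The predicted label of the original input.
        :type y_p: `int`
        :return: `True` if `label` equals `y` (targeted) or differs from `y_p` (untargeted).
        :rtype: `bool`
        """
        if self.targeted:
            return label == y
        return label != y_p

    def _init_sample(self, x, y, y_p, init_pred, adv_init, clip_min, clip_max):
        """
        Find initial adversarial example for the attack.

        :param x: An array with 1 original input to be attacked.
        :type x: `np.ndarray`
        :param y: If `self.targeted` is true, then `y` represents the target label.
        :type y: `int`
        :param y_p: The predicted label of x.
        :type y_p: `int`
        :param init_pred: The predicted label of the initial image.
        :type init_pred: `int`
        :param adv_init: Initial array to act as an initial adversarial example.
        :type adv_init: `np.ndarray`
        :param clip_min: Minimum value of an example.
        :type clip_min: `float`
        :param clip_max: Maximum value of an example.
        :type clip_max: `float`
        :return: a tuple `(image, label)` of an adversarial starting point, or `None` if none was found (or, for a
                 targeted attack, if `x` is already classified as the target).
        :rtype: `tuple` or `None`
        """
        nprd = np.random.RandomState()

        if self.targeted:
            # Attack already satisfied: the input is classified as the target, nothing to do
            if y == y_p:
                return None
            mode = 'targeted'
        else:
            mode = 'untargeted'

        # A user-supplied initial image that is already adversarial is used directly
        if adv_init is not None and self._is_adversarial(init_pred, y, y_p):
            return adv_init.astype(NUMPY_DTYPE), init_pred

        # Otherwise draw uniformly random images until one is adversarial, bounded by `init_size` queries
        for _ in range(self.init_size):
            random_img = nprd.uniform(clip_min, clip_max, size=x.shape).astype(x.dtype)
            random_class = np.argmax(self.classifier.predict(np.array([random_img]), batch_size=self.batch_size),
                                     axis=1)[0]
            if self._is_adversarial(random_class, y, y_p):
                logger.info('Found initial adversarial image for %s attack.', mode)
                return random_img, random_class

        logger.warning('Failed to draw a random image that is adversarial, attack failed.')
        return None

    def set_params(self, **kwargs):
        """
        Take in a dictionary of parameters and applies attack-specific checks before saving them as attributes.

        :param targeted: Should the attack target one specific class.
        :type targeted: `bool`
        :param delta: Initial step size for the orthogonal step.
        :type delta: `float`
        :param epsilon: Initial step size for the step towards the target.
        :type epsilon: `float`
        :param step_adapt: Factor by which the step sizes are multiplied or divided, must be in the range (0, 1).
        :type step_adapt: `float`
        :param max_iter: Maximum number of iterations.
        :type max_iter: `int`
        :param num_trial: Maximum number of trials per iteration.
        :type num_trial: `int`
        :param sample_size: Number of samples per trial.
        :type sample_size: `int`
        :param init_size: Maximum number of trials for initial generation of adversarial examples.
        :type init_size: `int`
        :return: `True` once all checks pass.
        :rtype: `bool`
        :raises ValueError: If a parameter is of the wrong type or outside its valid range.
        """
        # Save attack-specific parameters
        super(BoundaryAttack, self).set_params(**kwargs)

        # `np.integer` accepts NumPy integer scalars as well; the former `np.int` alias is removed in NumPy >= 1.24.
        int_types = (int, np.integer)

        if not isinstance(self.max_iter, int_types) or self.max_iter < 0:
            raise ValueError("The number of iterations must be a non-negative integer.")

        if not isinstance(self.num_trial, int_types) or self.num_trial < 0:
            raise ValueError("The number of trials must be a non-negative integer.")

        # sample_size must be positive: `np.mean` over an empty candidate set would be undefined
        if not isinstance(self.sample_size, int_types) or self.sample_size <= 0:
            raise ValueError("The number of samples must be a positive integer.")

        if not isinstance(self.init_size, int_types) or self.init_size <= 0:
            raise ValueError("The number of initial trials must be a positive integer.")

        if self.epsilon <= 0:
            raise ValueError("The initial step size for the step towards the target must be positive.")

        if self.delta <= 0:
            raise ValueError("The initial step size for the orthogonal step must be positive.")

        # step_adapt multiplies or divides the step sizes; outside (0, 1) the adaptation would not shrink/grow
        if self.step_adapt <= 0 or self.step_adapt >= 1:
            raise ValueError("The adaptation factor must be in the range (0, 1).")

        return True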