In [1]:
import torch
import torch.nn.functional as F
import random
from CNN.resnet import ResNet18
from load_data import load_data
import matplotlib.pyplot as plt
import torchvision.utils as utils
from tqdm import tqdm


# load the mnist dataset (images are resized into 32 * 32)
training_set, test_set = load_data(data='mnist')

# define the model
model = ResNet18()

# detect if GPU is available
device = "cuda" if torch.cuda.is_available() else "cpu"
# device = "cpu"


# load the learned model parameters
model.load_state_dict(torch.load('./model_weights/cpu_model.pth'))

model.to(device)
model.eval()





ResNet(
  (conv1): Conv2d(1, 64, kernel_size=(3, 3), stride=(1, 1), padding=(1, 1), bias=False)
  (bn1): BatchNorm2d(64, eps=1e-05, momentum=0.1, affine=True, track_running_stats=True)
  (layer1): Sequential(
    (0): BasicBlock(
      (conv1): Conv2d(64, 64, kernel_size=(3, 3), stride=(1, 1), padding=(1, 1), bias=False)
      (bn1): BatchNorm2d(64, eps=1e-05, momentum=0.1, affine=True, track_running_stats=True)
      (conv2): Conv2d(64, 64, kernel_size=(3, 3), stride=(1, 1), padding=(1, 1), bias=False)
      (bn2): BatchNorm2d(64, eps=1e-05, momentum=0.1, affine=True, track_running_stats=True)
      (shortcut): Sequential()
    )
    (1): BasicBlock(
      (conv1): Conv2d(64, 64, kernel_size=(3, 3), stride=(1, 1), padding=(1, 1), bias=False)
      (bn1): BatchNorm2d(64, eps=1e-05, momentum=0.1, affine=True, track_running_stats=True)
      (conv2): Conv2d(64, 64, kernel_size=(3, 3), stride=(1, 1), padding=(1, 1), bias=False)
      (bn2): BatchNorm2d(64, eps=1e-05, momentum=0.1, affine=

In [2]:
def loss_fn(logits, label):
    
    log_probs = F.log_softmax(logits, dim=1).reshape(-1,)
    label_log_prob = log_probs[label].item()
    log_probs[label] = -1e8
    max_log_prob = log_probs.max()
    return max(label_log_prob - max_log_prob, 0)



In [3]:

def gradient(network, image, label, row, col):
    
    constant = torch.zeros(*image.shape).to(device)
    constant[0, 0, row:row+3, col:col+3] = 0.0001
    diff = loss_fn(network(image+constant), label) - loss_fn(network(image-constant), label)
    diff = diff/0.0002
    
    del constant
    return diff


In [4]:

def hessian(network, image, label, row, col):
        
    constant = torch.zeros(*image.shape).to(device)
    constant[0,0,row:row+3, col:col+3] = 0.0001
    diff = loss_fn(network(image+constant), label) + loss_fn(network(image-constant), label) - 2*loss_fn(network(image), label)
    diff = diff/0.0001**2
    del constant
    return diff

In [5]:

def zoo_attack_newton(network, image, label):
    step_size = 0.01
    while loss_fn(network(image), label)>0:
        row = random.randint(0, 31-9)
        col = random.randint(0, 31-9)
        grad = gradient(network, image, label, row, col)
        hess = hessian(network, image, label, row, col)
        if hess<=0:
            delta = -step_size*grad
        else:
            delta = -step_size*grad/hess
        image[0, 0, row:row+3, col:col+3] = image[0, 0, row:row+3, col:col+3] + delta.to(device)
        
        print('\rloss : %.4f'%loss_fn(network(image), label), end="")
        
        del delta
    return image


In [8]:

def zoo_attack_adam(network, image, label):
    betas = (0.9,0.999)
    eps = 1e-08
    step_size = 0.01
    M,v,T = torch.zeros(*image.shape[2:]), torch.zeros(*image.shape[2:]), torch.zeros(*image.shape[2:])
    curr_loss = 100
    while curr_loss>0:
    
        row = random.randint(0, 31-9)
        col = random.randint(0, 31-9)
        grad = gradient(network, image, label, row, col).cpu()
        T[row:row+3, col:col+3]+=1
        M[row:row+3, col:col+3] = betas[0]*M[row:row+3, col:col+3] + (1-betas[0])*grad
        v[row:row+3, col:col+3] = betas[1]*v[row:row+3, col:col+3] + (1-betas[1])*grad**2
        M_hat = M[row:row+3, col:col+3]/(1-betas[0]**T[row:row+3, col:col+3])
        v_hat = v[row:row+3, col:col+3]/(1-betas[1]**T[row:row+3, col:col+3])
        delta = -step_size * M_hat/(v_hat**0.5 + eps)
        image[0, 0, row:row+3, col:col+3] = image[0, 0, row:row+3, col:col+3] + delta
        curr_loss = loss_fn(network(image), label)
        
        print('\rloss : %.4f'%loss_fn(network(image), label), end="")
    # print(T.sum())
    
    return image


In [9]:
testloader = torch.utils.data.DataLoader(test_set, batch_size=1, shuffle=False, num_workers=2)

def get_target(labels):
    a = random.randint(0, 9)
    while a == labels[0]:
        a = random.randint(0, 9)
    return torch.tensor([a])



total = 0
success = 0
num_image = 10 # number of images to be attacked

true_images, adv_images = [], []

for i, (images, labels) in enumerate(testloader):
    target_label = get_target(labels)
    images, labels = images.to(device), labels.to(device)
    outputs = model(images)
    _, predicted = outputs.max(1)
    if predicted.item() != labels.item():
        continue

    total += 1

    #adv_image = zoo_attack(network=model, image=images, target=target_label)
    adv_image = zoo_attack_adam(network=model, image=images, label=labels)
    adv_image = adv_image.to(device)
    adv_output = model(adv_image)
    _, adv_pred = adv_output.max(1)
    if adv_pred.item() != labels.item():
        success += 1
    true_images.append(images.permute([2,3,0,1])[:,:,:,0].detach().cpu().numpy())
    adv_images.append(adv_image.permute([2,3,0,1])[:,:,:,0].detach().cpu().numpy())
    utils.save_image(adv_image, './adv_images/'+str(total)+''+str(adv_pred.item())+''+str(labels.item())+'_image.png')
    
    del images
    del adv_image
    
    # print(F.mse_loss(images, adv_image))
    print('\rsuccess rate : %.4f'%(success/total), end="")
    if total >= num_image:
        break

RuntimeError: Expected all tensors to be on the same device, but found at least two devices, cuda:0 and cpu!

In [None]:
plt.figure(figsize=(20,10))
for i in range(0,18,2):
    plt.subplot(3,6,i+1)
    plt.imshow(true_images[i], cmap='gray')
    plt.axis('off')
    plt.subplot(3,6,i+2)
    plt.imshow(adv_images[i], cmap='gray')
    plt.axis('off')