## README
1、这是机器学习实践对抗项目的全部具体实现代码和实验结果，如果想要运行，直接运行全部即可。

2、由于作者本人硬件限制，本项目编写中并未提供GPU加速的选项，代码全部运行（包括对抗样本生成）大约需要5-10小时（参考计算资源：CPU AMD R7-4800U）。

3、本文件中有许多弃用代码，为先前使用但后来被放弃的攻击算法，将其注释符号去掉后即可运行,但可能存在部分错误或仅计算了部分数据集的情况。

4、随本文件附带了生成的对抗样本，如果需要重新生成，将下方的recal参数改为True即可。

5、代码中对生成样本的扰动范围的限制均已注释。

In [50]:
from torch.utils.data import Dataset, DataLoader
from torchvision.transforms import transforms as tt
import torchvision.models as models
import timm
from PIL import Image as pil
import os
import numpy as np
import torch
import pickle
import torch.nn as nn
import torch.nn.functional as F
import torch.optim as optim
import utils
from numpy import linalg as LA
import matplotlib.pyplot as plt
import random

#图片集路径设置
image_path="images"
old_label_path="images//old_labels"
image_list=os.listdir(image_path)

#是否重新生成对抗样本
recal=True


#图片大小数据224在代码中直接使用了，故无法适用其他大小的图片
#模型导入
resnet50 = models.resnet50(pretrained=True)
vit = timm.create_model('vit_small_patch16_224', pretrained=True)



## 图片导入与数据集生成

In [2]:
#助教提供的预处理函数
def normalize(x, mean=[0.5,0.5,0.5], std=[0.5,0.5,0.5]):
    mean_t = torch.Tensor(mean).reshape([1,3,1,1]).to(x.device)
    std_t = torch.Tensor(std).reshape([1,3,1,1]).to(x.device)
    y = (x-mean_t)/std_t
    return y

def get_preprocess(model_name):
    if model_name[:6]=="resnet":
        mean=[0.485, 0.456, 0.406]
        std=[0.229, 0.224, 0.225]
    elif model_name[:3]=="vit":
        mean=[0.5,0.5,0.5]
        std=[0.5,0.5,0.5]
    def preprocess(images):
        y = F.interpolate(images.unsqueeze(0),224)
        return normalize(y, mean=mean,
                                 std=std)
    return preprocess

In [3]:
#数据集类的构建与实例化

class mydata1(Dataset):                          #适用res
    def __init__(self,image_path):
        self.file=[]
        for i in open(old_label_path):
            self.file.append(i)
    
    def __getitem__(self,idx):
        img=pil.open("images//"+self.file[idx].split(' ')[0])
        label=np.array(int(self.file[idx].split(' ')[1]))
        img=preprocess1(tt.ToTensor()(img))
        return img[0], label
    
    def __len__(self):
        return len(self.file)
    
    
class mydata2(Dataset):                          #适用vit
    def __init__(self,image_path):
        self.file=[]
        for i in open(old_label_path):
            self.file.append(i)
    
    def __getitem__(self,idx):
        img=pil.open("images//"+self.file[idx].split(' ')[0])
        label=np.array(int(self.file[idx].split(' ')[1]))
        img=preprocess2(tt.ToTensor()(img))
        return img[0], label
    
    def __len__(self):
        return len(self.file)
preprocess1=get_preprocess("resnet")
res_data_Tensor = torch.utils.data.DataLoader(dataset=mydata1(image_path))
preprocess2=get_preprocess("vit")
vit_data_Tensor=torch.utils.data.DataLoader(dataset=mydata2(image_path))

##  测试

In [4]:
def test(model,test_Tensor):
    model.eval()
    with torch.no_grad():
        correct = 0
        total = 0
        for images, labels in test_Tensor:
            test_output = model(images)
            pred_y = torch.max(test_output, 1)[1].data.squeeze()
            correct=correct+(pred_y == labels)
            total=total+1
        accuracy = correct / float(total)
            
    print('Test Accuracy of the model on the 1000 test images: %.3f' % accuracy)

In [5]:
#res模型在提供的数据集上的精度
test(resnet50,res_data_Tensor)

Test Accuracy of the model on the 1000 test images: 0.950


In [6]:
#vit模型在提供的数据集上的精度
test(vit,vit_data_Tensor)

Test Accuracy of the model on the 1000 test images: 0.978


## 

## 白盒攻击

### FGSM

In [7]:
'''
经测试后弃用

def fgm(model, image, label, epsilon, order, clip_min, clip_max, device):
    imageArray = image.cpu().detach().numpy()
    X_fgsm = torch.tensor(imageArray).to(device)
    X_fgsm.requires_grad = True
    opt = optim.SGD([X_fgsm], lr=1e-3)
    opt.zero_grad()
    loss = nn.CrossEntropyLoss()(model(X_fgsm), label.long())
    loss.backward()
    if order == np.inf:
        d = epsilon * X_fgsm.grad.data.sign()
    elif order == 2:
        gradient = X_fgsm.grad
        d = torch.zeros(gradient.shape, device = device)
        for i in range(gradient.shape[0]):
            norm_grad = gradient[i].data/LA.norm(gradient[i].data.cpu().numpy())
            d[i] = norm_grad * epsilon
    else:
        raise ValueError('Other p norms may need other algorithms')

    x_adv = X_fgsm + d

    if clip_max == None and clip_min == None:
        clip_max = np.inf
        clip_min = -np.inf

    x_adv = torch.clamp(x_adv,clip_min, clip_max)

    return x_adv
        

def fgsm_attack(model,input_Tensor,epsilon,lim):
    fgsm_sample_list=[]
    id=0
    for (data, target) in input_Tensor:
        perturbed_data = fgm(model,data,target,epsilon,2,0,1,"cpu")
        fgsm_sample_list.append((perturbed_data,target))
        id=id+1
        if(id%100==0):
            print(("%d/"+"1000"+"\r")%(id))
        
    return fgsm_sample_list
    
    
'''

'\n\n\ndef fgm(model, image, label, epsilon, order, clip_min, clip_max, device):\n    imageArray = image.cpu().detach().numpy()\n    X_fgsm = torch.tensor(imageArray).to(device)\n    X_fgsm.requires_grad = True\n    opt = optim.SGD([X_fgsm], lr=1e-3)\n    opt.zero_grad()\n    loss = nn.CrossEntropyLoss()(model(X_fgsm), label.long())\n    loss.backward()\n    if order == np.inf:\n        d = epsilon * X_fgsm.grad.data.sign()\n    elif order == 2:\n        gradient = X_fgsm.grad\n        d = torch.zeros(gradient.shape, device = device)\n        for i in range(gradient.shape[0]):\n            norm_grad = gradient[i].data/LA.norm(gradient[i].data.cpu().numpy())\n            d[i] = norm_grad * epsilon\n    else:\n        raise ValueError(\'Other p norms may need other algorithms\')\n\n    x_adv = X_fgsm + d\n\n    if clip_max == None and clip_min == None:\n        clip_max = np.inf\n        clip_min = -np.inf\n\n    x_adv = torch.clamp(x_adv,clip_min, clip_max)\n\n    return x_adv\n        

In [8]:
'''
经测试后弃用
epsilon=0.3
lim="l_2"
fgsm_sample={}
fgsm_sample_path='./fgsm_sample.txt'
fgsm_sample["res"]=fgsm_attack(resnet50, res_data_Tensor,epsilon,lim)

fgsm_sample["vit"]=fgsm_attack(vit, vit_data_Tensor,epsilon,lim)

with open(fgsm_sample_path,'wb') as f:
    content = pickle.dumps(fgsm_sample)
    f.write(content)
    
test(resnet50,fgsm_sample["res"])

'''

'\nepsilon=0.3\nlim="l_2"\nfgsm_sample={}\nfgsm_sample_path=\'./fgsm_sample.txt\'\nfgsm_sample["res"]=fgsm_attack(resnet50, res_data_Tensor,epsilon,lim)\n\nfgsm_sample["vit"]=fgsm_attack(vit, vit_data_Tensor,epsilon,lim)\n\nwith open(fgsm_sample_path,\'wb\') as f:\n    content = pickle.dumps(fgsm_sample)\n    f.write(content)\n    \ntest(resnet50,fgsm_sample["res"])\n\n'

### PGD

In [20]:
#pdg攻击样本生成函数

def pgd(model,X,y,epsilon,num_steps,step_size,bound = 'linf'):
    out = model(X)
    err = (out.data.max(1)[1] != y.data).float().sum()
    
    device = X.device
    imageArray = X.detach().cpu().numpy()
    X_random = np.random.uniform(-epsilon, epsilon, X.shape)
    imageArray = np.clip(imageArray + X_random, 0, 1.0)

    X_pgd = torch.tensor(imageArray).to(device).float()
    X_pgd.requires_grad = True
    eta = torch.zeros_like(X)
    eta.requires_grad = True
    for i in range(num_steps):
        
        

        if bound == 'linf':
            output = model(X + eta)
            incorrect = output.max(1)[1] != y
            correct = (~incorrect).unsqueeze(1).unsqueeze(1).unsqueeze(1).float()
            loss = nn.CrossEntropyLoss()(model(X + eta), y.long())
            loss.backward()
            eta.data +=  correct *step_size* eta.grad.detach().data.sign()        
            eta.data =torch.clamp(eta.detach(),-epsilon,epsilon)                    #将扰动限制在epsilon范围内
            eta.data =   torch.min(torch.max(eta.detach(), -X), 1-X)                #将每位数据限制在[0，1]
            eta.grad.zero_()
            X_pgd = X + eta
            

        if bound == 'l2':
            output = model(X + eta)
            incorrect = output.max(1)[1] != y
            correct = (~incorrect).unsqueeze(1).unsqueeze(1).unsqueeze(1).float()
            loss = nn.CrossEntropyLoss()(model(X + eta), y.long())
            loss.backward()
            eta.data +=  correct * step_size * eta.grad.detach() / torch.norm(eta.grad.detach())
            eta.data *=  epsilon / torch.norm(eta.detach())                        #将扰动限制在epsilon范围内
            eta.data =   torch.min(torch.max(eta.detach(), -X), 1-X)               #将每位数据限制在[0，1]
            eta.grad.zero_()
            X_pgd = X + eta
    return X_pgd

def pgd_attack(model,input_Tensor,epsilon,num_steps,step_size,bound = 'linf'):
    pgd_sample_list=[]
    id=0
    for (data, target) in input_Tensor:
        perturbed_data = pgd(model,data,target,epsilon,num_steps,step_size,bound = 'linf')
        pgd_sample_list.append((perturbed_data,target))
        id=id+1
        #if(id==50):break
        if(id%50==0):
            print(("%d/"+"1000"+"\r")%(id))
        
    return pgd_sample_list

#### l2

In [10]:
#l_2攻击样本生成/读取

pgd_sample_path='./pgd_sample.txt'
epsilon=0.3
if recal:
    pgd_sample={}
    pgd_sample["res"]=pgd_attack(resnet50,res_data_Tensor,epsilon,2,epsilon,'l2')
    pgd_sample["vit"]=pgd_attack(vit,vit_data_Tensor,epsilon,2,epsilon,'l2')
    with open(pgd_sample_path,'wb') as f:
        content = pickle.dumps(pgd_sample)
        f.write(content)
else:
    with open(pgd_sample_path,'rb') as f:
        pgd_sample=pickle.load(f)

50/1000
100/1000
150/1000
200/1000
250/1000
300/1000
350/1000
400/1000
450/1000
500/1000
550/1000
600/1000
650/1000
700/1000
750/1000
800/1000
850/1000
900/1000
950/1000
1000/1000
50/1000
100/1000
150/1000
200/1000
250/1000
300/1000
350/1000
400/1000
450/1000
500/1000
550/1000
600/1000
650/1000
700/1000
750/1000
800/1000
850/1000
900/1000
950/1000
1000/1000


In [11]:
test(resnet50,pgd_sample["res"])

Test Accuracy of the model on the 1000 test images: 0.002


In [12]:
test(vit,pgd_sample["vit"])

Test Accuracy of the model on the 1000 test images: 0.000


#### linf

In [21]:
#l_inf攻击样本生成

pgd_inf_sample_path='./pgd_inf_sample.txt'
epsilon=1/255.0
if recal:
    pgd_inf_sample={}
    pgd_inf_sample["res"]=pgd_attack(resnet50,res_data_Tensor,epsilon,10,epsilon/5,'linf')
    pgd_inf_sample["vit"]=pgd_attack(vit,vit_data_Tensor,epsilon,10,epsilon/5,'linf')
    with open(pgd_inf_sample_path,'wb') as f:
        content = pickle.dumps(pgd_inf_sample)
        f.write(content)
    
else:
    with open(pgd_inf_sample_path,'rb') as f:
        pgd_inf_sample=pickle.load(f)

50/1000
100/1000
150/1000
200/1000
250/1000
300/1000
350/1000
400/1000
450/1000
500/1000
550/1000
600/1000
650/1000
700/1000
750/1000
800/1000
850/1000
900/1000
950/1000
1000/1000
50/1000
100/1000
150/1000
200/1000
250/1000
300/1000
350/1000
400/1000
450/1000
500/1000
550/1000
600/1000
650/1000
700/1000
750/1000
800/1000
850/1000
900/1000
950/1000
1000/1000


In [22]:
test(resnet50,pgd_inf_sample["res"])

Test Accuracy of the model on the 1000 test images: 0.151


In [23]:
test(vit,pgd_inf_sample["vit"])

Test Accuracy of the model on the 1000 test images: 0.290


### patch_attack

In [None]:
'''
攻击方案一：用梯度的模来判断patch的优劣

def patch_attack(model,input_Tensor,patch_size):
    patch_sample_list=[]
    id=0
    for (data, target) in input_Tensor:
        data.requires_grad = True
        output = model(data)
        init_pred = output.max(1)[1].squeeze()
        loss = nn.CrossEntropyLoss()(output, target.long())
        model.zero_grad()
        loss.backward()
        data_grad = data.grad.data
        perturbed_data = patch(data,patch_size,data_grad)
        patch_sample_list.append((perturbed_data,target))
        id=id+1
        #if(id==100):break
        if(id%50==0):
            print(("%d/"+"1000"+"\r")%(id))
        
    return patch_sample_list
        
def patch(data,patch_size,data_grad):
    max_i=0
    max=0
    for i in range(0,(223-patch_size)):
        temp=torch.norm(data_grad[:,:,i:i+patch_size,i:i+patch_size])
        if(temp>max):
            max=temp
            max_i=i
    #print(max)
    #print(max_i)
    
    #print(mask[:,:,max_i:(max_i+patch_size),max_i:(max_i+patch_size)].size())
    #mask.[max_i:(max_i+patch_size),max_i:(max_i+patch_size)],1)
    
    mask=torch.zeros((1,3,224,224))
    mask[:,:,max_i:(max_i+patch_size),max_i:(max_i+patch_size)]=torch.ones((1,3,patch_size,patch_size))
                                                                  #将改动范围限制在16*16的区域内
    grad_attack = data_grad.sign()*mask
    
    result = data + grad_attack
    result = torch.clamp(result, 0, 1)
    return result
    
    '''

In [46]:
#攻击方案二
'''
def patch_attack(model,input_Tensor,patch_size):
    patch_sample_list=[]
    id=0
    for (data, target) in input_Tensor:
        data.requires_grad = True
        output = model(data)
        init_pred = output.max(1)[1].squeeze()
        loss = nn.CrossEntropyLoss()(output, target.long())
        model.zero_grad()
        loss.backward()
        data_grad = data.grad.data
        perturbed_data = patch(model,data,target,patch_size,data_grad)
        patch_sample_list.append((perturbed_data,target))
        id=id+1
        #if(id==100):break
        if(id%50==0):
            print(("%d/"+"1000"+"\r")%(id))
        
    return patch_sample_list
        
def patch(model,data,target,patch_size,data_grad):
    max_i=0
    max=0
    loss = nn.CrossEntropyLoss()
    for i in range(0,(223-patch_size),patch_size):
        for j in range(0,(223-patch_size),patch_size):
            mask=torch.zeros((1,3,224,224))
            mask[:,:,i:(i+patch_size),j:(j+patch_size)]=torch.ones((1,3,patch_size,patch_size))
                                                                             #将改动范围限制在16*16的区域内
            grad_attack = data_grad.detach().sign()*mask
            result1 = data + grad_attack.detach()

            result1 = torch.clamp(result1.detach(), 0, 1)                    #将每位数据限制在[0，1]
            temp=loss(model(result1),target.long())
            if(temp>max):
                max=temp.detach()
                result=result1.detach()

    #print(max)
    #print(max_i)
    
    #print(mask[:,:,max_i:(max_i+patch_size),max_i:(max_i+patch_size)].size())
    #mask.[max_i:(max_i+patch_size),max_i:(max_i+patch_size)],1)
    
    
    
    
    
    return result
'''

In [114]:
#攻击方案三

def patch_attack(model,input_Tensor,patch_size,iters):
    patch_sample_list=[]
    id=0
    for (data, target) in input_Tensor:
        data.requires_grad = True
        output = model(data)
        init_pred = output.max(1)[1].squeeze()
        loss = nn.CrossEntropyLoss()(output, target.long())
        model.zero_grad()
        loss.backward()
        data_grad = data.grad.data
        perturbed_data = patch(model,data,target,patch_size,data_grad,iters)
        patch_sample_list.append((perturbed_data,target))
        id=id+1
        #if(id==100):break
        if(id%50==0):
            print(("%d/"+"1000"+"\r")%(id))
        
    return patch_sample_list
        
def patch(model,data,target,patch_size,data_grad,iters):
    max_i=0
    max=0
    loss = nn.CrossEntropyLoss()
    for k in range(iters):
        i=random.randint(0,223-patch_size)
        j=random.randint(0,223-patch_size)
        mask=torch.zeros((1,3,224,224))
        mask[:,:,i:(i+patch_size),j:(j+patch_size)]=torch.ones((1,3,patch_size,patch_size))
                                                                         #将改动范围限制在16*16的区域内
        grad_attack = data_grad.detach().sign()*mask
        
        result1 = data + grad_attack.detach()

        result1 = torch.clamp(result1.detach(), 0, 1)                    #将每位数据限制在[0，1]
        temp=loss(model(result1),target.long())
        if(temp>max):
            max=temp.detach()
            result=result1.detach()
        

    #print(max)
    #print(max_i)
    
    #print(mask[:,:,max_i:(max_i+patch_size),max_i:(max_i+patch_size)].size())
    #mask.[max_i:(max_i+patch_size),max_i:(max_i+patch_size)],1)
    
    
    
    
    
    return result

In [115]:
patch_sample={}
patch_sample_path='./patch_sample.txt'
iters=10
if recal:
    patch_sample["res"]=patch_attack(resnet50,res_data_Tensor,16,iters)
    patch_sample["vit"]=patch_attack(vit,vit_data_Tensor,16,iters)
    with open(patch_sample_path,'wb') as f:
        content = pickle.dumps(patch_sample)
        f.write(content)
else:
    with open(patch_sample_path,'rb') as f:
        patch_sample=pickle.load(f)
    


50/1000
100/1000
150/1000
200/1000
250/1000
300/1000
350/1000
400/1000
450/1000
500/1000
550/1000
600/1000
650/1000
700/1000
750/1000
800/1000
850/1000
900/1000
950/1000
1000/1000
50/1000
100/1000
150/1000
200/1000
250/1000
300/1000
350/1000
400/1000
450/1000
500/1000
550/1000
600/1000
650/1000
700/1000
750/1000
800/1000
850/1000
900/1000
950/1000
1000/1000


In [116]:
test(resnet50,patch_sample["res"])

Test Accuracy of the model on the 1000 test images: 0.204


In [117]:
test(vit,patch_sample["vit"])

Test Accuracy of the model on the 1000 test images: 0.768


## 黑盒攻击

### Query-based Attack

In [None]:
'''

def query_attack(model,input_Tensor,epsilon,budget):
    loss = nn.CrossEntropyLoss()
    query_sample_list=[]
    id=0
    for (data, target) in input_Tensor:
        data.requires_grad=True
        y=model(data)
        X=data
        L_0=loss(y,target.long())
        for i in range(budget):
            noise=torch.rand(3,224,224)
            X_new=torch.clamp((epsilon*noise/torch.norm(noise)+X),0,1)
            L_1=loss(model(X_new),target.long())
            if(L_1>L_0):
                L_0=L_1
                X=X_new
            
        
        query_sample_list.append((X,target));
        id=id+1
        #if(id==100):break
        if(id%50==0):
            print(("%d/"+"1000"+"\r")%(id))
    return query_sample_list
        
'''     

In [None]:
'''
epsilon=5
budget=5
query_sample={}
query_sample_path='./query_sample.txt'
if recal:
    query_sample["res"]=query_attack(resnet50,res_data_Tensor,epsilon,budget)
    query_sample["vit"]=query_attack(vit,vit_data_Tensor,epsilon,10)
    with open(query_sample_path,'wb') as f:
        content = pickle.dumps(query_sample)
        f.write(content)
else:
    with open(query_sample_path,'rb') as f:
        query_sample=pickle.load(f)
'''

In [None]:
#test(resnet50,query_sample["res"])

In [None]:
#test(vit,query_sample["vit"])

### simBA 

In [28]:
def get_probs(model, x, y):
    output = model(x)
    probs = torch.nn.Softmax()(output)[:, y.long()]
    return torch.diag(probs.data)

def simba_single(model, x, y, num_iters=10000, epsilon=0.2):
    n_dims = x.view(1, -1).size(1)
    X=x
    perm = torch.randperm(n_dims)
    last_prob = get_probs(model, x, y)
    for i in range(num_iters):
        diff = torch.zeros(n_dims)
        diff[perm[i]] = epsilon
        left_prob = get_probs(model, (X - diff.view(X.size())).clamp(0, 1), y)
        if left_prob < last_prob:
            X = (X - diff.view(X.size())).clamp(0, 1)                                
            last_prob = left_prob
        else:
            right_prob = get_probs(model, (X + diff.view(X.size())).clamp(0, 1), y)
            if right_prob < last_prob:
                X = (X + diff.view(X.size())).clamp(0, 1)                            
                last_prob = right_prob
    X=(X-x)*epsilon/torch.norm(X-x)+x                                    #将扰动限制在epsilon范围内
    X=X.clamp(0,1)                                                       #将每位数据限制在[0，1]
    return X

def simba(model,input_Tensor,num_iters,epsilon):
    simba_sample_list=[]
    id=0
    for (data,target) in input_Tensor:
        simba_sample_list.append((simba_single(model,data,target,num_iters,epsilon),target))
        id=id+1
        #if(id==100):break
        if(id%50==0):
            print(("%d/"+"1000"+"\r")%(id))
        
    return simba_sample_list



In [29]:
epsilon=5
num_iters=5
simba_sample={}
simba_sample_path='./simba_sample.txt'
if recal:
    simba_sample["res"]=simba(resnet50,res_data_Tensor,num_iters,epsilon)
    simba_sample["vit"]=simba(vit,vit_data_Tensor,10,epsilon)
    with open(simba_sample_path,'wb') as f:
        content = pickle.dumps(simba_sample)
        f.write(content)
else:
    with open(simba_sample_path,'rb') as f:
        simba_sample=pickle.load(f)

  probs = torch.nn.Softmax()(output)[:, y.long()]


50/1000
100/1000
150/1000
200/1000
250/1000
300/1000
350/1000
400/1000
450/1000
500/1000
550/1000
600/1000
650/1000
700/1000
750/1000
800/1000
850/1000
900/1000
950/1000
1000/1000
50/1000
100/1000
150/1000
200/1000
250/1000
300/1000
350/1000
400/1000
450/1000
500/1000
550/1000
600/1000
650/1000
700/1000
750/1000
800/1000
850/1000
900/1000
950/1000
1000/1000


In [30]:
test(resnet50,simba_sample["res"])

Test Accuracy of the model on the 1000 test images: 0.354


In [31]:
test(vit,simba_sample["vit"])

Test Accuracy of the model on the 1000 test images: 0.671
