In [178]:
from torch.utils.data import Dataset, DataLoader
from torchvision.transforms import transforms as tt
import torchvision.models as models
import timm
from PIL import Image as pil
import os
import numpy as np
import torch
import pickle
import torch.nn as nn
import torch.nn.functional as F

resnet50 = models.resnet50(pretrained=True)
vit = timm.create_model('vit_small_patch16_224', pretrained=True)
image_path="images"
old_label_path="images//old_labels"
image_list=os.listdir(image_path)


## 图片导入与数据集生成

In [179]:
def normalize(x, mean=[0.5,0.5,0.5], std=[0.5,0.5,0.5]):
    mean_t = torch.Tensor(mean).reshape([1,3,1,1]).to(x.device)
    std_t = torch.Tensor(std).reshape([1,3,1,1]).to(x.device)
    y = (x-mean_t)/std_t
    return y

def get_preprocess(model_name):
    if model_name[:6]=="resnet":
        mean=[0.485, 0.456, 0.406]
        std=[0.229, 0.224, 0.225]
    elif model_name[:3]=="vit":
        mean=[0.5,0.5,0.5]
        std=[0.5,0.5,0.5]
    def preprocess(images):
        y = F.interpolate(images.unsqueeze(0),224)
        return normalize(y, mean=mean,
                                 std=std)
    return preprocess

In [180]:
class mydata1(Dataset):
    def __init__(self,image_path):
        self.file=[]
        for i in open(old_label_path):
            self.file.append(i)
    
    def __getitem__(self,idx):
        img=pil.open("images//"+self.file[idx].split(' ')[0])
        label=np.array(int(self.file[idx].split(' ')[1]))
        img=preprocess1(tt.ToTensor()(img))
        return img[0], label
    
    def __len__(self):
        return len(self.file)
    
    
class mydata2(Dataset):
    def __init__(self,image_path):
        self.file=[]
        for i in open(old_label_path):
            self.file.append(i)
    
    def __getitem__(self,idx):
        img=pil.open("images//"+self.file[idx].split(' ')[0])
        label=np.array(int(self.file[idx].split(' ')[1]))
        img=preprocess2(tt.ToTensor()(img))
        return img[0], label
    
    def __len__(self):
        return len(self.file)
preprocess1=get_preprocess("resnet")
res_data_Tensor = torch.utils.data.DataLoader(dataset=mydata1(image_path))
preprocess2=get_preprocess("vit")
vit_data_Tensor=torch.utils.data.DataLoader(dataset=mydata2(image_path))

##  测试

In [181]:
def test(model,test_Tensor):
    model.eval()
    with torch.no_grad():
        correct = 0
        total = 0
        for images, labels in test_Tensor:
            test_output = model(images)
            pred_y = torch.max(test_output, 1)[1].data.squeeze()
            correct=correct+(pred_y == labels)
            total=total+1
        accuracy = correct / float(total)
            
    print('Test Accuracy of the model on the 1000 test images: %.3f' % accuracy)
    print(total)

In [172]:
test(resnet50,res_data_Tensor)

Test Accuracy of the model on the 1000 test images: 0.950
1000


In [182]:
test(vit,vit_data_Tensor)

Test Accuracy of the model on the 1000 test images: 0.978
1000


## 

## 对抗样本生成

### FGSM

#### L_inf

In [173]:
epsilon =1/255.0 #最大扰动

loss_fn = torch.nn.CrossEntropyLoss()
def fgsm(input,epsilon,data_grad):
    grad_attack = data_grad.sign()
    result = input + epsilon*grad_attack
    result = torch.clamp(result, 0, 1)
    return result

def fgsm_attack(model,input_Tensor,epsilon):
    fgsm_sample_list=[]
    id=0
    for (data, target) in input_Tensor:
        data.requires_grad = True
        output = model(data)
        init_pred = output.max(1)[1].squeeze()
        loss = loss_fn(output, target.long())
        model.zero_grad()
        loss.backward()
        data_grad = data.grad.data
        perturbed_data = fgsm(data,epsilon,data_grad)
        fgsm_sample_list.append((perturbed_data,target))
        id=id+1
        if(id%100==0):
            print(("%d/"+"1000"+"\r")%(id))
        
    return fgsm_sample_list

In [174]:
fgsm_sample={}
fgsm_sample_path='./fgsm_sample.txt'
fgsm_sample["res"]=fgsm_attack(resnet50, res_data_Tensor,epsilon)



100/1000
200/1000
300/1000
400/1000
500/1000
600/1000
700/1000
800/1000
900/1000
1000/1000


In [183]:
fgsm_sample["vit"]=fgsm_attack(vit, vit_data_Tensor,epsilon)

100/1000
200/1000
300/1000
400/1000
500/1000
600/1000
700/1000
800/1000
900/1000
1000/1000


In [184]:
with open(fgsm_sample_path,'wb') as f:
    content = pickle.dumps(fgsm_sample)
    f.write(content)

In [177]:
test(resnet50,fgsm_sample["res"])

Test Accuracy of the model on the 1000 test images: 0.379
1000


In [186]:
test(vit,fgsm_sample["vit"])

Test Accuracy of the model on the 1000 test images: 0.739
1000


### PGD

#### L_inf

In [189]:
iters = 6     #迭代次数
alpha =epsilon*2/iters    #迭代步长

def PGD(input,epsilon,data_grad,iters,alpha):
    grad_attack = data_grad.sign()
    delta = grad_attack*alpha
    result = input+delta
    result = torch.clamp(result,0,1)
    return result
        
  

def PGD_attack(model,input_Tensor,epsilon,iters,alpha):
    pgd_sample_list=[]
    for (data,target) in input_Tensor:
        perturbed_data=data.detach()
        for i in range(iters):
            perturbed_data.requires_grad = True
            output = model(perturbed_data)
            init_pred = output.max(1)[1].squeeze()
            loss = loss_fn(output, target.long())
            model.zero_grad()
            loss.backward()
            perturbed_data_grad = perturbed_data.grad.data
            disturb = torch.clamp(PGD(perturbed_data,epsilon,perturbed_data_grad,iters,alpha)-data,-epsilon,epsilon)
            perturbed_data=(data+disturb).detach()
        pgd_sample_list.append((perturbed_data,target)) 
        
        
    return pgd_sample_list

pgd_sample={}
pgd_sample_path='./pgd_sample.txt'


pgd_sample["vit"]=PGD_attack(vit,vit_data_Tensor,epsilon,iters,alpha)
pgd_sample["res"]=PGD_attack(resnet50,res_data_Tensor,epsilon,iters,alpha)
    
with open(pgd_sample_path,'wb') as f:
    content = pickle.dumps(pgd_sample)
    f.write(content)

In [190]:
test(resnet50,pgd_sample["res"])

Test Accuracy of the model on the 1000 test images: 0.628
1000


In [191]:
test(vit,pgd_sample["vit"])

Test Accuracy of the model on the 1000 test images: 0.741
1000


#### L_2

In [None]:
iters = 6     #迭代次数
alpha =epsilon*2/iters    #迭代步长

def PGD(input,epsilon,data_grad,iters,alpha):
    grad_attack = data_grad.sign()
    delta = grad_attack*alpha 
    result = input+delta
    result = torch.clamp(result,0,1)
    return result
        
  

def PGD_attack(model,input_Tensor,epsilon,iters,alpha):
    pgd_sample_list=[]
    for (data,target) in input_Tensor:
        perturbed_data=data.detach()
        for i in range(iters):
            perturbed_data.requires_grad = True
            output = model(perturbed_data)
            init_pred = output.max(1)[1].squeeze()
            loss = loss_fn(output, target.long())
            model.zero_grad()
            loss.backward()
            perturbed_data_grad = perturbed_data.grad.data
            disturb = torch.clamp(PGD(perturbed_data,epsilon,perturbed_data_grad,iters,alpha)-data,-epsilon,epsilon)
            perturbed_data=(data+disturb).detach()
        pgd_sample_list.append((perturbed_data,target)) 
        
        
    return pgd_sample_list

pgd_sample={}
pgd_sample_path='./pgd_sample.txt'


pgd_sample["vit"]=PGD_attack(vit,vit_data_Tensor,epsilon,iters,alpha)
pgd_sample["res"]=PGD_attack(resnet50,res_data_Tensor,epsilon,iters,alpha)
    
with open(pgd_sample_path,'wb') as f:
    content = pickle.dumps(pgd_sample)
    f.write(content)