In [None]:
from __future__ import print_function
import torch.nn.functional as F
import torch
from torch.utils.data import DataLoader
import matplotlib.pyplot as plt
import numpy as np
import warnings
import torch.optim as optim
import torch.nn as nn
import sys
from torchvision import datasets, transforms
from torch.utils.data import DataLoader
from datetime import datetime
from numpy.linalg import norm
import torchvision.models as models
import warnings
import timeit

In [None]:
class CNN(nn.Module):
    def __init__(self):

        super(CNN, self).__init__()

        self.conv1 = nn.Conv2d(1, 16, kernel_size=3,padding=1)
        self.conv2 = nn.Conv2d(16, 16, kernel_size=3,padding=1)
        self.conv3 = nn.Conv2d(16, 32, kernel_size=3,padding=1)
        self.conv4 = nn.Conv2d(32, 32, kernel_size=3,padding=1)
        self.fc1 = nn.Linear(7*7*32, 100)
        self.fc2 = nn.Linear(100, 10)
        self.drop_layer = nn.Dropout(p=0.2)

    def last_hidden_layer_output(self, x):
        x = F.max_pool2d(F.relu(self.conv1(x)), 2)
        x = F.max_pool2d(F.relu(self.conv2(x)), 2)
        x = self.drop_layer(F.relu(self.conv3(x)))
        x = self.drop_layer(F.relu(self.conv4(x)))
        x = x.view(-1, 7*7*32)
        x = F.relu(self.fc1(x))
        return x

    def forward(self, x):
        x = self.last_hidden_layer_output(x)
        x = self.fc2(x)
        return x

In [None]:
class Flatten(nn.Module):
    def forward(self, x):
        return x.view(x.shape[0], -1)

device = torch.device("cuda:0" if torch.cuda.is_available() else "cpu")

model_cnn = CNN()
model_cnn.load_state_dict(torch.load("model_cnn_mnist_digit.pt", map_location=device))
model_cnn = model_cnn.to(device)
model_cnn.eval()

softmax = nn.Softmax(dim=1)

def enable_dropout(model):
    """ Function to enable the dropout layers during test-time """
    for m in model.modules():
        if m.__class__.__name__.startswith('Dropout'):
            m.train()

corrects = []
corrects_tuple_list = []

reformatted_GMT_timestamp = datetime.utcnow().strftime('%Y-%m-%d %H:%M:%S')
print(reformatted_GMT_timestamp)

2021-09-07 11:03:00


In [None]:

batch_size = 256

mnist_train = datasets.MNIST("data", train=True, download=True, transform=transforms.ToTensor())
mnist_test = datasets.MNIST("data", train=False, download=True, transform=transforms.ToTensor())

train_loader = DataLoader(mnist_train, batch_size=batch_size, shuffle=True)
test_loader = DataLoader(mnist_test, batch_size=batch_size, shuffle=False)

  return torch.from_numpy(parsed.astype(m[2], copy=False)).view(*s)


In [None]:
warnings.filterwarnings("ignore")

torch.manual_seed(2)
np.random.seed(2)

eps = 0.16
alpha = 0.2 * eps
num_iter = 10

num_restart = 5

count_successfull_attack = 0
count_unsuccessfull_attack = 0

In [None]:
def fgsm(image,model,epsilon, label):

    image = image.detach()

    item_count = image.shape[0]

    delta = torch.zeros_like(image, requires_grad=True)
    delta.grad = None

    model.eval()
    o = model((image + delta))
    loss = nn.CrossEntropyLoss(reduce=False)(o, label)
    loss = loss.reshape(1, item_count)
    
    loss.backward(torch.ones_like(loss))

    delta.data = delta + epsilon * delta.grad.detach().sign()
    delta.grad.zero_()

    perturbed_image = image + delta.detach()
    perturbed_image = torch.clamp(perturbed_image, 0, 1)

    return perturbed_image.detach()

In [None]:

def rectified_fgsm(image,model,epsilon):

    torch.manual_seed(2)
    np.random.seed(2)

    item_count = image.shape[0]

    image = image.detach()

    delta = torch.zeros_like(image, requires_grad=True)
    
    delta.grad = None

    model.eval()

    with torch.no_grad():
        o = model(image)
        o = softmax(o)
    init_pred = o.data.max(1, keepdim=True)[1]

    lbls = torch.squeeze(init_pred,1)

    enable_dropout(model)

    dropout_predictions = torch.zeros([50,item_count,10])

    for i in range(50):

        enable_dropout(model)
        output = model((image + delta))
        output = softmax(output)

        dropout_predictions[i] = output

    variance = torch.var(dropout_predictions, dim=0)

    var = variance.mean(1,True)
    var = var.reshape(1,item_count)
    var = var.to(device)

    model.eval()
    o = model((image + delta))
    loss = nn.CrossEntropyLoss(reduce=False)(o, lbls)
    loss = loss.reshape(1, item_count)

    loss.backward(torch.ones_like(var))
    delta_loss = delta.grad.detach().sign()
    delta.grad.zero_()
    delta.grad = None

    var.backward(torch.ones_like(var))
    delta_unc = delta.grad.detach().sign()
    delta.grad.zero_()
    delta.grad = None

    zeros = torch.zeros_like(delta_loss)
    delta_unc = torch.where(delta_unc != delta_loss, zeros, delta_unc)
    delta.data = (delta + epsilon * delta_unc)

    # model.eval()
    perturbed_image = image + delta.detach()
    perturbed_image = torch.clamp(perturbed_image, 0, 1)

    return perturbed_image.detach()
  

In [None]:
def bim(image,model,epsilon, label, alpha, num_iter):

    image = image.detach()

    item_count = image.shape[0]

    delta = torch.zeros_like(image, requires_grad=True)
    delta.grad = None

    for t in range(num_iter):

        model.eval()
        o = model((image + delta))

        loss = nn.CrossEntropyLoss(reduce=False)(o, label)
        loss = loss.reshape(1, item_count)

        loss.backward(torch.ones_like(loss))

        delta.data = (delta + alpha * delta.grad.detach().sign()).clamp(-epsilon, epsilon)
        delta.grad.zero_()

    perturbed_image = image + delta.detach()
    perturbed_image = torch.clamp(perturbed_image, 0, 1)

    return perturbed_image.detach()

In [None]:

def rectified_bim(image,model,epsilon, num_iter, alpha):

    torch.manual_seed(2)
    np.random.seed(2)

    item_count = image.shape[0]

    image = image.detach()

    delta = torch.zeros_like(image, requires_grad=True)
    
    delta.grad = None

    model.eval()

    with torch.no_grad():
        o = model(image)
        o = softmax(o)
    init_pred = o.data.max(1, keepdim=True)[1]

    lbls = torch.squeeze(init_pred,1)

    enable_dropout(model)

    for t in range(num_iter):

        dropout_predictions = torch.zeros([50,item_count,10])

        for i in range(50):

            enable_dropout(model)
            output = model((image + delta))
            output = softmax(output)

            dropout_predictions[i] = output

        variance = torch.var(dropout_predictions, dim=0)

        var = variance.mean(1,True)
        var = var.reshape(1,item_count)
        var = var.to(device)


        model.eval()
        o = model((image + delta))
        loss = nn.CrossEntropyLoss(reduce=False)(o, lbls)
        loss = loss.reshape(1, item_count)

        if t == 0:

            loss.backward(torch.ones_like(var))
            delta_loss = delta.grad.detach().sign()
            delta.grad.zero_()
            delta.grad = None

            var.backward(torch.ones_like(var))
            delta_unc = delta.grad.detach().sign()
            delta.grad.zero_()
            delta.grad = None

            zeros = torch.zeros_like(delta_loss)
            delta_unc = torch.where(delta_unc != delta_loss, zeros, delta_unc)
            delta.data = (delta + alpha * delta_unc).clamp(-epsilon, epsilon)

        else:

            model.eval()
            with torch.no_grad():
                o = model((image + delta))
                o = softmax(o)
            inter_pred = o.data.max(1, keepdim=True)[1]

##########################################################################################

            inds_notmatch = np.where(inter_pred.cpu() != init_pred.cpu())[0]

            temp = torch.ones_like(var)
            temp = temp.cpu().numpy()

            temp[0][inds_notmatch] = 0
            temp = torch.tensor(temp)
            temp = temp.to(device)

            var.backward(temp, retain_graph=True)
            delta_unc = delta.grad.detach().sign()
            delta.grad.zero_()
            delta.grad = None

            loss.backward(temp, retain_graph=True)
            delta_loss = delta.grad.detach().sign()
            delta.grad.zero_()
            delta.grad = None


            zeros = torch.zeros_like(delta_loss)
            delta_loss = torch.where(delta_unc != delta_loss, zeros, delta_loss)
            delta.data = (delta + alpha * delta_loss).clamp(-epsilon, epsilon)


##########################################################################################

            inds_match = np.where(inter_pred.cpu() == init_pred.cpu())[0]

            temp = torch.ones_like(var)
            temp = temp.cpu().numpy()

            temp[0][inds_match] = 0
            temp = torch.tensor(temp)
            temp = temp.to(device)

            var.backward(temp)
            delta_unc = delta.grad.detach().sign()
            delta.grad.zero_()
            delta.grad = None

            loss.backward(temp)
            delta_loss = delta.grad.detach().sign()
            delta.grad.zero_()
            delta.grad = None

            zeros = torch.zeros_like(delta_loss)
            delta_loss = torch.where(delta_unc == delta_loss, zeros, delta_loss)
            delta.data = (delta + alpha * delta_loss).clamp(-epsilon, epsilon)

##########################################################################################

    # model.eval()
    perturbed_image = image + delta.detach()
    perturbed_image = torch.clamp(perturbed_image, 0, 1)

    return perturbed_image.detach()
  

In [None]:
def pgd(image,model,epsilon, label, alpha, num_iter, restarts):

    torch.manual_seed(2)
    np.random.seed(2)

    item_count = image.shape[0]
    image = image.detach()

    max_loss = torch.zeros(label.shape[0]).to(label.device)
    max_delta = torch.zeros_like(image)

    for i in range(restarts):

        delta = torch.rand_like(image, requires_grad=True)
        delta.data = delta.data * 2 * epsilon - epsilon

        for t in range(num_iter):

            model.eval()
            o = model((image + delta))

            loss = nn.CrossEntropyLoss(reduce=False)(o, label)
            loss = loss.reshape(1, item_count)

            loss.backward(torch.ones_like(loss))

            delta.data = (delta + alpha * delta.grad.detach().sign()).clamp(-epsilon, epsilon)
            delta.grad.zero_()
        
        all_loss = nn.CrossEntropyLoss(reduction='none')(model((image + delta)),label)
        max_delta[all_loss >= max_loss] = delta.detach()[all_loss >= max_loss]
        max_loss = torch.max(max_loss, all_loss)


    perturbed_image = image + max_delta.detach()
    perturbed_image = torch.clamp(perturbed_image, 0, 1)

    return perturbed_image.detach()

In [None]:

def rectified_pgd(image, model, epsilon, label, alpha, num_iter, restarts):

    torch.manual_seed(2)
    np.random.seed(2)

    item_count = image.shape[0]

    image = image.detach()

    max_loss = torch.zeros(label.shape[0]).to(label.device)
    max_delta = torch.zeros_like(image)

    model.eval()
    with torch.no_grad():
        o = model(image)
        o = softmax(o)
    init_pred = o.data.max(1, keepdim=True)[1]

    lbls = torch.squeeze(init_pred,1)

    for r in range(restarts):

        delta = torch.rand_like(image, requires_grad=True)
        delta.data = delta.data * 2 * epsilon - epsilon

        for t in range(num_iter):

            dropout_predictions = torch.zeros([50,item_count,10])
            enable_dropout(model)

            for i in range(50):
               
                output = model((image + delta))
                output = softmax(output)

                dropout_predictions[i] = output

            variance = torch.var(dropout_predictions, dim=0)

            var = variance.mean(1,True)
            var = var.reshape(1,item_count)
            var = var.to(device)

            model.eval()
            o = model((image + delta))
            loss = nn.CrossEntropyLoss(reduce=False)(o, lbls)
            loss = loss.reshape(1, item_count)

            if t == 0:

                loss.backward(torch.ones_like(var))
                delta_loss = delta.grad.detach().sign()
                delta.grad.zero_()
                delta.grad = None

                var.backward(torch.ones_like(var))
                delta_unc = delta.grad.detach().sign()
                delta.grad.zero_()
                delta.grad = None

                zeros = torch.zeros_like(delta_loss)
                delta_unc = torch.where(delta_unc != delta_loss, zeros, delta_unc)
                delta.data = (delta + alpha * delta_unc).clamp(-epsilon, epsilon)

            else:

                model.eval()
                with torch.no_grad():
                    o = model((image + delta))
                    o = softmax(o)
                inter_pred = o.data.max(1, keepdim=True)[1]

    ##########################################################################################

                inds_notmatch = np.where(inter_pred.cpu() != init_pred.cpu())[0]

                temp = torch.ones_like(var)
                temp = temp.cpu().numpy()

                temp[0][inds_notmatch] = 0
                temp = torch.tensor(temp)
                temp = temp.to(device)

                var.backward(temp, retain_graph=True)
                delta_unc = delta.grad.detach().sign()
                delta.grad.zero_()
                delta.grad = None

                loss.backward(temp, retain_graph=True)
                delta_loss = delta.grad.detach().sign()
                delta.grad.zero_()
                delta.grad = None


                zeros = torch.zeros_like(delta_loss)
                delta_loss = torch.where(delta_unc != delta_loss, zeros, delta_loss)
                delta.data = (delta + alpha * delta_loss).clamp(-epsilon, epsilon)


    ##########################################################################################

                inds_match = np.where(inter_pred.cpu() == init_pred.cpu())[0]

                temp = torch.ones_like(var)
                temp = temp.cpu().numpy()

                temp[0][inds_match] = 0
                temp = torch.tensor(temp)
                temp = temp.to(device)

                var.backward(temp)
                delta_unc = delta.grad.detach().sign()
                delta.grad.zero_()
                delta.grad = None

                loss.backward(temp)
                delta_loss = delta.grad.detach().sign()
                delta.grad.zero_()
                delta.grad = None

                zeros = torch.zeros_like(delta_loss)
                delta_loss = torch.where(delta_unc == delta_loss, zeros, delta_loss)
                delta.data = (delta + alpha * delta_loss).clamp(-epsilon, epsilon)

    ##########################################################################################

        all_loss = nn.CrossEntropyLoss(reduction='none')(model((image + delta)),label)
        max_delta[all_loss >= max_loss] = delta.detach()[all_loss >= max_loss]
        max_loss = torch.max(max_loss, all_loss)

    # model.eval()
    perturbed_image = image + max_delta.detach()
    perturbed_image = torch.clamp(perturbed_image, 0, 1)

    return perturbed_image.detach()
  

In [None]:
sum_l2 = 0
sum_l1 = 0

In [None]:

for i, (image, label) in enumerate(test_loader):

    image = image.to(device)
    label = label.to(device)

    model_cnn.eval()

    with torch.no_grad():
        o = model_cnn(image)
        o = softmax(o)

    pred_original = o.data.max(1, keepdim=True)[1]
    pred_original = pred_original.view_as(label)
    inds_correct = np.where(pred_original.cpu() == label.cpu())[0]

    image = image[inds_correct]
    label = label[inds_correct]

    #pert = fgsm(image, model_cnn, eps, label)
    
    pert = rectified_fgsm(image, model_cnn, eps)

    #pert = bim(image, model_cnn, eps, label, alpha, num_iter)

    #pert = rectified_bim(image, model_cnn, eps, num_iter, alpha)

    #pert = pgd(image, model_cnn, eps, label, alpha, num_iter, num_restart)
    
    #pert = rectified_pgd(image, model_cnn, eps, label, alpha, num_iter, num_restart)
    
    model_cnn.eval()
    with torch.no_grad():
        o = model_cnn(pert)
        o = softmax(o)
    pred_pert = o.data.max(1, keepdim=True)[1]

    pred_pert = pred_pert.view_as(label)

    inds_correct_after_attack = np.where(pred_pert.cpu() == label.cpu())[0]
    inds_wrong_after_attack = np.where(pred_pert.cpu() != label.cpu())[0]

    inds_correct_after_attackk = inds_correct_after_attack.tolist()
    inds_wrong_after_attackk = inds_wrong_after_attack.tolist()

    count_unsuccessfull_attack += len(inds_correct_after_attackk)
    count_successfull_attack += len(inds_wrong_after_attackk)

    image = image[inds_wrong_after_attack]
    label = label[inds_wrong_after_attack]
    pert = pert[inds_wrong_after_attack]

    if i%30==0:
      print("Success ratio for the attack is : %{:.2f}".format(
    100 * count_successfull_attack / (count_successfull_attack + count_unsuccessfull_attack)))
      
    if i == 0:
      break

Success ratio for the attack is : %42.13


In [None]:
number = image.shape[0]
print("number ", number)

for n in range(number):
  perturbation = pert[n] - image[n]
  perturbation = perturbation.cpu()

  sum_l2 = sum_l2 + norm(perturbation.flatten(), 2)
  sum_l1 = sum_l1 + norm(perturbation.flatten(), 1)

number  107


In [None]:
print(' Mean of L2 norm of perturbation: {}'.format(sum_l2/number, 2))
print(' Mean of L1 norm of perturbation: {}'.format(sum_l1/number, 2))

 Mean of L2 norm of perturbation: 3.0691128490127135
 Mean of L1 norm of perturbation: 59.53189254475531
