# Perceptual Attack

Apply neural perceptual attack to images taken from: Cassidy Laidlaw, Sahil Singla, and Soheil Feizi. ["Perceptual adversarial robustness: Defense against unseen threat models."](https://arxiv.org/abs/2006.12655) arXiv preprint arXiv:2006.12655 (2020).

## Problem Description

Given a classifier $f$ which maps any input image $x \in X$ to its label $y = f(x) \in Y$. The goal of neural perceptual attack is to find an input $\widetilde{x}$ that is perceptually similar to the original input $x$ but can fool the classifier $f$. This can be formulated as:

$$\max_{\widetilde{x}} L (f(\widetilde{x}),y),$$
$$\text{s.t.}\;\; d(x,\widetilde{x}) = ||\phi(x) - \phi (\tilde{x}) ||_{2} \leq \epsilon$$
Here $$L (f({x}),y) = \max_{i\neq y} (z_i(x) - z_y(x) ),$$
where $z_i(x)$ is the $i$-th logit output of $f(x)$, and $\phi(\cdot)$ is a function that maps the input $x$ to  normalized, flattened activations

## Modules Importing
Import all necessary modules and add PyGRANSO src folder to system path. 

NOTE: the perceptual advex package (https://github.com/cassidylaidlaw/perceptual-advex.git) is required to calculate the distance 

In [1]:
# install required package
try:
    import perceptual_advex
except ImportError:
    !pip install perceptual-advex

In [2]:
import time
import torch
import sys
## Adding PyGRANSO directories. Should be modified by user
sys.path.append('Y:/Working/PyGRANSO')
from pygranso import pygranso
from pygransoStruct import pygransoStruct
from private.getNvar import getNvarTorch

from perceptual_advex.utilities import get_dataset_model
from perceptual_advex.perceptual_attacks import get_lpips_model
from perceptual_advex.distances import normalize_flatten_features

## Data Initialization 

Specify torch device, neural network architecture, and generate data.

NOTE: please specify path for downloading data.

Use GPU for this problem. If no cuda device available, please set *device = torch.device('cpu')*

In [3]:
device = torch.device('cuda')

dataset, model = get_dataset_model(
dataset='cifar',
arch='resnet50',
checkpoint_fname='C:/Users/jian0649/Downloads/cifar/cifar_pgd_l2_1_cpu.pt',
)
model = model.to(device=device, dtype=torch.double)
# Create a validation set loader.
batch_size = 1
_, val_loader = dataset.make_loaders(1, batch_size, only_val=True, shuffle_val=False)

inputs, labels = next(iter(val_loader))

# All the user-provided data (vector/matrix/tensor) must be in torch tensor format. 
# As PyTorch tensor is single precision by default, one must explicitly set `dtype=torch.double`.
# Also, please make sure the device of provided torch tensor is the same as opts.torch_device.
inputs = inputs.to(device=device, dtype=torch.double)
labels = labels.to(device=device)
# lpips_model = get_lpips_model('self', model).to(device=device, dtype=torch.double) #### modify to self
lpips_model = get_lpips_model('self', model).to(device=device, dtype=torch.double)

# attack_type = 'L_2'
# attack_type = 'L_inf'
attack_type = 'Perceptual'

=> loading checkpoint 'C:/Users/jian0649/Downloads/cifar/cifar_pgd_l2_1_cpu.pt'
==> Preparing dataset cifar..
Files already downloaded and verified


## Function Set-Up

Encode the optimization variables, and objective and constraint functions.

Note: please strictly follow the format of comb_fn, which will be used in the PyGRANSO main algortihm.

In [4]:
# variables and corresponding dimensions.
var_in = {"x_tilde": list(inputs.shape)}

def myMarginLoss(logits, labels):
    correct_logits = torch.gather(logits, 1, labels.view(-1, 1))
    max_2_logits, argmax_2_logits = torch.topk(logits, 2, dim=1)
    top_max, second_max = max_2_logits.chunk(2, dim=1)
    top_argmax, _ = argmax_2_logits.chunk(2, dim=1)
    labels_eq_max = top_argmax.squeeze().eq(labels).float().view(-1, 1)
    labels_ne_max = top_argmax.squeeze().ne(labels).float().view(-1, 1)
    max_incorrect_logits = labels_eq_max * second_max + labels_ne_max * top_max
    loss = -(max_incorrect_logits - correct_logits).clamp(max=1).squeeze().sum()
    return loss

def user_fn(X_struct,inputs,labels,lpips_model):
    adv_inputs = X_struct.x_tilde
    
    # objective function
    # 8/255 for L_inf, 1 for L_2, 0.5 for PPGD/LPA
    if attack_type == 'L_2':
        epsilon = 1
    elif attack_type == 'L_inf':
        epsilon = 8/255
    else:
        epsilon = 0.5

    logits_outputs = model(adv_inputs)

    f = myMarginLoss(logits_outputs,labels)

    # inequality constraint
    ci = pygransoStruct()
    if attack_type == 'L_2':
        ci.c1 = torch.norm((inputs - adv_inputs).reshape(inputs.size()[0], -1)) - epsilon
    elif attack_type == 'L_inf':
        ci.c1 = torch.norm((inputs - adv_inputs).reshape(inputs.size()[0], -1), float('inf')) - epsilon
    else:
        input_features = normalize_flatten_features( lpips_model.features(inputs)).detach()
        adv_features = lpips_model.features(adv_inputs)
        adv_features = normalize_flatten_features(adv_features)
        lpips_dists = (adv_features - input_features).norm(dim=1)
        ci.c1 = lpips_dists - epsilon
    
    # equality constraint 
    ce = None

    return [f,ci,ce]

comb_fn = lambda X_struct : user_fn(X_struct,inputs,labels,lpips_model)

## User Options
Specify user-defined options for PyGRANSO 

In [5]:
opts = pygransoStruct()
opts.torch_device = device
opts.maxit = 100
opts.opt_tol = 1e-6
opts.fvalquit = 1e-6
opts.print_level = 1
opts.print_frequency = 1
opts.x0 = torch.reshape(inputs,(torch.numel(inputs),1))

## Main Algorithm

In [11]:
start = time.time()
soln = pygranso(var_spec = var_in,combined_fn = comb_fn,user_opts = opts)
end = time.time()
print("Total Wall Time: {}s".format(end - start))



[33m╔═════ QP SOLVER NOTICE ════════════════════════════════════════════════════════════════════════╗
[0m[33m║  PyGRANSO requires a quadratic program (QP) solver that has a quadprog-compatible interface,  ║
[0m[33m║  the default is osqp. Users may provide their own wrapper for the QP solver.                  ║
[0m[33m║  To disable this notice, set opts.quadprog_info_msg = False                                   ║
[0m[33m╚═══════════════════════════════════════════════════════════════════════════════════════════════╝
[0m═════════════════════════════════════════════════════════════════════════════════════════════════════════════════╗
PyGRANSO: A PyTorch-enabled port of GRANSO with auto-differentiation                                             ║ 
Version 1.0.0                                                                                                    ║ 
Licensed under the AGPLv3, Copyright (C) 2021 Tim Mitchell and Buyun Liang                                       ║ 


## Batch Attacks

Apply attacks to multiple images by repeating above steps and calculate the success rate

In [28]:
total_count = 10
total_diff = 0
original_count = 0
attack_count = 0
total_time = 0
total_iterations = 0  

for i in range(total_count):
    # Get a batch from the validation set.
    inputs, labels = next(iter(val_loader))
    inputs = inputs.to(device=device, dtype=torch.double)
    labels = labels.to(device=device)

    # variables and corresponding dimensions.
    var_in = {"x_tilde": list(inputs.shape)}

    opts.x0 = torch.reshape(inputs,(torch.numel(inputs),1))
    # suppress output
    opts.print_level = 0

    pred_labels = model(inputs).argmax(1)
    if pred_labels == labels:
        original_count += 1
    else:
        continue
    
    start = time.time()
    soln = pygranso(var_spec = var_in,combined_fn = comb_fn,user_opts = opts)
    end = time.time()
    print("i = %d"%i)
    
    total_time += end - start
    total_iterations += soln.fn_evals

    final_adv_input = torch.reshape(soln.final.x,inputs.shape)
    pred_labels2 = model(final_adv_input.to(device=device, dtype=torch.double)).argmax(1)

    if pred_labels2 == labels:
        attack_count += 1
        
    if attack_type == 'L_2':
            diff = torch.norm((inputs.to(device=device, dtype=torch.double) - final_adv_input).reshape(inputs.size()[0], -1))
    elif attack_type == 'L_inf':
        diff = ( torch.norm((inputs.to(device=device, dtype=torch.double) - final_adv_input).reshape(inputs.size()[0], -1), float('inf') ) )
    else:
        input_features = normalize_flatten_features( lpips_model.features(inputs)).detach()
        adv_features = lpips_model.features(final_adv_input)
        adv_features = normalize_flatten_features(adv_features)
        lpips_dists = torch.mean((adv_features - input_features).norm(dim=1))
        diff = lpips_dists

    total_diff += diff

print("\n\n\nModel train acc on the original image = {}".format(( original_count/total_count )))
print("Success rate of attack = {}".format( (original_count-attack_count)/original_count ))
print("Average distance between attacked image and original image = {}".format(total_diff/original_count))
print("Average run time of PyGRANSO = {}s, mean f_eval = {} iters".format(total_time/original_count,total_iterations/original_count))

i = 0
i = 1
i = 2


# Batch Test

In [3]:
device = torch.device('cuda')

dataset, model = get_dataset_model(
dataset='cifar',
arch='resnet50',
checkpoint_fname='C:/Users/jian0649/Downloads/cifar/cifar_pgd_l2_1_cpu.pt',
)
model = model.to(device=device, dtype=torch.double)
# Create a validation set loader.
batch_size = 2
_, val_loader = dataset.make_loaders(1, batch_size, only_val=True, shuffle_val=False)

inputs, labels = next(iter(val_loader))

# All the user-provided data (vector/matrix/tensor) must be in torch tensor format. 
# As PyTorch tensor is single precision by default, one must explicitly set `dtype=torch.double`.
# Also, please make sure the device of provided torch tensor is the same as opts.torch_device.
inputs = inputs.to(device=device, dtype=torch.double)
labels = labels.to(device=device)
# lpips_model = get_lpips_model('self', model).to(device=device, dtype=torch.double) #### modify to self
lpips_model = get_lpips_model('self', model).to(device=device, dtype=torch.double)

# attack_type = 'L_2'
# attack_type = 'L_inf'
attack_type = 'Perceptual'

=> loading checkpoint 'C:/Users/jian0649/Downloads/cifar/cifar_pgd_l2_1_cpu.pt'
==> Preparing dataset cifar..
Files already downloaded and verified


In [4]:
from perceptual_advex.utilities import MarginLoss


In [5]:
myloss = torch.nn.CrossEntropyLoss()

def user_fn(X_struct,inputs,labels,lpips_model):
    adv_inputs = X_struct.x_tilde
    
    # objective function
    # 8/255 for L_inf, 1 for L_2, 0.5 for PPGD/LPA

    epsilon = 0.5

    logits_outputs = model(adv_inputs)

    f = myloss(logits_outputs,labels)

    # inequality constraint
    ci = pygransoStruct()

    input_features = normalize_flatten_features( lpips_model.features(inputs)).detach()
    adv_features = lpips_model.features(adv_inputs)
    adv_features = normalize_flatten_features(adv_features)
    lpips_dists = (adv_features - input_features).norm(dim=1)
    ci.c1 = lpips_dists - epsilon
    
    # equality constraint 
    ce = None

    return [f,ci,ce]

comb_fn = lambda X_struct : user_fn(X_struct,inputs,labels,lpips_model)

In [6]:

opts = pygransoStruct()
opts.torch_device = device
opts.maxit = 100
opts.opt_tol = 1e-6
opts.fvalquit = 1e-6
opts.print_level = 1
opts.print_frequency = 1
opts.x0 = torch.reshape(inputs,(torch.numel(inputs),1))

In [7]:
inputs = inputs.to(device=device, dtype=torch.double)
labels = labels.to(device=device)

# variables and corresponding dimensions.
var_in = {"x_tilde": list(inputs.shape)}


soln = pygranso(var_spec = var_in,combined_fn = comb_fn,user_opts = opts)



[33m╔═════ QP SOLVER NOTICE ════════════════════════════════════════════════════════════════════════╗
[0m[33m║  PyGRANSO requires a quadratic program (QP) solver that has a quadprog-compatible interface,  ║
[0m[33m║  the default is osqp. Users may provide their own wrapper for the QP solver.                  ║
[0m[33m║  To disable this notice, set opts.quadprog_info_msg = False                                   ║
[0m[33m╚═══════════════════════════════════════════════════════════════════════════════════════════════╝
[0m═════════════════════════════════════════════════════════════════════════════════════════════════════════════════╗
PyGRANSO: A PyTorch-enabled port of GRANSO with auto-differentiation                                             ║ 
Version 1.0.0                                                                                                    ║ 
Licensed under the AGPLv3, Copyright (C) 2021 Tim Mitchell and Buyun Liang                                       ║ 


In [9]:
soln.lam is not None

True

In [11]:
[None, None] is not None

True

In [19]:
logits_outputs = model(inputs)

loss = myloss(logits_outputs, labels)

tensor(0.3411, device='cuda:0', dtype=torch.float64,
       grad_fn=<NllLossBackward0>)