hummingbird
/
mindarmour
Not watched
2
0
Fork 0
Code
Releases 17 Wiki Activity
Issues 0 Pull Requests 0 Datasets Model Cloudbrain
You can not select more than 25 topics Topics must start with a chinese character,a letter or number, can include dashes ('-') and can be up to 35 characters long.
Tree: 1e0bc59251
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '1e0bc59251'
${ noResults }
mindarmour/mindarmour/adv_robustness/defenses/adversarial_defense.py

205 lines
8.1 kB
Raw Blame History 

  1. # Copyright 2019 Huawei Technologies Co., Ltd

  2. #

  3. # Licensed under the Apache License, Version 2.0 (the "License");

  4. # you may not use this file except in compliance with the License.

  5. # You may obtain a copy of the License at

  6. #

  7. # http://www.apache.org/licenses/LICENSE-2.0

  8. #

  9. # Unless required by applicable law or agreed to in writing, software

  10. # distributed under the License is distributed on an "AS IS" BASIS,

  11. # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  12. # See the License for the specific language governing permissions and

  13. # limitations under the License.

  14. """

  15. Adversarial Defense.

  16. """

  17. import numpy as np

  18. 

  19. from mindspore import Tensor

  20. from mindspore.nn import Cell, SoftmaxCrossEntropyWithLogits

  21. from mindspore.nn import WithLossCell, TrainOneStepCell

  22. from mindspore.nn.optim.momentum import Momentum

  23. 

  24. from mindarmour.utils._check_param import check_pair_numpy_param, check_model, \

  25.     check_param_in_range, check_param_type, check_param_multi_types

  26. from .defense import Defense

  27. 

  28. 

  29. class AdversarialDefense(Defense):

  30.     """

  31.     Adversarial training using given adversarial examples.

  32. 

  33.     Args:

  34.         network (Cell): A MindSpore network to be defensed.

  35.         loss_fn (Functions): Loss function. Default: None.

  36.         optimizer (Cell): Optimizer used to train the network. Default: None.

  37. 

  38.     Examples:

  39.         >>> class Net(Cell):

  40.         >>>     def __init__(self):

  41.         >>>         super(Net, self).__init__()

  42.         >>>         self._reshape = P.Reshape()

  43.         >>>         self._full_con_1 = Dense(28*28, 120)

  44.         >>>         self._full_con_2 = Dense(120, 84)

  45.         >>>         self._full_con_3 = Dense(84, 10)

  46.         >>>         self._relu = ReLU()

  47.         >>>

  48.         >>>     def construct(self, x):

  49.         >>>         out = self._reshape(x, (-1, 28*28))

  50.         >>>         out = self._full_con_1(out)

  51.         >>>         out = self.relu(out)

  52.         >>>         out = self._full_con_2(out)

  53.         >>>         out = self.relu(out)

  54.         >>>         out = self._full_con_3(out)

  55.         >>>         return out

  56.         >>>

  57.         >>> net = Net()

  58.         >>> lr = 0.0001

  59.         >>> momentum = 0.9

  60.         >>> loss_fn = SoftmaxCrossEntropyWithLogits(sparse=True)

  61.         >>> optimizer = Momentum(net.trainable_params(), lr, momentum)

  62.         >>> adv_defense = AdversarialDefense(net, loss_fn, optimizer)

  63.         >>> inputs = np.random.rand(32, 1, 28, 28).astype(np.float32)

  64.         >>> labels = np.random.randint(0, 10).astype(np.int32)

  65.         >>> adv_defense.defense(inputs, labels)

  66.     """

  67. 

  68.     def __init__(self, network, loss_fn=None, optimizer=None):

  69.         super(AdversarialDefense, self).__init__(network)

  70.         network = check_model('network', network, Cell)

  71.         if loss_fn is None:

  72.             loss_fn = SoftmaxCrossEntropyWithLogits(sparse=True)

  73. 

  74.         if optimizer is None:

  75.             optimizer = Momentum(

  76.                 params=network.trainable_params(),

  77.                 learning_rate=0.01,

  78.                 momentum=0.9)

  79. 

  80.         loss_net = WithLossCell(network, loss_fn)

  81.         self._train_net = TrainOneStepCell(loss_net, optimizer)

  82.         self._train_net.set_train()

  83. 

  84.     def defense(self, inputs, labels):

  85.         """

  86.         Enhance model via training with input samples.

  87. 

  88.         Args:

  89.             inputs (numpy.ndarray): Input samples.

  90.             labels (numpy.ndarray): Labels of input samples.

  91. 

  92.         Returns:

  93.             numpy.ndarray, loss of defense operation.

  94.         """

  95.         inputs, labels = check_pair_numpy_param('inputs', inputs, 'labels',

  96.                                                 labels)

  97.         loss = self._train_net(Tensor(inputs), Tensor(labels))

  98.         return loss.asnumpy()

  99. 

  100. 

  101. class AdversarialDefenseWithAttacks(AdversarialDefense):

  102.     """

  103.     Adversarial defense with attacks.

  104. 

  105.     Args:

  106.         network (Cell): A MindSpore network to be defensed.

  107.         attacks (list[Attack]): List of attack method.

  108.         loss_fn (Functions): Loss function. Default: None.

  109.         optimizer (Cell): Optimizer used to train the network. Default: None.

  110.         bounds (tuple): Upper and lower bounds of data. In form of (clip_min,

  111.             clip_max). Default: (0.0, 1.0).

  112.         replace_ratio (float): Ratio of replacing original samples with

  113.             adversarial, which must be between 0 and 1. Default: 0.5.

  114. 

  115.     Raises:

  116.         ValueError: If replace_ratio is not between 0 and 1.

  117. 

  118.     Examples:

  119.         >>> net = Net()

  120.         >>> fgsm = FastGradientSignMethod(net)

  121.         >>> pgd = ProjectedGradientDescent(net)

  122.         >>> ead = AdversarialDefenseWithAttacks(net, [fgsm, pgd])

  123.         >>> ead.defense(inputs, labels)

  124.     """

  125. 

  126.     def __init__(self, network, attacks, loss_fn=None, optimizer=None,

  127.                  bounds=(0.0, 1.0), replace_ratio=0.5):

  128.         super(AdversarialDefenseWithAttacks, self).__init__(network,

  129.                                                             loss_fn,

  130.                                                             optimizer)

  131.         self._attacks = check_param_type('attacks', attacks, list)

  132.         self._bounds = check_param_multi_types('bounds', bounds, [tuple, list])

  133.         for elem in self._bounds:

  134.             _ = check_param_multi_types('bound', elem, [int, float])

  135.         self._replace_ratio = check_param_in_range('replace_ratio',

  136.                                                    replace_ratio,

  137.                                                    0, 1)

  138.         self._graph_initialized = False

  139. 

  140.     def defense(self, inputs, labels):

  141.         """

  142.         Enhance model via training with adversarial examples generated from input samples.

  143. 

  144.         Args:

  145.             inputs (numpy.ndarray): Input samples.

  146.             labels (numpy.ndarray): Labels of input samples.

  147. 

  148.         Returns:

  149.             numpy.ndarray, loss of adversarial defense operation.

  150.         """

  151.         inputs, labels = check_pair_numpy_param('inputs', inputs, 'labels',

  152.                                                 labels)

  153.         if not self._graph_initialized:

  154.             self._train_net(Tensor(inputs), Tensor(labels))

  155.             self._graph_initialized = True

  156. 

  157.         x_len = inputs.shape[0]

  158.         n_adv = int(np.ceil(self._replace_ratio*x_len))

  159.         n_adv_per_attack = int(n_adv / len(self._attacks))

  160. 

  161.         adv_ids = np.random.choice(x_len, size=n_adv, replace=False)

  162.         start = 0

  163.         for attack in self._attacks:

  164.             idx = adv_ids[start:start + n_adv_per_attack]

  165.             inputs[idx] = attack.generate(inputs[idx], labels[idx])

  166.             start += n_adv_per_attack

  167. 

  168.         loss = self._train_net(Tensor(inputs), Tensor(labels))

  169.         return loss.asnumpy()

  170. 

  171. 

  172. class EnsembleAdversarialDefense(AdversarialDefenseWithAttacks):

  173.     """

  174.     Ensemble adversarial defense.

  175. 

  176.     Args:

  177.         network (Cell): A MindSpore network to be defensed.

  178.         attacks (list[Attack]): List of attack method.

  179.         loss_fn (Functions): Loss function. Default: None.

  180.         optimizer (Cell): Optimizer used to train the network. Default: None.

  181.         bounds (tuple): Upper and lower bounds of data. In form of (clip_min,

  182.             clip_max). Default: (0.0, 1.0).

  183.         replace_ratio (float): Ratio of replacing original samples with

  184.             adversarial, which must be between 0 and 1. Default: 0.5.

  185. 

  186.     Raises:

  187.         ValueError: If replace_ratio is not between 0 and 1.

  188. 

  189.     Examples:

  190.         >>> net = Net()

  191.         >>> fgsm = FastGradientSignMethod(net)

  192.         >>> pgd = ProjectedGradientDescent(net)

  193.         >>> ead = EnsembleAdversarialDefense(net, [fgsm, pgd])

  194.         >>> ead.defense(inputs, labels)

  195.     """

  196. 

  197.     def __init__(self, network, attacks, loss_fn=None, optimizer=None,

  198.                  bounds=(0.0, 1.0), replace_ratio=0.5):

  199.         super(EnsembleAdversarialDefense, self).__init__(network,

  200.                                                          attacks,

  201.                                                          loss_fn,

  202.                                                          optimizer,

  203.                                                          bounds,

  204.                                                          replace_ratio)