hummingbird
/
mindarmour
Not watched
2
0
Fork 0
Code
Releases 17 Wiki Activity
Issues 0 Pull Requests 0 Datasets Model Cloudbrain
You can not select more than 25 topics Topics must start with a chinese character,a letter or number, can include dashes ('-') and can be up to 35 characters long.
Tree: f3acd2f983
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'f3acd2f983'
${ noResults }
mindarmour/mindarmour/adv_robustness/attacks/attack.py

241 lines
11 kB
Raw Blame History 

  1. # Copyright 2019 Huawei Technologies Co., Ltd

  2. #

  3. # Licensed under the Apache License, Version 2.0 (the "License");

  4. # you may not use this file except in compliance with the License.

  5. # You may obtain a copy of the License at

  6. #

  7. # http://www.apache.org/licenses/LICENSE-2.0

  8. #

  9. # Unless required by applicable law or agreed to in writing, software

  10. # distributed under the License is distributed on an "AS IS" BASIS,

  11. # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  12. # See the License for the specific language governing permissions and

  13. # limitations under the License.

  14. """

  15. Base Class of Attack.

  16. """

  17. from abc import abstractmethod

  18. 

  19. import numpy as np

  20. 

  21. from mindarmour.utils._check_param import check_inputs_labels, \

  22.     check_int_positive, check_equal_shape, check_numpy_param, check_model

  23. from mindarmour.utils.util import calculate_iou

  24. from mindarmour.utils.logger import LogUtil

  25. from mindarmour.adv_robustness.attacks.black.black_model import BlackModel

  26. 

  27. LOGGER = LogUtil.get_instance()

  28. TAG = 'Attack'

  29. 

  30. 

  31. class Attack:

  32.     """

  33.     The abstract base class for all attack classes creating adversarial examples.

  34.     """

  35.     def __init__(self):

  36.         pass

  37. 

  38.     def batch_generate(self, inputs, labels, batch_size=64):

  39.         """

  40.         Generate adversarial examples in batch, based on input samples and

  41.         their labels.

  42. 

  43.         Args:

  44.             inputs (Union[numpy.ndarray, tuple]): Samples based on which adversarial

  45.                 examples are generated.

  46.             labels (Union[numpy.ndarray, tuple]): Original/target labels. \

  47.                 For each input if it has more than one label, it is wrapped in a tuple.

  48.             batch_size (int): The number of samples in one batch. Default: 64.

  49. 

  50.         Returns:

  51.             numpy.ndarray, generated adversarial examples

  52.         """

  53.         inputs_image, inputs, labels = check_inputs_labels(inputs, labels)

  54.         arr_x = inputs

  55.         arr_y = labels

  56.         len_x = inputs_image.shape[0]

  57.         batch_size = check_int_positive('batch_size', batch_size)

  58.         batches = int(len_x / batch_size)

  59.         rest = len_x - batches*batch_size

  60.         res = []

  61.         for i in range(batches):

  62.             if isinstance(arr_x, tuple):

  63.                 x_batch = tuple([sub_items[i*batch_size: (i + 1)*batch_size] for sub_items in arr_x])

  64.             else:

  65.                 x_batch = arr_x[i*batch_size: (i + 1)*batch_size]

  66.             if isinstance(arr_y, tuple):

  67.                 y_batch = tuple([sub_labels[i*batch_size: (i + 1)*batch_size] for sub_labels in arr_y])

  68.             else:

  69.                 y_batch = arr_y[i*batch_size: (i + 1)*batch_size]

  70.             adv_x = self.generate(x_batch, y_batch)

  71.             # Black-attack methods will return 3 values, just get the second.

  72.             res.append(adv_x[1] if isinstance(adv_x, tuple) else adv_x)

  73. 

  74.         if rest != 0:

  75.             if isinstance(arr_x, tuple):

  76.                 x_batch = tuple([sub_items[batches*batch_size:] for sub_items in arr_x])

  77.             else:

  78.                 x_batch = arr_x[batches*batch_size:]

  79.             if isinstance(arr_y, tuple):

  80.                 y_batch = tuple([sub_labels[batches*batch_size:] for sub_labels in arr_y])

  81.             else:

  82.                 y_batch = arr_y[batches*batch_size:]

  83.             adv_x = self.generate(x_batch, y_batch)

  84.             # Black-attack methods will return 3 values, just get the second.

  85.             res.append(adv_x[1] if isinstance(adv_x, tuple) else adv_x)

  86. 

  87.         adv_x = np.concatenate(res, axis=0)

  88.         return adv_x

  89. 

  90.     @abstractmethod

  91.     def generate(self, inputs, labels):

  92.         """

  93.         Generate adversarial examples based on normal samples and their labels.

  94. 

  95.         Args:

  96.             inputs (Union[numpy.ndarray, tuple]): Samples based on which adversarial

  97.                 examples are generated.

  98.             labels (Union[numpy.ndarray, tuple]): Original/target labels. \

  99.                 For each input if it has more than one label, it is wrapped in a tuple.

  100. 

  101.         Raises:

  102.             NotImplementedError: It is an abstract method.

  103.         """

  104.         msg = 'The function generate() is an abstract function in class ' \

  105.               '`Attack` and should be implemented in child class.'

  106.         LOGGER.error(TAG, msg)

  107.         raise NotImplementedError(msg)

  108. 

  109.     @staticmethod

  110.     def _reduction(x_ori, q_times, label, best_position, model, targeted_attack):

  111.         """

  112.         Decrease the differences between the original samples and adversarial samples.

  113. 

  114.         Args:

  115.             x_ori (numpy.ndarray): Original samples.

  116.             q_times (int): Query times.

  117.             label (int): Target label ot ground-truth label.

  118.             best_position (numpy.ndarray): Adversarial examples.

  119.             model (BlackModel): Target model.

  120.             targeted_attack (bool): If True, it means this is a targeted attack. If False,

  121.                 it means this is an untargeted attack.

  122. 

  123.         Returns:

  124.             numpy.ndarray, adversarial examples after reduction.

  125. 

  126.         Examples:

  127.             >>> adv_reduction = self._reduction(self, [0.1, 0.2, 0.3], 20, 1,

  128.             >>> [0.12, 0.15, 0.25])

  129.         """

  130.         LOGGER.info(TAG, 'Reduction begins...')

  131.         model = check_model('model', model, BlackModel)

  132.         x_ori = check_numpy_param('x_ori', x_ori)

  133.         best_position = check_numpy_param('best_position', best_position)

  134.         x_ori, best_position = check_equal_shape('x_ori', x_ori,

  135.                                                  'best_position', best_position)

  136.         x_ori_fla = x_ori.flatten()

  137.         best_position_fla = best_position.flatten()

  138.         pixel_deep = np.max(x_ori) - np.min(x_ori)

  139.         nums_pixel = len(x_ori_fla)

  140.         for i in range(nums_pixel):

  141.             diff = x_ori_fla[i] - best_position_fla[i]

  142.             if abs(diff) > pixel_deep*0.1:

  143.                 best_position_fla[i] += diff*0.5

  144.                 cur_label = np.argmax(

  145.                     model.predict(best_position_fla.reshape(x_ori.shape)))

  146.                 q_times += 1

  147.                 if targeted_attack:

  148.                     if cur_label != label:

  149.                         best_position_fla[i] -= diff * 0.5

  150. 

  151.                 else:

  152.                     if cur_label == label:

  153.                         best_position_fla -= diff*0.5

  154.         return best_position_fla.reshape(x_ori.shape), q_times

  155. 

  156.     def _fast_reduction(self, x_ori, best_position, q_times, auxiliary_inputs, gt_boxes, gt_labels, model):

  157.         """

  158.         Decrease the differences between the original samples and adversarial samples in a fast way.

  159. 

  160.         Args:

  161.             x_ori (numpy.ndarray): Original samples.

  162.             best_position (numpy.ndarray): Adversarial examples.

  163.             q_times (int): Query times.

  164.             auxiliary_inputs (tuple): Auxiliary inputs mathced with x_ori.

  165.             gt_boxes (numpy.ndarray): Ground-truth boxes of x_ori.

  166.             gt_labels (numpy.ndarray): Ground-truth labels of x_ori.

  167.             model (BlackModel): Target model.

  168. 

  169.         Returns:

  170.             - numpy.ndarray, adversarial examples after reduction.

  171. 

  172.             - int, total query times after reduction.

  173.         """

  174.         LOGGER.info(TAG, 'Reduction begins...')

  175.         model = check_model('model', model, BlackModel)

  176.         x_ori = check_numpy_param('x_ori', x_ori)

  177.         _, gt_num = self._detection_scores((x_ori,) + auxiliary_inputs, gt_boxes, gt_labels, model)

  178.         best_position = check_numpy_param('best_position', best_position)

  179.         x_ori, best_position = check_equal_shape('x_ori', x_ori, 'best_position', best_position)

  180.         _, original_num = self._detection_scores((best_position,) + auxiliary_inputs, gt_boxes, gt_labels, model)

  181.         reduction_iters = 6  # recover 10% difference each time and recover 60% totally.

  182.         for _ in range(reduction_iters):

  183.             block_num = 30  # divide the image into 30 segments

  184.             block_width = best_position.shape[0] // block_num

  185.             if block_width > 0:

  186.                 for i in range(block_num):

  187.                     diff = x_ori[i*block_width: (i+1)*block_width, :, :]\

  188.                            - best_position[i*block_width:(i+1)*block_width, :, :]

  189.                     if np.max(np.abs(diff)) >= 0.1*(self._bounds[1] - self._bounds[0]):

  190.                         res = diff*0.1

  191.                         best_position[i*block_width: (i+1)*block_width, :, :] += res

  192.                         _, correct_num = self._detection_scores((best_position,) + auxiliary_inputs, gt_boxes,

  193.                                                                 gt_labels, model)

  194.                         q_times += 1

  195.                         if correct_num[0] > max(original_num[0], gt_num[0]*self._reserve_ratio):

  196.                             best_position[i*block_width:(i+1)*block_width, :, :] -= res

  197.         return best_position, q_times

  198. 

  199.     @staticmethod

  200.     def _detection_scores(inputs, gt_boxes, gt_labels, model):

  201.         """

  202.         Evaluate the detection result of inputs, specially for object detection models.

  203. 

  204.         Args:

  205.             inputs (numpy.ndarray): Input samples.

  206.             gt_boxes (numpy.ndarray): Ground-truth boxes of inputs.

  207.             gt_labels (numpy.ndarray): Ground-truth labels of inputs.

  208.             model (BlackModel): Target model.

  209. 

  210.         Returns:

  211.             - numpy.ndarray, detection scores of inputs.

  212. 

  213.             - numpy.ndarray, the number of objects that are correctly detected.

  214.         """

  215.         model = check_model('model', model, BlackModel)

  216.         boxes_and_confi, pred_labels = model.predict(*inputs)

  217.         det_scores = []

  218.         correct_labels_num = []

  219.         # repeat gt_boxes and gt_labels for all particles cloned from the same sample in PSOAttack/GeneticAttack

  220.         if gt_boxes.shape[0] == 1 and boxes_and_confi.shape[0] > 1:

  221.             gt_boxes = np.repeat(gt_boxes, boxes_and_confi.shape[0], axis=0)

  222.             gt_labels = np.repeat(gt_labels, boxes_and_confi.shape[0], axis=0)

  223.         iou_thres = 0.5

  224.         for boxes, labels, gt_box, gt_label in zip(boxes_and_confi, pred_labels, gt_boxes, gt_labels):

  225.             gt_box_num = gt_box.shape[0]

  226.             score = 0

  227.             box_num = boxes.shape[0]

  228.             correct_label_flag = np.zeros(gt_label.shape)

  229.             for i in range(box_num):

  230.                 pred_box = boxes[i]

  231.                 max_iou_confi = 0

  232.                 for j in range(gt_box_num):

  233.                     iou = calculate_iou(pred_box[:4], gt_box[j][:4])

  234.                     if labels[i] == gt_label[j] and iou > iou_thres and correct_label_flag[j] == 0:

  235.                         max_iou_confi = max(max_iou_confi, pred_box[-1] + iou)

  236.                         correct_label_flag[j] = 1

  237.                 score += max_iou_confi

  238.             det_scores.append(score)

  239.             correct_labels_num.append(np.sum(correct_label_flag))

  240.         return np.array(det_scores), np.array(correct_labels_num)