advertorch.attacks
¶
Attacks¶
Attack |
Abstract base class for all attack classes. |
GradientAttack |
Perturbs the input with gradient (not gradient sign) of the loss wrt the input. |
GradientSignAttack |
One step fast gradient sign method (Goodfellow et al, 2014). |
FastFeatureAttack |
Fast attack against a target internal representation of a model using gradient descent (Sabour et al. |
L2BasicIterativeAttack |
Like GradientAttack but with several steps for each epsilon. |
LinfBasicIterativeAttack |
Like GradientSignAttack but with several steps for each epsilon. |
PGDAttack |
The projected gradient descent attack (Madry et al, 2017). |
LinfPGDAttack |
PGD Attack with order=Linf |
L2PGDAttack |
PGD Attack with order=L2 |
L1PGDAttack |
PGD Attack with order=L1 |
LinfSPSAAttack |
SPSA Attack (Uesato et al. |
FABAttack |
Fast Adaptive Boundary Attack (Linf, L2, L1) https://arxiv.org/abs/1907.02044 |
LinfFABAttack |
Linf - Fast Adaptive Boundary Attack https://arxiv.org/abs/1907.02044 |
L2FABAttack |
L2 - Fast Adaptive Boundary Attack https://arxiv.org/abs/1907.02044 |
L1FABAttack |
L1 - Fast Adaptive Boundary Attack https://arxiv.org/abs/1907.02044 |
SparseL1DescentAttack |
SparseL1Descent Attack |
MomentumIterativeAttack |
The Momentum Iterative Attack (Dong et al. |
LinfMomentumIterativeAttack |
The Linf Momentum Iterative Attack Paper: https://arxiv.org/pdf/1710.06081.pdf |
L2MomentumIterativeAttack |
The L2 Momentum Iterative Attack Paper: https://arxiv.org/pdf/1710.06081.pdf |
CarliniWagnerL2Attack |
The Carlini and Wagner L2 Attack, https://arxiv.org/abs/1608.04644 |
ElasticNetL1Attack |
The ElasticNet L1 Attack, https://arxiv.org/abs/1709.04114 |
DDNL2Attack |
The decoupled direction and norm attack (Rony et al, 2018). |
LBFGSAttack |
The attack that uses L-BFGS to minimize the distance of the original and perturbed images |
SinglePixelAttack |
Single Pixel Attack Algorithm 1 in https://arxiv.org/pdf/1612.06299.pdf |
LocalSearchAttack |
Local Search Attack Algorithm 3 in https://arxiv.org/pdf/1612.06299.pdf |
SpatialTransformAttack |
Spatially Transformed Attack (Xiao et al. |
JacobianSaliencyMapAttack |
Jacobian Saliency Map Attack This includes Algorithm 1 and 3 in v1, https://arxiv.org/abs/1511.07528v1 |
Detailed description¶
-
class
advertorch.attacks.
Attack
(predict, loss_fn, clip_min, clip_max)[source]¶ Abstract base class for all attack classes.
Parameters: - predict – forward pass function.
- loss_fn – loss function that takes .
- clip_min – mininum value per input dimension.
- clip_max – maximum value per input dimension.
-
class
advertorch.attacks.
GradientAttack
(predict, loss_fn=None, eps=0.3, clip_min=0.0, clip_max=1.0, targeted=False)[source]¶ Perturbs the input with gradient (not gradient sign) of the loss wrt the input.
Parameters: - predict – forward pass function.
- loss_fn – loss function.
- eps – attack step size.
- clip_min – mininum value per input dimension.
- clip_max – maximum value per input dimension.
- targeted – indicate if this is a targeted attack.
-
perturb
(self, x, y=None)[source]¶ Given examples (x, y), returns their adversarial counterparts with an attack length of eps.
Parameters: - x – input tensor.
- y –
label tensor. - if None and self.targeted=False, compute y as predicted
labels.- if self.targeted=True, then y must be the targeted labels.
Returns: tensor containing perturbed inputs.
-
class
advertorch.attacks.
GradientSignAttack
(predict, loss_fn=None, eps=0.3, clip_min=0.0, clip_max=1.0, targeted=False)[source]¶ One step fast gradient sign method (Goodfellow et al, 2014). Paper: https://arxiv.org/abs/1412.6572
Parameters: - predict – forward pass function.
- loss_fn – loss function.
- eps – attack step size.
- clip_min – mininum value per input dimension.
- clip_max – maximum value per input dimension.
- targeted – indicate if this is a targeted attack.
-
perturb
(self, x, y=None)[source]¶ Given examples (x, y), returns their adversarial counterparts with an attack length of eps.
Parameters: - x – input tensor.
- y –
label tensor. - if None and self.targeted=False, compute y as predicted
labels.- if self.targeted=True, then y must be the targeted labels.
Returns: tensor containing perturbed inputs.
-
class
advertorch.attacks.
FastFeatureAttack
(predict, loss_fn=None, eps=0.3, eps_iter=0.05, nb_iter=10, rand_init=True, clip_min=0.0, clip_max=1.0)[source]¶ Fast attack against a target internal representation of a model using gradient descent (Sabour et al. 2016). Paper: https://arxiv.org/abs/1511.05122
Parameters: - predict – forward pass function.
- loss_fn – loss function.
- eps – maximum distortion.
- eps_iter – attack step size.
- nb_iter – number of iterations
- clip_min – mininum value per input dimension.
- clip_max – maximum value per input dimension.
-
perturb
(self, source, guide, delta=None)[source]¶ Given source, returns their adversarial counterparts with representations close to that of the guide.
Parameters: - source – input tensor which we want to perturb.
- guide – targeted input.
- delta – tensor contains the random initialization.
Returns: tensor containing perturbed inputs.
-
class
advertorch.attacks.
L2BasicIterativeAttack
(predict, loss_fn=None, eps=0.1, nb_iter=10, eps_iter=0.05, clip_min=0.0, clip_max=1.0, targeted=False)[source]¶ Like GradientAttack but with several steps for each epsilon.
Parameters: - predict – forward pass function.
- loss_fn – loss function.
- eps – maximum distortion.
- nb_iter – number of iterations.
- eps_iter – attack step size.
- clip_min – mininum value per input dimension.
- clip_max – maximum value per input dimension.
- targeted – if the attack is targeted.
-
class
advertorch.attacks.
LinfBasicIterativeAttack
(predict, loss_fn=None, eps=0.1, nb_iter=10, eps_iter=0.05, clip_min=0.0, clip_max=1.0, targeted=False)[source]¶ Like GradientSignAttack but with several steps for each epsilon. Aka Basic Iterative Attack. Paper: https://arxiv.org/pdf/1611.01236.pdf
Parameters: - predict – forward pass function.
- loss_fn – loss function.
- eps – maximum distortion.
- nb_iter – number of iterations.
- eps_iter – attack step size.
- rand_init – (optional bool) random initialization.
- clip_min – mininum value per input dimension.
- clip_max – maximum value per input dimension.
- targeted – if the attack is targeted.
-
class
advertorch.attacks.
PGDAttack
(predict, loss_fn=None, eps=0.3, nb_iter=40, eps_iter=0.01, rand_init=True, clip_min=0.0, clip_max=1.0, ord=<Mock name='mock.inf' id='140651820369960'>, l1_sparsity=None, targeted=False)[source]¶ The projected gradient descent attack (Madry et al, 2017). The attack performs nb_iter steps of size eps_iter, while always staying within eps from the initial point. Paper: https://arxiv.org/pdf/1706.06083.pdf
Parameters: - predict – forward pass function.
- loss_fn – loss function.
- eps – maximum distortion.
- nb_iter – number of iterations.
- eps_iter – attack step size.
- rand_init – (optional bool) random initialization.
- clip_min – mininum value per input dimension.
- clip_max – maximum value per input dimension.
- ord – (optional) the order of maximum distortion (inf or 2).
- targeted – if the attack is targeted.
-
perturb
(self, x, y=None)[source]¶ Given examples (x, y), returns their adversarial counterparts with an attack length of eps.
Parameters: - x – input tensor.
- y –
label tensor. - if None and self.targeted=False, compute y as predicted
labels.- if self.targeted=True, then y must be the targeted labels.
Returns: tensor containing perturbed inputs.
-
class
advertorch.attacks.
LinfPGDAttack
(predict, loss_fn=None, eps=0.3, nb_iter=40, eps_iter=0.01, rand_init=True, clip_min=0.0, clip_max=1.0, targeted=False)[source]¶ PGD Attack with order=Linf
Parameters: - predict – forward pass function.
- loss_fn – loss function.
- eps – maximum distortion.
- nb_iter – number of iterations.
- eps_iter – attack step size.
- rand_init – (optional bool) random initialization.
- clip_min – mininum value per input dimension.
- clip_max – maximum value per input dimension.
- targeted – if the attack is targeted.
-
class
advertorch.attacks.
L2PGDAttack
(predict, loss_fn=None, eps=0.3, nb_iter=40, eps_iter=0.01, rand_init=True, clip_min=0.0, clip_max=1.0, targeted=False)[source]¶ PGD Attack with order=L2
Parameters: - predict – forward pass function.
- loss_fn – loss function.
- eps – maximum distortion.
- nb_iter – number of iterations.
- eps_iter – attack step size.
- rand_init – (optional bool) random initialization.
- clip_min – mininum value per input dimension.
- clip_max – maximum value per input dimension.
- targeted – if the attack is targeted.
-
class
advertorch.attacks.
L1PGDAttack
(predict, loss_fn=None, eps=10.0, nb_iter=40, eps_iter=0.01, rand_init=True, clip_min=0.0, clip_max=1.0, targeted=False)[source]¶ PGD Attack with order=L1
Parameters: - predict – forward pass function.
- loss_fn – loss function.
- eps – maximum distortion.
- nb_iter – number of iterations.
- eps_iter – attack step size.
- rand_init – (optional bool) random initialization.
- clip_min – mininum value per input dimension.
- clip_max – maximum value per input dimension.
- targeted – if the attack is targeted.
-
class
advertorch.attacks.
SparseL1DescentAttack
(predict, loss_fn=None, eps=0.3, nb_iter=40, eps_iter=0.01, rand_init=False, clip_min=0.0, clip_max=1.0, l1_sparsity=0.95, targeted=False)[source]¶ SparseL1Descent Attack
Parameters: - predict – forward pass function.
- loss_fn – loss function.
- eps – maximum distortion.
- nb_iter – number of iterations.
- eps_iter – attack step size.
- rand_init – (optional bool) random initialization.
- clip_min – mininum value per input dimension.
- clip_max – maximum value per input dimension.
- targeted – if the attack is targeted.
- l1_sparsity – proportion of zeros in gradient updates
-
class
advertorch.attacks.
LinfSPSAAttack
(predict, eps, delta=0.01, lr=0.01, nb_iter=1, nb_sample=128, max_batch_size=64, targeted=False, loss_fn=None, clip_min=0.0, clip_max=1.0)[source]¶ SPSA Attack (Uesato et al. 2018). Based on: https://arxiv.org/abs/1802.05666
Parameters: - predict – predict function (single argument: input).
- eps – the L_inf budget of the attack.
- delta – scaling parameter of SPSA.
- lr – the learning rate of the Adam optimizer.
- nb_iter – number of iterations of the attack.
- nb_sample – number of samples for SPSA gradient approximation.
- max_batch_size – maximum batch size to be evaluated at once.
- targeted – [description]
- loss_fn – loss function (dual arguments: output, target).
- clip_min – upper bound of image values.
- clip_max – lower bound of image values.
-
perturb
(self, x, y=None)[source]¶ Perturbs the input x based on SPSA attack.
Parameters: - x – input tensor.
- y – label tensor (default=`None`). if self.targeted is False, y is the ground-truth label. if it’s None, then y is computed as the predicted label of x. if self.targeted is True, y is the target label.
Returns: the perturbated input.
-
class
advertorch.attacks.
FABAttack
(predict, norm='Linf', n_restarts=1, n_iter=100, eps=None, alpha_max=0.1, eta=1.05, beta=0.9, loss_fn=None, verbose=False)[source]¶ Fast Adaptive Boundary Attack (Linf, L2, L1) https://arxiv.org/abs/1907.02044
Parameters: - predict – forward pass function
- norm – Lp-norm to minimize (‘Linf’, ‘L2’, ‘L1’ supported)
- n_restarts – number of random restarts
- n_iter – number of iterations
- eps – epsilon for the random restarts
- alpha_max – alpha_max
- eta – overshooting
- beta – backward step
- device – device to use (‘cuda’ or ‘cpu’)
-
class
advertorch.attacks.
LinfFABAttack
(predict, n_restarts=1, n_iter=100, eps=None, alpha_max=0.1, eta=1.05, beta=0.9, loss_fn=None, verbose=False)[source]¶ Linf - Fast Adaptive Boundary Attack https://arxiv.org/abs/1907.02044
Parameters: - predict – forward pass function
- n_restarts – number of random restarts
- n_iter – number of iterations
- eps – epsilon for the random restarts
- alpha_max – alpha_max
- eta – overshooting
- beta – backward step
- device – device to use (‘cuda’ or ‘cpu’)
-
class
advertorch.attacks.
L2FABAttack
(predict, n_restarts=1, n_iter=100, eps=None, alpha_max=0.1, eta=1.05, beta=0.9, loss_fn=None, verbose=False)[source]¶ L2 - Fast Adaptive Boundary Attack https://arxiv.org/abs/1907.02044
Parameters: - predict – forward pass function
- n_restarts – number of random restarts
- n_iter – number of iterations
- eps – epsilon for the random restarts
- alpha_max – alpha_max
- eta – overshooting
- beta – backward step
- device – device to use (‘cuda’ or ‘cpu’)
-
class
advertorch.attacks.
L1FABAttack
(predict, n_restarts=1, n_iter=100, eps=None, alpha_max=0.1, eta=1.05, beta=0.9, loss_fn=None, verbose=False)[source]¶ L1 - Fast Adaptive Boundary Attack https://arxiv.org/abs/1907.02044
Parameters: - predict – forward pass function
- n_restarts – number of random restarts
- n_iter – number of iterations
- eps – epsilon for the random restarts
- alpha_max – alpha_max
- eta – overshooting
- beta – backward step
- device – device to use (‘cuda’ or ‘cpu’)
-
class
advertorch.attacks.
MomentumIterativeAttack
(predict, loss_fn=None, eps=0.3, nb_iter=40, decay_factor=1.0, eps_iter=0.01, clip_min=0.0, clip_max=1.0, targeted=False, ord=<Mock name='mock.inf' id='140651820369960'>)[source]¶ The Momentum Iterative Attack (Dong et al. 2017).
The attack performs nb_iter steps of size eps_iter, while always staying within eps from the initial point. The optimization is performed with momentum. Paper: https://arxiv.org/pdf/1710.06081.pdf
Parameters: - predict – forward pass function.
- loss_fn – loss function.
- eps – maximum distortion.
- nb_iter – number of iterations
- decay_factor – momentum decay factor.
- eps_iter – attack step size.
- clip_min – mininum value per input dimension.
- clip_max – maximum value per input dimension.
- targeted – if the attack is targeted.
- ord – the order of maximum distortion (inf or 2).
-
perturb
(self, x, y=None)[source]¶ Given examples (x, y), returns their adversarial counterparts with an attack length of eps.
Parameters: - x – input tensor.
- y –
label tensor. - if None and self.targeted=False, compute y as predicted
labels.- if self.targeted=True, then y must be the targeted labels.
Returns: tensor containing perturbed inputs.
-
class
advertorch.attacks.
CarliniWagnerL2Attack
(predict, num_classes, confidence=0, targeted=False, learning_rate=0.01, binary_search_steps=9, max_iterations=10000, abort_early=True, initial_const=0.001, clip_min=0.0, clip_max=1.0, loss_fn=None)[source]¶ The Carlini and Wagner L2 Attack, https://arxiv.org/abs/1608.04644
Parameters: - predict – forward pass function.
- num_classes – number of clasess.
- confidence – confidence of the adversarial examples.
- targeted – if the attack is targeted.
- learning_rate – the learning rate for the attack algorithm
- binary_search_steps – number of binary search times to find the optimum
- max_iterations – the maximum number of iterations
- abort_early – if set to true, abort early if getting stuck in local min
- initial_const – initial value of the constant c
- clip_min – mininum value per input dimension.
- clip_max – maximum value per input dimension.
- loss_fn – loss function
-
class
advertorch.attacks.
ElasticNetL1Attack
(predict, num_classes, confidence=0, targeted=False, learning_rate=0.01, binary_search_steps=9, max_iterations=10000, abort_early=False, initial_const=0.001, clip_min=0.0, clip_max=1.0, beta=0.01, decision_rule='EN', loss_fn=None)[source]¶ The ElasticNet L1 Attack, https://arxiv.org/abs/1709.04114
Parameters: - predict – forward pass function.
- num_classes – number of clasess.
- confidence – confidence of the adversarial examples.
- targeted – if the attack is targeted.
- learning_rate – the learning rate for the attack algorithm
- binary_search_steps – number of binary search times to find the optimum
- max_iterations – the maximum number of iterations
- abort_early – if set to true, abort early if getting stuck in local min
- initial_const – initial value of the constant c
- clip_min – mininum value per input dimension.
- clip_max – maximum value per input dimension.
- beta – hyperparameter trading off L2 minimization for L1 minimization
- decision_rule – EN or L1. Select final adversarial example from all successful examples based on the least elastic-net or L1 distortion criterion.
- loss_fn – loss function
-
class
advertorch.attacks.
DDNL2Attack
(predict, nb_iter=100, gamma=0.05, init_norm=1.0, quantize=True, levels=256, clip_min=0.0, clip_max=1.0, targeted=False, loss_fn=None)[source]¶ The decoupled direction and norm attack (Rony et al, 2018). Paper: https://arxiv.org/abs/1811.09600
Parameters: - predict – forward pass function.
- nb_iter – number of iterations.
- gamma – factor to modify the norm at each iteration.
- init_norm – initial norm of the perturbation.
- quantize – perform quantization at each iteration.
- levels – number of quantization levels (e.g. 256 for 8 bit images).
- clip_min – mininum value per input dimension.
- clip_max – maximum value per input dimension.
- targeted – if the attack is targeted.
- loss_fn – loss function.
-
perturb
(self, x, y=None)[source]¶ Given examples (x, y), returns their adversarial counterparts with an attack length of eps.
Parameters: - x – input tensor.
- y –
label tensor. - if None and self.targeted=False, compute y as predicted
labels.- if self.targeted=True, then y must be the targeted labels.
Returns: tensor containing perturbed inputs.
-
class
advertorch.attacks.
LBFGSAttack
(predict, num_classes, batch_size=1, binary_search_steps=9, max_iterations=100, initial_const=0.01, clip_min=0, clip_max=1, loss_fn=None, targeted=False)[source]¶ The attack that uses L-BFGS to minimize the distance of the original and perturbed images
Parameters: - predict – forward pass function.
- num_classes – number of clasess.
- batch_size – number of samples in the batch
- binary_search_steps – number of binary search times to find the optimum
- max_iterations – the maximum number of iterations
- initial_const – initial value of the constant c
- clip_min – mininum value per input dimension.
- clip_max – maximum value per input dimension.
- loss_fn – loss function
- targeted – if the attack is targeted.
-
class
advertorch.attacks.
SinglePixelAttack
(predict, max_pixels=100, clip_min=0.0, loss_fn=None, clip_max=1.0, comply_with_foolbox=False, targeted=False)[source]¶ Single Pixel Attack Algorithm 1 in https://arxiv.org/pdf/1612.06299.pdf
Parameters: - predict – forward pass function.
- max_pixels – max number of pixels to perturb.
- clip_min – mininum value per input dimension.
- clip_max – maximum value per input dimension.
- loss_fn – loss function
- targeted – if the attack is targeted.
-
class
advertorch.attacks.
LocalSearchAttack
(predict, clip_min=0.0, clip_max=1.0, p=1.0, r=1.5, loss_fn=None, d=5, t=5, k=1, round_ub=10, seed_ratio=0.1, max_nb_seeds=128, comply_with_foolbox=False, targeted=False)[source]¶ Local Search Attack Algorithm 3 in https://arxiv.org/pdf/1612.06299.pdf
Parameters: - predict – forward pass function.
- clip_min – mininum value per input dimension.
- clip_max – maximum value per input dimension.
- p – parameter controls pixel complexity
- r – perturbation value
- loss_fn – loss function
- d – the half side length of the neighbourhood square
- t – the number of pixels perturbed at each round
- k – the threshold for k-misclassification
- round_ub – an upper bound on the number of rounds
-
class
advertorch.attacks.
SpatialTransformAttack
(predict, num_classes, confidence=0, initial_const=1, max_iterations=1000, search_steps=1, loss_fn=None, clip_min=0.0, clip_max=1.0, abort_early=True, targeted=False)[source]¶ Spatially Transformed Attack (Xiao et al. 2018) https://openreview.net/forum?id=HyydRMZC-
Parameters: - predict – forward pass function.
- num_classes – number of clasess.
- confidence – confidence of the adversarial examples.
- initial_const – initial value of the constant c
- max_iterations – the maximum number of iterations
- search_steps – number of search times to find the optimum
- loss_fn – loss function
- clip_min – mininum value per input dimension.
- clip_max – maximum value per input dimension.
- abort_early – if set to true, abort early if getting stuck in local min
- targeted – if the attack is targeted
-
class
advertorch.attacks.
JacobianSaliencyMapAttack
(predict, num_classes, clip_min=0.0, clip_max=1.0, loss_fn=None, theta=1.0, gamma=1.0, comply_cleverhans=False)[source]¶ Jacobian Saliency Map Attack This includes Algorithm 1 and 3 in v1, https://arxiv.org/abs/1511.07528v1
Parameters: - predict – forward pass function.
- num_classes – number of clasess.
- clip_min – mininum value per input dimension.
- clip_max – maximum value per input dimension.
- gamma – highest percentage of pixels can be modified
- theta – perturb length, range is either [theta, 0], [0, theta]