CW攻击原论文地址——https://arxiv.org/pdf/1608.04644.pdf

1.CW攻击的原理

  CW攻击是一种基于优化的攻击,攻击的名称是两个作者的首字母。首先还是贴出攻击算法的公式表达:

 下面解释下算法的大概思想,该算法将对抗样本当成一个变量,那么现在如果要使得攻击成功就要满足两个条件:(1)对抗样本和对应的干净样本应该差距越小越好;(2)对抗样本应该使得模型分类错,且错的那一类的概率越高越好。

  其实上述公式的两部分loss也就是基于这两点而得到的,首先说第一部分,rn对应着干净样本和对抗样本的差,但作者在这里有个小trick,他把对抗样本映射到了tanh空间里面,这样做有什么好处呢?如果不做变换,那么x只能在(0,1)这个范围内变换,做了这个变换 ,x可以在-inf到+inf做变换,有利于优化。

再来说说第二部分,公式中的Z(x)表示的是样本x通过模型未经过softmax的输出向量,对于干净的样本来说,这个这个向量的最大值对应的就是正确的类别(如果分类正确的话),现在我们将类别t(也就是我们最后想要攻击成的类别)所对应的逻辑值记为,将最大的值(对应类别不同于t)记为,如果通过优化使得变小,攻击不就离成功了更近嘛。那么式子中的k是什么呢?k其实就是置信度(confidence),可以理解为,k越大,那么模型分错,且错成的那一类的概率越大。但与此同时,这样的对抗样本就更难找了。最后就是常数c,这是一个超参数,用来权衡两个loss之间的关系,在原论文中,作者使用二分查找来确定c值。

  下面总结一下CW攻击:

  CW是一个基于优化的攻击,主要调节的参数是c和k,看你自己的需要了。它的优点在于,可以调节置信度,生成的扰动小,可以破解很多的防御方法,缺点是,很慢~~~

  最后在说一下,就是在某些防御论文中,它实现CW攻击,是直接用替换PGD中的loss,其余步骤和PGD一模一样。

2.CW代码实现

class CarliniWagnerL2Attack(Attack, LabelMixin):

    def __init__(self, predict, num_classes, confidence=0,
targeted=False, learning_rate=0.01,
binary_search_steps=9, max_iterations=10000,
abort_early=True, initial_const=1e-3,
clip_min=0., clip_max=1., loss_fn=None):
"""
Carlini Wagner L2 Attack implementation in pytorch Carlini, Nicholas, and David Wagner. "Towards evaluating the
robustness of neural networks." 2017 IEEE Symposium on Security and
Privacy (SP). IEEE, 2017.
https://arxiv.org/abs/1608.04644 learning_rate: the learning rate for the attack algorithm
max_iterations: the maximum number of iterations
binary_search_steps: number of binary search times to find the optimum
abort_early: if set to true, abort early if getting stuck in local min
confidence: confidence of the adversarial examples
targeted: TODO
""" if loss_fn is not None:
import warnings
warnings.warn(
"This Attack currently do not support a different loss"
" function other than the default. Setting loss_fn manually"
" is not effective."
) loss_fn = None super(CarliniWagnerL2Attack, self).__init__(
predict, loss_fn, clip_min, clip_max) self.learning_rate = learning_rate
self.max_iterations = max_iterations
self.binary_search_steps = binary_search_steps
self.abort_early = abort_early
self.confidence = confidence
self.initial_const = initial_const
self.num_classes = num_classes
# The last iteration (if we run many steps) repeat the search once.
self.repeat = binary_search_steps >= REPEAT_STEP
self.targeted = targeted def _loss_fn(self, output, y_onehot, l2distsq, const):
# TODO: move this out of the class and make this the default loss_fn
# after having targeted tests implemented
real = (y_onehot * output).sum(dim=1) # TODO: make loss modular, write a loss class
other = ((1.0 - y_onehot) * output - (y_onehot * TARGET_MULT)
).max(1)[0]
# - (y_onehot * TARGET_MULT) is for the true label not to be selected if self.targeted:
loss1 = clamp(other - real + self.confidence, min=0.)
else:
loss1 = clamp(real - other + self.confidence, min=0.)
loss2 = (l2distsq).sum()
loss1 = torch.sum(const * loss1)
loss = loss1 + loss2
return loss def _is_successful(self, output, label, is_logits):
# determine success, see if confidence-adjusted logits give the right
# label if is_logits:
output = output.detach().clone()
if self.targeted:
output[torch.arange(len(label)), label] -= self.confidence
else:
output[torch.arange(len(label)), label] += self.confidence
pred = torch.argmax(output, dim=1)
else:
pred = output
if pred == INVALID_LABEL:
return pred.new_zeros(pred.shape).byte() return is_successful(pred, label, self.targeted) def _forward_and_update_delta(
self, optimizer, x_atanh, delta, y_onehot, loss_coeffs): optimizer.zero_grad()
adv = tanh_rescale(delta + x_atanh, self.clip_min, self.clip_max)
transimgs_rescale = tanh_rescale(x_atanh, self.clip_min, self.clip_max)
output = self.predict(adv)
l2distsq = calc_l2distsq(adv, transimgs_rescale)
loss = self._loss_fn(output, y_onehot, l2distsq, loss_coeffs)
loss.backward()
optimizer.step() return loss.item(), l2distsq.data, output.data, adv.data def _get_arctanh_x(self, x):
result = clamp((x - self.clip_min) / (self.clip_max - self.clip_min),
min=self.clip_min, max=self.clip_max) * 2 - 1
return torch_arctanh(result * ONE_MINUS_EPS) def _update_if_smaller_dist_succeed(
self, adv_img, labs, output, l2distsq, batch_size,
cur_l2distsqs, cur_labels,
final_l2distsqs, final_labels, final_advs): target_label = labs
output_logits = output
_, output_label = torch.max(output_logits, 1) mask = (l2distsq < cur_l2distsqs) & self._is_successful(
output_logits, target_label, True) cur_l2distsqs[mask] = l2distsq[mask] # redundant
cur_labels[mask] = output_label[mask] mask = (l2distsq < final_l2distsqs) & self._is_successful(
output_logits, target_label, True)
final_l2distsqs[mask] = l2distsq[mask]
final_labels[mask] = output_label[mask]
final_advs[mask] = adv_img[mask] def _update_loss_coeffs(
self, labs, cur_labels, batch_size, loss_coeffs,
coeff_upper_bound, coeff_lower_bound): # TODO: remove for loop, not significant, since only called during each
# binary search step
for ii in range(batch_size):
cur_labels[ii] = int(cur_labels[ii])
if self._is_successful(cur_labels[ii], labs[ii], False):
coeff_upper_bound[ii] = min(
coeff_upper_bound[ii], loss_coeffs[ii]) if coeff_upper_bound[ii] < UPPER_CHECK:
loss_coeffs[ii] = (
coeff_lower_bound[ii] + coeff_upper_bound[ii]) / 2
else:
coeff_lower_bound[ii] = max(
coeff_lower_bound[ii], loss_coeffs[ii])
if coeff_upper_bound[ii] < UPPER_CHECK:
loss_coeffs[ii] = (
coeff_lower_bound[ii] + coeff_upper_bound[ii]) / 2
else:
loss_coeffs[ii] *= 10 def perturb(self, x, y=None):
x, y = self._verify_and_process_inputs(x, y) # Initialization
if y is None:
y = self._get_predicted_label(x)
x = replicate_input(x)
batch_size = len(x)
coeff_lower_bound = x.new_zeros(batch_size)
coeff_upper_bound = x.new_ones(batch_size) * CARLINI_COEFF_UPPER
loss_coeffs = torch.ones_like(y).float() * self.initial_const
final_l2distsqs = [CARLINI_L2DIST_UPPER] * batch_size
final_labels = [INVALID_LABEL] * batch_size
final_advs = x
x_atanh = self._get_arctanh_x(x)
y_onehot = to_one_hot(y, self.num_classes).float() final_l2distsqs = torch.FloatTensor(final_l2distsqs).to(x.device)
final_labels = torch.LongTensor(final_labels).to(x.device) # Start binary search
for outer_step in range(self.binary_search_steps):
delta = nn.Parameter(torch.zeros_like(x))
optimizer = optim.Adam([delta], lr=self.learning_rate)
cur_l2distsqs = [CARLINI_L2DIST_UPPER] * batch_size
cur_labels = [INVALID_LABEL] * batch_size
cur_l2distsqs = torch.FloatTensor(cur_l2distsqs).to(x.device)
cur_labels = torch.LongTensor(cur_labels).to(x.device)
prevloss = PREV_LOSS_INIT if (self.repeat and outer_step == (self.binary_search_steps - 1)):
loss_coeffs = coeff_upper_bound
for ii in range(self.max_iterations):
loss, l2distsq, output, adv_img = \
self._forward_and_update_delta(
optimizer, x_atanh, delta, y_onehot, loss_coeffs)
if self.abort_early:
if ii % (self.max_iterations // NUM_CHECKS or 1) == 0:
if loss > prevloss * ONE_MINUS_EPS:
break
prevloss = loss self._update_if_smaller_dist_succeed(
adv_img, y, output, l2distsq, batch_size,
cur_l2distsqs, cur_labels,
final_l2distsqs, final_labels, final_advs) self._update_loss_coeffs(
y, cur_labels, batch_size,
loss_coeffs, coeff_upper_bound, coeff_lower_bound) return final_advs

  

4 基于优化的攻击——CW的更多相关文章

  1. 5.基于优化的攻击——CW

    CW攻击原论文地址——https://arxiv.org/pdf/1608.04644.pdf 1.CW攻击的原理 CW攻击是一种基于优化的攻击,攻击的名称是两个作者的首字母.首先还是贴出攻击算法的公 ...

  2. 2.基于梯度的攻击——FGSM

    FGSM原论文地址:https://arxiv.org/abs/1412.6572 1.FGSM的原理 FGSM的全称是Fast Gradient Sign Method(快速梯度下降法),在白盒环境 ...

  3. 1 基于梯度的攻击——FGSM

    FGSM原论文地址:https://arxiv.org/abs/1412.6572 1.FGSM的原理 FGSM的全称是Fast Gradient Sign Method(快速梯度下降法),在白盒环境 ...

  4. 4.基于梯度的攻击——MIM

    MIM攻击原论文地址——https://arxiv.org/pdf/1710.06081.pdf 1.MIM攻击的原理 MIM攻击全称是 Momentum Iterative Method,其实这也是 ...

  5. 3.基于梯度的攻击——PGD

    PGD攻击原论文地址——https://arxiv.org/pdf/1706.06083.pdf 1.PGD攻击的原理 PGD(Project Gradient Descent)攻击是一种迭代攻击,可 ...

  6. 3 基于梯度的攻击——MIM

    MIM攻击原论文地址——https://arxiv.org/pdf/1710.06081.pdf 1.MIM攻击的原理 MIM攻击全称是 Momentum Iterative Method,其实这也是 ...

  7. 2 基于梯度的攻击——PGD

    PGD攻击原论文地址——https://arxiv.org/pdf/1706.06083.pdf 1.PGD攻击的原理 PGD(Project Gradient Descent)攻击是一种迭代攻击,可 ...

  8. uva live 6190 Beautiful Spacing (二分法+dp试 基于优化的独特性质)

    I - Beautiful Spacing Time Limit:8000MS     Memory Limit:65536KB     64bit IO Format:%lld & %llu ...

  9. 京东云与AI 10 篇论文被AAAI 2020 收录,京东科技实力亮相世界舞台

    美国时间2月7-12日,AAAI 2020大会在纽约正式拉开序幕,AAAI作为全球人工智能领域的顶级学术会议,每年评审并收录来自全球最顶尖的学术论文,这些学术研究引领着技术的趋势和未来.京东云与AI在 ...

随机推荐

  1. gtid 1032同步异常处理

    gtid  1032同步异常处理 .sql # 在从库中执行 ; ,); ,); ,); ,); ; mysql> select * from fudao_student_lable; +--- ...

  2. 【原】GitHub使用教程

    GitHub使用教程 1 注册 GitHub 账户 要想使用github第一步当然是注册github账号了(www.github.com). 2 安装客户端 msysgit github是服务端,要想 ...

  3. JavaScript基础之变量的自增与自减

    一.自增(++) ⑴什么是自增? 通过自增运算符可以使变量在自身的基础上加一: 对于一个变量自增以后,原变量的值会立即自增一: 示例: <!DOCTYPE html> <html l ...

  4. 1、Socket通信

    [TCP] 服务器端:无目标插座升级为有目标插座后,就可以通过有目标的插座收发数据 客户端: 实战:此案例有利于理解Socket的工作流程. 缺点:服务器只能接收1个客户端的连接,因为只写了一个Acc ...

  5. 51 Nod 1636 教育改革(dp)

    1636 教育改革  题目来源: CodeForces 基准时间限制:1 秒 空间限制:131072 KB 分值: 20 难度:3级算法题  收藏  关注 最近A学校正在实施教育改革. 一个学年由n天 ...

  6. 灰度图像--图像分割 霍夫变换(Hough Transform)--直线

    学习DIP第50天 转载请标明本文出处:http://blog.csdn.net/tonyshengtan ,出于尊重文章作者的劳动,转载请标明出处!文章代码已托管,欢迎共同开发:https://gi ...

  7. jquery注册验证的写法

    在做注册页面时会用到jquery验证注册信息,用户名,密码,邮箱,手机号的验证,比较简单的,新手莫怪... <script> function Name(){ var name = $(& ...

  8. Log4j rootLogger根配置以及4种日志级别

    Log4j 根配置语法 log4j.rootLogger = [ level ] , appenderName, appenderName, … 把指定级别以上的日志信息输出到指定的一个或者多个位置 ...

  9. 微信小程序之阻止冒泡事件

    众所周知,在微信小程序给标签绑定点击方法大家都会想到 "bindtap" 但是在页面中会遇到 点击 会冒泡而触发其他元素的时间发生 那么怎么办呢 就把引发冒泡事件的始作俑者的 bi ...

  10. 升级日志sdfsdfsdfsdfsdfdsf

    升级日志sdfsdfsdfsdfsdfdsf 升级日志小书匠 版本号 新功能 修改