本篇文章是博主在AI、无人机、强化学习等领域学习时,用于个人学习、研究或者欣赏使用,并基于博主对人工智能等领域的一些理解而记录的学习摘录和笔记,若有不当和侵权之处,指出后将会立即改正,还望谅解。文章分类在AI学习:
AI学习笔记(6)---《FGSM、PGD、BIM对抗攻击算法实现》
FGSM、PGD、BIM对抗攻击算法实现
目录
1 前言
2 采用PGD对抗样本生成
3 采用BIM对抗样本生成
4 总结
1 前言
PGD、BIM对抗攻击算法实现可以直接导入这个 torchattacks这个库,这个库中有很多常用的对抗攻击的算法。
pip install torchattacks
然后添加相关代码,即可直接调用:
perturbed_data = torchattacks.PGD(model, epsilon, 0.2, steps=4)
# perturbed_data = (torchattacks.BIM(model, epsilon, 0.2, steps=4))
perturbed_data = perturbed_data(data, target)FGSM对抗样本识别的代码请看这篇文章:
FGSM对抗攻击算法实现
本篇文章主要分享使用FGSM、PGD、BIM对抗攻击算法实现实现手写数字识别,项目的代码在下面的链接中:
FGSM、PGD、BIM对抗攻击算法实现资源
如果CSDN下载不了的话,可以关注公众号免费获取:小趴菜只卖红薯
2 采用PGD对抗样本生成
2.1 PGD对抗样本生成代码
class PGD(Attack):def __init__(self, model, eps=8 / 255, alpha=2 / 255, steps=10, random_start=True):super().__init__("PGD", model)self.eps = epsself.alpha = alphaself.steps = stepsself.random_start = random_startself.supported_mode = ["default", "targeted"]def forward(self, images, labels):r"""Overridden."""images = images.clone().detach().to(self.device)labels = labels.clone().detach().to(self.device)if self.targeted:target_labels = self.get_target_label(images, labels)loss = nn.CrossEntropyLoss()adv_images = images.clone().detach()if self.random_start:# Starting at a uniformly random pointadv_images = adv_images + torch.empty_like(adv_images).uniform_(-self.eps, self.eps)adv_images = torch.clamp(adv_images, min=0, max=1).detach()for _ in range(self.steps):adv_images.requires_grad = Trueoutputs = self.get_logits(adv_images)# Calculate lossif self.targeted:cost = -loss(outputs, target_labels)else:cost = loss(outputs, labels)# Update adversarial imagesgrad = torch.autograd.grad(cost, adv_images, retain_graph=False, create_graph=False)[0]adv_images = adv_images.detach() + self.alpha * grad.sign()delta = torch.clamp(adv_images - images, min=-self.eps, max=self.eps)adv_images = torch.clamp(images + delta, min=0, max=1).detach()return adv_images2.2 PGD对抗样本生成测试结果
3 采用BIM对抗样本生成
3.1 BIM对抗样本生成代码
class BIM(Attack):def __init__(self, model, eps=8 / 255, alpha=2 / 255, steps=10):super().__init__("BIM", model)self.eps = epsself.alpha = alphaif steps == 0:self.steps = int(min(eps * 255 + 4, 1.25 * eps * 255))else:self.steps = stepsself.supported_mode = ["default", "targeted"]def forward(self, images, labels):r"""Overridden."""images = images.clone().detach().to(self.device)labels = labels.clone().detach().to(self.device)if self.targeted:target_labels = self.get_target_label(images, labels)loss = nn.CrossEntropyLoss()ori_images = images.clone().detach()for _ in range(self.steps):images.requires_grad = Trueoutputs = self.get_logits(images)# Calculate lossif self.targeted:cost = -loss(outputs, target_labels)else:cost = loss(outputs, labels)# Update adversarial imagesgrad = torch.autograd.grad(cost, images, retain_graph=False, create_graph=False)[0]adv_images = images + self.alpha * grad.sign()a = torch.clamp(ori_images - self.eps, min=0)b = (adv_images >= a).float() * adv_images + (adv_images < a).float() * a # nopep8c = (b > ori_images + self.eps).float() * (ori_images + self.eps) + (b <= ori_images + self.eps).float() * b # nopep8images = torch.clamp(c, max=1).detach()return images3.2 BIM对抗样本生成测试结果
4 总结
由上述的实验结果可以看出,在epsilon相同的时候有FGSM的准确率率 > PGD的准确率 > BIM的准确率衰减速率;
通过图像的倾斜角度可以观察出,FGSM的准确率衰减速率 < PGD的准确率衰减速率 < BIM的准确率衰减速率。
如果限制扰动量的大小,以使人眼不易察觉,可以通过改进对抗样本生成方法,使用不同对抗样本生成方法,提高对抗样本的对抗性。
文章若有不当和不正确之处,还望理解与指出。由于部分文字、图片等来源于互联网,无法核实真实出处,如涉及相关争议,请联系博主删除。如有错误、疑问和侵权,欢迎评论留言联系作者,或者关注VX公众号:Rain21321,联系作者。
