foolbox.attacks
¶
Reduces the contrast of the input using a perturbation of the given size |
|
Second-order gradient-based attack on the logits. |
|
The Decoupled Direction and Norm L2 adversarial attack. |
|
L2 Projected Gradient Descent |
|
Linf Projected Gradient Descent |
|
L2 Basic Iterative Method |
|
L-infinity Basic Iterative Method |
|
Fast Gradient Method (FGM) |
|
Fast Gradient Sign Method (FGSM) |
|
Samples Gaussian noise with a fixed L2 size. |
|
Samples uniform noise with a fixed L2 size. |
|
Samples Gaussian noise with a fixed L2 size after clipping. |
|
Samples uniform noise with a fixed L2 size after clipping. |
|
Samples uniform noise with a fixed L-infinity size |
|
Repeatedly samples Gaussian noise with a fixed L2 size. |
|
Repeatedly samples uniform noise with a fixed L2 size. |
|
Repeatedly samples Gaussian noise with a fixed L2 size after clipping. |
|
Repeatedly samples uniform noise with a fixed L2 size after clipping. |
|
Repeatedly samples uniform noise with a fixed L-infinity size. |
|
Creates “negative images” by inverting the pixel values. |
|
Reduces the contrast of the input using a binary search to find the smallest adversarial perturbation |
|
Reduces the contrast of the input using a linear search to find the smallest adversarial perturbation |
|
Implementation of the Carlini & Wagner L2 Attack. |
|
Implementation of the NewtonFool Attack. |
|
Implementation of the EAD Attack with EN Decision Rule. |
|
Blurs the inputs using a Gaussian filter with linearly increasing standard deviation. |
|
A simple and fast gradient-based adversarial attack. |
|
A simple and fast gradient-based adversarial attack. |
|
Increases the amount of salt and pepper noise until the input is misclassified. |
|
Blends the input with a uniform noise input until it is misclassified. |
|
For models that preprocess their inputs by binarizing the inputs, this attack can improve adversarials found by other attacks. |
|
Draws randomly from the given dataset until adversarial examples for all inputs have been found. |
|
A powerful adversarial attack that requires neither gradients nor probabilities. |
|
L0 variant of the Brendel & Bethge adversarial attack. |
|
L1 variant of the Brendel & Bethge adversarial attack. |
|
L2 variant of the Brendel & Bethge adversarial attack. |
|
L-infinity variant of the Brendel & Bethge adversarial attack. |
|
alias of |
|
alias of |
|
alias of |
|
alias of |
|
alias of |
-
class
foolbox.attacks.
L2ContrastReductionAttack
(*, target=0.5)¶ Reduces the contrast of the input using a perturbation of the given size
- Parameters
target (float) – Target relative to the bounds from 0 (min) to 1 (max) towards which the contrast is reduced
-
class
foolbox.attacks.
VirtualAdversarialAttack
(steps, xi=1e-06)¶ Second-order gradient-based attack on the logits. 1 The attack calculate an untargeted adversarial perturbation by performing a approximated second order optimization step on the KL divergence between the unperturbed predictions and the predictions for the adversarial perturbation. This attack was originally introduced as the Virtual Adversarial Training 1 method.
- Parameters
steps (int) – Number of update steps.
xi (float) – L2 distance between original image and first adversarial proposal.
References
- 1(1,2)
Takeru Miyato, Shin-ichi Maeda, Masanori Koyama, Ken Nakae, Shin Ishii, “Distributional Smoothing with Virtual Adversarial Training”, https://arxiv.org/abs/1507.00677
-
class
foolbox.attacks.
DDNAttack
(*, init_epsilon=1.0, steps=10, gamma=0.05)¶ The Decoupled Direction and Norm L2 adversarial attack. 2
- Parameters
init_epsilon (float) – Initial value for the norm/epsilon ball.
steps (int) – Number of steps for the optimization.
gamma (float) – Factor by which the norm will be modified: new_norm = norm * (1 + or - gamma).
References
- 2
Jérôme Rony, Luiz G. Hafemann, Luiz S. Oliveira, Ismail Ben Ayed, Robert Sabourin, Eric Granger, “Decoupling Direction and Norm for Efficient Gradient-Based L2 Adversarial Attacks and Defenses”, https://arxiv.org/abs/1811.09600
-
class
foolbox.attacks.
L2ProjectedGradientDescentAttack
(*, rel_stepsize=0.025, abs_stepsize=None, steps=50, random_start=True)¶ L2 Projected Gradient Descent
- Parameters
rel_stepsize (float) – Stepsize relative to epsilon
abs_stepsize (Optional[float]) – If given, it takes precedence over rel_stepsize.
steps (int) – Number of update steps to perform.
random_start (bool) – Whether the perturbation is initialized randomly or starts at zero.
-
class
foolbox.attacks.
LinfProjectedGradientDescentAttack
(*, rel_stepsize=0.03333333333333333, abs_stepsize=None, steps=40, random_start=True)¶ Linf Projected Gradient Descent
- Parameters
rel_stepsize (float) – Stepsize relative to epsilon (defaults to 0.01 / 0.3).
abs_stepsize (Optional[float]) – If given, it takes precedence over rel_stepsize.
steps (int) – Number of update steps to perform.
random_start (bool) – Whether the perturbation is initialized randomly or starts at zero.
-
class
foolbox.attacks.
L2BasicIterativeAttack
(*, rel_stepsize=0.2, abs_stepsize=None, steps=10, random_start=False)¶ L2 Basic Iterative Method
- Parameters
rel_stepsize (float) – Stepsize relative to epsilon.
abs_stepsize (Optional[float]) – If given, it takes precedence over rel_stepsize.
steps (int) – Number of update steps.
random_start (bool) – Controls whether to randomly start within allowed epsilon ball.
-
class
foolbox.attacks.
LinfBasicIterativeAttack
(*, rel_stepsize=0.2, abs_stepsize=None, steps=10, random_start=False)¶ L-infinity Basic Iterative Method
- Parameters
rel_stepsize (float) – Stepsize relative to epsilon.
abs_stepsize (Optional[float]) – If given, it takes precedence over rel_stepsize.
steps (int) – Number of update steps.
random_start (bool) – Controls whether to randomly start within allowed epsilon ball.
-
class
foolbox.attacks.
L2FastGradientAttack
(*, random_start=False)¶ Fast Gradient Method (FGM)
- Parameters
random_start (bool) – Controls whether to randomly start within allowed epsilon ball.
-
class
foolbox.attacks.
LinfFastGradientAttack
(*, random_start=False)¶ Fast Gradient Sign Method (FGSM)
- Parameters
random_start (bool) – Controls whether to randomly start within allowed epsilon ball.
-
class
foolbox.attacks.
L2AdditiveGaussianNoiseAttack
¶ Samples Gaussian noise with a fixed L2 size.
-
class
foolbox.attacks.
L2AdditiveUniformNoiseAttack
¶ Samples uniform noise with a fixed L2 size.
-
class
foolbox.attacks.
L2ClippingAwareAdditiveGaussianNoiseAttack
¶ Samples Gaussian noise with a fixed L2 size after clipping.
The implementation is based on [#Rauber20]_.
References
- 3
Jonas Rauber, Matthias Bethge “Fast Differentiable Clipping-Aware Normalization and Rescaling” https://arxiv.org/abs/2007.07677
-
class
foolbox.attacks.
L2ClippingAwareAdditiveUniformNoiseAttack
¶ Samples uniform noise with a fixed L2 size after clipping.
The implementation is based on [#Rauber20]_.
References
- 4
Jonas Rauber, Matthias Bethge “Fast Differentiable Clipping-Aware Normalization and Rescaling” https://arxiv.org/abs/2007.07677
-
class
foolbox.attacks.
LinfAdditiveUniformNoiseAttack
¶ Samples uniform noise with a fixed L-infinity size
-
class
foolbox.attacks.
L2RepeatedAdditiveGaussianNoiseAttack
(*, repeats=100, check_trivial=True)¶ Repeatedly samples Gaussian noise with a fixed L2 size.
- Parameters
repeats (int) – How often to sample random noise.
check_trivial (bool) – Check whether original sample is already adversarial.
-
class
foolbox.attacks.
L2RepeatedAdditiveUniformNoiseAttack
(*, repeats=100, check_trivial=True)¶ Repeatedly samples uniform noise with a fixed L2 size.
- Parameters
repeats (int) – How often to sample random noise.
check_trivial (bool) – Check whether original sample is already adversarial.
-
class
foolbox.attacks.
L2ClippingAwareRepeatedAdditiveGaussianNoiseAttack
(*, repeats=100, check_trivial=True)¶ Repeatedly samples Gaussian noise with a fixed L2 size after clipping.
The implementation is based on [#Rauber20]_.
References
- 5
Jonas Rauber, Matthias Bethge “Fast Differentiable Clipping-Aware Normalization and Rescaling” https://arxiv.org/abs/2007.07677
- Parameters
repeats (int) – How often to sample random noise.
check_trivial (bool) – Check whether original sample is already adversarial.
-
class
foolbox.attacks.
L2ClippingAwareRepeatedAdditiveUniformNoiseAttack
(*, repeats=100, check_trivial=True)¶ Repeatedly samples uniform noise with a fixed L2 size after clipping.
The implementation is based on [#Rauber20]_.
References
- 6
Jonas Rauber, Matthias Bethge “Fast Differentiable Clipping-Aware Normalization and Rescaling” https://arxiv.org/abs/2007.07677
- Parameters
repeats (int) – How often to sample random noise.
check_trivial (bool) – Check whether original sample is already adversarial.
-
class
foolbox.attacks.
LinfRepeatedAdditiveUniformNoiseAttack
(*, repeats=100, check_trivial=True)¶ Repeatedly samples uniform noise with a fixed L-infinity size.
- Parameters
repeats (int) – How often to sample random noise.
check_trivial (bool) – Check whether original sample is already adversarial.
-
class
foolbox.attacks.
InversionAttack
(*, distance=None)¶ Creates “negative images” by inverting the pixel values. 7
References
- 7
Hossein Hosseini, Baicen Xiao, Mayoore Jaiswal, Radha Poovendran, “On the Limitation of Convolutional Neural Networks in Recognizing Negative Images”, https://arxiv.org/abs/1607.02533
- Parameters
distance (Optional[foolbox.distances.Distance]) –
-
class
foolbox.attacks.
BinarySearchContrastReductionAttack
(*, distance=None, binary_search_steps=15, target=0.5)¶ Reduces the contrast of the input using a binary search to find the smallest adversarial perturbation
- Parameters
distance (Optional[foolbox.distances.Distance]) – Distance measure for which minimal adversarial examples are searched.
binary_search_steps (int) – Number of iterations in the binary search. This controls the precision of the results.
target (float) – Target relative to the bounds from 0 (min) to 1 (max) towards which the contrast is reduced
-
class
foolbox.attacks.
LinearSearchContrastReductionAttack
(*, distance=None, steps=1000, target=0.5)¶ Reduces the contrast of the input using a linear search to find the smallest adversarial perturbation
- Parameters
distance (Optional[foolbox.distances.Distance]) –
steps (int) –
target (float) –
-
class
foolbox.attacks.
L2CarliniWagnerAttack
(binary_search_steps=9, steps=10000, stepsize=0.01, confidence=0, initial_const=0.001, abort_early=True)¶ Implementation of the Carlini & Wagner L2 Attack. 8
- Parameters
binary_search_steps (int) – Number of steps to perform in the binary search over the const c.
steps (int) – Number of optimization steps within each binary search step.
stepsize (float) – Stepsize to update the examples.
confidence (float) – Confidence required for an example to be marked as adversarial. Controls the gap between example and decision boundary.
initial_const (float) – Initial value of the const c with which the binary search starts.
abort_early (bool) – Stop inner search as soons as an adversarial example has been found. Does not affect the binary search over the const c.
References
- 8
Nicholas Carlini, David Wagner, “Towards evaluating the robustness of neural networks. In 2017 ieee symposium on security and privacy” https://arxiv.org/abs/1608.04644
-
class
foolbox.attacks.
NewtonFoolAttack
(steps=100, stepsize=0.01)¶ Implementation of the NewtonFool Attack. 9
- Parameters
steps (int) – Number of update steps to perform.
step_size – Size of each update step.
stepsize (float) –
References
- 9
Uyeong Jang et al., “Objective Metrics and Gradient Descent Algorithms for Adversarial Examples in Machine Learning”, https://dl.acm.org/citation.cfm?id=3134635
-
class
foolbox.attacks.
EADAttack
(binary_search_steps=9, steps=10000, initial_stepsize=0.01, confidence=0.0, initial_const=0.001, regularization=0.01, decision_rule='EN', abort_early=True)¶ Implementation of the EAD Attack with EN Decision Rule. 10
- Parameters
binary_search_steps (int) – Number of steps to perform in the binary search over the const c.
steps (int) – Number of optimization steps within each binary search step.
initial_stepsize (float) – Initial stepsize to update the examples.
confidence (float) – Confidence required for an example to be marked as adversarial. Controls the gap between example and decision boundary.
initial_const (float) – Initial value of the const c with which the binary search starts.
regularization (float) – Controls the L1 regularization.
decision_rule (Union[typing_extensions.Literal['EN'], typing_extensions.Literal['L1']]) – Rule according to which the best adversarial examples are selected. They either minimize the L1 or ElasticNet distance.
abort_early (bool) – Stop inner search as soons as an adversarial example has been found. Does not affect the binary search over the const c.
References
- 10
Pin-Yu Chen, Yash Sharma, Huan Zhang, Jinfeng Yi, Cho-Jui Hsieh,
“EAD: Elastic-Net Attacks to Deep Neural Networks via Adversarial Examples”, https://www.aaai.org/ocs/index.php/AAAI/AAAI18/paper/viewPaper/16893
-
class
foolbox.attacks.
GaussianBlurAttack
(*, distance=None, steps=1000, channel_axis=None, max_sigma=None)¶ Blurs the inputs using a Gaussian filter with linearly increasing standard deviation.
- Parameters
steps (int) – Number of sigma values tested between 0 and max_sigma.
channel_axis (Optional[int]) – Index of the channel axis in the input data.
max_sigma (Optional[float]) – Maximally allowed sigma value of the Gaussian blur.
distance (Optional[foolbox.distances.Distance]) –
-
class
foolbox.attacks.
L2DeepFoolAttack
(*, steps=50, candidates=10, overshoot=0.02, loss='logits')¶ A simple and fast gradient-based adversarial attack.
Implements the DeepFool L2 attack. 11
- Parameters
steps (int) – Maximum number of steps to perform.
candidates (Optional[int]) – Limit on the number of the most likely classes that should be considered. A small value is usually sufficient and much faster.
overshoot (float) – How much to overshoot the boundary.
Loss function to use inside the update function. (loss) –
typing_extensions.Literal['crossentropy']] loss (Union[typing_extensions.Literal['logits'],) –
References
- 11
Seyed-Mohsen Moosavi-Dezfooli, Alhussein Fawzi, Pascal Frossard, “DeepFool: a simple and accurate method to fool deep neural networks”, https://arxiv.org/abs/1511.04599
-
class
foolbox.attacks.
LinfDeepFoolAttack
(*, steps=50, candidates=10, overshoot=0.02, loss='logits')¶ A simple and fast gradient-based adversarial attack.
Implements the DeepFool L-Infinity attack.
- Parameters
steps (int) – Maximum number of steps to perform.
candidates (Optional[int]) – Limit on the number of the most likely classes that should be considered. A small value is usually sufficient and much faster.
overshoot (float) – How much to overshoot the boundary.
Loss function to use inside the update function. (loss) –
typing_extensions.Literal['crossentropy']] loss (Union[typing_extensions.Literal['logits'],) –
-
class
foolbox.attacks.
SaltAndPepperNoiseAttack
(steps=1000, across_channels=True, channel_axis=None)¶ Increases the amount of salt and pepper noise until the input is misclassified.
- Parameters
steps (int) – The number of steps to run.
across_channels (bool) – Whether the noise should be the same across all channels.
channel_axis (Optional[int]) – The axis across which the noise should be the same (if across_channels is True). If None, will be automatically inferred from the model if possible.
-
class
foolbox.attacks.
LinearSearchBlendedUniformNoiseAttack
(*, distance=None, directions=1000, steps=1000)¶ Blends the input with a uniform noise input until it is misclassified.
- Parameters
distance (Optional[foolbox.distances.Distance]) – Distance measure for which minimal adversarial examples are searched.
directions (int) – Number of random directions in which the perturbation is searched.
steps (int) – Number of blending steps between the original image and the random directions.
-
class
foolbox.attacks.
BinarizationRefinementAttack
(*, distance=None, threshold=None, included_in='upper')¶ For models that preprocess their inputs by binarizing the inputs, this attack can improve adversarials found by other attacks. It does this by utilizing information about the binarization and mapping values to the corresponding value in the clean input or to the right side of the threshold.
- Parameters
threshold (Optional[float]) – The threshold used by the models binarization. If none, defaults to (model.bounds()[1] - model.bounds()[0]) / 2.
included_in (Union[typing_extensions.Literal['lower'], typing_extensions.Literal['upper']]) – Whether the threshold value itself belongs to the lower or upper interval.
distance (Optional[foolbox.distances.Distance]) –
-
class
foolbox.attacks.
DatasetAttack
(*, distance=None)¶ Draws randomly from the given dataset until adversarial examples for all inputs have been found.
To pass data form the dataset to this attack, call
feed()
.feed()
can be called several times and should only be called with batches that are small enough that they can be passed through the model.- Parameters
distance (Optional[foolbox.distances.Distance]) – Distance measure for which minimal adversarial examples are searched.
-
class
foolbox.attacks.
BoundaryAttack
(init_attack=None, steps=25000, spherical_step=0.01, source_step=0.01, source_step_convergance=1e-07, step_adaptation=1.5, tensorboard=False, update_stats_every_k=10)¶ A powerful adversarial attack that requires neither gradients nor probabilities.
This is the reference implementation for the attack. 12
Notes
Differences to the original reference implementation: * We do not perform internal operations with float64 * The samples within a batch can currently influence each other a bit * We don’t perform the additional convergence confirmation * The success rate tracking changed a bit * Some other changes due to batching and merged loops
- Parameters
init_attack (Optional[foolbox.attacks.base.MinimizationAttack]) – Attack to use to find a starting points. Defaults to LinearSearchBlendedUniformNoiseAttack. Only used if starting_points is None.
steps (int) – Maximum number of steps to run. Might converge and stop before that.
spherical_step (float) – Initial step size for the orthogonal (spherical) step.
source_step (float) – Initial step size for the step towards the target.
source_step_convergance (float) – Sets the threshold of the stop criterion: if source_step becomes smaller than this value during the attack, the attack has converged and will stop.
step_adaptation (float) – Factor by which the step sizes are multiplied or divided.
tensorboard (Union[typing_extensions.Literal[False], None, str]) – The log directory for TensorBoard summaries. If False, TensorBoard summaries will be disabled (default). If None, the logdir will be runs/CURRENT_DATETIME_HOSTNAME.
update_stats_every_k (int) –
References
- 12
Wieland Brendel (*), Jonas Rauber (*), Matthias Bethge, “Decision-Based Adversarial Attacks: Reliable Attacks Against Black-Box Machine Learning Models”, https://arxiv.org/abs/1712.04248
-
class
foolbox.attacks.
L0BrendelBethgeAttack
(init_attack=None, overshoot=1.1, steps=1000, lr=0.001, lr_decay=0.5, lr_num_decay=20, momentum=0.8, tensorboard=False, binary_search_steps=10)¶ L0 variant of the Brendel & Bethge adversarial attack. [#Bren19]_ This is a powerful gradient-based adversarial attack that follows the adversarial boundary (the boundary between the space of adversarial and non-adversarial images as defined by the adversarial criterion) to find the minimum distance to the clean image.
This is the reference implementation of the Brendel & Bethge attack.
References
- 13
Wieland Brendel, Jonas Rauber, Matthias Kümmerer, Ivan Ustyuzhaninov, Matthias Bethge, “Accurate, reliable and fast robustness evaluation”, 33rd Conference on Neural Information Processing Systems (2019) https://arxiv.org/abs/1907.01003
- Parameters
init_attack (Optional[foolbox.attacks.base.MinimizationAttack]) –
overshoot (float) –
steps (int) –
lr (float) –
lr_decay (float) –
lr_num_decay (int) –
momentum (float) –
None, str] tensorboard (Union[typing_extensions.Literal[False],) –
binary_search_steps (int) –
-
class
foolbox.attacks.
L1BrendelBethgeAttack
(init_attack=None, overshoot=1.1, steps=1000, lr=0.001, lr_decay=0.5, lr_num_decay=20, momentum=0.8, tensorboard=False, binary_search_steps=10)¶ L1 variant of the Brendel & Bethge adversarial attack. [#Bren19]_ This is a powerful gradient-based adversarial attack that follows the adversarial boundary (the boundary between the space of adversarial and non-adversarial images as defined by the adversarial criterion) to find the minimum distance to the clean image.
This is the reference implementation of the Brendel & Bethge attack.
References
- 14
Wieland Brendel, Jonas Rauber, Matthias Kümmerer, Ivan Ustyuzhaninov, Matthias Bethge, “Accurate, reliable and fast robustness evaluation”, 33rd Conference on Neural Information Processing Systems (2019) https://arxiv.org/abs/1907.01003
- Parameters
init_attack (Optional[foolbox.attacks.base.MinimizationAttack]) –
overshoot (float) –
steps (int) –
lr (float) –
lr_decay (float) –
lr_num_decay (int) –
momentum (float) –
None, str] tensorboard (Union[typing_extensions.Literal[False],) –
binary_search_steps (int) –
-
class
foolbox.attacks.
L2BrendelBethgeAttack
(init_attack=None, overshoot=1.1, steps=1000, lr=0.001, lr_decay=0.5, lr_num_decay=20, momentum=0.8, tensorboard=False, binary_search_steps=10)¶ L2 variant of the Brendel & Bethge adversarial attack. [#Bren19]_ This is a powerful gradient-based adversarial attack that follows the adversarial boundary (the boundary between the space of adversarial and non-adversarial images as defined by the adversarial criterion) to find the minimum distance to the clean image.
This is the reference implementation of the Brendel & Bethge attack.
References
- 15
Wieland Brendel, Jonas Rauber, Matthias Kümmerer, Ivan Ustyuzhaninov, Matthias Bethge, “Accurate, reliable and fast robustness evaluation”, 33rd Conference on Neural Information Processing Systems (2019) https://arxiv.org/abs/1907.01003
- Parameters
init_attack (Optional[foolbox.attacks.base.MinimizationAttack]) –
overshoot (float) –
steps (int) –
lr (float) –
lr_decay (float) –
lr_num_decay (int) –
momentum (float) –
None, str] tensorboard (Union[typing_extensions.Literal[False],) –
binary_search_steps (int) –
-
class
foolbox.attacks.
LinfinityBrendelBethgeAttack
(init_attack=None, overshoot=1.1, steps=1000, lr=0.001, lr_decay=0.5, lr_num_decay=20, momentum=0.8, tensorboard=False, binary_search_steps=10)¶ L-infinity variant of the Brendel & Bethge adversarial attack. [#Bren19]_ This is a powerful gradient-based adversarial attack that follows the adversarial boundary (the boundary between the space of adversarial and non-adversarial images as defined by the adversarial criterion) to find the minimum distance to the clean image.
This is the reference implementation of the Brendel & Bethge attack.
References
- 16
Wieland Brendel, Jonas Rauber, Matthias Kümmerer, Ivan Ustyuzhaninov, Matthias Bethge, “Accurate, reliable and fast robustness evaluation”, 33rd Conference on Neural Information Processing Systems (2019) https://arxiv.org/abs/1907.01003
- Parameters
init_attack (Optional[foolbox.attacks.base.MinimizationAttack]) –
overshoot (float) –
steps (int) –
lr (float) –
lr_decay (float) –
lr_num_decay (int) –
momentum (float) –
None, str] tensorboard (Union[typing_extensions.Literal[False],) –
binary_search_steps (int) –
-
foolbox.attacks.
FGM
¶ alias of
foolbox.attacks.fast_gradient_method.L2FastGradientAttack
-
foolbox.attacks.
FGSM
¶ alias of
foolbox.attacks.fast_gradient_method.LinfFastGradientAttack
-
foolbox.attacks.
L2PGD
¶ alias of
foolbox.attacks.projected_gradient_descent.L2ProjectedGradientDescentAttack
-
foolbox.attacks.
LinfPGD
¶ alias of
foolbox.attacks.projected_gradient_descent.LinfProjectedGradientDescentAttack
-
foolbox.attacks.
PGD
¶ alias of
foolbox.attacks.projected_gradient_descent.LinfProjectedGradientDescentAttack