Gradient-based attacks
class foolbox.v1.attacks.GradientAttack(model=None, criterion=<foolbox.criteria.Misclassification object>, distance=<class 'foolbox.distances.MeanSquaredDistance'>, threshold=None)

Perturbs the input with the gradient of the loss w.r.t. the input, gradually increasing the magnitude until the input is misclassified.

Does nothing if the model does not provide gradients.

__call__(self, input_or_adv, label=None, unpack=True, epsilons=1000, max_epsilon=1)

Perturbs the input with the gradient of the loss w.r.t. the input, gradually increasing the magnitude until the input is misclassified.

Parameters:
- input_or_adv : numpy.ndarray or Adversarial
  The original, unperturbed input as a numpy.ndarray or an Adversarial instance.
- label : int
  The reference label of the original input. Must be passed if input_or_adv is a numpy.ndarray; must not be passed if it is an Adversarial instance.
- unpack : bool
  If True, returns the adversarial input; otherwise returns the Adversarial object.
- epsilons : int or Iterable[float]
  Either an iterable of step sizes in the gradient direction or the number of step sizes between 0 and max_epsilon that should be tried.
- max_epsilon : float
  Largest step size if epsilons is not an iterable.
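The sweep over step sizes can be sketched in a few lines of NumPy. The two-class linear softmax model, `predict`, and `loss_gradient` below are illustrative assumptions for the sketch, not part of the foolbox API:

```python
import numpy as np

# Toy two-class linear softmax model: logits = W @ x (assumption for illustration).
W = np.array([[1.0, -1.0], [-1.0, 1.0]])

def predict(x):
    return int(np.argmax(W @ x))

def loss_gradient(x, label):
    # Gradient of the cross-entropy loss w.r.t. the input x.
    logits = W @ x
    p = np.exp(logits - logits.max())
    p /= p.sum()
    return W.T @ (p - np.eye(2)[label])

def gradient_attack(x, label, epsilons=1000, max_epsilon=1.0):
    g = loss_gradient(x, label)
    g = g / (np.linalg.norm(g) + 1e-12)  # normalized gradient direction
    for eps in np.linspace(0, max_epsilon, num=epsilons + 1)[1:]:
        candidate = np.clip(x + eps * g, 0, 1)
        if predict(candidate) != label:
            return candidate  # first misclassified point along the sweep
    return None

x = np.array([0.7, 0.3])
adv = gradient_attack(x, label=0)
```

The integer `epsilons` is expanded into a grid of step sizes between 0 and `max_epsilon`, and the first perturbation that flips the prediction is returned.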
class foolbox.v1.attacks.GradientSignAttack(model=None, criterion=<foolbox.criteria.Misclassification object>, distance=<class 'foolbox.distances.MeanSquaredDistance'>, threshold=None)

Adds the sign of the gradient to the input, gradually increasing the magnitude until the input is misclassified. This attack is often referred to as the Fast Gradient Sign Method (FGSM) and was introduced in [1].

Does nothing if the model does not provide gradients.

References

[1] Ian J. Goodfellow, Jonathon Shlens, Christian Szegedy, “Explaining and Harnessing Adversarial Examples”, https://arxiv.org/abs/1412.6572

__call__(self, input_or_adv, label=None, unpack=True, epsilons=1000, max_epsilon=1)

Adds the sign of the gradient to the input, gradually increasing the magnitude until the input is misclassified.

Parameters:
- input_or_adv : numpy.ndarray or Adversarial
  The original, unperturbed input as a numpy.ndarray or an Adversarial instance.
- label : int
  The reference label of the original input. Must be passed if input_or_adv is a numpy.ndarray; must not be passed if it is an Adversarial instance.
- unpack : bool
  If True, returns the adversarial input; otherwise returns the Adversarial object.
- epsilons : int or Iterable[float]
  Either an iterable of step sizes in the direction of the sign of the gradient or the number of step sizes between 0 and max_epsilon that should be tried.
- max_epsilon : float
  Largest step size if epsilons is not an iterable.
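The only difference from GradientAttack is that the step direction is the elementwise sign of the gradient rather than the normalized gradient. A minimal sketch, again assuming a toy linear softmax model that is not part of foolbox:

```python
import numpy as np

# Toy two-class linear softmax model (assumption for illustration).
W = np.array([[1.0, -1.0], [-1.0, 1.0]])

def predict(x):
    return int(np.argmax(W @ x))

def loss_gradient(x, label):
    logits = W @ x
    p = np.exp(logits - logits.max())
    p /= p.sum()
    return W.T @ (p - np.eye(2)[label])

def fgsm(x, label, epsilons=1000, max_epsilon=1.0):
    # Step in the direction of the sign of the gradient.
    direction = np.sign(loss_gradient(x, label))
    for eps in np.linspace(0, max_epsilon, num=epsilons + 1)[1:]:
        candidate = np.clip(x + eps * direction, 0, 1)
        if predict(candidate) != label:
            return candidate
    return None

x = np.array([0.7, 0.3])
adv = fgsm(x, label=0)
```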
class foolbox.v1.attacks.LinfinityBasicIterativeAttack(model=None, criterion=<foolbox.criteria.Misclassification object>, distance=<class 'foolbox.distances.MeanSquaredDistance'>, threshold=None)

The Basic Iterative Method introduced in [1].

This attack is also known as Projected Gradient Descent (PGD) without random start, or FGSM^k.

References

[1] Alexey Kurakin, Ian Goodfellow, Samy Bengio, “Adversarial examples in the physical world”, https://arxiv.org/abs/1607.02533

__call__(self, input_or_adv, label=None, unpack=True, binary_search=True, epsilon=0.3, stepsize=0.05, iterations=10, random_start=False, return_early=True)

Simple iterative gradient-based attack known as Basic Iterative Method, Projected Gradient Descent or FGSM^k.

Parameters:
- input_or_adv : numpy.ndarray or Adversarial
  The original, unperturbed input as a numpy.ndarray or an Adversarial instance.
- label : int
  The reference label of the original input. Must be passed if input_or_adv is a numpy.ndarray; must not be passed if it is an Adversarial instance.
- unpack : bool
  If True, returns the adversarial input; otherwise returns the Adversarial object.
- binary_search : bool or int
  Whether to perform a binary search over epsilon and stepsize, keeping their ratio constant and using their values to start the search. If False, the hyperparameters are not optimized. Can also be an integer specifying the number of binary search steps (default 20).
- epsilon : float
  Limit on the perturbation size; if binary_search is True, this value is only used to initialize the search and is adapted automatically.
- stepsize : float
  Step size for gradient descent; if binary_search is True, this value is only used to initialize the search and is adapted automatically.
- iterations : int
  Number of iterations for each gradient descent run.
- random_start : bool
  Whether to start the attack from a random point rather than from the original input.
- return_early : bool
  Whether an individual gradient descent run should stop as soon as an adversarial is found.
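Ignoring the binary search over hyperparameters, the core loop repeatedly steps along the gradient sign and projects back into the L-infinity ball of radius epsilon around the original input. A sketch assuming a toy two-class linear model (not the foolbox API):

```python
import numpy as np

# Toy two-class linear softmax model (assumption for illustration).
W = np.array([[1.0, -1.0], [-1.0, 1.0]])

def predict(x):
    return int(np.argmax(W @ x))

def loss_gradient(x, label):
    logits = W @ x
    p = np.exp(logits - logits.max())
    p /= p.sum()
    return W.T @ (p - np.eye(2)[label])

def linf_bim(x, label, epsilon=0.3, stepsize=0.05, iterations=10, return_early=True):
    adv = x.copy()
    for _ in range(iterations):
        adv = adv + stepsize * np.sign(loss_gradient(adv, label))
        # Project back into the L-infinity ball around x and into the input range.
        adv = np.clip(adv, x - epsilon, x + epsilon)
        adv = np.clip(adv, 0, 1)
        if return_early and predict(adv) != label:
            break
    return adv

x = np.array([0.7, 0.3])
adv = linf_bim(x, label=0)
```

The two `np.clip` calls are the "projected" part of PGD: the first enforces the perturbation budget, the second the valid input range.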
foolbox.v1.attacks.BasicIterativeMethod

alias of foolbox.v1.attacks.iterative_projected_gradient.LinfinityBasicIterativeAttack

foolbox.v1.attacks.BIM

alias of foolbox.v1.attacks.iterative_projected_gradient.LinfinityBasicIterativeAttack
class foolbox.v1.attacks.L1BasicIterativeAttack(model=None, criterion=<foolbox.criteria.Misclassification object>, distance=<class 'foolbox.distances.MeanSquaredDistance'>, threshold=None)

Modified version of the Basic Iterative Method that minimizes the L1 distance.

__call__(self, input_or_adv, label=None, unpack=True, binary_search=True, epsilon=0.3, stepsize=0.05, iterations=10, random_start=False, return_early=True)

Simple iterative gradient-based attack known as Basic Iterative Method, Projected Gradient Descent or FGSM^k.

Parameters:
- input_or_adv : numpy.ndarray or Adversarial
  The original, unperturbed input as a numpy.ndarray or an Adversarial instance.
- label : int
  The reference label of the original input. Must be passed if input_or_adv is a numpy.ndarray; must not be passed if it is an Adversarial instance.
- unpack : bool
  If True, returns the adversarial input; otherwise returns the Adversarial object.
- binary_search : bool or int
  Whether to perform a binary search over epsilon and stepsize, keeping their ratio constant and using their values to start the search. If False, the hyperparameters are not optimized. Can also be an integer specifying the number of binary search steps (default 20).
- epsilon : float
  Limit on the perturbation size; if binary_search is True, this value is only used to initialize the search and is adapted automatically.
- stepsize : float
  Step size for gradient descent; if binary_search is True, this value is only used to initialize the search and is adapted automatically.
- iterations : int
  Number of iterations for each gradient descent run.
- random_start : bool
  Whether to start the attack from a random point rather than from the original input.
- return_early : bool
  Whether an individual gradient descent run should stop as soon as an adversarial is found.
class foolbox.v1.attacks.L2BasicIterativeAttack(model=None, criterion=<foolbox.criteria.Misclassification object>, distance=<class 'foolbox.distances.MeanSquaredDistance'>, threshold=None)

Modified version of the Basic Iterative Method that minimizes the L2 distance.

__call__(self, input_or_adv, label=None, unpack=True, binary_search=True, epsilon=0.3, stepsize=0.05, iterations=10, random_start=False, return_early=True)

Simple iterative gradient-based attack known as Basic Iterative Method, Projected Gradient Descent or FGSM^k.

Parameters:
- input_or_adv : numpy.ndarray or Adversarial
  The original, unperturbed input as a numpy.ndarray or an Adversarial instance.
- label : int
  The reference label of the original input. Must be passed if input_or_adv is a numpy.ndarray; must not be passed if it is an Adversarial instance.
- unpack : bool
  If True, returns the adversarial input; otherwise returns the Adversarial object.
- binary_search : bool or int
  Whether to perform a binary search over epsilon and stepsize, keeping their ratio constant and using their values to start the search. If False, the hyperparameters are not optimized. Can also be an integer specifying the number of binary search steps (default 20).
- epsilon : float
  Limit on the perturbation size; if binary_search is True, this value is only used to initialize the search and is adapted automatically.
- stepsize : float
  Step size for gradient descent; if binary_search is True, this value is only used to initialize the search and is adapted automatically.
- iterations : int
  Number of iterations for each gradient descent run.
- random_start : bool
  Whether to start the attack from a random point rather than from the original input.
- return_early : bool
  Whether an individual gradient descent run should stop as soon as an adversarial is found.
class foolbox.v1.attacks.ProjectedGradientDescentAttack(model=None, criterion=<foolbox.criteria.Misclassification object>, distance=<class 'foolbox.distances.MeanSquaredDistance'>, threshold=None)

The Projected Gradient Descent attack introduced in [1], without random start.

When used without a random start, this attack is also known as the Basic Iterative Method (BIM) or FGSM^k.

References

[1] Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, Adrian Vladu, “Towards Deep Learning Models Resistant to Adversarial Attacks”, https://arxiv.org/abs/1706.06083

__call__(self, input_or_adv, label=None, unpack=True, binary_search=True, epsilon=0.3, stepsize=0.01, iterations=40, random_start=False, return_early=True)

Simple iterative gradient-based attack known as Basic Iterative Method, Projected Gradient Descent or FGSM^k.

Parameters:
- input_or_adv : numpy.ndarray or Adversarial
  The original, unperturbed input as a numpy.ndarray or an Adversarial instance.
- label : int
  The reference label of the original input. Must be passed if input_or_adv is a numpy.ndarray; must not be passed if it is an Adversarial instance.
- unpack : bool
  If True, returns the adversarial input; otherwise returns the Adversarial object.
- binary_search : bool or int
  Whether to perform a binary search over epsilon and stepsize, keeping their ratio constant and using their values to start the search. If False, the hyperparameters are not optimized. Can also be an integer specifying the number of binary search steps (default 20).
- epsilon : float
  Limit on the perturbation size; if binary_search is True, this value is only used to initialize the search and is adapted automatically.
- stepsize : float
  Step size for gradient descent; if binary_search is True, this value is only used to initialize the search and is adapted automatically.
- iterations : int
  Number of iterations for each gradient descent run.
- random_start : bool
  Whether to start the attack from a random point rather than from the original input.
- return_early : bool
  Whether an individual gradient descent run should stop as soon as an adversarial is found.
foolbox.v1.attacks.ProjectedGradientDescent

alias of foolbox.v1.attacks.iterative_projected_gradient.ProjectedGradientDescentAttack

foolbox.v1.attacks.PGD

alias of foolbox.v1.attacks.iterative_projected_gradient.ProjectedGradientDescentAttack
class foolbox.v1.attacks.RandomStartProjectedGradientDescentAttack(model=None, criterion=<foolbox.criteria.Misclassification object>, distance=<class 'foolbox.distances.MeanSquaredDistance'>, threshold=None)

The Projected Gradient Descent attack introduced in [1], with random start.

References

[1] Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, Adrian Vladu, “Towards Deep Learning Models Resistant to Adversarial Attacks”, https://arxiv.org/abs/1706.06083

__call__(self, input_or_adv, label=None, unpack=True, binary_search=True, epsilon=0.3, stepsize=0.01, iterations=40, random_start=True, return_early=True)

Simple iterative gradient-based attack known as Basic Iterative Method, Projected Gradient Descent or FGSM^k.

Parameters:
- input_or_adv : numpy.ndarray or Adversarial
  The original, unperturbed input as a numpy.ndarray or an Adversarial instance.
- label : int
  The reference label of the original input. Must be passed if input_or_adv is a numpy.ndarray; must not be passed if it is an Adversarial instance.
- unpack : bool
  If True, returns the adversarial input; otherwise returns the Adversarial object.
- binary_search : bool or int
  Whether to perform a binary search over epsilon and stepsize, keeping their ratio constant and using their values to start the search. If False, the hyperparameters are not optimized. Can also be an integer specifying the number of binary search steps (default 20).
- epsilon : float
  Limit on the perturbation size; if binary_search is True, this value is only used to initialize the search and is adapted automatically.
- stepsize : float
  Step size for gradient descent; if binary_search is True, this value is only used to initialize the search and is adapted automatically.
- iterations : int
  Number of iterations for each gradient descent run.
- random_start : bool
  Whether to start the attack from a random point rather than from the original input.
- return_early : bool
  Whether an individual gradient descent run should stop as soon as an adversarial is found.
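With a random start, the iteration is seeded at a uniformly random point inside the epsilon ball instead of at the original input; everything else is the plain PGD loop. A sketch under the same kind of toy-linear-model assumption (not the foolbox API):

```python
import numpy as np

# Toy two-class linear softmax model (assumption for illustration).
W = np.array([[1.0, -1.0], [-1.0, 1.0]])

def predict(x):
    return int(np.argmax(W @ x))

def loss_gradient(x, label):
    logits = W @ x
    p = np.exp(logits - logits.max())
    p /= p.sum()
    return W.T @ (p - np.eye(2)[label])

def random_start_pgd(x, label, epsilon=0.3, stepsize=0.01, iterations=40):
    # Random initialization inside the L-infinity ball of radius epsilon.
    adv = x + np.random.uniform(-epsilon, epsilon, size=x.shape)
    adv = np.clip(adv, 0, 1)
    for _ in range(iterations):
        adv = adv + stepsize * np.sign(loss_gradient(adv, label))
        adv = np.clip(adv, x - epsilon, x + epsilon)
        adv = np.clip(adv, 0, 1)
        if predict(adv) != label:
            break
    return adv

np.random.seed(0)  # fixed seed so the sketch is reproducible
x = np.array([0.7, 0.3])
adv = random_start_pgd(x, label=0)
```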
foolbox.v1.attacks.RandomProjectedGradientDescent

alias of foolbox.v1.attacks.iterative_projected_gradient.RandomStartProjectedGradientDescentAttack

foolbox.v1.attacks.RandomPGD

alias of foolbox.v1.attacks.iterative_projected_gradient.RandomStartProjectedGradientDescentAttack
class foolbox.v1.attacks.AdamL1BasicIterativeAttack(model=None, criterion=<foolbox.criteria.Misclassification object>, distance=<class 'foolbox.distances.MeanSquaredDistance'>, threshold=None)

Modified version of the Basic Iterative Method that minimizes the L1 distance using the Adam optimizer.

__call__(self, input_or_adv, label=None, unpack=True, binary_search=True, epsilon=0.3, stepsize=0.05, iterations=10, random_start=False, return_early=True)

Simple iterative gradient-based attack known as Basic Iterative Method, Projected Gradient Descent or FGSM^k.

Parameters:
- input_or_adv : numpy.ndarray or Adversarial
  The original, unperturbed input as a numpy.ndarray or an Adversarial instance.
- label : int
  The reference label of the original input. Must be passed if input_or_adv is a numpy.ndarray; must not be passed if it is an Adversarial instance.
- unpack : bool
  If True, returns the adversarial input; otherwise returns the Adversarial object.
- binary_search : bool or int
  Whether to perform a binary search over epsilon and stepsize, keeping their ratio constant and using their values to start the search. If False, the hyperparameters are not optimized. Can also be an integer specifying the number of binary search steps (default 20).
- epsilon : float
  Limit on the perturbation size; if binary_search is True, this value is only used to initialize the search and is adapted automatically.
- stepsize : float
  Step size for gradient descent; if binary_search is True, this value is only used to initialize the search and is adapted automatically.
- iterations : int
  Number of iterations for each gradient descent run.
- random_start : bool
  Whether to start the attack from a random point rather than from the original input.
- return_early : bool
  Whether an individual gradient descent run should stop as soon as an adversarial is found.
class foolbox.v1.attacks.AdamL2BasicIterativeAttack(model=None, criterion=<foolbox.criteria.Misclassification object>, distance=<class 'foolbox.distances.MeanSquaredDistance'>, threshold=None)

Modified version of the Basic Iterative Method that minimizes the L2 distance using the Adam optimizer.

__call__(self, input_or_adv, label=None, unpack=True, binary_search=True, epsilon=0.3, stepsize=0.05, iterations=10, random_start=False, return_early=True)

Simple iterative gradient-based attack known as Basic Iterative Method, Projected Gradient Descent or FGSM^k.

Parameters:
- input_or_adv : numpy.ndarray or Adversarial
  The original, unperturbed input as a numpy.ndarray or an Adversarial instance.
- label : int
  The reference label of the original input. Must be passed if input_or_adv is a numpy.ndarray; must not be passed if it is an Adversarial instance.
- unpack : bool
  If True, returns the adversarial input; otherwise returns the Adversarial object.
- binary_search : bool or int
  Whether to perform a binary search over epsilon and stepsize, keeping their ratio constant and using their values to start the search. If False, the hyperparameters are not optimized. Can also be an integer specifying the number of binary search steps (default 20).
- epsilon : float
  Limit on the perturbation size; if binary_search is True, this value is only used to initialize the search and is adapted automatically.
- stepsize : float
  Step size for gradient descent; if binary_search is True, this value is only used to initialize the search and is adapted automatically.
- iterations : int
  Number of iterations for each gradient descent run.
- random_start : bool
  Whether to start the attack from a random point rather than from the original input.
- return_early : bool
  Whether an individual gradient descent run should stop as soon as an adversarial is found.
class foolbox.v1.attacks.AdamProjectedGradientDescentAttack(model=None, criterion=<foolbox.criteria.Misclassification object>, distance=<class 'foolbox.distances.MeanSquaredDistance'>, threshold=None)

The Projected Gradient Descent attack introduced in [1], [2], without random start, using the Adam optimizer.

When used without a random start, this attack is also known as the Basic Iterative Method (BIM) or FGSM^k.

References

[1] Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, Adrian Vladu, “Towards Deep Learning Models Resistant to Adversarial Attacks”, https://arxiv.org/abs/1706.06083
[2] Nicholas Carlini, David Wagner, “Towards Evaluating the Robustness of Neural Networks”, https://arxiv.org/abs/1608.04644

__call__(self, input_or_adv, label=None, unpack=True, binary_search=True, epsilon=0.3, stepsize=0.01, iterations=40, random_start=False, return_early=True)

Simple iterative gradient-based attack known as Basic Iterative Method, Projected Gradient Descent or FGSM^k.

Parameters:
- input_or_adv : numpy.ndarray or Adversarial
  The original, unperturbed input as a numpy.ndarray or an Adversarial instance.
- label : int
  The reference label of the original input. Must be passed if input_or_adv is a numpy.ndarray; must not be passed if it is an Adversarial instance.
- unpack : bool
  If True, returns the adversarial input; otherwise returns the Adversarial object.
- binary_search : bool or int
  Whether to perform a binary search over epsilon and stepsize, keeping their ratio constant and using their values to start the search. If False, the hyperparameters are not optimized. Can also be an integer specifying the number of binary search steps (default 20).
- epsilon : float
  Limit on the perturbation size; if binary_search is True, this value is only used to initialize the search and is adapted automatically.
- stepsize : float
  Step size for gradient descent; if binary_search is True, this value is only used to initialize the search and is adapted automatically.
- iterations : int
  Number of iterations for each gradient descent run.
- random_start : bool
  Whether to start the attack from a random point rather than from the original input.
- return_early : bool
  Whether an individual gradient descent run should stop as soon as an adversarial is found.
foolbox.v1.attacks.AdamProjectedGradientDescent

alias of foolbox.v1.attacks.iterative_projected_gradient.AdamProjectedGradientDescentAttack

foolbox.v1.attacks.AdamPGD

alias of foolbox.v1.attacks.iterative_projected_gradient.AdamProjectedGradientDescentAttack
class foolbox.v1.attacks.AdamRandomStartProjectedGradientDescentAttack(model=None, criterion=<foolbox.criteria.Misclassification object>, distance=<class 'foolbox.distances.MeanSquaredDistance'>, threshold=None)

The Projected Gradient Descent attack introduced in [1], [2], with random start, using the Adam optimizer.

References

[1] Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, Adrian Vladu, “Towards Deep Learning Models Resistant to Adversarial Attacks”, https://arxiv.org/abs/1706.06083
[2] Nicholas Carlini, David Wagner, “Towards Evaluating the Robustness of Neural Networks”, https://arxiv.org/abs/1608.04644

__call__(self, input_or_adv, label=None, unpack=True, binary_search=True, epsilon=0.3, stepsize=0.01, iterations=40, random_start=True, return_early=True)

Simple iterative gradient-based attack known as Basic Iterative Method, Projected Gradient Descent or FGSM^k.

Parameters:
- input_or_adv : numpy.ndarray or Adversarial
  The original, unperturbed input as a numpy.ndarray or an Adversarial instance.
- label : int
  The reference label of the original input. Must be passed if input_or_adv is a numpy.ndarray; must not be passed if it is an Adversarial instance.
- unpack : bool
  If True, returns the adversarial input; otherwise returns the Adversarial object.
- binary_search : bool or int
  Whether to perform a binary search over epsilon and stepsize, keeping their ratio constant and using their values to start the search. If False, the hyperparameters are not optimized. Can also be an integer specifying the number of binary search steps (default 20).
- epsilon : float
  Limit on the perturbation size; if binary_search is True, this value is only used to initialize the search and is adapted automatically.
- stepsize : float
  Step size for gradient descent; if binary_search is True, this value is only used to initialize the search and is adapted automatically.
- iterations : int
  Number of iterations for each gradient descent run.
- random_start : bool
  Whether to start the attack from a random point rather than from the original input.
- return_early : bool
  Whether an individual gradient descent run should stop as soon as an adversarial is found.
foolbox.v1.attacks.AdamRandomProjectedGradientDescent

alias of foolbox.v1.attacks.iterative_projected_gradient.AdamRandomStartProjectedGradientDescentAttack

foolbox.v1.attacks.AdamRandomPGD

alias of foolbox.v1.attacks.iterative_projected_gradient.AdamRandomStartProjectedGradientDescentAttack
class foolbox.v1.attacks.MomentumIterativeAttack(model=None, criterion=<foolbox.criteria.Misclassification object>, distance=<class 'foolbox.distances.MeanSquaredDistance'>, threshold=None)

The Momentum Iterative Method introduced in [1]. It is like the Basic Iterative Method or Projected Gradient Descent, except that it uses momentum.

References

[1] Yinpeng Dong, Fangzhou Liao, Tianyu Pang, Hang Su, Jun Zhu, Xiaolin Hu, Jianguo Li, “Boosting Adversarial Attacks with Momentum”, https://arxiv.org/abs/1710.06081

__call__(self, input_or_adv, label=None, unpack=True, binary_search=True, epsilon=0.3, stepsize=0.06, iterations=10, decay_factor=1.0, random_start=False, return_early=True)

Momentum-based iterative gradient attack known as Momentum Iterative Method.

Parameters:
- input_or_adv : numpy.ndarray or Adversarial
  The original, unperturbed input as a numpy.ndarray or an Adversarial instance.
- label : int
  The reference label of the original input. Must be passed if input_or_adv is a numpy.ndarray; must not be passed if it is an Adversarial instance.
- unpack : bool
  If True, returns the adversarial input; otherwise returns the Adversarial object.
- binary_search : bool or int
  Whether to perform a binary search over epsilon and stepsize, keeping their ratio constant and using their values to start the search. If False, the hyperparameters are not optimized. Can also be an integer specifying the number of binary search steps (default 20).
- epsilon : float
  Limit on the perturbation size; if binary_search is True, this value is only used to initialize the search and is adapted automatically.
- stepsize : float
  Step size for gradient descent; if binary_search is True, this value is only used to initialize the search and is adapted automatically.
- iterations : int
  Number of iterations for each gradient descent run.
- decay_factor : float
  Decay factor used by the momentum term.
- random_start : bool
  Whether to start the attack from a random point rather than from the original input.
- return_early : bool
  Whether an individual gradient descent run should stop as soon as an adversarial is found.
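As in the Momentum Iterative Method paper, each iteration accumulates an L1-normalized running gradient scaled by the decay factor and steps along its sign. A sketch assuming a toy two-class linear model (illustrative only, not the foolbox API):

```python
import numpy as np

# Toy two-class linear softmax model (assumption for illustration).
W = np.array([[1.0, -1.0], [-1.0, 1.0]])

def predict(x):
    return int(np.argmax(W @ x))

def loss_gradient(x, label):
    logits = W @ x
    p = np.exp(logits - logits.max())
    p /= p.sum()
    return W.T @ (p - np.eye(2)[label])

def momentum_attack(x, label, epsilon=0.3, stepsize=0.06, iterations=10,
                    decay_factor=1.0):
    adv = x.copy()
    g = np.zeros_like(x)
    for _ in range(iterations):
        grad = loss_gradient(adv, label)
        # Accumulate a decayed running gradient, normalized by its L1 norm.
        g = decay_factor * g + grad / (np.abs(grad).sum() + 1e-12)
        adv = adv + stepsize * np.sign(g)
        adv = np.clip(adv, x - epsilon, x + epsilon)
        adv = np.clip(adv, 0, 1)
        if predict(adv) != label:
            break
    return adv

x = np.array([0.7, 0.3])
adv = momentum_attack(x, label=0)
```

The momentum term stabilizes the step direction across iterations, which is the paper's motivation for the attack.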
foolbox.v1.attacks.MomentumIterativeMethod

alias of foolbox.v1.attacks.iterative_projected_gradient.MomentumIterativeAttack
class foolbox.v1.attacks.LBFGSAttack(*args, **kwargs)

Uses L-BFGS-B to minimize the distance between the input and the adversarial as well as the cross-entropy between the predictions for the adversarial and the one-hot encoded target class.

If the criterion does not have a target class, a random class is chosen from the set of all classes except the original one.

Notes

This implementation generalizes algorithm 1 in [1] to support other targeted criteria and other distance measures.

References

[1] https://arxiv.org/abs/1510.05328

__call__(self, input_or_adv, label=None, unpack=True, epsilon=1e-05, num_random_targets=0, maxiter=150)

Uses L-BFGS-B to minimize the distance between the input and the adversarial as well as the cross-entropy between the predictions for the adversarial and the one-hot encoded target class.

Parameters:
- input_or_adv : numpy.ndarray or Adversarial
  The original, unperturbed input as a numpy.ndarray or an Adversarial instance.
- label : int
  The reference label of the original input. Must be passed if input_or_adv is a numpy.ndarray; must not be passed if it is an Adversarial instance.
- unpack : bool
  If True, returns the adversarial input; otherwise returns the Adversarial object.
- epsilon : float
  Epsilon of the binary search.
- num_random_targets : int
  Number of random target classes to try if no target class is given by the criterion.
- maxiter : int
  Maximum number of iterations for L-BFGS-B.

__init__(self, *args, **kwargs)

Initialize self. See help(type(self)) for accurate signature.

name(self)

Returns a human-readable name that uniquely identifies the attack with its hyperparameters.

Returns:
- str
  Human-readable name that uniquely identifies the attack with its hyperparameters.

Notes

Defaults to the class name, but subclasses can provide more descriptive names and must take hyperparameters into account.
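The underlying optimization can be sketched with scipy.optimize.minimize(method='L-BFGS-B'): minimize the squared distance to the original input plus a weighted cross-entropy toward the target class, under box bounds. The toy linear model and the fixed trade-off weight `c` below are illustrative assumptions; the actual attack searches over this trade-off rather than fixing it:

```python
import numpy as np
from scipy.optimize import minimize

# Toy two-class linear model (assumption for illustration).
W = np.array([[1.0, -1.0], [-1.0, 1.0]])

def objective(x, x0, target, c):
    logits = W @ x
    logits = logits - logits.max()
    # Cross-entropy toward the target class plus squared distance to the original.
    ce = -logits[target] + np.log(np.exp(logits).sum())
    return np.sum((x - x0) ** 2) + c * ce

x0 = np.array([0.7, 0.3])
target = 1  # hypothetical target class for this sketch
res = minimize(objective, x0, args=(x0, target, 10.0),
               method='L-BFGS-B', bounds=[(0, 1), (0, 1)])
adv = res.x
```

The box bounds keep the result a valid input; gradients are approximated by finite differences here, whereas the real attack uses the model's analytic gradient.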
class foolbox.v1.attacks.DeepFoolAttack(model=None, criterion=<foolbox.criteria.Misclassification object>, distance=<class 'foolbox.distances.MeanSquaredDistance'>, threshold=None)

Simple and close-to-optimal gradient-based adversarial attack.

Implements DeepFool, introduced in [1].

References

[1] Seyed-Mohsen Moosavi-Dezfooli, Alhussein Fawzi, Pascal Frossard, “DeepFool: a simple and accurate method to fool deep neural networks”, https://arxiv.org/abs/1511.04599

__call__(self, input_or_adv, label=None, unpack=True, steps=100, subsample=10, p=None)

Simple and close-to-optimal gradient-based adversarial attack.

Parameters:
- input_or_adv : numpy.ndarray or Adversarial
  The original, unperturbed input as a numpy.ndarray or an Adversarial instance.
- label : int
  The reference label of the original input. Must be passed if input_or_adv is a numpy.ndarray; must not be passed if it is an Adversarial instance.
- unpack : bool
  If True, returns the adversarial input; otherwise returns the Adversarial object.
- steps : int
  Maximum number of steps to perform.
- subsample : int
  Limit on the number of the most likely classes that should be considered. A small value is usually sufficient and much faster.
- p : int or float
  Lp-norm that should be minimized; must be 2 or np.inf.
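For an affine binary classifier the DeepFool step has a closed form: project the current point onto the decision hyperplane and overshoot slightly so the prediction actually flips. A self-contained sketch (the affine model and the overshoot constant come from the DeepFool paper's setup, not from foolbox parameters):

```python
import numpy as np

# Affine binary decision function f(x) = w @ x + b; predicted class is sign(f).
# The weights below are illustrative assumptions.
w = np.array([1.0, -2.0])
b = 0.2

def deepfool_linear(x, steps=100, overshoot=0.02):
    adv = x.copy()
    orig = np.sign(w @ x + b)
    for _ in range(steps):
        f = w @ adv + b
        if np.sign(f) != orig:
            break  # already across the decision boundary
        # Closed-form minimal L2 step onto the hyperplane f(x) = 0,
        # slightly overshot so the sign actually changes.
        adv = adv + (1 + overshoot) * (-f / (w @ w)) * w
    return adv

x = np.array([1.0, 0.0])
adv = deepfool_linear(x)
```

For a nonlinear multi-class model, DeepFool linearizes the classifier around the current point at every step and takes the analogous step toward the nearest of the `subsample` most likely classes.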
class
foolbox.v1.attacks.
NewtonFoolAttack
(model=None, criterion=<foolbox.criteria.Misclassification object>, distance=<class 'foolbox.distances.MeanSquaredDistance'>, threshold=None)[source]¶ Implements the NewtonFool Attack.
The attack was introduced in [Rd3fe0126f08a-1].
References
[Rd3fe0126f08a-1] Uyeong Jang et al., “Objective Metrics and Gradient Descent Algorithms for Adversarial Examples in Machine Learning”, https://dl.acm.org/citation.cfm?id=3134635 -
__call__
(self, input_or_adv, label=None, unpack=True, max_iter=100, eta=0.01)[source]¶ Parameters: - input_or_adv : numpy.ndarray or
Adversarial
The original, unperturbed input as a numpy.ndarray or an
Adversarial
instance.- label : int
The reference label of the original input. Must be passed if a is a numpy.ndarray, must not be passed if a is an
Adversarial
instance.- unpack : bool
If true, returns the adversarial input, otherwise returns the Adversarial object.
- max_iter : int
The maximum number of iterations.
- eta : float
the eta coefficient
- input_or_adv : numpy.ndarray or
-
-
class foolbox.v1.attacks.DeepFoolL2Attack(model=None, criterion=<foolbox.criteria.Misclassification object>, distance=<class 'foolbox.distances.MeanSquaredDistance'>, threshold=None)

Variant of the DeepFool attack that minimizes the L2 distance.

__call__(self, input_or_adv, label=None, unpack=True, steps=100, subsample=10)

Simple and close-to-optimal gradient-based adversarial attack.

Parameters:
- input_or_adv : numpy.ndarray or Adversarial
  The original, unperturbed input as a numpy.ndarray or an Adversarial instance.
- label : int
  The reference label of the original input. Must be passed if input_or_adv is a numpy.ndarray; must not be passed if it is an Adversarial instance.
- unpack : bool
  If True, returns the adversarial input; otherwise returns the Adversarial object.
- steps : int
  Maximum number of steps to perform.
- subsample : int
  Limit on the number of the most likely classes that should be considered. A small value is usually sufficient and much faster.
class foolbox.v1.attacks.DeepFoolLinfinityAttack(model=None, criterion=<foolbox.criteria.Misclassification object>, distance=<class 'foolbox.distances.MeanSquaredDistance'>, threshold=None)

Variant of the DeepFool attack that minimizes the L-infinity distance.

__call__(self, input_or_adv, label=None, unpack=True, steps=100, subsample=10)

Simple and close-to-optimal gradient-based adversarial attack.

Parameters:
- input_or_adv : numpy.ndarray or Adversarial
  The original, unperturbed input as a numpy.ndarray or an Adversarial instance.
- label : int
  The reference label of the original input. Must be passed if input_or_adv is a numpy.ndarray; must not be passed if it is an Adversarial instance.
- unpack : bool
  If True, returns the adversarial input; otherwise returns the Adversarial object.
- steps : int
  Maximum number of steps to perform.
- subsample : int
  Limit on the number of the most likely classes that should be considered. A small value is usually sufficient and much faster.
class
foolbox.v1.attacks.
ADefAttack
(model=None, criterion=<foolbox.criteria.Misclassification object>, distance=<class 'foolbox.distances.MeanSquaredDistance'>, threshold=None)[source]¶ Adversarial attack that distorts the image, i.e. changes the locations of pixels. The algorithm is described in [Rd97cb6ce1fe8-1], a Repository with the original code can be found in [Rd97cb6ce1fe8-2].
References
[Rd97cb6ce1fe8-1] Rima Alaifari, Giovanni S. Alberti, and Tandri Gauksson: “ADef: an Iterative Algorithm to Construct Adversarial Deformations”, https://arxiv.org/abs/1804.07729 [Rd97cb6ce1fe8-2] https://gitlab.math.ethz.ch/tandrig/ADef/tree/master -
__call__
(self, input_or_adv, unpack=True, max_iter=100, max_norm=numpy.inf, label=None, smooth=1.0, subsample=10)[source]¶ Parameters: - input_or_adv : numpy.ndarray or
Adversarial
The original, unperturbed input as a numpy.ndarray or an
Adversarial
instance.- label : int
The reference label of the original input. Must be passed if a is a numpy.ndarray, must not be passed if a is an
Adversarial
instance.- unpack : bool
If true, returns the adversarial input, otherwise returns the Adversarial object.
- max_iter : int > 0
Maximum number of iterations (default max_iter = 100).
- max_norm : float
Maximum l2 norm of vector field (default max_norm = numpy.inf).
- smooth : float >= 0
Width of the Gaussian kernel used for smoothing (default: smooth = 1.0; use smooth = 0 for no smoothing).
- subsample : int >= 2
Limit on the number of the most likely classes that should be considered. A small value is usually sufficient and much faster. (default subsample = 10)
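The primitive ADef optimizes is a resampling deformation rather than an additive perturbation. A minimal sketch of applying a vector field to a grayscale image with scipy.ndimage.map_coordinates (the attack itself chooses the field by repeatedly linearizing the model; `deform` is an illustrative helper name, not part of the documented API):

```python
import numpy as np
from scipy.ndimage import map_coordinates

def deform(image, tau):
    """Apply a vector field tau of shape (2, H, W) to a grayscale image by
    resampling: output(u) = image(u + tau(u)), with bilinear interpolation
    and edge values extended outside the image."""
    h, w = image.shape
    grid = np.mgrid[0:h, 0:w].astype(float)       # pixel coordinates (2, H, W)
    return map_coordinates(image, grid + tau, order=1, mode="nearest")
```

A zero field is the identity; a constant field translates the image, and ADef searches for a small, optionally smoothed field that flips the prediction.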
-
class
foolbox.v1.attacks.
SLSQPAttack
(model=None, criterion=<foolbox.criteria.Misclassification object>, distance=<class 'foolbox.distances.MeanSquaredDistance'>, threshold=None)[source]¶ Uses SLSQP to minimize the distance between the input and the adversarial under the constraint that the input is adversarial.
-
__call__
(self, input_or_adv, label=None, unpack=True)[source]¶ Uses SLSQP to minimize the distance between the input and the adversarial under the constraint that the input is adversarial.
Parameters: - input_or_adv : numpy.ndarray or
Adversarial
The original, correctly classified input. If it is a numpy array, label must be passed as well. If it is an
Adversarial
instance, label must not be passed.- label : int
The reference label of the original input. Must be passed if input is a numpy array, must not be passed if input is an
Adversarial
instance.- unpack : bool
If true, returns the adversarial input, otherwise returns the Adversarial object.
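The same constrained formulation can be sketched directly with SciPy's SLSQP solver. The toy below finds the closest point to x0 (in squared L2 distance) that a hypothetical linear classifier labels as the other class; the attack does the equivalent with the model's decision function as the constraint:

```python
import numpy as np
from scipy.optimize import minimize

x0 = np.array([0.2, 0.8])                     # original input, classified as class 0
w, b = np.array([1.0, -1.0]), 0.0             # toy classifier: class 1 iff w @ x + b > 0
margin = 1e-3                                 # require strictly adversarial output

# Minimize the squared distance to x0 subject to the adversarial constraint
# w @ x + b >= margin, with box bounds on the input.
res = minimize(
    fun=lambda x: np.sum((x - x0) ** 2),
    x0=x0,
    method="SLSQP",
    bounds=[(0.0, 1.0)] * 2,
    constraints=[{"type": "ineq", "fun": lambda x: w @ x + b - margin}],
)
x_adv = res.x
```

For this linear toy the solution is the orthogonal projection onto the decision hyperplane, which SLSQP finds in a few iterations.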
-
class
foolbox.v1.attacks.
SaliencyMapAttack
(model=None, criterion=<foolbox.criteria.Misclassification object>, distance=<class 'foolbox.distances.MeanSquaredDistance'>, threshold=None)[source]¶ Implements the Saliency Map Attack.
The attack was introduced in [Rbb0daa49069a-1].
References
[Rbb0daa49069a-1] Nicolas Papernot, Patrick McDaniel, Somesh Jha, Matt Fredrikson, Z. Berkay Celik, Ananthram Swami, “The Limitations of Deep Learning in Adversarial Settings”, https://arxiv.org/abs/1511.07528 -
__call__
(self, input_or_adv, label=None, unpack=True, max_iter=2000, num_random_targets=0, fast=True, theta=0.1, max_perturbations_per_pixel=7)[source]¶ Implements the Saliency Map Attack.
Parameters: - input_or_adv : numpy.ndarray or
Adversarial
The original, unperturbed input as a numpy.ndarray or an
Adversarial
instance.- label : int
The reference label of the original input. Must be passed if a is a numpy.ndarray, must not be passed if a is an
Adversarial
instance.- unpack : bool
If true, returns the adversarial input, otherwise returns the Adversarial object.
- max_iter : int
The maximum number of iterations to run.
- num_random_targets : int
Number of random target classes if no target class is given by the criterion.
- fast : bool
Whether to use the fast saliency map calculation.
- theta : float
Perturbation per pixel relative to the [min, max] range.
- max_perturbations_per_pixel : int
Maximum number of times a pixel can be modified.
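The core of the attack is the saliency score that ranks input features. A numpy sketch of the scoring rule from Papernot et al. for features that should be increased (the attack then perturbs the top-scoring feature(s) by theta, up to max_perturbations_per_pixel times each):

```python
import numpy as np

def saliency_map(grads, target):
    """JSMA-style saliency scores for increasing each input feature.
    grads has shape (num_classes, num_features) and holds dF_k/dx_i.
    A feature scores highly when increasing it helps the target class
    while hurting all other classes combined."""
    alpha = grads[target]                    # effect on the target class
    beta = grads.sum(axis=0) - alpha         # combined effect on other classes
    scores = alpha * np.abs(beta)
    scores[(alpha < 0) | (beta > 0)] = 0.0   # discard features that do not help
    return scores
```

The `fast` variant in foolbox approximates these gradients to avoid one backward pass per class.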
-
class
foolbox.v1.attacks.
IterativeGradientAttack
(model=None, criterion=<foolbox.criteria.Misclassification object>, distance=<class 'foolbox.distances.MeanSquaredDistance'>, threshold=None)[source]¶ Like GradientAttack but with several steps for each epsilon.
-
__call__
(self, input_or_adv, label=None, unpack=True, epsilons=100, max_epsilon=1, steps=10)[source]¶ Like GradientAttack but with several steps for each epsilon.
Parameters: - input_or_adv : numpy.ndarray or
Adversarial
The original, unperturbed input as a numpy.ndarray or an
Adversarial
instance.- label : int
The reference label of the original input. Must be passed if a is a numpy.ndarray, must not be passed if a is an
Adversarial
instance.- unpack : bool
If true, returns the adversarial input, otherwise returns the Adversarial object.
- epsilons : int or Iterable[float]
Either Iterable of step sizes in the gradient direction or number of step sizes between 0 and max_epsilon that should be tried.
- max_epsilon : float
Largest step size if epsilons is not an iterable.
- steps : int
Number of iterations to run.
-
class
foolbox.v1.attacks.
IterativeGradientSignAttack
(model=None, criterion=<foolbox.criteria.Misclassification object>, distance=<class 'foolbox.distances.MeanSquaredDistance'>, threshold=None)[source]¶ Like GradientSignAttack but with several steps for each epsilon.
-
__call__
(self, input_or_adv, label=None, unpack=True, epsilons=100, max_epsilon=1, steps=10)[source]¶ Like GradientSignAttack but with several steps for each epsilon.
Parameters: - input_or_adv : numpy.ndarray or
Adversarial
The original, unperturbed input as a numpy.ndarray or an
Adversarial
instance.- label : int
The reference label of the original input. Must be passed if a is a numpy.ndarray, must not be passed if a is an
Adversarial
instance.- unpack : bool
If true, returns the adversarial input, otherwise returns the Adversarial object.
- epsilons : int or Iterable[float]
Either Iterable of step sizes in the direction of the sign of the gradient or number of step sizes between 0 and max_epsilon that should be tried.
- max_epsilon : float
Largest step size if epsilons is not an iterable.
- steps : int
Number of iterations to run.
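For a fixed epsilon, the inner loop of these iterative variants looks roughly like the numpy sketch below (`grad_fn` stands in for the model's loss gradient; the v1 attacks additionally sweep over several epsilons and stop at the first misclassification):

```python
import numpy as np

def iterative_gradient_sign(x, grad_fn, epsilon, steps, bounds=(0.0, 1.0)):
    """Take `steps` sign-of-gradient steps of size epsilon/steps each,
    clipping to the input bounds after every step. grad_fn(x) must return
    the gradient of the loss w.r.t. x (sketch of the inner loop only)."""
    x_adv = x.astype(float).copy()
    for _ in range(steps):
        x_adv += (epsilon / steps) * np.sign(grad_fn(x_adv))
        x_adv = np.clip(x_adv, *bounds)
    return x_adv
```

Dropping the `np.sign` gives the plain IterativeGradientAttack variant, which steps along the raw gradient instead.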
-
class
foolbox.v1.attacks.
CarliniWagnerL2Attack
(model=None, criterion=<foolbox.criteria.Misclassification object>, distance=<class 'foolbox.distances.MeanSquaredDistance'>, threshold=None)[source]¶ The L2 version of the Carlini & Wagner attack.
This attack is described in [Red8697c8377c-1]. This implementation is based on the reference implementation by Carlini [Red8697c8377c-2]. For bounds ≠ (0, 1), it differs from [Red8697c8377c-2] because we normalize the squared L2 loss with the bounds.
References
[Red8697c8377c-1] Nicholas Carlini, David Wagner: “Towards Evaluating the Robustness of Neural Networks”, https://arxiv.org/abs/1608.04644 [Red8697c8377c-2] (1, 2) https://github.com/carlini/nn_robust_attacks -
__call__
(self, input_or_adv, label=None, unpack=True, binary_search_steps=5, max_iterations=1000, confidence=0, learning_rate=0.005, initial_const=0.01, abort_early=True)[source]¶ The L2 version of the Carlini & Wagner attack.
Parameters: - input_or_adv : numpy.ndarray or
Adversarial
The original, unperturbed input as a numpy.ndarray or an
Adversarial
instance.- label : int
The reference label of the original input. Must be passed if a is a numpy.ndarray, must not be passed if a is an
Adversarial
instance.- unpack : bool
If true, returns the adversarial input, otherwise returns the Adversarial object.
- binary_search_steps : int
The number of steps for the binary search used to find the optimal tradeoff-constant between distance and confidence.
- max_iterations : int
The maximum number of iterations. Larger values are more accurate; setting it too small will require a large learning rate and will produce poor results.
- confidence : int or float
Confidence of adversarial examples: a higher value produces adversarials that are further away, but more strongly classified as adversarial.
- learning_rate : float
The learning rate for the attack algorithm. Smaller values produce better results but take longer to converge.
- initial_const : float
The initial tradeoff-constant to use to tune the relative importance of distance and confidence. If binary_search_steps is large, the initial constant is not important.
- abort_early : bool
If True, Adam will be aborted if the loss hasn’t decreased for some time (a tenth of max_iterations).
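The objective being minimized can be written down compactly. A numpy sketch of the untargeted C&W L2 loss (the actual attack optimizes this with Adam in a tanh-transformed space and binary-searches over `const`):

```python
import numpy as np

def cw_l2_loss(x_adv, x_orig, logits, label, const, confidence=0.0):
    """Carlini-Wagner L2 objective (untargeted, sketch): squared L2 distance
    plus const times the margin by which the true class still wins. The
    hinge makes the second term zero once the input is adversarial with
    the requested confidence."""
    other = logits.copy()
    other[label] = -np.inf                               # best competing class
    margin = logits[label] - other.max() + confidence    # > 0 while not adversarial
    return np.sum((x_adv - x_orig) ** 2) + const * max(margin, 0.0)
```

The binary search over `const` balances the two terms: too small and the attack never becomes adversarial, too large and the perturbation is needlessly big.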
-
class
foolbox.v1.attacks.
EADAttack
(model=None, criterion=<foolbox.criteria.Misclassification object>, distance=<class 'foolbox.distances.MeanSquaredDistance'>, threshold=None)[source]¶ Gradient-based attack that uses elastic-net regularization [R1c90a35cf078-1]. This implementation is based on the attack description in [R1c90a35cf078-1] and its reference implementation [R1c90a35cf078-2].
References
[R1c90a35cf078-1] Pin-Yu Chen (*), Yash Sharma (*), Huan Zhang, Jinfeng Yi, Cho-Jui Hsieh, “EAD: Elastic-Net Attacks to Deep Neural Networks via Adversarial Examples”, https://arxiv.org/abs/1709.04114 [R1c90a35cf078-2] Pin-Yu Chen (*), Yash Sharma (*), Huan Zhang, Jinfeng Yi, Cho-Jui Hsieh, “Reference Implementation of ‘EAD: Elastic-Net Attacks to Deep Neural Networks via Adversarial Examples’”, https://github.com/ysharma1126/EAD_Attack/blob/master/en_attack.py -
__call__
(self, input_or_adv, label=None, unpack=True, binary_search_steps=5, max_iterations=1000, confidence=0, initial_learning_rate=0.01, regularization=0.01, initial_const=0.01, abort_early=True)[source]¶ Gradient-based attack which uses elastic-net regularization.
Parameters: - input_or_adv : numpy.ndarray or
Adversarial
The original, unperturbed input as a numpy.ndarray or an
Adversarial
instance.- label : int
The reference label of the original input. Must be passed if a is a numpy.ndarray, must not be passed if a is an
Adversarial
instance.- unpack : bool
If true, returns the adversarial input, otherwise returns the Adversarial object.
- binary_search_steps : int
The number of steps for the binary search used to find the optimal tradeoff-constant between distance and confidence.
- max_iterations : int
The maximum number of iterations. Larger values are more accurate; setting it too small will require a large learning rate and will produce poor results.
- confidence : int or float
Confidence of adversarial examples: a higher value produces adversarials that are further away, but more strongly classified as adversarial.
- initial_learning_rate : float
The initial learning rate for the attack algorithm. Smaller values produce better results but take longer to converge. During the attack a square-root decay in the learning rate is performed.
- initial_const : float
The initial tradeoff-constant to use to tune the relative importance of distance and confidence. If binary_search_steps is large, the initial constant is not important.
- regularization : float
The L1 regularization parameter (also called beta). A value of 0 corresponds to the
attacks.CarliniWagnerL2Attack
attack.- abort_early : bool
If True, Adam will be aborted if the loss hasn’t decreased for some time (a tenth of max_iterations).
-
static
best_other_class
(logits, exclude)[source]¶ Returns the index of the largest logit, ignoring the class that is passed as exclude.
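A numpy sketch of this helper, together with the ISTA-style shrinkage step that gives EAD its L1 sparsity (`shrinkage` is an illustrative name, not part of the documented API):

```python
import numpy as np

def best_other_class(logits, exclude):
    """Index of the largest logit once `exclude` is masked out
    (numpy re-implementation of the static helper described above)."""
    masked = np.array(logits, dtype=float)
    masked[exclude] = -np.inf
    return int(np.argmax(masked))

def shrinkage(x_new, x_orig, beta, min_, max_):
    """ISTA shrinkage after each gradient step (sketch): perturbation
    components smaller than beta are zeroed, larger ones are pulled toward
    x_orig by beta, and the result is clipped to [min_, max_]."""
    diff = x_new - x_orig
    shrunk = np.sign(diff) * np.maximum(np.abs(diff) - beta, 0.0)
    return np.clip(x_orig + shrunk, min_, max_)
```

With beta = 0 the shrinkage is the identity, which is why regularization = 0 recovers the Carlini-Wagner L2 attack.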
-
-
class
foolbox.v1.attacks.
DecoupledDirectionNormL2Attack
(model=None, criterion=<foolbox.criteria.Misclassification object>, distance=<class 'foolbox.distances.MeanSquaredDistance'>, threshold=None)[source]¶ The Decoupled Direction and Norm L2 adversarial attack from [R1326043d948c-1].
References
[R1326043d948c-1] Jérôme Rony, Luiz G. Hafemann, Luiz S. Oliveira, Ismail Ben Ayed, Robert Sabourin, Eric Granger, “Decoupling Direction and Norm for Efficient Gradient-Based L2 Adversarial Attacks and Defenses”, https://arxiv.org/abs/1811.09600 -
__call__
(self, input_or_adv, label=None, unpack=True, steps=100, gamma=0.05, initial_norm=1, quantize=True, levels=256)[source]¶ The Decoupled Direction and Norm L2 adversarial attack.
Parameters: - input_or_adv : numpy.ndarray or
Adversarial
The original, unperturbed input as a numpy.ndarray or an
Adversarial
instance.- label : int
The reference label of the original input. Must be passed if a is a numpy.ndarray, must not be passed if a is an
Adversarial
instance.- unpack : bool
If true, returns the adversarial input, otherwise returns the Adversarial object.
- steps : int
Number of steps for the optimization.
- gamma : float, optional
Factor by which the norm is modified in each step: new_norm = norm * (1 ± gamma).
- initial_norm : float, optional
Initial value for the norm.
- quantize : bool, optional
If True, the returned adversarials will have quantized values to the specified number of levels.
- levels : int, optional
Number of levels to use for quantization (e.g. 256 for 8 bit images).
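The defining idea is the decoupled norm schedule: grow the perturbation budget while the point is still correctly classified, shrink it once it is adversarial. A numpy sketch of the norm update and of the optional quantization step (function names are illustrative):

```python
import numpy as np

def ddn_step_norm(norm, is_adv, gamma=0.05):
    """DDN budget update (sketch of the norm schedule only): each full step
    also takes a gradient step on the cross-entropy and renormalizes the
    perturbation to the current norm."""
    return norm * (1 - gamma) if is_adv else norm * (1 + gamma)

def quantize(x, levels=256, bounds=(0.0, 1.0)):
    """Snap values to a grid of `levels` evenly spaced values in `bounds`,
    e.g. 256 levels for 8-bit images, so the adversarial is a valid image."""
    lo, hi = bounds
    step = (hi - lo) / (levels - 1)
    return lo + np.round((x - lo) / step) * step
```

Because the norm oscillates around the decision boundary, the final perturbation ends up close to the minimal L2 norm.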
-
class
foolbox.v1.attacks.
SparseFoolAttack
(model=None, criterion=<foolbox.criteria.Misclassification object>, distance=<class 'foolbox.distances.MeanSquaredDistance'>, threshold=None)[source]¶ A geometry-inspired and fast attack for computing sparse adversarial perturbations.
Implements SparseFool introduced in [Rc99dbf830026-1]. The official code is provided in [Rc99dbf830026-2].
References
[Rc99dbf830026-1] Apostolos Modas, Seyed-Mohsen Moosavi-Dezfooli, Pascal Frossard, “SparseFool: a few pixels make a big difference”, https://arxiv.org/abs/1811.02248 [Rc99dbf830026-2] https://github.com/LTS4/SparseFool -
__call__
(self, input_or_adv, label=None, unpack=True, steps=30, lambda_=1.0, subsample=10)[source]¶ A geometry-inspired and fast attack for computing sparse adversarial perturbations.
Parameters: - input_or_adv : numpy.ndarray or
Adversarial
The original, unperturbed input as a numpy.ndarray or an
Adversarial
instance.- label : int
The reference label of the original input. Must be passed if a is a numpy.ndarray, must not be passed if a is an
Adversarial
instance.- unpack : bool
If true, returns the adversarial input, otherwise returns the Adversarial object.
- steps : int
Maximum number of steps to perform.
- lambda_ : float
Pushes the approximated decision boundary deeper into the classification region of the fooling class.
- subsample : int
Limit on the number of the most likely classes that should be considered when approximating the decision boundary. A small value is usually sufficient and much faster.
-
classmethod
boundary_approximation_deepfool
(a, initial_point, subsample, label, lambda_, steps=100)[source]¶ Approximates the decision boundary as an affine hyperplane. The approximation is done using a slightly modified version of the unconstrained DeepFool.
Parameters: - a : numpy.ndarray or
Adversarial
The original, unperturbed input as a numpy.ndarray or an
Adversarial
instance.- initial_point : numpy.ndarray
The initial point that we want to move towards the decision boundary of the fooling class.
- subsample : int
Limit on the number of the most likely classes that should be considered. A small value is usually sufficient and much faster.
- label : int
The reference label of the original input. Must be passed if a is a numpy.ndarray, must not be passed if a is an
Adversarial
instance.- lambda_ : float
Specifies the factor by which the boundary point is pushed further into the classification region of the fooling class.
- steps : int
Maximum number of steps to perform.
-
classmethod
l1_linear_solver
(initial_point, boundary_point, normal, min_, max_)[source]¶ Computes the L1 solution (perturbation) to the linearized problem. It corresponds to Algorithm 1 in [Rc99dbf830026-1].
Parameters: - initial_point : numpy.ndarray
The initial point for which we seek the L1 solution.
- boundary_point : numpy.ndarray
The point that lies on the decision boundary (or an overshot version of it).
- normal : numpy.ndarray
The normal of the decision boundary at the boundary point.
- min_ : numpy.ndarray
The minimum allowed input values.
- max_ : numpy.ndarray
The maximum allowed input values.
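A numpy sketch of the idea behind this solver: reach the approximated hyperplane by changing one coordinate at a time, always the one with the largest normal component, so the resulting perturbation stays sparse (simplified relative to the paper's Algorithm 1):

```python
import numpy as np

def l1_linear_solver(initial_point, boundary_point, normal, min_, max_):
    """Reach the hyperplane {x : normal @ (x - boundary_point) = 0} from
    initial_point by changing as few coordinates as possible. Each round
    changes the coordinate with the largest remaining |normal| component,
    clipped to [min_, max_]; clipping can leave a residual, so the loop
    moves on to the next coordinate. Returns the sparse perturbation."""
    x = initial_point.astype(float).copy()
    active = np.ones_like(x, dtype=bool)
    for _ in range(x.size):
        residual = normal @ (boundary_point - x)   # remaining signed offset
        if abs(residual) < 1e-9:
            break
        w = np.where(active, normal, 0.0)
        i = np.argmax(np.abs(w))
        if w[i] == 0.0:
            break
        x[i] = np.clip(x[i] + residual / w[i], min_, max_)
        active[i] = False                          # coordinate is exhausted
    return x - initial_point
```

When no clipping occurs, a single coordinate suffices, which is exactly what makes the resulting adversarial perturbations sparse.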
-