一、工具简介
Adversarial Robustness Toolbox 是 IBM 研究团队开源的用于检测模型及对抗攻击的工具箱,为开发人员加强 AI模型被误导的防御性,让 AI 系统变得更加安全,ART支持所有流行的机器学习框架 (TensorFlow,Keras,PyTorch,MXNet,scikit-learn,XGBoost,LightGBM,CatBoost,GPy等),所有数据类型 (图像,表格,音频,视频等)和机器学习任务(分类,物体检测,语音识别, 生成模型,认证等)。
支持以下攻击方法:
- Deep Fool
- Fast Gradient Method
- Jacobian Saliency Map
- Universal Perturbation
- Virtual Adversarial Method
- C&W Attack
- NewtonFool
支持以下防御方法:
- Feature squeezing
- Spatial smoothing
- Label smoothing
- Adversarial training
- Virtual adversarial training
github地址:https://github.com/Trusted-AI/adversarial-robustness-toolbox
| Get Started | Documentation | Contributing |
|---|---|---|
| - Installation - Examples - Notebooks | - Attacks - Defences - Estimators - Metrics - Technical Documentation | - Slack, Invitation - Contributing - Roadmap - Citing |
二、实际应用-攻击样本生成
2.1、手写数字
攻击脚本:
import torch.nn as nn
import torch.nn.functional as F
import torch.optim as optim
import numpy as np
import matplotlib.pyplot as pltfrom art.attacks.evasion import FastGradientMethod
from art.estimators.classification import PyTorchClassifier
from art.utils import load_mnist
import warningswarnings.filterwarnings("ignore")class Net(nn.Module):"""定义初始模型"""def __init__(self):super(Net, self).__init__()self.conv_1 = nn.Conv2d(in_channels=1, out_channels=4, kernel_size=5, stride=1)self.conv_2 = nn.Conv2d(in_channels=4, out_channels=10, kernel_size=5, stride=1)self.fc_1 = nn.Linear(in_features=4 * 4 * 10, out_features=100)self.fc_2 = nn.Linear(in_features=100, out_features=10)def forward(self, x):x = F.relu(self.conv_1(x))x = F.max_pool2d(x, 2, 2)x = F.relu(self.conv_2(x))x = F.max_pool2d(x, 2, 2)x = x.view(-1, 4 * 4 * 10)x = F.relu(self.fc_1(x))x = self.fc_2(x)return xif __name__ == '__main__':# 导入ART自带的MNIST数据集(x_train, y_train), (x_test, y_test), min_pixel_value, max_pixel_value = load_mnist()x_train = np.swapaxes(x_train, 1, 3).astype(np.float32)x_test = np.swapaxes(x_test, 1, 3).astype(np.float32)# 创建模型model = Net()criterion = nn.CrossEntropyLoss()optimizer = optim.Adam(model.parameters(), lr=0.01)# 创建并训练ART分类器,注意:框架内置的调用方式训练模型classifier = PyTorchClassifier(model=model,clip_values=(min_pixel_value, max_pixel_value),loss=criterion,optimizer=optimizer,input_shape=(1, 28, 28),nb_classes=10,)# 演示代码用训练集的前6000条样本训练模型classifier.fit(x_train[:6000], y_train[:6000], batch_size=128, nb_epochs=2)predictions = classifier.predict(x_test)accuracy = np.sum(np.argmax(predictions, axis=1) == np.argmax(y_test, axis=1)) / len(y_test)print("在原始测试集上的准确率为: {}%".format(accuracy * 100))# 用FGSM算法对测试集生成对抗样本并测试分类器对对抗样本的评估效果n = 1for e in range(5, 25, 5):print('-' * 88)eps = round(e / 100, 2)attack = FastGradientMethod(estimator=classifier, eps=eps)x_test_adv = attack.generate(x=x_test[:1000])predictions = classifier.predict(x_test_adv)accuracy = np.sum(np.argmax(predictions, axis=1) == np.argmax(y_test[:1000], axis=1)) / len(y_test[:1000])print(f"扰动eps={eps}时分类器的准确率为: {round(accuracy, 4) * 100}%")adv_data = np.squeeze(x_test_adv)plt.subplot(2, 2, n)plt.title(f'eps:{eps}')plt.imshow(adv_data[1])print("分类器将其分为:", np.argmax(classifier.predict(x_test_adv[1:2]), axis=1)[0])n += 1plt.show()
运行结果:
在原始测试集上的准确率为: 93.73%
----------------------------------------------------------------------------------------
扰动eps=0.05时分类器的准确率为: 81.6%
分类器将其分为: 2
----------------------------------------------------------------------------------------
扰动eps=0.1时分类器的准确率为: 57.8%
分类器将其分为: 2
----------------------------------------------------------------------------------------
扰动eps=0.15时分类器的准确率为: 34.5%
分类器将其分为: 2
----------------------------------------------------------------------------------------
扰动eps=0.2时分类器的准确率为: 16.400000000000002%
分类器将其分为: 0分析结果:
根据以上结果,随着eps的增大,分类器的准确率在下降,当准确下降至16.4%时,分类器将‘2’预测为‘0’。
2.2、交通信号
见:FGSM方法生成交通信号牌的对抗图像样本-CSDN博客
参考:
Adversarial Robustness Toolbox首页、文档和下载 - 检测模型及对抗攻击的工具箱 - OSCHINA - 中文开源技术交流社区
notebook
https://www.cnblogs.com/bonelee/p/16399758.html
