对抗攻击FGSM的纯粹版FGNS

引言

 $\mathrm{F}\mathrm{G}\mathrm{S}\mathrm{M}$是基于梯度迭代攻击中生成对抗样本的开创性工作。我第一次接触相关工作的时候，给我困惑最多的就是论文中为什么要给梯度加上$\mathrm{s}\mathrm{i}\mathrm{g}\mathrm{n}$这个符号函数，因为这会导致生成的对抗扰动的方向与最速梯度方向有一个锐角偏移。$\mathrm{I}\mathrm{a}\mathrm{n}\mathrm{G}\mathrm{o}\mathrm{o}\mathrm{d}\mathrm{f}\mathrm{e}\mathrm{l}\mathrm{l}\mathrm{o}\mathrm{w}$在斯坦福大学的讲座里对梯度符号中加入$\mathrm{s}\mathrm{i}\mathrm{g}\mathrm{n}$符号给出了一个基于实证的解释，即在线性假设下，给定一个数据集的样本，当样本中对抗扰动分量方向与梯度分量的方向相同的个数如果多余某个常数时，该样本沿着对抗扰动的方向即可进入到对抗子区域中。这个解释是在说明加入$\mathrm{s}\mathrm{i}\mathrm{g}\mathrm{n}$符号后的扰动方向依然具有攻击性，但从原理上来说这并不是最好的攻击方向。最近看到了一篇文章，就讨论了该问题，论文作者通过原理分析实验验证，发现当梯度方向加入$\mathrm{s}\mathrm{i}\mathrm{g}\mathrm{n}$符号后会使得攻击效率比较低。论文的代码链接失效，我根据论文中的算法流程图重新编写了一下代码。
论文链接：https://arxiv.org/abs/2110.12734

理论分析

 给定一个样本$x$，其对应的标签为$y$，损失函数为$\mathcal{L}(x,y)$，其中第$t$步生成的对抗样本为$x_T^{adv}$。根据多元函数的泰勒展开公式可以得到如下方程组
$$\{\begin{array}{rl}\mathcal{L}(x_T^{adv},y)& =\mathcal{L}(x_{T-1}^{adv},y)+(x_T^{adv}-x_{T-1}^{adv})\cdot \nabla \mathcal{L}(x_{T-1}^{adv},y)+O(\Vert x_T^{adv}-x_{T-1}^{adv}{\Vert }^2)\\ \mathcal{L}(x_{T-1}^{adv},y)& =\mathcal{L}(x_{T-2}^{adv},y)+(x_{T-1}^{adv}-x_{T-2}^{adv})\cdot \nabla \mathcal{L}(x_{T-2}^{adv},y)+O(\Vert x_{T-1}^{adv}-x_{T-2}^{adv}{\Vert }^2)\\ \mathcal{L}(x_{T-2}^{adv},y)& =\mathcal{L}(x_{T-3}^{adv},y)+(x_{T-2}^{adv}-x_{T-3}^{adv})\cdot \nabla \mathcal{L}(x_{T-3}^{adv},y)+O(\Vert x_{T-2}^{adv}-x_{T-3}^{adv}{\Vert }^2)\\ ⋮& \\ \mathcal{L}(x_3^{adv},y)& =\mathcal{L}(x_2^{adv},y)+(x_3^{adv}-x_2^{adv})\cdot \nabla \mathcal{L}(x_2^{adv},y)+O(\Vert x_3^{adv}-x_2^{adv}{\Vert }^2)\\ \mathcal{L}(x_2^{adv},y)& =\mathcal{L}(x_2^{adv},y)+(x_2^{adv}-x_1^{adv})\cdot \nabla \mathcal{L}(x_1^{adv},y)+O(\Vert x_2^{adv}-x_1^{adv}{\Vert }^2)\\ \mathcal{L}(x_1^{adv},y)& =\mathcal{L}(x_0^{adv},y)+(x_1^{adv}-x_0^{adv})\cdot \nabla \mathcal{L}(x_0^{adv},y)+O(\Vert x_1^{adv}-x_0^{adv}{\Vert }^2)\end{array}$$根据以上方程组可以得到如下公式$$\mathcal{L}(x_T^{adv},y)=\mathcal{L}(x,y)+\sum _{t=0}^{T-1}(x_{t+1}^{adv}-x_t^{adv})\cdot \nabla \mathcal{L}(x_t^{adv},y)+\sum _{t=0}^{T-1}O(\Vert x_{t+1}^{adv}-x_t^{adv}{\Vert }^2)$$令${\delta }_t=x_{t+1}^{adv}-x_t^{adv}$，$g_t=\nabla \mathcal{L}(x_t^{adv},y)$，进而则有$$\begin{array}{rl}\mathcal{L}(x_T^{adv},y)& =\mathcal{L}(x,y)+\sum _{t=0}^{T-1}{\delta }_t\cdot g_t+\sum _{t=0}^{T-1}O(\Vert {\delta }_t{\Vert }^2)\\ & =\mathcal{L}(x,y)+\sum _{t=0}^{T-1}\Vert {\delta }_t\Vert \cdot \Vert g_t\Vert \cdot \cos ⟨{\delta }_t,g_t⟩+\sum _{t=0}^{T-1}O(\Vert {\delta }_t{\Vert }^2)\\ & \approx \mathcal{L}(x,y)+\sum _{t=0}^{T-1}\Vert {\delta }_t\Vert \cdot \Vert g_t\Vert \cdot \cos ⟨{\delta }_t,g_t⟩\end{array}$$假设$x_t^{adv}=\left[x_t^1,x_t^2,\cdots ,x_t^D\right]$，$g_t=\left[{\nabla }_{x_t^1},{\nabla }_{x_t^2},\cdots ,{\nabla }_{x_t^D}\right]$，且$D=H\times W\times C$。令${\delta }_t=\mathrm{s}\mathrm{i}\mathrm{g}\mathrm{n}(g_t)$，则此时${\delta }_t$和$g_t$的余弦值$\cos {\theta }_t$表示为$$\cos {\theta }_t=\frac{g_t\cdot \mathrm{s}\mathrm{i}\mathrm{g}\mathrm{n}(g_t)}{\Vert g_t\Vert \Vert \mathrm{s}\mathrm{i}\mathrm{g}\mathrm{n}(g_t)\Vert }$$因为$$\begin{array}{rl}{g}_t\cdot \mathrm{s}\mathrm{i}\mathrm{g}\mathrm{n}(g_t)& ={\nabla }_{x_t^1}\cdot \mathrm{s}\mathrm{i}\mathrm{g}\mathrm{n}({\nabla }_{x_t^1})+{\nabla }_{x_t^2}\cdot \mathrm{s}\mathrm{i}\mathrm{g}\mathrm{n}({\nabla }_{x_t^2})+\cdots +{\nabla }_{x_t^D}\cdot \mathrm{s}\mathrm{i}\mathrm{g}\mathrm{n}({\nabla }_{x_t^D})\\ & =\left|{\nabla }_{x_t^1}\right|+\left|{\nabla }_{x_t^2}\right|+\cdots +\left|{\nabla }_{x_t^D}\right|\\ & ={\Vert g_t\Vert }_1\end{array}$$又因为$\Vert g_t{\Vert }_0=\Vert \mathrm{s}\mathrm{i}\mathrm{g}\mathrm{n}(g_t)\Vert \approx D$，在向量所有的$p$范数中1范数是最大的，即$\Vert \cdot {\Vert }_1\ge \Vert \cdot \Vert$，此时则有$$\begin{array}{rl}\cos {\theta }_t=\frac{\Vert g_t{\Vert }_1}{\Vert g_t\Vert \Vert \mathrm{s}\mathrm{i}\mathrm{g}\mathrm{n}(g_t)\Vert }⟹& \frac{1}{\sqrt{D}}<\cos {\theta }_t\le 1\end{array}$$进而则有$$1<\Vert {\delta }_t\Vert \cos {\theta }_t\le \sqrt{D}$$令新的对抗扰动为${\delta }_t^{\prime }$，且此时该扰动的方向与梯度方向一致即$$\cos ⟨{\delta }_t^{\prime },g_t⟩=\cos {\varphi }_t=1$$为了能够使得与$\mathrm{F}\mathrm{G}\mathrm{S}\mathrm{M}$的扰动步长$\Vert \mathrm{s}\mathrm{i}\mathrm{g}\mathrm{n}(g_t)\Vert$范围一致，则有$$\zeta =\frac{\Vert \mathrm{s}\mathrm{i}\mathrm{g}\mathrm{n}(g_t)\Vert }{\Vert g_t\Vert }$$进而则有$$\begin{array}{rl}& {\delta }_t^{\prime }=\zeta \cdot g_t\\ ⟹& \Vert {\delta }_t^{\prime }\Vert =\frac{\Vert \mathrm{s}\mathrm{i}\mathrm{g}\mathrm{n}(g_t)\Vert }{\Vert g_t\Vert }\cdot \Vert g_t\Vert =\Vert \mathrm{s}\mathrm{i}\mathrm{g}\mathrm{n}(g_t)\Vert \end{array}$$根据以上公式则可以推导出$$\Vert {\delta }_t\Vert \cos {\theta }_t\le \Vert {\delta }_t^{\prime }\Vert \cos {\varphi }_t=\sqrt{D}$$给定$ϵ$的范围，第$t$步的对抗扰动为$$x_{t+1}^{adv}-x_t^{adv}={\mathrm{c}\mathrm{l}\mathrm{i}\mathrm{p}}_{ϵ}^x\left(x_t^{adv}+\alpha \cdot {\delta }_t^{\prime }\right)-x_t^{adv}$$$\mathrm{F}\mathrm{G}\mathrm{N}\mathrm{M}$具体的算法流程图如下所示

实验结果

 如下图所示，为原始梯度方向和$\mathrm{s}\mathrm{i}\mathrm{g}\mathrm{n}$梯度方向的可视化剪头图。从下图发现原始梯度更快更高效收敛到最优点中。然而$\mathrm{s}\mathrm{i}\mathrm{g}\mathrm{n}$施加到梯度上会使得它推离最优方向，导致要以更多的迭代次数才能达到最优点。

 如下两图所示为不同方法的平均攻击成功率比较。作者使用$\mathrm{I}\mathrm{n}\mathrm{c}-\mathrm{v}3$作为白盒，并计算其它四种黑盒模型($\mathrm{I}\mathrm{n}\mathrm{c}$-$\mathrm{v}4$、$\mathrm{R}\mathrm{e}\mathrm{s}152$、$\mathrm{I}\mathrm{n}\mathrm{c}\mathrm{R}\mathrm{e}\mathrm{s}$和$\mathrm{D}\mathrm{e}\mathrm{n}161$)的平均攻击成功率，可以发现在各个攻击迭代方法下，应用论文中的方法会取得更好的效果。

算法实现

from torchvision import datasets, transforms
from torch.utils.data import DataLoader, Dataset
import torch
import torch.nn as nn
from torch.autograd import Variable
import torch.optim as optim
import torch.nn.functional as F
import os

class CNN(nn.Module):
    def __init__(self):
        super().__init__()
        self.Sq1 = nn.Sequential(         
            nn.Conv2d(in_channels=1, out_channels=16, kernel_size=5, stride=1, padding=2),   # (16, 28, 28)                           #  output: (16, 28, 28)
            nn.ReLU(),                    
            nn.MaxPool2d(kernel_size=2),    # (16, 14, 14)
        )
        self.Sq2 = nn.Sequential(
            nn.Conv2d(in_channels=16, out_channels=32, kernel_size=5, stride=1, padding=2),  # (32, 14, 14)
            nn.ReLU(),                      
            nn.MaxPool2d(2),                # (32, 7, 7)
        )
        self.out = nn.Linear(32 * 7 * 7, 10)   

    def forward(self, x):
        x = self.Sq1(x)
        x = self.Sq2(x)
        x = x.view(x.size(0), -1)          
        output = self.out(x)
        return output
        
def FGM_attack(inputs, targets, net, alpha, epsilon, attack_type):
	delta = torch.zeros_like(inputs)
	delta.requires_grad = True
	outputs = net(inputs + delta)
	loss = nn.CrossEntropyLoss()(outputs, targets)
	loss.backward()
	grad = delta.grad.detach()
	if type == 'FGSN':
		zeta = (torch.norm(inputs, p=0, dim=(2,3), keepdim=True) / torch.norm(inputs, p=2, dim=(2,3), keepdim=True)) * torch.ones(inputs.shape)
		delta.data = torch.clamp(delta + alpha * zeta * grad, -epsilon, epsilon)
	else:
		delta.data = torch.clamp(delta + alpha * torch.sign(grad), -epsilon, epsilon)
	delta = delta.detach()
	return delta

def main():
	alpha = 0.2
	epsilon = 0.5
	total = 0
	correct1 = 0
	correct2 = 0
	model = CNN()
	model.load_state_dict(torch.load('model/model.pt'))
	use_cuda = torch.cuda.is_available()
	mnist_train = datasets.MNIST("mnist-data", train=True, download=True, transform=transforms.ToTensor())
	train_loader = torch.utils.data.DataLoader(mnist_train, batch_size= 5, shuffle=True)

	for batch_idx, (inputs, targets) in enumerate(train_loader):
		if use_cuda:
			inputs, targets = inputs.cuda(), targets.cuda()
		inputs, targets = Variable(inputs), Variable(targets)
		total += targets.size(0)

		delta1 = FGM_attack(inputs, targets, model, alpha, epsilon, 'FGNM')
		adv_image1 = torch.clamp(inputs + delta1, 0, 1)
		outputs1 = model(adv_image1)
		_, predicted1 = torch.max(outputs1.data, 1)
		correct1 += predicted1.eq(targets.data).cpu().sum().item()
		print('The FGNM accuracy:', correct1, total, correct1/total)

		delta2 = FGM_attack(inputs, targets, model, alpha, epsilon, 'FGSM')
		adv_images2 = torch.clamp(inputs + delta1, 0, 1)
		outputs2 = model(adv_images2)
		_, predicted2 = torch.max(outputs2.data, 1)
		correct2 += predicted2.eq(targets.data).cpu().sum().item()
		print('The FGSM accuracy:', correct2, total, correct2/total)
	print('The FGNM accuracy:', correct1)
	print('The FGSM accuracy:', correct2)

if __name__ == '__main__':
	main() 

当给定的攻击步长$\alpha =0.2$，则有如下实验结果