本文介绍了如何使用cleverhans库生成对抗样本,包括FGSM、PGD和CW攻击。首先,加载并训练了一个简单的MNIST分类模型,然后通过这些攻击方法展示了如何使模型对输入数据产生错误预测,从而揭示了模型的脆弱性。
cleverhans模块的使用
介绍
cleverhans是一个开源的对抗样本库,最新版本v4.0.0支持pytorch,v3.1.0及之前仅仅支持tensorflow- 里面实现了常见对抗样本的攻击和防御,
v4.0.0版本还不太完善,仅仅实现了部分算法 - 下载:
pip install cleverhans
使用:
对抗样本生成常见流程:
- 收集处理数据
- 构建并训练目标模型
- 实现相应的对抗样本算法,实现与之对应的对抗样本
导入对应包
import cleverhans
from cleverhans.torch.attacks.fast_gradient_method import fast_gradient_method
from cleverhans.torch.attacks.carlini_wagner_l2 import carlini_wagner_l2
from cleverhans.torch.attacks.projected_gradient_descent import projected_gradient_descent
import numpy as np
import torch
import torch.nn as nn
from torchvision.datasets import MNIST
from torchvision.transforms import ToTensor
from torch.utils.data import DataLoader
import matplotlib.pyplot as plt
import os
import torch.nn.functional as F
from tqdm import tqdm
os.environ["KMP_DUPLICATE_LIB_OK"]="TRUE"
%matplotlib inline
收集处理数据:
我们采用torchvision模块中的MNIST数据集
#MNIST数据集加载和处理
train_data=MNIST(root="data",train=True,download=False,transform=ToTensor())
test_data=MNIST(root="data",train=False,download=False,transform=ToTensor())
#数据处理
batch_size=16
train_loader=DataLoader(train_data,batch_size=batch_size)
test_loader=DataLoader(test_data,batch_size=batch_size)
原始数据可视化:
for x,label in train_loader:
plt.figure(figsize=(16,8))
id=0
for i in range(4):
for j in range(4):
plt.subplot(4,4,id+1)
plt.imshow(x[id,0].reshape(28,28),cmap="gray")
plt.title(str(label[id].detach().numpy()),{"color":"red"})
plt.axis("off")
id+=1
break
构建模型进行训练:
#构建网络模型
class Net(nn.Module):
def __init__(self):
super(Net,self).__init__()
self.conv=nn.Sequential(nn.Conv2d(1,16,3,1,0),nn.ReLU(),nn.Conv2d(16,8,3,1,0),nn.ReLU())
self.full=nn.Sequential(nn.Linear(8*24*24,32),nn.ReLU(),nn.Linear(32,10))
def weight_init(self):
for m in self._modules:
if isinstance(m, nn.Linear) or isinstance(m, nn.Conv2d): #判断当前网络结构是否为全连接层或者卷积层
m.weight.data.normal_(0.0, 0.01)
m.bias.data.zero_()
def forward(self,inx):
x=self.conv(inx)
# print(x.shape)
# input()
x=x.view(-1,8*24*24)
x=self.full(x)
return x
模型训练
#模型训练
def train(model,data_loader,loss_func,epochs,lr):
optimizer=torch.optim.Adam(model.parameters(),lr)
for epoch in range(1,epochs+1):
for i,(x,y) in tqdm(enumerate(data_loader)):
x=x.to(device)
y=y.to(device)
out=model(x)
loss=loss_func(out,y)
optimizer.zero_grad()
loss.backward()
optimizer.step()
if i%1000==0:
print(f"epoch:{epoch}|| current_num:{i}|| loss:{loss}")
criterion=nn.CrossEntropyLoss()
lr=1e-3
epochs=1
net.weight_init()
模型测试:
def test(model,data_loader):
correct_sum=0
all_sum=0
for x,y in data_loader:
x=x.to(device)
out=torch.argmax(model(x),dim=1).cpu()
correct=(out==y).sum()
correct_sum+=correct
all_sum+=len(y)
return correct_sum/all_sum
sample=next(iter(test_loader))
data,label=sample
predic=torch.argmax(net(data.to(device)),dim=1).detach().cpu()
plt.figure(figsize=(16,8))
id=0
for i in range(4):
for j in range(4):
plt.subplot(4,4,id+1)
plt.imshow(data[id,0].reshape(28,28),cmap="gray")
plt.title(f"{label[id]}->{predic[id]}",{"color":"red"})
plt.axis("off")
id+=1
对抗样本生成
FGSM算法:
advx=fast_gradient_method(net,data.to(device),0.1,np.inf).detach().cpu()
predic=torch.argmax(net(advx.to(device)),dim=1).detach().cpu()
plt.figure(figsize=(16,8))
id=0
for i in range(4):
for j in range(4):
plt.subplot(4,4,id+1)
plt.imshow(advx[id,0].reshape(28,28),cmap="gray")
plt.title(f"{label[id]}->{predic[id]}",{"color":"red"})
plt.axis("off")
id+=1
PGD算法:
advx=projected_gradient_descent(net,data.to(device),0.1,0.05,40,np.inf).detach().cpu()
predic=torch.argmax(net(advx.to(device)),dim=1).detach().cpu()
CW算法
1.定向攻击,target=5
advx=carlini_wagner_l2(net,data.to(device),10,torch.tensor([5]*batch_size,device=device),targeted=True).detach().cpu()
predic=torch.argmax(net(advx.to(device)),dim=1).detach().cpu()
2.非定向攻击
advx=carlini_wagner_l2(net,data.to(device),10,torch.tensor([5]*batch_size,device=device),targeted=False).detach().cpu()
predic=torch.argmax(net(advx.to(device)),dim=1).detach().cpu()
扫一扫
473
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
