|
| 1 | +# MIT License |
| 2 | +# |
| 3 | +# Copyright (C) The Adversarial Robustness Toolbox (ART) Authors 2021 |
| 4 | +# |
| 5 | +# Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated |
| 6 | +# documentation files (the "Software"), to deal in the Software without restriction, including without limitation the |
| 7 | +# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit |
| 8 | +# persons to whom the Software is furnished to do so, subject to the following conditions: |
| 9 | +# |
| 10 | +# The above copyright notice and this permission notice shall be included in all copies or substantial portions of the |
| 11 | +# Software. |
| 12 | +# |
| 13 | +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE |
| 14 | +# WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE |
| 15 | +# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, |
| 16 | +# TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE |
| 17 | +# SOFTWARE. |
| 18 | +""" |
| 19 | +This module implements the greedy search algorithm of the `LaserBeam` attack. |
| 20 | +
|
| 21 | +| Paper link: https://arxiv.org/abs/2103.06504 |
| 22 | +""" |
| 23 | +from typing import Optional, Tuple |
| 24 | + |
| 25 | +import numpy as np |
| 26 | + |
| 27 | +from art.attacks.evasion.laser_attack.utils import AdversarialObject, AdvObjectGenerator, DebugInfo, ImageGenerator |
| 28 | + |
| 29 | + |
| 30 | +def greedy_search( |
| 31 | + image: np.ndarray, |
| 32 | + estimator, |
| 33 | + iterations: int, |
| 34 | + actual_class: int, |
| 35 | + actual_class_confidence: float, |
| 36 | + adv_object_generator: AdvObjectGenerator, |
| 37 | + image_generator: ImageGenerator, |
| 38 | + debug: Optional[DebugInfo] = None, |
| 39 | +) -> Tuple[Optional[AdversarialObject], Optional[int]]: |
| 40 | + """ |
| 41 | + Greedy search algorithm used to generate parameters of an adversarial object that added to the :image will mislead |
| 42 | + the neural network. |
| 43 | + Based on the paper: |
| 44 | + https://openaccess.thecvf.com/content/CVPR2021/papers/Duan_Adversarial_Laser_Beam_Effective_Physical-World_Attack_to_DNNs_in_a_CVPR_2021_paper.pdf |
| 45 | +
|
| 46 | + :param image: Image to attack. |
| 47 | + :param estimator: Predictor of the image class. |
| 48 | + :param iterations: Maximum number of iterations of the algorithm. |
| 49 | + :param actual_class: |
| 50 | + :param actual_class_confidence: |
| 51 | + :param adv_object_generator: Object responsible for adversarial object generation. |
| 52 | + :param image_generator: Object responsible for image generation. |
| 53 | + :param debug: Optional debug handler. |
| 54 | + """ |
| 55 | + |
| 56 | + params = adv_object_generator.random() |
| 57 | + for _ in range(iterations): |
| 58 | + predicted_class = actual_class |
| 59 | + for sign in [-1, 1]: |
| 60 | + params_prim = adv_object_generator.update_params(params, sign=sign) |
| 61 | + adversarial_image = image_generator.update_image(image, params_prim) |
| 62 | + prediction = estimator.predict(adversarial_image) |
| 63 | + if debug is not None: |
| 64 | + DebugInfo.report(debug, params_prim, np.squeeze(adversarial_image, 0)) |
| 65 | + predicted_class = prediction.argmax() |
| 66 | + confidence_adv = prediction[0][actual_class] |
| 67 | + |
| 68 | + if confidence_adv <= actual_class_confidence: |
| 69 | + params = params_prim |
| 70 | + actual_class_confidence = confidence_adv |
| 71 | + break |
| 72 | + |
| 73 | + if predicted_class != actual_class: |
| 74 | + return params, predicted_class |
| 75 | + |
| 76 | + return None, None |
0 commit comments