Merge pull request #765 from GiulioZizzo/development_pgd

beat-buesser · web-flow · commit 26c8cbac1408 · 2020-11-27T18:07:30.000Z
Development PGD
diff --git a/art/attacks/evasion/projected_gradient_descent/projected_gradient_descent_numpy.py b/art/attacks/evasion/projected_gradient_descent/projected_gradient_descent_numpy.py
@@ -36,11 +36,7 @@
 from art.config import ART_NUMPY_DTYPE
 from art.estimators.classification.classifier import ClassifierMixin
 from art.estimators.estimator import BaseEstimator, LossGradientsMixin
-from art.utils import (
-    compute_success,
-    get_labels_np_array,
-    check_and_transform_label_format,
-)
+from art.utils import compute_success, get_labels_np_array, check_and_transform_label_format, compute_success_array
 
 if TYPE_CHECKING:
     from art.utils import CLASSIFIER_LOSS_GRADIENTS_TYPE, OBJECT_DETECTOR_TYPE
@@ -259,43 +255,62 @@ def generate(self, x: np.ndarray, y: Optional[np.ndarray] = None, **kwargs) -> n
             targets = self._set_targets(x, y)
 
             # Start to compute adversarial examples
-            adv_x_best = None
-            rate_best = None
-
-            for _ in trange(
-                max(1, self.num_random_init), desc="PGD - Random Initializations", disable=not self.verbose
-            ):
-                adv_x = x.astype(ART_NUMPY_DTYPE)
-
-                for i_max_iter in trange(self.max_iter, desc="PGD - Iterations", leave=False, disable=not self.verbose):
-                    adv_x = self._compute(
-                        adv_x,
-                        x,
-                        targets,
-                        mask,
-                        self.eps,
-                        self.eps_step,
-                        self._project,
-                        self.num_random_init > 0 and i_max_iter == 0,
-                    )
-
-                if self.num_random_init > 1:
-                    rate = 100 * compute_success(
-                        self.estimator, x, targets, adv_x, self.targeted, batch_size=self.batch_size,  # type: ignore
-                    )
-                    if rate_best is None or rate > rate_best or adv_x_best is None:
-                        rate_best = rate
-                        adv_x_best = adv_x
-                else:
-                    adv_x_best = adv_x
+            adv_x = x.astype(ART_NUMPY_DTYPE)
+
+            for batch_id in range(int(np.ceil(x.shape[0] / float(self.batch_size)))):
+                for rand_init_num in trange(
+                    max(1, self.num_random_init), desc="PGD - Random Initializations", disable=not self.verbose
+                ):
+                    batch_index_1, batch_index_2 = batch_id * self.batch_size, (batch_id + 1) * self.batch_size
+                    batch_index_2 = min(batch_index_2, x.shape[0])
+                    batch = x[batch_index_1:batch_index_2]
+                    batch_labels = targets[batch_index_1:batch_index_2]
+                    mask_batch = mask
+
+                    if mask is not None:
+                        if len(mask.shape) == len(x.shape):
+                            mask_batch = mask[batch_index_1:batch_index_2]
+
+                    for i_max_iter in trange(
+                        self.max_iter, desc="PGD - Iterations", leave=False, disable=not self.verbose
+                    ):
+                        batch = self._compute(
+                            batch,
+                            x[batch_index_1:batch_index_2],
+                            batch_labels,
+                            mask_batch,
+                            self.eps,
+                            self.eps_step,
+                            self._project,
+                            self.num_random_init > 0 and i_max_iter == 0,
+                        )
+
+                    if rand_init_num == 0:
+                        # initial (and possibly only) random restart: we only have this set of
+                        # adversarial examples for now
+                        adv_x[batch_index_1:batch_index_2] = np.copy(batch)
+                    else:
+                        # replace adversarial examples if they are successful
+                        attack_success = compute_success_array(
+                            self.estimator,
+                            x[batch_index_1:batch_index_2],
+                            targets[batch_index_1:batch_index_2],
+                            batch,
+                            self.targeted,
+                            batch_size=self.batch_size,
+                        )
+                        adv_x[batch_index_1:batch_index_2][attack_success] = batch[attack_success]
 
             logger.info(
                 "Success rate of attack: %.2f%%",
-                rate_best
-                if rate_best is not None
-                else 100
+                100
                 * compute_success(
-                    self.estimator, x, y, adv_x_best, self.targeted, batch_size=self.batch_size,  # type: ignore
+                    self.estimator,
+                    x,
+                    targets,
+                    adv_x,
+                    self.targeted,
+                    batch_size=self.batch_size,  # type: ignore
                 ),
             )
         else:
@@ -323,6 +338,4 @@ def generate(self, x: np.ndarray, y: Optional[np.ndarray] = None, **kwargs) -> n
                     self.num_random_init > 0 and i_max_iter == 0,
                 )
 
-            adv_x_best = adv_x
-
-        return adv_x_best
+        return adv_x
diff --git a/art/attacks/evasion/projected_gradient_descent/projected_gradient_descent_pytorch.py b/art/attacks/evasion/projected_gradient_descent/projected_gradient_descent_pytorch.py
@@ -37,7 +37,7 @@
 from art.attacks.evasion.projected_gradient_descent.projected_gradient_descent_numpy import (
     ProjectedGradientDescentCommon,
 )
-from art.utils import compute_success, random_sphere
+from art.utils import compute_success, random_sphere, compute_success_array
 
 if TYPE_CHECKING:
     import torch
@@ -154,67 +154,70 @@ def generate(self, x: np.ndarray, y: Optional[np.ndarray] = None, **kwargs) -> n
 
         else:
             dataset = torch.utils.data.TensorDataset(
-                torch.from_numpy(x.astype(ART_NUMPY_DTYPE)), torch.from_numpy(targets.astype(ART_NUMPY_DTYPE)),
+                torch.from_numpy(x.astype(ART_NUMPY_DTYPE)),
+                torch.from_numpy(targets.astype(ART_NUMPY_DTYPE)),
             )
 
         data_loader = torch.utils.data.DataLoader(
             dataset=dataset, batch_size=self.batch_size, shuffle=False, drop_last=False
         )
 
         # Start to compute adversarial examples
-        adv_x_best = None
-        rate_best = None
-
-        for _ in trange(max(1, self.num_random_init), desc="PGD - Random Initializations", disable=not self.verbose):
-            adv_x = x.astype(ART_NUMPY_DTYPE)
-
-            # Compute perturbation with batching
-            for (batch_id, batch_all) in enumerate(
-                tqdm(data_loader, desc="PGD - Batches", leave=False, disable=not self.verbose)
-            ):
-                if mask is not None:
-                    (batch, batch_labels, mask_batch) = batch_all[0], batch_all[1], batch_all[2]
-                else:
-                    (batch, batch_labels, mask_batch) = batch_all[0], batch_all[1], None
+        adv_x = x.astype(ART_NUMPY_DTYPE)
 
-                batch_index_1, batch_index_2 = batch_id * self.batch_size, (batch_id + 1) * self.batch_size
+        # Compute perturbation with batching
+        for (batch_id, batch_all) in enumerate(
+            tqdm(data_loader, desc="PGD - Batches", leave=False, disable=not self.verbose)
+        ):
+            if mask is not None:
+                (batch, batch_labels, mask_batch) = batch_all[0], batch_all[1], batch_all[2]
+            else:
+                (batch, batch_labels, mask_batch) = batch_all[0], batch_all[1], None
 
-                # Compute batch_eps and batch_eps_step
-                if isinstance(self.eps, np.ndarray):
-                    if len(self.eps.shape) == len(x.shape) and self.eps.shape[0] == x.shape[0]:
-                        batch_eps = self.eps[batch_index_1:batch_index_2]
-                        batch_eps_step = self.eps_step[batch_index_1:batch_index_2]
+            batch_index_1, batch_index_2 = batch_id * self.batch_size, (batch_id + 1) * self.batch_size
 
-                    else:
-                        batch_eps = self.eps
-                        batch_eps_step = self.eps_step
+            # Compute batch_eps and batch_eps_step
+            if isinstance(self.eps, np.ndarray):
+                if len(self.eps.shape) == len(x.shape) and self.eps.shape[0] == x.shape[0]:
+                    batch_eps = self.eps[batch_index_1:batch_index_2]
+                    batch_eps_step = self.eps_step[batch_index_1:batch_index_2]
 
                 else:
                     batch_eps = self.eps
                     batch_eps_step = self.eps_step
 
-                adv_x[batch_index_1:batch_index_2] = self._generate_batch(
-                    x=batch, targets=batch_labels, mask=mask_batch, eps=batch_eps, eps_step=batch_eps_step
-                )
-
-            if self.num_random_init > 1:
-                rate = 100 * compute_success(
-                    self.estimator, x, targets, adv_x, self.targeted, batch_size=self.batch_size
-                )
-                if rate_best is None or rate > rate_best or adv_x_best is None:
-                    rate_best = rate
-                    adv_x_best = adv_x
             else:
-                adv_x_best = adv_x
+                batch_eps = self.eps
+                batch_eps_step = self.eps_step
+
+            for rand_init_num in range(max(1, self.num_random_init)):
+                if rand_init_num == 0:
+                    # first iteration: use the adversarial examples as they are the only ones we have now
+                    adv_x[batch_index_1:batch_index_2] = self._generate_batch(
+                        x=batch, targets=batch_labels, mask=mask_batch, eps=batch_eps, eps_step=batch_eps_step
+                    )
+                else:
+                    adversarial_batch = self._generate_batch(
+                        x=batch, targets=batch_labels, mask=mask_batch, eps=batch_eps, eps_step=batch_eps_step
+                    )
+
+                    # return the successful adversarial examples
+                    attack_success = compute_success_array(
+                        self.estimator,
+                        batch,
+                        batch_labels,
+                        adversarial_batch,
+                        self.targeted,
+                        batch_size=self.batch_size,
+                    )
+                    adv_x[batch_index_1:batch_index_2][attack_success] = adversarial_batch[attack_success]
 
         logger.info(
             "Success rate of attack: %.2f%%",
-            rate_best
-            if rate_best is not None
-            else 100 * compute_success(self.estimator, x, y, adv_x_best, self.targeted, batch_size=self.batch_size),
+            100 * compute_success(self.estimator, x, y, adv_x, self.targeted, batch_size=self.batch_size),
         )
 
-        return adv_x_best
+        return adv_x
 
     def _generate_batch(
         self,
@@ -245,7 +248,13 @@ def _generate_batch(
 
         for i_max_iter in range(self.max_iter):
             adv_x = self._compute_torch(
-                adv_x, inputs, targets, mask, eps, eps_step, self.num_random_init > 0 and i_max_iter == 0,
+                adv_x,
+                inputs,
+                targets,
+                mask,
+                eps,
+                eps_step,
+                self.num_random_init > 0 and i_max_iter == 0,
             )
 
         return adv_x.cpu().detach().numpy()
@@ -408,25 +417,31 @@ def _projection(
                     "The parameter `eps` of type `np.ndarray` is not supported to use with norm 2."
                 )
 
-            values_tmp = values_tmp * torch.min(
-                torch.tensor([1.0], dtype=torch.float32).to(self.estimator.device),
-                eps / (torch.norm(values_tmp, p=2, dim=1) + tol),
-            ).unsqueeze_(-1)
+            values_tmp = (
+                values_tmp
+                * torch.min(
+                    torch.tensor([1.0], dtype=torch.float32).to(self.estimator.device),
+                    eps / (torch.norm(values_tmp, p=2, dim=1) + tol),
+                ).unsqueeze_(-1)
+            )
 
         elif norm_p == 1:
             if isinstance(eps, np.ndarray):
                 raise NotImplementedError(
                     "The parameter `eps` of type `np.ndarray` is not supported to use with norm 1."
                 )
 
-            values_tmp = values_tmp * torch.min(
-                torch.tensor([1.0], dtype=torch.float32).to(self.estimator.device),
-                eps / (torch.norm(values_tmp, p=1, dim=1) + tol),
-            ).unsqueeze_(-1)
+            values_tmp = (
+                values_tmp
+                * torch.min(
+                    torch.tensor([1.0], dtype=torch.float32).to(self.estimator.device),
+                    eps / (torch.norm(values_tmp, p=1, dim=1) + tol),
+                ).unsqueeze_(-1)
+            )
 
         elif norm_p in [np.inf, "inf"]:
             if isinstance(eps, np.ndarray):
-                eps = eps * np.ones_like(values)
+                eps = eps * np.ones_like(values.cpu())
                 eps = eps.reshape([eps.shape[0], -1])
 
             values_tmp = values_tmp.sign() * torch.min(
diff --git a/art/attacks/evasion/projected_gradient_descent/projected_gradient_descent_tensorflow_v2.py b/art/attacks/evasion/projected_gradient_descent/projected_gradient_descent_tensorflow_v2.py
