Merge pull request #882 from Trusted-AI/development_issue_823

Expand range of eps_step and eps in PGD attacks

Author: beat-buesser

art/attacks/evasion/fast_gradient.py

@@ -281,25 +281,27 @@ def generate(self, x: np.ndarray, y: Optional[np.ndarray] = None, **kwargs) -> n
         return adv_x_best
 
     def _check_params(self) -> None:
-        # Check if order of the norm is acceptable given current implementation
+
         if self.norm not in [1, 2, np.inf, "inf"]:
             raise ValueError('Norm order must be either 1, 2, `np.inf` or "inf".')
 
-        if (not (isinstance(self.eps, (int, float, np.ndarray)) and isinstance(self.eps_step, (int, float)))) and (
-            hasattr(self, "minimal")
-            and self.minimal
-            and not (isinstance(self.eps, np.ndarray) and isinstance(self.eps_step, np.ndarray))
+        if not (
+            isinstance(self.eps, (int, float))
+            and isinstance(self.eps_step, (int, float))
+            or isinstance(self.eps, np.ndarray)
+            and isinstance(self.eps_step, np.ndarray)
         ):
             raise TypeError(
-                "The perturbation size `eps` and the perturbation step-size `eps_step` must have the same type."
+                "The perturbation size `eps` and the perturbation step-size `eps_step` must have the same type of `int`"
+                ", `float`, or `np.ndarray`."
             )
 
         if isinstance(self.eps, (int, float)):
-            if self.eps <= 0:
-                raise ValueError("The perturbation size `eps` has to be positive.")
+            if self.eps < 0:
+                raise ValueError("The perturbation size `eps` has to be nonnegative.")
         else:
-            if (self.eps <= 0).any():
-                raise ValueError("The perturbation size `eps` has to be positive.")
+            if (self.eps < 0).any():
+                raise ValueError("The perturbation size `eps` has to be nonnegative.")
 
         if isinstance(self.eps_step, (int, float)):
             if self.eps_step <= 0:
@@ -308,14 +310,11 @@ def _check_params(self) -> None:
             if (self.eps_step <= 0).any():
                 raise ValueError("The perturbation step-size `eps_step` has to be positive.")
 
-        if (
-            isinstance(self.eps, np.ndarray)
-            and isinstance(self.eps_step, np.ndarray)
-            and self.eps.shape != self.eps_step.shape
-        ):
-            raise ValueError(
-                "The perturbation size `eps` and the perturbation step-size `eps_step` must have the same shape."
-            )
+        if isinstance(self.eps, np.ndarray) and isinstance(self.eps_step, np.ndarray):
+            if self.eps.shape != self.eps_step.shape:
+                raise ValueError(
+                    "The perturbation size `eps` and the perturbation step-size `eps_step` must have the same shape."
+                )
 
         if not isinstance(self.targeted, bool):
             raise ValueError("The flag `targeted` has to be of type bool.")
@@ -377,8 +376,10 @@ def _apply_norm(grad, object_type=False):
     def _apply_perturbation(
         self, batch: np.ndarray, perturbation: np.ndarray, eps_step: Union[int, float, np.ndarray]
     ) -> np.ndarray:
-        batch = batch + eps_step * perturbation
 
+        perturbation_step = eps_step * perturbation
+        perturbation_step[np.isnan(perturbation_step)] = 0
+        batch = batch + perturbation_step
         if self.estimator.clip_values is not None:
             clip_min, clip_max = self.estimator.clip_values
             batch = np.clip(batch, clip_min, clip_max)

art/attacks/evasion/projected_gradient_descent/projected_gradient_descent.py

@@ -185,21 +185,27 @@ def set_params(self, **kwargs) -> None:
         self._attack.set_params(**kwargs)
 
     def _check_params(self) -> None:
-        # Check if order of the norm is acceptable given current implementation
+
         if self.norm not in [1, 2, np.inf, "inf"]:
             raise ValueError('Norm order must be either 1, 2, `np.inf` or "inf".')
 
-        if not (isinstance(self.eps, (int, float, np.ndarray)) and isinstance(self.eps_step, (int, float, np.ndarray))):
+        if not (
+            isinstance(self.eps, (int, float))
+            and isinstance(self.eps_step, (int, float))
+            or isinstance(self.eps, np.ndarray)
+            and isinstance(self.eps_step, np.ndarray)
+        ):
             raise TypeError(
-                "The perturbation size `eps` and the perturbation step-size `eps_step` must have the same type."
+                "The perturbation size `eps` and the perturbation step-size `eps_step` must have the same type of `int`"
+                ", `float`, or `np.ndarray`."
             )
 
         if isinstance(self.eps, (int, float)):
-            if self.eps <= 0:
-                raise ValueError("The perturbation size `eps` has to be positive.")
+            if self.eps < 0:
+                raise ValueError("The perturbation size `eps` has to be nonnegative.")
         else:
-            if (self.eps <= 0).any():
-                raise ValueError("The perturbation size `eps` has to be positive.")
+            if (self.eps < 0).any():
+                raise ValueError("The perturbation size `eps` has to be nonnegative.")
 
         if isinstance(self.eps_step, (int, float)):
             if self.eps_step <= 0:
@@ -214,13 +220,6 @@ def _check_params(self) -> None:
                     "The perturbation size `eps` and the perturbation step-size `eps_step` must have the same shape."
                 )
 
-            if self.norm in ["inf", np.inf] and (self.eps_step > self.eps).any():
-                raise ValueError("The iteration step `eps_step` has to be smaller than the total attack `eps`.")
-
-        else:
-            if self.norm in ["inf", np.inf] and self.eps_step > self.eps:
-                raise ValueError("The iteration step `eps_step` has to be smaller than the total attack `eps`.")
-
         if not isinstance(self.targeted, bool):
             raise ValueError("The flag `targeted` has to be of type bool.")
 
@@ -233,8 +232,8 @@ def _check_params(self) -> None:
         if self.batch_size <= 0:
             raise ValueError("The batch size `batch_size` has to be positive.")
 
-        if self.max_iter <= 0:
-            raise ValueError("The number of iterations `max_iter` has to be a positive integer.")
+        if self.max_iter < 0:
+            raise ValueError("The number of iterations `max_iter` has to be a nonnegative integer.")
 
         if not isinstance(self.verbose, bool):
             raise ValueError("The verbose has to be a Boolean.")

art/attacks/evasion/projected_gradient_descent/projected_gradient_descent_numpy.py

@@ -159,16 +159,58 @@ def _set_targets(self, x: np.ndarray, y: np.ndarray, classifier_mixin: bool = Tr
         return targets
 
     def _check_params(self) -> None:
-        super(ProjectedGradientDescentCommon, self)._check_params()
 
-        if (self.norm in ["inf", np.inf]) and (
-            (isinstance(self.eps, (int, float)) and self.eps_step > self.eps)
-            or (isinstance(self.eps, np.ndarray) and (self.eps_step > self.eps).any())
+        if self.norm not in [1, 2, np.inf, "inf"]:
+            raise ValueError('Norm order must be either 1, 2, `np.inf` or "inf".')
+
+        if not (
+            isinstance(self.eps, (int, float))
+            and isinstance(self.eps_step, (int, float))
+            or isinstance(self.eps, np.ndarray)
+            and isinstance(self.eps_step, np.ndarray)
         ):
-            raise ValueError("The iteration step `eps_step` has to be smaller than the total attack `eps`.")
+            raise TypeError(
+                "The perturbation size `eps` and the perturbation step-size `eps_step` must have the same type of `int`"
+                ", `float`, or `np.ndarray`."
+            )
+
+        if isinstance(self.eps, (int, float)):
+            if self.eps < 0:
+                raise ValueError("The perturbation size `eps` has to be nonnegative.")
+        else:
+            if (self.eps < 0).any():
+                raise ValueError("The perturbation size `eps` has to be nonnegative.")
+
+        if isinstance(self.eps_step, (int, float)):
+            if self.eps_step <= 0:
+                raise ValueError("The perturbation step-size `eps_step` has to be positive.")
+        else:
+            if (self.eps_step <= 0).any():
+                raise ValueError("The perturbation step-size `eps_step` has to be positive.")
+
+        if isinstance(self.eps, np.ndarray) and isinstance(self.eps_step, np.ndarray):
+            if self.eps.shape != self.eps_step.shape:
+                raise ValueError(
+                    "The perturbation size `eps` and the perturbation step-size `eps_step` must have the same shape."
+                )
+
+        if not isinstance(self.targeted, bool):
+            raise ValueError("The flag `targeted` has to be of type bool.")
+
+        if not isinstance(self.num_random_init, (int, np.int)):
+            raise TypeError("The number of random initialisations has to be of type integer.")
+
+        if self.num_random_init < 0:
+            raise ValueError("The number of random initialisations `random_init` has to be greater than or equal to 0.")
+
+        if self.batch_size <= 0:
+            raise ValueError("The batch size `batch_size` has to be positive.")
+
+        if self.max_iter < 0:
+            raise ValueError("The number of iterations `max_iter` has to be a nonnegative integer.")
 
-        if self.max_iter <= 0:
-            raise ValueError("The number of iterations `max_iter` has to be a positive integer.")
+        if not isinstance(self.verbose, bool):
+            raise ValueError("The verbose has to be a Boolean.")
 
 
 class ProjectedGradientDescentNumpy(ProjectedGradientDescentCommon):

art/attacks/evasion/projected_gradient_descent/projected_gradient_descent_pytorch.py

@@ -312,8 +312,9 @@ def _apply_perturbation(
         import torch  # lgtm [py/repeated-import]
 
         eps_step = np.array(eps_step, dtype=ART_NUMPY_DTYPE)
-        x = x + torch.tensor(eps_step).to(self.estimator.device) * perturbation
-
+        perturbation_step = torch.tensor(eps_step).to(self.estimator.device) * perturbation
+        perturbation_step[torch.isnan(perturbation_step)] = 0
+        x = x + perturbation_step
         if self.estimator.clip_values is not None:
             clip_min, clip_max = self.estimator.clip_values
             x = torch.max(

art/attacks/evasion/projected_gradient_descent/projected_gradient_descent_tensorflow_v2.py

@@ -304,11 +304,12 @@ def _apply_perturbation(
         """
         import tensorflow as tf  # lgtm [py/repeated-import]
 
-        x = x + tf.constant(eps_step, dtype=ART_NUMPY_DTYPE) * perturbation
-
+        perturbation_step = tf.constant(eps_step, dtype=ART_NUMPY_DTYPE) * perturbation
+        perturbation_step = tf.where(tf.math.is_nan(perturbation_step), 0, perturbation_step)
+        x = x + perturbation_step
         if self.estimator.clip_values is not None:
             clip_min, clip_max = self.estimator.clip_values
-            x = tf.clip_by_value(x, clip_min, clip_max)
+            x = tf.clip_by_value(x, clip_value_min=clip_min, clip_value_max=clip_max)
 
         return x