├── .gitignore
├── README.md
├── common
    ├── cat.jpeg
    ├── example_6.trch
    ├── generate_5k.py
    ├── im+grad.png
    ├── labels.json
    └── train_mnist.py
├── images
    ├── imnet_fgsm.png
    ├── mnist_fgsm.png
    └── mnist_paper_1.png
├── method1-OptimizingNoise
    ├── attack.py
    ├── attack_mnist.py
    └── visualize_adv_examples.py
└── method2-FastGradientSignMethod
    ├── imnet-fast-gradient.py
    ├── mnist-fast-gradient.py
    ├── visualize_imnet.py
    └── visualize_mnist.py


/.gitignore:
--------------------------------------------------------------------------------
*.pkl
mnist/*
*.swp
common/mnist/*

# Byte-compiled / optimized / DLL files
__pycache__/
*.py[cod]
*$py.class

# C extensions
*.so

# Distribution / packaging
.Python
build/
develop-eggs/
dist/
downloads/
eggs/
.eggs/
lib/
lib64/
parts/
sdist/
var/
wheels/
*.egg-info/
.installed.cfg
*.egg
MANIFEST

# PyInstaller
# Usually these files are written by a python script from a template
# before PyInstaller builds the exe, so as to inject date/other infos into it.
*.manifest
*.spec

# Installer logs
pip-log.txt
pip-delete-this-directory.txt

# Unit test / coverage reports
htmlcov/
.tox/
.nox/
.coverage
.coverage.*
.cache
nosetests.xml
coverage.xml
*.cover
.hypothesis/
.pytest_cache/

# Translations
*.mo
*.pot

# Django stuff:
*.log
local_settings.py
db.sqlite3

# Flask stuff:
instance/
.webassets-cache

# Scrapy stuff:
.scrapy

# Sphinx documentation
docs/_build/

# PyBuilder
target/

# Jupyter Notebook
.ipynb_checkpoints

# IPython
profile_default/
ipython_config.py

# pyenv
.python-version

# celery beat schedule file
celerybeat-schedule

# SageMath parsed files
*.sage.py

# Environments
.env
.venv
env/
venv/
ENV/
env.bak/
venv.bak/

# Spyder project settings
.spyderproject
.spyproject

# Rope project settings
.ropeproject

# mkdocs documentation
/site

# mypy
.mypy_cache/
.dmypy.json
dmypy.json

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Adversarial Examples

Adversarial examples are inputs to machine learning models that an attacker has intentionally designed to cause the model to make a mistake; they’re like optical illusions for machines. However, they look almost identical to the original inputs when seen with the naked eye.

![](https://blog.openai.com/content/images/2017/02/adversarial_img_1.png)

Adversarial examples are an important aspect of AI research due to the security concerns regarding AI's widespread use in the real world. For example:
An adversarialized stop sign might appear like a merge symbol to a self-driving car, which compromises the safety of the vehicle.

This repository is an attempt to implement 2 common methods to produce adversarial examples. The directory structure is as follows.

```
.
+-- .gitignore --> do not track
+-- README.md --> This document.
+-- Method 1 - optimizing for noise --> Method based on [1]
|   +-- attack.py --> Class that performs the attack
|   +-- attack_mnist.py --> use attack.py on mnist dataset
|   +-- visualize_adv_examples.py --> vis the results
+-- Method 2 - Fast gradient sign method
|   +-- imnet-fast-gradient.py --> fgsm on VGG16 w/ images from ImageNet.
|   +-- mnist-fast-gradient.py --> fgsm on Mnist dataset
|   +-- visualize_imnet.py
|   +-- visualize_mnist.py
+-- common
|   +-- train_mnist.py --> train a simple nn on mnist and save to weights.pkl
|   +-- generate_5k.py --> extract 5k random mnist samples from the dataset.
|   +-- labels.json --> map ImageNet classes <--> # between 0-999
```

## Method 1 - Optimizing for noise

In the method presented in [1], the authors find that neural networks are not stable to small perturbations in input space. Specifically, it is possible to optimize for a small perturbation that causes an image to be misclassified while remaining visually similar to the original image.
In the paper, the authors use an L-BFGS optimizer to solve:

```
minimize ||r||_2, subject to
1. f(x+r) = l
2. x + r in [0,1]
where l = target class
      r = noise
      f = nn mapping images -> labels s.t f(x) -> k (correct class)
```

However, in this implementation I use an SGD optimizer to find "r". I do this by fixing the input "x" and the weights of the network, and minimizing the cross entropy loss between the network output and the target label "l".
I honor the 2nd constraint by clamping x+r to [0,1].
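A minimal sketch of the procedure just described, useful for checking how small a perturbation flips a classifier's decision. This is an added example, not the repository's `attack.py`: a constructed 3-class linear softmax model stands in for the trained MNIST network so the input gradient can be written by hand, plain gradient descent stands in for SGD, and `lam` is an assumed name for the weight of an optional L2 penalty on `r`.

```python
"""Targeted perturbation search in the style of Method 1, on a toy model.

Added illustration: the weights W, B and the input SAMPLE_X are constructed
for this example and do not come from the repository.
"""
import math

# Constructed toy model: logits = W x + B, 4 "pixels" in [0, 1], 3 classes.
W = [[2.0, -1.0, 0.0, 0.0],
     [-1.0, 2.0, 0.0, 0.0],
     [0.0, 0.0, 2.0, -1.0]]
B = [0.0, 0.0, 0.0]

# Constructed input that the toy model assigns to class 0.
SAMPLE_X = [0.9, 0.2, 0.02, 0.3]


def logits(x):
    return [sum(w * v for w, v in zip(row, x)) + b for row, b in zip(W, B)]


def softmax(z):
    m = max(z)  # subtract the max for numerical stability
    e = [math.exp(v - m) for v in z]
    s = sum(e)
    return [v / s for v in e]


def predict(x):
    z = logits(x)
    return z.index(max(z))


def clamp01(v):
    return min(1.0, max(0.0, v))


def targeted_noise(x, target, lr=0.05, lam=0.01, max_steps=200):
    """Gradient descent on r with x and the model weights held fixed.

    Minimizes cross_entropy(f(x + r), target) + (lam / 2) * ||r||_2^2.
    After every step x + r is clamped back into [0, 1] (constraint 2) and
    the search stops as soon as f(x + r) == target (constraint 1).
    Returns (x_adv, r, steps_used); steps_used is None if nothing was found.
    """
    r = [0.0] * len(x)
    for step in range(1, max_steps + 1):
        x_adv = [a + b for a, b in zip(x, r)]
        p = softmax(logits(x_adv))
        # d(cross entropy)/d(logits) = p - onehot(target)
        g_z = [p[k] - (1.0 if k == target else 0.0) for k in range(len(p))]
        # Chain rule through the linear layer: d(loss)/d(x) = W^T g_z
        g_x = [sum(W[k][i] * g_z[k] for k in range(len(W)))
               for i in range(len(x))]
        # Descent step on r, including the gradient of the L2 penalty.
        r = [ri - lr * (gi + lam * ri) for ri, gi in zip(r, g_x)]
        # Project x + r into the valid pixel range, then recompute r so it
        # always equals the perturbation that is really applied.
        x_adv = [clamp01(a + b) for a, b in zip(x, r)]
        r = [a - b for a, b in zip(x_adv, x)]
        if predict(x_adv) == target:
            return x_adv, r, step
    return [a + b for a, b in zip(x, r)], r, None


def noise_stats(r):
    """Mean, max, min and L2 norm of a perturbation."""
    return {
        "mean": sum(r) / len(r),
        "max": max(r),
        "min": min(r),
        "l2": math.sqrt(sum(v * v for v in r)),
    }


if __name__ == "__main__":
    x_adv, r, steps = targeted_noise(SAMPLE_X, target=1)
    print("original class:", predict(SAMPLE_X))
    print("class after perturbation:", predict(x_adv), "steps:", steps)
    print("noise stats:", noise_stats(r))
```

Setting `lam=0` gives the unregularized variant; the third pixel shows the clamp at work, since the unclamped update would push it below 0.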
I also try to keep the values of "r" to a minimum by imposing L2, L1, or no regularization.

The following table shows the min, max and mean perturbation for No/L1/L2 regularization.

|                   |  Mean  |   Max   |  Min   |
|:-----------------:|:------:|:-------:|:------:|
| No regularization | 0.0151 | 1.00202 | -0.999 |
| L1 regularization | 0.0155 | 1.00323 | -1.000 |
| L2 regularization | 0.0150 | 1.00285 | -1.002 |

![](images/mnist_paper_1.png)

## Method 2 - Fast gradient sign method

In [2], the authors propose an easier method to generate adversarial examples, known as the fast gradient sign method (FGSM). This method makes use of the idea that deep models behave in a linear manner and that a large number of small variations in a high dimensional input space can cause a significant change in the output of the model. According to the paper, an adversarial example can be generated by:

```
x_adversarial = x + eta * sign( dL/dx )
where
    eta = scale of perturbation
    dL/dx = gradient of loss function w.r.t. input
    sign = signum function
```

Mean, Max, Min noise: 0.0373817, 0.1, -0.1

![](images/mnist_fgsm.png)
![](images/imnet_fgsm.png)

## How to run
```
# Download and generate 5k mnist samples
cd common/
python generate_5k.py # creates 5k_samples.pkl

# Train NN on mnist
python train_mnist.py # creates weights.pkl

# Method 1
cd ../method1-OptimizingNoise/
python attack_mnist.py # generates bulk...pkl file
python visualize_adv_examples.py bulk...pkl # visualize adv examples on a grid

# Method 2
cd ../method2-FastGradientSignMethod/
python mnist-fast-gradient.py # runs on 5k images and creates bulk_mnist_fgsd.pkl
python visualize_mnist.py bulk_mnist_fgsd.pkl # visualize on a grid

```

## Some observations
1. FGSM is faster to compute than Method 1.
2. In FGSM, the noise is spread across the entirety of the image instead of being localized. FGSM hence gives noticeably 'cleaner' images.
3. The minimum epsilon required to change the classification of an image varies for each sample. Hence, to get the minimum possible perturbation required for misclassification, one can run a bilinear search.
4. In Method 1, it is possible to control the target class; in FGSM, however, it is not possible to do so.



## References

[1] Intriguing properties of neural networks. Szegedy et al. (ICLR 2014). [paper](https://arxiv.org/abs/1312.6199)

[2] Explaining and Harnessing Adversarial Examples. IJ Goodfellow et al. (ICLR 2015). [paper](https://arxiv.org/abs/1412.6572)

--------------------------------------------------------------------------------
/common/cat.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/akshaychawla/Adversarial-Examples-in-PyTorch/e9e4e1052c5a1147f0885b6f6248645167283dd3/common/cat.jpeg

--------------------------------------------------------------------------------
/common/example_6.trch:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/akshaychawla/Adversarial-Examples-in-PyTorch/e9e4e1052c5a1147f0885b6f6248645167283dd3/common/example_6.trch

--------------------------------------------------------------------------------
/common/generate_5k.py:
--------------------------------------------------------------------------------
import pickle

import torchvision
import torch
from torch.autograd import Variable
from torchvision import transforms
import torch.nn as nn
import torch.nn.functional as F
import numpy as np

def flat_trans(x):
    # Flatten a 1x28x28 MNIST tensor into a 784-element vector (in place).
    x.resize_(28*28)
    return x

if __name__ == '__main__':
    mnist_transform = transforms.Compose(
        [transforms.ToTensor(), transforms.Lambda(flat_trans)]
    )
    testdata = torchvision.datasets.MNIST(root="./mnist", train=False, download=True, transform=mnist_transform)
    testloader = torch.utils.data.DataLoader(testdata, batch_size=100, shuffle=True, num_workers=1)

    # Collect 50 shuffled batches of 100 test images: 5k random samples.
    images, labels = [], []
    for idx, data in enumerate(testloader):

        x_lots, y_lots = data
        for x,y in zip(x_lots, y_lots):
            images.append(x.numpy())
            labels.append(y)

        if idx==49:
            break

    # import ipdb; ipdb.set_trace()
    # Save the samples for the attack scripts.
    with open("5k_samples.pkl", "wb") as f:
        data_dict = { "images":images, "labels": labels}
        pickle.dump(data_dict, f)


--------------------------------------------------------------------------------
/common/im+grad.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/akshaychawla/Adversarial-Examples-in-PyTorch/e9e4e1052c5a1147f0885b6f6248645167283dd3/common/im+grad.png

--------------------------------------------------------------------------------
/common/labels.json:
--------------------------------------------------------------------------------
{"0": "tench, Tinca tinca", "1": "goldfish, Carassius auratus", "2": "great white shark, white shark, man-eater, man-eating shark, Carcharodon carcharias", "3": "tiger shark, Galeocerdo cuvieri", "4": "hammerhead, hammerhead shark", "5": "electric ray, crampfish, numbfish, torpedo", "6": "stingray", "7": "cock", "8": "hen", "9": "ostrich, Struthio camelus", "10": "brambling, Fringilla montifringilla", "11": "goldfinch, Carduelis carduelis", "12": "house finch, linnet, Carpodacus mexicanus", "13": "junco, snowbird", "14": "indigo bunting, indigo finch, indigo bird, Passerina cyanea", "15": "robin, American robin, Turdus migratorius", "16": "bulbul", "17": "jay", "18": "magpie", "19": "chickadee", "20": "water ouzel, dipper", "21": "kite", "22":
"bald eagle, American eagle, Haliaeetus leucocephalus", "23": "vulture", "24": "great grey owl, great gray owl, Strix nebulosa", "25": "European fire salamander, Salamandra salamandra", "26": "common newt, Triturus vulgaris", "27": "eft", "28": "spotted salamander, Ambystoma maculatum", "29": "axolotl, mud puppy, Ambystoma mexicanum", "30": "bullfrog, Rana catesbeiana", "31": "tree frog, tree-frog", "32": "tailed frog, bell toad, ribbed toad, tailed toad, Ascaphus trui", "33": "loggerhead, loggerhead turtle, Caretta caretta", "34": "leatherback turtle, leatherback, leathery turtle, Dermochelys coriacea", "35": "mud turtle", "36": "terrapin", "37": "box turtle, box tortoise", "38": "banded gecko", "39": "common iguana, iguana, Iguana iguana", "40": "American chameleon, anole, Anolis carolinensis", "41": "whiptail, whiptail lizard", "42": "agama", "43": "frilled lizard, Chlamydosaurus kingi", "44": "alligator lizard", "45": "Gila monster, Heloderma suspectum", "46": "green lizard, Lacerta viridis", "47": "African chameleon, Chamaeleo chamaeleon", "48": "Komodo dragon, Komodo lizard, dragon lizard, giant lizard, Varanus komodoensis", "49": "African crocodile, Nile crocodile, Crocodylus niloticus", "50": "American alligator, Alligator mississipiensis", "51": "triceratops", "52": "thunder snake, worm snake, Carphophis amoenus", "53": "ringneck snake, ring-necked snake, ring snake", "54": "hognose snake, puff adder, sand viper", "55": "green snake, grass snake", "56": "king snake, kingsnake", "57": "garter snake, grass snake", "58": "water snake", "59": "vine snake", "60": "night snake, Hypsiglena torquata", "61": "boa constrictor, Constrictor constrictor", "62": "rock python, rock snake, Python sebae", "63": "Indian cobra, Naja naja", "64": "green mamba", "65": "sea snake", "66": "horned viper, cerastes, sand viper, horned asp, Cerastes cornutus", "67": "diamondback, diamondback rattlesnake, Crotalus adamanteus", "68": "sidewinder, horned rattlesnake, Crotalus 
cerastes", "69": "trilobite", "70": "harvestman, daddy longlegs, Phalangium opilio", "71": "scorpion", "72": "black and gold garden spider, Argiope aurantia", "73": "barn spider, Araneus cavaticus", "74": "garden spider, Aranea diademata", "75": "black widow, Latrodectus mactans", "76": "tarantula", "77": "wolf spider, hunting spider", "78": "tick", "79": "centipede", "80": "black grouse", "81": "ptarmigan", "82": "ruffed grouse, partridge, Bonasa umbellus", "83": "prairie chicken, prairie grouse, prairie fowl", "84": "peacock", "85": "quail", "86": "partridge", "87": "African grey, African gray, Psittacus erithacus", "88": "macaw", "89": "sulphur-crested cockatoo, Kakatoe galerita, Cacatua galerita", "90": "lorikeet", "91": "coucal", "92": "bee eater", "93": "hornbill", "94": "hummingbird", "95": "jacamar", "96": "toucan", "97": "drake", "98": "red-breasted merganser, Mergus serrator", "99": "goose", "100": "black swan, Cygnus atratus", "101": "tusker", "102": "echidna, spiny anteater, anteater", "103": "platypus, duckbill, duckbilled platypus, duck-billed platypus, Ornithorhynchus anatinus", "104": "wallaby, brush kangaroo", "105": "koala, koala bear, kangaroo bear, native bear, Phascolarctos cinereus", "106": "wombat", "107": "jellyfish", "108": "sea anemone, anemone", "109": "brain coral", "110": "flatworm, platyhelminth", "111": "nematode, nematode worm, roundworm", "112": "conch", "113": "snail", "114": "slug", "115": "sea slug, nudibranch", "116": "chiton, coat-of-mail shell, sea cradle, polyplacophore", "117": "chambered nautilus, pearly nautilus, nautilus", "118": "Dungeness crab, Cancer magister", "119": "rock crab, Cancer irroratus", "120": "fiddler crab", "121": "king crab, Alaska crab, Alaskan king crab, Alaska king crab, Paralithodes camtschatica", "122": "American lobster, Northern lobster, Maine lobster, Homarus americanus", "123": "spiny lobster, langouste, rock lobster, crawfish, crayfish, sea crawfish", "124": "crayfish, crawfish, crawdad, 
crawdaddy", "125": "hermit crab", "126": "isopod", "127": "white stork, Ciconia ciconia", "128": "black stork, Ciconia nigra", "129": "spoonbill", "130": "flamingo", "131": "little blue heron, Egretta caerulea", "132": "American egret, great white heron, Egretta albus", "133": "bittern", "134": "crane", "135": "limpkin, Aramus pictus", "136": "European gallinule, Porphyrio porphyrio", "137": "American coot, marsh hen, mud hen, water hen, Fulica americana", "138": "bustard", "139": "ruddy turnstone, Arenaria interpres", "140": "red-backed sandpiper, dunlin, Erolia alpina", "141": "redshank, Tringa totanus", "142": "dowitcher", "143": "oystercatcher, oyster catcher", "144": "pelican", "145": "king penguin, Aptenodytes patagonica", "146": "albatross, mollymawk", "147": "grey whale, gray whale, devilfish, Eschrichtius gibbosus, Eschrichtius robustus", "148": "killer whale, killer, orca, grampus, sea wolf, Orcinus orca", "149": "dugong, Dugong dugon", "150": "sea lion", "151": "Chihuahua", "152": "Japanese spaniel", "153": "Maltese dog, Maltese terrier, Maltese", "154": "Pekinese, Pekingese, Peke", "155": "Shih-Tzu", "156": "Blenheim spaniel", "157": "papillon", "158": "toy terrier", "159": "Rhodesian ridgeback", "160": "Afghan hound, Afghan", "161": "basset, basset hound", "162": "beagle", "163": "bloodhound, sleuthhound", "164": "bluetick", "165": "black-and-tan coonhound", "166": "Walker hound, Walker foxhound", "167": "English foxhound", "168": "redbone", "169": "borzoi, Russian wolfhound", "170": "Irish wolfhound", "171": "Italian greyhound", "172": "whippet", "173": "Ibizan hound, Ibizan Podenco", "174": "Norwegian elkhound, elkhound", "175": "otterhound, otter hound", "176": "Saluki, gazelle hound", "177": "Scottish deerhound, deerhound", "178": "Weimaraner", "179": "Staffordshire bullterrier, Staffordshire bull terrier", "180": "American Staffordshire terrier, Staffordshire terrier, American pit bull terrier, pit bull terrier", "181": "Bedlington terrier", 
"182": "Border terrier", "183": "Kerry blue terrier", "184": "Irish terrier", "185": "Norfolk terrier", "186": "Norwich terrier", "187": "Yorkshire terrier", "188": "wire-haired fox terrier", "189": "Lakeland terrier", "190": "Sealyham terrier, Sealyham", "191": "Airedale, Airedale terrier", "192": "cairn, cairn terrier", "193": "Australian terrier", "194": "Dandie Dinmont, Dandie Dinmont terrier", "195": "Boston bull, Boston terrier", "196": "miniature schnauzer", "197": "giant schnauzer", "198": "standard schnauzer", "199": "Scotch terrier, Scottish terrier, Scottie", "200": "Tibetan terrier, chrysanthemum dog", "201": "silky terrier, Sydney silky", "202": "soft-coated wheaten terrier", "203": "West Highland white terrier", "204": "Lhasa, Lhasa apso", "205": "flat-coated retriever", "206": "curly-coated retriever", "207": "golden retriever", "208": "Labrador retriever", "209": "Chesapeake Bay retriever", "210": "German short-haired pointer", "211": "vizsla, Hungarian pointer", "212": "English setter", "213": "Irish setter, red setter", "214": "Gordon setter", "215": "Brittany spaniel", "216": "clumber, clumber spaniel", "217": "English springer, English springer spaniel", "218": "Welsh springer spaniel", "219": "cocker spaniel, English cocker spaniel, cocker", "220": "Sussex spaniel", "221": "Irish water spaniel", "222": "kuvasz", "223": "schipperke", "224": "groenendael", "225": "malinois", "226": "briard", "227": "kelpie", "228": "komondor", "229": "Old English sheepdog, bobtail", "230": "Shetland sheepdog, Shetland sheep dog, Shetland", "231": "collie", "232": "Border collie", "233": "Bouvier des Flandres, Bouviers des Flandres", "234": "Rottweiler", "235": "German shepherd, German shepherd dog, German police dog, alsatian", "236": "Doberman, Doberman pinscher", "237": "miniature pinscher", "238": "Greater Swiss Mountain dog", "239": "Bernese mountain dog", "240": "Appenzeller", "241": "EntleBucher", "242": "boxer", "243": "bull mastiff", "244": "Tibetan 
mastiff", "245": "French bulldog", "246": "Great Dane", "247": "Saint Bernard, St Bernard", "248": "Eskimo dog, husky", "249": "malamute, malemute, Alaskan malamute", "250": "Siberian husky", "251": "dalmatian, coach dog, carriage dog", "252": "affenpinscher, monkey pinscher, monkey dog", "253": "basenji", "254": "pug, pug-dog", "255": "Leonberg", "256": "Newfoundland, Newfoundland dog", "257": "Great Pyrenees", "258": "Samoyed, Samoyede", "259": "Pomeranian", "260": "chow, chow chow", "261": "keeshond", "262": "Brabancon griffon", "263": "Pembroke, Pembroke Welsh corgi", "264": "Cardigan, Cardigan Welsh corgi", "265": "toy poodle", "266": "miniature poodle", "267": "standard poodle", "268": "Mexican hairless", "269": "timber wolf, grey wolf, gray wolf, Canis lupus", "270": "white wolf, Arctic wolf, Canis lupus tundrarum", "271": "red wolf, maned wolf, Canis rufus, Canis niger", "272": "coyote, prairie wolf, brush wolf, Canis latrans", "273": "dingo, warrigal, warragal, Canis dingo", "274": "dhole, Cuon alpinus", "275": "African hunting dog, hyena dog, Cape hunting dog, Lycaon pictus", "276": "hyena, hyaena", "277": "red fox, Vulpes vulpes", "278": "kit fox, Vulpes macrotis", "279": "Arctic fox, white fox, Alopex lagopus", "280": "grey fox, gray fox, Urocyon cinereoargenteus", "281": "tabby, tabby cat", "282": "tiger cat", "283": "Persian cat", "284": "Siamese cat, Siamese", "285": "Egyptian cat", "286": "cougar, puma, catamount, mountain lion, painter, panther, Felis concolor", "287": "lynx, catamount", "288": "leopard, Panthera pardus", "289": "snow leopard, ounce, Panthera uncia", "290": "jaguar, panther, Panthera onca, Felis onca", "291": "lion, king of beasts, Panthera leo", "292": "tiger, Panthera tigris", "293": "cheetah, chetah, Acinonyx jubatus", "294": "brown bear, bruin, Ursus arctos", "295": "American black bear, black bear, Ursus americanus, Euarctos americanus", "296": "ice bear, polar bear, Ursus Maritimus, Thalarctos maritimus", "297": "sloth bear, 
Melursus ursinus, Ursus ursinus", "298": "mongoose", "299": "meerkat, mierkat", "300": "tiger beetle", "301": "ladybug, ladybeetle, lady beetle, ladybird, ladybird beetle", "302": "ground beetle, carabid beetle", "303": "long-horned beetle, longicorn, longicorn beetle", "304": "leaf beetle, chrysomelid", "305": "dung beetle", "306": "rhinoceros beetle", "307": "weevil", "308": "fly", "309": "bee", "310": "ant, emmet, pismire", "311": "grasshopper, hopper", "312": "cricket", "313": "walking stick, walkingstick, stick insect", "314": "cockroach, roach", "315": "mantis, mantid", "316": "cicada, cicala", "317": "leafhopper", "318": "lacewing, lacewing fly", "319": "dragonfly, darning needle, devil's darning needle, sewing needle, snake feeder, snake doctor, mosquito hawk, skeeter hawk", "320": "damselfly", "321": "admiral", "322": "ringlet, ringlet butterfly", "323": "monarch, monarch butterfly, milkweed butterfly, Danaus plexippus", "324": "cabbage butterfly", "325": "sulphur butterfly, sulfur butterfly", "326": "lycaenid, lycaenid butterfly", "327": "starfish, sea star", "328": "sea urchin", "329": "sea cucumber, holothurian", "330": "wood rabbit, cottontail, cottontail rabbit", "331": "hare", "332": "Angora, Angora rabbit", "333": "hamster", "334": "porcupine, hedgehog", "335": "fox squirrel, eastern fox squirrel, Sciurus niger", "336": "marmot", "337": "beaver", "338": "guinea pig, Cavia cobaya", "339": "sorrel", "340": "zebra", "341": "hog, pig, grunter, squealer, Sus scrofa", "342": "wild boar, boar, Sus scrofa", "343": "warthog", "344": "hippopotamus, hippo, river horse, Hippopotamus amphibius", "345": "ox", "346": "water buffalo, water ox, Asiatic buffalo, Bubalus bubalis", "347": "bison", "348": "ram, tup", "349": "bighorn, bighorn sheep, cimarron, Rocky Mountain bighorn, Rocky Mountain sheep, Ovis canadensis", "350": "ibex, Capra ibex", "351": "hartebeest", "352": "impala, Aepyceros melampus", "353": "gazelle", "354": "Arabian camel, dromedary, Camelus 
dromedarius", "355": "llama", "356": "weasel", "357": "mink", "358": "polecat, fitch, foulmart, foumart, Mustela putorius", "359": "black-footed ferret, ferret, Mustela nigripes", "360": "otter", "361": "skunk, polecat, wood pussy", "362": "badger", "363": "armadillo", "364": "three-toed sloth, ai, Bradypus tridactylus", "365": "orangutan, orang, orangutang, Pongo pygmaeus", "366": "gorilla, Gorilla gorilla", "367": "chimpanzee, chimp, Pan troglodytes", "368": "gibbon, Hylobates lar", "369": "siamang, Hylobates syndactylus, Symphalangus syndactylus", "370": "guenon, guenon monkey", "371": "patas, hussar monkey, Erythrocebus patas", "372": "baboon", "373": "macaque", "374": "langur", "375": "colobus, colobus monkey", "376": "proboscis monkey, Nasalis larvatus", "377": "marmoset", "378": "capuchin, ringtail, Cebus capucinus", "379": "howler monkey, howler", "380": "titi, titi monkey", "381": "spider monkey, Ateles geoffroyi", "382": "squirrel monkey, Saimiri sciureus", "383": "Madagascar cat, ring-tailed lemur, Lemur catta", "384": "indri, indris, Indri indri, Indri brevicaudatus", "385": "Indian elephant, Elephas maximus", "386": "African elephant, Loxodonta africana", "387": "lesser panda, red panda, panda, bear cat, cat bear, Ailurus fulgens", "388": "giant panda, panda, panda bear, coon bear, Ailuropoda melanoleuca", "389": "barracouta, snoek", "390": "eel", "391": "coho, cohoe, coho salmon, blue jack, silver salmon, Oncorhynchus kisutch", "392": "rock beauty, Holocanthus tricolor", "393": "anemone fish", "394": "sturgeon", "395": "gar, garfish, garpike, billfish, Lepisosteus osseus", "396": "lionfish", "397": "puffer, pufferfish, blowfish, globefish", "398": "abacus", "399": "abaya", "400": "academic gown, academic robe, judge's robe", "401": "accordion, piano accordion, squeeze box", "402": "acoustic guitar", "403": "aircraft carrier, carrier, flattop, attack aircraft carrier", "404": "airliner", "405": "airship, dirigible", "406": "altar", "407": "ambulance", 
"408": "amphibian, amphibious vehicle", "409": "analog clock", "410": "apiary, bee house", "411": "apron", "412": "ashcan, trash can, garbage can, wastebin, ash bin, ash-bin, ashbin, dustbin, trash barrel, trash bin", "413": "assault rifle, assault gun", "414": "backpack, back pack, knapsack, packsack, rucksack, haversack", "415": "bakery, bakeshop, bakehouse", "416": "balance beam, beam", "417": "balloon", "418": "ballpoint, ballpoint pen, ballpen, Biro", "419": "Band Aid", "420": "banjo", "421": "bannister, banister, balustrade, balusters, handrail", "422": "barbell", "423": "barber chair", "424": "barbershop", "425": "barn", "426": "barometer", "427": "barrel, cask", "428": "barrow, garden cart, lawn cart, wheelbarrow", "429": "baseball", "430": "basketball", "431": "bassinet", "432": "bassoon", "433": "bathing cap, swimming cap", "434": "bath towel", "435": "bathtub, bathing tub, bath, tub", "436": "beach wagon, station wagon, wagon, estate car, beach waggon, station waggon, waggon", "437": "beacon, lighthouse, beacon light, pharos", "438": "beaker", "439": "bearskin, busby, shako", "440": "beer bottle", "441": "beer glass", "442": "bell cote, bell cot", "443": "bib", "444": "bicycle-built-for-two, tandem bicycle, tandem", "445": "bikini, two-piece", "446": "binder, ring-binder", "447": "binoculars, field glasses, opera glasses", "448": "birdhouse", "449": "boathouse", "450": "bobsled, bobsleigh, bob", "451": "bolo tie, bolo, bola tie, bola", "452": "bonnet, poke bonnet", "453": "bookcase", "454": "bookshop, bookstore, bookstall", "455": "bottlecap", "456": "bow", "457": "bow tie, bow-tie, bowtie", "458": "brass, memorial tablet, plaque", "459": "brassiere, bra, bandeau", "460": "breakwater, groin, groyne, mole, bulwark, seawall, jetty", "461": "breastplate, aegis, egis", "462": "broom", "463": "bucket, pail", "464": "buckle", "465": "bulletproof vest", "466": "bullet train, bullet", "467": "butcher shop, meat market", "468": "cab, hack, taxi, taxicab", "469": 
"caldron, cauldron", "470": "candle, taper, wax light", "471": "cannon", "472": "canoe", "473": "can opener, tin opener", "474": "cardigan", "475": "car mirror", "476": "carousel, carrousel, merry-go-round, roundabout, whirligig", "477": "carpenter's kit, tool kit", "478": "carton", "479": "car wheel", "480": "cash machine, cash dispenser, automated teller machine, automatic teller machine, automated teller, automatic teller, ATM", "481": "cassette", "482": "cassette player", "483": "castle", "484": "catamaran", "485": "CD player", "486": "cello, violoncello", "487": "cellular telephone, cellular phone, cellphone, cell, mobile phone", "488": "chain", "489": "chainlink fence", "490": "chain mail, ring mail, mail, chain armor, chain armour, ring armor, ring armour", "491": "chain saw, chainsaw", "492": "chest", "493": "chiffonier, commode", "494": "chime, bell, gong", "495": "china cabinet, china closet", "496": "Christmas stocking", "497": "church, church building", "498": "cinema, movie theater, movie theatre, movie house, picture palace", "499": "cleaver, meat cleaver, chopper", "500": "cliff dwelling", "501": "cloak", "502": "clog, geta, patten, sabot", "503": "cocktail shaker", "504": "coffee mug", "505": "coffeepot", "506": "coil, spiral, volute, whorl, helix", "507": "combination lock", "508": "computer keyboard, keypad", "509": "confectionery, confectionary, candy store", "510": "container ship, containership, container vessel", "511": "convertible", "512": "corkscrew, bottle screw", "513": "cornet, horn, trumpet, trump", "514": "cowboy boot", "515": "cowboy hat, ten-gallon hat", "516": "cradle", "517": "crane", "518": "crash helmet", "519": "crate", "520": "crib, cot", "521": "Crock Pot", "522": "croquet ball", "523": "crutch", "524": "cuirass", "525": "dam, dike, dyke", "526": "desk", "527": "desktop computer", "528": "dial telephone, dial phone", "529": "diaper, nappy, napkin", "530": "digital clock", "531": "digital watch", "532": "dining table, board", 
"533": "dishrag, dishcloth", "534": "dishwasher, dish washer, dishwashing machine", "535": "disk brake, disc brake", "536": "dock, dockage, docking facility", "537": "dogsled, dog sled, dog sleigh", "538": "dome", "539": "doormat, welcome mat", "540": "drilling platform, offshore rig", "541": "drum, membranophone, tympan", "542": "drumstick", "543": "dumbbell", "544": "Dutch oven", "545": "electric fan, blower", "546": "electric guitar", "547": "electric locomotive", "548": "entertainment center", "549": "envelope", "550": "espresso maker", "551": "face powder", "552": "feather boa, boa", "553": "file, file cabinet, filing cabinet", "554": "fireboat", "555": "fire engine, fire truck", "556": "fire screen, fireguard", "557": "flagpole, flagstaff", "558": "flute, transverse flute", "559": "folding chair", "560": "football helmet", "561": "forklift", "562": "fountain", "563": "fountain pen", "564": "four-poster", "565": "freight car", "566": "French horn, horn", "567": "frying pan, frypan, skillet", "568": "fur coat", "569": "garbage truck, dustcart", "570": "gasmask, respirator, gas helmet", "571": "gas pump, gasoline pump, petrol pump, island dispenser", "572": "goblet", "573": "go-kart", "574": "golf ball", "575": "golfcart, golf cart", "576": "gondola", "577": "gong, tam-tam", "578": "gown", "579": "grand piano, grand", "580": "greenhouse, nursery, glasshouse", "581": "grille, radiator grille", "582": "grocery store, grocery, food market, market", "583": "guillotine", "584": "hair slide", "585": "hair spray", "586": "half track", "587": "hammer", "588": "hamper", "589": "hand blower, blow dryer, blow drier, hair dryer, hair drier", "590": "hand-held computer, hand-held microcomputer", "591": "handkerchief, hankie, hanky, hankey", "592": "hard disc, hard disk, fixed disk", "593": "harmonica, mouth organ, harp, mouth harp", "594": "harp", "595": "harvester, reaper", "596": "hatchet", "597": "holster", "598": "home theater, home theatre", "599": "honeycomb", "600": 
"hook, claw", "601": "hoopskirt, crinoline", "602": "horizontal bar, high bar", "603": "horse cart, horse-cart", "604": "hourglass", "605": "iPod", "606": "iron, smoothing iron", "607": "jack-o'-lantern", "608": "jean, blue jean, denim", "609": "jeep, landrover", "610": "jersey, T-shirt, tee shirt", "611": "jigsaw puzzle", "612": "jinrikisha, ricksha, rickshaw", "613": "joystick", "614": "kimono", "615": "knee pad", "616": "knot", "617": "lab coat, laboratory coat", "618": "ladle", "619": "lampshade, lamp shade", "620": "laptop, laptop computer", "621": "lawn mower, mower", "622": "lens cap, lens cover", "623": "letter opener, paper knife, paperknife", "624": "library", "625": "lifeboat", "626": "lighter, light, igniter, ignitor", "627": "limousine, limo", "628": "liner, ocean liner", "629": "lipstick, lip rouge", "630": "Loafer", "631": "lotion", "632": "loudspeaker, speaker, speaker unit, loudspeaker system, speaker system", "633": "loupe, jeweler's loupe", "634": "lumbermill, sawmill", "635": "magnetic compass", "636": "mailbag, postbag", "637": "mailbox, letter box", "638": "maillot", "639": "maillot, tank suit", "640": "manhole cover", "641": "maraca", "642": "marimba, xylophone", "643": "mask", "644": "matchstick", "645": "maypole", "646": "maze, labyrinth", "647": "measuring cup", "648": "medicine chest, medicine cabinet", "649": "megalith, megalithic structure", "650": "microphone, mike", "651": "microwave, microwave oven", "652": "military uniform", "653": "milk can", "654": "minibus", "655": "miniskirt, mini", "656": "minivan", "657": "missile", "658": "mitten", "659": "mixing bowl", "660": "mobile home, manufactured home", "661": "Model T", "662": "modem", "663": "monastery", "664": "monitor", "665": "moped", "666": "mortar", "667": "mortarboard", "668": "mosque", "669": "mosquito net", "670": "motor scooter, scooter", "671": "mountain bike, all-terrain bike, off-roader", "672": "mountain tent", "673": "mouse, computer mouse", "674": "mousetrap", "675": 
"moving van", "676": "muzzle", "677": "nail", "678": "neck brace", "679": "necklace", "680": "nipple", "681": "notebook, notebook computer", "682": "obelisk", "683": "oboe, hautboy, hautbois", "684": "ocarina, sweet potato", "685": "odometer, hodometer, mileometer, milometer", "686": "oil filter", "687": "organ, pipe organ", "688": "oscilloscope, scope, cathode-ray oscilloscope, CRO", "689": "overskirt", "690": "oxcart", "691": "oxygen mask", "692": "packet", "693": "paddle, boat paddle", "694": "paddlewheel, paddle wheel", "695": "padlock", "696": "paintbrush", "697": "pajama, pyjama, pj's, jammies", "698": "palace", "699": "panpipe, pandean pipe, syrinx", "700": "paper towel", "701": "parachute, chute", "702": "parallel bars, bars", "703": "park bench", "704": "parking meter", "705": "passenger car, coach, carriage", "706": "patio, terrace", "707": "pay-phone, pay-station", "708": "pedestal, plinth, footstall", "709": "pencil box, pencil case", "710": "pencil sharpener", "711": "perfume, essence", "712": "Petri dish", "713": "photocopier", "714": "pick, plectrum, plectron", "715": "pickelhaube", "716": "picket fence, paling", "717": "pickup, pickup truck", "718": "pier", "719": "piggy bank, penny bank", "720": "pill bottle", "721": "pillow", "722": "ping-pong ball", "723": "pinwheel", "724": "pirate, pirate ship", "725": "pitcher, ewer", "726": "plane, carpenter's plane, woodworking plane", "727": "planetarium", "728": "plastic bag", "729": "plate rack", "730": "plow, plough", "731": "plunger, plumber's helper", "732": "Polaroid camera, Polaroid Land camera", "733": "pole", "734": "police van, police wagon, paddy wagon, patrol wagon, wagon, black Maria", "735": "poncho", "736": "pool table, billiard table, snooker table", "737": "pop bottle, soda bottle", "738": "pot, flowerpot", "739": "potter's wheel", "740": "power drill", "741": "prayer rug, prayer mat", "742": "printer", "743": "prison, prison house", "744": "projectile, missile", "745": "projector", "746": 
"puck, hockey puck", "747": "punching bag, punch bag, punching ball, punchball", "748": "purse", "749": "quill, quill pen", "750": "quilt, comforter, comfort, puff", "751": "racer, race car, racing car", "752": "racket, racquet", "753": "radiator", "754": "radio, wireless", "755": "radio telescope, radio reflector", "756": "rain barrel", "757": "recreational vehicle, RV, R.V.", "758": "reel", "759": "reflex camera", "760": "refrigerator, icebox", "761": "remote control, remote", "762": "restaurant, eating house, eating place, eatery", "763": "revolver, six-gun, six-shooter", "764": "rifle", "765": "rocking chair, rocker", "766": "rotisserie", "767": "rubber eraser, rubber, pencil eraser", "768": "rugby ball", "769": "rule, ruler", "770": "running shoe", "771": "safe", "772": "safety pin", "773": "saltshaker, salt shaker", "774": "sandal", "775": "sarong", "776": "sax, saxophone", "777": "scabbard", "778": "scale, weighing machine", "779": "school bus", "780": "schooner", "781": "scoreboard", "782": "screen, CRT screen", "783": "screw", "784": "screwdriver", "785": "seat belt, seatbelt", "786": "sewing machine", "787": "shield, buckler", "788": "shoe shop, shoe-shop, shoe store", "789": "shoji", "790": "shopping basket", "791": "shopping cart", "792": "shovel", "793": "shower cap", "794": "shower curtain", "795": "ski", "796": "ski mask", "797": "sleeping bag", "798": "slide rule, slipstick", "799": "sliding door", "800": "slot, one-armed bandit", "801": "snorkel", "802": "snowmobile", "803": "snowplow, snowplough", "804": "soap dispenser", "805": "soccer ball", "806": "sock", "807": "solar dish, solar collector, solar furnace", "808": "sombrero", "809": "soup bowl", "810": "space bar", "811": "space heater", "812": "space shuttle", "813": "spatula", "814": "speedboat", "815": "spider web, spider's web", "816": "spindle", "817": "sports car, sport car", "818": "spotlight, spot", "819": "stage", "820": "steam locomotive", "821": "steel arch bridge", "822": "steel 
drum", "823": "stethoscope", "824": "stole", "825": "stone wall", "826": "stopwatch, stop watch", "827": "stove", "828": "strainer", "829": "streetcar, tram, tramcar, trolley, trolley car", "830": "stretcher", "831": "studio couch, day bed", "832": "stupa, tope", "833": "submarine, pigboat, sub, U-boat", "834": "suit, suit of clothes", "835": "sundial", "836": "sunglass", "837": "sunglasses, dark glasses, shades", "838": "sunscreen, sunblock, sun blocker", "839": "suspension bridge", "840": "swab, swob, mop", "841": "sweatshirt", "842": "swimming trunks, bathing trunks", "843": "swing", "844": "switch, electric switch, electrical switch", "845": "syringe", "846": "table lamp", "847": "tank, army tank, armored combat vehicle, armoured combat vehicle", "848": "tape player", "849": "teapot", "850": "teddy, teddy bear", "851": "television, television system", "852": "tennis ball", "853": "thatch, thatched roof", "854": "theater curtain, theatre curtain", "855": "thimble", "856": "thresher, thrasher, threshing machine", "857": "throne", "858": "tile roof", "859": "toaster", "860": "tobacco shop, tobacconist shop, tobacconist", "861": "toilet seat", "862": "torch", "863": "totem pole", "864": "tow truck, tow car, wrecker", "865": "toyshop", "866": "tractor", "867": "trailer truck, tractor trailer, trucking rig, rig, articulated lorry, semi", "868": "tray", "869": "trench coat", "870": "tricycle, trike, velocipede", "871": "trimaran", "872": "tripod", "873": "triumphal arch", "874": "trolleybus, trolley coach, trackless trolley", "875": "trombone", "876": "tub, vat", "877": "turnstile", "878": "typewriter keyboard", "879": "umbrella", "880": "unicycle, monocycle", "881": "upright, upright piano", "882": "vacuum, vacuum cleaner", "883": "vase", "884": "vault", "885": "velvet", "886": "vending machine", "887": "vestment", "888": "viaduct", "889": "violin, fiddle", "890": "volleyball", "891": "waffle iron", "892": "wall clock", "893": "wallet, billfold, notecase, 
pocketbook", "894": "wardrobe, closet, press", "895": "warplane, military plane", "896": "washbasin, handbasin, washbowl, lavabo, wash-hand basin", "897": "washer, automatic washer, washing machine", "898": "water bottle", "899": "water jug", "900": "water tower", "901": "whiskey jug", "902": "whistle", "903": "wig", "904": "window screen", "905": "window shade", "906": "Windsor tie", "907": "wine bottle", "908": "wing", "909": "wok", "910": "wooden spoon", "911": "wool, woolen, woollen", "912": "worm fence, snake fence, snake-rail fence, Virginia fence", "913": "wreck", "914": "yawl", "915": "yurt", "916": "web site, website, internet site, site", "917": "comic book", "918": "crossword puzzle, crossword", "919": "street sign", "920": "traffic light, traffic signal, stoplight", "921": "book jacket, dust cover, dust jacket, dust wrapper", "922": "menu", "923": "plate", "924": "guacamole", "925": "consomme", "926": "hot pot, hotpot", "927": "trifle", "928": "ice cream, icecream", "929": "ice lolly, lolly, lollipop, popsicle", "930": "French loaf", "931": "bagel, beigel", "932": "pretzel", "933": "cheeseburger", "934": "hotdog, hot dog, red hot", "935": "mashed potato", "936": "head cabbage", "937": "broccoli", "938": "cauliflower", "939": "zucchini, courgette", "940": "spaghetti squash", "941": "acorn squash", "942": "butternut squash", "943": "cucumber, cuke", "944": "artichoke, globe artichoke", "945": "bell pepper", "946": "cardoon", "947": "mushroom", "948": "Granny Smith", "949": "strawberry", "950": "orange", "951": "lemon", "952": "fig", "953": "pineapple, ananas", "954": "banana", "955": "jackfruit, jak, jack", "956": "custard apple", "957": "pomegranate", "958": "hay", "959": "carbonara", "960": "chocolate sauce, chocolate syrup", "961": "dough", "962": "meat loaf, meatloaf", "963": "pizza, pizza pie", "964": "potpie", "965": "burrito", "966": "red wine", "967": "espresso", "968": "cup", "969": "eggnog", "970": "alp", "971": "bubble", "972": "cliff, drop, 
drop-off", "973": "coral reef", "974": "geyser", "975": "lakeside, lakeshore", "976": "promontory, headland, head, foreland", "977": "sandbar, sand bar", "978": "seashore, coast, seacoast, sea-coast", "979": "valley, vale", "980": "volcano", "981": "ballplayer, baseball player", "982": "groom, bridegroom", "983": "scuba diver", "984": "rapeseed", "985": "daisy", "986": "yellow lady's slipper, yellow lady-slipper, Cypripedium calceolus, Cypripedium parviflorum", "987": "corn", "988": "acorn", "989": "hip, rose hip, rosehip", "990": "buckeye, horse chestnut, conker", "991": "coral fungus", "992": "agaric", "993": "gyromitra", "994": "stinkhorn, carrion fungus", "995": "earthstar", "996": "hen-of-the-woods, hen of the woods, Polyporus frondosus, Grifola frondosa", "997": "bolete", "998": "ear, spike, capitulum", "999": "toilet tissue, toilet paper, bathroom tissue"}

--------------------------------------------------------------------------------
/common/train_mnist.py:
--------------------------------------------------------------------------------
import numpy as np
import torch
from torch.autograd import Variable
import torch.nn as nn
import torch.nn.functional as F
import torchvision
import torch.optim as optim
from torchvision import transforms
from tqdm import *

class Net(nn.Module):
    def __init__(self):
        super(Net, self).__init__()
        # my network is composed of only affine layers
        self.fc1 = nn.Linear(28*28, 300)
        self.fc2 = nn.Linear(300, 100)
        self.fc3 = nn.Linear(100, 10)
        # self.r = nn.Parameter(data=torch.randn(5,5), requires_grad=True)

    def forward(self, x):
        x = F.relu(self.fc1(x))
        x = F.relu(self.fc2(x))
        x = self.fc3(x)
        return x

net = Net()
print(net)
SoftmaxWithXent = nn.CrossEntropyLoss()
optimizer = optim.SGD(net.parameters(), lr=0.001, momentum=0.9, weight_decay=1e-04)


# DATA LOADERS
def flat_trans(x):
    # flatten the 1x28x28 image tensor into a 784-vector
    x.resize_(28*28)
    return x


if __name__ == '__main__':
    # DEFINE NETWORK
    mnist_transform = transforms.Compose(
        [transforms.ToTensor(), transforms.Lambda(flat_trans)]
    )
    traindata = torchvision.datasets.MNIST(root="./mnist", train=True, download=True, transform=mnist_transform)
    trainloader = torch.utils.data.DataLoader(traindata, batch_size=256, shuffle=True, num_workers=2)
    testdata = torchvision.datasets.MNIST(root="./mnist", train=False, download=True, transform=mnist_transform)
    testloader = torch.utils.data.DataLoader(testdata, batch_size=256, shuffle=True, num_workers=2)

    # TRAIN
    for epoch in range(100):

        print("Epoch: {}".format(epoch))
        running_loss = 0.0
        # import ipdb; ipdb.set_trace()
        for data in tqdm(trainloader):

            # get the inputs
            inputs, labels = data
            # wrap them in a variable
            inputs, labels = Variable(inputs), Variable(labels)
            # zero the gradients
            optimizer.zero_grad()

            # forward + loss + backward
            outputs = net(inputs)  # forward pass
            loss = SoftmaxWithXent(outputs, labels)  # compute softmax -> loss
            loss.backward()  # get gradients on params
            optimizer.step()  # SGD update

            # print statistics
            # (loss.data[0] fails on 0-dim tensors in PyTorch >= 0.5; .item() is the replacement)
            running_loss += loss.item()

        print('Epoch: {} | Loss: {}'.format(epoch, running_loss/2000.0))

    print ("Finished Training")

    # TEST
    correct = 0.0
    total = 0
    for data in testloader:
        images, labels = data
        outputs = net(Variable(images))
        _, predicted = torch.max(outputs.data, 1)
        total += labels.size(0)
        correct += (predicted == labels).sum().item()

    print("Accuracy: {}".format(correct/total))

    print ("Dumping weights to disk")
    weights_dict = {}
    # import ipdb; ipdb.set_trace()
    for param in list(net.named_parameters()):
        print ("Serializing Param", param[0])
        weights_dict[param[0]] = param[1]
    with open("weights.pkl","wb") as f:
        import pickle
        pickle.dump(weights_dict, f)
    print ("Finished dumping to disk..")

--------------------------------------------------------------------------------
/images/imnet_fgsm.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/akshaychawla/Adversarial-Examples-in-PyTorch/e9e4e1052c5a1147f0885b6f6248645167283dd3/images/imnet_fgsm.png

--------------------------------------------------------------------------------
/images/mnist_fgsm.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/akshaychawla/Adversarial-Examples-in-PyTorch/e9e4e1052c5a1147f0885b6f6248645167283dd3/images/mnist_fgsm.png

--------------------------------------------------------------------------------
/images/mnist_paper_1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/akshaychawla/Adversarial-Examples-in-PyTorch/e9e4e1052c5a1147f0885b6f6248645167283dd3/images/mnist_paper_1.png

--------------------------------------------------------------------------------
/method1-OptimizingNoise/attack.py:
--------------------------------------------------------------------------------
import numpy as np
import torch
from torch.autograd import Variable
import torch.nn as nn
import torch.nn.functional as F
import torchvision
import torch.optim as optim
from torchvision import transforms
from tqdm import *
import matplotlib.pyplot as plt
import pickle
import random
import sys, os

# DEFINE NETWORK
class Net(nn.Module):
    def __init__(self):
        super(Net, self).__init__()
        # my network is composed of only affine layers
        self.fc1 = nn.Linear(28*28, 300)
        self.fc2 = nn.Linear(300, 100)
        self.fc3 = nn.Linear(100, 10)
        self.r = nn.Parameter(data=torch.zeros(1,784),
                              requires_grad=True) # really small initial values

    def forward(self, x):
        # the trainable noise r is added to the input and the sum is kept in [0, 1]
        x = x + self.r
        x = torch.clamp(x, 0, 1)
        x = F.relu(self.fc1(x))
        x = F.relu(self.fc2(x))
        x = self.fc3(x)
        return x


class Attack:
    def __init__(self, weights):
        self.net = Net()
        self.softmaxwithxent = nn.CrossEntropyLoss()
        # only the noise vector r is optimized; the network weights stay fixed
        self.optimizer = optim.SGD(params=[self.net.r], lr=0.008)
        self.load_weights(weights)

    def load_weights(self, weights=None):
        assert os.path.isfile(weights), "Error: weight file {} is invalid".format(weights)
        # LOAD PRE-TRAINED WEIGHTS
        # pickle.load runs code embedded in the file: only load weight files you created yourself
        weights_dict = {}
        with open(weights, "rb") as f:
            weights_dict = pickle.load(f)
        for param in self.net.named_parameters():
            if param[0] in weights_dict.keys():
                print ("Copying: ", param[0])
                param[1].data = weights_dict[param[0]].data
        print ("Weights Loaded!")

    def attack(self, x, y_true, y_target, regularization=None):
        """
        This method uses the method described in the paper
        "Intriguing properties of neural networks" to find a
        noise vector 'r' that misclassifies 'x' as 'y_target'.

        Parameters
        ----------
        x: a numpy array containing an mnist example
        y_target: target label for attack. (int)
        y_true: true label for x (int)
        regularization: penalty on the noise: "l1", "l2" or None

        Returns
        -------
        noise: Numpy array (1x784) of the noise to be added to x
        y_pred: Prediction before adversarial optimization
        y_pred_adversarial: Prediction after adversarial optimization
        """

        _x = Variable(torch.FloatTensor(x))
        _y_target = Variable(torch.LongTensor([y_target]))

        # Reset value of r
        self.net.r.data = torch.zeros(1,784)

        # Classification before modification
        y_pred = np.argmax(self.net(_x).data.numpy())
        incorrect_classify = False
        # print "Y_TRUE: {} | Y_PRED: {}".format(_y_true, y_pred)
        if y_true != y_pred:
            incorrect_classify = True
            print ("WARNING: IMAGE WAS NOT CLASSIFIED CORRECTLY")

        # Optimization Loop
        for iteration in range(1000):

            self.optimizer.zero_grad()
            outputs = self.net(_x)
            xent_loss = self.softmaxwithxent(outputs, _y_target)

            if regularization == "l1":
                adv_loss = xent_loss + torch.mean(torch.abs(self.net.r))
            elif regularization == "l2":
                adv_loss = xent_loss + torch.mean(torch.pow(self.net.r,2))
            elif regularization is None:
                adv_loss = xent_loss
            else:
                raise Exception("regularization method {} is not implemented, please choose one of l1, l2 or None".format(regularization))

            adv_loss.backward()
            self.optimizer.step()

            # keep optimizing Until classif_op == _y_target
            y_pred_adversarial = np.argmax(self.net(_x).data.numpy())
            if y_pred_adversarial == y_target:
                break

            if iteration == 999:
                print ("Warning: optimization loop ran for 1000 iterations. The result may not be correct")

        return self.net.r.data.numpy(), y_pred, y_pred_adversarial


# net = Net()
# print(net)
# SoftmaxWithXent = nn.CrossEntropyLoss()

# # OPTIMIZE FOR "r"
# optimizer = optim.SGD(params=[net.r], lr=0.008)


# # Load 5K samples
# with open("5k_samples.pkl","r") as f:
#     samples_5k = pickle.load(f)
# # import ipdb; ipdb.set_trace()
# images = samples_5k["images"]
# labels = samples_5k["labels"]
# noise = []
# y_preds = []

# for _x, _y_true in zip(images, labels):

#     _x = torch.FloatTensor(_x)
#     # import ipdb; ipdb.set_trace()
#     # Note: choose _y_target to be something other than _y_true
#     _y_target = random.choice( list(set([0,1,2,3,4,5,6,7,8,9]) - set([_y_true])) )
#     _y_target = torch.LongTensor([_y_target])

#     # Reset value of r
#     net.r.data = torch.zeros(1,784)
#     # import ipdb; ipdb.set_trace()

#     # Classification before Adv
#     y_pred = np.argmax(net(Variable(_x)).data.numpy())
#     y_preds.append(y_pred)

#     print "Y_TRUE: {} | Y_PRED: {}".format(_y_true, y_pred)
#     if _y_true != y_pred:
#         print "WARNING: IMAGE WAS NOT CLASSIFIED CORRECTLY"

#     # Optimization Loop
#     tqd_loop = trange(1000)
#     for iteration in tqd_loop:

#         x,y = Variable(_x), Variable(_y_target)
#         optimizer.zero_grad()
#         outputs = net(x)
#         xent_loss = SoftmaxWithXent(outputs, y)
#         adv_loss = xent_loss + torch.mean(torch.pow(net.r,2))

#         adv_loss.backward()
#         # xent_loss.backward()
#         optimizer.step()

#         # print stats
#         classif_op = np.argmax(net(Variable(_x)).data.numpy())
#         tqd_loop.set_description("xent Loss: {} classif: {}".format(xent_loss.data.numpy(), classif_op))


#         # keep optimizing Until classif_op == _y_target
#         if classif_op == _y_target.numpy()[0]:
#             tqd_loop.close()
#             break

#     # save adv_image and noise to list
#     noise.append(net.r.data.numpy())
#     print "After Optimization Image is classified as: "
#     print np.argmax(net(Variable(_x)).data.numpy())

# with open("adv_results_l2.pkl","w") as f:
#     adv_data_dict = {
#         "x" : images,
#         "y_true" : labels,
#         "y_pred" : y_preds,
#         "r" : noise
#     }
#     pickle.dump(adv_data_dict, f)


--------------------------------------------------------------------------------
/method1-OptimizingNoise/attack_mnist.py:
--------------------------------------------------------------------------------
import numpy as np
import os, sys, pickle
import matplotlib.pyplot as plt
import random
from attack import Attack
from tqdm import *


# Load 5K samples
with open("../common/5k_samples.pkl","rb") as f:
    samples_5k = pickle.load(f)
images = samples_5k["images"]
labels = samples_5k["labels"]

# Aggregate
xs, y_trues, y_preds, y_preds_adversarial, noises = [], [], [], [], []

# Attack each example
attacker = Attack(weights="../common/weights.pkl")
for x, y_true in tqdm(zip(images, labels)):

    # pick a random target class different from the true label
    y_target = random.choice( list(set([0,1,2,3,4,5,6,7,8,9]) - set([y_true])) )
    noise, y_pred, y_pred_adversarial = attacker.attack(x, y_true, y_target, regularization="l2")

    if y_pred == y_true:
        # store
        xs.append(x)
        y_trues.append(y_true)
        y_preds.append(y_pred)
        y_preds_adversarial.append(y_pred_adversarial)
        noises.append(noise.squeeze())
    else:
        print ("y_pred != y_true, not storing to disk" )

with open("bulk_mnist_adversarial_examples.pkl","wb") as f:
    save_dict = {"xs":xs,
                 "y_trues":y_trues,
                 "y_preds":y_preds,
                 "y_preds_adversarial":y_preds_adversarial,
                 "noises": noises }
    pickle.dump(save_dict, f)
print ("..done")



--------------------------------------------------------------------------------
/method1-OptimizingNoise/visualize_adv_examples.py:
--------------------------------------------------------------------------------
"""
This script visualizes the adversarial samples on a grid.
How to run: python visualize_adv_examples.py ./location_of_bulk_pickle.pkl
"""
import numpy as np
import matplotlib.pyplot as plt
import pickle
import sys, os

pkl_loc = sys.argv[1]
with open(pkl_loc, "rb") as f:
    adv_data_dict = pickle.load(f)

xs = adv_data_dict["xs"]
y_trues = adv_data_dict["y_trues"]
y_preds = adv_data_dict["y_preds"]
noises = adv_data_dict["noises"]
y_preds_adversarial = adv_data_dict["y_preds_adversarial"]

# visualize N random images
idxs = np.random.choice(range(500), size=(20,), replace=False)
for matidx, idx in enumerate(idxs):
    orig_im = xs[idx].reshape(28,28)
    adv_im = orig_im + noises[idx].reshape(28,28)
    disp_im = np.concatenate((orig_im, adv_im), axis=1)
    plt.subplot(5,4,matidx+1)
    plt.imshow(disp_im, "gray")
    plt.xticks([])
    plt.yticks([])
    plt.title("Orig: {} | New: {}".format(y_trues[idx], y_preds_adversarial[idx]))
plt.show()

# Noise statistics
noises, xs, y_trues, y_preds = np.array(noises), np.array(xs), np.array(y_trues), np.array(y_preds)
adv_exs = xs + noises
print ("Adv examples: max, min: ", adv_exs.max(), adv_exs.min())
print ("Noise: Mean, Max, Min: ")
print (np.mean(noises), np.max(noises), np.min(noises))

--------------------------------------------------------------------------------
/method2-FastGradientSignMethod/imnet-fast-gradient.py:
--------------------------------------------------------------------------------
import numpy as np
import matplotlib.pyplot as plt
from PIL import Image
import torch
from torch.autograd import Variable
import torch.nn as nn
import torch.nn.functional as F
import torchvision
import torch.optim as optim
from torchvision import transforms
from tqdm import *
import torchvision.models
import pickle

with open("../common/labels.json","r") as f:
    import json
    ImageNet_mapping = json.loads(f.read())

def image_location_generator(_root):
    import os
    _dirs = os.listdir(_root)
    assert len(_dirs) > 0, "no directories in given root folder"
    for _dir in _dirs:
        _imfiles = os.listdir(os.path.join(_root,_dir))
        for _imfile in _imfiles:
            yield os.path.join(_root, _dir, _imfile)

imsize = (224, 224)
# transforms.Scale was renamed to transforms.Resize and later removed from torchvision
loader = transforms.Compose([transforms.Resize(imsize), transforms.ToTensor()])
normalize = transforms.Normalize(mean=[0.485, 0.456, 0.406], std=[0.229, 0.224, 0.225])
def image_loader(image_name):
    """load image, returns tensor"""
    image = Image.open(image_name)
    image = image.convert("RGB") # Auto remove the "alpha" channel from png image
    image = loader(image).float()
    image = normalize(image).float()
    image = image.unsqueeze(0) #this is for VGG, may not be needed for ResNet
    return image

# Pretrained VGG16 model
vgg16 = torchvision.models.vgg16(pretrained=True)
vgg16.eval() # disable dropout, batchnorm
SoftmaxWithXent = nn.CrossEntropyLoss()
print (".. loaded pre-trained vgg16")

xs, y_trues, y_preds, noises, y_preds_adversarial = [], [], [], [], []

for imloc in tqdm(image_location_generator("./downloads/")):

    x = Variable(image_loader(imloc), requires_grad=True)
    output = vgg16.forward(x)
    # no ground-truth label is available here: the model's own prediction is used as the label
    y = Variable(torch.LongTensor(np.array([output.data.numpy().argmax()])), requires_grad = False)
    loss = SoftmaxWithXent(output, y)
    loss.backward()

    # Add perturbation
    epsilon = 0.02
    x_grad = torch.sign(x.grad.data)
    adv_x = x.data + epsilon*x_grad # we do not know the min/max because of torch's own stuff

    # Check adversarial output
    y_pred_adversarial = ImageNet_mapping[ str(np.argmax(vgg16.forward(Variable(adv_x)).data.numpy())) ]
    y_true = ImageNet_mapping[ str( int( y.data.numpy()[0] ) ) ]

    if y_pred_adversarial == y_true:
        print ("Error: Could not adversarialize image ")
    else:
        xs.append(x.data.numpy())
        y_preds.append( y_true )
        y_trues.append( y_true )
        noises.append((adv_x - x.data).numpy())
        y_preds_adversarial.append( y_pred_adversarial )

        # Display
        # print y_preds[-1], " | ", y_preds_adversarial[-1]

# import ipdb; ipdb.set_trace()  # leftover debugger breakpoint, disabled so the results get saved
with open("bulk_imnet_fgsm.pkl", "wb") as f:
    adv_data_dict = {
        'xs' : xs,
        'y_trues': y_trues,
        'y_preds': y_preds,
        'noises': noises,
        'y_preds_adversarial': y_preds_adversarial
    }
    pickle.dump(adv_data_dict, f)



--------------------------------------------------------------------------------
/method2-FastGradientSignMethod/mnist-fast-gradient.py:
--------------------------------------------------------------------------------
import numpy as np
import torch
from torch.autograd import Variable
import torch.nn as nn
import torch.nn.functional as F
import torchvision
import torch.optim as optim
from torchvision import transforms
from tqdm import *
import matplotlib.pyplot as plt
import pickle
import random

# DEFINE NETWORK
class Net(nn.Module):
    def __init__(self):
        super(Net, self).__init__()
        # my network is composed of only affine layers
        self.fc1 = nn.Linear(28*28, 300)
        self.fc2 = nn.Linear(300, 100)
        self.fc3 = nn.Linear(100, 10)

    def forward(self, x):
        x = F.relu(self.fc1(x))
        x = F.relu(self.fc2(x))
        x = self.fc3(x)
        return x

    def classify(self, x):
        outputs = self.forward(x)
        outputs = outputs / torch.norm(outputs)
        max_val, max_idx = torch.max(outputs, 1)
        return int(max_idx.data.numpy()), float(max_val.data.numpy())

net = Net()
print(net)
SoftmaxWithXent = nn.CrossEntropyLoss()

# Load pre-trained weights
weights_dict = {}
with open("../common/weights.pkl", "rb") as f:
    weights_dict = pickle.load(f)
for param in net.named_parameters():
    if param[0] in weights_dict.keys():
        print ("Copying: ", param[0])
        param[1].data = weights_dict[param[0]].data
print ("Weights Loaded!")

# Load 5K samples
with open("../common/5k_samples.pkl","rb") as f:
    samples_5k = pickle.load(f)

xs = samples_5k["images"]
y_trues = samples_5k["labels"]
noises = []
y_preds = []
y_preds_adversarial = []
totalMisclassifications = 0
xs_clean = []
y_trues_clean = []

for x, y_true in tqdm(zip(xs, y_trues)):

    # Wrap x as a variable
    x = Variable(torch.FloatTensor(x.reshape(1,784)), requires_grad=True)
    y_true = Variable(torch.LongTensor(np.array([y_true])), requires_grad=False)

    # Classification before Adv
    y_pred = np.argmax(net(x).data.numpy())

    # Generate Adversarial Image

    # Forward pass
    outputs = net(x)
    loss = SoftmaxWithXent(outputs, y_true)
    loss.backward() # obtain gradients on x

    # Add perturbation
    epsilon = 0.1
    x_grad = torch.sign(x.grad.data)
    x_adversarial = torch.clamp(x.data + epsilon * x_grad, 0, 1)

    # Classification after optimization
    y_pred_adversarial = np.argmax(net(Variable(x_adversarial)).data.numpy())
    # print "Before: {} | after: {}".format(y_pred, y_pred_adversarial)

    # print "Y_TRUE: {} | Y_PRED: {}".format(_y_true, y_pred)
    if y_true.data.numpy() != y_pred:
        print ("WARNING: MISCLASSIFICATION ERROR")
        totalMisclassifications += 1
    else:
        y_preds.append(y_pred)
        y_preds_adversarial.append(y_pred_adversarial)
        noises.append( (x_adversarial - x.data).numpy() )
        xs_clean.append(x.data.numpy())
        y_trues_clean.append(y_true.data.numpy())

print ("Total totalMisclassifications : ", totalMisclassifications)
print ("out of : ", len(xs))

with open("bulk_mnist_fgsd.pkl","wb") as f:
    adv_data_dict = {
        "xs" : xs_clean,
        "y_trues" : y_trues_clean,
        "y_preds" : y_preds,
        "noises" : noises,
        "y_preds_adversarial" : y_preds_adversarial
    }
    pickle.dump(adv_data_dict, f)

--------------------------------------------------------------------------------
/method2-FastGradientSignMethod/visualize_imnet.py:
--------------------------------------------------------------------------------
import numpy as np
import matplotlib.pyplot as plt
import pickle
import sys, os

def tensor2im(tens):
    # undo transforms.Normalize (per-channel std, then mean) and move channels last

    im = tens[0]
    im[0] = im[0] * 0.229
    im[1] = im[1] * 0.224
    im[2] = im[2] * 0.225
    im[0] += 0.485
    im[1] += 0.456
    im[2] += 0.406
    im = np.moveaxis(im, 0, 2)
    return im
    # return (im*255).astype(np.uint8) # RGB in [0,255]


pkl_loc = sys.argv[1]
# pickles must be opened in binary mode under Python 3
with open(pkl_loc, "rb") as f:
    adv_data_dict = pickle.load(f)

xs = adv_data_dict["xs"]
y_trues = adv_data_dict["y_trues"]
y_preds = adv_data_dict["y_preds"]
noises = adv_data_dict["noises"]
y_preds_adversarial = adv_data_dict["y_preds_adversarial"]

# visualize N random images
idxs = np.random.choice(range(50), size=(9,), replace=False)
for matidx, idx in enumerate(idxs):
    orig_im = xs[idx]
    adv_im = orig_im + noises[idx]
    orig_im = tensor2im(orig_im)
    adv_im = tensor2im(adv_im)
    disp_im = np.concatenate((orig_im, adv_im), axis=1)
    disp_im = np.clip(disp_im, 0, 1)
    # import ipdb; ipdb.set_trace()
    # disp_im = disp_im.astype(np.uint8)
    plt.subplot(3,3,matidx+1)
    plt.imshow(disp_im)
    plt.xticks([])
    plt.yticks([])
    plt.title("{} / {}".format(y_preds[idx][:30], y_preds_adversarial[idx][:30]), fontsize = 9)

plt.show()

--------------------------------------------------------------------------------
/method2-FastGradientSignMethod/visualize_mnist.py:
--------------------------------------------------------------------------------
import numpy as np
import matplotlib.pyplot as plt
import pickle
import sys, os

pkl_loc = sys.argv[1]
with open(pkl_loc, "rb") as f:
    adv_data_dict = pickle.load(f)

xs = adv_data_dict["xs"]
y_trues = adv_data_dict["y_trues"]
y_preds = adv_data_dict["y_preds"]
noises = adv_data_dict["noises"]
y_preds_adversarial = adv_data_dict["y_preds_adversarial"]


# import ipdb; ipdb.set_trace()
# visualize N random images
idxs = np.random.choice(range(50), size=(20,), replace=False)
for matidx, idx in enumerate(idxs):
    orig_im = xs[idx].reshape(28,28)
    adv_im = orig_im + noises[idx].reshape(28,28)
    disp_im = np.concatenate((orig_im, adv_im), axis=1)
    plt.subplot(5,4,matidx+1)
    plt.imshow(disp_im, "gray")
    plt.xticks([])
    plt.yticks([])
plt.show()

# Noise statistics
# import ipdb; ipdb.set_trace()
noises, xs, y_trues, y_preds = np.array(noises), np.array(xs), np.array(y_trues), np.array(y_preds)
noises = noises.squeeze(axis=1)
xs = xs.squeeze(axis=1)
adv_exs = xs + noises
print ("Adv examples: max, min: ", adv_exs.max(), adv_exs.min())
print ("Noise: Mean, Max, Min: ")
print (np.mean(noises), np.max(noises), np.min(noises))

--------------------------------------------------------------------------------
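
imnet-fast-gradient.py perturbs images after `transforms.Normalize` and notes that the valid min/max is not known there, while the visualize scripts only print raw noise statistics. The following added example (not part of the repository) audits such a perturbation in pixel units and clamps it to the range that decodes to a valid image; the function names and the 3x1x2 sample are constructed for illustration, and nested lists stand in for tensors so it runs without PyTorch.

```python
# Added example: evaluation-side audit of a perturbation made in normalized space.
# MEAN/STD are the transforms.Normalize constants used by imnet-fast-gradient.py.
MEAN = (0.485, 0.456, 0.406)
STD = (0.229, 0.224, 0.225)
TOL = 1e-9  # float slack when comparing against the [0, 1] pixel range


def normalized_bounds():
    """Per-channel (lo, hi) that the pixel range [0, 1] maps to after Normalize."""
    return [((0.0 - m) / s, (1.0 - m) / s) for m, s in zip(MEAN, STD)]


def normalize(pixels):
    """Apply (v - mean) / std per channel to a CxHxW nested list of pixel values."""
    return [[[(v - MEAN[c]) / STD[c] for v in row] for row in chan]
            for c, chan in enumerate(pixels)]


def perturb(x, signs, eps):
    """x + eps * sign, with no clamp (the form the ImageNet script saves)."""
    return [[[v + eps * s for v, s in zip(rx, rs)] for rx, rs in zip(cx, cs)]
            for cx, cs in zip(x, signs)]


def clamp_normalized(image):
    """Clamp each channel so the image decodes to pixel values inside [0, 1]."""
    return [[[min(max(v, lo), hi) for v in row] for row in chan]
            for chan, (lo, hi) in zip(image, normalized_bounds())]


def audit(x, adv):
    """Per-channel L-inf distance in pixel units and count of invalid pixels."""
    report = {"linf_pixel": [], "out_of_range": 0}
    for c, (cx, ca) in enumerate(zip(x, adv)):
        linf = 0.0
        for rx, ra in zip(cx, ca):
            for vx, va in zip(rx, ra):
                # a step of d in normalized units is d * std in pixel units
                linf = max(linf, abs(va - vx) * STD[c])
                pixel = va * STD[c] + MEAN[c]
                if pixel < -TOL or pixel > 1.0 + TOL:
                    report["out_of_range"] += 1
        report["linf_pixel"].append(linf)
    return report


# Constructed sample: 3 channels, 1 row, 2 pixels, given in pixel units.
PIXELS = [[[0.0, 0.5]], [[1.0, 0.25]], [[0.5, 0.75]]]
SIGNS = [[[-1, 1]], [[1, -1]], [[1, 1]]]  # constructed stand-in for sign(gradient)
EPS = 0.02                                 # epsilon used by imnet-fast-gradient.py

X = normalize(PIXELS)
ADV = perturb(X, SIGNS, EPS)

if __name__ == "__main__":
    print("normalized bounds:", normalized_bounds())
    print("unclamped:", audit(X, ADV))
    print("clamped:  ", audit(X, clamp_normalized(ADV)))
```

The audit shows that epsilon = 0.02 in normalized space is a different pixel-space budget per channel (about 0.0046, 0.0045 and 0.0045), which matters when comparing results against the MNIST script, where epsilon = 0.1 is applied directly to pixels in [0, 1].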