4. Gradient-based attacks: MIM


Original MIM attack paper: https://arxiv.org/pdf/1710.06081.pdf

1. Principle of the MIM attack

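  The full name of the MIM attack is Momentum Iterative Method. It is a gradient-based iterative attack algorithm similar to PGD. Its essence is that, during iteration, the perturbation in each round depends not only on the current gradient direction but also on the gradient directions computed earlier. The decay factor adjusts how strong that dependence is: decay_factor lies in (0,1), and the smaller decay_factor is, the less the gradients computed in earlier iterations influence the current gradient direction. On reflection this makes sense: because earlier gradients also influence later iterations, the iteration direction does not drift off course and the overall direction stays right. Up to this point this is the author's intuitive understanding of MIM; the more academic view from the paper follows.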

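 In fact, in order to accelerate gradient descent, a vector is accumulated along the gradient direction of the loss function, which (1) stabilizes the updates and (2) helps to get through narrow valleys, small humps and poor local minima or maxima. (I do not know how to translate these technical terms; picture the graph of the function. The rough meaning is that local optima can be effectively avoided.)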

 

 

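is decay_factor. In addition, in the original paper the derivative with respect to x at each iteration is taken directly with the 1-norm and then averaged, but in the various algorithm libraries and in the supplementary implementation of the paper no averaging is done; this probably has little effect on the result.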

2. Code implementation (pasted directly from advertorch)

# Imports needed by this excerpt (names as exposed by the advertorch package).
import torch
import torch.nn as nn

from advertorch.attacks.base import Attack
from advertorch.attacks.base import LabelMixin
from advertorch.utils import clamp
from advertorch.utils import normalize_by_pnorm


class MomentumIterativeAttack(Attack, LabelMixin):
    """
    The L-inf projected gradient descent attack (Dong et al. 2017).
    The attack performs nb_iter steps of size eps_iter, while always staying
    within eps from the initial point. The optimization is performed with
    momentum.
    Paper: https://arxiv.org/pdf/1710.06081.pdf
    """

    def __init__(
            self, predict, loss_fn=None, eps=0.3, nb_iter=40, decay_factor=1.,
            eps_iter=0.01, clip_min=0., clip_max=1., targeted=False):
        """
        Create an instance of the MomentumIterativeAttack.

        :param predict: forward pass function.
        :param loss_fn: loss function.
        :param eps: maximum distortion.
        :param nb_iter: number of iterations
        :param decay_factor: momentum decay factor.
        :param eps_iter: attack step size.
        :param clip_min: minimum value per input dimension.
        :param clip_max: maximum value per input dimension.
        :param targeted: if the attack is targeted.
        """
        super(MomentumIterativeAttack, self).__init__(
            predict, loss_fn, clip_min, clip_max)
        self.eps = eps
        self.nb_iter = nb_iter
        self.decay_factor = decay_factor
        self.eps_iter = eps_iter
        self.targeted = targeted
        if self.loss_fn is None:
            self.loss_fn = nn.CrossEntropyLoss(reduction="sum")

    def perturb(self, x, y=None):
        """
        Given examples (x, y), returns their adversarial counterparts with
        an attack length of eps.

        :param x: input tensor.
        :param y: label tensor.
                  - if None and self.targeted=False, compute y as predicted
                    labels.
                  - if self.targeted=True, then y must be the targeted labels.
        :return: tensor containing perturbed inputs.
        """
        x, y = self._verify_and_process_inputs(x, y)

        # delta is the perturbation being optimized; g is the accumulated
        # (momentum) gradient.
        delta = torch.zeros_like(x)
        g = torch.zeros_like(x)

        delta = nn.Parameter(delta)

        for i in range(self.nb_iter):

            # Reset the gradient left over from the previous iteration.
            if delta.grad is not None:
                delta.grad.detach_()
                delta.grad.zero_()

            imgadv = x + delta
            outputs = self.predict(imgadv)
            loss = self.loss_fn(outputs, y)
            if self.targeted:
                loss = -loss
            loss.backward()

            g = self.decay_factor * g + normalize_by_pnorm(
                delta.grad.data, p=1)
            # according to the paper it should be .sum(), but in their
            #   implementations (both cleverhans and the link from the paper)
            #   it is .mean(), but actually it shouldn't matter

            delta.data += self.eps_iter * torch.sign(g)
            # delta.data += self.eps / self.nb_iter * torch.sign(g)

            # Keep the perturbation within eps, then keep x + delta within
            # the valid input range.
            delta.data = clamp(
                delta.data, min=-self.eps, max=self.eps)
            delta.data = clamp(
                x + delta.data, min=self.clip_min, max=self.clip_max) - x

        rval = x + delta.data
        return rval

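 Personally, I think that during iteration advertorch should differentiate with respect to imgadv rather than delta. I checked the foolbox and cleverhans implementations, and both differentiate with respect to each round's adversarial example; you can change this when writing your own implementation.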
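The momentum argument from section 1 (getting past "small humps"), as an added example that is not part of the original post or of advertorch: the same update and clamping order as the listing, run in pure Python on a constructed toy loss. With decay_factor=0 the iterate stalls at the first hump, which is why a robustness evaluation that skips momentum can overstate how robust a model is. The names mim_perturb, toy_loss, toy_grad and compare are hypothetical, and the loss is constructed for illustration, not a real model.

```python
import math

def l1_normalize(grad):
    """Scale grad to unit L1 norm (the normalize_by_pnorm(..., p=1) step)."""
    norm = sum(abs(v) for v in grad) or 1e-12
    return [v / norm for v in grad]

def mim_perturb(x, grad_fn, eps, eps_iter, nb_iter, decay_factor,
                clip_min=0.0, clip_max=1.0):
    """Momentum iterative update on a plain list of floats.

    grad_fn(x_adv) returns d(loss)/d(x_adv); decay_factor=0 disables momentum.
    """
    delta = [0.0] * len(x)
    g = [0.0] * len(x)
    for _ in range(nb_iter):
        x_adv = [xi + di for xi, di in zip(x, delta)]
        grad = l1_normalize(grad_fn(x_adv))
        # Accumulate: g <- decay_factor * g + grad / ||grad||_1
        g = [decay_factor * gi + ni for gi, ni in zip(g, grad)]
        # Step by eps_iter in the direction sign(g).
        delta = [di + eps_iter * math.copysign(1.0, gi) if gi else di
                 for di, gi in zip(delta, g)]
        # Keep |delta| <= eps, then keep x + delta inside [clip_min, clip_max].
        delta = [max(-eps, min(eps, di)) for di in delta]
        delta = [max(clip_min, min(clip_max, xi + di)) - xi
                 for xi, di in zip(x, delta)]
    return [xi + di for xi, di in zip(x, delta)]

# Constructed toy loss with small humps along x[0] (not a real model):
#   loss(x) = x0 + 0.1*sin(20*x0) + 0.5*x1
def toy_loss(x):
    return x[0] + 0.1 * math.sin(20 * x[0]) + 0.5 * x[1]

def toy_grad(x):
    return [1 + 2 * math.cos(20 * x[0]), 0.5]

def compare(x=(0.0, 0.2), eps=0.5, eps_iter=0.05, nb_iter=10):
    """Return (x_adv without momentum, x_adv with decay_factor=1.0)."""
    plain = mim_perturb(list(x), toy_grad, eps, eps_iter, nb_iter, 0.0)
    momentum = mim_perturb(list(x), toy_grad, eps, eps_iter, nb_iter, 1.0)
    return plain, momentum

if __name__ == "__main__":
    plain, momentum = compare()
    print("no momentum:", plain, "loss", round(toy_loss(plain), 4))
    print("momentum   :", momentum, "loss", round(toy_loss(momentum), 4))
```

Both runs stay inside the eps ball; only the accumulated gradient keeps sign(g) pointing the same way while the raw gradient along x[0] briefly turns negative.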

 

 

