Paper information
Title: Towards deep learning models resistant to adversarial attacks
Authors: Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, Adrian Vladu
Venue: ICLR 2018
Paper link: download
Code: download
Video walkthrough: click
1 Introduction
Adversarial attacks
2 Method
2.1 Problem formulation
In this paper the authors cast attack and defence against adversarial examples as the following saddle-point problem:
$\min _{\theta} \rho(\theta), \quad \text { where } \quad \rho(\theta)=\mathbb{E}_{(x, y) \sim \mathcal{D}}\left[\max _{\delta \in \mathcal{S}} L(\theta, x+\delta, y)\right]$
The problem has two parts, an inner loss maximisation and an outer empirical-risk minimisation:
- Inner problem: $L(\cdot)$ is the loss function, usually cross-entropy when training a neural network; $x$ is the original sample, $\delta$ the perturbation, $\mathcal{S}$ the set of allowed perturbations and $y$ the label of the original sample. The inner problem searches for a perturbation that maximises the loss, i.e. maximises the risk that the perturbed sample is no longer classified as its original label;
- Outer problem: $\mathcal{D}$ is the distribution the data $(x, y)$ are drawn from and $\theta$ are the parameters of the deep network; the goal is to find $\theta$ that minimises the risk $\mathbb{E}_{(x, y) \sim \mathcal{D}}[L(\theta, x, y)]$. In short, the inner problem looks for an adversarial version of each sample that maximises the loss, i.e. it attacks the model; the outer problem uses that attack to train a more robust network, i.e. it defends against adversarial examples.
2.2 Solving the problem
The authors consider two attack models. The first is the fast gradient sign method (FGSM), already discussed several times in this column, which the paper takes as the representative single-step attack:
$x+\varepsilon \operatorname{sgn}\left(\nabla_{x} L(\theta, x, y)\right)$
The second is the iterated fast gradient method, which is essentially projected gradient descent on the negative of the loss function (gradient ascent on the loss) and is abbreviated PGD:
$x^{t+1}=\Pi_{x+\mathcal{S}}\left(x^{t}+\alpha \operatorname{sgn}\left(\nabla_{x} L(\theta, x, y)\right)\right)$
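To make both levels of the saddle-point problem concrete, here is an added worked example (not code from the paper or from this post) that implements the inner maximisation with FGSM and PGD, including the projection $\Pi_{x+\mathcal{S}}$ onto the $\ell_\infty$ ball and the clamp to the valid input range, and the outer minimisation as gradient descent on the PGD points. It uses a two-dimensional logistic-regression model and a constructed six-point dataset so every quantity can be traced by hand; the values of $\varepsilon$, $\alpha$, the step count and the learning rate are assumptions chosen for the toy, not the paper's CIFAR-10 settings.

```python
"""Toy min-max adversarial training (Madry et al.) on a 2-D linear classifier.

Added worked example, not code from the paper or the blog post. A logistic-regression
model and six constructed points keep the inner maximisation (FGSM / PGD with L-inf
projection) and the outer minimisation (SGD on the adversarial points) hand-checkable.
"""
import math
import random

EPS = 0.1      # L-inf radius of the perturbation set S (assumed toy value)
ALPHA = 0.025  # PGD step size (assumed toy value)
K = 10         # PGD iterations; K * ALPHA > 2 * EPS, so any start inside the ball can reach its boundary

# Constructed training set: x in [0,1]^2, label y in {-1, +1}.
DATA = [
    ((0.80, 0.85), +1), ((0.90, 0.70), +1), ((0.75, 0.95), +1),
    ((0.20, 0.15), -1), ((0.10, 0.30), -1), ((0.25, 0.05), -1),
]


def sigmoid(z):
    # numerically stable logistic function
    return 1.0 / (1.0 + math.exp(-z)) if z >= 0 else math.exp(z) / (1.0 + math.exp(z))


def margin(theta, x):
    w, b = theta
    return w[0] * x[0] + w[1] * x[1] + b


def loss(theta, x, y):
    """Binary cross-entropy L(theta, x, y) = log(1 + exp(-y * margin)), computed as a stable softplus."""
    z = -y * margin(theta, x)
    return max(z, 0.0) + math.log1p(math.exp(-abs(z)))


def grad_x(theta, x, y):
    """dL/dx, the direction the inner problem ascends."""
    w, _ = theta
    s = sigmoid(-y * margin(theta, x))  # = 1 - P(correct label)
    return tuple(-y * s * wi for wi in w)


def sign(v):
    return (v > 0) - (v < 0)


def project(x_adv, x_nat, eps):
    """Pi_{x+S}: clip each coordinate into [x_i - eps, x_i + eps], then into the valid range [0, 1]."""
    out = []
    for xa, xn in zip(x_adv, x_nat):
        xa = min(max(xa, xn - eps), xn + eps)  # back into the eps-ball around the clean point
        out.append(min(max(xa, 0.0), 1.0))     # back into the input domain
    return tuple(out)


def fgsm(theta, x, y, eps=EPS):
    """Single-step attack: x + eps * sgn(grad_x L(theta, x, y))."""
    g = grad_x(theta, x, y)
    return project(tuple(xi + eps * sign(gi) for xi, gi in zip(x, g)), x, eps)


def pgd(theta, x, y, eps=EPS, alpha=ALPHA, k=K, rng=None):
    """Iterated attack: x^{t+1} = Pi_{x+S}(x^t + alpha * sgn(grad_x L)), optionally from a random start."""
    x_adv = x
    if rng is not None:  # random start inside the ball, as in the paper's training recipe
        x_adv = project(tuple(xi + rng.uniform(-eps, eps) for xi in x), x, eps)
    for _ in range(k):
        g = grad_x(theta, x_adv, y)
        x_adv = tuple(xa + alpha * sign(gi) for xa, gi in zip(x_adv, g))
        x_adv = project(x_adv, x, eps)  # projection after every step keeps ||delta||_inf <= eps
    return x_adv


def robust_loss(theta, data, eps=EPS, rng=None):
    """Empirical estimate of rho(theta) = E[max_delta L(theta, x + delta, y)], using PGD for the max."""
    return sum(loss(theta, pgd(theta, x, y, eps, rng=rng), y) for x, y in data) / len(data)


def adversarial_train(data, epochs=200, lr=0.5, eps=EPS, seed=0):
    """Outer minimisation: full-batch gradient descent on theta using the loss at the PGD points."""
    rng = random.Random(seed)
    w, b = [0.0, 0.0], 0.0
    for _ in range(epochs):
        gw, gb = [0.0, 0.0], 0.0
        for x, y in data:
            x_adv = pgd((w, b), x, y, eps, rng=rng)  # solve the inner problem for the current theta
            s = sigmoid(-y * margin((w, b), x_adv))
            gw[0] += -y * s * x_adv[0] / len(data)     # dL/dw at the adversarial point
            gw[1] += -y * s * x_adv[1] / len(data)
            gb += -y * s / len(data)
        w = [w[0] - lr * gw[0], w[1] - lr * gw[1]]
        b -= lr * gb
    return (tuple(w), b)


if __name__ == "__main__":
    theta0 = ((0.0, 0.0), 0.0)
    theta = adversarial_train(DATA)
    print("robust loss before training:", robust_loss(theta0, DATA))
    print("robust loss after training: ", robust_loss(theta, DATA))
    print("PGD point for", DATA[0][0], "->", pgd(theta, *DATA[0]))
```

Because the model is linear, the loss is monotone in the margin $w \cdot x + b$ and the inner maximum over the $\ell_\infty$ ball is attained at a corner, so FGSM with step $\varepsilon$ already reaches the same point as PGD; the gap between the two attacks that motivates PGD in the paper only appears for nonlinear networks such as the ResNet in the code section. What the toy does show is the mechanics that carry over unchanged: the sign step, the projection after every step, the random start inside the ball, and the outer gradient step taken on the adversarial points rather than the clean ones.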
3 Code
import torch
import torch.nn as nn
import torch.optim as optim
import torch.nn.functional as F
import torch.backends.cudnn as cudnn
import torchvision
import torchvision.transforms as transforms


class BasicBlock(nn.Module):
    """Standard two-convolution residual block used by ResNet18."""
    expansion = 1

    def __init__(self, in_planes, planes, stride=1):
        super(BasicBlock, self).__init__()
        self.conv1 = nn.Conv2d(in_planes, planes, kernel_size=3, stride=stride, padding=1, bias=False)
        self.bn1 = nn.BatchNorm2d(planes)
        self.conv2 = nn.Conv2d(planes, planes, kernel_size=3, stride=1, padding=1, bias=False)
        self.bn2 = nn.BatchNorm2d(planes)
        self.shortcut = nn.Sequential()
        if stride != 1 or in_planes != self.expansion * planes:
            self.shortcut = nn.Sequential(
                nn.Conv2d(in_planes, self.expansion * planes, kernel_size=1, stride=stride, bias=False),
                nn.BatchNorm2d(self.expansion * planes)
            )

    def forward(self, x):
        out = F.relu(self.bn1(self.conv1(x)))
        out = self.bn2(self.conv2(out))
        out += self.shortcut(x)
        out = F.relu(out)
        return out


class ResNet(nn.Module):
    def __init__(self, block, num_blocks, num_classes=10):
        super(ResNet, self).__init__()
        self.in_planes = 64
        self.conv1 = nn.Conv2d(3, 64, kernel_size=3, stride=1, padding=1, bias=False)
        self.bn1 = nn.BatchNorm2d(64)
        self.layer1 = self._make_layer(block, 64, num_blocks[0], stride=1)
        self.layer2 = self._make_layer(block, 128, num_blocks[1], stride=2)
        self.layer3 = self._make_layer(block, 256, num_blocks[2], stride=2)
        self.layer4 = self._make_layer(block, 512, num_blocks[3], stride=2)
        self.linear = nn.Linear(512 * block.expansion, num_classes)

    def _make_layer(self, block, planes, num_blocks, stride):
        strides = [stride] + [1] * (num_blocks - 1)
        layers = []
        for stride in strides:
            layers.append(block(self.in_planes, planes, stride))
            self.in_planes = planes * block.expansion
        return nn.Sequential(*layers)

    def forward(self, x):
        out = F.relu(self.bn1(self.conv1(x)))
        out = self.layer1(out)
        out = self.layer2(out)
        out = self.layer3(out)
        out = self.layer4(out)
        out = F.avg_pool2d(out, 4)
        out = out.view(out.size(0), -1)
        out = self.linear(out)
        return out


def ResNet18():
    return ResNet(BasicBlock, [2, 2, 2, 2])


learning_rate = 0.1
epsilon = 0.0314   # L-inf radius, 8/255 on the [0, 1] pixel scale
k = 7              # number of PGD steps
alpha = 0.00784    # PGD step size, 2/255
file_name = 'pgd_adversarial_training'
device = 'cuda' if torch.cuda.is_available() else 'cpu'

transform_train = transforms.Compose([
    transforms.RandomCrop(32, padding=4),
    transforms.RandomHorizontalFlip(),
    transforms.ToTensor(),
])
transform_test = transforms.Compose([
    transforms.ToTensor(),
])

train_dataset = torchvision.datasets.CIFAR10(root='./data', train=True, download=True, transform=transform_train)
test_dataset = torchvision.datasets.CIFAR10(root='./data', train=False, download=True, transform=transform_test)
train_loader = torch.utils.data.DataLoader(train_dataset, batch_size=128, shuffle=True, num_workers=4)
test_loader = torch.utils.data.DataLoader(test_dataset, batch_size=100, shuffle=False, num_workers=4)


class PGDAttack(object):
    """L-inf PGD: random start, k sign-gradient steps of size alpha, projection onto the epsilon-ball."""

    def __init__(self, model, loss=nn.CrossEntropyLoss(), alpha=0.00784, epsilon=0.0314, k=7):
        self.model = model
        self.loss = loss
        self.alpha = alpha
        self.epsilon = epsilon
        self.k = k

    def perturb(self, x_natural, y):
        x = x_natural.detach()
        # random start uniformly inside the epsilon-ball around the clean input
        x = x + torch.zeros_like(x).uniform_(-self.epsilon, self.epsilon)
        for i in range(self.k):
            x.requires_grad_()
            # gradients must be enabled even when perturb() is called under torch.no_grad() in test()
            with torch.enable_grad():
                logits = self.model(x)
                loss = self.loss(logits, y)
                grad = torch.autograd.grad(loss, [x])[0]
            x = x.detach() + self.alpha * torch.sign(grad.detach())
            # projection back onto the epsilon-ball, then onto the valid pixel range
            x = torch.min(torch.max(x, x_natural - self.epsilon), x_natural + self.epsilon)
            x = torch.clamp(x, 0, 1)
        return x


net = ResNet18()
net = net.to(device)
cudnn.benchmark = True

adversary = PGDAttack(net, alpha=alpha, epsilon=epsilon, k=k)
criterion = nn.CrossEntropyLoss()
optimizer = optim.SGD(net.parameters(), lr=learning_rate, momentum=0.9, weight_decay=0.0002)


def train(epoch):
    train_loss = 0
    correct = 0
    total = 0
    net.train()
    for batch_idx, (inputs, targets) in enumerate(train_loader):
        inputs, targets = inputs.to(device), targets.to(device)
        optimizer.zero_grad()
        # inner maximisation: craft the adversarial batch for the current parameters
        adv = adversary.perturb(inputs, targets)
        # outer minimisation: update the parameters on the adversarial batch only
        adv_outputs = net(adv)
        loss = criterion(adv_outputs, targets)
        loss.backward()
        optimizer.step()

        train_loss += loss.item()
        _, predicted = adv_outputs.max(1)
        total += targets.size(0)
        correct += predicted.eq(targets).sum().item()

        if batch_idx % 10 == 0:
            print('\nCurrent batch:', str(batch_idx))
            print('Current adversarial train accuracy:', str(predicted.eq(targets).sum().item() / targets.size(0)))
            print('Current adversarial train loss:', loss.item())

    print('\nTotal adversarial train accuracy:', 100. * correct / total)
    print('Total adversarial train loss:', train_loss)


def test(epoch):
    benign_loss = 0
    adv_loss = 0
    benign_correct = 0
    adv_correct = 0
    total = 0
    net.eval()
    with torch.no_grad():
        for batch_idx, (inputs, targets) in enumerate(test_loader):
            inputs, targets = inputs.to(device), targets.to(device)
            total += targets.size(0)

            # accuracy on clean (benign) inputs
            outputs = net(inputs)
            loss = criterion(outputs, targets)
            benign_loss += loss.item()
            _, predicted = outputs.max(1)
            benign_correct += predicted.eq(targets).sum().item()

            # accuracy under the same PGD attack used for training
            adv = adversary.perturb(inputs, targets)
            adv_outputs = net(adv)
            loss = criterion(adv_outputs, targets)
            adv_loss += loss.item()
            _, predicted = adv_outputs.max(1)
            adv_correct += predicted.eq(targets).sum().item()

            if batch_idx % 10 == 0:
                print('Current adversarial test accuracy:', str(predicted.eq(targets).sum().item() / targets.size(0)))
                print('Current adversarial test loss:', loss.item())

    print('\nTotal benign test accuracy:', 100. * benign_correct / total)
    print('Total adversarial test accuracy:', 100. * adv_correct / total)
    print('Total benign test loss:', benign_loss)
    print('Total adversarial test loss:', adv_loss)


for epoch in range(0, 200):
    train(epoch)
    test(epoch)
Source: https://www.cnblogs.com/BlairGrowing/p/17341931.html