New Attacks : FGSM, IFGSM, IterLL, RFGSM, CW(L2), PGD are added.Demos are uploaded.
DO NOT USE : 'init.py' is omitted.
Package name changed : 'attacks' is changed to 'torchattacks'.New Attack : APGD is added.attack.py : 'update_model' method is added.
Error Solved :Before this version, even after getting an adversarial image, the model remains evaluation mode.To solve this, below methods are modified.'_switch_model' method is added into attack.py. It will automatically change model mode to the previous mode after getting adversarial images. When getting adversarial images, model is switched to evaluation mode.'call' methods in all attack changed to forward. Instead of this, 'call' method is added into 'attack.py'
attack.py : To provide ease of changing images to uint8 from float, 'set_mode' and '_to_uint' is added.'set_mode' determines returning all outputs as 'int' OR 'flaot' through '_to_uint'.'_to_uint' changes all outputs into uint8.
All attacks are modifiedclone().detach() is used instead of .datatorch.autograd.grad is used instead of .backward() and .grad :It showed 2% reduction of computation time.
New Attack : RPGD is added.attack.py : 'update_model' method is depreciated. Because torch models are passed by call-by-reference, we don't need to update models.cw.py : In the process of cw attack, now masked_select uses a mask with dtype torch.bool instead of a mask with dtype torch.uint8.
New Attack : DeepFool is added.Some attacks are renamed :I-FGSM -> BIMIterLL -> StepLL
attack.py :load : Load is depreciated. Instead, use TensorDataset and DataLoader.save : The problem of calculating invalid accuracy when the mode of the attack set to 'int' is solved.
DeepFool :
Description has been added for each module.Sphinx Document uploadedattack.py : 'device' will be decided by next(model.parameters()).device.Two attacks are merged :RPGD, PGD -> PGD
- Pip Package Re-uploaded.
PGD
:- Now PGD supports targeted mode.
MultiAttack
:- MultiAttack is added.
- With it, you can use PGD with N-random-restarts or stronger attacks with different methods.
steps
instead ofiters
:- For compatibility reasons, all
iters
are changed tosteps
.
- For compatibility reasons, all
TPGD
:- PGD (Linf) based on KL-Divergence loss proposed by Hongyang Zhang et al. is added.
FFGSM
:- New FGSM proposed by Eric Wong et al. is added.
- Methods for
Attack
are added:set_attack_mode
: To set attack mode totargeted
(Use input labels as targeted labels) orleast likely
(Use least likely labels as targeted labels),set_attack_mode
is added.StepLL
is merged toBIM
. Please useset_attack_mode(mode='least_likely')
.- However, there are several methods that can not be changed by
set_attack_mode
such asDeepfool
set_return_type
: Instead ofset_mode
, nowset_return_type
will be the method to change the return type of adversarial images.
MIFGSM
:
VANILA
:- Vanila version of torch.Attack.
MultiAttack
:- MultiAttack does not need a model as an input. It automatically get models from given attacks.
- Demo added.
Attack.set_attack_mode
:- For the targeted mode, target_map_function is required.
GN
:- Add guassian noise with given sigma.
TPGD
: Faster computation
attacks
: To preserve the original gradient status of images, all attacks usesimages.clone().detach()
instead ofimages
.
CW
- Now it outputs the best L2 adversarial images.
- Faster computation.
DeepFool
- Make the codes cleaner.
BIM
- Bug fixed: Wrong cliping.
MIFGSM
- Bug fixed: Wrong cliping.
- Bug fixed: Gradient Norm.
- Demo Added
- Performance Comparison (CIFAR10)
DeepFool
- Deprecated.
Attack._targeted
- ._targeted is set to 1 when targeted mode is activated. Issue.
- All attacks supporting targeted mode is change.
- ._targeted is set to 1 when targeted mode is activated. Issue.
Attack.set_attack_mode
- To provide various attack mode, it uses following methods.
set_default_mode
: default mode.set_targeted_mode
: targeted mode. Now supportingtarget_map_function=None
for pre-generated targeted labels.set_least_likely_mode
: least likely targeted mode. Now supporting k-th smallest probability targeted mode bykth_min
.
- To provide various attack mode, it uses following methods.
Attack.save
- Bug fixed: When
verbose=True
, it now use model.eval() and torch.no_grad().
- Bug fixed: When
DeepFool
- Deprecated.
Attack._targeted
- ._targeted is set to 1 when targeted mode is activated. Issue.
- All attacks supporting targeted mode is change.
- ._targeted is set to 1 when targeted mode is activated. Issue.
Attack.set_attack_mode
- To provide various attack mode, it uses following methods.
set_default_mode
: default mode.set_targeted_mode
: targeted mode. Now supportingtarget_map_function=None
for pre-generated targeted labels.set_least_likely_mode
: least likely targeted mode. Now supporting k-th smallest probability targeted mode bykth_min
.
- To provide various attack mode, it uses following methods.
Attack.save
- Bug fixed: When
verbose=True
, it now use model.eval() and torch.no_grad().
- Bug fixed: When
PGDL2
- PGD with L2 distance measure.
Attack.save
- Print L2 distance between adversarial examples and the original examples.
-
PGDL2
- Initialization perturbation is changed.
Attack.set_attack_mode
- Deprecated. Use following built-in functions.
set_mode_default
: default mode.set_mode_targeted
: targeted mode. Now supportingtarget_map_function=None
for pre-generated targeted labels.set_mode_least_likely
: least likely targeted mode. Now supporting k-th smallest probability targeted mode bykth_min
.
- Deprecated. Use following built-in functions.
APGD
is changed toEOTPGD
.PGDDLR
is added.APGD
,APGDT
,Square
,FAB
- Modified from https://github.com/fra31/auto-attack.
n_iters
is changed tosteps
.n_target_classes
is calculated based onn_claases
.reduce=False
is erased because it is enough withreduction='none'
.
- Modified from https://github.com/fra31/auto-attack.
AutoAttack
- Created based on
APGD
,APGDT
,Square
,FAB
.
- Created based on
Attack.save
- Don't use an additional memory if
save_path=None
- Don't use an additional memory if
DeepFool
,OnePixel
,SparseFool
are added.
Attack.set_training_mode
- The method to support changing the model to training mode.
- Note that RNN requires model.training=True to calculate gradient.
SparseFool
- Issue solved.
DI2FGSM
is added.
Square
is fixed.- If idx_to_fool is empty, then terminate an iteration.
MIFGSM
is fixed.CW
is fixed.
-
torch=1.9.0
supported. -
Targeted mode is officially supported.
-
Attack
&Attacks.*
-
set_mode_default
-
set_mode_targeted_by_function
-
set_mode_targeted_least_likely
-
set_mode_targeted_random
-
_get_target_label
-
_get_least_likely_label
-
_get_random_target_label
-
self._supported_mode
-
self._targeted
-
-
-
UPGD
created.- Utimate PGD that supports various options of gradient-based adversarial attacks.
-
DIFGSM
is fixed. -
Extra
- Iteration variable (e.g.,
for i in range
) is replaced to_
if it is not needed. MultiAttack
now prints the attack success rate for each attack.- Arguments for
super()
is erased.
- Iteration variable (e.g.,
-
Jitter
is added. -
Attack.*
set_training_mode
: Now supports changing training mode ofBatchnorm
andDropout
.save
: Now supports return values of the last verbose information.
-
MultiAttack
- Fixed the verbose function.
- Now supports return values of the last verbose information
GN
:sigma
is changed tostd
.
save
,MultiAttack
: Now supports saving predictions.
save
,MultiAttack
:return_verbose
can beTrue
even ifverbose=False
.
Pixle
is added.save
: Now saving images and labels for every batch.OnePixel
: Now supports targeted version._get_target_label
: Now generates target label under evaluation mode andtorch.no_grad()
.
_differential_evolution
: bug fixed.