def run(self, model, input, target, batch_idx=0):
input_var = autograd.Variable(input, requires_grad=True)
target_var = autograd.Variable(target)
eps = self.eps
step_alpha = self.step_alpha
step = 0
while step < self.num_steps:
zero_gradients(input_var)
output = model(input_var)
if not self.targeted and not step:
# for non-targeted, we'll move away from most likely
target_var.data = output.data.max(1)[1]
loss = self.loss_fn(output, target_var)
loss.backward()
# normalize and scale gradient
if self.norm == 2:
normed_grad = step_alpha * input_var.grad.data / l2_norm(input_var.grad.data)
elif self.norm == 1:
normed_grad = step_alpha * input_var.grad.data / l1_norm(input_var.grad.data)
else:
# infinity-norm
normed_grad = step_alpha * torch.sign(input_var.grad.data)
# perturb current input image by normalized and scaled gradient
if self.targeted:
step_adv = input_var.data - normed_grad
else:
step_adv = input_var.data + normed_grad
# calculate total adversarial perturbation from original image and clip to epsilon constraints
total_adv = step_adv - input
if self.norm == 2:
# total_adv = eps * total_adv / l2norm(total_adv)
total_adv = torch.clamp(total_adv, -eps, eps)
elif self.norm == 1:
# total_adv = eps * total_adv / l1norm(total_adv)
total_adv = torch.clamp(total_adv, -eps, eps)
else:
# infinity-norm
total_adv = torch.clamp(total_adv, -eps, eps)
if self.debug:
print('batch:', batch_idx, 'step:', step, total_adv.mean(), total_adv.min(), total_adv.max())
sys.stdout.flush()
# apply total adversarial perturbation to original image and clip to valid pixel range
input_adv = input + total_adv
input_adv = torch.clamp(input_adv, -1.0, 1.0)
input_var.data = input_adv
step += 1
return input_adv.permute(0, 2, 3, 1).cpu().numpy()
attack_iterative.py 文件源码
python
阅读 25
收藏 0
点赞 0
评论 0
评论列表
文章目录
