Hi, I am doing adversarial training only using two classes. I just f

BoundaryAttack cannot be used in two classes model about foolbox HOT 7 CLOSED

bethgelab commented on May 19, 2024

BoundaryAttack cannot be used in two classes model

from foolbox.

Comments (7)

jonasrauber commented on May 19, 2024

model which has classes instead of multiple classes

I think there is a word missing ;-)

Why not? BoundaryAttack should work with any number of classes.

from foolbox.

villawang commented on May 19, 2024

Hi,

I used the following code:

with tf.Session() as sess:
load(sess, FLAGS.load_model, saver_inception)
img = x_test[10]
label = y_test[10]
criterion = Misclassification()
model = TensorFlowModel(x_tensor, logits_inception, bounds=(0, 255))
attack = BoundaryAttack(model, criterion)
img_adv = attack(img, label[0], verbose=True)

But it returns warning like this:
/home/zhengwei/python2.7/local/lib/python2.7/site-packages/foolbox/attacks/blended_noise.py:37: UserWarning: BlendedUniformNoiseAttack failed to draw a random image that is adversarial.
warnings.warn('BlendedUniformNoiseAttack failed to draw a'
/home/zhengwei/python2.7/local/lib/python2.7/site-packages/foolbox/attacks/base.py:102: UserWarning: BlendedUniformNoiseAttack did not find an adversarial, maybe the model or the criterion is not supported by this attack.
warnings.warn('{} did not find an adversarial, maybe the model or the criterion is not supported by this attack.'.format(self.name())) # noqa: E501
/home/zhengwei/python2.7/local/lib/python2.7/site-packages/foolbox/attacks/boundary_attack.py:218: UserWarning: Initialization failed. If the criterion is targeted, it might be necessary to pass an explicit starting point or targeted initialization attack.
'Initialization failed. If the criterion is targeted,'
/home/zhengwei/python2.7/local/lib/python2.7/site-packages/foolbox/attacks/base.py:102: UserWarning: BoundaryAttack did not find an adversarial, maybe the model or the criterion is not supported by this attack.
warnings.warn('{} did not find an adversarial, maybe the model or the criterion is not supported by this attack.'.format(self.name())) # noqa: E501

It seems that BoundaryAttack cannot find the adversarial input for the model? Can you give me some help on this? Thanks.

from foolbox.

jonasrauber commented on May 19, 2024

Well, the BoundaryAttack tries to find an initial (possibly very large) adversarial perturbation to start with (to minimize further). By default (if nothing else is specified), it does so by drawing a random input and usually that one will have the wrong class. If you only have two classes, this will only work 50% of time (or maybe even less often your classes aren't balanced, etc.).

There are many ways to fix this. For example you could manually pass a starting_point to the BoundaryAttack:

img_adv = attack(img, label[0], verbose=True, starting_point=...)

Such a starting_point should have the same format as your input image; it should basically just be an image from another class.

Before you do any of that you should however make sure that it's really necessary. The BlendedUniformNoiseAttack used as initialization tries 1000 times and in principle (if your bounds are set correctly) that should also work for two classes. Could it be that random noise images are always classified as the same class? It that case, the starting_point approach as described above should help

from foolbox.

villawang commented on May 19, 2024

Hi Jonas, Thanks for the answer. I used the starting point in the attack and the starting point is the adversarial example: sigmoid_prob = 0.743585, True label = 0.0 So the starting point returns the probability 0.74 which would be classified as 1 and the actual label is 0. But it returns the following error when I used BoudaryAttack:

…

---------------------------------------------------------------------------AssertionError Traceback (most recent call last)<ipython-input-39-2b3bbde7eca2> in <module>() 38 39 attack = BoundaryAttack(model, criterion)---> 40 img_adv = attack(img, label[0], verbose=True, starting_point = starting_point) 41 42 /home/zhengwei/python2.7/local/lib/python2.7/site-packages/foolbox/attacks/boundary_attack.pyc in __call__(self, image, label, unpack, iterations, max_directions, starting_point, initialization_attack, log_every_n_steps, spherical_step, source_step, step_adaptation, batch_size, tune_batch_size, threaded_rnd, threaded_gen, alternative_generator, internal_dtype, verbose) 160 tune_batch_size=tune_batch_size, 161 threaded_rnd=threaded_rnd,--> 162 threaded_gen=threaded_gen) 163 164 def _apply( /home/zhengwei/python2.7/local/lib/python2.7/site-packages/foolbox/attacks/base.pyc in __call__(self, image, label, unpack, **kwargs) 96 warnings.warn('Not running the attack because the original image is already misclassified and the adversarial thus has a distance of 0.') # noqa: E501 97 else:---> 98 _ = self._apply(adversarial, **kwargs) 99 assert _ is None, '_apply must return None' 100 /home/zhengwei/python2.7/local/lib/python2.7/site-packages/foolbox/attacks/boundary_attack.pyc in _apply(self, *args, **kwargs) 178 n = kwargs['threaded_gen'] 179 with ThreadPoolExecutor(max_workers=n) as pool:--> 180 return self._apply_inner(pool, *args, **kwargs) 181 else: 182 with DummyExecutor() as pool: /home/zhengwei/python2.7/local/lib/python2.7/site-packages/foolbox/attacks/boundary_attack.pyc in _apply_inner(self, pool, a, iterations, tune_batch_size, threaded_rnd, threaded_gen) 212 # =========================================================== 213 --> 214 self.initialize_starting_point(a) 215 216 if a.image is None: /home/zhengwei/python2.7/local/lib/python2.7/site-packages/foolbox/attacks/boundary_attack.pyc in initialize_starting_point(self, a) 651 if starting_point is not None: 652 a.predictions(starting_point)--> 653 assert a.image is not None, ('Invalid starting point provided.' 654 ' Please provide a starting point' 655 ' that is adversarial.') AssertionError: Invalid starting point provided. Please provide a starting point that is adversarial. Regards, Villa 2018-03-19 17:50 GMT+00:00 Jonas Rauber <[email protected]>:

Well, the BoundaryAttack tires to find an initial (possibly very large) adversarial perturbation to start with (to minimize further). By default (if nothing else is specified), it does so by drawing a random input and usually that one will have the wrong class. If you only have two classes, this will only work 50% of time (or maybe even less often your classes aren't balanced, etc.). There are many ways to fix this. For example you could manually pass a starting_point to the BoundaryAttack: img_adv = attack(img, label[0], verbose=True, starting_point=...) Such a starting_point should have the same format as your input image; it should basically just be an image from another class. Before you do any of that you should however make sure that it's really necessary. The BlendedUniformNoiseAttack used as initialization tries 1000 times and in principle (if your bounds are set correctly) that should also work for two classes. Could it be that random noise images are always classified as the same class? It that case, the starting_point approach as described above should help — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#117 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/APeWw20qdiBHQLTksRVbrCsWETaawuBwks5tf-_kgaJpZM4SwSFS> .

from foolbox.

jonasrauber commented on May 19, 2024

Did you check the output of fmodel.predictions(starting_point), where fmodel is the Foolbox model that wraps your model. The output should be the logits for the two classes. Could it be that the preprocessing or so are wrong?
In any case, please share the acutal code (or a minimal example that demonstrates the problem), otherwise it's hard to help.

from foolbox.

jonasrauber commented on May 19, 2024

Oh, and please post the error message properly formatted (e.g. by marking it as code on GitHub; don't reply via mail).

from foolbox.

jonasrauber commented on May 19, 2024

Closing because there has been no activity. Please reopen if the problem still exists.

from foolbox.

BoundaryAttack cannot be used in two classes model about foolbox HOT 7 CLOSED

Comments (7)

Related Issues (20)

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent