Implement Projected Gradient Descent Attack about foolbox HOT 7 CLOSED

I have implemented this for some of my experiments for similar results. I used the code they released here

I only have the Max norm bounded attack though. It should be simple to add an option for restarts. And to implement the L2 bounded attack

Here is my implementation

One thing to note is that their PGD attack adds random noise at the start by default, which conflicted with Foolbox's bounds checking. So I clipped after adding noise, I think there should be a way around this.

from foolbox.

@neale how would I use your PGD attack on a Keras model that I have trained?

Edit: Nevermind I see this in your implementation

from foolbox.

Hi @neale, thanks for sharing. You can pass strict=False when calling a.gradient to bypass the bounds checking.

from foolbox.

Can we Pull his PGD implementation if it works? This seems extremely useful.

@neale code only works with Python 2.7 it seems.

File "/usr/local/lib/python3.5/dist-packages/foolbox/attacks/__init__.py", line 4, in <module>
    from .momentum_attack import MIM, MomentumIterativeAttack

  File "/usr/local/lib/python3.5/dist-packages/foolbox/attacks/momentum_attack.py", line 42
    print "mim success norm: ", np.max(np.abs(perturbed - image))

Print function is not py 3.5 compliant. I am not sure what else in the library is not compliant as well.

Also what is the most performant way to generates lots of adversarial examples based on a trained model in your opinion?

from foolbox.

@pGit1 I haven't had a chance to finish this implementation.
It should be very easy to port/integrate yourself in the meantime. The changes to 3.5 are trivial I think.

My stuff isn't connected to the main Foolbox tree at all. I think everything there is 3.5 compliant. I just have these attacks that I needed for my own work. If I'm not too late, I'll get around to cleaning them up.

Performant as in fast? Just apply FGSM.

from foolbox.

@neale

No you arent too late. Thanks for the reply! I like how you implemented both PGD and Momentum attack! Two options I have at this point: 1) Just wait for your clean up and clone/pip install your repo 2) Fork the repo and clean it up where there are issues (I cant do a keyword search on a fork so I didnt know how extensive the py 2.7 artifacts had made there way into the codebase).

For the momentum attack I notice these two differences in the code:

-    def _apply(self, a, u=1.0, epsilon=.3, eps_iter=0.06, nb_iter=10):
+    def _apply(self, a, epsilons=[0.3, 0.5, 1.0], eps_iter=0.06, nb_iter=10):

EDIT: Yes @neale performant as in fast but for PGD and Momentum attack as well. Trying to come up with some easy code that generates lots of adversarial samples for different attacks.
Should one be preferred over the other?

from foolbox.

closed by #171

from foolbox.