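A Summary of FGSM Adversarial-Example Tricks
1. FGSM
A single-step attack. The fast gradient sign method (FGSM) generates adversarial examples by updating an adversarial perturbation so that the image's classification loss increases, pushing the sample across the classifier's decision boundary.
The adversarial perturbation is updated as follows:
$$X^{\mathbf{adv}} = X + \epsilon \times \mathbf{sign}\big(\nabla_{X}L(X,y^{\mathbf{true}}; \theta)\big)$$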
2. I-FGSM
The single-step FGSM attack is applied iteratively. The perturbation is updated as follows:
$$X^{\mathbf{adv}}_{0} = X; \qquad X^{\mathbf{adv}}_{n+1} = \mathbf{Clip}^{\epsilon}_X \{X^{\mathbf{adv}}_n + \alpha \times \mathbf{sign}\big(\nabla_{X}L(X^{\mathbf{adv}}_n,y^{\mathbf{true}}; \theta)\big) \}$$
3. MI-FGSM
Building on I-FGSM, a momentum term $\mathbf{m}$ is added. As with the momentum method in optimization, it gives the update direction some historical inertia, which stabilizes the changes in the gradient.
The adversarial example is updated as follows:
$$g_{n + 1} = \mu \times g_n + \frac{\nabla_{X}L(X^{\mathbf{adv}}_n,y^{\mathbf{true}}; \theta)}{||\nabla_{X}L(X^{\mathbf{adv}}_n,y^{\mathbf{true}}; \theta)||_1}; \qquad X^{\mathbf{adv}}_{n+1} = \mathbf{Clip}^{\epsilon}_X \{X^{\mathbf{adv}}_n + \alpha \times \mathbf{sign}\big(g_{n+1}\big) \}$$
Here $\mu$ is the momentum parameter; when it is 0, the method reduces to I-FGSM.
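The MI-FGSM update above, run as a robustness check on a constructed logistic-regression classifier. This is an added example, not code from the original page: the weights, bias, input and the `robustness_report` helper are made up for illustration, and pure Python stands in for PyTorch so the input gradient is explicit.

```python
import math

def sign(v):
    return (v > 0) - (v < 0)

def logit(x, w, b):
    return sum(wi * xi for wi, xi in zip(w, x)) + b

def loss_and_grad(x, y, w, b):
    """Cross-entropy loss of a logistic model and its gradient w.r.t. the input x."""
    p = 1.0 / (1.0 + math.exp(-logit(x, w, b)))
    loss = -math.log(p if y == 1 else 1.0 - p)
    return loss, [(p - y) * wi for wi in w]

def mi_fgsm(x, y, w, b, eps, alpha, steps, mu=1.0):
    """MI-FGSM update from section 3; mu=0 reduces it to I-FGSM."""
    x_adv, g = list(x), [0.0] * len(x)
    for _ in range(steps):
        _, grad = loss_and_grad(x_adv, y, w, b)
        l1 = sum(abs(v) for v in grad) or 1.0  # guard against a zero gradient
        g = [mu * gi + v / l1 for gi, v in zip(g, grad)]
        stepped = [xa + alpha * sign(gi) for xa, gi in zip(x_adv, g)]
        # Clip_X^eps: project back into the L-infinity ball of radius eps around x
        x_adv = [min(max(s, x0 - eps), x0 + eps) for s, x0 in zip(stepped, x)]
    return x_adv

# Constructed sample (not from the page): model parameters and one labelled input.
W, B = [2.0, -1.0, 0.5, -3.0], 1.0
X, Y = [0.5, 0.2, 0.8, 0.4], 1

def robustness_report(eps, alpha=0.05, steps=10, mu=1.0):
    """Measure how far the logit moves under an eps-bounded perturbation."""
    x_adv = mi_fgsm(X, Y, W, B, eps, alpha, steps, mu)
    adv_logit = logit(x_adv, W, B)
    return {
        "linf": max(abs(a - x0) for a, x0 in zip(x_adv, X)),
        "clean_logit": logit(X, W, B),
        "adv_logit": adv_logit,
        "label_kept": (adv_logit > 0) == (Y == 1),
    }

if __name__ == "__main__":
    for eps in (0.1, 0.2):
        print(eps, robustness_report(eps))
```

For a linear model the logit moves by exactly $\epsilon \times ||w||_1$ once the clip is reached, so the smallest $\epsilon$ that flips the label gives a direct robustness margin for this input.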
4. DI-2-FGSM
Input diversity: the input image is passed through an input diversity function $T(X^{adv}_n; p)$, which applies a diversifying transformation to the input with probability $p$. This improves the transferability of the adversarial examples.
The adversarial example is updated as follows:
$$X^{\mathbf{adv}}_{n+1} = \mathbf{Clip}^{\epsilon}_X \{X^{\mathbf{adv}}_n + \alpha \times \mathbf{sign}\big(\nabla_{X}L(T(X^{\mathbf{adv}}_n; p),y^{\mathbf{true}}; \theta)\big) \}$$
With probability $1-p$ the function $T(X^{adv}_n; p)$ applies no transformation and outputs the original $X^{adv}_n$ directly:
$$T(X^{adv}_n; p) = \begin{cases} T(X^{adv}_n) & \text{with probability } p; \\ X^{adv}_n & \text{with probability } 1-p \end{cases}$$
A PyTorch implementation of this function:
```python
import torch
import torch.nn.functional as F


def input_diversity(x, diversity_prob=0.5, resize_rate=0.9):
    img_size = x.shape[-1]
    img_resize = int(img_size * resize_rate)
    # For resize_rate < 1, swap so img_size is the lower bound and img_resize the original size
    if resize_rate < 1:
        img_size = img_resize
        img_resize = x.shape[-1]
    # Random target size in [img_size, img_resize), converted to a plain int
    rnd = int(torch.randint(low=img_size, high=img_resize, size=(1,), dtype=torch.int32).item())
    rescaled = F.interpolate(x, size=[rnd, rnd], mode='bilinear', align_corners=False)
    # Zero-pad the rescaled image back to img_resize at a random offset
    h_rem = img_resize - rnd
    w_rem = img_resize - rnd
    pad_top = int(torch.randint(low=0, high=h_rem, size=(1,), dtype=torch.int32).item())
    pad_bottom = h_rem - pad_top
    pad_left = int(torch.randint(low=0, high=w_rem, size=(1,), dtype=torch.int32).item())
    pad_right = w_rem - pad_left
    padded = F.pad(rescaled, [pad_left, pad_right, pad_top, pad_bottom], value=0)
    # Return the transformed input with probability diversity_prob, otherwise x unchanged
    return padded if torch.rand(1) < diversity_prob else x
```
5. TI-FGSM
An attack aimed at defended models. The gradient with respect to the perturbation is smoothed by convolving it with a predefined kernel, which improves the transferability of the adversarial effect.
$$X^{adv}_{n+1} = X^{real}_{n} + \epsilon \times \mathbf{sign}(\mathbf{W} * \nabla_X J(X^{real}_n, y))$$
Here $\mathbf{W}$ is the convolution kernel and $*$ denotes convolution.