论文信息
论文标题:Towards deep learning models resistant to adversarial attacks
论文作者:Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, Adrian Vladu
论文来源:ICLR 2018
论文地址:download
论文代码:download
视屏讲解:click
1 介绍
对抗攻击
2 方法
2.1 问题建模
在本文中,作者将对抗样本的攻击防御问题总结为以下公式:
$\min _{\theta} \rho(\theta), \quad \text { where } \quad \rho(\theta)=\mathbb{E}_{(x, y) \sim \mathcal{D}}\left[\max _{\delta \in \mathcal{S}} L(\theta, x+\delta, y)\right]$
该问题分为两个部分,分别为 内部损失函数最大化 和 外部经验风险最小化:
-
- 先看内部问题,式中 $L(\cdot)$ 为损失函数,在神经网络优化中通常取交叉熵,$x$ 是原始样本, $ \delta$ 为扰动信息, $S$ 为扰动信 息的集合, $y$ 为原始样本的标签。内部问题的优化目标级寻找一个扰动,使得添加扰动后的样本不 属于原始标签的风险最大化;
- 对于外部最小化问题, $D$ 是数据 $(x, y)$ 满足的分布,$\theta$ 是深度神经网络的参数,外部问题的目标是寻找参数 $\theta$ 使得 $E_{(x, y) \sim D}[L(x, y, \theta)]$ 风险最小。即内部问题 是寻找一个原始样本的对抗版本来最大化损失函数,即攻击模型;外部问题则是基于这种攻击方法去训练一个更具鲁棒性的神经网络,以防御对抗样本的攻击;
2.2 问题解决
作者考虑了两种攻击模型,第一个是专栏已多次提及的快速梯度法(FGSM),文中主要以此作为单步攻击算法的代表,公式如下:
$x+\varepsilon \operatorname{sgn}\left(\nabla_{x} L(\theta, x, y)\right)$
第二种是迭代的快速梯度法,本质是在损失函数负方向上进行投影梯度下降(Projection Gradient Descent),简称此算法为PGD,其公式如下:
$x^{t+1}=\Pi_{x+\mathcal{S}}\left(x^{t}+\alpha \operatorname{sgn}\left(\nabla_{x} L(\theta, x, y)\right)\right)$
3 代码
import torch import torch.nn as nn import torch.optim as optim import torch.nn.functional as F import torch.backends.cudnn as cudnn import torchvision import torchvision.transforms as transforms class BasicBlock(nn.Module): expansion = 1 def __init__(self, in_planes, planes, stride=1): super(BasicBlock, self).__init__() self.conv1 = nn.Conv2d(in_planes, planes, kernel_size=3, stride=stride, padding=1, bias=False) self.bn1 = nn.BatchNorm2d(planes) self.conv2 = nn.Conv2d(planes, planes, kernel_size=3, stride=1, padding=1, bias=False) self.bn2 = nn.BatchNorm2d(planes) self.shortcut = nn.Sequential() if stride != 1 or in_planes != self.expansion*planes: self.shortcut = nn.Sequential( nn.Conv2d(in_planes, self.expansion*planes, kernel_size=1, stride=stride, bias=False), nn.BatchNorm2d(self.expansion*planes) ) def forward(self, x): out = F.relu(self.bn1(self.conv1(x))) out = self.bn2(self.conv2(out)) out += self.shortcut(x) out = F.relu(out) return out class ResNet(nn.Module): def __init__(self, block, num_blocks, num_classes=10): super(ResNet, self).__init__() self.in_planes = 64 self.conv1 = nn.Conv2d(3, 64, kernel_size=3, stride=1, padding=1, bias=False) self.bn1 = nn.BatchNorm2d(64) self.layer1 = self._make_layer(block, 64, num_blocks[0], stride=1) self.layer2 = self._make_layer(block, 128, num_blocks[1], stride=2) self.layer3 = self._make_layer(block, 256, num_blocks[2], stride=2) self.layer4 = self._make_layer(block, 512, num_blocks[3], stride=2) self.linear = nn.Linear(512*block.expansion, num_classes) def _make_layer(self, block, planes, num_blocks, stride): strides = [stride] + [1]*(num_blocks-1) layers = [] for stride in strides: layers.append(block(self.in_planes, planes, stride)) self.in_planes = planes * block.expansion return nn.Sequential(*layers) def forward(self, x): out = F.relu(self.bn1(self.conv1(x))) out = self.layer1(out) out = self.layer2(out) out = self.layer3(out) out = self.layer4(out) out = F.avg_pool2d(out, 4) out = out.view(out.size(0), -1) out = self.linear(out) return out def ResNet18(): return ResNet(BasicBlock, [2,2,2,2]) learning_rate = 0.1 epsilon = 0.0314 k = 7 alpha = 0.00784 file_name = 'pgd_adversarial_training' device = 'cuda' if torch.cuda.is_available() else 'cpu' transform_train = transforms.Compose([transforms.RandomCrop(32, padding=4),transforms.RandomHorizontalFlip(),transforms.ToTensor(),]) transform_test = transforms.Compose([transforms.ToTensor(),]) train_dataset = torchvision.datasets.CIFAR10(root='./data', train=True, download=True, transform=transform_train) test_dataset = torchvision.datasets.CIFAR10(root='./data', train=False, download=True, transform=transform_test) train_loader = torch.utils.data.DataLoader(train_dataset, batch_size=128, shuffle=True, num_workers=4) test_loader = torch.utils.data.DataLoader(test_dataset, batch_size=100, shuffle=False, num_workers=4) class PGDAttack(object): def __init__(self, model,loss=nn.CrossEntropyLoss(),alpha=0.00784,epsilon=0.0314): self.model = model self.loss = loss self.alpha = alpha self.epsilon = epsilon def perturb(self, x_natural, y): x = x_natural.detach() x = x + torch.zeros_like(x).uniform_(-epsilon, epsilon) for i in range(k): x.requires_grad_() with torch.enable_grad(): logits = self.model(x) loss = self.loss(logits, y) grad = torch.autograd.grad(loss, [x])[0] x = x.detach() + self.alpha * torch.sign(grad.detach()) x = torch.min(torch.max(x, x_natural - self.epsilon), x_natural + self.epsilon) x = torch.clamp(x, 0, 1) return x net = ResNet18() net = net.to(device) cudnn.benchmark = True adversary = PGDAttack(net) criterion = nn.CrossEntropyLoss() optimizer = optim.SGD(net.parameters(), lr=learning_rate, momentum=0.9, weight_decay=0.0002) def train(epoch): train_loss = 0 correct = 0 total = 0 net.train() for batch_idx, (inputs, targets) in enumerate(train_loader): inputs, targets = inputs.to(device), targets.to(device) optimizer.zero_grad() adv = adversary.perturb(inputs, targets) adv_outputs = net(adv) loss = criterion(adv_outputs, targets) loss.backward() optimizer.step() train_loss += loss.item() _, predicted = adv_outputs.max(1) total += targets.size(0) correct += predicted.eq(targets).sum().item() if batch_idx % 10 == 0: print('\nCurrent batch:', str(batch_idx)) print('Current adversarial train accuracy:', str(predicted.eq(targets).sum().item() / targets.size(0))) print('Current adversarial train loss:', loss.item()) print('\nTotal adversarial train accuarcy:', 100. * correct / total) print('Total adversarial train loss:', train_loss) def test(epoch): benign_loss = 0 adv_loss = 0 benign_correct = 0 adv_correct = 0 total = 0 net.eval() with torch.no_grad(): for batch_idx, (inputs, targets) in enumerate(test_loader): inputs, targets = inputs.to(device), targets.to(device) total += targets.size(0) outputs = net(inputs) loss = criterion(outputs, targets) benign_loss += loss.item() _, predicted = outputs.max(1) benign_correct += predicted.eq(targets).sum().item() adv = adversary.perturb(inputs, targets) adv_outputs = net(adv) loss = criterion(adv_outputs, targets) adv_loss += loss.item() _, predicted = adv_outputs.max(1) adv_correct += predicted.eq(targets).sum().item() if batch_idx % 10 == 0: print('Current adversarial test accuracy:', str(predicted.eq(targets).sum().item() / targets.size(0))) print('Current adversarial test loss:', loss.item()) print('\nTotal benign test accuarcy:', 100. * benign_correct / total) print('Total adversarial test Accuarcy:', 100. * adv_correct / total) print('Total benign test loss:', benign_loss) print('Total adversarial test loss:', adv_loss) for epoch in range(0, 200): train(epoch) test(epoch)
- adversarial resistant learning Towards attacksadversarial resistant learning towards adversarial机器attack adversarial对手attack adversarial patterns learning machine reinforcement adversarial learning through towards resistance resistant reasoning language towards models resistance standard marking series