Closed Ailss closed 6 years ago
The line you refer to is correct. The images fed to the predictions method are before preprocessing, e.g. they have values in [0, 255].
There are two ways to do preprocessing: either it's implemented in the respective framework and therefore part of the model (in this case, Foolbox does not need to handle preprocessing at all, e.g. its preprocessing argument is (0, 1)) or the preprocessing is not part of the model, then it's done by Foolbox.
TensorFlow (unlike other frameworks) makes it quite easy to add the preprocessing to the model and consider the new model as one that doesn't need preprocessing. The option to specify the preprocessing in Foolbox is mostly relevant for other frameworks where it's not so easy to add the processing in the respective framework.
If you could post the code you use, I can have a look at what's going wrong in your case.
Sorry for the bad formatting. I guess you are right. I think the reason is actually the attack is not able to generate the adversarial within the given range.
I actually try to attack a pre-trained resnet152 with foolbox. However, FGSM, Deepfool, and LBFGS all failed to generate adversarial. They just throw the assertion exception. I am trying to use some other attacks now.
All of these attacks should work fine and should generate adversarials. If you could just show me the relevant code (where you create the ResNet and apply Foolbox), I am happy to help.
@jonasrauber What exactly is the cause for this error message? I always end up with "assert not strict or self.in_bounds(image)" error but I'm unable to figure out why that happens.
I'm trying to create adv. example for image j.jpg available at https://imgur.com/EmfHXVX. This is my code:

```python
import foolbox
import numpy as np
from PIL import Image
from keras.applications.resnet50 import ResNet50
from keras.preprocessing import image
from keras.applications.resnet50 import preprocess_input, decode_predictions

model = ResNet50(weights='imagenet')
img_path = 'j.jpg'
img = image.load_img(img_path, target_size=(224, 224))
x = image.img_to_array(img)
x = np.expand_dims(x, axis=0)
x = preprocess_input(x)
preds = model.predict(x)
# decode the results into a list of tuples (class, description, probability)
print('Predicted:', decode_predictions(preds, top=3))
# Predicted: [('n01910747', 'jellyfish', 0.99934798), ('n04275548', 'spider_web', 0.00044213724), ('n02643566', 'lionfish', 3.7984399e-05)]

fmodel = foolbox.models.KerasModel(model, bounds=(0, 255))
label = preds.argmax()
print(label)

# apply attack on source image
attack = foolbox.attacks.FGSM(fmodel)
adversarial = attack(x, label)
```
The cause of the error message is that your input is out of bounds: in the foolbox model you specify that the input x has values between 0 and 255. But your x is actually the preprocessed input for which the mean is already subtracted, hence your values are outside of this regime which causes the error message. Also, you have to add the preprocessing to your foolbox model! Please compare with the example in the Readme.
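A minimal NumPy sketch of the bounds check and the preprocessing split described above, added here as an illustration and not taken from Foolbox or from any participant's code. `BoundedModel`, `fgsm_step`, `demo`, the toy linear classifier and the random 4x4 image are assumptions; only the `(0, 255)` bounds, the `(subtract, divide)` preprocessing tuple and the mean values come from the thread.

```python
import numpy as np

MEAN = np.array([123.68, 116.78, 103.94])  # per-channel means quoted in the thread

class BoundedModel:
    """Hypothetical stand-in for a Foolbox-style wrapper (not Foolbox code)."""
    def __init__(self, weights, bounds, preprocessing=(0, 1)):
        self.w = weights                    # toy linear classifier: (classes, H*W*C)
        self.lo, self.hi = bounds
        self.sub, self.div = preprocessing  # applied inside the wrapper

    def in_bounds(self, x):
        return bool(self.lo <= x.min() and x.max() <= self.hi)

    def logits(self, x):
        # Same idea as the assertion in the thread: x must be the raw image.
        assert self.in_bounds(x), "input outside declared bounds"
        return self.w @ ((x - self.sub) / self.div).ravel()

    def gradient(self, x, label):
        # d(cross-entropy)/dx, chained back through the preprocessing.
        z = self.logits(x)
        p = np.exp(z - z.max())
        p /= p.sum()
        p[label] -= 1.0
        return (p @ self.w).reshape(x.shape) / self.div

def fgsm_step(model, x, label, eps):
    """One signed-gradient step, clipped so the result stays in bounds."""
    x_adv = x + eps * np.sign(model.gradient(x, label))
    return np.clip(x_adv, model.lo, model.hi)

def demo():
    rng = np.random.default_rng(0)                    # constructed sample data
    raw = rng.uniform(0, 255, size=(4, 4, 3))         # un-preprocessed "image"
    raw[0, 0] = 0.0                                   # one black pixel
    w = 0.01 * rng.normal(size=(5, raw.size))
    good = BoundedModel(w, bounds=(0, 255), preprocessing=(MEAN, 1))
    label = int(good.logits(raw).argmax())
    adv = fgsm_step(good, raw, label, eps=8.0)
    # The mistake from the thread: mean already subtracted, bounds still (0, 255).
    bad = BoundedModel(w, bounds=(0, 255))
    try:
        bad.logits(raw - MEAN)
        rejected = False
    except AssertionError:
        rejected = True
    return good.in_bounds(adv), rejected, float(np.abs(adv - raw).max())
```

With the preprocessing declared on the wrapper, the raw image passes the bounds check and the perturbed image can be clipped back into `[0, 255]`; feeding the mean-subtracted array to a wrapper that still declares `(0, 255)` is rejected.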
^Yep, that did the trick. Thank you for the quick help!
Happy to help! BTW, I just saw your curated AI list on adversarials, great work! I think our latest paper on decision-based attacks would be a good fit: https://arxiv.org/abs/1712.04248.
@Ailss is this issue also fixed for you?
I already got your point and found the reason for the exception. Thanks! We can close this thread.
In this line https://github.com/bethgelab/foolbox/blob/master/foolbox/adversarial.py#L226, you check whether the adversarial image is within bounds or not, but we should add the offset back first. Currently I constantly receive "error message about assert not strict or self.inbounds(image)". By the way, the tutorial of tensorflow uses "preprocessed = images - [123.68, 116.78, 103.94] logits, = vgg.vgg_19(preprocessed, is_training=False)" to preprocess the input. Why don't we just use "preprocessing = (np.array([123.68, 116.78, 103.94]), 1)" and "model = foolbox.models.TensorFlowModel(inputs, logits, (0, 255), preprocessing=preprocessing)"? Though the second one does not work right now...