carlini / nn_robust_attacks

Robust evasion attacks against neural network to find adversarial examples
BSD 2-Clause "Simplified" License

How to control the pixel number to be noised? #31

Closed lith0613 closed 5 years ago

lith0613 commented 5 years ago

I want to control the adversarial example with a fixed noised pixel level, i.e. set the L0 norm between the adversarial example and original image to be about image.size*c%. For example, I want to set the L0 norm in cifar to be about 32x32x3x20%. (Probably in this range, no exact values are needed.) Can you give some help?

carlini commented 5 years ago

There are two types of attacks:

  1. Maximize adversarialness subject to the distortion being less than some threshold.
  2. Minimize distortion subject to the image being adversarial.

This attack is of the second flavor. So you can't directly control how many pixels are perturbed; it will keep shrinking the number of pixels until it can't succeed any more.

The simplest thing to do is just to run the attack and then at the end check if the number of pixels that changed is less than your threshold. If yes, the attack succeeded. Slightly more efficient would be to add an extra check around here: https://github.com/carlini/nn_robust_attacks/blob/master/l0_attack.py#L228. That will break out of the loop if equal_count > threshold.

lith0613 commented 5 years ago

> There are two types of attacks:
>
>   1. Maximize adversarialness subject to the distortion being less than some threshold.
>   2. Minimize distortion subject to the image being adversarial.
>
> This attack is of the second flavor. So you can't directly control how many pixels are perturbed; it will keep shrinking the number of pixels until it can't succeed any more.
>
> The simplest thing to do is just to run the attack and then at the end check if the number of pixels that changed is less than your threshold. If yes, the attack succeeded. Slightly more efficient would be to add an extra check around here: https://github.com/carlini/nn_robust_attacks/blob/master/l0_attack.py#L228. That will break out of the loop if equal_count > threshold.

Yes, I have tried this method as your instruction and the result is okay!

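```python
# Despite the name, equal_count is the number of pixels that differ from the original:
# total pixels minus the pixels whose every channel is unchanged (within 1e-4).
equal_count = self.image_size**2 - np.sum(np.all(np.abs(img - nimg[0]) < .0001, axis=2))
# Stop once the changed-pixel count has dropped below the desired threshold.
if equal_count < threshold:
    return last_solution
```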

Thanks so much!
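The post-attack check suggested in the answer above, and the pixel count used in the snippet in the last comment, written out as an added example (not code from the repository or from either commenter). It reports the L0 count both per pixel, as the snippet counts it, and per array element, as the 32x32x3x20% budget in the question is phrased, because the two readings can disagree. The names `l0_report` and `demo` are hypothetical and the sample arrays are constructed.

```python
import numpy as np

def l0_report(original, adversarial, budget_fraction, tol=1e-4):
    """Count changed pixels and elements and compare each against its budget.

    original, adversarial: HxWxC float arrays in the same value range.
    budget_fraction: allowed fraction changed, e.g. 0.20 for 20%.
    tol: differences below this count as unchanged (the .0001 used in the thread).
    """
    original = np.asarray(original, dtype=np.float64)
    adversarial = np.asarray(adversarial, dtype=np.float64)
    if original.ndim != 3 or original.shape != adversarial.shape:
        raise ValueError("expected two HxWxC arrays of identical shape")

    changed = np.abs(adversarial - original) >= tol    # HxWxC boolean mask
    changed_elements = int(changed.sum())              # every channel value counted
    # A pixel counts once if any of its channels moved; this equals
    # H*W - sum(all(|diff| < tol, axis=2)), the quantity named equal_count above.
    changed_pixels = int(changed.any(axis=2).sum())

    h, w, c = original.shape
    pixel_budget = int(h * w * budget_fraction)
    element_budget = int(h * w * c * budget_fraction)
    return {
        "changed_pixels": changed_pixels,
        "changed_elements": changed_elements,
        "pixel_budget": pixel_budget,
        "element_budget": element_budget,
        "within_pixel_budget": changed_pixels <= pixel_budget,
        "within_element_budget": changed_elements <= element_budget,
    }

def demo():
    # Constructed sample: a flat grey CIFAR-sized image with one channel
    # nudged in 250 pixels, standing in for an attack's output.
    original = np.full((32, 32, 3), 0.5)
    adversarial = original.copy()
    adversarial.reshape(-1, 3)[:250, 0] += 0.05
    return l0_report(original, adversarial, budget_fraction=0.20)

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On the constructed sample the same perturbation fits the element budget but exceeds the pixel budget, so which count the threshold refers to has to be fixed before comparing results.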