Skip to content

DeepFool

DeepFool

Bases: Attack

The DeepFool attack.

From the paper: DeepFool: A Simple and Accurate Method to Fool Deep Neural Networks.

Parameters:

Name Type Description Default
model Module | AttackModel

The model to attack.

 required
normalize Callable[[Tensor], Tensor] | None

A transform to normalize images.

 None
device device | None

Device to use for tensors. Defaults to cuda if available.

 None
steps int

Number of steps. Defaults to 100.

 100
overshoot float

Overshoot parameter for noise control. Defaults to 0.02.

 0.02
num_classes int

Number of classes to consider. Defaults to 10.

 10
clip_min float

Minimum value for clipping. Defaults to 0.0.

 0.0
clip_max float

Maximum value for clipping. Defaults to 1.0.

 1.0
Source code in torchattack/deepfool.py 
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
@register_attack(category='NON_EPS')
class DeepFool(Attack):
    """The DeepFool attack.

    > From the paper: [DeepFool: A Simple and Accurate Method to Fool Deep Neural
    Networks](https://arxiv.org/abs/1511.04599).

    Args:
        model: The model to attack.
        normalize: A transform to normalize images.
        device: Device to use for tensors. Defaults to cuda if available.
        steps: Number of steps. Defaults to 100.
        overshoot: Overshoot parameter for noise control. Defaults to 0.02.
        num_classes: Number of classes to consider. Defaults to 10.
        clip_min: Minimum value for clipping. Defaults to 0.0.
        clip_max: Maximum value for clipping. Defaults to 1.0.
    """

    def __init__(
        self,
        model: nn.Module | AttackModel,
        normalize: Callable[[torch.Tensor], torch.Tensor] | None = None,
        device: torch.device | None = None,
        steps: int = 100,
        overshoot: float = 0.02,
        num_classes: int = 10,
        clip_min: float = 0.0,
        clip_max: float = 1.0,
    ) -> None:
        super().__init__(model, normalize, device)

        self.steps = steps
        self.overshoot = overshoot
        self.num_classes = num_classes
        self.clip_min = clip_min
        self.clip_max = clip_max

    def forward(self, x: torch.Tensor, y: torch.Tensor) -> torch.Tensor:
        """Perform DeepFool on a batch of images.

        Args:
            x: A batch of images. Shape: (N, C, H, W).
            y: A batch of labels. Shape: (N).

        Returns:
            The perturbed images if successful. Shape: (N, C, H, W).
        """

        x.requires_grad_()
        logits = self.model(self.normalize(x))

        # Get the classes
        classes = logits.argsort(axis=-1).flip(-1).detach()
        self.num_classes = min(self.num_classes, logits.shape[-1])

        n = len(x)
        rows = range(n)

        x0 = x
        p_total = torch.zeros_like(x)
        for _ in range(self.steps):
            # let's first get the logits using k = 1 to see if we are done
            diffs = [self._get_grads(x, 1, classes)]

            is_adv = self._is_adv(diffs[0]['logits'], y)
            if is_adv.all():
                break

            diffs += [
                self._get_grads(x, k, classes) for k in range(2, self.num_classes)
            ]

            deltas = torch.stack([d['deltas'] for d in diffs], dim=-1)
            grads = torch.stack([d['grads'] for d in diffs], dim=1)
            assert deltas.shape == (n, self.num_classes - 1)
            assert grads.shape == (n, self.num_classes - 1) + x0.shape[1:]

            # calculate the distances
            # compute f_k / ||w_k||
            distances = self._get_distances(deltas, grads)
            assert distances.shape == (n, self.num_classes - 1)

            # determine the best directions
            best = distances.argmin(1)  # compute \hat{l}
            distances = distances[rows, best]
            deltas = deltas[rows, best]
            grads = grads[rows, best]
            assert distances.shape == (n,)
            assert deltas.shape == (n,)
            assert grads.shape == x0.shape

            # apply perturbation
            distances = distances + 1e-4  # for numerical stability
            p_step = self._get_perturbations(distances, grads)  # =r_i
            assert p_step.shape == x0.shape

            p_total += p_step

            # don't do anything for those that are already adversarial
            x = torch.where(
                self._atleast_kd(is_adv, x.ndim),
                x,
                x0 + (1.0 + self.overshoot) * p_total,
            )  # =x_{i+1}

            x = (
                torch.clamp(x, self.clip_min, self.clip_max)
                .clone()
                .detach()
                .requires_grad_()
            )

        return x.detach()

    def _is_adv(self, logits: torch.Tensor, y: torch.Tensor) -> torch.Tensor:
        # criterion
        y_hat = logits.argmax(-1)
        is_adv = y_hat != y
        return is_adv

    def _get_deltas_logits(
        self, x: torch.Tensor, k: int, classes: torch.Tensor
    ) -> dict[str, torch.Tensor]:
        # definition of loss_fn
        n = len(classes)
        rows = range(n)
        i0 = classes[:, 0]

        logits = self.model(self.normalize(x))
        ik = classes[:, k]
        l0 = logits[rows, i0]
        lk = logits[rows, ik]
        delta_logits = lk - l0

        return {
            'sum_deltas': delta_logits.sum(),
            'deltas': delta_logits,
            'logits': logits,
        }

    def _get_grads(
        self, x: torch.Tensor, k: int, classes: torch.Tensor
    ) -> dict[str, torch.Tensor]:
        deltas_logits = self._get_deltas_logits(x, k, classes)
        deltas_logits['sum_deltas'].backward()
        if x.grad is not None:
            deltas_logits['grads'] = x.grad.clone()
            x.grad.data.zero_()
        return deltas_logits

    def _get_distances(self, deltas: torch.Tensor, grads: torch.Tensor) -> torch.Tensor:
        return deltas.abs() / (
            grads.flatten(start_dim=2, end_dim=-1).abs().sum(dim=-1) + 1e-8
        )

    def _get_perturbations(
        self, distances: torch.Tensor, grads: torch.Tensor
    ) -> torch.Tensor:
        return self._atleast_kd(distances, grads.ndim) * grads.sign()

    def _atleast_kd(self, x: torch.Tensor, k: int) -> torch.Tensor:
        shape = x.shape + (1,) * (k - x.ndim)
        return x.reshape(shape)

forward(x, y)

Perform DeepFool on a batch of images.

Parameters:

Name Type Description Default
x Tensor

A batch of images. Shape: (N, C, H, W).

 required
y Tensor

A batch of labels. Shape: (N).

 required

Returns:

Type Description
Tensor

The perturbed images if successful. Shape: (N, C, H, W).
Source code in torchattack/deepfool.py 
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
def forward(self, x: torch.Tensor, y: torch.Tensor) -> torch.Tensor:
    """Perform DeepFool on a batch of images.

    Args:
        x: A batch of images. Shape: (N, C, H, W).
        y: A batch of labels. Shape: (N).

    Returns:
        The perturbed images if successful. Shape: (N, C, H, W).
    """

    x.requires_grad_()
    logits = self.model(self.normalize(x))

    # Get the classes
    classes = logits.argsort(axis=-1).flip(-1).detach()
    self.num_classes = min(self.num_classes, logits.shape[-1])

    n = len(x)
    rows = range(n)

    x0 = x
    p_total = torch.zeros_like(x)
    for _ in range(self.steps):
        # let's first get the logits using k = 1 to see if we are done
        diffs = [self._get_grads(x, 1, classes)]

        is_adv = self._is_adv(diffs[0]['logits'], y)
        if is_adv.all():
            break

        diffs += [
            self._get_grads(x, k, classes) for k in range(2, self.num_classes)
        ]

        deltas = torch.stack([d['deltas'] for d in diffs], dim=-1)
        grads = torch.stack([d['grads'] for d in diffs], dim=1)
        assert deltas.shape == (n, self.num_classes - 1)
        assert grads.shape == (n, self.num_classes - 1) + x0.shape[1:]

        # calculate the distances
        # compute f_k / ||w_k||
        distances = self._get_distances(deltas, grads)
        assert distances.shape == (n, self.num_classes - 1)

        # determine the best directions
        best = distances.argmin(1)  # compute \hat{l}
        distances = distances[rows, best]
        deltas = deltas[rows, best]
        grads = grads[rows, best]
        assert distances.shape == (n,)
        assert deltas.shape == (n,)
        assert grads.shape == x0.shape

        # apply perturbation
        distances = distances + 1e-4  # for numerical stability
        p_step = self._get_perturbations(distances, grads)  # =r_i
        assert p_step.shape == x0.shape

        p_total += p_step

        # don't do anything for those that are already adversarial
        x = torch.where(
            self._atleast_kd(is_adv, x.ndim),
            x,
            x0 + (1.0 + self.overshoot) * p_total,
        )  # =x_{i+1}

        x = (
            torch.clamp(x, self.clip_min, self.clip_max)
            .clone()
            .detach()
            .requires_grad_()
        )

    return x.detach()