DIFGSM¶

`DIFGSM` ¶

Bases: Attack

The DI-FGSM (Diverse-input Iterative FGSM) attack.

From the paper: Improving Transferability of Adversarial Examples with Input Diversity.

Note

Key parameters include resize_rate and diversity_prob, which defines the scale size of the resized image and the probability of applying input diversity. The default values are set to 0.9 and 1.0 respectively (implying that input diversity is always applied).

Parameters:

Name	Type	Description	Default
`model`	`Module \| AttackModel`	The model to attack.	required
`normalize`	`Callable[[Tensor], Tensor] \| None`	A transform to normalize images.	`None`
`device`	`device \| None`	Device to use for tensors. Defaults to cuda if available.	`None`
`eps`	`float`	The maximum perturbation. Defaults to 8/255.	`8 / 255`
`steps`	`int`	Number of steps. Defaults to 10.	`10`
`alpha`	`float \| None`	Step size, `eps / steps` if None. Defaults to None.	`None`
`decay`	`float`	Decay factor for the momentum term. Defaults to 1.0.	`1.0`
`resize_rate`	`float`	The resize rate. Defaults to 0.9.	`0.9`
`diversity_prob`	`float`	Applying input diversity with probability. Defaults to 1.0.	`1.0`
`clip_min`	`float`	Minimum value for clipping. Defaults to 0.0.	`0.0`
`clip_max`	`float`	Maximum value for clipping. Defaults to 1.0.	`1.0`
`targeted`	`bool`	Targeted attack if True. Defaults to False.	`False`

Source code in torchattack/difgsm.py

@register_attack()
class DIFGSM(Attack):
    """The DI-FGSM (Diverse-input Iterative FGSM) attack.

    > From the paper: [Improving Transferability of Adversarial Examples with Input
    Diversity](https://arxiv.org/abs/1803.06978).

    Note:
        Key parameters include `resize_rate` and `diversity_prob`, which defines the
        scale size of the resized image and the probability of applying input
        diversity. The default values are set to 0.9 and 1.0 respectively (implying
        that input diversity is always applied).

    Args:
        model: The model to attack.
        normalize: A transform to normalize images.
        device: Device to use for tensors. Defaults to cuda if available.
        eps: The maximum perturbation. Defaults to 8/255.
        steps: Number of steps. Defaults to 10.
        alpha: Step size, `eps / steps` if None. Defaults to None.
        decay: Decay factor for the momentum term. Defaults to 1.0.
        resize_rate: The resize rate. Defaults to 0.9.
        diversity_prob: Applying input diversity with probability. Defaults to 1.0.
        clip_min: Minimum value for clipping. Defaults to 0.0.
        clip_max: Maximum value for clipping. Defaults to 1.0.
        targeted: Targeted attack if True. Defaults to False.
    """

    def __init__(
        self,
        model: nn.Module | AttackModel,
        normalize: Callable[[torch.Tensor], torch.Tensor] | None = None,
        device: torch.device | None = None,
        eps: float = 8 / 255,
        steps: int = 10,
        alpha: float | None = None,
        decay: float = 1.0,
        resize_rate: float = 0.9,
        diversity_prob: float = 1.0,
        clip_min: float = 0.0,
        clip_max: float = 1.0,
        targeted: bool = False,
    ) -> None:
        super().__init__(model, normalize, device)

        self.eps = eps
        self.steps = steps
        self.alpha = alpha
        self.decay = decay
        self.resize_rate = resize_rate
        self.diversity_prob = diversity_prob
        self.clip_min = clip_min
        self.clip_max = clip_max
        self.targeted = targeted
        self.lossfn = nn.CrossEntropyLoss()

    def forward(self, x: torch.Tensor, y: torch.Tensor) -> torch.Tensor:
        """Perform DI-FGSM on a batch of images.

        Args:
            x: A batch of images. Shape: (N, C, H, W).
            y: A batch of labels. Shape: (N).

        Returns:
            The perturbed images if successful. Shape: (N, C, H, W).
        """

        g = torch.zeros_like(x)
        delta = torch.zeros_like(x, requires_grad=True)

        # If alpha is not given, set to eps / steps
        if self.alpha is None:
            self.alpha = self.eps / self.steps

        # Perform DI-FGSM
        for _ in range(self.steps):
            # Apply input diversity to intermediate images
            x_adv = input_diversity(x + delta, self.resize_rate, self.diversity_prob)

            # Compute loss
            outs = self.model(self.normalize(x_adv))
            loss = self.lossfn(outs, y)

            if self.targeted:
                loss = -loss

            # Compute gradient
            loss.backward()

            if delta.grad is None:
                continue

            # Apply momentum term
            g = self.decay * g + delta.grad / torch.mean(
                torch.abs(delta.grad), dim=(1, 2, 3), keepdim=True
            )

            # Update delta
            delta.data = delta.data + self.alpha * g.sign()
            delta.data = torch.clamp(delta.data, -self.eps, self.eps)
            delta.data = torch.clamp(x + delta.data, self.clip_min, self.clip_max) - x

            # Zero out gradient
            delta.grad.detach_()
            delta.grad.zero_()

        return x + delta

`forward(x, y)` ¶

Perform DI-FGSM on a batch of images.

Parameters:

Name	Type	Description	Default
`x`	`Tensor`	A batch of images. Shape: (N, C, H, W).	required
`y`	`Tensor`	A batch of labels. Shape: (N).	required

Returns:

Type	Description
`Tensor`	The perturbed images if successful. Shape: (N, C, H, W).

Source code in torchattack/difgsm.py

def forward(self, x: torch.Tensor, y: torch.Tensor) -> torch.Tensor:
    """Perform DI-FGSM on a batch of images.

    Args:
        x: A batch of images. Shape: (N, C, H, W).
        y: A batch of labels. Shape: (N).

    Returns:
        The perturbed images if successful. Shape: (N, C, H, W).
    """

    g = torch.zeros_like(x)
    delta = torch.zeros_like(x, requires_grad=True)

    # If alpha is not given, set to eps / steps
    if self.alpha is None:
        self.alpha = self.eps / self.steps

    # Perform DI-FGSM
    for _ in range(self.steps):
        # Apply input diversity to intermediate images
        x_adv = input_diversity(x + delta, self.resize_rate, self.diversity_prob)

        # Compute loss
        outs = self.model(self.normalize(x_adv))
        loss = self.lossfn(outs, y)

        if self.targeted:
            loss = -loss

        # Compute gradient
        loss.backward()

        if delta.grad is None:
            continue

        # Apply momentum term
        g = self.decay * g + delta.grad / torch.mean(
            torch.abs(delta.grad), dim=(1, 2, 3), keepdim=True
        )

        # Update delta
        delta.data = delta.data + self.alpha * g.sign()
        delta.data = torch.clamp(delta.data, -self.eps, self.eps)
        delta.data = torch.clamp(x + delta.data, self.clip_min, self.clip_max) - x

        # Zero out gradient
        delta.grad.detach_()
        delta.grad.zero_()

    return x + delta

DIFGSM¶

DIFGSM ¶

forward(x, y) ¶

`DIFGSM` ¶

`forward(x, y)` ¶