Skip to content

PGDL2

PGDL2

Bases: Attack

The Projected Gradient Descent (PGD) attack, with L2 constraint.

From the paper: Towards Deep Learning Models Resistant to Adversarial Attacks.

Parameters:

Name Type Description Default
model Module | AttackModel

The model to attack.

 required
normalize Callable[[Tensor], Tensor] | None

A transform to normalize images.

 None
device device | None

Device to use for tensors. Defaults to cuda if available.

 None
eps float

The maximum perturbation, measured in L2. Defaults to 1.0.

 1.0
steps int

Number of steps. Defaults to 10.

 10
alpha float | None

Step size, eps / steps if None. Defaults to None.

 None
random_start bool

Start from random uniform perturbation. Defaults to True.

 True
clip_min float

Minimum value for clipping. Defaults to 0.0.

 0.0
clip_max float

Maximum value for clipping. Defaults to 1.0.

 1.0
targeted bool

Targeted attack if True. Defaults to False.

 False
Source code in torchattack/pgdl2.py 
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
@register_attack()
class PGDL2(Attack):
    """The Projected Gradient Descent (PGD) attack, with L2 constraint.

    > From the paper: [Towards Deep Learning Models Resistant to Adversarial
    Attacks](https://arxiv.org/abs/1706.06083).

    Args:
        model: The model to attack.
        normalize: A transform to normalize images.
        device: Device to use for tensors. Defaults to cuda if available.
        eps: The maximum perturbation, measured in L2. Defaults to 1.0.
        steps: Number of steps. Defaults to 10.
        alpha: Step size, `eps / steps` if None. Defaults to None.
        random_start: Start from random uniform perturbation. Defaults to True.
        clip_min: Minimum value for clipping. Defaults to 0.0.
        clip_max: Maximum value for clipping. Defaults to 1.0.
        targeted: Targeted attack if True. Defaults to False.
    """

    def __init__(
        self,
        model: nn.Module | AttackModel,
        normalize: Callable[[torch.Tensor], torch.Tensor] | None = None,
        device: torch.device | None = None,
        eps: float = 1.0,
        steps: int = 10,
        alpha: float | None = None,
        random_start: bool = True,
        clip_min: float = 0.0,
        clip_max: float = 1.0,
        targeted: bool = False,
    ) -> None:
        super().__init__(model, normalize, device)

        self.eps = eps
        self.alpha = alpha
        self.steps = steps
        self.random_start = random_start
        self.clip_min = clip_min
        self.clip_max = clip_max
        self.targeted = targeted
        self.lossfn = nn.CrossEntropyLoss()

    def forward(self, x: torch.Tensor, y: torch.Tensor) -> torch.Tensor:
        """Perform PGD on a batch of images.

        Args:
            x: A batch of images. Shape: (N, C, H, W).
            y: A batch of labels. Shape: (N).

        Returns:
            The perturbed images if successful. Shape: (N, C, H, W).
        """

        # If random start enabled, delta (perturbation) is then randomly
        # initialized with samples from a uniform distribution.
        if self.random_start:
            delta = torch.empty_like(x).normal_()
            delta_flat = delta.reshape(x.size(0), -1)

            n = delta_flat.norm(p=2, dim=1).view(x.size(0), 1, 1, 1)
            r = torch.zeros_like(n).uniform_(0, 1)

            delta = delta * r / n * self.eps
            delta.requires_grad_()

        else:
            delta = torch.zeros_like(x, requires_grad=True)

        # If alpha is not given, set to eps / steps
        if self.alpha is None:
            self.alpha = self.eps / self.steps

        # Perform PGD
        for _ in range(self.steps):
            # Compute loss
            outs = self.model(self.normalize(x + delta))
            loss = self.lossfn(outs, y)

            if self.targeted:
                loss = -loss

            # Compute gradient
            loss.backward()

            if delta.grad is None:
                continue

            # Update delta
            g = delta.grad

            g_norms = (
                torch.norm(g.reshape(x.size(0), -1), p=2, dim=1) + EPS_FOR_DIVISION
            )
            g = g / g_norms.view(x.size(0), 1, 1, 1)
            delta.data = delta.data + self.alpha * g

            delta_norms = torch.norm(delta.reshape(x.size(0), -1), p=2, dim=1)
            factor = self.eps / delta_norms
            factor = torch.min(factor, torch.ones_like(delta_norms))
            delta.data = delta.data * factor.view(-1, 1, 1, 1)

            delta.data = torch.clamp(x + delta.data, self.clip_min, self.clip_max) - x

            # Zero out gradient
            delta.grad.detach_()
            delta.grad.zero_()

        return x + delta

forward(x, y)

Perform PGD on a batch of images.

Parameters:

Name Type Description Default
x Tensor

A batch of images. Shape: (N, C, H, W).

 required
y Tensor

A batch of labels. Shape: (N).

 required

Returns:

Type Description
Tensor

The perturbed images if successful. Shape: (N, C, H, W).
Source code in torchattack/pgdl2.py 
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
def forward(self, x: torch.Tensor, y: torch.Tensor) -> torch.Tensor:
    """Perform PGD on a batch of images.

    Args:
        x: A batch of images. Shape: (N, C, H, W).
        y: A batch of labels. Shape: (N).

    Returns:
        The perturbed images if successful. Shape: (N, C, H, W).
    """

    # If random start enabled, delta (perturbation) is then randomly
    # initialized with samples from a uniform distribution.
    if self.random_start:
        delta = torch.empty_like(x).normal_()
        delta_flat = delta.reshape(x.size(0), -1)

        n = delta_flat.norm(p=2, dim=1).view(x.size(0), 1, 1, 1)
        r = torch.zeros_like(n).uniform_(0, 1)

        delta = delta * r / n * self.eps
        delta.requires_grad_()

    else:
        delta = torch.zeros_like(x, requires_grad=True)

    # If alpha is not given, set to eps / steps
    if self.alpha is None:
        self.alpha = self.eps / self.steps

    # Perform PGD
    for _ in range(self.steps):
        # Compute loss
        outs = self.model(self.normalize(x + delta))
        loss = self.lossfn(outs, y)

        if self.targeted:
            loss = -loss

        # Compute gradient
        loss.backward()

        if delta.grad is None:
            continue

        # Update delta
        g = delta.grad

        g_norms = (
            torch.norm(g.reshape(x.size(0), -1), p=2, dim=1) + EPS_FOR_DIVISION
        )
        g = g / g_norms.view(x.size(0), 1, 1, 1)
        delta.data = delta.data + self.alpha * g

        delta_norms = torch.norm(delta.reshape(x.size(0), -1), p=2, dim=1)
        factor = self.eps / delta_norms
        factor = torch.min(factor, torch.ones_like(delta_norms))
        delta.data = delta.data * factor.view(-1, 1, 1, 1)

        delta.data = torch.clamp(x + delta.data, self.clip_min, self.clip_max) - x

        # Zero out gradient
        delta.grad.detach_()
        delta.grad.zero_()

    return x + delta