diff --git a/examples/model_security/model_attacks/black_box/mnist_attack_nes.py b/examples/model_security/model_attacks/black_box/mnist_attack_nes.py
index 96ca217..85e815c 100644
--- a/examples/model_security/model_attacks/black_box/mnist_attack_nes.py
+++ b/examples/model_security/model_attacks/black_box/mnist_attack_nes.py
@@ -140,7 +140,7 @@ def test_nes_mnist_attack():
 target_image = create_target_images(test_images, true_labels, target_class)
 nes_instance.set_target_images(target_image)
- tag, adv, queries = nes_instance.generate(initial_img, target_class)
+ tag, adv, queries = nes_instance.generate(np.array(initial_img), np.array(target_class))
 if tag[0]:
 success += 1
 queries_num += queries[0]
diff --git a/examples/model_security/model_attacks/black_box/mnist_attack_salt_and_pepper.py b/examples/model_security/model_attacks/black_box/mnist_attack_salt_and_pepper.py
index 60d4f5c..0ffd008 100644
--- a/examples/model_security/model_attacks/black_box/mnist_attack_salt_and_pepper.py
+++ b/examples/model_security/model_attacks/black_box/mnist_attack_salt_and_pepper.py
@@ -108,6 +108,7 @@ def test_salt_and_pepper_attack_on_mnist():
 # rescale predict confidences into (0, 1).
 pred_logits_adv = softmax(pred_logits_adv, axis=1)
 adv_preds.extend(pred_logits_adv)
+ adv_preds = np.array(adv_preds)
 accuracy_adv = np.mean(np.equal(np.max(adv_preds, axis=1), true_labels))
 LOGGER.info(TAG, "prediction accuracy after attacking is : %g", accuracy_adv)
diff --git a/mindarmour/adv_robustness/attacks/deep_fool.py b/mindarmour/adv_robustness/attacks/deep_fool.py
index db6a63e..d98034e 100644
--- a/mindarmour/adv_robustness/attacks/deep_fool.py
+++ b/mindarmour/adv_robustness/attacks/deep_fool.py
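Review bot: In mnist_attack_salt_and_pepper.py, the accuracy line directly after the added `adv_preds = np.array(adv_preds)` still uses `np.max(adv_preds, axis=1)`, which gives the highest softmax confidence rather than the predicted class. Assuming `true_labels` holds integer class indices (it is built outside the hunk), the comparison almost never matches, so the logged "accuracy after attacking" is close to zero whatever the model does and overstates the effect of the perturbation. The line should be `accuracy_adv = np.mean(np.equal(np.argmax(adv_preds, axis=1), true_labels))`. The function body starts and ends outside the hunk.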
@@ -63,14 +63,14 @@ def _deepfool_detection_scores(inputs, gt_boxes, gt_labels, network):
 pred_labels = np.argmax(pred_logits, axis=2)
 det_scores = []
 correct_labels_num = []
- gt_boxes_num = gt_boxes.shape[0]
+ gt_boxes_num = gt_boxes.shape[1]
 iou_thres = 0.5
 for idx, (boxes, labels) in enumerate(zip(box_and_confi, pred_labels)):
 score = 0
 box_num = boxes.shape[0]
- correct_label_flag = np.zeros(gt_labels.shape)
 gt_boxes_idx = gt_boxes[idx]
 gt_labels_idx = gt_labels[idx]
+ correct_label_flag = np.zeros(gt_labels_idx.shape)
 for i in range(box_num):
 pred_box = boxes[i]
 max_iou_confi = 0
@@ -102,6 +102,10 @@ class DeepFool(Attack):
 network (Cell): Target model.
 num_classes (int): Number of labels of model output, which should be greater than zero.
+ model_type (str): Tye type of targeted model. 'classification' and 'detection' are supported now.
+ default: 'classification'.
+ reserve_ratio (Union[int, float]): The percentage of objects that can be detected after attaks,
+ specifically for model_type='detection'. Reserve_ratio should be in the range of (0, 1). Default: 0.3.
 max_iters (int): Max iterations, which should be greater than zero. Default: 50.
 overshoot (float): Overshoot parameter. Default: 0.02.
diff --git a/mindarmour/utils/_check_param.py b/mindarmour/utils/_check_param.py
index a72ca61..cf5f954 100644
--- a/mindarmour/utils/_check_param.py
+++ b/mindarmour/utils/_check_param.py
@@ -138,7 +138,7 @@ def check_numpy_param(arg_name, arg_value):
 Args:
 arg_name (str): Name of parameter.
- arg_value (Union[list, tuple, numpy.ndarray]): Value for check.
+ arg_value (numpy.ndarray): Value for check.
 Returns:
 numpy.ndarray, if `value` is not empty, return `value` with type of
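Review bot: In `_deepfool_detection_scores`, the new `gt_boxes_num = gt_boxes.shape[1]` assumes a batch-first ground-truth layout, but nothing visible in the hunk checks that `gt_boxes` has at least two dimensions or that it agrees with `gt_labels` on the first two before `gt_boxes[idx]` and `gt_labels[idx]` are indexed. A mis-shaped array would then fail with an IndexError deep in the loop, or be scored against the wrong box count. A guard such as `if gt_boxes.ndim < 2 or gt_boxes.shape[:2] != gt_labels.shape[:2]: raise ValueError('gt_boxes and gt_labels must share (batch, num_boxes)')`, together with a comment stating the expected layout, would make the contract explicit. The function starts and ends outside the hunk, so an earlier check may already exist.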
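Review bot: The docstring entries added to `DeepFool` for `model_type` and `reserve_ratio` have typos and an inconsistent type. `Tye type` should be `The type`, `attaks` should be `attacks`, and `default:` should be capitalised like the neighbouring entries. `Union[int, float]` does not fit a value documented as lying in (0, 1), and "percentage" reads as 0–100 while the stated range is a fraction. Suggested wording: `reserve_ratio (float): Fraction of objects that can still be detected after the attack, used only when model_type='detection'. Must be in (0, 1). Default: 0.3.`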
@@ -146,7 +146,7 @@ def check_numpy_param(arg_name, arg_value):
 Raises:
 ValueError: If value is empty.
- ValueError: If value type is not in (list, tuple, numpy.ndarray).
+ ValueError: If value type is not numpy.ndarray.
 """
 _ = _check_array_not_empty(arg_name, arg_value)
 if isinstance(arg_value, np.ndarray):
@@ -165,15 +165,15 @@ def check_pair_numpy_param(inputs_name, inputs, labels_name, labels):
 Args:
 inputs_name (str): Name of inputs.
- inputs (Union[list, tuple, numpy.ndarray]): Inputs.
+ inputs (numpy.ndarray): Inputs.
 labels_name (str): Name of labels.
- labels (Union[list, tuple, numpy.ndarray]): Labels of `inputs`.
+ labels (numpy.ndarray): Labels of `inputs`.
 Returns:
- - Union[list, tuple, numpy.ndarray], if `inputs` 's dimension equals to
+ - numpy.ndarray, if `inputs` 's dimension equals to
 `labels`, return inputs with type of numpy.ndarray.
- - Union[list, tuple, numpy.ndarray], if `inputs` 's dimension equals to
+ - numpy.ndarray, if `inputs` 's dimension equals to
 `labels` , return labels with type of numpy.ndarray.
 Raises:
diff --git a/tests/ut/python/adv_robustness/attacks/test_deep_fool.py b/tests/ut/python/adv_robustness/attacks/test_deep_fool.py
index d12a7d1..005e8ea 100644
--- a/tests/ut/python/adv_robustness/attacks/test_deep_fool.py
+++ b/tests/ut/python/adv_robustness/attacks/test_deep_fool.py
@@ -66,9 +66,9 @@ class Net2(Cell):
 self._softmax = P.Softmax()
 def construct(self, inputs1, inputs2):
- out1 = self._softmax(inputs2)
- out2 = self._softmax(inputs1)
- return out1, out2
+ out1 = self._softmax(inputs1)
+ out2 = self._softmax(inputs2)
+ return out2, out1
 @pytest.mark.level0
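Review bot: The `Raises` entry of `check_numpy_param` now promises a ValueError for any value that is not a numpy.ndarray, yet this hunk changes only the docstring, as do the `Args` hunk before it and the `check_pair_numpy_param` hunk after it. The visible code is still `_check_array_not_empty(arg_name, arg_value)` followed by `if isinstance(arg_value, np.ndarray):`, and the branch taken for other types lies outside the hunk, so it should be confirmed that it raises rather than converting lists and tuples. If the behaviour was narrowed as well, callers that used to pass lists need updating, as the example scripts in this commit were. A wrong type is conventionally a TypeError; if ValueError is kept for compatibility, a comment such as `# ValueError kept for backward compatibility with existing callers` would record that.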
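Review bot: `Net2.construct` in test_deep_fool.py now returns `out2, out1`, and the swapped order reads like a mistake because nothing states which output is which. The detection test later in the file unpacks the result as `gt_boxes, gt_logits`, so the first value appears to be the boxes and the second the class logits. Naming them accordingly would make that clear: `boxes = self._softmax(inputs2)`, `logits = self._softmax(inputs1)`, `return boxes, logits`. A one-line docstring on `construct` stating the output order would also do.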
@@ -108,13 +108,15 @@ def test_deepfool_attack_detection():
 net = Net2()
 inputs1_np = np.random.random((2, 10, 10)).astype(np.float32)
 inputs2_np = np.random.random((2, 10, 5)).astype(np.float32)
- gt_boxes = inputs1_np[:, :, 0: 5]
- gt_labels = np.argmax(inputs1_np, axis=2)
+ gt_boxes, gt_logits = net(Tensor(inputs1_np), Tensor(inputs2_np))
+ gt_boxes, gt_logits = gt_boxes.asnumpy(), gt_logits.asnumpy()
+ gt_labels = np.argmax(gt_logits, axis=2)
 num_classes = 10
 attack = DeepFool(net, num_classes, model_type='detection', reserve_ratio=0.3, bounds=(0.0, 1.0))
- _ = attack.generate((inputs1_np, inputs2_np), (gt_boxes, gt_labels))
+ adv_data = attack.generate((inputs1_np, inputs2_np), (gt_boxes, gt_labels))
+ assert np.any(adv_data != inputs1_np)
 @pytest.mark.level0
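Review bot: `assert np.any(adv_data != inputs1_np)` in `test_deepfool_attack_detection` passes as soon as one element differs, so it would not catch output that leaves the declared `bounds=(0.0, 1.0)`, contains NaN, or has the wrong shape. Assuming `generate` returns an array shaped like `inputs1_np`, which the comparison implies but the hunk does not show, add `assert adv_data.shape == inputs1_np.shape` and `assert np.all((adv_data >= 0.0) & (adv_data <= 1.0))`. The inputs come from unseeded `np.random.random`, so fixing the seed at the top of the test would make a failure reproducible.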