A tool for benchmarking adversarial robustness of pixel-wise prediction tasks.
Project description
CosPGD: a unified white-box adversarial attack for pixel-wise prediction tasks
Introduction
While neural networks allow highly accurate predictions in many tasks, their lack of robustness towards even slight input perturbations hampers their deployment in many real-world applications. Recent research on evaluating the robustness of neural networks, such as the seminal projected gradient descent (PGD) attack and subsequent works, has drawn significant attention, as it provides an effective insight into the quality of representations learned by the network. However, these methods predominantly focus on image classification tasks, while only a few approaches specifically address the analysis of pixel-wise prediction tasks such as semantic segmentation, optical flow, disparity estimation, and others.
Thus, there is a lack of a unified adversarial robustness benchmarking tool (algorithm) that is applicable to all such pixel-wise prediction tasks. In this work, we close this gap and propose CosPGD, a novel white-box adversarial attack that allows optimizing dedicated attacks for any pixel-wise prediction task in a unified setting. It leverages the cosine similarity between the distributions over the predictions and ground truth (or target) to extend directly from classification tasks to regression settings. We outperform the SotA on semantic segmentation attacks in our experiments on PASCAL VOC2012. Further, we set a new benchmark for adversarial attacks on optical flow, displaying the ability to extend to any pixel-wise prediction task.
For more details, please see our arXiv paper.
Installation
Install the package from PyPI:
pip install cospgd
Usage
Sample code for semantic segmentation with a UNet is provided in cospgd/unet_backbones.
Simple usage could be as follows:
import cospgd
from cospgd import functions
The package includes the following functions:
- Function to take one attack step in the l-infinity norm constraint:
functions.step_inf(
perturbed_image: Float tensor of shape [batch size, channels, (image spatial resolution)]
epsilon: Float tensor, permissible epsilon range
data_grad: gradient on the image input to the model w.r.t. the loss backpropagated
orig_image: Float tensor of shape [batch size, channels, (image spatial resolution)], Original unattacked image, before adding any noise
alpha: Float tensor, attack step size
targeted: boolean: Targeted attack or not
clamp_min: Float tensor, minimum clip value for clipping the perturbed image back to the permissible input space
clamp_max: Float tensor, maximum clip value for clipping the perturbed image back to the permissible input space
grad_scale: tensor either single value or of the same shape as data_grad, to scale the added noise
)
- Function to take one attack step in the l2 norm constraint:
functions.step_l2(
perturbed_image: Float tensor of shape [batch size, channels, (image spatial resolution)]
epsilon: Float tensor, permissible epsilon range
data_grad: gradient on the image input to the model w.r.t. the loss backpropagated
orig_image: Float tensor of shape [batch size, channels, (image spatial resolution)], Original unattacked image, before adding any noise
alpha: Float tensor, attack step size
targeted: boolean: Targeted attack or not
clamp_min: Float tensor, minimum clip value for clipping the perturbed image back to the permissible input space
clamp_max: Float tensor, maximum clip value for clipping the perturbed image back to the permissible input space
grad_scale: tensor either single value or of the same shape as data_grad: to scale the added noise
)
- Function to clamp noise in the l-p norm constraint:
functions.lp_normalize(
noise: tensor of shape [batch size, (image spatial resolution)], the noise to be clamped
p: int: the norm
epsilon: Float tensor, permissible epsilon range
decrease_only: boolean: to only clamp the upper bound and not the lower bound
)
- Function to initialize noise in the l-infinity norm constraint:
functions.init_linf(
epsilon: Float tensor, permissible epsilon range
images: Float tensor of shape [batch size, channels, (image spatial resolution)], Original unattacked image, before adding any noise
clamp_min: Float tensor, minimum clip value for clipping the perturbed image back to the permissible input space
clamp_max: Float tensor, maximum clip value for clipping the perturbed image back to the permissible input space
)
- Function to initialize noise in the l-2 norm constraint:
functions.init_l2(
epsilon: Float tensor, permissible epsilon range
images: Float tensor of shape [batch size, channels, (image spatial resolution)], Original unattacked image, before adding any noise
clamp_min: Float tensor, minimum clip value for clipping the perturbed image back to the permissible input space
clamp_max: Float tensor, maximum clip value for clipping the perturbed image back to the permissible input space
)
- Function to implement scaling of the pixel-wise loss as proposed by SegPGD:
functions.segpgd_scale(
predictions: Float tensor of shape [batch size, channel, (image spatial resolution)], Predictions made by the model
labels: The ground truth/target labels; for semantic segmentation, index tensor of the shape [batch size, channel, (image spatial resolution)]; for pixel-wise regression tasks, same shape as predictions
loss: Float tensor, The loss between the predictions and the ground truth/target
iteration: Current attack iteration for calculating lambda as used in SegPGD
iterations: Total number of attack iterations for calculating lambda as used in SegPGD
targeted: boolean, Targeted attack or not
)
- Function to implement scaling of the pixel-wise loss as proposed by CosPGD:
functions.cospgd_scale(
predictions: Float tensor of shape [batch size, channel, (image spatial resolution)], Predictions made by the model
labels: The ground truth/target labels; for semantic segmentation, index tensor of the shape [batch size, channel, (image spatial resolution)]; for pixel-wise regression tasks, same shape as predictions
loss: Float tensor, The loss between the predictions and the ground truth/target
num_classes: int, For semantic segmentation the number of classes. None for pixel-wise regression tasks
targeted: boolean, Targeted attack or not
one_hot: boolean, To use one-hot encoding, SHOULD BE TRUE FOR SEMANTIC SEGMENTATION and FALSE FOR pixel-wise regression tasks
)
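The effect of the cosine-similarity weighting and of one l-infinity step, as an added pure-Python illustration for robustness evaluation; it is not the package's code. The helper names (`cosine_weight`, `scaled_pixel_losses`, `linf_step`), the rule of multiplying the pixel loss by the similarity (1 minus the similarity for targeted runs), the signed-gradient step and the sample logits are assumptions made for this example.

```python
import math

def softmax(logits):
    m = max(logits)
    exps = [math.exp(v - m) for v in logits]
    total = sum(exps)
    return [e / total for e in exps]

def cosine_weight(logits, label, targeted=False):
    """Cosine similarity between softmax(logits) and one-hot(label) for one pixel."""
    probs = softmax(logits)
    # Against a one-hot vector the dot product is probs[label]; the one-hot norm is 1.
    cos = probs[label] / math.sqrt(sum(p * p for p in probs))
    return 1.0 - cos if targeted else cos

def scaled_pixel_losses(pixel_logits, labels, targeted=False):
    """Per-pixel cross-entropy multiplied by its cosine weight (assumed scaling rule)."""
    out = []
    for logits, label in zip(pixel_logits, labels):
        ce = -math.log(softmax(logits)[label])
        out.append(cosine_weight(logits, label, targeted) * ce)
    return out

def linf_step(perturbed, grad, orig, epsilon, alpha, targeted=False,
              clamp_min=0.0, clamp_max=1.0):
    """One signed-gradient step, projected to the epsilon ball and the valid range."""
    direction = -1.0 if targeted else 1.0
    result = []
    for x, g, x0 in zip(perturbed, grad, orig):
        sign = (g > 0) - (g < 0)
        delta = x + direction * alpha * sign - x0
        delta = max(-epsilon, min(epsilon, delta))      # stay within the budget
        result.append(max(clamp_min, min(clamp_max, x0 + delta)))  # valid pixel
    return result

# Constructed sample: three pixels, three classes, true class 0 everywhere.
LOGITS = [[4.0, 0.0, 0.0],   # confidently correct
          [1.0, 0.9, 0.0],   # borderline
          [0.0, 3.0, 0.0]]   # already misclassified
LABELS = [0, 0, 0]

if __name__ == "__main__":
    for logits, label in zip(LOGITS, LABELS):
        print(round(cosine_weight(logits, label), 3))
    print(scaled_pixel_losses(LOGITS, LABELS))
    print(linf_step([0.52, 0.0, 1.0], [1.0, -2.0, 3.0], [0.5, 0.0, 1.0], 0.03, 0.02))
```

On the constructed sample the unweighted cross-entropy is largest for the already misclassified pixel, while the weighted loss is largest for the borderline pixel.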
Download files
File details
Details for the file cospgd-0.1.3.tar.gz.
File metadata
- Download URL: cospgd-0.1.3.tar.gz
- Size: 5.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.2 CPython/3.11.4
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 489f31899f7da012c52d0dc65607fae483720f280f130d0d17e02e4722676df6 |
| MD5 | 0bdad744ff6a8a2002551ad286a6bc37 |
| BLAKE2b-256 | 4b9ae69f5bc6210711ee8ff87920095da311228548be04269a2f0bc8f955c443 |
File details
Details for the file cospgd-0.1.3-py2.py3-none-any.whl.
File metadata
- Download URL: cospgd-0.1.3-py2.py3-none-any.whl
- Size: 7.5 kB
- Tags: Python 2, Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.2 CPython/3.11.4
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 780033dd2907e730d3f4f88bc12bd6ab7a5bdf21dc42deb7c85257443634dc77 |
| MD5 | 18b824dddeeca3228efd71967a101c90 |
| BLAKE2b-256 | 84f524bc49d8c692a71f273e86946c84541d597b8b1569d0acf59f4d022b39a7 |