FGSM | Simple pytorch implementation of FGSM and I-FGSM | Cybersecurity library
kandi X-RAY | FGSM Summary
Simple pytorch implementation of FGSM and I-FGSM (FGSM : explaining and harnessing adversarial examples, Goodfellow et al.) (I-FGSM : adversarial examples in the physical world, Kurakin et al.).
Top functions reviewed by kandi - BETA
- Universal objective function
- Train the model
- Compute test accuracy
- Set mode
- Run test
- Generates an image
- Runs the FSM algorithm
- Optimized FSM
- Compute the FSM
- Return MNIST dataset
- Clean up build directory
- Removes a directory
- Display a single batch of images
- Remove all checkpoint files
- Flush summary files
Community Discussions
Trending Discussions on FGSM
QUESTION
I'm trying to use the Elastic-Net algorithm implemented in Cleverhans to generate adversarial samples in a classification task. The main problem is that I'm trying to use it in a way to obtain a higher confidence at classification time on a target class (different from the original one) but I'm not able to reach good results. The system that I'm trying to fool is a DNN with a softmax output on 10 classes.
For instance:
- Given a sample of class 3 I want to generate an adversarial sample of class 0.
- Using the default hyperparameters implemented in the ElasticNetMethod of cleverhans I'm able to obtain a successful attack, so the class assigned to the adversarial sample became the class 0, but the confidence is quite low (about 30%). This also happens trying different values for the hyperparameters.
- My purpose is to obtain a quite higher confidence (at least 90%).
- For other algorithms like "FGSM" or "MadryEtAl" I'm able to reach this purpose by creating a loop in which the algorithm is applied until the sample is classified as the target class with a confidence greater than 90%, but I can't apply this iteration to the EAD algorithm because at each step of the iteration it yields the adversarial sample generated at the first step, and in the following iterations it remains unchanged. (I know that this may happen because the algorithm is different from the other two mentioned, but I'm trying to find a solution to reach my purpose.)
This is the code that I'm actually using to generate adversarial samples.
...ANSWER
Answered 2020-Sep-06 at 06:41
For anyone interested in this problem, the previous code can be modified in this way to work properly:
FIRST SOLUTION:
QUESTION
I would like to implement a custom loss function for my neural network in order to consider also the contribution of adversarial examples during training, computed with the Fast Gradient Sign Method.
where J is a classic categorical cross-entropy computed with respect to the inputs, and x + delta is the adversarial example.
Network Structure
In more detail, my network is the following:
...ANSWER
Answered 2020-Apr-17 at 04:13
Neural networks operate on a continuous space, and don't know what to do with a discrete space like words. That's why NLP tasks start by embedding the discrete word IDs into a continuous space.
Fast Gradient Sign Method, which clearly uses the gradient and also operates in that continuous space, can get you as far as an adversarial embedding. But if you want an adversarial example, then you need to somehow go from that adversarial embedding to an adversarial word.
This paper on Black-box Generation of Adversarial Text Sequences describes one such idea.
Multiple recent studies [21, 25] defined adversarial perturbations on RNN-based text classifiers. [21] first chose the word at a random position in a text input, then used a projected Fast Gradient Sign Method to perturb the word’s embedding vector. The perturbed vector is projected to the nearest word vector in the word embedding space, resulting in an adversarial sequence (adversarial examples in the text case).
But right after that quote they said this technique does not always generate great examples. Perhaps it will be suitable for your purposes, or perhaps you will want to dive deeper into the paper to see how their black box idea works.
Or maybe you don't need to generate adversarial words, and an adversarial embedding is sufficient. If so, read on.
Older idea of mine, not backed by research.
Another path forward is to generate the adversarial example on top of the embedding, instead of the indices the embedding is based on. That is:
- Run the embedding.
- Feed it directly to the answer part of your model, which gives one half of your loss.
- Update the embedding in an adversarial way. This will now work because you are working on the embeddings, which are floating point and suitable for the FGSM update.
- Feed the adversarial example to your answer subnet, which gives the second half of your loss.
This is straightforward to do in PyTorch, but unfortunately I do not know a convenient way to do so in Keras given the up-front requirement to compile() the model instead of leaving it in two pieces.
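The four steps in the answer above, written out in PyTorch as an added example; it is not code from the original answer or from the FGSM repository. The model (`TextClassifier`, `answer_from_embedding`), the batch, and the values of `eps` and `alpha` are hypothetical and chosen only for illustration.

```python
import torch
import torch.nn as nn
import torch.nn.functional as F


class TextClassifier(nn.Module):
    """Hypothetical model kept in two pieces: embedding + 'answer' subnet."""

    def __init__(self, vocab=50, dim=8, classes=3):
        super().__init__()
        self.embed = nn.Embedding(vocab, dim)
        self.answer = nn.Linear(dim, classes)  # stands in for the rest of the net

    def answer_from_embedding(self, emb):
        return self.answer(emb.mean(dim=1))  # mean-pool tokens, then classify


def adversarial_embedding_loss(model, token_ids, labels, eps=0.1, alpha=0.5):
    """alpha * J(emb) + (1 - alpha) * J(emb + eps * sign(dJ/d emb)).

    eps and alpha are assumed values; the page does not give them.
    """
    emb = model.embed(token_ids)  # step 1: run the embedding
    clean = F.cross_entropy(model.answer_from_embedding(emb), labels)  # step 2
    # Step 3: FGSM update on the float embedding. retain_graph keeps the graph
    # alive so `clean` can still be backpropagated as part of the total loss.
    (grad,) = torch.autograd.grad(clean, emb, retain_graph=True)
    delta = eps * grad.sign()  # treated as a constant: no second-order terms
    adv = F.cross_entropy(model.answer_from_embedding(emb + delta), labels)  # step 4
    return alpha * clean + (1 - alpha) * adv, clean.detach(), adv.detach(), delta


def train_step_demo(seed=0):
    """One optimizer step on a constructed batch; returns values for inspection."""
    torch.manual_seed(seed)
    model = TextClassifier()
    opt = torch.optim.SGD(model.parameters(), lr=0.1)
    token_ids = torch.randint(0, 50, (4, 6))  # constructed: 4 sequences, 6 ids each
    labels = torch.tensor([0, 1, 2, 1])       # constructed labels
    loss, clean, adv, delta = adversarial_embedding_loss(model, token_ids, labels)
    opt.zero_grad()
    loss.backward()  # gradients reach both the embedding and the answer subnet
    opt.step()
    embed_grad = model.embed.weight.grad.abs().sum().item()
    return clean.item(), adv.item(), delta.abs().max().item(), embed_grad


if __name__ == "__main__":
    print(train_step_demo())
```

With this mean-pool plus linear head the loss is convex in the embedding, so the perturbed loss is never below the clean one; with a deeper answer subnet that is typical for small `eps` but not guaranteed.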
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported
Install FGSM
You can use FGSM like any standard Python library. You will need to make sure that you have a development environment consisting of a Python distribution including header files, a compiler, pip, and git installed. Make sure that your pip, setuptools, and wheel are up to date. When using pip it is generally recommended to install packages in a virtual environment to avoid changes to the system.