1.1.2. aijack.attack.evasion package#

1.1.2.1. Submodules#

1.1.2.2. aijack.attack.evasion.diva module#

class aijack.attack.evasion.diva.DIVAWhiteBoxAttacker(target_model, target_model_on_edge, c=1.0, num_itr=1000, eps=0.1, lam=0.01, device='cpu')[source]#

Bases: aijack.attack.base_attack.BaseAttacker

Class implementing the DIVA white-box attack.

This class provides functionality to perform the DIVA white-box attack on a target model.

Parameters
  • target_model (torch.nn.Module) – The target model to be attacked.

  • target_model_on_edge (torch.nn.Module) – The target model deployed on the edge.

  • c (float, optional) – The trade-off parameter between the original and edge predictions. Defaults to 1.0.

  • num_itr (int, optional) – The number of iterations for the attack. Defaults to 1000.

  • eps (float, optional) – The maximum perturbation allowed. Defaults to 0.1.

  • lam (float, optional) – The step size for gradient updates. Defaults to 0.01.

  • device (str, optional) – The device to perform computation on. Defaults to “cpu”.

target_model#

The target model to be attacked.

Type

torch.nn.Module

target_model_on_edge#

The target model deployed on the edge.

Type

torch.nn.Module

c#

The trade-off parameter between the original and edge predictions.

Type

float

num_itr#

The number of iterations for the attack.

Type

int

eps#

The maximum perturbation allowed.

Type

float

lam#

The step size for gradient updates.

Type

float

device#

The device to perform computation on.

Type

str

attack(data)[source]#

Performs the DIVA white-box attack on input data.

Parameters

data (tuple) – A tuple containing input data and corresponding labels.

Returns

A tuple containing the adversarial examples and attack logs.

Return type

tuple
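
A minimal usage sketch of the interface documented above; the toy model, the edge-side copy, and the seed input below are illustrative placeholders, not part of the API:

import copy

import torch
import torch.nn as nn

from aijack.attack.evasion import DIVAWhiteBoxAttacker

# Toy classifier and an "edge" copy of it (in practice, e.g. a quantized
# or pruned deployment of the same network); both are placeholders.
model = nn.Sequential(nn.Flatten(), nn.Linear(28 * 28, 10))
edge_model = copy.deepcopy(model)

x = torch.rand(1, 1, 28, 28)  # seed input
y = torch.tensor([3])         # its label

attacker = DIVAWhiteBoxAttacker(
    model, edge_model, c=1.0, num_itr=1000, eps=0.1, lam=0.01, device="cpu"
)
# attack() takes a (data, labels) tuple and returns the adversarial
# examples together with the attack logs.
x_adv, logs = attacker.attack((x, y))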

1.1.2.3. aijack.attack.evasion.evasion_attack module#

class aijack.attack.evasion.evasion_attack.Evasion_attack_sklearn(target_model, X_minus_1, dmax, max_iter, gamma, lam, t, h, distance='L1', kde_type='L1')[source]#

Bases: aijack.attack.base_attack.BaseAttacker

Creates an adversarial example against sklearn classifiers, based on https://arxiv.org/abs/1708.06131.

Parameters
  • target_model (sklearn) – sklearn classifier

  • X_minus_1 (numpy.array) – dataset that contains only the class you want to misclassify

  • dmax (float) – maximum distance between the adversarial example and the initial one

  • max_iter (int) – maximum number of iterations

  • gamma (float) – gamma parameter of the SVM (used only for SVM)

  • lam (float) – trade-off parameter

  • t (float) – step size

  • h (float) – bandwidth parameter for the KDE

  • distance (str) – type of distance, such as L1 or L2

  • kde_type (str) – type of kernel density estimator

target_model#

sklearn classifier

Type

sklearn

X_minus_1#

dataset that contains only the class you want to misclassify

Type

numpy.array

dmax#

maximum distance between the adversarial example and the initial one

Type

float

max_iter#

maximum number of iterations

Type

int

gamma#

gamma parameter of the SVM (used only for SVM)

Type

float

lam#

trade-off parameter

Type

float

t#

step size

Type

float

h#

bandwidth parameter for the KDE

Type

float

distance#

type of distance, such as L1 or L2

Type

str

kde_type#

type of kernel density estimator

Type

str

n_minus_1#

number of rows of X_minus_1

Type

int

delta_g#

derivative of the discriminant function of a surrogate classifier f learnt on D

Type

func

Raises

ValueError – if given distance is not supported.

attack(x0)[source]#

Executes evasion attack

Parameters

x0 (np.array) – initial data point

Returns

the created adversarial example, and g_list (list): a log of the decision function values (SVM only)

(needs future improvement)

Return type

xm (np.array)
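
A minimal usage sketch, assuming an SVC target as in the referenced paper; the toy data and every hyperparameter value below are illustrative, not recommended defaults:

import numpy as np
from sklearn.svm import SVC

from aijack.attack.evasion import Evasion_attack_sklearn

# Toy binary task; the data and the fitted classifier are placeholders.
rng = np.random.default_rng(0)
X = rng.normal(size=(100, 2))
y = (X[:, 0] > 0).astype(int)
clf = SVC(kernel="rbf", gamma=0.1).fit(X, y)

X_minus_1 = X[y == 0]  # samples of the class to be mimicked

attacker = Evasion_attack_sklearn(
    target_model=clf,
    X_minus_1=X_minus_1,
    dmax=1.0,       # maximum allowed distance from the initial point
    max_iter=300,
    gamma=0.1,      # should match the SVM's gamma
    lam=1.0,        # trade-off between evasion and mimicry terms
    t=0.5,          # step size
    h=10,           # KDE bandwidth
    distance="L1",
    kde_type="L1",
)
# attack() starts from an initial point and returns the adversarial
# example together with a log of the decision function values.
x0 = X[y == 1][0]
xm, g_list = attacker.attack(x0)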

1.1.2.4. aijack.attack.evasion.fgsm module#

class aijack.attack.evasion.fgsm.FGSMAttacker(target_model, criterion, eps=0.3, grad_lower_bound=-0.1, grad_upper_bound=0.1, output_lower_bound=-1.0, output_upper_bound=1.0)[source]#

Bases: aijack.attack.base_attack.BaseAttacker

Class implementing the Fast Gradient Sign Method (FGSM) attack.

This class provides functionality to perform the FGSM attack on a target model.

Parameters
  • target_model (torch.nn.Module) – The target model to be attacked.

  • criterion – The criterion to compute the loss.

  • eps (float, optional) – The epsilon value for the FGSM attack. Defaults to 0.3.

  • grad_lower_bound (float, optional) – The lower bound for the gradient. Defaults to -0.1.

  • grad_upper_bound (float, optional) – The upper bound for the gradient. Defaults to 0.1.

  • output_lower_bound (float, optional) – The lower bound for the output values. Defaults to -1.0.

  • output_upper_bound (float, optional) – The upper bound for the output values. Defaults to 1.0.

target_model#

The target model to be attacked.

Type

torch.nn.Module

criterion#

The criterion to compute the loss.

eps#

The epsilon value for the FGSM attack.

Type

float

grad_lower_bound#

The lower bound for the gradient.

Type

float

grad_upper_bound#

The upper bound for the gradient.

Type

float

output_lower_bound#

The lower bound for the output values.

Type

float

output_upper_bound#

The upper bound for the output values.

Type

float

attack(data)[source]#

Performs the FGSM attack on input seed data.

Parameters

data (tuple) – A tuple containing input seed data and corresponding labels.

Returns

The perturbed input data.

Return type

torch.Tensor
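
A minimal usage sketch of the documented interface; the toy model, the criterion choice, and the seed data are illustrative placeholders:

import torch
import torch.nn as nn

from aijack.attack.evasion import FGSMAttacker

# Toy classifier and a single seed example; both are placeholders.
model = nn.Sequential(nn.Flatten(), nn.Linear(28 * 28, 10))
criterion = nn.CrossEntropyLoss()

x = torch.rand(1, 1, 28, 28)
y = torch.tensor([3])

attacker = FGSMAttacker(model, criterion, eps=0.3)
# attack() takes a (data, labels) tuple and returns the perturbed input.
x_adv = attacker.attack((x, y))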

1.1.2.5. Module contents#

Subpackage for evasion attacks, which create malicious data that the target machine learning model cannot correctly classify.
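
All three attackers are re-exported at the package level, as the class paths below show, so they can be imported directly from aijack.attack.evasion:

from aijack.attack.evasion import (
    DIVAWhiteBoxAttacker,
    Evasion_attack_sklearn,
    FGSMAttacker,
)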

class aijack.attack.evasion.DIVAWhiteBoxAttacker(target_model, target_model_on_edge, c=1.0, num_itr=1000, eps=0.1, lam=0.01, device='cpu')[source]#

Bases: aijack.attack.base_attack.BaseAttacker

Class implementing the DIVA white-box attack.

This class provides functionality to perform the DIVA white-box attack on a target model.

Parameters
  • target_model (torch.nn.Module) – The target model to be attacked.

  • target_model_on_edge (torch.nn.Module) – The target model deployed on the edge.

  • c (float, optional) – The trade-off parameter between the original and edge predictions. Defaults to 1.0.

  • num_itr (int, optional) – The number of iterations for the attack. Defaults to 1000.

  • eps (float, optional) – The maximum perturbation allowed. Defaults to 0.1.

  • lam (float, optional) – The step size for gradient updates. Defaults to 0.01.

  • device (str, optional) – The device to perform computation on. Defaults to “cpu”.

target_model#

The target model to be attacked.

Type

torch.nn.Module

target_model_on_edge#

The target model deployed on the edge.

Type

torch.nn.Module

c#

The trade-off parameter between the original and edge predictions.

Type

float

num_itr#

The number of iterations for the attack.

Type

int

eps#

The maximum perturbation allowed.

Type

float

lam#

The step size for gradient updates.

Type

float

device#

The device to perform computation on.

Type

str

attack(data)[source]#

Performs the DIVA white-box attack on input data.

Parameters

data (tuple) – A tuple containing input data and corresponding labels.

Returns

A tuple containing the adversarial examples and attack logs.

Return type

tuple

class aijack.attack.evasion.Evasion_attack_sklearn(target_model, X_minus_1, dmax, max_iter, gamma, lam, t, h, distance='L1', kde_type='L1')[source]#

Bases: aijack.attack.base_attack.BaseAttacker

Creates an adversarial example against sklearn classifiers, based on https://arxiv.org/abs/1708.06131.

Parameters
  • target_model (sklearn) – sklearn classifier

  • X_minus_1 (numpy.array) – dataset that contains only the class you want to misclassify

  • dmax (float) – maximum distance between the adversarial example and the initial one

  • max_iter (int) – maximum number of iterations

  • gamma (float) – gamma parameter of the SVM (used only for SVM)

  • lam (float) – trade-off parameter

  • t (float) – step size

  • h (float) – bandwidth parameter for the KDE

  • distance (str) – type of distance, such as L1 or L2

  • kde_type (str) – type of kernel density estimator

target_model#

sklearn classifier

Type

sklearn

X_minus_1#

dataset that contains only the class you want to misclassify

Type

numpy.array

dmax#

maximum distance between the adversarial example and the initial one

Type

float

max_iter#

maximum number of iterations

Type

int

gamma#

gamma parameter of the SVM (used only for SVM)

Type

float

lam#

trade-off parameter

Type

float

t#

step size

Type

float

h#

bandwidth parameter for the KDE

Type

float

distance#

type of distance, such as L1 or L2

Type

str

kde_type#

type of kernel density estimator

Type

str

n_minus_1#

number of rows of X_minus_1

Type

int

delta_g#

derivative of the discriminant function of a surrogate classifier f learnt on D

Type

func

Raises

ValueError – if given distance is not supported.

attack(x0)[source]#

Executes evasion attack

Parameters

x0 (np.array) – initial data point

Returns

the created adversarial example, and g_list (list): a log of the decision function values (SVM only)

(needs future improvement)

Return type

xm (np.array)

class aijack.attack.evasion.FGSMAttacker(target_model, criterion, eps=0.3, grad_lower_bound=-0.1, grad_upper_bound=0.1, output_lower_bound=-1.0, output_upper_bound=1.0)[source]#

Bases: aijack.attack.base_attack.BaseAttacker

Class implementing the Fast Gradient Sign Method (FGSM) attack.

This class provides functionality to perform the FGSM attack on a target model.

Parameters
  • target_model (torch.nn.Module) – The target model to be attacked.

  • criterion – The criterion to compute the loss.

  • eps (float, optional) – The epsilon value for the FGSM attack. Defaults to 0.3.

  • grad_lower_bound (float, optional) – The lower bound for the gradient. Defaults to -0.1.

  • grad_upper_bound (float, optional) – The upper bound for the gradient. Defaults to 0.1.

  • output_lower_bound (float, optional) – The lower bound for the output values. Defaults to -1.0.

  • output_upper_bound (float, optional) – The upper bound for the output values. Defaults to 1.0.

target_model#

The target model to be attacked.

Type

torch.nn.Module

criterion#

The criterion to compute the loss.

eps#

The epsilon value for the FGSM attack.

Type

float

grad_lower_bound#

The lower bound for the gradient.

Type

float

grad_upper_bound#

The upper bound for the gradient.

Type

float

output_lower_bound#

The lower bound for the output values.

Type

float

output_upper_bound#

The upper bound for the output values.

Type

float

attack(data)[source]#

Performs the FGSM attack on input seed data.

Parameters

data (tuple) – A tuple containing input seed data and corresponding labels.

Returns

The perturbed input data.

Return type

torch.Tensor