版本

paddlepaddle v1.1.0

问题

运行 tutorials/mnist_tutorial_fgsm.py 报错：

Traceback (most recent call last):
  File "mnist_tutorial_fgsm.py", line 152, in <module>
    main()
  File "mnist_tutorial_fgsm.py", line 76, in main
    channel_axis=1)
  File "../advbox/models/paddle.py", line 79, in __init__
    op.setattr('is_test', True)
AttributeError: 'paddle.fluid.core.OpDesc' object has no attribute 'set_attr'

对应代码在这：
https://github.com/baidu/AdvBox/blob/fe7e5dc2bb7159c7296c7a3c410a7090d0260417/advbox/models/paddle.py#L79

看了一下应该是 paddlepaddle 把 set_attr 方法重命名成了 _set_attr，所以需要改一下对应代码？

对应的 PR 在这：
PaddlePaddle/Paddle#12543

你好，我用的ubuntu1604 64位，操作步骤如下：
（1）Anaconda2 5.2.0 64
（2）pip install tensorflow
（3）pip install keras
（4）pip install paddlepaddle
（5）github拷贝文件到虚拟机（直接下载advbox的zip文件，没用git）
（6）运行tutorials中的cifar10 fgsm文件
报错：

安装模块subprocess32==3.5.2的时候报错，可以用其他模块代替么
Installing collected packages: subprocess32, pytz, pyparsing, matplotlib, pbr, mock, Pillow, protobuf, wheel, tensorboard, termcolor, tensorflow
Running setup.py install for subprocess32 ... error
Complete output from command /usr/bin/python2 -u -c "import setuptools, tokenize;file='/tmp/pip-install-mLPo9m/subprocess32/setup.py';f=getattr(tokenize, 'open', open)(file);code=f.read().replace('\r\n', '\n');f.close();exec(compile(code, file, 'exec'))" install --record /tmp/pip-record-Es0rSY/install-record.txt --single-version-externally-managed --compile:
/usr/lib64/python2.7/distutils/dist.py:267: UserWarning: Unknown distribution option: 'python_requires'
warnings.warn(msg)
running install
running build
running build_py
creating build
creating build/lib.linux-x86_64-2.7
copying subprocess32.py -> build/lib.linux-x86_64-2.7
running build_ext
running build_configure
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking how to run the C preprocessor... gcc -E
checking for grep that handles long lines and -e... /usr/bin/grep
checking for egrep... /usr/bin/grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking for unistd.h... (cached) yes
checking fcntl.h usability... yes
checking fcntl.h presence... yes
checking for fcntl.h... yes
checking signal.h usability... yes
checking signal.h presence... yes
checking for signal.h... yes
checking sys/cdefs.h usability... yes
checking sys/cdefs.h presence... yes
checking for sys/cdefs.h... yes
checking for sys/types.h... (cached) yes
checking for sys/stat.h... (cached) yes
checking sys/syscall.h usability... yes
checking sys/syscall.h presence... yes
checking for sys/syscall.h... yes
checking for dirent.h that defines DIR... yes
checking for library containing opendir... none required
checking for pipe2... yes
checking for setsid... yes
checking whether dirfd is declared... yes
configure: creating ./config.status
config.status: creating _posixsubprocess_config.h
building '_posixsubprocess32' extension
creating build/temp.linux-x86_64-2.7
gcc -pthread -fno-strict-aliasing -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -D_GNU_SOURCE -fPIC -fwrapv -DNDEBUG -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -D_GNU_SOURCE -fPIC -fwrapv -fPIC -I/usr/include/python2.7 -c _posixsubprocess.c -o build/temp.linux-x86_64-2.7/_posixsubprocess.o
_posixsubprocess.c:16:20: fatal error: Python.h: No such file or directory
#include "Python.h"
^
compilation terminated.
error: command 'gcc' failed with exit status 1

I get an Assertion Error when trying to run the Single Pixel Attack. Apparently, axes length must be equal to 2 (H, W), but my axes length is equal to 3 (B, H, W). I tried squeezing my img_tensor (3, 244, 244) but the predict method breaks. I tried removing the Assertion statement but creates an Index error.

Can anyone tell me how to properly use the Single Pixel Attack? I followed the same method as shown in the FGSM notebook example written in Pytorch.

Code to reproduce:

from adversarialbox.attacks.localsearch import SinglePixelAttack

# initialize model and img_tensor here

attack = SinglePixelAttack(model)  # Channel axis = 1
adversary = Adversary(img_tensor.to('cpu'), label)  # Tensor shape: (1, 3, 244, 244) B, C, H, W

adversary = attack(adversary)

我在使用singlepixelattack时发现代码中修改预处理后的图片的像素（范围是（-1，1））到255来达到攻击效果，这种实现方式是否算做bug？

我在使用singlepixelattack时发现代码中修改预处理后的图片的像素（范围是（-1，1））到255来达到攻击效果，这种实现方式是否算做bug？

Hi again,

From what I understand in the transformation.py file, the calibration.jpg performs 94 transformations in imshow. What does the calibration.xml file do which contains the box coordinates for the JPG image?

I'm also using a surveillance camera for my project. Are there any variables I should modify to accommodate EOT?

使用MIFGSM时出现：
assert self.model.channel_axis() == adversary.original.ndim
AssertionError
问题在哪里？
其他的方法却没有问题

I want to run imagene_example_cw.py, I haven't changed any thing in the source code, but I see this error:
AssertionError: The loss.shape should be (1L,), but the current loss.shape is (-1L, 1L). Maybe that you should call fluid.layers.mean to process the current loss.

what should I do?
Thanks.

TensorFlow 版本的 GraphPipe Docker Image，目前只有 TensorFlow Ver1.8 和 1.11 版本。见

在尝试部署更高版本 TensorFlow 生成的模型时会出现各种异常，因此间接影响了 AdvBox 的使用。

对此是否有解决方法，或者项目是否有计划应用在常规部署框架上？

If you encounter this problem, please install it via yum, just like
sudo yum -y install tkinter

Thanks a lot

Due to the implementation of Deepfool and C&W is for classifier which just have a 1xK dimension predict vector，but for segmentation model，the predict is a mask whose dimension is HxWxK.

        for i in range(steps):
            if adversary.is_targeted_attack:
                gradient = +self.model.gradient(adv_img,
                                                adversary.target_label)
            else:
                gradient = -self.model.gradient(adv_img,
                                               adversary.original_label)
            if norm_ord == np.inf:
                gradient_norm = np.sign(gradient)
            else:
                gradient_norm = gradient / self._norm(
                    gradient, ord=norm_ord)

            #logging.info('epsilon * gradient_norm={0}'.format(gradient_norm * epsilon))
            #logging.info('epsilon * gradient_norm* (max_ - min_)={0}'.format(gradient_norm * epsilon* (max_ - min_)))
            #改进的实现 不用考虑特征取值范围
            #adv_img = adv_img + epsilon * gradient_norm * (max_ - min_)
            #按照论文实现
            adv_img = adv_img + epsilon * gradient_norm

请问以上这段代码里.为什么non_targeted_attack的时候加负号, targeted_attack的时候不加呢?
我对算法的理解是non_targeted_attack情况下,应该梯度上升,由于后面是直接 + epsilon * gradient_norm,所以不明白这里为何要加个负号,这样不是反而变成梯度下降了么?

请教一下我哪里理解有问题,多谢了!

Defense methods第一个防御方法应该是Feature Squeezing而不是Feature Fqueezing吧……

Hi, I was trying out the tutorial from paddle.md. I have managed to trained with mnist_model.py, but can't perform the attack. It kept prompting the

IndexError: index 4 is out of bounds for axis 0 with size 1

The only change I added before facing the above issue was to the mnist_tutorial_fgsm.py is paddle.enable_static() at line 44.

Please help!!

我在使用JSMA的双像素点算法时：
attack = JSMA(m)
attack_config = {
"max_iter": 2000,
"theta": 0.3,
"max_perturbations_per_pixel": 7,
"fast":True,
"two_pix":True
}
报了下面的错：
ValueError: axes don't match array

检查后，发现应该是saliency.py中有错误出现：
def _saliency_map(self, image, target, labels, mask, fast=False, two_pix=True):
"""
Get pixel location with highest influence on class.
Args:
image(numpy.ndarray): Image with shape (height, width, channels).
target(int): The target label.
labels(int): The number of classes of the output label.
mask(list): Each modified pixel with border value is set to zero in mask.
fast(bool): Whether evaluate the pixel influence on sum of residual classes.
two_pix(bool): Whether to select two pixels from salience map which
is used in original paper.
Return:
idx: The index of optimal pixel (idx = idx1 * input_dimension +
idx2 in two pix setting)
pix_sign: The direction of perturbation
"""
# pixel influence on target class
alphas = self.model.gradient(image, target) * mask
# pixel influence on sum of residual classes(don't evaluate if fast == True)
if fast:
betas = -np.ones_like(alphas)
else:
betas = np.sum([
self.model.gradient(image, label) * mask - alphas
for label in labels
], 0)

    if two_pix:
        # construct two pix matrix to treat it as one pix
        alphas_col = np.expand_dims(alphas, axis=0)
        #下面这句出现了问题
        alphas_mat = alphas_col.transpose(1, 0) + alphas_col

        输入image是一个形状[h,w,c]的矩阵，alphas模型关于image的偏导中属于类别target的部分，所以alphas的形状也为[h,w,c]，alphas_col扩维后形状为[1,h,w,c]，alphas_col.transpose(1, 0)这句维度不匹配。我不确定是否是这个问题，如果您有空的话，希望能得到您的回复，不胜感激

I found requirements.txt and requirements-gpu.txt out of date, which some packages cant download, and not support Python 3.8.

I change some lines, do like this:

conda create -n advbox python=3.7
git clone https://github.com/baidu/AdvBox.git
pip install -r requirements.txt -i https://mirror.baidu.com/pypi/simple

requirements.txt and requirements-gpu.txt should be like this:

absl-py
astor==0.7.1
backports.functools-lru-cache==1.5
backports.weakref==1.0.post1
certifi==2018.8.24
cycler==0.10.0
enum34==1.1.6
funcsigs==1.0.2
futures==3.1.1
gast
grpcio==1.15.0
h5py==2.8.0
Keras
Keras-Applications
Keras-Preprocessing
kiwisolver==1.0.1
Markdown
matplotlib
mock==2.0.0
numpy
pbr==4.2.0
Pillow==5.2.0
protobuf==3.6.1
pyparsing==2.2.0
python-dateutil==2.7.3
pytz==2018.5
PyYAML==3.13
scipy==1.1.0
six==1.11.0
subprocess32==3.5.2
tensorboard
tensorflow-gpu==1.15
termcolor==1.1.0
Werkzeug==0.14.1

tutorials/imagenet_tutorial_fgsm_tf.py 这个文件中 有导入了这个
from tutorials.mnist_model_tf import mnist_cnn_model
但我并没有找到文件

paper论文似乎没了
https://www.freebuf.com/column/181616.html
文中附的论文似乎没了

Hi, I'm trying to replicate the Defcon_Sticker.png from Object Detector Deception.

In your example, what values did you input for the attack steps and hyperparameter variables for punishment and smoothness? Also, how many images were added in the data sampling folder?

I have a dataset of 2000 images I want to use for training the attack model.

Thank you.

It looks like /applications/StealthTshirt/StealthTshirtDemo.py only provides the YOLO OD demo. Is there only one patch (Defcon_Sticker.png) can be used for physical adversarial attack?
How can I use AdvBox for generating more adversarial patches? THX

I know that theoretically, FGSM is a one-step attack while BIM is an iterative attack.
BUT in the file /adversarialbox/attacks/gradient_method.py, the definition of Class FastGradientSignMethodTargetedAttack refers to (epsilon_steps=100,steps=10) while Class IterativeLeastLikelyClassMethodAttack refers to (steps=1000,epsilon_steps=1000).
And I wonder how to imply that FGSM is a one-step attack with (epsilon_steps=100,steps=10),instead of (epsilon_steps=1,steps=1)?
THX!

您好!

最近在做Keras下的FGSM实验，发现KerasModel中有FeatureFqueezingDefence这个函数。

请问，这是表示默认情况下都会加入特征挤压防御嘛？如果只是想得到原始的模型，在KerasModel初始化时，把featurefqueezing_bit_depth设置为None，则scaled_data会跳过下列if语句：

if self._featurefqueezing_bit_depth is not None: #logging.info(data) scaled_data=FeatureFqueezingDefence(data.copy(),None,self._featurefqueezing_bit_depth,self._bounds) #logging.info(scaled_data)

进而出现未赋值的情况。

期待回复！谢谢！

I'm trying to run the ODD code via attack_model.py, but I'm getting this error:

2020-09-18 07:24:08.108889: I tensorflow/stream_executor/platform/default/dso_loader.cc:48] Successfully opened dynamic library libcudart.so.10.1
Traceback (most recent call last):
File "attack_model.py", line 23, in
main(sys.argv)
File "attack_model.py", line 18, in main
attack = EOTB_attack(YOLO_tiny_model_updated)
TypeError: Can't instantiate abstract class EOTB_attack with abstract methods interpret_output

1. 使用FGSM对Keras模型在CIFAR10数据集攻击时，adversary.is_successful返回时True，用model去predict adversary.adversarial_example也确实被mistake了。但是，show_image_diff时候，Difference是一堆噪点，但是Adversarial Image确跟原始图片差异不大。我特地去看了下生成的对抗样本的RGB值，跟原始图片差距微小，比如“某个像素的某个通道从187变成186.5"，然后我看源码猜测：plt.imshow的时候，图像预处理/255.0差距更小，所以显示不出区别。
   其中，使用的attack_config = {"epsilon":0.3,"epsilongs_max":0.5,"epsilon_steps":1,"steps":3}

2. 为了对比，我又用了另一个对抗样本攻击repo——cleverhans，也用同样的epsilon=0.3.结果RGB变化很明显，而且它那个调用plt.imshow也可以看出变化。

所以，我想请教一下问题出在哪里？

谢谢！

imagenet_tutorial_fgsm_pytorch.py[line:52] INFO CUDA Available: True cuda pytorch.py[line:63] INFO Finish PytorchModel init (1, 3, 224, 224) Traceback (most recent call last): File "imagenet_tutorial_fgsm_pytorch.py", line 132, in <module> main("cropped_panda.jpg") File "imagenet_tutorial_fgsm_pytorch.py", line 108, in main adversary = attack(adversary, **attack_config) File "../advbox/attacks/base.py", line 47, in __call__ self._preprocess(adversary) File "../advbox/attacks/base.py", line 72, in _preprocess self.model.predict(adversary.original)) File "../advbox/models/pytorch.py", line 86, in predict predict = np.squeeze(predict, axis=0) File "/home/.../anaconda3/envs/bdbox/lib/python2.7/site-packages/numpy/core/fromnumeric.py", line 1292, in squeeze return squeeze(axis=axis) TypeError: squeeze() missing 1 required positional arguments: "dim"
按照官方的实例运行，环境也是按照requirement安装的，出现了这个squeeze()的问题。

设置attack_config = {"epsilons": 0.0}时, 攻击的成功率依然为100%

Dear authors of AdvBox,

I believe this repository is violating the MIT license of Foolbox.

It seems that substantial parts of the code in this repository have been copied from Foolbox v1. You have added some modifications (renaming variables, adding and removing comments, rearranging code, etc.), but nevertheless the code is still based on and copied from Foolbox without adhering to the conditions of the MIT license (despite it's extremely permissive rules).

Ironically, in this commit you even forgot to replace foolbox with advbox. And in both your README and your paper you use sentences like "Advbox is a toolbox to generate adversarial examples that fool neural networks" or "Advbox: a toolbox to generate adversarial examples that fool neural networks" that are not just loosely inspired by Foolbox's orignal slogan "Foolbox is a Python toolbox to create adversarial examples that fool neural networks.".

I propose we resolve this issue by making the following changes:

1. You explicitly state in your README that AdvBox is based on Foolbox v1
2. You explicitly state in your paper that AdvBox is based on Foolbox v1
3. You add the Foolbox bibtex entry to your How to cite section
4. You update your LICENSE file by adding our copyright and license
5. You update the Copyright and License part at the top of all files that are based on Foolbox to include our copyright and license

Thanks for your wonderful work.
I'd like to know how to train my own adv examples trargeting a certain object, such as cars, etc.
If it is possible, what should i do? need i put my dataset in a certain folder or modify the code?
Looking forward to your reply:D

Hi, thank you for your contribution. Are you going to release codes for generating Defcon_Sticker.png? Or , can you share the way to generate Defcon_Sticker.png?

/home/hawk/.local/lib/python2.7/site-packages/paddle/fluid/average.py:63: Warning: The WeightedAverage is deprecated, please use fluid.metrics.Accuracy instead.
(self.class.name), Warning)
*** Aborted at 1550691803 (unix time) try "date -d @1550691803" if you are using GNU date ***
PC: @ 0x0 (unknown)
*** SIGSEGV (@0x50) received by PID 2073 (TID 0x7f3f6d781740) from PID 80; stack trace: ***
@ 0x7f3f6d1b5f20 (unknown)
@ 0x7f3f6d574ac8 (unknown)
@ 0x7f3f6d57d0bd (unknown)
@ 0x7f3f6d2de2df _dl_catch_exception
@ 0x7f3f6d57c7ca (unknown)
@ 0x7f3f6d2dd3ad (unknown)
@ 0x7f3f6d2de2df _dl_catch_exception
@ 0x7f3f6d2de36f _dl_catch_error
@ 0x7f3f6d2dd4d9 __libc_dlopen_mode
@ 0x7f3f6d2a8075 (unknown)
@ 0x7f3f6cf67827 __pthread_once_slow
@ 0x7f3f6d2a814f backtrace
@ 0x7f3f6a22dd53 check_callers.part.0
@ 0x7f3f6a22e290 try_binary_elide
@ 0x7f3f6a21646b array_multiply
@ 0x5601403f83c9 (unknown)
@ 0x5601403b736d (unknown)
@ 0x5601403cef58 (unknown)
@ 0x5601403b6a30 (unknown)
@ 0x5601403cef58 (unknown)
@ 0x5601403b6a30 (unknown)
@ 0x5601403cef58 (unknown)
@ 0x5601403b6a30 (unknown)
@ 0x5601403b3d0a (unknown)
@ 0x5601403bbc38 (unknown)
@ 0x5601403b3d0a (unknown)
@ 0x5601403b3629 (unknown)
@ 0x5601403e461f (unknown)
@ 0x5601403df322 (unknown)
@ 0x5601403de67d (unknown)
@ 0x56014038d1ab (unknown)
@ 0x7f3f6d198b97 __libc_start_main

gzip: stdout: Broken pipe
Segmentation fault (core dumped)

Collecting tensorflow==1.10.1 (from -r requirements.txt (line 33))
Could not find a version that satisfies the requirement tensorflow==1.10.1 (from -r requirements.txt (line 33)) (from versions: )
No matching distribution found for tensorflow==1.10.1 (from -r requirements.txt (line 33))

当我用MIFGSM方法做攻击实验时，我发现出现了以下错误：
File "attack.py", line 184, in main adversary = attack(adversary, **attack_config) File "/Users/anselt/IJCAI/9102/targeted/advbox/attacks/base.py", line 48, in __call__ return self._apply(adversary, **kwargs) File "/Users/anselt/IJCAI/9102/targeted/advbox/attacks/gradient_method.py", line 296, in _apply velocity = gradient / self._norm(gradient, ord=1) ValueError: operands could not be broadcast together with shapes (3,224,224) (3,)
也就是出现除法维度不一致的情况。
然后我对照论文中的算法，发现算法中也是这样的

（6）式中的速度项维度就应该是（3,224,224)/(3,)呀（矩阵1范数是列和最大值），这样本来就不能实现相除，是我哪里理解错了吗？