Adversarial-Machine-Learning-Clinic/Filter_Analysis/fgsm.py

import torch
import torch.nn as nn
import torch.nn.functional as F
import torch.optim as optim
from torchvision import datasets, transforms
import numpy as np
import matplotlib.pyplot as plt
import cv2
from mnist import Net
from pykuwahara import kuwahara

epsilons = np.arange(0.05,0.35,0.05)
pretrained_model = "data/lenet_mnist_model.pth"
use_cuda=False

torch.manual_seed(69)


test_loader = torch.utils.data.DataLoader(
        datasets.MNIST('data/', train=False, download=True, transform=transforms.Compose([
            transforms.ToTensor(),
            transforms.Normalize((0.1307,), (0.3081,)),
            ])),
        batch_size=1, shuffle=True)

print("CUDA Available: ", torch.cuda.is_available())
device = torch.device("cuda" if use_cuda and torch.cuda.is_available() else "cpu")

model = Net().to(device)

model.load_state_dict(torch.load(pretrained_model, map_location=device))

model.eval()

def fgsm_attack(image, epsilon, data_grad):
    sign_data_grad = data_grad.sign()
    perturbed_image = image + epsilon*sign_data_grad
    perturbed_image = torch.clamp(perturbed_image, 0, 1)
    return perturbed_image

def denorm(batch, mean=[0.1307], std=[0.3081]):
    """
    Convert a batch of tensors to their original scale.

    Args:
        batch (torch.Tensor): Batch of normalized tensors.
        mean (torch.Tensor or list): Man used for normalization.
        std (torch.Tensor or list): Standard deviation used for normalization.

    Returns:
        torch.Tensor: batch of tensors without normalization applied to them.
    """

    if isinstance(mean, list):
        mean = torch.tensor(mean).to(device)
    if isinstance(std, list):
        std = torch.tensor(std).to(device)

    return batch * std.view(1, -1, 1, 1) + mean.view(1, -1, 1, 1)

def test(model, device, test_loader, epsilon):
    orig_correct = 0
    attacked_correct = 0
    filtered_correct = 0
    adv_examples = []
    incorrect=0

    for data, target in test_loader:
        data, target = data.to(device), target.to(device)
        data.requires_grad = True

        output_orig = model(data)
        orig_pred = output_orig.max(1, keepdim=True)[1]

        loss = F.nll_loss(output_orig, target)

        model.zero_grad()

        loss.backward()
        data_grad = data.grad.data

        data_denorm = denorm(data)

        perturbed_data = fgsm_attack(data_denorm, epsilon, data_grad)

        perturbed_data_normalized = transforms.Normalize((0.1307,), (0.3081,))(perturbed_data)

        # convert the perturbed data tensor to a cv2 readable image
        image = perturbed_data_normalized.detach().numpy().transpose(0,2,3,1)

        # apply the Kuwahara filter
        filtered_image = np.ndarray((1,28,28,1))
        filtered_image[0] = kuwahara(image[0], method='gaussian', radius=3, image_2d=image[0])

        # convert the cv2 image back to a torch tensor
        filtered_image = filtered_image.transpose(0,3,1,2)
        perturbed_data_filtered = torch.tensor(filtered_image).float()

        # evaluate the model on the attacked and filtered images
        output_attacked = model(perturbed_data_normalized)
        output_filtered = model(perturbed_data_filtered)

        attacked_pred = output_attacked.max(1, keepdim=True)[1]
        filtered_pred = output_filtered.max(1, keepdim=True)[1]

        if orig_pred.item() == target.item():
            orig_correct += 1
        else:
            incorrect += 1

        if attacked_pred.item() == target.item():
            attacked_correct += 1

            if epsilon == 0 and len(adv_examples) < 5:
                adv_ex = perturbed_data.squeeze().detach().cpu().numpy()
                adv_examples.append( (orig_pred.item(), attacked_pred.item(), adv_ex) )

        if filtered_pred.item() == target.item():
            filtered_correct += 1

            if epsilon == 0 and len(adv_examples) < 5:
                adv_ex = perturbed_data.squeeze().detach().cpu().numpy()
                adv_examples.append( (orig_pred.item(), filtered_pred.item(), adv_ex) )

    orig_acc = orig_correct/float(len(test_loader))
    attacked_acc = attacked_correct/float(len(test_loader))
    filtered_acc = filtered_correct/float(len(test_loader))
    print(f"Epsilon: {epsilon}")
    print(f"Original Accuracy = {orig_correct} / {len(test_loader)} = {orig_acc}")
    print(f"Attacked Accuracy = {attacked_correct} / {len(test_loader)} = {attacked_acc}")
    print(f"Filtered Accuracy = {filtered_correct} / {len(test_loader)} = {filtered_acc}")

    return attacked_acc, adv_examples

accuracies = []
examples = []

for eps in epsilons:
    acc, ex = test(model, device, test_loader, eps)
    accuracies.append(acc)
    examples.append(ex)