Hello,

Note: I've updated this issue to reflect new testing I've done.

I'm using pytorch, a simple MLP model pre-trained on MNIST, and the foolbox boundary attack.

The Boundary attack often spits out a result that is not adversarial, and without any error or warning.

Here is the relevant portion of my code

        adversarial = attack(image, label)
        classification_label = int(np.argmax(fmodel.predictions(image)))
        adversarial_label = int(np.argmax(fmodel.predictions(adversarial)))

        print("source label: " + str(label) + ", adversarial_label: " + str(adversarial_label) + ", classification_label: " + str(classification_label))

        if np.array_equal(adversarial, image):
            # this branch is never reached, as expected
            print("Boundary attack did not find adversarial!")

This code is run in a loop.

Here is a sample of the output

source label: 9, adversarial_label: 8, classification_label: 9 source label: 8, adversarial_label: 8, classification_label: 8 # THIS SHOULDN'T BE POSSIBE source label: 6, adversarial_label: 6, classification_label: 6 # THIS SHOULDN'T BE POSSIBE source label: 9, adversarial_label: 9, classification_label: 9 source label: 3, adversarial_label: 3, classification_label: 3 # THIS SHOULDN'T BE POSSIBE source label: 9, adversarial_label: 1, classification_label: 9 source label: 4, adversarial_label: 8, classification_label: 4

Notice that the classification label is always equal to the source label, meaning the classifier never misclassifies in this sample output.

And yet, the adversarial label is sometimes equal to the source label, meaning an adversarial was not found.

As well, the fact that the if np.array_equal(adversarial, image): condition is never met suggests that the Boundary attack does do something, but simply outputs an output that the "adversarial" was in reality not adversarial.

This seems like a bug, but maybe I'm missing something? Was the boundary attack tested in pytorch? (Although I don't see why pytorch would be relevant)

Thank you!

This pull request contains a very minor change to the zoo module.

In the current version of the zoo it is not possible to use the module_name parameter of model loader. Due to this it is only possible to have one model for each zoo enabled git repository. By enabling the user to specify the module name in the get_model() function this restriction is lifted.

With this change it is easier for developers to contribute models to the zoo.

Scenario is the following one: There is a website where i can send a 128x128 colored PNG to and it get's classified either as a cat with confidence >0 or as not-a-cat (confidence =0) ( i have full authorization to use that website how i want to and i can send really as much as i want, to prevent strange questions). I would like to create an adversarial example with foolbox (is a car, get's classified as a cat with +90% confidence) but i can't seem to get my head around how i can create a model with that, so that i can attack it with foolbox boundary attack. Here's a template of what i have:

images = tf.placeholder(tf.int8, (None, 128, 128, 3))
label = ["cat", "not-a-cat"]

def get_prediction(image):
    #gets the confidence for the target, between 0 and 1 from the website
    return confidence #float32

Any help/hints would be appreciated, thank you in advance.

Hi, I tried following the instructions mentioned in the tutorialand examples sections, and create an attack for a VGG19 model. Downloaded the model's checkpoint from here

The code "runs" however it doesn't seem to be able to generate an adversarial example - the process never ends... What am I doing wrong?

Please advise

import tensorflow as tf
from tensorflow.contrib.slim.nets import vgg
import numpy as np
import foolbox
import matplotlib.pyplot as plt
from foolbox.attacks import LBFGSAttack
from foolbox.criteria import TargetClassProbability

images = tf.placeholder(tf.float32, shape=(None, 224, 224, 3))
preprocessed = images - [123.68, 116.78, 103.94]
logits, _ = vgg.vgg_19(images, is_training=False)
restorer = tf.train.Saver(tf.trainable_variables())

image, _ = foolbox.utils.imagenet_example()

with foolbox.models.TensorFlowModel(images, logits, (0, 255)) as model:
    restorer.restore(model.session, "./vgg_19.ckpt")
    print(np.argmax(model.predictions(image)))
    target_class = 22
    criterion = TargetClassProbability(target_class, p=0.01)

    attack = LBFGSAttack(model, criterion)
    label = np.argmax(model.predictions(image))

    adversarial = attack(image=image, label=label)

    plt.subplot(1, 3, 1)
    plt.imshow(image)

    plt.subplot(1, 3, 2)
    plt.imshow(adversarial)

    plt.subplot(1, 3, 3)
    plt.imshow(adversarial - image)

Hi, I read through the docs and issues, and couldn't find any information about this.

I want to generate adversarial examples for some non-image based problems. In my specific case, the inputs are fixed length sequence of integers which then goes into an embedding layer and into the network.

Is there a way to use foolbox in this scenario at the moment?

Thanks for your time!

I am trying to implement gradient based attacks such as fgsm ,Bim,Jsma using foolbox. I took a look at the example in the documentation and accordingly implemented the attack on my own model. My model is defined in keras and accordingly I used foolbox, keras wrapper for the attack. So at a time I am able to generate adversary for only a single example, if I try multiple examples , I get an error saying, Value Error : Cannot feed value of shape (1, 10000, 28, 28, 1) for Tensor 'conv2d_5_input:0', which has shape '(?, 28, 28, 1). Now I understand the error is with the input shape , but my variable explorer displays the shape as (10000,28,28,1) which is the correct shape and still I get the error. I am attaching my code below:

import foolbox
import keras
import numpy as np
from keras import backend
from keras.models import load_model
from keras.datasets import mnist
from keras.utils import np_utils
from foolbox.attacks import SaliencyMapAttack
from foolbox.criteria import Misclassification
import matplotlib.pyplot as plt

########################################### Loading the model and preprocessing ###############################
backend.set_learning_phase(False)
model = keras.models.load_model('/home/labadmin/Mnist_Digits_Model_CNN.h5')
fmodel = foolbox.models.KerasModel(model, bounds=(0,1))
_,(images, labels) = mnist.load_data()
images = images.reshape(10000,28,28,1)
images= images.astype('float32')
images /= 255

######################################### Attacking the model ################################################
attack=foolbox.attacks.SaliencyMapAttack(fmodel, criterion=Misclassification())
adversarial=attack(images[12],labels[12]) # for single image
adversarial_all=attack(images,labels) # for all the images
adversarial =adversarial.reshape(1,28,28,1) #reshaping it for model prediction
model_predictions = model.predict(adversarial)
print(model_predictions)
######################################## Visualization #########################################################
images=images.reshape(10000,28,28)
adversarial =adversarial.reshape(28,28)

plt.figure()
plt.subplot(1,3,1)
plt.title('Original')
plt.imshow(images[12])
plt.axis('off')

plt.subplot(1, 3, 2)
plt.title('Adversarial')
plt.imshow(adversarial)
plt.axis('off')

plt.subplot(1, 3, 3)
plt.title('Difference')
difference = adversarial - images[124]
plt.imshow(difference / abs(difference).max() * 0.2 + 0.5)
plt.axis('off')
plt.show()

Hello,

I implemented the code of our recent sparse attack namely SparseFool (CVPR 2019). More details about the method can be found here: https://arxiv.org/abs/1811.02248.

Looking forward to your feedback!

This is a prototype of our upcoming batch support, bringing a massive speed-up to Foolbox without the need to rewrite attacks or even changing the attack logic to support batches (which can be very difficult for certain attacks and comes with other disadvantages).

So far, this works with TensorFlowModel and PyTorchModel. You can try this now using CarliniWagnerAttack, GradientAttack and similar ones and all PGD-like attacks (BasicIterativeMethod, RandomStartProjectedGradientDescentAttack, etc.).

The current API to try this feature looks like this:

from foolbox.batching import run_parallel_attack

model = ...
images = ...
labels = ...

attack_create_fn = foolbox.attacks.CarliniWagnerL2Attack  # for example
criterion = foolbox.criteria.Misclassification()  # for example

advs = run_parallel_attack(attack_create_fn, model, criterion, images, labels)
# advs will be a list of Adversarial objects

This Jupyter notebook contains a complete example: https://gist.github.com/jonasrauber/140ada5a352cabb3dd0e91b9cd3adf03

Hi folks,

I am using Foolbox 3.3.1 to perform some adversarial attacks on resnet50 network. The code is as follows:

```

import torch from torchvision import models

device = torch.device("cuda" if torch.cuda.is_available() else "cpu")
model = models.resnet50(pretrained=True).to(device)
model.eval()

mean = [0.485, 0.456, 0.406]
std=[0.229, 0.224, 0.225]
preprocessing = dict(mean=mean, std=std, axis=-3)
bounds = (0, 1)
fmodel = fb.models.PyTorchModel(model, bounds=bounds, preprocessing=preprocessing)

images, labels = fb.utils.samples(fmodel, dataset='imagenet', batchsize=8)
labels_float = labels.to(torch.float32)


def perform_attack(attack, fmodel, images, labels, predicted_labels_before_attack):
    print(f'Performing attack with {type(attack).__name__}...', end='')
    raw, clipped, is_adv = attack(fmodel, images, labels, epsilons=0.03)
    print('done')
    logits_after_attacks = fmodel(clipped)
    labels_after_attack = logits_after_attacks.max(dim=1)[1].cpu().numpy()
    for image, predicted_label_before_attack, label, label_after_attack in zip(images, predicted_labels_before_attack, labels.cpu().numpy(), labels_after_attack):
        label_imshow = type(attack).__name__
        if predicted_label_before_attack == label and label != label_after_attack:
            label_imshow += '; successful attack'
        label_imshow += f'\nTrue class: {lab_dict[label]}\nClassified before attack as: {lab_dict[predicted_label_before_attack]}\nClassified after attack as: {lab_dict[label_after_attack]}'
        imshow(image, label_imshow)
		
for attack in (
                fb.attacks.FGSM(), # "nll_loss_forward_no_reduce_cuda_kernel_index" not implemented for 'Int'
              ):
    perform_attack(attack, fmodel, images, labels, predicted_labels_before_attack)

I get the error: 

RuntimeError: "nll_loss_forward_no_reduce_cuda_kernel_index" not implemented for 'Int'

with full stack:

     ```
Performing attack with LinfFastGradientAttack...
    ---------------------------------------------------------------------------
    RuntimeError                              Traceback (most recent call last)
    ~\AppData\Local\Temp/ipykernel_1736/3238714708.py in <module>
         28 #                 fb.attacks.BoundaryAttack(),  # very slow
         29               ):
    ---> 30     perform_attack(attack, fmodel, images, labels, predicted_labels_before_attack)
    
    ~\AppData\Local\Temp/ipykernel_1736/3978727835.py in perform_attack(attack, fmodel, images, labels, predicted_labels_before_attack)
          1 def perform_attack(attack, fmodel, images, labels, predicted_labels_before_attack):
          2     print(f'Performing attack with {type(attack).__name__}...', end='')
    ----> 3     raw, clipped, is_adv = attack(fmodel, images, labels, epsilons=0.03)
          4     print('done')
          5     logits_after_attacks = fmodel(clipped)
    
    ~\anaconda3\envs\adversarial\lib\site-packages\foolbox\attacks\base.py in __call__(***failed resolving arguments***)
        277         success = []
        278         for epsilon in real_epsilons:
    --> 279             xp = self.run(model, x, criterion, epsilon=epsilon, **kwargs)
        280 
        281             # clip to epsilon because we don't really know what the attack returns;
    
    ~\anaconda3\envs\adversarial\lib\site-packages\foolbox\attacks\fast_gradient_method.py in run(self, model, inputs, criterion, epsilon, **kwargs)
         90             raise ValueError("unsupported criterion")
         91 
    ---> 92         return super().run(
         93             model=model, inputs=inputs, criterion=criterion, epsilon=epsilon, **kwargs
         94         )
    
    ~\anaconda3\envs\adversarial\lib\site-packages\foolbox\attacks\gradient_descent_base.py in run(***failed resolving arguments***)
         90 
         91         for _ in range(self.steps):
    ---> 92             _, gradients = self.value_and_grad(loss_fn, x)
         93             gradients = self.normalize(gradients, x=x, bounds=model.bounds)
         94             x = x + gradient_step_sign * stepsize * gradients
    
    ~\anaconda3\envs\adversarial\lib\site-packages\foolbox\attacks\gradient_descent_base.py in value_and_grad(self, loss_fn, x)
         50         x: ep.Tensor,
         51     ) -> Tuple[ep.Tensor, ep.Tensor]:
    ---> 52         return ep.value_and_grad(loss_fn, x)
         53 
         54     def run(
    
    ~\anaconda3\envs\adversarial\lib\site-packages\eagerpy\framework.py in value_and_grad(f, t, *args, **kwargs)
        350     f: Callable[..., TensorType], t: TensorType, *args: Any, **kwargs: Any
        351 ) -> Tuple[TensorType, TensorType]:
    --> 352     return t.value_and_grad(f, *args, **kwargs)
        353 
        354 
    
    ~\anaconda3\envs\adversarial\lib\site-packages\eagerpy\tensor\tensor.py in value_and_grad(self, f, *args, **kwargs)
        541         self: TensorType, f: Callable[..., TensorType], *args: Any, **kwargs: Any
        542     ) -> Tuple[TensorType, TensorType]:
    --> 543         return self._value_and_grad_fn(f, has_aux=False)(self, *args, **kwargs)
        544 
        545     @final
    
    ~\anaconda3\envs\adversarial\lib\site-packages\eagerpy\tensor\pytorch.py in value_and_grad(x, *args, **kwargs)
        493                 loss, aux = f(x, *args, **kwargs)
        494             else:
    --> 495                 loss = f(x, *args, **kwargs)
        496             loss = loss.raw
        497             loss.backward()
    
    ~\anaconda3\envs\adversarial\lib\site-packages\foolbox\attacks\gradient_descent_base.py in loss_fn(inputs)
         40         def loss_fn(inputs: ep.Tensor) -> ep.Tensor:
         41             logits = model(inputs)
    ---> 42             return ep.crossentropy(logits, labels).sum()
         43 
         44         return loss_fn
    
    ~\anaconda3\envs\adversarial\lib\site-packages\eagerpy\framework.py in crossentropy(logits, labels)
        319 
        320 def crossentropy(logits: TensorType, labels: TensorType) -> TensorType:
    --> 321     return logits.crossentropy(labels)
        322 
        323 
    
    ~\anaconda3\envs\adversarial\lib\site-packages\eagerpy\tensor\pytorch.py in crossentropy(self, labels)
        462             raise ValueError("labels must be 1D and must match the length of logits")
        463         return type(self)(
    --> 464             torch.nn.functional.cross_entropy(self.raw, labels.raw, reduction="none")
        465         )
        466 
    
    ~\anaconda3\envs\adversarial\lib\site-packages\torch\nn\functional.py in cross_entropy(input, target, weight, size_average, ignore_index, reduce, reduction, label_smoothing)
       2844     if size_average is not None or reduce is not None:
       2845         reduction = _Reduction.legacy_get_string(size_average, reduce)
    -> 2846     return torch._C._nn.cross_entropy_loss(input, target, weight, _Reduction.get_enum(reduction), ignore_index, label_smoothing)
       2847 
       2848 
    
    RuntimeError: "nll_loss_forward_no_reduce_cuda_kernel_index" not implemented for 'Int'

What should I do?

Note: cross posted at https://stackoverflow.com/questions/71291544/fgsm-attack-in-foolbox

This was reported to me by @max-andr. Most of the differences are actually explicitly mentioned in comments in our implementation, but we should check again if we can match the reference implementation more closely and possible mention deviations in the docs, not just in comments.

@max-andr might create a PR to fix this

As I know, we should not normalize before Attacks. Does Foolbox also follow this principle? 1. Foolbox explanation says: bounds [0,1] -> preprocessing(normalization) However, the image tensor is [0,1] which doesn’t match with an explanation.

Using 'transforms.ToTensor()' already makes in the [0, 1] value range. So we don't need to normalize in this case?

ex. transform = transforms.Compose([ transforms.Resize((224, 224)), transforms.ToTensor(), transforms.Normalize(mean=[0.485, 0.456, 0.406], std=[0.229, 0.224, 0.225]), ])

3. Clipped_Adv has value out of [0,1] but original _adv is in [0,1]. Something wrong here?

ex. Clipped_Adv: [ 0.5029, 0.4851, 0.0167, ..., -1.1999, -1.1302, -0.9559]

Hello,

First of all, thank you very much for publishing this package, this is really helpful. Here I got some inconsistent results from Foolbox and my code. When I test the robustness of my model to pgd_linf attacks bounded by epsilon = 0.3 for mnist dataset, I get 89% accuracy with the following code with PyTorch:

def pgd_linf(model, x, y, epsilon, alpha = 0.01, number_iter = 40, random_restart = True):
    model.eval()
    if random_restart:
        delta = torch.zeros_like(x).uniform_(-epsilon, epsilon)
        delta.requires_grad = True
    else:
        delta = torch.zeros_like(x,requires_grad=True)
    for _ in range(number_iter):
        loss = nn.CrossEntropyLoss()(model((x + delta).clamp(0,1)), y)
        loss.backward()
        delta.data = (delta.data + (epsilon/0.3)*alpha*delta.grad.detach().sign()).clamp(-epsilon,epsilon)
        delta.grad.zero_()
    return delta.detach()

However, I got only 81% accuracy when I test the robustness of the same model to pgd_linf attacks by using the Foolbox. Here I use the following code:

 model.eval()
 fmodel = fb.PyTorchModel(model, bounds=(0,1))
 total_err = 0
 with torch.no_grad():
        for X,y in test_loader:
                X,y = X.to(device), y.to(device)
                with torch.enable_grad():
                        raw, clipped, is_adv = attack(fmodel, X, y, epsilons = 0.3)
                total_err += torch.sum(is_adv.float())
print((total_err / len(test_loader.dataset)).cpu())

actually, I have tested the robustness of model to Foolbox pgd and my code multiple times, every time I would get around 10% lower accuracy with Foolbox pgd, so I think this is not an issue about randomness. Can you please help me figure out why the difference happens? Is there anything wrong in my code or the way I use foolbox? Thanks.

I trained the model with normalized image, and when attacking the model should I use the training dataset and normalize the image in the same way? Should the bounds be (0,1)? actually after normalization the pixel value of image data is between -3 and 3. Should the bounds be (-3,3)?

Describe the bug foolbox is importing gaussian_filter from the namespace scipy.ndimage.filters, which is deprecated in more recent versions of scipy so yields a deprecation warning. The correct namespace of scipy.ndimage has been available since at least v1.2 so importing from there should support all target versions of Python (3.6 - 3.8).

To Reproduce Install latest stable version of scipy (1.9.3). Run a Gaussian blue attack.

Expected behavior No deprecation warning if newer namespace employed.

Software (please complete the following information):

• Foolbox version: 3.3.3

I've had a similar issue in close, but after I use the latest version, I still get an error like this "nll_loss_forward_no_reduce_cuda_kernel_index" not implemented for 'Float' Please help me

Bumps pillow from 9.0.1 to 9.3.0.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Bumps tensorflow from 2.6.4 to 2.9.3.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.