#解压代码压缩包
import zipfile
tar = zipfile.ZipFile('/home/aistudio/data/data17209/attack_example.zip','r')
tar.extractall() In[2]
cd attack_example//home/aistudio/attack_example
你的神经网络有多脆弱
本项目将介绍几种非常有趣的对抗样本生成方法,几行代码就可以让你精心调参几天几夜训练的模型精度下降。
下载安装命令
## CPU版本安装命令
pip install -f https://paddlepaddle.org.cn/pip/oschina/cpu paddlepaddle
## GPU版本安装命令
pip install -f https://paddlepaddle.org.cn/pip/oschina/gpu paddlepaddle-gpu 本项目不涉及高深的算法,有没有涉足此领域都可放心阅读,老少咸宜。
阅读完本项目你将获得:
- 一声惊叹,原来自己的神经网络如此脆弱
- 一些反思,神经网络究竟在学什么,学到了什么
- 你将掌握PaddlePaddle分类模型的基本训练方法,前向推理方法
本项目分为以下几个部分
- 基本框架浏览,介绍做实验的基本框架,衡量指标。
- 不同的对抗样本生成方法与指标对比。
1. 基本框架介绍
实验环境介绍
模型
ResNeXt50_32x4d
模型定义存放在 /home/aistudio/attack_example/attack_code/models
模型参数存放在 /home/aistudio/attack_example/attack_code/model_parameters
原始图片
提供图片120张,取自Stanford Dogs数据集全集,120张图片分别属于120类。
存放在 /home/aistudio/attack_example/attack_code/input_image
标签为val_list.txt,存放在同目录下
评判指标
正确率
下面我们用代码将模型和参数载入,并看看原始样本的正确率如何。
In[3]
cd attack_code//home/aistudio/attack_example/attack_code
In[4]
#coding=utf-8
from __future__ import absolute_import
from __future__ import division
from __future__ import print_function
import argparse
import functools
import numpy as np
import paddle.fluid as fluid
import os
#加载自定义文件
import models
from utils import init_prog, save_adv_image, process_img, tensor2img, calc_mse, add_arguments, print_arguments
path = "/home/aistudio/attack_example/attack_code/"
#os.makedirs("./output_image_attack")
######Init args
image_shape = [3,224,224]
class_dim=121
input_dir = path + "input_image/"
output_dir = path + "output_image/"
if not os.path.exists('./output_image'):
os.mkdir('./output_image')
model_name="ResNeXt50_32x4d"
pretrained_model= path + "models_parameters/ResNeXt50_32x4d"
val_list = 'val_list.txt'
use_gpu=True
######Attack graph
adv_program=fluid.Program()
#完成初始化
with fluid.program_guard(adv_program):
input_layer = fluid.layers.data(name='image', shape=image_shape, dtype='float32')
#设置为可以计算梯度
input_layer.stop_gradient=False
# model definition
model = models.__dict__[model_name]()
out_logits = model.net(input=input_layer, class_dim=class_dim)
out = fluid.layers.softmax(out_logits)
place = fluid.CUDAPlace(0) if use_gpu else fluid.CPUPlace()
exe = fluid.Executor(place)
exe.run(fluid.default_startup_program())
#记载模型参数
fluid.io.load_persistables(exe, pretrained_model)
#设置adv_program的BN层状态
init_prog(adv_program)
#创建测试用评估模式
eval_program = adv_program.clone(for_test=True)
#定义梯度
with fluid.program_guard(adv_program):
label = fluid.layers.data(name="label", shape=[1] ,dtype='int64')
loss = fluid.layers.cross_entropy(input=out, label=label)
gradients = fluid.backward.gradients(targets=loss, inputs=[input_layer])[0]
######Inference
def inference(img):
fetch_list = [out.name]
result = exe.run(eval_program,
fetch_list=fetch_list,
feed={ 'image':img })
result = result[0][0]
pred_label = np.argmax(result)
pred_score = result[pred_label].copy()
return pred_label, pred_score
####### Main #######
def get_original_file(filepath):
with open(filepath, 'r') as cfile:
full_lines = [line.strip() for line in cfile]
cfile.close()
original_files = []
for line in full_lines:
label, file_name = line.split()
original_files.append([file_name, int(label)])
return original_files
def gen_acc():
original_files = get_original_file(input_dir + val_list)
acc = 0
len_example = len(original_files)
for filename, label in original_files:
img_path = input_dir + filename
##读入图像,转换维度,归一化##########
img=process_img(img_path)
##进行前向推理
pred_label, pred_score = inference(img)
print("Image: {0} ,true label is {1} , pred label is {2}".format(img_path,label,pred_label))
if(pred_label == label):
acc = acc+1
acc = acc/len_example
print("the accuracy is {}".format(acc))
2020-03-04 16:29:06,206-INFO: font search path ['/opt/conda/envs/python35-paddle120-env/lib/python3.7/site-packages/matplotlib/mpl-data/fonts/ttf', '/opt/conda/envs/python35-paddle120-env/lib/python3.7/site-packages/matplotlib/mpl-data/fonts/afm', '/opt/conda/envs/python35-paddle120-env/lib/python3.7/site-packages/matplotlib/mpl-data/fonts/pdfcorefonts'] 2020-03-04 16:29:06,534-INFO: generated new fontManager
In[5]
gen_acc()Image: /home/aistudio/attack_example/attack_code/input_image/n02085620_10074.jpg ,true label is 1 , pred label is 1 Image: /home/aistudio/attack_example/attack_code/input_image/n02085782_1039.jpg ,true label is 2 , pred label is 2 Image: /home/aistudio/attack_example/attack_code/input_image/n02085936_10130.jpg ,true label is 3 , pred label is 3 Image: /home/aistudio/attack_example/attack_code/input_image/n02086079_10600.jpg ,true label is 4 , pred label is 4 Image: /home/aistudio/attack_example/attack_code/input_image/n02086240_1059.jpg ,true label is 5 , pred label is 5 Image: /home/aistudio/attack_example/attack_code/input_image/n02086646_1002.jpg ,true label is 6 , pred label is 6 Image: /home/aistudio/attack_example/attack_code/input_image/n02086910_1048.jpg ,true label is 7 , pred label is 7 Image: /home/aistudio/attack_example/attack_code/input_image/n02087046_1206.jpg ,true label is 8 , pred label is 8 Image: /home/aistudio/attack_example/attack_code/input_image/n02087394_11337.jpg ,true label is 9 , pred label is 9 Image: /home/aistudio/attack_example/attack_code/input_image/n02088094_1003.jpg ,true label is 10 , pred label is 10 Image: /home/aistudio/attack_example/attack_code/input_image/n02088238_10013.jpg ,true label is 11 , pred label is 11 Image: /home/aistudio/attack_example/attack_code/input_image/n02088364_10108.jpg ,true label is 12 , pred label is 12 Image: /home/aistudio/attack_example/attack_code/input_image/n02088466_10083.jpg ,true label is 13 , pred label is 13 Image: /home/aistudio/attack_example/attack_code/input_image/n02088632_101.jpg ,true label is 14 , pred label is 14 Image: /home/aistudio/attack_example/attack_code/input_image/n02089078_1064.jpg ,true label is 15 , pred label is 15 Image: /home/aistudio/attack_example/attack_code/input_image/n02089867_1029.jpg ,true label is 16 , pred label is 16 Image: /home/aistudio/attack_example/attack_code/input_image/n02089973_1066.jpg ,true label is 17 , pred label is 17 Image: /home/aistudio/attack_example/attack_code/input_image/n02090379_1272.jpg ,true label is 18 , pred label is 18 Image: /home/aistudio/attack_example/attack_code/input_image/n02090622_10343.jpg ,true label is 19 , pred label is 19 Image: /home/aistudio/attack_example/attack_code/input_image/n02090721_1292.jpg ,true label is 20 , pred label is 20 Image: /home/aistudio/attack_example/attack_code/input_image/n02091032_10079.jpg ,true label is 21 , pred label is 21 Image: /home/aistudio/attack_example/attack_code/input_image/n02091134_10107.jpg ,true label is 22 , pred label is 22 Image: /home/aistudio/attack_example/attack_code/input_image/n02091244_1000.jpg ,true label is 23 , pred label is 23 Image: /home/aistudio/attack_example/attack_code/input_image/n02091467_1110.jpg ,true label is 24 , pred label is 24 Image: /home/aistudio/attack_example/attack_code/input_image/n02091635_1319.jpg ,true label is 25 , pred label is 25 Image: /home/aistudio/attack_example/attack_code/input_image/n02091831_10576.jpg ,true label is 26 , pred label is 26 Image: /home/aistudio/attack_example/attack_code/input_image/n02092002_10699.jpg ,true label is 27 , pred label is 27 Image: /home/aistudio/attack_example/attack_code/input_image/n02092339_1100.jpg ,true label is 28 , pred label is 28 Image: /home/aistudio/attack_example/attack_code/input_image/n02093256_11023.jpg ,true label is 29 , pred label is 29 Image: /home/aistudio/attack_example/attack_code/input_image/n02093428_10947.jpg ,true label is 30 , pred label is 30 Image: /home/aistudio/attack_example/attack_code/input_image/n02093647_1037.jpg ,true label is 31 , pred label is 31 Image: /home/aistudio/attack_example/attack_code/input_image/n02093754_1062.jpg ,true label is 32 , pred label is 32 Image: /home/aistudio/attack_example/attack_code/input_image/n02093859_1003.jpg ,true label is 33 , pred label is 33 Image: /home/aistudio/attack_example/attack_code/input_image/n02093991_1026.jpg ,true label is 34 , pred label is 34 Image: /home/aistudio/attack_example/attack_code/input_image/n02094114_1173.jpg ,true label is 35 , pred label is 35 Image: /home/aistudio/attack_example/attack_code/input_image/n02094258_1004.jpg ,true label is 36 , pred label is 36 Image: /home/aistudio/attack_example/attack_code/input_image/n02094433_10126.jpg ,true label is 37 , pred label is 37 Image: /home/aistudio/attack_example/attack_code/input_image/n02095314_1033.jpg ,true label is 38 , pred label is 38 Image: /home/aistudio/attack_example/attack_code/input_image/n02095570_1031.jpg ,true label is 39 , pred label is 39 Image: /home/aistudio/attack_example/attack_code/input_image/n02095889_1003.jpg ,true label is 40 , pred label is 40 Image: /home/aistudio/attack_example/attack_code/input_image/n02096051_1110.jpg ,true label is 41 , pred label is 41 Image: /home/aistudio/attack_example/attack_code/input_image/n02096177_10031.jpg ,true label is 42 , pred label is 42 Image: /home/aistudio/attack_example/attack_code/input_image/n02096294_1111.jpg ,true label is 43 , pred label is 43 Image: /home/aistudio/attack_example/attack_code/input_image/n02096437_1055.jpg ,true label is 44 , pred label is 44 Image: /home/aistudio/attack_example/attack_code/input_image/n02096585_10604.jpg ,true label is 45 , pred label is 45 Image: /home/aistudio/attack_example/attack_code/input_image/n02097047_1412.jpg ,true label is 46 , pred label is 46 Image: /home/aistudio/attack_example/attack_code/input_image/n02097130_1193.jpg ,true label is 47 , pred label is 47 Image: /home/aistudio/attack_example/attack_code/input_image/n02097209_1038.jpg ,true label is 48 , pred label is 48 Image: /home/aistudio/attack_example/attack_code/input_image/n02097298_10676.jpg ,true label is 49 , pred label is 49 Image: /home/aistudio/attack_example/attack_code/input_image/n02097474_1070.jpg ,true label is 50 , pred label is 50 Image: /home/aistudio/attack_example/attack_code/input_image/n02097658_1018.jpg ,true label is 51 , pred label is 51 Image: /home/aistudio/attack_example/attack_code/input_image/n02098105_1078.jpg ,true label is 52 , pred label is 52 Image: /home/aistudio/attack_example/attack_code/input_image/n02098286_1009.jpg ,true label is 53 , pred label is 53 Image: /home/aistudio/attack_example/attack_code/input_image/n02098413_11385.jpg ,true label is 54 , pred label is 54 Image: /home/aistudio/attack_example/attack_code/input_image/n02099267_1018.jpg ,true label is 55 , pred label is 55 Image: /home/aistudio/attack_example/attack_code/input_image/n02099429_1039.jpg ,true label is 56 , pred label is 56 Image: /home/aistudio/attack_example/attack_code/input_image/n02099601_100.jpg ,true label is 57 , pred label is 57 Image: /home/aistudio/attack_example/attack_code/input_image/n02099712_1150.jpg ,true label is 58 , pred label is 58 Image: /home/aistudio/attack_example/attack_code/input_image/n02099849_1068.jpg ,true label is 59 , pred label is 59 Image: /home/aistudio/attack_example/attack_code/input_image/n02100236_1244.jpg ,true label is 60 , pred label is 60 Image: /home/aistudio/attack_example/attack_code/input_image/n02100583_10249.jpg ,true label is 61 , pred label is 61 Image: /home/aistudio/attack_example/attack_code/input_image/n02100735_10064.jpg ,true label is 62 , pred label is 62 Image: /home/aistudio/attack_example/attack_code/input_image/n02100877_1062.jpg ,true label is 63 , pred label is 63 Image: /home/aistudio/attack_example/attack_code/input_image/n02101006_135.jpg ,true label is 64 , pred label is 64 Image: /home/aistudio/attack_example/attack_code/input_image/n02101388_10017.jpg ,true label is 65 , pred label is 65 Image: /home/aistudio/attack_example/attack_code/input_image/n02101556_1116.jpg ,true label is 66 , pred label is 66 Image: /home/aistudio/attack_example/attack_code/input_image/n02102040_1055.jpg ,true label is 67 , pred label is 67 Image: /home/aistudio/attack_example/attack_code/input_image/n02102177_1160.jpg ,true label is 68 , pred label is 68 Image: /home/aistudio/attack_example/attack_code/input_image/n02102318_10000.jpg ,true label is 69 , pred label is 69 Image: /home/aistudio/attack_example/attack_code/input_image/n02102480_101.jpg ,true label is 70 , pred label is 70 Image: /home/aistudio/attack_example/attack_code/input_image/n02102973_1037.jpg ,true label is 71 , pred label is 71 Image: /home/aistudio/attack_example/attack_code/input_image/n02104029_1075.jpg ,true label is 72 , pred label is 72 Image: /home/aistudio/attack_example/attack_code/input_image/n02104365_10071.jpg ,true label is 73 , pred label is 73 Image: /home/aistudio/attack_example/attack_code/input_image/n02105056_1165.jpg ,true label is 74 , pred label is 74 Image: /home/aistudio/attack_example/attack_code/input_image/n02105162_10076.jpg ,true label is 75 , pred label is 75 Image: /home/aistudio/attack_example/attack_code/input_image/n02105251_1588.jpg ,true label is 76 , pred label is 76 Image: /home/aistudio/attack_example/attack_code/input_image/n02105412_1159.jpg ,true label is 77 , pred label is 77 Image: /home/aistudio/attack_example/attack_code/input_image/n02105505_1018.jpg ,true label is 78 , pred label is 78 Image: /home/aistudio/attack_example/attack_code/input_image/n02105641_10051.jpg ,true label is 79 , pred label is 79 Image: /home/aistudio/attack_example/attack_code/input_image/n02105855_10095.jpg ,true label is 80 , pred label is 80 Image: /home/aistudio/attack_example/attack_code/input_image/n02106030_11148.jpg ,true label is 81 , pred label is 81 Image: /home/aistudio/attack_example/attack_code/input_image/n02106166_1205.jpg ,true label is 82 , pred label is 82 Image: /home/aistudio/attack_example/attack_code/input_image/n02106382_1005.jpg ,true label is 83 , pred label is 83 Image: /home/aistudio/attack_example/attack_code/input_image/n02106550_10048.jpg ,true label is 84 , pred label is 84 Image: /home/aistudio/attack_example/attack_code/input_image/n02106662_10122.jpg ,true label is 85 , pred label is 85 Image: /home/aistudio/attack_example/attack_code/input_image/n02107142_10952.jpg ,true label is 86 , pred label is 86 Image: /home/aistudio/attack_example/attack_code/input_image/n02107312_105.jpg ,true label is 87 , pred label is 87 Image: /home/aistudio/attack_example/attack_code/input_image/n02107574_1026.jpg ,true label is 88 , pred label is 88 Image: /home/aistudio/attack_example/attack_code/input_image/n02107683_1003.jpg ,true label is 89 , pred label is 89 Image: /home/aistudio/attack_example/attack_code/input_image/n02107908_1030.jpg ,true label is 90 , pred label is 90 Image: /home/aistudio/attack_example/attack_code/input_image/n02108000_1087.jpg ,true label is 91 , pred label is 91 Image: /home/aistudio/attack_example/attack_code/input_image/n02108089_1104.jpg ,true label is 92 , pred label is 92 Image: /home/aistudio/attack_example/attack_code/input_image/n02108422_1096.jpg ,true label is 93 , pred label is 93 Image: /home/aistudio/attack_example/attack_code/input_image/n02108551_1025.jpg ,true label is 94 , pred label is 94 Image: /home/aistudio/attack_example/attack_code/input_image/n02108915_10564.jpg ,true label is 95 , pred label is 95 Image: /home/aistudio/attack_example/attack_code/input_image/n02109047_10160.jpg ,true label is 96 , pred label is 96 Image: /home/aistudio/attack_example/attack_code/input_image/n02109525_10032.jpg ,true label is 97 , pred label is 97 Image: /home/aistudio/attack_example/attack_code/input_image/n02109961_11224.jpg ,true label is 98 , pred label is 98 Image: /home/aistudio/attack_example/attack_code/input_image/n02110063_11105.jpg ,true label is 99 , pred label is 99 Image: /home/aistudio/attack_example/attack_code/input_image/n02110185_10116.jpg ,true label is 100 , pred label is 100 Image: /home/aistudio/attack_example/attack_code/input_image/n02110627_10147.jpg ,true label is 101 , pred label is 101 Image: /home/aistudio/attack_example/attack_code/input_image/n02110806_1214.jpg ,true label is 102 , pred label is 102 Image: /home/aistudio/attack_example/attack_code/input_image/n02110958_10378.jpg ,true label is 103 , pred label is 103 Image: /home/aistudio/attack_example/attack_code/input_image/n02111129_1111.jpg ,true label is 104 , pred label is 104 Image: /home/aistudio/attack_example/attack_code/input_image/n02111277_10237.jpg ,true label is 105 , pred label is 105 Image: /home/aistudio/attack_example/attack_code/input_image/n02111500_1048.jpg ,true label is 106 , pred label is 106 Image: /home/aistudio/attack_example/attack_code/input_image/n02111889_10059.jpg ,true label is 107 , pred label is 107 Image: /home/aistudio/attack_example/attack_code/input_image/n02112018_10158.jpg ,true label is 108 , pred label is 108 Image: /home/aistudio/attack_example/attack_code/input_image/n02112137_1005.jpg ,true label is 109 , pred label is 109 Image: /home/aistudio/attack_example/attack_code/input_image/n02112350_10079.jpg ,true label is 110 , pred label is 110 Image: /home/aistudio/attack_example/attack_code/input_image/n02112706_105.jpg ,true label is 111 , pred label is 111 Image: /home/aistudio/attack_example/attack_code/input_image/n02113023_1136.jpg ,true label is 112 , pred label is 112 Image: /home/aistudio/attack_example/attack_code/input_image/n02113186_1030.jpg ,true label is 113 , pred label is 113 Image: /home/aistudio/attack_example/attack_code/input_image/n02113624_1461.jpg ,true label is 114 , pred label is 114 Image: /home/aistudio/attack_example/attack_code/input_image/n02113712_10525.jpg ,true label is 115 , pred label is 115 Image: /home/aistudio/attack_example/attack_code/input_image/n02113799_1155.jpg ,true label is 116 , pred label is 116 Image: /home/aistudio/attack_example/attack_code/input_image/n02113978_1034.jpg ,true label is 117 , pred label is 117 Image: /home/aistudio/attack_example/attack_code/input_image/n02115641_10261.jpg ,true label is 118 , pred label is 118 Image: /home/aistudio/attack_example/attack_code/input_image/n02115913_1010.jpg ,true label is 119 , pred label is 119 Image: /home/aistudio/attack_example/attack_code/input_image/n02116738_10024.jpg ,true label is 120 , pred label is 120 the accuracy is 1.0
由上,我们的原始样本在模型上的正确率为100%
2. 对抗样本生成
2.1 resize大法
顾名思义,就是将原始样本先压缩到一个比较小的尺寸,再放大回原来的尺寸。其实是降低了图片的分辨率。 代码中将此操作放入图片处理函数中,先将样本压缩到(16,16),在放大回(224,224)。
In[6]
import cv2
def process_img_resize(img_path="",image_shape=[3,224,224]):
mean = [0.485, 0.456, 0.406]
std = [0.229, 0.224, 0.225]
img = cv2.imread(img_path)
#img = cv2.resize(img,(image_shape[1],image_shape[2]))
img = cv2.resize(cv2.resize(img, (16, 16), cv2.INTER_LINEAR), (224, 224), cv2.INTER_LINEAR)
#RBG img [224,224,3]->[3,224,224]
img = img[:, :, ::-1].astype('float32').transpose((2, 0, 1)) / 255
#img = img.astype('float32').transpose((2, 0, 1)) / 255
img_mean = np.array(mean).reshape((3, 1, 1))
img_std = np.array(std).reshape((3, 1, 1))
img -= img_mean
img /= img_std
img=img.astype('float32')
img=np.expand_dims(img, axis=0)
return img而在gen_acc函数中,只需修改调用的图片处理函数即可。
In[7]
output_dir = "./output_image_resize/"
if not os.path.exists("./output_image_resize"):
os.mkdir("./output_image_resize")
def gen_acc():
original_files = get_original_file(input_dir + val_list)
acc = 0
len_example = len(original_files)
for filename, label in original_files:
img_path = input_dir + filename
##读入图像,转换维度,归一化##########
######################################
######################################
#修改此处调用
img=process_img_resize(img_path)
######################################
######################################
##进行前向推理
pred_label, pred_score = inference(img)
##Save resize image(.jpg)
adv_img = tensor2img(img)
save_adv_image(adv_img, output_dir+filename)
print("Image: {0} ,true label is {1} , pred label is {2}".format(img_path,label,pred_label))
if(pred_label == label):
acc = acc+1
acc = acc/len_example
print("the accuracy is {}".format(acc))
In[8]
gen_acc()Image: /home/aistudio/attack_example/attack_code/input_image/n02085620_10074.jpg ,true label is 1 , pred label is 25 Image: /home/aistudio/attack_example/attack_code/input_image/n02085782_1039.jpg ,true label is 2 , pred label is 2 Image: /home/aistudio/attack_example/attack_code/input_image/n02085936_10130.jpg ,true label is 3 , pred label is 2 Image: /home/aistudio/attack_example/attack_code/input_image/n02086079_10600.jpg ,true label is 4 , pred label is 44 Image: /home/aistudio/attack_example/attack_code/input_image/n02086240_1059.jpg ,true label is 5 , pred label is 6 Image: /home/aistudio/attack_example/attack_code/input_image/n02086646_1002.jpg ,true label is 6 , pred label is 2 Image: /home/aistudio/attack_example/attack_code/input_image/n02086910_1048.jpg ,true label is 7 , pred label is 2 Image: /home/aistudio/attack_example/attack_code/input_image/n02087046_1206.jpg ,true label is 8 , pred label is 2 Image: /home/aistudio/attack_example/attack_code/input_image/n02087394_11337.jpg ,true label is 9 , pred label is 111 Image: /home/aistudio/attack_example/attack_code/input_image/n02088094_1003.jpg ,true label is 10 , pred label is 101 Image: /home/aistudio/attack_example/attack_code/input_image/n02088238_10013.jpg ,true label is 11 , pred label is 2 Image: /home/aistudio/attack_example/attack_code/input_image/n02088364_10108.jpg ,true label is 12 , pred label is 2 Image: /home/aistudio/attack_example/attack_code/input_image/n02088466_10083.jpg ,true label is 13 , pred label is 15 Image: /home/aistudio/attack_example/attack_code/input_image/n02088632_101.jpg ,true label is 14 , pred label is 2 Image: /home/aistudio/attack_example/attack_code/input_image/n02089078_1064.jpg ,true label is 15 , pred label is 15 Image: /home/aistudio/attack_example/attack_code/input_image/n02089867_1029.jpg ,true label is 16 , pred label is 2 Image: /home/aistudio/attack_example/attack_code/input_image/n02089973_1066.jpg ,true label is 17 , pred label is 2 Image: /home/aistudio/attack_example/attack_code/input_image/n02090379_1272.jpg ,true label is 18 , pred label is 35 Image: /home/aistudio/attack_example/attack_code/input_image/n02090622_10343.jpg ,true label is 19 , pred label is 2 Image: /home/aistudio/attack_example/attack_code/input_image/n02090721_1292.jpg ,true label is 20 , pred label is 120 Image: /home/aistudio/attack_example/attack_code/input_image/n02091032_10079.jpg ,true label is 21 , pred label is 25 Image: /home/aistudio/attack_example/attack_code/input_image/n02091134_10107.jpg ,true label is 22 , pred label is 2 Image: /home/aistudio/attack_example/attack_code/input_image/n02091244_1000.jpg ,true label is 23 , pred label is 2 Image: /home/aistudio/attack_example/attack_code/input_image/n02091467_1110.jpg ,true label is 24 , pred label is 2 Image: /home/aistudio/attack_example/attack_code/input_image/n02091635_1319.jpg ,true label is 25 , pred label is 120 Image: /home/aistudio/attack_example/attack_code/input_image/n02091831_10576.jpg ,true label is 26 , pred label is 78 Image: /home/aistudio/attack_example/attack_code/input_image/n02092002_10699.jpg ,true label is 27 , pred label is 60 Image: /home/aistudio/attack_example/attack_code/input_image/n02092339_1100.jpg ,true label is 28 , pred label is 32 Image: /home/aistudio/attack_example/attack_code/input_image/n02093256_11023.jpg ,true label is 29 , pred label is 2 Image: /home/aistudio/attack_example/attack_code/input_image/n02093428_10947.jpg ,true label is 30 , pred label is 32 Image: /home/aistudio/attack_example/attack_code/input_image/n02093647_1037.jpg ,true label is 31 , pred label is 117 Image: /home/aistudio/attack_example/attack_code/input_image/n02093754_1062.jpg ,true label is 32 , pred label is 25 Image: /home/aistudio/attack_example/attack_code/input_image/n02093859_1003.jpg ,true label is 33 , pred label is 120 Image: /home/aistudio/attack_example/attack_code/input_image/n02093991_1026.jpg ,true label is 34 , pred label is 71 Image: /home/aistudio/attack_example/attack_code/input_image/n02094114_1173.jpg ,true label is 35 , pred label is 2 Image: /home/aistudio/attack_example/attack_code/input_image/n02094258_1004.jpg ,true label is 36 , pred label is 25 Image: /home/aistudio/attack_example/attack_code/input_image/n02094433_10126.jpg ,true label is 37 , pred label is 101 Image: /home/aistudio/attack_example/attack_code/input_image/n02095314_1033.jpg ,true label is 38 , pred label is 2 Image: /home/aistudio/attack_example/attack_code/input_image/n02095570_1031.jpg ,true label is 39 , pred label is 120 Image: /home/aistudio/attack_example/attack_code/input_image/n02095889_1003.jpg ,true label is 40 , pred label is 40 Image: /home/aistudio/attack_example/attack_code/input_image/n02096051_1110.jpg ,true label is 41 , pred label is 25 Image: /home/aistudio/attack_example/attack_code/input_image/n02096177_10031.jpg ,true label is 42 , pred label is 15 Image: /home/aistudio/attack_example/attack_code/input_image/n02096294_1111.jpg ,true label is 43 , pred label is 25 Image: /home/aistudio/attack_example/attack_code/input_image/n02096437_1055.jpg ,true label is 44 , pred label is 2 Image: /home/aistudio/attack_example/attack_code/input_image/n02096585_10604.jpg ,true label is 45 , pred label is 120 Image: /home/aistudio/attack_example/attack_code/input_image/n02097047_1412.jpg ,true label is 46 , pred label is 31 Image: /home/aistudio/attack_example/attack_code/input_image/n02097130_1193.jpg ,true label is 47 , pred label is 2 Image: /home/aistudio/attack_example/attack_code/input_image/n02097209_1038.jpg ,true label is 48 , pred label is 2 Image: /home/aistudio/attack_example/attack_code/input_image/n02097298_10676.jpg ,true label is 49 , pred label is 2 Image: /home/aistudio/attack_example/attack_code/input_image/n02097474_1070.jpg ,true label is 50 , pred label is 2 Image: /home/aistudio/attack_example/attack_code/input_image/n02097658_1018.jpg ,true label is 51 , pred label is 2 Image: /home/aistudio/attack_example/attack_code/input_image/n02098105_1078.jpg ,true label is 52 , pred label is 2 Image: /home/aistudio/attack_example/attack_code/input_image/n02098286_1009.jpg ,true label is 53 , pred label is 2 Image: /home/aistudio/attack_example/attack_code/input_image/n02098413_11385.jpg ,true label is 54 , pred label is 25 Image: /home/aistudio/attack_example/attack_code/input_image/n02099267_1018.jpg ,true label is 55 , pred label is 83 Image: /home/aistudio/attack_example/attack_code/input_image/n02099429_1039.jpg ,true label is 56 , pred label is 2 Image: /home/aistudio/attack_example/attack_code/input_image/n02099601_100.jpg ,true label is 57 , pred label is 57 Image: /home/aistudio/attack_example/attack_code/input_image/n02099712_1150.jpg ,true label is 58 , pred label is 2 Image: /home/aistudio/attack_example/attack_code/input_image/n02099849_1068.jpg ,true label is 59 , pred label is 25 Image: /home/aistudio/attack_example/attack_code/input_image/n02100236_1244.jpg ,true label is 60 , pred label is 56 Image: /home/aistudio/attack_example/attack_code/input_image/n02100583_10249.jpg ,true label is 61 , pred label is 64 Image: /home/aistudio/attack_example/attack_code/input_image/n02100735_10064.jpg ,true label is 62 , pred label is 2 Image: /home/aistudio/attack_example/attack_code/input_image/n02100877_1062.jpg ,true label is 63 , pred label is 63 Image: /home/aistudio/attack_example/attack_code/input_image/n02101006_135.jpg ,true label is 64 , pred label is 2 Image: /home/aistudio/attack_example/attack_code/input_image/n02101388_10017.jpg ,true label is 65 , pred label is 6 Image: /home/aistudio/attack_example/attack_code/input_image/n02101556_1116.jpg ,true label is 66 , pred label is 40 Image: /home/aistudio/attack_example/attack_code/input_image/n02102040_1055.jpg ,true label is 67 , pred label is 2 Image: /home/aistudio/attack_example/attack_code/input_image/n02102177_1160.jpg ,true label is 68 , pred label is 2 Image: /home/aistudio/attack_example/attack_code/input_image/n02102318_10000.jpg ,true label is 69 , pred label is 6 Image: /home/aistudio/attack_example/attack_code/input_image/n02102480_101.jpg ,true label is 70 , pred label is 25 Image: /home/aistudio/attack_example/attack_code/input_image/n02102973_1037.jpg ,true label is 71 , pred label is 120 Image: /home/aistudio/attack_example/attack_code/input_image/n02104029_1075.jpg ,true label is 72 , pred label is 40 Image: /home/aistudio/attack_example/attack_code/input_image/n02104365_10071.jpg ,true label is 73 , pred label is 120 Image: /home/aistudio/attack_example/attack_code/input_image/n02105056_1165.jpg ,true label is 74 , pred label is 15 Image: /home/aistudio/attack_example/attack_code/input_image/n02105162_10076.jpg ,true label is 75 , pred label is 120 Image: /home/aistudio/attack_example/attack_code/input_image/n02105251_1588.jpg ,true label is 76 , pred label is 2 Image: /home/aistudio/attack_example/attack_code/input_image/n02105412_1159.jpg ,true label is 77 , pred label is 15 Image: /home/aistudio/attack_example/attack_code/input_image/n02105505_1018.jpg ,true label is 78 , pred label is 2 Image: /home/aistudio/attack_example/attack_code/input_image/n02105641_10051.jpg ,true label is 79 , pred label is 25 Image: /home/aistudio/attack_example/attack_code/input_image/n02105855_10095.jpg ,true label is 80 , pred label is 2 Image: /home/aistudio/attack_example/attack_code/input_image/n02106030_11148.jpg ,true label is 81 , pred label is 102 Image: /home/aistudio/attack_example/attack_code/input_image/n02106166_1205.jpg ,true label is 82 , pred label is 2 Image: /home/aistudio/attack_example/attack_code/input_image/n02106382_1005.jpg ,true label is 83 , pred label is 71 Image: /home/aistudio/attack_example/attack_code/input_image/n02106550_10048.jpg ,true label is 84 , pred label is 64 Image: /home/aistudio/attack_example/attack_code/input_image/n02106662_10122.jpg ,true label is 85 , pred label is 2 Image: /home/aistudio/attack_example/attack_code/input_image/n02107142_10952.jpg ,true label is 86 , pred label is 15 Image: /home/aistudio/attack_example/attack_code/input_image/n02107312_105.jpg ,true label is 87 , pred label is 64 Image: /home/aistudio/attack_example/attack_code/input_image/n02107574_1026.jpg ,true label is 88 , pred label is 91 Image: /home/aistudio/attack_example/attack_code/input_image/n02107683_1003.jpg ,true label is 89 , pred label is 2 Image: /home/aistudio/attack_example/attack_code/input_image/n02107908_1030.jpg ,true label is 90 , pred label is 89 Image: /home/aistudio/attack_example/attack_code/input_image/n02108000_1087.jpg ,true label is 91 , pred label is 15 Image: /home/aistudio/attack_example/attack_code/input_image/n02108089_1104.jpg ,true label is 92 , pred label is 2 Image: /home/aistudio/attack_example/attack_code/input_image/n02108422_1096.jpg ,true label is 93 , pred label is 38 Image: /home/aistudio/attack_example/attack_code/input_image/n02108551_1025.jpg ,true label is 94 , pred label is 64 Image: /home/aistudio/attack_example/attack_code/input_image/n02108915_10564.jpg ,true label is 95 , pred label is 117 Image: /home/aistudio/attack_example/attack_code/input_image/n02109047_10160.jpg ,true label is 96 , pred label is 25 Image: /home/aistudio/attack_example/attack_code/input_image/n02109525_10032.jpg ,true label is 97 , pred label is 2 Image: /home/aistudio/attack_example/attack_code/input_image/n02109961_11224.jpg ,true label is 98 , pred label is 25 Image: /home/aistudio/attack_example/attack_code/input_image/n02110063_11105.jpg ,true label is 99 , pred label is 2 Image: /home/aistudio/attack_example/attack_code/input_image/n02110185_10116.jpg ,true label is 100 , pred label is 91 Image: /home/aistudio/attack_example/attack_code/input_image/n02110627_10147.jpg ,true label is 101 , pred label is 2 Image: /home/aistudio/attack_example/attack_code/input_image/n02110806_1214.jpg ,true label is 102 , pred label is 2 Image: /home/aistudio/attack_example/attack_code/input_image/n02110958_10378.jpg ,true label is 103 , pred label is 2 Image: /home/aistudio/attack_example/attack_code/input_image/n02111129_1111.jpg ,true label is 104 , pred label is 120 Image: /home/aistudio/attack_example/attack_code/input_image/n02111277_10237.jpg ,true label is 105 , pred label is 2 Image: /home/aistudio/attack_example/attack_code/input_image/n02111500_1048.jpg ,true label is 106 , pred label is 2 Image: /home/aistudio/attack_example/attack_code/input_image/n02111889_10059.jpg ,true label is 107 , pred label is 40 Image: /home/aistudio/attack_example/attack_code/input_image/n02112018_10158.jpg ,true label is 108 , pred label is 2 Image: /home/aistudio/attack_example/attack_code/input_image/n02112137_1005.jpg ,true label is 109 , pred label is 34 Image: /home/aistudio/attack_example/attack_code/input_image/n02112350_10079.jpg ,true label is 110 , pred label is 110 Image: /home/aistudio/attack_example/attack_code/input_image/n02112706_105.jpg ,true label is 111 , pred label is 34 Image: /home/aistudio/attack_example/attack_code/input_image/n02113023_1136.jpg ,true label is 112 , pred label is 2 Image: /home/aistudio/attack_example/attack_code/input_image/n02113186_1030.jpg ,true label is 113 , pred label is 2 Image: /home/aistudio/attack_example/attack_code/input_image/n02113624_1461.jpg ,true label is 114 , pred label is 25 Image: /home/aistudio/attack_example/attack_code/input_image/n02113712_10525.jpg ,true label is 115 , pred label is 2 Image: /home/aistudio/attack_example/attack_code/input_image/n02113799_1155.jpg ,true label is 116 , pred label is 56 Image: /home/aistudio/attack_example/attack_code/input_image/n02113978_1034.jpg ,true label is 117 , pred label is 2 Image: /home/aistudio/attack_example/attack_code/input_image/n02115641_10261.jpg ,true label is 118 , pred label is 25 Image: /home/aistudio/attack_example/attack_code/input_image/n02115913_1010.jpg ,true label is 119 , pred label is 119 Image: /home/aistudio/attack_example/attack_code/input_image/n02116738_10024.jpg ,true label is 120 , pred label is 25 the accuracy is 0.058333333333333334
多了只此一行代码,模型几乎全军覆没,正确率掉到只有5.83334%。
下面我们看看原图和经过resize之后图片的对比。
In[9]
#定义一个观察图片区别的函数
def show_images_diff(original_img,adversarial_img):
#original_img = np.array(Image.open(original_img))
#adversarial_img = np.array(Image.open(adversarial_img))
original_img=cv2.resize(original_img.copy(),(224,224))
adversarial_img=cv2.resize(adversarial_img.copy(),(224,224))
plt.figure(figsize=(10,10))
#original_img=original_img/255.0
#adversarial_img=adversarial_img/255.0
plt.subplot(1, 3, 1)
plt.title('Original Image')
plt.imshow(original_img)
plt.axis('off')
plt.subplot(1, 3, 2)
plt.title('Adversarial Image')
plt.imshow(adversarial_img)
plt.axis('off')
plt.subplot(1, 3, 3)
plt.title('Difference')
difference = 0.0+adversarial_img - original_img
l0 = np.where(difference != 0)[0].shape[0]*100/(224*224*3)
l2 = np.linalg.norm(difference)/(256*3)
linf=np.linalg.norm(difference.copy().ravel(),ord=np.inf)
# print(difference)
print("l0={}% l2={} linf={}".format(l0, l2,linf))
#(-1,1) -> (0,1)
#灰色打底 容易看出区别
difference=difference/255.0
difference=difference/2.0+0.5
plt.imshow(difference)
plt.axis('off')
plt.show()
In[10]
from PIL import Image, ImageOps
import cv2
import matplotlib.pyplot as plt
#########################################
##此处的pname可替换为你想查看的图片
pname = "n02085620_10074.jpg"
#########################################
image_name, image_ext = pname.split('.')
#pname_attack = image_name + ".png"
original_img=np.array(Image.open("/home/aistudio/attack_example/attack_code/input_image/" + pname))
adversarial_img=np.array(Image.open("/home/aistudio/attack_example/attack_code/output_image_resize/" + pname))
show_images_diff(original_img,adversarial_img)l0=90.96978635204081% l2=15.028726155708648 linf=193.0
2.2 椒盐大法
顾名思义,就是在照片上撒点椒盐,多寡随意,丰俭由人。
下面定义添加椒盐噪声的函数。
In[16]
import numpy as np
import numpy.random as random
np.random.seed(2020)
def addsalt_pepper(src,percetage):
NoiseImg=src
NoiseNum=int(percetage*src.shape[0]*src.shape[1])
for i in range(NoiseNum):
randX=random.random_integers(0,src.shape[0]-1)
randY=random.random_integers(0,src.shape[1]-1)
if random.random_integers(0,1)<=0.5:
NoiseImg[randX,randY]=0
else:
NoiseImg[randX,randY]=255
return NoiseImg同样的,我们将处理图片的代码添加到precess_img函数中并重命名
In[17]
import cv2
def process_img_salt(img_path="",image_shape=[3,224,224]):
mean = [0.485, 0.456, 0.406]
std = [0.229, 0.224, 0.225]
img = cv2.imread(img_path)
img = cv2.resize(img,(image_shape[1],image_shape[2]))
img = addsalt_pepper(img, 0.1)
#RBG img [224,224,3]->[3,224,224]
img = img[:, :, ::-1].astype('float32').transpose((2, 0, 1)) / 255
#img = img.astype('float32').transpose((2, 0, 1)) / 255
img_mean = np.array(mean).reshape((3, 1, 1))
img_std = np.array(std).reshape((3, 1, 1))
img -= img_mean
img /= img_std
img=img.astype('float32')
img=np.expand_dims(img, axis=0)
return img In[18]
output_dir = "./output_image_salt/"
if not os.path.exists("./output_image_salt"):
os.mkdir("./output_image_salt")
def gen_acc():
original_files = get_original_file(input_dir + val_list)
acc = 0
len_example = len(original_files)
for filename, label in original_files:
img_path = input_dir + filename
##读入图像,转换维度,归一化##########
######################################
######################################
#修改此处调用
img=process_img_salt(img_path)
######################################
######################################
##进行前向推理
pred_label, pred_score = inference(img)
##Save resize image(.jpg)
adv_img = tensor2img(img)
save_adv_image(adv_img, output_dir+filename)
print("Image: {0} ,true label is {1} , pred label is {2}".format(img_path,label,pred_label))
if(pred_label == label):
acc = acc+1
acc = acc/len_example
print("the accuracy is {}".format(acc))
In[19]
gen_acc()/opt/conda/envs/python35-paddle120-env/lib/python3.7/site-packages/ipykernel_launcher.py:8: DeprecationWarning: This function is deprecated. Please call randint(0, 223 + 1) instead /opt/conda/envs/python35-paddle120-env/lib/python3.7/site-packages/ipykernel_launcher.py:9: DeprecationWarning: This function is deprecated. Please call randint(0, 223 + 1) instead if __name__ == '__main__': /opt/conda/envs/python35-paddle120-env/lib/python3.7/site-packages/ipykernel_launcher.py:10: DeprecationWarning: This function is deprecated. Please call randint(0, 1 + 1) instead # Remove the CWD from sys.path while we load stuff.
Image: /home/aistudio/attack_example/attack_code/input_image/n02085620_10074.jpg ,true label is 1 , pred label is 1 Image: /home/aistudio/attack_example/attack_code/input_image/n02085782_1039.jpg ,true label is 2 , pred label is 2 Image: /home/aistudio/attack_example/attack_code/input_image/n02085936_10130.jpg ,true label is 3 , pred label is 44 Image: /home/aistudio/attack_example/attack_code/input_image/n02086079_10600.jpg ,true label is 4 , pred label is 107 Image: /home/aistudio/attack_example/attack_code/input_image/n02086240_1059.jpg ,true label is 5 , pred label is 5 Image: /home/aistudio/attack_example/attack_code/input_image/n02086646_1002.jpg ,true label is 6 , pred label is 69 Image: /home/aistudio/attack_example/attack_code/input_image/n02086910_1048.jpg ,true label is 7 , pred label is 6 Image: /home/aistudio/attack_example/attack_code/input_image/n02087046_1206.jpg ,true label is 8 , pred label is 24 Image: /home/aistudio/attack_example/attack_code/input_image/n02087394_11337.jpg ,true label is 9 , pred label is 9 Image: /home/aistudio/attack_example/attack_code/input_image/n02088094_1003.jpg ,true label is 10 , pred label is 105 Image: /home/aistudio/attack_example/attack_code/input_image/n02088238_10013.jpg ,true label is 11 , pred label is 115 Image: /home/aistudio/attack_example/attack_code/input_image/n02088364_10108.jpg ,true label is 12 , pred label is 69 Image: /home/aistudio/attack_example/attack_code/input_image/n02088466_10083.jpg ,true label is 13 , pred label is 13 Image: /home/aistudio/attack_example/attack_code/input_image/n02088632_101.jpg ,true label is 14 , pred label is 14 Image: /home/aistudio/attack_example/attack_code/input_image/n02089078_1064.jpg ,true label is 15 , pred label is 64 Image: /home/aistudio/attack_example/attack_code/input_image/n02089867_1029.jpg ,true label is 16 , pred label is 16 Image: /home/aistudio/attack_example/attack_code/input_image/n02089973_1066.jpg ,true label is 17 , pred label is 17 Image: /home/aistudio/attack_example/attack_code/input_image/n02090379_1272.jpg ,true label is 18 , pred label is 18 Image: /home/aistudio/attack_example/attack_code/input_image/n02090622_10343.jpg ,true label is 19 , pred label is 116 Image: /home/aistudio/attack_example/attack_code/input_image/n02090721_1292.jpg ,true label is 20 , pred label is 31 Image: /home/aistudio/attack_example/attack_code/input_image/n02091032_10079.jpg ,true label is 21 , pred label is 95 Image: /home/aistudio/attack_example/attack_code/input_image/n02091134_10107.jpg ,true label is 22 , pred label is 92 Image: /home/aistudio/attack_example/attack_code/input_image/n02091244_1000.jpg ,true label is 23 , pred label is 23 Image: /home/aistudio/attack_example/attack_code/input_image/n02091467_1110.jpg ,true label is 24 , pred label is 100 Image: /home/aistudio/attack_example/attack_code/input_image/n02091635_1319.jpg ,true label is 25 , pred label is 52 Image: /home/aistudio/attack_example/attack_code/input_image/n02091831_10576.jpg ,true label is 26 , pred label is 92 Image: /home/aistudio/attack_example/attack_code/input_image/n02092002_10699.jpg ,true label is 27 , pred label is 27 Image: /home/aistudio/attack_example/attack_code/input_image/n02092339_1100.jpg ,true label is 28 , pred label is 55 Image: /home/aistudio/attack_example/attack_code/input_image/n02093256_11023.jpg ,true label is 29 , pred label is 71 Image: /home/aistudio/attack_example/attack_code/input_image/n02093428_10947.jpg ,true label is 30 , pred label is 75 Image: /home/aistudio/attack_example/attack_code/input_image/n02093647_1037.jpg ,true label is 31 , pred label is 31 Image: /home/aistudio/attack_example/attack_code/input_image/n02093754_1062.jpg ,true label is 32 , pred label is 39 Image: /home/aistudio/attack_example/attack_code/input_image/n02093859_1003.jpg ,true label is 33 , pred label is 33 Image: /home/aistudio/attack_example/attack_code/input_image/n02093991_1026.jpg ,true label is 34 , pred label is 114 Image: /home/aistudio/attack_example/attack_code/input_image/n02094114_1173.jpg ,true label is 35 , pred label is 41 Image: /home/aistudio/attack_example/attack_code/input_image/n02094258_1004.jpg ,true label is 36 , pred label is 43 Image: /home/aistudio/attack_example/attack_code/input_image/n02094433_10126.jpg ,true label is 37 , pred label is 37 Image: /home/aistudio/attack_example/attack_code/input_image/n02095314_1033.jpg ,true label is 38 , pred label is 62 Image: /home/aistudio/attack_example/attack_code/input_image/n02095570_1031.jpg ,true label is 39 , pred label is 39 Image: /home/aistudio/attack_example/attack_code/input_image/n02095889_1003.jpg ,true label is 40 , pred label is 39 Image: /home/aistudio/attack_example/attack_code/input_image/n02096051_1110.jpg ,true label is 41 , pred label is 41 Image: /home/aistudio/attack_example/attack_code/input_image/n02096177_10031.jpg ,true label is 42 , pred label is 116 Image: /home/aistudio/attack_example/attack_code/input_image/n02096294_1111.jpg ,true label is 43 , pred label is 38 Image: /home/aistudio/attack_example/attack_code/input_image/n02096437_1055.jpg ,true label is 44 , pred label is 52 Image: /home/aistudio/attack_example/attack_code/input_image/n02096585_10604.jpg ,true label is 45 , pred label is 55 Image: /home/aistudio/attack_example/attack_code/input_image/n02097047_1412.jpg ,true label is 46 , pred label is 33 Image: /home/aistudio/attack_example/attack_code/input_image/n02097130_1193.jpg ,true label is 47 , pred label is 47 Image: /home/aistudio/attack_example/attack_code/input_image/n02097209_1038.jpg ,true label is 48 , pred label is 48 Image: /home/aistudio/attack_example/attack_code/input_image/n02097298_10676.jpg ,true label is 49 , pred label is 105 Image: /home/aistudio/attack_example/attack_code/input_image/n02097474_1070.jpg ,true label is 50 , pred label is 47 Image: /home/aistudio/attack_example/attack_code/input_image/n02097658_1018.jpg ,true label is 51 , pred label is 36 Image: /home/aistudio/attack_example/attack_code/input_image/n02098105_1078.jpg ,true label is 52 , pred label is 52 Image: /home/aistudio/attack_example/attack_code/input_image/n02098286_1009.jpg ,true label is 53 , pred label is 100 Image: /home/aistudio/attack_example/attack_code/input_image/n02098413_11385.jpg ,true label is 54 , pred label is 66 Image: /home/aistudio/attack_example/attack_code/input_image/n02099267_1018.jpg ,true label is 55 , pred label is 55 Image: /home/aistudio/attack_example/attack_code/input_image/n02099429_1039.jpg ,true label is 56 , pred label is 105 Image: /home/aistudio/attack_example/attack_code/input_image/n02099601_100.jpg ,true label is 57 , pred label is 57 Image: /home/aistudio/attack_example/attack_code/input_image/n02099712_1150.jpg ,true label is 58 , pred label is 115 Image: /home/aistudio/attack_example/attack_code/input_image/n02099849_1068.jpg ,true label is 59 , pred label is 115 Image: /home/aistudio/attack_example/attack_code/input_image/n02100236_1244.jpg ,true label is 60 , pred label is 47 Image: /home/aistudio/attack_example/attack_code/input_image/n02100583_10249.jpg ,true label is 61 , pred label is 18 Image: /home/aistudio/attack_example/attack_code/input_image/n02100735_10064.jpg ,true label is 62 , pred label is 115 Image: /home/aistudio/attack_example/attack_code/input_image/n02100877_1062.jpg ,true label is 63 , pred label is 63 Image: /home/aistudio/attack_example/attack_code/input_image/n02101006_135.jpg ,true label is 64 , pred label is 64 Image: /home/aistudio/attack_example/attack_code/input_image/n02101388_10017.jpg ,true label is 65 , pred label is 65 Image: /home/aistudio/attack_example/attack_code/input_image/n02101556_1116.jpg ,true label is 66 , pred label is 62 Image: /home/aistudio/attack_example/attack_code/input_image/n02102040_1055.jpg ,true label is 67 , pred label is 97 Image: /home/aistudio/attack_example/attack_code/input_image/n02102177_1160.jpg ,true label is 68 , pred label is 68 Image: /home/aistudio/attack_example/attack_code/input_image/n02102318_10000.jpg ,true label is 69 , pred label is 69 Image: /home/aistudio/attack_example/attack_code/input_image/n02102480_101.jpg ,true label is 70 , pred label is 115 Image: /home/aistudio/attack_example/attack_code/input_image/n02102973_1037.jpg ,true label is 71 , pred label is 105 Image: /home/aistudio/attack_example/attack_code/input_image/n02104029_1075.jpg ,true label is 72 , pred label is 100 Image: /home/aistudio/attack_example/attack_code/input_image/n02104365_10071.jpg ,true label is 73 , pred label is 73 Image: /home/aistudio/attack_example/attack_code/input_image/n02105056_1165.jpg ,true label is 74 , pred label is 74 Image: /home/aistudio/attack_example/attack_code/input_image/n02105162_10076.jpg ,true label is 75 , pred label is 75 Image: /home/aistudio/attack_example/attack_code/input_image/n02105251_1588.jpg ,true label is 76 , pred label is 103 Image: /home/aistudio/attack_example/attack_code/input_image/n02105412_1159.jpg ,true label is 77 , pred label is 77 Image: /home/aistudio/attack_example/attack_code/input_image/n02105505_1018.jpg ,true label is 78 , pred label is 116 Image: /home/aistudio/attack_example/attack_code/input_image/n02105641_10051.jpg ,true label is 79 , pred label is 31 Image: /home/aistudio/attack_example/attack_code/input_image/n02105855_10095.jpg ,true label is 80 , pred label is 105 Image: /home/aistudio/attack_example/attack_code/input_image/n02106030_11148.jpg ,true label is 81 , pred label is 109 Image: /home/aistudio/attack_example/attack_code/input_image/n02106166_1205.jpg ,true label is 82 , pred label is 105 Image: /home/aistudio/attack_example/attack_code/input_image/n02106382_1005.jpg ,true label is 83 , pred label is 83 Image: /home/aistudio/attack_example/attack_code/input_image/n02106550_10048.jpg ,true label is 84 , pred label is 84 Image: /home/aistudio/attack_example/attack_code/input_image/n02106662_10122.jpg ,true label is 85 , pred label is 85 Image: /home/aistudio/attack_example/attack_code/input_image/n02107142_10952.jpg ,true label is 86 , pred label is 86 Image: /home/aistudio/attack_example/attack_code/input_image/n02107312_105.jpg ,true label is 87 , pred label is 87 Image: /home/aistudio/attack_example/attack_code/input_image/n02107574_1026.jpg ,true label is 88 , pred label is 88 Image: /home/aistudio/attack_example/attack_code/input_image/n02107683_1003.jpg ,true label is 89 , pred label is 105 Image: /home/aistudio/attack_example/attack_code/input_image/n02107908_1030.jpg ,true label is 90 , pred label is 89 Image: /home/aistudio/attack_example/attack_code/input_image/n02108000_1087.jpg ,true label is 91 , pred label is 88 Image: /home/aistudio/attack_example/attack_code/input_image/n02108089_1104.jpg ,true label is 92 , pred label is 97 Image: /home/aistudio/attack_example/attack_code/input_image/n02108422_1096.jpg ,true label is 93 , pred label is 93 Image: /home/aistudio/attack_example/attack_code/input_image/n02108551_1025.jpg ,true label is 94 , pred label is 94 Image: /home/aistudio/attack_example/attack_code/input_image/n02108915_10564.jpg ,true label is 95 , pred label is 95 Image: /home/aistudio/attack_example/attack_code/input_image/n02109047_10160.jpg ,true label is 96 , pred label is 104 Image: /home/aistudio/attack_example/attack_code/input_image/n02109525_10032.jpg ,true label is 97 , pred label is 97 Image: /home/aistudio/attack_example/attack_code/input_image/n02109961_11224.jpg ,true label is 98 , pred label is 98 Image: /home/aistudio/attack_example/attack_code/input_image/n02110063_11105.jpg ,true label is 99 , pred label is 85 Image: /home/aistudio/attack_example/attack_code/input_image/n02110185_10116.jpg ,true label is 100 , pred label is 73 Image: /home/aistudio/attack_example/attack_code/input_image/n02110627_10147.jpg ,true label is 101 , pred label is 115 Image: /home/aistudio/attack_example/attack_code/input_image/n02110806_1214.jpg ,true label is 102 , pred label is 8 Image: /home/aistudio/attack_example/attack_code/input_image/n02110958_10378.jpg ,true label is 103 , pred label is 83 Image: /home/aistudio/attack_example/attack_code/input_image/n02111129_1111.jpg ,true label is 104 , pred label is 104 Image: /home/aistudio/attack_example/attack_code/input_image/n02111277_10237.jpg ,true label is 105 , pred label is 86 Image: /home/aistudio/attack_example/attack_code/input_image/n02111500_1048.jpg ,true label is 106 , pred label is 116 Image: /home/aistudio/attack_example/attack_code/input_image/n02111889_10059.jpg ,true label is 107 , pred label is 107 Image: /home/aistudio/attack_example/attack_code/input_image/n02112018_10158.jpg ,true label is 108 , pred label is 108 Image: /home/aistudio/attack_example/attack_code/input_image/n02112137_1005.jpg ,true label is 109 , pred label is 109 Image: /home/aistudio/attack_example/attack_code/input_image/n02112350_10079.jpg ,true label is 110 , pred label is 110 Image: /home/aistudio/attack_example/attack_code/input_image/n02112706_105.jpg ,true label is 111 , pred label is 104 Image: /home/aistudio/attack_example/attack_code/input_image/n02113023_1136.jpg ,true label is 112 , pred label is 109 Image: /home/aistudio/attack_example/attack_code/input_image/n02113186_1030.jpg ,true label is 113 , pred label is 113 Image: /home/aistudio/attack_example/attack_code/input_image/n02113624_1461.jpg ,true label is 114 , pred label is 44 Image: /home/aistudio/attack_example/attack_code/input_image/n02113712_10525.jpg ,true label is 115 , pred label is 114 Image: /home/aistudio/attack_example/attack_code/input_image/n02113799_1155.jpg ,true label is 116 , pred label is 83 Image: /home/aistudio/attack_example/attack_code/input_image/n02113978_1034.jpg ,true label is 117 , pred label is 117 Image: /home/aistudio/attack_example/attack_code/input_image/n02115641_10261.jpg ,true label is 118 , pred label is 118 Image: /home/aistudio/attack_example/attack_code/input_image/n02115913_1010.jpg ,true label is 119 , pred label is 59 Image: /home/aistudio/attack_example/attack_code/input_image/n02116738_10024.jpg ,true label is 120 , pred label is 120 the accuracy is 0.4166666666666667
可以看到,为原图像10%的像素添加椒盐噪声后,正确率由1降为0.41667。
下面我们直观看看原来的图片和添加椒盐噪声的图片有什么区别。
In[15]
from PIL import Image, ImageOps
import cv2
import matplotlib.pyplot as plt
#########################################
##此处的pname可替换为你想查看的图片
pname = "n02085620_10074.jpg"
#########################################
image_name, image_ext = pname.split('.')
#pname_attack = image_name + ".png"
original_img=np.array(Image.open("/home/aistudio/attack_example/attack_code/input_image/" + pname))
adversarial_img=np.array(Image.open("/home/aistudio/attack_example/attack_code/output_image_salt/" + pname))
show_images_diff(original_img,adversarial_img)l0=84.56234056122449% l2=23.405695470792207 linf=255.0
至此也就到本项目的最后了,我们用一表格对比原图正确率,resize图片之后的正确率,添加椒盐噪声的正确率。
| 原图acc | resize_acc | salt_acc |
|---|---|---|
| 1 | 0.05834 | 0.41667 |
希望本项目对你有所帮助启发。
点击链接,使用AI Studio一键上手实践项目吧:https://aistudio.baidu.com/aistudio/projectdetail/301861
下载安装命令
## CPU版本安装命令
pip install -f https://paddlepaddle.org.cn/pip/oschina/cpu paddlepaddle
## GPU版本安装命令
pip install -f https://paddlepaddle.org.cn/pip/oschina/gpu paddlepaddle-gpu >> 访问 PaddlePaddle 官网,了解更多相关内容。