heart_library.attacks.evasion package

Submodules

heart_library.attacks.evasion.hop_skip_jump module

This module extends ART’s HopSkipJump attack to support HEART.

class heart_library.attacks.evasion.hop_skip_jump.HeartHopSkipJump(classifier: Any, batch_size: int = 64, targeted: bool = False, norm: float | str = 2, max_iter: int = 50, max_eval: int = 10000, init_eval: int = 100, init_size: int = 100, verbose: bool = True)

Bases: HopSkipJump

Extension of ART’s implementation of the HopSkipJump attack which supports channel first images.

Parameters:

HopSkipJump (HopSkipJump) – HopSkipJump object to be wrapped.

Examples

We can create a HeartHopSkipJump attack by defining the image data, model parameters, and attack specification:

>>> from torchvision.models import resnet18, ResNet18_Weights
>>> from heart_library.estimators.classification.pytorch import JaticPyTorchClassifier
>>> import torch
>>> from datasets import load_dataset
>>> from heart_library.attacks.evasion import HeartHopSkipJump
>>> from heart_library.attacks.attack import JaticAttack

Define the JaticPyTorchClassifier inputs, in this case for image classification:

>>> data = load_dataset("cifar10", split="test[0:10]")
>>> model = resnet18(ResNet18_Weights)
>>> loss_fn = torch.nn.CrossEntropyLoss(reduction="sum")
>>> optimizer = torch.optim.Adam(model.parameters(), lr=0.01)
>>> jptc = JaticPyTorchClassifier(
...     model=model,
...     loss=loss_fn,
...     optimizer=optimizer,
...     input_shape=(3, 32, 32),
...     nb_classes=10,
...     clip_values=(0, 255),
...     preprocessing=(0.0, 255),
... )

Define the HeartHopSkipJump attack, wrap in HEART attack class and execute:

>>> hsj_attack = HeartHopSkipJump(
...     classifier=jptc, targeted=True, verbose=True, max_iter=50, max_eval=10, init_eval=10
... )
>>> attack = JaticAttack(hsj_attack, norm=2)

Generate adversarial images:

>>> x_adv, y, metadata = attack(data=data)
>>> x_adv[0][0][0][0][0]
158.0

generate(x: ndarray[Any, dtype[float32]], y: ndarray[Any, dtype[float32]] | None = None, **kwargs: Any) → ndarray[Any, dtype[float32]]

Generate adversarial samples and return them in an array.

Parameters:
  • x (NDArray[np.float32]) – An array with the original inputs to be attacked.

  • y (Optional[NDArray[np.float32]], optional) – Target values (class labels) one-hot-encoded of shape (nb_samples, nb_classes) or indices of shape (nb_samples,). Defaults to None.

  • mask (NDArray[np.float32]) – An array with a mask broadcastable to input x defining where to apply adversarial perturbations. Shape needs to be broadcastable to the shape of x and can also be of the same shape as x. Any features for which the mask is zero will not be adversarially perturbed.

  • x_adv_init (NDArray[np.float32]) – Initial array to act as initial adversarial examples. Same shape as x.

  • resume (bool) – Allow users to continue their previous attack.

Raises:
  • ValueError – if target labels y are not provided.

  • ValueError – if target labels y are not correctly provided as an np.ndarray.

  • ValueError – if attack has not yet been tested for binary classification with a single output classifier.

  • ValueError – if attack is targeted and target labels y are not provided.

Returns:

An array holding the adversarial examples.

Return type:

NDArray[np.float32]
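
A sanity check for the arrays passed to and returned by generate(), added here as an example and not part of HEART or ART: it confirms that features where the mask is zero were left unperturbed, that values stay inside clip_values, and reports the per-sample perturbation norm. The function name audit_adversarial_batch and the sample arrays are assumptions constructed for illustration.

```python
import numpy as np


def audit_adversarial_batch(x, x_adv, mask=None, norm=2, clip_values=(0.0, 255.0)):
    """Check a batch of adversarial examples against the constraints it was given.

    Returns per-sample perturbation norms, the number of features changed where
    the mask is zero, and the number of features outside clip_values.
    """
    x = np.asarray(x, dtype=np.float32)
    x_adv = np.asarray(x_adv, dtype=np.float32)
    if x.shape != x_adv.shape:
        raise ValueError(f"shape mismatch: {x.shape} vs {x_adv.shape}")

    # Flatten each sample so the norm is taken over all of its features.
    delta = (x_adv - x).reshape(len(x), -1)
    if norm in (np.inf, "inf"):
        norms = np.abs(delta).max(axis=1)
    else:
        norms = np.linalg.norm(delta, ord=norm, axis=1)

    mask_violations = 0
    if mask is not None:
        # broadcast_to raises ValueError when the mask is not broadcastable to x.
        full_mask = np.broadcast_to(np.asarray(mask), x.shape)
        mask_violations = int(np.count_nonzero((x_adv != x) & (full_mask == 0)))

    low, high = clip_values
    clip_violations = int(np.count_nonzero((x_adv < low) | (x_adv > high)))
    return {"norms": norms, "mask_violations": mask_violations,
            "clip_violations": clip_violations}


# Constructed sample data (not real attack output): two 3x4x4 channel-first images.
x_clean = np.arange(96, dtype=np.float32).reshape(2, 3, 4, 4)
mask = np.zeros((1, 1, 4, 4), dtype=np.float32)
mask[..., :2, :] = 1.0  # only the top two rows may be perturbed

x_ok = x_clean.copy()
x_ok[:, :, :2, :] += 4.0        # perturbation confined to the unmasked rows
x_bad = x_ok.copy()
x_bad[0, 0, 3, 3] = 300.0       # changes a masked-out pixel and leaves the clip range

if __name__ == "__main__":
    print(audit_adversarial_batch(x_clean, x_ok, mask, norm=np.inf))
    print(audit_adversarial_batch(x_clean, x_bad, mask, norm=2))
```

A non-zero mask_violations or clip_violations count on real output means the evaluation ran under different constraints than the ones recorded for it.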

heart_library.attacks.evasion.laser_attack module

This module extends ART’s LaserAttack attack to support HEART.

class heart_library.attacks.evasion.laser_attack.HeartLaserAttack(estimator: Any, iterations: int, laser_generator: Any, image_generator: Any = <art.attacks.evasion.laser_attack.utils.ImageGenerator object>, random_initializations: int = 1, optimisation_algorithm: Callable = <function _greedy_search>, debug: Any | None = None)

Bases: LaserAttack

Extension of ART’s implementation of a generic laser attack case which supports channel first images.

Parameters:

LaserAttack (LaserAttack) – Generic laser attack case.

Examples

We can create a HeartLaserAttack by defining the image data, model parameters, and attack specification:

>>> from torchvision.models import resnet18, ResNet18_Weights
>>> from heart_library.estimators.classification.pytorch import JaticPyTorchClassifier
>>> import torch
>>> from datasets import load_dataset
>>> from heart_library.attacks.evasion.laser_attack import HeartLaserAttack
>>> from heart_library.attacks.attack import JaticAttack
>>> from art.attacks.evasion.laser_attack.laser_attack import LaserBeamGenerator, LaserBeam

Define the JaticPyTorchClassifier inputs, in this case for image classification:

>>> data = load_dataset("cifar10", split="test[0:10]")
>>> model = resnet18(ResNet18_Weights)
>>> loss_fn = torch.nn.CrossEntropyLoss(reduction="sum")
>>> optimizer = torch.optim.Adam(model.parameters(), lr=0.01)
>>> jptc = JaticPyTorchClassifier(
...     model=model,
...     loss=loss_fn,
...     optimizer=optimizer,
...     input_shape=(3, 32, 32),
...     nb_classes=10,
...     clip_values=(0, 255),
...     preprocessing=(0.0, 255),
... )

Define the HeartLaserAttack, wrap in HEART attack class and execute:

>>> laser_min = LaserBeam.from_array([380, 0, 0, 0])
>>> laser_max = LaserBeam.from_array([780, 3.14, 32, 32])
>>> laser_generator = LaserBeamGenerator(laser_min, laser_max)
>>> laser_attack = HeartLaserAttack(jptc, 5, laser_generator=laser_generator, random_initializations=10)
>>> attack = JaticAttack(laser_attack, norm=2)

Generate adversarial images:

>>> x_adv, y, metadata = attack(data=data)

generate(x: ndarray[Any, dtype[float32]], y: ndarray[Any, dtype[float32]] | None = None, **kwargs: Any) → ndarray[Any, dtype[float32]]

Generate adversarial examples.

Parameters:
  • x (NDArray[np.float32]) – Images to attack as a tensor in NHWC order.

  • y (Optional[NDArray[np.float32]], optional) – Array of correct classes. Defaults to None.

Raises:

ValueError – If input dimension is unrecognized, != 4.

Returns:

Array of adversarial images.

Return type:

NDArray[np.float32]

class heart_library.attacks.evasion.laser_attack.HeartLaserBeamAttack(estimator: Any, iterations: int, max_laser_beam: Any | tuple[float, float, float, int], min_laser_beam: Any | tuple[float, float, float, int] = (380.0, 0.0, 1.0, 1), random_initializations: int = 1, image_generator: Any = <art.attacks.evasion.laser_attack.utils.ImageGenerator object>, debug: Any | None = None)

Bases: HeartLaserAttack

Extension of ART’s implementation of the LaserBeam attack, which supports channel first images.

Parameters:

HeartLaserAttack (HeartLaserAttack) – HEART Laserbeam attack.

Examples

We can create a HeartLaserBeamAttack by defining the image data, model parameters, and attack specification:

>>> from torchvision.models import resnet18, ResNet18_Weights
>>> from heart_library.estimators.classification.pytorch import JaticPyTorchClassifier
>>> import torch
>>> from datasets import load_dataset
>>> from heart_library.attacks.evasion import HeartLaserBeamAttack
>>> from heart_library.attacks.attack import JaticAttack

Define the JaticPyTorchClassifier inputs, in this case for image classification:

>>> data = load_dataset("cifar10", split="test[0:10]")
>>> model = resnet18(ResNet18_Weights)
>>> loss_fn = torch.nn.CrossEntropyLoss(reduction="sum")
>>> optimizer = torch.optim.Adam(model.parameters(), lr=0.01)
>>> jptc = JaticPyTorchClassifier(
...     model=model,
...     loss=loss_fn,
...     optimizer=optimizer,
...     input_shape=(3, 32, 32),
...     nb_classes=10,
...     clip_values=(0, 255),
...     preprocessing=(0.0, 255),
... )

Define the HeartLaserBeamAttack, wrap in HEART attack class and execute:

>>> laser_attack = HeartLaserBeamAttack(jptc, 5, max_laser_beam=(580, 3.14, 100, 100), random_initializations=10)
>>> attack = JaticAttack(laser_attack, norm=2)

Generate adversarial images:

>>> x_adv, y, metadata = attack(data=data)
>>> x_adv[0][0][0][0][0]
1.0

heart_library.attacks.evasion.query_efficient_bb_attack module

This module implements a HEART-compatible ART Query Efficient Black Box attack.

class heart_library.attacks.evasion.query_efficient_bb_attack.HeartQueryEfficientBlackBoxAttack(estimator: Any, num_basis: int = 20, sigma: float = 0.015625, round_samples: float = 0.0, norm: float | str = inf, eps: float | ndarray[Any, dtype[float32]] = 0.3, eps_step: float | ndarray[Any, dtype[float32]] = 0.1, targeted: bool = False, num_random_init: int = 0, batch_size: int = 32, minimal: bool = False, **kwargs: Any)

Bases: EvasionAttack

HEART defined extension of ART core Query Efficient Black Box attack.

Parameters:

EvasionAttack (EvasionAttack) – ART core Query Efficient Black Box attack.

Examples

We can create a HeartQueryEfficientBlackBoxAttack by defining the image data, model parameters, and attack specification:

>>> from torchvision.models import resnet18, ResNet18_Weights
>>> from heart_library.estimators.classification.pytorch import JaticPyTorchClassifier
>>> import torch
>>> from datasets import load_dataset
>>> from heart_library.attacks.evasion.query_efficient_bb_attack import HeartQueryEfficientBlackBoxAttack
>>> from heart_library.attacks.attack import JaticAttack

Define the JaticPyTorchClassifier inputs, in this case for image classification:

>>> data = load_dataset("cifar10", split="test[0:10]")
>>> model = resnet18(ResNet18_Weights)
>>> loss_fn = torch.nn.CrossEntropyLoss(reduction="sum")
>>> optimizer = torch.optim.Adam(model.parameters(), lr=0.01)
>>> jptc = JaticPyTorchClassifier(
...     model=model,
...     loss=loss_fn,
...     optimizer=optimizer,
...     input_shape=(3, 32, 32),
...     nb_classes=10,
...     clip_values=(0, 255),
...     preprocessing=(0.0, 255),
... )

Define the HeartQueryEfficientBlackBoxAttack, wrap in HEART attack class and execute:

>>> query_attack = HeartQueryEfficientBlackBoxAttack(estimator=jptc, eps=0.2)
>>> attack = JaticAttack(query_attack, norm=2)

Generate adversarial images:

>>> x_adv, y, metadata = attack(data=data)
>>> x_adv[0][0][0][0][0]
158.0

attack_params: list[str] = ['norm', 'eps', 'eps_step', 'targeted', 'num_random_init', 'batch_size', 'minimal', 'summary_writer']

generate(x: ndarray[Any, dtype[float32]], y: ndarray[Any, dtype[float32]] | None = None, **kwargs: Any) → ndarray[Any, dtype[float32]]

Generate adversarial examples and return them as an array.

Parameters:
  • x (NDArray[np.float32]) – An array with the original inputs to be attacked.

  • y (Optional[NDArray[np.float32]], optional) – Correct labels or target labels for x, depending on if the attack is targeted or not. This parameter is only used by some of the attacks. Defaults to None.

Returns:

An array holding the adversarial examples.

Return type:

NDArray[np.float32]

Module contents

Module providing evasion attacks

class heart_library.attacks.evasion.HeartHopSkipJump(classifier: Any, batch_size: int = 64, targeted: bool = False, norm: float | str = 2, max_iter: int = 50, max_eval: int = 10000, init_eval: int = 100, init_size: int = 100, verbose: bool = True)

Bases: HopSkipJump

Extension of ART’s implementation of the HopSkipJump attack which supports channel first images.

Parameters:

HopSkipJump (HopSkipJump) – HopSkipJump object to be wrapped.

Examples

We can create a HeartHopSkipJump attack by defining the image data, model parameters, and attack specification:

>>> from torchvision.models import resnet18, ResNet18_Weights
>>> from heart_library.estimators.classification.pytorch import JaticPyTorchClassifier
>>> import torch
>>> from datasets import load_dataset
>>> from heart_library.attacks.evasion import HeartHopSkipJump
>>> from heart_library.attacks.attack import JaticAttack

Define the JaticPyTorchClassifier inputs, in this case for image classification:

>>> data = load_dataset("cifar10", split="test[0:10]")
>>> model = resnet18(ResNet18_Weights)
>>> loss_fn = torch.nn.CrossEntropyLoss(reduction="sum")
>>> optimizer = torch.optim.Adam(model.parameters(), lr=0.01)
>>> jptc = JaticPyTorchClassifier(
...     model=model,
...     loss=loss_fn,
...     optimizer=optimizer,
...     input_shape=(3, 32, 32),
...     nb_classes=10,
...     clip_values=(0, 255),
...     preprocessing=(0.0, 255),
... )

Define the HeartHopSkipJump attack, wrap in HEART attack class and execute:

>>> hsj_attack = HeartHopSkipJump(
...     classifier=jptc, targeted=True, verbose=True, max_iter=50, max_eval=10, init_eval=10
... )
>>> attack = JaticAttack(hsj_attack, norm=2)

Generate adversarial images:

>>> x_adv, y, metadata = attack(data=data)
>>> x_adv[0][0][0][0][0]
158.0

generate(x: ndarray[Any, dtype[float32]], y: ndarray[Any, dtype[float32]] | None = None, **kwargs: Any) → ndarray[Any, dtype[float32]]

Generate adversarial samples and return them in an array.

Parameters:
  • x (NDArray[np.float32]) – An array with the original inputs to be attacked.

  • y (Optional[NDArray[np.float32]], optional) – Target values (class labels) one-hot-encoded of shape (nb_samples, nb_classes) or indices of shape (nb_samples,). Defaults to None.

  • mask (NDArray[np.float32]) – An array with a mask broadcastable to input x defining where to apply adversarial perturbations. Shape needs to be broadcastable to the shape of x and can also be of the same shape as x. Any features for which the mask is zero will not be adversarially perturbed.

  • x_adv_init (NDArray[np.float32]) – Initial array to act as initial adversarial examples. Same shape as x.

  • resume (bool) – Allow users to continue their previous attack.

Raises:
  • ValueError – if target labels y are not provided.

  • ValueError – if target labels y are not correctly provided as an np.ndarray.

  • ValueError – if attack has not yet been tested for binary classification with a single output classifier.

  • ValueError – if attack is targeted and target labels y are not provided.

Returns:

An array holding the adversarial examples.

Return type:

NDArray[np.float32]

class heart_library.attacks.evasion.HeartLaserBeamAttack(estimator: Any, iterations: int, max_laser_beam: Any | tuple[float, float, float, int], min_laser_beam: Any | tuple[float, float, float, int] = (380.0, 0.0, 1.0, 1), random_initializations: int = 1, image_generator: Any = <art.attacks.evasion.laser_attack.utils.ImageGenerator object>, debug: Any | None = None)

Bases: HeartLaserAttack

Extension of ART’s implementation of the LaserBeam attack, which supports channel first images.

Parameters:

HeartLaserAttack (HeartLaserAttack) – HEART Laserbeam attack.

Examples

We can create a HeartLaserBeamAttack by defining the image data, model parameters, and attack specification:

>>> from torchvision.models import resnet18, ResNet18_Weights
>>> from heart_library.estimators.classification.pytorch import JaticPyTorchClassifier
>>> import torch
>>> from datasets import load_dataset
>>> from heart_library.attacks.evasion import HeartLaserBeamAttack
>>> from heart_library.attacks.attack import JaticAttack

Define the JaticPyTorchClassifier inputs, in this case for image classification:

>>> data = load_dataset("cifar10", split="test[0:10]")
>>> model = resnet18(ResNet18_Weights)
>>> loss_fn = torch.nn.CrossEntropyLoss(reduction="sum")
>>> optimizer = torch.optim.Adam(model.parameters(), lr=0.01)
>>> jptc = JaticPyTorchClassifier(
...     model=model,
...     loss=loss_fn,
...     optimizer=optimizer,
...     input_shape=(3, 32, 32),
...     nb_classes=10,
...     clip_values=(0, 255),
...     preprocessing=(0.0, 255),
... )

Define the HeartLaserBeamAttack, wrap in HEART attack class and execute:

>>> laser_attack = HeartLaserBeamAttack(jptc, 5, max_laser_beam=(580, 3.14, 100, 100), random_initializations=10)
>>> attack = JaticAttack(laser_attack, norm=2)

Generate adversarial images:

>>> x_adv, y, metadata = attack(data=data)
>>> x_adv[0][0][0][0][0]
1.0

class heart_library.attacks.evasion.HeartQueryEfficientBlackBoxAttack(estimator: Any, num_basis: int = 20, sigma: float = 0.015625, round_samples: float = 0.0, norm: float | str = inf, eps: float | ndarray[Any, dtype[float32]] = 0.3, eps_step: float | ndarray[Any, dtype[float32]] = 0.1, targeted: bool = False, num_random_init: int = 0, batch_size: int = 32, minimal: bool = False, **kwargs: Any)

Bases: EvasionAttack

HEART defined extension of ART core Query Efficient Black Box attack.

Parameters:

EvasionAttack (EvasionAttack) – ART core Query Efficient Black Box attack.

Examples

We can create a HeartQueryEfficientBlackBoxAttack by defining the image data, model parameters, and attack specification:

>>> from torchvision.models import resnet18, ResNet18_Weights
>>> from heart_library.estimators.classification.pytorch import JaticPyTorchClassifier
>>> import torch
>>> from datasets import load_dataset
>>> from heart_library.attacks.evasion.query_efficient_bb_attack import HeartQueryEfficientBlackBoxAttack
>>> from heart_library.attacks.attack import JaticAttack

Define the JaticPyTorchClassifier inputs, in this case for image classification:

>>> data = load_dataset("cifar10", split="test[0:10]")
>>> model = resnet18(ResNet18_Weights)
>>> loss_fn = torch.nn.CrossEntropyLoss(reduction="sum")
>>> optimizer = torch.optim.Adam(model.parameters(), lr=0.01)
>>> jptc = JaticPyTorchClassifier(
...     model=model,
...     loss=loss_fn,
...     optimizer=optimizer,
...     input_shape=(3, 32, 32),
...     nb_classes=10,
...     clip_values=(0, 255),
...     preprocessing=(0.0, 255),
... )

Define the HeartQueryEfficientBlackBoxAttack, wrap in HEART attack class and execute:

>>> query_attack = HeartQueryEfficientBlackBoxAttack(estimator=jptc, eps=0.2)
>>> attack = JaticAttack(query_attack, norm=2)

Generate adversarial images:

>>> x_adv, y, metadata = attack(data=data)
>>> x_adv[0][0][0][0][0]
158.0

attack_params: list[str] = ['norm', 'eps', 'eps_step', 'targeted', 'num_random_init', 'batch_size', 'minimal', 'summary_writer']

generate(x: ndarray[Any, dtype[float32]], y: ndarray[Any, dtype[float32]] | None = None, **kwargs: Any) → ndarray[Any, dtype[float32]]

Generate adversarial examples and return them as an array.

Parameters:
  • x (NDArray[np.float32]) – An array with the original inputs to be attacked.

  • y (Optional[NDArray[np.float32]], optional) – Correct labels or target labels for x, depending on if the attack is targeted or not. This parameter is only used by some of the attacks. Defaults to None.

Returns:

An array holding the adversarial examples.

Return type:

NDArray[np.float32]