mindarmour.adv_robustness.evaluations
This module includes various metrics to evaluate the result of attacks or defenses.
- class mindarmour.adv_robustness.evaluations.AttackEvaluate(inputs, labels, adv_inputs, adv_preds, targeted=False, target_label=None)
Evaluation metrics of attack methods.
- Parameters
inputs (numpy.ndarray) – Original samples.
labels (numpy.ndarray) – Labels of the original samples, in one-hot format.
adv_inputs (numpy.ndarray) – Adversarial samples generated from original samples.
adv_preds (numpy.ndarray) – Probability of all output classes of adversarial examples.
targeted (bool) – If True, it is a targeted attack. If False, it is an untargeted attack. Default: False.
target_label (numpy.ndarray) – Targeted classes of adversarial examples, a one-dimensional array of size adv_inputs.shape[0]. Default: None.
- Raises
ValueError – If target_label is None when targeted is True.
Examples
>>> import numpy as np
>>> from mindarmour.adv_robustness.evaluations import AttackEvaluate
>>> x = np.random.normal(size=(3, 512, 512, 3))
>>> adv_x = np.random.normal(size=(3, 512, 512, 3))
>>> y = np.array([[0.1, 0.1, 0.2, 0.6],
...               [0.1, 0.7, 0.0, 0.2],
...               [0.8, 0.1, 0.0, 0.1]])
>>> adv_y = np.array([[0.1, 0.1, 0.2, 0.6],
...                   [0.1, 0.0, 0.8, 0.1],
...                   [0.0, 0.9, 0.1, 0.0]])
>>> attack_eval = AttackEvaluate(x, y, adv_x, adv_y)
>>> mr = attack_eval.mis_classification_rate()
- avg_conf_adv_class()
Calculate average confidence of adversarial class (ACAC).
- Returns
float, ranges between (0, 1). The higher, the more successful the attack is.
- avg_conf_true_class()
Calculate average confidence of true class (ACTC).
- Returns
float, ranges between (0, 1). The lower, the more successful the attack is.
- avg_lp_distance()
Calculate average lp distance (lp-dist).
- Returns
float, the average l0, l2, or linf distance over all successful adversarial examples. The return value covers the following cases.
If return value >= 0, average lp distance. The lower, the more successful the attack is.
If return value is -1, there are no successful adversarial examples.
- avg_ssim()
Calculate average structural similarity (ASS).
- Returns
float, average structural similarity.
If return value ranges between (0, 1), the higher, the more successful the attack is.
If return value is -1, there are no successful adversarial examples.
- mis_classification_rate()
Calculate misclassification rate (MR).
- Returns
float, ranges between (0, 1). The higher, the more successful the attack is.
- nte()
Calculate noise tolerance estimation (NTE).
References: Towards Imperceptible and Robust Adversarial Example Attacks against Neural Networks
- Returns
float, ranges between (0, 1). The higher, the more successful the attack is.
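Added example (not MindArmour code): a plain-Python reference computation of MR, ACAC and ACTC on the y and adv_y arrays from the AttackEvaluate example, useful for sanity-checking reported numbers. It assumes the usual definitions: an untargeted sample succeeds when its predicted class differs from the true class, a targeted one when it equals the target, and ACAC/ACTC average the adversarial output's probability for the predicted/true class over successful samples. The name attack_metrics and the None result for "no successful samples" are choices of this sketch.

```python
# Added illustration; not MindArmour source code.
def argmax(row):
    """Index of the largest entry (first one on ties, like numpy.argmax)."""
    return max(range(len(row)), key=row.__getitem__)


def attack_metrics(labels, adv_preds, targeted=False, target_label=None):
    """Return (MR, ACAC, ACTC) for one batch of adversarial outputs."""
    if targeted and target_label is None:
        # Same precondition the page documents under "Raises".
        raise ValueError("target_label is required when targeted=True")
    true_cls = [argmax(r) for r in labels]
    adv_cls = [argmax(r) for r in adv_preds]
    if targeted:
        success = [i for i, c in enumerate(adv_cls) if c == target_label[i]]
    else:
        success = [i for i, c in enumerate(adv_cls) if c != true_cls[i]]
    mr = len(success) / len(adv_cls)
    if not success:
        # Assumption of this sketch: no confidence to average, so report None.
        return mr, None, None
    # ACAC: confidence the model puts on the (wrong) class it predicted.
    acac = sum(adv_preds[i][adv_cls[i]] for i in success) / len(success)
    # ACTC: confidence the model still puts on the true class.
    actc = sum(adv_preds[i][true_cls[i]] for i in success) / len(success)
    return mr, acac, actc


# Values copied from the page's AttackEvaluate example.
Y = [[0.1, 0.1, 0.2, 0.6],
     [0.1, 0.7, 0.0, 0.2],
     [0.8, 0.1, 0.0, 0.1]]
ADV_Y = [[0.1, 0.1, 0.2, 0.6],
         [0.1, 0.0, 0.8, 0.1],
         [0.0, 0.9, 0.1, 0.0]]

if __name__ == "__main__":
    print(attack_metrics(Y, ADV_Y))
    # Constructed target labels for the targeted case.
    print(attack_metrics(Y, ADV_Y, targeted=True, target_label=[0, 2, 0]))
```

The first sample keeps its original class, so only two of the three samples count toward ACAC and ACTC.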
- class mindarmour.adv_robustness.evaluations.BlackDefenseEvaluate(raw_preds, def_preds, raw_query_counts, def_query_counts, raw_query_time, def_query_time, def_detection_counts, true_labels, max_queries)
Evaluation metrics of anti-black-box defense method.
- Parameters
raw_preds (numpy.ndarray) – Prediction results of certain samples on the raw model.
def_preds (numpy.ndarray) – Prediction results of certain samples on the defended model.
raw_query_counts (numpy.ndarray) – Number of queries to generate adversarial examples on the raw model, a one-dimensional array of size raw_preds.shape[0]. For benign samples, query count must be set to 0.
def_query_counts (numpy.ndarray) – Number of queries to generate adversarial examples on the defended model, a one-dimensional array of size raw_preds.shape[0]. For benign samples, query count must be set to 0.
raw_query_time (numpy.ndarray) – The total time duration to generate an adversarial example on the raw model, a one-dimensional array of size raw_preds.shape[0].
def_query_time (numpy.ndarray) – The total time duration to generate an adversarial example on the defended model, a one-dimensional array of size raw_preds.shape[0].
def_detection_counts (numpy.ndarray) – Total number of detected queries during each adversarial example generation, a one-dimensional array of size raw_preds.shape[0]. For a benign sample, the def_detection_counts is set to 1 if the query is identified as suspicious, and 0 otherwise.
true_labels (numpy.ndarray) – True labels, a one-dimensional array of size raw_preds.shape[0].
max_queries (int) – Attack budget, the maximum number of queries.
Examples
>>> import numpy as np
>>> from mindarmour.adv_robustness.evaluations import BlackDefenseEvaluate
>>> raw_preds = np.array([[0.1, 0.1, 0.2, 0.6],
...                       [0.1, 0.7, 0.0, 0.2],
...                       [0.8, 0.1, 0.0, 0.1]])
>>> def_preds = np.array([[0.1, 0.1, 0.1, 0.7],
...                       [0.1, 0.6, 0.2, 0.1],
...                       [0.1, 0.2, 0.1, 0.6]])
>>> raw_query_counts = np.array([0, 20, 10])
>>> def_query_counts = np.array([0, 50, 60])
>>> raw_query_time = np.array([0.1, 2, 1])
>>> def_query_time = np.array([0.2, 6, 5])
>>> def_detection_counts = np.array([1, 5, 10])
>>> true_labels = np.array([3, 1, 0])
>>> max_queries = 100
>>> def_eval = BlackDefenseEvaluate(raw_preds,
...                                 def_preds,
...                                 raw_query_counts,
...                                 def_query_counts,
...                                 raw_query_time,
...                                 def_query_time,
...                                 def_detection_counts,
...                                 true_labels,
...                                 max_queries)
>>> def_eval.qcv()
- asv()
Calculate attack success rate variance (ASV).
- Returns
float, the lower, the stronger the defense is. If num_adv_samples=0, return -1.
- fpr()
Calculate false positive rate (FPR) of the query-based detector.
- Returns
float, the lower, the more usable the defense is. If num_adv_samples=0, return -1.
- class mindarmour.adv_robustness.evaluations.DefenseEvaluate(raw_preds, def_preds, true_labels)
Evaluation metrics of defense methods.
- Parameters
raw_preds (numpy.ndarray) – Prediction results of certain samples on the raw model.
def_preds (numpy.ndarray) – Prediction results of certain samples on the defended model.
true_labels (numpy.ndarray) – Ground-truth labels of samples, a one-dimensional array of size raw_preds.shape[0].
Examples
>>> import numpy as np
>>> from mindarmour.adv_robustness.evaluations import DefenseEvaluate
>>> raw_preds = np.array([[0.1, 0.1, 0.2, 0.6],
...                       [0.1, 0.7, 0.0, 0.2],
...                       [0.8, 0.1, 0.0, 0.1]])
>>> def_preds = np.array([[0.1, 0.1, 0.1, 0.7],
...                       [0.1, 0.6, 0.2, 0.1],
...                       [0.1, 0.2, 0.1, 0.6]])
>>> true_labels = np.array([3, 1, 0])
>>> def_eval = DefenseEvaluate(raw_preds,
...                            def_preds,
...                            true_labels)
>>> def_eval.cav()
- cav()
Calculate classification accuracy variance (CAV).
- Returns
float, the higher, the more successful the defense is.
- ccv()
Calculate classification confidence variance (CCV).
- Returns
float, the lower, the more successful the defense is.
If return value == -1, len(idxes) == 0.
- cos()
Calculate classification output stability (COS).
- Returns
float.
If return value >= 0, the defense is effective. The lower, the more successful the defense.
If return value == -1, idxes == 0.
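Added example (not MindArmour code): a plain-Python reference computation of CAV and CCV on the arrays from the DefenseEvaluate example, showing how a defense can lower accuracy while confidence on the still-correct samples barely moves. It assumes CAV is defended-model accuracy minus raw-model accuracy and CCV is the mean absolute change in true-class confidence over samples both models classify correctly, returning -1 when there are none as the page documents. The name defense_metrics is hypothetical.

```python
# Added illustration; not MindArmour source code.
def argmax(row):
    """Index of the largest entry (first one on ties, like numpy.argmax)."""
    return max(range(len(row)), key=row.__getitem__)


def defense_metrics(raw_preds, def_preds, true_labels):
    """Return (CAV, CCV) for samples scored by both the raw and defended model."""
    n = len(true_labels)
    if n == 0 or not (len(raw_preds) == len(def_preds) == n):
        raise ValueError("raw_preds, def_preds and true_labels must align")
    raw_ok = [argmax(p) == t for p, t in zip(raw_preds, true_labels)]
    def_ok = [argmax(p) == t for p, t in zip(def_preds, true_labels)]
    # CAV: accuracy of the defended model minus accuracy of the raw model.
    cav = sum(def_ok) / n - sum(raw_ok) / n
    # CCV is only defined on samples that both models get right.
    idxes = [i for i in range(n) if raw_ok[i] and def_ok[i]]
    if not idxes:
        return cav, -1  # sentinel documented on the page for len(idxes) == 0
    ccv = sum(
        abs(def_preds[i][true_labels[i]] - raw_preds[i][true_labels[i]])
        for i in idxes
    ) / len(idxes)
    return cav, ccv


# Values copied from the page's DefenseEvaluate example.
RAW_PREDS = [[0.1, 0.1, 0.2, 0.6],
             [0.1, 0.7, 0.0, 0.2],
             [0.8, 0.1, 0.0, 0.1]]
DEF_PREDS = [[0.1, 0.1, 0.1, 0.7],
             [0.1, 0.6, 0.2, 0.1],
             [0.1, 0.2, 0.1, 0.6]]
TRUE_LABELS = [3, 1, 0]

if __name__ == "__main__":
    cav, ccv = defense_metrics(RAW_PREDS, DEF_PREDS, TRUE_LABELS)
    print(f"CAV={cav:.3f} CCV={ccv:.3f}")
```

On this data the defended model misclassifies the third sample, so CAV is negative even though the defense is the model under evaluation.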
- class mindarmour.adv_robustness.evaluations.RadarMetric(metrics_name, metrics_data, labels, title, scale='hide')
Radar chart to show the robustness of a model by multiple metrics.
- Parameters
metrics_name (Union[tuple, list]) – An array of names of metrics to show.
metrics_data (numpy.ndarray) – The (normalized) values of each metric for multiple radar curves, like [[0.5, 0.8, …], [0.2,0.6,…], …]. Each set of values corresponds to one radar curve.
title (str) – Title of the chart.
scale (str) – Scalar to adjust axis ticks, such as ‘hide’, ‘norm’, ‘sparse’ or ‘dense’. Default: ‘hide’.
- Raises
ValueError – If scale is not in [‘hide’, ‘norm’, ‘sparse’, ‘dense’].
Examples
>>> from mindarmour.adv_robustness.evaluations import RadarMetric
>>> metrics_name = ['MR', 'ACAC', 'ASS', 'NTE', 'ACTC']
>>> def_metrics = [0.9, 0.85, 0.6, 0.7, 0.8]
>>> raw_metrics = [0.5, 0.3, 0.55, 0.65, 0.7]
>>> metrics_data = [def_metrics, raw_metrics]
>>> metrics_labels = ['before', 'after']
>>> rm = RadarMetric(metrics_name,
...                  metrics_data,
...                  metrics_labels,
...                  title='',
...                  scale='sparse')
>>> rm.show()