mindarmour.adv_robustness.evaluations

This module includes various metrics to evaluate the result of attacks or defenses.

class mindarmour.adv_robustness.evaluations.AttackEvaluate(inputs, labels, adv_inputs, adv_preds, targeted=False, target_label=None)

Evaluation metrics of attack methods.

Parameters
  • inputs (numpy.ndarray) – Original samples.

  • labels (numpy.ndarray) – Labels of the original samples, in one-hot format.

  • adv_inputs (numpy.ndarray) – Adversarial samples generated from original samples.

  • adv_preds (numpy.ndarray) – Probability of all output classes of adversarial examples.

  • targeted (bool) – If True, it is a targeted attack. If False, it is an untargeted attack. Default: False.

  • target_label (numpy.ndarray) – Targeted classes of adversarial examples, a one-dimensional array of size adv_inputs.shape[0]. Default: None.

Raises

ValueError – If target_label is None when targeted is True.

Examples

>>> import numpy as np
>>> from mindarmour.adv_robustness.evaluations import AttackEvaluate
>>> x = np.random.normal(size=(3, 512, 512, 3))
>>> adv_x = np.random.normal(size=(3, 512, 512, 3))
>>> y = np.array([[0.1, 0.1, 0.2, 0.6],
...               [0.1, 0.7, 0.0, 0.2],
...               [0.8, 0.1, 0.0, 0.1]])
>>> adv_y = np.array([[0.1, 0.1, 0.2, 0.6],
...                   [0.1, 0.0, 0.8, 0.1],
...                   [0.0, 0.9, 0.1, 0.0]])
>>> attack_eval = AttackEvaluate(x, y, adv_x, adv_y)
>>> mr = attack_eval.mis_classification_rate()

avg_conf_adv_class()

Calculate average confidence of adversarial class (ACAC).

Returns

float, ranges between (0, 1). The higher, the more successful the attack is.

avg_conf_true_class()

Calculate average confidence of true class (ACTC).

Returns

float, ranges between (0, 1). The lower, the more successful the attack is.

avg_lp_distance()

Calculate average lp distance (lp-dist).

Returns

  • float, the average l0, l2, or linf distance over all successful adversarial examples. The return value covers the following cases:

    • If the return value is >= 0, it is the average lp distance. The lower, the more successful the attack is.

    • If the return value is -1, there are no successful adversarial examples.

avg_ssim()

Calculate average structural similarity (ASS).

Returns

  • float, average structural similarity.

    • If return value ranges between (0, 1), the higher, the more successful the attack is.

    • If the return value is -1, there are no successful adversarial examples.

mis_classification_rate()

Calculate misclassification rate (MR).

Returns

float, ranges between (0, 1). The higher, the more successful the attack is.

nte()

Calculate noise tolerance estimation (NTE).

References: Towards Imperceptible and Robust Adversarial Example Attacks against Neural Networks

Returns

float, ranges between (0, 1). The higher, the more successful the attack is.
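
The following added example (not MindArmour's code) computes MR, ACAC and ACTC with plain NumPy from the arrays in the AttackEvaluate example above, and shows how targeted and target_label change which samples count as successes. The function name attack_metrics, the success criteria used and the -1.0 returned when no sample succeeds are assumptions of this example.

```python
import numpy as np

def attack_metrics(labels, adv_preds, targeted=False, target_label=None):
    """MR, ACAC and ACTC under assumed definitions (not MindArmour's code)."""
    labels = np.asarray(labels, dtype=float)
    adv_preds = np.asarray(adv_preds, dtype=float)
    if labels.ndim != 2 or labels.shape != adv_preds.shape:
        raise ValueError("labels and adv_preds must share one 2-D shape")
    rows = np.arange(adv_preds.shape[0])
    true_cls = labels.argmax(axis=1)
    adv_cls = adv_preds.argmax(axis=1)
    if targeted:
        if target_label is None:
            raise ValueError("target_label is required when targeted is True")
        target_label = np.asarray(target_label, dtype=int)
        if target_label.shape != rows.shape:
            raise ValueError("target_label needs one class index per sample")
        success = adv_cls == target_label          # hit the requested class
        adv_conf = adv_preds[rows, target_label]
    else:
        success = adv_cls != true_cls              # any wrong class counts
        adv_conf = adv_preds.max(axis=1)
    true_conf = adv_preds[rows, true_cls]
    mr = float(success.mean())
    if not success.any():
        # Assumed sentinel, mirroring the -1 the page documents for lp distance.
        return {"mr": mr, "acac": -1.0, "actc": -1.0}
    return {"mr": mr,
            "acac": float(adv_conf[success].mean()),
            "actc": float(true_conf[success].mean())}

# Arrays taken from the AttackEvaluate example on this page.
Y = np.array([[0.1, 0.1, 0.2, 0.6],
              [0.1, 0.7, 0.0, 0.2],
              [0.8, 0.1, 0.0, 0.1]])
ADV_Y = np.array([[0.1, 0.1, 0.2, 0.6],
                  [0.1, 0.0, 0.8, 0.1],
                  [0.0, 0.9, 0.1, 0.0]])

if __name__ == "__main__":
    print(attack_metrics(Y, ADV_Y))
    # Constructed targets: only sample 1 reaches its requested class.
    print(attack_metrics(Y, ADV_Y, targeted=True, target_label=[2, 2, 0]))
```

ACAC and ACTC are averaged over successful samples only, so a high ACAC together with a low ACTC means the model is confidently wrong on the samples that were flipped.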

class mindarmour.adv_robustness.evaluations.BlackDefenseEvaluate(raw_preds, def_preds, raw_query_counts, def_query_counts, raw_query_time, def_query_time, def_detection_counts, true_labels, max_queries)

Evaluation metrics of anti-black-box defense method.

Parameters
  • raw_preds (numpy.ndarray) – Prediction results of certain samples on the raw model.

  • def_preds (numpy.ndarray) – Prediction results of certain samples on the defended model.

  • raw_query_counts (numpy.ndarray) – Number of queries used to generate adversarial examples on the raw model, a one-dimensional array of size raw_preds.shape[0]. For benign samples, the query count must be set to 0.

  • def_query_counts (numpy.ndarray) – Number of queries used to generate adversarial examples on the defended model, a one-dimensional array of size raw_preds.shape[0]. For benign samples, the query count must be set to 0.

  • raw_query_time (numpy.ndarray) – The total time taken to generate an adversarial example on the raw model, a one-dimensional array of size raw_preds.shape[0].

  • def_query_time (numpy.ndarray) – The total time taken to generate an adversarial example on the defended model, a one-dimensional array of size raw_preds.shape[0].

  • def_detection_counts (numpy.ndarray) – Total number of detected queries during each adversarial example generation, a one-dimensional array of size raw_preds.shape[0]. For a benign sample, the def_detection_counts is set to 1 if the query is identified as suspicious, and 0 otherwise.

  • true_labels (numpy.ndarray) – True labels in one-dim whose size is raw_preds.shape[0].

  • max_queries (int) – Attack budget, the maximum number of queries.

Examples

>>> import numpy as np
>>> from mindarmour.adv_robustness.evaluations import BlackDefenseEvaluate
>>> raw_preds = np.array([[0.1, 0.1, 0.2, 0.6],
...                       [0.1, 0.7, 0.0, 0.2],
...                       [0.8, 0.1, 0.0, 0.1]])
>>> def_preds = np.array([[0.1, 0.1, 0.1, 0.7],
...                       [0.1, 0.6, 0.2, 0.1],
...                       [0.1, 0.2, 0.1, 0.6]])
>>> raw_query_counts = np.array([0, 20, 10])
>>> def_query_counts = np.array([0, 50, 60])
>>> raw_query_time = np.array([0.1, 2, 1])
>>> def_query_time = np.array([0.2, 6, 5])
>>> def_detection_counts = np.array([1, 5, 10])
>>> true_labels = np.array([3, 1, 0])
>>> max_queries = 100
>>> def_eval = BlackDefenseEvaluate(raw_preds,
...                                 def_preds,
...                                 raw_query_counts,
...                                 def_query_counts,
...                                 raw_query_time,
...                                 def_query_time,
...                                 def_detection_counts,
...                                 true_labels,
...                                 max_queries)
>>> def_eval.qcv()

asv()

Calculate attack success rate variance (ASV).

Returns

float, the lower, the stronger the defense is. If num_adv_samples=0, return -1.

fpr()

Calculate false positive rate (FPR) of the query-based detector.

Returns

float, the lower, the more usable the defense is. If num_adv_samples=0, return -1.

qcv()

Calculate query count variance (QCV).

Returns

float, the higher, the stronger the defense is. If num_adv_samples=0, return -1.

qrv()

Calculate the benign query response time variance (QRV).

Returns

float, the lower, the more usable the defense is. If num_adv_samples=0, return -1.

class mindarmour.adv_robustness.evaluations.DefenseEvaluate(raw_preds, def_preds, true_labels)

Evaluation metrics of defense methods.

Parameters
  • raw_preds (numpy.ndarray) – Prediction results of certain samples on the raw model.

  • def_preds (numpy.ndarray) – Prediction results of certain samples on the defended model.

  • true_labels (numpy.ndarray) – Ground-truth labels of samples, a one-dimensional array of size raw_preds.shape[0].

Examples

>>> import numpy as np
>>> from mindarmour.adv_robustness.evaluations import DefenseEvaluate
>>> raw_preds = np.array([[0.1, 0.1, 0.2, 0.6],
...                       [0.1, 0.7, 0.0, 0.2],
...                       [0.8, 0.1, 0.0, 0.1]])
>>> def_preds = np.array([[0.1, 0.1, 0.1, 0.7],
...                       [0.1, 0.6, 0.2, 0.1],
...                       [0.1, 0.2, 0.1, 0.6]])
>>> true_labels = np.array([3, 1, 0])
>>> def_eval = DefenseEvaluate(raw_preds,
...                            def_preds,
...                            true_labels)
>>> def_eval.cav()

cav()

Calculate classification accuracy variance (CAV).

Returns

float, the higher, the more successful the defense is.

ccv()

Calculate classification confidence variance (CCV).

Returns

  • float, the lower, the more successful the defense is.

    • If return value == -1, len(idxes) == 0.

cos()

Calculate classification output stability (COS).

Returns

float.
  • If the return value is >= 0, the defense is effective. The lower, the more successful the defense is.

  • If return value == -1, idxes == 0.

crr()

Calculate classification rectify ratio (CRR).

Returns

float, the higher, the more successful the defense is.

csr()

Calculate classification sacrifice ratio (CSR), the lower the better.

Returns

float, the lower, the more successful the defense is.
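
The following added example (not MindArmour's code) computes CAV, CRR, CSR and CCV with plain NumPy on the arrays from the DefenseEvaluate example above, and shows that CAV equals CRR minus CSR, so a negative CAV means the defense broke more correct predictions than it repaired. The function name defense_metrics and the metric definitions used are assumptions of this example.

```python
import numpy as np

def defense_metrics(raw_preds, def_preds, true_labels):
    """CAV, CRR, CSR and CCV under assumed definitions (not MindArmour's code)."""
    raw_preds = np.asarray(raw_preds, dtype=float)
    def_preds = np.asarray(def_preds, dtype=float)
    true_labels = np.asarray(true_labels)
    if raw_preds.ndim != 2 or raw_preds.shape != def_preds.shape:
        raise ValueError("raw_preds and def_preds must share one 2-D shape")
    if true_labels.shape != (raw_preds.shape[0],):
        raise ValueError("true_labels must be 1-D with one entry per sample")

    raw_ok = raw_preds.argmax(axis=1) == true_labels   # correct without defense
    def_ok = def_preds.argmax(axis=1) == true_labels   # correct with defense

    cav = def_ok.mean() - raw_ok.mean()    # accuracy change caused by the defense
    crr = (~raw_ok & def_ok).mean()        # wrong before, rectified by the defense
    csr = (raw_ok & ~def_ok).mean()        # right before, sacrificed by the defense

    # CCV: mean absolute change in top-class confidence, measured only on
    # samples both models classify correctly; -1 when there are none.
    both = raw_ok & def_ok
    if both.any():
        delta = np.abs(def_preds.max(axis=1) - raw_preds.max(axis=1))
        ccv = delta[both].mean()
    else:
        ccv = -1.0
    return {"cav": float(cav), "crr": float(crr),
            "csr": float(csr), "ccv": float(ccv)}

# Arrays taken from the DefenseEvaluate example on this page.
RAW = np.array([[0.1, 0.1, 0.2, 0.6],
                [0.1, 0.7, 0.0, 0.2],
                [0.8, 0.1, 0.0, 0.1]])
DEF = np.array([[0.1, 0.1, 0.1, 0.7],
                [0.1, 0.6, 0.2, 0.1],
                [0.1, 0.2, 0.1, 0.6]])
TRUE = np.array([3, 1, 0])

if __name__ == "__main__":
    for name, value in defense_metrics(RAW, DEF, TRUE).items():
        print(f"{name.upper()}: {value:.4f}")
```

On these arrays the raw model is right on all three samples and the defended model misclassifies the third, so CRR is 0 and CSR accounts for the whole drop in accuracy.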

class mindarmour.adv_robustness.evaluations.RadarMetric(metrics_name, metrics_data, labels, title, scale="hide")

Radar chart to show the robustness of a model by multiple metrics.

Parameters
  • metrics_name (Union[tuple, list]) – An array of names of metrics to show.

  • metrics_data (numpy.ndarray) – The (normalized) values of each metric for multiple radar curves, like [[0.5, 0.8, …], [0.2,0.6,…], …]. Each set of values corresponds to one radar curve.

  • labels (Union[tuple, list]) – Legends of all radar curves.

  • title (str) – Title of the chart.

  • scale (str) – Scalar to adjust axis ticks, such as ‘hide’, ‘norm’, ‘sparse’ or ‘dense’. Default: ‘hide’.

Raises

ValueError – If scale is not in [‘hide’, ‘norm’, ‘sparse’, ‘dense’].

Examples

>>> from mindarmour.adv_robustness.evaluations import RadarMetric
>>> metrics_name = ['MR', 'ACAC', 'ASS', 'NTE', 'ACTC']
>>> def_metrics = [0.9, 0.85, 0.6, 0.7, 0.8]
>>> raw_metrics = [0.5, 0.3, 0.55, 0.65, 0.7]
>>> metrics_data = [def_metrics, raw_metrics]
>>> metrics_labels = ['before', 'after']
>>> rm = RadarMetric(metrics_name,
...                  metrics_data,
...                  metrics_labels,
...                  title='',
...                  scale='sparse')
>>> rm.show()

show()

Show the radar chart.