mindarmour.adv_robustness.evaluations
This module includes various metrics to evaluate the result of attacks or defenses.
- class mindarmour.adv_robustness.evaluations.AttackEvaluate(inputs, labels, adv_inputs, adv_preds, targeted=False, target_label=None)[source]
Evaluation metrics of attack methods.
- Parameters
inputs (numpy.ndarray) – Original samples.
labels (numpy.ndarray) – Labels of the original samples, in one-hot format.
adv_inputs (numpy.ndarray) – Adversarial samples generated from original samples.
adv_preds (numpy.ndarray) – Probability of all output classes of adversarial examples.
targeted (bool) – If True, it is a targeted attack. If False, it is an untargeted attack. Default: False.
target_label (numpy.ndarray) – Target classes of the adversarial examples, a one-dimensional array whose size is adv_inputs.shape[0]. Default: None.
- Raises
ValueError – If target_label is None when targeted is True.
Examples
>>> import numpy as np
>>> from mindarmour.adv_robustness.evaluations import AttackEvaluate
>>> x = np.random.normal(size=(3, 512, 512, 3))
>>> adv_x = np.random.normal(size=(3, 512, 512, 3))
>>> y = np.array([[0.1, 0.1, 0.2, 0.6],
...               [0.1, 0.7, 0.0, 0.2],
...               [0.8, 0.1, 0.0, 0.1]])
>>> adv_y = np.array([[0.1, 0.1, 0.2, 0.6],
...                   [0.1, 0.0, 0.8, 0.1],
...                   [0.0, 0.9, 0.1, 0.0]])
>>> attack_eval = AttackEvaluate(x, y, adv_x, adv_y)
>>> mr = attack_eval.mis_classification_rate()
>>> acac = attack_eval.avg_conf_adv_class()
>>> l_0, l_2, l_inf = attack_eval.avg_lp_distance()
>>> ass = attack_eval.avg_ssim()
>>> nte = attack_eval.nte()
>>> actc = attack_eval.avg_conf_true_class()
- avg_conf_adv_class()[source]
Calculate average confidence of adversarial class (ACAC).
- Returns
float, ranges between (0, 1). The higher, the more successful the attack is.
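A minimal NumPy sketch of how an ACAC-style average could be computed for the untargeted case (illustrative only; the helper name is hypothetical and the actual implementation may differ):
>>> import numpy as np
>>> def acac_sketch(labels_onehot, adv_preds):
...     true_classes = np.argmax(labels_onehot, axis=1)
...     adv_classes = np.argmax(adv_preds, axis=1)
...     success = adv_classes != true_classes  # successful untargeted attacks
...     if not np.any(success):
...         return -1
...     # average confidence the model places on its (wrong) predicted class
...     return float(np.mean(adv_preds[success, adv_classes[success]]))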
- avg_conf_true_class()[source]
Calculate average confidence of true class (ACTC).
- Returns
float, ranges between (0, 1). The lower, the more successful the attack is.
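ACTC is the counterpart of ACAC: it averages the confidence left on the true class instead of the adversarial class. A hedged sketch under the same assumptions as above:
>>> import numpy as np
>>> def actc_sketch(labels_onehot, adv_preds):
...     true_classes = np.argmax(labels_onehot, axis=1)
...     adv_classes = np.argmax(adv_preds, axis=1)
...     success = adv_classes != true_classes
...     if not np.any(success):
...         return -1
...     # average confidence remaining on the ground-truth class
...     return float(np.mean(adv_preds[success, true_classes[success]]))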
- avg_lp_distance()[source]
Calculate average lp distance (lp-dist).
- Returns
float, the average l0, l2 and linf distances over all successful adversarial examples. The return value covers the following cases:
If the return value is >= 0, it is the average lp distance. The lower, the more successful the attack is.
If the return value is -1, there are no successful adversarial examples.
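A rough sketch of per-norm averages over successful adversarial examples (illustrative only; the success_mask argument and the absence of any normalization are assumptions):
>>> import numpy as np
>>> def avg_lp_distance_sketch(inputs, adv_inputs, success_mask):
...     if not np.any(success_mask):
...         return -1, -1, -1
...     diff = (adv_inputs - inputs)[success_mask]
...     flat = diff.reshape(diff.shape[0], -1)  # one row per successful sample
...     l0 = float(np.mean(np.sum(flat != 0, axis=1)))  # changed elements
...     l2 = float(np.mean(np.linalg.norm(flat, axis=1)))
...     linf = float(np.mean(np.max(np.abs(flat), axis=1)))
...     return l0, l2, linf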
- avg_ssim()[source]
Calculate average structural similarity (ASS).
- Returns
float, average structural similarity.
If the return value ranges between (0, 1), the higher, the more successful the attack is.
If the return value is -1, there are no successful adversarial examples.
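Structural similarity is commonly computed with scikit-image; the sketch below shows an ASS-style average and assumes scikit-image >= 0.19 (for the channel_axis argument) rather than the library's own SSIM routine:
>>> import numpy as np
>>> from skimage.metrics import structural_similarity
>>> def avg_ssim_sketch(inputs, adv_inputs, success_mask):
...     if not np.any(success_mask):
...         return -1
...     scores = []
...     for x, adv in zip(inputs[success_mask], adv_inputs[success_mask]):
...         scores.append(structural_similarity(x, adv, channel_axis=-1,
...                                             data_range=float(x.max() - x.min())))
...     return float(np.mean(scores))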
- mis_classification_rate()[source]
Calculate misclassification rate (MR).
- Returns
float, ranges between (0, 1). The higher, the more successful the attack is.
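MR is the fraction of adversarial examples that are no longer classified as their true label (or that hit the target label, for targeted attacks). A sketch for the untargeted case (hypothetical helper, not the library's implementation):
>>> import numpy as np
>>> def mis_classification_rate_sketch(labels_onehot, adv_preds):
...     true_classes = np.argmax(labels_onehot, axis=1)
...     adv_classes = np.argmax(adv_preds, axis=1)
...     return float(np.mean(adv_classes != true_classes))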
- nte()[source]
Calculate noise tolerance estimation (NTE).
References: Towards Imperceptible and Robust Adversarial Example Attacks against Neural Networks
- Returns
float, ranges between (0, 1). The higher, the more successful the attack is.
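In the referenced paper, noise tolerance measures the gap between the probability of the misclassified class and the largest probability among the remaining classes. The sketch below follows that reading and is not necessarily the library's exact formulation:
>>> import numpy as np
>>> def nte_sketch(labels_onehot, adv_preds):
...     true_classes = np.argmax(labels_onehot, axis=1)
...     adv_classes = np.argmax(adv_preds, axis=1)
...     success = adv_classes != true_classes
...     if not np.any(success):
...         return -1
...     preds = adv_preds[success]
...     top = np.max(preds, axis=1)
...     rest = preds.copy()
...     rest[np.arange(rest.shape[0]), np.argmax(preds, axis=1)] = -np.inf
...     runner_up = np.max(rest, axis=1)  # best of the remaining classes
...     return float(np.mean(top - runner_up))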
- class mindarmour.adv_robustness.evaluations.BlackDefenseEvaluate(raw_preds, def_preds, raw_query_counts, def_query_counts, raw_query_time, def_query_time, def_detection_counts, true_labels, max_queries)[source]
Evaluation metrics of anti-black-box defense method.
- Parameters
raw_preds (numpy.ndarray) – Prediction results of certain samples on the raw model.
def_preds (numpy.ndarray) – Prediction results of certain samples on the defended model.
raw_query_counts (numpy.ndarray) – Number of queries used to generate adversarial examples on the raw model, a one-dimensional array whose size is raw_preds.shape[0]. For benign samples, the query count must be set to 0.
def_query_counts (numpy.ndarray) – Number of queries used to generate adversarial examples on the defended model, a one-dimensional array whose size is raw_preds.shape[0]. For benign samples, the query count must be set to 0.
raw_query_time (numpy.ndarray) – Total time taken to generate an adversarial example on the raw model, a one-dimensional array whose size is raw_preds.shape[0].
def_query_time (numpy.ndarray) – Total time taken to generate an adversarial example on the defended model, a one-dimensional array whose size is raw_preds.shape[0].
def_detection_counts (numpy.ndarray) – Total number of queries detected during the generation of each adversarial example, a one-dimensional array whose size is raw_preds.shape[0]. For a benign sample, def_detection_counts is set to 1 if the query is identified as suspicious, and 0 otherwise.
true_labels (numpy.ndarray) – Ground-truth labels, a one-dimensional array whose size is raw_preds.shape[0].
max_queries (int) – Attack budget, the maximum number of queries.
Examples
>>> import numpy as np
>>> from mindarmour.adv_robustness.evaluations import BlackDefenseEvaluate
>>> raw_preds = np.array([[0.1, 0.1, 0.2, 0.6],
...                       [0.1, 0.7, 0.0, 0.2],
...                       [0.8, 0.1, 0.0, 0.1]])
>>> def_preds = np.array([[0.1, 0.1, 0.1, 0.7],
...                       [0.1, 0.6, 0.2, 0.1],
...                       [0.1, 0.2, 0.1, 0.6]])
>>> raw_query_counts = np.array([0, 20, 10])
>>> def_query_counts = np.array([0, 50, 60])
>>> raw_query_time = np.array([0.1, 2, 1])
>>> def_query_time = np.array([0.2, 6, 5])
>>> def_detection_counts = np.array([1, 5, 10])
>>> true_labels = np.array([3, 1, 0])
>>> max_queries = 100
>>> def_eval = BlackDefenseEvaluate(raw_preds,
...                                 def_preds,
...                                 raw_query_counts,
...                                 def_query_counts,
...                                 raw_query_time,
...                                 def_query_time,
...                                 def_detection_counts,
...                                 true_labels,
...                                 max_queries)
>>> qcv = def_eval.qcv()
>>> asv = def_eval.asv()
>>> fpr = def_eval.fpr()
>>> qrv = def_eval.qrv()
- asv()[source]
Calculate attack success rate variance (ASV).
- Returns
float, the lower the value, the stronger the defense. If num_adv_samples is 0, -1 is returned.
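One plausible reading of ASV is the change in attack success rate when moving from the raw model to the defended model, restricted to attacked samples (query count > 0). The sketch below is an assumption, not the library's implementation:
>>> import numpy as np
>>> def asv_sketch(raw_preds, def_preds, true_labels, raw_query_counts):
...     adv_mask = raw_query_counts > 0  # benign samples have a query count of 0
...     num_adv_samples = int(np.sum(adv_mask))
...     if num_adv_samples == 0:
...         return -1
...     raw_hit = np.argmax(raw_preds[adv_mask], axis=1) != true_labels[adv_mask]
...     def_hit = np.argmax(def_preds[adv_mask], axis=1) != true_labels[adv_mask]
...     return float((np.sum(def_hit) - np.sum(raw_hit)) / num_adv_samples)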
- fpr()[source]
Calculate false positive rate (FPR) of the query-based detector.
- Returns
float, the lower the value, the better the usability of the defense. If num_adv_samples is 0, -1 is returned.
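FPR can be read as the share of benign samples that the query-based detector wrongly flags as suspicious. The sketch below derives it from the parameter descriptions above and treats samples with a query count of 0 as benign (an assumption, not the library's implementation):
>>> import numpy as np
>>> def fpr_sketch(def_detection_counts, def_query_counts):
...     benign_mask = def_query_counts == 0
...     num_benign = int(np.sum(benign_mask))
...     if num_benign == 0:
...         return -1
...     # fraction of benign samples flagged as suspicious by the detector
...     return float(np.sum(def_detection_counts[benign_mask] > 0) / num_benign)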
- class mindarmour.adv_robustness.evaluations.DefenseEvaluate(raw_preds, def_preds, true_labels)[source]
Evaluation metrics of defense methods.
- Parameters
raw_preds (numpy.ndarray) – Prediction results of certain samples on the raw model.
def_preds (numpy.ndarray) – Prediction results of certain samples on the defended model.
true_labels (numpy.ndarray) – Ground-truth labels of the samples, a one-dimensional array whose size is raw_preds.shape[0].
Examples
>>> import numpy as np
>>> from mindarmour.adv_robustness.evaluations import DefenseEvaluate
>>> raw_preds = np.array([[0.1, 0.1, 0.2, 0.6],
...                       [0.1, 0.7, 0.0, 0.2],
...                       [0.8, 0.1, 0.0, 0.1]])
>>> def_preds = np.array([[0.1, 0.1, 0.1, 0.7],
...                       [0.1, 0.6, 0.2, 0.1],
...                       [0.1, 0.2, 0.1, 0.6]])
>>> true_labels = np.array([3, 1, 0])
>>> def_eval = DefenseEvaluate(raw_preds,
...                            def_preds,
...                            true_labels)
>>> cav = def_eval.cav()
>>> crr = def_eval.crr()
>>> csr = def_eval.csr()
>>> ccv = def_eval.ccv()
>>> cos = def_eval.cos()
- cav()[source]
Calculate classification accuracy variance (CAV).
- Returns
float, the higher, the more successful the defense is.
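CAV is commonly computed as the accuracy gain of the defended model over the raw model; a minimal sketch under that assumption (hypothetical helper):
>>> import numpy as np
>>> def cav_sketch(raw_preds, def_preds, true_labels):
...     raw_acc = np.mean(np.argmax(raw_preds, axis=1) == true_labels)
...     def_acc = np.mean(np.argmax(def_preds, axis=1) == true_labels)
...     return float(def_acc - raw_acc)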
- ccv()[source]
Calculate classification confidence variance (CCV).
- Returns
float, the lower, the more successful the defense is.
If the return value is -1, len(idxes) == 0, i.e. there are no samples to evaluate.
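A common formulation of CCV averages the absolute change in confidence on the true class over the samples that both models classify correctly; the sketch below assumes that formulation and may differ from the actual implementation:
>>> import numpy as np
>>> def ccv_sketch(raw_preds, def_preds, true_labels):
...     idxes = np.where((np.argmax(raw_preds, axis=1) == true_labels)
...                      & (np.argmax(def_preds, axis=1) == true_labels))[0]
...     if len(idxes) == 0:
...         return -1
...     raw_conf = raw_preds[idxes, true_labels[idxes]]
...     def_conf = def_preds[idxes, true_labels[idxes]]
...     return float(np.mean(np.abs(raw_conf - def_conf)))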
- cos()[source]
Calculate classification output stability (COS).
- Returns
float.
If the return value is >= 0, the defense is effective. The lower the value, the more successful the defense.
If the return value is -1, len(idxes) == 0, i.e. there are no samples to evaluate.
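One common formulation of output stability in the adversarial-robustness literature averages the Jensen-Shannon divergence between the raw and defended output distributions over correctly classified samples. The sketch below assumes that formulation and uses SciPy (scipy.spatial.distance.jensenshannon returns the square root of the JS divergence):
>>> import numpy as np
>>> from scipy.spatial.distance import jensenshannon
>>> def cos_sketch(raw_preds, def_preds, true_labels):
...     idxes = np.where((np.argmax(raw_preds, axis=1) == true_labels)
...                      & (np.argmax(def_preds, axis=1) == true_labels))[0]
...     if len(idxes) == 0:
...         return -1
...     dists = [jensenshannon(p, q)
...              for p, q in zip(raw_preds[idxes], def_preds[idxes])]
...     return float(np.mean(dists))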
- class mindarmour.adv_robustness.evaluations.RadarMetric(metrics_name, metrics_data, labels, title, scale='hide')[source]
Radar chart to show the robustness of a model by multiple metrics.
- Parameters
metrics_name (Union[tuple, list]) – An array of names of metrics to show.
metrics_data (numpy.ndarray) – The (normalized) values of each metric for multiple radar curves, e.g. [[0.5, 0.8, …], [0.2, 0.6, …], …]. Each set of values corresponds to one radar curve.
labels (Union[tuple, list]) – Legend labels of the radar curves, one per curve (e.g. ['before', 'after']).
title (str) – Title of the chart.
scale (str) – Option to adjust axis ticks; one of ‘hide’, ‘norm’, ‘sparse’ or ‘dense’. Default: ‘hide’.
- Raises
ValueError – If scale not in [‘hide’, ‘norm’, ‘sparse’, ‘dense’].
Examples
>>> import numpy as np
>>> from mindarmour.adv_robustness.evaluations import RadarMetric
>>> metrics_name = ['MR', 'ACAC', 'ASS', 'NTE', 'ACTC']
>>> def_metrics = [0.9, 0.85, 0.6, 0.7, 0.8]
>>> raw_metrics = [0.5, 0.3, 0.55, 0.65, 0.7]
>>> metrics_data = np.array([def_metrics, raw_metrics])
>>> metrics_labels = ['before', 'after']
>>> rm = RadarMetric(metrics_name,
...                  metrics_data,
...                  metrics_labels,
...                  title='',
...                  scale='sparse')
>>> #rm.show()