Spaces:

Trusted-AI
/

art-huggingface-evasion

Running

App Files Files Community

Kieran Fraser commited on Feb 1

Commit

bfddcf6

•

1 Parent(s): 8786a62

Updating descriptions and labels

Browse files

Signed-off-by: Kieran Fraser <[email protected]>

Files changed (1) hide show

app.py +37 -29

app.py CHANGED Viewed

@@ -38,6 +38,9 @@ css = """
     --prose-text-size: var(--text-md);
     --section-header-text-size: var(--text-md);
 }
 .center-text { text-align: center !important }
 .larger-gap { gap: 100px !important; }
 .symbols { text-align: center !important; margin: auto !important; }
@@ -169,8 +172,13 @@ def clf_evasion_evaluate(*args):
                                            learning_rate=learning_rate,
                                            max_iter=attack_max_iter, patch_type='square',
                                                 patch_location=(x_location, y_location),
-                                                patch_shape=(3, patch_height, patch_width))
-        patch, _ = attacker.generate(x_subset)
         x_adv = attacker.apply_patch(x_subset, scale=0.3)
         outputs = hf_model.predict(x_adv)
@@ -217,28 +225,28 @@ def default_perturbation():
             ('./data/pgd/perturb/p10.png')]
 def default_pgd():
-    return [('./data/pgd/attacked/0_airplane.png', 'airplane'),
-            ('./data/pgd/attacked/1_automobile.png', 'automobile'),
-            ('./data/pgd/attacked/2_bird.png', 'bird'),
-            ('./data/pgd/attacked/3_cat.png', 'cat'),
-            ('./data/pgd/attacked/4_deer.png', 'deer'),
-            ('./data/pgd/attacked/5_dog.png', 'dog'),
-            ('./data/pgd/attacked/6_frog.png', 'frog'),
-            ('./data/pgd/attacked/7_horse.png', 'horse'),
-            ('./data/pgd/attacked/8_ship.png', 'ship'),
-            ('./data/pgd/attacked/9_truck.png', 'truck')]
 def default_patch():
-    return [('./data/patch/0_airplane.png', 'airplane'),
             ('./data/patch/1_automobile.png', 'automobile'),
             ('./data/patch/2_bird.png', 'bird'),
-            ('./data/patch/3_cat.png', 'cat'),
-            ('./data/patch/4_deer.png', 'deer'),
-            ('./data/patch/5_dog.png', 'dog'),
-            ('./data/patch/6_frog.png', 'frog'),
             ('./data/patch/7_horse.png', 'horse'),
             ('./data/patch/8_ship.png', 'ship'),
-            ('./data/patch/9_truck.png', 'truck')]
 # e.g. To use a local alternative theme: carbon_theme = Carbon()
 carbon_theme = Carbon()
@@ -303,7 +311,7 @@ with gr.Blocks(css=css, theme='Tshackelton/IBMPlex-DenseReadable') as demo:
                 however they contain subtle changes which cause the AI model to make incorrect predictions.</p><br/>''')
-    with gr.Accordion("Projected Gradient Descent", open=False, elem_classes="custom-text"):
         gr.Markdown('''This attack uses the PGD optimization algorithm to identify the optimal perturbations
                     to add to an image (i.e. changing pixel values) to cause the model to misclassify images. See more
                     <a href="https://github.com/Trusted-AI/adversarial-robustness-toolbox"
@@ -313,9 +321,9 @@ with gr.Blocks(css=css, theme='Tshackelton/IBMPlex-DenseReadable') as demo:
             with gr.Column(scale=1):
                 attack = gr.Textbox(visible=True, value="PGD", label="Attack", interactive=False)
-                max_iter = gr.Slider(minimum=1, maximum=10, label="Max iterations", value=4)
-                eps = gr.Slider(minimum=0.0001, maximum=1, label="Epslion", value=0.3)
-                eps_steps = gr.Slider(minimum=0.0001, maximum=1, label="Epsilon steps", value=0.03)
                 bt_eval_pgd = gr.Button("Evaluate ✨", elem_classes="eval-bt")
             # Evaluation Output. Visualisations of success/failures of running evaluation attacks.
@@ -346,7 +354,7 @@ with gr.Blocks(css=css, theme='Tshackelton/IBMPlex-DenseReadable') as demo:
     gr.Markdown('''<br/>''')
-    with gr.Accordion("Adversarial Patch", open=False, elem_classes="custom-text"):
         gr.Markdown('''This attack optimizes pixels in a patch which can be overlayed on an image, causing a model to misclassify. See more
                     <a href="https://github.com/Trusted-AI/adversarial-robustness-toolbox"
                     target="blank_">here</a>.''')
@@ -355,11 +363,11 @@ with gr.Blocks(css=css, theme='Tshackelton/IBMPlex-DenseReadable') as demo:
             with gr.Column(scale=1):
                 attack = gr.Textbox(visible=True, value="Adversarial Patch", label="Attack", interactive=False)
-                max_iter = gr.Slider(minimum=1, maximum=1000, label="Max iterations", value=10)
-                x_location = gr.Slider(minimum=1, maximum=32, label="Location (x)", value=1)
-                y_location = gr.Slider(minimum=1, maximum=32, label="Location (y)", value=1)
-                patch_height = gr.Slider(minimum=1, maximum=32, label="Patch height", value=12)
-                patch_width = gr.Slider(minimum=1, maximum=32, label="Patch width", value=12)
                 eval_btn_patch = gr.Button("Evaluate ✨", elem_classes="eval-bt")
             # Evaluation Output. Visualisations of success/failures of running evaluation attacks.
@@ -383,7 +391,7 @@ with gr.Blocks(css=css, theme='Tshackelton/IBMPlex-DenseReadable') as demo:
                     with gr.Column(scale=10):
                         gr.Markdown('''<p style="font-size: 18px"><i>The original image (with optimized perturbations applied) gives us an adversarial image which fools the model.</i></p>''')
                         adversarial_gallery = gr.Gallery(default_patch, label="Adversarial", preview=False, show_download_button=True)
-                        robust_accuracy = gr.Number(0.8, label="Robust Accuracy", precision=2)
             eval_btn_patch.click(clf_evasion_evaluate, inputs=[attack, max_iter, eps, eps_steps, x_location, y_location, patch_height,
                                                                 patch_width],

     --prose-text-size: var(--text-md);
     --section-header-text-size: var(--text-md);
 }
+.eta-bar.svelte-1occ011.svelte-1occ011 {
+    background: #ccccff !important;
+}
 .center-text { text-align: center !important }
 .larger-gap { gap: 100px !important; }
 .symbols { text-align: center !important; margin: auto !important; }
                                            learning_rate=learning_rate,
                                            max_iter=attack_max_iter, patch_type='square',
                                                 patch_location=(x_location, y_location),
+                                                patch_shape=(3, patch_height, patch_width),
+                                                targeted=True)
+        y_one_hot = np.zeros(len(label_names))
+        y_one_hot[2] = 1.0
+        y_target = np.tile(y_one_hot, (x_subset.shape[0], 1))
+        patch, _ = attacker.generate(x_subset, y_target)
         x_adv = attacker.apply_patch(x_subset, scale=0.3)
         outputs = hf_model.predict(x_adv)
             ('./data/pgd/perturb/p10.png')]
 def default_pgd():
+    return [('./data/pgd/attacked/0_airplane.png', 'ship'),
+            ('./data/pgd/attacked/1_automobile.png', 'ship'),
+            ('./data/pgd/attacked/2_bird.png', 'truck'),
+            ('./data/pgd/attacked/3_cat.png', 'deer'),
+            ('./data/pgd/attacked/4_deer.png', 'dog'),
+            ('./data/pgd/attacked/5_dog.png', 'deer'),
+            ('./data/pgd/attacked/6_frog.png', 'horse'),
+            ('./data/pgd/attacked/7_horse.png', 'frog'),
+            ('./data/pgd/attacked/8_ship.png', 'frog'),
+            ('./data/pgd/attacked/9_truck.png', 'automobile')]
 def default_patch():
+    return [('./data/patch/0_airplane.png', 'bird'),
             ('./data/patch/1_automobile.png', 'automobile'),
             ('./data/patch/2_bird.png', 'bird'),
+            ('./data/patch/3_cat.png', 'bird'),
+            ('./data/patch/4_deer.png', 'bird'),
+            ('./data/patch/5_dog.png', 'bird'),
+            ('./data/patch/6_frog.png', 'bird'),
             ('./data/patch/7_horse.png', 'horse'),
             ('./data/patch/8_ship.png', 'ship'),
+            ('./data/patch/9_truck.png', 'automobile')]
 # e.g. To use a local alternative theme: carbon_theme = Carbon()
 carbon_theme = Carbon()
                 however they contain subtle changes which cause the AI model to make incorrect predictions.</p><br/>''')
+    with gr.Accordion("Projected Gradient Descent", open=True, elem_classes="custom-text"):
         gr.Markdown('''This attack uses the PGD optimization algorithm to identify the optimal perturbations
                     to add to an image (i.e. changing pixel values) to cause the model to misclassify images. See more
                     <a href="https://github.com/Trusted-AI/adversarial-robustness-toolbox"
             with gr.Column(scale=1):
                 attack = gr.Textbox(visible=True, value="PGD", label="Attack", interactive=False)
+                max_iter = gr.Slider(minimum=1, maximum=10, label="Max iterations", value=4, info="Max number of iterations for attack to run searching for adversarial perturbation. Larger value prolongs search.")
+                eps = gr.Slider(minimum=0.0001, maximum=1, label="Epsilon", value=0.3, info="Adjusts the maximum allowed perturbation added to the image.")
+                eps_steps = gr.Slider(minimum=0.0001, maximum=1, label="Epsilon steps", value=0.03, info="Smaller value yields finer perturbation, slower to find adversarial image. Larger value yields more perceptible perturbations, quicker finding adversarial image.")
                 bt_eval_pgd = gr.Button("Evaluate ✨", elem_classes="eval-bt")
             # Evaluation Output. Visualisations of success/failures of running evaluation attacks.
     gr.Markdown('''<br/>''')
+    with gr.Accordion("Adversarial Patch", open=True, elem_classes="custom-text"):
         gr.Markdown('''This attack optimizes pixels in a patch which can be overlayed on an image, causing a model to misclassify. See more
                     <a href="https://github.com/Trusted-AI/adversarial-robustness-toolbox"
                     target="blank_">here</a>.''')
             with gr.Column(scale=1):
                 attack = gr.Textbox(visible=True, value="Adversarial Patch", label="Attack", interactive=False)
+                max_iter = gr.Slider(minimum=1, maximum=1000, label="Max iterations", value=100, info="Max number of iterations for attack to run searching for optimal adversarial patch. Larger value prolongs search.")
+                x_location = gr.Slider(minimum=0.01, maximum=32, label="Location (x)", value=1, info="Moves patch left and right")
+                y_location = gr.Slider(minimum=0.01, maximum=32, label="Location (y)", value=1, info="Moves patch up and down")
+                patch_height = gr.Slider(minimum=1, maximum=32, label="Patch height", value=16)
+                patch_width = gr.Slider(minimum=1, maximum=32, label="Patch width", value=16)
                 eval_btn_patch = gr.Button("Evaluate ✨", elem_classes="eval-bt")
             # Evaluation Output. Visualisations of success/failures of running evaluation attacks.
                     with gr.Column(scale=10):
                         gr.Markdown('''<p style="font-size: 18px"><i>The original image (with optimized perturbations applied) gives us an adversarial image which fools the model.</i></p>''')
                         adversarial_gallery = gr.Gallery(default_patch, label="Adversarial", preview=False, show_download_button=True)
+                        robust_accuracy = gr.Number(0.4, label="Robust Accuracy", precision=2)
             eval_btn_patch.click(clf_evasion_evaluate, inputs=[attack, max_iter, eps, eps_steps, x_location, y_location, patch_height,
                                                                 patch_width],