mindarmour

MindArmour, a toolbox for MindSpore that enhances model security and trustworthiness against adversarial examples.

  • class mindarmour.Attack[source]
  • The abstract base class for all attack classes creating adversarial examples.

    • batch_generate(inputs, labels, batch_size=64)[source]
    • Generate adversarial examples in batch, based on input samples and their labels.

      • Parameters
        • inputs (numpy.ndarray) – Samples based on which adversarial examples are generated.

        • labels (numpy.ndarray) – Labels of samples, whose values are determined by specific attacks.

        • batch_size (int) – The number of samples in one batch.

      • Returns

      • numpy.ndarray, generated adversarial examples

Examples

    >>> # attack is an instance of a concrete Attack subclass
    >>> from mindspore import Tensor
    >>> inputs = Tensor([[0.2, 0.4, 0.5, 0.2], [0.7, 0.2, 0.4, 0.3]])
    >>> labels = [3, 0]
    >>> advs = attack.batch_generate(inputs, labels, batch_size=2)

  • abstract generate(inputs, labels)[source]
  • Generate adversarial examples based on normal samples and their labels.

    • Parameters
      • inputs (numpy.ndarray) – Samples based on which adversarial examples are generated.

      • labels (numpy.ndarray) – Labels of samples, whose values are determined by specific attacks.

    • Raises

    • NotImplementedError – It is an abstract method.
  • class mindarmour.BlackModel[source]
  • The abstract class which treats the target model as a black box. The model should be defined by users.

    • is_adversarial(data, label, is_targeted)[source]
    • Check whether the input sample is an adversarial example.

      • Parameters
        • data (numpy.ndarray) – The input sample to be checked, typically some maliciously perturbed examples.

        • label (numpy.ndarray) – For targeted attacks, label is the intended label of the perturbed example. For untargeted attacks, label is the original label of the corresponding unperturbed sample.

        • is_targeted (bool) – For targeted/untargeted attacks, select True/False.

      • Returns

      • bool.
        • If True, the input sample is adversarial.
        • If False, the input sample is not adversarial.

  • abstract predict(inputs)[source]
  • Predict using the user-specified model. The shape of the predict results should be (m, n), where n represents the number of classes this model classifies.

  • class mindarmour.Detector[source]
  • The abstract base class for all adversarial example detectors.

    • abstract detect(inputs)[source]
    • Detect adversarial examples from input samples.

    • abstract detect_diff(inputs)[source]

    • Calculate the difference between the input samples and de-noised samples.

    • abstract fit(inputs, labels=None)[source]

    • Fit a threshold and refuse adversarial examples whose difference from their denoised versions is larger than the threshold. The threshold is determined by a certain false positive rate when applying to normal samples.

    • abstract transform(inputs)[source]

    • Filter adversarial noises in input samples.
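
How the fit / detect_diff / detect / transform contract described above fits together, as an added, self-contained sketch that is not MindArmour's code. The `MedianDetector` class, its width-3 median-filter de-noiser, the mean-absolute-difference score and the sample data are all assumptions made for illustration, and plain Python lists stand in for numpy arrays so it runs with no dependencies.

```python
import math


class MedianDetector:
    """Hypothetical detector (not a MindArmour class) mirroring the interface above."""

    def __init__(self, false_positive_rate=0.05):
        self.fpr = false_positive_rate
        self.threshold = None

    def transform(self, inputs):
        """De-noise each sample with a width-3 median filter (end points kept)."""
        out = []
        for x in inputs:
            mid = [sorted(x[i - 1:i + 2])[1] for i in range(1, len(x) - 1)]
            out.append(x[:1] + mid + x[-1:] if len(x) > 1 else list(x))
        return out

    def detect_diff(self, inputs):
        """Mean absolute difference between each sample and its de-noised form."""
        return [sum(abs(a - b) for a, b in zip(x, d)) / len(x)
                for x, d in zip(inputs, self.transform(inputs))]

    def fit(self, inputs, labels=None):
        """Choose the threshold so at most `fpr` of the normal samples exceed it."""
        diffs = sorted(self.detect_diff(inputs))
        k = math.ceil((1.0 - self.fpr) * len(diffs)) - 1
        self.threshold = diffs[min(max(k, 0), len(diffs) - 1)]
        return self.threshold

    def detect(self, inputs):
        """Return 1 for samples refused as adversarial, 0 for accepted ones."""
        if self.threshold is None:
            raise RuntimeError("call fit() on normal samples first")
        return [int(d > self.threshold) for d in self.detect_diff(inputs)]


# Constructed data: 20 ramps with a growing zig-zag as "normal" samples, and one
# ramp with a large alternating offset standing in for a perturbed input.
normal = [[0.1 * i + 0.01 * s * (i % 2) for i in range(8)] for s in range(20)]
perturbed = [[0.1 * i + (0.3 if i % 2 else -0.3) for i in range(8)]]

if __name__ == "__main__":
    detector = MedianDetector(false_positive_rate=0.05)
    print("threshold:", detector.fit(normal))
    print("flagged normal samples:", sum(detector.detect(normal)))
    print("perturbed flagged:", detector.detect(perturbed))
```

Lowering `false_positive_rate` raises the fitted threshold, so fewer normal samples are refused but smaller perturbations pass undetected.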

  • class mindarmour.Defense(network)[source]
  • The abstract base class for all defense classes defending against adversarial examples.

    • Parameters
    • network (Cell) – A MindSpore-style deep learning model to be defended.

    • batch_defense(inputs, labels, batch_size=32, epochs=5)[source]

    • Defend the model with samples in batch.

      • Parameters
        • inputs (numpy.ndarray) – Samples based on which adversarial examples are generated.

        • labels (numpy.ndarray) – Labels of input samples.

        • batch_size (int) – Number of samples in one batch.

        • epochs (int) – Number of epochs.

      • Returns

      • numpy.ndarray, loss of batch_defense operation.

      • Raises

      • ValueError – If batch_size is 0.
    • abstract defense(inputs, labels)[source]

    • Defend the model with samples.