mindarmour.evaluations

This module includes various metrics to evaluate the result of attacks or defenses.

  • class mindarmour.evaluations.AttackEvaluate(inputs, labels, adv_inputs, adv_preds, targeted=False, target_label=None)[source]
  • Evaluation metrics of attack methods.

    • Parameters
      • inputs (numpy.ndarray) – Original samples.

      • labels (numpy.ndarray) – Labels of the original samples, in one-hot format.

      • adv_inputs (numpy.ndarray) – Adversarial samples generated from original samples.

      • adv_preds (numpy.ndarray) – Probability of all output classes of adversarial examples.

      • targeted (bool) – If True, it is a targeted attack. If False, it is an untargeted attack. Default: False.

      • target_label (numpy.ndarray) – Targeted classes of adversarial examples, a one-dimensional array whose size is adv_inputs.shape[0]. Default: None.

    • Raises

    • ValueError – If target_label is None when targeted is True.

Examples

    >>> import numpy as np
    >>> from mindarmour.evaluations import AttackEvaluate
    >>> x = np.random.normal(size=(3, 512, 512, 3))
    >>> adv_x = np.random.normal(size=(3, 512, 512, 3))
    >>> y = np.array([[0.1, 0.1, 0.2, 0.6],
    ...               [0.1, 0.7, 0.0, 0.2],
    ...               [0.8, 0.1, 0.0, 0.1]])
    >>> adv_y = np.array([[0.1, 0.1, 0.2, 0.6],
    ...                   [0.1, 0.0, 0.8, 0.1],
    ...                   [0.0, 0.9, 0.1, 0.0]])
    >>> attack_eval = AttackEvaluate(x, y, adv_x, adv_y)
    >>> mr = attack_eval.mis_classification_rate()

  • avg_conf_adv_class()[source]
  • Calculate average confidence of adversarial class (ACAC).

    • Returns
    • float, ranges between (0, 1). The higher, the more successful the attack is.
  • avg_conf_true_class()[source]

  • Calculate average confidence of true class (ACTC).

    • Returns
    • float, ranges between (0, 1). The lower, the more successful the attack is.
  • avg_lp_distance()[source]

  • Calculate average lp distance (lp-dist).

    • Returns
    • float, the average l0, l2, or linf distance of all successful adversarial examples. The return value covers the following cases:

      • If the return value is >= 0, it is the average lp distance. The lower, the more successful the attack is.

      • If the return value is -1, there are no successful adversarial examples.
  • avg_ssim()[source]
  • Calculate average structural similarity (ASS).

    • Returns
    • float, average structural similarity.

      • If the return value ranges between (0, 1), the higher, the more successful the attack is.

      • If the return value is -1, there are no successful adversarial examples.
  • mis_classification_rate()[source]
  • Calculate misclassification rate (MR).

    • Returns
    • float, ranges between (0, 1). The higher, the more successful the attack is.
  • nte()[source]

  • Calculate noise tolerance estimation (NTE).

    • References: Towards Imperceptible and Robust Adversarial Example Attacks against Neural Networks

    • Returns
    • float, ranges between (0, 1). The higher, the more successful the attack is.
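
To make MR, ACAC and ACTC concrete, the following added example (not MindArmour's own code) recomputes them with plain Python lists on the sample data from the AttackEvaluate example above, for both the untargeted and the targeted success criterion. The helper names, the metric formulas (the commonly used definitions) and the -1.0 value returned when no attack succeeds are assumptions of this example.

```python
# Added illustration, not MindArmour source code. Formulas follow the commonly
# used definitions of MR / ACAC / ACTC (assumed, not taken from the library).

def argmax(row):
    return max(range(len(row)), key=row.__getitem__)

def success_indices(labels, adv_preds, targeted=False, target_label=None):
    """Indices of adversarial examples that count as a successful attack."""
    if targeted and target_label is None:
        raise ValueError("target_label must be set when targeted is True")
    true_cls = [argmax(r) for r in labels]
    adv_cls = [argmax(r) for r in adv_preds]
    if targeted:
        # Targeted: success only if the model outputs the attacker's class.
        return [i for i, c in enumerate(adv_cls) if c == target_label[i]]
    # Untargeted: any change away from the true class is a success.
    return [i for i, c in enumerate(adv_cls) if c != true_cls[i]]

def attack_metrics(labels, adv_preds, targeted=False, target_label=None):
    """Return (MR, ACAC, ACTC). ACAC and ACTC are -1.0 (assumed sentinel)
    when no adversarial example succeeded."""
    ok = success_indices(labels, adv_preds, targeted, target_label)
    mr = len(ok) / len(labels)
    if not ok:
        return mr, -1.0, -1.0
    true_cls = [argmax(r) for r in labels]
    # ACAC: mean confidence in the (wrong) predicted class over successes.
    acac = sum(max(adv_preds[i]) for i in ok) / len(ok)
    # ACTC: mean confidence left on the true class over successes.
    actc = sum(adv_preds[i][true_cls[i]] for i in ok) / len(ok)
    return mr, acac, actc

# Sample data copied from the AttackEvaluate example on this page.
Y = [[0.1, 0.1, 0.2, 0.6], [0.1, 0.7, 0.0, 0.2], [0.8, 0.1, 0.0, 0.1]]
ADV_Y = [[0.1, 0.1, 0.2, 0.6], [0.1, 0.0, 0.8, 0.1], [0.0, 0.9, 0.1, 0.0]]

if __name__ == "__main__":
    print("untargeted:", attack_metrics(Y, ADV_Y))
    # Constructed target labels: the attacker wants class 2 for every sample.
    print("targeted:  ", attack_metrics(Y, ADV_Y, True, [2, 2, 2]))
```

The same adversarial predictions score MR = 2/3 as an untargeted attack but only 1/3 against the constructed target class, so robustness reports should state which criterion was used.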

  • class mindarmour.evaluations.BlackDefenseEvaluate(raw_preds, def_preds, raw_query_counts, def_query_counts, raw_query_time, def_query_time, def_detection_counts, true_labels, max_queries)[source]
  • Evaluation metrics of anti-black-box defense method.

    • Parameters
      • raw_preds (numpy.ndarray) – Prediction results of some certain samples on the raw model.

      • def_preds (numpy.ndarray) – Prediction results of some certain samples on the defended model.

      • raw_query_counts (numpy.ndarray) – Number of queries to generate adversarial examples on the raw model, a one-dimensional array whose size is raw_preds.shape[0]. For benign samples, query count must be set to 0.

      • def_query_counts (numpy.ndarray) – Number of queries to generate adversarial examples on the defended model, a one-dimensional array whose size is raw_preds.shape[0]. For benign samples, query count must be set to 0.

      • raw_query_time (numpy.ndarray) – The total time duration to generate an adversarial example on the raw model, a one-dimensional array whose size is raw_preds.shape[0].

      • def_query_time (numpy.ndarray) – The total time duration to generate an adversarial example on the defended model, a one-dimensional array whose size is raw_preds.shape[0].

      • def_detection_counts (numpy.ndarray) – Total number of detected queries during each adversarial example generation, a one-dimensional array whose size is raw_preds.shape[0]. For a benign sample, the def_detection_counts is set to 1 if the query is identified as suspicious, and 0 otherwise.

      • true_labels (numpy.ndarray) – True labels, a one-dimensional array whose size is raw_preds.shape[0].

      • max_queries (int) – Attack budget, the maximum number of queries.

Examples

    >>> import numpy as np
    >>> from mindarmour.evaluations import BlackDefenseEvaluate
    >>> raw_preds = np.array([[0.1, 0.1, 0.2, 0.6],
    ...                       [0.1, 0.7, 0.0, 0.2],
    ...                       [0.8, 0.1, 0.0, 0.1]])
    >>> def_preds = np.array([[0.1, 0.1, 0.1, 0.7],
    ...                       [0.1, 0.6, 0.2, 0.1],
    ...                       [0.1, 0.2, 0.1, 0.6]])
    >>> raw_query_counts = np.array([0, 20, 10])
    >>> def_query_counts = np.array([0, 50, 60])
    >>> raw_query_time = np.array([0.1, 2, 1])
    >>> def_query_time = np.array([0.2, 6, 5])
    >>> def_detection_counts = np.array([1, 5, 10])
    >>> true_labels = np.array([3, 1, 0])
    >>> max_queries = 100
    >>> def_eval = BlackDefenseEvaluate(raw_preds,
    ...                                 def_preds,
    ...                                 raw_query_counts,
    ...                                 def_query_counts,
    ...                                 raw_query_time,
    ...                                 def_query_time,
    ...                                 def_detection_counts,
    ...                                 true_labels,
    ...                                 max_queries)
    >>> def_eval.qcv()

  • asv()[source]
  • Calculate attack success rate variance (ASV).

    • Returns
    • float, the lower, the stronger the defense is. If num_adv_samples=0, return -1.
  • fpr()[source]

  • Calculate false positive rate (FPR) of the query-based detector.

    • Returns
    • float, the lower, the more usable the defense is. If num_adv_samples=0, return -1.
  • qcv()[source]

  • Calculate query count variance (QCV).

    • Returns
    • float, the higher, the stronger the defense is. If num_adv_samples=0, return -1.
  • qrv()[source]

  • Calculate the benign query response time variance (QRV).

    • Returns
    • float, the lower, the more usable the defense is. If num_adv_samples=0, return -1.
  • class mindarmour.evaluations.DefenseEvaluate(raw_preds, def_preds, true_labels)[source]
  • Evaluation metrics of defense methods.

    • Parameters
      • raw_preds (numpy.ndarray) – Prediction results of some certain samples on the raw model.

      • def_preds (numpy.ndarray) – Prediction results of some certain samples on the defended model.

      • true_labels (numpy.ndarray) – Ground-truth labels of samples, a one-dimensional array whose size is raw_preds.shape[0].

Examples

    >>> import numpy as np
    >>> from mindarmour.evaluations import DefenseEvaluate
    >>> raw_preds = np.array([[0.1, 0.1, 0.2, 0.6],
    ...                       [0.1, 0.7, 0.0, 0.2],
    ...                       [0.8, 0.1, 0.0, 0.1]])
    >>> def_preds = np.array([[0.1, 0.1, 0.1, 0.7],
    ...                       [0.1, 0.6, 0.2, 0.1],
    ...                       [0.1, 0.2, 0.1, 0.6]])
    >>> true_labels = np.array([3, 1, 0])
    >>> def_eval = DefenseEvaluate(raw_preds,
    ...                            def_preds,
    ...                            true_labels)
    >>> def_eval.cav()

  • cav()[source]
  • Calculate classification accuracy variance (CAV).

    • Returns
    • float, the higher, the more successful the defense is.
  • ccv()[source]

  • Calculate classification confidence variance (CCV).

    • Returns
    • float, the lower, the more successful the defense is.

      • If return value >= 0, the defense is effective. The lower, the more successful the defense.

      • If return value == -1, len(idxes) == 0.

  • crr()[source]
  • Calculate classification rectify ratio (CRR).

    • Returns
    • float, the higher, the more successful the defense is.
  • csr()[source]

  • Calculate classification sacrifice ratio (CSR), the lower the better.

    • Returns
    • float, the lower, the more successful the defense is.
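
The four DefenseEvaluate metrics are easier to compare side by side. This added example (not MindArmour's own code) recomputes CAV, CRR, CSR and CCV with plain Python lists on the sample data from the DefenseEvaluate example above. The function name and the formulas (the commonly used definitions) are assumptions, as is reading the page's len(idxes) == 0 case as "no sample is classified correctly by both models".

```python
# Added illustration, not MindArmour source code. Formulas follow the commonly
# used definitions of CAV / CRR / CSR / CCV (assumed, not taken from the library).

def argmax(row):
    return max(range(len(row)), key=row.__getitem__)

def defense_metrics(raw_preds, def_preds, true_labels):
    n = len(true_labels)
    raw_ok = [argmax(p) == t for p, t in zip(raw_preds, true_labels)]
    def_ok = [argmax(p) == t for p, t in zip(def_preds, true_labels)]

    # CAV: accuracy of the defended model minus accuracy of the raw model.
    cav = (sum(def_ok) - sum(raw_ok)) / n
    # CRR: share of samples the raw model got wrong and the defense fixed.
    crr = sum(d and not r for r, d in zip(raw_ok, def_ok)) / n
    # CSR: share of samples the raw model got right and the defense broke.
    csr = sum(r and not d for r, d in zip(raw_ok, def_ok)) / n

    # CCV: mean change in true-class confidence over samples that both
    # models classify correctly; -1.0 when that index set is empty.
    both = [i for i in range(n) if raw_ok[i] and def_ok[i]]
    if both:
        ccv = sum(abs(raw_preds[i][true_labels[i]] - def_preds[i][true_labels[i]])
                  for i in both) / len(both)
    else:
        ccv = -1.0
    return {"CAV": cav, "CRR": crr, "CSR": csr, "CCV": ccv}

# Sample data copied from the DefenseEvaluate example on this page.
RAW_PREDS = [[0.1, 0.1, 0.2, 0.6], [0.1, 0.7, 0.0, 0.2], [0.8, 0.1, 0.0, 0.1]]
DEF_PREDS = [[0.1, 0.1, 0.1, 0.7], [0.1, 0.6, 0.2, 0.1], [0.1, 0.2, 0.1, 0.6]]
TRUE_LABELS = [3, 1, 0]

if __name__ == "__main__":
    for name, value in defense_metrics(RAW_PREDS, DEF_PREDS, TRUE_LABELS).items():
        print(f"{name}: {value:.4f}")
```

On this data the defense rectifies nothing (CRR = 0) and breaks one of three correct predictions (CSR = 1/3), so CAV = CRR - CSR is negative: the defended model is less accurate than the raw one on these samples.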
  • class mindarmour.evaluations.RadarMetric(metrics_name, metrics_data, labels, title, scale='hide')[source]
  • Radar chart to show the robustness of a model by multiple metrics.

    • Parameters
      • metrics_name (Union[tuple, list]) – An array of names of metrics to show.

      • metrics_data (numpy.ndarray) – The (normalized) values of each metric for multiple radar curves, like [[0.5, 0.8, …], [0.2, 0.6, …], …]. Each set of values corresponds to one radar curve.

      • labels (Union[tuple, list]) – Legends of all radar curves.

      • title (str) – Title of the chart.

      • scale (str) – Scalar to adjust axis ticks, such as ‘hide’, ‘norm’, ‘sparse’ or ‘dense’. Default: ‘hide’.

    • Raises

    • ValueError – If scale is not in [‘hide’, ‘norm’, ‘sparse’, ‘dense’].

Examples

    >>> from mindarmour.evaluations import RadarMetric
    >>> metrics_name = ['MR', 'ACAC', 'ASS', 'NTE', 'ACTC']
    >>> def_metrics = [0.9, 0.85, 0.6, 0.7, 0.8]
    >>> raw_metrics = [0.5, 0.3, 0.55, 0.65, 0.7]
    >>> metrics_data = [def_metrics, raw_metrics]
    >>> metrics_labels = ['before', 'after']
    >>> rm = RadarMetric(metrics_name,
    ...                  metrics_data,
    ...                  metrics_labels,
    ...                  title='',
    ...                  scale='sparse')
    >>> rm.show()