python3 神经网络

The author selected Dev Color to receive a donation as part of the Write for DOnations program.

作者选择Dev Color接受捐赠，这是Write for DOnations计划的一部分。

Could a neural network for animal classification be fooled? Fooling an animal classifier may have few consequences, but what if our face authenticator could be fooled? Or our self-driving car prototype’s software? Fortunately, legions of engineers and research stand between a prototype computer-vision model and production-quality models on our mobile devices or cars. Still, these risks have significant implications and are important to consider as a machine-learning practitioner.

用于动物分类的神经网络会被愚弄吗？ 愚弄动物分类器可能没有什么后果，但是如果我们的面部认证器可能被欺骗怎么办？ 还是我们的自动驾驶汽车原型软件？ 幸运的是，大量的工程师和研究人员站在我们的移动设备或汽车上的计算机视觉原型模型和生产质量模型之间。 尽管如此，这些风险仍然具有重大意义，对于作为机器学习从业者而言，这些风险也很重要。

In this tutorial, you will try “fooling” or tricking an animal classifier. As you work through the tutorial, you’ll use OpenCV, a computer-vision library, and PyTorch, a deep learning library. You will cover the following topics in the associated field of adversarial machine learning:

在本教程中，您将尝试“欺骗”或欺骗动物分类器。 在学习本教程时，您将使用OpenCV (一个计算机视觉库)和PyTorch (一个深度学习库)。 您将在对抗性机器学习的相关领域涵盖以下主题：

• Create a targeted adversarial example. Pick an image, say, of a dog. Pick a target class, say, a cat. Your goal is to trick the neural network into believing the pictured dog is a cat.

  创建一个有针对性的对抗示例 。 选择一个狗的图像。 选择一个目标类别，例如一只猫。 您的目标是欺骗神经网络，使之相信图中的狗是猫。

• Create an adversarial defense. In short, protect your neural network against these tricky images, without knowing what the trick is.

  建立对抗性防御 。 简而言之，保护您的神经网络不受这些棘手的图像的伤害，而不必知道这些技巧是什么。

By the end of the tutorial, you will have a tool for tricking neural networks and an understanding of how to defend against tricks.

到本教程结束时，您将拥有用于欺骗神经网络的工具，以及如何防御欺骗的知识。

先决条件 (Prerequisites)

To complete this tutorial, you will need the following:

要完成本教程，您将需要以下内容：

• A local development environment for Python 3 with at least 1GB of RAM. You can follow How to Install and Set Up a Local Programming Environment for Python 3 to configure everything you need.

  具有至少1GB RAM的Python 3本地开发环境。 您可以按照如何为Python 3安装和设置本地编程环境来配置所需的一切。

• It is recommended that you review Build an Emotion-Based Dog Filter; this tutorial is not explicitly used but introduces the notion of classification.

  建议您阅读“ 构建基于情感的狗过滤器” ； 本教程未明确使用，但介绍了分类的概念。

第1步-创建项目并安装依赖项 (Step 1 — Creating Your Project and Installing Dependencies)

Let’s create a workspace for this project and install the dependencies you’ll need. You’ll call your workspace AdversarialML:

让我们为该项目创建一个工作区，并安装所需的依赖项。 您将把您的工作区称为AdversarialML ：

Navigate to the AdversarialML directory:

导航到AdversarialML目录：

Make a directory to hold all your assets:

创建一个目录来保存您的所有资产：

Then create a new virtual environment for the project:

然后为项目创建一个新的虚拟环境：

Activate your environment:

激活您的环境：

Then install PyTorch, a deep-learning framework for Python that you’ll use in this tutorial.

然后安装PyTorch ，这是本教程中将使用的Python深度学习框架。

On macOS, install Pytorch with the following command:

在macOS上，使用以下命令安装Pytorch：

On Linux and Windows, use the following commands for a CPU-only build:

在Linux和Windows上，对仅CPU的构建使用以下命令：

Now install prepackaged binaries for OpenCV and numpy, which are libraries for computer vision and linear algebra, respectively. OpenCV offers utilities such as image rotations, and numpy offers linear algebra utilities such as a matrix inversion:

现在为OpenCV和numpy安装预打包的二进制文件，它们分别是计算机视觉和线性代数的库。 OpenCV提供诸如图像旋转之类的实用程序，而numpy提供诸如矩阵求逆之类的线性代数实用程序：

On Linux distributions, you will need to install libSM.so:

在Linux发行版上，您将需要安装libSM.so ：

With the dependencies installed, let’s run an animal classifier called ResNet18, which we describe next.

安装依赖项后，我们运行一个称为ResNet18的动物分类器，我们将在下面进行描述。

第2步-运行预先训练的动物分类器 (Step 2 — Running a Pretrained Animal Classifier)

The torchvision library, the official computer vision library for PyTorch, contains pretrained versions of commonly used computer vision neural networks. These neural networks are all trained on ImageNet 2012, a dataset of 1.2 million training images with 1000 classes. These classes include vehicles, places, and most importantly, animals. In this step, you will run one of these pretrained neural networks, called ResNet18. We will refer to ResNet18 trained on ImageNet as an “animal classifier”.

torchvision库是torchvision的官方计算机视觉库，其中包含常用计算机视觉神经网络的预训练版本。 这些神经网络都在ImageNet 2012上进行了训练， ImageNet 2012是120万个训练图像的1000个分类的数据集。 这些类别包括车辆，地点，最重要的是动物。 在此步骤中，您将运行这些预训练的神经网络之一，称为ResNet18。 我们将经过ImageNet培训的ResNet18称为“动物分类器”。

What is ResNet18? ResNet18 is the smallest neural network in a family of neural networks called residual neural networks, developed by MSR (He et al.). In short, He found that a neural network (denoted as a function f, with input x, and output f(x)) would perform better with a “residual connection” x + f(x). This residual connection is used prolifically in state-of-the-art neural networks, even today. For example, FBNetV2, FBNetV3.

什么是ResNet18？ ResNet18是由MSR (He et al。)开发的称为残差神经网络的神经网络家族中最小的神经网络。 简而言之，他发现神经网络(表示为具有输入x和输出f(x)的函数f )在“残余连接” x + f(x)会表现更好。 即使在今天，这种残余连接也被大量使用在最新的神经网络中。 例如， FBNetV2 ， FBNetV3 。

Download this image of a dog with the following command:

使用以下命令下载此狗的图像 ：

Then, download a JSON file to convert neural network output to a human-readable class name:

然后，下载一个JSON文件以将神经网络输出转换为人类可读的类名：

Next, create a script to run your pretrained model on the dog image. Create a new file called step_2_pretrained.py:

接下来，创建一个脚本以在狗图像上运行您的预训练模型。 创建一个名为step_2_pretrained.py的新文件：

First, add the Python boilerplate by importing the necessary packages and declaring a main function:

首先，通过导入必要的软件包并声明main功能来添加Python样板：

from PIL import Image
import json
import torchvision.models as models
import torchvision.transforms as transforms
import torch
import sysdef main():passif __name__ == '__main__':main()

Next, load the mapping from neural network output to human-readable class names. Add this directly after your import statements and before your main function:

接下来，加载从神经网络输出到人类可读类名的映射。 在import语句之后和main函数之前直接添加以下代码：

. . .
def get_idx_to_label():with open("assets/imagenet_idx_to_label.json") as f:return json.load(f)
. . .

Create an image transformation function that will ensure your input image firstly has the correct dimensions, and secondly is normalized correctly. Add the following function directly after the last:

创建一个图像变换功能，该功能将首先确保您输入的图像具有正确的尺寸，其次将被正确规范化。 在最后一个之后直接添加以下功能：

. . .
def get_image_transform():transform = transforms.Compose([transforms.Resize(224),transforms.CenterCrop(224),transforms.ToTensor(),transforms.Normalize(mean=[0.485, 0.456, 0.406],std=[0.229, 0.224, 0.225])])return transform
. . .

In get_image_transform, you define a number of different transformations to apply to the images that are passed to your neural network:

在get_image_transform ，您定义了许多不同的转换，以应用于传递到神经网络的图像：

• transforms.Resize(224): Resizes the smaller side of the image to 224. For example, if your image is 448 x 672, this operation would downsample the image to 224 x 336.

  transforms.Resize(224) ：将图像的较小侧调整为224。例如，如果您的图像为448 x 672，则此操作会将图像缩减为224 x 336。

• transforms.CenterCrop(224): Takes a crop from the center of the image, of size 224 x 224.

  transforms.CenterCrop(224) ：从图像中心进行裁剪，尺寸为224 x 224。

• transforms.ToTensor(): Converts the image into a PyTorch tensor. All PyTorch models require PyTorch tensors as input.

  transforms.ToTensor() ：将图像转换为PyTorch张量。 所有PyTorch模型都需要PyTorch张量作为输入。

• transforms.Normalize(mean=..., std=...): Standardizes your input by subtracting the mean, then dividing by the standard deviation. This is described more precisely in the torchvision documentation.

  transforms.Normalize(mean=..., std=...) ：通过减去平均值，然后除以标准差来标准化输入。 这在torchvision文档中有更精确的描述。

Add a utility to predict the animal class, given the image. This method uses both the previous utilities to perform animal classification:

给定图像，添加一个实用程序来预测动物类别。 此方法使用以前的两个实用程序执行动物分类：

. . .
def predict(image):model = models.resnet18(pretrained=True)model.eval()out = model(image)_, pred = torch.max(out, 1)  idx_to_label = get_idx_to_label()  cls = idx_to_label[str(int(pred))]  return cls
. . .

Here the predict function classifies the provided image using a pretrained neural network:

在这里， predict函数使用预训练的神经网络对提供的图像进行分类：

• models.resnet18(pretrained=True): Loads a pretrained neural network called ResNet18.

  models.resnet18(pretrained=True) ：加载称为ResNet18的预训练神经网络。

• model.eval(): Modifies the model in-place to run in ‘evaluation’ mode. The only other mode is 'training’ mode, but training mode isn’t needed, as you aren’t training the model (that is, updating the model’s parameters) in this tutorial.

  model.eval() ：就地修改模型以在“评估”模式下运行。 唯一的其他模式是“训练”模式，但是不需要训练模式，因为您在本教程中并不训练模型(即更新模型的参数)。

• out = model(image): Runs the neural network on the provided, transformed image.

  out = model(image) ：在提供的转换图像上运行神经网络。

• _, pred = torch.max(out, 1): The neural network outputs one probability for each possible class. This step computes the index of the class with the highest probability. For example, if out = [0.4, 0.1, 0.2], then pred = 0.

  _, pred = torch.max(out, 1) ：神经网络为每种可能的类别输出一个概率。 此步骤计算出具有最高概率的类别的索引。 例如，如果out = [0.4, 0.1, 0.2] pred = 0 out = [0.4, 0.1, 0.2] ，则pred = 0 。

• idx_to_label = get_idx_to_label(): Obtains a mapping from class index to human-readable class names. For example, the mapping could be {0: cat, 1: dog, 2: fish}.

  idx_to_label = get_idx_to_label() ：获得从类索引到人类可读的类名的映射。 例如，映射可以是{0: cat, 1: dog, 2: fish} 。

• cls = idx_to_label[str(int(pred))]: Convert the predicted class index to a class name. The examples provided in the last two bullet points would yield cls = idx_to_label[0] = 'cat'.

  cls = idx_to_label[str(int(pred))] ：将预测的类索引转换为类名。 最后两个要点提供的示例将产生cls = idx_to_label[0] = 'cat' 。

Next, following the last function, add a utility to load images:

接下来，在最后一个功能之后，添加一个实用程序来加载图像：

. . .
def load_image():assert len(sys.argv) > 1, 'Need to pass path to image'image = Image.open(sys.argv[1])transform = get_image_transform()image = transform(image)[None]return image
. . .

This will load an image from the path provided in the first argument to the script. transform(image)[None] applies the sequence of image transformations defined in the previous lines.

这将从脚本的第一个参数中提供的路径中加载图像。 transform(image)[None]应用前几行中定义的图像转换序列。

Finally, populate your main function with the following, to load your image and classify the animal in the image:

最后，使用以下命令填充您的main函数，以加载图像并对图像中的动物进行分类：

def main():x = load_image()print(f'Prediction: {predict(x)}')

Double check that your file matches our final step 2 script at step_2_pretrained.py on GitHub. Save and exit your script, and run the animal classifier:

在GitHub上的step_2_pretrained.py仔细检查您的文件是否与我们最后的第2步脚本相匹配。 保存并退出脚本，然后运行动物分类器：

This will produce the following output, showing your animal classifier works as expected:

这将产生以下输出，显示您的动物分类器按预期工作：

Prediction: Pembroke, Pembroke Welsh corgi

That concludes running inference with your pretrained model. Next, you will see an adversarial example in action by tricking a neural network with impercetible differences in the image.

到此结束对您的预训练模型的推断。 接下来，您将看到一个欺骗性示例，该示例通过欺骗图像中存在难以置信的差异的神经网络进行操作。

步骤3 —尝试一个对抗性的例子 (Step 3 — Trying an Adversarial Example)

Now, you will synthesize an adversarial example, and test the neural network on that example. For this tutorial, you will build adversarial examples of the form x + r, where x is the original image and r is some “perturbation”. You will eventually create the perturbation r yourself, but in this step, you will download one we created for you beforehand. Start by downloading the perturbation r:

现在，您将合成一个对抗性示例，并在该示例上测试神经网络。 在本教程中，您将构建x + r形式的对抗示例，其中x是原始图像， r是一些“摄动”。 你最终会创造扰动r自己，但在这个步骤中，您会下载一个我们为您建立事前。 首先下载扰动r ：

Now composite the picture with the perturbation. Create a new file called step_3_adversarial.py:

现在将图片与摄动合成。 创建一个名为step_3_adversarial.py的新文件：

In this file, you will perform the following three-step process, to produce an adversarial example:

在此文件中，您将执行以下三步过程，以产生一个对抗性示例：

1. Transform an image变换图像

2. Apply the perturbation r

   应用扰动r

3. Inverse transform the perturbed image逆变换扰动的图像

At the end of step 3, you will have an adversarial image. First, import the necessary packages and declare a main function:

在第3步结束时，您将拥有一个对抗形象。 首先，导入必要的包并声明一个main功能：

from PIL import Image
import torchvision.transforms as transforms
import torch
import numpy as np
import os
import sysfrom step_2_pretrained import get_idx_to_label, get_image_transform, predict, load_imagedef main():passif __name__ == '__main__':main()

Next, create an “image transformation” that inverts the earlier image transformation. Place this after your imports, before the main function:

接下来，创建一个“图像转换”，将先前的图像转换反转。 将其放置在导入之后， main功能之前：

. . .
def get_inverse_transform():return transforms.Normalize(mean=[-0.485/0.229, -0.456/0.224, -0.406/0.255],  # INVERSE normalize images, according to https://pytorch.org/docs/stable/torchvision/models.htmlstd=[1/0.229, 1/0.224, 1/0.255])
. . .

As before, the transforms.Normalize operation subtracts the mean and divides by the standard deviation (that is, for the original image x, y = transforms.Normalize(mean=u, std=o) = (x - u) / o). You do some algebra and define a new operation that reverses this normalize function (transforms.Normalize(mean=-u/o, std=1/o) = (y - -u/o) / 1/o = (y + u/o) o = yo + u = x).

和以前一样， transforms.Normalize操作减去平均值并除以标准差(即，对于原始图像x ， y = transforms.Normalize(mean=u, std=o) = (x - u) / o ) 。 您进行一些代数运算并定义一个新操作来反转此归一化函数( transforms.Normalize(mean=-u/o, std=1/o) = (y - -u/o) / 1/o = (y + u/o) o = yo + u = x )。

As part of the inverse transformation, add a method that transforms a PyTorch tensor back to a PIL image. Add this following the last function:

作为逆变换的一部分，添加一种将PyTorch张量变换回PIL图像的方法。 在最后一个函数之后添加：

. . .
def tensor_to_image(tensor):x = tensor.data.numpy().transpose(1, 2, 0) * 255.  x = np.clip(x, 0, 255)return Image.fromarray(x.astype(np.uint8))
. . .

• tensor.data.numpy() converts the PyTorch tensor into a NumPy array. .transpose(1, 2, 0) rearranges (channels, width, height) into (height, width, channels). This NumPy array is approximately in the range (0, 1). Finally, multiply by 255 to ensure the image is now in the range (0, 255).

  tensor.data.numpy()将PyTorch张量转换为NumPy数组。 .transpose(1, 2, 0) (channels, width, height)重新排列为(height, width, channels) 。 此NumPy数组大约在(0, 1)范围内。 最后，乘以255以确保图像现在在(0, 255)范围内。

• np.clip ensures that all values in the image are between (0, 255).

  np.clip确保图像中的所有值都在(0, 255) 。

• x.astype(np.uint8) ensures all image values are integers. Finally, Image.fromarray(...) creates a PIL image object from the NumPy array.

  x.astype(np.uint8)确保所有图像值都是整数。 最后， Image.fromarray(...)从NumPy数组创建一个PIL图像对象。

Then, use these utilities to create the adversarial example with the following:

然后，使用这些实用程序创建具有以下内容的对抗示例：

. . .
def get_adversarial_example(x, r):y = x + ry = get_inverse_transform()(y[0])image = tensor_to_image(y)return image
. . .

This function generates the adversarial example as described at the start of the section:

此功能生成对抗示例，如本节开头所述：

1. y = x + r. Take your perturbation r and add it to the original image x.

   y = x + r 取扰动r并将其添加到原始图像x 。

2. get_inverse_transform: Obtain and apply the reverse image transformation you defined several lines earlier.

   get_inverse_transform ：获取并应用您先前定义的几行反向图像转换。

3. tensor_to_image: Finally, convert the PyTorch tensor back to an image object.

   tensor_to_image ：最后，将PyTorch张量转换回图像对象。

Finally, modify your main function to load the image, load the adversarial perturbation r, apply the perturbation, save the adversarial example to disk, and run prediction on the adversarial example:

最后，修改您的main功能以加载图像，加载对抗性扰动r ，应用扰动，将对抗性示例保存到磁盘，并在对抗性示例上运行预测：

def main():x = load_image()r = torch.Tensor(np.load('assets/adversarial_r.npy'))# save perturbed imageos.makedirs('outputs', exist_ok=True)adversarial = get_adversarial_example(x, r)adversarial.save('outputs/adversarial.png')# check prediction is new classprint(f'Old prediction: {predict(x)}')print(f'New prediction: {predict(x + r)}')

Your completed file should match step_3_adversarial.py on GitHub. Save the file, exit the editor, and launch your script with:

完成的文件应与GitHub上的step_3_adversarial.py匹配。 保存文件，退出编辑器，并使用以下命令启动脚本：

You’ll see this output:

您将看到以下输出：

Old prediction: Pembroke, Pembroke Welsh corgi
New prediction: goldfish, Carassius auratus

You’ve now created an adversarial example: tricking the neural network into thinking a corgi is a goldfish. In the next step, you will actually create the perturbation r that you used here.

现在，您已经创建了一个对抗性示例：欺骗神经网络以使其认为小狗是金鱼。 在下一步中，您将实际创建在此使用的扰动r 。

第4步-了解对抗示例 (Step 4 — Understanding an Adversarial Example)

For a primer on classification, see “How to Build an Emotion-Based Dog Filter”.

有关分类的基础知识，请参见“如何构建基于情感的狗过滤器” 。

Taking a step back, recall that your classification model outputs a probability for each class. During inference, the model predicts the class with the highest probability. During training, you update the model parameters t to maximize the probability of the correct class y, given your data x.

退后一步，回想一下您的分类模型为每个类别输出一个概率。 在推理期间，模型以最高的概率预测类别。 在训练过程中，给定数据x ，您将更新模型参数t以使正确类别y的概率最大化。

argmax_y P(y|x,t)

However, to generate adversarial examples, you now modify your goal. Instead of finding a class, your goal is now to find a new image, x. Take any class other than the correct one. Let us call this new class w. Your new objective is to maximize the probability of the wrong class.

但是，要生成对抗性示例，您现在可以修改目标。 现在，您的目标是找到一个新的图像x ，而不是查找一个类。 参加除正确课程以外的任何课程。 让我们称这个新类为w 。 您的新目标是最大程度地提高上错课的可能性。

argmax_x P(w|x)

Note that the neural network weights t are missing from the above expression. This is because you now assume the role of the adversary: Someone else has trained and deployed a model. You are only allowed to create adversarial inputs and are not allowed to modify the deployed model. To generate the adversarial example x, you can run “training”, except instead of updating the neural network weights, you update the input image with the new objective.

注意，上述表达式中缺少神经网络权重t 。 这是因为您现在扮演对手的角色：有人训练和部署了模型。 您只可以创建对抗性输入，而不能修改部署的模型。 要生成对抗性示例x ，可以运行“训练”，除了用新的物镜更新输入图像以外，不更新神经网络权重。

As a reminder, for this tutorial, you assume that the adversarial example is an affine transformation of x. In other words, your adversarial example takes the form x + r for some r. In the next step, you will write a script to generate this r.

提醒一下，在本教程中，您假设对抗性示例是x的仿射变换。 换句话说，您的对抗示例对某r采取x + r的形式。 在下一步中，您将编写一个脚本来生成此r 。

第5步-创建对抗示例 (Step 5 — Creating an Adversarial Example)

In this step, you will learn a perturbation r, so that your corgi is misclassified as a goldfish. Create a new file called step_5_perturb.py:

在这一步中，您将学习扰动r ，以便将您的柯基犬图片误分类为金鱼。 创建一个名为step_5_perturb.py的新文件：

Import the necessary packages and declare a main function:

导入必要的软件包并声明一个main功能：

from torch.autograd import Variable
import torchvision.models as models
import torch.nn as nn
import torch.optim as optim
import numpy as np
import torch
import osfrom step_2_pretrained import get_idx_to_label, get_image_transform, predict, load_image
from step_3_adversarial import get_adversarial_exampledef main():passif __name__ == '__main__':main()

Directly following your imports and before the main function, define two constants:

直接在导入之后并在main函数之前，定义两个常量：

. . .
TARGET_LABEL = 1
EPSILON = 10 / 255.
. . .

The first constant TARGET_LABEL is the class to misclassify the corgi as. In this case, index 1 corresponds to “goldfish”. The second constant EPSILON is the maximum amount of perturbation allowed for each image value. This limit is introduced so that the image is imperceptibly altered.

第一个常量TARGET_LABEL是将柯基狗误分类为的类。 在这种情况下，索引1对应于“金鱼”。 第二个常数EPSILON是每个图像值所允许的最大摄动量。 引入此限制是为了使图像不会被察觉地改变。

Following your two constants, add a helper function to define a neural network and the perturbation parameter r:

在您的两个常数之后，添加一个辅助函数来定义神经网络和扰动参数r ：

. . .
def get_model():net = models.resnet18(pretrained=True).eval()r = nn.Parameter(data=torch.zeros(1, 3, 224, 224), requires_grad=True)return net, r
. . .

• model.resnet18(pretrained=True) loads a pretrained neural network called ResNet18, like before. Also like before, you set the model to evaluation mode using .eval.

  像以前一样， model.resnet18(pretrained=True)加载称为ResNet18的预训练神经网络。 与之前一样，您可以使用.eval将模型设置为评估模式。

• nn.Parameter(...) defines a new perturbation r, the size of the input image. The input image is also of size (1, 3, 224, 224). The requires_grad=True keyword argument ensures that you can update this perturbation r in later lines, in this file.

  nn.Parameter(...)定义新的扰动r ，即输入图像的大小。 输入图像的大小也为(1, 3, 224, 224) 。 requires_grad=True关键字参数可确保您可以在此文件的以后各行中更新此扰动r 。

Next, begin modifying your main function. Start by loading the model net, loading the inputs x, and defining the label label:

接下来，开始修改您的main功能。 首先加载模型net ，加载输入x ，然后定义标签label ：

. . .
def main():print(f'Target class: {get_idx_to_label()[str(TARGET_LABEL)]}')net, r = get_model()x = load_image()labels = Variable(torch.Tensor([TARGET_LABEL])).long(). . .

Next, define both the criterion and the optimizer in your main function. The former tells PyTorch what the objective is—that is, what loss to minimize. The latter tells PyTorch how to train your parameter r:

接下来，在您的main功能中定义标准和优化程序。 前者告诉PyTorch目标是什么，也就是要最大程度地减少损失。 后者告诉PyTorch如何训练参数r ：

. . .criterion = nn.CrossEntropyLoss()optimizer = optim.SGD([r], lr=0.1, momentum=0.1)
. . .

Directly following, add the main training loop for your parameter r:

紧接着，为参数r添加主训练循环：

. . .for i in range(30):r.data.clamp_(-EPSILON, EPSILON)optimizer.zero_grad()outputs = net(x + r)loss = criterion(outputs, labels)loss.backward()optimizer.step()_, pred = torch.max(outputs, 1)if i % 5 == 0:print(f'Loss: {loss.item():.2f} / Class: {get_idx_to_label()[str(int(pred))]}')
. . .

On each iteration of this training loop, you:

在此训练循环的每次迭代中，您：

• r.data.clamp_(...): Ensure the parameter r is small, within EPSILON of 0.

  r.data.clamp_(...) ：确保参数r小， EPSILON为0之内。

• optimizer.zero_grad(): Clear any gradients you computed in the previous iteration.

  optimizer.zero_grad() ：清除您在上一次迭代中计算的任何渐变。

• model(x + r): Run inference on the modified image x + r.

  model(x + r) ：对修改后的图像x + r推断。

• Compute the loss.

  计算loss 。

• Compute the gradient loss.backward.

  计算梯度loss.backward 。

• Take a gradient descent step optimizer.step.

  采取梯度下降步骤optimizer.step 。

• Compute the prediction pred.

  计算预测pred 。

• Finally, report the loss and predicted class print(...).

  最后，报告损失和预测的类print(...) 。

Next, save the final perturbation r:

接下来，保存最终扰动r ：

def main():. . .for i in range(30):. . .. . .np.save('outputs/adversarial_r.npy', r.data.numpy())

Directly following, still in the main function, save the perturbed image:

紧接着仍在main功能中，保存被摄动的图像：

. . .os.makedirs('outputs', exist_ok=True)adversarial = get_adversarial_example(x, r)

Finally, run prediction on both the original image and the adversarial example:

最后，对原始图像和对抗示例进行预测：

print(f'Old prediction: {predict(x)}')print(f'New prediction: {predict(x + r)}')

Double check your script matches step_5_perturb.py on GitHub. Save, exit, and run the script:

仔细检查您的脚本是否与GitHub上的step_5_perturb.py相匹配。 保存，退出并运行脚本：

Your script will output the following.

您的脚本将输出以下内容。

Target class: goldfish, Carassius auratus
Loss: 17.03 / Class: Pembroke, Pembroke Welsh corgi
Loss: 8.19 / Class: Pembroke, Pembroke Welsh corgi
Loss: 5.56 / Class: Pembroke, Pembroke Welsh corgi
Loss: 3.53 / Class: Pembroke, Pembroke Welsh corgi
Loss: 1.99 / Class: Pembroke, Pembroke Welsh corgi
Loss: 1.00 / Class: goldfish, Carassius auratus
Old prediction: Pembroke, Pembroke Welsh corgi
New prediction: goldfish, Carassius auratus

The last two lines indicate you have now completed construction of an adversarial example from scratch. Your neural network now classifies a perfectly reasonable corgi image as a goldfish.

最后两行表明您现在已经从头开始完成一个对抗示例的构建。 您的神经网络现在将完全合理的柯基犬图片归类为金鱼。

You’ve now shown that neural networks can be fooled easily—what’s more, the lack of robustness to adversarial examples has significant consequences. A natural next question is this: How can you combat adversarial examples? A good amount of research has been conducted by various organizations, including OpenAI. In the next section, you’ll run a defense to thwart this adversarial example.

现在，您已经证明了神经网络很容易被愚弄-而且，缺乏对抗性示例的鲁棒性会带来重大后果。 一个自然的下一个问题是：如何对抗对抗性例子？ 包括OpenAI在内的各种组织已经进行了大量研究。 在下一部分中，您将进行防御以挫败此对抗性示例。

第6步-对抗对手的例子 (Step 6 — Defending Against Adversarial Examples)

In this step, you will implement a defense against adversarial examples. The idea is the following: You are now the owner of the animal classifier being deployed to production. You don’t know what adversarial examples may be generated, but you can modify the image or the model to protect against attacks.

在此步骤中，您将防御对抗性示例。 想法如下：您现在是部署到生产中的动物分类器的所有者。 您不知道可能会生成哪些对抗示例，但是您可以修改映像或模型以防止受到攻击。

Before you defend, you should see for yourself how imperceptible the image manipulation is. Open both of the following images:

在您进行辩护之前，您应该亲眼目睹图像操纵的潜移默化。 打开以下两个图像：

1. assets/dog.jpg

   assets/dog.jpg

2. outputs/adversarial.png

   outputs/adversarial.png

Here, you show both side by side. Your original image will have a different aspect ratio. Can you tell which is the adversarial example?

在这里，您可以同时显示两个。 您的原始图像将具有不同的宽高比。 你能说出哪个是对抗性的例子吗？

Notice that the new image looks identical to the original. As it turns out, the left image is your adversarial image. To be certain, download the image and run your evaluation script:

请注意，新图像看起来与原始图像相同。 事实证明，左图是您的对抗图。 可以肯定的是，下载图像并运行评估脚本：

This will output the goldfish class, to prove its adversarial nature:

这将输出金鱼类，以证明其对抗性质：

Prediction: goldfish, Carassius auratus

You will run a fairly naive, but effective, defense: Compress the image by writing to a lossy JPEG format. Open the Python interactive prompt:

您将运行一个非常幼稚但有效的防御措施：通过写入有损JPEG格式来压缩图像。 打开Python交互式提示：

Then, load the adversarial image as PNG, and save it back as a JPEG.

然后，将对抗性图像加载为PNG，并将其另存为JPEG。

Type CTRL + D to leave the Python interactive prompt. Next, run inference with your model on the compressed adversarial example:

输入CTRL + D退出Python交互式提示符。 接下来，在压缩的对抗示例中对模型进行推断：

This will now output the corgi class, proving the efficacy of your naive defense.

现在，这将输出柯基犬等级，证明您的幼稚防御能力有效。

Prediction: Pembroke, Pembroke Welsh corgi

You’ve now completed your very first adversarial defense. Note that this defense does not require knowing how the adversarial example was generated. This is what makes an effective defense. There are also many other forms of defense, many of which involve retraining the neural network. However, these retraining procedures are a topic of their own and beyond the scope of this tutorial. With that, this concludes your guide into adversarial machine learning.

现在，您已经完成了第一个对抗性防御。 注意，这种防御不需要知道如何产生对抗性例子。 这就是有效的防御措施。 还有许多其他形式的防御，其中许多涉及重新训练神经网络。 但是，这些再培训过程本身就是一个主题，不在本教程的讨论范围之内。 这样一来，您就可以得出对抗性机器学习的指南。

结论 (Conclusion)

To understand the implications of your work in this tutorial, revisit the two images side-by-side—the original and the adversarial example.

要了解本教程中您的工作的含义，请并排重新查看两个图像-原始示例和对抗示例。

Despite the fact that both images look identical to the human eye, the first has been manipulated to fool your model. Both images clearly feature a corgi, and yet the model is entirely confident that the second model contains a goldfish. This should concern you and, as you wrap up this tutorial, keep in mind the fragility of your model. Just by applying a simple transformation, you can fool it. These are real, plausible dangers that evade even cutting-edge research. Research beyond machine-learning security is just as susceptible to these flaws, and, as a practitioner, it is up to you to apply machine learning safely. For more readings, check out the following links:

尽管两个图像看起来都与人眼相同，但第一个图像已被操纵来欺骗您的模型。 这两个图像都清楚地显示了柯基犬图片，但是该模型完全有信心第二个模型包含一条金鱼。 这应该引起您的关注，并且在完成本教程时，请记住模型的脆弱性。 只需应用简单的转换，就可以使其蒙混。 这些是真实的，似乎合理的危险，即使是最前沿的研究也无法规避。 超出机器学习安全性的研究也容易受到这些漏洞的影响，并且作为从业者，您有责任安全地应用机器学习。 欲了解更多信息，请查看以下链接：

• Adversarial Machine Learning tutorial from NeurIPS 2018 Conference.

  来自NeurIPS 2018 Conference的Adversarial Machine Learning教程。

• Related blog posts from OpenAI on Attacking Machine Learning with Adversarial Examples, Testing Robustness Against Unseen Adversaries, and Robust Adversarial Inputs.

  OpenAI的相关博客文章涉及攻击机器学习的对抗实例 ， 测试对看不见的对手的鲁棒性和鲁棒的对抗投入 。

For more machine learning content and tutorials, you can visit our Machine Learning Topic page.

有关更多机器学习内容和教程，您可以访问我们的机器学习主题页面 。

翻译自: https://www.digitalocean.com/community/tutorials/how-to-trick-a-neural-network-in-python-3

python3 神经网络