Single Image

Single Image

find_adversarial_example finds the closest adversarial example to a given input image for a particular NeuralNet.

As a sanity check, we suggest that you verify that the NeuralNet imported achieves the expected performance on the test set. This can be done using frac_correct.

Index

Public Interface

MIPVerify.find_adversarial_exampleMethod.
find_adversarial_example(nn, input, target_selection, main_solver; invert_target_selection, pp, norm_order, tolerance, rebuild, tightening_algorithm, tightening_solver, cache_model, solve_if_predicted_in_targeted, adversarial_example_objective)

Finds the perturbed image closest to input such that the network described by nn classifies the perturbed image in one of the categories identified by the indexes in target_selection.

main_solver specifies the solver used to solve the MIP problem once it has been built.

The output dictionary has keys :Model, :PerturbationFamily, :TargetIndexes, :SolveStatus, :Perturbation, :PerturbedInput, :Output. See the tutorial on what individual dictionary entries correspond to.

Formal Definition: If there are a total of n categories, the (perturbed) output vector y=d[:Output]=d[:PerturbedInput] |> nn has length n. We guarantee that y[j] - y[i] ≥ tolerance for some j ∈ target_selection and for all i ∉ target_selection.

Named Arguments:

  • invert_target_selection::Bool: Defaults to false. If true, sets target_selection to be its complement.

  • pp::PerturbationFamily: Defaults to UnrestrictedPerturbationFamily(). Determines the family of perturbations over which we are searching for adversarial examples.

  • norm_order::Real: Defaults to 1. Determines the distance norm used to determine the distance from the perturbed image to the original. Supported options are 1, Inf and 2 (if the main_solver used can solve MIQPs.)

  • tolerance::Real: Defaults to 0.0. See formal definition above.

  • rebuild::Bool: Defaults to false. If true, rebuilds model by determining upper and lower bounds on input to each non-linear unit even if a cached model exists.

  • tightening_algorithm::MIPVerify.TighteningAlgorithm: Defaults to mip. Determines how we determine the upper and lower bounds on input to each nonlinear unit. Allowed options are interval_arithmetic, lp, mip. (1) interval_arithmetic looks at the bounds on the output to the previous layer. (2) lp solves an lp corresponding to the mip formulation, but with any integer constraints relaxed. (3) mip solves the full mip formulation.

  • tightening_solver: Solver used to determine upper and lower bounds for input to nonlinear units. Defaults to the same type of solver as the main_solver, with a time limit of 20s per solver and output suppressed. Used only if the tightening_algorithm is lp or mip.

  • cache_model: Defaults to true. If true, saves model generated. If false, does not save model generated, but any existing cached model is retained.

  • solve_if_predicted_in_targeted: Defaults to true. The prediction that nn makes for the unperturbed input can be determined efficiently. If the predicted index is one of the indexes in target_selection, we can skip the relatively costly process of building the model for the MIP problem since we already have an "adversarial example" –- namely, the input itself. We continue build the model and solve the (trivial) MIP problem if and only if solve_if_predicted_in_targeted is true.

source
MIPVerify.frac_correctMethod.
frac_correct(nn, dataset, num_samples)

Returns the fraction of items the neural network correctly classifies of the first num_samples of the provided dataset. If there are fewer than num_samples items, we use all of the available samples.

Named Arguments:

  • nn::NeuralNet: The parameters of the neural network.

  • dataset::LabelledDataset:

  • num_samples::Integer: Number of samples to use.

source