def setUpClass(cls):
master_seed(seed=1234)
super().setUpClass()
cls.sklearn_model = LinearSVC()
cls.classifier = ScikitlearnSVC(model=cls.sklearn_model)
cls.classifier.fit(x=cls.x_train_iris, y=cls.y_train_iris)
def test_general_cancer_svc(breast_cancer_dataset):
"""
Check whether the produced adversaries are correct,
given SVC and breast cancer wisconsin dataset.
"""
(x_train, y_train, x_valid,
y_valid), _, clip_values = breast_cancer_dataset
svc_clf = SVC()
svc_clf.fit(x_train, y_train)
scaled_clip_values_cancer = (-1.0, 1.0)
clf_svc = ScikitlearnSVC(model=svc_clf,
clip_values=scaled_clip_values_cancer)
lpf_svc = LowProFool(classifier=clf_svc,
n_steps=15,
eta=15,
lambd=1.75,
eta_decay=0.985,
verbose=False)
lpf_svc.fit_importances(x_train, y_train)
n_classes = lpf_svc.n_classes
targets = np.eye(n_classes)[np.array(
y_valid.apply(lambda x: np.random.choice(
[i for i in range(n_classes) if i != x])))]
# Generate adversaries
adversaries = lpf_svc.generate(x=x_valid, y=targets)
# Check the success rate
expected = np.argmax(targets, axis=1)
predicted = np.argmax(clf_svc.predict(adversaries), axis=1)
correct = expected == predicted
success_rate = np.sum(correct) / correct.shape[0]
expected = 0.75
logger.info(
"[Breast cancer, Scikit-learn SVC] success rate of adversarial attack (expected >{:.2f}): "
"{:.2f}%".format(expected * 100, success_rate * 100))
assert success_rate > expected
def __init__(
self,
classifier: "ScikitlearnSVC",
step: Optional[float] = None,
eps: Optional[float] = None,
x_train: Optional[np.ndarray] = None,
y_train: Optional[np.ndarray] = None,
x_val: Optional[np.ndarray] = None,
y_val: Optional[np.ndarray] = None,
max_iter: int = 100,
verbose: bool = True,
) -> None:
"""
Initialize an SVM poisoning attack.
:param classifier: A trained :class:`.ScikitlearnSVC` classifier.
:param step: The step size of the classifier.
:param eps: The minimum difference in loss before convergence of the classifier.
:param x_train: The training data used for classification.
:param y_train: The training labels used for classification.
:param x_val: The validation data used to test the attack.
:param y_val: The validation labels used to test the attack.
:param max_iter: The maximum number of iterations for the attack.
:raises `NotImplementedError`, `TypeError`: If the argument classifier has the wrong type.
:param verbose: Show progress bars.
"""
# pylint: disable=W0212
from sklearn.svm import LinearSVC, SVC
super().__init__(classifier=classifier)
if isinstance(self.estimator.model, LinearSVC):
self._estimator = ScikitlearnSVC(
model=SVC(C=self.estimator.model.C, kernel="linear"),
clip_values=self.estimator.clip_values,
)
self.estimator.fit(x_train, y_train)
elif not isinstance(self.estimator.model, SVC):
raise NotImplementedError(
"Model type '{}' not yet supported".format(
type(self.estimator.model)))
self.step = step
self.eps = eps
self.x_train = x_train
self.y_train = y_train
self.x_val = x_val
self.y_val = y_val
self.max_iter = max_iter
self.verbose = verbose
self._check_params()
def setUpClass(cls):
master_seed(seed=301)
(x_train, y_train), (x_test, y_test), min_, max_ = load_mnist()
y_train = np.argmax(y_train, axis=1)
y_test = np.argmax(y_test, axis=1)
zero_or_four = np.logical_or(y_train == 4, y_train == 0, y_train == 9)
x_train = x_train[zero_or_four]
y_train = y_train[zero_or_four]
tr_labels = np.zeros((y_train.shape[0], 2))
tr_labels[y_train == 0] = np.array([1, 0])
tr_labels[y_train == 4] = np.array([0, 1])
y_train = tr_labels
zero_or_four = np.logical_or(y_test == 4, y_test == 0)
x_test = x_test[zero_or_four]
y_test = y_test[zero_or_four]
te_labels = np.zeros((y_test.shape[0], 2))
te_labels[y_test == 0] = np.array([1, 0])
te_labels[y_test == 4] = np.array([0, 1])
y_test = te_labels
n_samples_train = x_train.shape[0]
n_features_train = x_train.shape[1] * x_train.shape[2] * x_train.shape[3]
n_samples_test = x_test.shape[0]
n_features_test = x_test.shape[1] * x_test.shape[2] * x_test.shape[3]
x_train = x_train.reshape(n_samples_train, n_features_train)
x_test = x_test.reshape(n_samples_test, n_features_test)
x_train = x_train[:NB_TRAIN]
y_train = y_train[:NB_TRAIN]
trusted_data = x_test[:NB_TRUSTED]
trusted_labels = y_test[:NB_TRUSTED]
x_test = x_test[NB_TRUSTED:]
y_test = y_test[NB_TRUSTED:]
valid_data = x_test[:NB_VALID]
valid_labels = y_test[:NB_VALID]
x_test = x_test[NB_VALID:]
y_test = y_test[NB_VALID:]
clean_prov = np.random.randint(NB_DEVICES - 1, size=x_train.shape[0])
p_train = np.eye(NB_DEVICES)[clean_prov]
no_defense = ScikitlearnSVC(model=SVC(kernel=kernel, gamma="auto"), clip_values=(min_, max_))
no_defense.fit(x=x_train, y=y_train)
poison_points = np.random.randint(no_defense._model.support_vectors_.shape[0], size=NB_POISON)
all_poison_init = np.copy(no_defense._model.support_vectors_[poison_points])
poison_labels = np.array([1, 1]) - no_defense.predict(all_poison_init)
svm_attack = PoisoningAttackSVM(
classifier=no_defense,
x_train=x_train,
y_train=y_train,
step=0.1,
eps=1.0,
x_val=valid_data,
y_val=valid_labels,
)
poisoned_data, _ = svm_attack.poison(all_poison_init, y=poison_labels)
# Stack on poison to data and add provenance of bad actor
all_data = np.vstack([x_train, poisoned_data])
all_labels = np.vstack([y_train, poison_labels])
poison_prov = np.zeros((NB_POISON, NB_DEVICES))
poison_prov[:, NB_DEVICES - 1] = 1
all_p = np.vstack([p_train, poison_prov])
model = SVC(kernel=kernel, gamma="auto")
cls.mnist = (
(all_data, all_labels, all_p),
(x_test, y_test),
(trusted_data, trusted_labels),
(valid_data, valid_labels),
(min_, max_),
)
cls.classifier = SklearnClassifier(model=model, clip_values=(min_, max_))
cls.classifier.fit(all_data, all_labels)
cls.defence_trust = ProvenanceDefense(
cls.classifier, all_data, all_labels, all_p, x_val=trusted_data, y_val=trusted_labels, eps=0.1,
)
cls.defence_no_trust = ProvenanceDefense(cls.classifier, all_data, all_labels, all_p, eps=0.1)
def test_type(self):
self.assertIsInstance(
self.classifier, type(SklearnClassifier(model=self.sklearn_model)))
with self.assertRaises(TypeError):
ScikitlearnSVC(model="sklearn_model")