"""The CarliniWagnerL2 attack """ import logging import numpy as np import tensorflow as tf from cleverhans.attacks.attack import Attack from cleverhans.compat import reduce_sum, reduce_max from cleverhans.model import CallableModelWrapper, Model, wrapper_warning_logits from cleverhans import utils np_dtype = np.dtype('float32') tf_dtype = tf.as_dtype('float32') _logger = utils.create_logger("cleverhans.attacks.carlini_wagner_l2") _logger.setLevel(logging.INFO) class CarliniWagnerL2(Attack): """ This attack was originally proposed by Carlini and Wagner. It is an iterative attack that finds adversarial examples on many defenses that are robust to other attacks. Paper link: https://arxiv.org/abs/1608.04644 At a high level, this attack is an iterative attack using Adam and a specially-chosen loss function to find adversarial examples with lower distortion than other attacks. This comes at the cost of speed, as this attack is often much slower than others.
from cleverhans.attacks_tf import jacobian_graph from cleverhans import utils_tf from cleverhans import utils import copy FLAGS = flags.FLAGS # NOTE: I found 4 attack method in Cifar-10 untargeted attack has low successful rate, which are # 1. VirtualAdversarialMethod, 2. L2 norm of MomentumIterativeMethod, # 3. L2 norm of BasicIterativeMethod, 4. L infinity version of deep_fool(the original cleverhans deepfool is L2 norm, I extend it to L-inf version according to original paper, # In addition, I also test a L-infinity version of DeepFool, this code is just little modifed of original cleverhans' DeepFool # to add L-inf functionality, which is described in original paper's page 5. # paper can be downloaded from https://arxiv.org/abs/1511.04599. But it also test FAILED! SUCCESSFUL RATE is so LOW! # implementation of L-infinity version of DeepFool, just modified little code of original L2 version cleverhans deepfool _logger = utils.create_logger("cleverhans.attacks.tf") def deepfool_batch(sess, x, pred, logits, grads, X, nb_candidate, overshoot, max_iter, clip_min, clip_max, nb_classes, Lp_norm=2, feed=None, ):
"""The LBFGS attack """ import numpy as np import tensorflow as tf from cleverhans.attacks.attack import Attack from cleverhans.compat import reduce_sum, softmax_cross_entropy_with_logits from cleverhans.model import CallableModelWrapper, Model, wrapper_warning from cleverhans import utils from cleverhans import utils_tf _logger = utils.create_logger("cleverhans.attacks.lbfgs") tf_dtype = tf.as_dtype('float32') class LBFGS(Attack): """ LBFGS is the first adversarial attack for convolutional neural networks, and is a target & iterative attack. Paper link: "https://arxiv.org/pdf/1312.6199.pdf" :param model: cleverhans.model.Model :param sess: tf.Session :param dtypestr: dtype of the data :param kwargs: passed through to super constructor """ def __init__(self, model, sess, dtypestr='float32', **kwargs): """ Note: the model parameter should be an instance of the cleverhans.model.Model abstraction provided by CleverHans.
import numpy as np import warnings import cleverhans.utils as utils from cleverhans.model import Model, CallableModelWrapper from cleverhans.attacks import Attack _logger = utils.create_logger("EOT_attacks") class EOT_ATTACK(Attack): """ This attack was originally proposed by Carlini and Wagner. It is an iterative attack that finds adversarial examples on many defenses that are robust to other attacks. Paper link: https://arxiv.org/abs/1608.04644 At a high level, this attack is an iterative attack using Adam and a specially-chosen loss function to find adversarial examples with lower distortion than other attacks. This comes at the cost of speed, as this attack is often much slower than others. """ def __init__(self, model, back='tf', sess=None, dtypestr='float32'): """ Note: the model parameter should be an instance of the cleverhans.model.Model abstraction provided by CleverHans. """ if not isinstance(model, Model): model = CallableModelWrapper(model, 'logits') super(EOT_ATTACK, self).__init__(model, back, sess, dtypestr) self.feedable_kwargs = {'y': self.tf_dtype,
""" # pylint: disable=missing-docstring import logging import numpy as np import tensorflow as tf from cleverhans.attacks.attack import Attack from cleverhans.compat import reduce_sum, reduce_max from cleverhans.model import CallableModelWrapper, Model, wrapper_warning_logits from cleverhans import utils np_dtype = np.dtype('float32') tf_dtype = tf.as_dtype('float32') _logger = utils.create_logger("cleverhans.attacks.bpda_l2") _logger.setLevel(logging.INFO) class BPDAL2(Attack): """ :param model: cleverhans.model.Model :param sess: tf.Session :param dtypestr: dtype of the data :param kwargs: passed through to super constructor """ def __init__(self, model, reconstructor, sess, dtypestr='float32',
""" Boundary Attack++ """ import logging import numpy as np import tensorflow as tf from warnings import warn from cleverhans.attacks import Attack from cleverhans.model import CallableModelWrapper, Model, wrapper_warning_logits from cleverhans import utils, utils_tf np_dtype = np.dtype('float32') tf_dtype = tf.as_dtype('float32') _logger = utils.create_logger("cleverhans.attacks.hop_skip_jump_attack") _logger.setLevel(logging.INFO) class HopSkipJumpAttack(Attack): """ HopSkipJumpAttack was originally proposed by Chen, Jordan and Wainwright. It is a decision-based attack that requires access to output labels of a model alone. Paper link: https://arxiv.org/abs/1904.02144 At a high level, this attack is an iterative attack composed of three steps: Binary search to approach the boundary; gradient estimation; stepsize search. HopSkipJumpAttack requires fewer model queries than Boundary Attack which was based on rejective sampling. :param model: cleverhans.model.Model :param sess: tf.Session :param dtypestr: dtype of the data :param kwargs: passed through to super constructor.
import copy import logging import warnings import numpy as np import tensorflow as tf from cleverhans.attacks import Attack from cleverhans.model import Model, wrapper_warning_logits, CallableModelWrapper from cleverhans import utils from cleverhans import utils_tf from cleverhans.utils_tf import clip_eta from six.moves import xrange np_dtype = np.dtype('float32') _logger = utils.create_logger("cleverhans.attacks.deep_fool") _logger.setLevel(logging.INFO) def jacobian_graph(predictions, x, nb_classes): """ Create the Jacobian graph to be ran later in a TF session :param predictions: the model's symbolic output (linear output, pre-softmax) :param x: the input placeholder :param nb_classes: the number of classes the model has :return: """ # This function will return a list of TF gradients list_derivatives = []
from __future__ import absolute_import from __future__ import division from __future__ import print_function from __future__ import unicode_literals import math import numpy as np from six.moves import xrange import tensorflow as tf import time import cleverhans.utils as utils import cleverhans.utils_tf as utils_tf import itertools from mysoftdtw_c_wd import mysoftdtw _logger = utils.create_logger("myattacks.tf") np_dtype = np.dtype('float32') tf_dtype = tf.as_dtype('float32') data_len = 9000 def ZERO(): return np.asarray(0., dtype=np_dtype) def EOT_time(x, start, ensemble_size): def randomizing_EOT(x, start): rand_i = tf.expand_dims(tf.random_uniform((), start + 1, data_len + 1,
import logging import numpy as np import tensorflow as tf from cleverhans.attacks.attack import Attack from cleverhans.model import CallableModelWrapper, Model from cleverhans import utils np_dtype = np.dtype('float32') tf_dtype = tf.as_dtype('float32') _logger = utils.create_logger("cleverhans.attacks.MadryEtAl") _logger.setLevel(logging.INFO) class MadryEtAl(Attack): """ The Projected Gradient Descent Attack (Madry et al. 2017). Paper link: https://arxiv.org/pdf/1706.06083.pdf """ def __init__(self, model, sess, dtypestr='float32', **kwargs): """ Create a MadryEtAl instance. """ if not isinstance(model, Model): model = CallableModelWrapper(model, 'probs') super(MadryEtAl, self).__init__(model, sess, dtypestr, **kwargs)
""" Attacks for TensorFlow Eager """ from distutils.version import LooseVersion import numpy as np import tensorflow as tf from cleverhans import attacks from cleverhans import utils from cleverhans.model import CallableModelWrapper, wrapper_warning from cleverhans.model import Model from cleverhans.loss import LossCrossEntropy _logger = utils.create_logger("cleverhans.attacks_tfe") if LooseVersion(tf.__version__) < LooseVersion("1.8.0"): error_msg = ("For eager execution", "use Tensorflow version greather than 1.8.0.") raise ValueError(error_msg) class Attack(attacks.Attack): """ Abstract base class for all eager attack classes. :param model: An instance of the cleverhans.model.Model class. :param back: The backend to use. Inherited from AttackBase class. :param dtypestr: datatype of the input data samples and crafted adversarial attacks. """ def __init__(self, model, dtypestr="float32"):
import numpy as np import warnings import cleverhans.utils as utils from cleverhans.model import Model, CallableModelWrapper from cleverhans.attacks import Attack _logger = utils.create_logger("LDMF_EOT_attacks") class LDMF_EOT_ATTACK(Attack): """ This attack was originally proposed by Carlini and Wagner. It is an iterative attack that finds adversarial examples on many defenses that are robust to other attacks. Paper link: https://arxiv.org/abs/1608.04644 At a high level, this attack is an iterative attack using Adam and a specially-chosen loss function to find adversarial examples with lower distortion than other attacks. This comes at the cost of speed, as this attack is often much slower than others. """ def __init__(self, model, back='tf', sess=None, dtypestr='float32'): """ Note: the model parameter should be an instance of the cleverhans.model.Model abstraction provided by CleverHans. """ if not isinstance(model, Model): model = CallableModelWrapper(model, 'logits') super(LDMF_EOT_ATTACK, self).__init__(model, back, sess, dtypestr) self.feedable_kwargs = {'y': self.tf_dtype,
""" Boundary Attack++ """ import logging import numpy as np import tensorflow as tf from cleverhans.attacks import Attack from cleverhans.model import CallableModelWrapper, Model, wrapper_warning_logits from cleverhans import utils, utils_tf np_dtype = np.dtype('float32') tf_dtype = tf.as_dtype('float32') _logger = utils.create_logger("cleverhans.attacks.boundary_attack_plus_plus") _logger.setLevel(logging.INFO) class BoundaryAttackPlusPlus(Attack): """ Boundary Attack ++ was originally proposed by Chen and Jordan. It is a decision-based attack that requires access to output labels of a model alone. Paper link: https://arxiv.org/abs/1904.02144 At a high level, this attack is an iterative attack composed of three steps: Binary search to approach the boundary; gradient estimation; stepsize search. Boundary Attack ++ requires fewer model queries than Boundary Attack which was based on rejective sampling. :param model: cleverhans.model.Model :param sess: tf.Session :param dtypestr: dtype of the data :param kwargs: passed through to super constructor. see parse_params for details.
import tensorflow as tf from cleverhans.attacks import Noise from cleverhans.attacks import ProjectedGradientDescent from cleverhans.attacks import SPSA from cleverhans.evaluation import correctness_and_confidence from cleverhans.evaluation import batch_eval_multi_worker, run_attack from cleverhans.model import Model from cleverhans import serial from cleverhans.utils import create_logger, deep_copy, safe_zip from cleverhans.utils_tf import infer_devices from cleverhans.confidence_report import ConfidenceReport from cleverhans.confidence_report import ConfidenceReportEntry from cleverhans.confidence_report import print_stats _logger = create_logger("attack_bundling") _logger.setLevel(logging.INFO) devices = infer_devices() num_devices = len(devices) DEFAULT_EXAMPLES_PER_DEVICE = 128 BATCH_SIZE = DEFAULT_EXAMPLES_PER_DEVICE * num_devices REPORT_TIME_INTERVAL = 60 # TODO: lower priority: make it possible to initialize one attack with # the output of an earlier attack def single_run_max_confidence_recipe(sess, model, x, y, nb_classes, eps, clip_min, clip_max, eps_iter, nb_iter, report_path,
return self.properties_to_hash == other.properties_to_hash def __call__(self): x_batch = self.model.make_input_placeholder() y_batch = self.model.make_label_placeholder() if LooseVersion(tf.__version__) < LooseVersion('1.0.0'): raise NotImplementedError() if self.attack is None: x_input = x_batch else: attack_params = self.attack_params if attack_params is None: attack_params = {} x_input = self.attack.generate(x_batch, y=y_batch, **attack_params) predictions = self.model.get_probs(x_input) correct = tf.equal(tf.argmax(y_batch, axis=-1), tf.argmax(predictions, axis=-1)) max_probs = tf.reduce_max(predictions, axis=1) return (x_batch, y_batch), (correct, max_probs) _logger = create_logger("cleverhans.evaluation") # Cache for storing output of `batch_eval_multi_worker`'s calls to # `graph_factory`, to avoid making the tf graph too big _batch_eval_multi_worker_cache = {}
import os import time import warnings import math import numpy as np from six.moves import xrange import tensorflow as tf from cleverhans import canary from cleverhans.utils import _ArgsWrapper, create_logger from cleverhans.utils import safe_zip from cleverhans.utils_tf import infer_devices from cleverhans.utils_tf import initialize_uninitialized_global_variables _logger = create_logger("train_ae") _logger.setLevel(logging.INFO) def train_ae(sess, loss, x_train, x_train_target, init_all=False, evaluate=None, feed=None, args=None, rng=None, var_list=None, fprop_args=None, optimizer=None,
import time import warnings import math import numpy as np from six.moves import xrange import tensorflow as tf from cleverhans import canary from cleverhans.utils import _ArgsWrapper, create_logger from cleverhans.utils import safe_zip from cleverhans.utils_tf import infer_devices from cleverhans.utils_tf import initialize_uninitialized_global_variables _logger = create_logger("train") _logger.setLevel(logging.INFO) def train(sess, loss, x_train, y_train, init_all=False, evaluate=None, feed=None, args=None, rng=None, var_list=None, fprop_args=None, optimizer=None, devices=None, x_batch_preprocessor=None, use_ema=False, ema_decay=.998, run_canary=None, loss_threshold=1e5, dataset_train=None, dataset_size=None): """ Run (optionally multi-replica, synchronous) training to minimize `loss` :param sess: TF session to use when training the graph :param loss: tensor, the loss to minimize :param x_train: numpy array with training inputs or tf Dataset :param y_train: numpy array with training outputs or tf Dataset
""" # pylint: disable=missing-docstring import logging import numpy as np import tensorflow as tf from cleverhans.attacks.attack import Attack from cleverhans.compat import reduce_sum, reduce_max from cleverhans.model import Model, CallableModelWrapper, wrapper_warning_logits from cleverhans import utils np_dtype = np.dtype('float32') tf_dtype = tf.as_dtype('float32') _logger = utils.create_logger("cleverhans.attacks.elastic_net_method") _logger.setLevel(logging.INFO) def ZERO(): return np.asarray(0., dtype=np_dtype) class ElasticNetMethod(Attack): """ This attack features L1-oriented adversarial examples and includes the C&W L2 attack as a special case (when beta is set to 0). Adversarial examples attain similar performance to those generated by the C&W L2 attack in the white-box case, and more importantly, have improved transferability properties and complement adversarial training. Paper link: https://arxiv.org/abs/1709.04114 :param model: cleverhans.model.Model
import os import time import warnings import numpy as np import six from six.moves import xrange import tensorflow as tf from cleverhans.compat import device_lib from cleverhans.compat import reduce_sum, reduce_mean from cleverhans.compat import reduce_max from cleverhans.compat import softmax_cross_entropy_with_logits from cleverhans.utils import batch_indices, _ArgsWrapper, create_logger _logger = create_logger("cleverhans.utils.tf") _logger.setLevel(logging.INFO) def model_loss(y, model, mean=True): """ Define loss of TF graph :param y: correct labels :param model: output of the model :param mean: boolean indicating whether should return mean of loss or vector of losses for each input of the batch :return: return mean of loss if True, otherwise return vector with per sample loss """ warnings.warn("This function is deprecated and will be removed on or after" " 2019-04-05. Switch to cleverhans.train.train.")
""" from __future__ import absolute_import from __future__ import division from __future__ import print_function from __future__ import unicode_literals import numpy as np import tensorflow as tf from cleverhans import utils from cleverhans.attacks import CarliniWagnerL2 from cleverhans.compat import reduce_max from cleverhans.compat import reduce_sum _logger = utils.create_logger("cleverhans.cw_attacks") np_dtype = np.dtype('float32') tf_dtype = tf.as_dtype('float32') def ZERO(): return np.asarray(0., dtype=np_dtype) class CWL2_NNIF(object): def __init__(self, sess, model, batch_size, confidence, targeted, learning_rate, binary_search_steps, max_iterations, abort_early, initial_const, clip_min, clip_max, num_labels, shape): """ Return a tensor that constructs adversarial examples for the given