def test_tensorflow_model_non_diff(num_classes):
bounds = (0, 255)
channels = num_classes
def mean_brightness_net(images):
logits = tf.reduce_mean(images, axis=(1, 2))
return logits
g = tf.Graph()
with g.as_default():
images = tf.placeholder(tf.float32, (None, 5, 5, channels))
images_nd = tf.cast(images > 0, tf.float32)
logits = mean_brightness_net(images_nd)
with tf.Session(graph=g):
model = TensorFlowModel(
images,
logits,
bounds=bounds)
assert model.session is not None
test_images = np.random.rand(5, 5, channels).astype(np.float32)
test_label = 7
test_gradient = model.gradient(test_images, test_label)
assert (test_gradient == 0).all()
def test_tensorflow_backward(num_classes):
bounds = (0, 255)
channels = num_classes
def mean_brightness_net(images):
logits = tf.reduce_mean(images, axis=(1, 2))
return logits
g = tf.Graph()
with g.as_default():
images = tf.placeholder(tf.float32, (None, 5, 5, channels))
logits = mean_brightness_net(images)
with tf.Session(graph=g):
model = TensorFlowModel(images, logits, bounds=bounds)
assert model.session is not None
test_image = np.random.rand(5, 5, channels).astype(np.float32)
test_grad_pre = np.random.rand(num_classes).astype(np.float32)
test_grad = model.backward_one(test_grad_pre, test_image)
assert test_grad.shape == test_image.shape
manual_grad = np.repeat(np.repeat((test_grad_pre / 25.).reshape(
(1, 1, -1)),
5,
axis=0),
5,
axis=1)
np.testing.assert_almost_equal(test_grad, manual_grad)
def test_tensorflow_backward(num_classes):
bounds = (0, 255)
channels = num_classes
def mean_brightness_net(images):
logits = tf.reduce_mean(images, axis=(1, 2))
return logits
g = tf.Graph()
with g.as_default():
images = tf.placeholder(tf.float32, (None, 5, 5, channels))
logits = mean_brightness_net(images)
with tf.Session(graph=g):
model = TensorFlowModel(
images,
logits,
bounds=bounds)
assert model.session is not None
test_image = np.random.rand(5, 5, channels).astype(np.float32)
test_grad_pre = np.random.rand(num_classes).astype(np.float32)
test_grad = model.backward(test_grad_pre, test_image)
assert test_grad.shape == test_image.shape
manual_grad = np.repeat(np.repeat(
(test_grad_pre / 25.).reshape((1, 1, -1)),
5, axis=0), 5, axis=1)
np.testing.assert_almost_equal(
test_grad,
manual_grad)
def create_fmodel(cls, cfg):
model = cls.create_model(cfg)
model.sess = model.load_checkpoint(cfg["checkpoint"],
cfg.get("load_name_space", None))
with model.sess.as_default():
fmodel = TensorFlowModel(model._images,
model._logits,
bounds=(0, 255))
fmodel.model = model
return fmodel
def attack(pb_path, image_path):
with tf.Session() as session:
with gfile.FastGFile(pb_path, 'rb') as f:
graph_def = tf.GraphDef()
graph_def.ParseFromString(f.read())
session.graph.as_default()
tf.import_graph_def(graph_def, name='')
session.run(tf.global_variables_initializer())
images = session.graph.get_tensor_by_name('input_1:0')
logits = session.graph.get_tensor_by_name('dense_3/BiasAdd:0')
output = session.graph.get_tensor_by_name('dense_3/Softmax:0')
# for n in tf.get_default_graph().get_operations():
# print(n.values())
model = TensorFlowModel(images, logits, (-1, 1))
image = inception_preprocessing(open_image(image_path, 299, 299))
p, ext = os.path.splitext(image_path)
values = model.predictions(image)
label = np.argmax(values)
print('label:', categories[label])
print('attacking...')
target_class = 2
for prob in range(95, 100, 1):
prob = prob / 100
print('probability is:', prob)
adv_path = '{}-adv-{}{}'.format(p, prob, ext)
pert_path = '{}-pert-{}{}'.format(p, prob, ext)
criterion = TargetClassProbability(target_class, p=prob)
# attack = LBFGSAttack(model, criterion)
# attack = FGSM(model, criterion)
# attack = ProjectedGradientDescentAttack(model, criterion)
attack = LinfinityBasicIterativeAttack(model, criterion)
# attack = L1BasicIterativeAttack(model, criterion)
# attack = L2BasicIterativeAttack(model, criterion)
# attack = MomentumIterativeAttack(model, criterion)
# attack = FGSM(model)
# attack = MomentumIterativeAttack(model)
# attack = SinglePixelAttack(model)
# attack = LocalSearchAttack(model)
adversarial = attack(image, label=label)
new_label = np.argmax(model.predictions(adversarial))
print('new label:', categories[new_label])
raw_image = inception_postprocessing(image)
raw_adversarial = inception_postprocessing(adversarial)
raw_pert = raw_adversarial - raw_image
save_image(raw_adversarial, adv_path)
save_image(raw_pert, pert_path)
def test_tf_keras_exception():
bounds = (0, 255)
def mean_brightness_net(images):
logits = tf.reduce_mean(images, axis=(1, 2))
return logits
model = mean_brightness_net
with pytest.raises(ValueError):
TensorFlowModel.from_keras(model, bounds=bounds)
TensorFlowModel.from_keras(model, bounds=bounds, input_shape=(5, 5, 3))
def main(image_path, ckpt_path, predict_status=False):
images = tf.placeholder(tf.float32, (None, 224, 224, 3))
preprocessed_images = vgg_preprocessing(images)
logits, _ = vgg.vgg_19(preprocessed_images, is_training=False)
restorer = tf.train.Saver(tf.trainable_variables())
image = open_image(image_path)
p, ext = os.path.splitext(image_path)
adv_path = p + '-adv' + ext
pert_path = p + '-pert' + ext
with tf.Session() as session:
restorer.restore(session, ckpt_path)
model = TensorFlowModel(images, logits, (0, 255))
label = np.argmax(model.predictions(image))
print('label:', label)
if predict_status:
return
# target_class = 22
# criterion = TargetClassProbability(target_class, p=0.99)
# attack = LBFGSAttack(model, criterion)
# attack = FGSM(model, criterion)
attack = FGSM(model)
# attack = MomentumIterativeAttack(model, criterion)
# attack = MomentumIterativeAttack(model)
# attack = SinglePixelAttack(model)
# attack = LocalSearchAttack(model)
adversarial = attack(image, label=label)
new_label = np.argmax(model.predictions(adversarial))
print('new label:', new_label)
image = image.astype(np.uint8)
adversarial = adversarial.astype(np.uint8)
pert = adversarial - image
save_image(adversarial, adv_path)
save_image(pert, pert_path)
# show images
plt.subplot(1, 3, 1)
plt.imshow(image)
plt.subplot(1, 3, 2)
plt.imshow(adversarial)
plt.subplot(1, 3, 3)
plt.imshow(pert)
plt.show()
def test_tensorflow_model_cm(num_classes):
bounds = (0, 255)
channels = num_classes
def mean_brightness_net(images):
logits = tf.reduce_mean(images, axis=(1, 2))
return logits
g = tf.Graph()
with g.as_default():
images = tf.placeholder(tf.float32, (None, 5, 5, channels))
logits = mean_brightness_net(images)
with TensorFlowModel(images, logits, bounds=bounds) as model:
test_images = np.random.rand(2, 5, 5, channels).astype(np.float32)
test_label = 7
assert model.forward(test_images).shape \
== (2, num_classes)
test_logits = model.forward_one(test_images[0])
assert test_logits.shape == (num_classes, )
test_gradient = model.gradient_one(test_images[0], test_label)
assert test_gradient.shape == test_images[0].shape
np.testing.assert_almost_equal(
model.forward_and_gradient_one(test_images[0], test_label)[0],
test_logits)
np.testing.assert_almost_equal(
model.forward_and_gradient_one(test_images[0], test_label)[1],
test_gradient)
assert model.num_classes() == num_classes
def create_ir_model(sess=None, x_input=None, foolbox=True):
# Allow to reuse a session and put the model on top of an existing input
assert (sess is not None) == (x_input is not None)
if sess is not None:
graph, saver, images, logits = _create_model(sess.graph, x_input)
else:
graph, saver, images, logits = _create_model(None, None)
sess = tf.Session(graph=graph)
path = os.path.dirname(os.path.abspath(__file__))
path = os.path.join(path, 'checkpoints',
'bnfix_735572_adv_resnet-e78-acc0.7346.ckpt')
#path = os.path.join(path, 'checkpoints', 'bnfix_225411_yuv_resnet-e99-acc0.7448.ckpt')
#path = os.path.join(path, 'checkpoints', 'bnfix_551110_hsv_resnet-e70-acc0.6783.ckpt')
with graph.as_default():
saver.restore(sess, path) # tf.train.latest_checkpoint(path))
if foolbox:
with sess.as_default():
fmodel = TensorFlowModel(images, logits, bounds=(0, 255))
return fmodel
else:
return images, logits, sess
def bn_model():
"""Creates a simple brightness model that does not require training.
"""
import tensorflow as tf
bounds = (0, 1)
channel_axis = 3
channels = 10 # == num_classes
def mean_brightness_net(images):
logits = tf.reduce_mean(images, axis=(1, 2))
return logits
images = tf.placeholder(tf.float32, (None, 5, 5, channels))
logits = mean_brightness_net(images)
with tf.Session():
model = TensorFlowModel(
images,
logits,
bounds=bounds,
channel_axis=channel_axis)
yield model
def binarized2_bn_model():
"""Creates a simple brightness model that does not require training.
"""
import tensorflow as tf
bounds = (0, 1)
channel_axis = 3
channels = 10 # == num_classes
def mean_brightness_net(images):
logits = tf.reduce_mean(images, axis=(1, 2))
return logits
images = tf.placeholder(tf.float32, (None, 5, 5, channels))
logits = mean_brightness_net(images)
def preprocessing(x):
x = binarize(x, (0, 1), included_in='lower')
def backward(x):
return x
return x, backward
with tf.Session():
model = TensorFlowModel(
images,
logits,
bounds=bounds,
channel_axis=channel_axis,
preprocessing=preprocessing)
yield model
def sn_bn_model():
"""Creates a simple brightness model that does not require training with stochastic
noise to simulate the behaviour of e.g. bayesian networks.
"""
import tensorflow as tf
bounds = (0, 1)
channel_axis = 3
channels = 10 # == num_classes
def mean_brightness_net(images):
logits = tf.reduce_mean(images, axis=(1, 2)) + tf.reduce_mean(
images * tf.random.normal(shape=(1, 1, 1, 1), stddev=1e-4),
axis=(1, 2))
return logits
images = tf.placeholder(tf.float32, (None, 5, 5, channels))
logits = mean_brightness_net(images)
with tf.Session():
model = TensorFlowModel(images,
logits,
bounds=bounds,
channel_axis=channel_axis)
yield model
def __call__(self, session):
inputs = tf.compat.v1.placeholder(tf.float32, shape=[None, self._image_height, self._image_width,
self._n_channels])
logits = self.calculate_logits(inputs)
restorer = tf.compat.v1.train.Saver()
restorer.restore(session, self._checkpoint_path)
return TensorFlowModel(inputs=inputs, logits=logits, bounds=(-1, 1))
def main():
with tf.Session() as sess:
# End2End
tf_model = prepare_GBPdenoising_end2end(sess=sess,
saved='./Models/CIFAR10-32_End2End.ckpt')
# # pure Resnet
# tf_model = prepare_resnet(sess=sess,
# load_weights='./Models/CIFAR10-32_Resnet.ckpt',
# num_classes=10)
input_pl = tf_model.inputs
logits = tf_model.logits
# foolbox - construct a tensorflow model
model = TensorFlowModel(input_pl, logits, bounds=(0, 255))
# load in the data
num_advs = 0.
num_mis = 0.
for attack in Attacks:
print(attack)
# (x_test, y_test) = pickle_load("./", "ADVs_CIFAR10_Resnet_off_Linf_{}.pkl".format(attack))
(x_train, y_train), (x_test, y_test) = prepare_CIFAR10()
for index, adv in enumerate(x_train[:1000]):
num_advs = num_advs + 1
preds = model.predictions(adv)
if y_test[index] != np.argmax(preds):
# print("misclassified")
num_mis = num_mis + 1
print("Total number of ADVs = {}".format(num_advs))
print("Accuracy = {}".format((num_advs - num_mis) / num_advs))
def create_fmodel():
graph, saver, images, logits = create_model()
sess = tf.Session(graph=graph)
path = os.path.dirname(os.path.abspath(__file__))
path = os.path.join(path, 'resnet18', 'checkpoints', 'model')
saver.restore(sess, tf.train.latest_checkpoint(path))
with sess.as_default():
fmodel = TensorFlowModel(images, logits, bounds=(0, 255))
return fmodel
def main():
model_exp = os.path.expanduser(
'/face/etc/20170511-185253/20170511-185253.pb')
if os.path.isfile(model_exp):
logging.info('Model filename: %s' % model_exp)
with gfile.FastGFile(model_exp, 'rb') as f:
graph_def = tf.GraphDef()
graph_def.ParseFromString(f.read())
tf.import_graph_def(graph_def, name='')
model = TensorFlowModel(images, logits, bounds=(0, 255))
def __init__(self, kmodel, method, criterion):
'''
Adversarial Trainingを行うクラス
params
:kmodel: Kerasモデル(学習済み)
:method: foolboxのbatch_attacksモジュール
'''
self.kmodel = kmodel
self.fmodel = TensorFlowModel.from_keras(kmodel, bounds=(0, 1))
self.criterion = criterion
self.method_base = method
def foolbox_generate_adversarial_example(
label: int,
create_model,
input_fn: Callable[[], tf.Tensor],
attack_fn: Callable[..., Attack],
model_dir=None,
checkpoint_path=None,
preprocessing=(0, 1),
channel_axis=1,
bounds=(0, 1),
attack_params={},
**kwargs,
) -> Optional[np.ndarray]:
# Check that model has been trained.
if not checkpoint_path:
checkpoint_path = saver.latest_checkpoint(model_dir)
if not checkpoint_path:
raise ValueError(
"Could not find trained model in model_dir: {}.".format(model_dir))
with tf.Graph().as_default():
features = input_fn()
model = create_model()
image_tensor = tf.placeholder(features.dtype, features.shape)
logits = model(image_tensor)
sm = SessionManager()
with sm.prepare_session(
master="",
saver=tf.train.Saver(),
checkpoint_filename_with_path=checkpoint_path,
config=new_session_config(),
) as sess:
image = sess.run(features)[0]
attack_model = TensorFlowModel(
image_tensor,
logits,
bounds=bounds,
channel_axis=channel_axis,
preprocessing=preprocessing,
)
if attack_fn is None:
return image[np.newaxis]
attack = attack_fn(attack_model)
# adversarial_example = attack(image, label=label, **kwargs)
adversarial_example = attack(image, label=label, **attack_params)
# diff = np.abs(image - adversarial_example)
# print(diff.max()*255)
if adversarial_example is None:
return None
else:
return adversarial_example[np.newaxis]
def get_foolbox_model(self) -> TensorFlowModel:
"""
Returns an instance of a foolbox Model (more specifically, a TensorFlowModel) which is configured to use
the x-placeholder and the logits of this model. It specifies pre-processing settings as expected by the model.
"""
images = self.x
logits = self.logits
sess = tf.get_default_session()
self.restore(sess)
# this pre-processing setup normalizes the image's values to be in [-1, 1], as expected by the model
fmodel = TensorFlowModel(images, logits, bounds=(0, 255), preprocessing=(127.5, 127.5))
return fmodel
def predict(pb_path, image_path):
with tf.Session() as session:
with gfile.FastGFile(pb_path, 'rb') as f:
graph_def = tf.GraphDef()
graph_def.ParseFromString(f.read())
session.graph.as_default()
tf.import_graph_def(graph_def, name='')
session.run(tf.global_variables_initializer())
images = session.graph.get_tensor_by_name('input_1:0')
logits = session.graph.get_tensor_by_name('dense_3/BiasAdd:0')
output = session.graph.get_tensor_by_name('dense_3/Softmax:0')
# for n in tf.get_default_graph().get_operations():
# print(n.values())
model = TensorFlowModel(images, output, (0, 255))
if os.path.isdir(image_path):
predict_dir(model, image_path)
else:
image = open_image(image_path, 299, 299)
image = inception_preprocessing(image)
values = model.predictions(image)
print('values:', values)
label = np.argmax(values)
print('label:', categories[label])
def create_imagenet_irn_v2_model(sess=None,
x_input=None,
use_adv_trained_tramer=False):
# Allow to reuse a session and put the model on top of an existing input
if sess is None:
sess = tf.Session()
vars_before = tf.get_collection(tf.GraphKeys.GLOBAL_VARIABLES,
scope=tf.get_variable_scope().name)
with sess.graph.as_default():
if x_input is None:
x_input = tf.placeholder(tf.float32, (None, 299, 299, 3))
with tf.contrib.slim.arg_scope(
inception_resnet_v2.inception_resnet_v2_arg_scope()):
logits, end_points = inception_resnet_v2.inception_resnet_v2(
x_input,
num_classes=1001,
is_training=False,
create_aux_logits=True)
logits = logits[:, 1:] # ignore background class
vars_after = tf.get_collection(tf.GraphKeys.GLOBAL_VARIABLES,
scope=tf.get_variable_scope().name)
vars_new = set(vars_after).difference(vars_before)
with tf.variable_scope('utilities'):
saver = tf.train.Saver(list(vars_new))
path = os.path.dirname(os.path.abspath(__file__))
if use_adv_trained_tramer:
path = os.path.join(path, 'checkpoints',
'ens_adv_inception_resnet_v2.ckpt')
else:
path = os.path.join(path, 'checkpoints',
'inception_resnet_v2_2016_08_30.ckpt')
with sess.graph.as_default():
saver.restore(sess, path) # tf.train.latest_checkpoint(path))
with sess.as_default():
fmodel = TensorFlowModel(x_input, logits, bounds=(0, 255))
return fmodel
def data_set_maker(model, attack, image_list, labels):
"""
This function creates the data set that will be used to train the autoencoder (denoiser)
This data set is made of couples of adversarial/bening images
inputs:
-model (tensorflow model): the model that will be attacked to produced the adversarial examples
-attack (foolbox attack): attack that will produce the adversarial images
-image_list (list of arrays): images that will be attacked
-labels (list on one hot encoded labels): labels of the image
output:
-adv_list (list of numpy arrays): adversarial images
-benign_list (list of numpy arrays): benign images corresponding to the images in adv_list
-adv_true_label: true labels of the images (attention here the are not one hot encoded)
"""
model_to_fool = TensorFlowModel(model, bounds=(0, 255))
adv_list, benign_list, adv_true_label = [], [], []
epsilon = [5]
labels = list(map(np.argmax, labels))
print("======epsilon: " + str(epsilon[0]) + "======")
for i, image in enumerate(tqdm(image_list, position=0)):
if i != 0 and i % (len(labels) // 3) == 0:
print("======adv_list_size: " + str(len(adv_list)) + "======")
epsilon = [epsilon[0] * 1.5]
print("======epsilon: " + str(epsilon[0]) + "======")
image = np.asarray(image)[:, :, :3].astype("float32")
image = convert_to_tensor(np.expand_dims(image, axis=0))
label = labels[i]
label = tf.convert_to_tensor(np.array([label]))
_, clipped, is_adv = attack(model_to_fool,
image,
label,
epsilons=epsilon)
if bool(is_adv[0]):
adv_list.append(np.array(clipped[0][0]))
adv_true_label.append(labels[i])
benign_list.append(image)
for i, image in enumerate(benign_list):
benign_list[i] = np.squeeze(image)
return (list(adv_list), list(benign_list), adv_true_label)
def create_imagenet_iv3_model(sess=None, x_input=None):
# Allow to reuse a session
if sess is None:
sess = tf.Session()
# Allow to put model on top of an existing input
if x_input is None:
x_input = tf.placeholder(tf.float32, (None, 299, 299, 3))
# NOTE: don't norm here. For some reason this InceptionV3 accepts preproc only in specific scopes,
# so it is done in imagenet_inception_v3.py.
logits, preds = model(sess=sess, image=x_input)
with sess.as_default():
fmodel = TensorFlowModel(x_input, logits, bounds=(0, 255))
return fmodel
def attack_performances_computer(model_to_attack, predicting_model, attack,
image_list, labels, epsilon): # pylint: disable=too-many-arguments
"""
This fonction launch an attack against a model and returns the performances of the attack
inputs:
-model_to_attack (tensorflow model): model that will be attacked
-predicting_model (tensorflow model): model that will predict the label of the generated
adv example (most of the time it is the same that model_to_attack) but sometimes
it is usefull to have another model taking care of the prediction
-attack (foolbox attack)
-image_list: list of images array (32*32*3) to attack
-labels: labels (one hot encoding) of the image
-epsilon (float): epsilon is the amount of noise added into the image at each step
outputs:
-DOC_attack (float) : average degreee of change of the attack
-SR_on_attacked_model (float): success rate of the attack on the first model of the inputs
(model_to_attack)
-SR_on_predicting_model (float) : success rate of the attack on the second model of the inputs
(predicting_model)
"""
model_to_attack = TensorFlowModel(model_to_attack, bounds=(0, 255))
success = {"attacked_model": [], "predicting_model": []}
adv_list = []
labels = list(map(np.argmax, labels))
for i, image in enumerate(tqdm(image_list, position=0)):
image = np.asarray(image)[:, :, :3].astype("float32")
image = convert_to_tensor(np.expand_dims(image, axis=0))
label = tf.convert_to_tensor(np.array([labels[i]]))
_, clipped, is_adv = attack(model_to_attack,
image,
label,
epsilons=epsilon)
success["attacked_model"].append(bool(is_adv[0]))
adv_list.append(np.array(clipped[0]))
prediction = predicting_model.predict(clipped[0])
success["predicting_model"].append(np.argmax(prediction) != labels[i])
return (degree_of_change(adv_list, image_list),
success_rate(success["attacked_model"]),
success_rate(success["predicting_model"]))
def test_tf_keras_constructor():
bounds = (0, 255)
def create_model():
data_format = "channels_last"
input_shape = [28, 28, 1]
l = tf.keras.layers # noqa: E741
max_pool = l.MaxPooling2D((2, 2), (2, 2),
padding="same",
data_format=data_format)
return tf.keras.Sequential([
l.Conv2D(
32,
5,
padding="same",
data_format=data_format,
input_shape=input_shape,
activation=tf.nn.relu,
),
max_pool,
l.Conv2D(
64,
5,
padding="same",
data_format=data_format,
activation=tf.nn.relu,
),
max_pool,
l.Flatten(),
l.Dense(1024, activation=tf.nn.relu),
l.Dropout(0.4),
l.Dense(10),
])
model = create_model()
fmodel = TensorFlowModel.from_keras(model, bounds=bounds)
assert fmodel.num_classes() == 10
fmodel.session.run(tf.global_variables_initializer())
test_images = np.random.rand(2, 28, 28, 1).astype(np.float32)
assert fmodel.forward(test_images).shape == (2, 10)
def fit(self,
x,
y,
epochs,
validation_data=None,
batch_size=32,
verbose=1):
'''
params
:x: オリジナルデータ
:y: オリジナルラベル
:i: イテレーション数
'''
self.x = x
self.y = y
for i in range(epochs):
print(f'\n{i+1} / {epochs} epochs')
# rand_idx = np.random.permutation(np.arange(self.x.shape[0])) # 全データのAdversarial Examplesをランダムな順番で作成
rand_idx = np.random.choice(
np.arange(self.x.shape[0]),
size=batch_size) # 全データ作成している時間がないので、ランダムな10サンプル分を作成
self.fmodel = TensorFlowModel.from_keras(self.kmodel,
bounds=(0, 1))
self.method = self.method_base(self.fmodel,
criterion=self.criterion)
self.adv_imgs, self.orig_cls = [], []
for r_idx in rand_idx:
x_adv = self.method(self.x[r_idx], self.y[r_idx], unpack=False)
if x_adv.image is None:
continue
self.adv_imgs.append(x_adv.image)
self.orig_cls.append(x_adv.original_class)
self.x = np.append(self.x, np.array(self.adv_imgs), axis=0)
self.y = np.append(self.y, self.orig_cls)
self.kmodel.fit(x=self.x,
y=self.y,
epochs=1,
validation_data=validation_data,
verbose=verbose)
def test_tensorflow_forward_gradient(num_classes):
bounds = (0, 255)
channels = num_classes
def mean_brightness_net(images):
logits = tf.reduce_mean(images, axis=(1, 2))
return logits
q = (
np.arange(num_classes)[None, None],
np.random.uniform(size=(5, 5, channels)) + 1,
)
g = tf.Graph()
with g.as_default():
images = tf.placeholder(tf.float32, (None, 5, 5, channels))
logits = mean_brightness_net(images)
with TensorFlowModel(images, logits, bounds=bounds,
preprocessing=q) as model:
epsilon = 1e-2
np.random.seed(23)
test_images = np.random.rand(5, 5, 5, channels).astype(np.float32)
test_labels = [7] * 5
_, g1 = model.forward_and_gradient(test_images, test_labels)
l1 = model._loss_fn(test_images - epsilon / 2 * g1, test_labels)
l2 = model._loss_fn(test_images + epsilon / 2 * g1, test_labels)
assert np.all(1e4 * (l2 - l1) > 1)
# make sure that gradient is numerically correct
np.testing.assert_array_almost_equal(
1e4 * (l2 - l1),
1e4 * epsilon *
(np.linalg.norm(g1.reshape(len(g1), -1), axis=(-1))**2).sum(),
decimal=1,
)
def create_rn50_model(sess=None, x_input=None, foolbox=True):
# Allow to reuse a session and put the model on top of an existing input
assert (sess is not None) == (x_input is not None)
if sess is not None:
graph, saver, images, logits = _create_model(sess.graph, x_input)
else:
graph, saver, images, logits = _create_model(None, None)
sess = tf.Session(graph=graph)
path = os.path.dirname(os.path.abspath(__file__))
path = os.path.join(path, 'tiny_imagenet_alp05_2018_06_26.ckpt')
saver.restore(sess, path) # tf.train.latest_checkpoint(path))
if foolbox:
with sess.as_default():
fmodel = TensorFlowModel(images, logits, bounds=(0, 255))
return fmodel
else:
return images, logits, sess
def create():
# fetch weights
weights_path = zoo.fetch_weights(
'https://github.com/facebookresearch/ImageNet-Adversarial-Training/releases/download/v0.1/R152-Denoise.npz',
unzip=False)
# model constructer expects an ArgumentParser as argument
parser = argparse.ArgumentParser()
parser.add_argument('-d',
'--depth',
help='ResNet depth',
type=int,
default=152,
choices=[50, 101, 152])
parser.add_argument('--arch',
help='Name of architectures defined in nets.py',
default='ResNetDenoise')
args = parser.parse_args([])
model = getattr(nets, args.arch + 'Model')(args)
image = tf.placeholder(tf.float32, shape=(None, 3, 224, 224))
with TowerContext(tower_name='', is_training=False):
logits = model.get_logits(image)
config = tf.ConfigProto()
config.gpu_options.allow_growth = True
session = tf.Session(config=config)
with session.as_default():
model = get_model_loader(weights_path).init(session)
fmodel = TensorFlowModel(image,
logits,
channel_axis=1,
bounds=[0, 255.],
preprocessing=(127.5, 127.5))
return fmodel
def test_tensorflow_preprocessing(num_classes):
bounds = (0, 255)
channels = num_classes
def mean_brightness_net(images):
logits = tf.reduce_mean(images, axis=(1, 2))
return logits
q = (np.arange(num_classes)[None, None],
np.random.uniform(size=(5, 5, channels)) + 1)
g = tf.Graph()
with g.as_default():
images = tf.placeholder(tf.float32, (None, 5, 5, channels))
logits = mean_brightness_net(images)
with TensorFlowModel(images, logits, bounds=bounds,
preprocessing=q) as model:
test_images = np.random.rand(2, 5, 5, channels).astype(np.float32)
test_label = 7
assert model.batch_predictions(test_images).shape \
== (2, num_classes)
test_logits = model.predictions(test_images[0])
assert test_logits.shape == (num_classes, )
test_gradient = model.gradient(test_images[0], test_label)
assert test_gradient.shape == test_images[0].shape
np.testing.assert_almost_equal(
model.predictions_and_gradient(test_images[0], test_label)[0],
test_logits)
np.testing.assert_almost_equal(
model.predictions_and_gradient(test_images[0], test_label)[1],
test_gradient)
assert model.num_classes() == num_classes
def test_tensorflow_model(num_classes):
bounds = (0, 255)
channels = num_classes
def mean_brightness_net(images):
logits = tf.reduce_mean(images, axis=(1, 2))
return logits
g = tf.Graph()
with g.as_default():
images = tf.placeholder(tf.float32, (None, 5, 5, channels))
logits = mean_brightness_net(images)
with tf.Session(graph=g):
model = TensorFlowModel(
images,
logits,
bounds=bounds)
assert model.session is not None
test_images = np.random.rand(2, 5, 5, channels).astype(np.float32)
test_label = 7
assert model.batch_predictions(test_images).shape \
== (2, num_classes)
test_logits = model.predictions(test_images[0])
assert test_logits.shape == (num_classes,)
test_gradient = model.gradient(test_images[0], test_label)
assert test_gradient.shape == test_images[0].shape
np.testing.assert_almost_equal(
model.predictions_and_gradient(test_images[0], test_label)[0],
test_logits)
np.testing.assert_almost_equal(
model.predictions_and_gradient(test_images[0], test_label)[1],
test_gradient)
assert model.num_classes() == num_classes
# model=CallableModelWrapper(cnn.predict, output_layer='logits')
#
#
#
# fgm=FastGradientMethod(model,sess=sess)
#
# fgm_params = {'eps': 0.3,
# 'clip_min': 0.,
# 'clip_max': 1.}
#
# adv_x = fgm.generate((train_images[:2]), **fgm_params)
# preds_adv = model.get_probs(adv_x)
model = TensorFlowModel(cnn.inputs,cnn.network,bounds=(0, 255))
from foolbox.criteria import TargetClassProbability
target_class = 9
criterion = TargetClassProbability(target_class, p=0.99)
from foolbox.attacks import FGSM
attack=FGSM(model)
image = train_images[0].reshape((28, 28, 1))
label = np.argmax(model.predictions(image))
adversarial = attack(image,label=label,epsilons=1,max_epsilon=0.03*255)