def backend_untargeted_tabular(attack, iris_dataset, clipped):
(_, _), (x_test_iris, y_test_iris) = iris_dataset
x_test_adv = attack.generate(x_test_iris)
# TODO remove that platform specific case
# if framework in ["scikitlearn"]:
# np.testing.assert_array_almost_equal(np.abs(x_test_adv - x_test_iris), .1, decimal=5)
check_adverse_example_x(x_test_adv, x_test_iris)
# utils_test.check_adverse_example_x(x_test_adv, x_test_iris, bounded=clipped)
y_pred_test_adv = np.argmax(attack.estimator.predict(x_test_adv), axis=1)
y_test_true = np.argmax(y_test_iris, axis=1)
# assert (y_test_true == y_pred_test_adv).any(), "An untargeted attack should have changed SOME predictions"
assert (bool((y_test_true == y_pred_test_adv).all()) is False
), "An untargeted attack should NOT have changed all predictions"
accuracy = np.sum(y_pred_test_adv == y_test_true) / y_test_true.shape[0]
logger.info(
"Accuracy of " + attack.estimator.__class__.__name__ +
" on Iris with FGM adversarial examples: "
"%.2f%%",
(accuracy * 100),
)
def back_end_untargeted_images(attack, fix_get_mnist_subset, fix_mlFramework):
(x_train_mnist, y_train_mnist, x_test_mnist, y_test_mnist) = fix_get_mnist_subset
x_test_adv = attack.generate(x_test_mnist)
check_adverse_example_x(x_test_adv, x_test_mnist)
y_pred = np.argmax(attack.classifier.predict(x_test_mnist), axis=1)
y_pred_adv = np.argmax(attack.classifier.predict(x_test_adv), axis=1)
assert (y_pred != y_pred_adv).any()
if fix_mlFramework in ["keras"]:
k.clear_session()
def backend_targeted_tabular(attack, fix_get_iris):
(x_train_iris, y_train_iris), (x_test_iris, y_test_iris) = fix_get_iris
targets = random_targets(y_test_iris, nb_classes=3)
x_test_adv = attack.generate(x_test_iris, **{"y": targets})
check_adverse_example_x(x_test_adv, x_test_iris)
y_pred_adv = np.argmax(attack.classifier.predict(x_test_adv), axis=1)
target = np.argmax(targets, axis=1)
assert (target == y_pred_adv).any()
accuracy = np.sum(y_pred_adv == target) / y_test_iris.shape[0]
logger.info("Success rate of targeted boundary on Iris: %.2f%%", (accuracy * 100))
def backend_test_defended_images(attack, mnist_dataset):
(x_train_mnist, y_train_mnist, x_test_mnist, y_test_mnist) = mnist_dataset
x_train_adv = attack.generate(x_train_mnist)
check_adverse_example_x(x_train_adv, x_train_mnist)
y_train_pred_adv = get_labels_np_array(attack.classifier.predict(x_train_adv))
y_train_labels = get_labels_np_array(y_train_mnist)
check_adverse_predicted_sample_y(y_train_pred_adv, y_train_labels)
x_test_adv = attack.generate(x_test_mnist)
check_adverse_example_x(x_test_adv, x_test_mnist)
y_test_pred_adv = get_labels_np_array(attack.classifier.predict(x_test_adv))
check_adverse_predicted_sample_y(y_test_pred_adv, y_test_mnist)
def backend_targeted_images(attack, fix_get_mnist_subset):
(x_train_mnist, y_train_mnist, x_test_mnist, y_test_mnist) = fix_get_mnist_subset
targets = random_targets(y_test_mnist, attack.classifier.nb_classes())
x_test_adv = attack.generate(x_test_mnist, y=targets)
assert bool((x_test_mnist == x_test_adv).all()) is False
y_test_pred_adv = get_labels_np_array(attack.classifier.predict(x_test_adv))
assert targets.shape == y_test_pred_adv.shape
assert (targets == y_test_pred_adv).sum() >= (x_test_mnist.shape[0] // 2)
check_adverse_example_x(x_test_adv, x_test_mnist)
y_pred_adv = np.argmax(attack.classifier.predict(x_test_adv), axis=1)
target = np.argmax(targets, axis=1)
assert (target == y_pred_adv).any()
