def test_linearSVC(self):
        """
        Test using a attack on LinearSVC
        """
        (x_train, y_train), (x_test, y_test), min_, max_ = self.iris

        # Build Scikitlearn Classifier
        clip_values = (min_, max_)
        clean = SklearnClassifier(model=LinearSVC(), clip_values=clip_values)
        clean.fit(x_train, y_train)
        poison = SklearnClassifier(model=LinearSVC(), clip_values=clip_values)
        poison.fit(x_train, y_train)
        attack = PoisoningAttackSVM(poison, 0.01, 1.0, x_train, y_train,
                                    x_test, y_test, 100)
        attack_point = attack.generate(np.array([x_train[0]]))
        poison.fit(x=np.vstack([x_train, attack_point]),
                   y=np.vstack([y_train,
                                np.copy(y_train[0].reshape((1, 2)))]))

        acc = np.average(np.all(clean.predict(x_test) == y_test, axis=1)) * 100
        poison_acc = np.average(
            np.all(poison.predict(x_test) == y_test, axis=1)) * 100
        logger.info("Clean Accuracy {}%".format(acc))
        logger.info("Poison Accuracy {}%".format(poison_acc))
        self.assertGreaterEqual(acc, poison_acc)
Ejemplo n.º 2
0
    def test_linearSVC(self):
        """
        Test using a attack on LinearSVC
        """
        (x_train, y_train), (x_test, y_test), min_, max_ = self.iris
        x_test_original = x_test.copy()

        # Build Scikitlearn Classifier
        clip_values = (min_, max_)
        clean = SklearnClassifier(model=LinearSVC(), clip_values=clip_values)
        clean.fit(x_train, y_train)
        poison = SklearnClassifier(model=LinearSVC(), clip_values=clip_values)
        poison.fit(x_train, y_train)
        attack = PoisoningAttackSVM(poison, 0.01, 1.0, x_train, y_train,
                                    x_test, y_test, 100)
        attack_y = np.array([1, 1]) - y_train[0]
        attack_point, _ = attack.poison(np.array([x_train[0]]),
                                        y=np.array([attack_y]))
        poison.fit(x=np.vstack([x_train, attack_point]),
                   y=np.vstack([y_train,
                                np.copy(y_train[0].reshape((1, 2)))]))

        acc = np.average(np.all(clean.predict(x_test) == y_test, axis=1)) * 100
        poison_acc = np.average(
            np.all(poison.predict(x_test) == y_test, axis=1)) * 100
        logger.info("Clean Accuracy {}%".format(acc))
        logger.info("Poison Accuracy {}%".format(poison_acc))
        self.assertGreaterEqual(acc, poison_acc)

        # Check that x_test has not been modified by attack and classifier
        self.assertAlmostEqual(float(np.max(np.abs(x_test_original - x_test))),
                               0.0,
                               delta=0.00001)
    def test_SVC_kernels(self):
        """
        First test with the TFClassifier.
        :return:
        """
        # Get MNIST
        (x_train, y_train), (x_test, y_test), min_, max_ = self.iris

        # Build Scikitlearn Classifier
        clip_values = (min_, max_)
        for kernel in ['linear', 'poly', 'rbf']:
            clean = SklearnClassifier(model=SVC(kernel=kernel),
                                      clip_values=clip_values)
            clean.fit(x_train, y_train)
            poison = SklearnClassifier(model=SVC(kernel=kernel),
                                       clip_values=clip_values)
            poison.fit(x_train, y_train)
            attack = PoisoningAttackSVM(poison, 0.01, 1.0, x_train, y_train,
                                        x_test, y_test, 100)
            attack_point = attack.generate(np.array([x_train[0]]))
            poison.fit(x=np.vstack([x_train, attack_point]),
                       y=np.vstack(
                           [y_train,
                            np.copy(y_train[0].reshape((1, 2)))]))

            acc = np.average(np.all(clean.predict(x_test) == y_test,
                                    axis=1)) * 100
            poison_acc = np.average(
                np.all(poison.predict(x_test) == y_test, axis=1)) * 100
            logger.info("Clean Accuracy {}%".format(acc))
            logger.info("Poison Accuracy {}%".format(poison_acc))
            self.assertGreaterEqual(acc, poison_acc)
Ejemplo n.º 4
0
    def test_SVC_kernels(self):
        """
        First test with the TFClassifier.
        :return:
        """
        # Get MNIST
        (x_train, y_train), (x_test, y_test), min_, max_ = self.iris
        x_test_original = x_test.copy()

        # Build Scikitlearn Classifier
        clip_values = (min_, max_)
        for kernel in ["linear", "poly", "rbf"]:
            clean = SklearnClassifier(model=SVC(kernel=kernel, gamma="auto"),
                                      clip_values=clip_values)
            clean.fit(x_train, y_train)
            poison = SklearnClassifier(model=SVC(kernel=kernel, gamma="auto"),
                                       clip_values=clip_values)
            poison.fit(x_train, y_train)
            attack = PoisoningAttackSVM(poison, 0.01, 1.0, x_train, y_train,
                                        x_test, y_test, 100)
            attack_y = np.array([1, 1]) - y_train[0]
            attack_point, _ = attack.poison(np.array([x_train[0]]),
                                            y=np.array([attack_y]))
            poison.fit(
                x=np.vstack([x_train, attack_point]),
                y=np.vstack([
                    y_train,
                    np.array([1, 1]) - np.copy(y_train[0].reshape((1, 2)))
                ]),
            )

            acc = np.average(np.all(clean.predict(x_test) == y_test,
                                    axis=1)) * 100
            poison_acc = np.average(
                np.all(poison.predict(x_test) == y_test, axis=1)) * 100
            logger.info("Clean Accuracy {}%".format(acc))
            logger.info("Poison Accuracy {}%".format(poison_acc))
            self.assertGreaterEqual(acc, poison_acc)

            # Check that x_test has not been modified by attack and classifier
            self.assertAlmostEqual(float(
                np.max(np.abs(x_test_original - x_test))),
                                   0.0,
                                   delta=0.00001)
Ejemplo n.º 5
0
def get_poisoning(data, labels, dist):
    n, m = np.shape(data)
    step = 0.1
    eps = 0.1
    num_pois = int(0.3 * n)
    poisoning_indices = np.random.randint(low=0, high=n - 1, size=num_pois)
    svc = svm.SVC(kernel='linear')
    classifier = SklearnClassifier(model=svc, clip_values=(0, 100))
    one_hot_labels = []
    for l in labels:
        if l == 1:
            one_hot_labels.append(np.array([1, 0]))
        else:
            one_hot_labels.append(np.array([0, 1]))
    one_hot_labels = np.array(one_hot_labels)
    classifier.fit(data, one_hot_labels)

    # evaluate classifier on benign data
    predictions = classifier.predict(data)
    err_orig = accuracy_score(labels, np.argmax(predictions, axis=1) * 2 - 1)
    print('Error on benign data: {}%'.format(err_orig * 100))

    # create adversarial examples
    attack = PoisoningAttackSVM(classifier=classifier,
                                step=step,
                                eps=eps,
                                x_train=data[poisoning_indices],
                                y_train=one_hot_labels[poisoning_indices],
                                x_val=data[poisoning_indices],
                                y_val=one_hot_labels[poisoning_indices],
                                max_iter=100)
    pois_data = attack.generate(data[poisoning_indices, :],
                                one_hot_labels[poisoning_indices, :])
    data_infected = np.array(data)
    for i in range(len(poisoning_indices)):
        data_infected[poisoning_indices[i]] = pois_data[i]

    # evaluate poisoned classifier on benign data
    svc1 = svm.SVC(kernel='linear')
    svc1.fit(data_infected, labels)
    predictions = svc1.predict(data)
    err_pois = 1 - accuracy_score(labels, predictions)
    print('Poisoned error on benign data: {}%'.format(err_pois * 100))
    return data_infected, labels
Ejemplo n.º 6
0
 def test_unsupported_SVC(self):
     (x_train, y_train), (x_test, y_test), _, _ = self.iris
     model = NuSVC()
     with self.assertRaises(TypeError):
         _ = PoisoningAttackSVM(classifier=model,
                                step=0.01,
                                eps=1.0,
                                x_train=x_train,
                                y_train=y_train,
                                x_val=x_test,
                                y_val=y_test)
Ejemplo n.º 7
0
 def test_unsupported_kernel(self):
     (x_train, y_train), (x_test, y_test), min_, max_ = self.iris
     model = SVC(kernel="sigmoid", gamma="auto")
     with self.assertRaises(TypeError):
         _ = PoisoningAttackSVM(classifier=model,
                                step=0.01,
                                eps=1.0,
                                x_train=x_train,
                                y_train=y_train,
                                x_val=x_test,
                                y_val=y_test)
Ejemplo n.º 8
0
    def setUpClass(cls):
        master_seed(301)
        (x_train, y_train), (x_test, y_test), min_, max_ = load_mnist()
        y_train = np.argmax(y_train, axis=1)
        y_test = np.argmax(y_test, axis=1)
        zero_or_four = np.logical_or(y_train == 4, y_train == 0)
        x_train = x_train[zero_or_four]
        y_train = y_train[zero_or_four]
        tr_labels = np.zeros((y_train.shape[0], 2))
        tr_labels[y_train == 0] = np.array([1, 0])
        tr_labels[y_train == 4] = np.array([0, 1])
        y_train = tr_labels

        zero_or_four = np.logical_or(y_test == 4, y_test == 0)
        x_test = x_test[zero_or_four]
        y_test = y_test[zero_or_four]
        te_labels = np.zeros((y_test.shape[0], 2))
        te_labels[y_test == 0] = np.array([1, 0])
        te_labels[y_test == 4] = np.array([0, 1])
        y_test = te_labels

        n_samples_train = x_train.shape[0]
        n_features_train = x_train.shape[1] * x_train.shape[2] * x_train.shape[3]
        n_samples_test = x_test.shape[0]
        n_features_test = x_test.shape[1] * x_test.shape[2] * x_test.shape[3]

        x_train = x_train.reshape(n_samples_train, n_features_train)
        x_test = x_test.reshape(n_samples_test, n_features_test)
        x_train = x_train[:NB_TRAIN]
        y_train = y_train[:NB_TRAIN]

        trusted_data = x_test[:NB_TRUSTED]
        trusted_labels = y_test[:NB_TRUSTED]
        x_test = x_test[NB_TRUSTED:]
        y_test = y_test[NB_TRUSTED:]
        valid_data = x_test[:NB_VALID]
        valid_labels = y_test[:NB_VALID]
        x_test = x_test[NB_VALID:]
        y_test = y_test[NB_VALID:]

        clean_prov = np.random.randint(NB_DEVICES - 1, size=x_train.shape[0])
        p_train = np.eye(NB_DEVICES)[clean_prov]

        no_defense = ScikitlearnSVC(model=SVC(kernel=kernel), clip_values=(min_, max_))
        no_defense.fit(x=x_train, y=y_train)
        poison_points = np.random.randint(no_defense._model.support_vectors_.shape[0], size=NB_POISON)
        all_poison_init = np.copy(no_defense._model.support_vectors_[poison_points])
        poison_labels = np.array([1, 1]) - no_defense.predict(all_poison_init)

        svm_attack = PoisoningAttackSVM(classifier=no_defense, x_train=x_train, y_train=y_train,
                                        step=0.1, eps=1.0, x_val=valid_data, y_val=valid_labels, max_iters=200)

        poisoned_data = svm_attack.generate(all_poison_init, y=poison_labels)

        # Stack on poison to data and add provenance of bad actor
        all_data = np.vstack([x_train, poisoned_data])
        all_labels = np.vstack([y_train, poison_labels])
        poison_prov = np.zeros((NB_POISON, NB_DEVICES))
        poison_prov[:, NB_DEVICES - 1] = 1
        all_p = np.vstack([p_train, poison_prov])

        model = SVC(kernel=kernel)
        cls.mnist = (all_data, all_labels, all_p), (x_test, y_test), (trusted_data, trusted_labels), \
                    (valid_data, valid_labels), (min_, max_)
        cls.classifier = SklearnClassifier(model=model, clip_values=(min_, max_))

        cls.classifier.fit(all_data, all_labels)
        cls.defence_trust = ProvenanceDefense(cls.classifier, all_data, all_labels, all_p,
                                              x_val=trusted_data, y_val=trusted_labels, eps=0.1)
        cls.defence_no_trust = ProvenanceDefense(cls.classifier, all_data, all_labels, all_p, eps=0.1)
Ejemplo n.º 9
0
    target_sets = [data_detection_tr, data_detection_te, data_detection_te]
    target_stream_sets = [data_stream_tr, data_stream_te, data_stream_te]
    target_labels = [
        labels_detection_tr, labels_detection_te, labels_detection_te
    ]
    target_stream_labels = [
        labels_stream_tr, labels_stream_te, labels_stream_te
    ]

    for j in range(3):
        for i in range(n_pois):
            poisoning_indices = np.random.randint(0, n, n_pois)
            attack = PoisoningAttackSVM(classifier=classifier,
                                        step=0.1,
                                        eps=0.1,
                                        x_train=data,
                                        y_train=one_hot_labels,
                                        x_val=data[:n_pois],
                                        y_val=one_hot_labels[:n_pois],
                                        max_iter=10)
            pois_data = attack.generate(data[poisoning_indices, :],
                                        one_hot_labels[poisoning_indices, :])

            # gradient attack
            '''svm_ = svm.SVC(kernel='linear').fit(data[poisoning_indices, :], labels[poisoning_indices])
            pois_shift = np.zeros_like(data[poisoning_indices, :])
            for supp in svm_.support_:
                pois_shift[supp] = svm_.coef_[0]
            pois_shift = pois_shift*dist/np.linalg.norm(pois_shift)
            pois_shift = pois_shift * 0.5 * np.linalg.norm(data) / np.linalg.norm(pois_shift)
            pois_data = data[poisoning_indices, :] + pois_shift'''
Ejemplo n.º 10
0
# model.compile(optimizer='adam',
#               loss='sparse_categorical_crossentropy',
#               metrics=['accuracy'])
#
# model.fit(x_train, y_train, epochs=3)
#
# loss_test, accuracy_test = model.evaluate(x_test, y_test)
# print('Accuracy on test data: {:4.2f}%'.format(accuracy_test * 100))
#
# classifier = KerasClassifier(model=model, clip_values=(0, 1))
classsifierSVC = ScikitlearnSVC(model=model_svc, clip_values=(0, 1))


# attack_PGD = ProjectedGradientDescent(classifier=classifier)
# attack_PSVM = PoisoningAttackSVM(classifier=classsifierSVC, eps=.3, step=.1, x_train=x_train, y_train=y_train, x_val=x_test[101:200], y_val=None)
attack_PSVM = PoisoningAttackSVM(classifier=classsifierSVC, eps=.3, step=.1, x_train=x_train_svc, y_train=y_train, x_val=x_test[101:200], y_val=None)
#
# attack_SMM = SaliencyMapMethod(classifier=classifier)
# attack_STran = SpatialTransformation(classifier=classifier)

# test_PGD = attack_PGD.generate(x_test)
# test_PSVM = attack_PSVM.generate(x_test)
test_PSVM = attack_PSVM.generate(x_test_svc)

# test_SMM = attack_SMM.generate(x_test)
# test_STran = attack_STran.generate(x_test)



fig = plt.figure()
ax1 = fig.add_subplot(221)