def def_GaussianAugmentation(x_raw, x_raw_test, y_raw, y_raw_test, x_train_adv,
x_test_adv, y_train, y_test, min_, max_):
ga = GaussianAugmentation(sigma=150)
x_train_aug, y_train_aug = ga(x_raw, y_raw)
x_test_aug, y_test_aug = ga(x_raw_test, y_raw_test)
x_train_aug, y_train_aug = preprocess(x_train_aug, y_train_aug)
x_test_aug, y_test_aug = preprocess(x_test_aug, y_test_aug)
x_train_aug = x_train_aug.reshape(120000, 784)
x_test_aug = x_test_aug.reshape(20000, 784)
# train network
classifier = create_Neural_Network(min_, max_)
classifier.fit(x_train_aug, y_train_aug, nb_epochs=5, batch_size=50)
# print result
print("After Defense\n")
preds = np.argmax(classifier.predict(x_train_aug), axis=1)
acc = np.sum(
preds == np.argmax(y_train_aug, axis=1)) / y_train_aug.shape[0]
print("TRAIN: %.2f%% \n" % (acc * 100))
preds = np.argmax(classifier.predict(x_train_adv), axis=1)
acc = np.sum(preds == np.argmax(y_train, axis=1)) / y_train.shape[0]
print("TRAIN-ADVERSARY: %.2f%% \n" % (acc * 100))
preds = np.argmax(classifier.predict(x_test_aug), axis=1)
acc = np.sum(preds == np.argmax(y_test_aug, axis=1)) / y_test_aug.shape[0]
print("TEST: %.2f%% \n" % (acc * 100))
preds = np.argmax(classifier.predict(x_test_adv), axis=1)
acc = np.sum(preds == np.argmax(y_test, axis=1)) / y_test.shape[0]
print('TEST-ADVERSARY: %.2f%% \n' % (acc * 100))
def load_data(backdoor_type="pixel",
sources=np.arange(10),
targets=(np.arange(10) + 1) % 10):
#f = np.load('mnist.npz')
#x_train, y_train = f['x_train'], f['y_train']
#x_test, y_test = f['x_test'], f['y_test']
#f.close()
#n_train = np.shape(x_train)[0]
#num_selection = 10000
#random_selection_indices = np.random.choice(n_train, num_selection)
#x_train = x_train[random_selection_indices]
#y_train = y_train[random_selection_indices]
## (x_train, y_train), (x_test, y_test) = mnist.load_data() #overrides above with direct mnist data
(x_raw, y_raw), (x_raw_test, y_raw_test), min_, max_ = load_mnist(raw=True)
n_train = np.shape(x_raw)[0]
num_selection = 10000
random_selection_indices = np.random.choice(n_train, num_selection)
x_raw = x_raw[random_selection_indices]
y_raw = y_raw[random_selection_indices]
# Poison training data
perc_poison = .33
(is_poison_train, x_poisoned_raw,
y_poisoned_raw) = generate_backdoor(x_raw,
y_raw,
perc_poison,
backdoor_type=backdoor_type,
sources=sources,
targets=targets)
x_train, y_train = preprocess(x_poisoned_raw, y_poisoned_raw)
# Add channel axis:
x_train = np.expand_dims(x_train, axis=3)
# Poison test data
(is_poison_test, x_poisoned_raw_test,
y_poisoned_raw_test) = generate_backdoor(x_raw_test,
y_raw_test,
perc_poison,
backdoor_type=backdoor_type,
sources=sources,
targets=targets)
x_test, y_test = preprocess(x_poisoned_raw_test, y_poisoned_raw_test)
# Add channel axis:
x_test = np.expand_dims(x_test, axis=3)
# Shuffle training data so poison is not together
n_train = np.shape(y_train)[0]
shuffled_indices = np.arange(n_train)
np.random.shuffle(shuffled_indices)
x_train = x_train[shuffled_indices]
y_train = y_train[shuffled_indices]
is_poison_train = is_poison_train[shuffled_indices]
y_train = np.argmax(y_train, axis=1)
y_test = np.argmax(y_test, axis=1)
return (x_train, y_train), (x_test, y_test), (min_, max_), is_poison_test
def test_preprocess(self):
(x, y), (_, _), _, _ = load_mnist()
x = (255 * x).astype("int")[:100]
y = np.argmax(y, axis=1)[:100]
x_, y_ = preprocess(x, y, clip_values=(0, 255))
self.assertEqual(x_.shape, x.shape)
self.assertEqual(y_.shape, (y.shape[0], 10))
self.assertEqual(x_.max(), 1.0)
self.assertEqual(x_.min(), 0)
(x, y), (_, _), _, _ = load_mnist()
x = (5 * x).astype("int")[:100]
y = np.argmax(y, axis=1)[:100]
x_, y_ = preprocess(x, y, nb_classes=20, clip_values=(0, 5))
self.assertEqual(x_.shape, x.shape)
self.assertEqual(y_.shape, (y.shape[0], 20))
self.assertEqual(x_.max(), 1.0)
self.assertEqual(x_.min(), 0)
def def_GaussianAugmentation(x_raw, x_raw_test, y_raw, y_raw_test, x_train_adv, x_test_adv, y_train, y_test, min_, max_, file):
train_num = 60000
test_num = 10000
# gaussian augmentation
ga = GaussianAugmentation(sigma=150)
x_train_aug, y_train_aug = ga(x_raw, y_raw)
x_test_aug, y_test_aug = ga(x_raw_test, y_raw_test)
x_train_aug, y_train_aug = preprocess(x_train_aug, y_train_aug)
x_test_aug, y_test_aug = preprocess(x_test_aug, y_test_aug)
x_train_aug = x_train_aug.reshape(2*train_num, 784)
x_test_aug = x_test_aug.reshape(2*test_num, 784)
# train network
classifier = create_Neural_Network(min_, max_)
classifier.fit(x_train_aug, y_train_aug, nb_epochs=5, batch_size=50)
# print result
print("After GaussianAugmentation Defense\n")
file.write("==== GaussianAugmentation Defense==== \n")
for k in range (5):
file.write("==== Attack %i ====\n" % (k))
evaluate(x_train_aug, x_test_aug, y_train_aug, y_test_aug, x_train_adv[k*train_num:(k+1)*train_num], x_test_adv[k*test_num:(k+1)*test_num], y_train, y_test, classifier, file)
def test_preprocess(self):
# Get MNIST
(x, y), (_, _), _, _ = load_mnist()
x = (255 * x).astype('int')[:100]
y = np.argmax(y, axis=1)[:100]
x_, y_ = preprocess(x, y)
self.assertEqual(x_.shape, x.shape)
self.assertEqual(y_.shape, (y.shape[0], 10))
self.assertEqual(x_.max(), 1.0)
self.assertEqual(x_.min(), 0)
(x, y), (_, _), _, _ = load_mnist()
x = (5 * x).astype('int')[:100]
y = np.argmax(y, axis=1)[:100]
x_, y_ = preprocess(x, y, nb_classes=20, max_value=5)
self.assertEqual(x_.shape, x.shape)
self.assertEqual(y_.shape, (y.shape[0], 20))
self.assertEqual(x_.max(), 1.0)
self.assertEqual(x_.min(), 0)
def main():
try:
print('See if poison model has been previously trained ')
import pickle
classifier = pickle.load(open('my_poison_classifier.p', 'rb'))
print('Loaded model from pickle.... ')
data_train = np.load('data_training.npz')
x_train = data_train['x_train']
y_train = data_train['y_train']
is_poison_train = data_train['is_poison_train']
data_test = np.load('data_testing.npz')
x_test = data_test['x_test']
y_test = data_test['y_test']
is_poison_test = data_test['is_poison_test']
except:
# Read MNIST dataset (x_raw contains the original images):
(x_raw, y_raw), (x_raw_test, y_raw_test), min_, max_ = load_mnist(raw=True)
n_train = np.shape(x_raw)[0]
num_selection = n_train
random_selection_indices = np.random.choice(n_train, num_selection)
x_raw = x_raw[random_selection_indices]
y_raw = y_raw[random_selection_indices]
# Poison training data
perc_poison = .33
(is_poison_train, x_poisoned_raw, y_poisoned_raw) = generate_backdoor(x_raw, y_raw, perc_poison)
x_train, y_train = preprocess(x_poisoned_raw, y_poisoned_raw)
# Add channel axis:
x_train = np.expand_dims(x_train, axis=3)
# Poison test data
(is_poison_test, x_poisoned_raw_test, y_poisoned_raw_test) = generate_backdoor(x_raw_test, y_raw_test,
perc_poison)
x_test, y_test = preprocess(x_poisoned_raw_test, y_poisoned_raw_test)
# Add channel axis:
x_test = np.expand_dims(x_test, axis=3)
# Shuffle training data so poison is not together
n_train = np.shape(y_train)[0]
shuffled_indices = np.arange(n_train)
np.random.shuffle(shuffled_indices)
x_train = x_train[shuffled_indices]
y_train = y_train[shuffled_indices]
is_poison_train = is_poison_train[shuffled_indices]
# Save data used for training and testing split:
np.savez('data_training.npz', x_train=x_train, y_train=y_train, is_poison_train=is_poison_train,
x_raw=x_poisoned_raw)
np.savez('data_testing.npz', x_test=x_test, y_test=y_test, is_poison_test=is_poison_test,
x_raw_test=x_poisoned_raw_test)
# Create Keras convolutional neural network - basic architecture from Keras examples
# Source here: https://github.com/keras-team/keras/blob/master/examples/mnist_cnn.py
k.set_learning_phase(1)
model = Sequential()
model.add(Conv2D(32, kernel_size=(3, 3), activation='relu', input_shape=x_train.shape[1:]))
model.add(Conv2D(64, (3, 3), activation='relu'))
model.add(MaxPooling2D(pool_size=(2, 2)))
model.add(Dropout(0.25))
model.add(Flatten())
model.add(Dense(128, activation='relu'))
model.add(Dropout(0.5))
model.add(Dense(10, activation='softmax'))
model.compile(loss='categorical_crossentropy', optimizer='adam', metrics=['accuracy'])
classifier = KerasClassifier((min_, max_), model=model)
classifier.fit(x_train, y_train, nb_epochs=50, batch_size=128)
print('Saving poisoned model: ')
pickle.dump(classifier, open('my_poison_classifier.p', 'wb'))
# Also saving for Anu:
file_name = 'anu_poison_mnist'
model.save(file_name + '.hdf5')
model_json = model.to_json()
with open(file_name + '.json', "w") as json_file:
json_file.write(model_json)
# Evaluate the classifier on the test set
preds = np.argmax(classifier.predict(x_test), axis=1)
acc = np.sum(preds == np.argmax(y_test, axis=1)) / y_test.shape[0]
print("\nTest accuracy: %.2f%%" % (acc * 100))
# Evaluate the classifier on poisonous data
preds = np.argmax(classifier.predict(x_test[is_poison_test]), axis=1)
acc = np.sum(preds == np.argmax(y_test[is_poison_test], axis=1)) / y_test[is_poison_test].shape[0]
print("\nPoisonous test set accuracy (i.e. effectiveness of poison): %.2f%%" % (acc * 100))
# Evaluate the classifier on clean data
preds = np.argmax(classifier.predict(x_test[is_poison_test == 0]), axis=1)
acc = np.sum(preds == np.argmax(y_test[is_poison_test == 0], axis=1)) / y_test[is_poison_test == 0].shape[0]
print("\nClean test set accuracy: %.2f%%" % (acc * 100))
# Calling poisoning defence:
defence = ActivationDefence(classifier, x_train, y_train)
# End-to-end method:
print("------------------- Results using size metric -------------------")
print(defence.get_params())
defence.detect_poison(n_clusters=2, ndims=10, reduce="PCA")
# Now fix the model
x_new, y_fix = correct_poisoned_labels(x_train, y_train, is_poison_train)
improvement = defence.relabel_poison_ground_truth(x_new, y_fix, test_set_split=0.7, tolerable_backdoor=0.001,
max_epochs=5, batch_epochs=10)
# Evaluate the classifier on poisonous data after backdoor fix:
preds = np.argmax(classifier.predict(x_test[is_poison_test]), axis=1)
acc_after = np.sum(preds == np.argmax(y_test[is_poison_test], axis=1)) / y_test[is_poison_test].shape[0]
print("\nPoisonous test set accuracy (i.e. effectiveness of poison) after backdoor fix: %.2f%%" % (acc_after * 100))
print("\n Improvement after training: ", improvement)
print('before: ', acc, ' after: ', acc_after)
print("done :) ")
def main():
# Read MNIST dataset (x_raw contains the original images):
(x_raw, y_raw), (x_raw_test, y_raw_test), min_, max_ = load_mnist(raw=True)
n_train = np.shape(x_raw)[0]
num_selection = 5000
random_selection_indices = np.random.choice(n_train, num_selection)
x_raw = x_raw[random_selection_indices]
y_raw = y_raw[random_selection_indices]
# Poison training data
perc_poison = 0.33
(is_poison_train, x_poisoned_raw,
y_poisoned_raw) = generate_backdoor(x_raw, y_raw, perc_poison)
x_train, y_train = preprocess(x_poisoned_raw, y_poisoned_raw)
# Add channel axis:
x_train = np.expand_dims(x_train, axis=3)
# Poison test data
(is_poison_test, x_poisoned_raw_test,
y_poisoned_raw_test) = generate_backdoor(x_raw_test, y_raw_test,
perc_poison)
x_test, y_test = preprocess(x_poisoned_raw_test, y_poisoned_raw_test)
# Add channel axis:
x_test = np.expand_dims(x_test, axis=3)
# Shuffle training data so poison is not together
n_train = np.shape(y_train)[0]
shuffled_indices = np.arange(n_train)
np.random.shuffle(shuffled_indices)
x_train = x_train[shuffled_indices]
y_train = y_train[shuffled_indices]
is_poison_train = is_poison_train[shuffled_indices]
# Create Keras convolutional neural network - basic architecture from Keras examples
# Source here: https://github.com/keras-team/keras/blob/master/examples/mnist_cnn.py
model = Sequential()
model.add(
Conv2D(32,
kernel_size=(3, 3),
activation="relu",
input_shape=x_train.shape[1:]))
model.add(Conv2D(64, (3, 3), activation="relu"))
model.add(MaxPooling2D(pool_size=(2, 2)))
model.add(Dropout(0.25))
model.add(Flatten())
model.add(Dense(128, activation="relu"))
model.add(Dropout(0.5))
model.add(Dense(10, activation="softmax"))
model.compile(loss="categorical_crossentropy",
optimizer="adam",
metrics=["accuracy"])
classifier = KerasClassifier(model=model, clip_values=(min_, max_))
classifier.fit(x_train, y_train, nb_epochs=30, batch_size=128)
# Evaluate the classifier on the test set
preds = np.argmax(classifier.predict(x_test), axis=1)
acc = np.sum(preds == np.argmax(y_test, axis=1)) / y_test.shape[0]
print("\nTest accuracy: %.2f%%" % (acc * 100))
# Evaluate the classifier on poisonous data
preds = np.argmax(classifier.predict(x_test[is_poison_test]), axis=1)
acc = np.sum(preds == np.argmax(y_test[is_poison_test],
axis=1)) / y_test[is_poison_test].shape[0]
print(
"\nPoisonous test set accuracy (i.e. effectiveness of poison): %.2f%%"
% (acc * 100))
# Evaluate the classifier on clean data
preds = np.argmax(classifier.predict(x_test[is_poison_test == 0]), axis=1)
acc = np.sum(preds == np.argmax(y_test[
is_poison_test == 0], axis=1)) / y_test[is_poison_test == 0].shape[0]
print("\nClean test set accuracy: %.2f%%" % (acc * 100))
# Calling poisoning defence:
defence = ActivationDefence(classifier, x_train, y_train)
# End-to-end method:
print("------------------- Results using size metric -------------------")
print(defence.get_params())
defence.detect_poison(nb_clusters=2, nb_dims=10, reduce="PCA")
# Evaluate method when ground truth is known:
is_clean = is_poison_train == 0
confusion_matrix = defence.evaluate_defence(is_clean)
print("Evaluation defence results for size-based metric: ")
jsonObject = json.loads(confusion_matrix)
for label in jsonObject:
print(label)
pprint.pprint(jsonObject[label])
# Visualize clusters:
print("Visualize clusters")
sprites_by_class = defence.visualize_clusters(x_train, "mnist_poison_demo")
# Show plots for clusters of class 5
n_class = 5
try:
import matplotlib.pyplot as plt
plt.imshow(sprites_by_class[n_class][0])
plt.title("Class " + str(n_class) + " cluster: 0")
plt.show()
plt.imshow(sprites_by_class[n_class][1])
plt.title("Class " + str(n_class) + " cluster: 1")
plt.show()
except ImportError:
print(
"matplotlib not installed. For this reason, cluster visualization was not displayed"
)
# Try again using distance analysis this time:
print(
"------------------- Results using distance metric -------------------"
)
print(defence.get_params())
defence.detect_poison(nb_clusters=2,
nb_dims=10,
reduce="PCA",
cluster_analysis="distance")
confusion_matrix = defence.evaluate_defence(is_clean)
print("Evaluation defence results for distance-based metric: ")
jsonObject = json.loads(confusion_matrix)
for label in jsonObject:
print(label)
pprint.pprint(jsonObject[label])
# Other ways to invoke the defence:
kwargs = {"nb_clusters": 2, "nb_dims": 10, "reduce": "PCA"}
defence.cluster_activations(**kwargs)
kwargs = {"cluster_analysis": "distance"}
defence.analyze_clusters(**kwargs)
defence.evaluate_defence(is_clean)
kwargs = {"cluster_analysis": "smaller"}
defence.analyze_clusters(**kwargs)
defence.evaluate_defence(is_clean)
print("done :) ")
def main():
# Read MNIST dataset (x_raw contains the original images):
(x_raw, y_raw), (x_raw_test, y_raw_test), min_, max_ = load_mnist(raw=True)
n_train = np.shape(x_raw)[0]
num_selection = 5000
random_selection_indices = np.random.choice(n_train, num_selection)
x_raw = x_raw[random_selection_indices]
y_raw = y_raw[random_selection_indices]
# Poison training data
perc_poison = .33
(is_poison_train, x_poisoned_raw, y_poisoned_raw) = generate_backdoor(x_raw, y_raw, perc_poison)
x_train, y_train = preprocess(x_poisoned_raw, y_poisoned_raw)
# Add channel axis:
x_train = np.expand_dims(x_train, axis=3)
# Poison test data
(is_poison_test, x_poisoned_raw_test, y_poisoned_raw_test) = generate_backdoor(x_raw_test, y_raw_test, perc_poison)
x_test, y_test = preprocess(x_poisoned_raw_test, y_poisoned_raw_test)
# Add channel axis:
x_test = np.expand_dims(x_test, axis=3)
# Shuffle training data so poison is not together
n_train = np.shape(y_train)[0]
shuffled_indices = np.arange(n_train)
np.random.shuffle(shuffled_indices)
x_train = x_train[shuffled_indices]
y_train = y_train[shuffled_indices]
is_poison_train = is_poison_train[shuffled_indices]
# Create Keras convolutional neural network - basic architecture from Keras examples
# Source here: https://github.com/keras-team/keras/blob/master/examples/mnist_cnn.py
k.set_learning_phase(1)
model = Sequential()
model.add(Conv2D(32, kernel_size=(3, 3), activation='relu', input_shape=x_train.shape[1:]))
model.add(Conv2D(64, (3, 3), activation='relu'))
model.add(MaxPooling2D(pool_size=(2, 2)))
model.add(Dropout(0.25))
model.add(Flatten())
model.add(Dense(128, activation='relu'))
model.add(Dropout(0.5))
model.add(Dense(10, activation='softmax'))
model.compile(loss='categorical_crossentropy', optimizer='adam', metrics=['accuracy'])
classifier = KerasClassifier((min_, max_), model=model)
classifier.fit(x_train, y_train, nb_epochs=30, batch_size=128)
# Evaluate the classifier on the test set
preds = np.argmax(classifier.predict(x_test), axis=1)
acc = np.sum(preds == np.argmax(y_test, axis=1)) / y_test.shape[0]
print("\nTest accuracy: %.2f%%" % (acc * 100))
# Evaluate the classifier on poisonous data
preds = np.argmax(classifier.predict(x_test[is_poison_test]), axis=1)
acc = np.sum(preds == np.argmax(y_test[is_poison_test], axis=1)) / y_test[is_poison_test].shape[0]
print("\nPoisonous test set accuracy (i.e. effectiveness of poison): %.2f%%" % (acc * 100))
# Evaluate the classifier on clean data
preds = np.argmax(classifier.predict(x_test[is_poison_test == 0]), axis=1)
acc = np.sum(preds == np.argmax(y_test[is_poison_test == 0], axis=1)) / y_test[is_poison_test == 0].shape[0]
print("\nClean test set accuracy: %.2f%%" % (acc * 100))
# Calling poisoning defence:
defence = ActivationDefence(classifier, x_train, y_train, verbose=True)
# End-to-end method:
print("------------------- Results using size metric -------------------")
print(defence.get_params())
defence.detect_poison(n_clusters=2, ndims=10, reduce="PCA")
# Evaluate method when ground truth is known:
is_clean = (is_poison_train == 0)
confusion_matrix = defence.evaluate_defence(is_clean)
print("Evaluation defence results for size-based metric: ")
pprint.pprint(confusion_matrix)
# Visualize clusters:
print("Visualize clusters")
defence.visualize_clusters(x_train, 'mnist_poison_demo')
# Try again using distance analysis this time:
print("------------------- Results using distance metric -------------------")
print(defence.get_params())
defence.detect_poison(n_clusters=2, ndims=10, reduce="PCA", cluster_analysis='distance')
confusion_matrix = defence.evaluate_defence(is_clean)
print("Evaluation defence results for distance-based metric: ")
pprint.pprint(confusion_matrix)
# Other ways to invoke the defence:
defence.cluster_activations(n_clusters=2, ndims=10, reduce='PCA')
defence.analyze_clusters(cluster_analysis='distance')
defence.evaluate_defence(is_clean)
defence.analyze_clusters(cluster_analysis='smaller')
defence.evaluate_defence(is_clean)
print("done :) ")
from os.path import abspath
import sys
sys.path.append(abspath('.'))
from keras.models import Sequential
from keras.layers import Dense
import numpy as np
from art.attacks import CarliniL2Method
from art.defences import LabelSmoothing
from art.classifiers import KerasClassifier
from art.utils import load_mnist_raw, preprocess, random_targets
# Read MNIST dataset (x_raw contains the original images):
(x_raw, y_raw), (x_raw_test, y_raw_test), min_, max_ = load_mnist_raw()
x_train, y_train = preprocess(x_raw, y_raw)
x_test, y_test = preprocess(x_raw_test, y_raw_test)
x_train = x_train.reshape(60000, 784)
x_test = x_test.reshape(10000, 784)
## Create simple 2 hidden layer 64 nodes neural network
model = Sequential()
model.add(Dense(64, input_dim=784, activation='relu'))
model.add(Dense(64, activation='relu'))
model.add(Dense(10, activation='softmax'))
model.compile(loss='mse', optimizer='adam', metrics=['accuracy'])
classifier = KerasClassifier((min_, max_), model=model)
classifier.fit(x_train, y_train, nb_epochs=5, batch_size=50)
## Create CarliniL2Method adversarial samples
print('Create CarliniL2Method attack \n')
