def fprop(self, x, y, **kwargs):
x_adv = self.attack.generate(x)
d1 = self.model.fprop(x, **kwargs)
d2 = self.model.fprop(x_adv, **kwargs)
pairing_loss = [
tf.reduce_mean(tf.square(a - b))
for a, b in zip(d1[Model.O_FEATURES], d2[Model.O_FEATURES])
]
pairing_loss = tf.reduce_mean(pairing_loss)
loss = tf.reduce_mean(
softmax_cross_entropy_with_logits(labels=y,
logits=d1[Model.O_LOGITS]))
loss += tf.reduce_mean(
softmax_cross_entropy_with_logits(labels=y,
logits=d2[Model.O_LOGITS]))
return loss + self.weight * pairing_loss
def body(i, ax, m):
logits = self.model.get_logits(ax)
loss = softmax_cross_entropy_with_logits(labels=y, logits=logits)
if targeted:
loss = -loss
# Define gradient of loss wrt input
grad, = tf.gradients(loss, ax)
# Normalize current gradient and add it to the accumulated gradient
red_ind = list(range(1, len(grad.get_shape())))
avoid_zero_div = tf.cast(1e-12, grad.dtype)
grad = grad / tf.maximum(
avoid_zero_div,
reduce_mean(tf.abs(grad), red_ind, keepdims=True))
m = self.decay_factor * m + grad
optimal_perturbation = optimize_linear(m, self.eps_iter, self.ord)
if self.ord == 1:
raise NotImplementedError(
"This attack hasn't been tested for ord=1."
"It's not clear that FGM makes a good inner "
"loop step for iterative optimization since "
"it updates just one coordinate at a time.")
# Update and clip adversarial example in current iteration
ax = ax + optimal_perturbation
ax = x + utils_tf.clip_eta(ax - x, self.ord, self.eps)
if self.clip_min is not None and self.clip_max is not None:
ax = utils_tf.clip_by_value(ax, self.clip_min, self.clip_max)
ax = tf.stop_gradient(ax)
return i + 1, ax, m
def fprop(self, x, y, **kwargs):
kwargs.update(self.kwargs)
if self.attack is not None:
attack_params = copy.copy(self.attack_params)
if attack_params is None:
attack_params = {}
if self.pass_y:
attack_params['y'] = y
x = x, self.attack.generate(x, **attack_params)
coeffs = [1. - self.adv_coeff, self.adv_coeff]
if self.adv_coeff == 1.:
x = (x[1], )
coeffs = (coeffs[1], )
else:
x = tuple([x])
coeffs = [1.]
assert np.allclose(sum(coeffs), 1.)
# Catching RuntimeError: Variable -= value not supported by tf.eager.
try:
y -= self.smoothing * (y - 1. / tf.cast(y.shape[-1], y.dtype))
except RuntimeError:
y.assign_sub(self.smoothing *
(y - 1. / tf.cast(y.shape[-1], y.dtype)))
logits = [self.model.get_logits(x, **kwargs) for x in x]
loss = sum(coeff * tf.reduce_mean(
softmax_cross_entropy_with_logits(labels=y, logits=logit))
for coeff, logit in safe_zip(coeffs, logits))
return loss
def fprop(self, x, y, **kwargs):
x_adv = self.attack(x)
d1 = self.model.fprop(x, **kwargs)
d2 = self.model.fprop(x_adv, **kwargs)
pairing_loss = [
tf.reduce_mean(tf.square(a - b))
for a, b in zip(d1[Model.O_FEATURES], d2[Model.O_FEATURES])
]
pairing_loss = tf.reduce_mean(pairing_loss)
loss = softmax_cross_entropy_with_logits(labels=y,
logits=d1[Model.O_LOGITS])
loss += softmax_cross_entropy_with_logits(labels=y,
logits=d2[Model.O_LOGITS])
warnings.warn("LossFeaturePairing is deprecated, switch to "
"FeaturePairing. LossFeaturePairing may be removed "
"on or after 2019-03-06.")
return loss + self.weight * pairing_loss
def fprop(self, x, y, **kwargs):
mix = tf_distributions.Beta(self.beta, self.beta)
mix = mix.sample([tf.shape(x)[0]] + [1] * (len(x.shape) - 1))
xm = x + mix * (x[::-1] - x)
ym = y + mix * (y[::-1] - y)
logits = self.model.get_logits(xm, **kwargs)
loss = softmax_cross_entropy_with_logits(labels=ym, logits=logits)
warnings.warn("LossMixUp is deprecated, switch to "
"MixUp. LossFeaturePairing may be removed "
"on or after 2019-03-06.")
return loss
def fprop(self, x, y, **kwargs):
with tf.device('/CPU:0'):
# Prevent error complaining GPU kernels unavailable for this.
mix = tf_distributions.Beta(self.beta, self.beta)
mix = mix.sample([tf.shape(x)[0]] + [1] * (len(x.shape) - 1))
mix = tf.maximum(mix, 1 - mix)
mix_label = tf.reshape(mix, [-1, 1])
xm = x + mix * (x[::-1] - x)
ym = y + mix_label * (y[::-1] - y)
logits = self.model.get_logits(xm, **kwargs)
loss = tf.reduce_mean(
softmax_cross_entropy_with_logits(labels=ym, logits=logits))
return loss
def __init__(self, sess, x, logits, targeted_label,
binary_search_steps, max_iterations, initial_const, clip_min,
clip_max, nb_classes, batch_size):
"""
Return a tensor that constructs adversarial examples for the given
input. Generate uses tf.py_func in order to operate over tensors.
:param sess: a TF session.
:param x: A tensor with the inputs.
:param logits: A tensor with model's output logits.
:param targeted_label: A tensor with the target labels.
:param binary_search_steps: The number of times we perform binary
search to find the optimal tradeoff-
constant between norm of the purturbation
and cross-entropy loss of classification.
:param max_iterations: The maximum number of iterations.
:param initial_const: The initial tradeoff-constant to use to tune the
relative importance of size of the purturbation
and cross-entropy loss of the classification.
:param clip_min: Minimum input component value
:param clip_max: Maximum input component value
:param num_labels: The number of classes in the model's output.
:param batch_size: Number of attacks to run simultaneously.
"""
self.sess = sess
self.x = x
self.logits = logits
assert logits.op.type != 'Softmax'
self.targeted_label = targeted_label
self.binary_search_steps = binary_search_steps
self.max_iterations = max_iterations
self.initial_const = initial_const
self.clip_min = clip_min
self.clip_max = clip_max
self.batch_size = batch_size
self.repeat = self.binary_search_steps >= 10
self.shape = tuple([self.batch_size] +
list(self.x.get_shape().as_list()[1:]))
self.ori_img = tf.Variable(
np.zeros(self.shape), dtype=tf_dtype, name='ori_img')
self.const = tf.Variable(
np.zeros(self.batch_size), dtype=tf_dtype, name='const')
self.score = softmax_cross_entropy_with_logits(
labels=self.targeted_label, logits=self.logits)
self.l2dist = reduce_sum(tf.square(self.x - self.ori_img))
# small self.const will result small adversarial perturbation
self.loss = reduce_sum(self.score * self.const) + self.l2dist
self.grad, = tf.gradients(self.loss, self.x)
def fprop(self, x, y, **kwargs):
if self.attack is not None:
x = x, self.attack(x)
else:
x = tuple([x])
# Catching RuntimeError: Variable -= value not supported by tf.eager.
try:
y -= self.smoothing * (y - 1. / tf.cast(y.shape[-1], tf.float32))
except RuntimeError:
y.assign_sub(self.smoothing *
(y - 1. / tf.cast(y.shape[-1], tf.float32)))
logits = [self.model.get_logits(x, **kwargs) for x in x]
loss = sum(
softmax_cross_entropy_with_logits(labels=y, logits=logit)
for logit in logits)
warnings.warn("LossCrossEntropy is deprecated, switch to "
"CrossEntropy. LossCrossEntropy may be removed on "
"or after 2019-03-06.")
return loss
def model_loss(y, model, mean=True):
"""
Define loss of TF graph
:param y: correct labels
:param model: output of the model
:param mean: boolean indicating whether should return mean of loss
or vector of losses for each input of the batch
:return: return mean of loss if True, otherwise return vector with per
sample loss
"""
warnings.warn("This function is deprecated and will be removed on or after"
" 2019-04-05. Switch to cleverhans.train.train.")
op = model.op
if op.type == "Softmax":
logits, = op.inputs
else:
logits = model
out = softmax_cross_entropy_with_logits(logits=logits, labels=y)
if mean:
out = reduce_mean(out)
return out
def fgm(x,
logits,
y=None,
eps=0.3,
ord=np.inf,
clip_min=None,
clip_max=None,
targeted=False,
sanity_checks=True):
"""
TensorFlow implementation of the Fast Gradient Method.
:param x: the input placeholder
:param logits: output of model.get_logits
:param y: (optional) A placeholder for the true labels. If targeted
is true, then provide the target label. Otherwise, only provide
this parameter if you'd like to use true labels when crafting
adversarial samples. Otherwise, model predictions are used as
labels to avoid the "label leaking" effect (explained in this
paper: https://arxiv.org/abs/1611.01236). Default is None.
Labels should be one-hot-encoded.
:param eps: the epsilon (input variation parameter)
:param ord: (optional) Order of the norm (mimics NumPy).
Possible values: np.inf, 1 or 2.
:param clip_min: Minimum float value for adversarial example components
:param clip_max: Maximum float value for adversarial example components
:param targeted: Is the attack targeted or untargeted? Untargeted, the
default, will try to make the label incorrect. Targeted
will instead try to move in the direction of being more
like y.
:return: a tensor for the adversarial example
"""
asserts = []
# If a data range was specified, check that the input was in that range
if clip_min is not None:
asserts.append(
utils_tf.assert_greater_equal(x, tf.cast(clip_min, x.dtype)))
if clip_max is not None:
asserts.append(
utils_tf.assert_less_equal(x, tf.cast(clip_max, x.dtype)))
# Make sure the caller has not passed probs by accident
assert logits.op.type != 'Softmax'
if y is None:
# Using model predictions as ground truth to avoid label leaking
preds_max = reduce_max(logits, 1, keepdims=True)
y = tf.to_float(tf.equal(logits, preds_max))
y = tf.stop_gradient(y)
y = y / reduce_sum(y, 1, keepdims=True)
# Compute loss
loss = softmax_cross_entropy_with_logits(labels=y, logits=logits)
if targeted:
loss = -loss
# Define gradient of loss wrt input
grad, = tf.gradients(loss, x)
optimal_perturbation = optimize_linear(grad, eps, ord)
# Add perturbation to original example to obtain adversarial example
adv_x = x + optimal_perturbation
# If clipping is needed, reset all values outside of [clip_min, clip_max]
if (clip_min is not None) or (clip_max is not None):
# We don't currently support one-sided clipping
assert clip_min is not None and clip_max is not None
adv_x = utils_tf.clip_by_value(adv_x, clip_min, clip_max)
if sanity_checks:
with tf.control_dependencies(asserts):
adv_x = tf.identity(adv_x)
return adv_x