def craft(dataset,
gen_test=True,
method=ATTACK.FGSM,
trans_type=TRANSFORMATION.clean):
print('loading original images...')
if gen_test:
# generate for test set
_, (X, Y) = load_data(dataset)
prefix = 'test'
else:
# generate for train set (the last 20% of the original train set)
(X, Y), _ = load_data(dataset)
nb_trainings = int(X.shape[0] * 0.8)
X = X[nb_trainings:]
Y = Y[nb_trainings:]
prefix = 'val'
"""
In debugging mode, crafting for 50 samples.
"""
if MODE.DEBUG:
X = X[:30]
Y = Y[:30]
X = transform(X, trans_type)
model_name = 'model-{}-cnn-{}'.format(dataset, trans_type)
if method == ATTACK.FGSM:
for eps in ATTACK.get_fgsm_eps():
print('{}: (eps={})'.format(method.upper(), eps))
X_adv, _ = get_adversarial_examples(model_name,
method,
X,
Y,
eps=eps)
attack_params = 'eps{}'.format(int(1000 * eps))
reset(X, trans_type)
reset(X_adv, trans_type)
save_adv_examples(X_adv,
prefix=prefix,
dataset=dataset,
transformation=trans_type,
attack_method=method,
attack_params=attack_params)
elif method == ATTACK.BIM:
for ord in ATTACK.get_bim_norm():
for nb_iter in ATTACK.get_bim_nbIter():
for eps in ATTACK.get_bim_eps(ord):
print('{}: (ord={}, nb_iter={}, eps={})'.format(
method.upper(), ord, nb_iter, eps))
X_adv, _ = get_adversarial_examples(model_name,
method,
X,
Y,
ord=ord,
nb_iter=nb_iter,
eps=eps)
if ord == np.inf:
norm = 'inf'
else:
norm = ord
attack_params = 'ord{}_nbIter{}_eps{}'.format(
norm, nb_iter, int(1000 * eps))
reset(X, trans_type)
reset(X_adv, trans_type)
save_adv_examples(X_adv,
prefix=prefix,
dataset=dataset,
transformation=trans_type,
attack_method=method,
attack_params=attack_params)
elif method == ATTACK.DEEPFOOL:
for order in [2]:
for overshoot in ATTACK.get_df_overshoots(order):
print('attack {} -- order: {}; overshoot: {}'.format(
method.upper(), order, overshoot))
X_adv, _ = get_adversarial_examples(model_name,
method,
X,
Y,
ord=order,
overshoot=overshoot)
attack_params = 'l{}_overshoot{}'.format(order, int(overshoot))
reset(X, trans_type)
reset(X_adv, trans_type)
save_adv_examples(X_adv,
prefix=prefix,
bs_samples=X,
dataset=dataset,
transformation=trans_type,
attack_method=method,
attack_params=attack_params)
elif method == ATTACK.CW_L2:
binary_search_steps = 16 #9
cw_batch_size = 2 #1
initial_const = 1 #10
for learning_rate in ATTACK.get_cwl2_lr():
for max_iter in ATTACK.get_cwl2_maxIter():
print('{}: (ord={}, max_iterations={})'.format(
method.upper(), 2, max_iter))
X_adv, _ = get_adversarial_examples(
model_name,
method,
X,
Y,
ord=2,
max_iterations=max_iter,
binary_search_steps=binary_search_steps,
cw_batch_size=cw_batch_size,
initial_const=initial_const,
learning_rate=learning_rate)
attack_params = 'lr{}_maxIter{}'.format(
int(learning_rate * 1000), max_iter)
reset(X, trans_type)
reset(X_adv, trans_type)
save_adv_examples(X_adv,
prefix=prefix,
bs_samples=X,
dataset=dataset,
transformation=trans_type,
attack_method=method,
attack_params=attack_params)
elif method == ATTACK.CW_Linf:
initial_const = 1e-5
# X *= 255.
for learning_rate in ATTACK.get_cwl2_lr():
for max_iter in ATTACK.get_cwl2_maxIter():
print('{}: (ord={}, max_iterations={})'.format(
method.upper(), np.inf, max_iter))
X_adv, _ = get_adversarial_examples(
model_name,
method,
X,
Y,
max_iterations=max_iter,
initial_const=initial_const,
learning_rate=learning_rate)
attack_params = 'lr{}_maxIter{}'.format(
int(learning_rate * 10), max_iter)
reset(X, trans_type)
reset(X_adv, trans_type)
save_adv_examples(X_adv,
prefix=prefix,
bs_samples=X,
dataset=dataset,
transformation=trans_type,
attack_method=method,
attack_params=attack_params)
elif method == ATTACK.CW_L0:
initial_const = 1e-5
for learning_rate in ATTACK.get_cwl2_lr():
for max_iter in ATTACK.get_cwl2_maxIter():
print('{}: (ord={}, max_iterations={})'.format(
method.upper(), np.inf, max_iter))
X_adv, _ = get_adversarial_examples(
model_name,
method,
X,
Y,
max_iterations=max_iter,
initial_const=initial_const,
learning_rate=learning_rate)
attack_params = 'lr{}_maxIter{}'.format(
int(learning_rate * 10), max_iter)
reset(X, trans_type)
reset(X_adv, trans_type)
save_adv_examples(X_adv,
prefix=prefix,
bs_samples=X,
dataset=dataset,
transformation=trans_type,
attack_method=method,
attack_params=attack_params)
elif method == ATTACK.JSMA:
for theta in ATTACK.get_jsma_theta():
for gamma in ATTACK.get_jsma_gamma():
print('{}: (theta={}, gamma={})'.format(
method.upper(), theta, gamma))
X_adv, _ = get_adversarial_examples(model_name,
method,
X,
Y,
theta=theta,
gamma=gamma)
attack_params = 'theta{}_gamma{}'.format(
int(100 * theta), int(100 * gamma))
reset(X, trans_type)
reset(X_adv, trans_type)
save_adv_examples(X_adv,
prefix=prefix,
bs_samples=X,
dataset=dataset,
transformation=trans_type,
attack_method=method,
attack_params=attack_params)
elif method == ATTACK.PGD:
nb_iter = 1000
eps_iter = 0.05 #0.01
for eps in ATTACK.get_pgd_eps():
if eps < 0.05:
eps_iter = 0.01
elif eps <= 0.01:
eps_iter = 0.005
X_adv, _ = get_adversarial_examples(model_name,
method,
X,
Y,
eps=eps,
nb_iter=nb_iter,
eps_iter=eps_iter)
attack_params = 'eps{}_nbIter{}_epsIter{}'.format(
int(1000 * eps), nb_iter, int(1000 * eps_iter))
reset(X, trans_type)
reset(X_adv, trans_type)
save_adv_examples(X_adv,
prefix=prefix,
bs_samples=X,
dataset=dataset,
transformation=trans_type,
attack_method=method,
attack_params=attack_params)
elif method == ATTACK.ONE_PIXEL:
for pixel_counts in ATTACK.get_op_pxCnt():
for max_iter in ATTACK.get_op_maxIter():
for pop_size in ATTACK.get_op_popsize():
attack_params = {
'pixel_counts': pixel_counts,
'max_iter': max_iter,
'pop_size': pop_size
}
X_adv, _ = get_adversarial_examples(
model_name, method, X, Y, **attack_params)
X_adv = np.asarray(X_adv)
attack_params = 'pxCount{}_maxIter{}_popsize{}'.format(
pixel_counts, max_iter, pop_size)
reset(X, trans_type)
reset(X_adv, trans_type)
save_adv_examples(X_adv,
prefix=prefix,
bs_samples=X,
dataset=dataset,
transformation=trans_type,
attack_method=method,
attack_params=attack_params)
elif method == ATTACK.MIM:
for eps in ATTACK.get_mim_eps():
for nb_iter in ATTACK.get_mim_nbIter():
attack_params = {'eps': eps, 'nb_iter': nb_iter}
X_adv, _ = get_adversarial_examples(model_name, method, X, Y,
**attack_params)
attack_params = 'eps{}_nbIter{}'.format(
int(eps * 100), nb_iter)
reset(X, trans_type)
reset(X_adv, trans_type)
save_adv_examples(X_adv,
prefix=prefix,
bs_samples=X,
dataset=dataset,
transformation=trans_type,
attack_method=method,
attack_params=attack_params)
del X
del Y
def gen_greedy(dataset,
attacker=ATTACK.FGSM,
attack_count=None,
strategy=ATTACK_STRATEGY.RANDOM.value):
config = tf.ConfigProto(intra_op_parallelism_threads=4,
inter_op_parallelism_threads=4)
sess = tf.Session(config=config)
keras.backend.set_session(sess)
candidates = init_candidate_targets(
'ensemble/mnist_weak_defenses_fsgm.list')
print('...In total {} weak defenses.'.format(len(candidates)))
prefix = 'wb' # white-box
if attack_count == None or attack_count <= 0:
prefix = 'gb' # gray-box
attack_count = len(candidates.keys())
X_adv = []
_, (X, Y) = load_data(dataset=dataset)
# generate 500 samples
batch_size = 100
nb_samples = Y.shape[0]
nb_iter = int(nb_samples / batch_size)
start = time.monotonic()
for i in range(nb_iter):
start_idx = i * batch_size
end_idx = min((i + 1) * batch_size, nb_samples)
print(start_idx, end_idx)
X_batch = X[start_idx:end_idx]
Y_batch = Y[start_idx:end_idx]
print('...In total {} inputs.'.format(Y.shape[0]))
idx = 0
for x, y in zip(X_batch, Y_batch):
print('{}-th input...'.format(idx))
x = np.expand_dims(x, axis=0)
strategy = ATTACK_STRATEGY.RANDOM.value
'''
generate_single(sess, x, y, attacker=ATTACK.FGSM,
candidates=None,
attack_count=None,
max_perturb=get_perturb_upperbound(),
strategy=ATTACK_STRATEGY.RANDOM.value)
'''
start_sample = time.monotonic()
X_adv.append(
generate_single(sess,
x,
y,
attacker,
candidates,
attack_count,
strategy=strategy))
end_sample = time.monotonic()
print('({}, {})-th sample: {}\n\n'.format(
i, idx, (end_sample - start_sample)))
idx += 1
save_adv_examples(np.asarray(X_adv),
prefix=prefix,
bs_samples=X_batch,
dataset=dataset,
transformation=strategy,
attack_method=attacker,
attack_params='eps100_batchsize{}_{}'.format(
batch_size, i))
duration = time.monotonic() - start
print('----------------------------------')
print(' Summary')
print('----------------------------------')
print('Number of inputs:', Y.shape[0])
print('Adversary:', attacker)
print('Strategy:', strategy)
print('Time cost:', duration)
sess.close()
def craft(model_name, method, X, Y):
'''
input:
X: nSamples X <dimension of a sample>
Y: 2D numpy array - nSamples X nClasses
'''
model_prefix, dataset, architect, trans_type = model_name.split('-')
prefix = "BB_{}".format(model_prefix)
if method == ATTACK.FGSM:
eps = 0.3
print('{}: (eps={})'.format(method.upper(), eps))
X_adv, _ = get_adversarial_examples(model_name, method, X, Y, eps=eps)
attack_params = 'eps{}'.format(int(1000 * eps))
save_adv_examples(X_adv, prefix=prefix, dataset=dataset, transformation=trans_type,
attack_method=method, attack_params=attack_params)
elif method == "biml2": # BIM l2 norm
order = 2
nb_iter = 100
norm = order
eps = 2
print('{}: (ord={}, nb_iter={}, eps={})'.format(ATTACK.BIM.upper(), order, nb_iter, eps))
X_adv, _ = get_adversarial_examples(model_name, ATTACK.BIM, X, Y,
ord=order, nb_iter=nb_iter, eps=eps)
attack_params = 'ord{}_nbIter{}_eps{}'.format(norm, nb_iter, int(1000 * eps))
save_adv_examples(X_adv, prefix=prefix, dataset=dataset, transformation=trans_type,
attack_method=ATTACK.BIM, attack_params=attack_params)
elif method == "bimli": # BIM Inf norm
order = np.inf
nb_iter = 100
norm = 'inf'
eps = 0.3
print('{}: (ord={}, nb_iter={}, eps={})'.format(ATTACK.BIM.upper(), order, nb_iter, eps))
X_adv, _ = get_adversarial_examples(model_name, ATTACK.BIM, X, Y,
ord=order, nb_iter=nb_iter, eps=eps)
attack_params = 'ord{}_nbIter{}_eps{}'.format(norm, nb_iter, int(1000 * eps))
save_adv_examples(X_adv, prefix=prefix, dataset=dataset, transformation=trans_type,
attack_method=ATTACK.BIM, attack_params=attack_params)
elif method == ATTACK.DEEPFOOL:
order=2
overshoot = 0
print('attack {} -- order: {}; overshoot: {}'.format(method.upper(), order, overshoot))
X_adv, _ = get_adversarial_examples(model_name, method, X, Y,
ord=order, overshoot=overshoot)
attack_params = 'l{}_overshoot{}'.format(order, int(overshoot * 10))
save_adv_examples(X_adv, prefix=prefix, bs_samples=X, dataset=dataset, transformation=trans_type,
attack_method=method, attack_params=attack_params)
elif method == ATTACK.CW_L2:
binary_search_steps = 9
cw_batch_size = 1
initial_const = 10
learning_rate = 1
max_iter = 100
print('{}: (ord={}, max_iterations={})'.format(method.upper(), 2, max_iter))
X_adv, _ = get_adversarial_examples(model_name, method, X, Y,
ord=2, max_iterations=max_iter,
binary_search_steps=binary_search_steps,
cw_batch_size=cw_batch_size,
initial_const=initial_const,
learning_rate=learning_rate)
attack_params = 'lr{}_maxIter{}'.format(int(learning_rate * 100), max_iter)
save_adv_examples(
X_adv, prefix=prefix, bs_samples=X, dataset=dataset,
transformation=trans_type, attack_method=method, attack_params=attack_params)
elif method == ATTACK.JSMA:
theta = 0.5
gamma = 0.7
print('{}: (theta={}, gamma={})'.format(method.upper(), theta, gamma))
X_adv, _ = get_adversarial_examples(model_name, method, X, Y,
theta=theta, gamma=gamma)
attack_params = 'theta{}_gamma{}'.format(int(100 * theta), int(100 * gamma))
save_adv_examples(
X_adv, prefix=prefix, bs_samples=X, dataset=dataset,
transformation=trans_type, attack_method=method, attack_params=attack_params)
elif method == ATTACK.PGD:
nb_iter = 100
eps_iter = 0.01
eps = 0.30
X_adv, _ = get_adversarial_examples(model_name, method, X, Y,
eps=eps, nb_iter=nb_iter, eps_iter=eps_iter)
attack_params = 'eps{}'.format(int(1000 * eps))
save_adv_examples(
X_adv, prefix=prefix, bs_samples=X, dataset=dataset,
transformation=trans_type, attack_method=method, attack_params=attack_params)
elif method == ATTACK.ONE_PIXEL:
pixel_counts = 30
max_iter = 30
pop_size = 100
attack_params = {
'pixel_counts': pixel_counts,
'max_iter': max_iter,
'pop_size': pop_size
}
X_adv, _ = get_adversarial_examples(model_name, method, X, Y, **attack_params)
X_adv = np.asarray(X_adv)
attack_params = 'pxCount{}_maxIter{}_popsize{}'.format(pixel_counts, max_iter, pop_size)
save_adv_examples(
X_adv, prefix=prefix, bs_samples=X, dataset=dataset,
transformation=trans_type, attack_method=method, attack_params=attack_params)
elif method == ATTACK.MIM:
eps = 0.3
nb_iter = 1000
attack_params = {
'eps': eps,
'nb_iter': nb_iter
}
X_adv, _ = get_adversarial_examples(model_name, method, X, Y, **attack_params)
attack_params = 'eps{}_nbIter{}'.format(int(eps * 1000), nb_iter)
save_adv_examples(
X_adv, prefix=prefix, bs_samples=X, dataset=dataset,
transformation=trans_type, attack_method=method, attack_params=attack_params)
del X
del Y