Example #1
0
    def test_tfclassifier(self):
        """
        First test with the TensorFlowClassifier.
        :return:
        """
        # Build TensorFlowClassifiers
        victim_tfc, sess = get_classifier_tf()

        # Define input and output placeholders
        input_ph = tf.placeholder(tf.float32, shape=[None, 28, 28, 1])
        output_ph = tf.placeholder(tf.int32, shape=[None, 10])

        # Define the tensorflow graph
        conv = tf.layers.conv2d(input_ph, 1, 7, activation=tf.nn.relu)
        conv = tf.layers.max_pooling2d(conv, 4, 4)
        flattened = tf.layers.flatten(conv)

        # Logits layer
        logits = tf.layers.dense(flattened, 10)

        # Train operator
        loss = tf.reduce_mean(
            tf.losses.softmax_cross_entropy(logits=logits,
                                            onehot_labels=output_ph))
        optimizer = tf.train.AdamOptimizer(learning_rate=0.001)
        train = optimizer.minimize(loss)

        # TensorFlow session and initialization
        sess.run(tf.global_variables_initializer())

        # Create the classifier
        thieved_tfc = TensorFlowClassifier(clip_values=(0, 1),
                                           input_ph=input_ph,
                                           output=logits,
                                           labels_ph=output_ph,
                                           train=train,
                                           loss=loss,
                                           learning=None,
                                           sess=sess)

        # Create attack
        copycat_cnn = CopycatCNN(classifier=victim_tfc,
                                 batch_size_query=BATCH_SIZE,
                                 batch_size_fit=BATCH_SIZE,
                                 nb_epochs=NB_EPOCHS,
                                 nb_stolen=NB_STOLEN)
        thieved_tfc = copycat_cnn.extract(x=self.x_train,
                                          thieved_classifier=thieved_tfc)

        victim_preds = np.argmax(victim_tfc.predict(x=self.x_train[:100]),
                                 axis=1)
        thieved_preds = np.argmax(thieved_tfc.predict(x=self.x_train[:100]),
                                  axis=1)
        acc = np.sum(victim_preds == thieved_preds) / len(victim_preds)

        self.assertGreater(acc, 0.3)

        # Clean-up session
        sess.close()
        tf.reset_default_graph()
Example #2
0
    def test_iris_pt(self):
        """
        Third test for Pytorch.
        :return:
        """
        # Build PyTorchClassifier
        victim_ptc = get_iris_classifier_pt()

        class Model(nn.Module):
            """
            Create Iris model for PyTorch.
            """
            def __init__(self):
                super(Model, self).__init__()

                self.fully_connected1 = nn.Linear(4, 10)
                self.fully_connected2 = nn.Linear(10, 10)
                self.fully_connected3 = nn.Linear(10, 3)

            # pylint: disable=W0221
            # disable pylint because of API requirements for function
            def forward(self, x):
                x = self.fully_connected1(x)
                x = self.fully_connected2(x)
                logit_output = self.fully_connected3(x)

                return logit_output

        # Define the network
        model = Model()

        # Define a loss function and optimizer
        loss_fn = nn.CrossEntropyLoss()
        optimizer = optim.Adam(model.parameters(), lr=0.001)

        # Get classifier
        thieved_ptc = PyTorchClassifier(model=model,
                                        loss=loss_fn,
                                        optimizer=optimizer,
                                        input_shape=(4, ),
                                        nb_classes=3,
                                        clip_values=(0, 1),
                                        channel_index=1)

        # Create attack
        copycat_cnn = CopycatCNN(classifier=victim_ptc,
                                 batch_size_fit=BATCH_SIZE,
                                 batch_size_query=BATCH_SIZE,
                                 nb_epochs=NB_EPOCHS,
                                 nb_stolen=NB_STOLEN)
        thieved_ptc = copycat_cnn.extract(x=self.x_train,
                                          thieved_classifier=thieved_ptc)

        victim_preds = np.argmax(victim_ptc.predict(x=self.x_train[:100]),
                                 axis=1)
        thieved_preds = np.argmax(thieved_ptc.predict(x=self.x_train[:100]),
                                  axis=1)
        acc = np.sum(victim_preds == thieved_preds) / len(victim_preds)

        self.assertGreater(acc, 0.3)
Example #3
0
    def test_iris_tf(self):
        """
        First test for TF.
        :return:
        """
        # Get the TF classifier
        victim_tfc, sess = get_iris_classifier_tf()

        # Define input and output placeholders
        input_ph = tf.placeholder(tf.float32, shape=[None, 4])
        output_ph = tf.placeholder(tf.int32, shape=[None, 3])

        # Define the tensorflow graph
        dense1 = tf.layers.dense(input_ph, 10)
        dense2 = tf.layers.dense(dense1, 10)
        logits = tf.layers.dense(dense2, 3)

        # Train operator
        loss = tf.reduce_mean(
            tf.losses.softmax_cross_entropy(logits=logits,
                                            onehot_labels=output_ph))
        optimizer = tf.train.AdamOptimizer(learning_rate=0.001)
        train = optimizer.minimize(loss)

        # Tensorflow session and initialization
        sess.run(tf.global_variables_initializer())

        # Train the classifier
        thieved_tfc = TensorFlowClassifier(clip_values=(0, 1),
                                           input_ph=input_ph,
                                           output=logits,
                                           labels_ph=output_ph,
                                           train=train,
                                           loss=loss,
                                           learning=None,
                                           sess=sess,
                                           channel_index=1)

        # Create attack
        copycat_cnn = CopycatCNN(classifier=victim_tfc,
                                 batch_size_fit=BATCH_SIZE,
                                 batch_size_query=BATCH_SIZE,
                                 nb_epochs=NB_EPOCHS,
                                 nb_stolen=NB_STOLEN)
        thieved_tfc = copycat_cnn.extract(x=self.x_train,
                                          thieved_classifier=thieved_tfc)

        victim_preds = np.argmax(victim_tfc.predict(x=self.x_train[:100]),
                                 axis=1)
        thieved_preds = np.argmax(thieved_tfc.predict(x=self.x_train[:100]),
                                  axis=1)
        acc = np.sum(victim_preds == thieved_preds) / len(victim_preds)

        self.assertGreater(acc, 0.3)

        # Clean-up session
        sess.close()
        tf.reset_default_graph()
    def test_keras_classifier(self):
        """
        Second test with the KerasClassifier.
        :return:
        """
        # Build KerasClassifier
        victim_krc = get_image_classifier_kr()

        # Create simple CNN
        model = Sequential()
        model.add(
            Conv2D(1,
                   kernel_size=(7, 7),
                   activation="relu",
                   input_shape=(28, 28, 1)))
        model.add(MaxPooling2D(pool_size=(4, 4)))
        model.add(Flatten())
        model.add(Dense(10, activation="softmax"))
        loss = keras.losses.categorical_crossentropy
        model.compile(loss=loss,
                      optimizer=keras.optimizers.Adam(lr=0.001),
                      metrics=["accuracy"])

        # Get classifier
        thieved_krc = KerasClassifier(model,
                                      clip_values=(0, 1),
                                      use_logits=False)

        # Create attack
        copycat_cnn = CopycatCNN(
            classifier=victim_krc,
            batch_size_fit=self.batch_size,
            batch_size_query=self.batch_size,
            nb_epochs=NB_EPOCHS,
            nb_stolen=NB_STOLEN,
        )
        thieved_krc = copycat_cnn.extract(x=self.x_train_mnist,
                                          thieved_classifier=thieved_krc)

        victim_preds = np.argmax(
            victim_krc.predict(x=self.x_train_mnist[:100]), axis=1)
        thieved_preds = np.argmax(
            thieved_krc.predict(x=self.x_train_mnist[:100]), axis=1)
        acc = np.sum(victim_preds == thieved_preds) / len(victim_preds)

        self.assertGreater(acc, 0.3)

        # Clean-up
        k.clear_session()
    def test_keras_iris(self):
        """
        Second test for Keras.
        :return:
        """
        # Build KerasClassifier
        victim_krc = get_tabular_classifier_kr()

        # Create simple CNN
        model = Sequential()
        model.add(Dense(10, input_shape=(4, ), activation="relu"))
        model.add(Dense(10, activation="relu"))
        model.add(Dense(3, activation="softmax"))
        model.compile(loss="categorical_crossentropy",
                      optimizer=keras.optimizers.Adam(lr=0.001),
                      metrics=["accuracy"])

        # Get classifier
        thieved_krc = KerasClassifier(model,
                                      clip_values=(0, 1),
                                      use_logits=False,
                                      channels_first=True)

        # Create attack
        copycat_cnn = CopycatCNN(
            classifier=victim_krc,
            batch_size_fit=self.batch_size,
            batch_size_query=self.batch_size,
            nb_epochs=NB_EPOCHS,
            nb_stolen=NB_STOLEN,
        )
        thieved_krc = copycat_cnn.extract(x=self.x_train_iris,
                                          thieved_classifier=thieved_krc)

        victim_preds = np.argmax(victim_krc.predict(x=self.x_train_iris[:100]),
                                 axis=1)
        thieved_preds = np.argmax(
            thieved_krc.predict(x=self.x_train_iris[:100]), axis=1)
        acc = np.sum(victim_preds == thieved_preds) / len(victim_preds)

        self.assertGreater(acc, 0.3)

        # Clean-up
        k.clear_session()
Example #6
0
    def test_ptclassifier(self):
        """
        Third test with the PyTorchClassifier.
        :return:
        """
        # Build PyTorchClassifier
        victim_ptc = get_classifier_pt()

        class Model(nn.Module):
            """
            Create model for pytorch.
            """
            def __init__(self):
                super(Model, self).__init__()

                self.conv = nn.Conv2d(in_channels=1,
                                      out_channels=1,
                                      kernel_size=7)
                self.pool = nn.MaxPool2d(4, 4)
                self.fullyconnected = nn.Linear(25, 10)

            # pylint: disable=W0221
            # disable pylint because of API requirements for function
            def forward(self, x):
                """
                Forward function to evaluate the model

                :param x: Input to the model
                :return: Prediction of the model
                """
                x = self.conv(x)
                x = torch.nn.functional.relu(x)
                x = self.pool(x)
                x = x.reshape(-1, 25)
                x = self.fullyconnected(x)
                x = torch.nn.functional.softmax(x)

                return x

        # Define the network
        model = Model()

        # Define a loss function and optimizer
        loss_fn = nn.CrossEntropyLoss()
        optimizer = optim.Adam(model.parameters(), lr=0.01)

        # Get classifier
        thieved_ptc = PyTorchClassifier(model=model,
                                        loss=loss_fn,
                                        optimizer=optimizer,
                                        input_shape=(1, 28, 28),
                                        nb_classes=10,
                                        clip_values=(0, 1))

        # Create attack
        copycat_cnn = CopycatCNN(classifier=victim_ptc,
                                 batch_size_fit=BATCH_SIZE,
                                 batch_size_query=BATCH_SIZE,
                                 nb_epochs=NB_EPOCHS,
                                 nb_stolen=NB_STOLEN)

        self.x_train = np.swapaxes(self.x_train, 1, 3)
        thieved_ptc = copycat_cnn.extract(x=self.x_train,
                                          thieved_classifier=thieved_ptc)
        victim_preds = np.argmax(victim_ptc.predict(x=self.x_train[:100]),
                                 axis=1)
        thieved_preds = np.argmax(thieved_ptc.predict(x=self.x_train[:100]),
                                  axis=1)
        self.x_train = np.swapaxes(self.x_train, 1, 3)

        acc = np.sum(victim_preds == thieved_preds) / len(victim_preds)

        self.assertGreater(acc, 0.3)