def _test_backend_mnist(self, classifier, x_train, y_train, x_test, y_test):
x_test_original = x_test.copy()
# Test BIM with np.inf norm
attack = BasicIterativeMethod(classifier, eps=1, eps_step=0.1, batch_size=128)
x_train_adv = attack.generate(x_train)
x_test_adv = attack.generate(x_test)
self.assertFalse((x_train == x_train_adv).all())
self.assertFalse((x_test == x_test_adv).all())
train_y_pred = get_labels_np_array(classifier.predict(x_train_adv))
test_y_pred = get_labels_np_array(classifier.predict(x_test_adv))
self.assertFalse((y_train == train_y_pred).all())
self.assertFalse((y_test == test_y_pred).all())
acc = np.sum(np.argmax(train_y_pred, axis=1) == np.argmax(y_train, axis=1)) / y_train.shape[0]
logger.info("Accuracy on adversarial train examples: %.2f%%", (acc * 100))
acc = np.sum(np.argmax(test_y_pred, axis=1) == np.argmax(y_test, axis=1)) / y_test.shape[0]
logger.info("Accuracy on adversarial test examples: %.2f%%", (acc * 100))
# Check that x_test has not been modified by attack and classifier
self.assertAlmostEqual(float(np.max(np.abs(x_test_original - x_test))), 0.0, delta=0.00001)
def test_pytorch_iris(self):
classifier = get_tabular_classifier_pt()
# Test untargeted attack
attack = BasicIterativeMethod(classifier, eps=1, eps_step=0.1)
x_test_adv = attack.generate(self.x_test_iris)
self.assertFalse((self.x_test_iris == x_test_adv).all())
self.assertTrue((x_test_adv <= 1).all())
self.assertTrue((x_test_adv >= 0).all())
preds_adv = np.argmax(classifier.predict(x_test_adv), axis=1)
self.assertFalse((np.argmax(self.y_test_iris, axis=1) == preds_adv).all())
acc = np.sum(preds_adv == np.argmax(self.y_test_iris, axis=1)) / self.y_test_iris.shape[0]
logger.info("Accuracy on Iris with BIM adversarial examples: %.2f%%", (acc * 100))
# Test targeted attack
targets = random_targets(self.y_test_iris, nb_classes=3)
attack = BasicIterativeMethod(classifier, targeted=True, eps=1, eps_step=0.1, batch_size=128)
x_test_adv = attack.generate(self.x_test_iris, **{"y": targets})
self.assertFalse((self.x_test_iris == x_test_adv).all())
self.assertTrue((x_test_adv <= 1).all())
self.assertTrue((x_test_adv >= 0).all())
preds_adv = np.argmax(classifier.predict(x_test_adv), axis=1)
self.assertTrue((np.argmax(targets, axis=1) == preds_adv).any())
acc = np.sum(preds_adv == np.argmax(targets, axis=1)) / self.y_test_iris.shape[0]
logger.info("Success rate of targeted BIM on Iris: %.2f%%", (acc * 100))
def _test_backend_mnist(self, classifier):
# Get MNIST
(x_train, y_train), (x_test, y_test) = self.mnist
# Test BIM with np.inf norm
attack = BasicIterativeMethod(classifier,
eps=1,
eps_step=0.1,
batch_size=128)
x_train_adv = attack.generate(x_train)
x_test_adv = attack.generate(x_test)
self.assertFalse((x_train == x_train_adv).all())
self.assertFalse((x_test == x_test_adv).all())
train_y_pred = get_labels_np_array(classifier.predict(x_train_adv))
test_y_pred = get_labels_np_array(classifier.predict(x_test_adv))
self.assertFalse((y_train == train_y_pred).all())
self.assertFalse((y_test == test_y_pred).all())
acc = np.sum(
np.argmax(train_y_pred, axis=1) == np.argmax(
y_train, axis=1)) / y_train.shape[0]
logger.info('Accuracy on adversarial train examples: %.2f%%',
(acc * 100))
acc = np.sum(
np.argmax(test_y_pred, axis=1) == np.argmax(
y_test, axis=1)) / y_test.shape[0]
logger.info('Accuracy on adversarial test examples: %.2f%%',
(acc * 100))
def test_tensorflow_iris(self):
(_, _), (x_test, y_test) = self.iris
classifier, _ = get_iris_classifier_tf()
# Test untargeted attack
attack = BasicIterativeMethod(classifier, eps=1, eps_step=0.1)
x_test_adv = attack.generate(x_test)
self.assertFalse((x_test == x_test_adv).all())
self.assertTrue((x_test_adv <= 1).all())
self.assertTrue((x_test_adv >= 0).all())
preds_adv = np.argmax(classifier.predict(x_test_adv), axis=1)
self.assertFalse((np.argmax(y_test, axis=1) == preds_adv).all())
acc = np.sum(preds_adv == np.argmax(y_test, axis=1)) / y_test.shape[0]
logger.info('Accuracy on Iris with BIM adversarial examples: %.2f%%',
(acc * 100))
# Test targeted attack
targets = random_targets(y_test, nb_classes=3)
attack = BasicIterativeMethod(classifier,
targeted=True,
eps=1,
eps_step=0.1)
x_test_adv = attack.generate(x_test, **{'y': targets})
self.assertFalse((x_test == x_test_adv).all())
self.assertTrue((x_test_adv <= 1).all())
self.assertTrue((x_test_adv >= 0).all())
preds_adv = np.argmax(classifier.predict(x_test_adv), axis=1)
self.assertTrue((np.argmax(targets, axis=1) == preds_adv).any())
acc = np.sum(preds_adv == np.argmax(targets, axis=1)) / y_test.shape[0]
logger.info('Success rate of targeted BIM on Iris: %.2f%%',
(acc * 100))
def atk_BasicIterative(x_train, x_test, y_train, y_test, classifier):
#print('Create BasicIterativeMethod attack \n')
adv_crafter = BasicIterativeMethod(classifier, eps=1, eps_step=0.1)
x_train_adv = adv_crafter.generate(x_train)
x_test_adv = adv_crafter.generate(x_test)
print("After BasicIterative Attack \n")
evaluate(x_train, x_test, y_train, y_test, x_train_adv, x_test_adv, classifier)
return x_test_adv, x_train_adv
def test_scikitlearn(self):
from sklearn.linear_model import LogisticRegression
from sklearn.svm import SVC, LinearSVC
from art.classifiers.scikitlearn import ScikitlearnLogisticRegression, ScikitlearnSVC
scikitlearn_test_cases = {
LogisticRegression: ScikitlearnLogisticRegression,
SVC: ScikitlearnSVC,
LinearSVC: ScikitlearnSVC
}
(_, _), (x_test, y_test) = self.iris
for (model_class, classifier_class) in scikitlearn_test_cases.items():
model = model_class()
classifier = classifier_class(model=model, clip_values=(0, 1))
classifier.fit(x=x_test, y=y_test)
# Test untargeted attack
attack = BasicIterativeMethod(classifier, eps=1, eps_step=0.1)
x_test_adv = attack.generate(x_test)
self.assertFalse((x_test == x_test_adv).all())
self.assertTrue((x_test_adv <= 1).all())
self.assertTrue((x_test_adv >= 0).all())
preds_adv = np.argmax(classifier.predict(x_test_adv), axis=1)
self.assertFalse((np.argmax(y_test, axis=1) == preds_adv).all())
acc = np.sum(
preds_adv == np.argmax(y_test, axis=1)) / y_test.shape[0]
logger.info(
'Accuracy of ' + classifier.__class__.__name__ +
' on Iris with BIM adversarial examples: '
'%.2f%%', (acc * 100))
# Test targeted attack
targets = random_targets(y_test, nb_classes=3)
attack = BasicIterativeMethod(classifier,
targeted=True,
eps=1,
eps_step=0.1,
batch_size=128)
x_test_adv = attack.generate(x_test, **{'y': targets})
self.assertFalse((x_test == x_test_adv).all())
self.assertTrue((x_test_adv <= 1).all())
self.assertTrue((x_test_adv >= 0).all())
preds_adv = np.argmax(classifier.predict(x_test_adv), axis=1)
self.assertTrue((np.argmax(targets, axis=1) == preds_adv).any())
acc = np.sum(
preds_adv == np.argmax(targets, axis=1)) / y_test.shape[0]
logger.info(
'Success rate of ' + classifier.__class__.__name__ +
' on targeted BIM on Iris: %.2f%%', (acc * 100))
def test_scikitlearn(self):
from sklearn.linear_model import LogisticRegression
from sklearn.svm import SVC, LinearSVC
from art.classifiers.scikitlearn import SklearnClassifier
scikitlearn_test_cases = [
LogisticRegression(solver="lbfgs", multi_class="auto"),
SVC(gamma="auto"),
LinearSVC(),
]
x_test_original = self.x_test_iris.copy()
for model in scikitlearn_test_cases:
classifier = SklearnClassifier(model=model, clip_values=(0, 1))
classifier.fit(x=self.x_test_iris, y=self.y_test_iris)
# Test untargeted attack
attack = BasicIterativeMethod(classifier, eps=1, eps_step=0.1, max_iter=5)
x_test_adv = attack.generate(self.x_test_iris)
self.assertFalse((self.x_test_iris == x_test_adv).all())
self.assertTrue((x_test_adv <= 1).all())
self.assertTrue((x_test_adv >= 0).all())
preds_adv = np.argmax(classifier.predict(x_test_adv), axis=1)
self.assertFalse((np.argmax(self.y_test_iris, axis=1) == preds_adv).all())
acc = np.sum(preds_adv == np.argmax(self.y_test_iris, axis=1)) / self.y_test_iris.shape[0]
logger.info(
"Accuracy of " + classifier.__class__.__name__ + " on Iris with BIM adversarial examples: " "%.2f%%",
(acc * 100),
)
# Test targeted attack
targets = random_targets(self.y_test_iris, nb_classes=3)
attack = BasicIterativeMethod(classifier, targeted=True, eps=1, eps_step=0.1, batch_size=128, max_iter=5)
x_test_adv = attack.generate(self.x_test_iris, **{"y": targets})
self.assertFalse((self.x_test_iris == x_test_adv).all())
self.assertTrue((x_test_adv <= 1).all())
self.assertTrue((x_test_adv >= 0).all())
preds_adv = np.argmax(classifier.predict(x_test_adv), axis=1)
self.assertTrue((np.argmax(targets, axis=1) == preds_adv).any())
acc = np.sum(preds_adv == np.argmax(targets, axis=1)) / self.y_test_iris.shape[0]
logger.info(
"Success rate of " + classifier.__class__.__name__ + " on targeted BIM on Iris: %.2f%%", (acc * 100)
)
# Check that x_test has not been modified by attack and classifier
self.assertAlmostEqual(float(np.max(np.abs(x_test_original - self.x_test_iris))), 0.0, delta=0.00001)
def _test_mnist_targeted(self, classifier, x_test):
x_test_original = x_test.copy()
# Test FGSM with np.inf norm
attack = BasicIterativeMethod(classifier,
eps=1.0,
eps_step=0.01,
targeted=True,
batch_size=128)
# y_test_adv = to_categorical((np.argmax(y_test, axis=1) + 1) % 10, 10)
pred_sort = classifier.predict(x_test).argsort(axis=1)
y_test_adv = np.zeros((x_test.shape[0], 10))
for i in range(x_test.shape[0]):
y_test_adv[i, pred_sort[i, -2]] = 1.0
x_test_adv = attack.generate(x_test, y=y_test_adv)
self.assertFalse((x_test == x_test_adv).all())
test_y_pred = get_labels_np_array(classifier.predict(x_test_adv))
self.assertEqual(y_test_adv.shape, test_y_pred.shape)
# This doesn't work all the time, especially with small networks
self.assertGreaterEqual((y_test_adv == test_y_pred).sum(),
x_test.shape[0] // 2)
# Check that x_test has not been modified by attack and classifier
self.assertAlmostEqual(float(np.max(np.abs(x_test_original - x_test))),
0.0,
delta=0.00001)
class BIMAttack(AdversarialAttack):
def __init__(self,
model,
step_size_iter=0.1,
max_perturbation=0.3,
max_iterations=100,
targeted=False,
batch_size=16):
super().__init__(model=model)
self._targeted = targeted
self._step_size_iter = step_size_iter
self._max_perturbation = max_perturbation
self._max_iterations = max_iterations
self._method = BasicIterativeMethod(classifier=self.model,
targeted=self._targeted,
eps=self._max_perturbation,
eps_step=self._step_size_iter,
max_iter=self._max_iterations,
batch_size=batch_size)
def attack_method(self, x, y=None):
params = {}
if y is not None:
params['y'] = y
return self._method.generate(x=x, **params)
def _test_mnist_targeted(self, classifier):
# Get MNIST
(_, _), (x_test, _) = self.mnist
# Test FGSM with np.inf norm
attack = BasicIterativeMethod(classifier,
eps=1.0,
eps_step=0.01,
targeted=True,
batch_size=128)
# y_test_adv = to_categorical((np.argmax(y_test, axis=1) + 1) % 10, 10)
pred_sort = classifier.predict(x_test).argsort(axis=1)
y_test_adv = np.zeros((x_test.shape[0], 10))
for i in range(x_test.shape[0]):
y_test_adv[i, pred_sort[i, -2]] = 1.0
x_test_adv = attack.generate(x_test, y=y_test_adv)
self.assertFalse((x_test == x_test_adv).all())
test_y_pred = get_labels_np_array(classifier.predict(x_test_adv))
self.assertEqual(y_test_adv.shape, test_y_pred.shape)
# This doesn't work all the time, especially with small networks
self.assertGreaterEqual((y_test_adv == test_y_pred).sum(),
x_test.shape[0] // 2)
def basic_iter(x_test, model, eps, eps_step, max_iter, targeted, batch_size):
classifier = KerasClassifier(model=model, clip_values=(0, 1))
attack_cw = BasicIterativeMethod(classifier=classifier,
eps=eps,
eps_step=eps_step,
max_iter=max_iter,
targeted=targeted,
batch_size=batch_size)
x_test_adv = attack_cw.generate(x_test)
return np.reshape(x_test_adv, (32, 32, 3))
def test_keras_iris_unbounded(self):
classifier = get_tabular_classifier_kr()
# Recreate a classifier without clip values
classifier = KerasClassifier(model=classifier._model, use_logits=False, channel_index=1)
attack = BasicIterativeMethod(classifier, eps=1, eps_step=0.2, batch_size=128)
x_test_adv = attack.generate(self.x_test_iris)
self.assertFalse((self.x_test_iris == x_test_adv).all())
self.assertTrue((x_test_adv > 1).any())
self.assertTrue((x_test_adv < 0).any())
preds_adv = np.argmax(classifier.predict(x_test_adv), axis=1)
self.assertFalse((np.argmax(self.y_test_iris, axis=1) == preds_adv).all())
acc = np.sum(preds_adv == np.argmax(self.y_test_iris, axis=1)) / self.y_test_iris.shape[0]
logger.info("Accuracy on Iris with BIM adversarial examples: %.2f%%", (acc * 100))