def test_back(self):
model = Model()
# Exception is thrown when back is not tf or th
with self.assertRaises(Exception) as context:
Attack(model, back='test', sess=None)
self.assertTrue(context.exception)
def test_cache():
# Test that _CorrectFactory can be cached
model = Model()
factory_1 = _CorrectFactory(model)
factory_2 = _CorrectFactory(model)
cache = {}
cache[factory_1] = True
assert factory_2 in cache
def test_get_layer_names(self):
# Define empty model
model = Model()
# Exception is thrown when `get_layer_names` not implemented
with self.assertRaises(Exception) as context:
model.get_layer_names()
self.assertTrue(context.exception)
def test_cache(self):
"""test_cache: Test that _CorrectFactory can be cached"""
model = Model()
factory_1 = _CorrectFactory(model)
factory_2 = _CorrectFactory(model)
cache = {}
cache[factory_1] = True
self.assertTrue(factory_2 in cache)
def test_get_probs(self):
# Define empty model
model = Model()
x = []
# Exception is thrown when `get_probs` not implemented
with self.assertRaises(Exception) as context:
model.get_probs(x)
self.assertTrue(context.exception)
def test_fprop(self):
# Define empty model
model = Model('model', 10, {})
x = []
# Exception is thrown when `fprop` not implemented
with self.assertRaises(Exception) as context:
model.fprop(x)
self.assertTrue(context.exception)
def test_sess_generate_np(self):
model = Model('model', 10, {})
class DummyAttack(Attack):
def generate(self, x, **kwargs):
return x
attack = DummyAttack(model, back='tf', sess=None)
with self.assertRaises(Exception) as context:
attack.generate_np(0.)
self.assertTrue(context.exception)
def test_sess_generate_np(self):
model = Model('model', 10, {})
class DummyAttack(Attack):
def generate(self, x, **kwargs):
return x
# Test that generate_np is NOT permitted without a session.
# The session still needs to be created prior to running the attack.
with tf.Session() as sess:
attack = DummyAttack(model, sess=None)
with self.assertRaises(Exception) as context:
attack.generate_np(0.)
self.assertTrue(context.exception)
def __init__(self, model, max_l2_distortion=4, label_to_examples={}):
self.max_l2_distortion = max_l2_distortion
class Model:
def bounds(self):
return [0, 1]
def predictions(self, img):
return model(img[np.newaxis, :, :, :])[0]
def batch_predictions(self, img):
return model(img)
self.label_to_examples = label_to_examples
self.attack = FoolboxBoundaryAttack(model=Model())
def __init__(self,
model,
image_shape_hwc,
max_l2_distortion=4,
label_to_examples=None):
if label_to_examples is None:
label_to_examples = {}
self.max_l2_distortion = max_l2_distortion
class Model:
def bounds(self):
return [0, 1]
def predictions(self, img):
return model(img[np.newaxis, :, :, :])[0]
def batch_predictions(self, img):
return model(img)
self.label_to_examples = label_to_examples
h, w, c = image_shape_hwc
mse_threshold = max_l2_distortion**2 / (h * w * c)
try:
# Foolbox 1.5 allows us to use a threshold the attack will abort after
# reaching. Because we only care about a distortion of less than 4, as soon
# as we reach it, we can just abort and move on to the next image.
self.attack = FoolboxBoundaryAttack(model=Model(),
threshold=mse_threshold)
except:
# Fall back to the original implementation.
print("WARNING: Using foolbox version < 1.5 will cuase the "
"boundary attack to perform more work than is required. "
"Please upgrade to version 1.5")
self.attack = FoolboxBoundaryAttack(model=Model())
def __init__(self, f): dummy_model = Model() super(Wrapper, self).__init__(model=dummy_model) self.f = f
def test_sess(self):
# Test that it is permitted to provide no session.
# The session still needs to be created prior to running the attack.
with tf.Session() as sess:
Attack(Model('model', 10, {}), sess=None)
def test_parse(self):
sess = tf.Session()
test_attack = Attack(Model('model', 10, {}), sess=sess)
self.assertTrue(test_attack.parse_params({}))
def test_sess(self):
# Test that it is permitted to provide no session
Attack(Model('model', 10, {}), back='tf', sess=None)
def test_sess(self):
# Define empty model
model = Model()
# Test that it is permitted to provide no session
Attack(model, back='tf', sess=None)
def test_parse(self):
sess = tf.Session()
test_attack = Attack(Model(), back='tf', sess=sess)
self.assertTrue(test_attack.parse_params({}))
def __init__(self, sess, model, cl_model, batch_size, confidence, targeted,
learning_rate, binary_search_steps, max_iterations,
abort_early, initial_const, clip_min, clip_max, num_labels,
shape):
self.sess = sess
self.TARGETED = targeted
self.LEARNING_RATE = learning_rate
self.MAX_ITERATIONS = max_iterations
self.BINARY_SEARCH_STEPS = binary_search_steps
self.ABORT_EARLY = abort_early
self.CONFIDENCE = confidence
self.initial_const = initial_const
self.batch_size = batch_size
self.clip_min = clip_min
self.clip_max = clip_max
self.model = model
self.cl_model = cl_model
latent_layer_model = Model(inputs=model.input,
outputs=model.get_layer("latent").output)
self.repeat = binary_search_steps >= 10
self.shape = shape = tuple([batch_size] + list(shape))
#print("shape: ", shape)
# the variable we're going to optimize over
modifier = tf.Variable(np.zeros(shape, dtype=np_dtype))
# these are variables to be more efficient in sending data to tf
self.timg = tf.Variable(np.zeros(shape), dtype=tf_dtype, name='timg')
self.targimg = tf.Variable(np.zeros(shape),
dtype=tf_dtype,
name='targimg')
#self.tlab = tf.Variable(
# np.zeros((batch_size, num_labels)), dtype=tf_dtype, name='tlab')
self.const = tf.Variable(np.zeros(batch_size),
dtype=tf_dtype,
name='const')
# and here's what we use to assign them
self.assign_timg = tf.placeholder(tf_dtype, shape, name='assign_timg')
self.assign_targimg = tf.placeholder(tf_dtype,
shape,
name='assign_targimg')
#self.assign_tlab = tf.placeholder(
# tf_dtype, (batch_size, num_labels), name='assign_tlab')
self.assign_const = tf.placeholder(tf_dtype, [batch_size],
name='assign_const')
# the resulting instance, tanh'd to keep bounded from clip_min
# to clip_max
self.newimg = (tf.tanh(modifier + self.timg) + 1) / 2
self.newimg = self.newimg * (clip_max - clip_min) + clip_min
targimg_lat = latent_layer_model.predict(self.targimg)
self.x_hat = model.predict(self.newimg, steps=1)
self.x_hat_lat = latent_layer_model.predict(self.newimg)
self.y_hat_logit = cl_model.prediction(self.x_hat_lat, steps=1)
self.y_hat = tf.argmax(self.y_hat_logit, axis=1)
self.y_targ_logit = cl_model.predict(targimg_lat, steps=1)
self.y_targ = tf.argmax(self.y_targ_logit, axis=1)
# distance to the input data
self.other = (tf.tanh(self.timg) + 1) / 2
self.other = self.other * (clip_max - clip_min) + clip_min
self.l2dist = reduce_sum(tf.square(self.newimg - self.other),
list(range(1, len(shape))))
print("shape of l2_dist: ", np.shape(self.l2dist))
epsilon = 10e-8
loss1 = reduce_sum(tf.square(self.x_hat_lat - targimg_lat))
# sum up the losses
self.loss2 = reduce_sum(self.l2dist)
self.loss1 = reduce_sum(self.const * loss1)
self.loss = self.loss1 + self.loss2
# Setup the adam optimizer and keep track of variables we're creating
start_vars = set(x.name for x in tf.global_variables())
optimizer = tf.train.AdamOptimizer(self.LEARNING_RATE)
self.train = optimizer.minimize(self.loss, var_list=[modifier])
end_vars = tf.global_variables()
new_vars = [x for x in end_vars if x.name not in start_vars]
# these are the variables to initialize when we run
self.setup = []
self.setup.append(self.timg.assign(self.assign_timg))
self.setup.append(self.targimg.assign(self.assign_targimg))
#self.setup.append(self.tlab.assign(self.assign_tlab))
self.setup.append(self.const.assign(self.assign_const))
self.init = tf.variables_initializer(var_list=[modifier] + new_vars)