"""The CarliniWagnerL2 attack
"""
import logging
import numpy as np
import tensorflow as tf
from cleverhans.attacks.attack import Attack
from cleverhans.compat import reduce_sum, reduce_max
from cleverhans.model import CallableModelWrapper, Model, wrapper_warning_logits
from cleverhans import utils
np_dtype = np.dtype('float32')
tf_dtype = tf.as_dtype('float32')
_logger = utils.create_logger("cleverhans.attacks.carlini_wagner_l2")
_logger.setLevel(logging.INFO)
class CarliniWagnerL2(Attack):
"""
This attack was originally proposed by Carlini and Wagner. It is an
iterative attack that finds adversarial examples on many defenses that
are robust to other attacks.
Paper link: https://arxiv.org/abs/1608.04644
At a high level, this attack is an iterative attack using Adam and
a specially-chosen loss function to find adversarial examples with
lower distortion than other attacks. This comes at the cost of speed,
as this attack is often much slower than others.
from cleverhans.attacks_tf import jacobian_graph
from cleverhans import utils_tf
from cleverhans import utils
import copy
FLAGS = flags.FLAGS
# NOTE: I found 4 attack method in Cifar-10 untargeted attack has low successful rate, which are
# 1. VirtualAdversarialMethod, 2. L2 norm of MomentumIterativeMethod,
# 3. L2 norm of BasicIterativeMethod, 4. L infinity version of deep_fool(the original cleverhans deepfool is L2 norm, I extend it to L-inf version according to original paper,
# In addition, I also test a L-infinity version of DeepFool, this code is just little modifed of original cleverhans' DeepFool
# to add L-inf functionality, which is described in original paper's page 5.
# paper can be downloaded from https://arxiv.org/abs/1511.04599. But it also test FAILED! SUCCESSFUL RATE is so LOW!
# implementation of L-infinity version of DeepFool, just modified little code of original L2 version cleverhans deepfool
_logger = utils.create_logger("cleverhans.attacks.tf")
def deepfool_batch(sess,
x,
pred,
logits,
grads,
X,
nb_candidate,
overshoot,
max_iter,
clip_min,
clip_max,
nb_classes,
Lp_norm=2,
feed=None,
):
"""The LBFGS attack
"""
import numpy as np
import tensorflow as tf
from cleverhans.attacks.attack import Attack
from cleverhans.compat import reduce_sum, softmax_cross_entropy_with_logits
from cleverhans.model import CallableModelWrapper, Model, wrapper_warning
from cleverhans import utils
from cleverhans import utils_tf
_logger = utils.create_logger("cleverhans.attacks.lbfgs")
tf_dtype = tf.as_dtype('float32')
class LBFGS(Attack):
"""
LBFGS is the first adversarial attack for convolutional neural networks,
and is a target & iterative attack.
Paper link: "https://arxiv.org/pdf/1312.6199.pdf"
:param model: cleverhans.model.Model
:param sess: tf.Session
:param dtypestr: dtype of the data
:param kwargs: passed through to super constructor
"""
def __init__(self, model, sess, dtypestr='float32', **kwargs):
"""
Note: the model parameter should be an instance of the
cleverhans.model.Model abstraction provided by CleverHans.
import numpy as np
import warnings
import cleverhans.utils as utils
from cleverhans.model import Model, CallableModelWrapper
from cleverhans.attacks import Attack
_logger = utils.create_logger("EOT_attacks")
class EOT_ATTACK(Attack):
"""
This attack was originally proposed by Carlini and Wagner. It is an
iterative attack that finds adversarial examples on many defenses that
are robust to other attacks.
Paper link: https://arxiv.org/abs/1608.04644
At a high level, this attack is an iterative attack using Adam and
a specially-chosen loss function to find adversarial examples with
lower distortion than other attacks. This comes at the cost of speed,
as this attack is often much slower than others.
"""
def __init__(self, model, back='tf', sess=None, dtypestr='float32'):
"""
Note: the model parameter should be an instance of the
cleverhans.model.Model abstraction provided by CleverHans.
"""
if not isinstance(model, Model):
model = CallableModelWrapper(model, 'logits')
super(EOT_ATTACK, self).__init__(model, back, sess, dtypestr)
self.feedable_kwargs = {'y': self.tf_dtype,
"""
# pylint: disable=missing-docstring
import logging
import numpy as np
import tensorflow as tf
from cleverhans.attacks.attack import Attack
from cleverhans.compat import reduce_sum, reduce_max
from cleverhans.model import CallableModelWrapper, Model, wrapper_warning_logits
from cleverhans import utils
np_dtype = np.dtype('float32')
tf_dtype = tf.as_dtype('float32')
_logger = utils.create_logger("cleverhans.attacks.bpda_l2")
_logger.setLevel(logging.INFO)
class BPDAL2(Attack):
"""
:param model: cleverhans.model.Model
:param sess: tf.Session
:param dtypestr: dtype of the data
:param kwargs: passed through to super constructor
"""
def __init__(self,
model,
reconstructor,
sess,
dtypestr='float32',
""" Boundary Attack++
"""
import logging
import numpy as np
import tensorflow as tf
from warnings import warn
from cleverhans.attacks import Attack
from cleverhans.model import CallableModelWrapper, Model, wrapper_warning_logits
from cleverhans import utils, utils_tf
np_dtype = np.dtype('float32')
tf_dtype = tf.as_dtype('float32')
_logger = utils.create_logger("cleverhans.attacks.hop_skip_jump_attack")
_logger.setLevel(logging.INFO)
class HopSkipJumpAttack(Attack):
"""
HopSkipJumpAttack was originally proposed by Chen, Jordan and Wainwright.
It is a decision-based attack that requires access to output
labels of a model alone.
Paper link: https://arxiv.org/abs/1904.02144
At a high level, this attack is an iterative attack composed of three
steps: Binary search to approach the boundary; gradient estimation;
stepsize search. HopSkipJumpAttack requires fewer model queries than
Boundary Attack which was based on rejective sampling.
:param model: cleverhans.model.Model
:param sess: tf.Session
:param dtypestr: dtype of the data
:param kwargs: passed through to super constructor.
import copy
import logging
import warnings
import numpy as np
import tensorflow as tf
from cleverhans.attacks import Attack
from cleverhans.model import Model, wrapper_warning_logits, CallableModelWrapper
from cleverhans import utils
from cleverhans import utils_tf
from cleverhans.utils_tf import clip_eta
from six.moves import xrange
np_dtype = np.dtype('float32')
_logger = utils.create_logger("cleverhans.attacks.deep_fool")
_logger.setLevel(logging.INFO)
def jacobian_graph(predictions, x, nb_classes):
"""
Create the Jacobian graph to be ran later in a TF session
:param predictions: the model's symbolic output (linear output,
pre-softmax)
:param x: the input placeholder
:param nb_classes: the number of classes the model has
:return:
"""
# This function will return a list of TF gradients
list_derivatives = []
from __future__ import absolute_import
from __future__ import division
from __future__ import print_function
from __future__ import unicode_literals
import math
import numpy as np
from six.moves import xrange
import tensorflow as tf
import time
import cleverhans.utils as utils
import cleverhans.utils_tf as utils_tf
import itertools
from mysoftdtw_c_wd import mysoftdtw
_logger = utils.create_logger("myattacks.tf")
np_dtype = np.dtype('float32')
tf_dtype = tf.as_dtype('float32')
data_len = 9000
def ZERO():
return np.asarray(0., dtype=np_dtype)
def EOT_time(x, start, ensemble_size):
def randomizing_EOT(x, start):
rand_i = tf.expand_dims(tf.random_uniform((),
start + 1,
data_len + 1,
import logging
import numpy as np
import tensorflow as tf
from cleverhans.attacks.attack import Attack
from cleverhans.model import CallableModelWrapper, Model
from cleverhans import utils
np_dtype = np.dtype('float32')
tf_dtype = tf.as_dtype('float32')
_logger = utils.create_logger("cleverhans.attacks.MadryEtAl")
_logger.setLevel(logging.INFO)
class MadryEtAl(Attack):
"""
The Projected Gradient Descent Attack (Madry et al. 2017).
Paper link: https://arxiv.org/pdf/1706.06083.pdf
"""
def __init__(self, model, sess, dtypestr='float32', **kwargs):
"""
Create a MadryEtAl instance.
"""
if not isinstance(model, Model):
model = CallableModelWrapper(model, 'probs')
super(MadryEtAl, self).__init__(model, sess, dtypestr, **kwargs)
"""
Attacks for TensorFlow Eager
"""
from distutils.version import LooseVersion
import numpy as np
import tensorflow as tf
from cleverhans import attacks
from cleverhans import utils
from cleverhans.model import CallableModelWrapper, wrapper_warning
from cleverhans.model import Model
from cleverhans.loss import LossCrossEntropy
_logger = utils.create_logger("cleverhans.attacks_tfe")
if LooseVersion(tf.__version__) < LooseVersion("1.8.0"):
error_msg = ("For eager execution",
"use Tensorflow version greather than 1.8.0.")
raise ValueError(error_msg)
class Attack(attacks.Attack):
"""
Abstract base class for all eager attack classes.
:param model: An instance of the cleverhans.model.Model class.
:param back: The backend to use. Inherited from AttackBase class.
:param dtypestr: datatype of the input data samples and crafted
adversarial attacks.
"""
def __init__(self, model, dtypestr="float32"):
import numpy as np
import warnings
import cleverhans.utils as utils
from cleverhans.model import Model, CallableModelWrapper
from cleverhans.attacks import Attack
_logger = utils.create_logger("LDMF_EOT_attacks")
class LDMF_EOT_ATTACK(Attack):
"""
This attack was originally proposed by Carlini and Wagner. It is an
iterative attack that finds adversarial examples on many defenses that
are robust to other attacks.
Paper link: https://arxiv.org/abs/1608.04644
At a high level, this attack is an iterative attack using Adam and
a specially-chosen loss function to find adversarial examples with
lower distortion than other attacks. This comes at the cost of speed,
as this attack is often much slower than others.
"""
def __init__(self, model, back='tf', sess=None, dtypestr='float32'):
"""
Note: the model parameter should be an instance of the
cleverhans.model.Model abstraction provided by CleverHans.
"""
if not isinstance(model, Model):
model = CallableModelWrapper(model, 'logits')
super(LDMF_EOT_ATTACK, self).__init__(model, back, sess, dtypestr)
self.feedable_kwargs = {'y': self.tf_dtype,
""" Boundary Attack++
"""
import logging
import numpy as np
import tensorflow as tf
from cleverhans.attacks import Attack
from cleverhans.model import CallableModelWrapper, Model, wrapper_warning_logits
from cleverhans import utils, utils_tf
np_dtype = np.dtype('float32')
tf_dtype = tf.as_dtype('float32')
_logger = utils.create_logger("cleverhans.attacks.boundary_attack_plus_plus")
_logger.setLevel(logging.INFO)
class BoundaryAttackPlusPlus(Attack):
"""
Boundary Attack ++ was originally proposed by Chen and Jordan.
It is a decision-based attack that requires access to output
labels of a model alone.
Paper link: https://arxiv.org/abs/1904.02144
At a high level, this attack is an iterative attack composed of three
steps: Binary search to approach the boundary; gradient estimation;
stepsize search. Boundary Attack ++ requires fewer model queries than
Boundary Attack which was based on rejective sampling.
:param model: cleverhans.model.Model
:param sess: tf.Session
:param dtypestr: dtype of the data
:param kwargs: passed through to super constructor.
see parse_params for details.
import tensorflow as tf
from cleverhans.attacks import Noise
from cleverhans.attacks import ProjectedGradientDescent
from cleverhans.attacks import SPSA
from cleverhans.evaluation import correctness_and_confidence
from cleverhans.evaluation import batch_eval_multi_worker, run_attack
from cleverhans.model import Model
from cleverhans import serial
from cleverhans.utils import create_logger, deep_copy, safe_zip
from cleverhans.utils_tf import infer_devices
from cleverhans.confidence_report import ConfidenceReport
from cleverhans.confidence_report import ConfidenceReportEntry
from cleverhans.confidence_report import print_stats
_logger = create_logger("attack_bundling")
_logger.setLevel(logging.INFO)
devices = infer_devices()
num_devices = len(devices)
DEFAULT_EXAMPLES_PER_DEVICE = 128
BATCH_SIZE = DEFAULT_EXAMPLES_PER_DEVICE * num_devices
REPORT_TIME_INTERVAL = 60
# TODO: lower priority: make it possible to initialize one attack with
# the output of an earlier attack
def single_run_max_confidence_recipe(sess, model, x, y, nb_classes, eps,
clip_min, clip_max, eps_iter, nb_iter,
report_path,
return self.properties_to_hash == other.properties_to_hash
def __call__(self):
x_batch = self.model.make_input_placeholder()
y_batch = self.model.make_label_placeholder()
if LooseVersion(tf.__version__) < LooseVersion('1.0.0'):
raise NotImplementedError()
if self.attack is None:
x_input = x_batch
else:
attack_params = self.attack_params
if attack_params is None:
attack_params = {}
x_input = self.attack.generate(x_batch, y=y_batch, **attack_params)
predictions = self.model.get_probs(x_input)
correct = tf.equal(tf.argmax(y_batch, axis=-1),
tf.argmax(predictions, axis=-1))
max_probs = tf.reduce_max(predictions, axis=1)
return (x_batch, y_batch), (correct, max_probs)
_logger = create_logger("cleverhans.evaluation")
# Cache for storing output of `batch_eval_multi_worker`'s calls to
# `graph_factory`, to avoid making the tf graph too big
_batch_eval_multi_worker_cache = {}
import os
import time
import warnings
import math
import numpy as np
from six.moves import xrange
import tensorflow as tf
from cleverhans import canary
from cleverhans.utils import _ArgsWrapper, create_logger
from cleverhans.utils import safe_zip
from cleverhans.utils_tf import infer_devices
from cleverhans.utils_tf import initialize_uninitialized_global_variables
_logger = create_logger("train_ae")
_logger.setLevel(logging.INFO)
def train_ae(sess,
loss,
x_train,
x_train_target,
init_all=False,
evaluate=None,
feed=None,
args=None,
rng=None,
var_list=None,
fprop_args=None,
optimizer=None,
import time
import warnings
import math
import numpy as np
from six.moves import xrange
import tensorflow as tf
from cleverhans import canary
from cleverhans.utils import _ArgsWrapper, create_logger
from cleverhans.utils import safe_zip
from cleverhans.utils_tf import infer_devices
from cleverhans.utils_tf import initialize_uninitialized_global_variables
_logger = create_logger("train")
_logger.setLevel(logging.INFO)
def train(sess, loss, x_train, y_train,
init_all=False, evaluate=None, feed=None, args=None,
rng=None, var_list=None, fprop_args=None, optimizer=None,
devices=None, x_batch_preprocessor=None, use_ema=False,
ema_decay=.998, run_canary=None,
loss_threshold=1e5, dataset_train=None, dataset_size=None):
"""
Run (optionally multi-replica, synchronous) training to minimize `loss`
:param sess: TF session to use when training the graph
:param loss: tensor, the loss to minimize
:param x_train: numpy array with training inputs or tf Dataset
:param y_train: numpy array with training outputs or tf Dataset
"""
# pylint: disable=missing-docstring
import logging
import numpy as np
import tensorflow as tf
from cleverhans.attacks.attack import Attack
from cleverhans.compat import reduce_sum, reduce_max
from cleverhans.model import Model, CallableModelWrapper, wrapper_warning_logits
from cleverhans import utils
np_dtype = np.dtype('float32')
tf_dtype = tf.as_dtype('float32')
_logger = utils.create_logger("cleverhans.attacks.elastic_net_method")
_logger.setLevel(logging.INFO)
def ZERO():
return np.asarray(0., dtype=np_dtype)
class ElasticNetMethod(Attack):
"""
This attack features L1-oriented adversarial examples and includes the C&W L2 attack as a special case (when beta is set to 0).
Adversarial examples attain similar performance to those generated by the C&W L2 attack in the white-box case,
and more importantly, have improved transferability properties and complement adversarial training.
Paper link: https://arxiv.org/abs/1709.04114
:param model: cleverhans.model.Model
import os
import time
import warnings
import numpy as np
import six
from six.moves import xrange
import tensorflow as tf
from cleverhans.compat import device_lib
from cleverhans.compat import reduce_sum, reduce_mean
from cleverhans.compat import reduce_max
from cleverhans.compat import softmax_cross_entropy_with_logits
from cleverhans.utils import batch_indices, _ArgsWrapper, create_logger
_logger = create_logger("cleverhans.utils.tf")
_logger.setLevel(logging.INFO)
def model_loss(y, model, mean=True):
"""
Define loss of TF graph
:param y: correct labels
:param model: output of the model
:param mean: boolean indicating whether should return mean of loss
or vector of losses for each input of the batch
:return: return mean of loss if True, otherwise return vector with per
sample loss
"""
warnings.warn("This function is deprecated and will be removed on or after"
" 2019-04-05. Switch to cleverhans.train.train.")
"""
from __future__ import absolute_import
from __future__ import division
from __future__ import print_function
from __future__ import unicode_literals
import numpy as np
import tensorflow as tf
from cleverhans import utils
from cleverhans.attacks import CarliniWagnerL2
from cleverhans.compat import reduce_max
from cleverhans.compat import reduce_sum
_logger = utils.create_logger("cleverhans.cw_attacks")
np_dtype = np.dtype('float32')
tf_dtype = tf.as_dtype('float32')
def ZERO():
return np.asarray(0., dtype=np_dtype)
class CWL2_NNIF(object):
def __init__(self, sess, model, batch_size, confidence, targeted,
learning_rate, binary_search_steps, max_iterations,
abort_early, initial_const, clip_min, clip_max, num_labels,
shape):
"""
Return a tensor that constructs adversarial examples for the given
