def test_tensorflow_model_non_diff(num_classes): bounds = (0, 255) channels = num_classes def mean_brightness_net(images): logits = tf.reduce_mean(images, axis=(1, 2)) return logits g = tf.Graph() with g.as_default(): images = tf.placeholder(tf.float32, (None, 5, 5, channels)) images_nd = tf.cast(images > 0, tf.float32) logits = mean_brightness_net(images_nd) with tf.Session(graph=g): model = TensorFlowModel( images, logits, bounds=bounds) assert model.session is not None test_images = np.random.rand(5, 5, channels).astype(np.float32) test_label = 7 test_gradient = model.gradient(test_images, test_label) assert (test_gradient == 0).all()
def test_tensorflow_backward(num_classes): bounds = (0, 255) channels = num_classes def mean_brightness_net(images): logits = tf.reduce_mean(images, axis=(1, 2)) return logits g = tf.Graph() with g.as_default(): images = tf.placeholder(tf.float32, (None, 5, 5, channels)) logits = mean_brightness_net(images) with tf.Session(graph=g): model = TensorFlowModel(images, logits, bounds=bounds) assert model.session is not None test_image = np.random.rand(5, 5, channels).astype(np.float32) test_grad_pre = np.random.rand(num_classes).astype(np.float32) test_grad = model.backward_one(test_grad_pre, test_image) assert test_grad.shape == test_image.shape manual_grad = np.repeat(np.repeat((test_grad_pre / 25.).reshape( (1, 1, -1)), 5, axis=0), 5, axis=1) np.testing.assert_almost_equal(test_grad, manual_grad)
def test_tensorflow_backward(num_classes): bounds = (0, 255) channels = num_classes def mean_brightness_net(images): logits = tf.reduce_mean(images, axis=(1, 2)) return logits g = tf.Graph() with g.as_default(): images = tf.placeholder(tf.float32, (None, 5, 5, channels)) logits = mean_brightness_net(images) with tf.Session(graph=g): model = TensorFlowModel( images, logits, bounds=bounds) assert model.session is not None test_image = np.random.rand(5, 5, channels).astype(np.float32) test_grad_pre = np.random.rand(num_classes).astype(np.float32) test_grad = model.backward(test_grad_pre, test_image) assert test_grad.shape == test_image.shape manual_grad = np.repeat(np.repeat( (test_grad_pre / 25.).reshape((1, 1, -1)), 5, axis=0), 5, axis=1) np.testing.assert_almost_equal( test_grad, manual_grad)
def create_fmodel(cls, cfg): model = cls.create_model(cfg) model.sess = model.load_checkpoint(cfg["checkpoint"], cfg.get("load_name_space", None)) with model.sess.as_default(): fmodel = TensorFlowModel(model._images, model._logits, bounds=(0, 255)) fmodel.model = model return fmodel
def attack(pb_path, image_path): with tf.Session() as session: with gfile.FastGFile(pb_path, 'rb') as f: graph_def = tf.GraphDef() graph_def.ParseFromString(f.read()) session.graph.as_default() tf.import_graph_def(graph_def, name='') session.run(tf.global_variables_initializer()) images = session.graph.get_tensor_by_name('input_1:0') logits = session.graph.get_tensor_by_name('dense_3/BiasAdd:0') output = session.graph.get_tensor_by_name('dense_3/Softmax:0') # for n in tf.get_default_graph().get_operations(): # print(n.values()) model = TensorFlowModel(images, logits, (-1, 1)) image = inception_preprocessing(open_image(image_path, 299, 299)) p, ext = os.path.splitext(image_path) values = model.predictions(image) label = np.argmax(values) print('label:', categories[label]) print('attacking...') target_class = 2 for prob in range(95, 100, 1): prob = prob / 100 print('probability is:', prob) adv_path = '{}-adv-{}{}'.format(p, prob, ext) pert_path = '{}-pert-{}{}'.format(p, prob, ext) criterion = TargetClassProbability(target_class, p=prob) # attack = LBFGSAttack(model, criterion) # attack = FGSM(model, criterion) # attack = ProjectedGradientDescentAttack(model, criterion) attack = LinfinityBasicIterativeAttack(model, criterion) # attack = L1BasicIterativeAttack(model, criterion) # attack = L2BasicIterativeAttack(model, criterion) # attack = MomentumIterativeAttack(model, criterion) # attack = FGSM(model) # attack = MomentumIterativeAttack(model) # attack = SinglePixelAttack(model) # attack = LocalSearchAttack(model) adversarial = attack(image, label=label) new_label = np.argmax(model.predictions(adversarial)) print('new label:', categories[new_label]) raw_image = inception_postprocessing(image) raw_adversarial = inception_postprocessing(adversarial) raw_pert = raw_adversarial - raw_image save_image(raw_adversarial, adv_path) save_image(raw_pert, pert_path)
def test_tf_keras_exception(): bounds = (0, 255) def mean_brightness_net(images): logits = tf.reduce_mean(images, axis=(1, 2)) return logits model = mean_brightness_net with pytest.raises(ValueError): TensorFlowModel.from_keras(model, bounds=bounds) TensorFlowModel.from_keras(model, bounds=bounds, input_shape=(5, 5, 3))
def main(image_path, ckpt_path, predict_status=False): images = tf.placeholder(tf.float32, (None, 224, 224, 3)) preprocessed_images = vgg_preprocessing(images) logits, _ = vgg.vgg_19(preprocessed_images, is_training=False) restorer = tf.train.Saver(tf.trainable_variables()) image = open_image(image_path) p, ext = os.path.splitext(image_path) adv_path = p + '-adv' + ext pert_path = p + '-pert' + ext with tf.Session() as session: restorer.restore(session, ckpt_path) model = TensorFlowModel(images, logits, (0, 255)) label = np.argmax(model.predictions(image)) print('label:', label) if predict_status: return # target_class = 22 # criterion = TargetClassProbability(target_class, p=0.99) # attack = LBFGSAttack(model, criterion) # attack = FGSM(model, criterion) attack = FGSM(model) # attack = MomentumIterativeAttack(model, criterion) # attack = MomentumIterativeAttack(model) # attack = SinglePixelAttack(model) # attack = LocalSearchAttack(model) adversarial = attack(image, label=label) new_label = np.argmax(model.predictions(adversarial)) print('new label:', new_label) image = image.astype(np.uint8) adversarial = adversarial.astype(np.uint8) pert = adversarial - image save_image(adversarial, adv_path) save_image(pert, pert_path) # show images plt.subplot(1, 3, 1) plt.imshow(image) plt.subplot(1, 3, 2) plt.imshow(adversarial) plt.subplot(1, 3, 3) plt.imshow(pert) plt.show()
def test_tensorflow_model_cm(num_classes): bounds = (0, 255) channels = num_classes def mean_brightness_net(images): logits = tf.reduce_mean(images, axis=(1, 2)) return logits g = tf.Graph() with g.as_default(): images = tf.placeholder(tf.float32, (None, 5, 5, channels)) logits = mean_brightness_net(images) with TensorFlowModel(images, logits, bounds=bounds) as model: test_images = np.random.rand(2, 5, 5, channels).astype(np.float32) test_label = 7 assert model.forward(test_images).shape \ == (2, num_classes) test_logits = model.forward_one(test_images[0]) assert test_logits.shape == (num_classes, ) test_gradient = model.gradient_one(test_images[0], test_label) assert test_gradient.shape == test_images[0].shape np.testing.assert_almost_equal( model.forward_and_gradient_one(test_images[0], test_label)[0], test_logits) np.testing.assert_almost_equal( model.forward_and_gradient_one(test_images[0], test_label)[1], test_gradient) assert model.num_classes() == num_classes
def create_ir_model(sess=None, x_input=None, foolbox=True): # Allow to reuse a session and put the model on top of an existing input assert (sess is not None) == (x_input is not None) if sess is not None: graph, saver, images, logits = _create_model(sess.graph, x_input) else: graph, saver, images, logits = _create_model(None, None) sess = tf.Session(graph=graph) path = os.path.dirname(os.path.abspath(__file__)) path = os.path.join(path, 'checkpoints', 'bnfix_735572_adv_resnet-e78-acc0.7346.ckpt') #path = os.path.join(path, 'checkpoints', 'bnfix_225411_yuv_resnet-e99-acc0.7448.ckpt') #path = os.path.join(path, 'checkpoints', 'bnfix_551110_hsv_resnet-e70-acc0.6783.ckpt') with graph.as_default(): saver.restore(sess, path) # tf.train.latest_checkpoint(path)) if foolbox: with sess.as_default(): fmodel = TensorFlowModel(images, logits, bounds=(0, 255)) return fmodel else: return images, logits, sess
def bn_model(): """Creates a simple brightness model that does not require training. """ import tensorflow as tf bounds = (0, 1) channel_axis = 3 channels = 10 # == num_classes def mean_brightness_net(images): logits = tf.reduce_mean(images, axis=(1, 2)) return logits images = tf.placeholder(tf.float32, (None, 5, 5, channels)) logits = mean_brightness_net(images) with tf.Session(): model = TensorFlowModel( images, logits, bounds=bounds, channel_axis=channel_axis) yield model
def binarized2_bn_model(): """Creates a simple brightness model that does not require training. """ import tensorflow as tf bounds = (0, 1) channel_axis = 3 channels = 10 # == num_classes def mean_brightness_net(images): logits = tf.reduce_mean(images, axis=(1, 2)) return logits images = tf.placeholder(tf.float32, (None, 5, 5, channels)) logits = mean_brightness_net(images) def preprocessing(x): x = binarize(x, (0, 1), included_in='lower') def backward(x): return x return x, backward with tf.Session(): model = TensorFlowModel( images, logits, bounds=bounds, channel_axis=channel_axis, preprocessing=preprocessing) yield model
def sn_bn_model(): """Creates a simple brightness model that does not require training with stochastic noise to simulate the behaviour of e.g. bayesian networks. """ import tensorflow as tf bounds = (0, 1) channel_axis = 3 channels = 10 # == num_classes def mean_brightness_net(images): logits = tf.reduce_mean(images, axis=(1, 2)) + tf.reduce_mean( images * tf.random.normal(shape=(1, 1, 1, 1), stddev=1e-4), axis=(1, 2)) return logits images = tf.placeholder(tf.float32, (None, 5, 5, channels)) logits = mean_brightness_net(images) with tf.Session(): model = TensorFlowModel(images, logits, bounds=bounds, channel_axis=channel_axis) yield model
def __call__(self, session): inputs = tf.compat.v1.placeholder(tf.float32, shape=[None, self._image_height, self._image_width, self._n_channels]) logits = self.calculate_logits(inputs) restorer = tf.compat.v1.train.Saver() restorer.restore(session, self._checkpoint_path) return TensorFlowModel(inputs=inputs, logits=logits, bounds=(-1, 1))
def main(): with tf.Session() as sess: # End2End tf_model = prepare_GBPdenoising_end2end(sess=sess, saved='./Models/CIFAR10-32_End2End.ckpt') # # pure Resnet # tf_model = prepare_resnet(sess=sess, # load_weights='./Models/CIFAR10-32_Resnet.ckpt', # num_classes=10) input_pl = tf_model.inputs logits = tf_model.logits # foolbox - construct a tensorflow model model = TensorFlowModel(input_pl, logits, bounds=(0, 255)) # load in the data num_advs = 0. num_mis = 0. for attack in Attacks: print(attack) # (x_test, y_test) = pickle_load("./", "ADVs_CIFAR10_Resnet_off_Linf_{}.pkl".format(attack)) (x_train, y_train), (x_test, y_test) = prepare_CIFAR10() for index, adv in enumerate(x_train[:1000]): num_advs = num_advs + 1 preds = model.predictions(adv) if y_test[index] != np.argmax(preds): # print("misclassified") num_mis = num_mis + 1 print("Total number of ADVs = {}".format(num_advs)) print("Accuracy = {}".format((num_advs - num_mis) / num_advs))
def create_fmodel(): graph, saver, images, logits = create_model() sess = tf.Session(graph=graph) path = os.path.dirname(os.path.abspath(__file__)) path = os.path.join(path, 'resnet18', 'checkpoints', 'model') saver.restore(sess, tf.train.latest_checkpoint(path)) with sess.as_default(): fmodel = TensorFlowModel(images, logits, bounds=(0, 255)) return fmodel
def main(): model_exp = os.path.expanduser( '/face/etc/20170511-185253/20170511-185253.pb') if os.path.isfile(model_exp): logging.info('Model filename: %s' % model_exp) with gfile.FastGFile(model_exp, 'rb') as f: graph_def = tf.GraphDef() graph_def.ParseFromString(f.read()) tf.import_graph_def(graph_def, name='') model = TensorFlowModel(images, logits, bounds=(0, 255))
def __init__(self, kmodel, method, criterion): ''' Adversarial Trainingを行うクラス params :kmodel: Kerasモデル(学習済み) :method: foolboxのbatch_attacksモジュール ''' self.kmodel = kmodel self.fmodel = TensorFlowModel.from_keras(kmodel, bounds=(0, 1)) self.criterion = criterion self.method_base = method
def foolbox_generate_adversarial_example( label: int, create_model, input_fn: Callable[[], tf.Tensor], attack_fn: Callable[..., Attack], model_dir=None, checkpoint_path=None, preprocessing=(0, 1), channel_axis=1, bounds=(0, 1), attack_params={}, **kwargs, ) -> Optional[np.ndarray]: # Check that model has been trained. if not checkpoint_path: checkpoint_path = saver.latest_checkpoint(model_dir) if not checkpoint_path: raise ValueError( "Could not find trained model in model_dir: {}.".format(model_dir)) with tf.Graph().as_default(): features = input_fn() model = create_model() image_tensor = tf.placeholder(features.dtype, features.shape) logits = model(image_tensor) sm = SessionManager() with sm.prepare_session( master="", saver=tf.train.Saver(), checkpoint_filename_with_path=checkpoint_path, config=new_session_config(), ) as sess: image = sess.run(features)[0] attack_model = TensorFlowModel( image_tensor, logits, bounds=bounds, channel_axis=channel_axis, preprocessing=preprocessing, ) if attack_fn is None: return image[np.newaxis] attack = attack_fn(attack_model) # adversarial_example = attack(image, label=label, **kwargs) adversarial_example = attack(image, label=label, **attack_params) # diff = np.abs(image - adversarial_example) # print(diff.max()*255) if adversarial_example is None: return None else: return adversarial_example[np.newaxis]
def get_foolbox_model(self) -> TensorFlowModel: """ Returns an instance of a foolbox Model (more specifically, a TensorFlowModel) which is configured to use the x-placeholder and the logits of this model. It specifies pre-processing settings as expected by the model. """ images = self.x logits = self.logits sess = tf.get_default_session() self.restore(sess) # this pre-processing setup normalizes the image's values to be in [-1, 1], as expected by the model fmodel = TensorFlowModel(images, logits, bounds=(0, 255), preprocessing=(127.5, 127.5)) return fmodel
def predict(pb_path, image_path): with tf.Session() as session: with gfile.FastGFile(pb_path, 'rb') as f: graph_def = tf.GraphDef() graph_def.ParseFromString(f.read()) session.graph.as_default() tf.import_graph_def(graph_def, name='') session.run(tf.global_variables_initializer()) images = session.graph.get_tensor_by_name('input_1:0') logits = session.graph.get_tensor_by_name('dense_3/BiasAdd:0') output = session.graph.get_tensor_by_name('dense_3/Softmax:0') # for n in tf.get_default_graph().get_operations(): # print(n.values()) model = TensorFlowModel(images, output, (0, 255)) if os.path.isdir(image_path): predict_dir(model, image_path) else: image = open_image(image_path, 299, 299) image = inception_preprocessing(image) values = model.predictions(image) print('values:', values) label = np.argmax(values) print('label:', categories[label])
def create_imagenet_irn_v2_model(sess=None, x_input=None, use_adv_trained_tramer=False): # Allow to reuse a session and put the model on top of an existing input if sess is None: sess = tf.Session() vars_before = tf.get_collection(tf.GraphKeys.GLOBAL_VARIABLES, scope=tf.get_variable_scope().name) with sess.graph.as_default(): if x_input is None: x_input = tf.placeholder(tf.float32, (None, 299, 299, 3)) with tf.contrib.slim.arg_scope( inception_resnet_v2.inception_resnet_v2_arg_scope()): logits, end_points = inception_resnet_v2.inception_resnet_v2( x_input, num_classes=1001, is_training=False, create_aux_logits=True) logits = logits[:, 1:] # ignore background class vars_after = tf.get_collection(tf.GraphKeys.GLOBAL_VARIABLES, scope=tf.get_variable_scope().name) vars_new = set(vars_after).difference(vars_before) with tf.variable_scope('utilities'): saver = tf.train.Saver(list(vars_new)) path = os.path.dirname(os.path.abspath(__file__)) if use_adv_trained_tramer: path = os.path.join(path, 'checkpoints', 'ens_adv_inception_resnet_v2.ckpt') else: path = os.path.join(path, 'checkpoints', 'inception_resnet_v2_2016_08_30.ckpt') with sess.graph.as_default(): saver.restore(sess, path) # tf.train.latest_checkpoint(path)) with sess.as_default(): fmodel = TensorFlowModel(x_input, logits, bounds=(0, 255)) return fmodel
def data_set_maker(model, attack, image_list, labels): """ This function creates the data set that will be used to train the autoencoder (denoiser) This data set is made of couples of adversarial/bening images inputs: -model (tensorflow model): the model that will be attacked to produced the adversarial examples -attack (foolbox attack): attack that will produce the adversarial images -image_list (list of arrays): images that will be attacked -labels (list on one hot encoded labels): labels of the image output: -adv_list (list of numpy arrays): adversarial images -benign_list (list of numpy arrays): benign images corresponding to the images in adv_list -adv_true_label: true labels of the images (attention here the are not one hot encoded) """ model_to_fool = TensorFlowModel(model, bounds=(0, 255)) adv_list, benign_list, adv_true_label = [], [], [] epsilon = [5] labels = list(map(np.argmax, labels)) print("======epsilon: " + str(epsilon[0]) + "======") for i, image in enumerate(tqdm(image_list, position=0)): if i != 0 and i % (len(labels) // 3) == 0: print("======adv_list_size: " + str(len(adv_list)) + "======") epsilon = [epsilon[0] * 1.5] print("======epsilon: " + str(epsilon[0]) + "======") image = np.asarray(image)[:, :, :3].astype("float32") image = convert_to_tensor(np.expand_dims(image, axis=0)) label = labels[i] label = tf.convert_to_tensor(np.array([label])) _, clipped, is_adv = attack(model_to_fool, image, label, epsilons=epsilon) if bool(is_adv[0]): adv_list.append(np.array(clipped[0][0])) adv_true_label.append(labels[i]) benign_list.append(image) for i, image in enumerate(benign_list): benign_list[i] = np.squeeze(image) return (list(adv_list), list(benign_list), adv_true_label)
def create_imagenet_iv3_model(sess=None, x_input=None): # Allow to reuse a session if sess is None: sess = tf.Session() # Allow to put model on top of an existing input if x_input is None: x_input = tf.placeholder(tf.float32, (None, 299, 299, 3)) # NOTE: don't norm here. For some reason this InceptionV3 accepts preproc only in specific scopes, # so it is done in imagenet_inception_v3.py. logits, preds = model(sess=sess, image=x_input) with sess.as_default(): fmodel = TensorFlowModel(x_input, logits, bounds=(0, 255)) return fmodel
def attack_performances_computer(model_to_attack, predicting_model, attack, image_list, labels, epsilon): # pylint: disable=too-many-arguments """ This fonction launch an attack against a model and returns the performances of the attack inputs: -model_to_attack (tensorflow model): model that will be attacked -predicting_model (tensorflow model): model that will predict the label of the generated adv example (most of the time it is the same that model_to_attack) but sometimes it is usefull to have another model taking care of the prediction -attack (foolbox attack) -image_list: list of images array (32*32*3) to attack -labels: labels (one hot encoding) of the image -epsilon (float): epsilon is the amount of noise added into the image at each step outputs: -DOC_attack (float) : average degreee of change of the attack -SR_on_attacked_model (float): success rate of the attack on the first model of the inputs (model_to_attack) -SR_on_predicting_model (float) : success rate of the attack on the second model of the inputs (predicting_model) """ model_to_attack = TensorFlowModel(model_to_attack, bounds=(0, 255)) success = {"attacked_model": [], "predicting_model": []} adv_list = [] labels = list(map(np.argmax, labels)) for i, image in enumerate(tqdm(image_list, position=0)): image = np.asarray(image)[:, :, :3].astype("float32") image = convert_to_tensor(np.expand_dims(image, axis=0)) label = tf.convert_to_tensor(np.array([labels[i]])) _, clipped, is_adv = attack(model_to_attack, image, label, epsilons=epsilon) success["attacked_model"].append(bool(is_adv[0])) adv_list.append(np.array(clipped[0])) prediction = predicting_model.predict(clipped[0]) success["predicting_model"].append(np.argmax(prediction) != labels[i]) return (degree_of_change(adv_list, image_list), success_rate(success["attacked_model"]), success_rate(success["predicting_model"]))
def test_tf_keras_constructor(): bounds = (0, 255) def create_model(): data_format = "channels_last" input_shape = [28, 28, 1] l = tf.keras.layers # noqa: E741 max_pool = l.MaxPooling2D((2, 2), (2, 2), padding="same", data_format=data_format) return tf.keras.Sequential([ l.Conv2D( 32, 5, padding="same", data_format=data_format, input_shape=input_shape, activation=tf.nn.relu, ), max_pool, l.Conv2D( 64, 5, padding="same", data_format=data_format, activation=tf.nn.relu, ), max_pool, l.Flatten(), l.Dense(1024, activation=tf.nn.relu), l.Dropout(0.4), l.Dense(10), ]) model = create_model() fmodel = TensorFlowModel.from_keras(model, bounds=bounds) assert fmodel.num_classes() == 10 fmodel.session.run(tf.global_variables_initializer()) test_images = np.random.rand(2, 28, 28, 1).astype(np.float32) assert fmodel.forward(test_images).shape == (2, 10)
def fit(self, x, y, epochs, validation_data=None, batch_size=32, verbose=1): ''' params :x: オリジナルデータ :y: オリジナルラベル :i: イテレーション数 ''' self.x = x self.y = y for i in range(epochs): print(f'\n{i+1} / {epochs} epochs') # rand_idx = np.random.permutation(np.arange(self.x.shape[0])) # 全データのAdversarial Examplesをランダムな順番で作成 rand_idx = np.random.choice( np.arange(self.x.shape[0]), size=batch_size) # 全データ作成している時間がないので、ランダムな10サンプル分を作成 self.fmodel = TensorFlowModel.from_keras(self.kmodel, bounds=(0, 1)) self.method = self.method_base(self.fmodel, criterion=self.criterion) self.adv_imgs, self.orig_cls = [], [] for r_idx in rand_idx: x_adv = self.method(self.x[r_idx], self.y[r_idx], unpack=False) if x_adv.image is None: continue self.adv_imgs.append(x_adv.image) self.orig_cls.append(x_adv.original_class) self.x = np.append(self.x, np.array(self.adv_imgs), axis=0) self.y = np.append(self.y, self.orig_cls) self.kmodel.fit(x=self.x, y=self.y, epochs=1, validation_data=validation_data, verbose=verbose)
def test_tensorflow_forward_gradient(num_classes): bounds = (0, 255) channels = num_classes def mean_brightness_net(images): logits = tf.reduce_mean(images, axis=(1, 2)) return logits q = ( np.arange(num_classes)[None, None], np.random.uniform(size=(5, 5, channels)) + 1, ) g = tf.Graph() with g.as_default(): images = tf.placeholder(tf.float32, (None, 5, 5, channels)) logits = mean_brightness_net(images) with TensorFlowModel(images, logits, bounds=bounds, preprocessing=q) as model: epsilon = 1e-2 np.random.seed(23) test_images = np.random.rand(5, 5, 5, channels).astype(np.float32) test_labels = [7] * 5 _, g1 = model.forward_and_gradient(test_images, test_labels) l1 = model._loss_fn(test_images - epsilon / 2 * g1, test_labels) l2 = model._loss_fn(test_images + epsilon / 2 * g1, test_labels) assert np.all(1e4 * (l2 - l1) > 1) # make sure that gradient is numerically correct np.testing.assert_array_almost_equal( 1e4 * (l2 - l1), 1e4 * epsilon * (np.linalg.norm(g1.reshape(len(g1), -1), axis=(-1))**2).sum(), decimal=1, )
def create_rn50_model(sess=None, x_input=None, foolbox=True): # Allow to reuse a session and put the model on top of an existing input assert (sess is not None) == (x_input is not None) if sess is not None: graph, saver, images, logits = _create_model(sess.graph, x_input) else: graph, saver, images, logits = _create_model(None, None) sess = tf.Session(graph=graph) path = os.path.dirname(os.path.abspath(__file__)) path = os.path.join(path, 'tiny_imagenet_alp05_2018_06_26.ckpt') saver.restore(sess, path) # tf.train.latest_checkpoint(path)) if foolbox: with sess.as_default(): fmodel = TensorFlowModel(images, logits, bounds=(0, 255)) return fmodel else: return images, logits, sess
def create(): # fetch weights weights_path = zoo.fetch_weights( 'https://github.com/facebookresearch/ImageNet-Adversarial-Training/releases/download/v0.1/R152-Denoise.npz', unzip=False) # model constructer expects an ArgumentParser as argument parser = argparse.ArgumentParser() parser.add_argument('-d', '--depth', help='ResNet depth', type=int, default=152, choices=[50, 101, 152]) parser.add_argument('--arch', help='Name of architectures defined in nets.py', default='ResNetDenoise') args = parser.parse_args([]) model = getattr(nets, args.arch + 'Model')(args) image = tf.placeholder(tf.float32, shape=(None, 3, 224, 224)) with TowerContext(tower_name='', is_training=False): logits = model.get_logits(image) config = tf.ConfigProto() config.gpu_options.allow_growth = True session = tf.Session(config=config) with session.as_default(): model = get_model_loader(weights_path).init(session) fmodel = TensorFlowModel(image, logits, channel_axis=1, bounds=[0, 255.], preprocessing=(127.5, 127.5)) return fmodel
def test_tensorflow_preprocessing(num_classes): bounds = (0, 255) channels = num_classes def mean_brightness_net(images): logits = tf.reduce_mean(images, axis=(1, 2)) return logits q = (np.arange(num_classes)[None, None], np.random.uniform(size=(5, 5, channels)) + 1) g = tf.Graph() with g.as_default(): images = tf.placeholder(tf.float32, (None, 5, 5, channels)) logits = mean_brightness_net(images) with TensorFlowModel(images, logits, bounds=bounds, preprocessing=q) as model: test_images = np.random.rand(2, 5, 5, channels).astype(np.float32) test_label = 7 assert model.batch_predictions(test_images).shape \ == (2, num_classes) test_logits = model.predictions(test_images[0]) assert test_logits.shape == (num_classes, ) test_gradient = model.gradient(test_images[0], test_label) assert test_gradient.shape == test_images[0].shape np.testing.assert_almost_equal( model.predictions_and_gradient(test_images[0], test_label)[0], test_logits) np.testing.assert_almost_equal( model.predictions_and_gradient(test_images[0], test_label)[1], test_gradient) assert model.num_classes() == num_classes
def test_tensorflow_model(num_classes): bounds = (0, 255) channels = num_classes def mean_brightness_net(images): logits = tf.reduce_mean(images, axis=(1, 2)) return logits g = tf.Graph() with g.as_default(): images = tf.placeholder(tf.float32, (None, 5, 5, channels)) logits = mean_brightness_net(images) with tf.Session(graph=g): model = TensorFlowModel( images, logits, bounds=bounds) assert model.session is not None test_images = np.random.rand(2, 5, 5, channels).astype(np.float32) test_label = 7 assert model.batch_predictions(test_images).shape \ == (2, num_classes) test_logits = model.predictions(test_images[0]) assert test_logits.shape == (num_classes,) test_gradient = model.gradient(test_images[0], test_label) assert test_gradient.shape == test_images[0].shape np.testing.assert_almost_equal( model.predictions_and_gradient(test_images[0], test_label)[0], test_logits) np.testing.assert_almost_equal( model.predictions_and_gradient(test_images[0], test_label)[1], test_gradient) assert model.num_classes() == num_classes
# model=CallableModelWrapper(cnn.predict, output_layer='logits') # # # # fgm=FastGradientMethod(model,sess=sess) # # fgm_params = {'eps': 0.3, # 'clip_min': 0., # 'clip_max': 1.} # # adv_x = fgm.generate((train_images[:2]), **fgm_params) # preds_adv = model.get_probs(adv_x) model = TensorFlowModel(cnn.inputs,cnn.network,bounds=(0, 255)) from foolbox.criteria import TargetClassProbability target_class = 9 criterion = TargetClassProbability(target_class, p=0.99) from foolbox.attacks import FGSM attack=FGSM(model) image = train_images[0].reshape((28, 28, 1)) label = np.argmax(model.predictions(image)) adversarial = attack(image,label=label,epsilons=1,max_epsilon=0.03*255)