def poison_dataset(x_clean, y_clean, poison_func):
x_poison = np.copy(x_clean)
y_poison = np.copy(y_clean)
is_poison = np.zeros(np.shape(y_poison)[0])
for i in range(10):
src = i
tgt = (i + 1) % 10
n_points_in_tgt = np.round(
np.sum(np.argmax(y_clean, axis=1) == tgt))
num_poison = int((PP_POISON * n_points_in_tgt) / (1 - PP_POISON))
src_imgs = np.copy(x_clean[np.argmax(y_clean, axis=1) == src])
n_points_in_src = np.shape(src_imgs)[0]
if num_poison:
indices_to_be_poisoned = np.random.choice(
n_points_in_src, num_poison)
imgs_to_be_poisoned = src_imgs[indices_to_be_poisoned]
backdoor_attack = PoisoningAttackBackdoor(poison_func)
poison_images, poison_labels = backdoor_attack.poison(
imgs_to_be_poisoned,
y=to_categorical(np.ones(num_poison) * tgt, 10))
x_poison = np.append(x_poison, poison_images, axis=0)
y_poison = np.append(y_poison, poison_labels, axis=0)
is_poison = np.append(is_poison, np.ones(num_poison))
is_poison = is_poison != 0
return is_poison, x_poison, y_poison
def test_image_failure_modes(self):
"""
Tests failure modes for image perturbation functions
"""
backdoor_attack = PoisoningAttackBackdoor(self.poison_func_5)
adv_target = np.argmax(self.y_train_mnist) + 1 % 10
with self.assertRaises(ValueError) as context:
backdoor_attack.poison(self.x_train_mnist, y=adv_target)
self.assertIn("Backdoor does not fit inside original image", str(context.exception))
backdoor_attack = PoisoningAttackBackdoor(self.poison_func_6)
with self.assertRaises(ValueError) as context:
backdoor_attack.poison(np.zeros(5), y=np.ones(5))
self.assertIn("Invalid array shape", str(context.exception))
def test_keras(self):
"""
Test with a KerasClassifier.
:return:
"""
# Build KerasClassifier
krc = get_image_classifier_kr_tf(loss_type="label")
# Get MNIST
(x_train, y_train), (_, _) = self.mnist
target_idx = 9
target = np.zeros(10)
target[target_idx] = 1
target2 = np.zeros(10)
target2[(target_idx + 1) % 10] = 1
backdoor = PoisoningAttackBackdoor(add_pattern_bd)
emb_attack = PoisoningAttackAdversarialEmbedding(
krc, backdoor, 2, target)
classifier = emb_attack.poison_estimator(x_train,
y_train,
nb_epochs=NB_EPOCHS)
data, labels, bd = emb_attack.get_training_data()
self.assertEqual(x_train.shape, data.shape)
self.assertEqual(y_train.shape, labels.shape)
self.assertEqual(bd.shape, (len(x_train), 2))
# Assert successful cloning of classifier model
self.assertTrue(classifier is not krc)
emb_attack2 = PoisoningAttackAdversarialEmbedding(
krc, backdoor, 2, [(target, target2)])
_ = emb_attack2.poison_estimator(x_train, y_train, nb_epochs=NB_EPOCHS)
data, labels, bd = emb_attack2.get_training_data()
self.assertEqual(x_train.shape, data.shape)
self.assertEqual(y_train.shape, labels.shape)
self.assertEqual(bd.shape, (len(x_train), 2))
_ = PoisoningAttackAdversarialEmbedding(krc,
backdoor,
2, [(target, target2)],
pp_poison=[0.4])
def test_errors(self):
krc = get_image_classifier_kr_tf(loss_type="function")
krc_valid = get_image_classifier_kr_tf(loss_type="label")
backdoor = PoisoningAttackBackdoor(add_pattern_bd)
target_idx = 9
target = np.zeros(10)
target[target_idx] = 1
target2 = np.zeros(10)
target2[(target_idx + 1) % 10] = 1
# invalid loss function
with self.assertRaises(TypeError):
_ = PoisoningAttackAdversarialEmbedding(krc, backdoor, 2, target)
# feature layer not real name
with self.assertRaises(ValueError):
_ = PoisoningAttackAdversarialEmbedding(krc_valid, backdoor,
"not a layer", target)
# feature layer out of range
with self.assertRaises(ValueError):
_ = PoisoningAttackAdversarialEmbedding(krc_valid, backdoor, 20,
target)
# target misshaped
with self.assertRaises(ValueError):
_ = PoisoningAttackAdversarialEmbedding(
krc_valid, backdoor, 20, np.expand_dims(target, axis=0))
with self.assertRaises(ValueError):
_ = PoisoningAttackAdversarialEmbedding(krc_valid, backdoor, 20,
[target])
with self.assertRaises(ValueError):
_ = PoisoningAttackAdversarialEmbedding(krc_valid,
backdoor,
20,
target,
regularization=-1)
with self.assertRaises(ValueError):
_ = PoisoningAttackAdversarialEmbedding(krc_valid,
backdoor,
20,
target,
discriminator_layer_1=-1)
with self.assertRaises(ValueError):
_ = PoisoningAttackAdversarialEmbedding(krc_valid,
backdoor,
20,
target,
discriminator_layer_2=-1)
with self.assertRaises(ValueError):
_ = PoisoningAttackAdversarialEmbedding(krc_valid,
backdoor,
20,
target,
pp_poison=-1)
with self.assertRaises(ValueError):
_ = PoisoningAttackAdversarialEmbedding(krc_valid,
backdoor,
20, [(target, target2)],
pp_poison=[])
with self.assertRaises(ValueError):
_ = PoisoningAttackAdversarialEmbedding(krc_valid,
backdoor,
20, [(target, target2)],
pp_poison=[-1])
def test_check_params(self):
with self.assertRaises(ValueError):
_ = PoisoningAttackBackdoor("self.poison_func_5")