def test_iris_pt(self):
"""
Third test for Pytorch.
:return:
"""
# Build PyTorchClassifier
victim_ptc = get_iris_classifier_pt()
class Model(nn.Module):
"""
Create Iris model for PyTorch.
"""
def __init__(self):
super(Model, self).__init__()
self.fully_connected1 = nn.Linear(4, 10)
self.fully_connected2 = nn.Linear(10, 10)
self.fully_connected3 = nn.Linear(10, 3)
# pylint: disable=W0221
# disable pylint because of API requirements for function
def forward(self, x):
x = self.fully_connected1(x)
x = self.fully_connected2(x)
logit_output = self.fully_connected3(x)
return logit_output
# Define the network
model = Model()
# Define a loss function and optimizer
loss_fn = nn.CrossEntropyLoss()
optimizer = optim.Adam(model.parameters(), lr=0.001)
# Get classifier
thieved_ptc = PyTorchClassifier(model=model,
loss=loss_fn,
optimizer=optimizer,
input_shape=(4, ),
nb_classes=3,
clip_values=(0, 1),
channel_index=1)
# Create attack
copycat_cnn = CopycatCNN(classifier=victim_ptc,
batch_size_fit=BATCH_SIZE,
batch_size_query=BATCH_SIZE,
nb_epochs=NB_EPOCHS,
nb_stolen=NB_STOLEN)
thieved_ptc = copycat_cnn.extract(x=self.x_train,
thieved_classifier=thieved_ptc)
victim_preds = np.argmax(victim_ptc.predict(x=self.x_train[:100]),
axis=1)
thieved_preds = np.argmax(thieved_ptc.predict(x=self.x_train[:100]),
axis=1)
acc = np.sum(victim_preds == thieved_preds) / len(victim_preds)
self.assertGreater(acc, 0.3)
def main(config_filepath):
config = load_config(config_filepath)
if os.path.isfile(config.metrics_output_path):
click.confirm(f"Overwrite {config.metrics_output_path}?", abort=True)
np.random.seed(config.seed)
torch.manual_seed(config.seed)
# Load data
x = torch.load(config.x_filepath)
y = torch.load(config.y_filepath)
# Flatten
x = x.reshape(x.shape[0], -1)
model = torch.load(config.trained_model_filepath)
clip_values = {}
with open(config.clip_values_filepath, "r") as f:
clip_values = json.load(f)
clip_values = (
clip_values.get("min_pixel_value"),
clip_values.get("max_pixel_value"),
)
classifier = PyTorchClassifier(
model=model,
clip_values=clip_values,
loss=model.criterion,
optimizer=model.optimizer,
input_shape=(1, 28, 28),
nb_classes=10,
) # TODO: move these parameters to config
# Evaluate the classifier on benign data
predictions = classifier.predict(x)
# Convert one-hots to numbers for metrics
y = utils.one_hot_to_num(y)
predictions = utils.one_hot_to_num(predictions)
accuracy = {
"Accuracy": metrics.accuracy_score(y, predictions),
"Confusion Matrix": metrics.confusion_matrix(y, predictions).tolist(),
}
# Save data
with open(config.metrics_output_path, "w") as f:
json.dump(
accuracy,
f,
ensure_ascii=False,
sort_keys=True,
indent=4,
separators=(",", ": "),
)
def __init__(self, model, dataset):
model.eval()
self.model = model
self.dataset = dataset
optimizer = torch.optim.Adam(model.parameters()) # Useless
self.nb_classes = nb_classes[dataset]
self.classifier = PyTorchClassifier((0., 1.),
model=self.model,
loss=nn.CrossEntropyLoss(),
optimizer=optimizer,
input_shape=input_shape[dataset],
nb_classes=self.nb_classes)
def test_device(self):
# Define the network
model = nn.Sequential(nn.Conv2d(1, 2, 5),
nn.ReLU(), nn.MaxPool2d(2, 2), Flatten(),
nn.Linear(288, 10))
# Define a loss function and optimizer
loss_fn = nn.CrossEntropyLoss()
optimizer = optim.Adam(model.parameters(), lr=0.01)
# First test cpu
classifier_cpu = PyTorchClassifier(
model=model,
clip_values=(0, 1),
loss=loss_fn,
optimizer=optimizer,
input_shape=(1, 28, 28),
nb_classes=10,
device_type="cpu",
)
self.assertTrue(classifier_cpu._device == torch.device("cpu"))
self.assertFalse(classifier_cpu._device == torch.device("cuda"))
# Then test gpu
if torch.cuda.device_count() >= 2:
with torch.cuda.device(0):
classifier_gpu0 = PyTorchClassifier(
model=model,
clip_values=(0, 1),
loss=loss_fn,
optimizer=optimizer,
input_shape=(1, 28, 28),
nb_classes=10,
)
self.assertTrue(
classifier_gpu0._device == torch.device("cuda:0"))
self.assertFalse(
classifier_gpu0._device == torch.device("cuda:1"))
with torch.cuda.device(1):
classifier_gpu1 = PyTorchClassifier(
model=model,
clip_values=(0, 1),
loss=loss_fn,
optimizer=optimizer,
input_shape=(1, 28, 28),
nb_classes=10,
)
self.assertTrue(
classifier_gpu1._device == torch.device("cuda:1"))
self.assertFalse(
classifier_gpu1._device == torch.device("cuda:0"))
def __init__(self, model_container, theta=0.1, gamma=1.0, batch_size=16):
super(SaliencyContainer, self).__init__(model_container)
dim_data = model_container.data_container.dim_data
assert len(dim_data) == 3, \
'Jacobian Saliency Map attack only works on images'
self._params = {
'theta': theta,
'gamma': gamma,
'batch_size': batch_size
}
# use IBM ART pytorch module wrapper
# the model used here should be already trained
model = self.model_container.model
loss_fn = self.model_container.model.loss_fn
dc = self.model_container.data_container
clip_values = get_range(dc.x_train, dc.data_type == 'image')
optimizer = self.model_container.model.optimizer
num_classes = self.model_container.data_container.num_classes
dim_data = self.model_container.data_container.dim_data
logger.debug('clip_values = %s', str(clip_values))
self.classifier = PyTorchClassifier(model=model,
clip_values=clip_values,
loss=loss_fn,
optimizer=optimizer,
input_shape=dim_data,
nb_classes=num_classes)
def __init__(self,
model_container,
eps=0.3,
eps_step=0.1,
max_iter=100,
targeted=False,
batch_size=64):
super(BIMContainer, self).__init__(model_container)
params_received = {
'eps': eps,
'eps_step': eps_step,
'max_iter': max_iter,
'targeted': targeted,
'batch_size': batch_size
}
self._params = params_received
# use IBM ART pytorch module wrapper
# the model used here should be already trained
model = self.model_container.model
loss_fn = self.model_container.model.loss_fn
dc = self.model_container.data_container
clip_values = get_range(dc.x_train, dc.data_type == 'image')
optimizer = self.model_container.model.optimizer
num_classes = self.model_container.data_container.num_classes
dim_data = self.model_container.data_container.dim_data
self.classifier = PyTorchClassifier(model=model,
clip_values=clip_values,
loss=loss_fn,
optimizer=optimizer,
input_shape=dim_data,
nb_classes=num_classes)
def __init__(self,
model_container,
max_iter=100,
epsilon=1e-6,
nb_grads=10,
batch_size=16):
super(DeepFoolContainer, self).__init__(model_container, )
self._params = {
'max_iter': max_iter,
'epsilon': epsilon,
'nb_grads': nb_grads,
'batch_size': batch_size
}
# use IBM ART pytorch module wrapper
# the model used here should be already trained
model = self.model_container.model
loss_fn = self.model_container.model.loss_fn
dc = self.model_container.data_container
clip_values = get_range(dc.x_train, dc.data_type == 'image')
optimizer = self.model_container.model.optimizer
num_classes = self.model_container.data_container.num_classes
dim_data = self.model_container.data_container.dim_data
self.classifier = PyTorchClassifier(model=model,
clip_values=clip_values,
loss=loss_fn,
optimizer=optimizer,
input_shape=dim_data,
nb_classes=num_classes)
def artattack(fcn, model, images, criterion, epsilon, kwargs):
"""
adversarial robustness toolbox ported attack implementation
:param fcn: the foolbox_custom attack function
:param model: network in DAGModule
:param images: test samples
:param criterion: labels/criterion object
:param epsilon: epsilon to test with
:param kwargs: other arguments to the model
:return: perturbed image, whether the attack is successful or not
"""
artmodel = PyTorchClassifier(
model=model,
clip_values=(0, 1),
loss=nn.CrossEntropyLoss(),
optimizer=None,
input_shape=(0,),
nb_classes=10
)
device = model.device
attack = fcn(classifier=artmodel, **kwargs)
adv_imgs = torch.as_tensor(attack.generate(x=images.clone().cpu())).to(device)
linf = LpDistance(ep.inf)
adv_imgs = linf.clip_perturbation(images, adv_imgs, epsilon)
return adv_imgs
def test_one_channel(self):
(x_train, _), (_, _), _, _ = load_mnist()
x_train = x_train[:2, 10:15, 15:20, :]
x_train = x_train.astype(np.float32)
x_train_original = x_train.copy()
# Define the network
model = ModelImage()
loss_fn = nn.CrossEntropyLoss()
optimizer = optim.Adam(model.parameters(), lr=0.01)
self.pixelcnn = PyTorchClassifier(model=model,
loss=loss_fn,
optimizer=optimizer,
input_shape=(1, 28, 28),
nb_classes=10,
clip_values=(0, 1))
preprocess = PixelDefend(eps=5, pixel_cnn=self.pixelcnn)
x_defended, _ = preprocess(x_train)
self.assertEqual(x_defended.shape, x_train.shape)
self.assertTrue((x_defended <= 1.0).all())
self.assertTrue((x_defended >= 0.0).all())
# Check that x_train has not been modified by attack and classifier
self.assertAlmostEqual(float(np.max(np.abs(x_train_original -
x_train))),
0.0,
delta=0.00001)
def __init__(self, net, num_classes, attack_type, eps, batch_size):
self.num_classes = num_classes
self.net = net
self.fmodel = foolbox.models.PyTorchModel(net,
bounds=(0, 1),
num_classes=10)
if attack_type == "DeepFool":
attacker = foolbox.attacks.DeepFoolLinfinityAttack(self.fmodel)
elif attack_type == "MIFGSM":
attacker = foolbox.attacks.MomentumIterativeAttack(
self.fmodel, distance=foolbox.distances.Linfinity)
elif attack_type == "CW":
a0 = 2 * eps / 20
classifier = PyTorchClassifier(clip_values=(0, 1),
model=net,
loss=None,
optimizer=None,
input_shape=(batch_size, 3, 32, 32),
nb_classes=num_classes,
channel_index=3,
defences=None,
preprocessing=(0, 1))
attacker = carlini.CarliniLInfMethod(classifier,
learning_rate=a0 / 2,
targeted=False,
max_iter=40,
eps=eps,
batch_size=128)
self.attacker = attacker
self.attack_type = attack_type
self.eps = eps
def __init__(self, model_container, norm=np.inf, eps=.3, eps_step=0.1,
targeted=False, num_random_init=0, batch_size=64, minimal=False):
"""
Fast Gradient Sign Method. Use L-inf norm as default
"""
super(FGSMContainer, self).__init__(model_container)
self._params = {
'norm': norm,
'eps': eps,
'eps_step': eps_step,
'targeted': targeted,
'num_random_init': num_random_init,
'batch_size': batch_size,
'minimal': minimal}
# use IBM ART pytorch module wrapper
# the model used here should be already trained
model = self.model_container.model
loss_fn = self.model_container.model.loss_fn
dc = self.model_container.data_container
clip_values = get_range(dc.x_train, dc.data_type == 'image')
optimizer = self.model_container.model.optimizer
num_classes = self.model_container.data_container.num_classes
dim_data = self.model_container.data_container.dim_data
self.classifier = PyTorchClassifier(
model=model,
clip_values=clip_values,
loss=loss_fn,
optimizer=optimizer,
input_shape=dim_data,
nb_classes=num_classes)
def wrap(model, target_type, **config):
assert model is not None
if target_type == 'sklearnclassifier':
nb_classes = config.get('nb_classes', 10)
return SklearnClassifier(model=model, clip_values=(0, nb_classes))
elif target_type == 'pytorchclassifier':
loss = config.get('loss', None)
optimizer = config.get('optimizer', None)
input_shape = config.get('input_shape', None)
nb_classes = config.get('nb_classes', None)
clip_values = config.get('clip_values', (0., 1.))
return PyTorchClassifier(model=model,
loss=loss,
optimizer=optimizer,
input_shape=input_shape,
nb_classes=nb_classes,
clip_values=clip_values)
else:
raise NotImplementedError(
'Wrapper for {} is not implemented.'.format(target_type))
def setUpClass(cls):
(x_train, y_train), (x_test, y_test), _, _ = load_dataset('mnist')
x_train = np.swapaxes(x_train, 1, 3).astype(np.float32)
x_test = np.swapaxes(x_test, 1, 3).astype(np.float32)
cls.x_train = x_train[:NB_TRAIN]
cls.y_train = y_train[:NB_TRAIN]
cls.x_test = x_test[:NB_TEST]
cls.y_test = y_test[:NB_TEST]
# Define the internal classifier
classifier = get_classifier_pt()
# Define the internal detector
conv = nn.Conv2d(1, 16, 5)
linear = nn.Linear(2304, 1)
torch.nn.init.xavier_uniform_(conv.weight)
torch.nn.init.xavier_uniform_(linear.weight)
model = nn.Sequential(conv, nn.ReLU(), nn.MaxPool2d(2, 2), Flatten(),
linear)
model = Model(model)
loss_fn = nn.CrossEntropyLoss()
optimizer = optim.Adam(model.parameters(), lr=0.01)
detector = PyTorchClassifier(model=model,
loss=loss_fn,
optimizer=optimizer,
input_shape=(1, 28, 28),
nb_classes=1,
clip_values=(0, 1))
# Define the detector-classifier
cls.detector_classifier = DetectorClassifier(classifier=classifier,
detector=detector)
def get_art_model(model_kwargs, wrapper_kwargs, weights_file=None):
model = models.resnet50(**model_kwargs)
model.to(DEVICE)
if weights_file:
filepath = maybe_download_weights_from_s3(weights_file)
checkpoint = torch.load(filepath, map_location=DEVICE)
model.load_state_dict(checkpoint)
wrapped_model = PyTorchClassifier(
model,
loss=torch.nn.CrossEntropyLoss(),
optimizer=torch.optim.Adam(model.parameters(), lr=0.003),
input_shape=(224, 224, 3),
**wrapper_kwargs,
clip_values=(
np.array([
0.0 - IMAGENET_MEANS[0] / IMAGENET_STDEV[0],
0.0 - IMAGENET_MEANS[1] / IMAGENET_STDEV[1],
0.0 - IMAGENET_MEANS[2] / IMAGENET_STDEV[2],
]),
np.array([
1.0 - IMAGENET_MEANS[0] / IMAGENET_STDEV[0],
1.0 - IMAGENET_MEANS[1] / IMAGENET_STDEV[1],
1.0 - IMAGENET_MEANS[2] / IMAGENET_STDEV[2],
]),
),
)
return wrapped_model
def general_test(model,
optimizer,
input_shape,
nb_classes,
test_loader,
method,
btrain=False,
model_file='last_model_92_sgd.pkl'):
global _classes
if not btrain:
model.load_state_dict(torch.load(model_file))
model.eval()
loss = nn.CrossEntropyLoss()
warped_model = PyTorchClassifier(model,
loss,
optimizer,
input_shape,
nb_classes,
clip_values=(.0, 1.))
if method == 'Deepfool':
adv_crafter = DeepFool(warped_model)
elif method == 'BIM':
adv_crafter = BasicIterativeMethod(warped_model, batch_size=20)
elif method == 'JSMA':
adv_crafter = SaliencyMapMethod(warped_model, batch_size=20)
elif method == 'CW2':
adv_crafter = CarliniL2Method(warped_model, batch_size=20)
elif method == 'CWI':
adv_crafter = CarliniLInfMethod(warped_model, batch_size=20)
correct, total = 0, 0
class_correct = list(0. for _ in range(10))
class_total = list(0. for _ in range(10))
for images, labels in test_loader:
images = adv_crafter.generate(images.numpy())
images = Variable(torch.from_numpy(images).cuda())
labels = Variable(labels.cuda())
outputs = model(images)
_, predicted = torch.max(outputs.data, 1)
total += labels.size(0)
correct += (predicted == labels.data).sum()
c = (predicted == labels.data).squeeze()
for i in range(20):
label = labels.data[i]
class_correct[label] += c[i]
class_total[label] += 1
print('Accuracy of the model on the test images: %d %%' %
(100 * float(correct) / total))
print('Accuracy of the model on the test images:', float(correct) / total)
for i in range(10):
print('Accuracy of %5s : %2d %%' %
(_classes[i], 100 * class_correct[i] / class_total[i]))
return correct / total
def test():
(x_train, y_train), (x_test, y_test), min_, max_ = load_dataset(str('cifar10'))
x_train = np.swapaxes(x_train, 1, 3).astype(np.float32)
x_test = np.swapaxes(x_test, 1, 3).astype(np.float32)
model = VGG('VGG16')
model.load_state_dict(torch.load("./logs/pytorch_vgg16.h5.model"))
criterion = nn.CrossEntropyLoss()
optimizer = optim.Adam(model.parameters(), lr=1e-2)
classifier = PyTorchClassifier(model=model, clip_values=(min_, max_ ), loss=criterion,
optimizer=optimizer, input_shape=(3, 32, 32), nb_classes=10)
predictions = classifier.predict(x_test)
accuracy = np.sum(np.argmax(predictions, axis=1) == np.argmax(y_test, axis=1)) / len(y_test)
print('Accuracy on benign test examples: {}%'.format(accuracy * 100))
def general_test_v2(model,
optimizer,
input_shape,
nb_classes,
test_loader,
method,
conf,
btrain=False,
model_file='last_model_92_sgd.pkl'):
global _classes
if not btrain:
checked_state = torch.load(model_file)['state_dict']
model.load_state_dict(checked_state)
model.eval()
loss = nn.CrossEntropyLoss()
warped_model = PyTorchClassifier(model,
loss,
optimizer,
input_shape,
nb_classes,
clip_values=(.0, 1.))
if method == 'Deepfool':
adv_crafter = DeepFool(warped_model)
elif method == 'BIM':
adv_crafter = BasicIterativeMethod(warped_model, batch_size=32)
elif method == 'JSMA':
adv_crafter = SaliencyMapMethod(warped_model, batch_size=32)
elif method == 'CW2':
adv_crafter = CarliniL2Method(warped_model, batch_size=32)
elif method == 'CWI':
adv_crafter = CarliniLInfMethod(warped_model, batch_size=32)
elif method == 'FGSM':
adv_crafter = FastGradientMethod(warped_model, batch_size=32)
correct, total = 0, 0
adv_dataset = adv_generalization(test_loader, adv_crafter, conf)
temp_loader = DataLoader(dataset=adv_dataset,
batch_size=32,
shuffle=False,
drop_last=True)
# temp_loader = test_loader
for images, labels in temp_loader:
images = Variable(images.cuda())
labels = Variable(labels.cuda())
outputs = model(images)
_, predicted = torch.max(outputs.data, 1)
total += labels.size(0)
correct += (predicted == labels.data).sum()
print('Accuracy of the model on the test images: %d %%' %
(100 * float(correct) / total))
print('Accuracy of the model on the test images:', float(correct) / total)
return correct / total
def main(config_filepath):
config = load_config(config_filepath)
if os.path.isfile(config.model_output_path):
click.confirm(f"Overwrite {config.model_output_path}?", abort=True)
np.random.seed(config.seed)
torch.manual_seed(config.seed)
# Load data
x = torch.load(config.x_filepath)
y = torch.load(config.y_filepath)
# Flatten training set
x = x.reshape(x.shape[0], -1)
clip_values = {}
with open(config.clip_values_filepath, "r") as f:
clip_values = json.load(f)
clip_values = (
clip_values.get("min_pixel_value"),
clip_values.get("max_pixel_value"),
)
model = get_model_from_module(mnist.models, config.model_class_name)
if not model:
sys.exit(f"Could not load provided model {config.model_class_name}")
classifier = PyTorchClassifier(
model=model,
clip_values=clip_values,
loss=model.criterion,
optimizer=model.optimizer,
input_shape=(784),
nb_classes=10,
) # TODO: move these parameters to config
# Train classifier
classifier.fit(x, y, batch_size=config.batch_size, nb_epochs=config.num_epochs)
# Save data
torch.save(model, config.model_output_path)
def apply_attack(model_path, dataset, model_attack_config):
model = torch.load(model_path, map_location='cpu').model
input_shape = model_attack_config[lookup.input_shape]
criterion = model_attack_config[lookup.criterion]
optimizer = model_attack_config[lookup.optimizer]
nb_classes = model_attack_config[lookup.nb_classes]
attack_method = model_attack_config[lookup.attack_method]
robust_db_name = model_attack_config[lookup.robust_db_name]
if criterion == 'cross_entropy':
criterion = nn.CrossEntropyLoss()
else:
raise ValueError
if optimizer == 'SGD':
optimizer = optim.SGD(model.parameters(), lr=0.01, momentum=0.5)
elif optimizer == 'Adam':
optimizer = optim.Adam(model.parameters(), lr=1e-4)
else:
raise ValueError
classifier = PyTorchClassifier(model=model, input_shape=input_shape, loss=criterion, optimizer=optimizer, nb_classes=nb_classes)
x = np.array([x_element.numpy()[0] for x_element in dataset[0]])
y = np.array(dataset[1])
predictions = classifier.predict(x)
accuracy = np.sum(np.argmax(predictions, axis=1) == np.argmax(y, axis=1)) / len (y)
print('Accuracy on benign test examples: {}%'.format(accuracy * 100))
attack_function = get_attack_method(attack_method)
attack_instance = attack_function(classifier=classifier)
x_adv = attack_instance.generate(x=x)
predictions = classifier.predict(x_adv)
accuracy = np.sum(np.argmax(predictions, axis=1) == np.argmax(y, axis=1)) / len(y)
print('Accuracy on adversarial test examples: {}%'.format(accuracy * 100))
path_to_directory = join(abspath(lookup.get_db_dirs()[lookup.dataset]), fs.get_uuid())
fs.make_dir(path_to_directory)
db_uuid = processor.convert_to_image(path_to_directory, robust_db_name, x_adv)
return db_uuid
def test_ptclassifier(self):
"""
Third test with the PyTorchClassifier.
:return:
"""
# Get MNIST
(x_train, y_train), (x_test, y_test) = self.mnist
x_train = np.swapaxes(x_train, 1, 3)
x_test = np.swapaxes(x_test, 1, 3)
# Define the network
model = Model()
# Define a loss function and optimizer
loss_fn = nn.CrossEntropyLoss()
optimizer = optim.Adam(model.parameters(), lr=0.01)
# Get classifier
ptc = PyTorchClassifier((0, 1), model, loss_fn, optimizer, (1, 28, 28),
10)
ptc.fit(x_train, y_train, batch_size=BATCH_SIZE, nb_epochs=10)
# First attack
cl2m = CarliniL2Method(classifier=ptc, targeted=True, max_iter=10)
params = {'y': random_targets(y_test, ptc.nb_classes)}
x_test_adv = cl2m.generate(x_test, **params)
self.assertFalse((x_test == x_test_adv).all())
self.assertTrue((x_test_adv <= 1.0001).all())
self.assertTrue((x_test_adv >= -0.0001).all())
target = np.argmax(params['y'], axis=1)
y_pred_adv = np.argmax(ptc.predict(x_test_adv), axis=1)
self.assertTrue((target == y_pred_adv).any())
# Second attack
cl2m = CarliniL2Method(classifier=ptc, targeted=False, max_iter=10)
params = {'y': random_targets(y_test, ptc.nb_classes)}
x_test_adv = cl2m.generate(x_test, **params)
self.assertTrue((x_test_adv <= 1.0001).all())
self.assertTrue((x_test_adv >= -0.0001).all())
target = np.argmax(params['y'], axis=1)
y_pred_adv = np.argmax(ptc.predict(x_test_adv), axis=1)
self.assertTrue((target != y_pred_adv).any())
# Third attack
cl2m = CarliniL2Method(classifier=ptc, targeted=False, max_iter=10)
params = {}
x_test_adv = cl2m.generate(x_test, **params)
self.assertFalse((x_test == x_test_adv).all())
self.assertTrue((x_test_adv <= 1.0001).all())
self.assertTrue((x_test_adv >= -0.0001).all())
y_pred = np.argmax(ptc.predict(x_test), axis=1)
y_pred_adv = np.argmax(ptc.predict(x_test_adv), axis=1)
self.assertTrue((y_pred != y_pred_adv).any())
def get_art_model(model_kwargs, wrapper_kwargs):
model = resnet50(**model_kwargs)
wrapped_model = PyTorchClassifier(
model,
loss=nn.CrossEntropyLoss(),
optimizer=None,
input_shape=(224, 224, 3),
**wrapper_kwargs,
)
return wrapped_model
def test_ptclassifier(self):
"""
Third test with the PyTorchClassifier.
:return:
"""
# Get MNIST
(x_train, y_train), (x_test, y_test) = self.mnist
x_train = np.swapaxes(x_train, 1, 3)
x_test = np.swapaxes(x_test, 1, 3)
# Create simple CNN
# Define the network
model = Model()
# Define a loss function and optimizer
loss_fn = nn.CrossEntropyLoss()
optimizer = optim.Adam(model.parameters(), lr=0.01)
# Get classifier
ptc = PyTorchClassifier((0, 1), model, loss_fn, optimizer, (1, 28, 28),
10)
ptc.fit(x_train, y_train, batch_size=BATCH_SIZE, nb_epochs=1)
# Attack
attack_params = {
"max_translation": 10.0,
"num_translations": 3,
"max_rotation": 30.0,
"num_rotations": 3
}
attack_st = SpatialTransformation(ptc)
x_train_adv = attack_st.generate(x_train, **attack_params)
self.assertTrue(abs(x_train_adv[0, 0, 13, 5] - 0.374206543) <= 0.01)
# self.assertTrue(abs(attack_st.fooling_rate - 0.781) <= 0.01)
self.assertTrue(attack_st.attack_trans_x == 0)
self.assertTrue(attack_st.attack_trans_y == -3)
self.assertTrue(attack_st.attack_rot == 30.0)
x_test_adv = attack_st.generate(x_test)
self.assertTrue(abs(x_test_adv[0, 0, 14, 14] - 0.008591662) <= 0.01)
def setUpClass(cls):
master_seed(seed=1234)
super().setUpClass()
cls.x_train_mnist = np.reshape(
cls.x_train_mnist,
(cls.x_train_mnist.shape[0], 1, 28, 28)).astype(np.float32)
cls.x_test_mnist = np.reshape(
cls.x_test_mnist,
(cls.x_test_mnist.shape[0], 1, 28, 28)).astype(np.float32)
# Define the network
model = nn.Sequential(nn.Conv2d(1, 2, 5),
nn.ReLU(), nn.MaxPool2d(2, 2), Flatten(),
nn.Linear(288, 10))
# Define a loss function and optimizer
loss_fn = nn.CrossEntropyLoss()
optimizer = optim.Adam(model.parameters(), lr=0.01)
classifier = PyTorchClassifier(model=model,
clip_values=(0, 1),
loss=loss_fn,
optimizer=optimizer,
input_shape=(1, 28, 28),
nb_classes=10)
classifier.fit(cls.x_train_mnist,
cls.y_train_mnist,
batch_size=100,
nb_epochs=1)
cls.seq_classifier = classifier
# Define the network
model = Model()
loss_fn = nn.CrossEntropyLoss()
optimizer = optim.Adam(model.parameters(), lr=0.01)
classifier_2 = PyTorchClassifier(model=model,
clip_values=(0, 1),
loss=loss_fn,
optimizer=optimizer,
input_shape=(1, 28, 28),
nb_classes=10)
classifier_2.fit(cls.x_train_mnist,
cls.y_train_mnist,
batch_size=100,
nb_epochs=1)
cls.module_classifier = classifier_2
cls.x_train_mnist = np.reshape(
cls.x_train_mnist,
(cls.x_train_mnist.shape[0], 28, 28, 1)).astype(np.float32)
cls.x_test_mnist = np.reshape(
cls.x_test_mnist,
(cls.x_test_mnist.shape[0], 28, 28, 1)).astype(np.float32)
def _cnn_mnist_py():
model = Model()
# Define a loss function and optimizer
loss_fn = nn.CrossEntropyLoss()
optimizer = optim.Adam(model.parameters(), lr=0.01)
# Get classifier
classifier = PyTorchClassifier((0, 1), model, loss_fn, optimizer, (1, 28, 28), 10)
return classifier
def get_iris_classifier_pt():
"""
Standard PyTorch classifier for unit testing on Iris dataset.
:return: Trained model for Iris dataset.
:rtype: :class:`.PyTorchClassifier`
"""
from art.classifiers import PyTorchClassifier
class Model(nn.Module):
"""
Create Iris model for PyTorch.
The weights and biases are identical to the Tensorflow model in `get_iris_classifier_tf`.
"""
def __init__(self):
super(Model, self).__init__()
w_dense1 = np.load(os.path.join(os.path.dirname(os.path.dirname(__file__)), 'models', 'W_DENSE1_IRIS.npy'))
b_dense1 = np.load(os.path.join(os.path.dirname(os.path.dirname(__file__)), 'models', 'B_DENSE1_IRIS.npy'))
w_dense2 = np.load(os.path.join(os.path.dirname(os.path.dirname(__file__)), 'models', 'W_DENSE2_IRIS.npy'))
b_dense2 = np.load(os.path.join(os.path.dirname(os.path.dirname(__file__)), 'models', 'B_DENSE2_IRIS.npy'))
w_dense3 = np.load(os.path.join(os.path.dirname(os.path.dirname(__file__)), 'models', 'W_DENSE3_IRIS.npy'))
b_dense3 = np.load(os.path.join(os.path.dirname(os.path.dirname(__file__)), 'models', 'B_DENSE3_IRIS.npy'))
self.fully_connected1 = nn.Linear(4, 10)
self.fully_connected1.weight = nn.Parameter(torch.Tensor(np.transpose(w_dense1)))
self.fully_connected1.bias = nn.Parameter(torch.Tensor(b_dense1))
self.fully_connected2 = nn.Linear(10, 10)
self.fully_connected2.weight = nn.Parameter(torch.Tensor(np.transpose(w_dense2)))
self.fully_connected2.bias = nn.Parameter(torch.Tensor(b_dense2))
self.fully_connected3 = nn.Linear(10, 3)
self.fully_connected3.weight = nn.Parameter(torch.Tensor(np.transpose(w_dense3)))
self.fully_connected3.bias = nn.Parameter(torch.Tensor(b_dense3))
def forward(self, x):
x = self.fully_connected1(x)
x = self.fully_connected2(x)
logit_output = self.fully_connected3(x)
return logit_output
# Define the network
model = Model()
# Define a loss function and optimizer
loss_fn = nn.CrossEntropyLoss()
optimizer = optim.Adam(model.parameters(), lr=0.01)
# Get classifier
ptc = PyTorchClassifier(model=model, loss=loss_fn, optimizer=optimizer, input_shape=(4,), nb_classes=3,
clip_values=(0, 1), channel_index=1)
return ptc
def load_classifier(model, data):
"""
Load ART PyTorch classifier from pytorch model
:param model: pytorch model instance
:param data: data class
:return: ART classifier
"""
# not used but mandatory for ART
criterion = torch.nn.CrossEntropyLoss()
optimizer = torch.optim.SGD(model.parameters(), lr=0.01)
classifier = PyTorchClassifier(
model=model,
clip_values=(data.min_pixel_value, data.max_pixel_value),
loss=criterion,
optimizer=optimizer,
input_shape=tuple(data.trainset.data.shape[1:]),
nb_classes=data.num_classes,
device_type="gpu" if USE_CUDA else "cpu")
classifier.set_learning_phase(False)
return classifier
def main(config_filepath):
config = load_config(config_filepath)
if os.path.isfile(config.x_adv_output_path):
click.confirm(f"Overwrite {config.x_adv_output_path}?", abort=True)
np.random.seed(config.seed)
torch.manual_seed(config.seed)
# Load data
x = torch.load(config.x_filepath)
x_shape = x.shape
x = x.reshape(x.shape[0], -1)
y = torch.load(config.y_filepath)
ace = torch.load(config.ace_filepath).cpu()
interventions = torch.load(config.interventions_filepath).cpu()
model = torch.load(config.model_filepath)
clip_values = {}
with open(config.clip_values_filepath, "r") as f:
clip_values = json.load(f)
clip_values = (
clip_values.get("min_pixel_value"),
clip_values.get("max_pixel_value"),
)
classifier = PyTorchClassifier(
model=model,
clip_values=clip_values,
loss=model.criterion,
optimizer=model.optimizer,
input_shape=(1, 28, 28),
nb_classes=10,
) # TODO: move these parameters to config
# Target the attacks to a particular class
y_adv = torch.zeros_like(torch.from_numpy(y))
y_adv[:, 0] = 1.0
# Generate attacks
x_adv = ace_attack(
ace,
interventions,
torch.from_numpy(x),
target_classes=y_adv,
norm=2,
budget=5.0,
) # TODO: move these parameters to config
# Unflatten for saving
x_adv = x_adv.reshape(x_shape)
torch.save(x_adv, config.x_adv_output_path)
def get_classifier_pt():
"""
Standard PyTorch classifier for unit testing
:return: PyTorchClassifier
"""
from art.classifiers import PyTorchClassifier
class Model(nn.Module):
"""
Create model for pytorch.
The weights and biases are identical to the Tensorflow model in get_classifier_tf().
"""
def __init__(self):
super(Model, self).__init__()
w_conv2d = np.load(os.path.join(os.path.dirname(os.path.dirname(__file__)), 'models', 'W_CONV2D_MNIST.npy'))
b_conv2d = np.load(os.path.join(os.path.dirname(os.path.dirname(__file__)), 'models', 'B_CONV2D_MNIST.npy'))
w_dense = np.load(os.path.join(os.path.dirname(os.path.dirname(__file__)), 'models', 'W_DENSE_MNIST.npy'))
b_dense = np.load(os.path.join(os.path.dirname(os.path.dirname(__file__)), 'models', 'B_DENSE_MNIST.npy'))
self.conv = nn.Conv2d(in_channels=1, out_channels=1, kernel_size=7)
w_conv2d_pt = np.swapaxes(w_conv2d, 0, 2)
w_conv2d_pt = np.swapaxes(w_conv2d_pt, 1, 3)
self.conv.weight = nn.Parameter(torch.Tensor(w_conv2d_pt))
self.conv.bias = nn.Parameter(torch.Tensor(b_conv2d))
self.pool = nn.MaxPool2d(4, 4)
self.fullyconnected = nn.Linear(25, 10)
self.fullyconnected.weight = nn.Parameter(torch.Tensor(np.transpose(w_dense)))
self.fullyconnected.bias = nn.Parameter(torch.Tensor(b_dense))
def forward(self, x):
import torch.nn.functional as f
x = self.pool(f.relu(self.conv(x)))
x = x.view(-1, 25)
logit_output = self.fullyconnected(x)
return logit_output
# Define the network
model = Model()
# Define a loss function and optimizer
loss_fn = nn.CrossEntropyLoss()
optimizer = optim.Adam(model.parameters(), lr=0.01)
# Get classifier
ptc = PyTorchClassifier(model=model, loss=loss_fn, optimizer=optimizer, input_shape=(1, 28, 28), nb_classes=10,
clip_values=(0, 1))
return ptc
def main(args):
(x_train, y_train), (x_test,
y_test), min_, max_ = load_dataset(str('cifar10'))
x_train = np.swapaxes(x_train, 1, 3).astype(np.float32)
x_test = np.swapaxes(x_test, 1, 3).astype(np.float32)
x_train = x_train
y_train = y_train
model = VGG('VGG16')
model.load_state_dict(torch.load("./logs/pytorch_vgg16.model"))
criterion = nn.CrossEntropyLoss()
optimizer = optim.Adam(model.parameters(), lr=1e-2)
classifier = PyTorchClassifier(model=model,
clip_values=(min_, max_),
loss=criterion,
optimizer=optimizer,
input_shape=(3, 32, 32),
nb_classes=10)
predictions = classifier.predict(x_test)
accuracy = np.sum(
np.argmax(predictions, axis=1) == np.argmax(y_test, axis=1)) / len(
y_test)
print('Accuracy on benign test examples: {}%'.format(accuracy * 100))
pred_y = classifier.predict(x_train)
v_max = 0
n = 1000
n_sp = list(split_list(x_train, n))
for i, X_t in enumerate(n_sp):
print(f'split_No {i + 1}')
v_max = simulated_anniling(classifier, X_t, args)
# Compute fooling rate
adv_x = x_train + v_max
adv_y = classifier.predict(adv_x)
fooling_rate = loss_fn(pred_y, adv_y, mode="fool_rate")
print(fooling_rate)
def test_ptclassifier(self):
"""
Third test with the PyTorchClassifier.
:return:
"""
# Get MNIST
(x_train, y_train), (x_test, y_test) = self.mnist
x_train = np.swapaxes(x_train, 1, 3)
x_test = np.swapaxes(x_test, 1, 3)
# Create simple CNN
model = Model()
# Define a loss function and optimizer
loss_fn = nn.CrossEntropyLoss()
optimizer = optim.Adam(model.parameters(), lr=0.01)
# Get classifier
ptc = PyTorchClassifier((0, 1), model, loss_fn, optimizer, (1, 28, 28),
10)
ptc.fit(x_train, y_train, batch_size=BATCH_SIZE, nb_epochs=1)
# Attack
nf = NewtonFool(ptc, max_iter=5)
x_test_adv = nf.generate(x_test)
self.assertFalse((x_test == x_test_adv).all())
y_pred = ptc.predict(x_test)
y_pred_adv = ptc.predict(x_test_adv)
y_pred_bool = y_pred.max(axis=1, keepdims=1) == y_pred
y_pred_max = y_pred.max(axis=1)
y_pred_adv_max = y_pred_adv[y_pred_bool]
self.assertTrue((y_pred_max >= y_pred_adv_max).all())