def test_keras_iris_unbounded(self):
classifier = get_tabular_classifier_kr()
# Recreate a classifier without clip values
classifier = KerasClassifier(model=classifier._model, use_logits=False, channels_first=True)
attack = ProjectedGradientDescent(classifier, eps=1, eps_step=0.2, max_iter=5)
x_test_adv = attack.generate(self.x_test_iris)
self.assertFalse((self.x_test_iris == x_test_adv).all())
self.assertTrue((x_test_adv > 1).any())
self.assertTrue((x_test_adv < 0).any())
preds_adv = np.argmax(classifier.predict(x_test_adv), axis=1)
self.assertFalse((np.argmax(self.y_test_iris, axis=1) == preds_adv).all())
acc = np.sum(preds_adv == np.argmax(self.y_test_iris, axis=1)) / self.y_test_iris.shape[0]
logger.info("Accuracy on Iris with PGD adversarial examples: %.2f%%", (acc * 100))
def __init__(
self, attack_alias, attack_pars, data, labels, data_conf, target_models
):
pars_descriptors = {} # No additional parameters
inference_attacks = []
for target_model in target_models:
target_classifier = KerasClassifier(target_model, clip_values=(0, 1))
inference_attacks.append(
membership_inference.MembershipInferenceBlackBoxRuleBased(
classifier=target_classifier
)
)
super().__init__(
attack_alias,
data,
labels,
data_conf,
target_models,
inference_attacks,
pars_descriptors,
)
self.report_section = report.ReportSection(
"Membership Inference Black-Box Rule-Based",
self.attack_alias,
"ART_MembershipInferenceBlackBoxRuleBased",
)
def _get_image_classifier_list_defended(one_classifier=False, **kwargs):
sess = None
classifier_list = None
if framework == "keras":
classifier = utils.get_image_classifier_kr()
# Get the ready-trained Keras model
fs = FeatureSqueezing(bit_depth=1, clip_values=(0, 1))
classifier_list = [
KerasClassifier(model=classifier._model,
clip_values=(0, 1),
preprocessing_defences=fs)
]
if framework == "tensorflow":
logging.warning(
"{0} doesn't have a defended image classifier defined yet".
format(framework))
if framework == "pytorch":
logging.warning(
"{0} doesn't have a defended image classifier defined yet".
format(framework))
if framework == "scikitlearn":
logging.warning(
"{0} doesn't have a defended image classifier defined yet".
format(framework))
if classifier_list is None:
return None, None
if one_classifier:
return classifier_list[0], sess
return classifier_list, sess
def _get_tabular_classifier_list(clipped=True):
if framework == "keras":
if clipped:
classifier_list = [get_tabular_classifier_kr()]
else:
classifier = get_tabular_classifier_kr()
classifier_list = [
KerasClassifier(model=classifier.model,
use_logits=False,
channels_first=True)
]
if framework == "tensorflow":
if clipped:
classifier, _ = get_tabular_classifier_tf()
classifier_list = [classifier]
else:
logging.warning(
"{0} doesn't have an uncliped classifier defined yet".
format(framework))
classifier_list = None
if framework == "pytorch":
if clipped:
classifier_list = [get_tabular_classifier_pt()]
else:
logging.warning(
"{0} doesn't have an uncliped classifier defined yet".
format(framework))
classifier_list = None
if framework == "scikitlearn":
return get_tabular_classifier_scikit_list(clipped=False)
return classifier_list
def get_art_model(model_kwargs, wrapper_kwargs, weights_path=None):
model = make_model(**model_kwargs)
if weights_path:
model.load_weights(weights_path)
wrapped_model = KerasClassifier(model=model, **wrapper_kwargs)
return wrapped_model
def __init__(self, linf_args={}, cond_ratio=0.01, ref_data=None, **kwds):
super().__init__(**kwds)
self.metric = LInf(**linf_args)
self.cond_ratio = cond_ratio
self.ref_data = ref_data
## define a global attacker
classifier = KerasClassifier(clip_values=(MIN, -MIN), model=self.dnn)
self.adv_crafter = FastGradientMethod(classifier)
def generate_adv_samples(self, model_path, name):
name = name
model = models.load_model(model_path)
x_train, x_test, y_train, y_test = self.data_pre_process(name)
classifier = KerasClassifier(clip_values=(np.min(x_train), np.max(x_train)), model=model)
fgsm = FastGradientMethod(classifier, eps=0.01, minimal=True, eps_step=0.01, num_random_init=35,
targeted=False, batch_size=128)
x_adv_test = fgsm.generate(x=x_test)
return x_adv_test
def __init__(self, linf_args={}, cond_ratio=0.01, ref_data=None, **kwds):
"""
TODO: FGM also accepts the L1 and L2 norms, in addition to Linf.
"""
super().__init__(**kwds)
self.metric = LInf(**linf_args)
self.cond_ratio = cond_ratio
self.ref_data = ref_data
## define a global attacker
classifier = KerasClassifier(clip_values=(MIN, -MIN), model=self.dnn)
self.adv_crafter = FastGradientMethod(classifier)
def _image_dl_estimator_defended(one_classifier=False, **kwargs):
sess = None
classifier = None
clip_values = (0, 1)
fs = FeatureSqueezing(bit_depth=2, clip_values=clip_values)
defenses = []
if kwargs.get("defenses") is None:
defenses.append(fs)
else:
if "FeatureSqueezing" in kwargs.get("defenses"):
defenses.append(fs)
if "JpegCompression" in kwargs.get("defenses"):
defenses.append(
JpegCompression(clip_values=clip_values,
apply_predict=True))
if "SpatialSmoothing" in kwargs.get("defenses"):
defenses.append(SpatialSmoothing())
del kwargs["defenses"]
if framework == "keras":
kr_classifier = get_image_classifier_kr(**kwargs)
# Get the ready-trained Keras model
classifier = KerasClassifier(model=kr_classifier._model,
clip_values=(0, 1),
preprocessing_defences=defenses)
if framework == "kerastf":
kr_tf_classifier = get_image_classifier_kr_tf(**kwargs)
classifier = KerasClassifier(model=kr_tf_classifier._model,
clip_values=(0, 1),
preprocessing_defences=defenses)
if classifier is None:
raise ARTTestFixtureNotImplemented(
"no defended image estimator",
image_dl_estimator_defended.__name__, framework,
{"defenses": defenses})
return classifier, sess
def __init__(
self, attack_alias, attack_pars, data, labels, data_conf, target_models
):
pars_descriptors = {
"attack_model_type": "Attack model type",
"input_type": "Input type",
"attack_model": "Attack model",
}
# Display warning if no Keras model is provided
if (
"attack_model" in attack_pars
and not isinstance(attack_pars["attack_model"], KerasClassifier)
) or "attack_model" not in attack_pars:
logger.warning(
"The provided Attack Model (attack_model) seems not to be a Keras "
"classifier. This may result in stability issues and your runtime may "
"crash! It is recommended to use a Keras model for this attack."
)
# Handle specific attack class parameters
params = {}
for k in pars_descriptors:
if k in attack_pars:
params[k] = attack_pars[k]
inference_attacks = []
for target_model in target_models:
target_classifier = KerasClassifier(target_model, clip_values=(0, 1))
inference_attacks.append(
membership_inference.MembershipInferenceBlackBox(
classifier=target_classifier, **params
)
)
if inference_attacks[-1].attack_model_type is "None":
inference_attacks[-1].attack_model_type = "Custom"
super().__init__(
attack_alias,
data,
labels,
data_conf,
target_models,
inference_attacks,
pars_descriptors,
)
self.report_section = report.ReportSection(
"Membership Inference Black-Box",
self.attack_alias,
"ART_MembershipInferenceBlackBox",
)
def wrap_classifier(self, model, X_test):
ret_status = True
try:
mix_pixel_value = np.amin(X_test)
max_pixel_value = np.amax(X_test)
classifier = KerasClassifier(model=model,
clip_values=(mix_pixel_value, max_pixel_value),
use_logits=False)
self.print_message(OK, 'Wrapped model using KerasClassifier.')
return True, classifier
except Exception as e:
ret_status = False
self.print_exception(e, 'Could not wrap classifier')
return ret_status, None
def get_art_model(model_kwargs: dict,
wrapper_kwargs: dict,
weights_path: Optional[str] = None):
model = make_model(**model_kwargs)
if weights_path:
model.load_weights(weights_path)
wrapper_kwargs2 = deepcopy(wrapper_kwargs)
if "clip_values" in wrapper_kwargs:
if isinstance(wrapper_kwargs["clip_values"], list):
wrapper_kwargs2["clip_values"] = np.array(
wrapper_kwargs2["clip_values"])
wrapped_model = KerasClassifier(model=model, **wrapper_kwargs2)
return wrapped_model
def adv_model_fit(self):
model = self.choose_model
x_train, x_test, y_train, y_test = self.data_pre_process()
classifier = KerasClassifier(clip_values=(np.min(x_train), np.max(x_train)), model=model)
fgsm = FastGradientMethod(classifier, eps=0.01, minimal=True, eps_step=0.01, num_random_init=35,
targeted=False, batch_size=128)
x_train, x_test = self.data_reshape(self.model_choice, x_train, x_test)
x_adv_train = fgsm.generate(x=x_train)
history = model.fit(x_adv_train, y_train, epochs=self.epochs, batch_size=32, validation_split=0.2)
data_record = DataRecord()
data_record.model = model
data_record.summary = model.to_yaml()
data_record.history = history
data_record.epochs = self.epochs
self.result_save(data_record, self.save_adv_dir)
def __init__(
self, attack_alias, attack_pars, data, labels, data_conf, target_models
):
pars_descriptors = {
"distance_threshold_tau": "Threshold distance",
# HopSkipJump parameters
"norm": "Adversarial perturbation norm",
"max_iter": "Max. iterations",
"max_eval": "Max. evaluations",
"init_eval": "Initial evaluations",
"init_size": "Max. trials",
"verbose": "Verbose output",
}
# Save HopSkipJump parameters
self.hopskipjump_args = attack_pars.copy()
del self.hopskipjump_args["distance_threshold_tau"]
# Hide verbose parameter from report
if "verbose" in self.hopskipjump_args:
del self.hopskipjump_args["verbose"]
inference_attacks = []
for target_model in target_models:
target_classifier = KerasClassifier(target_model, clip_values=(0, 1))
inference_attacks.append(
membership_inference.LabelOnlyDecisionBoundary(
target_classifier,
distance_threshold_tau=attack_pars["distance_threshold_tau"],
)
)
super().__init__(
attack_alias,
data,
labels,
data_conf,
target_models,
inference_attacks,
pars_descriptors,
)
self.report_section = report.ReportSection(
"Label Only Decision Boundary",
self.attack_alias,
"ART_LabelOnlyDecisionBoundary",
)
def __init__(
self, attack_alias, attack_pars, data, labels, data_conf, target_models
):
pars_descriptors = {
"batch_size_fit": "Batch size (thieved classifier)",
"batch_size_query": "Batch size (victim classifier)",
"nb_epochs": "Number of epochs for training",
"nb_stolen": "Number of victim queries",
"use_probability": "Use probability",
"sampling_strategy": "Sampling strategy",
"reward": "Reward type",
"verbose": "Show progress bars",
}
# Handle specific attack class parameters
params = {}
for k in pars_descriptors:
if k in attack_pars:
params[k] = attack_pars[k]
extraction_attacks = []
for target_model in target_models:
target_classifier = KerasClassifier(target_model, clip_values=(0, 1))
extraction_attacks.append(
art.attacks.extraction.KnockoffNets(
classifier=target_classifier, **params
)
)
super().__init__(
attack_alias,
{"stolen_models": attack_pars["stolen_models"]},
data,
labels,
data_conf,
target_models,
extraction_attacks,
pars_descriptors,
)
self.report_section = report.ReportSection(
"Knockoff Nets",
self.attack_alias,
"ART_KnockoffNets",
)
def cnn_mnist_k(input_shape):
# Create simple CNN
model = Sequential()
model.add(
Conv2D(4,
kernel_size=(5, 5),
activation="relu",
input_shape=input_shape))
model.add(MaxPooling2D(pool_size=(2, 2)))
model.add(Flatten())
model.add(Dense(10, activation="softmax"))
model.compile(loss=keras.losses.categorical_crossentropy,
optimizer=keras.optimizers.Adam(lr=0.01),
metrics=["accuracy"])
classifier = KerasClassifier(model=model, clip_values=(0, 1))
return classifier
def _tabular_dl_estimator(clipped=True):
classifier = None
if framework == "keras":
if clipped:
classifier = get_tabular_classifier_kr()
else:
kr_classifier = get_tabular_classifier_kr()
classifier = KerasClassifier(model=kr_classifier.model, use_logits=False, channels_first=True)
if framework == "tensorflow1" or framework == "tensorflow2":
if clipped:
classifier, _ = get_tabular_classifier_tf()
if framework == "pytorch":
if clipped:
classifier = get_tabular_classifier_pt()
if classifier is None:
raise ARTTestFixtureNotImplemented(
"no deep learning tabular estimator available", tabular_dl_estimator.__name__, framework
)
return classifier
def pre_adv_model_fit(self):
model = models.load_model(os.path.join(self.save_dir, f'{self.model_choice}/model.h5'))
x_train, x_test, y_train, y_test = self.data_pre_process()
classifier = KerasClassifier(clip_values=(np.min(x_train), np.max(x_train)), model=model)
fgsm = FastGradientMethod(classifier, eps=0.01, minimal=True, eps_step=0.01, num_random_init=35,
targeted=False, batch_size=32)
x_train, x_test = self.data_reshape(self.model_choice, x_train, x_test)
x_adv_train = fgsm.generate(x=x_train)
# x_adv_test = fgsm.generate(x=x_test)
# adv_trainer = AdversarialTrainer(classifier, attacks=fgsm, ratio=1.0)
# # samples = np.array(list(range(0, y_train.shape[0])))
# # y_train = np.column_stack((samples, y_train))
# y_train = np.reshape(y_train, (y_train.shape[0],))
# print(y_train.shape)
# adv_trainer.fit(x_adv_train, y_train, batch_size=128, nb_epochs=10)
history = model.fit(x_adv_train, y_train, epochs=self.epochs, batch_size=32, validation_split=0.2)
data_record = DataRecord()
data_record.model = model
data_record.summary = model.to_yaml()
data_record.history = history
data_record.epochs = self.epochs
self.result_save(data_record, self.save_pre_adv_dir)
def gen_adv_data(model, x, y, attack_name, dataset_name, batch_size=2048):
logging.getLogger().setLevel(logging.CRITICAL)
classifier_param = classifier_params[dataset_name]
classifier = KerasClassifier(model, **classifier_param)
attack_param = attack_params[attack_name][dataset_name]
if attack_name not in [ST]:
if "batch_size" not in attack_param:
attack_param["batch_size"] = batch_size
if attack_name not in [
FGSM, BIM
]: ## some attacks don't have verbose parameter, e.g. bim
attack_param["verbose"] = VERBOSE
attack = call_function_by_attack_name(attack_name)(classifier,
**attack_param)
data_num = x.shape[0]
adv_x = attack.generate(x=x, y=y)
logging.getLogger().setLevel(logging.INFO)
return adv_x
def __init__(
self, attack_alias, attack_pars, data, labels, data_conf, target_models
):
super().__init__(
attack_alias,
{},
data,
labels,
data_conf,
target_models,
)
self.pars_descriptors = {
"max_iter": "Max. iterations",
"window_length": "Window length",
"threshold": "Stopping threshold",
"batch_size": "Batch size",
"verbose": "Verbose output",
}
# Handle specific attack class parameters
params = {}
for k in self.pars_descriptors:
if k in attack_pars:
params[k] = attack_pars[k]
self.inference_attacks = []
for target_model in target_models:
target_classifier = KerasClassifier(target_model, clip_values=(0, 1))
self.inference_attacks.append(
model_inversion.MIFace(target_classifier, **params)
)
self.report_section = report.ReportSection(
"Model Inversion MIFace",
self.attack_alias,
"ART_MIFace",
)
kernel_size=(3, 3),
activation="relu",
input_shape=x_train.shape[1:]))
model.add(Conv2D(64, (3, 3), activation="relu"))
model.add(MaxPooling2D(pool_size=(2, 2)))
model.add(Dropout(0.25))
model.add(Flatten())
model.add(Dense(128, activation="relu"))
model.add(Dropout(0.5))
model.add(Dense(10, activation="softmax"))
model.compile(loss="categorical_crossentropy",
optimizer="adam",
metrics=["accuracy"])
classifier = KerasClassifier(model=model, clip_values=(min_, max_))
classifier.fit(x_train, y_train, nb_epochs=5, batch_size=128)
# Evaluate the classifier on the test set
preds = np.argmax(classifier.predict(x_test), axis=1)
acc = np.sum(preds == np.argmax(y_test, axis=1)) / y_test.shape[0]
print("\nTest accuracy: %.2f%%" % (acc * 100))
# Craft adversarial samples with FGSM
epsilon = 0.1 # Maximum perturbation
adv_crafter = FastGradientMethod(classifier, eps=epsilon)
x_test_adv = adv_crafter.generate(x=x_test)
# Evaluate the classifier on the adversarial examples
preds = np.argmax(classifier.predict(x_test_adv), axis=1)
acc = np.sum(preds == np.argmax(y_test, axis=1)) / y_test.shape[0]
def run_svc(test_object, outs):
print('To run svc\n')
setup_layer = \
lambda l, i, **kwds: CoverableLayer (layer = l, layer_index = i, **kwds)
cover_layers = get_cover_layers(test_object.dnn,
setup_layer,
layer_indices=test_object.layer_indices,
activation_of_conv_or_dense_only=True,
exclude_direct_input_succ=True)
f_results = outs.stamped_filename('SVC_report', suff='.txt')
## define a global attacker
classifier = KerasClassifier(clip_values=(MIN, -MIN),
model=test_object.dnn)
adv_crafter = FastGradientMethod(classifier)
test_cases = []
adversarials = []
count = 0
while True:
dec_layer_index, dec_pos = get_ssc_next(cover_layers)
if dec_layer_index == 1 and is_input_layer(test_object.dnn.layers[0]):
continue
print('dec_layer_index', cover_layers[dec_layer_index].layer_index)
###
cond_layer = cover_layers[dec_layer_index - 1]
dec_layer = cover_layers[dec_layer_index]
cond_cover = np.ones(cond_layer.ssc_map.shape, dtype=bool)
###
## skip if dec_pos is a padding
if is_padding(dec_pos, dec_layer, cond_layer):
continue
cond_pos = np.random.randint(0, cond_cover.size)
print('cond, dec layer index: ', cond_layer.layer_index,
dec_layer.layer_index)
print('dec_layer_index: ', cover_layers[dec_layer_index].layer_index)
count += 1
dec_ub = dec_layer.ubs.item(dec_pos) + 0.001
#for act in activations[dec_layer.layer_index]:
# v=act.item(dec_pos)
# if v>dec_ub: dec_ub=v
print('dec_ub: ', dec_ub)
d_min, d_norm, new_image, old_image = svc_search(
test_object, cond_layer, cond_pos, dec_layer, dec_pos, adv_crafter,
dec_ub)
print('d_min is', d_min, 'd_norm is', d_norm)
feasible = (d_min <= test_object.cond_ratio * cond_layer.ssc_map.size
or d_min == 1)
top1_adv_flag = False
top5_adv_flag = False
top5b_adv_flag = False
y1s = []
y2s = []
y1_flag = False
y2_flag = False
labels = test_object.labels #[555, 920]
l0_d = None
top_classes = test_object.top_classes
inp_ub = test_object.inp_ub
if feasible:
test_cases.append((new_image, old_image))
if inp_ub == 255:
new_image = new_image.astype('uint8')
old_image = old_image.astype('uint8')
diff_image = np.abs(new_image - old_image)
l0_d = np.count_nonzero(diff_image) / (new_image.size * 1.0)
y1s = (np.argsort(test_object.dnn.predict(np.array(
[new_image]))))[0][-top_classes:]
y2s = (np.argsort(test_object.dnn.predict(np.array(
[old_image]))))[0][-top_classes:]
if y1s[top_classes - 1] != y2s[top_classes - 1]:
top1_adv_flag = True
if not y1s[top_classes - 1] in y2s: top5b_adv_flag = True
for label in labels:
if label in y1s: y1_flag = True
if label in y2s: y2_flag = True
if y1_flag != y2_flag: top5_adv_flag = True
if top5_adv_flag:
print('found an adversarial example')
adversarials.append((new_image, old_image))
save_an_image(
new_image / (inp_ub * 1.0),
'{0}-adv-{1}.png'.format(len(adversarials),
y1s[top_classes - 1]),
f_results.split('/')[0])
save_an_image(
old_image / (inp_ub * 1.0),
'{0}-original-{1}.png'.format(len(adversarials),
y2s[top_classes - 1]),
f_results.split('/')[0])
save_an_image(diff_image / (inp_ub * 1.0),
'{0}-diff.png'.format(len(adversarials)),
f_results.split('/')[0])
adv_flag = True
else:
print("not feasible")
append_in_file(
f_results,
'{0} {1} {2} {3} {4} {5} {6} {7} {8} {9} {10} {11} {12} {13}\n'.
format(count, len(test_cases), len(adversarials), feasible,
top1_adv_flag, top5_adv_flag, top5b_adv_flag, d_min, d_norm,
l0_d, dec_layer.layer_index, cond_layer.ssc_map.size, y1s,
y2s))
elif dataset == 'mnist':
input_shape = [32, 32, 3]
elif dataset == 'ddsm':
input_shape = [116, 116, 3]
elif dataset == 'cifar':
input_shape = [32, 32, 3]
elif dataset == 'lidc':
input_shape = (116, 116, 3)
# load model
model = load_model(path + 'models/' + dataset + '/' + dataset +
'_vgg16_model.h5')
############### create robust classifier ###############
robust_classifier = KerasClassifier(clip_values=(0, 1),
model=model,
use_logits=False)
# evaluate original classifier accuracy on training set
acc = accuracy_score(y_train, (robust_classifier.predict(x_train) > 0.5))
print("Accuracy of original classifier on train set: %.2f%%, " % (acc * 100))
# auc = roc_auc_score(y_train, robust_classifier.predict(x_train), average='macro')
# print("Auc of original classifier on train set: %.2f%%\n" % (auc * 100))
# Evaluate classifier accuracy on the test set
acc = accuracy_score(y_test, (robust_classifier.predict(x_test) > 0.5))
print("Accuracy of original classifier on test set: %.2f%%, " % (acc * 100))
# auc = roc_auc_score(y_test, robust_classifier.predict(x_test), average='macro')
# print("Auc of original classifier on test set: %.2f%%\n" % (auc * 100))
# Craft adversarial samples
def main():
Ad = np.load(AD_MAT_FILE) # Load adjacency matrix
NUM_TEST = 50
NUM_GRAPH = 200
array_std, array_mean_values, array_overlap_ratio = load_raw_result_csv(
RAW_RESULT_FILE)
NUM_CLASS = array_mean_values.shape[1]
print(array_mean_values.shape)
with open("result_PGD.csv", "w", newline='') as csvfile:
writer = csv.writer(csvfile)
writer.writerow([
"overlap ratio", "acc_test_L", "acc_test_WL", "acc_adv_with_Lip",
"acc_adv_without_Lip"
])
for i in range(NUM_TEST):
x_test, y_test = reconstruct_test_data(array_std[i],
array_mean_values[i], Ad,
NUM_GRAPH)
model_with_Lip_constr = tf.keras.models.load_model(
"saved_model/fit{}_model_with_Lip_constr.h5".format(i))
print(model_with_Lip_constr.summary())
model_without_Lip_constr = tf.keras.models.load_model(
"saved_model/fit{}_model_without_Lip_constr.h5".format(i))
print(
"Evaluation of model WITH Lipschitz constant constraint on TEST data"
)
loss_test_L, acc_test_L = model_with_Lip_constr.evaluate(
x_test, y_test, batch_size=x_test.shape[0], verbose=0)
print("Loss: {:.4f}, accuracy: {:.4f}".format(loss_test_L, acc_test_L))
print(
"Evaluation of model WITHOUT Lipschitz constant constraint on TEST data"
)
loss_test_WL, acc_test_WL = model_without_Lip_constr.evaluate(
x_test, y_test, batch_size=x_test.shape[0], verbose=0)
print("Loss: {:.4f}, accuracy: {:.4f}".format(loss_test_WL,
acc_test_WL))
# Reshape model output
reshape_with_Lip = Reshape(
(x_test.shape[1] * NUM_CLASS, ),
name="added_reshape_layer_L")(model_with_Lip_constr.output)
new_model_with_Lip = Model(inputs=model_with_Lip_constr.input,
outputs=reshape_with_Lip)
reshape_without_Lip = Reshape(
(x_test.shape[1] * NUM_CLASS, ),
name="added_reshape_layer_WL")(model_without_Lip_constr.output)
new_model_without_Lip = Model(inputs=model_without_Lip_constr.input,
outputs=reshape_without_Lip)
new_model_with_Lip.compile(loss='categorical_crossentropy',
optimizer='adam',
metrics=['accuracy'])
new_model_without_Lip.compile(loss='categorical_crossentropy',
optimizer='adam',
metrics=['accuracy'])
min_value = np.min(array_mean_values[i]) - 100 * array_std[i]
max_value = np.max(array_mean_values[i]) + 100 * array_std[i]
classifier_with_Lip = KerasClassifier(model=new_model_with_Lip,
clip_values=(min_value,
max_value),
use_logits=False)
classifier_without_Lip = KerasClassifier(model=new_model_without_Lip,
clip_values=(min_value,
max_value),
use_logits=False)
attack1 = AutoProjectedGradientDescent(estimator=classifier_with_Lip,
norm="inf",
eps=0.6,
eps_step=1,
batch_size=200,
nb_random_init=5,
verbose=True,
targeted=False)
attack2 = AutoProjectedGradientDescent(
estimator=classifier_without_Lip,
norm="inf",
eps=0.6,
eps_step=1,
batch_size=200,
nb_random_init=5,
verbose=True,
targeted=False)
x_test_adv1 = attack1.generate(x=x_test,
mask=np.ones((1, x_test.shape[1],
x_test.shape[2])))
x_test_adv2 = attack2.generate(x=x_test,
mask=np.ones((1, x_test.shape[1],
x_test.shape[2])))
y_predict_adv_with_Lip = classifier_with_Lip.predict(x_test_adv1)
y_predict_adv_without_Lip = classifier_without_Lip.predict(x_test_adv2)
y_predict_adv_with_Lip = y_predict_adv_with_Lip.reshape((y_test.shape))
y_predict_adv_without_Lip = y_predict_adv_without_Lip.reshape(
(y_test.shape))
acc_adv_with_Lip = np.sum(
np.argmax(y_predict_adv_with_Lip, axis=2) == np.argmax(
y_test, axis=2)) / (y_test.shape[0] * y_test.shape[1])
print(
"Accuracy on adversarial test examples with Lipschitz constraint: {:.2f}%"
.format(acc_adv_with_Lip * 100))
acc_adv_without_Lip = np.sum(
np.argmax(y_predict_adv_without_Lip, axis=2) == np.argmax(
y_test, axis=2)) / (y_test.shape[0] * y_test.shape[1])
print(
"Accuracy on adversarial test examples without Lipschitz constraint: {:.2f}%"
.format(acc_adv_without_Lip * 100))
with open("result_PGD.csv", "a", newline='') as csvfile:
writer = csv.writer(csvfile)
writer.writerow([
array_overlap_ratio[i], acc_test_L, acc_test_WL,
acc_adv_with_Lip, acc_adv_without_Lip
])
x_test = x_test[0:num_samples_test]
y_test = y_test[0:num_samples_test]
class_descr = [
'airplane', 'automobile', 'bird', 'cat', 'deer', 'dog', 'frog', 'horse',
'ship', 'truck'
]
path = get_file(
'cifar_alexnet.h5',
extract=False,
path=config.ART_DATA_PATH,
url='https://www.dropbox.com/s/ta75pl4krya5djj/cifar_alexnet.h5?dl=1')
classifier_model = load_model(path)
classifier = KerasClassifier(clip_values=(min_, max_),
model=classifier_model,
use_logits=False,
preprocessing=(0.5, 1))
target_class = "bird" # one of ['airplane', 'automobile', 'bird', 'cat', 'deer', 'dog', 'frog', 'horse', 'ship', 'truck']
target_label = np.zeros(len(class_descr))
target_label[class_descr.index(target_class)] = 1
target_instance = np.expand_dims(
x_test[np.argmax(y_test, axis=1) == class_descr.index(target_class)][3],
axis=0)
# fig = plt.imshow(target_instance[0])
print('true_class: ' + target_class)
print('predicted_class: ' +
class_descr[np.argmax(classifier.predict(target_instance), axis=1)[0]])
feature_layer = classifier.layer_names[-2]
parameters = None
# Read parameters from file
with open(parameters_path) as parameters_file:
parameters = json.load(parameters_file)
# Get classifiers, wrap as ART classifiers
raw_training_data, raw_test_data = get_dataset(parameters['dataset'])
classifier, distilled_classifier = get_defensive_distilled_classifier(
parameters, raw_training_data, raw_test_data,
remove_incorrectly_predicted)
test_dataset = Dataset(raw_test_data[0], raw_test_data[1])
distilled_test_set = Dataset(raw_test_data[0],
convert_to_one_hot(raw_test_data[1], 10))
art_classifier = KerasClassifier(model=classifier,
clip_values=(0, 1),
use_logits=False)
art_classifier_distilled = KerasClassifier(model=distilled_classifier,
clip_values=(0, 1),
use_logits=False)
# Create adversarial data sets with low epsilon
fast_gradient_method_low_epsil = FastGradientMethod(
estimator=art_classifier, eps=0.1)
fast_gradient_method_high_epsil = FastGradientMethod(
estimator=art_classifier, eps=0.2)
adversarial_low_epsil = fast_gradient_method_low_epsil.generate(
x=test_dataset.images)
adversarial_high_epsil = fast_gradient_method_high_epsil.generate(
x=test_dataset.images)
adversarial_low_dataset = Dataset(adversarial_low_epsil,
# # Discarded iris and stl10 dataset
# (x_train, y_train), (x_test, y_test), min_, max_ = load_dataset('stl10')
# (x_train, y_train), (x_test, y_test), min_, max_ = load_dataset('iris')
# # path = get_file('cifar_resnet.h5',extract=False, path=ART_DATA_PATH,
# # url='https://www.dropbox.com/s/ta75pl4krya5djj/cifar_resnet.h5?dl=1')
# # classifier_model = load_model(path)
# classifier_model = KerasClassifier()
# classifier_model.fit(x = x_train, y = y_train)
test_num = adv_num = len(x_test)
# test_num = adv_num = 500
# test_num = 10
# adv_num = 10
classifier = KerasClassifier(clip_values=(min_, max_),
model=classifier_model,
use_logits=False)
# classifier_model.summary()
x_test_pred = np.argmax(classifier.predict(x_test[:test_num]), axis=1)
nb_correct_pred = np.sum(x_test_pred == np.argmax(y_test[:test_num], axis=1))
print(f"Original test data (first {test_num} images):")
print("Correctly classified: {}".format(nb_correct_pred))
print("Incorrectly classified: {}".format(test_num - nb_correct_pred))
start = timeit.default_timer()
# FGSM with extensions
attacker = FastGradientSignMethod(classifier, eps=5, batch_size=32)
# x_test_adv = attacker.generate(x_test[:adv_num]) # non-targeted
# x_test_adv = attacker.generate_targeted(x_test[:adv_num], aimed_target = x_test[0]) #targeted
x_test_adv = attacker.generate_iterative(
def mcdc(x, dnn, aveImg_binary, mcdc_cond_ratio=0.2, max_v=255, lb_v=-125.5, ub_v=125.5, opt=True, num=None, tot_iters=1000, outs = '/tmp/'):
x_test=np.array([x])
raw_data=raw_datat(x_test,None)
test_object=test_objectt(dnn, raw_data, 'ssc', 'linf')
test_object.cond_ratio=mcdc_cond_ratio
adv_object=adv_objectt(max_v, lb_v, ub_v)
predictResults = dnn.predict(np.array([x]), verbose=1)
res=np.argmax(predictResults)
f_results, layer_functions, cover_layers, _ = ssc_setup(test_object, outs)
d_advs=[]
append_in_file (f_results,
'#ssc runs; #test cases; #adversarial examples; is feasible; is top-1 adversarial example; is top-x adversarial example; condition feature size; L infinity distance; L0 distance; decision layer index; dec feature; #condition layer neurons; new labels; original labels; coverage; local coverage\n')
if not (num is None):
new_images=[]
tot_decs=0
if test_object.layer_indices==None:
for i in range(1, len(cover_layers)):
if i==1 and is_input_layer(test_object.dnn.layers[0]): continue
else:
csp=cover_layers[i].layer.input.shape
dsp=cover_layers[i].ssc_map.shape
if is_dense_layer(cover_layers[i].layer) or not (csp[1]==dsp[1] and csp[2]==dsp[2]):
tot_decs+=cover_layers[i].ssc_map.size
else:
ks=cover_layers[i].layer.kernel_size
sp=cover_layers[i].ssc_map.shape
tot_decs+=((sp[1]-ks[0]+1)*(sp[2]-ks[1]+1)*sp[3])
else:
print (test_object.layer_indices, test_object.feature_indices)
for i in range(1, len(cover_layers)):
if cover_layers[i].layer_index in test_object.layer_indices:
print ('****', i)
csp=cover_layers[i].layer.input.shape
dsp=cover_layers[i].ssc_map.shape
if is_dense_layer(cover_layers[i].layer) or not (csp[1]==dsp[1] and csp[2]==dsp[2]):
tmp_decs=cover_layers[i].ssc_map.size
else:
ks=cover_layers[i].layer.kernel_size
dsp=cover_layers[i].ssc_map.shape
tmp_decs=((dsp[1]-ks[0]+1)*(dsp[2]-ks[1]+1)*dsp[3])
if is_conv_layer(cover_layers[i].layer):
if not test_object.feature_indices==None:
tmp_decs=tmp_decs*(len(test_object.feature_indices)*1.0/dsp[3])
tot_decs+=tmp_decs
tot_coverage=0.0
## define a global attacker
#classifier=KerasClassifier((MIN, -MIN), model=test_object.dnn)
classifier=KerasClassifier(test_object.dnn)
adv_crafter = FastGradientMethod(classifier)
test_cases=[]
adversarials=[]
count=0
while count<tot_iters:
dec_layer_index, dec_pos=get_ssc_next(cover_layers)
cover_layers[dec_layer_index].ssc_map.itemset(dec_pos, False)
if dec_layer_index==1 and is_input_layer(test_object.dnn.layers[0]): continue
#print (dec_layer_index, dec_pos)
###
cond_layer=cover_layers[dec_layer_index-1]
dec_layer=cover_layers[dec_layer_index]
cond_cover=np.zeros(cond_layer.ssc_map.shape, dtype=bool)
###
if is_padding(dec_pos, dec_layer, cond_layer, False):
continue
tot_conds=cond_cover.size
if is_conv_layer(cond_layer.layer):
csp=cond_layer.layer.input.shape
dsp=cond_layer.ssc_map.shape
if (csp[1]==dsp[1] and csp[2]==dsp[2]):
ks=cond_layer.layer.kernel_size
dsp=cond_layer.ssc_map.shape
tot_decs=((dsp[1]-ks[0]+1)*(dsp[2]-ks[1]+1)*dsp[3])
non_increasing=0
step_coverage=0
count+=1
d_min, d_norm, new_image, old_image, old_labels, cond_diff_map=ssc_search(test_object, layer_functions, cond_layer, None, dec_layer, dec_pos, adv_crafter, adv_object)
#print ('d_min is', d_min, 'd_norm is', d_norm)
cond_ratio=test_object.cond_ratio
feasible=(d_min<=cond_ratio*cond_layer.ssc_map.size or d_min==1)
if feasible:
new_predictResults = dnn.predict(np.array([new_image]), verbose=1)
new_res=np.argmax(new_predictResults)
#print ('####', res, new_res, x.shape)
if res==new_res: continue
## to optimise the adversarial example
if opt:
for i in range(0, len(x)):
simple_x=x.copy()
for ii in range(0, i+1):
simple_x[ii]=new_image[ii]
simple_predictResults = dnn.predict(np.array([simple_x]), batch_size=5000, verbose=1)
simple_res=np.argmax(simple_predictResults)
if simple_res==res: continue
#for ii in range(0, i+1):
# plt.imshow(simple_x[ii],cmap='gray')
# #plt.imsave('new_{0}.png'.format(ii),simple_x[ii],cmap='gray')
# plt.show()
# plt.imshow(x[ii],cmap='gray')
# plt.show()
## #plt.imsave('origin_{0}.png'.format(ii),x[ii],cmap='gray')
if num is None: return True, simple_x
else: new_images.append(simple_x)
else:
if num is None: return True, new_image
else: new_images.append(new_image)
if not (num is None):
if len(new_images)>=num: return True, np.array(new_images)
if (num is None): return False, None
else: return False, np.array(new_images)
import tensorflow as tf
from tensorflow.python.keras.backend import set_session
from tensorflow.python.keras.models import load_model
from io import BytesIO
# IMPORTANT: models have to be loaded AFTER SETTING THE SESSION for keras!
# Otherwise, their weights will be unavailable in the threads after the session there has been set
sess = tf.Session()
set_session(sess)
graph = tf.get_default_graph()
model = load_model('./lenet.h5')
from art.estimators.classification import KerasClassifier
from art.attacks.evasion import HopSkipJump
classifier = KerasClassifier(clip_values=(0, 255), model=model)
app = Flask(__name__)
CORS(app, supports_credentials=True)
api = Api(app)
def predict(data):
global sess
global graph
with graph.as_default():
set_session(sess)
res = np.argmax(model.predict(data))
return res
model = Sequential()
model.add(Conv2D(filters=4, kernel_size=(5, 5), strides=1, activation="relu", input_shape=(28, 28, 1)))
model.add(MaxPooling2D(pool_size=(2, 2)))
model.add(Conv2D(filters=10, kernel_size=(5, 5), strides=1, activation="relu", input_shape=(23, 23, 4)))
model.add(MaxPooling2D(pool_size=(2, 2)))
model.add(Flatten())
model.add(Dense(100, activation="relu"))
model.add(Dense(10, activation="softmax"))
model.compile(
loss=keras.losses.categorical_crossentropy, optimizer=keras.optimizers.Adam(lr=0.01), metrics=["accuracy"]
)
# Step 3: Create the ART classifier
classifier = KerasClassifier(model=model, clip_values=(min_pixel_value, max_pixel_value), use_logits=False)
# Step 4: Train the ART classifier
classifier.fit(x_train, y_train, batch_size=64, nb_epochs=3)
# Step 5: Evaluate the ART classifier on benign test examples
predictions = classifier.predict(x_test)
accuracy = np.sum(np.argmax(predictions, axis=1) == np.argmax(y_test, axis=1)) / len(y_test)
print("Accuracy on benign test examples: {}%".format(accuracy * 100))
# Step 6: Generate adversarial test examples
attack = FastGradientMethod(estimator=classifier, eps=0.2)
x_test_adv = attack.generate(x=x_test)
