def run_batch_with_goal(sess, model, x, y, adv_x_val, criteria, attack_configs, run_counts, goal, report, report_path, attack_batch_size=BATCH_SIZE): """ Runs attack bundling on one batch of data. This function is mostly intended to be called by `bundle_attacks_with_goal`. :param sess: tf.session.Session :param model: cleverhans.model.Model :param x: numpy array containing clean example inputs to attack :param y: numpy array containing true labels :param adv_x_val: numpy array containing the adversarial examples made so far by earlier work in the bundling process :param criteria: dict mapping string names of criteria to numpy arrays with their values for each example (Different AttackGoals track different criteria) :param run_counts: dict mapping AttackConfigs to numpy arrays reporting how many times they have been run on each example :param goal: the AttackGoal to work on :param report: dict, see `bundle_attacks_with_goal` :param report_path: str, path to save the report to """ attack_config = goal.get_attack_config(attack_configs, run_counts, criteria) idxs = goal.request_examples(attack_config, criteria, run_counts, attack_batch_size) x_batch = x[idxs] assert x_batch.shape[0] == attack_batch_size y_batch = y[idxs] assert y_batch.shape[0] == attack_batch_size adv_x_batch = run_attack(sess, model, x_batch, y_batch, attack_config.attack, attack_config.params, attack_batch_size, devices, pass_y=attack_config.pass_y) criteria_batch = goal.get_criteria(sess, model, adv_x_batch, y_batch, batch_size=min(attack_batch_size, BATCH_SIZE)) # This can't be parallelized because some orig examples are copied more # than once into the batch cur_run_counts = run_counts[attack_config] for batch_idx, orig_idx in enumerate(idxs): cur_run_counts[orig_idx] += 1 should_copy = goal.new_wins(criteria, orig_idx, criteria_batch, batch_idx) if should_copy: adv_x_val[orig_idx] = adv_x_batch[batch_idx] for key in criteria: criteria[key][orig_idx] = criteria_batch[key][batch_idx] assert np.allclose(y[orig_idx], y_batch[batch_idx]) report['bundled'] = ConfidenceReportEntry(criteria['correctness'], criteria['confidence']) should_save = False new_time = time.time() if hasattr(report, 'time'): if new_time - report.time > REPORT_TIME_INTERVAL: should_save = True else: should_save = True if should_save: report.time = new_time goal.print_progress(criteria, run_counts) save(criteria, report, report_path, adv_x_val)
def make_confidence_report(filepath, train_start=TRAIN_START, train_end=TRAIN_END, test_start=TEST_START, test_end=TEST_END, batch_size=BATCH_SIZE, which_set=WHICH_SET, mc_batch_size=MC_BATCH_SIZE, report_path=REPORT_PATH, base_eps_iter=BASE_EPS_ITER, nb_iter=NB_ITER, save_advx=SAVE_ADVX): """ Load a saved model, gather its predictions, and save a confidence report. This function works by running a single MaxConfidence attack on each example. This provides a reasonable estimate of the true failure rate quickly, so long as the model does not suffer from gradient masking. However, this estimate is mostly intended for development work and not for publication. A more accurate estimate may be obtained by running make_confidence_report_bundled.py instead. :param filepath: path to model to evaluate :param train_start: index of first training set example to use :param train_end: index of last training set example to use :param test_start: index of first test set example to use :param test_end: index of last test set example to use :param batch_size: size of evaluation batches :param which_set: 'train' or 'test' :param mc_batch_size: batch size for MaxConfidence attack :param base_eps_iter: step size if the data were in [0,1] (Step size will be rescaled proportional to the actual data range) :param nb_iter: Number of iterations of PGD to run per class :param save_advx: bool. If True, saves the adversarial examples to disk. On by default, but can be turned off to save memory, etc. """ # Set TF random seed to improve reproducibility tf.set_random_seed(1234) # Set logging level to see debug information set_log_level(logging.INFO) # Create TF session sess = tf.Session() if report_path is None: assert filepath.endswith('.joblib') report_path = filepath[:-len('.joblib')] + "_report.joblib" with sess.as_default(): model = load(filepath) assert len(model.get_params()) > 0 factory = model.dataset_factory factory.kwargs['train_start'] = train_start factory.kwargs['train_end'] = train_end factory.kwargs['test_start'] = test_start factory.kwargs['test_end'] = test_end dataset = factory() center = dataset.kwargs['center'] max_val = dataset.kwargs['max_val'] value_range = max_val * (1. + center) min_value = 0. - center * max_val if 'CIFAR' in str(factory.cls): base_eps = 8. / 255. if base_eps_iter is None: base_eps_iter = 2. / 255. elif 'MNIST' in str(factory.cls): base_eps = .3 if base_eps_iter is None: base_eps_iter = .1 else: raise NotImplementedError(str(factory.cls)) mc_params = { 'eps': base_eps * value_range, 'eps_iter': base_eps_iter * value_range, 'nb_iter': nb_iter, 'clip_min': min_value, 'clip_max': max_val } x_data, y_data = dataset.get_set(which_set) report = ConfidenceReport() semantic = Semantic(model, center, max_val, sess) mc = MaxConfidence(model, sess=sess) jobs = [('clean', None, None, None, False), ('Semantic', semantic, None, None, False), ('mc', mc, mc_params, mc_batch_size, True)] for job in jobs: name, attack, attack_params, job_batch_size, save_this_job = job if job_batch_size is None: job_batch_size = batch_size t1 = time.time() if save_advx and save_this_job: # If we want to save the adversarial examples to the filesystem, we need # to fetch all of them. Otherwise they're just computed one batch at a # time and discarded # The path to save to assert report_path.endswith('.joblib') advx_path = report_path[:-len('.joblib')] + '_advx_' + name + '.npy' # Fetch the adversarial examples x_data = run_attack(sess, model, x_data, y_data, attack, attack_params, batch_size=job_batch_size, devices=devices) # Turn off the attack so `correctness_and_confidence` won't run it a # second time. attack = None attack_params = None # Save the adversarial examples np.save(advx_path, x_data) # Run correctness and confidence evaluation on adversarial examples packed = correctness_and_confidence(sess, model, x_data, y_data, batch_size=job_batch_size, devices=devices, attack=attack, attack_params=attack_params) t2 = time.time() print("Evaluation took", t2 - t1, "seconds") correctness, confidence = packed report[name] = ConfidenceReportEntry(correctness=correctness, confidence=confidence) print_stats(correctness, confidence, name) save(report_path, report)