def main(argv=None):
keras.layers.core.K.set_learning_phase(0)
# Set TF random seed to improve reproducibility
tf.set_random_seed(1234)
if not hasattr(backend, "tf"):
raise RuntimeError("This tutorial requires keras to be configured"
" to use the TensorFlow backend.")
# Image dimensions ordering should follow the Theano convention
if keras.backend.image_dim_ordering() != 'tf':
keras.backend.set_image_dim_ordering('tf')
print("INFO: '~/.keras/keras.json' sets 'image_dim_ordering' to "
"'th', temporarily setting to 'tf'")
# Create TF session and set as Keras backend session
sess = tf.Session()
keras.backend.set_session(sess)
# Get MNIST test data
X_train, Y_train, X_test, Y_test = data_mnist()
X_train = X_train[:10000]
Y_train = Y_train[:10000]
X_test = X_test[:2000]
Y_test = Y_test[:2000]
assert Y_train.shape[1] == 10.
label_smooth = .1
Y_train = Y_train.clip(label_smooth / 9., 1. - label_smooth)
# Define input TF placeholder
x = tf.placeholder(tf.float32, shape=(None, 28, 28, 1))
y = tf.placeholder(tf.float32, shape=(None, 10))
# Define TF model graph
model = cnn_model()
predictions = model(x)
print("Defined TensorFlow model graph.")
# Train an MNIST model
train_params = {
'nb_epochs': FLAGS.nb_epochs,
'batch_size': FLAGS.batch_size,
'learning_rate': FLAGS.learning_rate
}
model_train(sess, x, y, predictions, X_train, Y_train, args=train_params)
eval_params = {'batch_size': FLAGS.batch_size}
accuracy = model_eval(sess,
x,
y,
predictions,
X_test,
Y_test,
args=eval_params)
assert accuracy > 0.8, accuracy
def prep_bbox(sess, x, y, X_train, Y_train, X_test, Y_test, nb_epochs,
batch_size, learning_rate):
"""
Define and train a model that simulates the "remote"
black-box oracle described in the original paper.
:param sess: the TF session
:param x: the input placeholder for MNIST
:param y: the ouput placeholder for MNIST
:param X_train: the training data for the oracle
:param Y_train: the training labels for the oracle
:param X_test: the testing data for the oracle
:param Y_test: the testing labels for the oracle
:param nb_epochs: number of epochs to train model
:param batch_size: size of training batches
:param learning_rate: learning rate for training
:return:
"""
# Define TF model graph (for the black-box model)
model = cnn_model()
predictions = model(x)
print("Defined TensorFlow model graph.")
# Train an MNIST model
train_params = {
'nb_epochs': nb_epochs,
'batch_size': batch_size,
'learning_rate': learning_rate
}
model_train(sess,
x,
y,
predictions,
X_train,
Y_train,
verbose=False,
args=train_params)
# Print out the accuracy on legitimate data
eval_params = {'batch_size': batch_size}
accuracy = model_eval(sess,
x,
y,
predictions,
X_test,
Y_test,
args=eval_params)
print('Test accuracy of black-box on legitimate test '
'examples: ' + str(accuracy))
return model, predictions, accuracy
def setup_model_and_sess():
'''
Sets up and loads the model used for classifying
the signs with the help of keras
and the corresponding TF session. (Code from cleverhans example)
Needs FLAGS.model_path in order to locate the stored model
:return: a tuple (model, sess)
'''
# print all parameters for the current run
# print "Parameters"
# for k in sorted(FLAGS.__dict__["__flags"].keys()):
# print k, FLAGS.__dict__["__flags"][k]
###### setup code from cleverhans example ######
# Set TF random seed to improve reproducibility
tf.set_random_seed(FLAGS.tf_seed)
if not hasattr(backend, "tf"):
raise RuntimeError("This tutorial requires keras to be configured"
" to use the TensorFlow backend.")
# Image dimensions ordering should follow the Theano convention
if keras.backend.image_dim_ordering() != 'tf':
keras.backend.set_image_dim_ordering('tf')
print(
"INFO: '~/.keras/keras.json' sets 'image_dim_ordering' to "
"'th', temporarily setting to 'tf'")
# Create TF session and set as Keras backend session
sess = tf.Session()
keras.backend.set_session(sess)
print("Created TensorFlow session and set Keras backend.")
# Define TF model graph
model = cnn_model(img_rows=FLAGS.img_rows,
img_cols=FLAGS.img_cols,
channels=FLAGS.nb_channels,
nb_classes=FLAGS.nb_classes)
# Restore the model from previously saved parameters
saver = tf.train.Saver()
saver.restore(sess, FLAGS.model_path)
print("Loaded the parameters for the model from %s" % FLAGS.model_path)
return model, sess
def prep_cnn_bbox(sess, x, y, X_train, Y_train, X_test, Y_test):
"""
Define and train a model that simulates the "remote"
black-box oracle described in the original paper.
:param sess: the TF session
:param x: the input placeholder for MNIST
:param y: the ouput placeholder for MNIST
:param X_train: the training data for the oracle
:param Y_train: the training labels for the oracle
:param X_test: the testing data for the oracle
:param Y_test: the testing labels for the oracle
:return:
"""
# Define TF model graph (for the black-box model)
model = cnn_model()
predictions = model(x)
# Train an MNIST model
train_params = {
'nb_epochs': 6,
'batch_size': FLAGS.batch_size,
'learning_rate': FLAGS.learning_rate
}
model_train(sess, x, y, predictions, X_train, Y_train,
init_all=False, verbose=False, args=train_params)
# """
if args.ae:
print("Denoising...")
num_data = X_test.shape[0]
autoencoder.visualize(sess, X_test.reshape(num_data, -1), "bbox")
filtered_data = autoencoder.run(sess, X_test.reshape(num_data, -1))
X_test = filtered_data.reshape(num_data, 28, 28, 1)
# """
# Print out the accuracy on legitimate data
eval_params = {'batch_size': FLAGS.batch_size}
accuracy = model_eval(sess, x, y, predictions, X_test, Y_test,
args=eval_params)
print("Test accuracy = {}".format(accuracy))
return model, predictions
def main():
keras.backend.set_image_dim_ordering('th')
# We can't use argparse in a test because it reads the arguments to nosetests
# e.g., nosetests -v passes the -v to the test
args = {
"batch_size": 128,
"nb_epochs": 2,
"learning_rate": .5
}
# Get MNIST test data
X_train, Y_train, X_test, Y_test = data_mnist()
X_train = X_train[:10000]
Y_train = Y_train[:10000]
X_test = X_test[:2000]
Y_test = Y_test[:2000]
assert Y_train.shape[1] == 10.
label_smooth = .1
Y_train = Y_train.clip(label_smooth / 9., 1. - label_smooth)
# Define input Theano placeholder
x_shape = (None, 1, 28, 28)
x = T.tensor4('x')
y = T.matrix('y')
# Define Theano model graph
model = cnn_model()
model.build(x_shape)
predictions = model(x)
print("Defined Theano model graph.")
# Train an MNIST model
th_model_train(x, y, predictions, model.trainable_weights,
X_train, Y_train, args=args)
accuracy = th_model_eval(x, y, predictions, X_test, Y_test, args=args)
assert accuracy > 0.8, accuracy
def mnist_tutorial_jsma(train_start=0,
train_end=60000,
test_start=0,
test_end=10000,
viz_enabled=True,
nb_epochs=6,
batch_size=128,
nb_classes=10,
source_samples=10,
learning_rate=0.1):
"""
MNIST tutorial for the Jacobian-based saliency map approach (JSMA)
:param train_start: index of first training set example
:param train_end: index of last training set example
:param test_start: index of first test set example
:param test_end: index of last test set example
:param viz_enabled: (boolean) activate plots of adversarial examples
:param nb_epochs: number of epochs to train model
:param batch_size: size of training batches
:param nb_classes: number of output classes
:param source_samples: number of test inputs to attack
:param learning_rate: learning rate for training
:return: an AccuracyReport object
"""
# Object used to keep track of (and return) key accuracies
report = AccuracyReport()
# MNIST-specific dimensions
img_rows = 28
img_cols = 28
channels = 1
# Disable Keras learning phase since we will be serving through tensorflow
keras.layers.core.K.set_learning_phase(0)
# Set TF random seed to improve reproducibility
tf.set_random_seed(1234)
# Image dimensions ordering should follow the TensorFlow convention
if keras.backend.image_dim_ordering() != 'tf':
keras.backend.set_image_dim_ordering('tf')
print("INFO: '~/.keras/keras.json' sets 'image_dim_ordering' "
"to 'th', temporarily setting to 'tf'")
# Create TF session and set as Keras backend session
sess = tf.Session()
keras.backend.set_session(sess)
print("Created TensorFlow session and set Keras backend.")
# Get MNIST test data
X_train, Y_train, X_test, Y_test = data_mnist(train_start=train_start,
train_end=train_end,
test_start=test_start,
test_end=test_end)
# Define input TF placeholder
x = tf.placeholder(tf.float32, shape=(None, 28, 28, 1))
y = tf.placeholder(tf.float32, shape=(None, 10))
# Define TF model graph
model = cnn_model()
preds = model(x)
print("Defined TensorFlow model graph.")
###########################################################################
# Training the model using TensorFlow
###########################################################################
# Train an MNIST model
train_params = {
'nb_epochs': nb_epochs,
'batch_size': batch_size,
'learning_rate': learning_rate
}
model_train(sess, x, y, preds, X_train, Y_train, args=train_params)
# Evaluate the accuracy of the MNIST model on legitimate test examples
eval_params = {'batch_size': batch_size}
accuracy = model_eval(sess, x, y, preds, X_test, Y_test, args=eval_params)
assert X_test.shape[0] == test_end - test_start, X_test.shape
print('Test accuracy on legitimate test examples: {0}'.format(accuracy))
report.clean_train_clean_eval = accuracy
###########################################################################
# Craft adversarial examples using the Jacobian-based saliency map approach
###########################################################################
print('Crafting ' + str(source_samples) + ' * ' + str(nb_classes - 1) +
' adversarial examples')
# Keep track of success (adversarial example classified in target)
results = np.zeros((nb_classes, source_samples), dtype='i')
# Rate of perturbed features for each test set example and target class
perturbations = np.zeros((nb_classes, source_samples), dtype='f')
# Initialize our array for grid visualization
grid_shape = (nb_classes, nb_classes, img_rows, img_cols, channels)
grid_viz_data = np.zeros(grid_shape, dtype='f')
# Instantiate a SaliencyMapMethod attack object
jsma = SaliencyMapMethod(model, back='tf', sess=sess)
jsma_params = {
'theta': 1.,
'gamma': 0.1,
'nb_classes': nb_classes,
'clip_min': 0.,
'clip_max': 1.,
'targets': y,
'y_val': None
}
figure = None
# Loop over the samples we want to perturb into adversarial examples
for sample_ind in xrange(0, source_samples):
print('--------------------------------------')
print('Attacking input %i/%i' % (sample_ind + 1, source_samples))
sample = X_test[sample_ind:(sample_ind + 1)]
# We want to find an adversarial example for each possible target class
# (i.e. all classes that differ from the label given in the dataset)
current_class = int(np.argmax(Y_test[sample_ind]))
target_classes = other_classes(nb_classes, current_class)
# For the grid visualization, keep original images along the diagonal
grid_viz_data[current_class, current_class, :, :, :] = np.reshape(
sample, (img_rows, img_cols, channels))
# Loop over all target classes
for target in target_classes:
print('Generating adv. example for target class %i' % target)
# This call runs the Jacobian-based saliency map approach
one_hot_target = np.zeros((1, nb_classes), dtype=np.float32)
one_hot_target[0, target] = 1
jsma_params['y_val'] = one_hot_target
adv_x = jsma.generate_np(sample, **jsma_params)
# Check if success was achieved
res = int(model_argmax(sess, x, preds, adv_x) == target)
# Computer number of modified features
adv_x_reshape = adv_x.reshape(-1)
test_in_reshape = X_test[sample_ind].reshape(-1)
nb_changed = np.where(adv_x_reshape != test_in_reshape)[0].shape[0]
percent_perturb = float(nb_changed) / adv_x.reshape(-1).shape[0]
# Display the original and adversarial images side-by-side
if viz_enabled:
figure = pair_visual(np.reshape(sample, (img_rows, img_cols)),
np.reshape(adv_x, (img_rows, img_cols)),
figure)
# Add our adversarial example to our grid data
grid_viz_data[target, current_class, :, :, :] = np.reshape(
adv_x, (img_rows, img_cols, channels))
# Update the arrays for later analysis
results[target, sample_ind] = res
perturbations[target, sample_ind] = percent_perturb
print('--------------------------------------')
# Compute the number of adversarial examples that were successfully found
nb_targets_tried = ((nb_classes - 1) * source_samples)
succ_rate = float(np.sum(results)) / nb_targets_tried
print('Avg. rate of successful adv. examples {0:.4f}'.format(succ_rate))
report.clean_train_adv_eval = 1. - succ_rate
# Compute the average distortion introduced by the algorithm
percent_perturbed = np.mean(perturbations)
print('Avg. rate of perturbed features {0:.4f}'.format(percent_perturbed))
# Compute the average distortion introduced for successful samples only
percent_perturb_succ = np.mean(perturbations * (results == 1))
print('Avg. rate of perturbed features for successful '
'adversarial examples {0:.4f}'.format(percent_perturb_succ))
# Close TF session
sess.close()
# Finally, block & display a grid of all the adversarial examples
if viz_enabled:
import matplotlib.pyplot as plt
plt.close(figure)
_ = grid_visual(grid_viz_data)
return report
def main(argv=None):
"""
MNIST cleverhans tutorial
:return:
"""
# Set TF random seed to improve reproducibility
tf.set_random_seed(1234)
if not hasattr(backend, "tf"):
raise RuntimeError("This tutorial requires keras to be configured"
" to use the TensorFlow backend.")
# Image dimensions ordering should follow the Theano convention
if keras.backend.image_dim_ordering() != 'tf':
keras.backend.set_image_dim_ordering('tf')
print("INFO: '~/.keras/keras.json' sets 'image_dim_ordering' to "
"'th', temporarily setting to 'tf'")
# Create TF session and set as Keras backend session
sess = tf.Session()
keras.backend.set_session(sess)
# Get MNIST test data
X_train, Y_train, X_test, Y_test = data_mnist()
assert Y_train.shape[1] == 10.
label_smooth = .1
Y_train = Y_train.clip(label_smooth / 9., 1. - label_smooth)
# Define input TF placeholder
x = tf.placeholder(tf.float32, shape=(None, 28, 28, 1))
y = tf.placeholder(tf.float32, shape=(None, 10))
# Define TF model graph
model = cnn_model()
predictions = model(x)
print("Defined TensorFlow model graph.")
def evaluate():
# Evaluate the accuracy of the MNIST model on legitimate test examples
eval_params = {'batch_size': FLAGS.batch_size}
accuracy = model_eval(sess,
x,
y,
predictions,
X_test,
Y_test,
args=eval_params)
assert X_test.shape[0] == 10000, X_test.shape
print('Test accuracy on legitimate test examples: ' + str(accuracy))
# Train an MNIST model
train_params = {
'nb_epochs': FLAGS.nb_epochs,
'batch_size': FLAGS.batch_size,
'learning_rate': FLAGS.learning_rate
}
model_train(sess,
x,
y,
predictions,
X_train,
Y_train,
evaluate=evaluate,
args=train_params)
# Craft adversarial examples using Fast Gradient Sign Method (FGSM)
adv_x = fgsm(x, predictions, eps=0.3)
eval_params = {'batch_size': FLAGS.batch_size}
X_test_adv, = batch_eval(sess, [x], [adv_x], [X_test], args=eval_params)
assert X_test_adv.shape[0] == 10000, X_test_adv.shape
# Evaluate the accuracy of the MNIST model on adversarial examples
accuracy = model_eval(sess,
x,
y,
predictions,
X_test_adv,
Y_test,
args=eval_params)
print('Test accuracy on adversarial examples: ' + str(accuracy))
print("Repeating the process, using adversarial training")
# Redefine TF model graph
model_2 = cnn_model()
predictions_2 = model_2(x)
adv_x_2 = fgsm(x, predictions_2, eps=0.3)
predictions_2_adv = model_2(adv_x_2)
def evaluate_2():
# Evaluate the accuracy of the adversarialy trained MNIST model on
# legitimate test examples
eval_params = {'batch_size': FLAGS.batch_size}
accuracy = model_eval(sess,
x,
y,
predictions_2,
X_test,
Y_test,
args=eval_params)
print('Test accuracy on legitimate test examples: ' + str(accuracy))
# Evaluate the accuracy of the adversarially trained MNIST model on
# adversarial examples
accuracy_adv = model_eval(sess,
x,
y,
predictions_2_adv,
X_test,
Y_test,
args=eval_params)
print('Test accuracy on adversarial examples: ' + str(accuracy_adv))
# Perform adversarial training
model_train(sess,
x,
y,
predictions_2,
X_train,
Y_train,
predictions_adv=predictions_2_adv,
evaluate=evaluate_2,
args=train_params)
def main(argv=None):
"""
MNIST cleverhans tutorial
:return:
"""
keras.layers.core.K.set_learning_phase(
0) # a bool tensor (0 = test, 1 = train)
# Set TF random seed to improve reproducibility
tf.set_random_seed(1234)
if not hasattr(backend, "tf"):
raise RuntimeError("This tutorial requires keras to be configured"
" to use the TensorFlow backend.")
# Image dimensions ordering should follow the Theano convention
if keras.backend.image_dim_ordering() != 'tf':
keras.backend.set_image_dim_ordering('tf')
print("INFO: '~/.keras/keras.json' sets 'image_dim_ordering' to "
"'th', temporarily setting to 'tf'")
# Create TF session and set as Keras backend session
sess = tf.Session()
keras.backend.set_session(sess)
# Get MNIST test data
X_train, Y_train, X_test, Y_test = data_mnist()
# print('X_train shape =' + str(X_train.shape))
# print('Y_train shape =' + str(Y_train.shape))
# print('X_test shape =' + str(X_test.shape))
# print('Y_test shape =' + str(Y_test.shape))
assert Y_train.shape[1] == 10.
label_smooth = .1
Y_train = Y_train.clip(label_smooth / 9., 1. - label_smooth)
# Define input TF placeholder
x = tf.placeholder(tf.float32, shape=(None, 28, 28, 1))
y = tf.placeholder(tf.float32, shape=(None, 10))
# Define TF model graph
model = cnn_model()
predictions = model(x)
model.summary()
print("Defined TensorFlow model graph.")
def evaluate():
# Evaluate the accuracy of the MNIST model on legitimate test examples
eval_params = {'batch_size': FLAGS.batch_size}
accuracy = model_eval(sess,
x,
y,
predictions,
X_test,
Y_test,
args=eval_params)
assert X_test.shape[0] == 10000, X_test.shape
print('Test accuracy on legitimate test examples: %0.4f' % accuracy)
# Train an MNIST model
train_params = {
'nb_epochs': FLAGS.nb_epochs,
'batch_size': FLAGS.batch_size,
'learning_rate': FLAGS.learning_rate
}
model_train(sess,
x,
y,
predictions,
X_train,
Y_train,
evaluate=evaluate,
args=train_params)
# Initialize the Fast Gradient Sign Method (FGSM) attack object and graph
fgsm = FastGradientMethod(model, sess=sess) # new object
fgsm_params = {'eps': 0.3} # parameters
adv_x = fgsm.generate(x, **fgsm_params)
preds_adv = model(adv_x)
# Evaluate the accuracy of the MNIST model on adversarial examples
eval_par = {'batch_size': FLAGS.batch_size}
accuracy = model_eval(sess, x, y, preds_adv, X_test, Y_test, args=eval_par)
print('Test accuracy on adversarial examples: %0.4f\n' % accuracy)
print("Repeating the process, using adversarial training")
# Redefine TF model graph
model_2 = cnn_model()
predictions_2 = model_2(x)
fgsm2 = FastGradientMethod(model_2, sess=sess)
predictions_2_adv = model_2(fgsm2.generate(x, **fgsm_params))
def evaluate_2():
# Accuracy of adversarially trained model on legitimate test inputs
eval_params = {'batch_size': FLAGS.batch_size}
accuracy = model_eval(sess,
x,
y,
predictions_2,
X_test,
Y_test,
args=eval_params)
print('Test accuracy on legitimate test examples: %0.4f' % accuracy)
# Accuracy of the adversarially trained model on adversarial examples
accuracy_adv = model_eval(sess,
x,
y,
predictions_2_adv,
X_test,
Y_test,
args=eval_params)
print('Test accuracy on adversarial examples: %0.4f' % accuracy_adv)
# Perform and evaluate adversarial training
model_train(sess,
x,
y,
predictions_2,
X_train,
Y_train,
predictions_adv=predictions_2_adv,
evaluate=evaluate_2,
args=train_params)
def main(argv=None):
"""
MNIST cleverhans tutorial
:return:
"""
# Set TF random seed to improve reproducibility
tf.set_random_seed(1234)
if not hasattr(backend, "tf"):
raise RuntimeError("This tutorial requires keras to be configured"
" to use the TensorFlow backend.")
# Image dimensions ordering should follow the Theano convention
if keras.backend.image_dim_ordering() != 'tf':
keras.backend.set_image_dim_ordering('tf')
print("INFO: '~/.keras/keras.json' sets 'image_dim_ordering' to "
"'th', temporarily setting to 'tf'")
# Create TF session and set as Keras backend session
sess = tf.Session()
keras.backend.set_session(sess)
# Get MNIST test data
X_train, Y_train, X_test, Y_test = data_mnist()
assert Y_train.shape[1] == 10.
label_smooth = .1
Y_train = Y_train.clip(label_smooth / 9., 1. - label_smooth)
# Define input TF placeholder
x = tf.placeholder(tf.float32, shape=(None, 28, 28, 1))
y = tf.placeholder(tf.float32, shape=(None, 10))
# Define TF model graph
model = cnn_model()
predictions = model(x)
print("Defined TensorFlow model graph.")
# Redefine TF model graph
model_2 = cnn_model()
predictions_2 = model_2(x)
adv_x_2 = fgsm(x, predictions_2, eps=0.2)
predictions_2_adv = model_2(adv_x_2)
train_params = {
'nb_epochs': FLAGS.nb_epochs,
'batch_size': FLAGS.batch_size,
'learning_rate': FLAGS.learning_rate
}
ytest_fgsm = np.load("fgsm/ytest.npy")
xadv_fgsm = np.load("fgsm/xadv.npy")
xtest_fgsm = np.load("fgsm/xtest.npy")
xtest_black = np.load("black/xtest.npy")
ytest_black = np.load("black/ytest.npy")
xadv_black = np.load("black/xadv.npy")
xtest_jsma = np.load("jsma/xtest.npy")
ytest_jsma = np.load("jsma/ytest.npy")
xadv_jsma = np.load("jsma/xadv.npy")
yadv_jsma = np.load("jsma/ytest2.npy")
b = []
for a in xadv_jsma:
b.append(a[0])
xadv_jsma = np.array(b)
print(ytest_jsma.shape)
print(yadv_jsma.shape)
#ytest_jsma = get_yarray((len(ytest_jsma), 10),ytest_jsma)
yadv_jsma = get_yarray((len(yadv_jsma), 10), yadv_jsma)
def evaluate_2():
# Evaluate the accuracy of the adversarialy trained MNIST model on
# legitimate test examples
eval_params = {'batch_size': FLAGS.batch_size}
accuracy = model_eval(sess,
x,
y,
predictions_2,
X_test,
Y_test,
args=eval_params)
print('Test accuracy on legitimate test examples: ' + str(accuracy))
# Evaluate the accuracy of the adversarially trained MNIST model on
# adversarial examples
accuracy_adv = model_eval(sess,
x,
y,
predictions_2_adv,
X_test,
Y_test,
args=eval_params)
print('Test accuracy on adversarial examples: ' + str(accuracy_adv))
accuracy_adv = model_eval(sess,
x,
y,
predictions_2_adv,
xtest_fgsm,
ytest_fgsm,
args=eval_params)
print('Test accuracy on adversarial examples1: ' + str(accuracy_adv))
accuracy_adv = model_eval(sess,
x,
y,
predictions_2_adv,
xadv_fgsm,
ytest_fgsm,
args=eval_params)
print('Test accuracy on adversarial examples2: ' + str(accuracy_adv))
accuracy_adv = model_eval(sess,
x,
y,
predictions_2_adv,
xtest_black,
ytest_black,
args=eval_params)
print('Test accuracy on adversarial examples3: ' + str(accuracy_adv))
accuracy_adv = model_eval(sess,
x,
y,
predictions_2_adv,
xadv_black,
ytest_black,
args=eval_params)
print('Test accuracy on adversarial examples4: ' + str(accuracy_adv))
accuracy_adv = model_eval(sess,
x,
y,
predictions_2_adv,
xtest_jsma,
ytest_jsma,
args=eval_params)
print('Test accuracy on adversarial examples5: ' + str(accuracy_adv))
accuracy_adv = model_eval(sess,
x,
y,
predictions_2_adv,
xadv_jsma,
yadv_jsma,
args=eval_params)
print('Test accuracy on adversarial examples6: ' + str(accuracy_adv))
# Perform adversarial training
model_train(sess,
x,
y,
predictions_2,
X_train,
Y_train,
predictions_adv=predictions_2_adv,
evaluate=evaluate_2,
args=train_params)
def mnist_tutorial_cw(train_start=0, train_end=60000, test_start=0,
test_end=10000, viz_enabled=True, nb_epochs=6,
batch_size=128, nb_classes=10, source_samples=10,
learning_rate=0.001, attack_iterations=100,
model_path=os.path.join("models", "mnist"),
targeted=True):
"""
MNIST tutorial for Carlini and Wagner's attack
:param train_start: index of first training set example
:param train_end: index of last training set example
:param test_start: index of first test set example
:param test_end: index of last test set example
:param viz_enabled: (boolean) activate plots of adversarial examples
:param nb_epochs: number of epochs to train model
:param batch_size: size of training batches
:param nb_classes: number of output classes
:param source_samples: number of test inputs to attack
:param learning_rate: learning rate for training
:param model_path: path to the model file
:param targeted: should we run a targeted attack? or untargeted?
:return: an AccuracyReport object
"""
# Object used to keep track of (and return) key accuracies
report = AccuracyReport()
# MNIST-specific dimensions
img_rows = 28
img_cols = 28
channels = 1
# Disable Keras learning phase since we will be serving through tensorflow
keras.layers.core.K.set_learning_phase(0)
# Set TF random seed to improve reproducibility
tf.set_random_seed(1234)
# Image dimensions ordering should follow the TensorFlow convention
if keras.backend.image_dim_ordering() != 'tf':
keras.backend.set_image_dim_ordering('tf')
print("INFO: '~/.keras/keras.json' sets 'image_dim_ordering' "
"to 'th', temporarily setting to 'tf'")
# Create TF session and set as Keras backend session
sess = tf.Session()
keras.backend.set_session(sess)
print("Created TensorFlow session and set Keras backend.")
# Get MNIST test data
X_train, Y_train, X_test, Y_test = data_mnist(train_start=train_start,
train_end=train_end,
test_start=test_start,
test_end=test_end)
# Define input TF placeholder
x = tf.placeholder(tf.float32, shape=(None, 28, 28, 1))
y = tf.placeholder(tf.float32, shape=(None, 10))
# Define TF model graph
model = cnn_model()
preds = model(x)
print("Defined TensorFlow model graph.")
###########################################################################
# Training the model using TensorFlow
###########################################################################
# Train an MNIST model
train_params = {
'nb_epochs': nb_epochs,
'batch_size': batch_size,
'learning_rate': learning_rate,
'train_dir': os.path.join(*os.path.split(model_path)[:-1]),
'filename': os.path.split(model_path)[-1]
}
# check if we've trained before, and if we have, use that pre-trained model
if os.path.exists(model_path+".meta"):
tf_model_load(sess, model_path)
else:
model_train(sess, x, y, preds, X_train, Y_train, args=train_params,
save=os.path.exists("models"))
# Evaluate the accuracy of the MNIST model on legitimate test examples
eval_params = {'batch_size': batch_size}
accuracy = model_eval(sess, x, y, preds, X_test, Y_test, args=eval_params)
assert X_test.shape[0] == test_end - test_start, X_test.shape
print('Test accuracy on legitimate test examples: {0}'.format(accuracy))
report.clean_train_clean_eval = accuracy
###########################################################################
# Craft adversarial examples using Carlini and Wagner's approach
###########################################################################
print('Crafting ' + str(source_samples) + ' * ' + str(nb_classes-1) +
' adversarial examples')
print("This could take some time ...")
# Instantiate a CW attack object
wrap = KerasModelWrapper(model)
cw = CarliniWagnerL2(wrap, back='tf', sess=sess)
idxs = [np.where(np.argmax(Y_test, axis=1) == i)[0][0] for i in range(10)]
if targeted:
# Initialize our array for grid visualization
grid_shape = (nb_classes, nb_classes, img_rows, img_cols, channels)
grid_viz_data = np.zeros(grid_shape, dtype='f')
one_hot = np.zeros((10, 10))
one_hot[np.arange(10), np.arange(10)] = 1
adv_inputs = np.array([[instance] * 10 for instance in X_test[idxs]],
dtype=np.float32)
adv_inputs = adv_inputs.reshape((100, 28, 28, 1))
adv_ys = np.array([one_hot] * 10, dtype=np.float32).reshape((100, 10))
yname = "y_target"
else:
# Initialize our array for grid visualization
grid_shape = (nb_classes, 2, img_rows, img_cols, channels)
grid_viz_data = np.zeros(grid_shape, dtype='f')
adv_inputs = X_test[idxs]
adv_ys = None
yname = "y"
cw_params = {'binary_search_steps': 1,
yname: adv_ys,
'max_iterations': attack_iterations,
'learning_rate': 0.1,
'batch_size': 100 if targeted else 10,
'initial_const': 10}
adv = cw.generate_np(adv_inputs,
**cw_params)
if targeted:
adv_accuracy = model_eval(sess, x, y, preds, adv, adv_ys,
args={'batch_size': 10})
else:
adv_accuracy = 1-model_eval(sess, x, y, preds, adv, Y_test[idxs],
args={'batch_size': 10})
for j in range(10):
if targeted:
for i in range(10):
grid_viz_data[i, j] = adv[i * 10 + j]
else:
grid_viz_data[j, 0] = adv_inputs[j]
grid_viz_data[j, 1] = adv[j]
print(grid_viz_data.shape)
print('--------------------------------------')
# Compute the number of adversarial examples that were successfully found
print('Avg. rate of successful adv. examples {0:.4f}'.format(adv_accuracy))
report.clean_train_adv_eval = 1.-adv_accuracy
# Compute the average distortion introduced by the algorithm
percent_perturbed = np.mean(np.sum((adv - adv_inputs)**2,
axis=(1, 2, 3))**.5)
print('Avg. L_2 norm of perturbations {0:.4f}'.format(percent_perturbed))
# Close TF session
sess.close()
# Finally, block & display a grid of all the adversarial examples
if viz_enabled:
import matplotlib.pyplot as plt
_ = grid_visual(grid_viz_data)
return report
def main(argv=None):
"""
MNIST tutorial for the Jacobian-based saliency map approach (JSMA)
:return:
"""
# Set TF random seed to improve reproducibility
tf.set_random_seed(1234)
###########################################################################
# Define the dataset and model
###########################################################################
# Image dimensions ordering should follow the Theano convention
if keras.backend.image_dim_ordering() != 'tf':
keras.backend.set_image_dim_ordering('tf')
print("INFO: '~/.keras/keras.json' sets 'image_dim_ordering' "
"to 'th', temporarily setting to 'tf'")
# Create TF session and set as Keras backend session
sess = tf.Session()
keras.backend.set_session(sess)
print("Created TensorFlow session and set Keras backend.")
# Get MNIST test data
X_train, Y_train, X_test, Y_test = data_mnist()
print("Loaded MNIST test data.")
# Define input TF placeholder
x = tf.placeholder(tf.float32, shape=(None, 28, 28, 1))
y = tf.placeholder(tf.float32, shape=(None, 10))
# Define TF model graph
model = cnn_model()
predictions = model(x)
print("Defined TensorFlow model graph.")
###########################################################################
# Training the model using TensorFlow
###########################################################################
# Train an MNIST model if it does not exist in the train_dir folder
saver = tf.train.Saver()
save_path = os.path.join(FLAGS.train_dir, FLAGS.filename)
if os.path.isfile(save_path):
saver.restore(sess, os.path.join(FLAGS.train_dir, FLAGS.filename))
else:
train_params = {
'nb_epochs': FLAGS.nb_epochs,
'batch_size': FLAGS.batch_size,
'learning_rate': FLAGS.learning_rate
}
model_train(sess,
x,
y,
predictions,
X_train,
Y_train,
args=train_params)
saver.save(sess, save_path)
# Evaluate the accuracy of the MNIST model on legitimate test examples
eval_params = {'batch_size': FLAGS.batch_size}
accuracy = model_eval(sess,
x,
y,
predictions,
X_test,
Y_test,
args=eval_params)
assert X_test.shape[0] == 10000, X_test.shape
print('Test accuracy on legitimate test examples: {0}'.format(accuracy))
###########################################################################
# Craft adversarial examples using the Jacobian-based saliency map approach
###########################################################################
print('Crafting ' + str(FLAGS.source_samples) + ' * ' +
str(FLAGS.nb_classes - 1) + ' adversarial examples')
# This array indicates whether an adversarial example was found for each
# test set sample and target class
results = np.zeros((FLAGS.nb_classes, FLAGS.source_samples), dtype='i')
# This array contains the fraction of perturbed features for each test set
# sample and target class
perturbations = np.zeros((FLAGS.nb_classes, FLAGS.source_samples),
dtype='f')
# Define the TF graph for the model's Jacobian
grads = jacobian_graph(predictions, x, FLAGS.nb_classes)
# Initialize our array for grid visualization
grid_shape = (FLAGS.nb_classes, FLAGS.nb_classes, FLAGS.img_rows,
FLAGS.img_cols, FLAGS.nb_channels)
grid_viz_data = np.zeros(grid_shape, dtype='f')
# Loop over the samples we want to perturb into adversarial examples
for sample_ind in xrange(0, FLAGS.source_samples):
# We want to find an adversarial example for each possible target class
# (i.e. all classes that differ from the label given in the dataset)
current_class = int(np.argmax(Y_test[sample_ind]))
target_classes = other_classes(FLAGS.nb_classes, current_class)
# For the grid visualization, keep original images along the diagonal
grid_viz_data[current_class, current_class, :, :, :] = np.reshape(
X_test[sample_ind:(sample_ind + 1)],
(FLAGS.img_rows, FLAGS.img_cols, FLAGS.nb_channels))
# Loop over all target classes
for target in target_classes:
print('--------------------------------------')
print('Creating adv. example for target class ' + str(target))
# This call runs the Jacobian-based saliency map approach
adv_x, res, percent_perturb = jsma(sess,
x,
predictions,
grads,
X_test[sample_ind:(sample_ind +
1)],
target,
theta=1,
gamma=0.1,
increase=True,
back='tf',
clip_min=0,
clip_max=1)
# Display the original and adversarial images side-by-side
if FLAGS.viz_enabled:
if 'figure' not in vars():
figure = pair_visual(
np.reshape(X_test[sample_ind:(sample_ind + 1)],
(FLAGS.img_rows, FLAGS.img_cols)),
np.reshape(adv_x, (FLAGS.img_rows, FLAGS.img_cols)))
else:
figure = pair_visual(
np.reshape(X_test[sample_ind:(sample_ind + 1)],
(FLAGS.img_rows, FLAGS.img_cols)),
np.reshape(adv_x, (FLAGS.img_rows, FLAGS.img_cols)),
figure)
# Add our adversarial example to our grid data
grid_viz_data[target, current_class, :, :, :] = np.reshape(
adv_x, (FLAGS.img_rows, FLAGS.img_cols, FLAGS.nb_channels))
# Update the arrays for later analysis
results[target, sample_ind] = res
perturbations[target, sample_ind] = percent_perturb
# Compute the number of adversarial examples that were successfuly found
nb_targets_tried = ((FLAGS.nb_classes - 1) * FLAGS.source_samples)
succ_rate = float(np.sum(results)) / nb_targets_tried
print('Avg. rate of successful adv. examples {0:.2f}'.format(succ_rate))
# Compute the average distortion introduced by the algorithm
percent_perturbed = np.mean(perturbations)
print('Avg. rate of perturbed features {0:.2f}'.format(percent_perturbed))
# Compute the average distortion introduced for successful samples only
percent_perturb_succ = np.mean(perturbations * (results == 1))
print('Avg. rate of perturbed features for successful '
'adversarial examples {0:.2f}'.format(percent_perturb_succ))
# Close TF session
sess.close()
# Finally, block & display a grid of all the adversarial examples
if FLAGS.viz_enabled:
_ = grid_visual(grid_viz_data)
def main(argv=None):
"""
MNIST tutorial for the Jacobian-based saliency map approach (JSMA)
:return:
"""
# Disable Keras learning phase since we will be serving through tensorflow
keras.layers.core.K.set_learning_phase(0)
# Set TF random seed to improve reproducibility
tf.set_random_seed(1234)
# Image dimensions ordering should follow the Theano convention
if keras.backend.image_dim_ordering() != 'tf':
keras.backend.set_image_dim_ordering('tf')
print("INFO: '~/.keras/keras.json' sets 'image_dim_ordering' "
"to 'th', temporarily setting to 'tf'")
# Create TF session and set as Keras backend session
sess = tf.Session()
keras.backend.set_session(sess)
print("Created TensorFlow session and set Keras backend.")
# Get MNIST test data
X_train, Y_train, X_test, Y_test = data_mnist()
print("Loaded MNIST test data.")
# Define input TF placeholder
x = tf.placeholder(tf.float32, shape=(None, 28, 28, 1))
y = tf.placeholder(tf.float32, shape=(None, 10))
# Define TF model graph
model = cnn_model()
preds = model(x)
print("Defined TensorFlow model graph.")
###########################################################################
# Training the model using TensorFlow
###########################################################################
# Train an MNIST model if it does not exist in the train_dir folder
saver = tf.train.Saver()
save_path = os.path.join(FLAGS.train_dir, FLAGS.filename)
if os.path.isfile(save_path):
saver.restore(sess, os.path.join(FLAGS.train_dir, FLAGS.filename))
else:
train_params = {
'nb_epochs': FLAGS.nb_epochs,
'batch_size': FLAGS.batch_size,
'learning_rate': FLAGS.learning_rate
}
model_train(sess, x, y, preds, X_train, Y_train,
args=train_params)
saver.save(sess, save_path)
# Evaluate the accuracy of the MNIST model on legitimate test examples
eval_params = {'batch_size': FLAGS.batch_size}
accuracy = model_eval(sess, x, y, preds, X_test, Y_test,
args=eval_params)
assert X_test.shape[0] == 10000, X_test.shape
print('Test accuracy on legitimate test examples: {0}'.format(accuracy))
###########################################################################
# Craft adversarial examples using the Jacobian-based saliency map approach
###########################################################################
print('Crafting ' + str(FLAGS.source_samples) + ' * ' +
str(FLAGS.nb_classes-1) + ' adversarial examples')
# Keep track of success (adversarial example classified in target)
results = np.zeros((FLAGS.nb_classes, FLAGS.source_samples), dtype='i')
# Rate of perturbed features for each test set example and target class
perturbations = np.zeros((FLAGS.nb_classes, FLAGS.source_samples),
dtype='f')
# Initialize our array for grid visualization
grid_shape = (FLAGS.nb_classes,
FLAGS.nb_classes,
FLAGS.img_rows,
FLAGS.img_cols,
FLAGS.nb_channels)
grid_viz_data = np.zeros(grid_shape, dtype='f')
# Define the SaliencyMapMethod attack object
jsma = SaliencyMapMethod(model, back='tf', sess=sess)
# Loop over the samples we want to perturb into adversarial examples
for sample_ind in xrange(0, FLAGS.source_samples):
print('--------------------------------------')
print('Attacking input %i/%i' % (sample_ind + 1, FLAGS.source_samples))
# We want to find an adversarial example for each possible target class
# (i.e. all classes that differ from the label given in the dataset)
current_class = int(np.argmax(Y_test[sample_ind]))
target_classes = other_classes(FLAGS.nb_classes, current_class)
# For the grid visualization, keep original images along the diagonal
grid_viz_data[current_class, current_class, :, :, :] = np.reshape(
X_test[sample_ind:(sample_ind+1)],
(FLAGS.img_rows, FLAGS.img_cols, FLAGS.nb_channels))
# Loop over all target classes
for target in target_classes:
print('Generating adv. example for target class %i' % target)
# This call runs the Jacobian-based saliency map approach
one_hot_target = np.zeros((1, FLAGS.nb_classes), dtype=np.float32)
one_hot_target[0, target] = 1
jsma_params = {'theta': 1., 'gamma': 0.1,
'nb_classes': FLAGS.nb_classes, 'clip_min': 0.,
'clip_max': 1., 'targets': y,
'y_val': one_hot_target}
adv_x = jsma.generate_np(X_test[sample_ind:(sample_ind+1)],
**jsma_params)
# Check if success was achieved
res = int(model_argmax(sess, x, preds, adv_x) == target)
# Computer number of modified features
adv_x_reshape = adv_x.reshape(-1)
test_in_reshape = X_test[sample_ind].reshape(-1)
nb_changed = np.where(adv_x_reshape != test_in_reshape)[0].shape[0]
percent_perturb = float(nb_changed) / adv_x.reshape(-1).shape[0]
# Display the original and adversarial images side-by-side
if FLAGS.viz_enabled:
if 'figure' not in vars():
figure = pair_visual(
np.reshape(X_test[sample_ind:(sample_ind+1)],
(FLAGS.img_rows, FLAGS.img_cols)),
np.reshape(adv_x,
(FLAGS.img_rows, FLAGS.img_cols)))
else:
figure = pair_visual(
np.reshape(X_test[sample_ind:(sample_ind+1)],
(FLAGS.img_rows, FLAGS.img_cols)),
np.reshape(adv_x, (FLAGS.img_rows,
FLAGS.img_cols)), figure)
# Add our adversarial example to our grid data
grid_viz_data[target, current_class, :, :, :] = np.reshape(
adv_x, (FLAGS.img_rows, FLAGS.img_cols, FLAGS.nb_channels))
# Update the arrays for later analysis
results[target, sample_ind] = res
perturbations[target, sample_ind] = percent_perturb
print('--------------------------------------')
# Compute the number of adversarial examples that were successfully found
nb_targets_tried = ((FLAGS.nb_classes - 1) * FLAGS.source_samples)
succ_rate = float(np.sum(results)) / nb_targets_tried
print('Avg. rate of successful adv. examples {0:.4f}'.format(succ_rate))
# Compute the average distortion introduced by the algorithm
percent_perturbed = np.mean(perturbations)
print('Avg. rate of perturbed features {0:.4f}'.format(percent_perturbed))
# Compute the average distortion introduced for successful samples only
percent_perturb_succ = np.mean(perturbations * (results == 1))
print('Avg. rate of perturbed features for successful '
'adversarial examples {0:.4f}'.format(percent_perturb_succ))
# Close TF session
sess.close()
# Finally, block & display a grid of all the adversarial examples
if FLAGS.viz_enabled:
_ = grid_visual(grid_viz_data)
def main():
"""
MNIST cleverhans tutorial
:return:
"""
if not hasattr(backend, "theano"):
raise RuntimeError("This tutorial requires keras to be configured"
" to use the Theano backend.")
# Image dimensions ordering should follow the Theano convention
if keras.backend.image_dim_ordering() != 'th':
keras.backend.set_image_dim_ordering('th')
print(
"INFO: '~/.keras/keras.json' sets 'image_dim_ordering' to 'tf', temporarily setting to 'th'"
)
import argparse
parser = argparse.ArgumentParser()
parser.add_argument('--batch_size',
'-b',
default=128,
help='Size of training batches')
parser.add_argument('--train_dir',
'-d',
default='/tmp',
help='Directory storing the saved model.')
parser.add_argument('--filename',
'-f',
default='mnist.ckpt',
help='Filename to save model under.')
parser.add_argument('--nb_epochs',
'-e',
default=6,
type=int,
help='Number of epochs to train model')
parser.add_argument('--learning_rate',
'-lr',
default=0.5,
type=float,
help='Learning rate for training')
args = parser.parse_args()
# Get MNIST test data
X_train, Y_train, X_test, Y_test = data_mnist()
print("Loaded MNIST test data.")
assert Y_train.shape[1] == 10.
label_smooth = .1
Y_train = Y_train.clip(label_smooth / 9., 1. - label_smooth)
# Define input Theano placeholder
x_shape = (None, 1, 28, 28)
y_shape = (None, 10)
x = T.tensor4('x')
y = T.matrix('y')
# Define Theano model graph
model = cnn_model()
model.build(x_shape)
predictions = model(x)
print("Defined Theano model graph.")
def evaluate():
# Evaluate the accuracy of the MNIST model on legitimate test examples
accuracy = th_model_eval(x, y, predictions, X_test, Y_test, args=args)
assert X_test.shape[0] == 10000, X_test.shape
print('Test accuracy on legitimate test examples: ' + str(accuracy))
pass
# Train an MNIST model
th_model_train(x,
y,
predictions,
model.trainable_weights,
X_train,
Y_train,
evaluate=evaluate,
args=args)
# Craft adversarial examples using Fast Gradient Sign Method (FGSM)
adv_x = fgsm(x, predictions, eps=0.3)
X_test_adv, = batch_eval([x], [adv_x], [X_test], args=args)
assert X_test_adv.shape[0] == 10000, X_test_adv.shape
# Evaluate the accuracy of the MNIST model on adversarial examples
accuracy = th_model_eval(x, y, predictions, X_test_adv, Y_test, args=args)
print('Test accuracy on adversarial examples: ' + str(accuracy))
print("Repeating the process, using adversarial training")
# Redefine Theano model graph
model_2 = cnn_model()
model_2.build(x_shape)
predictions_2 = model_2(x)
adv_x_2 = fgsm(x, predictions_2, eps=0.3)
predictions_2_adv = model_2(adv_x_2)
def evaluate_2():
# Evaluate the accuracy of the adversarialy trained MNIST model on
# legitimate test examples
accuracy = th_model_eval(x,
y,
predictions_2,
X_test,
Y_test,
args=args)
print('Test accuracy on legitimate test examples: ' + str(accuracy))
# Evaluate the accuracy of the adversarially trained MNIST model on
# adversarial examples
accuracy_adv = th_model_eval(x,
y,
predictions_2_adv,
X_test,
Y_test,
args=args)
print('Test accuracy on adversarial examples: ' + str(accuracy_adv))
# Perform adversarial training
th_model_train(x,
y,
predictions_2,
model_2.trainable_weights,
X_train,
Y_train,
predictions_adv=predictions_2_adv,
evaluate=evaluate_2,
args=args)
y_test = np_utils.to_categorical(y_test, 10)
#x_train, y_train, x_test, y_test = data_mnist()
assert y_train.shape[1] == 10.
label_smooth = .1
y_train = y_train.clip(label_smooth / 9., 1. - label_smooth)
autoencoder.fit(x_train,
x_train,
epochs=25,
batch_size=128,
shuffle=True,
validation_data=(x_test, x_test))
model = cnn_model()
predictions_2 = model(input_img)
fgsm = FastGradientMethod(model, sess=sess) # new object
fgsm_params = {'eps': 0.3} # parameters
adv_x = fgsm.generate(input_img, **fgsm_params)
predictions_2_adv = encoder(adv_x)
def evaluate_2():
# Accuracy of adversarially trained model on legitimate test inputs
eval_params = {'batch_size': FLAGS.batch_size}
accuracy = model_eval(sess,
input_img,
y,
predictions_2,
x_test,
