Exemple #1
0
    def read_data(self, train_path_list, test_path_list, class_num):
        x_train = []
        y_train = []
        x_test = []
        y_test = []

        for image_file_path, label in train_path_list:
            image = cv2.imread(image_file_path)
            image = cv2.resize(image, (IMG_SIZE["CUB"], IMG_SIZE["CUB"]))
            x_train.append(image)
            y_train.append(label)

        for image_file_path, label in test_path_list:
            image = cv2.imread(image_file_path)
            image = cv2.resize(image, (IMG_SIZE["CUB"], IMG_SIZE["CUB"]))
            x_test.append(image)
            y_test.append(label)
        x_train = np.asarray(x_train)
        x_test = np.asarray(x_test)
        x_train = convert_image(x_train)
        x_test = convert_image(x_test)
        y_train = utils.to_categorical(np.array(y_train),
                                       nb_classes=class_num).astype(np.float32)
        y_test = utils.to_categorical(np.array(y_test),
                                      nb_classes=class_num).astype(np.float32)
        return x_train, y_train, x_test, y_test
Exemple #2
0
def data_AWA2(datadir, class_num=len(AWA2_ALL_FOLDER)):

    x_train = []
    y_train = []
    x_test = []
    y_test = []

    for folder in os.listdir(datadir):

        label = AWA2_ALL_FOLDER.index(folder)
        if folder in AWA2_TRAIN_CLASSES:
            x = x_train
            y = y_train
        elif folder in AWA2_TEST_CLASSES:
            x = x_test
            y = y_test
        else:
            raise Exception("class {} is not in train and test".format(folder))
        for image_file_name in os.listdir(datadir + "/" + folder):
            image_file_path = os.path.join(datadir, folder, image_file_name)
            image = cv2.imread(image_file_path)
            image = cv2.resize(image, (IMG_SIZE["AWA2"], IMG_SIZE["AWA2"]))
            x.append(image)
            y.append(label)

    x_train = np.asarray(x_train)
    x_test = np.asarray(x_test)
    x_train = convert_image(x_train)
    x_test = convert_image(x_test)
    y_train = utils.to_categorical(np.array(y_train),
                                   nb_classes=class_num).astype(np.float32)
    y_test = utils.to_categorical(np.array(y_test),
                                  nb_classes=class_num).astype(np.float32)

    return x_train, y_train, x_test, y_test
Exemple #3
0
def data_imagenet_train(datadir,
                        class_num,
                        train_start=0,
                        train_end=60000,
                        test_start=0,
                        test_end=10000):
    assert isinstance(train_start, int)
    assert isinstance(train_end, int)
    assert isinstance(test_start, int)
    assert isinstance(test_end, int)
    x_train = []
    y_train = []
    MiniImageNet_All_Category = sorted(os.listdir(datadir))
    for folder in os.listdir(datadir):
        label = MiniImageNet_All_Category.index(folder)
        for image_file_name in os.listdir(datadir + "/" + folder):
            image_file_path = os.path.join(datadir, folder, image_file_name)
            image = cv2.imread(image_file_path)  # FIXME BGR
            image = cv2.resize(image, (224, 224))
            x_train.append(image)
            y_train.append(label)
    x_train = np.asarray(x_train)
    y_train = np.asarray(y_train, dtype=np.int32)
    x_train = convert_image(x_train).astype('float32')
    y_train = utils.to_categorical(y_train,
                                   nb_classes=class_num).astype('float32')
    return x_train, y_train
Exemple #4
0
def data_imagenet_validation(datadir,
                             class_num,
                             category_names,
                             train_start=0,
                             train_end=60000,
                             test_start=0,
                             test_end=10000):
    assert isinstance(train_start, int)
    assert isinstance(train_end, int)
    assert isinstance(test_start, int)
    assert isinstance(test_end, int)

    x_val = []
    y_val = []
    file_name_to_category_id = {}
    with open(datadir + "/val_annotations.txt", "r") as file_obj:
        for line in file_obj:
            image_file_name, category_name, *_ = line.split()
            file_name_to_category_id[datadir + "/images/{}".format(
                image_file_name)] = category_names.index(category_name)
    for image_file_path, label in file_name_to_category_id.items():
        image = cv2.imread(image_file_path)
        x_val.append(image)
        y_val.append(label)
    x_val = np.asarray(x_val)
    y_val = np.asarray(y_val, dtype=np.int32)
    x_val = convert_image(x_val).astype('float32')
    y_val = utils.to_categorical(y_val, nb_classes=class_num).astype('float32')
    return x_val, y_val
Exemple #5
0
def data_imagenet_train(datadir,
                        class_num,
                        category_names,
                        train_start=0,
                        train_end=60000,
                        test_start=0,
                        test_end=10000):
    assert isinstance(train_start, int)
    assert isinstance(train_end, int)
    assert isinstance(test_start, int)
    assert isinstance(test_end, int)
    x_train = []
    y_train = []
    for folder in os.listdir(datadir):
        label = category_names.index(folder)
        for image_file_name in os.listdir(datadir + "/" + folder + "/images"):
            image_file_path = os.path.join(datadir, folder, "images",
                                           image_file_name)
            image = cv2.imread(image_file_path)
            x_train.append(image)
            y_train.append(label)
    x_train = np.asarray(x_train)
    y_train = np.asarray(y_train, dtype=np.int32)
    x_train = convert_image(x_train).astype('float32')
    y_train = utils.to_categorical(y_train,
                                   nb_classes=class_num).astype('float32')
    return x_train, y_train
Exemple #6
0
def train_sub(sess, x, y, bbox_preds, X_sub, Y_sub, nb_classes,
              nb_epochs_s, batch_size, learning_rate, data_aug, lmbda,
              rng):
    """
    This function creates the substitute by alternatively
    augmenting the training data and training the substitute.
    :param sess: TF session
    :param x: input TF placeholder
    :param y: output TF placeholder
    :param bbox_preds: output of black-box model predictions
    :param X_sub: initial substitute training data
    :param Y_sub: initial substitute training labels
    :param nb_classes: number of output classes
    :param nb_epochs_s: number of epochs to train substitute model
    :param batch_size: size of training batches
    :param learning_rate: learning rate for training
    :param data_aug: number of times substitute training data is augmented
    :param lmbda: lambda from arxiv.org/abs/1602.02697
    :param rng: numpy.random.RandomState instance
    :return:
    """
    # Define TF model graph (for the black-box model)
    model_sub = substitute_model()
    preds_sub = model_sub(x)
    log_raw.info("Defined TensorFlow model graph for the substitute.")

    # Define the Jacobian symbolically using TensorFlow
    grads = jacobian_graph(preds_sub, x, nb_classes)

    # Train the substitute and augment dataset alternatively
    for rho in xrange(data_aug):
        log_raw.info("Substitute training epoch #" + str(rho))
        train_params = {
            'nb_epochs': nb_epochs_s,
            'batch_size': batch_size,
            'learning_rate': learning_rate
        }
        model_train(sess, x, y, preds_sub, X_sub, to_categorical(Y_sub),
                    init_all=False, verbose=False, args=train_params,
                    rng=rng)

        # If we are not at last substitute training iteration, augment dataset
        if rho < data_aug - 1:
            log_raw.info("Augmenting substitute training data.")
            # Perform the Jacobian augmentation
            X_sub = jacobian_augmentation(sess, x, X_sub, Y_sub, grads, lmbda)

            log_raw.info("Labeling substitute training data.")
            # Label the newly generated synthetic points using the black-box
            Y_sub = np.hstack([Y_sub, Y_sub])
            X_sub_prev = X_sub[int(len(X_sub)/2):]
            eval_params = {'batch_size': batch_size}
            bbox_val = batch_eval(sess, [x], [bbox_preds], [X_sub_prev],
                                  args=eval_params)[0]
            # Note here that we take the argmax because the adversary
            # only has access to the label (not the probabilities) output
            # by the black-box model
            Y_sub[int(len(X_sub)/2):] = np.argmax(bbox_val, axis=1)

    return model_sub, preds_sub
Exemple #7
0
def data_mnist(
    datadir=tempfile.gettempdir(),
    train_start=0,
    train_end=60000,
    test_start=0,
    test_end=10000,
):
    """
    Load and preprocess MNIST dataset
    :param datadir: path to folder where data should be stored
    :param train_start: index of first training set example
    :param train_end: index of last training set example
    :param test_start: index of first test set example
    :param test_end: index of last test set example
    :return: tuple of four arrays containing training data, training labels,
             testing data and testing labels.
    """
    assert isinstance(train_start, int)
    assert isinstance(train_end, int)
    assert isinstance(test_start, int)
    assert isinstance(test_end, int)

    X_train = (
        download_and_parse_mnist_file("train-images-idx3-ubyte.gz", datadir=datadir)
        / 255.0
    )
    Y_train = download_and_parse_mnist_file(
        "train-labels-idx1-ubyte.gz", datadir=datadir
    )
    X_test = (
        download_and_parse_mnist_file("t10k-images-idx3-ubyte.gz", datadir=datadir)
        / 255.0
    )
    Y_test = download_and_parse_mnist_file("t10k-labels-idx1-ubyte.gz", datadir=datadir)

    X_train = np.expand_dims(X_train, -1)
    X_test = np.expand_dims(X_test, -1)

    X_train = X_train[train_start:train_end]
    Y_train = Y_train[train_start:train_end]
    X_test = X_test[test_start:test_end]
    Y_test = Y_test[test_start:test_end]

    Y_train = utils.to_categorical(Y_train, nb_classes=10)
    Y_test = utils.to_categorical(Y_test, nb_classes=10)
    return X_train, Y_train, X_test, Y_test
Exemple #8
0
 def __init__(self,
              data_dir,
              train_start=0,
              train_end=60000,
              test_start=0,
              test_end=10000,
              center=False,
              max_val=1.,
              num_classes=20,
              arch=""):
     kwargs = locals()
     if '__class__' in kwargs:
         del kwargs['__class__']
     super(MiniImageNet, self).__init__(kwargs)
     adv_root_dir = ILSVRC12_ROOT_DIR + "/adversarial_images/{}".format(
         arch)
     train_clean_file = adv_root_dir + "/clean_untargeted_train.npz"
     test_clean_file = adv_root_dir + "/clean_untargeted_test.npz"
     if os.path.exists(train_clean_file) and os.path.exists(
             test_clean_file
     ):  # for saving memory, directly load pre-generated data (pixel value range: [0,1])
         train_npz = np.load(train_clean_file)
         test_npz = np.load(test_clean_file)
         x_train, y_train = train_npz["adv_images"], utils.to_categorical(
             train_npz["gt_label"],
             nb_classes=num_classes).astype('float32')
         print('npz train data read over')
         x_test, y_test = test_npz["adv_images"], utils.to_categorical(
             test_npz["gt_label"], nb_classes=num_classes).astype('float32')
         print('npz test data read over')
     else:
         x_test, y_test = data_imagenet_validation(data_dir + "/test",
                                                   num_classes,
                                                   train_start=train_start,
                                                   train_end=train_end,
                                                   test_start=test_start,
                                                   test_end=test_end)
         print('test original image data read over')
         x_train, y_train = data_imagenet_train(
             data_dir + "/train", num_classes)  # dummpy useless
         print('train original image data read over')
     self.x_test = x_test
     self.y_test = y_test
     self.x_train = x_train
     self.y_train = y_train
Exemple #9
0
def train_sub(sess, x, y, bb_model, X_sub, Y_sub, nb_classes,
              nb_epochs_s, batch_size, learning_rate, data_aug, lmbda,
              rng):
    """
    This function creates the substitute by alternatively
    augmenting the training data and training the substitute.
    :param sess: TF session
    :param x: input TF placeholder
    :param y: output TF placeholder
    :param bbox_preds: output of black-box model predictions
    :param X_sub: initial substitute training data
    :param Y_sub: initial substitute training labels
    :param nb_classes: number of output classes
    :param nb_epochs_s: number of epochs to train substitute model
    :param batch_size: size of training batches
    :param learning_rate: learning rate for training
    :param data_aug: number of times substitute training data is augmented
    :param lmbda: lambda from arxiv.org/abs/1602.02697
    :param rng: numpy.random.RandomState instance
    :return:
    """
    # Define TF model graph (for the black-box model)
    model_sub = substitute_model(img_cols=X_sub.shape[1])
    preds_sub = model_sub(x)
    print("Defined TensorFlow model graph for the substitute.")

    # Define the Jacobian symbolically using TensorFlow
    grads = jacobian_graph(preds_sub, x, nb_classes)
    # Train the substitute and augment dataset alternatively
    for rho in xrange(data_aug):
        print("Substitute training epoch #" + str(rho))
        train_params = {
            'nb_epochs': nb_epochs_s,
            'batch_size': batch_size,
            'learning_rate': learning_rate
        }
        with TemporaryLogLevel(logging.WARNING, "cleverhans.utils.tf"):
            model_train(sess, x, y, preds_sub, X_sub,
                        to_categorical(Y_sub, nb_classes),
                        init_all=False, args=train_params, rng=rng)

        # If we are not at last substitute training iteration, augment dataset
        if rho < data_aug - 1:
            print("Augmenting substitute training data.")
            # Perform the Jacobian augmentation
            lmbda_coef = 2 * int(int(rho / 3) != 0) - 1
            X_sub = jacobian_augmentation(sess, x, X_sub, Y_sub, grads,
                                          lmbda_coef * lmbda)
            
            print("Labeling substitute training data.")
            # Label the newly generated synthetic points using the black-box
            Y_sub = numpy.hstack([Y_sub, Y_sub])
            X_sub_prev = X_sub[int(len(X_sub)/2):] #on a double le dataset donc prev = ce qu'il y a de nouveau = la moitie
            eval_params = {'batch_size': batch_size}
            bbox_val = bb_model.predict(X_sub_prev)
            Y_sub[int(len(X_sub)/2):] = numpy.argmax(bbox_val, axis=1)
    return model_sub, preds_sub
Exemple #10
0
 def __init__(self,
              data_dir,
              train_start=0,
              train_end=60000,
              test_start=0,
              test_end=10000,
              center=False,
              max_val=1.,
              num_classes=200):
     kwargs = locals()
     if '__class__' in kwargs:
         del kwargs['__class__']
     super(TinyImageNet, self).__init__(kwargs)
     category_names = sorted(os.listdir(data_dir + "/train/"))
     adv_root_dir = "{}/conv4/".format(TINY_IMAGENET_OUTPUT_DATA_DIR)
     train_clean_file = adv_root_dir + "/clean_untargeted_train.npz"
     test_clean_file = adv_root_dir + "/clean_untargeted_test.npz"
     if os.path.exists(train_clean_file) and os.path.exists(
             test_clean_file):
         train_npz = np.load(train_clean_file)
         test_npz = np.load(test_clean_file)
         x_train, y_train = train_npz["adv_images"], utils.to_categorical(
             train_npz["gt_label"],
             nb_classes=num_classes).astype('float32')
         print('npz train data read over')
         x_test, y_test = test_npz["adv_images"], utils.to_categorical(
             test_npz["gt_label"], nb_classes=num_classes).astype('float32')
         print('npz test data read over')
     else:
         x_test, y_test = data_imagenet_validation(data_dir + "/val",
                                                   num_classes,
                                                   category_names,
                                                   train_start=train_start,
                                                   train_end=train_end,
                                                   test_start=test_start,
                                                   test_end=test_end)
         print('test original image data read over')
         x_train, y_train = data_imagenet_train(data_dir + "/train",
                                                num_classes, category_names)
         print('train original image data read over')
     self.x_test = x_test
     self.y_test = y_test
     self.x_train = x_train
     self.y_train = y_train
Exemple #11
0
def data_svhn(datadir=tempfile.gettempdir(),
              train_start=0,
              train_end=73257,
              test_start=0,
              test_end=26032):
    """
    Load and preprocess MNIST dataset
    :param datadir: path to folder where data should be stored
    :param train_start: index of first training set example
    :param train_end: index of last training set example
    :param test_start: index of first test set example
    :param test_end: index of last test set example
    :return: tuple of four arrays containing training data, training labels,
             testing data and testing labels.
    """
    assert isinstance(train_start, int)
    assert isinstance(train_end, int)
    assert isinstance(test_start, int)
    assert isinstance(test_end, int)

    train_set = download_and_parse_svhn_file('train_32x32.mat',
                                             datadir=datadir)
    test_set = download_and_parse_svhn_file('test_32x32.mat', datadir=datadir)
    # change format from [H, W, C, B] to [B, H, W, C] for feeding to Tensorflow
    X_train = np.transpose(train_set['X'], [3, 0, 1, 2]) / 255.
    Y_train = train_set['y'] - 1  # 0-based label
    X_test = np.transpose(test_set['X'], [3, 0, 1, 2]) / 255.
    Y_test = test_set['y'] - 1  # 0-based label

    X_train = X_train[train_start:train_end]
    Y_train = Y_train[train_start:train_end]
    X_test = X_test[test_start:test_end]
    Y_test = Y_test[test_start:test_end]

    Y_train = utils.to_categorical(Y_train, num_classes=10)
    Y_test = utils.to_categorical(Y_test, num_classes=10)
    return X_train, Y_train, X_test, Y_test
Exemple #12
0
def train_substitute(bbox_preds, x_sub, y_sub, nb_classes,
              nb_epochs_s, batch_size, lr, data_aug, lmbda,
              aug_batch_size, rng, img_rows=28, img_cols=28,
              nchannels=1):
    model_sub = ModelSubstitute('model_s', nb_classes)
    preds_sub = model_sub.get_logits(x)
    loss_sub = CrossEntropy(model_sub, smoothing=0)

    print("Defined TensorFlow model graph for the substitute.")

    grads = jacobian_graph(preds_sub, x, nb_classes)

    for i in xrange(data_aug):
        print("Substitute training epoch #" + str(i))
        train_params = {
            'nb_epochs': nb_epochs_s,
            'batch_size': batch_size,
            'learning_rate': lr
        }
        with TemporaryLogLevel(logging.WARNING, "cleverhans.utils.tf"):
            train(sess, loss_sub, x_sub, to_categorical(y_sub, nb_classes),
                  init_all=False, args=train_params, rng=rng,
                  var_list=model_sub.get_params())

        if i < data_aug - 1:
            print("Augmenting substitute training data.")
            lmbda_coef = 2 * int(int(i / 3) != 0) - 1
            x_sub = jacobian_augmentation(sess, x, x_sub, y_sub, grads,
                                          lmbda_coef * lmbda, aug_batch_size)

            print("Labeling substitute training data.")
            y_sub = np.hstack([y_sub, y_sub])
            x_sub_prev = x_sub[int(len(x_sub) / 2):]
            eval_params = {'batch_size': batch_size}
            bbox_val = batch_eval(sess, [x], [bbox_preds], [x_sub_prev],
                                  args=eval_params)[0]

            y_sub[int(len(x_sub) / 2):] = np.argmax(bbox_val, axis=1)
    show_plot(x_sub, y_sub)
    return model_sub, preds_sub, x_sub, y_sub
Exemple #13
0
 def test_to_categorical_no_nb_classes_arg(self):
     vec = np.asarray([0, 1, 2])
     cat = np.asarray([[1, 0, 0],
                       [0, 1, 0],
                       [0, 0, 1]])
     self.assertTrue(np.all(utils.to_categorical(vec) == cat))
Exemple #14
0
def train_sub(sess,
              x,
              y,
              bbox_preds,
              X_sub,
              Y_sub,
              nb_classes,
              nb_epochs_s,
              batch_size,
              learning_rate,
              data_aug,
              lmbda,
              rng,
              substitute_model=None):
    """This function trains the substitute model as described in
        arxiv.org/abs/1602.02697

    Args:
        sess: TF session
        x: input TF placeholder
        y: output TF placeholder
        bbox_preds: output of black-box model predictions
        X_sub: initial substitute training data
        Y_sub: initial substitute training labels
        nb_classes: number of output classes
        nb_epochs_s: number of epochs to train substitute model
        batch_size: size of training batches
        learning_rate: learning rate for training
        data_aug: number of times substitute training data is augmented
        lmbda: lambda from arxiv.org/abs/1602.02697
        rng: numpy.random.RandomState instance
    
    Returns:
        model_sub: The substitute model function.
        preds_sub: The substitute prediction tensor.
    """
    # Define TF model graph (for the black-box model).
    model_sub = substitute_model
    preds_sub = model_sub(x)
    print("Defined TensorFlow model graph for the substitute.")

    # Define the Jacobian symbolically using TensorFlow.
    grads = jacobian_graph(preds_sub, x, nb_classes)

    # Train the substitute and augment dataset alternatively.
    for rho in xrange(data_aug):
        print("Substitute training epoch #" + str(rho))
        train_params = {
            'nb_epochs': nb_epochs_s,
            'batch_size': batch_size,
            'learning_rate': learning_rate
        }
        model_train(sess,
                    x,
                    y,
                    preds_sub,
                    X_sub,
                    to_categorical(Y_sub),
                    init_all=False,
                    args=train_params,
                    rng=rng,
                    feed={K.learning_phase(): 1})

        # If we are not at last substitute training iteration, augment dataset.
        if rho < data_aug - 1:

            print("Augmenting substitute training data.")
            # Perform the Jacobian augmentation.
            X_sub = jacobian_augmentation(sess,
                                          x,
                                          X_sub,
                                          Y_sub,
                                          grads,
                                          lmbda,
                                          feed={K.learning_phase(): 0})

            print("Labeling substitute training data.")
            # Label the newly generated synthetic points using the black-box.
            Y_sub = np.hstack([Y_sub, Y_sub])
            X_sub_prev = X_sub[int(len(X_sub) / 2):]
            eval_params = {'batch_size': batch_size}

            # To initialize the local variables of Defense-GAN.
            sess.run(tf.local_variables_initializer())

            bbox_val = batch_eval(sess, [x], [bbox_preds], [X_sub_prev],
                                  args=eval_params,
                                  feed={K.learning_phase(): 0})[0]
            # Note here that we take the argmax because the adversary
            # only has access to the label (not the probabilities) output
            # by the black-box model.
            Y_sub[int(len(X_sub) / 2):] = np.argmax(bbox_val, axis=1)

    return model_sub, preds_sub
Exemple #15
0
def mdt(model,
        data_dir,
        checkpoint_dir,
        train_dir='./tmp/cifar10_train',
        adversarial_dir='./tmp/cifar10_adv',
        batch_size=128,
        data_aug=False,
        data_norm=True):

    # train model
    if not tf.gfile.Exists(train_dir):
        # set input and get logits
        images, labels = mdt_cifar10_input.inputs(False, data_dir, batch_size,
                                                  data_aug, data_norm)

        labels = tf.cast(labels, tf.int64)
        # target = False
        # adv_output_layer = 'adv_bounddecoder6'
        # loss = adv_net_loss(images, model, labels, target, adv_output_layer, 0, 10)
        logits = model(images)
        loss = stand_loss(logits, labels)
        train_process(model, loss, images, label, train_dir, batch_size)

    # define dataset format
    img_rows = 32
    img_cols = 32
    channels = 3
    nb_classes = 10

    # Define input TF placeholder
    x = tf.placeholder(tf.float32, shape=(None, img_rows, img_cols, channels))
    y = tf.placeholder(tf.float32, shape=(None, nb_classes))

    # Get predict tensor
    pred = model(x)

    sess = tf.Session()

    if not checkpoint_load(sess, checkpoint_dir):
        return False

    # fetch data
    cifar10_data.maybe_download_and_return_python(data_dir)
    X, Y = mdt_cifar10_input.numpy_input(True, data_dir)

    # create one-hot Y
    one_hot_Y = to_categorical(Y, nb_classes)

    # create mode feed
    train_feed = mode_feed(sess, True)
    eval_feed = mode_feed(sess, False)

    fgsm_params = {'eps': 1, 'clip_min': 0., 'clip_max': 255.}
    fgsm = FastGradientMethod(model, sess=sess)
    adv_x = fgsm.generate(x, **fgsm_params)
    preds_adv = model.get_probs(adv_x)

    # eval model accuracy
    class_accuracy, accuracy = model_eval_each_class(sess,
                                                     x,
                                                     y,
                                                     pred,
                                                     10,
                                                     X,
                                                     one_hot_Y,
                                                     feed=eval_feed,
                                                     args={'batch_size': 128})
    print('model accuracy: {0}'.format(accuracy))

    for i in range(10):
        print('class {0} accuracy: {1}'.format(i, class_accuracy[i]))

    # eval model's accuacy in cw adversarial examples
    fgsm_accuracy = model_eval(sess,
                               x,
                               y,
                               preds_adv,
                               X,
                               one_hot_Y,
                               feed=eval_feed,
                               args={'batch_size': 128})
    print('model fgsm_accuracy: {0}'.format(fgsm_accuracy))

    jsma_params = {
        'theta': 1.,
        'gamma': 0.1,
        'clip_min': 0.,
        'clip_max': 1.,
        'y_target': None
    }

    X = X[:128]
    Y = one_hot_Y[:128]
    adv_feed = {x: X, y: one_hot_Y}
    adv_feed.update(eval_feed)
    sta = time.time()
    adv_X_ = sess.run(adv_x, feed_dict=adv_feed)
    end = time.time()
    duration = end - sta
    print('finished in {0} seconds'.format(duration))

    l2_dis = calculate_l2_dis(X / 255, adv_X_ / 255)
    print('adversarial examples\' mean l2 distance: {0}'.format(l2_dis))
Exemple #16
0
# loading data
select_data_id = int(sys.argv[1])
count = select_data_id - 1
record = "A{:05d}".format(select_data_id)

# select attack target
target = int(sys.argv[2])
# perturb window size
perturb_window = int(sys.argv[3])


print("Loading ground truth file")
csvfile = list(csv.reader(open('REFERENCE-v3.csv')))
ground_truth_label = csvfile[count][1]
ground_truth = classes.index(ground_truth_label)
ground_truth_a = utils.to_categorical(ground_truth, num_classes=4)
print("Record {} ground truth: {}".format(record, ground_truth_label))

# loading perturbation
filename = './output/' + str(ground_truth) + '/LDM_Attack_w' + str(perturb_window) + '_l2_A' + record + 'T' + str(target) + '.out'
perturb = genfromtxt(filename, delimiter=',')
perturb = np.expand_dims(perturb, axis=0)
perturb = np.expand_dims(perturb, axis=2)

# max possible shifting transformation
if perturb_window == 9000:
    maxpos = 9000
else:
    maxpos = 9000-perturb_window

# select target samples
Exemple #17
0
    #data = mat_data['val'].squeeze()
    data = mat_data['val']
    print(data.shape)

    #--- Processing data
    data = preprocess(data, WINDOW_SIZE)
    X_test = np.float32(data)

    #--- Read the ground truth label, Change it to one-shot form
    ground_truth_label = csvfile[fid - 1][1]
    ground_truth = classes.index(ground_truth_label)
    print('Ground truth:{}'.format(ground_truth))

    Y_test = np.zeros((1, 1))
    Y_test[0, 0] = ground_truth
    Y_test = utils.to_categorical(Y_test, num_classes=4)

    #--- Prepare the target labels for targeted attack
    for i in range(4):
        if (i == ground_truth):
            continue

        target = np.zeros((1, 1))
        target[0, 0] = i
        target = utils.to_categorical(target, num_classes=4)
        target = np.float32(target)

        #--- Attacking...
        ecgadvDiff_params = {'y_target': target}
        start_time = time.time()
        adv_x = ecgadvDiff.generate(x, **ecgadvDiff_params)
Exemple #18
0
def adv_net_exp(data_dir, checkpoint_dir, train_mode,
        train_dir='./tmp/cifar10_train_adv_encoder', batch_size=128,
        data_aug=False,clip_norm=1.5, target=0, lr=0.0001):
    
    # sess get setting
    sess = tf.Session()

    model = make_vgg16_model(name = 'vgg16_eval_mode', eval_mode=True)

    # create mode feed
    train_feed = mode_feed(sess, True)
    eval_feed = mode_feed(sess, False)

    # train model
    if train_mode:
        # set input and get logits
        data_norm = False
        images, labels = mdt_cifar10_input.inputs(False, data_dir, batch_size,
                                                  data_aug, data_norm)

        labels = tf.constant(target,dtype=tf.int64, shape=(batch_size,))

        # dis_loss, output_images = adv_net(images)
        dis_loss, output_images = adv_target_net(images, clip_norm)

        logits = model(output_images)

        # attack seeting
        # c = 0.005
        c=1
        confidence = 0
        target = True

        # define model loss
        loss = adv_loss(dis_loss, logits, labels, target, confidence, c)

        global_step = tf.train.get_or_create_global_step()

        # train setting
        nb_epochs = 100
        lr = 0.0001
        # decay_rate = 0.99
        # decay_epochs = 1
        # decay_steps = decay_epochs*NUM_EXAMPLES_PER_EPOCH_FOR_TRAIN//batch_size
        # lr = tf.train.exponential_decay(initial_lr,
        #                                 global_step,
        #                                 decay_steps,
        #                                 decay_rate,
        #                                 staircase=True)
        tf.summary.scalar('learning_rate', lr)
        opt = tf.train.AdamOptimizer(lr)

        # define train variables
        adv_variables = tf.get_collection(tf.GraphKeys.TRAINABLE_VARIABLES,
                                          "adv_encoder")
        train_op = create_train_op(loss, global_step, adv_variables, opt)

        # ini all variables
        init_op = tf.global_variables_initializer()
        sess.run(init_op)  

        # restore pre variables
        ckpt = tf.train.get_checkpoint_state(checkpoint_dir)
        var_info = tf.train.list_variables(ckpt.model_checkpoint_path)
        # print(var_info)
        var_name = [v[0] for v in var_info]

        restore_map = {variable.op.name:variable for variable in tf.global_variables()
                           if variable.op.name in var_name}
        # print(restore_map) 
        saver = tf.train.Saver(restore_map)
        saver.restore(sess, ckpt.model_checkpoint_path)
        
        #intialize global steps
        sess.run(global_step.initializer)

        # print(adv_variables)
        train_adv_encoder(sess, logits, loss, labels, train_op, train_dir, batch_size,
                          eval_feed, nb_epochs)

        sess.close()

    else:
        # define dataset format
        img_rows = 32
        img_cols = 32
        channels = 3
        nb_classes = 10

        # fetch data
        cifar10_data.maybe_download_and_return_python(data_dir)
        X, Y = mdt_cifar10_input.numpy_input(True, data_dir)

        Y = np.zeros_like(Y)
        Y[:] = target
        # Define input TF placeholder
        x = tf.placeholder(tf.float32, shape=(None, img_rows, img_cols, channels))
        y = tf.placeholder(tf.float32, shape=(None, nb_classes))

        # dis_loss, output_images = adv_net(images)
        dis_loss, output_images = adv_target_net(x, clip_norm)

        logits = model(output_images)

        # restore trained model 
        if not checkpoint_load(sess, train_dir):
            return False
        # saver = tf.train.Saver()
        # ckpt = tf.train.get_checkpoint_state(train_dir)
        # saver.restore(sess, ckpt.model_checkpoint_path)

        # create one-hot Y
        one_hot_Y = to_categorical(Y, nb_classes)

        # eval model accuracy
        accuracy = model_eval(sess, x, y, logits, X, one_hot_Y,
                              feed=eval_feed,
                              args={'batch_size': batch_size})
        print('model accuracy: {0}'.format(accuracy))

        sta_time = time.time()
        adv_imgs = adv_generate(sess, output_images, x, X, eval_feed, batch_size)
        end_time = time.time()
        duration = end_time - sta_time
        print('adv crafting time: {0}'.format(duration))

        #eval adv's l2 distance
        l2_dis = calculate_l2_dis(X/255, adv_imgs/255)
        print('adversarial examples\' mean l2 distance: {0}'.format(l2_dis))
        adv_imgs = np.around(adv_imgs).astype(int)
        # compare_show(X[9], adv_imgs[9])
        compare_show(X[16], adv_imgs[16])
        import matplotlib
        matplotlib.image.imsave('i_{0}_target_{1}.png'.format(FLAGS.i,FLAGS.target), adv_imgs[16])
Exemple #19
0
def adv_net_exp(data_dir,
                checkpoint_dir,
                train_mode,
                train_dir='./tmp/cifar10_train_adv_encoder',
                batch_size=128,
                data_aug=False,
                clip_norm=1.5,
                target=0,
                lr=0.0001):

    # sess get setting
    sess = tf.Session()

    model = make_vgg16_model(name='vgg16_eval_mode', eval_mode=True)

    # create mode feed
    train_feed = mode_feed(sess, True)
    eval_feed = mode_feed(sess, False)

    # train model
    if train_mode:
        # set input and get logits
        data_norm = False
        images, labels = mdt_cifar10_input.inputs(False, data_dir, batch_size,
                                                  data_aug, data_norm)

        labels = tf.constant(target, dtype=tf.int64, shape=(batch_size, ))

        # dis_loss, output_images = adv_net(images)
        dis_loss, output_images = adv_target_net(images, clip_norm)

        logits = model(output_images)

        # attack seeting
        # c = 0.005
        c = 1
        confidence = 0
        target = True

        # define model loss
        loss = adv_loss(dis_loss, logits, labels, target, confidence, c)

        global_step = tf.train.get_or_create_global_step()

        # train setting
        nb_epochs = 100
        lr = 0.0001
        # decay_rate = 0.99
        # decay_epochs = 1
        # decay_steps = decay_epochs*NUM_EXAMPLES_PER_EPOCH_FOR_TRAIN//batch_size
        # lr = tf.train.exponential_decay(initial_lr,
        #                                 global_step,
        #                                 decay_steps,
        #                                 decay_rate,
        #                                 staircase=True)
        tf.summary.scalar('learning_rate', lr)
        opt = tf.train.AdamOptimizer(lr)

        # define train variables
        adv_variables = tf.get_collection(tf.GraphKeys.TRAINABLE_VARIABLES,
                                          "adv_encoder")
        train_op = create_train_op(loss, global_step, adv_variables, opt)

        # ini all variables
        init_op = tf.global_variables_initializer()
        sess.run(init_op)

        # restore pre variables
        ckpt = tf.train.get_checkpoint_state(checkpoint_dir)
        var_info = tf.train.list_variables(ckpt.model_checkpoint_path)
        # print(var_info)
        var_name = [v[0] for v in var_info]

        restore_map = {
            variable.op.name: variable
            for variable in tf.global_variables()
            if variable.op.name in var_name
        }
        # print(restore_map)
        saver = tf.train.Saver(restore_map)
        saver.restore(sess, ckpt.model_checkpoint_path)

        #intialize global steps
        sess.run(global_step.initializer)

        # print(adv_variables)
        train_adv_encoder(sess, logits, loss, labels, train_op, train_dir,
                          batch_size, eval_feed, nb_epochs)

        sess.close()

    else:
        # define dataset format
        img_rows = 32
        img_cols = 32
        channels = 3
        nb_classes = 10

        # fetch data
        cifar10_data.maybe_download_and_return_python(data_dir)
        X, Y = mdt_cifar10_input.numpy_input(True, data_dir)

        Y = np.zeros_like(Y)
        Y[:] = target
        # Define input TF placeholder
        x = tf.placeholder(tf.float32,
                           shape=(None, img_rows, img_cols, channels))
        y = tf.placeholder(tf.float32, shape=(None, nb_classes))

        # dis_loss, output_images = adv_net(images)
        dis_loss, output_images = adv_target_net(x, clip_norm)

        logits = model(output_images)

        # restore trained model
        if not checkpoint_load(sess, train_dir):
            return False
        # saver = tf.train.Saver()
        # ckpt = tf.train.get_checkpoint_state(train_dir)
        # saver.restore(sess, ckpt.model_checkpoint_path)

        # create one-hot Y
        one_hot_Y = to_categorical(Y, nb_classes)

        # eval model accuracy
        accuracy = model_eval(sess,
                              x,
                              y,
                              logits,
                              X,
                              one_hot_Y,
                              feed=eval_feed,
                              args={'batch_size': batch_size})
        print('model accuracy: {0}'.format(accuracy))

        sta_time = time.time()
        adv_imgs = adv_generate(sess, output_images, x, X, eval_feed,
                                batch_size)
        end_time = time.time()
        duration = end_time - sta_time
        print('adv crafting time: {0}'.format(duration))

        #eval adv's l2 distance
        l2_dis = calculate_l2_dis(X / 255, adv_imgs / 255)
        print('adversarial examples\' mean l2 distance: {0}'.format(l2_dis))
        adv_imgs = np.around(adv_imgs).astype(int)
        # compare_show(X[9], adv_imgs[9])
        compare_show(X[16], adv_imgs[16])
        import matplotlib
        matplotlib.image.imsave(
            'i_{0}_target_{1}.png'.format(FLAGS.i, FLAGS.target), adv_imgs[16])
Exemple #20
0
def train_sub(sess, x, y, bbox_preds, X_sub, Y_sub, nb_classes, nb_epochs_s,
              batch_size, learning_rate, data_aug, lmbda, rng, model_arch_sub,
              merged, opt_type, blocking_option):
    """
    This function creates the substitute by alternatively
    augmenting the training data and training the substitute.
    """
    # Define TF model graph (for the black-box model)
    model_sub = substitute_model(model_arch_sub=model_arch_sub,
                                 blocking_option=blocking_option)
    preds_sub = model_sub(x)
    #return model_sub, preds_sub

    print("Defined TensorFlow model graph for the substitute.")

    # Define the Jacobian symbolically using TensorFlow
    grads = jacobian_graph(preds_sub, x, nb_classes)

    # Train the substitute and augment dataset alternatively
    for rho in xrange(data_aug):
        print("Substitute training epoch #" + str(rho))
        train_params = {
            'nb_epochs': nb_epochs_s,
            'batch_size': batch_size,
            'learning_rate': learning_rate
        }
        model_train(
            sess,
            x,
            y,
            preds_sub,
            X_sub,
            to_categorical(Y_sub),
            init_all=False,
            args=train_params,
            rng=rng,
            opt_type=opt_type,
            #summary=merged
        )

        # If we are not at last substitute training iteration, augment dataset
        if rho < data_aug - 1:
            print("Augmenting substitute training data.")
            # Perform the Jacobian augmentation
            lmbda_coef = 2 * int(int(rho / 3) != 0) - 1
            X_sub = jacobian_augmentation(sess, x, X_sub, Y_sub, grads,
                                          lmbda_coef * lmbda)

            print("Labeling substitute training data.")
            # Label the newly generated synthetic points using the black-box
            Y_sub = np.hstack([Y_sub, Y_sub])
            X_sub_prev = X_sub[int(len(X_sub) / 2):]
            eval_params = {'batch_size': batch_size}
            bbox_val = batch_eval(sess, [x], [bbox_preds], [X_sub_prev],
                                  args=eval_params)[0]
            # Note here that we take the argmax because the adversary
            # only has access to the label (not the probabilities) output
            # by the black-box model
            Y_sub[int(len(X_sub) / 2):] = np.argmax(bbox_val, axis=1)

    return model_sub, preds_sub
Exemple #21
0
def mdt(model, data_dir, checkpoint_dir,
        train_dir='./tmp/cifar10_train',
        adversarial_dir='./tmp/cifar10_adv', batch_size=128,
        data_aug=False, data_norm=True):

    # train model
    if not tf.gfile.Exists(train_dir):
        # set input and get logits
        images, labels = mdt_cifar10_input.inputs(False, data_dir, batch_size,
                                                  data_aug, data_norm)

        labels = tf.cast(labels, tf.int64)
        # target = False
        # adv_output_layer = 'adv_bounddecoder6'
        # loss = adv_net_loss(images, model, labels, target, adv_output_layer, 0, 10)
        logits = model(images)
        loss = stand_loss(logits, labels)
        train_process(model, loss, images, label, train_dir, batch_size)
    
    # define dataset format
    img_rows = 32
    img_cols = 32
    channels = 3
    nb_classes = 10

    # Define input TF placeholder
    x = tf.placeholder(tf.float32, shape=(None, img_rows, img_cols, channels))
    y = tf.placeholder(tf.float32, shape=(None, nb_classes))

    # Get predict tensor
    pred = model(x)

    sess = tf.Session()

    if not checkpoint_load(sess, checkpoint_dir):
        return False

    # fetch data
    cifar10_data.maybe_download_and_return_python(data_dir)
    X, Y = mdt_cifar10_input.numpy_input(True, data_dir)

    # create one-hot Y
    one_hot_Y = to_categorical(Y, nb_classes)

    # create mode feed
    train_feed = mode_feed(sess, True)
    eval_feed = mode_feed(sess, False)

    fgsm_params = {'eps': 1,
                   'clip_min': 0.,
                   'clip_max': 255.}
    fgsm = FastGradientMethod(model, sess=sess)
    adv_x = fgsm.generate(x, **fgsm_params)
    preds_adv = model.get_probs(adv_x)
 
    # eval model accuracy
    class_accuracy, accuracy = model_eval_each_class(sess, x, y, pred, 10, X, one_hot_Y,
                          feed=eval_feed,
                          args={'batch_size': 128})
    print('model accuracy: {0}'.format(accuracy))

    for i in range(10):
        print('class {0} accuracy: {1}'.format(i, class_accuracy[i]))

    # eval model's accuacy in cw adversarial examples
    fgsm_accuracy = model_eval(sess, x, y, preds_adv, X, one_hot_Y,
                             feed=eval_feed,
                             args={'batch_size': 128})
    print('model fgsm_accuracy: {0}'.format(fgsm_accuracy))


    jsma_params = {'theta': 1., 'gamma': 0.1,
                   'clip_min': 0., 'clip_max': 1.,
                   'y_target': None}
                   

    X = X[:128]
    Y=one_hot_Y[:128]
    adv_feed = {x:X, y:one_hot_Y}
    adv_feed.update(eval_feed)
    sta = time.time()
    adv_X_ = sess.run(adv_x,feed_dict=adv_feed)
    end = time.time()
    duration = end - sta
    print('finished in {0} seconds'.format(duration))

    l2_dis = calculate_l2_dis(X/255, adv_X_/255)
    print('adversarial examples\' mean l2 distance: {0}'.format(l2_dis))
Exemple #22
0
 def test_to_categorical_with_nb_classes_arg(self):
     vec = np.asarray([0])
     cat = np.asarray([[1, 0, 0]])
     self.assertTrue(np.all(utils.to_categorical(vec, 3) == cat))
Exemple #23
0
def train_sub(sess, x, y, bbox_preds, x_sub, y_sub, nb_classes,
              nb_epochs_s, batch_size, learning_rate, data_aug, lmbda,
              aug_batch_size, rng, img_rows=48, img_cols=48,
              nchannels=3):
    """
    This function creates the substitute by alternatively
    augmenting the training data and training the substitute.
    :param sess: TF session
    :param x: input TF placeholder
    :param y: output TF placeholder
    :param bbox_preds: output of black-box model predictions
    :param x_sub: initial substitute training data
    :param y_sub: initial substitute training labels
    :param nb_classes: number of output classes
    :param nb_epochs_s: number of epochs to train substitute model
    :param batch_size: size of training batches
    :param learning_rate: learning rate for training
    :param data_aug: number of times substitute training data is augmented
    :param lmbda: lambda from arxiv.org/abs/1602.02697
    :param rng: numpy.random.RandomState instance
    :return:
    """
    assert(y_sub.shape[1]>1)

    try:
        saver.restore(sess, "./model.ckpt")
        model_sub = tf.get_variable("logits", shape=[1])
        preds_sub = tf.get_variable("probs", shape=[1])
        return model_sub, preds_sub
    except:
        print("Model ckpt is not found. Retrain substitute starts.")

    # Define TF model graph (for the black-box model)
    model_sub = ModelSubstitute('model_s',nb_classes, session=sess, istrain=True)
    logits = model_sub.get_logits(x)
    loss = tf.reduce_mean(tf.nn.softmax_cross_entropy_with_logits_v2(logits=logits, labels=y))
    optimiser = tf.train.AdamOptimizer().minimize(loss)
    preds_sub = tf.nn.softmax(logits=logits)

    saver = tf.train.Saver()

    print("Defined TensorFlow model graph for the substitute.")

    # Define the Jacobian symbolically using TensorFlow
    grads = jacobian_graph(preds_sub, x, nb_classes)
    sess.run(tf.global_variables_initializer())

    def evaluate():
        acc = model_eval(sess, x, y, preds_sub, x_sub, y_sub, args=eval_params)
        print('Test accuracy on test examples: %0.4f' % (acc))

    # Train the substitute and augment dataset alternatively
    for rho in xrange(data_aug):
        print("Substitute training epoch #" + str(rho))

        for s in range(batch_size):
            batch_xs = x_sub[s*batch_size: (s+1)*batch_size]
            batch_ys = y_sub[s*batch_size: (s+1)*batch_size]
            feed_dict = {x:batch_xs, y:batch_ys}
            op, lval,pre = sess.run([optimiser, loss, preds_sub], feed_dict=feed_dict)
        print("rho = {0}. loss : {1}".format(rho, sess.run(loss, feed_dict={x:batch_xs, y:batch_ys})))

        # If we are not at last substitute training iteration, augment dataset
        if 0: # rho < data_aug - 1:
            print("Augmenting substitute training data.")
            # Perform the Jacobian augmentation
            lmbda_coef = 2 * int(int(rho / 3) != 0) - 1
            y_sub_labels = np.argmax(y_sub, axis=1).reshape(-1,1)
            x_sub = jacobian_augmentation(sess, x, x_sub, y_sub_labels, grads,
                                          lmbda_coef * lmbda, aug_batch_size)

            # Label the newly generated synthetic points using the black-box
            new_y_sub_labels = np.vstack((y_sub_labels, y_sub_labels))
            x_sub_prev = x_sub[int(len(x_sub)/2):]
            eval_params = {'batch_size': batch_size}
            tmp = batch_eval(sess,[x],[bbox_preds],[x_sub_prev],batch_size=batch_size)
            bbox_val = tmp[0]

            # Note here that we take the argmax because the adversary
            # only has access to the label (not the probabilities) output
            # by the black-box model
            tmp1 = np.argmax(bbox_val, axis=1)
            tmp2 = y_sub_labels[int(len(x_sub)/2):]
            new_y_sub_labels[int(len(x_sub)/2):] = np.argmax(bbox_val, axis=1).reshape(-1,1)
            y_sub = to_categorical(new_y_sub_labels, nb_classes)

    save_path = saver.save(sess, "./model.ckpt")
    print("Model saved in path: %s" % save_path)

    print(preds_sub.shape)
    print(model_sub.shape)

    return model_sub, preds_sub
Exemple #24
0
def adv_net_exp(data_dir,
                adv_dir,
                target_model_dir='./tmp/cifar10_train_adv_encoder',
                clip_norm=1.5):

    # sess get setting
    sess = tf.Session()

    # define dataset format
    img_rows = 32
    img_cols = 32
    channels = 3
    nb_classes = 10

    # fetch data
    cifar10_data.maybe_download_and_return_python(data_dir)
    X, Y = mdt_cifar10_input.numpy_input(True, data_dir)

    # create one-hot Y
    one_hot_Y = to_categorical(Y, nb_classes)

    # Define input TF placeholder
    x = tf.placeholder(tf.float32, shape=(None, img_rows, img_cols, channels))
    y = tf.placeholder(tf.float32, shape=(None, nb_classes))

    model = make_vgg16_clipRelu_model(name='vgg16_clipRelu_eval_mode',
                                      eval_mode=True)

    eval_feed = mode_feed(sess, False)
    # Get predict tensor
    pred = model(x)
    if not checkpoint_load(sess, target_model_dir):
        return False

    # eval model accuracy
    accuracy = model_eval(sess,
                          x,
                          y,
                          pred,
                          X,
                          one_hot_Y,
                          feed=eval_feed,
                          args={'batch_size': 128})
    print('model accuracy: {0}'.format(accuracy))

    dis_loss, output_images = adv_train_net(x, clip_norm)

    logits = model(output_images)

    # restore adv variables
    ckpt = tf.train.get_checkpoint_state(adv_dir)
    # define adv variables
    adv_variables = tf.get_collection(tf.GraphKeys.TRAINABLE_VARIABLES,
                                      "adv_encoder")
    saver = tf.train.Saver(adv_variables)
    saver.restore(sess, ckpt.model_checkpoint_path)

    # eval adv accuracy
    accuracy = model_eval(sess,
                          x,
                          y,
                          logits,
                          X,
                          one_hot_Y,
                          feed=eval_feed,
                          args={'batch_size': 128})
    print('transfer rate: {0}'.format(accuracy))

    # universal adversarial examples
    adv_imgs = adv_generate(sess, output_images, x, X, None, 128)
    mean_dif = adv_imgs[1] - X[1]
    print('mean dif\'s size: {0}'.format(mean_dif.shape))
    universal_adv_X = X + mean_dif
    # eval universal adv accuracy
    accuracy = model_eval(sess,
                          x,
                          y,
                          pred,
                          universal_adv_X,
                          one_hot_Y,
                          feed=eval_feed,
                          args={'batch_size': 128})
    print('universal adv transfer rate: {0}'.format(accuracy))
Exemple #25
0
def main(argv):

    model_file = tf.train.latest_checkpoint(FLAGS.checkpoint_dir)

    if model_file is None:
        print('No model found')
        sys.exit()

    cifar = cifar10_input.CIFAR10Data(FLAGS.dataset_dir)

    nb_classes = 10
    X_test = cifar.eval_data.xs
    Y_test = to_categorical(cifar.eval_data.ys, nb_classes)
    assert Y_test.shape[1] == 10.

    set_log_level(logging.DEBUG)

    with tf.Session() as sess:

        x = tf.placeholder(tf.float32, shape=(None, 32, 32, 3))
        y = tf.placeholder(tf.float32, shape=(None, 10))

        from madry_cifar10_model import make_madry_wresnet
        model = make_madry_wresnet()

        saver = tf.train.Saver()

        # Restore the checkpoint
        saver.restore(sess, model_file)

        nb_samples = FLAGS.nb_samples

        attack_params = {'batch_size': FLAGS.batch_size,
                         'clip_min': 0., 'clip_max': 255.}

        if FLAGS.attack_type == 'cwl2':
            from cleverhans.attacks import CarliniWagnerL2
            attacker = CarliniWagnerL2(model, sess=sess)
            attack_params.update({'binary_search_steps': 1,
                                  'max_iterations': 100,
                                  'learning_rate': 0.1,
                                  'initial_const': 10,
                                  'batch_size': 10
                                  })

        else:  # eps and eps_iter in range 0-255
            attack_params.update({'eps': 8, 'ord': np.inf})
            if FLAGS.attack_type == 'fgsm':
                from cleverhans.attacks import FastGradientMethod
                attacker = FastGradientMethod(model, sess=sess)

            elif FLAGS.attack_type == 'pgd':
                attack_params.update({'eps_iter': 2, 'nb_iter': 20})
                from cleverhans.attacks import MadryEtAl
                attacker = MadryEtAl(model, sess=sess)

        eval_par = {'batch_size': FLAGS.batch_size}

        if FLAGS.sweep:
            max_eps = 16
            epsilons = np.linspace(1, max_eps, max_eps)
            for e in epsilons:
                t1 = time.time()
                attack_params.update({'eps': e})
                x_adv = attacker.generate(x, **attack_params)
                preds_adv = model.get_probs(x_adv)
                acc = model_eval(sess, x, y, preds_adv, X_test[
                    :nb_samples], Y_test[:nb_samples], args=eval_par)
                print('Epsilon %.2f, accuracy on adversarial' % e,
                      'examples %0.4f\n' % acc)
            t2 = time.time()
        else:
            t1 = time.time()
            x_adv = attacker.generate(x, **attack_params)
            preds_adv = model.get_probs(x_adv)
            acc = model_eval(sess, x, y, preds_adv, X_test[
                :nb_samples], Y_test[:nb_samples], args=eval_par)
            t2 = time.time()
            print('Test accuracy on adversarial examples %0.4f\n' % acc)
        print("Took", t2 - t1, "seconds")
Exemple #26
0
def main(argv):

    model_file = tf.train.latest_checkpoint(FLAGS.checkpoint_dir)

    if model_file is None:
        print("No model found")
        sys.exit()

    cifar = cifar10_input.CIFAR10Data(FLAGS.dataset_dir)

    nb_classes = 10
    X_test = cifar.eval_data.xs
    Y_test = to_categorical(cifar.eval_data.ys, nb_classes)
    assert Y_test.shape[1] == 10.0

    set_log_level(logging.DEBUG)

    with tf.Session() as sess:

        x = tf.placeholder(tf.float32, shape=(None, 32, 32, 3))
        y = tf.placeholder(tf.float32, shape=(None, 10))

        from cleverhans.model_zoo.madry_lab_challenges.cifar10_model import make_wresnet

        model = make_wresnet()

        saver = tf.train.Saver()

        # Restore the checkpoint
        saver.restore(sess, model_file)

        nb_samples = FLAGS.nb_samples

        attack_params = {
            "batch_size": FLAGS.batch_size,
            "clip_min": 0.0,
            "clip_max": 255.0,
        }

        if FLAGS.attack_type == "cwl2":
            from cleverhans.attacks import CarliniWagnerL2

            attacker = CarliniWagnerL2(model, sess=sess)
            attack_params.update(
                {
                    "binary_search_steps": 1,
                    "max_iterations": 100,
                    "learning_rate": 0.1,
                    "initial_const": 10,
                    "batch_size": 10,
                }
            )

        else:  # eps and eps_iter in range 0-255
            attack_params.update({"eps": 8, "ord": np.inf})
            if FLAGS.attack_type == "fgsm":
                from cleverhans.attacks import FastGradientMethod

                attacker = FastGradientMethod(model, sess=sess)

            elif FLAGS.attack_type == "pgd":
                attack_params.update({"eps_iter": 2, "nb_iter": 20})
                from cleverhans.attacks import MadryEtAl

                attacker = MadryEtAl(model, sess=sess)

        eval_par = {"batch_size": FLAGS.batch_size}

        if FLAGS.sweep:
            max_eps = 16
            epsilons = np.linspace(1, max_eps, max_eps)
            for e in epsilons:
                t1 = time.time()
                attack_params.update({"eps": e})
                x_adv = attacker.generate(x, **attack_params)
                preds_adv = model.get_probs(x_adv)
                acc = model_eval(
                    sess,
                    x,
                    y,
                    preds_adv,
                    X_test[:nb_samples],
                    Y_test[:nb_samples],
                    args=eval_par,
                )
                print(
                    "Epsilon %.2f, accuracy on adversarial" % e,
                    "examples %0.4f\n" % acc,
                )
            t2 = time.time()
        else:
            t1 = time.time()
            x_adv = attacker.generate(x, **attack_params)
            preds_adv = model.get_probs(x_adv)
            acc = model_eval(
                sess,
                x,
                y,
                preds_adv,
                X_test[:nb_samples],
                Y_test[:nb_samples],
                args=eval_par,
            )
            t2 = time.time()
            print("Test accuracy on adversarial examples %0.4f\n" % acc)
        print("Took", t2 - t1, "seconds")
Exemple #27
0
def adv_net_exp(data_dir, adv_dir,
                target_model_dir='./tmp/cifar10_train_adv_encoder',
                clip_norm=1.5):
    
    # sess get setting
    sess = tf.Session()


    # define dataset format
    img_rows = 32
    img_cols = 32
    channels = 3
    nb_classes = 10

    # fetch data
    cifar10_data.maybe_download_and_return_python(data_dir)
    X, Y = mdt_cifar10_input.numpy_input(True, data_dir)
    
    # create one-hot Y
    one_hot_Y = to_categorical(Y, nb_classes)

    # Define input TF placeholder
    x = tf.placeholder(tf.float32, shape=(None, img_rows, img_cols, channels))
    y = tf.placeholder(tf.float32, shape=(None, nb_classes))

    model = make_vgg16_clipRelu_model(name = 'vgg16_clipRelu_eval_mode', eval_mode=True)
    
    eval_feed = mode_feed(sess, False)
    # Get predict tensor
    pred = model(x)
    if not checkpoint_load(sess, target_model_dir):
        return False

    # eval model accuracy
    accuracy = model_eval(sess, x, y, pred, X, one_hot_Y,
                          feed = eval_feed,
                          args={'batch_size': 128})
    print('model accuracy: {0}'.format(accuracy))

    dis_loss, output_images = adv_train_net(x, clip_norm)

    logits = model(output_images)

    # restore adv variables
    ckpt = tf.train.get_checkpoint_state(adv_dir)
    # define adv variables
    adv_variables = tf.get_collection(tf.GraphKeys.TRAINABLE_VARIABLES,
                                      "adv_encoder")
    saver = tf.train.Saver(adv_variables)
    saver.restore(sess, ckpt.model_checkpoint_path)

    # eval adv accuracy
    accuracy = model_eval(sess, x, y, logits, X, one_hot_Y,
                          feed = eval_feed,
                          args={'batch_size': 128})
    print('transfer rate: {0}'.format(accuracy))


    # universal adversarial examples
    adv_imgs = adv_generate(sess, output_images, x, X, None, 128)
    mean_dif = adv_imgs[1]-X[1]
    print('mean dif\'s size: {0}'.format(mean_dif.shape))
    universal_adv_X = X+mean_dif
    # eval universal adv accuracy
    accuracy = model_eval(sess, x, y, pred, universal_adv_X, one_hot_Y,
                          feed = eval_feed,
                          args={'batch_size': 128})
    print('universal adv transfer rate: {0}'.format(accuracy))
Exemple #28
0
def train_sub(sess,
              logits_scalar,
              x,
              y,
              bbox_preds,
              X_sub,
              Y_sub,
              nb_classes,
              nb_epochs_s,
              batch_size,
              learning_rate,
              data_aug,
              lmbda,
              rng,
              binary=False,
              phase=None,
              model_path=None):
    """
    This function creates the substitute by alternatively
    augmenting the training data and training the substitute.
    :param sess: TF session
    :param x: input TF placeholder
    :param y: output TF placeholder
    :param bbox_preds: output of black-box model predictions
    :param X_sub: initial substitute training data
    :param Y_sub: initial substitute training labels
    :param nb_classes: number of output classes
    :param nb_epochs_s: number of epochs to train substitute model
    :param batch_size: size of training batches
    :param learning_rate: learning rate for training
    :param data_aug: number of times substitute training data is augmented
    :param lmbda: lambda from arxiv.org/abs/1602.02697
    :param rng: numpy.random.RandomState instance
    :param phase: placeholder for batch_norm phase (training or testing)
    :param phase_val: True if training, False if testing
    :return:
    """
    # Define TF model graph (for the black-box model)
    model_sub = substitute_model()
    preds_sub = model_sub(x)
    print("Defined TensorFlow model graph for the substitute.")

    # Define the Jacobian symbolically using TensorFlow
    grads = jacobian_graph(preds_sub, x, nb_classes)

    train_params = {
        'binary': False,
        'nb_epochs': nb_epochs_s,
        'batch_size': batch_size,
        'learning_rate': learning_rate,
        'filename': 'sub_model',
        'train_scope': 'sub_model',
        'reuse_global_step': False,
        'is_training': True
    }

    # Train the substitute and augment dataset alternatively
    for rho in xrange(data_aug):
        print("Substitute training epoch #" + str(rho))

        if rho > 0:
            train_params.update({'reuse_global_step': True})
        if model_path is not None:
            train_params.update({'log_dir': model_path})
            model_train(sess,
                        x,
                        y,
                        preds_sub,
                        X_sub,
                        to_categorical(Y_sub),
                        phase=phase,
                        save=True,
                        init_all=False,
                        args=train_params,
                        rng=rng)
        else:
            model_train(sess,
                        x,
                        y,
                        preds_sub,
                        X_sub,
                        to_categorical(Y_sub),
                        phase=phase,
                        init_all=False,
                        args=train_params,
                        rng=rng)

        # If we are not at last substitute training iteration, augment dataset
        if rho < data_aug - 1:
            print("Augmenting substitute training data.")
            # Perform the Jacobian augmentation
            X_sub = jacobian_augmentation(sess, x, X_sub, Y_sub, grads, lmbda)

            print("Labeling substitute training data.")
            # Label the newly generated synthetic points using the black-box
            Y_sub = np.hstack([Y_sub, Y_sub])
            X_sub_prev = X_sub[int(len(X_sub) / 2):]
            eval_params = {'batch_size': batch_size}
            bbox_val = batch_eval(sess, [x], [bbox_preds], [X_sub_prev],
                                  feed={phase: False},
                                  args=eval_params)[0]
            # Note here that we take the argmax because the adversary
            # only has access to the label (not the probabilities) output
            # by the black-box model
            Y_sub[int(len(X_sub) / 2):] = np.argmax(bbox_val, axis=1)

    return model_sub, preds_sub
Exemple #29
0
def main(argv):

    model_file = tf.train.latest_checkpoint(FLAGS.checkpoint_dir)

    if model_file is None:
        print('No model found')
        sys.exit()

    cifar = cifar10_input.CIFAR10Data(FLAGS.dataset_dir)

    nb_classes = 10
    X_test = cifar.train_data.xs
    Y_test = to_categorical(cifar.train_data.ys, nb_classes)
    assert Y_test.shape[1] == 10.
    print("train data shape", X_test.shape)

    set_log_level(logging.DEBUG)

    with tf.Session() as sess:

        x = tf.placeholder(tf.float32, shape=(None, 32, 32, 3))
        y = tf.placeholder(tf.float32, shape=(None, 10))

        from cleverhans.model_zoo.madry_lab_challenges.cifar10_model import make_wresnet
        model = make_wresnet()
        saver = tf.train.Saver()
        # Restore the checkpoint
        saver.restore(sess, model_file)
        SCOPE = "cifar10_challenge"
        model2 = make_wresnet(scope=SCOPE)
        assert len(model.get_vars()) == len(model2.get_vars())
        found = [False] * len(model2.get_vars())
        for var1 in model.get_vars():
            var1_found = False
            var2_name = SCOPE + "/" + var1.name
            for idx, var2 in enumerate(model2.get_vars()):
                if var2.name == var2_name:
                    var1_found = True
                    found[idx] = True
                    sess.run(tf.assign(var2, var1))
                    break
            assert var1_found, var1.name
        assert all(found)

        model = model2
        saver = tf.train.Saver()

        # Restore the checkpoint
        #saver.restore(sess, model_file)

        nb_samples = FLAGS.nb_samples

        attack_params = {
            'batch_size': FLAGS.batch_size,
            'clip_min': 0.,
            'clip_max': 255.
        }

        if FLAGS.attack_type == 'cwl2':
            from cleverhans.attacks import CarliniWagnerL2
            attacker = CarliniWagnerL2(model, sess=sess)
            attack_params.update({
                'binary_search_steps': 1,
                'confidence': 0,
                'max_iterations': 100,
                'learning_rate': 0.1,
                'initial_const': 10,
                'batch_size': 10
            })

        else:  # eps and eps_iter in range 0-255
            attack_params.update({'eps': 16, 'ord': np.inf})
            if FLAGS.attack_type == 'fgsm':
                from cleverhans.attacks import FastGradientMethod
                attacker = FastGradientMethod(model, sess=sess)

            elif FLAGS.attack_type == 'pgd':
                attack_params.update({
                    'eps': 8,
                    'eps_iter': .02,
                    'ord': np.inf,
                    'nb_iter': 10
                })
                from cleverhans.attacks import MadryEtAl
                attacker = MadryEtAl(model, sess=sess)
            elif FLAGS.attack_type == 'deepFool':
                print("here")
                attack_params.update({
                    'ord': np.inf,
                    'eps': 6.0,
                    'max_iter': 100
                })
                from CdeepFool_cleverhans import DeepFool

                attacker = DeepFool(model, sess=sess)

        eval_par = {'batch_size': FLAGS.batch_size}

        if FLAGS.sweep:
            max_eps = 16
            epsilons = np.linspace(1, max_eps, max_eps)
            for e in epsilons:
                t1 = time.time()
                attack_params.update({'eps': e})
                x_adv = attacker.generate(x, **attack_params)
                preds_adv = model.get_probs(x_adv)
                x1 = sess.run(x_adv, feed_dict={x: X_test[0], y: Y_test[0]})
                print(x1.shape)
                l_inf = np.amax(np.abs(X_test[0] - x1))
                print('perturbation found: {}'.format(l_inf))

                acc = model_eval(sess,
                                 x,
                                 y,
                                 preds_adv,
                                 X_test[:nb_samples],
                                 Y_test[:nb_samples],
                                 args=eval_par)
                print('Epsilon %.2f, accuracy on adversarial' % e,
                      'examples %0.4f\n' % acc)
            t2 = time.time()
        else:
            t1 = time.time()
            x_adv = attacker.generate(x, **attack_params)
            preds_adv = model.get_probs(x_adv)
            logits = model.get_logits(x)
            #print (len(x_adv))

            num_eval_examples = 1000
            eval_batch_size = 100
            num_batches = int(math.ceil(num_eval_examples / eval_batch_size))

            x_adv_all = []  # adv accumulator
            y_adv_all = []
            y_true = []
            print('Iterating over {} batches'.format(num_batches))

            for ibatch in range(num_batches):
                bstart = ibatch * eval_batch_size
                bend = min(bstart + eval_batch_size, num_eval_examples)
                print('batch size: {}'.format(bend - bstart))

                x_batch = X_test[bstart:bend, :]
                y_batch = Y_test[bstart:bend]
                y_clean = np.argmax(sess.run(logits, feed_dict={x: x_batch}),
                                    axis=1)
                x_b_adv, pred = sess.run([x_adv, preds_adv],
                                         feed_dict={
                                             x: x_batch,
                                             y: y_batch
                                         })
                y_b_adv = np.argmax(sess.run(logits, feed_dict={x: x_b_adv}),
                                    axis=1)

                count = 0
                y_batch = np.argmax(y_batch, axis=1)
                for i in range(eval_batch_size):

                    if (y_b_adv[i] != y_batch[i] and y_clean[i] == y_batch[i]):
                        l_inf = np.amax(np.abs(x_batch[i] - x_b_adv[i]))
                        print('perturbation found: {}'.format(l_inf))
                        #print (y_b_adv[i])
                        x_adv_all.append(x_b_adv[i])
                        y_adv_all.append(y_b_adv[i])
                        y_true.append(y_batch[i])
                        count += 1
                #print (y_adv_all[0:20])
                #print (y_true[0:20])
                print("Totat adversariak cound in this batch", count)

                #x_adv_all.extend(x_b_adv)
                #y_adv_all.extend(y_b_adv)

            x_adv_all = np.array(x_adv_all)
            y_true = np.array(y_true)
            y_adv_all = np.array(y_adv_all)

            print('Adv Label', y_adv_all[0:20])
            print('Ori Label', y_true[0:20])

            #y_adv = np.squeeze(y_adv)
            print(x_adv_all.shape)
            print(y_adv_all.shape)
            print(y_true.shape)

            count = 0
            for i in range(y_adv_all.shape[0]):
                if y_true[i] != y_adv_all[i]:
                    count += 1
            print("Total adversarial examples found", count)
            pickle.dump(
                (x_adv_all, y_true, y_adv_all),
                open(
                    '/scratch/kiani/Projects/CIFAR data/Adversarial/deepFool/iter_100/deepFool_E6_train.p',
                    'wb'))

            #from numpy import linalg as LA
            #l_2 = LA.norm(X_test[0] - x1[0])

            #l_inf = np.amax(np.abs(x - x_adv))

            t2 = time.time()
        print("Range of data should be 0-255 and actual is: ",
              str(np.min(x_adv_all)) + " " + str(np.max(x_adv_all)))
        image = ((x_adv_all[2])).astype(np.uint8)
        img = Image.fromarray(image)
        img.save("deepFool_attack.jpeg")
        print("Took", t2 - t1, "seconds")
Exemple #30
0
def train_sub(sess, x, y, bbox_preds, X_sub, Y_sub, nb_classes,
              nb_epochs_s, batch_size, learning_rate, data_aug, lmbda,
              aug_batch_size, rng, img_rows=28, img_cols=28,
              nchannels=1):
    """
    This function creates the substitute by alternatively
    augmenting the training data and training the substitute.
    :param sess: TF session
    :param x: input TF placeholder
    :param y: output TF placeholder
    :param bbox_preds: output of black-box model predictions
    :param X_sub: initial substitute training data
    :param Y_sub: initial substitute training labels
    :param nb_classes: number of output classes
    :param nb_epochs_s: number of epochs to train substitute model
    :param batch_size: size of training batches
    :param learning_rate: learning rate for training
    :param data_aug: number of times substitute training data is augmented
    :param lmbda: lambda from arxiv.org/abs/1602.02697
    :param rng: numpy.random.RandomState instance
    :return:
    """
    # Define TF model graph (for the black-box model)
    model_sub = ModelSubstitute('model_s', nb_classes)
    preds_sub = model_sub.get_logits(x)
    loss_sub = LossCrossEntropy(model_sub, smoothing=0)

    print("Defined TensorFlow model graph for the substitute.")

    # Define the Jacobian symbolically using TensorFlow
    grads = jacobian_graph(preds_sub, x, nb_classes)

    # Train the substitute and augment dataset alternatively
    for rho in xrange(data_aug):
        print("Substitute training epoch #" + str(rho))
        train_params = {
            'nb_epochs': nb_epochs_s,
            'batch_size': batch_size,
            'learning_rate': learning_rate
        }
        with TemporaryLogLevel(logging.WARNING, "cleverhans.utils.tf"):
            train(sess, loss_sub, x, y, X_sub,
                  to_categorical(Y_sub, nb_classes),
                  init_all=False, args=train_params, rng=rng,
                  var_list=model_sub.get_params())

        # If we are not at last substitute training iteration, augment dataset
        if rho < data_aug - 1:
            print("Augmenting substitute training data.")
            # Perform the Jacobian augmentation
            lmbda_coef = 2 * int(int(rho / 3) != 0) - 1
            X_sub = jacobian_augmentation(sess, x, X_sub, Y_sub, grads,
                                          lmbda_coef * lmbda, aug_batch_size)

            print("Labeling substitute training data.")
            # Label the newly generated synthetic points using the black-box
            Y_sub = np.hstack([Y_sub, Y_sub])
            X_sub_prev = X_sub[int(len(X_sub)/2):]
            eval_params = {'batch_size': batch_size}
            bbox_val = batch_eval(sess, [x], [bbox_preds], [X_sub_prev],
                                  args=eval_params)[0]
            # Note here that we take the argmax because the adversary
            # only has access to the label (not the probabilities) output
            # by the black-box model
            Y_sub[int(len(X_sub)/2):] = np.argmax(bbox_val, axis=1)

    return model_sub, preds_sub
Exemple #31
0
def train_sub(sess,
              x,
              y,
              bbox_preds,
              x_sub,
              y_sub,
              nb_classes,
              nb_epochs_s,
              batch_size,
              learning_rate,
              data_aug,
              lmbda,
              aug_batch_size,
              rng,
              img_rows=28,
              img_cols=28,
              nchannels=1):
    """
  This function creates the substitute by alternatively
  augmenting the training data and training the substitute.
  :param sess: TF session
  :param x: input TF placeholder
  :param y: output TF placeholder
  :param bbox_preds: output of black-box model predictions
  :param x_sub: initial substitute training data
  :param y_sub: initial substitute training labels
  :param nb_classes: number of output classes
  :param nb_epochs_s: number of epochs to train substitute model
  :param batch_size: size of training batches
  :param learning_rate: learning rate for training
  :param data_aug: number of times substitute training data is augmented
  :param lmbda: lambda from arxiv.org/abs/1602.02697
  :param rng: numpy.random.RandomState instance
  :return:
  """
    # Define TF model graph (for the black-box model)
    model_sub = ModelSubstitute('model_s', nb_classes)
    preds_sub = model_sub.get_logits(x)
    loss_sub = CrossEntropy(model_sub, smoothing=0)

    print("Defined TensorFlow model graph for the substitute.")

    # Define the Jacobian symbolically using TensorFlow
    grads = jacobian_graph(preds_sub, x, nb_classes)

    # Train the substitute and augment dataset alternatively
    for rho in xrange(data_aug):
        print("Substitute training epoch #" + str(rho))
        train_params = {
            'nb_epochs': nb_epochs_s,
            'batch_size': batch_size,
            'learning_rate': learning_rate
        }
        with TemporaryLogLevel(logging.WARNING, "cleverhans.utils.tf"):
            train(sess,
                  loss_sub,
                  x,
                  y,
                  x_sub,
                  to_categorical(y_sub, nb_classes),
                  init_all=False,
                  args=train_params,
                  rng=rng,
                  var_list=model_sub.get_params())

        # If we are not at last substitute training iteration, augment dataset
        if rho < data_aug - 1:
            print("Augmenting substitute training data.")
            # Perform the Jacobian augmentation
            lmbda_coef = 2 * int(int(rho / 3) != 0) - 1
            x_sub = jacobian_augmentation(sess, x, x_sub, y_sub, grads,
                                          lmbda_coef * lmbda, aug_batch_size)

            print("Labeling substitute training data.")
            # Label the newly generated synthetic points using the black-box
            y_sub = np.hstack([y_sub, y_sub])
            x_sub_prev = x_sub[int(len(x_sub) / 2):]
            eval_params = {'batch_size': batch_size}
            bbox_val = batch_eval(sess, [x], [bbox_preds], [x_sub_prev],
                                  args=eval_params)[0]
            # Note here that we take the argmax because the adversary
            # only has access to the label (not the probabilities) output
            # by the black-box model
            y_sub[int(len(x_sub) / 2):] = np.argmax(bbox_val, axis=1)

    return model_sub, preds_sub
Exemple #32
0
def mdt(model, data_dir, checkpoint_dir,
        train_dir='./tmp/cifar10_train',
        adversarial_dir='./tmp/cifar10_adv', batch_size=128,
        data_aug=False, data_norm=True):

    # train model
    if not tf.gfile.Exists(train_dir):
        # set input and get logits
        images, labels = mdt_cifar10_input.inputs(False, data_dir, batch_size,
                                                  data_aug, data_norm)

        labels = tf.cast(labels, tf.int64)
        # target = False
        # adv_output_layer = 'adv_bounddecoder6'
        # loss = adv_net_loss(images, model, labels, target, adv_output_layer, 0, 10)
        logits = model(images)
        loss = stand_loss(logits, labels)
        train_process(model, loss, images, label, train_dir, batch_size)
    
    # define dataset format
    img_rows = 32
    img_cols = 32
    channels = 3
    nb_classes = 10

    # Define input TF placeholder
    x = tf.placeholder(tf.float32, shape=(None, img_rows, img_cols, channels))
    y = tf.placeholder(tf.float32, shape=(None, nb_classes))

    # Get predict tensor
    pred = model(x)

    sess = tf.Session()
    if not checkpoint_load(sess, checkpoint_dir):
        return False

    # fetch data
    cifar10_data.maybe_download_and_return_python(data_dir)
    X, Y = mdt_cifar10_input.numpy_input(True, data_dir)

    # print(sess.run(bn_moving_vars))


    # create one-hot Y
    one_hot_Y = to_categorical(Y, nb_classes)

    # create mode feed
    train_feed = mode_feed(sess, True)
    eval_feed = mode_feed(sess, False)

    # craft cw adversarial examples
    if not os.path.exists(adversarial_dir):
        os.makedirs(adversarial_dir)
    cw_file = adversarial_dir+'/cw_adv'
    if os.path.isfile(cw_file):
        fr = open(cw_file, 'rb')
        cw_dict = pickle.load(fr)
        cw_adv = cw_dict['data']
        adv_ys = cw_dict['labels']
        assert cw_adv.shape[0] == adv_ys.shape[0]
        cw_setting = cw_dict['setting']
        print('settings of cw adversarial examples that have been loaded')
        print(cw_setting)
    else:
        print('crafting cw adversarial examples....')
        start_time = time.time()

        cw = CarliniWagnerL2(model, back='tf', sess=sess)
        num_for_test = 100
        adv_inputs = X[:num_for_test]
        yname = 'y'
        adv_ys = one_hot_Y[:num_for_test]

        cw_params = {'binary_search_steps': 5,
                     'confidence':0,
                     'max_iterations': 10000,
                     'learning_rate': 0.1,
                     'batch_size': 100,
                     'initial_const': 10,
                     'clip_min': 0,
                     'clip_max': 255}

        cw_setting = cw_params.copy()

        cw_params['feed'] = eval_feed
        cw_params[yname] = adv_ys

        cw_adv = cw.generate_np(adv_inputs,
                             **cw_params)
        cw_setting['model'] = model.name
        cw_dict = {'data':cw_adv, 'labels':adv_ys, 'setting':cw_setting}
        fw = open(cw_file, 'wb')
        pickle.dump(cw_dict, fw)

        end_time = time.time()
        duration = end_time - start_time
        print('finished in {0} seconds'.format(duration))

    # eval model accuracy
    class_accuracy, accuracy = model_eval_each_class(sess, x, y, pred, 10, X, one_hot_Y,
                          feed=eval_feed,
                          args={'batch_size': 128})
    print('model accuracy: {0}'.format(accuracy))

    for i in range(10):
        print('class {0} accuracy: {1}'.format(i, class_accuracy[i]))

    # eval model's accuacy in cw adversarial examples
    cw_accuracy = model_eval(sess, x, y, pred, cw_adv, adv_ys,
                             feed=eval_feed,
                             args={'batch_size': 128})
    print('model cw_accuracy: {0}'.format(cw_accuracy))

    part_X = X[:cw_adv.shape[0]]
    #eval adv's l2 distance
    l2_dis = calculate_l2_dis(part_X/255, cw_adv/255)
    print('adversarial examples\' mean l2 distance: {0}'.format(l2_dis))

    # show and save img
    import numpy as np
    adv_imgs = np.around(cw_adv).astype(int)
    print(np.max(adv_imgs))
    compare_show(X[16], adv_imgs[16])
    import matplotlib
    matplotlib.image.imsave('cw.png', adv_imgs[16])

    # eval model's uncertainty
    dropout_num = 30
    uncert = evaluate_uncertainty(sess, model, x, part_X, dropout_num,
                                  batch_size, nb_classes, train_feed)

    # eval model's cw_uncertainty
    cw_uncert = evaluate_uncertainty(sess, model, x, cw_adv, dropout_num,
                                     batch_size,nb_classes, train_feed)

    # plot uncertainty histogram
    plt.figure("uncertainty_X")
    n, bins, patches = plt.hist(uncert, bins=25,edgecolor='None',facecolor='blue')
    plt.show()

    plt.figure('uncertainty_CW')
    cw_n, cw_bins, cw_patches = plt.hist(cw_uncert, bins=25,
                                         edgecolor='None',facecolor='red')
    plt.show()

    plt.figure('uncertainty_collections')
    plt.hist(uncert, bins=25,edgecolor='None',facecolor='blue')
    plt.hist(cw_uncert, bins=25,edgecolor='None',facecolor='red')
    plt.show()