def attack(pb_path, image_path):
with tf.Session() as session:
with gfile.FastGFile(pb_path, 'rb') as f:
graph_def = tf.GraphDef()
graph_def.ParseFromString(f.read())
session.graph.as_default()
tf.import_graph_def(graph_def, name='')
session.run(tf.global_variables_initializer())
images = session.graph.get_tensor_by_name('input_1:0')
logits = session.graph.get_tensor_by_name('dense_3/BiasAdd:0')
output = session.graph.get_tensor_by_name('dense_3/Softmax:0')
# for n in tf.get_default_graph().get_operations():
# print(n.values())
model = TensorFlowModel(images, logits, (-1, 1))
image = inception_preprocessing(open_image(image_path, 299, 299))
p, ext = os.path.splitext(image_path)
values = model.predictions(image)
label = np.argmax(values)
print('label:', categories[label])
print('attacking...')
target_class = 2
for prob in range(95, 100, 1):
prob = prob / 100
print('probability is:', prob)
adv_path = '{}-adv-{}{}'.format(p, prob, ext)
pert_path = '{}-pert-{}{}'.format(p, prob, ext)
criterion = TargetClassProbability(target_class, p=prob)
# attack = LBFGSAttack(model, criterion)
# attack = FGSM(model, criterion)
# attack = ProjectedGradientDescentAttack(model, criterion)
attack = LinfinityBasicIterativeAttack(model, criterion)
# attack = L1BasicIterativeAttack(model, criterion)
# attack = L2BasicIterativeAttack(model, criterion)
# attack = MomentumIterativeAttack(model, criterion)
# attack = FGSM(model)
# attack = MomentumIterativeAttack(model)
# attack = SinglePixelAttack(model)
# attack = LocalSearchAttack(model)
adversarial = attack(image, label=label)
new_label = np.argmax(model.predictions(adversarial))
print('new label:', categories[new_label])
raw_image = inception_postprocessing(image)
raw_adversarial = inception_postprocessing(adversarial)
raw_pert = raw_adversarial - raw_image
save_image(raw_adversarial, adv_path)
save_image(raw_pert, pert_path)
def main(image_path, ckpt_path, predict_status=False):
images = tf.placeholder(tf.float32, (None, 224, 224, 3))
preprocessed_images = vgg_preprocessing(images)
logits, _ = vgg.vgg_19(preprocessed_images, is_training=False)
restorer = tf.train.Saver(tf.trainable_variables())
image = open_image(image_path)
p, ext = os.path.splitext(image_path)
adv_path = p + '-adv' + ext
pert_path = p + '-pert' + ext
with tf.Session() as session:
restorer.restore(session, ckpt_path)
model = TensorFlowModel(images, logits, (0, 255))
label = np.argmax(model.predictions(image))
print('label:', label)
if predict_status:
return
# target_class = 22
# criterion = TargetClassProbability(target_class, p=0.99)
# attack = LBFGSAttack(model, criterion)
# attack = FGSM(model, criterion)
attack = FGSM(model)
# attack = MomentumIterativeAttack(model, criterion)
# attack = MomentumIterativeAttack(model)
# attack = SinglePixelAttack(model)
# attack = LocalSearchAttack(model)
adversarial = attack(image, label=label)
new_label = np.argmax(model.predictions(adversarial))
print('new label:', new_label)
image = image.astype(np.uint8)
adversarial = adversarial.astype(np.uint8)
pert = adversarial - image
save_image(adversarial, adv_path)
save_image(pert, pert_path)
# show images
plt.subplot(1, 3, 1)
plt.imshow(image)
plt.subplot(1, 3, 2)
plt.imshow(adversarial)
plt.subplot(1, 3, 3)
plt.imshow(pert)
plt.show()
def main():
with tf.Session() as sess:
# End2End
tf_model = prepare_GBPdenoising_end2end(sess=sess,
saved='./Models/CIFAR10-32_End2End.ckpt')
# # pure Resnet
# tf_model = prepare_resnet(sess=sess,
# load_weights='./Models/CIFAR10-32_Resnet.ckpt',
# num_classes=10)
input_pl = tf_model.inputs
logits = tf_model.logits
# foolbox - construct a tensorflow model
model = TensorFlowModel(input_pl, logits, bounds=(0, 255))
# load in the data
num_advs = 0.
num_mis = 0.
for attack in Attacks:
print(attack)
# (x_test, y_test) = pickle_load("./", "ADVs_CIFAR10_Resnet_off_Linf_{}.pkl".format(attack))
(x_train, y_train), (x_test, y_test) = prepare_CIFAR10()
for index, adv in enumerate(x_train[:1000]):
num_advs = num_advs + 1
preds = model.predictions(adv)
if y_test[index] != np.argmax(preds):
# print("misclassified")
num_mis = num_mis + 1
print("Total number of ADVs = {}".format(num_advs))
print("Accuracy = {}".format((num_advs - num_mis) / num_advs))
def test_tensorflow_model(num_classes):
bounds = (0, 255)
channels = num_classes
def mean_brightness_net(images):
logits = tf.reduce_mean(images, axis=(1, 2))
return logits
g = tf.Graph()
with g.as_default():
images = tf.placeholder(tf.float32, (None, 5, 5, channels))
logits = mean_brightness_net(images)
with tf.Session(graph=g):
model = TensorFlowModel(
images,
logits,
bounds=bounds)
assert model.session is not None
test_images = np.random.rand(2, 5, 5, channels).astype(np.float32)
test_label = 7
assert model.batch_predictions(test_images).shape \
== (2, num_classes)
test_logits = model.predictions(test_images[0])
assert test_logits.shape == (num_classes,)
test_gradient = model.gradient(test_images[0], test_label)
assert test_gradient.shape == test_images[0].shape
np.testing.assert_almost_equal(
model.predictions_and_gradient(test_images[0], test_label)[0],
test_logits)
np.testing.assert_almost_equal(
model.predictions_and_gradient(test_images[0], test_label)[1],
test_gradient)
assert model.num_classes() == num_classes
def predict(pb_path, image_path):
with tf.Session() as session:
with gfile.FastGFile(pb_path, 'rb') as f:
graph_def = tf.GraphDef()
graph_def.ParseFromString(f.read())
session.graph.as_default()
tf.import_graph_def(graph_def, name='')
session.run(tf.global_variables_initializer())
images = session.graph.get_tensor_by_name('input_1:0')
logits = session.graph.get_tensor_by_name('dense_3/BiasAdd:0')
output = session.graph.get_tensor_by_name('dense_3/Softmax:0')
# for n in tf.get_default_graph().get_operations():
# print(n.values())
model = TensorFlowModel(images, output, (0, 255))
if os.path.isdir(image_path):
predict_dir(model, image_path)
else:
image = open_image(image_path, 299, 299)
image = inception_preprocessing(image)
values = model.predictions(image)
print('values:', values)
label = np.argmax(values)
print('label:', categories[label])
model = TensorFlowModel(cnn.inputs,cnn.network,bounds=(0, 255)) from foolbox.criteria import TargetClassProbability target_class = 9 criterion = TargetClassProbability(target_class, p=0.99) from foolbox.attacks import FGSM attack=FGSM(model) image = train_images[0].reshape((28, 28, 1)) label = np.argmax(model.predictions(image)) adversarial = attack(image,label=label,epsilons=1,max_epsilon=0.03*255) import matplotlib.pyplot as plt plt.subplot(1, 3, 1) plt.imshow(image.reshape((28, 28)), cmap='gray',vmin=0, vmax=255) plt.gca().set_title(label) plt.subplot(1, 3, 2) plt.imshow(adversarial.reshape((28, 28)), cmap='gray',vmin=0, vmax=255) plt.gca().set_title(np.argmax(model.predictions(adversarial))) plt.subplot(1, 3, 3)
def main():
data_dir = "data_imagenet"
train_dir = "adv_results_vgg16"
# read in the prob image
img1 = imread(os.path.join(data_dir, '{}.png'.format(name1)), mode='RGB')
img1 = imresize(img1, (224, 224)).astype(
np.float32) # cut the image to 224 * 224
label1 = image_dict[name1]
# image placeholder
imgs = tf.placeholder(tf.float32, [None, 224, 224, 3])
vgg16 = Vgg16(imgs)
logits = vgg16.logits
# tf session
with tf.Session() as sess:
vgg16.load_weights('vgg16_weights.npz', sess)
fmodel = TensorFlowModel(imgs, logits, bounds=(0, 255))
print('true label: {}'.format(label1))
preds = fmodel.predictions(img1)
label_orig = np.argmax(preds)
prob_orig = np.max(softmax_np(preds))
print('labels_orig: {} ({:.2f})'.format(label_orig, prob_orig))
# apply attack on source image
print("Attacking {} in {} with criterion ({})...".format(
name1, attack_type, criterion_type))
if attack_type == "FGSM":
attack = foolbox.attacks.FGSM(
fmodel, criterion=criteria_dict[criterion_type])
elif attack_type == "IterGS":
attack = foolbox.attacks.IterativeGradientSignAttack(
fmodel, criterion=criteria_dict[criterion_type])
elif attack_type == "SalMap":
attack = foolbox.attacks.SaliencyMapAttack(
fmodel, criterion=criteria_dict[criterion_type])
else:
warning("Unknown attack type!")
attack = foolbox.attacks.FGSM(
fmodel, criterion=criteria_dict[criterion_type])
adversarial = attack(img1, label1)
preds_adv = fmodel.predictions(adversarial)
label_adv = np.argmax(preds_adv)
prob_adv = np.max(softmax_np(preds_adv))
print('labels_adv: {} ({:.2f})'.format(label_adv, prob_adv))
X_tmps = [img1 / 255., adversarial / 255., (adversarial - img1) / 255.]
print('\nPlotting results')
fig = plt.figure()
gs = gridspec.GridSpec(3, 1, wspace=0.1, hspace=0.1)
for t in range(3):
ax = fig.add_subplot(gs[t, 0])
ax.imshow(X_tmps[t])
ax.set_xticks([])
ax.set_yticks([])
if t == 2:
ax.set_xlabel(
'true_label: {}, label_orig: {} ({:.2f}) to label_adv: {} ({:.2f})'
.format(label1, label_orig, prob_orig, label_adv,
prob_adv),
fontsize=8)
print('\nSaving figure to ' + train_dir)
gs.tight_layout(fig)
saveimg_dir = os.path.join(train_dir)
if not os.path.exists(saveimg_dir):
os.makedirs(saveimg_dir)
plt.savefig(
os.path.join(
saveimg_dir, '{}_3_{}_{}.png'.format(name1, attack_type,
criterion_type)))
imsave(
os.path.join(
data_dir, '{}_adv_{}_{}.png'.format(name1, attack_type,
criterion_type)),
adversarial)