def generate_universal_perturbation_examples(sess, model, x, y, X, Y, attack_params, verbose, attack_log_fpath): """ Untargeted attack. Y is not needed. """ # TODO: insert a uint8 filter to f. f, grad_fs = prepare_attack(sess, model, x, y, X, Y) params = {'delta': 0.2, 'max_iter_uni': np.inf, 'xi': 10, 'p': np.inf, 'num_classes': 10, 'overshoot': 0.02, 'max_iter_df': 10, } params = override_params(params, attack_params) if not verbose: disablePrint(attack_log_fpath) # X is randomly shuffled in unipert. X_copy = X.copy() v = universal_perturbation(X_copy, f, grad_fs, **params) del X_copy if not verbose: enablePrint() return X + v
def deepfool_eval(model, imgs, delta=0.2): def f(image_input): return model.sess.run(model.output, {model.input: image_input}) def f_grad(image_input, inds): return model.sess.run(model.jacobians, {model._input: image_input}) v = universal_perturbation(imgs, f, f_grad, delta=delta)
def generate_adv_exmp(pool_size, dataset_size): # 从检查点提取模型路径 ckpt = tf.train.get_checkpoint_state(FLAGS.model_dir) model_path = ckpt.model_checkpoint_path #元数据meta路径 model_meta_path = '.'.join([model_path, 'meta']) # 加载模型 new_saver = tf.train.import_meta_graph(model_meta_path, clear_devices=True) with tf.Session() as sess: # 恢复模型参数 new_saver.restore(sess, model_path) # 从Graph中提取模型的输入和输出tensor # input[50, 28, 28, 1], softmax[50, 10] input_op = tf.get_collection('input_op')[0] softmax_linear_op = tf.get_collection('softmax_linear_op')[0] # gradient计算的是所有输出w.r.t每一个输入特征的导数之和,不能直接得到雅可比矩阵形式的结果, # 所以必须每次取出一个输出值,分别计算关于输入的导数,最后组装起来 scalar_out = [tf.slice(softmax_linear_op, [0, i], [1, 1]) for i in range(10)] dydx = [tf.gradients(scalar_out[i], [input_op])[0] for i in range(10)] # why extract [0]? def ff(image_inp): """ 前馈导数计算函数 """ return sess.run(softmax_linear_op, feed_dict={ input_op: np.reshape(image_inp, (-1, 28, 28, 1))}) def grads(image_inp, inds): """ 梯度计算函数 """ return [sess.run(dydx[i], feed_dict={input_op: image_inp}) for i in inds] # 获取样本池(默认500),并随机抽取size_dataset的样本,提供给对抗干扰生成函数 image_pool, label_pool = generate_fix_data_batch(sess=sess, pool_size=pool_size) index_for_pool = np.arange(poolsize) np.random.shuffle(index_for_pool) images = image_pool[index_for_pool[:dataset_size]] labels = label_pool[index_for_pool[:dataset_size]] # 根据样本子集构造universal adversarial perturbation v = universal_perturbation(images, ff, grads, delta=0.2) return v # def _test_pert(v): """
X = create_imagenet_npy(path_train_imagenet) print ">> Saving the pre-processed imagenet data" if not os.path.exists('data'): os.makedirs('data') # Save the pre-processed images # Caution: This can take take a lot of space. Comment this part to discard saving. np.save(os.path.join('data', 'imagenet_data.npy'), X) else: print ">> Pre-processed imagenet data detected" X = np.load(datafile) # Running universal perturbation v = universal_perturbation(X, f, grad_fs, delta=0.2) # Saving the universal perturbation np.save(os.path.join(file_perturbation), v) else: print ">> Found a pre-computed universal perturbation! Retrieving it from ", file_perturbation v = np.load(file_perturbation) print ">> Testing the universal perturbation on an image" # Test the perturbation on the image labels = open(os.path.join('data', 'labels.txt'), 'r').read().split('\n') image_original = preprocess_image_batch([path_test_image], img_size=(256, 256), crop_size=(224, 224), color_mode="rgb") label_original = np.argmax(f(image_original), axis=1).flatten()
print('>> Saving the pre-processed imagenet data') if not os.path.exists('data'): os.makedirs('data') # Save the pre-processed images # Caution: This can take take a lot of space. Comment this part to discard saving. np.save(os.path.join('data', 'imagenet_train_data.npy'), X) else: print('>> Pre-processed imagenet test data detected') X = np.load(datafile) # Running universal perturbation v = universal_perturbation(X, f, grad_fs, delta=0.2, num_classes=num_classes) # Saving the universal perturbation np.save(os.path.join(file_perturbation), v) else: print( '>> Found a pre-computed universal perturbation! Retrieving it from ", file_perturbation' ) v = np.load(file_perturbation) print('>> Testing the universal perturbation on an image') # Test the perturbation on the image
# ============================================================================= # if os.path.isfile(file_perturbation) == 0: # ============================================================================= if True: # TODO: Optimize this construction part! print('>> Compiling the gradient tensorflow functions. This might take some time...') y_flat = tf.reshape(persisted_output, (-1,)) inds = tf.placeholder(tf.int32, shape=(num_classes,)) dydx = jacobian(y_flat,persisted_input,inds) print('>> Computing gradient function...') def grad_fs(image_inp, indices): return persisted_sess.run(dydx, feed_dict={persisted_input: image_inp, inds: indices}).squeeze(axis=1) # Running universal perturbation v = universal_perturbation(x_train, f, grad_fs, delta=delta, xi=xi, max_iter_uni=max_iter_uni, num_classes=num_classes) # Saving the universal perturbation np.save(os.path.join(file_perturbation), v) else: print('>> Found a pre-computed universal perturbation! Retrieving it from ", file_perturbation') v = np.load(file_perturbation) print('>> Testing the universal perturbation on an image') # Test the perturbation on the image image_original = x_train[k:k+1] label_original = np.argmax(f(image_original)) # ============================================================================= # # Clip the perturbation to make sure images fit in uint8 # clipped_v = np.clip(image_original[0,:,:,:]+v[0,:,:,:], 0, 255) - np.clip(image_original[0,:,:,:], 0, 255)
if os.path.isfile(file_perturbation) == 0: # TODO: Optimize this construction part! print('>> Compiling the gradient tensorflow functions. This might take some time...') y_flat = tf.reshape(persisted_output, (-1,)) inds = tf.placeholder(tf.int32, shape=(num_classes,)) dydx = jacobian(y_flat,persisted_input,inds) print('>> Computing gradient function...') def grad_fs(image_inp, indices): return persisted_sess.run(dydx, feed_dict={persisted_input: image_inp, inds: indices}).squeeze(axis=1) # Load training data X = x_train[:100] # Running universal perturbation v,new_target = universal_perturbation(X, f, grad_fs, target=target, delta=0.8, max_iter_uni=np.inf, num_classes=num_classes, overshoot=0.02) # Saving the universal perturbation print('the final target label is:', new_target) np.save(os.path.join(file_perturbation), v) else: print('>> Found a pre-computed universal perturbation! Retrieving it from ", file_perturbation') v = np.load(file_perturbation) print('>> Testing the universal perturbation on an image') image_original = x_test[0:1] label_original = np.argmax(f(image_original), axis=1) str_label_original = classes[np.int(label_original)]
print('>> Saving the pre-processed imagenet data') if not os.path.exists('data'): os.makedirs('data') # Save the pre-processed images # Caution: This can take take a lot of space. Comment this part to discard saving. np.save(os.path.join('data', 'imagenet_data.npy'), X) else: print('>> Pre-processed imagenet data detected') X = np.load(datafile) # Running universal perturbation #v = universal_perturbation(X, f, grad_fs, delta=0.2,num_classes=num_classes) v2 = universal_perturbation(X, f, grad_fs, delta=212.8,num_classes=num_classes) # Saving the universal perturbation np.save(os.path.join(file_perturbation), v2) else: print('>> Found a pre-computed universal perturbation! Retrieving it from ", file_perturbation') v2 = np.load(file_perturbation) print('>> Testing the universal perturbation on an image') # Test the perturbation on the image labels = open(os.path.join('data', 'labels.txt'), 'r').read().split('\n') image_original = preprocess_image_batch([path_test_image], img_size=(256, 256), crop_size=(224, 224), color_mode="rgb") label_original = np.argmax(f(image_original), axis=1).flatten()
print('loader data') X = ImagetNet(training_data_path, 1000, 10, transforms = transform) # X = torch.utils.data.DataLoader( # ImageFolder(training_data_path, transforms.Compose([ # transforms.Resize((330, 330)), # transforms.CenterCrop(299), # transforms.ToTensor(), # ])), # batch_size = 1, shuffle=True, # pin_memory=True) val_loader = torch.utils.data.DataLoader( ImageFolder(testing_data_path, transforms = transform, batch_size = 50, shuffle=False, num_workers = 8, pin_memory=True) print('Computation') v = universal_perturbation(X, val_loader, net, epsilon)