def test_keras_iris_unbounded(self):
classifier = get_tabular_classifier_kr()
# Recreate a classifier without clip values
classifier = KerasClassifier(model=classifier._model, use_logits=False, channel_index=1)
# Norm=2
attack = HopSkipJump(classifier, targeted=False, max_iter=2, max_eval=100, init_eval=10)
x_test_adv = attack.generate(self.x_test_iris)
self.assertFalse((self.x_test_iris == x_test_adv).all())
preds_adv = np.argmax(classifier.predict(x_test_adv), axis=1)
self.assertFalse((np.argmax(self.y_test_iris, axis=1) == preds_adv).all())
acc = np.sum(preds_adv == np.argmax(self.y_test_iris, axis=1)) / self.y_test_iris.shape[0]
logger.info("Accuracy on Iris with HopSkipJump adversarial examples: %.2f%%", (acc * 100))
# Norm=np.inf
attack = HopSkipJump(classifier, targeted=False, max_iter=2, max_eval=100, init_eval=10, norm=np.Inf)
x_test_adv = attack.generate(self.x_test_iris)
self.assertFalse((self.x_test_iris == x_test_adv).all())
preds_adv = np.argmax(classifier.predict(x_test_adv), axis=1)
self.assertFalse((np.argmax(self.y_test_iris, axis=1) == preds_adv).all())
acc = np.sum(preds_adv == np.argmax(self.y_test_iris, axis=1)) / self.y_test_iris.shape[0]
logger.info("Accuracy on Iris with HopSkipJump adversarial examples: %.2f%%", (acc * 100))
# Clean-up session
k.clear_session()
def test_krclassifier(self):
"""
Second test with the KerasClassifier.
:return:
"""
# Get MNIST
(x_train, y_train), (x_test, _) = self.mnist
# Create simple CNN
model = Sequential()
model.add(
Conv2D(4,
kernel_size=(5, 5),
activation='relu',
input_shape=(28, 28, 1)))
model.add(MaxPooling2D(pool_size=(2, 2)))
model.add(Flatten())
model.add(Dense(10, activation='softmax'))
model.compile(loss=keras.losses.categorical_crossentropy,
optimizer=keras.optimizers.Adam(lr=0.01),
metrics=['accuracy'])
# Get classifier
krc = KerasClassifier((0, 1), model, use_logits=False)
krc.fit(x_train, y_train, batch_size=BATCH_SIZE, nb_epochs=2)
# Attack
# import time
nf = NewtonFool(krc, max_iter=5)
# print("Test Keras....")
# starttime = time.clock()
# x_test_adv = nf.generate(x_test, batch_size=1)
# endtime = time.clock()
# print(1, endtime - starttime)
# starttime = time.clock()
# x_test_adv = nf.generate(x_test, batch_size=10)
# endtime = time.clock()
# print(10, endtime - starttime)
# starttime = time.clock()
x_test_adv = nf.generate(x_test, batch_size=100)
# endtime = time.clock()
# print(100, endtime - starttime)
#
# starttime = time.clock()
# x_test_adv = nf.generate(x_test, batch_size=1000)
# endtime = time.clock()
# print(1000, endtime - starttime)
self.assertFalse((x_test == x_test_adv).all())
y_pred = krc.predict(x_test)
y_pred_adv = krc.predict(x_test_adv)
y_pred_bool = y_pred.max(axis=1, keepdims=1) == y_pred
y_pred_max = y_pred.max(axis=1)
y_pred_adv_max = y_pred_adv[y_pred_bool]
self.assertTrue((y_pred_max >= y_pred_adv_max).all())
def _test_fit_generator(self, custom_activation=False):
from art.classifiers.keras import generator_fit
from art.data_generators import KerasDataGenerator
labels = np.argmax(self.mnist[1][1], axis=1)
classifier = KerasClassifier((0, 1),
self.model_mnist,
use_logits=False,
custom_activation=custom_activation)
acc = np.sum(
np.argmax(classifier.predict(self.mnist[1][0]), axis=1) ==
labels) / NB_TEST
logger.info('Accuracy: %.2f%%', (acc * 100))
gen = generator_fit(self.mnist[0][0],
self.mnist[0][1],
batch_size=BATCH_SIZE)
data_gen = KerasDataGenerator(generator=gen,
size=NB_TRAIN,
batch_size=BATCH_SIZE)
classifier.fit_generator(generator=data_gen, nb_epochs=2)
acc2 = np.sum(
np.argmax(classifier.predict(self.mnist[1][0]), axis=1) ==
labels) / NB_TEST
logger.info('Accuracy: %.2f%%', (acc2 * 100))
self.assertTrue(acc2 >= .8 * acc)
def _test_fit_image_generator(self, custom_activation=False):
from keras.preprocessing.image import ImageDataGenerator
from art.data_generators import KerasDataGenerator
x_train, y_train = self.mnist[0]
labels_test = np.argmax(self.mnist[1][1], axis=1)
classifier = KerasClassifier((0, 1),
self.model_mnist,
use_logits=False,
custom_activation=custom_activation)
acc = np.sum(
np.argmax(classifier.predict(self.mnist[1][0]), axis=1) ==
labels_test) / NB_TEST
logger.info('Accuracy: %.2f%%', (acc * 100))
keras_gen = ImageDataGenerator(width_shift_range=0.075,
height_shift_range=0.075,
rotation_range=12,
shear_range=0.075,
zoom_range=0.05,
fill_mode='constant',
cval=0)
keras_gen.fit(x_train)
data_gen = KerasDataGenerator(generator=keras_gen.flow(
x_train, y_train, batch_size=BATCH_SIZE),
size=NB_TRAIN,
batch_size=BATCH_SIZE)
classifier.fit_generator(generator=data_gen, nb_epochs=2)
acc2 = np.sum(
np.argmax(classifier.predict(self.mnist[1][0]), axis=1) ==
labels_test) / NB_TEST
logger.info('Accuracy: %.2f%%', (acc2 * 100))
self.assertTrue(acc2 >= .8 * acc)
def adversarial_training(self):
# Data augmentation: expand the training set with the adversarial samples
x_train = np.append(self.x_train, self.adv_train, axis=0)
y_train = np.append(self.y_train, self.y_train, axis=0)
# Retrain the CNN on the extended dataset
classifier = KerasClassifier((min_, max_), model=model)
classifier.fit(x_train, y_train, nb_epochs=5, batch_size=50)
with open(out_file, 'a+') as f:
preds = np.argmax(classifier.predict(x_train), axis=1)
acc = np.sum(
preds == np.argmax(y_train, axis=1)) / y_train.shape[0]
print("TRAIN: %.2f%% \n" % (acc * 100), file=f)
preds = np.argmax(classifier.predict(self.adv_train), axis=1)
acc = np.sum(
preds == np.argmax(y_train, axis=1)) / y_train.shape[0]
print("TRAIN-ADVERSARY: %.2f%% \n" % (acc * 100), file=f)
preds = np.argmax(classifier.predict(x_test), axis=1)
acc = np.sum(preds == np.argmax(y_test, axis=1)) / y_test.shape[0]
print("TEST: %.2f%% \n" % (acc * 100), file=f)
preds = np.argmax(classifier.predict(self.adv_test), axis=1)
acc = np.sum(preds == np.argmax(y_test, axis=1)) / y_test.shape[0]
print('TEST-ADVERSARY: %.2f%% \n' % (acc * 100), file=f)
def test_with_defences(self):
(x_train, y_train), (x_test, y_test) = self.mnist
# Get the ready-trained Keras model
model = self.classifier_k._model
fs = FeatureSqueezing(bit_depth=1, clip_values=(0, 1))
classifier = KerasClassifier(model=model, clip_values=(0, 1), defences=fs)
# Wrap the classifier
classifier = QueryEfficientBBGradientEstimation(classifier, 20, 1 / 64., round_samples=1 / 255.)
attack = FastGradientMethod(classifier, eps=1)
x_train_adv = attack.generate(x_train)
x_test_adv = attack.generate(x_test)
self.assertFalse((x_train == x_train_adv).all())
self.assertFalse((x_test == x_test_adv).all())
train_y_pred = get_labels_np_array(classifier.predict(x_train_adv))
test_y_pred = get_labels_np_array(classifier.predict(x_test_adv))
self.assertFalse((y_train == train_y_pred).all())
self.assertFalse((y_test == test_y_pred).all())
preds = classifier.predict(x_train_adv)
acc = np.sum(np.argmax(preds, axis=1) == np.argmax(y_train, axis=1)) / y_train.shape[0]
logger.info('Accuracy on adversarial train examples with feature squeezing and limited query info: %.2f%%',
(acc * 100))
preds = classifier.predict(x_test_adv)
acc = np.sum(np.argmax(preds, axis=1) == np.argmax(y_test, axis=1)) / y_test.shape[0]
logger.info('Accuracy on adversarial test examples with feature squeezing and limited query info: %.2f%%',
(acc * 100))
def _test_with_defences(self, custom_activation=False):
# Get MNIST
(x_train, y_train), (x_test, y_test) = self.mnist
# Get the ready-trained Keras model
model = self.classifier_k._model
classifier = KerasClassifier((0, 1), model, defences='featsqueeze1', custom_activation=custom_activation)
attack = FastGradientMethod(classifier, eps=1)
x_train_adv = attack.generate(x_train)
x_test_adv = attack.generate(x_test)
self.assertFalse((x_train == x_train_adv).all())
self.assertFalse((x_test == x_test_adv).all())
train_y_pred = get_labels_np_array(classifier.predict(x_train_adv))
test_y_pred = get_labels_np_array(classifier.predict(x_test_adv))
self.assertFalse((y_train == train_y_pred).all())
self.assertFalse((y_test == test_y_pred).all())
preds = classifier.predict(x_train_adv)
acc = np.sum(np.argmax(preds, axis=1) == np.argmax(y_train, axis=1)) / y_train.shape[0]
logger.info('Accuracy on adversarial train examples with feature squeezing: %.2f%%', (acc * 100))
preds = classifier.predict(x_test_adv)
acc = np.sum(np.argmax(preds, axis=1) == np.argmax(y_test, axis=1)) / y_test.shape[0]
logger.info('Accuracy on adversarial test examples: %.2f%%', (acc * 100))
def test_krclassifier(self):
"""
Second test with the KerasClassifier.
:return:
"""
# Initialize a tf session
session = tf.Session()
k.set_session(session)
# Get MNIST
(x_train, y_train), (x_test, y_test) = self.mnist
# Create simple CNN
model = Sequential()
model.add(Conv2D(4, kernel_size=(5, 5), activation='relu', input_shape=(28, 28, 1)))
model.add(MaxPooling2D(pool_size=(2, 2)))
model.add(Flatten())
model.add(Dense(10, activation='softmax'))
model.compile(loss=keras.losses.categorical_crossentropy, optimizer=keras.optimizers.Adam(lr=0.01),
metrics=['accuracy'])
# Get classifier
krc = KerasClassifier((0, 1), model, use_logits=False)
krc.fit(x_train, y_train, batch_size=BATCH_SIZE, nb_epochs=10)
# First attack
ead = ElasticNet(classifier=krc, targeted=True, max_iter=2)
params = {'y': random_targets(y_test, krc.nb_classes)}
x_test_adv = ead.generate(x_test, **params)
self.assertFalse((x_test == x_test_adv).all())
self.assertTrue((x_test_adv <= 1.0001).all())
self.assertTrue((x_test_adv >= -0.0001).all())
target = np.argmax(params['y'], axis=1)
y_pred_adv = np.argmax(krc.predict(x_test_adv), axis=1)
logger.debug('EAD Target: %s', target)
logger.debug('EAD Actual: %s', y_pred_adv)
logger.info('EAD Success Rate: %.2f', (sum(target == y_pred_adv) / float(len(target))))
self.assertTrue((target == y_pred_adv).any())
# Second attack
ead = ElasticNet(classifier=krc, targeted=False, max_iter=2)
params = {'y': random_targets(y_test, krc.nb_classes)}
x_test_adv = ead.generate(x_test, **params)
self.assertTrue((x_test_adv <= 1.0001).all())
self.assertTrue((x_test_adv >= -0.0001).all())
target = np.argmax(params['y'], axis=1)
y_pred_adv = np.argmax(krc.predict(x_test_adv), axis=1)
logger.debug('EAD Target: %s', target)
logger.debug('EAD Actual: %s', y_pred_adv)
logger.info('EAD Success Rate: %.2f', (sum(target != y_pred_adv) / float(len(target))))
self.assertTrue((target != y_pred_adv).any())
# Kill Keras
k.clear_session()
def test_krclassifier(self):
"""
Second test with the KerasClassifier.
:return:
"""
# Initialize a tf session
session = tf.Session()
k.set_session(session)
# Get MNIST
(x_train, y_train), (x_test, y_test) = self.mnist
# Create simple CNN
model = Sequential()
model.add(
Conv2D(4,
kernel_size=(5, 5),
activation='relu',
input_shape=(28, 28, 1)))
model.add(MaxPooling2D(pool_size=(2, 2)))
model.add(Flatten())
model.add(Dense(10, activation='softmax'))
model.compile(loss=keras.losses.categorical_crossentropy,
optimizer=keras.optimizers.Adam(lr=0.01),
metrics=['accuracy'])
# Get classifier
krc = KerasClassifier((0, 1), model, use_logits=False)
krc.fit(x_train, y_train, batch_size=BATCH_SIZE, nb_epochs=2)
# Attack
attack_params = {
"max_iter": 1,
"attacker": "ead",
"attacker_params": {
"max_iter": 5,
"targeted": False
}
}
up = UniversalPerturbation(krc)
x_train_adv = up.generate(x_train, **attack_params)
self.assertTrue((up.fooling_rate >= 0.2) or not up.converged)
x_test_adv = x_test + up.v
self.assertFalse((x_test == x_test_adv).all())
train_y_pred = np.argmax(krc.predict(x_train_adv), axis=1)
test_y_pred = np.argmax(krc.predict(x_test_adv), axis=1)
self.assertFalse((np.argmax(y_test, axis=1) == test_y_pred).all())
self.assertFalse((np.argmax(y_train, axis=1) == train_y_pred).all())
def test_iris_unbounded(self):
(_, _), (x_test, y_test) = self.iris
classifier = get_iris_classifier_kr()
def t(x):
return x
def transformation():
while True:
yield t
# Recreate a classifier without clip values
classifier = KerasClassifier(model=classifier._model,
use_logits=False,
channel_index=1)
classifier = ExpectationOverTransformations(
classifier, sample_size=1, transformation=transformation)
attack = FastGradientMethod(classifier, eps=1)
x_test_adv = attack.generate(x_test)
self.assertFalse((x_test == x_test_adv).all())
self.assertTrue((x_test_adv > 1).any())
self.assertTrue((x_test_adv < 0).any())
preds_adv = np.argmax(classifier.predict(x_test_adv), axis=1)
self.assertFalse((np.argmax(y_test, axis=1) == preds_adv).all())
acc = np.sum(preds_adv == np.argmax(y_test, axis=1)) / y_test.shape[0]
logger.info('Accuracy on Iris with limited query info: %.2f%%',
(acc * 100))
def test_defences_predict(self):
clip_values = (0, 1)
fs = FeatureSqueezing(clip_values=clip_values, bit_depth=2)
jpeg = JpegCompression(clip_values=clip_values, apply_predict=True)
smooth = SpatialSmoothing()
classifier_ = get_classifier_kr()
classifier = KerasClassifier(clip_values=clip_values,
model=classifier_._model,
defences=[fs, jpeg, smooth])
self.assertEqual(len(classifier.defences), 3)
predictions_classifier = classifier.predict(self.x_test)
# Apply the same defences by hand
x_test_defense = self.x_test
x_test_defense, _ = fs(x_test_defense, self.y_test)
x_test_defense, _ = jpeg(x_test_defense, self.y_test)
x_test_defense, _ = smooth(x_test_defense, self.y_test)
classifier = get_classifier_kr()
predictions_check = classifier._model.predict(x_test_defense)
# Check that the prediction results match
np.testing.assert_array_almost_equal(predictions_classifier,
predictions_check,
decimal=4)
def test_defences_predict(self):
from art.defences import FeatureSqueezing, JpegCompression, SpatialSmoothing
(_, _), (x_test, y_test) = self.mnist
clip_values = (0, 1)
fs = FeatureSqueezing(clip_values=clip_values, bit_depth=2)
jpeg = JpegCompression(clip_values=clip_values, apply_predict=True)
smooth = SpatialSmoothing()
classifier = KerasClassifier(clip_values=clip_values,
model=self.model_mnist._model,
defences=[fs, jpeg, smooth])
self.assertEqual(len(classifier.defences), 3)
preds_classifier = classifier.predict(x_test)
# Apply the same defences by hand
x_test_defense = x_test
x_test_defense, _ = fs(x_test_defense, y_test)
x_test_defense, _ = jpeg(x_test_defense, y_test)
x_test_defense, _ = smooth(x_test_defense, y_test)
preds_check = self.model_mnist._model.predict(x_test_defense)
# Check that the prediction results match
self.assertTrue((preds_classifier - preds_check <= 1e-5).all())
def test_iris_k_unbounded(self):
(_, _), (x_test, y_test) = self.iris
classifier, _ = get_iris_classifier_kr()
# Recreate a classifier without clip values
classifier = KerasClassifier(model=classifier._model,
use_logits=False,
channel_index=1)
attack_params = {
"max_iter": 1,
"attacker": "newtonfool",
"attacker_params": {
"max_iter": 5
}
}
attack = UniversalPerturbation(classifier)
attack.set_params(**attack_params)
x_test_adv = attack.generate(x_test)
self.assertFalse((x_test == x_test_adv).all())
preds_adv = np.argmax(classifier.predict(x_test_adv), axis=1)
self.assertFalse((np.argmax(y_test, axis=1) == preds_adv).all())
acc = np.sum(preds_adv == np.argmax(y_test, axis=1)) / y_test.shape[0]
logger.info(
'Accuracy on Iris with universal adversarial examples: %.2f%%',
(acc * 100))
def test_defences_predict(get_default_mnist_subset, get_image_classifier_list):
(x_train_mnist, y_train_mnist), (x_test_mnist, y_test_mnist) = get_default_mnist_subset
clip_values = (0, 1)
fs = FeatureSqueezing(clip_values=clip_values, bit_depth=2)
jpeg = JpegCompression(clip_values=clip_values, apply_predict=True)
smooth = SpatialSmoothing()
classifier_, _ = get_image_classifier_list(one_classifier=True)
classifier = KerasClassifier(
clip_values=clip_values, model=classifier_._model, preprocessing_defences=[fs, jpeg, smooth]
)
assert len(classifier.preprocessing_defences) == 3
predictions_classifier = classifier.predict(x_test_mnist)
# Apply the same defences by hand
x_test_defense = x_test_mnist
x_test_defense, _ = fs(x_test_defense, y_test_mnist)
x_test_defense, _ = jpeg(x_test_defense, y_test_mnist)
x_test_defense, _ = smooth(x_test_defense, y_test_mnist)
classifier, _ = get_image_classifier_list(one_classifier=True)
predictions_check = classifier._model.predict(x_test_defense)
# Check that the prediction results match
np.testing.assert_array_almost_equal(predictions_classifier, predictions_check, decimal=4)
def test_fit(self):
labels = np.argmax(self.mnist[1][1], axis=1)
classifier = KerasClassifier((0, 1),
self.model_mnist,
use_logits=False)
acc = np.sum(
np.argmax(classifier.predict(self.mnist[1][0]), axis=1) ==
labels) / NB_TEST
print("\nAccuracy: %.2f%%" % (acc * 100))
classifier.fit(self.mnist[0][0],
self.mnist[0][1],
batch_size=BATCH_SIZE,
nb_epochs=5)
acc2 = np.sum(
np.argmax(classifier.predict(self.mnist[1][0]), axis=1) ==
labels) / NB_TEST
print("\nAccuracy: %.2f%%" % (acc2 * 100))
self.assertTrue(acc2 >= acc)
def _test_fit(self, custom_activation=False):
labels = np.argmax(self.mnist[1][1], axis=1)
classifier = KerasClassifier((0, 1),
self.model_mnist,
use_logits=False,
custom_activation=custom_activation)
acc = np.sum(
np.argmax(classifier.predict(self.mnist[1][0]), axis=1) ==
labels) / NB_TEST
logger.info('Accuracy: %.2f%%', (acc * 100))
classifier.fit(self.mnist[0][0],
self.mnist[0][1],
batch_size=BATCH_SIZE,
nb_epochs=2)
acc2 = np.sum(
np.argmax(classifier.predict(self.mnist[1][0]), axis=1) ==
labels) / NB_TEST
logger.info('Accuracy: %.2f%%', (acc2 * 100))
self.assertTrue(acc2 >= .9 * acc)
def _test_with_defences(self, custom_activation=False):
from art.defences import FeatureSqueezing
# Get MNIST
(x_train, y_train), (x_test, y_test) = self.mnist
# Get the ready-trained Keras model
model = self.classifier_k._model
fs = FeatureSqueezing(bit_depth=1, clip_values=(0, 1))
classifier = KerasClassifier(model=model,
clip_values=(0, 1),
defences=fs,
custom_activation=custom_activation)
attack = FastGradientMethod(classifier, eps=1, batch_size=128)
x_train_adv = attack.generate(x_train)
x_test_adv = attack.generate(x_test)
self.assertFalse((x_train == x_train_adv).all())
self.assertFalse((x_test == x_test_adv).all())
train_y_pred = get_labels_np_array(classifier.predict(x_train_adv))
test_y_pred = get_labels_np_array(classifier.predict(x_test_adv))
self.assertFalse((y_train == train_y_pred).all())
self.assertFalse((y_test == test_y_pred).all())
preds = classifier.predict(x_train_adv)
acc = np.sum(np.argmax(preds, axis=1) == np.argmax(
y_train, axis=1)) / y_train.shape[0]
logger.info(
'Accuracy on MNIST with FGM adversarial train examples with feature squeezing: %.2f%%',
(acc * 100))
preds = classifier.predict(x_test_adv)
acc = np.sum(np.argmax(preds, axis=1) == np.argmax(
y_test, axis=1)) / y_test.shape[0]
logger.info(
'Accuracy on MNIST with FGM adversarial test examples: %.2f%%',
(acc * 100))
def test_resnet(self):
keras.backend.set_learning_phase(0)
model = ResNet50(weights='imagenet')
classifier = KerasClassifier(model, clip_values=(0, 255))
image = img_to_array(load_img(os.path.join(self.test_dir, 'test.jpg'), target_size=(224, 224)))
image = image.reshape((1, image.shape[0], image.shape[1], image.shape[2]))
prediction = classifier.predict(image)
label = decode_predictions(prediction)[0][0]
self.assertEqual(label[1], 'Weimaraner')
self.assertAlmostEqual(prediction[0, 178], 0.2658045, places=3)
def test_keras_iris_unbounded_LInf(self):
classifier = get_tabular_classifier_kr()
# Recreate a classifier without clip values
classifier = KerasClassifier(model=classifier._model, use_logits=False, channel_index=1)
attack = CarliniLInfMethod(classifier, targeted=False, max_iter=10, eps=1)
x_test_adv = attack.generate(self.x_test_iris)
self.assertFalse((self.x_test_iris == x_test_adv).all())
predictions_adv = np.argmax(classifier.predict(x_test_adv), axis=1)
self.assertFalse((np.argmax(self.y_test_iris, axis=1) == predictions_adv).all())
accuracy = np.sum(predictions_adv == np.argmax(self.y_test_iris, axis=1)) / self.y_test_iris.shape[0]
logger.info("Accuracy on Iris with C&W adversarial examples: %.2f%%", (accuracy * 100))
def test_iris_k_unbounded(self):
classifier, _ = get_iris_classifier_kr()
# Recreate a classifier without clip values
classifier = KerasClassifier(model=classifier._model, use_logits=False, channel_index=1)
attack = DeepFool(classifier, max_iter=5, batch_size=128)
x_test_adv = attack.generate(self.x_test)
self.assertFalse((self.x_test == x_test_adv).all())
predictions_adv = np.argmax(classifier.predict(x_test_adv), axis=1)
self.assertFalse((np.argmax(self.y_test, axis=1) == predictions_adv).all())
accuracy = np.sum(predictions_adv == np.argmax(self.y_test, axis=1)) / self.y_test.shape[0]
logger.info('Accuracy on Iris with DeepFool adversarial examples: %.2f%%', (accuracy * 100))
def test_resnet(create_test_image):
image_file_path = create_test_image
keras.backend.set_learning_phase(0)
model = ResNet50(weights="imagenet")
classifier = KerasClassifier(model, clip_values=(0, 255))
image = img_to_array(load_img(image_file_path, target_size=(224, 224)))
image = image.reshape((1, image.shape[0], image.shape[1], image.shape[2]))
prediction = classifier.predict(image)
label = decode_predictions(prediction)[0][0]
assert label[1] == "Weimaraner"
np.testing.assert_array_almost_equal(prediction[0, 178], 0.2658045, decimal=3)
def test_keras_with_defences(self):
(x_train, y_train), (x_test, y_test) = self.mnist
classifier = get_classifier_kr()
# Get the ready-trained Keras model
model = classifier._model
fs = FeatureSqueezing(bit_depth=1, clip_values=(0, 1))
classifier = KerasClassifier(model=model,
clip_values=(0, 1),
defences=fs)
attack = FastGradientMethod(classifier, eps=1, batch_size=128)
x_train_adv = attack.generate(x_train)
x_test_adv = attack.generate(x_test)
self.assertFalse((x_train == x_train_adv).all())
self.assertFalse((x_test == x_test_adv).all())
train_y_pred = get_labels_np_array(classifier.predict(x_train_adv))
test_y_pred = get_labels_np_array(classifier.predict(x_test_adv))
self.assertFalse((y_train == train_y_pred).all())
self.assertFalse((y_test == test_y_pred).all())
def test_iris_k_unbounded(self):
(_, _), (x_test, y_test) = self.iris
classifier, _ = get_iris_classifier_kr()
# Recreate a classifier without clip values
classifier = KerasClassifier(model=classifier._model, use_logits=False, channel_index=1)
attack = CarliniLInfMethod(classifier, targeted=False, max_iter=10, eps=1)
x_test_adv = attack.generate(x_test)
self.assertFalse((x_test == x_test_adv).all())
preds_adv = np.argmax(classifier.predict(x_test_adv), axis=1)
self.assertFalse((np.argmax(y_test, axis=1) == preds_adv).all())
acc = np.sum(preds_adv == np.argmax(y_test, axis=1)) / y_test.shape[0]
logger.info('Accuracy on Iris with C&W adversarial examples: %.2f%%', (acc * 100))
def test_krclassifier(self):
"""
Second test with the KerasClassifier.
:return:
"""
# Get MNIST
batch_size, nb_train, nb_test = 100, 1000, 10
(x_train, y_train), (x_test, y_test), _, _ = load_mnist()
x_train, y_train = x_train[:nb_train], y_train[:nb_train]
x_test, y_test = x_test[:nb_test], y_test[:nb_test]
# Create simple CNN
model = Sequential()
model.add(Conv2D(4, kernel_size=(5, 5), activation='relu', input_shape=(28, 28, 1)))
model.add(MaxPooling2D(pool_size=(2, 2)))
model.add(Flatten())
model.add(Dense(10, activation='softmax'))
model.compile(loss=keras.losses.categorical_crossentropy, optimizer=keras.optimizers.Adam(lr=0.01),
metrics=['accuracy'])
# Get classifier
krc = KerasClassifier((0, 1), model, use_logits=False)
krc.fit(x_train, y_train, batch_size=batch_size, nb_epochs=2)
# Attack
nf = NewtonFool(krc)
nf.set_params(max_iter=5)
x_test_adv = nf.generate(x_test)
self.assertFalse((x_test == x_test_adv).all())
y_pred = krc.predict(x_test)
y_pred_adv = krc.predict(x_test_adv)
y_pred_bool = y_pred.max(axis=1, keepdims=1) == y_pred
y_pred_max = y_pred.max(axis=1)
y_pred_adv_max = y_pred_adv[y_pred_bool]
self.assertTrue((y_pred_max >= y_pred_adv_max).all())
def test_keras_classifier(self):
"""
Second test with the KerasClassifier.
:return:
"""
# Build KerasClassifier
victim_krc = get_image_classifier_kr()
# Create simple CNN
model = Sequential()
model.add(
Conv2D(1,
kernel_size=(7, 7),
activation="relu",
input_shape=(28, 28, 1)))
model.add(MaxPooling2D(pool_size=(4, 4)))
model.add(Flatten())
model.add(Dense(10, activation="softmax"))
loss = keras.losses.categorical_crossentropy
model.compile(loss=loss,
optimizer=keras.optimizers.Adam(lr=0.001),
metrics=["accuracy"])
# Get classifier
thieved_krc = KerasClassifier(model,
clip_values=(0, 1),
use_logits=False)
# Create attack
copycat_cnn = CopycatCNN(
classifier=victim_krc,
batch_size_fit=self.batch_size,
batch_size_query=self.batch_size,
nb_epochs=NB_EPOCHS,
nb_stolen=NB_STOLEN,
)
thieved_krc = copycat_cnn.extract(x=self.x_train_mnist,
thieved_classifier=thieved_krc)
victim_preds = np.argmax(
victim_krc.predict(x=self.x_train_mnist[:100]), axis=1)
thieved_preds = np.argmax(
thieved_krc.predict(x=self.x_train_mnist[:100]), axis=1)
acc = np.sum(victim_preds == thieved_preds) / len(victim_preds)
self.assertGreater(acc, 0.3)
# Clean-up
k.clear_session()
def test_keras_iris_unbounded(self):
classifier = get_tabular_classifier_kr()
# Recreate a classifier without clip values
classifier = KerasClassifier(model=classifier._model, use_logits=False, channel_index=1)
attack = BasicIterativeMethod(classifier, eps=1, eps_step=0.2, batch_size=128)
x_test_adv = attack.generate(self.x_test_iris)
self.assertFalse((self.x_test_iris == x_test_adv).all())
self.assertTrue((x_test_adv > 1).any())
self.assertTrue((x_test_adv < 0).any())
preds_adv = np.argmax(classifier.predict(x_test_adv), axis=1)
self.assertFalse((np.argmax(self.y_test_iris, axis=1) == preds_adv).all())
acc = np.sum(preds_adv == np.argmax(self.y_test_iris, axis=1)) / self.y_test_iris.shape[0]
logger.info("Accuracy on Iris with BIM adversarial examples: %.2f%%", (acc * 100))
def test_shapes(self):
x_test, y_test = self.mnist[1]
classifier = KerasClassifier((0, 1), self.model_mnist)
preds = classifier.predict(self.mnist[1][0])
self.assertTrue(preds.shape == y_test.shape)
self.assertTrue(classifier.nb_classes == 10)
class_grads = classifier.class_gradient(x_test[:11])
self.assertTrue(class_grads.shape == tuple([11, 10] +
list(x_test[1].shape)))
loss_grads = classifier.loss_gradient(x_test[:11], y_test[:11])
self.assertTrue(loss_grads.shape == x_test[:11].shape)
def test_keras_iris_unbounded(self):
(_, _), (x_test, y_test) = self.iris
classifier = get_iris_classifier_kr()
# Recreate a classifier without clip values
classifier = KerasClassifier(model=classifier._model, use_logits=False, channel_index=1)
attack = ElasticNet(classifier, targeted=False, max_iter=10)
x_test_adv = attack.generate(x_test)
expected_x_test_adv = np.asarray([0.85931635, 0.44633555, 0.65658355, 0.23840423])
np.testing.assert_array_almost_equal(x_test_adv[0, :], expected_x_test_adv, decimal=6)
predictions_adv = np.argmax(classifier.predict(x_test_adv), axis=1)
np.testing.assert_array_equal(predictions_adv, np.asarray([1, 1, 1, 2, 1, 1, 1, 2, 1, 2, 1, 1, 1, 2, 1, 1, 2, 2,
1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 2, 1, 2, 1, 2, 1, 0, 1,
1, 1, 2, 0, 2, 2, 1, 1, 2]))
accuracy = 1.0 - np.sum(predictions_adv == np.argmax(y_test, axis=1)) / y_test.shape[0]
logger.info('EAD success rate on Iris: %.2f%%', (accuracy * 100))
def test_keras_iris_unbounded(self):
(_, _), (x_test, y_test) = self.iris
classifier = get_iris_classifier_kr()
# Recreate a classifier without clip values
classifier = KerasClassifier(model=classifier._model, use_logits=False, channel_index=1)
attack = VirtualAdversarialMethod(classifier, eps=1)
x_test_adv = attack.generate(x_test)
self.assertFalse((x_test == x_test_adv).all())
self.assertTrue((x_test_adv > 1).any())
self.assertTrue((x_test_adv < 0).any())
preds_adv = np.argmax(classifier.predict(x_test_adv), axis=1)
self.assertFalse((np.argmax(y_test, axis=1) == preds_adv).all())
acc = np.sum(preds_adv == np.argmax(y_test, axis=1)) / y_test.shape[0]
logger.info('Accuracy on Iris with VAT adversarial examples: %.2f%%', (acc * 100))
def test_resnet(self):
import os
from keras.applications.resnet50 import ResNet50, decode_predictions
from keras.preprocessing.image import load_img, img_to_array
keras.backend.set_learning_phase(0)
model = ResNet50(weights='imagenet')
classifier = KerasClassifier((0, 255), model)
# Load image from file
image = img_to_array(load_img(os.path.join(self.test_dir, 'test.jpg'), target_size=(224, 224)))
image = image.reshape((1, image.shape[0], image.shape[1], image.shape[2]))
label = decode_predictions(classifier.predict(image))[0][0]
self.assertEqual(label[1], 'Weimaraner')
