def setUpClass(cls):
master_seed(seed=1234)
super().setUpClass()
cls.x_train_mnist = np.reshape(
cls.x_train_mnist,
(cls.x_train_mnist.shape[0], 1, 28, 28)).astype(np.float32)
cls.x_test_mnist = np.reshape(
cls.x_test_mnist,
(cls.x_test_mnist.shape[0], 1, 28, 28)).astype(np.float32)
# Define the network
model = nn.Sequential(nn.Conv2d(1, 2, 5),
nn.ReLU(), nn.MaxPool2d(2, 2), Flatten(),
nn.Linear(288, 10))
# Define a loss function and optimizer
loss_fn = nn.CrossEntropyLoss()
optimizer = optim.Adam(model.parameters(), lr=0.01)
classifier = PyTorchClassifier(model=model,
clip_values=(0, 1),
loss=loss_fn,
optimizer=optimizer,
input_shape=(1, 28, 28),
nb_classes=10)
classifier.fit(cls.x_train_mnist,
cls.y_train_mnist,
batch_size=100,
nb_epochs=1)
cls.seq_classifier = classifier
# Define the network
model = Model()
loss_fn = nn.CrossEntropyLoss()
optimizer = optim.Adam(model.parameters(), lr=0.01)
classifier_2 = PyTorchClassifier(model=model,
clip_values=(0, 1),
loss=loss_fn,
optimizer=optimizer,
input_shape=(1, 28, 28),
nb_classes=10)
classifier_2.fit(cls.x_train_mnist,
cls.y_train_mnist,
batch_size=100,
nb_epochs=1)
cls.module_classifier = classifier_2
cls.x_train_mnist = np.reshape(
cls.x_train_mnist,
(cls.x_train_mnist.shape[0], 28, 28, 1)).astype(np.float32)
cls.x_test_mnist = np.reshape(
cls.x_test_mnist,
(cls.x_test_mnist.shape[0], 28, 28, 1)).astype(np.float32)
def test_device(self):
# Define the network
model = nn.Sequential(nn.Conv2d(1, 2, 5),
nn.ReLU(), nn.MaxPool2d(2, 2), Flatten(),
nn.Linear(288, 10))
# Define a loss function and optimizer
loss_fn = nn.CrossEntropyLoss()
optimizer = optim.Adam(model.parameters(), lr=0.01)
# First test cpu
classifier_cpu = PyTorchClassifier(
model=model,
clip_values=(0, 1),
loss=loss_fn,
optimizer=optimizer,
input_shape=(1, 28, 28),
nb_classes=10,
device_type="cpu",
)
self.assertTrue(classifier_cpu._device == torch.device("cpu"))
self.assertFalse(classifier_cpu._device == torch.device("cuda"))
# Then test gpu
if torch.cuda.device_count() >= 2:
with torch.cuda.device(0):
classifier_gpu0 = PyTorchClassifier(
model=model,
clip_values=(0, 1),
loss=loss_fn,
optimizer=optimizer,
input_shape=(1, 28, 28),
nb_classes=10,
)
self.assertTrue(
classifier_gpu0._device == torch.device("cuda:0"))
self.assertFalse(
classifier_gpu0._device == torch.device("cuda:1"))
with torch.cuda.device(1):
classifier_gpu1 = PyTorchClassifier(
model=model,
clip_values=(0, 1),
loss=loss_fn,
optimizer=optimizer,
input_shape=(1, 28, 28),
nb_classes=10,
)
self.assertTrue(
classifier_gpu1._device == torch.device("cuda:1"))
self.assertFalse(
classifier_gpu1._device == torch.device("cuda:0"))
def get_art_model(model_kwargs, wrapper_kwargs, weights_file=None):
model = models.resnet50(**model_kwargs)
model.to(DEVICE)
if weights_file:
filepath = maybe_download_weights_from_s3(weights_file)
checkpoint = torch.load(filepath, map_location=DEVICE)
model.load_state_dict(checkpoint)
wrapped_model = PyTorchClassifier(
model,
loss=torch.nn.CrossEntropyLoss(),
optimizer=torch.optim.Adam(model.parameters(), lr=0.003),
input_shape=(224, 224, 3),
**wrapper_kwargs,
clip_values=(
np.array([
0.0 - IMAGENET_MEANS[0] / IMAGENET_STDEV[0],
0.0 - IMAGENET_MEANS[1] / IMAGENET_STDEV[1],
0.0 - IMAGENET_MEANS[2] / IMAGENET_STDEV[2],
]),
np.array([
1.0 - IMAGENET_MEANS[0] / IMAGENET_STDEV[0],
1.0 - IMAGENET_MEANS[1] / IMAGENET_STDEV[1],
1.0 - IMAGENET_MEANS[2] / IMAGENET_STDEV[2],
]),
),
)
return wrapped_model
def __init__(self,
model_container,
eps=0.3,
eps_step=0.1,
max_iter=100,
targeted=False,
batch_size=64):
super(BIMContainer, self).__init__(model_container)
params_received = {
'eps': eps,
'eps_step': eps_step,
'max_iter': max_iter,
'targeted': targeted,
'batch_size': batch_size
}
self._params = params_received
# use IBM ART pytorch module wrapper
# the model used here should be already trained
model = self.model_container.model
loss_fn = self.model_container.model.loss_fn
dc = self.model_container.data_container
clip_values = get_range(dc.x_train, dc.data_type == 'image')
optimizer = self.model_container.model.optimizer
num_classes = self.model_container.data_container.num_classes
dim_data = self.model_container.data_container.dim_data
self.classifier = PyTorchClassifier(model=model,
clip_values=clip_values,
loss=loss_fn,
optimizer=optimizer,
input_shape=dim_data,
nb_classes=num_classes)
def __init__(self, net, num_classes, attack_type, eps, batch_size):
self.num_classes = num_classes
self.net = net
self.fmodel = foolbox.models.PyTorchModel(net,
bounds=(0, 1),
num_classes=10)
if attack_type == "DeepFool":
attacker = foolbox.attacks.DeepFoolLinfinityAttack(self.fmodel)
elif attack_type == "MIFGSM":
attacker = foolbox.attacks.MomentumIterativeAttack(
self.fmodel, distance=foolbox.distances.Linfinity)
elif attack_type == "CW":
a0 = 2 * eps / 20
classifier = PyTorchClassifier(clip_values=(0, 1),
model=net,
loss=None,
optimizer=None,
input_shape=(batch_size, 3, 32, 32),
nb_classes=num_classes,
channel_index=3,
defences=None,
preprocessing=(0, 1))
attacker = carlini.CarliniLInfMethod(classifier,
learning_rate=a0 / 2,
targeted=False,
max_iter=40,
eps=eps,
batch_size=128)
self.attacker = attacker
self.attack_type = attack_type
self.eps = eps
def wrap(model, target_type, **config):
assert model is not None
if target_type == 'sklearnclassifier':
nb_classes = config.get('nb_classes', 10)
return SklearnClassifier(model=model, clip_values=(0, nb_classes))
elif target_type == 'pytorchclassifier':
loss = config.get('loss', None)
optimizer = config.get('optimizer', None)
input_shape = config.get('input_shape', None)
nb_classes = config.get('nb_classes', None)
clip_values = config.get('clip_values', (0., 1.))
return PyTorchClassifier(model=model,
loss=loss,
optimizer=optimizer,
input_shape=input_shape,
nb_classes=nb_classes,
clip_values=clip_values)
else:
raise NotImplementedError(
'Wrapper for {} is not implemented.'.format(target_type))
def setUpClass(cls):
(x_train, y_train), (x_test, y_test), _, _ = load_dataset('mnist')
x_train = np.swapaxes(x_train, 1, 3).astype(np.float32)
x_test = np.swapaxes(x_test, 1, 3).astype(np.float32)
cls.x_train = x_train[:NB_TRAIN]
cls.y_train = y_train[:NB_TRAIN]
cls.x_test = x_test[:NB_TEST]
cls.y_test = y_test[:NB_TEST]
# Define the internal classifier
classifier = get_classifier_pt()
# Define the internal detector
conv = nn.Conv2d(1, 16, 5)
linear = nn.Linear(2304, 1)
torch.nn.init.xavier_uniform_(conv.weight)
torch.nn.init.xavier_uniform_(linear.weight)
model = nn.Sequential(conv, nn.ReLU(), nn.MaxPool2d(2, 2), Flatten(),
linear)
model = Model(model)
loss_fn = nn.CrossEntropyLoss()
optimizer = optim.Adam(model.parameters(), lr=0.01)
detector = PyTorchClassifier(model=model,
loss=loss_fn,
optimizer=optimizer,
input_shape=(1, 28, 28),
nb_classes=1,
clip_values=(0, 1))
# Define the detector-classifier
cls.detector_classifier = DetectorClassifier(classifier=classifier,
detector=detector)
def __init__(self,
model_container,
max_iter=100,
epsilon=1e-6,
nb_grads=10,
batch_size=16):
super(DeepFoolContainer, self).__init__(model_container, )
self._params = {
'max_iter': max_iter,
'epsilon': epsilon,
'nb_grads': nb_grads,
'batch_size': batch_size
}
# use IBM ART pytorch module wrapper
# the model used here should be already trained
model = self.model_container.model
loss_fn = self.model_container.model.loss_fn
dc = self.model_container.data_container
clip_values = get_range(dc.x_train, dc.data_type == 'image')
optimizer = self.model_container.model.optimizer
num_classes = self.model_container.data_container.num_classes
dim_data = self.model_container.data_container.dim_data
self.classifier = PyTorchClassifier(model=model,
clip_values=clip_values,
loss=loss_fn,
optimizer=optimizer,
input_shape=dim_data,
nb_classes=num_classes)
def test_ptclassifier(self):
"""
Third test with the PyTorchClassifier.
:return:
"""
# Get MNIST
(x_train, y_train), (x_test, y_test) = self.mnist
x_train = np.swapaxes(x_train, 1, 3)
x_test = np.swapaxes(x_test, 1, 3)
# Create simple CNN
model = Model()
# Define a loss function and optimizer
loss_fn = nn.CrossEntropyLoss()
optimizer = optim.Adam(model.parameters(), lr=0.01)
# Get classifier
ptc = PyTorchClassifier((0, 1), model, loss_fn, optimizer, (1, 28, 28),
10)
ptc.fit(x_train, y_train, batch_size=BATCH_SIZE, nb_epochs=1)
# Attack
nf = NewtonFool(ptc, max_iter=5)
x_test_adv = nf.generate(x_test)
self.assertFalse((x_test == x_test_adv).all())
y_pred = ptc.predict(x_test)
y_pred_adv = ptc.predict(x_test_adv)
y_pred_bool = y_pred.max(axis=1, keepdims=1) == y_pred
y_pred_max = y_pred.max(axis=1)
y_pred_adv_max = y_pred_adv[y_pred_bool]
self.assertTrue((y_pred_max >= y_pred_adv_max).all())
def artattack(fcn, model, images, criterion, epsilon, kwargs):
"""
adversarial robustness toolbox ported attack implementation
:param fcn: the foolbox_custom attack function
:param model: network in DAGModule
:param images: test samples
:param criterion: labels/criterion object
:param epsilon: epsilon to test with
:param kwargs: other arguments to the model
:return: perturbed image, whether the attack is successful or not
"""
artmodel = PyTorchClassifier(
model=model,
clip_values=(0, 1),
loss=nn.CrossEntropyLoss(),
optimizer=None,
input_shape=(0,),
nb_classes=10
)
device = model.device
attack = fcn(classifier=artmodel, **kwargs)
adv_imgs = torch.as_tensor(attack.generate(x=images.clone().cpu())).to(device)
linf = LpDistance(ep.inf)
adv_imgs = linf.clip_perturbation(images, adv_imgs, epsilon)
return adv_imgs
def __init__(self, model_container, theta=0.1, gamma=1.0, batch_size=16):
super(SaliencyContainer, self).__init__(model_container)
dim_data = model_container.data_container.dim_data
assert len(dim_data) == 3, \
'Jacobian Saliency Map attack only works on images'
self._params = {
'theta': theta,
'gamma': gamma,
'batch_size': batch_size
}
# use IBM ART pytorch module wrapper
# the model used here should be already trained
model = self.model_container.model
loss_fn = self.model_container.model.loss_fn
dc = self.model_container.data_container
clip_values = get_range(dc.x_train, dc.data_type == 'image')
optimizer = self.model_container.model.optimizer
num_classes = self.model_container.data_container.num_classes
dim_data = self.model_container.data_container.dim_data
logger.debug('clip_values = %s', str(clip_values))
self.classifier = PyTorchClassifier(model=model,
clip_values=clip_values,
loss=loss_fn,
optimizer=optimizer,
input_shape=dim_data,
nb_classes=num_classes)
def test_iris_pt(self):
"""
Third test for Pytorch.
:return:
"""
# Build PyTorchClassifier
victim_ptc = get_iris_classifier_pt()
class Model(nn.Module):
"""
Create Iris model for PyTorch.
"""
def __init__(self):
super(Model, self).__init__()
self.fully_connected1 = nn.Linear(4, 10)
self.fully_connected2 = nn.Linear(10, 10)
self.fully_connected3 = nn.Linear(10, 3)
# pylint: disable=W0221
# disable pylint because of API requirements for function
def forward(self, x):
x = self.fully_connected1(x)
x = self.fully_connected2(x)
logit_output = self.fully_connected3(x)
return logit_output
# Define the network
model = Model()
# Define a loss function and optimizer
loss_fn = nn.CrossEntropyLoss()
optimizer = optim.Adam(model.parameters(), lr=0.001)
# Get classifier
thieved_ptc = PyTorchClassifier(model=model,
loss=loss_fn,
optimizer=optimizer,
input_shape=(4, ),
nb_classes=3,
clip_values=(0, 1),
channel_index=1)
# Create attack
copycat_cnn = CopycatCNN(classifier=victim_ptc,
batch_size_fit=BATCH_SIZE,
batch_size_query=BATCH_SIZE,
nb_epochs=NB_EPOCHS,
nb_stolen=NB_STOLEN)
thieved_ptc = copycat_cnn.extract(x=self.x_train,
thieved_classifier=thieved_ptc)
victim_preds = np.argmax(victim_ptc.predict(x=self.x_train[:100]),
axis=1)
thieved_preds = np.argmax(thieved_ptc.predict(x=self.x_train[:100]),
axis=1)
acc = np.sum(victim_preds == thieved_preds) / len(victim_preds)
self.assertGreater(acc, 0.3)
def test_one_channel(self):
(x_train, _), (_, _), _, _ = load_mnist()
x_train = x_train[:2, 10:15, 15:20, :]
x_train = x_train.astype(np.float32)
x_train_original = x_train.copy()
# Define the network
model = ModelImage()
loss_fn = nn.CrossEntropyLoss()
optimizer = optim.Adam(model.parameters(), lr=0.01)
self.pixelcnn = PyTorchClassifier(model=model,
loss=loss_fn,
optimizer=optimizer,
input_shape=(1, 28, 28),
nb_classes=10,
clip_values=(0, 1))
preprocess = PixelDefend(eps=5, pixel_cnn=self.pixelcnn)
x_defended, _ = preprocess(x_train)
self.assertEqual(x_defended.shape, x_train.shape)
self.assertTrue((x_defended <= 1.0).all())
self.assertTrue((x_defended >= 0.0).all())
# Check that x_train has not been modified by attack and classifier
self.assertAlmostEqual(float(np.max(np.abs(x_train_original -
x_train))),
0.0,
delta=0.00001)
def __init__(self, model_container, norm=np.inf, eps=.3, eps_step=0.1,
targeted=False, num_random_init=0, batch_size=64, minimal=False):
"""
Fast Gradient Sign Method. Use L-inf norm as default
"""
super(FGSMContainer, self).__init__(model_container)
self._params = {
'norm': norm,
'eps': eps,
'eps_step': eps_step,
'targeted': targeted,
'num_random_init': num_random_init,
'batch_size': batch_size,
'minimal': minimal}
# use IBM ART pytorch module wrapper
# the model used here should be already trained
model = self.model_container.model
loss_fn = self.model_container.model.loss_fn
dc = self.model_container.data_container
clip_values = get_range(dc.x_train, dc.data_type == 'image')
optimizer = self.model_container.model.optimizer
num_classes = self.model_container.data_container.num_classes
dim_data = self.model_container.data_container.dim_data
self.classifier = PyTorchClassifier(
model=model,
clip_values=clip_values,
loss=loss_fn,
optimizer=optimizer,
input_shape=dim_data,
nb_classes=num_classes)
def general_test(model,
optimizer,
input_shape,
nb_classes,
test_loader,
method,
btrain=False,
model_file='last_model_92_sgd.pkl'):
global _classes
if not btrain:
model.load_state_dict(torch.load(model_file))
model.eval()
loss = nn.CrossEntropyLoss()
warped_model = PyTorchClassifier(model,
loss,
optimizer,
input_shape,
nb_classes,
clip_values=(.0, 1.))
if method == 'Deepfool':
adv_crafter = DeepFool(warped_model)
elif method == 'BIM':
adv_crafter = BasicIterativeMethod(warped_model, batch_size=20)
elif method == 'JSMA':
adv_crafter = SaliencyMapMethod(warped_model, batch_size=20)
elif method == 'CW2':
adv_crafter = CarliniL2Method(warped_model, batch_size=20)
elif method == 'CWI':
adv_crafter = CarliniLInfMethod(warped_model, batch_size=20)
correct, total = 0, 0
class_correct = list(0. for _ in range(10))
class_total = list(0. for _ in range(10))
for images, labels in test_loader:
images = adv_crafter.generate(images.numpy())
images = Variable(torch.from_numpy(images).cuda())
labels = Variable(labels.cuda())
outputs = model(images)
_, predicted = torch.max(outputs.data, 1)
total += labels.size(0)
correct += (predicted == labels.data).sum()
c = (predicted == labels.data).squeeze()
for i in range(20):
label = labels.data[i]
class_correct[label] += c[i]
class_total[label] += 1
print('Accuracy of the model on the test images: %d %%' %
(100 * float(correct) / total))
print('Accuracy of the model on the test images:', float(correct) / total)
for i in range(10):
print('Accuracy of %5s : %2d %%' %
(_classes[i], 100 * class_correct[i] / class_total[i]))
return correct / total
def general_test_v2(model,
optimizer,
input_shape,
nb_classes,
test_loader,
method,
conf,
btrain=False,
model_file='last_model_92_sgd.pkl'):
global _classes
if not btrain:
checked_state = torch.load(model_file)['state_dict']
model.load_state_dict(checked_state)
model.eval()
loss = nn.CrossEntropyLoss()
warped_model = PyTorchClassifier(model,
loss,
optimizer,
input_shape,
nb_classes,
clip_values=(.0, 1.))
if method == 'Deepfool':
adv_crafter = DeepFool(warped_model)
elif method == 'BIM':
adv_crafter = BasicIterativeMethod(warped_model, batch_size=32)
elif method == 'JSMA':
adv_crafter = SaliencyMapMethod(warped_model, batch_size=32)
elif method == 'CW2':
adv_crafter = CarliniL2Method(warped_model, batch_size=32)
elif method == 'CWI':
adv_crafter = CarliniLInfMethod(warped_model, batch_size=32)
elif method == 'FGSM':
adv_crafter = FastGradientMethod(warped_model, batch_size=32)
correct, total = 0, 0
adv_dataset = adv_generalization(test_loader, adv_crafter, conf)
temp_loader = DataLoader(dataset=adv_dataset,
batch_size=32,
shuffle=False,
drop_last=True)
# temp_loader = test_loader
for images, labels in temp_loader:
images = Variable(images.cuda())
labels = Variable(labels.cuda())
outputs = model(images)
_, predicted = torch.max(outputs.data, 1)
total += labels.size(0)
correct += (predicted == labels.data).sum()
print('Accuracy of the model on the test images: %d %%' %
(100 * float(correct) / total))
print('Accuracy of the model on the test images:', float(correct) / total)
return correct / total
def main(config_filepath):
config = load_config(config_filepath)
if os.path.isfile(config.metrics_output_path):
click.confirm(f"Overwrite {config.metrics_output_path}?", abort=True)
np.random.seed(config.seed)
torch.manual_seed(config.seed)
# Load data
x = torch.load(config.x_filepath)
y = torch.load(config.y_filepath)
# Flatten
x = x.reshape(x.shape[0], -1)
model = torch.load(config.trained_model_filepath)
clip_values = {}
with open(config.clip_values_filepath, "r") as f:
clip_values = json.load(f)
clip_values = (
clip_values.get("min_pixel_value"),
clip_values.get("max_pixel_value"),
)
classifier = PyTorchClassifier(
model=model,
clip_values=clip_values,
loss=model.criterion,
optimizer=model.optimizer,
input_shape=(1, 28, 28),
nb_classes=10,
) # TODO: move these parameters to config
# Evaluate the classifier on benign data
predictions = classifier.predict(x)
# Convert one-hots to numbers for metrics
y = utils.one_hot_to_num(y)
predictions = utils.one_hot_to_num(predictions)
accuracy = {
"Accuracy": metrics.accuracy_score(y, predictions),
"Confusion Matrix": metrics.confusion_matrix(y, predictions).tolist(),
}
# Save data
with open(config.metrics_output_path, "w") as f:
json.dump(
accuracy,
f,
ensure_ascii=False,
sort_keys=True,
indent=4,
separators=(",", ": "),
)
def get_art_model(model_kwargs, wrapper_kwargs):
model = resnet50(**model_kwargs)
wrapped_model = PyTorchClassifier(
model,
loss=nn.CrossEntropyLoss(),
optimizer=None,
input_shape=(224, 224, 3),
**wrapper_kwargs,
)
return wrapped_model
def _cnn_mnist_py():
model = Model()
# Define a loss function and optimizer
loss_fn = nn.CrossEntropyLoss()
optimizer = optim.Adam(model.parameters(), lr=0.01)
# Get classifier
classifier = PyTorchClassifier((0, 1), model, loss_fn, optimizer, (1, 28, 28), 10)
return classifier
def get_iris_classifier_pt():
"""
Standard PyTorch classifier for unit testing on Iris dataset.
:return: Trained model for Iris dataset.
:rtype: :class:`.PyTorchClassifier`
"""
from art.classifiers import PyTorchClassifier
class Model(nn.Module):
"""
Create Iris model for PyTorch.
The weights and biases are identical to the Tensorflow model in `get_iris_classifier_tf`.
"""
def __init__(self):
super(Model, self).__init__()
w_dense1 = np.load(os.path.join(os.path.dirname(os.path.dirname(__file__)), 'models', 'W_DENSE1_IRIS.npy'))
b_dense1 = np.load(os.path.join(os.path.dirname(os.path.dirname(__file__)), 'models', 'B_DENSE1_IRIS.npy'))
w_dense2 = np.load(os.path.join(os.path.dirname(os.path.dirname(__file__)), 'models', 'W_DENSE2_IRIS.npy'))
b_dense2 = np.load(os.path.join(os.path.dirname(os.path.dirname(__file__)), 'models', 'B_DENSE2_IRIS.npy'))
w_dense3 = np.load(os.path.join(os.path.dirname(os.path.dirname(__file__)), 'models', 'W_DENSE3_IRIS.npy'))
b_dense3 = np.load(os.path.join(os.path.dirname(os.path.dirname(__file__)), 'models', 'B_DENSE3_IRIS.npy'))
self.fully_connected1 = nn.Linear(4, 10)
self.fully_connected1.weight = nn.Parameter(torch.Tensor(np.transpose(w_dense1)))
self.fully_connected1.bias = nn.Parameter(torch.Tensor(b_dense1))
self.fully_connected2 = nn.Linear(10, 10)
self.fully_connected2.weight = nn.Parameter(torch.Tensor(np.transpose(w_dense2)))
self.fully_connected2.bias = nn.Parameter(torch.Tensor(b_dense2))
self.fully_connected3 = nn.Linear(10, 3)
self.fully_connected3.weight = nn.Parameter(torch.Tensor(np.transpose(w_dense3)))
self.fully_connected3.bias = nn.Parameter(torch.Tensor(b_dense3))
def forward(self, x):
x = self.fully_connected1(x)
x = self.fully_connected2(x)
logit_output = self.fully_connected3(x)
return logit_output
# Define the network
model = Model()
# Define a loss function and optimizer
loss_fn = nn.CrossEntropyLoss()
optimizer = optim.Adam(model.parameters(), lr=0.01)
# Get classifier
ptc = PyTorchClassifier(model=model, loss=loss_fn, optimizer=optimizer, input_shape=(4,), nb_classes=3,
clip_values=(0, 1), channel_index=1)
return ptc
def setUpClass(cls):
(x_train, y_train), (x_test, y_test), _, _ = load_dataset('mnist')
x_train = np.reshape(x_train,
(x_train.shape[0], 1, 28, 28)).astype(np.float32)
x_test = np.reshape(x_test,
(x_test.shape[0], 1, 28, 28)).astype(np.float32)
cls.x_train = x_train[:NB_TRAIN]
cls.y_train = y_train[:NB_TRAIN]
cls.x_test = x_test[:NB_TEST]
cls.y_test = y_test[:NB_TEST]
# Define the network
model = nn.Sequential(nn.Conv2d(1, 2, 5),
nn.ReLU(), nn.MaxPool2d(2, 2), Flatten(),
nn.Linear(288, 10))
# Define a loss function and optimizer
loss_fn = nn.CrossEntropyLoss()
optimizer = optim.Adam(model.parameters(), lr=0.01)
classifier = PyTorchClassifier(model=model,
clip_values=(0, 1),
loss=loss_fn,
optimizer=optimizer,
input_shape=(1, 28, 28),
nb_classes=10)
classifier.fit(cls.x_train, cls.y_train, batch_size=100, nb_epochs=1)
cls.seq_classifier = classifier
# Define the network
model = Model()
loss_fn = nn.CrossEntropyLoss()
optimizer = optim.Adam(model.parameters(), lr=0.01)
classifier_2 = PyTorchClassifier(model=model,
clip_values=(0, 1),
loss=loss_fn,
optimizer=optimizer,
input_shape=(1, 28, 28),
nb_classes=10)
classifier_2.fit(x_train, y_train, batch_size=100, nb_epochs=1)
cls.module_classifier = classifier_2
def get_classifier_pt():
"""
Standard PyTorch classifier for unit testing
:return: PyTorchClassifier
"""
from art.classifiers import PyTorchClassifier
class Model(nn.Module):
"""
Create model for pytorch.
The weights and biases are identical to the Tensorflow model in get_classifier_tf().
"""
def __init__(self):
super(Model, self).__init__()
w_conv2d = np.load(os.path.join(os.path.dirname(os.path.dirname(__file__)), 'models', 'W_CONV2D_MNIST.npy'))
b_conv2d = np.load(os.path.join(os.path.dirname(os.path.dirname(__file__)), 'models', 'B_CONV2D_MNIST.npy'))
w_dense = np.load(os.path.join(os.path.dirname(os.path.dirname(__file__)), 'models', 'W_DENSE_MNIST.npy'))
b_dense = np.load(os.path.join(os.path.dirname(os.path.dirname(__file__)), 'models', 'B_DENSE_MNIST.npy'))
self.conv = nn.Conv2d(in_channels=1, out_channels=1, kernel_size=7)
w_conv2d_pt = np.swapaxes(w_conv2d, 0, 2)
w_conv2d_pt = np.swapaxes(w_conv2d_pt, 1, 3)
self.conv.weight = nn.Parameter(torch.Tensor(w_conv2d_pt))
self.conv.bias = nn.Parameter(torch.Tensor(b_conv2d))
self.pool = nn.MaxPool2d(4, 4)
self.fullyconnected = nn.Linear(25, 10)
self.fullyconnected.weight = nn.Parameter(torch.Tensor(np.transpose(w_dense)))
self.fullyconnected.bias = nn.Parameter(torch.Tensor(b_dense))
def forward(self, x):
import torch.nn.functional as f
x = self.pool(f.relu(self.conv(x)))
x = x.view(-1, 25)
logit_output = self.fullyconnected(x)
return logit_output
# Define the network
model = Model()
# Define a loss function and optimizer
loss_fn = nn.CrossEntropyLoss()
optimizer = optim.Adam(model.parameters(), lr=0.01)
# Get classifier
ptc = PyTorchClassifier(model=model, loss=loss_fn, optimizer=optimizer, input_shape=(1, 28, 28), nb_classes=10,
clip_values=(0, 1))
return ptc
def main(config_filepath):
config = load_config(config_filepath)
if os.path.isfile(config.x_adv_output_path):
click.confirm(f"Overwrite {config.x_adv_output_path}?", abort=True)
np.random.seed(config.seed)
torch.manual_seed(config.seed)
# Load data
x = torch.load(config.x_filepath)
x_shape = x.shape
x = x.reshape(x.shape[0], -1)
y = torch.load(config.y_filepath)
ace = torch.load(config.ace_filepath).cpu()
interventions = torch.load(config.interventions_filepath).cpu()
model = torch.load(config.model_filepath)
clip_values = {}
with open(config.clip_values_filepath, "r") as f:
clip_values = json.load(f)
clip_values = (
clip_values.get("min_pixel_value"),
clip_values.get("max_pixel_value"),
)
classifier = PyTorchClassifier(
model=model,
clip_values=clip_values,
loss=model.criterion,
optimizer=model.optimizer,
input_shape=(1, 28, 28),
nb_classes=10,
) # TODO: move these parameters to config
# Target the attacks to a particular class
y_adv = torch.zeros_like(torch.from_numpy(y))
y_adv[:, 0] = 1.0
# Generate attacks
x_adv = ace_attack(
ace,
interventions,
torch.from_numpy(x),
target_classes=y_adv,
norm=2,
budget=5.0,
) # TODO: move these parameters to config
# Unflatten for saving
x_adv = x_adv.reshape(x_shape)
torch.save(x_adv, config.x_adv_output_path)
def test_ptclassifier(self):
"""
Third test with the PyTorchClassifier.
:return:
"""
# Get MNIST
(x_train, y_train), (x_test, y_test) = self.mnist
x_train = np.swapaxes(x_train, 1, 3)
x_test = np.swapaxes(x_test, 1, 3)
# Define the network
model = Model()
# Define a loss function and optimizer
loss_fn = nn.CrossEntropyLoss()
optimizer = optim.Adam(model.parameters(), lr=0.01)
# Get classifier
ptc = PyTorchClassifier((0, 1), model, loss_fn, optimizer, (1, 28, 28),
10)
ptc.fit(x_train, y_train, batch_size=BATCH_SIZE, nb_epochs=10)
# First attack
cl2m = CarliniL2Method(classifier=ptc, targeted=True, max_iter=10)
params = {'y': random_targets(y_test, ptc.nb_classes)}
x_test_adv = cl2m.generate(x_test, **params)
self.assertFalse((x_test == x_test_adv).all())
self.assertTrue((x_test_adv <= 1.0001).all())
self.assertTrue((x_test_adv >= -0.0001).all())
target = np.argmax(params['y'], axis=1)
y_pred_adv = np.argmax(ptc.predict(x_test_adv), axis=1)
self.assertTrue((target == y_pred_adv).any())
# Second attack
cl2m = CarliniL2Method(classifier=ptc, targeted=False, max_iter=10)
params = {'y': random_targets(y_test, ptc.nb_classes)}
x_test_adv = cl2m.generate(x_test, **params)
self.assertTrue((x_test_adv <= 1.0001).all())
self.assertTrue((x_test_adv >= -0.0001).all())
target = np.argmax(params['y'], axis=1)
y_pred_adv = np.argmax(ptc.predict(x_test_adv), axis=1)
self.assertTrue((target != y_pred_adv).any())
# Third attack
cl2m = CarliniL2Method(classifier=ptc, targeted=False, max_iter=10)
params = {}
x_test_adv = cl2m.generate(x_test, **params)
self.assertFalse((x_test == x_test_adv).all())
self.assertTrue((x_test_adv <= 1.0001).all())
self.assertTrue((x_test_adv >= -0.0001).all())
y_pred = np.argmax(ptc.predict(x_test), axis=1)
y_pred_adv = np.argmax(ptc.predict(x_test_adv), axis=1)
self.assertTrue((y_pred != y_pred_adv).any())
def __init__(self, model, dataset):
model.eval()
self.model = model
self.dataset = dataset
optimizer = torch.optim.Adam(model.parameters()) # Useless
self.nb_classes = nb_classes[dataset]
self.classifier = PyTorchClassifier((0., 1.),
model=self.model,
loss=nn.CrossEntropyLoss(),
optimizer=optimizer,
input_shape=input_shape[dataset],
nb_classes=self.nb_classes)
def load_model(model_path):
''' Carica i pesi del modello preaddestrato e li inserisce nella classe PytorchClassifier, che fa da interfaccia tra modello e ART'''
config = bzu.load_json('/'.join([model_path, 'config.json']))
model_args = config['model_args']
model_name = model_args['model']
model_class = image.ImagePolicyModelSS
model = model_class(**config['model_args'])
model.load_state_dict(torch.load('/'.join([model_path, 'model-10.th'])))
criterion = nn.CrossEntropyLoss()
optimizer = optim.Adam(model.parameters(),lr=0.0001)
classifier = PyTorchClassifier(model=model, loss=criterion,optimizer=optimizer, input_shape=(3, 160, 384),
nb_classes=10,device_type='gpu')
return classifier
def transform(self, classifier):
if not isinstance(classifier, PyTorchClassifier):
raise ValueError("classifier is not a PyTorchClassifier")
# double ._model is needed due to ART's creation of an extra torch wrapper
model = super().transform(classifier._model._model)
return PyTorchClassifier(
model,
loss=classifier._loss,
optimizer=classifier._optimizer,
input_shape=classifier._input_shape,
nb_classes=classifier._nb_classes,
preprocessing=None,
)
def get_art_model(model_kwargs, wrapper_kwargs, weights_file=None):
model = sail(weights_file=weights_file)
model.to(DEVICE)
wrapped_model = PyTorchClassifier(
model,
loss=torch.nn.CrossEntropyLoss(),
optimizer=torch.optim.Adam(model.parameters(),
lr=model_kwargs['lr'],
betas=(.5, .999)),
input_shape=(WINDOW_LENGTH, ),
nb_classes=40,
)
return wrapped_model
def fgsm(model, X, y, optimizer,epsilon=0.1):
""" Construct FGSM adversarial examples on the examples X"""
classifier = PyTorchClassifier(
model=model_concetenate,
loss = custom_loss,
optimizer=optimizer,
input_shape=(1,28,28),
nb_classes=10,
device_type='gpu'
)
attack = FastGradientMethod(classifier=classifier,eps=epsilon)
x_adv = attack.generate(X.numpy(),y=y.numpy())
return torch.Tensor(x_adv)
def load_model(model_path):
config = bzu.load_json('/'.join([model_path, 'config.json']))
model_args = config['model_args']
model_name = model_args['model']
model_class = image.ImagePolicyModelSS
model = model_class(**config['model_args'])
model.load_state_dict(torch.load('/'.join([model_path, 'model-10.th'])))
criterion = nn.CrossEntropyLoss()
optimizer = optim.Adam(model.parameters(),lr=0.0001)
classifier = PyTorchClassifier(model=model, loss=criterion,optimizer=optimizer, input_shape=(3, 160, 184),
nb_classes=10,device_type='gpu')
return classifier