def get_at_model(sess, x_train, y_train, x_test, y_test):
    """Adversarially train a vanilla model with FGSM examples and report accuracy.

    Trains on both clean and FGSM-perturbed inputs (eps=0.3), then evaluates
    on MNIST-shaped test data (28x28x1, scaled to [0, 1]).

    NOTE(review): relies on module-level `x`, `y`, `batch_size` and
    `train_params` (and helpers `process_data`, `get_vanilla_model`,
    `model_train`, `model_eval`) — confirm they are defined by the caller.

    :param sess: active TensorFlow session
    :param x_train, y_train: training data/labels
    :param x_test, y_test: test data/labels (raw; reshaped/scaled below)
    :return: the adversarially trained Keras model
    """
    x_train, y_train, x_test, y_test = process_data(x_train, y_train,
                                                    x_test, y_test)
    model = get_vanilla_model()
    wrap = KerasModelWrapper(model)
    fgsm = FastGradientMethod(wrap, sess=sess)
    fgsm_params = {'eps': 0.3}
    adv_x = fgsm.generate(x, **fgsm_params)
    # Treat the adversarial examples as constant during training so gradients
    # do not flow back through the attack graph.
    adv_x = tf.stop_gradient(adv_x)
    model_train(sess, x, y, model(x), x_train, y_train,
                predictions_adv=model(adv_x),
                evaluate=None,
                args=train_params, save=False)
    eval_par = {'batch_size': batch_size}
    x_test = x_test.reshape(x_test.shape[0], 28, 28, 1)
    x_test = x_test.astype('float32')
    x_test /= 255
    y_test = keras.utils.to_categorical(y_test, 10)
    acc = model_eval(sess, x, y, model(x), x_test, y_test, args=eval_par)
    print('Test accuracy on test examples: %0.4f\n' % acc)
    acc = model_eval(sess, x, y, model(adv_x), x_test, y_test, args=eval_par)
    print('Test accuracy on adversarial examples: %0.4f\n' % acc)
    # BUG FIX: the original returned the undefined name `model_at`
    # (NameError at runtime); the adversarially trained model is `model`.
    return model
def get_DeepFool_adversarial(targeted, xs, classifier, batch_size):
    """Generate untargeted DeepFool adversarial examples for `xs` in batches.

    :param targeted: must be False — DeepFool cannot be targeted
    :param xs: input samples, shape (N, H, W, C)
    :param classifier: Keras model to attack
    :param batch_size: attack batch size
    :return: adversarial examples, same leading dimension as `xs`
    :raises ValueError: if `targeted` is True
    """
    if targeted:
        # BUG FIX: raise instead of print()+exit() so callers can handle it.
        raise ValueError('DeepFool attack cannot be targeted.')
    wrap = KerasModelWrapper(classifier)
    attack = DeepFool(wrap, sess=K.get_session())
    attack_params = {
        'overshoot': 0.02,
        'max_iter': 50,
        'nb_candidate': 2,
        'clip_min': -5,
        'clip_max': 5
    }
    # BUG FIX: the original used int(N / batch_size) full batches only,
    # silently dropping the remainder samples; it also re-concatenated the
    # growing array every iteration (O(n^2)). Cover every sample and join once.
    batches = []
    for start in range(0, xs.shape[0], batch_size):
        print('ITER', start // batch_size)
        batches.append(
            attack.generate_np(xs[start:start + batch_size], **attack_params))
    return np.concatenate(batches, axis=0)
def FGSM(model, x, y):
    """Craft FGSM adversarial examples for `x` (eps=0.2, clipped to [0, 1]).

    :param model: Keras model to attack
    :param x: clean inputs
    :param y: true labels, passed to the attack
    :return: adversarial examples as a numpy array
    """
    wrapped = KerasModelWrapper(model)
    attacker = FastGradientMethod(wrapped, sess=K.get_session())
    return attacker.generate_np(x, y=y, eps=0.2, clip_min=0., clip_max=1.)
def generate_jsma_examples(sess, model, x, y, X, Y, attack_params, verbose,
                           attack_log_fpath):
    """Targeted JSMA attack, with per-sample target classes taken from Y.

    :param sess: active TensorFlow session
    :param model: Keras model to attack
    :param x, y: unused placeholders (kept for a uniform attack signature)
    :param X: clean samples, shape (N, ...)
    :param Y: one-hot target classes, shape (N, nb_classes)
    :param attack_params, verbose, attack_log_fpath: unused here — TODO confirm
        they are consumed by sibling generators with the same signature
    :return: stacked adversarial examples, shape matching X
    """
    Y_target = Y
    nb_classes = Y.shape[1]
    jsma = SaliencyMapMethod(KerasModelWrapper(model), back='tf', sess=sess)
    jsma_params = {'theta': 1., 'gamma': 0.1, 'clip_min': 0., 'clip_max': 1.}
    adv_x_list = []
    with click.progressbar(range(0, len(X)), file=sys.stderr, show_pos=True,
                           width=40,
                           bar_template=' [%(bar)s] JSMA Attacking %(info)s',
                           fill_char='>', empty_char='-') as bar:
        # Loop over the samples we want to perturb into adversarial examples
        for sample_ind in bar:
            sample = X[sample_ind:(sample_ind + 1)]
            # BUG FIX: the docstring promises a targeted attack, but the
            # original never passed a target to JSMA (Y_target was unused),
            # so the attack ran untargeted. Supply the per-sample target.
            jsma_params['y_target'] = Y_target[sample_ind:(sample_ind + 1)]
            adv_x = jsma.generate_np(sample, **jsma_params)
            adv_x_list.append(adv_x)
    return np.vstack(adv_x_list)
def train(self, X_tr, y_tr, X_val, y_val, dataObject, model):
    """Train `model`, optionally against a list of adversarial attacks.

    When FLAGS.attack names more than one attack (comma-separated), every
    attack after the first is instantiated for adversarial training.
    A step LR schedule is used unless early stopping / LR-plateau is on.
    """
    datagen = dataObject.data_generator()
    datagen.fit(X_tr)
    attack_names = FLAGS.attack.split(',')
    if len(attack_names) > 1:
        # Skip the first entry; build one attack per remaining name.
        wrapped = KerasModelWrapper(model)
        attack_params = [
            helpers.get_appropriate_attack(FLAGS.dataset,
                                           dataObject.get_range(),
                                           name, wrapped, common.sess,
                                           harden=True, attack_type="None")
            for name in attack_names[1:]
        ]
    else:
        attack_params = None

    def scheduler(epoch):
        # Step-wise LR schedule: 0.1 -> 0.01 -> 0.001.
        if epoch <= 75:
            return 0.1
        return 0.01 if epoch <= 115 else 0.001

    early_stop = None
    if FLAGS.early_stopping:
        print("Early stopping activated")
        early_stop = (0.005, 20)  # (min_delta, patience)
    lr_plateau = None
    if FLAGS.lr_plateau:
        print("Dynamic LR activated")
        lr_plateau = (0.001, 0.1, 10, 0.005)  # (min_lr, factor, patience, min_delta)
    if FLAGS.lr_plateau or FLAGS.early_stopping:
        print("LR scheduler disabled")
        scheduler = None  # dynamic strategies replace the fixed schedule
    helpers.customTrainModel(model, X_tr, y_tr, X_val, y_val, datagen,
                             self.nb_epochs, scheduler, self.batch_size,
                             attacks=attack_params, early_stop=early_stop,
                             lr_plateau=lr_plateau)
def __init__(self, model, source_samples=2, binary_search_steps=5,
             cw_learning_rate=5e-3, confidence=0, attack_iterations=1000,
             attack_initial_const=1e-2):
    """Configure a Carlini-Wagner L2 attack around a wrapped Keras model.

    :param model: object exposing .model (Keras model), .sess, .input_ph
        and .num_classes — TODO confirm against the caller
    :param source_samples: attack batch size
    :param binary_search_steps: c-search steps for the CW optimizer
    :param cw_learning_rate: optimizer learning rate
    :param confidence: margin added to the adversarial loss
    :param attack_iterations: max optimization iterations
    :param attack_initial_const: initial trade-off constant c
    """
    super(Attack, self).__init__()
    self.model = KerasModelWrapper(model.model)
    self.sess = model.sess
    self.x = model.input_ph
    self.y = Input(shape=(model.num_classes,), dtype='float32')
    self.cw = CarliniWagnerL2(self.model, sess=self.sess)
    # FIX: the original bound a local `abort_early = True` that was never
    # used (the dict hard-coded True anyway) and mixed quote styles.
    self.cw_params = {
        'binary_search_steps': binary_search_steps,
        'y': None,
        'abort_early': True,
        'max_iterations': attack_iterations,
        'learning_rate': cw_learning_rate,
        'batch_size': source_samples,
        'initial_const': attack_initial_const,
        'confidence': confidence,
        'clip_min': 0.0,
    }
def adversarial_noise(model, image, target_class, noise_limit, sess,
                      confidence=0.99, eps=1.0, max_iter=200):
    """Iteratively apply targeted FGSM until the model predicts `target_class`
    with more than `confidence`, or `max_iter` steps elapse.

    :param model: Keras ImageNet classifier (1000 classes)
    :param image: single input image (H, W, C); pixel range assumed [0, 255]
        from the clip bounds — TODO confirm
    :param target_class: integer class index to steer the prediction toward
    :param noise_limit: unused — kept for interface compatibility; TODO confirm
        whether callers expect it to bound the perturbation
    :param sess: active TensorFlow session
    :param confidence: stop once target-class probability exceeds this
    :param eps: FGSM step size per iteration
    :param max_iter: maximum number of FGSM steps
    :return: the adversarial image with the batch dimension removed
    """
    original = np.expand_dims(image, axis=0)
    encoded_target = to_categorical(np.array([target_class]), num_classes=1000)
    wrap = KerasModelWrapper(model)
    fgsm = FastGradientMethod(wrap, sess=sess)
    fgsm_params = {
        'eps': eps,
        'clip_min': 0.0,
        'clip_max': 255.0,
        'y_target': encoded_target
    }
    noisy = original
    for _ in range(max_iter):
        noisy = fgsm.generate_np(noisy, **fgsm_params)
        # PERF FIX: the original called model.predict twice per iteration;
        # predict once and reuse the result.
        preds = model.predict(prep_image(noisy))
        current_confidence = preds[0][target_class]
        print(decode_predictions(preds, top=3)[0])
        print(current_confidence)
        if current_confidence > confidence:
            break
    return np.reshape(noisy, noisy.shape[1:])
def attacks(model, X_test, Y_test):
    """Measure `model`'s accuracy on FGSM adversarial examples (eps=0.3).

    Builds a fresh session with GPU memory growth enabled, crafts FGSM
    examples clipped to [0, 1], and returns the adversarial accuracy.
    """
    from keras import backend as K
    K.set_learning_phase(1)
    config = tf.ConfigProto()
    config.gpu_options.allow_growth = True
    with tf.Session(config=config) as sess:
        # Placeholders shaped after the evaluation data.
        x = tf.placeholder(tf.float32, shape=(None, *X_test.shape[1:]))
        y = tf.placeholder(tf.float32, shape=(None, *Y_test.shape[1:]))
        attacker = FastGradientMethod(KerasModelWrapper(model), sess=sess)
        adv_x = attacker.generate(x, eps=0.3, clip_min=0., clip_max=1.)
        # Consider the attack to be constant (no gradients through it).
        adv_x = tf.stop_gradient(adv_x)
        preds_adv = model(adv_x)
        initialize_uninitialized_global_variables(sess)
        return model_eval(sess, x, y, preds_adv, X_test, Y_test,
                          args={'batch_size': 10})
def train_sub_no_augmn(data, target_model, sess):
    """Train a substitute model on samples labeled by the black-box model,
    without data augmentation.

    :param data: unlabeled samples to transfer-label and train on
    :param target_model: black-box model used as the labeling oracle
    :param sess: active TensorFlow session
    :return: the trained substitute, wrapped in KerasModelWrapper
    """
    print("Loading a substitute model...")
    x = tf.placeholder(tf.float32, shape=(None, BBOX_IMAGE_SIZE,
                                          BBOX_IMAGE_SIZE, NUM_OF_CHANNELS))
    model_sub = KerasModelWrapper(get_model_category_by_id(SUBSTITUTE_MODEL_ID))
    print("Substitute model loaded")
    print("Labeling samples...")
    labels = bbox_predict(target_model, data, sess, x, batch_size=1)
    print("Samples labeled")
    print("Training a substitute model...")
    generator = TransferGenerator(data=data, labels=labels,
                                  num_classes=NB_CLASSES,
                                  batch_size=BATCH_SIZE,
                                  image_size=SUB_IMAGE_SIZE)
    model_sub.model.fit_generator(generator=generator, epochs=NUM_EPOCHS,
                                  verbose=1)
    print("Subsitute model trained")
    return model_sub
def generate_adversarial(original_input, method, model, target=None,
                         target_class=None, sess=None, **kwargs):
    """Generate adversarial examples with the named cleverhans attack.

    :param original_input: one sample or a list of samples
    :param method: one of 'fgsm', 'jsma', 'cw', 'bim'
    :param model: Keras model to attack
    :param target: optional one-hot target labels
    :param target_class: optional single target class index (builds `target`)
    :param sess: TensorFlow session; defaults to the Keras session
    :param kwargs: forwarded to the attack's generate_np
    :return: adversarial examples as a numpy array
    :raises ValueError: if `method` is not supported
    """
    # Attack registry, built lazily on first call.
    if not hasattr(generate_adversarial, "attack_types"):
        generate_adversarial.attack_types = {
            'fgsm': FastGradientMethod,
            'jsma': SaliencyMapMethod,
            'cw': CarliniWagnerL2,
            'bim': BasicIterativeMethod
        }
    if sess is None:
        sess = K.get_session()
    if method in generate_adversarial.attack_types:
        # BUG FIX: pass the session by keyword — in older cleverhans the
        # second positional parameter is `back`, not `sess`, so a positional
        # session would be misbound.
        attacker = generate_adversarial.attack_types[method](
            KerasModelWrapper(model), sess=sess)
    else:
        # ValueError (a subclass of Exception) is more precise for callers.
        raise ValueError("Method not supported")
    if isinstance(original_input, list):
        original_input = np.asarray(original_input)
    else:
        original_input = np.asarray([original_input])
    if target_class is not None:
        target_class = [target_class]
    if target is None and target_class is not None:
        # Build one-hot targets from the class indices.
        target = np.zeros((len(target_class), model.output_shape[1]))
        target[np.arange(len(target_class)), target_class] = 1
    if target is not None:
        kwargs['y_target'] = target
    return attacker.generate_np(original_input, **kwargs)
def untargeted_attack(model, images):
    """Run DeepFool (untargeted, default parameters) on `images`.

    :param model: Keras model to attack
    :param images: batch of clean inputs
    :return: adversarial examples as a numpy array
    """
    attacker = DeepFool(KerasModelWrapper(model), back='tf',
                        sess=backend.get_session())
    return attacker.generate_np(images)
def main(argv=None):
    """Adversarially train a model on the configured dataset and save it.

    Picks LeNet for MNIST, otherwise a ResNet, builds the attack named by
    FLAGS.attack_name, and trains with adversarial examples mixed in.
    """
    dataObject = data_load.get_appropriate_data(FLAGS.dataset)(None, None)
    datagen = dataObject.data_generator()
    (X_train, Y_train), (X_test, Y_test) = dataObject.get_blackbox_data()
    X_validation, Y_validation = dataObject.get_validation_data()
    datagen.fit(X_train)
    is_mnist = FLAGS.dataset == "mnist"
    n_classes = Y_train.shape[1]
    if is_mnist:
        model, _ = lenet.lenet_network(n_classes=10, is_mnist=is_mnist)
    else:
        model, _ = resnet.residual_network(n_classes=n_classes,
                                           stack_n=FLAGS.stack_n,
                                           mnist=is_mnist, get_logits=False)
    attack, attack_params = helpers.get_appropriate_attack(
        FLAGS.dataset, dataObject.get_range(), FLAGS.attack_name,
        KerasModelWrapper(model), common.sess, harden=True,
        attack_type="None")
    helpers.customTrainModel(model, X_train, Y_train, X_validation,
                             Y_validation, datagen, FLAGS.nb_epochs,
                             densenet.scheduler, FLAGS.batch_size,
                             attacks=[(attack, attack_params)])
    model.save(FLAGS.save_here)
def __init__(self):
    """Wrap an ImageNet-pretrained VGG16 for cleverhans, keeping the
    preprocessing and prediction-decoding helpers on the instance."""
    Model.__init__(self)
    from keras.applications.vgg16 import (VGG16, preprocess_input,
                                          decode_predictions)
    self.keras_model = VGG16(weights='imagenet')
    self.model = KerasModelWrapper(self.keras_model)
    self.preprocess_input = preprocess_input
    self.decode_predictions = decode_predictions
def fgsm_attack_iter(model, x_input, input_img, sess, n):
    """Apply FGSM (eps=0.1, clip to [-1, 1]) iteratively `n` times, feeding
    each result back in, and record every iterate in `imgs_stamp_tf`.

    :param model: Keras model to attack
    :param x_input: input placeholder matching `input_img`'s shape
    :param input_img: clean starting image batch
    :param sess: active TensorFlow session
    :param n: number of FGSM iterations
    :return: (final adversarial image, elapsed seconds incl. graph build)

    NOTE(review): appends to the module-level list `imgs_stamp_tf` —
    confirm it is defined and intentionally shared.
    """
    import time
    wrap = KerasModelWrapper(model)
    imgs_stamp_tf.append(input_img)
    fgsm = FastGradientMethod(wrap)
    fgsm_params = {'eps': 0.1, 'clip_min': -1., 'clip_max': 1.}
    start_time = time.time()
    x_adv = fgsm.generate(x_input, **fgsm_params)
    # FIX: the original special-cased i == 0 and would hit a NameError for
    # n == 0 (adv_image never assigned). Seed the iterate with the clean
    # image and always feed the previous result back in.
    adv_image = input_img
    for _ in range(n):
        adv_image = sess.run(x_adv, feed_dict={x_input: adv_image})
        imgs_stamp_tf.append(adv_image)
    attack_time = time.time() - start_time
    return adv_image, attack_time
def main(argv=None):
    """Attack a saved model with the configured attack and report the error
    rate on the perturbed examples; optionally save them to disk.

    FLAGS.mode selects which split to perturb: "harden" or "attack".
    :raises Exception: if FLAGS.mode is neither of the two.
    """
    dataObject = data_load.get_appropriate_data(FLAGS.dataset)(None, None)
    datagen = dataObject.data_generator()
    # BUG FIX: removed the dead, misspelled `atack_X` pre-initialization and
    # the unreachable exit() that followed the raise below.
    if FLAGS.mode == "harden":
        attack_X, attack_Y = dataObject.get_hardening_data()
    elif FLAGS.mode == "attack":
        attack_X, attack_Y = dataObject.get_attack_data()
    else:
        raise Exception("Invalid mode specified!")
    n_classes, model = attack_Y.shape[1], load_model(FLAGS.model)
    attack, attack_params = helpers.get_appropriate_attack(
        FLAGS.dataset, dataObject.get_range(), FLAGS.attack_name,
        KerasModelWrapper(model), common.sess, harden=True,
        attack_type="None")
    perturbed_X = helpers.performBatchwiseAttack(attack_X, attack,
                                                 attack_params,
                                                 FLAGS.batch_size)
    # evaluate() returns [loss, accuracy]; fooled rate is 1 - accuracy.
    fooled_rate = 1 - model.evaluate(perturbed_X, attack_Y,
                                     batch_size=FLAGS.batch_size)[1]
    print("\nError on adversarial examples: %f" % (fooled_rate))
    if FLAGS.save_here:
        np.save(FLAGS.save_here + "_x.npy", perturbed_X)
        np.save(FLAGS.save_here + "_y.npy", attack_Y)
def generate_model():
    """Build and compile a CIFAR-10-shaped CNN, wrapped for cleverhans.

    Architecture: three conv stages (32, 64, 128 filters; each stage is
    conv-relu-conv-relu-pool-dropout), then Dense(512)-Dense(256)-softmax(10).
    """
    net = Sequential()
    for stage, filters in enumerate((32, 64, 128)):
        if stage == 0:
            # First layer carries the input shape.
            net.add(Convolution2D(filters, 3, 3, border_mode='same',
                                  input_shape=(32, 32, 3)))
        else:
            net.add(Convolution2D(filters, 3, 3, border_mode='same'))
        net.add(Activation('relu'))
        net.add(Convolution2D(filters, 3, 3, border_mode='same'))
        net.add(Activation('relu'))
        net.add(MaxPooling2D(pool_size=(2, 2)))
        net.add(Dropout(0.25))
    net.add(Flatten())
    for units in (512, 256):
        net.add(Dense(units))
        net.add(Activation('relu'))
        net.add(Dropout(0.5))
    net.add(Dense(10, activation='softmax'))
    # Compile the model
    net.compile(optimizer='adam', loss='categorical_crossentropy',
                metrics=['accuracy'])
    return KerasModelWrapper(net)
def generate(sess, model, data_feeder, source, target, adv_dump_dir,
             nb_samples, perturbation=0.35):
    """Craft targeted FGSM evasion samples from `source` toward `target`
    and persist the (clean, adversarial) pairs via AdversarialWriterEvasion.

    :param sess: active TensorFlow session
    :param model: object exposing .model, the Keras model to attack
    :param data_feeder: supplies craft data and target labels
    :param source: source class of the clean samples
    :param target: class the attack steers predictions toward
    :param adv_dump_dir: output directory for the adversarial data
    :param nb_samples: number of samples to craft
    :param perturbation: FGSM eps
    """
    attacker = FastGradientMethod(KerasModelWrapper(model.model), sess=sess)
    target_labels = data_feeder.get_labels(target, nb_samples)
    craft_data = data_feeder.get_evasion_craft_data(source_class=source,
                                                    total_count=nb_samples)
    adv_data = attacker.generate_np(craft_data, eps=perturbation,
                                    clip_min=0.0, clip_max=1.0,
                                    y_target=target_labels)
    # Commit data
    writer = AdversarialWriterEvasion(source_class=source,
                                      target_class=target,
                                      attack_params={'eps': perturbation},
                                      adversarial_data_path=adv_dump_dir)
    writer.batch_put(craft_data, adv_data)
    writer.commit()
def _load_model(self, path):
    """Load a Keras model from `path` and wrap it for cleverhans.

    If the path does not exist, logs a message and leaves the current
    state untouched (best-effort by design).

    :param path: filesystem path to the saved Keras model
    :return: self.model (the freshly loaded model, or whatever was set
        before — may be unset if no model was ever loaded; TODO confirm
        callers handle that)
    """
    if os.path.exists(path):
        self.model = load_model(path)
        self.cleverhans_model = KerasModelWrapper(self.model)
        print("loaded keras model from ", path)
    else:
        # BUG FIX: corrected the garbled log message ("path not exit").
        print("keras model path does not exist:", path)
    return self.model
def prep_bbox():
    """Load and compile the black-box age model, wrapped for cleverhans.

    Resolves BBOX_MODEL_PATH relative to the package root (two directory
    levels above this file) and compiles with Adam + categorical
    cross-entropy, reporting the age MAE metric.
    """
    root_dir = os.path.dirname(os.path.dirname(__file__))
    model = load_model(os.path.join(root_dir, BBOX_MODEL_PATH),
                       compile=False)
    model.compile(optimizer=Adam(), loss="categorical_crossentropy",
                  metrics=[age_mae])
    wrapped = KerasModelWrapper(model)
    print("Model loaded")
    return wrapped
def __init__(self, model, x=None, y=None):
    """Build logits, softmax probabilities and cross-entropy loss tensors
    for `model` on the given placeholders.

    :param model: Keras model to wrap
    :param x: placeholder for inputs
    :param y: placeholder for labels

    NOTE(review): the None defaults would fail inside get_logits /
    softmax_cross_entropy_with_logits — presumably callers always pass
    both placeholders; confirm.
    """
    self.keras_model = model
    wrapped = KerasModelWrapper(model)
    self.predictions = wrapped.get_logits(x)
    self.probs = tf.nn.softmax(logits=self.predictions)
    self.loss = tf.nn.softmax_cross_entropy_with_logits(
        labels=y, logits=self.predictions)
def __init__(self, n_feats, n_classes, model, sess, lbl_enc, ord):
    """Store the attack context: session, model (plus cleverhans wrapper),
    input/label placeholders, label encoder and perturbation norm order.

    :param n_feats: number of input features
    :param n_classes: number of output classes
    :param model: Keras model to attack
    :param sess: active TensorFlow session
    :param lbl_enc: label encoder used by callers
    :param ord: norm order of the perturbation (shadows builtin `ord`;
        kept for interface compatibility)
    """
    self.sess = sess
    self.model = model
    self.ord = ord
    self.lbl_enc = lbl_enc
    # Placeholders created in the same order as before (x, then y).
    self.x = tf.placeholder(tf.float32, shape=(None, n_feats))
    self.y = tf.placeholder(tf.float32, shape=(None, n_classes))
    self.wrap = KerasModelWrapper(model)
def build_attack(model, sess, eps=0.3, clip_min=0.0, clip_max=1.0):
    """Create a PGD attack for `model` along with the matching adversarial
    accuracy metric and adversarial training loss.

    :param model: Keras model to attack
    :param sess: active TensorFlow session
    :param eps: perturbation bound
    :param clip_min, clip_max: valid input range
    :return: (attack, adversarial accuracy metric, adversarial loss)
    """
    pgd = ProjectedGradientDescent(KerasModelWrapper(model), sess=sess)
    params = {"eps": eps, "clip_min": clip_min, "clip_max": clip_max}
    return (pgd,
            get_adversarial_acc_metric(model, pgd, params),
            get_adversarial_loss(model, pgd, params))
def lbfgs(model):
    """Return a closure that perturbs X batch-by-batch (in place) with the
    LBFGS attack (4 iterations, 3 binary-search steps)."""
    attacker = LBFGS(KerasModelWrapper(model), sess=session)

    def attack(X):
        for start in tqdm(range(0, len(X), CHILD_BATCH_SIZE),
                          desc='LBFGS: ', file=sys.stdout, leave=False):
            batch = X[start:start + CHILD_BATCH_SIZE]
            adv = attacker.generate(tf.convert_to_tensor(batch),
                                    batch_size=len(batch),
                                    max_iterations=4,
                                    binary_search_steps=3)
            X[start:start + CHILD_BATCH_SIZE] = session.run(adv)

    return attack
def fgsm(model):
    """Return a closure that perturbs X batch-by-batch (in place) with FGSM
    at a caller-supplied eps."""
    attacker = FastGradientMethod(KerasModelWrapper(model), sess=session)

    def attack(X, eps):
        for start in tqdm(range(0, len(X), CHILD_BATCH_SIZE),
                          desc='FGSM: ', file=sys.stdout, leave=False):
            batch = X[start:start + CHILD_BATCH_SIZE]
            adv = attacker.generate(tf.convert_to_tensor(batch), eps=eps)
            X[start:start + CHILD_BATCH_SIZE] = session.run(adv)

    return attack
def mim(model):
    """Return a closure that perturbs X batch-by-batch (in place) with the
    Momentum Iterative Method; per-step size is eps * 0.2."""
    attacker = MomentumIterativeMethod(KerasModelWrapper(model), sess=session)

    def attack(X, eps):
        for start in tqdm(range(0, len(X), CHILD_BATCH_SIZE),
                          desc='MIM: ', file=sys.stdout, leave=False):
            batch = X[start:start + CHILD_BATCH_SIZE]
            adv = attacker.generate(tf.convert_to_tensor(batch),
                                    eps=eps, eps_iter=eps * 0.2)
            X[start:start + CHILD_BATCH_SIZE] = session.run(adv)

    return attack
def build_attack(model, sess, eps=0.3, clip_min=0.0, clip_max=1.0):
    """Create an FGSM attack for `model` along with the matching adversarial
    accuracy metric and adversarial training loss.

    :param model: Keras model to attack
    :param sess: active TensorFlow session
    :param eps: perturbation bound
    :param clip_min, clip_max: valid input range
    :return: (attack, adversarial accuracy metric, adversarial loss)
    """
    fgsm = FastGradientMethod(KerasModelWrapper(model), sess=sess)
    params = {"eps": eps, "clip_min": clip_min, "clip_max": clip_max}
    return (fgsm,
            get_adversarial_acc_metric(model, fgsm, params),
            get_adversarial_loss(model, fgsm, params))
def lbfgs(X, which):
    """Return a copy of X where each batch has been perturbed by the LBFGS
    attack against `which.model`.

    :param X: clean samples (numpy array); a copy is modified and returned
    :param which: object exposing .model, the Keras model to attack
    :return: adversarial copy of X
    """
    wrapped = LBFGS(KerasModelWrapper(which.model), sess=session)
    X = X.copy()
    for start in tqdm(range(0, len(X), CHILD_BATCH_SIZE),
                      desc='batch: ', leave=False):
        batch = X[start:start + CHILD_BATCH_SIZE]
        tensor = tf.convert_to_tensor(batch)
        # BUG FIX: LBFGS is an optimization-based attack with no `eps`
        # parameter (cleverhans rejects/ignores unknown kwargs); use its
        # real knobs, matching the sibling lbfgs() helper in this file.
        tensor = wrapped.generate(tensor, batch_size=len(batch),
                                  max_iterations=4, binary_search_steps=3)
        X[start:start + CHILD_BATCH_SIZE] = session.run(tensor)
    return X
def init_attack(model, attack_params_dict, sess):
    """Initialize an adversarial attack from the cleverhans toolbox.

    Parameters
    ----------
    model : Keras Model
        The model to attack
    attack_params_dict : dict
        Self-defined dictionary specifying the attack ('attack' key) and
        its parameters ('eps', 'n_steps', 'eps_iter' as applicable)
    sess : Session
        The current tf session

    Returns
    -------
    attack : cleverhans Attack
        The Attack object
    attack_params : dict
        Parameter values valid for generating adversarial examples
    batch_size : int or None
        Forced batch size (1 for SPSA), otherwise None
    """
    # Wrapper for the Keras model
    wrapped = KerasModelWrapper(model)
    name = attack_params_dict['attack']
    batch_size = None
    if name == 'fgsm':
        attack = FastGradientMethod(wrapped, sess=sess)
        attack_params = {'eps': attack_params_dict['eps'],
                         'clip_min': 0., 'clip_max': 1.}
    elif name == 'spsa':
        attack = SPSA(wrapped, sess=sess)
        attack_params = {'epsilon': attack_params_dict['eps'],
                         'num_steps': attack_params_dict['n_steps']}
        batch_size = 1  # SPSA processes one sample at a time
    elif name == 'deepfool':
        attack = DeepFool(wrapped, sess=sess)
        attack_params = {'clip_min': 0., 'clip_max': 1.}
    elif name == 'pgd':
        attack = ProjectedGradientDescent(wrapped, sess=sess)
        attack_params = {'eps': attack_params_dict['eps'],
                         'eps_iter': attack_params_dict['eps_iter'],
                         'nb_iter': attack_params_dict['n_steps'],
                         'clip_min': 0., 'clip_max': 1.}
    elif name == 'carlini':
        attack = CarliniWagnerL2(wrapped, sess=sess)
        attack_params = {'clip_min': 0., 'clip_max': 1.}
    else:
        raise NotImplementedError()
    return attack, attack_params, batch_size
def attack(img, d, eps):
    """Targeted FGSM toward the module-level TARGET_CLASS on a single image.

    :param img: single image batch of shape (1, H, W, C), range [-1, 1]
        per the clip bounds
    :param d: Keras ImageNet classifier (1000 classes)
    :param eps: FGSM step size
    :return: the adversarial image with the batch dimension removed
    """
    one_hot_target = to_categorical([TARGET_CLASS], num_classes=1000)
    fgsm = FastGradientMethod(KerasModelWrapper(d), sess=sess)
    adversarial = fgsm.generate_np(img.copy(), eps=eps,
                                   clip_min=-1.0, clip_max=1.0,
                                   y_target=one_hot_target)
    return adversarial[0]
def bim_attack(train_data, model, sess):
    """Craft BIM adversarial examples: 10 iterations of step 0.01,
    clipped to [0, 1].

    :param train_data: clean input batch
    :param model: Keras model to attack
    :param sess: active TensorFlow session
    :return: adversarial examples as a numpy array
    """
    attacker = BasicIterativeMethod(KerasModelWrapper(model), sess=sess)
    return attacker.generate_np(train_data, eps_iter=0.01, nb_iter=10,
                                clip_min=0., clip_max=1.)