def main(image_path, ckpt_path, predict_status=False):
    """Classify an image with VGG-19, craft an FGSM adversarial example,
    save the adversarial image and its perturbation next to the original,
    and display all three side by side.

    Args:
        image_path: path to the input image (the graph expects 224x224 RGB).
        ckpt_path: VGG-19 checkpoint restored into the session.
        predict_status: when True, print the clean prediction and return
            without running the attack.
    """
    # Build the inference graph; preprocessing happens inside the graph.
    images = tf.placeholder(tf.float32, (None, 224, 224, 3))
    preprocessed_images = vgg_preprocessing(images)
    logits, _ = vgg.vgg_19(preprocessed_images, is_training=False)
    restorer = tf.train.Saver(tf.trainable_variables())

    image = open_image(image_path)

    # Derive output names from the input path: foo.png -> foo-adv.png / foo-pert.png.
    stem, ext = os.path.splitext(image_path)
    adv_path = '{}-adv{}'.format(stem, ext)
    pert_path = '{}-pert{}'.format(stem, ext)

    with tf.Session() as session:
        restorer.restore(session, ckpt_path)
        model = TensorFlowModel(images, logits, (0, 255))

        label = np.argmax(model.predictions(image))
        print('label:', label)
        if predict_status:
            return

        # Untargeted FGSM with foolbox's default misclassification criterion.
        attack = FGSM(model)
        adversarial = attack(image, label=label)

        new_label = np.argmax(model.predictions(adversarial))
        print('new label:', new_label)

        # Cast before differencing so the saved perturbation matches the
        # uint8 images written to disk (same arithmetic as the original).
        image = image.astype(np.uint8)
        adversarial = adversarial.astype(np.uint8)
        pert = adversarial - image

        save_image(adversarial, adv_path)
        save_image(pert, pert_path)

        # Show original, adversarial, and perturbation in one row.
        for position, picture in enumerate((image, adversarial, pert), start=1):
            plt.subplot(1, 3, position)
            plt.imshow(picture)
        plt.show()
def run():
    """GUI callback: run the selected foolbox attack over the test set and
    save adversarial / original images plus their raw arrays to disk.

    Reads tk widgets (`attack_comboxlist`, `comboxlist`, `use_cuda`,
    `save_adv`, `save_ori`, `att_num`, `Receive_window`, `run_button`)
    defined elsewhere in the file.

    NOTE(review): this source was whitespace-mangled; the nesting of the
    bookkeeping at the bottom of the loop was reconstructed — confirm
    against the original file.
    """
    # Disable the button while the (long-running) attack is in progress.
    run_button.config(state='disabled')
    test_loader = load_data()
    torch_model = select_model()
    if use_cuda.get():
        log_text = 'Move model to cuda.'
        torch_model = torch_model.cuda()
    torch_model.eval()
    # Wrap the PyTorch net for foolbox; inputs are assumed normalized to [0, 1].
    fmodel = PyTorchModel(torch_model, bounds=[0, 1], num_classes=10)
    method = attack_comboxlist.get()
    log_text = 'Perform {} attack... \n'.format(method)
    send_information(Receive_window, log_text)
    # Lazily import only the attack the user selected.
    if method == 'FGSM':
        from foolbox.attacks import FGSM
        attack = FGSM(model=fmodel, criterion=Misclassification())
    if method == 'iFGSM':
        from foolbox.attacks import IterativeGradientSignAttack
        attack = IterativeGradientSignAttack(model=fmodel,
                                             criterion=Misclassification())
    if method == 'DeepFool':
        from foolbox.attacks import DeepFoolAttack
        attack = DeepFoolAttack(model=fmodel, criterion=Misclassification())
    # Output layout: attacks/<dataset>/<method>_ms/{hacked,hacked_data,original,original_data}
    attack_root = 'attacks/' + comboxlist.get() + '/' + method + '_ms'
    hacked_path = attack_root + '/hacked'
    hacked_data_path = attack_root + '/hacked_data'
    original_path = attack_root + '/original'
    original_data_path = attack_root + '/original_data'
    if os.path.exists(attack_root) is False:
        os.makedirs(attack_root)
        os.mkdir(hacked_path)
        os.mkdir(hacked_data_path)
        os.mkdir(original_path)
        os.mkdir(original_data_path)
    count = 1
    for data, label in test_loader:
        # Batch size is 1: unwrap the single sample and its scalar label.
        data = data[0].numpy()
        label = label.item()
        adversarial = attack(data, label)
        # foolbox returns None when it fails to find an adversarial.
        if adversarial is not None:
            # A zero-norm "adversarial" means nothing changed; skip it.
            if np.linalg.norm(adversarial - data) == 0:
                continue
            adv_label = np.argmax(fmodel.predictions(adversarial))
            if np.linalg.norm(adversarial - data) > 0:
                dataset = comboxlist.get()
                # Convert from normalized CHW float back to HW(C) uint8 range.
                if dataset == 'MNIST':
                    image_data = adversarial[0] * 255
                    ori_data = data[0] * 255
                if dataset == 'CIFAR10':
                    image_data = adversarial.transpose(1, 2, 0) * 255
                    ori_data = data.transpose(1, 2, 0) * 255
                if save_adv.get():
                    # File name encodes: index-trueLabel-advLabel
                    hackedname = hacked_data_path + '/' + str(
                        count) + '-' + str(label) + '-' + str(
                            adv_label) + ".npy"
                    np.save(hackedname, image_data)
                    image = Image.fromarray(image_data.astype(np.uint8))
                    image.save(
                        "{hackedpath}/{name}-{label}-{adv_label}.png".format(
                            hackedpath=hacked_path, name=count, label=label,
                            adv_label=adv_label))
                if save_ori.get():
                    oriname = original_data_path + '/' + str(
                        count) + '-' + str(label) + ".npy"
                    np.save(oriname, ori_data)
                    oriimage = Image.fromarray(ori_data.astype(np.uint8))
                    oriimage.save("{originalpath}/{name}-{label}.png".format(
                        originalpath=original_path, name=count, label=label))
                # Count only successfully generated (and changed) adversarials.
                count = count + 1
        # Progress log every 10% of the requested attack count.
        # NOTE(review): int(att_num.get()) / 10 is a float in Python 3, so the
        # modulo is float arithmetic — confirm att_num is a multiple of 10.
        if count % (int(att_num.get()) / 10) == 0:
            log_text = "Attack: {}/{}".format(count, att_num.get())
            send_information(Receive_window, log_text)
        if count > int(att_num.get()):
            break
    log_text = "Done! The adversarial images and correspoinding data are stored in attacks for next use in step4!"
    send_information(Receive_window, log_text)
    # Re-enable the button now that the run has finished.
    run_button.config(state='normal')
# preds_adv = model.get_probs(adv_x) model = TensorFlowModel(cnn.inputs,cnn.network,bounds=(0, 255)) from foolbox.criteria import TargetClassProbability target_class = 9 criterion = TargetClassProbability(target_class, p=0.99) from foolbox.attacks import FGSM attack=FGSM(model) image = train_images[0].reshape((28, 28, 1)) label = np.argmax(model.predictions(image)) adversarial = attack(image,label=label,epsilons=1,max_epsilon=0.03*255) import matplotlib.pyplot as plt plt.subplot(1, 3, 1) plt.imshow(image.reshape((28, 28)), cmap='gray',vmin=0, vmax=255) plt.gca().set_title(label) plt.subplot(1, 3, 2) plt.imshow(adversarial.reshape((28, 28)), cmap='gray',vmin=0, vmax=255) plt.gca().set_title(np.argmax(model.predictions(adversarial)))
plot_samples = 100 # Define plot path. if plot_sample: path = './adv_samples/' path += dataset if not os.path.exists(path): os.makedirs(path) # ------------------------------------------------- # ADVERSARIAL SAMPLE GENERATION # ------------------------------------------------- # Create Foolbox model from Keras ResNet classifier and FGSM attack type. foolbox_model = KerasModel(model, (0, 1)) attack = FGSM(foolbox_model) # Turn all test set samples into adversarial samples. for i in tqdm(range(len(X_te))): # Try to create an adversarial sample. adv_sample = attack(np.reshape(X_te[i], orig_dims), label=y_te[i], max_epsilon=max_epsilon) # In rare cases, sample generation might fail, which leaves adv_sample empty. if adv_sample is not None: # Successful adversarial samples are written back into the original matrix. X_te[i] = np.reshape(adv_sample, np.prod(orig_dims))
#print(anepval) totalsuccess=0 for abool in anepval: abool1=np.array(abool) #print(abool1) if abool1==True: totalsuccess+=1 listsuccess.append(totalsuccess) listsuccessPGD=listsuccess #apply FGSM attack attack=FGSM() epsilons=[0.0, 0.001, 0.01, 0.03, 0.1, 0.3, 0.5, 1.0] t0=time.process_time() _, advsFGSM, success = attack(fmodel, images, labels, epsilons=epsilons) t1=time.process_time() attacktimeFGSM=t1-t0 # print("done with attack") #print(success) listsuccessFGSM=[] for anepval in success: #print(anepval) totalsuccess=0 for abool in anepval: abool1=np.array(abool) #print(abool1)
def foolbox_attack(filter=None, filter_preserve='low', free_parm='eps',
                   plot_num=None):
    """Evaluate model robustness under LinfPGD or FGSM, optionally filtering
    the adversarial perturbation in DCT frequency space before measuring
    robust accuracy.

    Args:
        filter: if set, keep only an NxN corner of the DCT spectrum of the
            perturbation (N = filter) before re-applying it.
        filter_preserve: 'low' keeps low frequencies, 'high' keeps high ones.
        free_parm: which hyper-parameter to sweep ('eps' and/or 'step').
        plot_num: if set, run one batch and return the raw perturbation
            tensor instead of evaluating accuracy.

    NOTE(review): source was whitespace-mangled; loop nesting of the final
    print section was reconstructed — confirm against the original file.
    """
    # get model.
    model = get_model()
    model = nn.DataParallel(model).to(device)
    model = model.eval()
    # ImageNet normalization applied inside the foolbox wrapper (axis=-3 = channel dim).
    preprocessing = dict(mean=[0.485, 0.456, 0.406],
                         std=[0.229, 0.224, 0.225], axis=-3)
    fmodel = PyTorchModel(model, bounds=(0, 1), preprocessing=preprocessing)
    if plot_num:
        # Plot mode: disable parameter sweeps and load just plot_num images.
        free_parm = ''
        val_loader = get_val_loader(plot_num)
    else:
        # Load images.
        val_loader = get_val_loader(args.attack_batch_size)
    if 'eps' in free_parm:
        epsilons = [0.001, 0.003, 0.005, 0.008, 0.01, 0.1]
    else:
        epsilons = [0.01]
    if 'step' in free_parm:
        steps = [1, 5, 10, 30, 40, 50]
    else:
        steps = [args.iteration]
    for step in steps:
        # Adversarial attack.
        if args.attack_type == 'LinfPGD':
            attack = LinfPGD(steps=step)
        elif args.attack_type == 'FGSM':
            # FGSM is single-step; `step` has no effect here.
            attack = FGSM()
        clean_acc = 0.0
        for i, data in enumerate(val_loader, 0):
            # Samples (attack_batch_size * attack_epochs) images for adversarial attack.
            if i >= args.attack_epochs:
                break
            images, labels = data[0].to(device), data[1].to(device)
            if step == steps[0]:
                # Clean accuracy is step-independent; measure it once.
                clean_acc += (get_acc(
                    fmodel, images, labels
                )) / args.attack_epochs  # accumulate for attack epochs.
            # foolbox v3 works on eagerpy tensors.
            _images, _labels = ep.astensors(images, labels)
            raw_advs, clipped_advs, success = attack(fmodel, _images, _labels,
                                                     epsilons=epsilons)
            if plot_num:
                # Return the raw perturbation of the first epsilon for plotting.
                grad = torch.from_numpy(
                    raw_advs[0].numpy()).to(device) - images
                grad = grad.clone().detach_()
                return grad
            if filter:
                robust_accuracy = torch.empty(len(epsilons))
                for eps_id in range(len(epsilons)):
                    # Perturbation = adversarial - clean, per epsilon.
                    grad = torch.from_numpy(
                        raw_advs[eps_id].numpy()).to(device) - images
                    grad = grad.clone().detach_()
                    # Filter the perturbation in DCT frequency space.
                    freq = dct.dct_2d(grad)
                    if filter_preserve == 'low':
                        mask = torch.zeros(freq.size()).to(device)
                        mask[:, :, :filter, :filter] = 1
                    elif filter_preserve == 'high':
                        mask = torch.zeros(freq.size()).to(device)
                        mask[:, :, filter:, filter:] = 1
                    masked_freq = torch.mul(freq, mask)
                    new_grad = dct.idct_2d(masked_freq)
                    # Re-apply the filtered perturbation, clamped to valid pixels.
                    x_adv = torch.clamp(images + new_grad, 0, 1).detach_()
                    robust_accuracy[eps_id] = (get_acc(fmodel, x_adv, labels))
            else:
                # Robust accuracy = 1 - mean attack success rate per epsilon.
                robust_accuracy = 1 - success.float32().mean(axis=-1)
            # Running average over attack epochs.
            if i == 0:
                robust_acc = robust_accuracy / args.attack_epochs
            else:
                robust_acc += robust_accuracy / args.attack_epochs
        if step == steps[0]:
            print("sample size is : ",
                  args.attack_batch_size * args.attack_epochs)
            print(f"clean accuracy: {clean_acc * 100:.1f} %")
        print(
            f"Model {args.model} robust accuracy for {args.attack_type} perturbations with"
        )
        for eps, acc in zip(epsilons, robust_acc):
            print(
                f" Step {step}, Linf norm ≤ {eps:<6}: {acc.item() * 100:4.1f} %"
            )
        print(' -------------------')
#!/usr/bin/env python3 from foolbox.attacks import FGSM from robust_vision_benchmark import attack_server fgsm = FGSM() attack_server(fgsm)
# out_path = './tianchi2021_adv/pgd_resnet50_at/' # if not os.path.exists(out_path): # os.makedirs(out_path) # pgd = attacker.attack(model, inputs=images, labels=labels) # for t in range(args.batch_size): # pgd = np.transpose(pgd[t].detach().cpu().numpy(), (1, 2, 0)) # name = filenames[t] # if not os.path.exists(out_path): # os.makedirs(out_path) # out = out_path + name # scipy.misc.imsave(out, pgd) if args.fgsm is True: FGSM = attack_integrated(images, labels, 'FGSM') predictions = model(FGSM).argmax(1) print(FGSM.shape, FGSM.max(), FGSM.min(), predictions) adv_accuracy = (predictions == labels).float().mean() print("adv_accuracy ", adv_accuracy) accs_advs += adv_accuracy.item() if epoch < 5 or (epoch + 1) % 50 == 0: print(epoch, "fgsm adv: ", accs_advs / (epoch + 1)) for t in range(args.batch_size): ddn2 = np.transpose(FGSM[t].detach().cpu().numpy(), (1, 2, 0)) name = filenames[t] out_path = './tianchi2021_adv/fgsm_resnet152/' if not os.path.exists(out_path): os.makedirs(out_path) # print(out_path) out = out_path + name # ddn2 = scipy.misc.imresize(ddn2) scipy.misc.imsave(out, ddn2)