def get_errors(penalty=0):
#Build network.
input_layer = lasagne.layers.InputLayer((None,d), name="input_layer")
output_layer = lasagne.layers.DenseLayer(incoming=input_layer,num_units=1, name="output_layer", nonlinearity=None)
#Build cost and symbolic variables.
X = input_layer.input_var
y = theano.tensor.matrix("y")
prediction = lasagne.layers.get_output(output_layer)
hard_prediction = theano.tensor.round(prediction)
mse = theano.tensor.mean((y-prediction)**2)
accuracy = theano.tensor.mean(theano.tensor.eq(y,hard_prediction))
L1_penalty = penalty*lasagne.regularization.regularize_layer_params(output_layer, lasagne.regularization.l1)
cost = mse+L1_penalty
lower_index, upper_index = theano.tensor.lscalar("lower_index"), theano.tensor.lscalar("upper_index")
#Get updates
learning_rate = 0.01
updates = lasagne.updates.sgd(loss_or_grads=cost, params = lasagne.layers.get_all_params(output_layer),
learning_rate=learning_rate)
#Compile functions.
train_foo = theano.function(inputs=[lower_index,upper_index],updates=updates,
givens={X:train_X[lower_index:upper_index,:],
y:train_y[lower_index:upper_index,:]})
get_cost = theano.function(inputs=[X,y], outputs=mse)
get_acc = theano.function(inputs=[X,y], outputs=accuracy)
#Training time.
n_epochs = 10000
mini_batch_size = 3000
costs = []
for epoch in range(n_epochs):
current_cost = get_cost(val_X.get_value(borrow=True), val_y.get_value(borrow=True))
costs.append(current_cost)
a = get_acc(val_X.get_value(borrow=True), val_y.get_value(borrow=True))
print "Epoch: %s, Validation MSE: %s Accuracy: %s" % (epoch, current_cost, a)
for index in range(0,N,mini_batch_size ):
train_foo(index,index+mini_batch_size)
return costs
#Save results.
save = False
if save:
W = output_layer.W.get_value()
plot_path = "/home/harri/Dropbox/Work/CDT/DDS/weights.png"
helper.plot_image(W, save_path=plot_path)
params = {"W":W, "b":output_layer.b.get_value()}
pickle_path = "/home/harri/Dropbox/Work/CDT/DDS/params.pkl"
with open(pickle_path, "wb") as param_file:
cp.dump(params, param_file)
else:
W = output_layer.W.get_value()
helper.plot_image(W)
def attack(self, img, model, target=None, pixel_count=1,
maxiter=75, popsize=400, verbose=False, plot=False):
# Change the target class based on whether this is a targeted attack or not
targeted_attack = target is not None
target_class = target if targeted_attack else self.y_test[img,0]
# Define bounds for a flat vector of x,y,r,g,b values
# For more pixels, repeat this layout
dim_x, dim_y = self.dimensions
bounds = [(0,dim_x), (0,dim_y), (0,256), (0,256), (0,256)] * pixel_count
# Population multiplier, in terms of the size of the perturbation vector x
popmul = max(1, popsize // len(bounds))
# Format the predict/callback functions for the differential evolution algorithm
predict_fn = lambda xs: self.predict_classes(
xs, self.x_test[img], target_class, model, target is None)
callback_fn = lambda x, convergence: self.attack_success(
x, self.x_test[img], target_class, model, targeted_attack, verbose)
# Call Scipy's Implementation of Differential Evolution
attack_result = differential_evolution(
predict_fn, bounds, maxiter=maxiter, popsize=popmul,
recombination=1, atol=-1, callback=callback_fn, polish=False)
# Calculate some useful statistics to return from this function
attack_image = helper.perturb_image(attack_result.x, self.x_test[img])[0]
prior_probs = model.predict(np.array([self.x_test[img]]))[0]
predicted_probs = model.predict(np.array([attack_image]))[0]
predicted_class = np.argmax(predicted_probs)
actual_class = self.y_test[img,0]
success = predicted_class != actual_class
cdiff = prior_probs[actual_class] - predicted_probs[actual_class]
# Show the best attempt at a solution (successful or not)
if plot:
helper.plot_image(attack_image, actual_class, self.class_names, predicted_class)
return [model.name, pixel_count, img, actual_class, predicted_class, success, cdiff, prior_probs, predicted_probs, attack_result.x]
keras.backend.set_learning_phase(0)
# (x_train, y_train), (x_test, y_test) = cifar10.load_data()
class_names = [
'airplane', 'automobile', 'bird', 'cat', 'deer', 'dog', 'frog', 'horse',
'ship', 'truck'
]
images_id = 2
images, labels = foolbox.utils.samples(dataset='cifar10',
index=0,
batchsize=10)
images = np.array([img_to_array(original) for original in images
]) # Convert the PIL image to a numpy array
# 绘画干净图片
helper.plot_image(images[images_id])
# print(np.shape(images))
# print(np.shape(labels))
#
# print(images[images_id][27,22])
# print(images[images_id][21][24][1])
# print(images[images_id][22][7][2])
#自定义网络
# lenet = LeNet()
# resnet = ResNet()
# resnet.train()
model_filename = 'networks/models/resnet.h5'
resnet = load_model(model_filename)
models = [resnet]
def single_pixel_attack(images,
labels,
class_names,
img_id,
model,
target=None,
pixel_count=1,
maxiter=75,
popsize=400,
verbose=False,
plot=False,
dimensions=(32, 32)):
# Change the target class based on whether this is a targeted attack or not
targeted_attack = target is not None
target_class = target if targeted_attack else labels[img_id, 0]
ack = PixelAttacker([model], (images, labels), class_names)
# Define bounds for a flat vector of x,y,r,g,b values
# For more pixels, repeat this layout
dim_x, dim_y = dimensions
bounds = [(0, dim_x), (0, dim_y), (0, 256), (0, 256),
(0, 256)] * pixel_count
# Population multiplier, in terms of the size of the perturbation vector x
popmul = max(1, popsize // len(bounds))
# Format the predict/callback functions for the differential evolution algorithm
def predict_fn(xs):
return ack.predict_classes(xs, images[img_id], target_class, model,
target is None)
def callback_fn(x, convergence):
return ack.attack_success(x, images[img_id], target_class, model,
targeted_attack, verbose)
# Call Scipy's Implementation of Differential Evolution
attack_result = differential_evolution(predict_fn,
bounds,
maxiter=maxiter,
popsize=popmul,
recombination=1,
atol=-1,
callback=callback_fn,
polish=False)
# Calculate some useful statistics to return from this function
attack_image = helper.perturb_image(attack_result.x, images[img_id])[0]
prior_probs = model.predict(np.array([images[img_id]]))[0]
predicted_probs = model.predict(np.array([attack_image]))[0]
predicted_class = np.argmax(predicted_probs)
actual_class = labels[img_id, 0]
success = predicted_class != actual_class
cdiff = prior_probs[actual_class] - predicted_probs[actual_class]
# Show the best attempt at a solution (successful or not)
if plot:
helper.plot_image(attack_image, actual_class, class_names,
predicted_class)
return [
attack_image, model.name, pixel_count, img_id, actual_class,
predicted_class, success, cdiff, prior_probs, predicted_probs,
attack_result.x
]
filenames = ['data/balloon.jpg']
# The labels of each corresponding image
labels = [word_to_class['balloon']]
# Download all image files
# for url, filename in zip(urls, filenames):
# print('Downloading', filename)
# helper.download_from_url(url, filename)
originals = [
load_img(filename, target_size=(224, 224)) for filename in filenames
] # Load an image in PIL format
images = np.array([img_to_array(original) for original in originals
]) # Convert the PIL image to a numpy array
helper.plot_image(images[0])
#加载模型
model = keras.applications.ResNet50()
#processed_images = preprocess_input(images.copy()) # Prepare the image for the model
processed_images = images
predictions = model.predict(
processed_images) # Get the predicted probabilities for each class
label = decode_predictions(
predictions) # Convert the probabilities to class labels
print(label)
#扰动图片
pixel = np.array([112, 112, 255, 255, 0]) # pixel = x,y,r,g,b
def attack(self,
img,
model,
target=None,
pixel_count=1,
maxiter=75,
popsize=400,
verbose=False,
plot=False):
# Change the target class based on whether this is a targeted attack or not
targeted_attack = target is not None
target_class = target if targeted_attack else self.y_test[img, 0]
# print("----------------------------------------------------",self.y_test[img,0])
# print("++++++++++++++++++++++++++++++++++++++++++++++++++++",target_class)
# Define bounds for a flat vector of x,y,r,g,b values
# For more pixels, repeat this layout
dim_x, dim_y = self.dimensions
# bounds = [(0,dim_x), (0,dim_y), (0,256), (0,256), (0,256)] * pixel_count
bounds = [(0, dim_x), (0, dim_y), (0, 256)] * pixel_count
# Population multiplier, in terms of the size of the perturbation vector x
popmul = max(1, popsize // len(bounds))
# Format the predict/callback functions for the differential evolution algorithm
predict_fn = lambda xs: self.predict_classes(xs, self.x_test[
img], target_class, model, target is None)
# print(predict_fn)
callback_fn = lambda x, convergence: self.attack_success(
x, self.x_test[img], target_class, model, targeted_attack, verbose)
# print(callback_fn)
#print('模型的输入:',predict_fn,'类型为:',predict_fn.type)
# Call Scipy's Implementation of Differential Evolution
# attack_result = differential_evolution(
# predict_fn, bounds, maxiter=maxiter, popsize=popmul,
# recombination=1, atol=-1, callback=callback_fn, polish=False)
attack_result = Random_Attack(pixel_count)
# Calculate some useful statistics to return from this function
attack_image = helper.perturb_image(attack_result, self.x_test[img])[0]
# Calculate the L2 norm to represent the revise size
L2_img = attack_image - self.x_test[img]
L2_img = np.array(L2_img)
L2_img = L2_img.reshape(784)
# print(L2_img)
L2_norm = np.sqrt(np.sum(np.square(L2_img)))
prior_probs = model.predict(np.array([self.x_test[img]]))[0]
# print('-----------------------_test1', prior_probs)
predicted_probs = model.predict(np.array([attack_image]))[0]
# print('-----------------------_test2', predicted_probs)
predicted_class = np.argmax(predicted_probs)
actual_class = self.y_test[img, 0]
success = predicted_class != actual_class
cdiff = prior_probs[actual_class] - predicted_probs[actual_class]
# Show the best attempt at a solution (successful or not)
if plot:
helper.plot_image(attack_image, actual_class, self.class_names,
predicted_class)
return [
model.name, pixel_count, img, actual_class, predicted_class,
success, cdiff, prior_probs, predicted_probs, attack_result,
L2_norm
]
model_filename = 'networks/models/resnet.h5'
resnet = load_model(model_filename)
models = [resnet]
#样本个数
n = 100
#成功的个数
m = 0
fmodel = foolbox.models.KerasModel(resnet, bounds=(0, 255))
# 攻击
attack_ = foolbox.v1.attacks.RandomProjectedGradientDescent(fmodel)
for images_id in range(1, 2):
print("images_id", images_id)
# 绘画干净图片
helper.plot_image(images[images_id])
# 预测干净图片的类别
clean_image_label = np.argmax(
resnet.predict(np.asarray([images[images_id]], dtype=np.float32)))
print("干净图片的类别:", clean_image_label)
adversarial = attack_(images[images_id], labels[images_id])
# try:
# # 生成对抗样本
# adversarial = attack_(images[images_id], labels[images_id])
# except:
# continue
# 预测对抗样本的类别
adversarial_label = np.argmax(resnet.predict(np.asarray([adversarial])))
print("对抗样本的类比:", adversarial_label)
network_stats, correct_imgs = helper.evaluate_models(models, images, labels)
correct_imgs = pd.DataFrame(
correct_imgs, columns=['name', 'img', 'label', 'confidence', 'pred'])
network_stats = pd.DataFrame(network_stats,
columns=['name', 'accuracy', 'param_count'])
print(network_stats)
pixel = np.array([16, 20, 0, 255, 255])
model = resnet
image_id = 1
true_class = labels[image_id, 0]
prior_confidence = model.predict_one(images[image_id])[true_class]
confidence = helper.predict_classes(pixel, images[image_id], true_class,
model)[0]
print('Confidence in true class', class_names[true_class], 'is', confidence)
print('Prior confidence was', prior_confidence)
helper.plot_image(helper.perturb_image(pixel, images[image_id])[0])
list = attack(images,
labels,
class_names,
image_id,
model,
pixel_count=3,
verbose=True,
plot=True)
print(list[10])
def attack(self,
img,
model,
target=None,
pixel_count=1,
maxiter=75,
popsize=400,
verbose=False,
plot=False):
"""
@img: index to the image you want to attack
@model: the model to attack
@target: the index to the target you want to aim for
@pixel_count: how many pixels to have in your attack
@maxiter: maximum number of iterations on optimization
@popsize: size of the population to use at each iteration of the optimization
@verbose: boolean, controls printing
@plot: boolean, whether to plot the final results
"""
# Change the target class based on whether this is a targeted attack or not
targeted_attack = target is not None
target_class = target if targeted_attack else self.y_test[img, 0]
# Define bounds for a flat vector of x,y,r,g,b values
# For more pixels, repeat this layout
dim_x, dim_y = self.dimensions
bounds = [(0, dim_x), (0, dim_y), (0, 256), (0, 256),
(0, 256)] * pixel_count
# Population multiplier, in terms of the size of the perturbation vector x
popmul = max(1, popsize // len(bounds))
# Format the predict/callback functions for the differential evolution algorithm
predict_fn = lambda xs: self.predict_classes(xs, self.x_test[
img], target_class, model, target is None)
callback_fn = lambda x, convergence: self.attack_success(
x, self.x_test[img], target_class, model, targeted_attack, verbose)
# Call Scipy's Implementation of Differential Evolution
attack_result = differential_evolution(predict_fn,
bounds,
maxiter=maxiter,
popsize=popmul,
recombination=1,
atol=-1,
callback=callback_fn,
polish=False)
# Calculate some useful statistics to return from this function
attack_image = helper.perturb_image(attack_result.x,
self.x_test[img])[0]
prior_probs = model.predict(np.array([self.x_test[img]]))[0]
predicted_probs = model.predict(np.array([attack_image]))[0]
predicted_class = np.argmax(predicted_probs)
actual_class = self.y_test[img, 0]
success = predicted_class != actual_class
cdiff = prior_probs[actual_class] - predicted_probs[actual_class]
# Show the best attempt at a solution (successful or not)
if plot:
helper.plot_image(attack_image, actual_class, self.class_names,
predicted_class)
return [
model.name, pixel_count, img, actual_class, predicted_class,
success, cdiff, prior_probs, predicted_probs, attack_result.x
]
def attack(self,
img,
model,
target=None,
pixel_count=1,
maxiter=75,
popsize=400,
verbose=False,
plot=False):
# img 只是测试图片在测试集中的index
# Change the target class based on whether this is a targeted attack or not
targeted_attack = target is not None
# target_class 应该是图片属于的类
target_class = target if targeted_attack else self.y_test[img, 0]
# Define bounds for a flat vector of x,y,r,g,b values
# For more pixels, repeat this layout
dim_x, dim_y = self.dimensions
bounds = [(0, dim_x), (0, dim_y), (0, 256)] * pixel_count
# Population multiplier, in terms of the size of the perturbation vector x
popmul = max(1, popsize // len(bounds))
# Format the predict/callback functions for the differential evolution algorithm
predict_fn = lambda xs: self.predict_classes(xs, self.x_test[
img], target_class, model, target is None)
callback_fn = lambda x, convergence: self.attack_success(
x, self.x_test[img], target_class, model, targeted_attack, verbose)
# Call Scipy's Implementation of Differential Evolution
attack_result = differential_evolution(predict_fn,
bounds,
maxiter=maxiter,
popsize=popmul,
recombination=1,
atol=-1,
callback=callback_fn,
polish=False)
#
# print(attack_result)
# Calculate some useful statistics to return from this function
attack_image = helper.perturb_image(attack_result.x,
self.x_test[img])[0]
prior_probs = model.predict(np.array([self.x_test[img]]))[0]
predicted_probs = model.predict(np.array([attack_image]))[0]
predicted_class = np.argmax(predicted_probs)
actual_class = self.y_test[img, 0]
success = predicted_class != actual_class
cdiff = prior_probs[int(actual_class)] - predicted_probs[int(
actual_class)]
# Show the best attempt at a solution (successful or not)
if plot:
helper.plot_image(attack_image, actual_class, self.class_names,
predicted_class)
return [
model.name, pixel_count, img, actual_class, predicted_class,
success, cdiff, prior_probs, predicted_probs, attack_result.x,
attack_result.img
]
