def cw(datasets, sample, model_name, target,
store_path, ini_con=10, start=0, end=10000, batch_size=32, epoch=9, mu=False, mu_var='gf', de=False, attack='fgsm'):
"""
Carlini and Wagner's attack
:param datasets
:param sample: inputs to attack
:param target: the class want to generate
:param nb_classes: number of output classes
:return:
"""
tf.reset_default_graph()
X_train, Y_train, X_test, Y_test = get_data(datasets)
# sess, preds, x, y, model, feed_dict = model_load(datasets, model_name, epoch=epoch)
sess, preds, x, y, model, feed_dict = model_load(datasets, model_name, epoch=epoch, mu=mu, mu_var=mu_var, de=de, attack=attack)
print('load successfule')
###########################################################################
# Craft adversarial examples using Carlini and Wagner's approach
###########################################################################
'''
if 'mnist' == datasets:
sample = np.asarray([np.asarray(imread(sample_path)).reshape(28, 28, 1)]).astype('float32')
sample = preprocess_image_1(sample)
elif 'cifar10' == datasets:
sample = np.asarray([np.asarray(imread(sample_path)).reshape(32, 32, 3)]).astype('float32')
sample = preprocess_image_1(sample)
elif 'svhn' == datasets:
sample = np.asarray([np.asarray(imread(sample_path)).reshape(32,32,3)]).astype('float32')
sample = preprocess_image_1(sample)
'''
input_shape, nb_classes = get_shape(datasets)
sample=sample[start:end]
probabilities = model_prediction(sess, x, preds, sample, feed=feed_dict)
current_class=[]
for i in range(0, probabilities.shape[0]):
current_class.append(np.argmax(probabilities[i]))
if not os.path.exists(store_path):
os.makedirs(store_path)
'''
if target == current_class:
return 'The target is equal to its original class'
elif target >= nb_classes or target < 0:
return 'The target is out of range'
'''
#only for correct:
Y_test=Y_test[start:end]
#sample=sample[start:end]
acc_pre_index=[]
for i in range(0, sample.shape[0]):
if current_class[i]==np.argmax(Y_test[i]):
acc_pre_index.append(i)
print('current_class',current_class)
print('Start generating adv. example for target class %i' % target)
# Instantiate a CW attack object
sample_acc=np.zeros(shape=(len(acc_pre_index),input_shape[1], input_shape[2], input_shape[3]), dtype='float')
current_class_acc=np.zeros(shape=(len(acc_pre_index)), dtype=int)
for i in range(0, len(acc_pre_index)):
sample_acc[i]=sample[acc_pre_index[i]]
current_class_acc[i]=current_class[acc_pre_index[i]]
print('current_class_acc',current_class_acc)
cw = CarliniWagnerL2(model, back='tf', sess=sess)
one_hot = np.zeros((1, nb_classes), dtype=np.float32)
one_hot[0, target] = 1
adv_ys = one_hot
yname = "y_target"
if 'mnist' == datasets:
cw_params = {'binary_search_steps': 1,
yname: adv_ys,
'max_iterations': 1000,
'learning_rate': 0.1,
'batch_size': 1,
'initial_const': ini_con}
elif 'cifar10' == datasets:
cw_params = {'binary_search_steps': 1,
yname: adv_ys,
'max_iterations': 1000,
'learning_rate': 0.1,
'batch_size': 1,
'initial_const': ini_con}
suc=0
nb_batches = int(math.ceil(float(sample_acc.shape[0]) / batch_size))
for batch in range(nb_batches):
start_batch=batch*batch_size
end_batch=(batch+1)*batch_size
if end_batch>sample_acc.shape[0]:
end_batch=sample_acc.shape[0]
adv_inputs=sample_acc[start_batch:end_batch]
for j in range(start_batch, end_batch):
if current_class_acc[j]!=target:
adv_input=adv_inputs[j-start_batch].reshape(1,input_shape[1],input_shape[2],input_shape[3])
adv = cw.generate_np(adv_input, **cw_params)
#print(adv.shape)
#print(adv)
new_class_labels = model_argmax(sess, x, preds, adv, feed=feed_dict)
res = int(new_class_labels == target)
if res == 1:
adv=adv.reshape(adv.shape[1],adv.shape[2],adv.shape[3])
#adv_img_deprocessed = deprocess_image_1(adv)
#adv_img_deprocessed=adv_img_deprocessed.reshape(adv_img_deprocessed.shape[1],adv_img_deprocessed.shape[2])
suc+=1
path = store_path + '/' + str(start+acc_pre_index[j]) + '_' + str(time.time()*1000) + '_' + str(current_class_acc[j]) + '_' + str(new_class_labels)
#path = store_path + '/' + str(start+acc_pre_index[j]) + '_' + str(time.time()*1000) + '_' + str(current_class_acc[j]) + '_' + str(new_class_labels)+'.png'
#path=store_path + '/' + str(j)+ '_'+ str(current_class_acc[j]) +'.png'
#imsave(path, adv)
np.save(path, adv)
#print(adv.shape)
sess.close()
return suc, len(acc_pre_index)
def model_training(datasets,
model_name,
samples_path=None,
nb_epochs=6,
batch_size=256,
learning_rate=0.001,
attack=None,
mu=False,
mu_var='gf'):
# Set TF random seed to improve reproducibility
tf.set_random_seed(1234)
config = tf.ConfigProto()
config.gpu_options.allow_growth = True
#config.gpu_options.per_process_gpu_memory_fraction = 0.9
# Create TF session and set as Keras backend session
sess = tf.Session(config=config)
print("Created TensorFlow session.")
set_log_level(logging.DEBUG)
X_train, Y_train, X_test, Y_test = get_data(datasets)
def y_one_hot(label):
y = np.zeros(10)
y[label] = 1
return y
if samples_path != None:
[image_list, image_files, real_labels,
predicted_labels] = get_data_file(samples_path)
#samples_adv = np.asarray([preprocess_image_1(image.astype('float64')) for image in image_list])
samples_adv = np.asarray(image_list)
#print(samples_adv.shape)
labels_adv = np.asarray(
[y_one_hot(int(label)) for label in real_labels])
samples = np.concatenate((X_train, samples_adv))
#print(samples.shape)
labels = np.concatenate((Y_train, labels_adv))
if mu == True:
model_path = path.mude_model_path + mu_var + '/' + attack + '/' + datasets + "_" + model_name
else:
model_path = path.de_model_path + attack + '/' + datasets + "_" + model_name
else:
samples = X_train
labels = Y_train
model_path = path.model_path + datasets + "_" + model_name
input_shape, nb_classes = get_shape(datasets)
# Define input TF placeholder
x = tf.placeholder(tf.float32, shape=input_shape)
y = tf.placeholder(tf.float32, shape=(None, nb_classes))
feed_dict = None
model = model_dict[model_name](input_shape, nb_classes)
preds = model(x)
print("Defined TensorFlow model graph.")
###########################################################################
# Training the model using TensorFlow
###########################################################################
train_params = {
'nb_epochs': nb_epochs,
'batch_size': batch_size,
'learning_rate': learning_rate,
'train_dir': model_path,
'filename': model_name + '.model'
}
sess.run(tf.global_variables_initializer())
rng = np.random.RandomState([2017, 8, 30])
model_train(sess,
x,
y,
preds,
samples,
labels,
args=train_params,
rng=rng,
save=True)
# Evaluate the accuracy of the model on legitimate test examples
eval_params = {'batch_size': batch_size}
accuracy = model_eval(sess,
x,
y,
preds,
X_test,
Y_test,
args=eval_params,
feed=feed_dict)
print('Test accuracy on legitimate test examples: {0}'.format(accuracy))
#accuracy = model_eval(sess, x, y, preds, X_test, Y_test, args=eval_params, feed=feed_dict)
# Close TF session
sess.close()
print('Finish model training.')
def submodel_training(datasets,
submodel_name,
target_model,
batch_size=256,
learning_rate=0.001,
data_aug=6,
lmbda=0.1,
nb_epochs=10,
holdout=150):
# Set TF random seed to improve reproducibility
tf.set_random_seed(1234)
config = tf.ConfigProto()
#config.gpu_options.per_process_gpu_memory_fraction = 0.7
config.gpu_options.allow_growth = True
# Create TF session and set as Keras backend session
sess = tf.Session(config=config)
print("Created TensorFlow session.")
set_log_level(logging.DEBUG)
model_path = path.model_path + datasets + "_" + submodel_name + "_" + target_model
X_train, Y_train, X_test, Y_test = get_data(datasets)
input_shape, nb_classes = get_shape(datasets)
# Define input TF placeholder
sess, preds, x, y, model, feed_dict = model_load(datasets, target_model)
rng = np.random.RandomState([2017, 8, 30])
# Initialize substitute training set reserved for adversary
X_sub = X_test[:holdout]
Y_sub = np.argmax(Y_test[:holdout], axis=1)
model_sub = model_dict[submodel_name](input_shape, nb_classes)
preds_sub = model_sub(x)
print("Defined TensorFlow model graph for the substitute.")
# Define the Jacobian symbolically using TensorFlow
grads = jacobian_graph(preds_sub, x, nb_classes)
# Train the substitute and augment dataset alternatively
for rho in xrange(data_aug):
print("Substitute training epoch #" + str(rho))
train_params = {
'nb_epochs': nb_epochs,
'batch_size': batch_size,
'learning_rate': learning_rate,
'train_dir': model_path,
'filename': 'substitute.model'
}
with TemporaryLogLevel(logging.WARNING, "nmutant_util.utils.tf"):
model_train(sess,
x,
y,
preds_sub,
X_sub,
to_categorical(Y_sub, nb_classes),
init_all=False,
args=train_params,
rng=rng,
save=True)
# If we are not at last substitute training iteration, augment dataset
if rho < data_aug - 1:
print("Augmenting substitute training data.")
# Perform the Jacobian augmentation
lmbda_coef = 2 * int(int(rho / 3) != 0) - 1
X_sub = jacobian_augmentation(sess, x, X_sub, Y_sub, grads,
lmbda_coef * lmbda)
print("Labeling substitute training data.")
# Label the newly generated synthetic points using the black-box
Y_sub = np.hstack([Y_sub, Y_sub])
X_sub_prev = X_sub[int(len(X_sub) / 2):]
eval_params = {'batch_size': batch_size}
bbox_val = batch_eval(sess, [x], [preds], [X_sub_prev],
args=eval_params,
feed=feed_dict)[0]
# Note here that we take the argmax because the adversary
# only has access to the label (not the probabilities) output
# by the black-box model
Y_sub[int(len(X_sub) / 2):] = np.argmax(bbox_val, axis=1)
# Close TF session
sess.close()
print('Finish model training.')
def fgsm(datasets, sample, model_name, epoch, store_path, step_size='0.3', batch_size=256):
"""
:param datasets
:param sample: inputs to attack
:param target: the class want to generate
:param nb_classes: number of output classes
:return:
"""
tf.reset_default_graph()
X_train, Y_train, X_test, Y_test = get_data(datasets)
input_shape, nb_classes = get_shape(datasets)
sess, preds, x, y, model, feed_dict = model_load(datasets, model_name, epoch)
###########################################################################
# Craft adversarial examples using the FGSM approach
###########################################################################
# Initialize the Fast Gradient Sign Method (FGSM) attack object and
# graph
'''
if 'mnist' == datasets:
#sample = np.asarray([np.asarray(imread(sample_path)).reshape(28,28,1)]).astype('float32')
#sample = preprocess_image_1(sample)
print('1')
elif 'cifar10' == datasets:
sample = np.asarray([np.asarray(imread(sample_path)).reshape(32,32,3)]).astype('float32')
sample = preprocess_image_1(sample)
elif 'svhn' == datasets:
sample = np.asarray([np.asarray(imread(sample_path)).reshape(32,32,3)]).astype('float32')
sample = preprocess_image_1(sample)
#print(sample.shape)
'''
probabilities = model_prediction(sess, x, preds, sample, feed=feed_dict)
if sample.shape[0] == 1:
current_class = np.argmax(probabilities)
else:
current_class = np.argmax(probabilities, axis=1)
if not os.path.exists(store_path):
os.makedirs(store_path)
# only for correct:
acc_pre_index=[]
for i in range(0, sample.shape[0]):
if current_class[i]==np.argmax(Y_test[i]):
acc_pre_index.append(i)
sample_acc=np.zeros(shape=(len(acc_pre_index),input_shape[1], input_shape[2], input_shape[3]), dtype='float32')
probabilities_acc=np.zeros(shape=(len(acc_pre_index),nb_classes), dtype='float32')
current_class_acc=np.zeros(shape=(len(acc_pre_index)), dtype=int)
for i in range(0, len(acc_pre_index)):
sample_acc[i]=sample[acc_pre_index[i]]
probabilities_acc[i]=probabilities[acc_pre_index[i]]
current_class_acc[i]=current_class[acc_pre_index[i]]
print('Start generating adv. example')
#print(float(step_size))
if 'mnist' == datasets:
fgsm_params = {'eps': float(step_size),
'clip_min': 0.,
'clip_max': 1.}
elif 'cifar10' == datasets:
fgsm_params = {'eps': float(step_size),
'clip_min': 0.,
'clip_max': 1.}
elif 'svhn' == datasets:
fgsm_params = {'eps': float(step_size),
'clip_min': 0.,
'clip_max': 1.}
fgsm = FastGradientMethod(model, sess=sess)
adv_x = fgsm.generate(x, **fgsm_params)
nb_batches = int(math.ceil(float(sample_acc.shape[0]) / batch_size))
suc=0
for batch in range(nb_batches):
#start, end = batch_indices(batch, sample_acc.shape[0], batch_size)
print(batch)
start=batch*batch_size
end=(batch+1)*batch_size
if end>sample_acc.shape[0]:
end=sample_acc.shape[0]
adv= sess.run(adv_x,feed_dict={x: sample_acc[start:end], y: probabilities_acc[start:end]})
adv_img_deprocessed = deprocess_image_1(adv)
# Check if success was achieved
#probabilities = model_prediction(sess, x, preds, sample, feed=feed_dict)
new_class_label = model_argmax(sess, x, preds, adv, feed=feed_dict) # Predicted class of the generated adversary
for i in range(0, len(new_class_label)):
j=batch*batch_size+i
if new_class_label[i]!=current_class_acc[j]:
suc+=1
path = store_path + '/adv_'+ str(time.time()*1000) + '_' + str(acc_pre_index[j]) + '_' + str(current_class_acc[j]) + '_' + str(new_class_label[i]) + '_.png'
# path = store_path + '/' + str(acc_pre_index[j]) + '_' + str(time.time()*1000) + '_' + str(current_class_acc[j]) + '_' + str(new_class_label[i]) + '.png'
imsave(path, adv_img_deprocessed[i])
# Close TF session
sess.close()
return suc, len(acc_pre_index)
def ccv(datasets='mnist',
model='lenet1',
de_model='lenet1',
attack='fgsm',
epoch=49,
de_epoch=49):
"""
:param datasets
:param model
:param samples_path
:return:
"""
tf.reset_default_graph()
# Object used to keep track of (and return) key accuracies
print("load defense model.")
sess, preds, x, y, model, feed_dict = model_load(datasets,
model,
epoch=epoch)
X_train, Y_train, X_test, Y_test = get_data(datasets)
input_shape, nb_classes = get_shape(datasets)
feed_dict_de = None
result_nor = model_prediction(sess,
x,
preds,
X_test,
feed=feed_dict,
datasets=datasets)
#result_nor=sess.run(preds, feed_dict={x:X_test[0:1000]})
#print(result_nor)
#print(model)
#print(get_model_dict())
tf.reset_default_graph()
sess, preds_de, x, y, model_de, feed_dict = model_load(datasets,
de_model,
True,
attack=attack,
epoch=de_epoch)
#result_de=sess.run(preds_de, feed_dict={x:X_test[0:1000]})
result_de = model_prediction(sess,
x,
preds_de,
X_test,
feed=feed_dict,
datasets=datasets)
#print(result_de)
# print('average confidence of adversarial class %.4f' %(result))
result = 0
num = 0
for i in range(Y_test.shape[0]):
if (np.argmax(Y_test[i]) == np.argmax(result_nor[i])) and (np.argmax(
Y_test[i]) == np.argmax(result_de[i])):
num += 1
result += abs(result_nor[i][np.argmax(Y_test[i])] -
result_de[i][np.argmax(Y_test[i])])
# Close TF session
print(result / num)
sess.close()
return result / num
def blackbox(datasets,
sample,
model_name,
submodel_name,
store_path,
step_size=0.3,
batch_size=256):
"""
the black-box attack from arxiv.org/abs/1602.02697
:param datasets
:param sample: inputs to attack
:param target: the class want to generate
:param nb_classes: number of output classes
:return:
"""
# Simulate the black-box model locally
# You could replace this by a remote labeling API for instance
print("Preparing the black-box model.")
tf.reset_default_graph()
X_train, Y_train, X_test, Y_test = get_data(datasets)
input_shape, nb_classes = get_shape(datasets)
sess, bbox_preds, x, y, model, feed_dict = model_load(datasets, model_name)
# Train substitute using method from https://arxiv.org/abs/1602.02697
print("Preparing the substitute model.")
model_sub, preds_sub = sub_model_load(sess, datasets, submodel_name,
model_name)
###########################################################################
# Craft adversarial examples using the Blackbox approach
###########################################################################
# Initialize the Fast Gradient Sign Method (FGSM) attack object.
'''
if 'mnist' == datasets:
sample = np.asarray([np.asarray(imread(sample_path)).reshape(28,28,1)]).astype('float32')
sample = preprocess_image_1(sample)
elif 'cifar10' == datasets:
sample = np.asarray([np.asarray(imread(sample_path)).reshape(32,32,3)]).astype('float32')
sample = preprocess_image_1(sample)
elif 'svhn' == datasets:
sample = np.asarray([np.asarray(imread(sample_path)).reshape(32,32,3)]).astype('float32')
sample = preprocess_image_1(sample)
'''
probabilities = model_prediction(sess, x, model(x), sample, feed=feed_dict)
if sample.shape[0] == 1:
current_class = np.argmax(probabilities)
else:
current_class = np.argmax(probabilities, axis=1)
if not os.path.exists(store_path):
os.makedirs(store_path)
# only for correct:
acc_pre_index = []
for i in range(0, sample.shape[0]):
if current_class[i] == np.argmax(Y_test[i]):
acc_pre_index.append(i)
sample_acc = np.zeros(shape=(len(acc_pre_index), input_shape[1],
input_shape[2], input_shape[3]),
dtype='float32')
probabilities_acc = np.zeros(shape=(len(acc_pre_index), nb_classes),
dtype='float32')
current_class_acc = np.zeros(shape=(len(acc_pre_index)), dtype=int)
for i in range(0, len(acc_pre_index)):
sample_acc[i] = sample[acc_pre_index[i]]
probabilities_acc[i] = probabilities[acc_pre_index[i]]
current_class_acc[i] = current_class[acc_pre_index[i]]
if datasets == 'mnist':
fgsm_par = {
'eps': step_size,
'ord': np.inf,
'clip_min': 0.,
'clip_max': 1.
}
elif 'cifar10' == datasets:
fgsm_par = {
'eps': step_size,
'ord': np.inf,
'clip_min': 0.,
'clip_max': 1.
}
elif 'svhn' == datasets:
fgsm_par = {
'eps': step_size,
'ord': np.inf,
'clip_min': 0.,
'clip_max': 1.
}
fgsm = FastGradientMethod(model_sub, sess=sess)
# Craft adversarial examples using the substitute
x_adv_sub = fgsm.generate(x, **fgsm_par)
nb_batches = int(math.ceil(float(sample_acc.shape[0]) / batch_size))
suc = 0
for batch in range(nb_batches):
#start, end = batch_indices(batch, sample_acc.shape[0], batch_size)
print(batch)
start = batch * batch_size
end = (batch + 1) * batch_size
if end > sample_acc.shape[0]:
end = sample_acc.shape[0]
adv = sess.run(x_adv_sub,
feed_dict={
x: sample_acc[start:end],
y: probabilities_acc[start:end]
})
adv_img_deprocessed = deprocess_image_1(adv)
# Check if success was achieved
#probabilities = model_prediction(sess, x, preds, sample, feed=feed_dict)
new_class_label = model_argmax(
sess, x, model(x), adv,
feed=feed_dict) # Predicted class of the generated adversary
for i in range(0, len(new_class_label)):
j = batch * batch_size + i
if new_class_label[i] != current_class_acc[j]:
suc += 1
path = store_path + '/' + str(j) + '_' + str(
time.time() * 1000) + '_' + str(
current_class_acc[j]) + '_' + str(
new_class_label[i]) + '.png'
imsave(path, adv_img_deprocessed[i])
# Close TF session
sess.close()
return suc, len(acc_pre_index)
'''