コード例 #1
0
ファイル: bnn.py プロジェクト: meiyan-xie/ibm-art-attack
def attack():
    x_train, x_test, y_train, y_test = load_data('cifar10', 2)
    min_pixel_value = x_train.min()
    max_pixel_value = x_train.max()
    print('min_pixel_value ', min_pixel_value)
    print('max_pixel_value ', max_pixel_value)

    s = time.time()

    # model = BNN(['../binary/checkpoints/cifar10_mlpbnn_approx_%d.h5' % (i) for i in range(100)])
    model = BNN([
        '../binary/checkpoints/cifar10_mlpbnn_approx_ep004_%d.h5' % (i)
        for i in range(100)
    ])

    pred_y = model.predict(x_test)
    print('pred_y: ', pred_y)
    np.savetxt('pred_y', pred_y)
    np.savetxt('y_test', y_test)
    print('pred_y[0], pred_y[288], pred_y[888], pred_y[1990], y[-1]',
          pred_y[0], pred_y[288], pred_y[888], pred_y[1990], y[-1])
    print('Accuracy: ', accuracy_score(y_true=y_test, y_pred=pred_y))

    # Create a model wrapper
    predictWrapper = modelWrapper(model)

    classifier = BlackBoxClassifier(predict=predictWrapper.predict_one_hot,
                                    input_shape=(32 * 32 * 3, ),
                                    nb_classes=2,
                                    clip_values=(min_pixel_value,
                                                 max_pixel_value))

    print('----- generate adv data -----')
    attack = BoundaryAttack(estimator=classifier,
                            targeted=False,
                            delta=0.01,
                            epsilon=0.01,
                            max_iter=100,
                            num_trial=100,
                            sample_size=100,
                            init_size=100)

    print('----- generate adv test data -----')
    x_test = x_test[288]
    # Input data shape should be 2D
    x_test = x_test.reshape((-1, 32 * 32 * 3))
    x_test_adv = attack.generate(x=x_test)

    print('x_test ', x_test)
    print('x_test_adv ', x_test_adv)

    dist2 = utils.computeDist2(x_test, x_test_adv)
    print('test data dist2: ', dist2)

    distInf = utils.computeDistInf(x_test, x_test_adv)
    print('test data distInf: ', distInf)

    print('Cost time: ', time.time() - s)
コード例 #2
0
def attackmodel(args, classifier, x_test, y_test, queries):
    acc = []
    for num_query in queries:
        if args['method'] == 'square':
            attack = SquareAttack(estimator=classifier,
                                  eps=args['epsilon'],
                                  max_iter=num_query,
                                  norm=2)
        elif args['method'] == 'zoo':
            attack = ZooAttack(classifier=classifier,
                               max_iter=num_query,
                               use_resize=False,
                               use_importance=False)
        elif args['method'] == 'boundary':
            attack = BoundaryAttack(estimator=classifier,
                                    targeted=False,
                                    max_iter=num_query)
        else:
            print("wrong method")
        x_test_adv = attack.generate(x=x_test)
        predictions = classifier.predict(x_test_adv)
        accuracy = np.sum(
            np.argmax(predictions, axis=1) == np.argmax(y_test, axis=1)) / len(
                y_test)
        print("Query:{}, and Accuracy: {:.4f}".format(num_query, accuracy))
        acc.append(accuracy)
    return acc
コード例 #3
0
def test_images(art_warning, fix_get_mnist_subset,
                image_dl_estimator_for_attack, framework, targeted):
    try:
        classifier = image_dl_estimator_for_attack(BoundaryAttack)
        attack = BoundaryAttack(estimator=classifier,
                                targeted=targeted,
                                max_iter=20)
        if targeted:
            backend_targeted_images(attack, fix_get_mnist_subset)
        else:
            back_end_untargeted_images(attack, fix_get_mnist_subset, framework)
    except ARTTestException as e:
        art_warning(e)
コード例 #4
0
def test_tabular(art_warning, tabular_dl_estimator, framework,
                 get_iris_dataset, clipped_classifier, targeted):
    try:
        classifier = tabular_dl_estimator(clipped=clipped_classifier)
        attack = BoundaryAttack(classifier, targeted=targeted, max_iter=10)
        if targeted:
            backend_targeted_tabular(attack, get_iris_dataset)
        else:
            backend_untargeted_tabular(attack,
                                       get_iris_dataset,
                                       clipped=clipped_classifier)
    except ARTTestException as e:
        art_warning(e)
コード例 #5
0
def test_images(fix_get_mnist_subset, get_image_classifier_list_for_attack, framework, targeted):
    classifier_list = get_image_classifier_list_for_attack(BoundaryAttack)
    if classifier_list is None:
        logging.warning("Couldn't perform  this test because no classifier is defined")
        return

    for classifier in classifier_list:

        attack = BoundaryAttack(estimator=classifier, targeted=targeted, max_iter=20)
        if targeted:
            backend_targeted_images(attack, fix_get_mnist_subset)
        else:
            back_end_untargeted_images(attack, fix_get_mnist_subset, framework)
コード例 #6
0
def test_tabular(get_tabular_classifier_list, framework, get_iris_dataset, clipped_classifier, targeted):
    classifier_list = get_tabular_classifier_list(BoundaryAttack, clipped=clipped_classifier)
    if classifier_list is None:
        logging.warning("Couldn't perform  this test because no classifier is defined")
        return

    for classifier in classifier_list:

        attack = BoundaryAttack(classifier, targeted=targeted, max_iter=10)
        if targeted:
            backend_targeted_tabular(attack, get_iris_dataset)
        else:
            backend_untargeted_tabular(attack, get_iris_dataset, clipped=clipped_classifier)
コード例 #7
0
def boundary_attack_run(model_to_attack, target_image, iterations=100):
    """
    This fonction runs the black box boundary attack

    inputs:
    -model_to_attack (tensorflow Model instance): model that will be attacked
    -target_image (numpy array (32*32)): image that will be attack
    -iterations (int): number of times to run the attack

    output:
    -degree_of_change (dict): keys: the number of the iteration, values: the degree of change
        between target and adversarial image

    """
    classifier = TensorFlowV2Classifier(
        model=model_to_attack,
        input_shape=(32, 32, 3),
        clip_values=(0, 255),
        nb_classes=10,
    )
    final_degree_of_change = {}
    attack = BoundaryAttack(estimator=classifier,
                            targeted=False,
                            max_iter=0,
                            delta=0.001,
                            epsilon=0.01)
    iter_step = 1
    image_list = []
    target = target_image
    x_adv = None
    for i in range(iterations):
        x_adv = attack.generate(x=np.array([target]), x_adv_init=x_adv)

        # clear_output()
        print(
            "Adversarial image at step %d." % (i * iter_step),
            "L2 error",
            np.linalg.norm(np.reshape(x_adv[0] - target, [-1])),
            "and class label %d." % np.argmax(classifier.predict(x_adv)[0]),
        )
        plt.imshow(x_adv[0][..., ::-1].astype("int32"))
        image_list.append(x_adv[0][..., ::-1].astype(np.uint))
        plt.show(block=False)
        final_degree_of_change[i * iter_step] = degree_of_change([x_adv[0]],
                                                                 [target])

        if hasattr(attack, "curr_delta") and hasattr(attack, "curr_epsilon"):
            attack.max_iter = iter_step
            attack.delta = attack.curr_delta
            attack.epsilon = attack.curr_epsilon
        else:
            break
    return final_degree_of_change
コード例 #8
0
ファイル: train_attacks.py プロジェクト: changx03/baard_exp2
def main():
    with open('data.json') as data_json:
        data_params = json.load(data_json)

    parser = argparse.ArgumentParser()
    parser.add_argument('--data', type=str)
    parser.add_argument('--data_path', type=str, default='data')
    parser.add_argument('--output_path', type=str, default='results')
    parser.add_argument('--pretrained', type=str, required=True)
    parser.add_argument('--batch_size', type=int, default=128)
    parser.add_argument('--attack', type=str, required=True, choices=data_params['attacks'])
    parser.add_argument('--eps', type=float, default=0.3)
    # NOTE: In CW_L2 attack, eps is the upper bound of c.
    parser.add_argument('--n_samples', type=int, default=2000)
    parser.add_argument('--random_state', type=int, default=1234)
    args = parser.parse_args()
    print(args)

    set_seeds(args.random_state)
    
    if not os.path.exists(args.output_path):
        print('Output folder does not exist. Create:', args.output_path)
        os.mkdir(args.output_path)
        
    print('Dataset:', args.data)
    print('Pretrained model:', args.pretrained)
    print('Running attack: {}'.format(args.attack))
    device = torch.device('cuda' if torch.cuda.is_available() else 'cpu')
    print('Device: {}'.format(device))

    # Prepare data
    transforms = tv.transforms.Compose([tv.transforms.ToTensor()])

    if args.data == 'mnist':
        dataset_train = datasets.MNIST(args.data_path, train=True, download=True, transform=transforms)
        dataset_test = datasets.MNIST(args.data_path, train=False, download=True, transform=transforms)
    elif args.data == 'cifar10':
        dataset_train = datasets.CIFAR10(args.data_path, train=True, download=True, transform=transforms)
        dataset_test = datasets.CIFAR10(args.data_path, train=False, download=True, transform=transforms)
    else:
        data_path = os.path.join(args.data_path, data_params['data'][args.data]['file_name'])
        print('Read file:', data_path)
        X, y = load_csv(data_path)

        X_train, X_test, y_train, y_test = train_test_split(
            X, y,
            test_size=data_params['data'][args.data]['n_test'],
            random_state=args.random_state)
        scaler = MinMaxScaler().fit(X_train)
        X_train = scaler.transform(X_train)
        X_test = scaler.transform(X_test)
        dataset_train = TensorDataset(torch.from_numpy(X_train).type(torch.float32), torch.from_numpy(y_train).type(torch.long))
        dataset_test = TensorDataset(torch.from_numpy(X_test).type(torch.float32), torch.from_numpy(y_test).type(torch.long))

    dataloader_train = DataLoader(dataset_train, 256, shuffle=False)
    dataloader_test = DataLoader(dataset_test, 256, shuffle=False)

    shape_train = get_shape(dataloader_train.dataset)
    shape_test = get_shape(dataloader_test.dataset)
    print('Train set:', shape_train)
    print('Test set:', shape_test)

    # Load model
    use_prob = args.attack not in ['apgd', 'apgd1', 'apgd2', 'cw2', 'cwinf']
    print('Attack:', args.attack)
    print('Using softmax layer:', use_prob)
    if args.data == 'mnist':
        model = BaseModel(use_prob=use_prob).to(device)
        model_name = 'basic'
    elif args.data == 'cifar10':
        model_name = args.pretrained.split('_')[1]
        if model_name == 'resnet':
            model = Resnet(use_prob=use_prob).to(device)
        elif model_name == 'vgg':
            model = Vgg(use_prob=use_prob).to(device)
        else:
            raise ValueError('Unknown model: {}'.format(model_name))
    else:
        n_features = data_params['data'][args.data]['n_features']
        n_classes = data_params['data'][args.data]['n_classes']
        model = NumericModel(
            n_features,
            n_hidden=n_features * 4,
            n_classes=n_classes,
            use_prob=use_prob).to(device)
        model_name = 'basic' + str(n_features * 4)

    optimizer = optim.SGD(model.parameters(), lr=0.01,
                          momentum=0.9, weight_decay=5e-4)
    loss = nn.CrossEntropyLoss()
    pretrained_path = os.path.join(args.output_path, args.pretrained)
    model.load_state_dict(torch.load(pretrained_path, map_location=device))

    _, acc_train = validate(model, dataloader_train, loss, device)
    _, acc_test = validate(model, dataloader_test, loss, device)
    print('Accuracy on train set: {:.4f}%'.format(acc_train * 100))
    print('Accuracy on test set: {:.4f}%'.format(acc_test * 100))

    # Create a subset which only contains recognisable samples.
    tensor_test_X, tensor_test_y = get_correct_examples(
        model, dataset_test, device=device, return_tensor=True)
    dataset_perfect = TensorDataset(tensor_test_X, tensor_test_y)
    loader_perfect = DataLoader(dataset_perfect, batch_size=512, shuffle=False)
    _, acc_perfect = validate(model, loader_perfect, loss, device)
    print('Accuracy on {} filtered test examples: {:.4f}%'.format(
        len(dataset_perfect), acc_perfect * 100))

    # Generate adversarial examples
    n_features = data_params['data'][args.data]['n_features']
    n_classes = data_params['data'][args.data]['n_classes']
    if isinstance(n_features, int):
        n_features = (n_features,)

    classifier = PyTorchClassifier(
        model=model,
        loss=loss,
        input_shape=n_features,
        optimizer=optimizer,
        nb_classes=n_classes,
        clip_values=(0.0, 1.0),
        device_type='gpu')

    if args.attack == 'apgd':
        eps_step = args.eps / 10.0 if args.eps <= 0.1 else 0.1
        attack = AutoProjectedGradientDescent(
            estimator=classifier,
            eps=args.eps,
            eps_step=eps_step,
            max_iter=1000,
            batch_size=args.batch_size,
            targeted=False)
    elif args.attack == 'apgd1':
        attack = AutoProjectedGradientDescent(
            estimator=classifier,
            norm=1,
            eps=args.eps,
            eps_step=0.1,
            max_iter=1000,
            batch_size=args.batch_size,
            targeted=False)
    elif args.attack == 'apgd2':
        attack = AutoProjectedGradientDescent(
            estimator=classifier,
            norm=2,
            eps=args.eps,
            eps_step=0.1,
            max_iter=1000,
            batch_size=args.batch_size,
            targeted=False)
    elif args.attack == 'bim':
        eps_step = args.eps / 10.0
        attack = BasicIterativeMethod(
            estimator=classifier,
            eps=args.eps,
            eps_step=eps_step,
            max_iter=1000,
            batch_size=args.batch_size,
            targeted=False)
    elif args.attack == 'boundary':
        attack = BoundaryAttack(
            estimator=classifier,
            max_iter=1000,
            sample_size=args.batch_size,
            targeted=False)
    elif args.attack == 'cw2':
        # NOTE: Do NOT increase the batch size!
        attack = CarliniWagnerAttackL2(
            model=model,
            n_classes=n_classes,
            confidence=args.eps,
            verbose=True,
            check_prob=False,
            batch_size=args.batch_size,
            targeted=False)
    elif args.attack == 'cwinf':
        attack = CarliniLInfMethod(
            classifier=classifier,
            confidence=args.eps,
            max_iter=1000,
            batch_size=args.batch_size,
            targeted=False)
    elif args.attack == 'deepfool':
        attack = DeepFool(
            classifier=classifier,
            epsilon=args.eps,
            batch_size=args.batch_size)
    elif args.attack == 'fgsm':
        attack = FastGradientMethod(
            estimator=classifier,
            eps=args.eps,
            batch_size=args.batch_size)
    elif args.attack == 'jsma':
        attack = SaliencyMapMethod(
            classifier=classifier,
            gamma=args.eps,
            batch_size=args.batch_size)
    elif args.attack == 'line':
        if args.data == 'mnist':
            color = args.eps
        elif args.data == 'cifar10':
            color = (args.eps, args.eps, args.eps)
        else:
            raise NotImplementedError
        attack = LineAttack(color=color, thickness=1)
    elif args.attack == 'shadow':
        attack = ShadowAttack(
            estimator=classifier,
            batch_size=args.batch_size,
            targeted=False,
            verbose=False)
    elif args.attack == 'watermark':
        attack = WaterMarkAttack(
            eps=args.eps,
            n_classes=data_params['data'][args.data]['n_classes'],
            x_min=0.0,
            x_max=1.0,
            targeted=False)

        X_train, y_train = get_correct_examples(model, dataset_train, device=device, return_tensor=True)
        X_train = X_train.cpu().detach().numpy()
        y_train = y_train.cpu().detach().numpy()
        attack.fit(X_train, y_train)
    else:
        raise NotImplementedError

    if len(dataset_perfect) > args.n_samples:
        n = args.n_samples
    else:
        n = len(dataset_perfect)

    X_benign = tensor_test_X[:n].cpu().detach().numpy()
    y = tensor_test_y[:n].cpu().detach().numpy()

    print('Creating {} adversarial examples with eps={} (Not all attacks use eps)'.format(n, args.eps))
    time_start = time.time()
    # Shadow attack only takes single sample!
    if args.attack == 'shadow':
        adv = np.zeros_like(X_benign)
        for i in trange(len(X_benign)):
            adv[i] = attack.generate(x=np.expand_dims(X_benign[i], axis=0))
    elif args.attack == 'watermark':
        # This is untargeted.
        adv = attack.generate(X_benign, y)
    else:
        adv = attack.generate(x=X_benign)
    time_elapsed = time.time() - time_start
    print('Total time spend: {}'.format(str(datetime.timedelta(seconds=time_elapsed))))

    pred_benign = np.argmax(classifier.predict(X_benign), axis=1)
    acc_benign = np.sum(pred_benign == y) / n
    pred_adv = np.argmax(classifier.predict(adv), axis=1)
    acc_adv = np.sum(pred_adv == y) / n
    print("Accuracy on benign samples: {:.4f}%".format(acc_benign * 100))
    print("Accuracy on adversarial examples: {:.4f}%".format(acc_adv * 100))

    # Save results
    if args.n_samples < 2000:
        output_file = '{}_{}_{}_{}_size{}'.format(args.data, model_name, args.attack, str(args.eps), args.n_samples)
    else:
        output_file = '{}_{}_{}_{}'.format(args.data, model_name, args.attack, str(args.eps))

    path_x = os.path.join(args.output_path, '{}_x.npy'.format(output_file))
    path_y = os.path.join(args.output_path, '{}_y.npy'.format(output_file))
    path_adv = os.path.join(args.output_path, '{}_adv.npy'.format(output_file))
    np.save(path_x, X_benign)
    np.save(path_y, y)
    np.save(path_adv, adv)

    print('Saved to:', '{}_adv.npy'.format(output_file))
    print()
コード例 #9
0
def main():
    with open('data.json') as data_json:
        data_params = json.load(data_json)

    parser = argparse.ArgumentParser()
    parser.add_argument('--data', type=str, required=True, choices=data_params['datasets'])
    parser.add_argument('--model', type=str, default='svm', choices=['svm', 'tree'])
    parser.add_argument('--data_path', type=str, default='data')
    parser.add_argument('--output_path', type=str, default='results')
    parser.add_argument('--attack', type=str, required=True, choices=ATTACKS)
    parser.add_argument('--eps', type=float, default=0.3)
    # NOTE: In CW_L2 attack, eps is the upper bound of c.
    parser.add_argument('--batch_size', type=int, default=128)
    parser.add_argument('--n_samples', type=int, default=2000)
    parser.add_argument('--random_state', type=int, default=1234)
    args = parser.parse_args()
    print(args)

    set_seeds(args.random_state)

    if not os.path.exists(args.output_path):
        print('Output folder does not exist. Create:', args.output_path)
        os.mkdir(args.output_path)
        
    print('Dataset:', args.data)
    print('Running attack:', args.attack)

    # Prepare data
    data_path = os.path.join(args.data_path, data_params['data'][args.data]['file_name'])
    print('Read file: {}'.format(data_path))
    X, y = load_csv(data_path)

    # Apply scaling
    scaler = MinMaxScaler().fit(X)
    X = scaler.transform(X)

    n_test = data_params['data'][args.data]['n_test']
    random_state = args.random_state
    X_train, X_test, y_train, y_test = train_test_split(X, y, test_size=n_test, random_state=random_state)

    # Train model
    if args.model == 'svm':
        model = SVC(kernel="linear", C=1.0, gamma="scale", random_state=random_state)
    elif args.model == 'tree':
        model = ExtraTreeClassifier(random_state=random_state)
    else:
        raise NotImplementedError
    model.fit(X_train, y_train)
    acc_train = model.score(X_train, y_train)
    acc_test = model.score(X_test, y_test)
    print(('Train Acc: {:.4f}, ' + 'Test Acc: {:.4f}').format(acc_train, acc_test))

    # Get perfect subset
    pred_test = model.predict(X_test)
    idx_correct = np.where(pred_test == y_test)[0]
    X_test = X_test[idx_correct]
    y_test = y_test[idx_correct]

    classifier = SklearnClassifier(model=model, clip_values=(0.0, 1.0))

    if args.attack == 'bim':
        eps_step = args.eps / 10.0
        attack = BasicIterativeMethod(
            estimator=classifier,
            eps=args.eps,
            eps_step=eps_step,
            max_iter=100,
            targeted=False,
            batch_size=args.batch_size)
    elif args.attack == 'boundary':
        attack = BoundaryAttack(
            estimator=classifier,
            max_iter=1000,
            sample_size=20,
            targeted=False)
    elif args.attack == 'fgsm':
        attack = FastGradientMethod(
            estimator=classifier,
            eps=args.eps,
            batch_size=args.batch_size)
    elif args.attack == 'tree':
        attack = DecisionTreeAttack(
            classifier=classifier)
    else:
        raise NotImplementedError

    # How many examples do we have?
    if len(X_test) > args.n_samples:
        n = args.n_samples
    else:
        n = len(X_test)

    X_benign = X_test[:n]
    y_true = y_test[:n]
    adv = attack.generate(X_benign)
    acc = model.score(adv, y_true)
    print('Acc on adv:', acc)

    output_file = '{}_{}_{}_{}'.format(args.data, args.model, args.attack, str(args.eps))
    path_x = os.path.join(args.output_path, '{}_x.npy'.format(output_file))
    path_y = os.path.join(args.output_path, '{}_y.npy'.format(output_file))
    path_adv = os.path.join(args.output_path, '{}_adv.npy'.format(output_file))
    np.save(path_x, X_benign)
    np.save(path_y, y_true)
    np.save(path_adv, adv)

    print('Saved to:', path_adv)
    print()
コード例 #10
0
def test_check_params(art_warning, image_dl_estimator_for_attack):
    try:
        classifier = image_dl_estimator_for_attack(BoundaryAttack)

        with pytest.raises(ValueError):
            _ = BoundaryAttack(classifier, max_iter=1.0)
        with pytest.raises(ValueError):
            _ = BoundaryAttack(classifier, max_iter=-1)

        with pytest.raises(ValueError):
            _ = BoundaryAttack(classifier, num_trial=1.0)
        with pytest.raises(ValueError):
            _ = BoundaryAttack(classifier, num_trial=-1)

        with pytest.raises(ValueError):
            _ = BoundaryAttack(classifier, sample_size=1.0)
        with pytest.raises(ValueError):
            _ = BoundaryAttack(classifier, sample_size=-1)

        with pytest.raises(ValueError):
            _ = BoundaryAttack(classifier, init_size=1.0)
        with pytest.raises(ValueError):
            _ = BoundaryAttack(classifier, init_size=-1)

        with pytest.raises(ValueError):
            _ = BoundaryAttack(classifier, epsilon=-1)

        with pytest.raises(ValueError):
            _ = BoundaryAttack(classifier, delta=-1)

        with pytest.raises(ValueError):
            _ = BoundaryAttack(classifier, step_adapt=-1)

        with pytest.raises(ValueError):
            _ = BoundaryAttack(classifier, min_epsilon="1.0")
        with pytest.raises(ValueError):
            _ = BoundaryAttack(classifier, min_epsilon=-1)

        with pytest.raises(ValueError):
            _ = BoundaryAttack(classifier, verbose="true")

    except ARTTestException as e:
        art_warning(e)
コード例 #11
0
def attack():
    x_train, x_test, y_train, y_test = load_data('cifar10_binary', 2)
    x_train = x_train.reshape((-1, 32, 32, 3)).transpose(
        (0, 3, 1, 2)).astype(np.float32)
    x_test = x_test.reshape((-1, 32, 32, 3)).transpose(
        (0, 3, 1, 2)).astype(np.float32)

    min_pixel_value = x_train.min()
    max_pixel_value = x_train.max()
    print('min_pixel_value ', min_pixel_value)
    print('max_pixel_value ', max_pixel_value)

    s = time.time()

    path = '../binary/checkpoints/cifar10_binary_lenet_100.pkl'
    with open(path, 'rb') as f:
        model = pickle.load(f)

    # Predict
    # Lent and simpleNet input data shape is (-1,3, 32, 32)
    # The other net input data shape is vector
    # Mlp01 need to add: cuda=False
    print('xtest shape1', x_test.shape)
    pred_y = model.predict(x_test)
    print('xtest shape1', x_test.shape)
    print('pred_y: ', pred_y)

    # Create a model wrapper
    predictWrapper = modelWrapper(model)

    classifier = BlackBoxClassifier(predict=predictWrapper.predict_one_hot,
                                    input_shape=(3 * 32 * 32, ),
                                    nb_classes=2,
                                    clip_values=(min_pixel_value,
                                                 max_pixel_value))

    print('----- generate adv data -----')
    attack = BoundaryAttack(estimator=classifier,
                            targeted=False,
                            delta=0.01,
                            epsilon=0.01,
                            max_iter=100,
                            num_trial=100,
                            sample_size=100,
                            init_size=100)

    print('----- generate adv test data -----')
    x_test = x_test[288]
    # Input data shape should be 2D
    x_test = x_test.reshape((-1, 3 * 32 * 32))
    x_test_adv = attack.generate(x=x_test)

    np.save('x', x_test)
    np.save('adv_x', x_test_adv)

    print('x_test ', x_test)
    print('x_test_adv ', x_test_adv)

    # dist1 = utils.computeDist1(x_test, x_test_adv)
    # print('test data dist1: ', dist1)

    dist2 = utils.computeDist2(x_test, x_test_adv)
    print('test data dist2: ', dist2)

    distInf = utils.computeDistInf(x_test, x_test_adv)
    print('test data distInf: ', distInf)

    # avg_dist2, med_dist2 = utils.computeDist2(x_test, x_test_adv)
    # print('test avg_dist2: ', avg_dist2)
    # # print('test med_dist2: ', med_dist2)

    # avg_distInf, med_distInf = utils.computeDistInf(x_test, x_test_adv)
    # print('test avg_distInf: ', avg_distInf)
    # # print('test med_distInf: ', med_distInf)

    print('Cost time: ', time.time() - s)
コード例 #12
0
ファイル: mlp01.py プロジェクト: meiyan-xie/ibm-art-attack
def attack():
    x_train, x_test, y_train, y_test = load_data('cifar10_binary', 2)
    min_pixel_value = x_train.min()
    max_pixel_value = x_train.max()
    print('min_pixel_value ', min_pixel_value)
    print('max_pixel_value ', max_pixel_value)

    s = time.time()

    path = '../binary/checkpoints/cifar10_binary_scd01mlp_100_br02_h500_nr075_ni25000_i1.pkl'

    with open(path, 'rb') as f:
        model = pickle.load(f)

    pred_y = model.predict(x_test, cuda=False)
    # np.savetxt('pred_y_mpl2', pred_y)
    print('pred_y: ', pred_y)

    # Create a model wrapper
    predictWrapper = modelWrapper(model)

    classifier = BlackBoxClassifier(predict=predictWrapper.predict_one_hot,
                                    input_shape=(3 * 32 * 32, ),
                                    nb_classes=2,
                                    clip_values=(min_pixel_value,
                                                 max_pixel_value))

    print('----- generate adv data -----')
    attack = BoundaryAttack(estimator=classifier,
                            targeted=False,
                            delta=0.01,
                            epsilon=0.01,
                            max_iter=100,
                            num_trial=100,
                            sample_size=100,
                            init_size=100)

    print('----- generate adv test data -----')
    x_test = x_test[-1]
    # Input data shape should be 2D
    x_test = x_test.reshape((-1, 3 * 32 * 32))
    x_test_adv = attack.generate(x=x_test)

    np.save('x', x_test)
    np.save('adv_x', x_test_adv)

    print('x_test ', x_test)
    print('x_test_adv ', x_test_adv)

    # dist1 = utils.computeDist1(x_test, x_test_adv)
    # print('test data dist1: ', dist1)

    dist2 = utils.computeDist2(x_test, x_test_adv)
    print('test data dist2: ', dist2)

    distInf = utils.computeDistInf(x_test, x_test_adv)
    print('test data distInf: ', distInf)

    # avg_dist2, med_dist2 = utils.computeDist2(x_test, x_test_adv)
    # print('test avg_dist2: ', avg_dist2)
    # # print('test med_dist2: ', med_dist2)

    # avg_distInf, med_distInf = utils.computeDistInf(x_test, x_test_adv)
    # print('test avg_distInf: ', avg_distInf)
    # # print('test med_distInf: ', med_distInf)

    print('Cost time: ', time.time() - s)
コード例 #13
0
ファイル: mlp.py プロジェクト: meiyan-xie/ibm-art-attack
def attack():
    x_train, x_test, y_train, y_test = load_data('cifar10', 2)
    # x_train, y_train, x_test, y_test = utils.loadData()
    min_pixel_value = x_train.min()
    max_pixel_value = x_train.max()
    print('min_pixel_value ', min_pixel_value)
    print('max_pixel_value ', max_pixel_value)

    s = time.time()

    path = '../binary/checkpoints/cifar10_scd01mlp_100_br02_nr075_ni1000_i1_ep2.pkl'
    # path = '/home/y/yx277/research/scd01mc/binary/checkpoints/cifar10_mlp.pkl'
    # path = '/research/datasci/mx42/adversarial_machine_learning/IBM_ART/checkpoints_scd_01/scd_stl10_01_v7.pkl'
    with open(path, 'rb') as f:
        model = pickle.load(f)

    pred_y = model.predict(x_test)
    # np.savetxt('pred_y_mpl2', pred_y)
    print('pred_y: ', pred_y)

    # Create a model wrapper
    predictWrapper = modelWrapper(model)

    classifier = BlackBoxClassifier(predict=predictWrapper.predict_one_hot,
                                    input_shape=(32 * 32 * 3, ),
                                    nb_classes=2,
                                    clip_values=(min_pixel_value,
                                                 max_pixel_value))

    print('----- generate adv data -----')
    attack = BoundaryAttack(estimator=classifier,
                            targeted=False,
                            delta=0.01,
                            epsilon=0.01,
                            max_iter=500,
                            num_trial=100,
                            sample_size=100,
                            init_size=100)

    print('----- generate adv test data -----')
    x_test = x_test[0]
    # Input data shape should be 2D
    x_test = x_test.reshape((-1, 32 * 32 * 3))
    x_test_adv = attack.generate(x=x_test)

    np.save('x', x_test)
    np.save('adv_x', x_test_adv)

    print('x_test ', x_test)
    print('x_test_adv ', x_test_adv)

    # dist1 = utils.computeDist1(x_test, x_test_adv)
    # print('test data dist1: ', dist1)

    dist2 = utils.computeDist2(x_test, x_test_adv)
    print('test data dist2: ', dist2)

    distInf = utils.computeDistInf(x_test, x_test_adv)
    print('test data distInf: ', distInf)

    # avg_dist2, med_dist2 = utils.computeDist2(x_test, x_test_adv)
    # print('test avg_dist2: ', avg_dist2)
    # # print('test med_dist2: ', med_dist2)

    # avg_distInf, med_distInf = utils.computeDistInf(x_test, x_test_adv)
    # print('test avg_distInf: ', avg_distInf)
    # # print('test med_distInf: ', med_distInf)

    print('Cost time: ', time.time() - s)