def _test_mnist_targeted(self, classifier):
# Get MNIST
(_, _), (x_test, _) = self.mnist
# Test FGSM with np.inf norm
attack = BasicIterativeMethod(classifier,
eps=1.0,
eps_step=0.01,
targeted=True,
batch_size=128)
# y_test_adv = to_categorical((np.argmax(y_test, axis=1) + 1) % 10, 10)
pred_sort = classifier.predict(x_test).argsort(axis=1)
y_test_adv = np.zeros((x_test.shape[0], 10))
for i in range(x_test.shape[0]):
y_test_adv[i, pred_sort[i, -2]] = 1.0
x_test_adv = attack.generate(x_test, y=y_test_adv)
self.assertFalse((x_test == x_test_adv).all())
test_y_pred = get_labels_np_array(classifier.predict(x_test_adv))
self.assertEqual(y_test_adv.shape, test_y_pred.shape)
# This doesn't work all the time, especially with small networks
self.assertGreaterEqual((y_test_adv == test_y_pred).sum(),
x_test.shape[0] // 2)
def _test_backend_mnist(self, classifier):
# Get MNIST
(x_train, y_train), (x_test, y_test) = self.mnist
# Test BIM with np.inf norm
attack = BasicIterativeMethod(classifier,
eps=1,
eps_step=0.1,
batch_size=128)
x_train_adv = attack.generate(x_train)
x_test_adv = attack.generate(x_test)
self.assertFalse((x_train == x_train_adv).all())
self.assertFalse((x_test == x_test_adv).all())
train_y_pred = get_labels_np_array(classifier.predict(x_train_adv))
test_y_pred = get_labels_np_array(classifier.predict(x_test_adv))
self.assertFalse((y_train == train_y_pred).all())
self.assertFalse((y_test == test_y_pred).all())
acc = np.sum(
np.argmax(train_y_pred, axis=1) == np.argmax(
y_train, axis=1)) / y_train.shape[0]
logger.info('Accuracy on adversarial train examples: %.2f%%',
(acc * 100))
acc = np.sum(
np.argmax(test_y_pred, axis=1) == np.argmax(
y_test, axis=1)) / y_test.shape[0]
logger.info('Accuracy on adversarial test examples: %.2f%%',
(acc * 100))
def ifgsm(clf, x_train, x_test, epsilon=0.1, max_iter=10):
from art.attacks.iterative_method import BasicIterativeMethod
ifgsm_adv_crafter = BasicIterativeMethod(clf,
eps=epsilon,
eps_step=0.1,
max_iter=max_iter)
x_test_ifgsm_adv = ifgsm_adv_crafter.generate(x=x_test)
x_train_ifgsm_adv = ifgsm_adv_crafter.generate(x=x_train)
return x_train_ifgsm_adv, x_test_ifgsm_adv
def test_iris_k_unbounded(self):
(_, _), (x_test, y_test) = self.iris
classifier, _ = get_iris_classifier_kr()
# Recreate a classifier without clip values
classifier = KerasClassifier(model=classifier._model,
use_logits=False,
channel_index=1)
attack = BasicIterativeMethod(classifier, eps=1, eps_step=0.2)
x_test_adv = attack.generate(x_test)
self.assertFalse((x_test == x_test_adv).all())
self.assertTrue((x_test_adv > 1).any())
self.assertTrue((x_test_adv < 0).any())
preds_adv = np.argmax(classifier.predict(x_test_adv), axis=1)
self.assertFalse((np.argmax(y_test, axis=1) == preds_adv).all())
acc = np.sum(preds_adv == np.argmax(y_test, axis=1)) / y_test.shape[0]
logger.info('Accuracy on Iris with BIM adversarial examples: %.2f%%',
(acc * 100))
def test_iris_pt(self):
(_, _), (x_test, y_test) = self.iris
classifier = get_iris_classifier_pt()
# Test untargeted attack
attack = BasicIterativeMethod(classifier, eps=1, eps_step=0.1)
x_test_adv = attack.generate(x_test)
self.assertFalse((x_test == x_test_adv).all())
self.assertTrue((x_test_adv <= 1).all())
self.assertTrue((x_test_adv >= 0).all())
preds_adv = np.argmax(classifier.predict(x_test_adv), axis=1)
self.assertFalse((np.argmax(y_test, axis=1) == preds_adv).all())
acc = np.sum(preds_adv == np.argmax(y_test, axis=1)) / y_test.shape[0]
logger.info('Accuracy on Iris with BIM adversarial examples: %.2f%%',
(acc * 100))
# Test targeted attack
targets = random_targets(y_test, nb_classes=3)
attack = BasicIterativeMethod(classifier,
targeted=True,
eps=1,
eps_step=0.1,
batch_size=128)
x_test_adv = attack.generate(x_test, **{'y': targets})
self.assertFalse((x_test == x_test_adv).all())
self.assertTrue((x_test_adv <= 1).all())
self.assertTrue((x_test_adv >= 0).all())
preds_adv = np.argmax(classifier.predict(x_test_adv), axis=1)
self.assertTrue((np.argmax(targets, axis=1) == preds_adv).any())
acc = np.sum(preds_adv == np.argmax(targets, axis=1)) / y_test.shape[0]
logger.info('Success rate of targeted BIM on Iris: %.2f%%',
(acc * 100))
nat_img[0].reshape(28, 28), adv_nse[0].reshape(28, 28),
adv_img[0].reshape(28, 28)
])
fig = plt.figure()
plt.imshow(adv_plt)
plt.title("y_test:{},y_adv:{} -- Var: {}".format(np.argmax(y_test[0]),
adv_prd[0], adv_var))
fig.set_size_inches(24, 12)
fo = ddir + "O{}A{}_varx{}_examp.png".format(np.argmax(y_test[0]), adv_prd[0],
adv_var)
fig.savefig(fo, dpi=100)
################ IFGSM;
epsilon = .05 # Maximum perturbation
adv_crafter = BasicIterativeMethod(classifier)
x_test_adv = adv_crafter.generate(x=x_test,
norm=2,
eps=epsilon,
eps_step=epsilon / 3)
# Evaluate the classifier on the adversarial examples
preds = np.argmax(classifier.predict(x_test_adv), axis=1)
acc = np.sum(preds == np.argmax(y_test, axis=1)) / y_test.shape[0]
print("\nTest accuracy on adversarial sample: %.2f%%" % (acc * 100))
# grab a particular example to play wit
a = (preds != np.argmax(y_test, axis=1))
nat_img = x_test[a]
adv_img = x_test_adv[a]
adv_nse = adv_img - nat_img
adv_prd = preds[a]
# compute variance and plot (some) example(s)
def attack(self, model=None, attack_str=""):
imgs = self._load_images(attack_str, self._test_or_val_dataset)
if self._test_or_val_dataset == "_x_test_set_":
X = self.__data.x_test
Y = self.__data.y_test
else:
X = self.__data.x_val
Y = self.__data.y_val
if type(imgs) != type(None):
print('\n{0} adversarial examples using {1} attack loaded...\n'.
format(self.__dataset, self.__attack))
return imgs
if type(model) == type(None):
model = self.surrogate_model.fit(self.__data.x_train,
self.__data.y_train,
verbose=1,
epochs=self.__epochs,
batch_size=128)
wrap = KerasClassifier((0., 1.), model=self.surrogate_model)
else:
wrap = KerasClassifier((0., 1.), model=model)
if self.__attack == 'FGSM':
print('\nCrafting adversarial examples using FGSM attack...\n')
fgsm = FastGradientMethod(wrap)
if self.__data.dataset_name == 'MNIST':
x_adv_images = fgsm.generate(x=X[self.idx_adv][:self._length],
eps=0.2)
else:
x_adv_images = fgsm.generate(x=X[self.idx_adv][:self._length],
eps=0.025)
path = os.path.join(
self._attack_dir,
self.__dataset.lower() + self._test_or_val_dataset +
"fgsm.pkl")
helpers.save_pkl(x_adv_images, path)
elif self.__attack.startswith("CW"):
print('\nCrafting adversarial examples using CW attack...\n')
cw = CarliniL2Method(wrap,
confidence=0.0,
targeted=False,
binary_search_steps=1,
learning_rate=0.2,
initial_const=10,
max_iter=100)
x_adv_images = cw.generate(X[self.idx_adv][:self._length])
path = os.path.join(
self._attack_dir,
self.__dataset.lower() + self._test_or_val_dataset + "cw.pkl")
helpers.save_pkl(x_adv_images, path)
elif self.__attack == 'BIM':
print('\nCrafting adversarial examples using BIM attack...\n')
if self.__dataset == 'MNIST':
bim = BasicIterativeMethod(wrap,
eps=0.25,
eps_step=0.2,
max_iter=100,
norm=np.inf)
if self.__dataset == 'CIFAR':
bim = BasicIterativeMethod(wrap,
eps=0.025,
eps_step=0.01,
max_iter=1000,
norm=np.inf)
x_adv_images = bim.generate(x=X[self.idx_adv][:self._length])
path = os.path.join(
self._attack_dir,
self.__dataset.lower() + self._test_or_val_dataset + "bim.pkl")
helpers.save_pkl(x_adv_images, path)
elif self.__attack == 'DEEPFOOL':
print('\nCrafting adversarial examples using DeepFool attack...\n')
deepfool = DeepFool(wrap)
x_adv_images = deepfool.generate(x=X[self.idx_adv][:self._length])
path = os.path.join(
self._attack_dir,
self.__dataset.lower() + self._test_or_val_dataset +
"deepfool.pkl")
helpers.save_pkl(x_adv_images, path)
return x_adv_images
min_ = np.min(x_train)
max_ = np.max(x_train)
# # ResNet29v2 Model trained for 200 epochs as defined in
# # https://github.com/keras-team/keras/blob/58399c111a4639526f8d13d4bfa62fc3d0695b02/examples/cifar10_resnet.py
DIR_PATH = os.path.dirname(os.path.realpath(__file__))
save_dir = os.path.join(DIR_PATH, 'saved_models')
model_name = 'cifar10_ResNet29v2_model.196'
filepath = os.path.join(save_dir, model_name + '.h5')
model = load_model(filepath)
classifier = KerasClassifier(model, clip_values=(min_, max_))
epsilon = 0.01
adv_crafter = BasicIterativeMethod(classifier, eps=epsilon, eps_step=0.001)
# adv_crafter = CarliniL2Method(classifier, targeted=False)
# x_train_adv = adv_crafter.generate(x_train)
x_test_adv = adv_crafter.generate(x_test[:100])
# Evaluate the classifier on the adversarial samples
preds = np.argmax(classifier.predict(x_test_adv), axis=1)
originalpreds = np.argmax(classifier.predict(x_test[:100]), axis=1)
acc = np.sum(preds == np.argmax(y_test[:100], axis=1)) / y_test.shape[0]
print('Accuracy on adversarial samples: %.2f%%' % (acc * 100))
success_adv_indices = (preds != originalpreds)
success_adv = x_test_adv[success_adv_indices]
def evaluation(x_test, y_test, classify_idx_lst, model, test_acc, ws,
current_line, attack_name, flag, column_i):
classifier = KerasClassifier((0., 1.), model=model)
if attack_name == "FGM":
# ===========================参数设置========================= #
# Maximum perturbation
# Order of the norm
parameter_lst = [[10, 1], [20, 1], [30, 1], [40, 1], [50, 1], [60, 1],
[70, 1], [80, 1], [90, 1], [100, 1], [1, 2], [2, 2],
[3, 2], [4, 2], [5, 2], [6, 2], [7, 2], [8, 2],
[9, 2], [10, 2], [0.05, np.inf], [0.10, np.inf],
[0.15, np.inf], [0.20, np.inf], [0.25, np.inf],
[0.30, np.inf], [0.35, np.inf], [0.40, np.inf],
[0.45, np.inf], [0.50, np.inf]]
# ===========================进行攻击========================= #
for [epsilon, norm_type] in parameter_lst:
# print("current parameter: " + str(epsilon) + ", " + str(norm_type))
adv_crafter = FastGradientMethod(classifier)
x_test_adv = adv_crafter.generate(x=x_test[classify_idx_lst],
eps=epsilon,
norm=norm_type)
score = model.evaluate(x_test_adv,
y_test[classify_idx_lst],
verbose=0)
acc = score[1]
ws.write(current_line, 0, attack_name)
ws.write(
current_line, 1,
"(" + str(round(epsilon, 4)) + ", " + str(norm_type) + ")")
if flag == "ori":
ws.write(current_line, 3, test_acc)
ws.write(current_line, 4, acc)
elif flag == "adv":
ws.write(current_line, 3, test_acc)
ws.write(current_line, 4, acc)
else:
ws.write(current_line, 0 + 3 * column_i, test_acc)
ws.write(current_line, 1 + 3 * column_i, acc)
current_line += 1
elif attack_name == "BIM":
# ===========================参数设置========================= #
# Order of the norm
# Maximum perturbation that the attacker can introduce
# Attack step size (input variation) at each iteration
# The maximum number of iterations.
parameter_lst = [[1, 20.0, 2.0, 10], [1, 20.0, 4.0, 10],
[1, 20.0, 6.0, 10], [1, 20.0, 8.0, 10],
[1, 20.0, 10.0, 10], [1, 20.0, 2.0, 50],
[1, 20.0, 4.0, 50], [1, 20.0, 6.0, 50],
[1, 20.0, 8.0, 50], [1, 20.0, 10.0, 50],
[2, 2.0, 0.2, 10], [2, 2.0, 0.4,
10], [2, 2.0, 0.6, 10],
[2, 2.0, 0.8, 10], [2, 2.0, 1.0,
10], [2, 2.0, 0.2, 50],
[2, 2.0, 0.4, 50], [2, 2.0, 0.6, 50],
[2, 2.0, 0.8, 50], [2, 2.0, 1.0, 50],
[np.inf, 0.1, 0.002, 10], [np.inf, 0.1, 0.004, 10],
[np.inf, 0.1, 0.006, 10], [np.inf, 0.1, 0.008, 10],
[np.inf, 0.1, 0.010, 10], [np.inf, 0.1, 0.002, 50],
[np.inf, 0.1, 0.004, 50], [np.inf, 0.1, 0.006, 50],
[np.inf, 0.1, 0.008, 50], [np.inf, 0.1, 0.010, 50]]
# ===========================进行攻击========================= #
for [norm_type, epsilon, epsilon_step, max_iteration] in parameter_lst:
# print("current parameter: " + str(norm_type) + ", " + str(epsilon) + ", " + str(epsilon_step) + ", " + str(
# max_iteration))
adv_crafter = BasicIterativeMethod(classifier)
x_test_adv = adv_crafter.generate(x=x_test[classify_idx_lst],
norm=norm_type,
eps=epsilon,
eps_step=epsilon_step,
max_iter=max_iteration)
score = model.evaluate(x_test_adv,
y_test[classify_idx_lst],
verbose=0)
acc = score[1]
ws.write(current_line, 0, attack_name)
ws.write(
current_line, 1,
"(" + str(norm_type) + ", " + str(round(epsilon, 4)) + ", " +
str(round(epsilon_step, 4)) + ", " + str(max_iteration) + ")")
if flag == "ori":
ws.write(current_line, 3, test_acc)
ws.write(current_line, 4, acc)
elif flag == "adv":
ws.write(current_line, 3, test_acc)
ws.write(current_line, 4, acc)
else:
ws.write(current_line, 0 + 3 * column_i, test_acc)
ws.write(current_line, 1 + 3 * column_i, acc)
current_line += 1
elif attack_name == "JSMA":
# ===========================参数设置========================= #
# Perturbation introduced to each modified feature per step (can be positive or negative).
# Maximum percentage of perturbed features (between 0 and 1).
parameter_lst = [[0.5, 0.5], [0.4, 0.5], [0.3, 0.5], [0.2, 0.5],
[0.1, 0.5], [-0.1, 0.5], [-0.2, 0.5], [-0.3, 0.5],
[-0.4, 0.5], [-0.5, 0.5]]
# ===========================进行攻击========================= #
for [theta, gamma] in parameter_lst:
# print("current parameter: " + str(theta) + ", " + str(gamma))
adv_crafter = SaliencyMapMethod(classifier)
x_test_adv = adv_crafter.generate(x=x_test[classify_idx_lst],
theta=theta,
gamma=gamma)
score = model.evaluate(x_test_adv,
y_test[classify_idx_lst],
verbose=0)
acc = score[1]
ws.write(current_line, 0, attack_name)
ws.write(
current_line, 1,
"(" + str(round(theta, 4)) + ", " + str(round(gamma, 4)) + ")")
if flag == "ori":
ws.write(current_line, 3, test_acc)
ws.write(current_line, 4, acc)
elif flag == "adv":
ws.write(current_line, 3, test_acc)
ws.write(current_line, 4, acc)
else:
ws.write(current_line, 0 + 3 * column_i, test_acc)
ws.write(current_line, 1 + 3 * column_i, acc)
current_line += 1
elif attack_name == "DeepFool":
# ===========================参数设置========================= #
# The maximum number of iterations.
# Overshoot parameter.
parameter_lst = [[2, 0.10], [4, 0.10], [6, 0.10], [8, 0.10],
[10, 0.10], [12, 0.10], [14, 0.10], [16, 0.10],
[18, 0.10], [20, 0.10]]
# ===========================进行攻击========================= #
for [max_iteration, epsilon] in parameter_lst:
# print("current parameter: " + str(max_iteration) + ", " + str(epsilon))
adv_crafter = DeepFool(classifier)
x_test_adv = adv_crafter.generate(x=x_test[classify_idx_lst],
max_iter=max_iteration,
epsilon=epsilon)
score = model.evaluate(x_test_adv,
y_test[classify_idx_lst],
verbose=0)
acc = score[1]
ws.write(current_line, 0, attack_name)
ws.write(
current_line, 1,
"(" + str(max_iteration) + ", " + str(round(epsilon, 4)) + ")")
if flag == "ori":
ws.write(current_line, 3, test_acc)
ws.write(current_line, 4, acc)
elif flag == "adv":
ws.write(current_line, 3, test_acc)
ws.write(current_line, 4, acc)
else:
ws.write(current_line, 0 + 3 * column_i, test_acc)
ws.write(current_line, 1 + 3 * column_i, acc)
current_line += 1
elif attack_name == "CW-L2":
# ===========================参数设置========================= #
# confidence: Confidence of adversarial examples: a higher value produces examples that are farther away,
# from the original input, but classified with higher confidence as the target class.
# The maximum number of iterations.
parameter_lst = [[0, 1], [0, 2], [0, 3], [0, 4], [0, 5]]
# ===========================进行攻击========================= #
for [confidence_value, max_iter_value] in parameter_lst:
# print("current parameter: " + str(confidence_value) + ", " + str(max_iter_value))
adv_crafter = CarliniL2Method(classifier)
sum_adv_acc = 0
for adv_label in range(0, 10):
one_hot_label = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
one_hot_label[adv_label] = 1
x_test_adv = adv_crafter.generate(
x=x_test[classify_idx_lst],
confidence=confidence_value,
targeted=True,
max_iter=max_iter_value,
y=np.array([one_hot_label] *
x_test[classify_idx_lst].shape[0]))
score = model.evaluate(x_test_adv,
y_test[classify_idx_lst],
verbose=0)
acc = score[1]
sum_adv_acc += acc
ws.write(current_line, 0, attack_name)
ws.write(
current_line, 1, "(" + str(round(confidence_value, 4)) + ", " +
str(max_iter_value) + ")")
if flag == "ori":
ws.write(current_line, 3, test_acc)
ws.write(current_line, 4, sum_adv_acc / 10)
elif flag == "adv":
ws.write(current_line, 3, test_acc)
ws.write(current_line, 4, sum_adv_acc / 10)
else:
ws.write(current_line, 0 + 3 * column_i, test_acc)
ws.write(current_line, 1 + 3 * column_i, sum_adv_acc / 10)
current_line += 1
elif attack_name == "CW-Linf":
# ===========================参数设置========================= #
# confidence: Confidence of adversarial examples: a higher value produces examples that are farther away,
# from the original input, but classified with higher confidence as the target class.
# The maximum number of iterations.
parameter_lst = [[0, 1], [0, 2], [0, 3], [0, 4], [0, 5]]
# ===========================进行攻击========================= #
for [confidence_value, max_iter_value] in parameter_lst:
# print("current parameter: " + str(confidence_value) + ", " + str(max_iter_value))
adv_crafter = CarliniLInfMethod(classifier)
sum_adv_acc = 0
for adv_label in range(0, 10):
one_hot_label = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
one_hot_label[adv_label] = 1
x_test_adv = adv_crafter.generate(
x=x_test[classify_idx_lst],
confidence=confidence_value,
targeted=True,
max_iter=max_iter_value,
y=np.array([one_hot_label] *
x_test[classify_idx_lst].shape[0]))
score = model.evaluate(x_test_adv,
y_test[classify_idx_lst],
verbose=0)
acc = score[1]
sum_adv_acc += acc
ws.write(current_line, 0, attack_name)
ws.write(
current_line, 1, "(" + str(round(confidence_value, 4)) + ", " +
str(max_iter_value) + ")")
if flag == "ori":
ws.write(current_line, 3, test_acc)
ws.write(current_line, 4, sum_adv_acc / 10)
elif flag == "adv":
ws.write(current_line, 3, test_acc)
ws.write(current_line, 4, sum_adv_acc / 10)
else:
ws.write(current_line, 0 + 3 * column_i, test_acc)
ws.write(current_line, 1 + 3 * column_i, sum_adv_acc / 10)
current_line += 1
current_line += 1
# print("\n------------------------------------------------")
return ws, current_line
# ==============================2.进行对抗训练=================================== #
begin_time = time.time()
robust_classifier_model = load_model("./model/adv_model")
robust_classifier = KerasClassifier((0., 1.), robust_classifier_model)
# ==================================2-1.准备对抗训练的攻击方法 =============================== #
"""
The `ratio` determines how many of the clean samples in each batch are replaced with their adversarial counterpart.
warning: Both successful and unsuccessful adversarial samples are used for training. In the case of unbounded attacks
(e.g., DeepFool), this can result in invalid (very noisy) samples being included.
"""
if adv_train_attack == "FGM":
attacks = FastGradientMethod(robust_classifier, eps=attack_par["epsilon"], norm=attack_par["norm_type"])
elif adv_train_attack == "BIM":
attacks = BasicIterativeMethod(robust_classifier, norm=attack_par["norm_type"], eps=attack_par["epsilon"],
eps_step=attack_par["epsilon_step"], max_iter=attack_par["max_iteration"])
elif adv_train_attack == "PGD":
attacks = ProjectedGradientDescent(robust_classifier, norm=attack_par["norm_type"], eps=attack_par["epsilon"],
eps_step=attack_par["epsilon_step"], max_iter=attack_par["max_iteration"])
elif adv_train_attack == "JSMA":
attacks = SaliencyMapMethod(robust_classifier, theta=attack_par["theta"], gamma=attack_par["gamma"])
elif adv_train_attack == "DeepFool":
attacks = DeepFool(robust_classifier, max_iter=attack_par["max_iteration"], epsilon=attack_par["epsilon"])
# ==================================2-2.开始对抗训练 =============================== #
trainer = AdversarialTrainer(robust_classifier, attacks, ratio=ratio_value)
trainer.fit(x_train, y_train, nb_epochs=adv_train_num, batch_size=128, verbose=2)
robust_classifier_model.save("./model/adv_model")
end_time = time.time()
model = load_model("./model/adv_model")
model.add(Flatten())
model.add(Dense(512))
model.add(Activation('relu'))
model.add(Dropout(0.5))
model.add(Dense(10))
model.add(Activation('softmax'))
model.compile(loss='categorical_crossentropy', optimizer='adam', metrics=['accuracy'])
# Create classifier wrapper
classifier = KerasClassifier(clip_values=(0, 1), model=model)
classifier.fit(x_train, y_train, nb_epochs=10, batch_size=128)
# Craft adversarial samples with BIM
logger.info('Create BIM attack')
adv_crafter = BasicIterativeMethod(classifier, eps=0.3, eps_step=0.01, max_iter=40)
logger.info('Craft attack on training examples')
x_train_adv = adv_crafter.generate(x_train)
logger.info('Craft attack test examples')
x_test_adv = adv_crafter.generate(x_test)
# Evaluate the classifier on the adversarial samples
preds = np.argmax(classifier.predict(x_test_adv), axis=1)
acc = np.sum(preds == np.argmax(y_test, axis=1)) / y_test.shape[0]
logger.info('Classifier before adversarial training')
logger.info('Accuracy on adversarial samples: %.2f%%', (acc * 100))
# Data augmentation: expand the training set with the adversarial samples
x_train = np.append(x_train, x_train_adv, axis=0)
y_train = np.append(y_train, y_train, axis=0)
