def test_jpeg_compress(self, image_batch, channels_first):
test_input, test_output = image_batch
jpeg_compression = JpegCompression(clip_values=(0, 255))
image_mode = "RGB" if test_input.shape[-1] == 3 else "L"
test_single_input = np.squeeze(test_input[0]).astype(np.uint8)
test_single_output = np.squeeze(test_output[0]).astype(np.uint8)
assert_array_equal(jpeg_compression._compress(test_single_input, image_mode), test_single_output)
def test_jpeg_compress(art_warning, image_batch, channels_first):
try:
test_input, test_output = image_batch
# Run only for grayscale [1] and RGB [3] data because testing `_compress` which is applied internally only to
# either grayscale or RGB data.
if test_input.shape[-1] in [1, 3]:
jpeg_compression = JpegCompression(clip_values=(0, 255))
image_mode = "RGB" if test_input.shape[-1] == 3 else "L"
test_single_input = np.squeeze(test_input[0]).astype(np.uint8)
test_single_output = np.squeeze(test_output[0]).astype(np.uint8)
assert_array_equal(jpeg_compression._compress(test_single_input, image_mode), test_single_output)
except ARTTestException as e:
art_warning(e)
def test_defences_predict(self):
clip_values = (0, 1)
fs = FeatureSqueezing(clip_values=clip_values, bit_depth=2)
jpeg = JpegCompression(clip_values=clip_values, apply_predict=True)
smooth = SpatialSmoothing()
classifier_ = get_image_classifier_kr_tf()
classifier = KerasClassifier(clip_values=clip_values,
model=classifier_._model,
preprocessing_defences=[fs, jpeg, smooth])
self.assertEqual(len(classifier.preprocessing_defences), 3)
predictions_classifier = classifier.predict(self.x_test_mnist)
# Apply the same defences by hand
x_test_defense = self.x_test_mnist
x_test_defense, _ = fs(x_test_defense, self.y_test_mnist)
x_test_defense, _ = jpeg(x_test_defense, self.y_test_mnist)
x_test_defense, _ = smooth(x_test_defense, self.y_test_mnist)
classifier = get_image_classifier_kr_tf()
predictions_check = classifier._model.predict(x_test_defense)
# Check that the prediction results match
np.testing.assert_array_almost_equal(predictions_classifier,
predictions_check,
decimal=4)
def test_maximum_clip_values_error(art_warning):
try:
exc_msg = "'clip_values' max value must be either 1 or 255."
with pytest.raises(ValueError, match=exc_msg):
JpegCompression(clip_values=(0, 2), channels_first=True)
except ARTTestException as e:
art_warning(e)
def test_defences_predict(get_default_mnist_subset, get_image_classifier_list):
(x_train_mnist, y_train_mnist), (x_test_mnist,
y_test_mnist) = get_default_mnist_subset
clip_values = (0, 1)
fs = FeatureSqueezing(clip_values=clip_values, bit_depth=2)
jpeg = JpegCompression(clip_values=clip_values, apply_predict=True)
smooth = SpatialSmoothing()
classifier_, _ = get_image_classifier_list(one_classifier=True)
classifier = KerasClassifier(clip_values=clip_values,
model=classifier_.model,
preprocessing_defences=[fs, jpeg, smooth])
assert len(classifier.preprocessing_defences) == 3
predictions_classifier = classifier.predict(x_test_mnist)
# Apply the same defences by hand
x_test_defense = x_test_mnist
x_test_defense, _ = fs(x_test_defense, y_test_mnist)
x_test_defense, _ = jpeg(x_test_defense, y_test_mnist)
x_test_defense, _ = smooth(x_test_defense, y_test_mnist)
classifier, _ = get_image_classifier_list(one_classifier=True)
predictions_check = classifier.model.predict(x_test_defense)
# Check that the prediction results match
np.testing.assert_array_almost_equal(predictions_classifier,
predictions_check,
decimal=4)
def test_non_spatial_data_error(self, tabular_batch):
test_input = tabular_batch
jpeg_compression = JpegCompression(clip_values=(0, 255), channels_first=True)
exc_msg = "Unrecognized input dimension. JPEG compression can only be applied to image and video data."
with pytest.raises(ValueError, match=exc_msg):
jpeg_compression(test_input)
def test_negative_clip_values_error(art_warning):
try:
exc_msg = "'clip_values' min value must be 0."
with pytest.raises(ValueError, match=exc_msg):
JpegCompression(clip_values=(-1, 255), channels_first=True)
except ARTTestException as e:
art_warning(e)
def test_defences_predict(get_default_mnist_subset,
image_dl_estimator_defended, image_dl_estimator):
(_, _), (x_test_mnist, y_test_mnist) = get_default_mnist_subset
classifier, _ = image_dl_estimator_defended(
one_classifier=True,
defenses=["FeatureSqueezing", "JpegCompression", "SpatialSmoothing"])
if classifier is not None:
assert len(classifier.preprocessing_defences) == 3
predictions_classifier = classifier.predict(x_test_mnist)
# Apply the same defences by hand
x_test_defense = x_test_mnist
clip_values = (0, 1)
fs = FeatureSqueezing(clip_values=clip_values, bit_depth=2)
x_test_defense, _ = fs(x_test_defense, y_test_mnist)
jpeg = JpegCompression(clip_values=clip_values, apply_predict=True)
x_test_defense, _ = jpeg(x_test_defense, y_test_mnist)
smooth = SpatialSmoothing()
x_test_defense, _ = smooth(x_test_defense, y_test_mnist)
# classifier, _ = get_image_classifier_list(one_classifier=True, from_logits=True)
classifier, _ = image_dl_estimator(one_classifier=True)
predictions_check = classifier._model.predict(x_test_defense)
# Check that the prediction results match
np.testing.assert_array_almost_equal(predictions_classifier,
predictions_check,
decimal=4)
def test_jpeg_compression_video_data(art_warning, video_batch, channels_first):
try:
test_input, test_output = video_batch
jpeg_compression = JpegCompression(clip_values=(0, 255), channels_first=channels_first)
assert_array_equal(jpeg_compression(test_input)[0], test_output)
except ARTTestException as e:
art_warning(e)
def _JpegCompression(data):
'''
:param data: tensor.cuda() | [N,C,H,W] | [0,1]
:return: tensor.cuda() | [N,C,H,W] | [0,1]
'''
# defence
data = np.transpose(data.cpu().numpy(), [0, 3, 2, 1])
res = JpegCompression(clip_values=(0, 1))(data)[0]
return torch.from_numpy(np.transpose(res, [0, 3, 2, 1])).cuda()
def test_check_params(art_warning):
try:
with pytest.raises(ValueError):
JpegCompression(clip_values=(-1, 255))
with pytest.raises(ValueError):
_ = JpegCompression(clip_values=(0, 2))
with pytest.raises(ValueError):
_ = JpegCompression(clip_values=(0, 1), quality=-1)
with pytest.raises(ValueError):
_ = JpegCompression(clip_values=(0, 1, 2))
with pytest.raises(ValueError):
_ = JpegCompression(clip_values=(0, 1), verbose="False")
except ARTTestException as e:
art_warning(e)
def test_defences_predict(art_warning, get_default_mnist_subset,
image_dl_estimator_defended, image_dl_estimator):
try:
(_, _), (x_test_mnist, y_test_mnist) = get_default_mnist_subset
classifier, _ = image_dl_estimator()
y_check_clean = classifier.predict(x_test_mnist)
clip_values = (0, 1)
classifier_defended, _ = image_dl_estimator_defended(
defenses=["FeatureSqueezing"])
assert len(classifier_defended.preprocessing_defences) == 1
y_defended = classifier_defended.predict(x_test_mnist)
fs = FeatureSqueezing(clip_values=clip_values, bit_depth=2)
x_test_defense, _ = fs(x_test_mnist, y_test_mnist)
y_check = classifier.predict(x_test_defense)
np.testing.assert_array_almost_equal(y_defended, y_check, decimal=4)
np.testing.assert_raises(AssertionError, np.testing.assert_array_equal,
y_check, y_check_clean)
classifier_defended, _ = image_dl_estimator_defended(
defenses=["JpegCompression"])
assert len(classifier_defended.preprocessing_defences) == 1
y_defended = classifier_defended.predict(x_test_mnist)
jpeg = JpegCompression(
clip_values=clip_values,
apply_predict=True,
channels_first=classifier_defended.channels_first)
x_test_defense, _ = jpeg(x_test_mnist, y_test_mnist)
y_check = classifier.predict(x_test_defense)
np.testing.assert_array_almost_equal(y_defended, y_check, decimal=4)
np.testing.assert_raises(AssertionError, np.testing.assert_array_equal,
y_check, y_check_clean)
classifier_defended, _ = image_dl_estimator_defended(
defenses=["SpatialSmoothing"])
assert len(classifier_defended.preprocessing_defences) == 1
y_defended = classifier_defended.predict(x_test_mnist)
smooth = SpatialSmoothing(
channels_first=classifier_defended.channels_first)
x_test_defense, _ = smooth(x_test_mnist, y_test_mnist)
y_check = classifier.predict(x_test_defense)
np.testing.assert_array_almost_equal(y_defended, y_check, decimal=4)
np.testing.assert_raises(AssertionError, np.testing.assert_array_equal,
y_check, y_check_clean)
except ARTTestException as e:
art_warning(e)
def _image_dl_estimator_defended(one_classifier=False, **kwargs):
sess = None
classifier = None
clip_values = (0, 1)
fs = FeatureSqueezing(bit_depth=2, clip_values=clip_values)
defenses = []
if kwargs.get("defenses") is None:
defenses.append(fs)
else:
if "FeatureSqueezing" in kwargs.get("defenses"):
defenses.append(fs)
if "JpegCompression" in kwargs.get("defenses"):
defenses.append(
JpegCompression(clip_values=clip_values,
apply_predict=True))
if "SpatialSmoothing" in kwargs.get("defenses"):
defenses.append(SpatialSmoothing())
del kwargs["defenses"]
if framework == "tensorflow2":
classifier, _ = get_image_classifier_tf(**kwargs)
if framework == "keras":
classifier = get_image_classifier_kr(**kwargs)
if framework == "kerastf":
classifier = get_image_classifier_kr_tf(**kwargs)
if framework == "pytorch":
classifier = get_image_classifier_pt(**kwargs)
for i, defense in enumerate(defenses):
if "channels_first" in defense.params:
defenses[i].channels_first = classifier.channels_first
if classifier is not None:
classifier.set_params(preprocessing_defences=defenses)
else:
raise ARTTestFixtureNotImplemented(
"no defended image estimator",
image_dl_estimator_defended.__name__, framework,
{"defenses": defenses})
return classifier, sess
def _image_dl_estimator_defended(one_classifier=False, **kwargs):
sess = None
classifier = None
clip_values = (0, 1)
fs = FeatureSqueezing(bit_depth=2, clip_values=clip_values)
defenses = []
if kwargs.get("defenses") is None:
defenses.append(fs)
else:
if "FeatureSqueezing" in kwargs.get("defenses"):
defenses.append(fs)
if "JpegCompression" in kwargs.get("defenses"):
defenses.append(
JpegCompression(clip_values=clip_values,
apply_predict=True))
if "SpatialSmoothing" in kwargs.get("defenses"):
defenses.append(SpatialSmoothing())
del kwargs["defenses"]
if framework == "keras":
kr_classifier = get_image_classifier_kr(**kwargs)
# Get the ready-trained Keras model
classifier = KerasClassifier(model=kr_classifier._model,
clip_values=(0, 1),
preprocessing_defences=defenses)
if framework == "kerastf":
kr_tf_classifier = get_image_classifier_kr_tf(**kwargs)
classifier = KerasClassifier(model=kr_tf_classifier._model,
clip_values=(0, 1),
preprocessing_defences=defenses)
if classifier is None:
raise ARTTestFixtureNotImplemented(
"no defended image estimator",
image_dl_estimator_defended.__name__, framework,
{"defenses": defenses})
return classifier, sess
def test_jpeg_compression_video_data(self, video_batch, channels_first):
test_input, test_output = video_batch
jpeg_compression = JpegCompression(clip_values=(0, 255),
channels_first=channels_first)
assert_array_equal(jpeg_compression(test_input)[0], test_output)
def test_maximum_clip_values_error(self):
exc_msg = "'clip_values' max value must be either 1 or 255."
with pytest.raises(ValueError, match=exc_msg):
JpegCompression(clip_values=(0, 2), channels_first=True)
def test_negative_clip_values_error(self):
exc_msg = "'clip_values' min value must be 0."
with pytest.raises(ValueError, match=exc_msg):
JpegCompression(clip_values=(-1, 255), channels_first=True)
model = ModelImage()
loss_fn = nn.CrossEntropyLoss()
optimizer = optim.Adam(model.parameters(), lr=0.01)
pixelcnn = PyTorchClassifier(
model=model, loss=loss_fn, optimizer=optimizer, input_shape=(1, 28, 28), nb_classes=10, clip_values=(0, 1)
)
preproc = PixelDefend(eps=32, pixel_cnn=pixelcnn)
X_def, _ = preproc(X_adv)
preds_X_def = np.argmax(classifier.predict(X_def), axis=1)
fooling_rate = np.sum(preds_X_def != np.argmax(y_test, axis=1)) / y_test.shape[0]
logger.info('Fooling rate after Pixel Defend: %.2f%%', (fooling_rate * 100))
img_plot(y_test, preds_x_test, preds_X_adv, preds_X_def, x_test, X_adv, X_def, "pixel_defend")
# JPEG compression https://arxiv.org/abs/1608.00853
preproc = JpegCompression(clip_values=(0, 1))
X_def, _ = preproc(X_adv)
preds_X_def = np.argmax(classifier.predict(X_def), axis=1)
fooling_rate = np.sum(preds_X_def != np.argmax(y_test, axis=1)) / y_test.shape[0]
logger.info('Fooling rate after Jpeg Compression: %.2f%%', (fooling_rate * 100))
img_plot(y_test, preds_x_test, preds_X_adv, preds_X_def, x_test, X_adv, X_def, "JPEG_compression")
# Defense GAN https://arxiv.org/abs/1805.06605
# run adversarial-robustness-toolbox/utils/resources/create_inverse_gan_models.py
# for obtaining (training) Inverse GAN model.
sess = tf.Session()
gen_tf, enc_tf, z_ph, image_to_enc_ph = load_model(sess, "model-dcgan", "/home/takemoto/inverseGAN/") # model tarained with 10 epochs
gan = TensorFlowGenerator(input_ph=z_ph, model=gen_tf, sess=sess,)
inverse_gan = TensorFlowEncoder(input_ph=image_to_enc_ph, model=enc_tf, sess=sess,)
preproc = InverseGAN(sess=sess, gan=gan, inverse_gan=None)
X_def = preproc(X_adv, maxiter=20)
def defencer(adv_data,
defence_method,
clip_values,
eps=16,
bit_depth=8,
apply_fit=False,
apply_predict=True):
'''
:param adv_data: np.ndarray | [N C H W ]
:param defence_method: | str
:param clip_values:Tuple of the form `(min, max)` representing the minimum and maximum values allowed
for features. | `tuple`
:param bit_depth: The number of bits per channel for encoding the data. | 'int'
:param apply_fit: True if applied during fitting/training. | bool
:param apply_predict: True if applied during predicting. | bool
:return: defended data | np.ndarray | [N C H W]
'''
# step 1. define a defencer
if defence_method == "FeatureSqueezing":
defence = FeatureSqueezing(clip_values=clip_values,
bit_depth=bit_depth,
apply_fit=apply_fit,
apply_predict=apply_predict)
elif defence_method == "PixelDefend":
criterion = nn.CrossEntropyLoss()
# fm = 64
# pixel_cnn_model = nn.Sequential(
# MaskedConv2d('A', 3, fm, 7, 1, 3, bias=False), nn.BatchNorm2d(fm), nn.ReLU(True),
# MaskedConv2d('B', fm, fm, 7, 1, 3, bias=False), nn.BatchNorm2d(fm), nn.ReLU(True),
# MaskedConv2d('B', fm, fm, 7, 1, 3, bias=False), nn.BatchNorm2d(fm), nn.ReLU(True),
# MaskedConv2d('B', fm, fm, 7, 1, 3, bias=False), nn.BatchNorm2d(fm), nn.ReLU(True),
# MaskedConv2d('B', fm, fm, 7, 1, 3, bias=False), nn.BatchNorm2d(fm), nn.ReLU(True),
# MaskedConv2d('B', fm, fm, 7, 1, 3, bias=False), nn.BatchNorm2d(fm), nn.ReLU(True),
# MaskedConv2d('B', fm, fm, 7, 1, 3, bias=False), nn.BatchNorm2d(fm), nn.ReLU(True),
# MaskedConv2d('B', fm, fm, 7, 1, 3, bias=False), nn.BatchNorm2d(fm), nn.ReLU(True),
# nn.Conv2d(fm, 256, 1))
pixel_cnn_model = Pixel_cnn_net().cuda()
pixel_cnn_model = torch.load("models/pixel_cnn_epoch_29.pth")
# pixel_cnn_model = PixelCNN().cuda()
# print(pixel_cnn_model)
optimizer = optim.Adam(pixel_cnn_model.parameters())
pixel_cnn = PyTorchClassifier(
model=pixel_cnn_model,
clip_values=(0, 1),
loss=criterion,
optimizer=optimizer,
input_shape=(3, 32, 32),
nb_classes=10,
)
defence = PixelDefend(clip_values=clip_values,
eps=eps,
pixel_cnn=pixel_cnn,
apply_fit=apply_fit,
apply_predict=apply_predict)
adv_data = np.transpose(adv_data, [0, 3, 2, 1])
elif defence_method == "ThermometerEncoding":
defence = ThermometerEncoding(clip_values=clip_values)
elif defence_method == "TotalVarMin":
defence = TotalVarMin(clip_values=clip_values)
elif defence_method == "JPEGCompression":
defence = JpegCompression(clip_values=clip_values)
elif defence_method == "SpatialSmoothing":
defence = SpatialSmoothing(clip_values=clip_values)
adv_data = np.transpose(adv_data, [0, 3, 2, 1])
# step2. defend
# print(adv_data.shape)
res = defence(adv_data)[0]
res = np.transpose(res, [0, 3, 2, 1])
# print(res.shape)
return res
def _image_dl_estimator_defended(one_classifier=False, **kwargs):
sess = None
classifier_list = None
clip_values = (0, 1)
fs = FeatureSqueezing(bit_depth=2, clip_values=clip_values)
defenses = []
if kwargs.get("defenses") is None:
defenses.append(fs)
else:
if "FeatureSqueezing" in kwargs.get("defenses"):
defenses.append(fs)
if "JpegCompression" in kwargs.get("defenses"):
defenses.append(
JpegCompression(clip_values=clip_values,
apply_predict=True))
if "SpatialSmoothing" in kwargs.get("defenses"):
defenses.append(SpatialSmoothing())
del kwargs["defenses"]
if framework == "keras":
classifier = get_image_classifier_kr(**kwargs)
# Get the ready-trained Keras model
classifier_list = [
KerasClassifier(model=classifier._model,
clip_values=(0, 1),
preprocessing_defences=defenses)
]
if framework == "tensorflow":
logging.warning(
"{0} doesn't have a defended image classifier defined yet".
format(framework))
if framework == "pytorch":
logging.warning(
"{0} doesn't have a defended image classifier defined yet".
format(framework))
if framework == "scikitlearn":
logging.warning(
"{0} doesn't have a defended image classifier defined yet".
format(framework))
if framework == "kerastf":
classifier = get_image_classifier_kr_tf(**kwargs)
classifier_list = [
KerasClassifier(model=classifier._model,
clip_values=(0, 1),
preprocessing_defences=defenses)
]
if classifier_list is None:
return None, None
if one_classifier:
return classifier_list[0], sess
return classifier_list, sess
