def test_defences_predict(self): clip_values = (0, 1) fs = FeatureSqueezing(clip_values=clip_values, bit_depth=2) jpeg = JpegCompression(clip_values=clip_values, apply_predict=True) smooth = SpatialSmoothing() classifier_ = get_image_classifier_kr_tf() classifier = KerasClassifier(clip_values=clip_values, model=classifier_._model, preprocessing_defences=[fs, jpeg, smooth]) self.assertEqual(len(classifier.preprocessing_defences), 3) predictions_classifier = classifier.predict(self.x_test_mnist) # Apply the same defences by hand x_test_defense = self.x_test_mnist x_test_defense, _ = fs(x_test_defense, self.y_test_mnist) x_test_defense, _ = jpeg(x_test_defense, self.y_test_mnist) x_test_defense, _ = smooth(x_test_defense, self.y_test_mnist) classifier = get_image_classifier_kr_tf() predictions_check = classifier._model.predict(x_test_defense) # Check that the prediction results match np.testing.assert_array_almost_equal(predictions_classifier, predictions_check, decimal=4)
def test_maximum_clip_values_error(art_warning): try: exc_msg = "'clip_values' max value must be either 1 or 255." with pytest.raises(ValueError, match=exc_msg): JpegCompression(clip_values=(0, 2), channels_first=True) except ARTTestException as e: art_warning(e)
def test_defences_predict(get_default_mnist_subset, image_dl_estimator_defended, image_dl_estimator): (_, _), (x_test_mnist, y_test_mnist) = get_default_mnist_subset classifier, _ = image_dl_estimator_defended( one_classifier=True, defenses=["FeatureSqueezing", "JpegCompression", "SpatialSmoothing"]) if classifier is not None: assert len(classifier.preprocessing_defences) == 3 predictions_classifier = classifier.predict(x_test_mnist) # Apply the same defences by hand x_test_defense = x_test_mnist clip_values = (0, 1) fs = FeatureSqueezing(clip_values=clip_values, bit_depth=2) x_test_defense, _ = fs(x_test_defense, y_test_mnist) jpeg = JpegCompression(clip_values=clip_values, apply_predict=True) x_test_defense, _ = jpeg(x_test_defense, y_test_mnist) smooth = SpatialSmoothing() x_test_defense, _ = smooth(x_test_defense, y_test_mnist) # classifier, _ = get_image_classifier_list(one_classifier=True, from_logits=True) classifier, _ = image_dl_estimator(one_classifier=True) predictions_check = classifier._model.predict(x_test_defense) # Check that the prediction results match np.testing.assert_array_almost_equal(predictions_classifier, predictions_check, decimal=4)
def test_non_spatial_data_error(self, tabular_batch): test_input = tabular_batch jpeg_compression = JpegCompression(clip_values=(0, 255), channels_first=True) exc_msg = "Unrecognized input dimension. JPEG compression can only be applied to image and video data." with pytest.raises(ValueError, match=exc_msg): jpeg_compression(test_input)
def test_negative_clip_values_error(art_warning): try: exc_msg = "'clip_values' min value must be 0." with pytest.raises(ValueError, match=exc_msg): JpegCompression(clip_values=(-1, 255), channels_first=True) except ARTTestException as e: art_warning(e)
def test_defences_predict(get_default_mnist_subset, get_image_classifier_list): (x_train_mnist, y_train_mnist), (x_test_mnist, y_test_mnist) = get_default_mnist_subset clip_values = (0, 1) fs = FeatureSqueezing(clip_values=clip_values, bit_depth=2) jpeg = JpegCompression(clip_values=clip_values, apply_predict=True) smooth = SpatialSmoothing() classifier_, _ = get_image_classifier_list(one_classifier=True) classifier = KerasClassifier(clip_values=clip_values, model=classifier_.model, preprocessing_defences=[fs, jpeg, smooth]) assert len(classifier.preprocessing_defences) == 3 predictions_classifier = classifier.predict(x_test_mnist) # Apply the same defences by hand x_test_defense = x_test_mnist x_test_defense, _ = fs(x_test_defense, y_test_mnist) x_test_defense, _ = jpeg(x_test_defense, y_test_mnist) x_test_defense, _ = smooth(x_test_defense, y_test_mnist) classifier, _ = get_image_classifier_list(one_classifier=True) predictions_check = classifier.model.predict(x_test_defense) # Check that the prediction results match np.testing.assert_array_almost_equal(predictions_classifier, predictions_check, decimal=4)
def test_jpeg_compression_video_data(art_warning, video_batch, channels_first): try: test_input, test_output = video_batch jpeg_compression = JpegCompression(clip_values=(0, 255), channels_first=channels_first) assert_array_equal(jpeg_compression(test_input)[0], test_output) except ARTTestException as e: art_warning(e)
def test_jpeg_compress(self, image_batch, channels_first): test_input, test_output = image_batch jpeg_compression = JpegCompression(clip_values=(0, 255)) image_mode = "RGB" if test_input.shape[-1] == 3 else "L" test_single_input = np.squeeze(test_input[0]).astype(np.uint8) test_single_output = np.squeeze(test_output[0]).astype(np.uint8) assert_array_equal(jpeg_compression._compress(test_single_input, image_mode), test_single_output)
def _JpegCompression(data): ''' :param data: tensor.cuda() | [N,C,H,W] | [0,1] :return: tensor.cuda() | [N,C,H,W] | [0,1] ''' # defence data = np.transpose(data.cpu().numpy(), [0, 3, 2, 1]) res = JpegCompression(clip_values=(0, 1))(data)[0] return torch.from_numpy(np.transpose(res, [0, 3, 2, 1])).cuda()
def test_check_params(art_warning): try: with pytest.raises(ValueError): JpegCompression(clip_values=(-1, 255)) with pytest.raises(ValueError): _ = JpegCompression(clip_values=(0, 2)) with pytest.raises(ValueError): _ = JpegCompression(clip_values=(0, 1), quality=-1) with pytest.raises(ValueError): _ = JpegCompression(clip_values=(0, 1, 2)) with pytest.raises(ValueError): _ = JpegCompression(clip_values=(0, 1), verbose="False") except ARTTestException as e: art_warning(e)
def test_jpeg_compress(art_warning, image_batch, channels_first): try: test_input, test_output = image_batch # Run only for grayscale [1] and RGB [3] data because testing `_compress` which is applied internally only to # either grayscale or RGB data. if test_input.shape[-1] in [1, 3]: jpeg_compression = JpegCompression(clip_values=(0, 255)) image_mode = "RGB" if test_input.shape[-1] == 3 else "L" test_single_input = np.squeeze(test_input[0]).astype(np.uint8) test_single_output = np.squeeze(test_output[0]).astype(np.uint8) assert_array_equal(jpeg_compression._compress(test_single_input, image_mode), test_single_output) except ARTTestException as e: art_warning(e)
def test_defences_predict(art_warning, get_default_mnist_subset, image_dl_estimator_defended, image_dl_estimator): try: (_, _), (x_test_mnist, y_test_mnist) = get_default_mnist_subset classifier, _ = image_dl_estimator() y_check_clean = classifier.predict(x_test_mnist) clip_values = (0, 1) classifier_defended, _ = image_dl_estimator_defended( defenses=["FeatureSqueezing"]) assert len(classifier_defended.preprocessing_defences) == 1 y_defended = classifier_defended.predict(x_test_mnist) fs = FeatureSqueezing(clip_values=clip_values, bit_depth=2) x_test_defense, _ = fs(x_test_mnist, y_test_mnist) y_check = classifier.predict(x_test_defense) np.testing.assert_array_almost_equal(y_defended, y_check, decimal=4) np.testing.assert_raises(AssertionError, np.testing.assert_array_equal, y_check, y_check_clean) classifier_defended, _ = image_dl_estimator_defended( defenses=["JpegCompression"]) assert len(classifier_defended.preprocessing_defences) == 1 y_defended = classifier_defended.predict(x_test_mnist) jpeg = JpegCompression( clip_values=clip_values, apply_predict=True, channels_first=classifier_defended.channels_first) x_test_defense, _ = jpeg(x_test_mnist, y_test_mnist) y_check = classifier.predict(x_test_defense) np.testing.assert_array_almost_equal(y_defended, y_check, decimal=4) np.testing.assert_raises(AssertionError, np.testing.assert_array_equal, y_check, y_check_clean) classifier_defended, _ = image_dl_estimator_defended( defenses=["SpatialSmoothing"]) assert len(classifier_defended.preprocessing_defences) == 1 y_defended = classifier_defended.predict(x_test_mnist) smooth = SpatialSmoothing( channels_first=classifier_defended.channels_first) x_test_defense, _ = smooth(x_test_mnist, y_test_mnist) y_check = classifier.predict(x_test_defense) np.testing.assert_array_almost_equal(y_defended, y_check, decimal=4) np.testing.assert_raises(AssertionError, np.testing.assert_array_equal, y_check, y_check_clean) except ARTTestException as e: art_warning(e)
def _image_dl_estimator_defended(one_classifier=False, **kwargs): sess = None classifier = None clip_values = (0, 1) fs = FeatureSqueezing(bit_depth=2, clip_values=clip_values) defenses = [] if kwargs.get("defenses") is None: defenses.append(fs) else: if "FeatureSqueezing" in kwargs.get("defenses"): defenses.append(fs) if "JpegCompression" in kwargs.get("defenses"): defenses.append( JpegCompression(clip_values=clip_values, apply_predict=True)) if "SpatialSmoothing" in kwargs.get("defenses"): defenses.append(SpatialSmoothing()) del kwargs["defenses"] if framework == "tensorflow2": classifier, _ = get_image_classifier_tf(**kwargs) if framework == "keras": classifier = get_image_classifier_kr(**kwargs) if framework == "kerastf": classifier = get_image_classifier_kr_tf(**kwargs) if framework == "pytorch": classifier = get_image_classifier_pt(**kwargs) for i, defense in enumerate(defenses): if "channels_first" in defense.params: defenses[i].channels_first = classifier.channels_first if classifier is not None: classifier.set_params(preprocessing_defences=defenses) else: raise ARTTestFixtureNotImplemented( "no defended image estimator", image_dl_estimator_defended.__name__, framework, {"defenses": defenses}) return classifier, sess
def _image_dl_estimator_defended(one_classifier=False, **kwargs): sess = None classifier = None clip_values = (0, 1) fs = FeatureSqueezing(bit_depth=2, clip_values=clip_values) defenses = [] if kwargs.get("defenses") is None: defenses.append(fs) else: if "FeatureSqueezing" in kwargs.get("defenses"): defenses.append(fs) if "JpegCompression" in kwargs.get("defenses"): defenses.append( JpegCompression(clip_values=clip_values, apply_predict=True)) if "SpatialSmoothing" in kwargs.get("defenses"): defenses.append(SpatialSmoothing()) del kwargs["defenses"] if framework == "keras": kr_classifier = get_image_classifier_kr(**kwargs) # Get the ready-trained Keras model classifier = KerasClassifier(model=kr_classifier._model, clip_values=(0, 1), preprocessing_defences=defenses) if framework == "kerastf": kr_tf_classifier = get_image_classifier_kr_tf(**kwargs) classifier = KerasClassifier(model=kr_tf_classifier._model, clip_values=(0, 1), preprocessing_defences=defenses) if classifier is None: raise ARTTestFixtureNotImplemented( "no defended image estimator", image_dl_estimator_defended.__name__, framework, {"defenses": defenses}) return classifier, sess
def test_jpeg_compression_video_data(self, video_batch, channels_first): test_input, test_output = video_batch jpeg_compression = JpegCompression(clip_values=(0, 255), channels_first=channels_first) assert_array_equal(jpeg_compression(test_input)[0], test_output)
def test_maximum_clip_values_error(self): exc_msg = "'clip_values' max value must be either 1 or 255." with pytest.raises(ValueError, match=exc_msg): JpegCompression(clip_values=(0, 2), channels_first=True)
def test_negative_clip_values_error(self): exc_msg = "'clip_values' min value must be 0." with pytest.raises(ValueError, match=exc_msg): JpegCompression(clip_values=(-1, 255), channels_first=True)
def _image_dl_estimator_defended(one_classifier=False, **kwargs): sess = None classifier_list = None clip_values = (0, 1) fs = FeatureSqueezing(bit_depth=2, clip_values=clip_values) defenses = [] if kwargs.get("defenses") is None: defenses.append(fs) else: if "FeatureSqueezing" in kwargs.get("defenses"): defenses.append(fs) if "JpegCompression" in kwargs.get("defenses"): defenses.append( JpegCompression(clip_values=clip_values, apply_predict=True)) if "SpatialSmoothing" in kwargs.get("defenses"): defenses.append(SpatialSmoothing()) del kwargs["defenses"] if framework == "keras": classifier = get_image_classifier_kr(**kwargs) # Get the ready-trained Keras model classifier_list = [ KerasClassifier(model=classifier._model, clip_values=(0, 1), preprocessing_defences=defenses) ] if framework == "tensorflow": logging.warning( "{0} doesn't have a defended image classifier defined yet". format(framework)) if framework == "pytorch": logging.warning( "{0} doesn't have a defended image classifier defined yet". format(framework)) if framework == "scikitlearn": logging.warning( "{0} doesn't have a defended image classifier defined yet". format(framework)) if framework == "kerastf": classifier = get_image_classifier_kr_tf(**kwargs) classifier_list = [ KerasClassifier(model=classifier._model, clip_values=(0, 1), preprocessing_defences=defenses) ] if classifier_list is None: return None, None if one_classifier: return classifier_list[0], sess return classifier_list, sess
def defencer(adv_data, defence_method, clip_values, eps=16, bit_depth=8, apply_fit=False, apply_predict=True): ''' :param adv_data: np.ndarray | [N C H W ] :param defence_method: | str :param clip_values:Tuple of the form `(min, max)` representing the minimum and maximum values allowed for features. | `tuple` :param bit_depth: The number of bits per channel for encoding the data. | 'int' :param apply_fit: True if applied during fitting/training. | bool :param apply_predict: True if applied during predicting. | bool :return: defended data | np.ndarray | [N C H W] ''' # step 1. define a defencer if defence_method == "FeatureSqueezing": defence = FeatureSqueezing(clip_values=clip_values, bit_depth=bit_depth, apply_fit=apply_fit, apply_predict=apply_predict) elif defence_method == "PixelDefend": criterion = nn.CrossEntropyLoss() # fm = 64 # pixel_cnn_model = nn.Sequential( # MaskedConv2d('A', 3, fm, 7, 1, 3, bias=False), nn.BatchNorm2d(fm), nn.ReLU(True), # MaskedConv2d('B', fm, fm, 7, 1, 3, bias=False), nn.BatchNorm2d(fm), nn.ReLU(True), # MaskedConv2d('B', fm, fm, 7, 1, 3, bias=False), nn.BatchNorm2d(fm), nn.ReLU(True), # MaskedConv2d('B', fm, fm, 7, 1, 3, bias=False), nn.BatchNorm2d(fm), nn.ReLU(True), # MaskedConv2d('B', fm, fm, 7, 1, 3, bias=False), nn.BatchNorm2d(fm), nn.ReLU(True), # MaskedConv2d('B', fm, fm, 7, 1, 3, bias=False), nn.BatchNorm2d(fm), nn.ReLU(True), # MaskedConv2d('B', fm, fm, 7, 1, 3, bias=False), nn.BatchNorm2d(fm), nn.ReLU(True), # MaskedConv2d('B', fm, fm, 7, 1, 3, bias=False), nn.BatchNorm2d(fm), nn.ReLU(True), # nn.Conv2d(fm, 256, 1)) pixel_cnn_model = Pixel_cnn_net().cuda() pixel_cnn_model = torch.load("models/pixel_cnn_epoch_29.pth") # pixel_cnn_model = PixelCNN().cuda() # print(pixel_cnn_model) optimizer = optim.Adam(pixel_cnn_model.parameters()) pixel_cnn = PyTorchClassifier( model=pixel_cnn_model, clip_values=(0, 1), loss=criterion, optimizer=optimizer, input_shape=(3, 32, 32), nb_classes=10, ) defence = PixelDefend(clip_values=clip_values, eps=eps, pixel_cnn=pixel_cnn, apply_fit=apply_fit, apply_predict=apply_predict) adv_data = np.transpose(adv_data, [0, 3, 2, 1]) elif defence_method == "ThermometerEncoding": defence = ThermometerEncoding(clip_values=clip_values) elif defence_method == "TotalVarMin": defence = TotalVarMin(clip_values=clip_values) elif defence_method == "JPEGCompression": defence = JpegCompression(clip_values=clip_values) elif defence_method == "SpatialSmoothing": defence = SpatialSmoothing(clip_values=clip_values) adv_data = np.transpose(adv_data, [0, 3, 2, 1]) # step2. defend # print(adv_data.shape) res = defence(adv_data)[0] res = np.transpose(res, [0, 3, 2, 1]) # print(res.shape) return res
model = ModelImage() loss_fn = nn.CrossEntropyLoss() optimizer = optim.Adam(model.parameters(), lr=0.01) pixelcnn = PyTorchClassifier( model=model, loss=loss_fn, optimizer=optimizer, input_shape=(1, 28, 28), nb_classes=10, clip_values=(0, 1) ) preproc = PixelDefend(eps=32, pixel_cnn=pixelcnn) X_def, _ = preproc(X_adv) preds_X_def = np.argmax(classifier.predict(X_def), axis=1) fooling_rate = np.sum(preds_X_def != np.argmax(y_test, axis=1)) / y_test.shape[0] logger.info('Fooling rate after Pixel Defend: %.2f%%', (fooling_rate * 100)) img_plot(y_test, preds_x_test, preds_X_adv, preds_X_def, x_test, X_adv, X_def, "pixel_defend") # JPEG compression https://arxiv.org/abs/1608.00853 preproc = JpegCompression(clip_values=(0, 1)) X_def, _ = preproc(X_adv) preds_X_def = np.argmax(classifier.predict(X_def), axis=1) fooling_rate = np.sum(preds_X_def != np.argmax(y_test, axis=1)) / y_test.shape[0] logger.info('Fooling rate after Jpeg Compression: %.2f%%', (fooling_rate * 100)) img_plot(y_test, preds_x_test, preds_X_adv, preds_X_def, x_test, X_adv, X_def, "JPEG_compression") # Defense GAN https://arxiv.org/abs/1805.06605 # run adversarial-robustness-toolbox/utils/resources/create_inverse_gan_models.py # for obtaining (training) Inverse GAN model. sess = tf.Session() gen_tf, enc_tf, z_ph, image_to_enc_ph = load_model(sess, "model-dcgan", "/home/takemoto/inverseGAN/") # model tarained with 10 epochs gan = TensorFlowGenerator(input_ph=z_ph, model=gen_tf, sess=sess,) inverse_gan = TensorFlowEncoder(input_ph=image_to_enc_ph, model=enc_tf, sess=sess,) preproc = InverseGAN(sess=sess, gan=gan, inverse_gan=None) X_def = preproc(X_adv, maxiter=20)