def test_defences_predict(get_default_mnist_subset, get_image_classifier_list):
(x_train_mnist, y_train_mnist), (x_test_mnist, y_test_mnist) = get_default_mnist_subset
clip_values = (0, 1)
fs = FeatureSqueezing(clip_values=clip_values, bit_depth=2)
jpeg = JpegCompression(clip_values=clip_values, apply_predict=True)
smooth = SpatialSmoothing()
classifier_, _ = get_image_classifier_list(one_classifier=True)
classifier = KerasClassifier(
clip_values=clip_values, model=classifier_._model, preprocessing_defences=[fs, jpeg, smooth]
)
assert len(classifier.preprocessing_defences) == 3
predictions_classifier = classifier.predict(x_test_mnist)
# Apply the same defences by hand
x_test_defense = x_test_mnist
x_test_defense, _ = fs(x_test_defense, y_test_mnist)
x_test_defense, _ = jpeg(x_test_defense, y_test_mnist)
x_test_defense, _ = smooth(x_test_defense, y_test_mnist)
classifier, _ = get_image_classifier_list(one_classifier=True)
predictions_check = classifier._model.predict(x_test_defense)
# Check that the prediction results match
np.testing.assert_array_almost_equal(predictions_classifier, predictions_check, decimal=4)
def test_pickle(self):
import os
filename = 'my_classifier.p'
from art import DATA_PATH
full_path = os.path.join(DATA_PATH, filename)
folder = os.path.split(full_path)[0]
if not os.path.exists(folder):
os.makedirs(folder)
import pickle
fs = FeatureSqueezing(bit_depth=1, clip_values=(0, 1))
keras_model = KerasClassifier((0, 1),
self.functional_model,
input_layer=1,
output_layer=1,
defences=fs)
with open(full_path, 'wb') as save_file:
pickle.dump(keras_model, save_file)
# Unpickle:
with open(full_path, 'rb') as load_file:
loaded = pickle.load(load_file)
self.assertTrue(keras_model._clip_values == loaded._clip_values)
self.assertTrue(
keras_model._channel_index == loaded._channel_index)
self.assertTrue(keras_model._use_logits == loaded._use_logits)
self.assertTrue(keras_model._input_layer == loaded._input_layer)
self.assertTrue(self.functional_model.get_config() ==
loaded._model.get_config())
self.assertTrue(isinstance(loaded.defences[0], FeatureSqueezing))
os.remove(full_path)
def _parse_defences(self, defences):
self.defences = defences
if defences:
import re
pattern = re.compile("featsqueeze[1-8]?")
for d in defences:
if pattern.match(d):
try:
from art.defences import FeatureSqueezing
bit_depth = int(d[-1])
self.feature_squeeze = FeatureSqueezing(bit_depth=bit_depth)
except:
raise ValueError('You must specify the bit depth for feature squeezing: featsqueeze[1-8]')
# Add label smoothing
if d == 'labsmooth':
from art.defences import LabelSmoothing
self.label_smooth = LabelSmoothing()
# Add spatial smoothing
if d == 'smooth':
from art.defences import SpatialSmoothing
self.smooth = SpatialSmoothing()
def test_data_range(self):
x = np.arange(5)
preproc = FeatureSqueezing(clip_values=(0, 4), bit_depth=2)
x_squeezed, _ = preproc(x)
self.assertTrue(np.array_equal(x, np.arange(5)))
self.assertTrue(
np.allclose(x_squeezed, [0, 1.33, 2.67, 2.67, 4], atol=1e-1))
def test_with_defences(self):
(x_train, y_train), (x_test, y_test) = self.mnist
# Get the ready-trained Keras model
model = self.classifier_k._model
fs = FeatureSqueezing(bit_depth=1, clip_values=(0, 1))
classifier = KerasClassifier(model=model, clip_values=(0, 1), defences=fs)
# Wrap the classifier
classifier = QueryEfficientBBGradientEstimation(classifier, 20, 1 / 64., round_samples=1 / 255.)
attack = FastGradientMethod(classifier, eps=1)
x_train_adv = attack.generate(x_train)
x_test_adv = attack.generate(x_test)
self.assertFalse((x_train == x_train_adv).all())
self.assertFalse((x_test == x_test_adv).all())
train_y_pred = get_labels_np_array(classifier.predict(x_train_adv))
test_y_pred = get_labels_np_array(classifier.predict(x_test_adv))
self.assertFalse((y_train == train_y_pred).all())
self.assertFalse((y_test == test_y_pred).all())
preds = classifier.predict(x_train_adv)
acc = np.sum(np.argmax(preds, axis=1) == np.argmax(y_train, axis=1)) / y_train.shape[0]
logger.info('Accuracy on adversarial train examples with feature squeezing and limited query info: %.2f%%',
(acc * 100))
preds = classifier.predict(x_test_adv)
acc = np.sum(np.argmax(preds, axis=1) == np.argmax(y_test, axis=1)) / y_test.shape[0]
logger.info('Accuracy on adversarial test examples with feature squeezing and limited query info: %.2f%%',
(acc * 100))
def _get_image_classifier_list_defended(one_classifier=False, **kwargs):
sess = None
classifier_list = None
if framework == "keras":
classifier = utils.get_image_classifier_kr()
# Get the ready-trained Keras model
fs = FeatureSqueezing(bit_depth=1, clip_values=(0, 1))
classifier_list = [
KerasClassifier(model=classifier._model,
clip_values=(0, 1),
preprocessing_defences=fs)
]
if framework == "tensorflow":
logging.warning(
"{0} doesn't have a defended image classifier defined yet".
format(framework))
if framework == "pytorch":
logging.warning(
"{0} doesn't have a defended image classifier defined yet".
format(framework))
if framework == "scikitlearn":
logging.warning(
"{0} doesn't have a defended image classifier defined yet".
format(framework))
if classifier_list is None:
return None, None
if one_classifier:
return classifier_list[0], sess
return classifier_list, sess
def test_pickle(self):
filename = "my_classifier.p"
full_path = os.path.join(ART_DATA_PATH, filename)
folder = os.path.split(full_path)[0]
if not os.path.exists(folder):
os.makedirs(folder)
fs = FeatureSqueezing(bit_depth=1, clip_values=(0, 1))
keras_model = KerasClassifier(
self.functional_model, clip_values=(0, 1), input_layer=1, output_layer=1, preprocessing_defences=fs
)
with open(full_path, "wb") as save_file:
pickle.dump(keras_model, save_file)
# Unpickle:
with open(full_path, "rb") as load_file:
loaded = pickle.load(load_file)
self.assertEqual(keras_model._clip_values, loaded._clip_values)
self.assertEqual(keras_model._channel_index, loaded._channel_index)
self.assertEqual(keras_model._use_logits, loaded._use_logits)
self.assertEqual(keras_model._input_layer, loaded._input_layer)
self.assertEqual(self.functional_model.get_config(), loaded._model.get_config())
self.assertTrue(isinstance(loaded.preprocessing_defences[0], FeatureSqueezing))
os.remove(full_path)
def test_defences_predict(self):
clip_values = (0, 1)
fs = FeatureSqueezing(clip_values=clip_values, bit_depth=2)
jpeg = JpegCompression(clip_values=clip_values, apply_predict=True)
smooth = SpatialSmoothing()
classifier_ = get_classifier_kr()
classifier = KerasClassifier(clip_values=clip_values,
model=classifier_._model,
defences=[fs, jpeg, smooth])
self.assertEqual(len(classifier.defences), 3)
predictions_classifier = classifier.predict(self.x_test)
# Apply the same defences by hand
x_test_defense = self.x_test
x_test_defense, _ = fs(x_test_defense, self.y_test)
x_test_defense, _ = jpeg(x_test_defense, self.y_test)
x_test_defense, _ = smooth(x_test_defense, self.y_test)
classifier = get_classifier_kr()
predictions_check = classifier._model.predict(x_test_defense)
# Check that the prediction results match
np.testing.assert_array_almost_equal(predictions_classifier,
predictions_check,
decimal=4)
def test_defences_predict(self):
from art.defences import FeatureSqueezing, JpegCompression, SpatialSmoothing
(_, _), (x_test, y_test) = self.mnist
clip_values = (0, 1)
fs = FeatureSqueezing(clip_values=clip_values, bit_depth=2)
jpeg = JpegCompression(clip_values=clip_values, apply_predict=True)
smooth = SpatialSmoothing()
classifier = KerasClassifier(clip_values=clip_values,
model=self.model_mnist._model,
defences=[fs, jpeg, smooth])
self.assertEqual(len(classifier.defences), 3)
preds_classifier = classifier.predict(x_test)
# Apply the same defences by hand
x_test_defense = x_test
x_test_defense, _ = fs(x_test_defense, y_test)
x_test_defense, _ = jpeg(x_test_defense, y_test)
x_test_defense, _ = smooth(x_test_defense, y_test)
preds_check = self.model_mnist._model.predict(x_test_defense)
# Check that the prediction results match
self.assertTrue((preds_classifier - preds_check <= 1e-5).all())
def test_ones(self):
m, n = 10, 2
x = np.ones((m, n))
for depth in range(1, 50):
preproc = FeatureSqueezing(clip_values=(0, 1), bit_depth=depth)
x_squeezed, _ = preproc(x)
self.assertTrue((x_squeezed == 1).all())
def test_random(self):
m, n = 1000, 20
x = np.random.rand(m, n)
x_zero = np.where(x < 0.5)
x_one = np.where(x >= 0.5)
preproc = FeatureSqueezing(clip_values=(0, 1), bit_depth=1)
x_squeezed, _ = preproc(x)
self.assertTrue((x_squeezed[x_zero] == 0.).all())
self.assertTrue((x_squeezed[x_one] == 1.).all())
preproc = FeatureSqueezing(clip_values=(0, 1), bit_depth=2)
x_squeezed, _ = preproc(x)
self.assertFalse(
np.logical_and(0. < x_squeezed, x_squeezed < 0.33).any())
self.assertFalse(
np.logical_and(0.34 < x_squeezed, x_squeezed < 0.66).any())
self.assertFalse(
np.logical_and(0.67 < x_squeezed, x_squeezed < 1.).any())
def test_random(self):
m, n = 1000, 20
x = np.random.rand(m, n)
x_original = x.copy()
x_zero = np.where(x < 0.5)
x_one = np.where(x >= 0.5)
preproc = FeatureSqueezing(clip_values=(0, 1), bit_depth=1)
x_squeezed, _ = preproc(x)
self.assertTrue((x_squeezed[x_zero] == 0.0).all())
self.assertTrue((x_squeezed[x_one] == 1.0).all())
preproc = FeatureSqueezing(clip_values=(0, 1), bit_depth=2)
x_squeezed, _ = preproc(x)
self.assertFalse(np.logical_and(0.0 < x_squeezed, x_squeezed < 0.33).any())
self.assertFalse(np.logical_and(0.34 < x_squeezed, x_squeezed < 0.66).any())
self.assertFalse(np.logical_and(0.67 < x_squeezed, x_squeezed < 1.0).any())
# Check that x has not been modified by attack and classifier
self.assertAlmostEqual(float(np.max(np.abs(x_original - x))), 0.0, delta=0.00001)
def def_FeatureSqueezing(x_train, x_test, y_train, y_test, x_train_adv,
x_test_adv, min_, max_):
squeezer = FeatureSqueezing()
x_train_squeeze = squeezer(x_train, bit_depth=2)
x_test_squeeze = squeezer(x_test, bit_depth=2)
x_train_adv_squeeze = squeezer(x_train_adv, bit_depth=2)
x_test_adv_squeeze = squeezer(x_test_adv, bit_depth=2)
# train network
classifier = create_Neural_Network(min_, max_)
classifier.fit(x_train_squeeze, y_train, nb_epochs=5, batch_size=50)
# print result
print("After Defense\n")
evaluate(x_train_squeeze, x_test_squeeze, y_train, y_test,
x_train_adv_squeeze, x_test_adv_squeeze, classifier)
def def_FeatureSqueezing(x_train, x_test, y_train, y_test, x_train_adv, x_test_adv, min_, max_, file):
squeezer = FeatureSqueezing()
x_train_squeeze = squeezer(x_train, bit_depth=2)
x_test_squeeze = squeezer(x_test, bit_depth=2)
x_train_adv_squeeze = squeezer(x_train_adv, bit_depth=2)
x_test_adv_squeeze = squeezer(x_test_adv, bit_depth=2)
# train network
classifier = create_Neural_Network(min_, max_)
classifier.fit(x_train_squeeze, y_train, nb_epochs=5, batch_size=50)
# print result
print("After FeatureSqueezing Defense\n")
file.write("==== FeatureSqueezing Defense==== \n")
train_num = 60000
test_num = 10000
for k in range (5):
file.write("==== Attack %i ====\n" % (k))
evaluate(x_train_squeeze, x_test_squeeze, y_train, y_test, x_train_adv_squeeze[k*train_num:(k+1)*train_num], x_test_adv_squeeze[k*test_num:(k+1)*test_num], y_train, y_test, classifier, file)
def _test_with_defences(self, custom_activation=False):
from art.defences import FeatureSqueezing
# Get MNIST
(x_train, y_train), (x_test, y_test) = self.mnist
# Get the ready-trained Keras model
model = self.classifier_k._model
fs = FeatureSqueezing(bit_depth=1, clip_values=(0, 1))
classifier = KerasClassifier(model=model,
clip_values=(0, 1),
defences=fs,
custom_activation=custom_activation)
attack = FastGradientMethod(classifier, eps=1, batch_size=128)
x_train_adv = attack.generate(x_train)
x_test_adv = attack.generate(x_test)
self.assertFalse((x_train == x_train_adv).all())
self.assertFalse((x_test == x_test_adv).all())
train_y_pred = get_labels_np_array(classifier.predict(x_train_adv))
test_y_pred = get_labels_np_array(classifier.predict(x_test_adv))
self.assertFalse((y_train == train_y_pred).all())
self.assertFalse((y_test == test_y_pred).all())
preds = classifier.predict(x_train_adv)
acc = np.sum(np.argmax(preds, axis=1) == np.argmax(
y_train, axis=1)) / y_train.shape[0]
logger.info(
'Accuracy on MNIST with FGM adversarial train examples with feature squeezing: %.2f%%',
(acc * 100))
preds = classifier.predict(x_test_adv)
acc = np.sum(np.argmax(preds, axis=1) == np.argmax(
y_test, axis=1)) / y_test.shape[0]
logger.info(
'Accuracy on MNIST with FGM adversarial test examples: %.2f%%',
(acc * 100))
def test_keras_with_defences(self):
(x_train, y_train), (x_test, y_test) = self.mnist
classifier = get_classifier_kr()
# Get the ready-trained Keras model
model = classifier._model
fs = FeatureSqueezing(bit_depth=1, clip_values=(0, 1))
classifier = KerasClassifier(model=model,
clip_values=(0, 1),
defences=fs)
attack = FastGradientMethod(classifier, eps=1, batch_size=128)
x_train_adv = attack.generate(x_train)
x_test_adv = attack.generate(x_test)
self.assertFalse((x_train == x_train_adv).all())
self.assertFalse((x_test == x_test_adv).all())
train_y_pred = get_labels_np_array(classifier.predict(x_train_adv))
test_y_pred = get_labels_np_array(classifier.predict(x_test_adv))
self.assertFalse((y_train == train_y_pred).all())
self.assertFalse((y_test == test_y_pred).all())