def fprop(self, x, y, **kwargs): x_adv = self.attack.generate(x) d1 = self.model.fprop(x, **kwargs) d2 = self.model.fprop(x_adv, **kwargs) pairing_loss = [tf.reduce_mean(tf.square(a - b)) for a, b in zip(d1[Model.O_FEATURES], d2[Model.O_FEATURES])] pairing_loss = tf.reduce_mean(pairing_loss) loss = tf.reduce_mean(softmax_cross_entropy_with_logits( labels=y, logits=d1[Model.O_LOGITS])) loss += tf.reduce_mean(softmax_cross_entropy_with_logits( labels=y, logits=d2[Model.O_LOGITS])) return loss + self.weight * pairing_loss
def __init__(self, sess, x, logits, targeted_label, binary_search_steps, max_iterations, initial_const, clip_min, clip_max, nb_classes, batch_size): self.sess = sess self.x = x self.logits = logits assert logits.op.type != 'Softmax' self.targeted_label = targeted_label self.binary_search_steps = binary_search_steps self.max_iterations = max_iterations self.initial_const = initial_const self.clip_min = clip_min self.clip_max = clip_max self.batch_size = batch_size self.repeat = self.binary_search_steps >= 10 self.shape = tuple([self.batch_size] + list(self.x.get_shape().as_list()[1:])) self.ori_img = tf.Variable(np.zeros(self.shape), dtype=tf_dtype, name='ori_img') self.const = tf.Variable(np.zeros(self.batch_size), dtype=tf_dtype, name='const') self.score = softmax_cross_entropy_with_logits( labels=self.targeted_label, logits=self.logits) self.l2dist = reduce_sum(tf.square(self.x - self.ori_img)) # small self.const will result small adversarial perturbation self.loss = reduce_sum(self.score * self.const) + self.l2dist self.grad, = tf.gradients(self.loss, self.x)
def fprop(self, x, y, **kwargs): kwargs.update(self.kwargs) if self.attack is not None: attack_params = copy.copy(self.attack_params) if attack_params is None: attack_params = {} if self.pass_y: attack_params['y'] = y x = x, self.attack.generate(x, **attack_params) coeffs = [1. - self.adv_coeff, self.adv_coeff] if self.adv_coeff == 1.: x = (x[1],) coeffs = (coeffs[1],) else: x = tuple([x]) coeffs = [1.] assert np.allclose(sum(coeffs), 1.) # Catching RuntimeError: Variable -= value not supported by tf.eager. try: y -= self.smoothing * (y - 1. / tf.cast(y.shape[-1], y.dtype)) except RuntimeError: y.assign_sub(self.smoothing * (y - 1. / tf.cast(y.shape[-1], y.dtype))) logits = [self.model.get_logits(x, **kwargs) for x in x] loss = sum( coeff * tf.reduce_mean(softmax_cross_entropy_with_logits(labels=y, logits=logit)) for coeff, logit in safe_zip(coeffs, logits)) return loss
def body(i, ax, m): """Do a momentum step""" logits = self.model.get_logits(ax) loss = softmax_cross_entropy_with_logits(labels=y, logits=logits) if targeted: loss = -loss # Define gradient of loss wrt input grad, = tf.gradients(ys=loss, xs=ax) # Normalize current gradient and add it to the accumulated gradient red_ind = list(range(1, len(grad.get_shape()))) avoid_zero_div = tf.cast(1e-12, grad.dtype) grad = grad / tf.maximum( avoid_zero_div, reduce_mean(tf.abs(grad), red_ind, keepdims=True)) m = self.decay_factor * m + grad optimal_perturbation = optimize_linear(m, self.eps_iter, self.ord) if self.ord == 1: raise NotImplementedError("This attack hasn't been tested for ord=1." "It's not clear that FGM makes a good inner " "loop step for iterative optimization since " "it updates just one coordinate at a time.") # Update and clip adversarial example in current iteration ax = ax + optimal_perturbation ax = x + utils_tf.clip_eta(ax - x, self.ord, self.eps) if self.clip_min is not None and self.clip_max is not None: ax = utils_tf.clip_by_value(ax, self.clip_min, self.clip_max) ax = tf.stop_gradient(ax) return i + 1, ax, m
def fprop(self, x, y, **kwargs): x_adv = self.attack(x) d1 = self.model.fprop(x, **kwargs) d2 = self.model.fprop(x_adv, **kwargs) pairing_loss = [tf.reduce_mean(tf.square(a - b)) for a, b in zip(d1[Model.O_FEATURES], d2[Model.O_FEATURES])] pairing_loss = tf.reduce_mean(pairing_loss) loss = softmax_cross_entropy_with_logits( labels=y, logits=d1[Model.O_LOGITS]) loss += softmax_cross_entropy_with_logits( labels=y, logits=d2[Model.O_LOGITS]) warnings.warn("LossFeaturePairing is deprecated, switch to " "FeaturePairing. LossFeaturePairing may be removed " "on or after 2019-03-06.") return loss + self.weight * pairing_loss
def body(i, ax, m): """Do a momentum step""" if loss_type == 'softmax': logits = self.model.get_logits(ax) early_stop = False if early_stop: # i = tf.cond(tf.less(loss, early_stop_loss_threshold), lambda: self.nb_iter, lambda: i) max_y = tf.argmax(y, axis=-1, name='max_y') max_logits = tf.argmax(logits, axis=-1, name='max_logits') eq = tf.equal(max_y, max_logits) eq = tf.cast(eq, dtype=tf.float32) cnt_eq = tf.reduce_sum(1 - eq) # len_txt = max_y.get_shape().as_list()[1] tot_eq = tf.equal(cnt_eq, 0) i = tf.cond(tot_eq, lambda: self.nb_iter, lambda: i) loss = softmax_cross_entropy_with_logits(labels=y, logits=logits) loss = tf.reduce_mean(loss, name='softmax_loss') elif loss_type == "ctc": time_major_logits, output_seq_len = self.model.get_logits(ax) ctc_loss = tf.nn.ctc_loss(labels=y, inputs=time_major_logits, sequence_length=output_seq_len, time_major=True, ctc_merge_repeated=True, ignore_longer_outputs_than_inputs=True) loss = tf.reduce_mean(ctc_loss, name='ctc_loss') if targeted: loss = -loss # Define gradient of loss wrt input grad, = tf.gradients(loss, ax) # Normalize current gradient and add it to the accumulated gradient red_ind = list(range(1, len(grad.get_shape()))) avoid_zero_div = tf.cast(1e-12, grad.dtype) grad = grad / tf.maximum(avoid_zero_div, tf.reduce_mean(tf.abs(grad), red_ind, keepdims=True)) m = self.decay_factor * m + grad # optimal_perturbation = optimize_linear(m, self.eps_iter, self.ord) optimal_perturbation = optimize_linear_pos(m, self.eps_iter, self.ord, self.pert_type) optimal_perturbation = tf.multiply(optimal_perturbation, self.mask, name="op_multiply") if self.ord == 1: raise NotImplementedError("This attack hasn't been tested for ord=1. It's not clear that FGM makes a good inner loop step " "for iterative optimization since it updates just one coordinate at a time.") # Update and clip adversarial example in current iteration ax = ax + optimal_perturbation ax = x + utils_tf.clip_eta(ax - x, self.ord, self.eps) if self.clip_min is not None and self.clip_max is not None: ax = utils_tf.clip_by_value(ax, self.clip_min, self.clip_max) ax = tf.stop_gradient(ax) return i + 1, ax, m
def fprop(self, x, y, **kwargs): mix = tf_distributions.Beta(self.beta, self.beta) mix = mix.sample([tf.shape(x)[0]] + [1] * (len(x.shape) - 1)) xm = x + mix * (x[::-1] - x) ym = y + mix * (y[::-1] - y) logits = self.model.get_logits(xm, **kwargs) loss = softmax_cross_entropy_with_logits(labels=ym, logits=logits) warnings.warn("LossMixUp is deprecated, switch to " "MixUp. LossFeaturePairing may be removed " "on or after 2019-03-06.") return loss
def attack_softmax_cross_entropy(y, probs, mean=True): """ Define target loss for an Attack. :param y: 2D tensor, one hot labels. :param probs: 2D tensor, probability distribution output from the model. :param mean: bool, reduce mean loss when true. :return: return mean of loss if True, otherwise return vector with per sample loss """ logits = probs.op.inputs[0] if probs.op.type == 'Softmax' else probs out = softmax_cross_entropy_with_logits(logits=logits, labels=y) return tf.reduce_mean(out) if mean else out
def fprop(self, x, y, **kwargs): with tf.device('/CPU:0'): # Prevent error complaining GPU kernels unavailable for this. mix = tf.distributions.Beta(self.beta, self.beta) mix = mix.sample([tf.shape(x)[0]] + [1] * (len(x.shape) - 1)) mix = tf.maximum(mix, 1 - mix) xm = x + mix * (x[::-1] - x) ym = y + mix * (y[::-1] - y) logits = self.model.get_logits(xm, **kwargs) loss = tf.reduce_mean( softmax_cross_entropy_with_logits(labels=ym, logits=logits)) return loss
def __init__(self, sess, x, logits, targeted_label, binary_search_steps, max_iterations, initial_const, clip_min, clip_max, nb_classes, batch_size): """ Return a tensor that constructs adversarial examples for the given input. Generate uses tf.py_func in order to operate over tensors. :param sess: a TF session. :param x: A tensor with the inputs. :param logits: A tensor with model's output logits. :param targeted_label: A tensor with the target labels. :param binary_search_steps: The number of times we perform binary search to find the optimal tradeoff- constant between norm of the purturbation and cross-entropy loss of classification. :param max_iterations: The maximum number of iterations. :param initial_const: The initial tradeoff-constant to use to tune the relative importance of size of the purturbation and cross-entropy loss of the classification. :param clip_min: Minimum input component value :param clip_max: Maximum input component value :param num_labels: The number of classes in the model's output. :param batch_size: Number of attacks to run simultaneously. """ self.sess = sess self.x = x self.logits = logits assert logits.op.type != 'Softmax' self.targeted_label = targeted_label self.binary_search_steps = binary_search_steps self.max_iterations = max_iterations self.initial_const = initial_const self.clip_min = clip_min self.clip_max = clip_max self.batch_size = batch_size self.repeat = self.binary_search_steps >= 10 self.shape = tuple([self.batch_size] + list(self.x.get_shape().as_list()[1:])) self.ori_img = tf.Variable( np.zeros(self.shape), dtype=tf_dtype, name='ori_img') self.const = tf.Variable( np.zeros(self.batch_size), dtype=tf_dtype, name='const') self.score = softmax_cross_entropy_with_logits( labels=self.targeted_label, logits=self.logits) self.l2dist = reduce_sum(tf.square(self.x - self.ori_img)) # small self.const will result small adversarial perturbation self.loss = reduce_sum(self.score * self.const) + self.l2dist self.grad, = tf.gradients(self.loss, self.x)
def attack_softmax_cross_entropy(y, probs, mean=True): """ Define target loss for an Attack. :param y: 2D tensor, one hot labels. :param probs: 2D tensor, probability distribution output from the model. :param mean: bool, reduce mean loss when true. :return: return mean of loss if True, otherwise return vector with per sample loss """ if probs.op.type == 'Softmax': assert len(probs.op.inputs) == 1 logits = probs.op.inputs[0] else: raise TypeError("Not clear how to recover logits from " + str(probs)) out = softmax_cross_entropy_with_logits(logits=logits, labels=y) return tf.reduce_mean(out) if mean else out
def fprop(self, x, y, **kwargs): kwargs.update(self.kwargs) if self.attack is not None: x = x, self.attack(x) else: x = tuple([x]) # Catching RuntimeError: Variable -= value not supported by tf.eager. try: y -= self.smoothing * (y - 1. / tf.cast(y.shape[-1], y.dtype)) except RuntimeError: y.assign_sub(self.smoothing * (y - 1. / tf.cast(y.shape[-1], y.dtype))) logits = [self.model.get_logits(x, **kwargs) for x in x] loss = sum( tf.reduce_mean( softmax_cross_entropy_with_logits(labels=y, logits=logit)) for logit in logits) return loss
def fprop(self, x, y, **kwargs): if self.attack is not None: x = x, self.attack(x) else: x = tuple([x]) # Catching RuntimeError: Variable -= value not supported by tf.eager. try: y -= self.smoothing * (y - 1. / tf.cast(y.shape[-1], tf.float32)) except RuntimeError: y.assign_sub(self.smoothing * (y - 1. / tf.cast(y.shape[-1], tf.float32))) logits = [self.model.get_logits(x, **kwargs) for x in x] loss = sum( softmax_cross_entropy_with_logits(labels=y, logits=logit) for logit in logits) warnings.warn("LossCrossEntropy is deprecated, switch to " "CrossEntropy. LossCrossEntropy may be removed on " "or after 2019-03-06.") return loss
def body(i, ax, m): logits = self.model.get_logits(ax) loss = softmax_cross_entropy_with_logits(labels=y, logits=logits) if targeted: loss = -loss # print("body", loss, ax) # Define gradient of loss wrt input grad, = tf.gradients(loss, ax) grad = self.grad_smooth(grad) # Normalize current gradient and add it to the accumulated gradient grad = self.grad_norm(grad) #momentom m = self.decay_factor * m + grad m = self.grad_norm(m) optimal_perturbation = optimize_linear(m, self.eps_iter, self.ord) if self.ord == 1: raise NotImplementedError( "This attack hasn't been tested for ord=1." "It's not clear that FGM makes a good inner " "loop step for iterative optimization since " "it updates just one coordinate at a time.") # Update and clip adversarial example in current iteration ax = ax + optimal_perturbation ax = x + utils_tf.clip_eta(ax - x, self.ord, self.eps) if self.clip_min is not None and self.clip_max is not None: ax = utils_tf.clip_by_value(ax, self.clip_min, self.clip_max) ax = tf.stop_gradient(ax) return i + 1, ax, m
def model_loss(y, model, mean=True): """ Define loss of TF graph :param y: correct labels :param model: output of the model :param mean: boolean indicating whether should return mean of loss or vector of losses for each input of the batch :return: return mean of loss if True, otherwise return vector with per sample loss """ warnings.warn('This function is deprecated.') op = model.op if op.type == "Softmax": logits, = op.inputs else: logits = model out = softmax_cross_entropy_with_logits(logits=logits, labels=y) if mean: out = reduce_mean(out) return out
def model_loss(y, model, mean=True): """ Define loss of TF graph :param y: correct labels :param model: output of the model :param mean: boolean indicating whether should return mean of loss or vector of losses for each input of the batch :return: return mean of loss if True, otherwise return vector with per sample loss """ warnings.warn("This function is deprecated and will be removed on or after" " 2019-04-05. Switch to cleverhans.train.train.") op = model.op if op.type == "Softmax": (logits, ) = op.inputs else: logits = model out = softmax_cross_entropy_with_logits(logits=logits, labels=y) if mean: out = reduce_mean(out) return out
def generate(self, x, **kwargs): assert self.parse_params(**kwargs) asserts = [] if self.clip_min is not None: asserts.append(utils_tf.assert_greater_equal( x, tf.cast(self.clip_min,x.dtype))) if self.clip_max is not None: asserts.append(utils_tf.assert_less_equal( x, tf.cast(self.clip_max, x.dtype))) m_cache = tf.zeros_like(x) v_cache = tf.zeros_like(x) adv_x = x y, _nb_classes = self.get_or_guess_labels(x, kwargs) y = y / reduce_sum(y, 1, keepdims=True) targeted = (self.y_target is not None) def save_batch(directory, images, labels, iteration, batch_idx): for idx, (image, label) in enumerate(zip(images, labels)): filename = "id{}_b{}_it{}_l{}.png".format(idx, batch_idx, iteration, np.argmax(label)) save_image_np(join(directory, filename), image) for i in range(self.nb_iter): self.logger.debug("Starting #{} iteration".format(i + 1)) logits = self.model.get_logits(adv_x) loss = softmax_cross_entropy_with_logits(labels=y, logits=logits) if targeted: loss = -loss grad, = tf.gradients(loss, adv_x) red_ind = list(range(1, len(grad.get_shape()))) avoid_zero_div = tf.cast(1e-8, grad.dtype) grad = grad / tf.maximum( avoid_zero_div, reduce_mean(tf.abs(grad), red_ind, keepdims=True)) m_cache = self.betha1 * m_cache + (1 - self.betha1) * grad v_cache = self.betha2 * v_cache + (1 - self.betha2) * tf.square(grad) update = tf.divide(m_cache, tf.sqrt(v_cache + avoid_zero_div)) optimal_perturbation = optimize_linear(update, self.eps_iter, self.ord) if self.ord == 1: raise NotImplementedError("This attack hasn't been tested for ord=1." "It's not clear that FGM makes a good inner " "loop step for iterative optimization since " "it updates just one coordinate at a time.") adv_x = adv_x + optimal_perturbation adv_x = x + utils_tf.clip_eta(adv_x - x, self.ord, self.eps) if self.clip_min is not None and self.clip_max is not None: adv_x = utils_tf.clip_by_value(adv_x, self.clip_min, self.clip_max) adv_x = tf.stop_gradient(adv_x) if self.sanity_checks: with tf.control_dependencies(asserts): adv_x = tf.identity(adv_x) with self.sess.as_default(): self.sess.run(self.init_op) for batch in range(self.nb_batches): adv_x_np, y_np = self.sess.run([adv_x, y]) self.logger.debug("Saving attacked batch #{}".format(batch + 1)) save_batch(self.adv_dir, adv_x_np, y_np, i, batch)
def fgm(x, logits, y=None, eps=0.3, ord=np.inf, clip_min=None, clip_max=None, targeted=False, sanity_checks=True): """ TensorFlow implementation of the Fast Gradient Method. :param x: the input placeholder :param logits: output of model.get_logits :param y: (optional) A placeholder for the true labels. If targeted is true, then provide the target label. Otherwise, only provide this parameter if you'd like to use true labels when crafting adversarial samples. Otherwise, model predictions are used as labels to avoid the "label leaking" effect (explained in this paper: https://arxiv.org/abs/1611.01236). Default is None. Labels should be one-hot-encoded. :param eps: the epsilon (input variation parameter) :param ord: (optional) Order of the norm (mimics NumPy). Possible values: np.inf, 1 or 2. :param clip_min: Minimum float value for adversarial example components :param clip_max: Maximum float value for adversarial example components :param targeted: Is the attack targeted or untargeted? Untargeted, the default, will try to make the label incorrect. Targeted will instead try to move in the direction of being more like y. :return: a tensor for the adversarial example """ asserts = [] # If a data range was specified, check that the input was in that range if clip_min is not None: asserts.append( utils_tf.assert_greater_equal(x, tf.cast(clip_min, x.dtype))) if clip_max is not None: asserts.append( utils_tf.assert_less_equal(x, tf.cast(clip_max, x.dtype))) # Make sure the caller has not passed probs by accident assert logits.op.type != 'Softmax' if y is None: # Using model predictions as ground truth to avoid label leaking preds_max = reduce_max(logits, 1, keepdims=True) y = tf.to_float(tf.equal(logits, preds_max)) y = tf.stop_gradient(y) y = y / reduce_sum(y, 1, keepdims=True) # Compute loss loss = softmax_cross_entropy_with_logits(labels=y, logits=logits) if targeted: loss = -loss # Define gradient of loss wrt input grad, = tf.gradients(loss, x) optimal_perturbation = optimize_linear(grad, eps, ord) # Add perturbation to original example to obtain adversarial example adv_x = x + optimal_perturbation # If clipping is needed, reset all values outside of [clip_min, clip_max] if (clip_min is not None) or (clip_max is not None): # We don't currently support one-sided clipping assert clip_min is not None and clip_max is not None adv_x = utils_tf.clip_by_value(adv_x, clip_min, clip_max) if sanity_checks: with tf.control_dependencies(asserts): adv_x = tf.identity(adv_x) return adv_x
def sparse_l1_descent(x, logits, y=None, eps=1.0, q=99, clip_min=None, clip_max=None, clip_grad=False, targeted=False, sanity_checks=True): """ TensorFlow implementation of the Dense L1 Descent Method. :param x: the input placeholder :param logits: output of model.get_logits :param y: (optional) A placeholder for the true labels. If targeted is true, then provide the target label. Otherwise, only provide this parameter if you'd like to use true labels when crafting adversarial samples. Otherwise, model predictions are used as labels to avoid the "label leaking" effect (explained in this paper: https://arxiv.org/abs/1611.01236). Default is None. Labels should be one-hot-encoded. :param eps: the epsilon (input variation parameter) :param q: the percentile above which gradient values are retained. Either a scalar or a vector of same length as the input batch dimension. :param clip_min: Minimum float value for adversarial example components :param clip_max: Maximum float value for adversarial example components :param clip_grad: (optional bool) Ignore gradient components at positions where the input is already at the boundary of the domain, and the update step will get clipped out. :param targeted: Is the attack targeted or untargeted? Untargeted, the default, will try to make the label incorrect. Targeted will instead try to move in the direction of being more like y. :return: a tensor for the adversarial example """ asserts = [] # If a data range was specified, check that the input was in that range if clip_min is not None: asserts.append( utils_tf.assert_greater_equal(x, tf.cast(clip_min, x.dtype))) if clip_max is not None: asserts.append( utils_tf.assert_less_equal(x, tf.cast(clip_max, x.dtype))) # Make sure the caller has not passed probs by accident assert logits.op.type != 'Softmax' if y is None: # Using model predictions as ground truth to avoid label leaking preds_max = reduce_max(logits, 1, keepdims=True) y = tf.to_float(tf.equal(logits, preds_max)) y = tf.stop_gradient(y) y = y / reduce_sum(y, 1, keepdims=True) # Compute loss loss = softmax_cross_entropy_with_logits(labels=y, logits=logits) if targeted: loss = -loss # Define gradient of loss wrt input grad, = tf.gradients(loss, x) if clip_grad: grad = utils_tf.zero_out_clipped_grads(grad, x, clip_min, clip_max) red_ind = list(range(1, len(grad.get_shape()))) dim = tf.reduce_prod(tf.shape(x)[1:]) abs_grad = tf.reshape(tf.abs(grad), (-1, dim)) # if q is a scalar, broadcast it to a vector of same length as the batch dim q = tf.cast(tf.broadcast_to(q, tf.shape(x)[0:1]), tf.float32) k = tf.cast(tf.floor(q / 100 * tf.cast(dim, tf.float32)), tf.int32) # `tf.sort` is much faster than `tf.contrib.distributions.percentile`. # For TF <= 1.12, use `tf.nn.top_k` as `tf.sort` is not implemented. if LooseVersion(tf.__version__) <= LooseVersion('1.12.0'): # `tf.sort` is only available in TF 1.13 onwards sorted_grad = -tf.nn.top_k(-abs_grad, k=dim, sorted=True)[0] else: sorted_grad = tf.sort(abs_grad, axis=-1) idx = tf.stack((tf.range(tf.shape(abs_grad)[0]), k), -1) percentiles = tf.gather_nd(sorted_grad, idx) tied_for_max = tf.greater_equal(abs_grad, tf.expand_dims(percentiles, -1)) tied_for_max = tf.reshape(tf.cast(tied_for_max, x.dtype), tf.shape(grad)) num_ties = tf.reduce_sum(tied_for_max, red_ind, keepdims=True) optimal_perturbation = tf.sign(grad) * tied_for_max / num_ties # Add perturbation to original example to obtain adversarial example adv_x = x + utils_tf.mul(eps, optimal_perturbation) # If clipping is needed, reset all values outside of [clip_min, clip_max] if (clip_min is not None) or (clip_max is not None): # We don't currently support one-sided clipping assert clip_min is not None and clip_max is not None adv_x = utils_tf.clip_by_value(adv_x, clip_min, clip_max) if sanity_checks: with tf.control_dependencies(asserts): adv_x = tf.identity(adv_x) return adv_x