def test_common_corruptions():
    """Smoke-test CommonCorruptionsAttack on a tiny slice of the train split."""
    model_fn = create_undefended_keras_model_fn()
    severity = 1
    corruption_attack = attacks.CommonCorruptionsAttack(severity=severity)
    # Cap the number of evaluated datapoints so the test stays fast.
    corruption_attack._stop_after_n_datapoints = 10
    data_iter = bird_or_bicycle.get_iterator(
        'train', batch_size=2, verify_dataset=False)
    evaluate_two_class_unambiguous_model(
        model_fn,
        data_iter,
        model_name='test_common_corruption,severity=%s' % severity,
        attack_list=[corruption_attack])
def test_spatial_speed():
    """Run FastSpatialGridAttack on a few datapoints as a speed smoke test."""
    # Standard bird-or-bicycle spatial attack configuration.
    image_shape = (224, 224, 3)
    spatial_limits = [18, 18, 30]
    black_border = 20
    granularity = [5, 5, 31]

    model_fn = create_undefended_keras_model_fn()
    attack = attacks.FastSpatialGridAttack(
        model_fn,
        image_shape_hwc=image_shape,
        spatial_limits=spatial_limits,
        grid_granularity=granularity,
        black_border_size=black_border,
    )
    # Only 4 datapoints — enough to exercise the attack without a long run.
    attack._stop_after_n_datapoints = 4

    data_iter = bird_or_bicycle.get_iterator(
        'train', batch_size=2, verify_dataset=False)
    return evaluate_two_class_unambiguous_model(
        model_fn,
        data_iter,
        model_name='test_spatial',
        attack_list=[attack])
def test_undefended_keras_resnet_spatial():
    """Evaluate a pretrained ImageNet ResNet50 under FastSpatialGridAttack.

    Renamed from ``test_spatial_speed``: this file already defines a function
    with that name, and the duplicate definition shadowed the earlier one so
    pytest would only ever collect one of the two tests.
    """
    # Keras isn't being found by travis for some reason
    from tensorflow.keras.applications.resnet50 import preprocess_input

    # Variable scoping lets us use our _graph in our model_fn
    _graph = tf.Graph()
    with _graph.as_default():
        k_model = tf.keras.applications.resnet50.ResNet50(
            include_top=True,
            weights='imagenet',
            input_tensor=None,
            input_shape=None,
            pooling=None,
            classes=1000)

    def undefended_keras_model_fn(x_np):
        """A normal keras resnet that was pretrained on ImageNet"""
        x_np = preprocess_input(x_np * 255)
        with _graph.as_default():
            prob1000 = k_model.predict_on_batch(x_np) / 10
        # Keras returns softmax-ed probs, we convert them back to logits
        fake_logits1000 = np.log(prob1000)
        # Collapse the 1000 ImageNet classes into two logits by taking the
        # max logit over the bird classes and over the bicycle classes.
        bird_max_logit = np.max(
            fake_logits1000[:, CLASS_NAME_TO_IMAGENET_CLASS['bird']], axis=1)
        bicycle_max_logit = np.max(
            fake_logits1000[:, CLASS_NAME_TO_IMAGENET_CLASS['bicycle']], axis=1)
        two_class_logits = np.concatenate(
            (bicycle_max_logit[:, None], bird_max_logit[:, None]), axis=1)
        return two_class_logits

    # Set up standard attack params
    bird_or_bicycle_shape = (224, 224, 3)
    bird_or_bicycle_spatial_limits = [18, 18, 30]
    bird_or_bicycle_black_border_size = 20
    grid_granularity = [5, 5, 31]

    model_fn = undefended_keras_model_fn
    spatial_attack = attacks.FastSpatialGridAttack(
        model_fn,
        image_shape_hwc=bird_or_bicycle_shape,
        spatial_limits=bird_or_bicycle_spatial_limits,
        grid_granularity=grid_granularity,
        black_border_size=bird_or_bicycle_black_border_size,
    )
    # Limit the evaluation to a single batch of 32 datapoints.
    ds_size = 32
    spatial_attack._stop_after_n_datapoints = ds_size

    dataset_iter = bird_or_bicycle.get_iterator(
        'train', batch_size=32, verify_dataset=False)
    return evaluate_two_class_unambiguous_model(
        model_fn,
        dataset_iter,
        model_name='undefended_keras_resnet_test_spatial',
        attack_list=[spatial_attack])
def test_confidence_always_right():
    """A model that always predicts the true label scores 1.0 at all coverages."""
    # One batch of all-zero images, every label set to class 1.
    batch = [np.zeros([batch_size, 28, 28, 1]), np.ones(batch_size)]
    results = eval_kit.evaluate_two_class_unambiguous_model(
        model_fn=always_one_model_fn,
        data_iter=[batch],
        model_name='always_right_model',
        attack_list=attack_list)
    for coverage_key in ('accuracy@100', 'accuracy@80'):
        assert results['clean'][coverage_key] == 1.0
def test_confidence_random():
    """A random model should score roughly 50% accuracy at all coverages."""
    # One batch of all-zero images, every label set to class 0.
    batch = [np.zeros([batch_size, 28, 28, 1]), np.zeros(batch_size)]
    results = eval_kit.evaluate_two_class_unambiguous_model(
        model_fn=random_model_fn,
        data_iter=[batch],
        model_name='random_model',
        attack_list=attack_list)
    for coverage_key in ('accuracy@100', 'accuracy@80'):
        assert_approx_equal(results['clean'][coverage_key], 0.5, significant=2)
def test_simple_spatial():
    """Smoke-test SimpleSpatialAttack on a few bird-or-bicycle datapoints."""
    # Standard spatial attack configuration for bird-or-bicycle.
    spatial_limits = [18, 18, 30]
    granularity = [5, 5, 31]

    model_fn = create_undefended_keras_model_fn()
    attack = attacks.SimpleSpatialAttack(
        spatial_limits=spatial_limits,
        grid_granularity=granularity,
        black_border_frac=0.15,
    )
    # Keep the run short: stop after four datapoints.
    attack._stop_after_n_datapoints = 4

    data_iter = bird_or_bicycle.get_iterator(
        'train', batch_size=2, verify_dataset=False)
    evaluate_two_class_unambiguous_model(
        model_fn,
        data_iter,
        model_name='test_spatial',
        attack_list=[attack])
def test_two_class_mnist_accuracy():
    """Train an mnist model on a subset of mnist and then evaluate it
    on small attacks *on the training set*.
    """
    model_fn = train_overfit_classifier(num_batches=32, batch_size=1)
    dataset_iter = mnist_utils.get_two_class_iterator(
        'train', num_datapoints=32, batch_size=1)

    # Shared MNIST attack configuration.
    spatial_limits = [10, 10, 10]
    image_shape = (28, 28, 1)
    border_size = 4

    attack_list = [
        attacks.CleanData(),
        attacks.SpsaAttack(
            model_fn,
            epsilon=0.3,
            image_shape_hwc=image_shape,
        ),
        attacks.SpsaWithRandomSpatialAttack(
            model_fn,
            epsilon=0.3,
            spatial_limits=spatial_limits,
            black_border_size=border_size,
            image_shape_hwc=image_shape,
        ),
        attacks.SpatialGridAttack(
            grid_granularity=[5, 5, 11],
            valid_check=mnist_utils.mnist_valid_check,
            spatial_limits=spatial_limits,
            black_border_size=border_size,
            image_shape_hwc=image_shape,
        ),
    ]

    boundary_attack = attacks.BoundaryWithRandomSpatialAttack(
        model_fn,
        max_l2_distortion=4,
        label_to_examples=eval_kit._get_mnist_labels_to_examples(),
        spatial_limits=spatial_limits,
        black_border_size=border_size,
        image_shape_hwc=image_shape,
    )
    # We limit the boundary attack to the first datapoint to speed up eval
    boundary_attack._stop_after_n_datapoints = 1
    attack_list.append(boundary_attack)

    results = eval_kit.evaluate_two_class_unambiguous_model(
        model_fn,
        data_iter=dataset_iter,
        model_name="overfit_mnist",
        attack_list=attack_list)

    # Make sure that clean data has high accuracy
    assert results['clean']['accuracy@100'] >= 0.9

    # Make sure that attacks reduce accuracy
    assert results['spatial_grid']['accuracy@100'] <= 0.7
    assert results['spsa']['accuracy@100'] <= 0.6
    assert results['spsa_with_random_spatial']['accuracy@100'] <= 0.5

    # Run a smoke test on all attacks with a batch size of one
    # TODO: Split this into a separate test
    dataset_iter = mnist_utils.get_two_class_iterator(
        'train', num_datapoints=1, batch_size=1)
    eval_kit.evaluate_two_class_mnist_model(
        model_fn,
        dataset_iter=dataset_iter,
        model_name="overfit_mnist")