def generate(self):
attacker = DeepFoolAttack(model=self.raw_model,
overshoot=self.overshoot,
max_iters=self.max_iters)
adv_samples = attacker.perturbation(xs=self.nature_samples,
device=self.device)
# prediction for the adversarial examples
adv_labels = predict(model=self.raw_model,
samples=adv_samples,
device=self.device)
adv_labels = torch.max(adv_labels, 1)[1]
adv_labels = adv_labels.cpu().numpy()
np.save(
'{}{}_AdvExamples.npy'.format(self.adv_examples_dir,
self.attack_name), adv_samples)
np.save(
'{}{}_AdvLabels.npy'.format(self.adv_examples_dir,
self.attack_name), adv_labels)
np.save(
'{}{}_TrueLabels.npy'.format(self.adv_examples_dir,
self.attack_name),
self.labels_samples)
mis = 0
for i in range(len(adv_samples)):
if self.labels_samples[i].argmax(axis=0) != adv_labels[i]:
mis = mis + 1
print(
'\nFor **{}** on **{}**: misclassification ratio is {}/{}={:.1f}%\n'
.format(self.attack_name, self.dataset, mis, len(adv_samples),
mis / len(adv_labels) * 100))
def generate(self):
attacker = OMAttack(model=self.raw_model,
kappa=self.kappa,
init_const=self.init_const,
lr=self.lr,
binary_search_steps=self.binary_search_steps,
max_iters=self.max_iter,
lower_bound=self.lower_bound,
upper_bound=self.upper_bound,
noise_count=self.noise_count,
noise_magnitude=self.noise_mag)
# get the true labels
true_labels = np.argmax(self.labels_samples, axis=1)
adv_samples = attacker.batch_perturbation(
xs=self.nature_samples,
ys=true_labels,
batch_size=self.attack_batch_size,
device=self.device)
adv_labels = predict(model=self.raw_model,
samples=adv_samples,
device=self.device)
adv_labels = torch.max(adv_labels, 1)[1]
adv_labels = adv_labels.cpu().numpy()
np.save(
'{}{}_AdvExamples.npy'.format(self.adv_examples_dir,
self.attack_name), adv_samples)
np.save(
'{}{}_AdvLabels.npy'.format(self.adv_examples_dir,
self.attack_name), adv_labels)
np.save(
'{}{}_TrueLabels.npy'.format(self.adv_examples_dir,
self.attack_name),
self.labels_samples)
mis = 0
for i in range(len(adv_samples)):
if true_labels[i] != adv_labels[i]:
mis += 1
print(
'\nFor **{}** on **{}**: misclassification ratio is {}/{}={:.1f}%\n'
.format(self.attack_name, self.dataset, mis, len(adv_samples),
mis / len(adv_labels) * 100))
def generate(self):
attacker = ILLCAttack(model=self.raw_model,
epsilon=self.epsilon,
eps_iter=self.epsilon_iter,
num_steps=self.num_steps)
# prepare the Least Likely Class labels
llc_labels = np.argmax(self.targets_samples, 1)
# generating
adv_samples = attacker.batch_perturbation(
xs=self.nature_samples,
ys_target=llc_labels,
batch_size=self.attack_batch_size,
device=self.device)
adv_labels = predict(model=self.raw_model,
samples=adv_samples,
device=self.device)
adv_labels = torch.max(adv_labels, 1)[1]
adv_labels = adv_labels.cpu().numpy()
np.save(
'{}{}_AdvExamples.npy'.format(self.adv_examples_dir,
self.attack_name), adv_samples)
np.save(
'{}{}_AdvLabels.npy'.format(self.adv_examples_dir,
self.attack_name), adv_labels)
np.save(
'{}{}_TrueLabels.npy'.format(self.adv_examples_dir,
self.attack_name),
self.labels_samples)
mis_target = 0
for i in range(len(adv_samples)):
if llc_labels[i] == adv_labels[i]:
mis_target += 1
print(
'\nFor the **{}** (targeted attack) on **{}**, the misclassified rate = {}/{} = {:.1f}%\n'
.format(self.attack_name, self.dataset, mis_target,
len(adv_samples), mis_target / len(adv_samples) * 100))
def generate(self):
attacker = JSMAAttack(model=self.raw_model, theta=self.theta, gamma=self.gamma)
# get the targeted labels
targets = np.argmax(self.targets_samples, axis=1)
# generating
adv_samples = attacker.perturbation(xs=self.nature_samples, ys_target=targets, device=self.device)
adv_labels = predict(model=self.raw_model, samples=adv_samples, device=self.device)
adv_labels = torch.max(adv_labels, 1)[1]
adv_labels = adv_labels.cpu().numpy()
np.save('{}{}_AdvExamples.npy'.format(self.adv_examples_dir, self.attack_name), adv_samples)
np.save('{}{}_AdvLabels.npy'.format(self.adv_examples_dir, self.attack_name), adv_labels)
np.save('{}{}_TrueLabels.npy'.format(self.adv_examples_dir, self.attack_name), self.labels_samples)
mis_target = 0
for i in range(len(adv_samples)):
if targets[i] == adv_labels[i]:
mis_target += 1
print('\nFor **{}**(targeted attack) on **{}**, {}/{}={:.1f}% samples are misclassified as the specified targeted label\n'.format(
self.attack_name, self.dataset, mis_target, len(adv_samples), mis_target / len(adv_samples) * 100.0))
def generate(self):
attacker = EADAttack(model=self.raw_model, kappa=self.kappa, init_const=self.init_const, lr=self.lr,
binary_search_steps=self.binary_search_steps, max_iters=self.max_iter, lower_bound=self.lower_bound,
upper_bound=self.upper_bound, beta=self.beta, EN=self.EN)
# get the targeted labels
targets = np.argmax(self.targets_samples, axis=1)
# generating
adv_samples = attacker.batch_perturbation(xs=self.nature_samples, ys_target=targets, batch_size=self.attack_batch_size,
device=self.device)
adv_labels = predict(model=self.raw_model, samples=adv_samples, device=self.device)
adv_labels = torch.max(adv_labels, 1)[1]
adv_labels = adv_labels.cpu().numpy()
np.save('{}{}_AdvExamples.npy'.format(self.adv_examples_dir, self.attack_name), adv_samples)
np.save('{}{}_AdvLabels.npy'.format(self.adv_examples_dir, self.attack_name), adv_labels)
np.save('{}{}_TrueLabels.npy'.format(self.adv_examples_dir, self.attack_name), self.labels_samples)
mis_target = 0
for i in range(len(adv_samples)):
if targets[i] == adv_labels[i]:
mis_target += 1
print('\nFor **{}**(targeted attack) on **{}**, {}/{}={:.1f}% samples are misclassified as the specified targeted label\n'.format(
self.attack_name, self.dataset, mis_target, len(adv_samples), mis_target / len(adv_samples) * 100.0))
def defense_predication(self, DefenseModelDirs, defense_name, **kwargs):
"""
:param DefenseModelDirs:
:param defense_name:
:param kwargs:
:return:
"""
re_train_defenses = {'NAT', 'EAT', 'PAT', 'DD', 'IGR'}
input_transformation_defenses = {'EIT', 'RT', 'PD', 'TE'}
other_defenses = {'RC'}
defense_name = defense_name.upper().strip()
assert defense_name in re_train_defenses or input_transformation_defenses or other_defenses
if defense_name in re_train_defenses:
print(
'\n##{}## defense is a kind of complete defenses that retrain the model'
.format(defense_name))
# load the defense-enhanced model
defended_model_location = '{}/{}/{}_{}_enhanced.pt'.format(
DefenseModelDirs, defense_name, self.dataset, defense_name)
defended_model = MNISTConvNet().to(
self.device) if self.dataset == 'MNIST' else resnet20_cifar(
).to(self.device)
defended_model.load(path=defended_model_location,
device=self.device)
defended_model.eval()
predication = predict(model=defended_model,
samples=self.adv_samples,
device=self.device)
labels = torch.argmax(predication, 1).cpu().numpy()
return labels
elif defense_name in input_transformation_defenses:
print(
'\n##{}## defense is a kind of complete defense that need to transform the images ... '
.format(defense_name))
if defense_name == 'EIT':
from Defenses.DefenseMethods.EIT import EITDefense
eit_params = {
'crop_size': kwargs['crop_size'],
'lambda_tv': kwargs['lambda_tv'],
'JPEG_quality': kwargs['JPEG_quality'],
'bit_depth': kwargs['bit_depth']
}
defended_model = MNISTConvNet().to(
self.device
) if self.dataset == 'MNIST' else resnet20_cifar().to(
self.device)
defended_model_location = '{}/{}/{}_{}_enhanced.pt'.format(
'../DefenseEnhancedModels', defense_name, self.dataset,
defense_name)
defended_model = defended_model.to(self.device)
defended_model.load(path=defended_model_location,
device=self.device)
defended_model.eval()
EIT = EITDefense(model=defended_model,
defense_name=defense_name,
dataset=self.dataset,
re_training=False,
training_parameters=None,
device=self.device,
**eit_params)
transformed_images = EIT.ensemble_input_transformations(
images=self.adv_samples)
predication = predict(model=defended_model,
samples=transformed_images,
device=self.device)
labels = torch.argmax(predication, 1).cpu().numpy()
return labels
elif defense_name == 'RT':
assert 'rt_resize' in kwargs
final_size = kwargs['rt_resize']
assert isinstance(final_size, int)
warnings.warn(
message=
'For the RT defense, the #resize# parameter is specified as {}, please check ...'
.format(final_size))
from Defenses.DefenseMethods.RT import RTDefense
rt = RTDefense(model=self.raw_model,
defense_name='RT',
dataset=self.dataset,
device=self.device)
transformed_images = rt.randomization_transformation(
samples=self.adv_samples,
original_size=self.adv_samples.shape[-1],
final_size=final_size)
predication = predict(model=self.raw_model,
samples=transformed_images,
device=self.device)
labels = torch.argmax(predication, 1).cpu().numpy()
return labels
elif defense_name == 'PD':
assert 'pd_eps' in kwargs
epsilon = kwargs['pd_eps']
warnings.warn(
message=
'For the PixelDefend defense, the #epsilon# parameter is specified as {}, please check ...'
.format(epsilon))
from Defenses.DefenseMethods.PD import PixelDefend
pd = PixelDefend(model=self.raw_model,
defense_name='PD',
dataset=self.dataset,
pixel_cnn_dir='../Defenses/',
device=self.device)
purified_images = pd.de_noising_samples_batch(
samples=self.adv_samples, batch_size=20, eps=epsilon)
predication = predict(model=self.raw_model,
samples=purified_images,
device=self.device)
labels = torch.argmax(predication, 1).cpu().numpy()
return labels
else:
assert 'te_level' in kwargs
level = kwargs['te_level']
assert defense_name == 'TE' and isinstance(level, int)
warnings.warn(
message=
'For the TE defense, the #level# parameter is specified as {}, please check ...'
.format(level))
# load the defense-enhanced model (for TE)
defended_model_location = '{}/{}/{}_{}_enhanced.pt'.format(
'../DefenseEnhancedModels', defense_name, self.dataset,
defense_name)
te_defended_model = MNISTConvNet(thermometer=True, level=level).to(self.device) if self.dataset == 'MNIST' \
else resnet20_cifar(thermometer=True, level=level).to(self.device)
te_defended_model.load(path=defended_model_location,
device=self.device)
te_defended_model.eval()
from Defenses.DefenseMethods.TE import thermometer_encoding
therm_inputs = thermometer_encoding(samples=torch.from_numpy(
self.adv_samples).to(self.device),
level=level,
device=self.device)
predication = predict(model=te_defended_model,
samples=therm_inputs,
device=self.device)
labels = torch.argmax(predication, 1).cpu().numpy()
return labels
else:
if defense_name == 'RC':
print(
'\n##{}## defense is a kind of region-based classification defenses ... '
.format(defense_name))
from Defenses.DefenseMethods.RC import RCDefense
num_points = 1000
assert 'rc_radius' in kwargs
radius = kwargs['rc_radius']
rc = RCDefense(model=self.raw_model,
defense_name='RC',
dataset=self.dataset,
device=self.device,
num_points=num_points)
labels = rc.region_based_classification(
samples=self.adv_samples, radius=radius)
return labels
else:
raise ValueError('{} is not supported!!!'.format(defense_name))
def generate(self):
attacker = UniversalAttack(model=self.raw_model,
fooling_rate=self.fooling_rate,
max_iter_universal=self.max_iter_uni,
epsilon=self.epsilon,
overshoot=self.overshoot,
max_iter_deepfool=self.max_iter_df)
assert self.dataset.upper() == 'MNIST' or self.dataset.upper(
) == 'CIFAR10', "dataset should be MNIST or CIFAR10!"
if self.dataset.upper() == 'MNIST':
samples_loader, valid_loader = get_mnist_train_validate_loader(
dir_name='../RawModels/MNIST/',
batch_size=1,
valid_size=0.3,
shuffle=True)
else: # 'CIFAR10':
mean = (0.4914, 0.4822, 0.4465)
std = (0.2023, 0.1994, 0.2010)
transform_train = transforms.Compose([
transforms.Resize((32, 32)),
transforms.ToTensor(),
transforms.Normalize((0.4914, 0.4822, 0.4465),
(0.2023, 0.1994, 0.2010)),
])
transform_test = transforms.Compose([
transforms.Resize((32, 32)),
transforms.ToTensor(),
transforms.Normalize((0.4914, 0.4822, 0.4465),
(0.2023, 0.1994, 0.2010)),
])
trainset = dset.CIFAR10(root='/home/user/PycharmProjects/data/',
train=True,
download=True,
transform=transform_train)
#samples_loader = torch.utils.data.DataLoader(trainset, batch_size=1, shuffle=True, num_workers=2)
testset = dset.CIFAR10(root='/home/user/PycharmProjects/data/',
train=False,
download=True,
transform=transform_test)
#valid_loader = torch.utils.data.DataLoader(testset, batch_size=1, shuffle=False, num_workers=2)
samples_loader, valid_loader = get_cifar10_train_validate_loader(
dir_name='../RawModels/CIFAR10/',
batch_size=1,
valid_size=0.5,
augment=False,
shuffle=True)
print(type(samples_loader))
#compute perturbation
universal_perturbation = attacker.universal_perturbation(
dataset=samples_loader,
validation=valid_loader,
device=self.device)
universal_perturbation = universal_perturbation.cpu().numpy()
np.save(
'{}{}_{}_universal_perturbation'.format(self.adv_examples_dir,
self.attack_name,
self.dataset),
universal_perturbation)
adv_samples = attacker.perturbation(xs=self.nature_samples,
uni_pert=universal_perturbation,
device=self.device)
adv_labels = predict(model=self.raw_model,
samples=adv_samples,
device=self.device)
adv_labels = torch.max(adv_labels, 1)[1]
adv_labels = adv_labels.cpu().numpy()
np.save(
'{}{}_AdvExamples.npy'.format(self.adv_examples_dir,
self.attack_name), adv_samples)
np.save(
'{}{}_AdvLabels.npy'.format(self.adv_examples_dir,
self.attack_name), adv_labels)
np.save(
'{}{}_TrueLabels.npy'.format(self.adv_examples_dir,
self.attack_name),
self.labels_samples)
mis = 0
for i in range(len(adv_samples)):
if self.labels_samples[i].argmax(axis=0) != adv_labels[i]:
mis = mis + 1
print(
'\nFor **{}** on **{}**: misclassification ratio is {}/{}={:.1f}%\n'
.format(self.attack_name, self.dataset, mis, len(adv_samples),
mis / len(adv_labels) * 100))
def generate(self):
attacker = UniversalAttack(model=self.raw_model,
fooling_rate=self.fooling_rate,
max_iter_universal=self.max_iter_uni,
epsilon=self.epsilon,
overshoot=self.overshoot,
max_iter_deepfool=self.max_iter_df)
assert self.dataset.upper() == 'MNIST' or self.dataset.upper(
) == 'CIFAR10', "dataset should be MNIST or CIFAR10!"
if self.dataset.upper() == 'MNIST':
samples_loader, valid_loader = get_mnist_train_validate_loader(
dir_name='../RawModels/MNIST/',
batch_size=1,
valid_size=0.9,
shuffle=True)
else: # 'CIFAR10':
samples_loader, valid_loader = get_cifar10_train_validate_loader(
dir_name='../RawModels/CIFAR10/',
batch_size=1,
valid_size=0.9,
augment=False,
shuffle=True)
universal_perturbation = attacker.universal_perturbation(
dataset=samples_loader,
validation=valid_loader,
device=self.device)
universal_perturbation = universal_perturbation.cpu().numpy()
np.save(
'{}{}_{}_universal_perturbation'.format(self.adv_examples_dir,
self.attack_name,
self.dataset),
universal_perturbation)
adv_samples = attacker.perturbation(xs=self.nature_samples,
uni_pert=universal_perturbation,
device=self.device)
adv_labels = predict(model=self.raw_model,
samples=adv_samples,
device=self.device)
adv_labels = torch.max(adv_labels, 1)[1]
adv_labels = adv_labels.cpu().numpy()
np.save(
'{}{}_AdvExamples.npy'.format(self.adv_examples_dir,
self.attack_name), adv_samples)
np.save(
'{}{}_AdvLabels.npy'.format(self.adv_examples_dir,
self.attack_name), adv_labels)
np.save(
'{}{}_TrueLabels.npy'.format(self.adv_examples_dir,
self.attack_name),
self.labels_samples)
mis = 0
for i in range(len(adv_samples)):
if self.labels_samples[i].argmax(axis=0) != adv_labels[i]:
mis = mis + 1
print(
'\nFor **{}** on **{}**: misclassification ratio is {}/{}={:.1f}%\n'
.format(self.attack_name, self.dataset, mis, len(adv_samples),
mis / len(adv_labels) * 100))