def attack():
x_train, x_test, y_train, y_test = load_data('cifar10', 2)
min_pixel_value = x_train.min()
max_pixel_value = x_train.max()
print('min_pixel_value ', min_pixel_value)
print('max_pixel_value ', max_pixel_value)
s = time.time()
# model = BNN(['../binary/checkpoints/cifar10_mlpbnn_approx_%d.h5' % (i) for i in range(100)])
model = BNN([
'../binary/checkpoints/cifar10_mlpbnn_approx_ep004_%d.h5' % (i)
for i in range(100)
])
pred_y = model.predict(x_test)
print('pred_y: ', pred_y)
np.savetxt('pred_y', pred_y)
np.savetxt('y_test', y_test)
print('pred_y[0], pred_y[288], pred_y[888], pred_y[1990], y[-1]',
pred_y[0], pred_y[288], pred_y[888], pred_y[1990], y[-1])
print('Accuracy: ', accuracy_score(y_true=y_test, y_pred=pred_y))
# Create a model wrapper
predictWrapper = modelWrapper(model)
classifier = BlackBoxClassifier(predict=predictWrapper.predict_one_hot,
input_shape=(32 * 32 * 3, ),
nb_classes=2,
clip_values=(min_pixel_value,
max_pixel_value))
print('----- generate adv data -----')
attack = BoundaryAttack(estimator=classifier,
targeted=False,
delta=0.01,
epsilon=0.01,
max_iter=100,
num_trial=100,
sample_size=100,
init_size=100)
print('----- generate adv test data -----')
x_test = x_test[288]
# Input data shape should be 2D
x_test = x_test.reshape((-1, 32 * 32 * 3))
x_test_adv = attack.generate(x=x_test)
print('x_test ', x_test)
print('x_test_adv ', x_test_adv)
dist2 = utils.computeDist2(x_test, x_test_adv)
print('test data dist2: ', dist2)
distInf = utils.computeDistInf(x_test, x_test_adv)
print('test data distInf: ', distInf)
print('Cost time: ', time.time() - s)
def attackmodel(args, classifier, x_test, y_test, queries):
acc = []
for num_query in queries:
if args['method'] == 'square':
attack = SquareAttack(estimator=classifier,
eps=args['epsilon'],
max_iter=num_query,
norm=2)
elif args['method'] == 'zoo':
attack = ZooAttack(classifier=classifier,
max_iter=num_query,
use_resize=False,
use_importance=False)
elif args['method'] == 'boundary':
attack = BoundaryAttack(estimator=classifier,
targeted=False,
max_iter=num_query)
else:
print("wrong method")
x_test_adv = attack.generate(x=x_test)
predictions = classifier.predict(x_test_adv)
accuracy = np.sum(
np.argmax(predictions, axis=1) == np.argmax(y_test, axis=1)) / len(
y_test)
print("Query:{}, and Accuracy: {:.4f}".format(num_query, accuracy))
acc.append(accuracy)
return acc
def test_images(art_warning, fix_get_mnist_subset,
image_dl_estimator_for_attack, framework, targeted):
try:
classifier = image_dl_estimator_for_attack(BoundaryAttack)
attack = BoundaryAttack(estimator=classifier,
targeted=targeted,
max_iter=20)
if targeted:
backend_targeted_images(attack, fix_get_mnist_subset)
else:
back_end_untargeted_images(attack, fix_get_mnist_subset, framework)
except ARTTestException as e:
art_warning(e)
def test_tabular(art_warning, tabular_dl_estimator, framework,
get_iris_dataset, clipped_classifier, targeted):
try:
classifier = tabular_dl_estimator(clipped=clipped_classifier)
attack = BoundaryAttack(classifier, targeted=targeted, max_iter=10)
if targeted:
backend_targeted_tabular(attack, get_iris_dataset)
else:
backend_untargeted_tabular(attack,
get_iris_dataset,
clipped=clipped_classifier)
except ARTTestException as e:
art_warning(e)
def test_images(fix_get_mnist_subset, get_image_classifier_list_for_attack, framework, targeted):
classifier_list = get_image_classifier_list_for_attack(BoundaryAttack)
if classifier_list is None:
logging.warning("Couldn't perform this test because no classifier is defined")
return
for classifier in classifier_list:
attack = BoundaryAttack(estimator=classifier, targeted=targeted, max_iter=20)
if targeted:
backend_targeted_images(attack, fix_get_mnist_subset)
else:
back_end_untargeted_images(attack, fix_get_mnist_subset, framework)
def test_tabular(get_tabular_classifier_list, framework, get_iris_dataset, clipped_classifier, targeted):
classifier_list = get_tabular_classifier_list(BoundaryAttack, clipped=clipped_classifier)
if classifier_list is None:
logging.warning("Couldn't perform this test because no classifier is defined")
return
for classifier in classifier_list:
attack = BoundaryAttack(classifier, targeted=targeted, max_iter=10)
if targeted:
backend_targeted_tabular(attack, get_iris_dataset)
else:
backend_untargeted_tabular(attack, get_iris_dataset, clipped=clipped_classifier)
def boundary_attack_run(model_to_attack, target_image, iterations=100):
"""
This fonction runs the black box boundary attack
inputs:
-model_to_attack (tensorflow Model instance): model that will be attacked
-target_image (numpy array (32*32)): image that will be attack
-iterations (int): number of times to run the attack
output:
-degree_of_change (dict): keys: the number of the iteration, values: the degree of change
between target and adversarial image
"""
classifier = TensorFlowV2Classifier(
model=model_to_attack,
input_shape=(32, 32, 3),
clip_values=(0, 255),
nb_classes=10,
)
final_degree_of_change = {}
attack = BoundaryAttack(estimator=classifier,
targeted=False,
max_iter=0,
delta=0.001,
epsilon=0.01)
iter_step = 1
image_list = []
target = target_image
x_adv = None
for i in range(iterations):
x_adv = attack.generate(x=np.array([target]), x_adv_init=x_adv)
# clear_output()
print(
"Adversarial image at step %d." % (i * iter_step),
"L2 error",
np.linalg.norm(np.reshape(x_adv[0] - target, [-1])),
"and class label %d." % np.argmax(classifier.predict(x_adv)[0]),
)
plt.imshow(x_adv[0][..., ::-1].astype("int32"))
image_list.append(x_adv[0][..., ::-1].astype(np.uint))
plt.show(block=False)
final_degree_of_change[i * iter_step] = degree_of_change([x_adv[0]],
[target])
if hasattr(attack, "curr_delta") and hasattr(attack, "curr_epsilon"):
attack.max_iter = iter_step
attack.delta = attack.curr_delta
attack.epsilon = attack.curr_epsilon
else:
break
return final_degree_of_change
def main():
with open('data.json') as data_json:
data_params = json.load(data_json)
parser = argparse.ArgumentParser()
parser.add_argument('--data', type=str)
parser.add_argument('--data_path', type=str, default='data')
parser.add_argument('--output_path', type=str, default='results')
parser.add_argument('--pretrained', type=str, required=True)
parser.add_argument('--batch_size', type=int, default=128)
parser.add_argument('--attack', type=str, required=True, choices=data_params['attacks'])
parser.add_argument('--eps', type=float, default=0.3)
# NOTE: In CW_L2 attack, eps is the upper bound of c.
parser.add_argument('--n_samples', type=int, default=2000)
parser.add_argument('--random_state', type=int, default=1234)
args = parser.parse_args()
print(args)
set_seeds(args.random_state)
if not os.path.exists(args.output_path):
print('Output folder does not exist. Create:', args.output_path)
os.mkdir(args.output_path)
print('Dataset:', args.data)
print('Pretrained model:', args.pretrained)
print('Running attack: {}'.format(args.attack))
device = torch.device('cuda' if torch.cuda.is_available() else 'cpu')
print('Device: {}'.format(device))
# Prepare data
transforms = tv.transforms.Compose([tv.transforms.ToTensor()])
if args.data == 'mnist':
dataset_train = datasets.MNIST(args.data_path, train=True, download=True, transform=transforms)
dataset_test = datasets.MNIST(args.data_path, train=False, download=True, transform=transforms)
elif args.data == 'cifar10':
dataset_train = datasets.CIFAR10(args.data_path, train=True, download=True, transform=transforms)
dataset_test = datasets.CIFAR10(args.data_path, train=False, download=True, transform=transforms)
else:
data_path = os.path.join(args.data_path, data_params['data'][args.data]['file_name'])
print('Read file:', data_path)
X, y = load_csv(data_path)
X_train, X_test, y_train, y_test = train_test_split(
X, y,
test_size=data_params['data'][args.data]['n_test'],
random_state=args.random_state)
scaler = MinMaxScaler().fit(X_train)
X_train = scaler.transform(X_train)
X_test = scaler.transform(X_test)
dataset_train = TensorDataset(torch.from_numpy(X_train).type(torch.float32), torch.from_numpy(y_train).type(torch.long))
dataset_test = TensorDataset(torch.from_numpy(X_test).type(torch.float32), torch.from_numpy(y_test).type(torch.long))
dataloader_train = DataLoader(dataset_train, 256, shuffle=False)
dataloader_test = DataLoader(dataset_test, 256, shuffle=False)
shape_train = get_shape(dataloader_train.dataset)
shape_test = get_shape(dataloader_test.dataset)
print('Train set:', shape_train)
print('Test set:', shape_test)
# Load model
use_prob = args.attack not in ['apgd', 'apgd1', 'apgd2', 'cw2', 'cwinf']
print('Attack:', args.attack)
print('Using softmax layer:', use_prob)
if args.data == 'mnist':
model = BaseModel(use_prob=use_prob).to(device)
model_name = 'basic'
elif args.data == 'cifar10':
model_name = args.pretrained.split('_')[1]
if model_name == 'resnet':
model = Resnet(use_prob=use_prob).to(device)
elif model_name == 'vgg':
model = Vgg(use_prob=use_prob).to(device)
else:
raise ValueError('Unknown model: {}'.format(model_name))
else:
n_features = data_params['data'][args.data]['n_features']
n_classes = data_params['data'][args.data]['n_classes']
model = NumericModel(
n_features,
n_hidden=n_features * 4,
n_classes=n_classes,
use_prob=use_prob).to(device)
model_name = 'basic' + str(n_features * 4)
optimizer = optim.SGD(model.parameters(), lr=0.01,
momentum=0.9, weight_decay=5e-4)
loss = nn.CrossEntropyLoss()
pretrained_path = os.path.join(args.output_path, args.pretrained)
model.load_state_dict(torch.load(pretrained_path, map_location=device))
_, acc_train = validate(model, dataloader_train, loss, device)
_, acc_test = validate(model, dataloader_test, loss, device)
print('Accuracy on train set: {:.4f}%'.format(acc_train * 100))
print('Accuracy on test set: {:.4f}%'.format(acc_test * 100))
# Create a subset which only contains recognisable samples.
tensor_test_X, tensor_test_y = get_correct_examples(
model, dataset_test, device=device, return_tensor=True)
dataset_perfect = TensorDataset(tensor_test_X, tensor_test_y)
loader_perfect = DataLoader(dataset_perfect, batch_size=512, shuffle=False)
_, acc_perfect = validate(model, loader_perfect, loss, device)
print('Accuracy on {} filtered test examples: {:.4f}%'.format(
len(dataset_perfect), acc_perfect * 100))
# Generate adversarial examples
n_features = data_params['data'][args.data]['n_features']
n_classes = data_params['data'][args.data]['n_classes']
if isinstance(n_features, int):
n_features = (n_features,)
classifier = PyTorchClassifier(
model=model,
loss=loss,
input_shape=n_features,
optimizer=optimizer,
nb_classes=n_classes,
clip_values=(0.0, 1.0),
device_type='gpu')
if args.attack == 'apgd':
eps_step = args.eps / 10.0 if args.eps <= 0.1 else 0.1
attack = AutoProjectedGradientDescent(
estimator=classifier,
eps=args.eps,
eps_step=eps_step,
max_iter=1000,
batch_size=args.batch_size,
targeted=False)
elif args.attack == 'apgd1':
attack = AutoProjectedGradientDescent(
estimator=classifier,
norm=1,
eps=args.eps,
eps_step=0.1,
max_iter=1000,
batch_size=args.batch_size,
targeted=False)
elif args.attack == 'apgd2':
attack = AutoProjectedGradientDescent(
estimator=classifier,
norm=2,
eps=args.eps,
eps_step=0.1,
max_iter=1000,
batch_size=args.batch_size,
targeted=False)
elif args.attack == 'bim':
eps_step = args.eps / 10.0
attack = BasicIterativeMethod(
estimator=classifier,
eps=args.eps,
eps_step=eps_step,
max_iter=1000,
batch_size=args.batch_size,
targeted=False)
elif args.attack == 'boundary':
attack = BoundaryAttack(
estimator=classifier,
max_iter=1000,
sample_size=args.batch_size,
targeted=False)
elif args.attack == 'cw2':
# NOTE: Do NOT increase the batch size!
attack = CarliniWagnerAttackL2(
model=model,
n_classes=n_classes,
confidence=args.eps,
verbose=True,
check_prob=False,
batch_size=args.batch_size,
targeted=False)
elif args.attack == 'cwinf':
attack = CarliniLInfMethod(
classifier=classifier,
confidence=args.eps,
max_iter=1000,
batch_size=args.batch_size,
targeted=False)
elif args.attack == 'deepfool':
attack = DeepFool(
classifier=classifier,
epsilon=args.eps,
batch_size=args.batch_size)
elif args.attack == 'fgsm':
attack = FastGradientMethod(
estimator=classifier,
eps=args.eps,
batch_size=args.batch_size)
elif args.attack == 'jsma':
attack = SaliencyMapMethod(
classifier=classifier,
gamma=args.eps,
batch_size=args.batch_size)
elif args.attack == 'line':
if args.data == 'mnist':
color = args.eps
elif args.data == 'cifar10':
color = (args.eps, args.eps, args.eps)
else:
raise NotImplementedError
attack = LineAttack(color=color, thickness=1)
elif args.attack == 'shadow':
attack = ShadowAttack(
estimator=classifier,
batch_size=args.batch_size,
targeted=False,
verbose=False)
elif args.attack == 'watermark':
attack = WaterMarkAttack(
eps=args.eps,
n_classes=data_params['data'][args.data]['n_classes'],
x_min=0.0,
x_max=1.0,
targeted=False)
X_train, y_train = get_correct_examples(model, dataset_train, device=device, return_tensor=True)
X_train = X_train.cpu().detach().numpy()
y_train = y_train.cpu().detach().numpy()
attack.fit(X_train, y_train)
else:
raise NotImplementedError
if len(dataset_perfect) > args.n_samples:
n = args.n_samples
else:
n = len(dataset_perfect)
X_benign = tensor_test_X[:n].cpu().detach().numpy()
y = tensor_test_y[:n].cpu().detach().numpy()
print('Creating {} adversarial examples with eps={} (Not all attacks use eps)'.format(n, args.eps))
time_start = time.time()
# Shadow attack only takes single sample!
if args.attack == 'shadow':
adv = np.zeros_like(X_benign)
for i in trange(len(X_benign)):
adv[i] = attack.generate(x=np.expand_dims(X_benign[i], axis=0))
elif args.attack == 'watermark':
# This is untargeted.
adv = attack.generate(X_benign, y)
else:
adv = attack.generate(x=X_benign)
time_elapsed = time.time() - time_start
print('Total time spend: {}'.format(str(datetime.timedelta(seconds=time_elapsed))))
pred_benign = np.argmax(classifier.predict(X_benign), axis=1)
acc_benign = np.sum(pred_benign == y) / n
pred_adv = np.argmax(classifier.predict(adv), axis=1)
acc_adv = np.sum(pred_adv == y) / n
print("Accuracy on benign samples: {:.4f}%".format(acc_benign * 100))
print("Accuracy on adversarial examples: {:.4f}%".format(acc_adv * 100))
# Save results
if args.n_samples < 2000:
output_file = '{}_{}_{}_{}_size{}'.format(args.data, model_name, args.attack, str(args.eps), args.n_samples)
else:
output_file = '{}_{}_{}_{}'.format(args.data, model_name, args.attack, str(args.eps))
path_x = os.path.join(args.output_path, '{}_x.npy'.format(output_file))
path_y = os.path.join(args.output_path, '{}_y.npy'.format(output_file))
path_adv = os.path.join(args.output_path, '{}_adv.npy'.format(output_file))
np.save(path_x, X_benign)
np.save(path_y, y)
np.save(path_adv, adv)
print('Saved to:', '{}_adv.npy'.format(output_file))
print()
def main():
with open('data.json') as data_json:
data_params = json.load(data_json)
parser = argparse.ArgumentParser()
parser.add_argument('--data', type=str, required=True, choices=data_params['datasets'])
parser.add_argument('--model', type=str, default='svm', choices=['svm', 'tree'])
parser.add_argument('--data_path', type=str, default='data')
parser.add_argument('--output_path', type=str, default='results')
parser.add_argument('--attack', type=str, required=True, choices=ATTACKS)
parser.add_argument('--eps', type=float, default=0.3)
# NOTE: In CW_L2 attack, eps is the upper bound of c.
parser.add_argument('--batch_size', type=int, default=128)
parser.add_argument('--n_samples', type=int, default=2000)
parser.add_argument('--random_state', type=int, default=1234)
args = parser.parse_args()
print(args)
set_seeds(args.random_state)
if not os.path.exists(args.output_path):
print('Output folder does not exist. Create:', args.output_path)
os.mkdir(args.output_path)
print('Dataset:', args.data)
print('Running attack:', args.attack)
# Prepare data
data_path = os.path.join(args.data_path, data_params['data'][args.data]['file_name'])
print('Read file: {}'.format(data_path))
X, y = load_csv(data_path)
# Apply scaling
scaler = MinMaxScaler().fit(X)
X = scaler.transform(X)
n_test = data_params['data'][args.data]['n_test']
random_state = args.random_state
X_train, X_test, y_train, y_test = train_test_split(X, y, test_size=n_test, random_state=random_state)
# Train model
if args.model == 'svm':
model = SVC(kernel="linear", C=1.0, gamma="scale", random_state=random_state)
elif args.model == 'tree':
model = ExtraTreeClassifier(random_state=random_state)
else:
raise NotImplementedError
model.fit(X_train, y_train)
acc_train = model.score(X_train, y_train)
acc_test = model.score(X_test, y_test)
print(('Train Acc: {:.4f}, ' + 'Test Acc: {:.4f}').format(acc_train, acc_test))
# Get perfect subset
pred_test = model.predict(X_test)
idx_correct = np.where(pred_test == y_test)[0]
X_test = X_test[idx_correct]
y_test = y_test[idx_correct]
classifier = SklearnClassifier(model=model, clip_values=(0.0, 1.0))
if args.attack == 'bim':
eps_step = args.eps / 10.0
attack = BasicIterativeMethod(
estimator=classifier,
eps=args.eps,
eps_step=eps_step,
max_iter=100,
targeted=False,
batch_size=args.batch_size)
elif args.attack == 'boundary':
attack = BoundaryAttack(
estimator=classifier,
max_iter=1000,
sample_size=20,
targeted=False)
elif args.attack == 'fgsm':
attack = FastGradientMethod(
estimator=classifier,
eps=args.eps,
batch_size=args.batch_size)
elif args.attack == 'tree':
attack = DecisionTreeAttack(
classifier=classifier)
else:
raise NotImplementedError
# How many examples do we have?
if len(X_test) > args.n_samples:
n = args.n_samples
else:
n = len(X_test)
X_benign = X_test[:n]
y_true = y_test[:n]
adv = attack.generate(X_benign)
acc = model.score(adv, y_true)
print('Acc on adv:', acc)
output_file = '{}_{}_{}_{}'.format(args.data, args.model, args.attack, str(args.eps))
path_x = os.path.join(args.output_path, '{}_x.npy'.format(output_file))
path_y = os.path.join(args.output_path, '{}_y.npy'.format(output_file))
path_adv = os.path.join(args.output_path, '{}_adv.npy'.format(output_file))
np.save(path_x, X_benign)
np.save(path_y, y_true)
np.save(path_adv, adv)
print('Saved to:', path_adv)
print()
def test_check_params(art_warning, image_dl_estimator_for_attack):
try:
classifier = image_dl_estimator_for_attack(BoundaryAttack)
with pytest.raises(ValueError):
_ = BoundaryAttack(classifier, max_iter=1.0)
with pytest.raises(ValueError):
_ = BoundaryAttack(classifier, max_iter=-1)
with pytest.raises(ValueError):
_ = BoundaryAttack(classifier, num_trial=1.0)
with pytest.raises(ValueError):
_ = BoundaryAttack(classifier, num_trial=-1)
with pytest.raises(ValueError):
_ = BoundaryAttack(classifier, sample_size=1.0)
with pytest.raises(ValueError):
_ = BoundaryAttack(classifier, sample_size=-1)
with pytest.raises(ValueError):
_ = BoundaryAttack(classifier, init_size=1.0)
with pytest.raises(ValueError):
_ = BoundaryAttack(classifier, init_size=-1)
with pytest.raises(ValueError):
_ = BoundaryAttack(classifier, epsilon=-1)
with pytest.raises(ValueError):
_ = BoundaryAttack(classifier, delta=-1)
with pytest.raises(ValueError):
_ = BoundaryAttack(classifier, step_adapt=-1)
with pytest.raises(ValueError):
_ = BoundaryAttack(classifier, min_epsilon="1.0")
with pytest.raises(ValueError):
_ = BoundaryAttack(classifier, min_epsilon=-1)
with pytest.raises(ValueError):
_ = BoundaryAttack(classifier, verbose="true")
except ARTTestException as e:
art_warning(e)
def attack():
x_train, x_test, y_train, y_test = load_data('cifar10_binary', 2)
x_train = x_train.reshape((-1, 32, 32, 3)).transpose(
(0, 3, 1, 2)).astype(np.float32)
x_test = x_test.reshape((-1, 32, 32, 3)).transpose(
(0, 3, 1, 2)).astype(np.float32)
min_pixel_value = x_train.min()
max_pixel_value = x_train.max()
print('min_pixel_value ', min_pixel_value)
print('max_pixel_value ', max_pixel_value)
s = time.time()
path = '../binary/checkpoints/cifar10_binary_lenet_100.pkl'
with open(path, 'rb') as f:
model = pickle.load(f)
# Predict
# Lent and simpleNet input data shape is (-1,3, 32, 32)
# The other net input data shape is vector
# Mlp01 need to add: cuda=False
print('xtest shape1', x_test.shape)
pred_y = model.predict(x_test)
print('xtest shape1', x_test.shape)
print('pred_y: ', pred_y)
# Create a model wrapper
predictWrapper = modelWrapper(model)
classifier = BlackBoxClassifier(predict=predictWrapper.predict_one_hot,
input_shape=(3 * 32 * 32, ),
nb_classes=2,
clip_values=(min_pixel_value,
max_pixel_value))
print('----- generate adv data -----')
attack = BoundaryAttack(estimator=classifier,
targeted=False,
delta=0.01,
epsilon=0.01,
max_iter=100,
num_trial=100,
sample_size=100,
init_size=100)
print('----- generate adv test data -----')
x_test = x_test[288]
# Input data shape should be 2D
x_test = x_test.reshape((-1, 3 * 32 * 32))
x_test_adv = attack.generate(x=x_test)
np.save('x', x_test)
np.save('adv_x', x_test_adv)
print('x_test ', x_test)
print('x_test_adv ', x_test_adv)
# dist1 = utils.computeDist1(x_test, x_test_adv)
# print('test data dist1: ', dist1)
dist2 = utils.computeDist2(x_test, x_test_adv)
print('test data dist2: ', dist2)
distInf = utils.computeDistInf(x_test, x_test_adv)
print('test data distInf: ', distInf)
# avg_dist2, med_dist2 = utils.computeDist2(x_test, x_test_adv)
# print('test avg_dist2: ', avg_dist2)
# # print('test med_dist2: ', med_dist2)
# avg_distInf, med_distInf = utils.computeDistInf(x_test, x_test_adv)
# print('test avg_distInf: ', avg_distInf)
# # print('test med_distInf: ', med_distInf)
print('Cost time: ', time.time() - s)
def attack():
x_train, x_test, y_train, y_test = load_data('cifar10_binary', 2)
min_pixel_value = x_train.min()
max_pixel_value = x_train.max()
print('min_pixel_value ', min_pixel_value)
print('max_pixel_value ', max_pixel_value)
s = time.time()
path = '../binary/checkpoints/cifar10_binary_scd01mlp_100_br02_h500_nr075_ni25000_i1.pkl'
with open(path, 'rb') as f:
model = pickle.load(f)
pred_y = model.predict(x_test, cuda=False)
# np.savetxt('pred_y_mpl2', pred_y)
print('pred_y: ', pred_y)
# Create a model wrapper
predictWrapper = modelWrapper(model)
classifier = BlackBoxClassifier(predict=predictWrapper.predict_one_hot,
input_shape=(3 * 32 * 32, ),
nb_classes=2,
clip_values=(min_pixel_value,
max_pixel_value))
print('----- generate adv data -----')
attack = BoundaryAttack(estimator=classifier,
targeted=False,
delta=0.01,
epsilon=0.01,
max_iter=100,
num_trial=100,
sample_size=100,
init_size=100)
print('----- generate adv test data -----')
x_test = x_test[-1]
# Input data shape should be 2D
x_test = x_test.reshape((-1, 3 * 32 * 32))
x_test_adv = attack.generate(x=x_test)
np.save('x', x_test)
np.save('adv_x', x_test_adv)
print('x_test ', x_test)
print('x_test_adv ', x_test_adv)
# dist1 = utils.computeDist1(x_test, x_test_adv)
# print('test data dist1: ', dist1)
dist2 = utils.computeDist2(x_test, x_test_adv)
print('test data dist2: ', dist2)
distInf = utils.computeDistInf(x_test, x_test_adv)
print('test data distInf: ', distInf)
# avg_dist2, med_dist2 = utils.computeDist2(x_test, x_test_adv)
# print('test avg_dist2: ', avg_dist2)
# # print('test med_dist2: ', med_dist2)
# avg_distInf, med_distInf = utils.computeDistInf(x_test, x_test_adv)
# print('test avg_distInf: ', avg_distInf)
# # print('test med_distInf: ', med_distInf)
print('Cost time: ', time.time() - s)
def attack():
x_train, x_test, y_train, y_test = load_data('cifar10', 2)
# x_train, y_train, x_test, y_test = utils.loadData()
min_pixel_value = x_train.min()
max_pixel_value = x_train.max()
print('min_pixel_value ', min_pixel_value)
print('max_pixel_value ', max_pixel_value)
s = time.time()
path = '../binary/checkpoints/cifar10_scd01mlp_100_br02_nr075_ni1000_i1_ep2.pkl'
# path = '/home/y/yx277/research/scd01mc/binary/checkpoints/cifar10_mlp.pkl'
# path = '/research/datasci/mx42/adversarial_machine_learning/IBM_ART/checkpoints_scd_01/scd_stl10_01_v7.pkl'
with open(path, 'rb') as f:
model = pickle.load(f)
pred_y = model.predict(x_test)
# np.savetxt('pred_y_mpl2', pred_y)
print('pred_y: ', pred_y)
# Create a model wrapper
predictWrapper = modelWrapper(model)
classifier = BlackBoxClassifier(predict=predictWrapper.predict_one_hot,
input_shape=(32 * 32 * 3, ),
nb_classes=2,
clip_values=(min_pixel_value,
max_pixel_value))
print('----- generate adv data -----')
attack = BoundaryAttack(estimator=classifier,
targeted=False,
delta=0.01,
epsilon=0.01,
max_iter=500,
num_trial=100,
sample_size=100,
init_size=100)
print('----- generate adv test data -----')
x_test = x_test[0]
# Input data shape should be 2D
x_test = x_test.reshape((-1, 32 * 32 * 3))
x_test_adv = attack.generate(x=x_test)
np.save('x', x_test)
np.save('adv_x', x_test_adv)
print('x_test ', x_test)
print('x_test_adv ', x_test_adv)
# dist1 = utils.computeDist1(x_test, x_test_adv)
# print('test data dist1: ', dist1)
dist2 = utils.computeDist2(x_test, x_test_adv)
print('test data dist2: ', dist2)
distInf = utils.computeDistInf(x_test, x_test_adv)
print('test data distInf: ', distInf)
# avg_dist2, med_dist2 = utils.computeDist2(x_test, x_test_adv)
# print('test avg_dist2: ', avg_dist2)
# # print('test med_dist2: ', med_dist2)
# avg_distInf, med_distInf = utils.computeDistInf(x_test, x_test_adv)
# print('test avg_distInf: ', avg_distInf)
# # print('test med_distInf: ', med_distInf)
print('Cost time: ', time.time() - s)