def poison_dataset(x_clean, y_clean, poison_func):
    """
    Poison part of a dataset with a backdoor trigger.

    For each source class ``i`` (0..9), a number of source images proportional
    to ``PP_POISON`` is backdoored and relabeled as the target class
    ``(i + 1) % 10``, then appended to the clean data.

    :param x_clean: Clean input samples.
    :param y_clean: One-hot labels for `x_clean`.
    :param poison_func: Perturbation function applied by the backdoor attack.
    :return: Tuple ``(is_poison, x_poison, y_poison)`` where ``is_poison`` is a
             boolean mask over the returned (clean + poisoned) samples.
    """
    x_poison = np.copy(x_clean)
    y_poison = np.copy(y_clean)
    is_poison = np.zeros(np.shape(y_poison)[0])

    # FIX: build the attack once — it only depends on poison_func, but the
    # original re-constructed it on every loop iteration.
    backdoor_attack = PoisoningAttackBackdoor(poison_func)

    for src in range(10):
        tgt = (src + 1) % 10
        # np.sum over a boolean mask is already an exact integer count, so the
        # former np.round() wrapper was redundant and has been dropped.
        n_points_in_tgt = np.sum(np.argmax(y_clean, axis=1) == tgt)
        # Number of poison points needed so poisons are PP_POISON of the
        # target class after injection.
        num_poison = int((PP_POISON * n_points_in_tgt) / (1 - PP_POISON))
        src_imgs = np.copy(x_clean[np.argmax(y_clean, axis=1) == src])
        n_points_in_src = np.shape(src_imgs)[0]

        if num_poison:
            indices_to_be_poisoned = np.random.choice(n_points_in_src, num_poison)
            imgs_to_be_poisoned = src_imgs[indices_to_be_poisoned]
            poison_images, poison_labels = backdoor_attack.poison(
                imgs_to_be_poisoned, y=to_categorical(np.ones(num_poison) * tgt, 10)
            )
            x_poison = np.append(x_poison, poison_images, axis=0)
            y_poison = np.append(y_poison, poison_labels, axis=0)
            is_poison = np.append(is_poison, np.ones(num_poison))

    is_poison = is_poison != 0
    return is_poison, x_poison, y_poison
def test_image_failure_modes(self):
    """
    Tests failure modes for image perturbation functions
    """
    backdoor_attack = PoisoningAttackBackdoor(self.poison_func_5)
    # BUG FIX: the original wrote `np.argmax(...) + 1 % 10`, which parses as
    # `argmax + (1 % 10)` == `argmax + 1` — the modulo never wrapped the
    # label back to 0 for class 9. Parenthesize the sum before taking % 10.
    adv_target = (np.argmax(self.y_train_mnist) + 1) % 10
    # A backdoor pattern larger than the image must be rejected.
    with self.assertRaises(ValueError) as context:
        backdoor_attack.poison(self.x_train_mnist, y=adv_target)
    self.assertIn("Backdoor does not fit inside original image", str(context.exception))

    # A 1-D input array is not a valid image batch and must be rejected.
    backdoor_attack = PoisoningAttackBackdoor(self.poison_func_6)
    with self.assertRaises(ValueError) as context:
        backdoor_attack.poison(np.zeros(5), y=np.ones(5))
    self.assertIn("Invalid array shape", str(context.exception))
def test_keras(self):
    """
    Test with a KerasClassifier.

    :return:
    """
    # Build KerasClassifier
    krc = get_image_classifier_kr_tf(loss_type="label")

    # Get MNIST
    (x_train, y_train), (_, _) = self.mnist

    # One-hot targets for class 9 and its successor class (wrapping to 0).
    target_idx = 9
    target = np.eye(10)[target_idx]
    target2 = np.eye(10)[(target_idx + 1) % 10]

    backdoor = PoisoningAttackBackdoor(add_pattern_bd)
    emb_attack = PoisoningAttackAdversarialEmbedding(krc, backdoor, 2, target)
    classifier = emb_attack.poison_estimator(x_train, y_train, nb_epochs=NB_EPOCHS)

    # Shapes of the recorded training data must match the inputs, and the
    # backdoor indicator has one 2-way entry per sample.
    data, labels, bd = emb_attack.get_training_data()
    self.assertEqual(x_train.shape, data.shape)
    self.assertEqual(y_train.shape, labels.shape)
    self.assertEqual(bd.shape, (len(x_train), 2))

    # Assert successful cloning of classifier model
    self.assertTrue(classifier is not krc)

    # Same checks with the (source, target) pair form of the target argument.
    emb_attack2 = PoisoningAttackAdversarialEmbedding(krc, backdoor, 2, [(target, target2)])
    _ = emb_attack2.poison_estimator(x_train, y_train, nb_epochs=NB_EPOCHS)

    data, labels, bd = emb_attack2.get_training_data()
    self.assertEqual(x_train.shape, data.shape)
    self.assertEqual(y_train.shape, labels.shape)
    self.assertEqual(bd.shape, (len(x_train), 2))

    # Construction with an explicit per-pair poison percentage must succeed.
    _ = PoisoningAttackAdversarialEmbedding(krc, backdoor, 2, [(target, target2)], pp_poison=[0.4])
def test_errors(self):
    """Constructor argument validation for PoisoningAttackAdversarialEmbedding."""
    krc = get_image_classifier_kr_tf(loss_type="function")
    krc_valid = get_image_classifier_kr_tf(loss_type="label")
    backdoor = PoisoningAttackBackdoor(add_pattern_bd)
    target_idx = 9
    target = np.eye(10)[target_idx]
    target2 = np.eye(10)[(target_idx + 1) % 10]

    # invalid loss function
    with self.assertRaises(TypeError):
        _ = PoisoningAttackAdversarialEmbedding(krc, backdoor, 2, target)

    # Every remaining case must raise ValueError on the valid classifier.
    # Cases are (feature_layer, target, extra keyword arguments).
    bad_configs = [
        # feature layer not real name
        ("not a layer", target, {}),
        # feature layer out of range
        (20, target, {}),
        # target misshaped
        (20, np.expand_dims(target, axis=0), {}),
        (20, [target], {}),
        # invalid hyperparameters
        (20, target, {"regularization": -1}),
        (20, target, {"discriminator_layer_1": -1}),
        (20, target, {"discriminator_layer_2": -1}),
        (20, target, {"pp_poison": -1}),
        (20, [(target, target2)], {"pp_poison": []}),
        (20, [(target, target2)], {"pp_poison": [-1]}),
    ]
    for feature_layer, tgt, kwargs in bad_configs:
        with self.assertRaises(ValueError):
            _ = PoisoningAttackAdversarialEmbedding(krc_valid, backdoor, feature_layer, tgt, **kwargs)
def test_check_params(self):
    """A non-callable perturbation (here, a string) must be rejected."""
    with self.assertRaises(ValueError):
        _ = PoisoningAttackBackdoor("self.poison_func_5")