def test_tensorflow_iris(self):
(_, _), (x_test, y_test) = self.iris
classifier, _ = get_iris_classifier_tf()
# Test untargeted attack
attack = ElasticNet(classifier, targeted=False, max_iter=10)
x_test_adv = attack.generate(x_test)
expected_x_test_adv = np.asarray([0.8479195, 0.42525578, 0.70166135, 0.28664514])
np.testing.assert_array_almost_equal(x_test_adv[0, :], expected_x_test_adv, decimal=6)
self.assertLessEqual(np.amax(x_test_adv), 1.0)
self.assertGreaterEqual(np.amin(x_test_adv), 0.0)
predictions_adv = np.argmax(classifier.predict(x_test_adv), axis=1)
np.testing.assert_array_equal(predictions_adv, np.asarray(
[1, 2, 2, 2, 1, 1, 1, 2, 1, 2, 1, 1, 1, 2, 2, 2, 2, 2, 1, 1, 1, 1, 1, 1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 1, 0, 2,
2, 1, 2, 0, 2, 2, 1, 1, 2]))
accuracy = 1.0 - np.sum(predictions_adv == np.argmax(y_test, axis=1)) / y_test.shape[0]
logger.info('EAD success rate on Iris: %.2f%%', (accuracy * 100))
# Test targeted attack
targets = random_targets(y_test, nb_classes=3)
attack = ElasticNet(classifier, targeted=True, max_iter=10)
x_test_adv = attack.generate(x_test, **{'y': targets})
expected_x_test_adv = np.asarray([0.8859426, 0.51877, 0.5014498, 0.05447771])
np.testing.assert_array_almost_equal(x_test_adv[0, :], expected_x_test_adv, decimal=6)
self.assertLessEqual(np.amax(x_test_adv), 1.0)
self.assertGreaterEqual(np.amin(x_test_adv), 0.0)
predictions_adv = np.argmax(classifier.predict(x_test_adv), axis=1)
np.testing.assert_array_equal(predictions_adv, np.asarray(
[0, 0, 0, 2, 2, 2, 2, 2, 2, 2, 2, 2, 0, 2, 0, 0, 2, 2, 0, 2, 2, 2, 2, 2, 2, 0, 0, 0, 2, 0, 2, 2, 2, 2, 2, 0,
0, 0, 2, 2, 2, 2, 2, 0, 2]))
accuracy = np.sum(predictions_adv == np.argmax(targets, axis=1)) / y_test.shape[0]
logger.info('Targeted EAD success rate on Iris: %.2f%%', (accuracy * 100))
def test_ptclassifier(self):
"""
Third test with the PyTorchClassifier.
:return:
"""
# Build PyTorchClassifier
ptc = get_classifier_pt()
# Get MNIST
(_, _), (x_test, y_test) = self.mnist
x_test = np.swapaxes(x_test, 1, 3)
# First attack
ead = ElasticNet(classifier=ptc, targeted=True, max_iter=2)
params = {'y': random_targets(y_test, ptc.nb_classes)}
x_test_adv = ead.generate(x_test, **params)
self.assertFalse((x_test == x_test_adv).all())
self.assertTrue((x_test_adv <= 1.0001).all())
self.assertTrue((x_test_adv >= -0.0001).all())
target = np.argmax(params['y'], axis=1)
y_pred_adv = np.argmax(ptc.predict(x_test_adv), axis=1)
self.assertTrue((target == y_pred_adv).any())
# Second attack
ead = ElasticNet(classifier=ptc, targeted=False, max_iter=2)
params = {'y': random_targets(y_test, ptc.nb_classes)}
x_test_adv = ead.generate(x_test, **params)
self.assertTrue((x_test_adv <= 1.0001).all())
self.assertTrue((x_test_adv >= -0.0001).all())
target = np.argmax(params['y'], axis=1)
y_pred_adv = np.argmax(ptc.predict(x_test_adv), axis=1)
self.assertTrue((target != y_pred_adv).any())
def test_iris_tf(self):
(_, _), (x_test, y_test) = self.iris
classifier, _ = get_iris_classifier_tf()
# Test untargeted attack
attack = ElasticNet(classifier, targeted=False, max_iter=10)
x_test_adv = attack.generate(x_test)
self.assertFalse((x_test == x_test_adv).all())
self.assertTrue((x_test_adv <= 1).all())
self.assertTrue((x_test_adv >= 0).all())
preds_adv = np.argmax(classifier.predict(x_test_adv), axis=1)
self.assertFalse((np.argmax(y_test, axis=1) == preds_adv).all())
acc = 1. - np.sum(
preds_adv == np.argmax(y_test, axis=1)) / y_test.shape[0]
logger.info('EAD success rate on Iris: %.2f%%', (acc * 100))
# Test targeted attack
targets = random_targets(y_test, nb_classes=3)
attack = ElasticNet(classifier, targeted=True, max_iter=10)
x_test_adv = attack.generate(x_test, **{'y': targets})
self.assertFalse((x_test == x_test_adv).all())
self.assertTrue((x_test_adv <= 1).all())
self.assertTrue((x_test_adv >= 0).all())
preds_adv = np.argmax(classifier.predict(x_test_adv), axis=1)
self.assertTrue((np.argmax(targets, axis=1) == preds_adv).any())
acc = np.sum(preds_adv == np.argmax(targets, axis=1)) / y_test.shape[0]
logger.info('Targeted EAD success rate on Iris: %.2f%%', (acc * 100))
def test_scikitlearn(self):
from sklearn.linear_model import LogisticRegression
from sklearn.svm import SVC, LinearSVC
from art.classifiers.scikitlearn import SklearnClassifier
scikitlearn_test_cases = [
LogisticRegression(solver="lbfgs", multi_class="auto"),
SVC(gamma="auto"),
LinearSVC(),
]
x_test_original = self.x_test_iris.copy()
for model in scikitlearn_test_cases:
classifier = SklearnClassifier(model=model, clip_values=(0, 1))
classifier.fit(x=self.x_test_iris, y=self.y_test_iris)
# Test untargeted attack
attack = ElasticNet(classifier, targeted=False, max_iter=2)
x_test_adv = attack.generate(self.x_test_iris)
self.assertFalse((self.x_test_iris == x_test_adv).all())
self.assertLessEqual(np.amax(x_test_adv), 1.0)
self.assertGreaterEqual(np.amin(x_test_adv), 0.0)
predictions_adv = np.argmax(classifier.predict(x_test_adv), axis=1)
self.assertFalse((np.argmax(self.y_test_iris,
axis=1) == predictions_adv).all())
accuracy = 1.0 - np.sum(predictions_adv == np.argmax(
self.y_test_iris, axis=1)) / self.y_test_iris.shape[0]
logger.info(
"EAD success rate of " + classifier.__class__.__name__ +
" on Iris: %.2f%%", (accuracy * 100))
# Test targeted attack
targets = random_targets(self.y_test_iris, nb_classes=3)
attack = ElasticNet(classifier, targeted=True, max_iter=2)
x_test_adv = attack.generate(self.x_test_iris, **{"y": targets})
self.assertFalse((self.x_test_iris == x_test_adv).all())
self.assertLessEqual(np.amax(x_test_adv), 1.0)
self.assertGreaterEqual(np.amin(x_test_adv), 0.0)
predictions_adv = np.argmax(classifier.predict(x_test_adv), axis=1)
self.assertTrue((np.argmax(targets,
axis=1) == predictions_adv).any())
accuracy = np.sum(predictions_adv == np.argmax(
targets, axis=1)) / self.y_test_iris.shape[0]
logger.info(
"Targeted EAD success rate of " +
classifier.__class__.__name__ + " on Iris: %.2f%%",
(accuracy * 100))
# Check that x_test has not been modified by attack and classifier
self.assertAlmostEqual(float(
np.max(np.abs(x_test_original - self.x_test_iris))),
0.0,
delta=0.00001)
def test_krclassifier(self):
"""
Second test with the KerasClassifier.
:return:
"""
# Initialize a tf session
session = tf.Session()
k.set_session(session)
# Get MNIST
(x_train, y_train), (x_test, y_test) = self.mnist
# Create simple CNN
model = Sequential()
model.add(Conv2D(4, kernel_size=(5, 5), activation='relu', input_shape=(28, 28, 1)))
model.add(MaxPooling2D(pool_size=(2, 2)))
model.add(Flatten())
model.add(Dense(10, activation='softmax'))
model.compile(loss=keras.losses.categorical_crossentropy, optimizer=keras.optimizers.Adam(lr=0.01),
metrics=['accuracy'])
# Get classifier
krc = KerasClassifier((0, 1), model, use_logits=False)
krc.fit(x_train, y_train, batch_size=BATCH_SIZE, nb_epochs=10)
# First attack
ead = ElasticNet(classifier=krc, targeted=True, max_iter=2)
params = {'y': random_targets(y_test, krc.nb_classes)}
x_test_adv = ead.generate(x_test, **params)
self.assertFalse((x_test == x_test_adv).all())
self.assertTrue((x_test_adv <= 1.0001).all())
self.assertTrue((x_test_adv >= -0.0001).all())
target = np.argmax(params['y'], axis=1)
y_pred_adv = np.argmax(krc.predict(x_test_adv), axis=1)
logger.debug('EAD Target: %s', target)
logger.debug('EAD Actual: %s', y_pred_adv)
logger.info('EAD Success Rate: %.2f', (sum(target == y_pred_adv) / float(len(target))))
self.assertTrue((target == y_pred_adv).any())
# Second attack
ead = ElasticNet(classifier=krc, targeted=False, max_iter=2)
params = {'y': random_targets(y_test, krc.nb_classes)}
x_test_adv = ead.generate(x_test, **params)
self.assertTrue((x_test_adv <= 1.0001).all())
self.assertTrue((x_test_adv >= -0.0001).all())
target = np.argmax(params['y'], axis=1)
y_pred_adv = np.argmax(krc.predict(x_test_adv), axis=1)
logger.debug('EAD Target: %s', target)
logger.debug('EAD Actual: %s', y_pred_adv)
logger.info('EAD Success Rate: %.2f', (sum(target != y_pred_adv) / float(len(target))))
self.assertTrue((target != y_pred_adv).any())
# Kill Keras
k.clear_session()
def test_failure_attack(self):
"""
Test the corner case when attack fails.
:return:
"""
# Build TFClassifier
tfc, sess = get_classifier_tf()
# Get MNIST
(_, _), (x_test, y_test) = self.mnist
# Failure attack
ead = ElasticNet(classifier=tfc,
targeted=True,
max_iter=0,
binary_search_steps=0,
learning_rate=0,
initial_const=1)
params = {'y': random_targets(y_test, tfc.nb_classes)}
x_test_adv = ead.generate(x_test, **params)
self.assertTrue((x_test_adv <= 1.0001).all())
self.assertTrue((x_test_adv >= -0.0001).all())
np.testing.assert_almost_equal(x_test, x_test_adv, 3)
# Kill TF
sess.close()
tf.reset_default_graph()
def test_keras_mnist(self):
"""
Second test with the KerasClassifier.
:return:
"""
(_, _), (x_test, y_test) = self.mnist
x_test_original = x_test.copy()
# Build KerasClassifier
krc = get_classifier_kr()
# First attack
ead = ElasticNet(classifier=krc, targeted=True, max_iter=2)
y_target = to_categorical(np.asarray([6, 6, 7, 4, 9, 7, 9, 0, 1, 0]), nb_classes=10)
x_test_adv = ead.generate(x_test, y=y_target)
expected_x_test_adv = np.asarray([0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.00183569, 0.0,
0.0, 0.49765405, 1., 0.6467149, 0.0033755, 0.0052456,
0.0, 0.01104407, 0.00495547, 0.02747423, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0])
np.testing.assert_array_almost_equal(x_test_adv[2, 14, :, 0], expected_x_test_adv, decimal=6)
self.assertLessEqual(np.amax(x_test_adv), 1.0)
self.assertGreaterEqual(np.amin(x_test_adv), 0.0)
target = np.argmax(y_target, axis=1)
y_pred_adv = np.argmax(krc.predict(x_test_adv), axis=1)
logger.debug('EAD target: %s', target)
logger.debug('EAD actual: %s', y_pred_adv)
logger.info('EAD success rate: %.2f%%', (100 * sum(target == y_pred_adv) / float(len(target))))
self.assertTrue((target == y_pred_adv).any())
# Second attack
ead = ElasticNet(classifier=krc, targeted=False, max_iter=2)
y_target = to_categorical(np.asarray([9, 5, 6, 7, 1, 6, 1, 5, 8, 5]), nb_classes=10)
x_test_adv = ead.generate(x_test, y=y_target)
self.assertLessEqual(np.amax(x_test_adv), 1.0)
self.assertGreaterEqual(np.amin(x_test_adv), 0.0)
y_pred_adv = np.argmax(krc.predict(x_test_adv), axis=1)
logger.debug('EAD target: %s', y_target)
logger.debug('EAD actual: %s', y_pred_adv)
logger.info('EAD success rate: %.2f', (100 * sum(target != y_pred_adv) / float(len(target))))
self.assertTrue((target != y_pred_adv).any())
np.testing.assert_array_equal(y_pred_adv, np.asarray([7, 1, 1, 4, 4, 1, 4, 4, 4, 4]))
# Check that x_test has not been modified by attack and classifier
self.assertAlmostEqual(float(np.max(np.abs(x_test_original - x_test))), 0.0, delta=0.00001)
k.clear_session()
def test_scikitlearn(self):
from sklearn.linear_model import LogisticRegression
from art.classifiers.scikitlearn import ScikitlearnLogisticRegression
scikitlearn_test_cases = {LogisticRegression: ScikitlearnLogisticRegression} # ,
# SVC: ScikitlearnSVC,
# LinearSVC: ScikitlearnSVC}
(_, _), (x_test, y_test) = self.iris
x_test_original = x_test.copy()
for (model_class, classifier_class) in scikitlearn_test_cases.items():
model = model_class()
classifier = classifier_class(model=model, clip_values=(0, 1))
classifier.fit(x=x_test, y=y_test)
# Test untargeted attack
attack = ElasticNet(classifier, targeted=False, max_iter=10)
x_test_adv = attack.generate(x_test)
self.assertFalse((x_test == x_test_adv).all())
self.assertLessEqual(np.amax(x_test_adv), 1.0)
self.assertGreaterEqual(np.amin(x_test_adv), 0.0)
predictions_adv = np.argmax(classifier.predict(x_test_adv), axis=1)
self.assertFalse((np.argmax(y_test, axis=1) == predictions_adv).all())
accuracy = 1.0 - np.sum(predictions_adv == np.argmax(y_test, axis=1)) / y_test.shape[0]
logger.info('EAD success rate of ' + classifier.__class__.__name__ + ' on Iris: %.2f%%', (accuracy * 100))
# Test targeted attack
targets = random_targets(y_test, nb_classes=3)
attack = ElasticNet(classifier, targeted=True, max_iter=10)
x_test_adv = attack.generate(x_test, **{'y': targets})
self.assertFalse((x_test == x_test_adv).all())
self.assertLessEqual(np.amax(x_test_adv), 1.0)
self.assertGreaterEqual(np.amin(x_test_adv), 0.0)
predictions_adv = np.argmax(classifier.predict(x_test_adv), axis=1)
self.assertTrue((np.argmax(targets, axis=1) == predictions_adv).any())
accuracy = np.sum(predictions_adv == np.argmax(targets, axis=1)) / y_test.shape[0]
logger.info('Targeted EAD success rate of ' + classifier.__class__.__name__ + ' on Iris: %.2f%%',
(accuracy * 100))
# Check that x_test has not been modified by attack and classifier
self.assertAlmostEqual(float(np.max(np.abs(x_test_original - x_test))), 0.0, delta=0.00001)
def test_krclassifier(self):
"""
Second test with the KerasClassifier.
:return:
"""
# Build KerasClassifier
krc, sess = get_classifier_kr()
# Get MNIST
(_, _), (x_test, y_test) = self.mnist
# First attack
ead = ElasticNet(classifier=krc, targeted=True, max_iter=2)
params = {'y': random_targets(y_test, krc.nb_classes)}
x_test_adv = ead.generate(x_test, **params)
self.assertFalse((x_test == x_test_adv).all())
self.assertTrue((x_test_adv <= 1.0001).all())
self.assertTrue((x_test_adv >= -0.0001).all())
target = np.argmax(params['y'], axis=1)
y_pred_adv = np.argmax(krc.predict(x_test_adv), axis=1)
logger.debug('EAD target: %s', target)
logger.debug('EAD actual: %s', y_pred_adv)
logger.info('EAD success rate: %.2f%%',
(100 * sum(target == y_pred_adv) / float(len(target))))
self.assertTrue((target == y_pred_adv).any())
# Second attack
ead = ElasticNet(classifier=krc, targeted=False, max_iter=2)
params = {'y': random_targets(y_test, krc.nb_classes)}
x_test_adv = ead.generate(x_test, **params)
self.assertTrue((x_test_adv <= 1.0001).all())
self.assertTrue((x_test_adv >= -0.0001).all())
target = np.argmax(params['y'], axis=1)
y_pred_adv = np.argmax(krc.predict(x_test_adv), axis=1)
logger.debug('EAD target: %s', target)
logger.debug('EAD actual: %s', y_pred_adv)
logger.info('EAD success rate: %.2f',
(100 * sum(target != y_pred_adv) / float(len(target))))
self.assertTrue((target != y_pred_adv).any())
# Kill Keras
k.clear_session()
def test_ptclassifier(self):
"""
Third test with the PyTorchClassifier.
:return:
"""
# Get MNIST
(x_train, y_train), (x_test, y_test) = self.mnist
x_train = np.swapaxes(x_train, 1, 3)
x_test = np.swapaxes(x_test, 1, 3)
# Define the network
model = Model()
# Define a loss function and optimizer
loss_fn = nn.CrossEntropyLoss()
optimizer = optim.Adam(model.parameters(), lr=0.01)
# Get classifier
ptc = PyTorchClassifier((0, 1), model, loss_fn, optimizer, (1, 28, 28), 10)
ptc.fit(x_train, y_train, batch_size=BATCH_SIZE, nb_epochs=10)
# First attack
ead = ElasticNet(classifier=ptc, targeted=True, max_iter=2)
params = {'y': random_targets(y_test, ptc.nb_classes)}
x_test_adv = ead.generate(x_test, **params)
self.assertFalse((x_test == x_test_adv).all())
self.assertTrue((x_test_adv <= 1.0001).all())
self.assertTrue((x_test_adv >= -0.0001).all())
target = np.argmax(params['y'], axis=1)
y_pred_adv = np.argmax(ptc.predict(x_test_adv), axis=1)
self.assertTrue((target == y_pred_adv).any())
# Second attack
ead = ElasticNet(classifier=ptc, targeted=False, max_iter=2)
params = {'y': random_targets(y_test, ptc.nb_classes)}
x_test_adv = ead.generate(x_test, **params)
self.assertTrue((x_test_adv <= 1.0001).all())
self.assertTrue((x_test_adv >= -0.0001).all())
target = np.argmax(params['y'], axis=1)
y_pred_adv = np.argmax(ptc.predict(x_test_adv), axis=1)
self.assertTrue((target != y_pred_adv).any())
def test_pytorch_mnist(self):
"""
Third test with the PyTorchClassifier.
:return:
"""
(_, _), (x_test, y_test) = self.mnist
x_test = np.reshape(x_test, (x_test.shape[0], 1, 28, 28)).astype(np.float32)
x_test_original = x_test.copy()
# Build PyTorchClassifier
ptc = get_classifier_pt(from_logits=False)
# First attack
ead = ElasticNet(classifier=ptc, targeted=True, max_iter=2)
params = {'y': random_targets(y_test, ptc.nb_classes())}
x_test_adv = ead.generate(x_test, **params)
expected_x_test_adv = np.asarray([0.01678124, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.00665895, 0.0, 0.11374763,
0.36250514, 0.5472948, 0.9308808, 1.0, 0.99920374, 0.86274165, 0.6346757,
0.5597227, 0.24191494, 0.25882354, 0.0091916, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0])
np.testing.assert_array_almost_equal(x_test_adv[2, 0, :, 14], expected_x_test_adv, decimal=6)
self.assertLessEqual(np.amax(x_test_adv), 1.0)
self.assertGreaterEqual(np.amin(x_test_adv), 0.0)
target = np.argmax(params['y'], axis=1)
y_pred_adv = np.argmax(ptc.predict(x_test_adv), axis=1)
self.assertTrue((target == y_pred_adv).any())
# Second attack
ead = ElasticNet(classifier=ptc, targeted=False, max_iter=2)
params = {'y': random_targets(y_test, ptc.nb_classes())}
x_test_adv = ead.generate(x_test, **params)
self.assertLessEqual(np.amax(x_test_adv), 1.0)
self.assertGreaterEqual(np.amin(x_test_adv), 0.0)
target = np.argmax(params['y'], axis=1)
y_pred_adv = np.argmax(ptc.predict(x_test_adv), axis=1)
self.assertTrue((target != y_pred_adv).any())
np.testing.assert_array_equal(y_pred_adv, np.asarray([7, 1, 1, 4, 4, 1, 4, 4, 4, 4]))
# Check that x_test has not been modified by attack and classifier
self.assertAlmostEqual(float(np.max(np.abs(x_test_original - x_test))), 0.0, delta=0.00001)
def test_iris_pt(self):
(_, _), (x_test, y_test) = self.iris
classifier = get_iris_classifier_pt()
attack = ElasticNet(classifier, targeted=False, max_iter=10)
x_test_adv = attack.generate(x_test)
self.assertFalse((x_test == x_test_adv).all())
self.assertTrue((x_test_adv <= 1).all())
self.assertTrue((x_test_adv >= 0).all())
preds_adv = np.argmax(classifier.predict(x_test_adv), axis=1)
self.assertFalse((np.argmax(y_test, axis=1) == preds_adv).all())
acc = 1. - np.sum(
preds_adv == np.argmax(y_test, axis=1)) / y_test.shape[0]
logger.info('EAD success rate on Iris: %.2f%%', (acc * 100))
def test_keras_iris_clipped(self):
(_, _), (x_test, y_test) = self.iris
classifier = get_iris_classifier_kr()
attack = ElasticNet(classifier, targeted=False, max_iter=10)
x_test_adv = attack.generate(x_test)
expected_x_test_adv = np.asarray([0.85931635, 0.44633555, 0.65658355, 0.23840423])
np.testing.assert_array_almost_equal(x_test_adv[0, :], expected_x_test_adv, decimal=6)
self.assertLessEqual(np.amax(x_test_adv), 1.0)
self.assertGreaterEqual(np.amin(x_test_adv), 0.0)
predictions_adv = np.argmax(classifier.predict(x_test_adv), axis=1)
np.testing.assert_array_equal(predictions_adv, np.asarray([1, 1, 1, 2, 1, 1, 1, 2, 1, 2, 1, 1, 1, 2, 1, 1, 2, 2,
1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 2, 1, 2, 1, 2, 1, 0, 1,
1, 1, 2, 0, 2, 2, 1, 1, 2]))
accuracy = 1.0 - np.sum(predictions_adv == np.argmax(y_test, axis=1)) / y_test.shape[0]
logger.info('EAD success rate on Iris: %.2f%%', (accuracy * 100))
def test_keras_iris_unbounded(self):
(_, _), (x_test, y_test) = self.iris
classifier = get_iris_classifier_kr()
# Recreate a classifier without clip values
classifier = KerasClassifier(model=classifier._model, use_logits=False, channel_index=1)
attack = ElasticNet(classifier, targeted=False, max_iter=10)
x_test_adv = attack.generate(x_test)
expected_x_test_adv = np.asarray([0.85931635, 0.44633555, 0.65658355, 0.23840423])
np.testing.assert_array_almost_equal(x_test_adv[0, :], expected_x_test_adv, decimal=6)
predictions_adv = np.argmax(classifier.predict(x_test_adv), axis=1)
np.testing.assert_array_equal(predictions_adv, np.asarray([1, 1, 1, 2, 1, 1, 1, 2, 1, 2, 1, 1, 1, 2, 1, 1, 2, 2,
1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 2, 1, 2, 1, 2, 1, 0, 1,
1, 1, 2, 0, 2, 2, 1, 1, 2]))
accuracy = 1.0 - np.sum(predictions_adv == np.argmax(y_test, axis=1)) / y_test.shape[0]
logger.info('EAD success rate on Iris: %.2f%%', (accuracy * 100))
def test_iris_k_unbounded(self):
(_, _), (x_test, y_test) = self.iris
classifier, _ = get_iris_classifier_kr()
# Recreate a classifier without clip values
classifier = KerasClassifier(model=classifier._model,
use_logits=False,
channel_index=1)
attack = ElasticNet(classifier, targeted=False, max_iter=10)
x_test_adv = attack.generate(x_test)
self.assertFalse((x_test == x_test_adv).all())
preds_adv = np.argmax(classifier.predict(x_test_adv), axis=1)
self.assertFalse((np.argmax(y_test, axis=1) == preds_adv).all())
acc = 1. - np.sum(
preds_adv == np.argmax(y_test, axis=1)) / y_test.shape[0]
logger.info('EAD success rate on Iris: %.2f%%', (acc * 100))
def test_pytorch_iris(self):
(_, _), (x_test, y_test) = self.iris
classifier = get_iris_classifier_pt()
attack = ElasticNet(classifier, targeted=False, max_iter=10)
x_test_adv = attack.generate(x_test.astype(np.float32))
expected_x_test_adv = np.asarray([0.8479194, 0.42525578, 0.70166135, 0.28664517])
np.testing.assert_array_almost_equal(x_test_adv[0, :], expected_x_test_adv, decimal=6)
self.assertLessEqual(np.amax(x_test_adv), 1.0)
self.assertGreaterEqual(np.amin(x_test_adv), 0.0)
predictions_adv = np.argmax(classifier.predict(x_test_adv), axis=1)
np.testing.assert_array_equal(predictions_adv, np.asarray(
[1, 2, 2, 2, 1, 1, 1, 2, 1, 2, 1, 1, 1, 2, 2, 2, 2, 2, 1, 1, 1, 1, 1, 1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 1, 0, 2,
2, 1, 2, 0, 2, 2, 1, 1, 2]))
accuracy = 1.0 - np.sum(predictions_adv == np.argmax(y_test, axis=1)) / y_test.shape[0]
logger.info('EAD success rate on Iris: %.2f%%', (accuracy * 100))
def test_failure_attack(self):
"""
Test the corner case when attack fails.
:return:
"""
# Build a TFClassifier
# Define input and output placeholders
input_ph = tf.placeholder(tf.float32, shape=[None, 28, 28, 1])
output_ph = tf.placeholder(tf.int32, shape=[None, 10])
# Define the tensorflow graph
conv = tf.layers.conv2d(input_ph, 4, 5, activation=tf.nn.relu)
conv = tf.layers.max_pooling2d(conv, 2, 2)
fc = tf.contrib.layers.flatten(conv)
# Logits layer
logits = tf.layers.dense(fc, 10)
# Train operator
loss = tf.reduce_mean(tf.losses.softmax_cross_entropy(logits=logits, onehot_labels=output_ph))
optimizer = tf.train.AdamOptimizer(learning_rate=0.01)
train = optimizer.minimize(loss)
# Tensorflow session and initialization
sess = tf.Session()
sess.run(tf.global_variables_initializer())
# Get MNIST
(x_train, y_train), (x_test, y_test) = self.mnist
# Train the classifier
tfc = TFClassifier((0, 1), input_ph, logits, output_ph, train, loss, None, sess)
tfc.fit(x_train, y_train, batch_size=BATCH_SIZE, nb_epochs=10)
# Failure attack
ead = ElasticNet(classifier=tfc, targeted=True, max_iter=0, binary_search_steps=0, learning_rate=0,
initial_const=1)
params = {'y': random_targets(y_test, tfc.nb_classes)}
x_test_adv = ead.generate(x_test, **params)
self.assertTrue((x_test_adv <= 1.0001).all())
self.assertTrue((x_test_adv >= -0.0001).all())
np.testing.assert_almost_equal(x_test, x_test_adv, 3)
# Kill TF
sess.close()
tf.reset_default_graph()
def test_tensorflow_failure_attack(self):
"""
Test the corner case when attack fails.
:return:
"""
(_, _), (x_test, y_test) = self.mnist
# Build TensorFlowClassifier
tfc, sess = get_classifier_tf()
# Failure attack
ead = ElasticNet(classifier=tfc, targeted=True, max_iter=0, binary_search_steps=0, learning_rate=0,
initial_const=1)
params = {'y': random_targets(y_test, tfc.nb_classes())}
x_test_adv = ead.generate(x_test, **params)
self.assertLessEqual(np.amax(x_test_adv), 1.0)
self.assertGreaterEqual(np.amin(x_test_adv), 0.0)
np.testing.assert_almost_equal(x_test, x_test_adv, 3)
# Clean-up session
sess.close()
model=classifier_model,
use_logits=False,
preprocessing=(0.5, 1))
classifier_model.summary()
x_test_pred = np.argmax(classifier.predict(x_test[:100]), axis=1)
nb_correct_pred = np.sum(x_test_pred == np.argmax(y_test[:100], axis=1))
print("Original test data (first 100 images):")
print("Correctly classified: {}".format(nb_correct_pred))
print("Incorrectly classified: {}".format(100 - nb_correct_pred))
attack_fgsm = FastGradientMethod(classifier=classifier, eps=0.05)
fgsm_test_adv = attack_fgsm.generate(x_test[:2])
attack_elastic = ElasticNet(classifier=classifier,
binary_search_steps=3,
max_iter=10)
elastic_test_adv = attack_elastic.generate(x_test[:2])
fig = plt.figure()
ax1 = fig.add_subplot(131)
ax2 = fig.add_subplot(132)
ax3 = fig.add_subplot(133)
ax1.imshow(fgsm_test_adv[1])
ax2.imshow(elastic_test_adv[1])
ax3.imshow(x_test[1])
plt.show()
def test_tensorflow_mnist(self):
"""
First test with the TensorFlowClassifier.
:return:
"""
x_test_original = self.x_test_mnist.copy()
# Build TensorFlowClassifier
tfc, sess = get_image_classifier_tf(from_logits=True)
# First attack
ead = ElasticNet(classifier=tfc, targeted=True, max_iter=2)
params = {"y": random_targets(self.y_test_mnist, tfc.nb_classes())}
x_test_adv = ead.generate(self.x_test_mnist, **params)
expected_x_test_adv = np.asarray([
0.45704955,
0.43627003,
0.57238287,
1.0,
0.11541145,
0.12619308,
0.48318917,
0.3457903,
0.17863746,
0.09060935,
0.0,
0.00963121,
0.0,
0.04749763,
0.4058206,
0.17860745,
0.0,
0.9153206,
0.84564775,
0.20603634,
0.10586322,
0.00947509,
0.0,
0.0,
0.0,
0.0,
0.0,
0.0,
])
np.testing.assert_array_almost_equal(x_test_adv[0, 14, :, 0],
expected_x_test_adv,
decimal=6)
self.assertLessEqual(np.amax(x_test_adv), 1.0)
self.assertGreaterEqual(np.amin(x_test_adv), 0.0)
target = np.argmax(params["y"], axis=1)
y_pred_adv = np.argmax(tfc.predict(x_test_adv), axis=1)
logger.debug("EAD target: %s", target)
logger.debug("EAD actual: %s", y_pred_adv)
logger.info("EAD success rate on MNIST: %.2f%%",
(100 * sum(target == y_pred_adv) / len(target)))
self.assertTrue((target == y_pred_adv).any())
# Second attack
ead = ElasticNet(classifier=tfc, targeted=False, max_iter=2)
params = {"y": random_targets(self.y_test_mnist, tfc.nb_classes())}
x_test_adv = ead.generate(self.x_test_mnist, **params)
self.assertLessEqual(np.amax(x_test_adv), 1.0)
self.assertGreaterEqual(np.amin(x_test_adv), 0.0)
target = np.argmax(params["y"], axis=1)
y_pred_adv = np.argmax(tfc.predict(x_test_adv), axis=1)
logger.debug("EAD target: %s", target)
logger.debug("EAD actual: %s", y_pred_adv)
logger.info("EAD success rate on MNIST: %.2f%%",
(100 * sum(target != y_pred_adv) / float(len(target))))
np.testing.assert_array_equal(
y_pred_adv, np.asarray([7, 1, 1, 4, 4, 1, 4, 4, 4, 4]))
# Third attack
ead = ElasticNet(classifier=tfc, targeted=False, max_iter=2)
params = {}
x_test_adv = ead.generate(self.x_test_mnist, **params)
expected_x_test_adv = np.asarray([
0.22866514,
0.21826893,
0.22902338,
0.06268515,
0.0,
0.0,
0.04822975,
0.0,
0.0,
0.0,
0.05555382,
0.0,
0.0,
0.0,
0.38986346,
0.10653087,
0.32385707,
0.98043066,
0.75790393,
0.16486718,
0.16069527,
0.0,
0.0,
0.0,
0.0,
0.0,
0.0,
0.0,
])
np.testing.assert_array_almost_equal(x_test_adv[0, 14, :, 0],
expected_x_test_adv,
decimal=6)
self.assertLessEqual(np.amax(x_test_adv), 1.0)
self.assertGreaterEqual(np.amin(x_test_adv), 0.0)
y_pred = np.argmax(tfc.predict(self.x_test_mnist), axis=1)
y_pred_adv = np.argmax(tfc.predict(x_test_adv), axis=1)
logger.debug("EAD target: %s", y_pred)
logger.debug("EAD actual: %s", y_pred_adv)
logger.info("EAD success rate: %.2f%%",
(100 * sum(y_pred != y_pred_adv) / float(len(y_pred))))
np.testing.assert_array_equal(
y_pred_adv, np.asarray([0, 4, 7, 9, 0, 7, 7, 3, 0, 7]))
# First attack without batching
ead_wob = ElasticNet(classifier=tfc,
targeted=True,
max_iter=2,
batch_size=1)
params = {"y": random_targets(self.y_test_mnist, tfc.nb_classes())}
x_test_adv = ead_wob.generate(self.x_test_mnist, **params)
expected_x_test_adv = np.asarray([
0.3287169,
0.31374657,
0.42853343,
0.8994576,
0.19850709,
0.11997936,
0.5622535,
0.43854535,
0.19387433,
0.12516324,
0.0,
0.10933565,
0.02162433,
0.07120894,
0.95224255,
0.3072921,
0.48966524,
1.0,
0.3814998,
0.15782641,
0.52283823,
0.12852049,
0.0,
0.0,
0.0,
0.0,
0.0,
0.0,
])
np.testing.assert_array_almost_equal(x_test_adv[0, 14, :, 0],
expected_x_test_adv,
decimal=6)
self.assertLessEqual(np.amax(x_test_adv), 1.0)
self.assertGreaterEqual(np.amin(x_test_adv), 0.0)
target = np.argmax(params["y"], axis=1)
y_pred_adv = np.argmax(tfc.predict(x_test_adv), axis=1)
logger.debug("EAD target: %s", target)
logger.debug("EAD actual: %s", y_pred_adv)
logger.info("EAD success rate: %.2f%%",
(100 * sum(target == y_pred_adv) / float(len(target))))
self.assertTrue((target == y_pred_adv).any())
# Second attack without batching
ead_wob = ElasticNet(classifier=tfc,
targeted=False,
max_iter=2,
batch_size=1)
params = {"y": random_targets(self.y_test_mnist, tfc.nb_classes())}
x_test_adv = ead_wob.generate(self.x_test_mnist, **params)
self.assertLessEqual(np.amax(x_test_adv), 1.0)
self.assertGreaterEqual(np.amin(x_test_adv), 0.0)
target = np.argmax(params["y"], axis=1)
y_pred_adv = np.argmax(tfc.predict(x_test_adv), axis=1)
logger.debug("EAD target: %s", target)
logger.debug("EAD actual: %s", y_pred_adv)
logger.info("EAD success rate: %.2f%%",
(100 * sum(target != y_pred_adv) / float(len(target))))
np.testing.assert_array_equal(
y_pred_adv, np.asarray([7, 1, 1, 4, 4, 1, 4, 4, 4, 4]))
# Check that x_test has not been modified by attack and classifier
self.assertAlmostEqual(float(
np.max(np.abs(x_test_original - self.x_test_mnist))),
0.0,
delta=0.00001)
# Close session
if sess is not None:
sess.close()
def test_tfclassifier(self):
"""
First test with the TFClassifier.
:return:
"""
# Build TFClassifier
tfc, sess = get_classifier_tf()
# Get MNIST
(_, _), (x_test, y_test) = self.mnist
# First attack
ead = ElasticNet(classifier=tfc, targeted=True, max_iter=2)
params = {'y': random_targets(y_test, tfc.nb_classes)}
x_test_adv = ead.generate(x_test, **params)
self.assertFalse((x_test == x_test_adv).all())
self.assertTrue((x_test_adv <= 1.0001).all())
self.assertTrue((x_test_adv >= -0.0001).all())
target = np.argmax(params['y'], axis=1)
y_pred_adv = np.argmax(tfc.predict(x_test_adv), axis=1)
logger.debug('EAD target: %s', target)
logger.debug('EAD actual: %s', y_pred_adv)
logger.info('EAD success rate on MNIST: %.2f%%',
(100 * sum(target == y_pred_adv) / len(target)))
self.assertTrue((target == y_pred_adv).any())
# Second attack
ead = ElasticNet(classifier=tfc, targeted=False, max_iter=2)
params = {'y': random_targets(y_test, tfc.nb_classes)}
x_test_adv = ead.generate(x_test, **params)
self.assertTrue((x_test_adv <= 1.0001).all())
self.assertTrue((x_test_adv >= -0.0001).all())
target = np.argmax(params['y'], axis=1)
y_pred_adv = np.argmax(tfc.predict(x_test_adv), axis=1)
logger.debug('EAD target: %s', target)
logger.debug('EAD actual: %s', y_pred_adv)
logger.info('EAD success rate on MNIST: %.2f%%',
(100 * sum(target != y_pred_adv) / float(len(target))))
self.assertTrue((target != y_pred_adv).any())
# Third attack
ead = ElasticNet(classifier=tfc, targeted=False, max_iter=2)
params = {}
x_test_adv = ead.generate(x_test, **params)
self.assertFalse((x_test == x_test_adv).all())
self.assertTrue((x_test_adv <= 1.0001).all())
self.assertTrue((x_test_adv >= -0.0001).all())
y_pred = np.argmax(tfc.predict(x_test), axis=1)
y_pred_adv = np.argmax(tfc.predict(x_test_adv), axis=1)
logger.debug('EAD target: %s', y_pred)
logger.debug('EAD actual: %s', y_pred_adv)
logger.info('EAD success rate: %.2f%%',
(100 * sum(y_pred != y_pred_adv) / float(len(y_pred))))
self.assertTrue((y_pred != y_pred_adv).any())
# First attack without batching
ead_wob = ElasticNet(classifier=tfc,
targeted=True,
max_iter=2,
batch_size=1)
params = {'y': random_targets(y_test, tfc.nb_classes)}
x_test_adv = ead_wob.generate(x_test, **params)
self.assertFalse((x_test == x_test_adv).all())
self.assertTrue((x_test_adv <= 1.0001).all())
self.assertTrue((x_test_adv >= -0.0001).all())
target = np.argmax(params['y'], axis=1)
y_pred_adv = np.argmax(tfc.predict(x_test_adv), axis=1)
logger.debug('EAD target: %s', target)
logger.debug('EAD actual: %s', y_pred_adv)
logger.info('EAD success rate: %.2f%%',
(100 * sum(target == y_pred_adv) / float(len(target))))
self.assertTrue((target == y_pred_adv).any())
# Second attack without batching
ead_wob = ElasticNet(classifier=tfc,
targeted=False,
max_iter=2,
batch_size=1)
params = {'y': random_targets(y_test, tfc.nb_classes)}
x_test_adv = ead_wob.generate(x_test, **params)
self.assertTrue((x_test_adv <= 1.0001).all())
self.assertTrue((x_test_adv >= -0.0001).all())
target = np.argmax(params['y'], axis=1)
y_pred_adv = np.argmax(tfc.predict(x_test_adv), axis=1)
logger.debug('EAD target: %s', target)
logger.debug('EAD actual: %s', y_pred_adv)
logger.info('EAD success rate: %.2f%%',
(100 * sum(target != y_pred_adv) / float(len(target))))
self.assertTrue((target != y_pred_adv).any())
# Kill TF
sess.close()
tf.reset_default_graph()
def test_tfclassifier(self):
"""
First test with the TFClassifier.
:return:
"""
# Build a TFClassifier
# Define input and output placeholders
input_ph = tf.placeholder(tf.float32, shape=[None, 28, 28, 1])
output_ph = tf.placeholder(tf.int32, shape=[None, 10])
# Define the tensorflow graph
conv = tf.layers.conv2d(input_ph, 4, 5, activation=tf.nn.relu)
conv = tf.layers.max_pooling2d(conv, 2, 2)
fc = tf.contrib.layers.flatten(conv)
# Logits layer
logits = tf.layers.dense(fc, 10)
# Train operator
loss = tf.reduce_mean(tf.losses.softmax_cross_entropy(logits=logits, onehot_labels=output_ph))
optimizer = tf.train.AdamOptimizer(learning_rate=0.01)
train = optimizer.minimize(loss)
# Tensorflow session and initialization
sess = tf.Session()
sess.run(tf.global_variables_initializer())
# Get MNIST
(x_train, y_train), (x_test, y_test) = self.mnist
# Train the classifier
tfc = TFClassifier((0, 1), input_ph, logits, output_ph, train, loss, None, sess)
tfc.fit(x_train, y_train, batch_size=BATCH_SIZE, nb_epochs=10)
# First attack
ead = ElasticNet(classifier=tfc, targeted=True, max_iter=2)
params = {'y': random_targets(y_test, tfc.nb_classes)}
x_test_adv = ead.generate(x_test, **params)
self.assertFalse((x_test == x_test_adv).all())
self.assertTrue((x_test_adv <= 1.0001).all())
self.assertTrue((x_test_adv >= -0.0001).all())
target = np.argmax(params['y'], axis=1)
y_pred_adv = np.argmax(tfc.predict(x_test_adv), axis=1)
logger.debug('EAD Target: %s', target)
logger.debug('EAD Actual: %s', y_pred_adv)
logger.info('EAD Success Rate: %.2f', (sum(target == y_pred_adv) / float(len(target))))
self.assertTrue((target == y_pred_adv).any())
# Second attack
ead = ElasticNet(classifier=tfc, targeted=False, max_iter=2)
params = {'y': random_targets(y_test, tfc.nb_classes)}
x_test_adv = ead.generate(x_test, **params)
self.assertTrue((x_test_adv <= 1.0001).all())
self.assertTrue((x_test_adv >= -0.0001).all())
target = np.argmax(params['y'], axis=1)
y_pred_adv = np.argmax(tfc.predict(x_test_adv), axis=1)
logger.debug('EAD Target: %s', target)
logger.debug('EAD Actual: %s', y_pred_adv)
logger.info('EAD Success Rate: %.2f', (sum(target != y_pred_adv) / float(len(target))))
self.assertTrue((target != y_pred_adv).any())
# Third attack
ead = ElasticNet(classifier=tfc, targeted=False, max_iter=2)
params = {}
x_test_adv = ead.generate(x_test, **params)
self.assertFalse((x_test == x_test_adv).all())
self.assertTrue((x_test_adv <= 1.0001).all())
self.assertTrue((x_test_adv >= -0.0001).all())
y_pred = np.argmax(tfc.predict(x_test), axis=1)
y_pred_adv = np.argmax(tfc.predict(x_test_adv), axis=1)
logger.debug('EAD Target: %s', y_pred)
logger.debug('EAD Actual: %s', y_pred_adv)
logger.info('EAD Success Rate: %.2f', (sum(y_pred != y_pred_adv) / float(len(y_pred))))
self.assertTrue((y_pred != y_pred_adv).any())
# First attack without batching
ead_wob = ElasticNet(classifier=tfc, targeted=True, max_iter=2, batch_size=1)
params = {'y': random_targets(y_test, tfc.nb_classes)}
x_test_adv = ead_wob.generate(x_test, **params)
self.assertFalse((x_test == x_test_adv).all())
self.assertTrue((x_test_adv <= 1.0001).all())
self.assertTrue((x_test_adv >= -0.0001).all())
target = np.argmax(params['y'], axis=1)
y_pred_adv = np.argmax(tfc.predict(x_test_adv), axis=1)
logger.debug('EAD Target: %s', target)
logger.debug('EAD Actual: %s', y_pred_adv)
logger.info('EAD Success Rate: %.2f', (sum(target == y_pred_adv) / float(len(target))))
self.assertTrue((target == y_pred_adv).any())
# Second attack without batching
ead_wob = ElasticNet(classifier=tfc, targeted=False, max_iter=2, batch_size=1)
params = {'y': random_targets(y_test, tfc.nb_classes)}
x_test_adv = ead_wob.generate(x_test, **params)
self.assertTrue((x_test_adv <= 1.0001).all())
self.assertTrue((x_test_adv >= -0.0001).all())
target = np.argmax(params['y'], axis=1)
y_pred_adv = np.argmax(tfc.predict(x_test_adv), axis=1)
logger.debug('EAD Target: %s', target)
logger.debug('EAD Actual: %s', y_pred_adv)
logger.info('EAD Success Rate: %.2f', (sum(target != y_pred_adv) / float(len(target))))
self.assertTrue((target != y_pred_adv).any())
# Kill TF
sess.close()
tf.reset_default_graph()
