def def_GaussianAugmentation(x_raw, x_raw_test, y_raw, y_raw_test, x_train_adv, x_test_adv,
                             y_train, y_test, min_, max_):
    """Apply the Gaussian-augmentation defence and report accuracies.

    Augments the raw train/test images with Gaussian noise (sigma=150), which
    doubles each split, retrains a fresh network on the augmented data, and
    prints accuracy on the augmented sets and on the supplied adversarial sets.

    :param x_raw, y_raw: raw (unpreprocessed) training images and labels.
    :param x_raw_test, y_raw_test: raw test images and labels.
    :param x_train_adv, x_test_adv: adversarial train/test examples (flattened).
    :param y_train, y_test: one-hot labels matching the adversarial sets.
    :param min_, max_: input feature range passed to the classifier factory.
    """
    ga = GaussianAugmentation(sigma=150)
    x_train_aug, y_train_aug = ga(x_raw, y_raw)
    x_test_aug, y_test_aug = ga(x_raw_test, y_raw_test)

    x_train_aug, y_train_aug = preprocess(x_train_aug, y_train_aug)
    x_test_aug, y_test_aug = preprocess(x_test_aug, y_test_aug)

    # Flatten to 784-dim vectors. Use the actual augmented sample count instead
    # of the previous hard-coded 120000/20000 so other dataset sizes also work
    # (for the full MNIST split the result is identical).
    x_train_aug = x_train_aug.reshape(x_train_aug.shape[0], 784)
    x_test_aug = x_test_aug.reshape(x_test_aug.shape[0], 784)

    # train network
    classifier = create_Neural_Network(min_, max_)
    classifier.fit(x_train_aug, y_train_aug, nb_epochs=5, batch_size=50)

    # print result
    print("After Defense\n")
    preds = np.argmax(classifier.predict(x_train_aug), axis=1)
    acc = np.sum(preds == np.argmax(y_train_aug, axis=1)) / y_train_aug.shape[0]
    print("TRAIN: %.2f%% \n" % (acc * 100))

    preds = np.argmax(classifier.predict(x_train_adv), axis=1)
    acc = np.sum(preds == np.argmax(y_train, axis=1)) / y_train.shape[0]
    print("TRAIN-ADVERSARY: %.2f%% \n" % (acc * 100))

    preds = np.argmax(classifier.predict(x_test_aug), axis=1)
    acc = np.sum(preds == np.argmax(y_test_aug, axis=1)) / y_test_aug.shape[0]
    print("TEST: %.2f%% \n" % (acc * 100))

    preds = np.argmax(classifier.predict(x_test_adv), axis=1)
    acc = np.sum(preds == np.argmax(y_test, axis=1)) / y_test.shape[0]
    print('TEST-ADVERSARY: %.2f%% \n' % (acc * 100))
def load_data(backdoor_type="pixel", sources=np.arange(10), targets=(np.arange(10) + 1) % 10):
    """Load MNIST, sub-sample 10000 training images, and backdoor-poison both splits.

    :param backdoor_type: kind of backdoor mark to insert, forwarded to
        `generate_backdoor` (e.g. "pixel").
    :param sources: class labels eligible for poisoning.
    :param targets: labels the poisoned sources are relabelled to
        (default: next class mod 10).
    :return: `(x_train, y_train), (x_test, y_test), (min_, max_), is_poison_test`.
        Labels are integer class indices; images carry a trailing channel axis.
    """
    (x_raw, y_raw), (x_raw_test, y_raw_test), min_, max_ = load_mnist(raw=True)

    # Sub-sample the training set to keep the demo fast.
    # NOTE(review): np.random.choice defaults to replace=True, so duplicate
    # indices are possible in the selection.
    n_train = np.shape(x_raw)[0]
    num_selection = 10000
    random_selection_indices = np.random.choice(n_train, num_selection)
    x_raw = x_raw[random_selection_indices]
    y_raw = y_raw[random_selection_indices]

    # Poison training data
    perc_poison = .33
    (is_poison_train, x_poisoned_raw, y_poisoned_raw) = generate_backdoor(x_raw, y_raw, perc_poison,
                                                                          backdoor_type=backdoor_type,
                                                                          sources=sources, targets=targets)
    x_train, y_train = preprocess(x_poisoned_raw, y_poisoned_raw)
    # Add channel axis:
    x_train = np.expand_dims(x_train, axis=3)

    # Poison test data
    (is_poison_test, x_poisoned_raw_test, y_poisoned_raw_test) = generate_backdoor(x_raw_test, y_raw_test,
                                                                                   perc_poison,
                                                                                   backdoor_type=backdoor_type,
                                                                                   sources=sources, targets=targets)
    x_test, y_test = preprocess(x_poisoned_raw_test, y_poisoned_raw_test)
    # Add channel axis:
    x_test = np.expand_dims(x_test, axis=3)

    # Shuffle training data so poison is not together
    n_train = np.shape(y_train)[0]
    shuffled_indices = np.arange(n_train)
    np.random.shuffle(shuffled_indices)
    x_train = x_train[shuffled_indices]
    y_train = y_train[shuffled_indices]
    is_poison_train = is_poison_train[shuffled_indices]

    # Collapse one-hot labels back to integer class indices for the caller.
    y_train = np.argmax(y_train, axis=1)
    y_test = np.argmax(y_test, axis=1)

    return (x_train, y_train), (x_test, y_test), (min_, max_), is_poison_test
def test_preprocess(self):
    """`preprocess` scales pixels into [0, 1] and one-hot encodes labels,
    both for the default 10-class/255-range setup and a custom
    20-class/5-range setup."""
    cases = (
        (255, 10, {"clip_values": (0, 255)}),
        (5, 20, {"nb_classes": 20, "clip_values": (0, 5)}),
    )
    for scale, n_classes, kwargs in cases:
        # Rebuild the fixture for each case: integer pixels in [0, scale],
        # integer class labels, first 100 samples only.
        (images, labels), (_, _), _, _ = load_mnist()
        images = (scale * images).astype("int")[:100]
        labels = np.argmax(labels, axis=1)[:100]

        scaled, one_hot = preprocess(images, labels, **kwargs)

        self.assertEqual(scaled.shape, images.shape)
        self.assertEqual(one_hot.shape, (labels.shape[0], n_classes))
        self.assertEqual(scaled.max(), 1.0)
        self.assertEqual(scaled.min(), 0)
def def_GaussianAugmentation(x_raw, x_raw_test, y_raw, y_raw_test, x_train_adv, x_test_adv,
                             y_train, y_test, min_, max_, file, num_attacks=5):
    """Apply the Gaussian-augmentation defence and evaluate it against each attack.

    Augments the raw train/test images with Gaussian noise (sigma=150), which
    doubles each split, retrains a fresh network on the augmented data, then
    evaluates it against `num_attacks` stacked adversarial sets, writing
    results to `file`.

    :param x_raw, y_raw: raw (unpreprocessed) training images and labels.
    :param x_raw_test, y_raw_test: raw test images and labels.
    :param x_train_adv: adversarial training sets stacked along axis 0, one
        slice of `len(x_raw)` samples per attack.
    :param x_test_adv: adversarial test sets stacked the same way.
    :param y_train, y_test: one-hot labels matching the adversarial sets.
    :param min_, max_: input feature range passed to the classifier factory.
    :param file: open writable text file for the report.
    :param num_attacks: number of stacked attacks in the adversarial arrays
        (default 5, matching the previous hard-coded loop).
    """
    # Derive split sizes from the data instead of the previous hard-coded
    # 60000/10000, so sub-sampled datasets also work.
    train_num = x_raw.shape[0]
    test_num = x_raw_test.shape[0]

    # gaussian augmentation
    ga = GaussianAugmentation(sigma=150)
    x_train_aug, y_train_aug = ga(x_raw, y_raw)
    x_test_aug, y_test_aug = ga(x_raw_test, y_raw_test)

    x_train_aug, y_train_aug = preprocess(x_train_aug, y_train_aug)
    x_test_aug, y_test_aug = preprocess(x_test_aug, y_test_aug)

    # Augmentation doubles each split; flatten to 784-dim vectors.
    x_train_aug = x_train_aug.reshape(2 * train_num, 784)
    x_test_aug = x_test_aug.reshape(2 * test_num, 784)

    # train network
    classifier = create_Neural_Network(min_, max_)
    classifier.fit(x_train_aug, y_train_aug, nb_epochs=5, batch_size=50)

    # print result
    print("After GaussianAugmentation Defense\n")
    file.write("==== GaussianAugmentation Defense==== \n")
    for k in range(num_attacks):
        file.write("==== Attack %i ====\n" % (k))
        # Slice out attack k's adversarial train/test examples.
        evaluate(x_train_aug, x_test_aug, y_train_aug, y_test_aug,
                 x_train_adv[k * train_num:(k + 1) * train_num],
                 x_test_adv[k * test_num:(k + 1) * test_num],
                 y_train, y_test, classifier, file)
def test_preprocess(self):
    """`preprocess` normalizes pixels to [0, 1] and one-hot encodes labels,
    checked for the default 10-class/255-range case and a custom
    20-class/max-value-5 case."""
    for factor, expected_classes, extra_kwargs in (
        (255, 10, {}),
        (5, 20, {"nb_classes": 20, "max_value": 5}),
    ):
        # Get MNIST and build integer-valued pixels in [0, factor],
        # integer labels, first 100 samples only.
        (raw_x, raw_y), (_, _), _, _ = load_mnist()
        raw_x = (factor * raw_x).astype('int')[:100]
        raw_y = np.argmax(raw_y, axis=1)[:100]

        norm_x, onehot_y = preprocess(raw_x, raw_y, **extra_kwargs)

        self.assertEqual(norm_x.shape, raw_x.shape)
        self.assertEqual(onehot_y.shape, (raw_y.shape[0], expected_classes))
        self.assertEqual(norm_x.max(), 1.0)
        self.assertEqual(norm_x.min(), 0)
def main():
    """Train (or load from cache) a backdoor-poisoned MNIST CNN, measure the
    poison's effectiveness, then run ActivationDefence and relabel/retrain
    with ground-truth poison labels to remove the backdoor."""
    # pickle is needed by both the cache-hit path (load) and the miss path
    # (dump), so import it before the try block.
    import pickle

    try:
        print('See if poison model has been previously trained ')
        # `with` guarantees the file handle is closed (the original leaked it).
        with open('my_poison_classifier.p', 'rb') as f:
            classifier = pickle.load(f)
        print('Loaded model from pickle.... ')

        data_train = np.load('data_training.npz')
        x_train = data_train['x_train']
        y_train = data_train['y_train']
        is_poison_train = data_train['is_poison_train']

        data_test = np.load('data_testing.npz')
        x_test = data_test['x_test']
        y_test = data_test['y_test']
        is_poison_test = data_test['is_poison_test']
    except Exception:
        # Cached artifacts missing or unreadable: rebuild everything from
        # scratch. (Was a bare `except:`, which would also have swallowed
        # KeyboardInterrupt/SystemExit.)

        # Read MNIST dataset (x_raw contains the original images):
        (x_raw, y_raw), (x_raw_test, y_raw_test), min_, max_ = load_mnist(raw=True)

        # NOTE(review): num_selection == n_train with replace=True means this
        # is a bootstrap resample of the full training set, not the identity.
        n_train = np.shape(x_raw)[0]
        num_selection = n_train
        random_selection_indices = np.random.choice(n_train, num_selection)
        x_raw = x_raw[random_selection_indices]
        y_raw = y_raw[random_selection_indices]

        # Poison training data
        perc_poison = .33
        (is_poison_train, x_poisoned_raw, y_poisoned_raw) = generate_backdoor(x_raw, y_raw, perc_poison)
        x_train, y_train = preprocess(x_poisoned_raw, y_poisoned_raw)
        # Add channel axis:
        x_train = np.expand_dims(x_train, axis=3)

        # Poison test data
        (is_poison_test, x_poisoned_raw_test, y_poisoned_raw_test) = generate_backdoor(x_raw_test, y_raw_test,
                                                                                       perc_poison)
        x_test, y_test = preprocess(x_poisoned_raw_test, y_poisoned_raw_test)
        # Add channel axis:
        x_test = np.expand_dims(x_test, axis=3)

        # Shuffle training data so poison is not together
        n_train = np.shape(y_train)[0]
        shuffled_indices = np.arange(n_train)
        np.random.shuffle(shuffled_indices)
        x_train = x_train[shuffled_indices]
        y_train = y_train[shuffled_indices]
        is_poison_train = is_poison_train[shuffled_indices]

        # Save data used for training and testing split:
        np.savez('data_training.npz', x_train=x_train, y_train=y_train, is_poison_train=is_poison_train,
                 x_raw=x_poisoned_raw)
        np.savez('data_testing.npz', x_test=x_test, y_test=y_test, is_poison_test=is_poison_test,
                 x_raw_test=x_poisoned_raw_test)

        # Create Keras convolutional neural network - basic architecture from Keras examples
        # Source here: https://github.com/keras-team/keras/blob/master/examples/mnist_cnn.py
        k.set_learning_phase(1)
        model = Sequential()
        model.add(Conv2D(32, kernel_size=(3, 3), activation='relu', input_shape=x_train.shape[1:]))
        model.add(Conv2D(64, (3, 3), activation='relu'))
        model.add(MaxPooling2D(pool_size=(2, 2)))
        model.add(Dropout(0.25))
        model.add(Flatten())
        model.add(Dense(128, activation='relu'))
        model.add(Dropout(0.5))
        model.add(Dense(10, activation='softmax'))
        model.compile(loss='categorical_crossentropy', optimizer='adam', metrics=['accuracy'])

        classifier = KerasClassifier((min_, max_), model=model)
        classifier.fit(x_train, y_train, nb_epochs=50, batch_size=128)

        print('Saving poisoned model: ')
        with open('my_poison_classifier.p', 'wb') as f:
            pickle.dump(classifier, f)

        # Also saving for Anu:
        file_name = 'anu_poison_mnist'
        model.save(file_name + '.hdf5')
        model_json = model.to_json()
        with open(file_name + '.json', "w") as json_file:
            json_file.write(model_json)

    # Evaluate the classifier on the test set
    preds = np.argmax(classifier.predict(x_test), axis=1)
    acc = np.sum(preds == np.argmax(y_test, axis=1)) / y_test.shape[0]
    print("\nTest accuracy: %.2f%%" % (acc * 100))

    # Evaluate the classifier on poisonous data
    preds = np.argmax(classifier.predict(x_test[is_poison_test]), axis=1)
    acc = np.sum(preds == np.argmax(y_test[is_poison_test], axis=1)) / y_test[is_poison_test].shape[0]
    print("\nPoisonous test set accuracy (i.e. effectiveness of poison): %.2f%%" % (acc * 100))

    # Evaluate the classifier on clean data
    preds = np.argmax(classifier.predict(x_test[is_poison_test == 0]), axis=1)
    acc = np.sum(preds == np.argmax(y_test[is_poison_test == 0], axis=1)) / y_test[is_poison_test == 0].shape[0]
    print("\nClean test set accuracy: %.2f%%" % (acc * 100))

    # Calling poisoning defence:
    defence = ActivationDefence(classifier, x_train, y_train)

    # End-to-end method:
    print("------------------- Results using size metric -------------------")
    print(defence.get_params())
    defence.detect_poison(n_clusters=2, ndims=10, reduce="PCA")

    # Now fix the model: relabel the known-poisoned samples to their true
    # labels and retrain until the backdoor is within tolerance.
    x_new, y_fix = correct_poisoned_labels(x_train, y_train, is_poison_train)
    improvement = defence.relabel_poison_ground_truth(x_new, y_fix, test_set_split=0.7, tolerable_backdoor=0.001,
                                                      max_epochs=5, batch_epochs=10)

    # Evaluate the classifier on poisonous data after backdoor fix:
    preds = np.argmax(classifier.predict(x_test[is_poison_test]), axis=1)
    acc_after = np.sum(preds == np.argmax(y_test[is_poison_test], axis=1)) / y_test[is_poison_test].shape[0]
    print("\nPoisonous test set accuracy (i.e. effectiveness of poison) after backdoor fix: %.2f%%" % (acc_after * 100))

    print("\n Improvement after training: ", improvement)
    print('before: ', acc, ' after: ', acc_after)
    print("done :) ")
def main():
    """Backdoor-poison an MNIST training set, train a Keras CNN on it, and
    demonstrate the ActivationDefence clustering defence: size-based and
    distance-based cluster analysis, evaluation against ground truth, and
    cluster visualization."""
    # Read MNIST dataset (x_raw contains the original images):
    (x_raw, y_raw), (x_raw_test, y_raw_test), min_, max_ = load_mnist(raw=True)

    # Sub-sample 5000 training images to keep the demo fast.
    # NOTE(review): np.random.choice defaults to replace=True, so duplicate
    # indices are possible in the selection.
    n_train = np.shape(x_raw)[0]
    num_selection = 5000
    random_selection_indices = np.random.choice(n_train, num_selection)
    x_raw = x_raw[random_selection_indices]
    y_raw = y_raw[random_selection_indices]

    # Poison training data (33% of samples get the backdoor):
    perc_poison = 0.33
    (is_poison_train, x_poisoned_raw, y_poisoned_raw) = generate_backdoor(x_raw, y_raw, perc_poison)
    x_train, y_train = preprocess(x_poisoned_raw, y_poisoned_raw)
    # Add channel axis:
    x_train = np.expand_dims(x_train, axis=3)

    # Poison test data
    (is_poison_test, x_poisoned_raw_test, y_poisoned_raw_test) = generate_backdoor(x_raw_test, y_raw_test,
                                                                                   perc_poison)
    x_test, y_test = preprocess(x_poisoned_raw_test, y_poisoned_raw_test)
    # Add channel axis:
    x_test = np.expand_dims(x_test, axis=3)

    # Shuffle training data so poison is not together
    n_train = np.shape(y_train)[0]
    shuffled_indices = np.arange(n_train)
    np.random.shuffle(shuffled_indices)
    x_train = x_train[shuffled_indices]
    y_train = y_train[shuffled_indices]
    is_poison_train = is_poison_train[shuffled_indices]

    # Create Keras convolutional neural network - basic architecture from Keras examples
    # Source here: https://github.com/keras-team/keras/blob/master/examples/mnist_cnn.py
    model = Sequential()
    model.add(Conv2D(32, kernel_size=(3, 3), activation="relu", input_shape=x_train.shape[1:]))
    model.add(Conv2D(64, (3, 3), activation="relu"))
    model.add(MaxPooling2D(pool_size=(2, 2)))
    model.add(Dropout(0.25))
    model.add(Flatten())
    model.add(Dense(128, activation="relu"))
    model.add(Dropout(0.5))
    model.add(Dense(10, activation="softmax"))
    model.compile(loss="categorical_crossentropy", optimizer="adam", metrics=["accuracy"])

    classifier = KerasClassifier(model=model, clip_values=(min_, max_))
    classifier.fit(x_train, y_train, nb_epochs=30, batch_size=128)

    # Evaluate the classifier on the test set (poisoned + clean mixed):
    preds = np.argmax(classifier.predict(x_test), axis=1)
    acc = np.sum(preds == np.argmax(y_test, axis=1)) / y_test.shape[0]
    print("\nTest accuracy: %.2f%%" % (acc * 100))

    # Evaluate the classifier on poisonous data: high accuracy here means the
    # backdoor is effective (poisoned inputs hit their target labels).
    preds = np.argmax(classifier.predict(x_test[is_poison_test]), axis=1)
    acc = np.sum(preds == np.argmax(y_test[is_poison_test], axis=1)) / y_test[is_poison_test].shape[0]
    print("\nPoisonous test set accuracy (i.e. effectiveness of poison): %.2f%%" % (acc * 100))

    # Evaluate the classifier on clean data
    preds = np.argmax(classifier.predict(x_test[is_poison_test == 0]), axis=1)
    acc = np.sum(preds == np.argmax(y_test[is_poison_test == 0], axis=1)) / y_test[is_poison_test == 0].shape[0]
    print("\nClean test set accuracy: %.2f%%" % (acc * 100))

    # Calling poisoning defence:
    defence = ActivationDefence(classifier, x_train, y_train)

    # End-to-end method: cluster activations and flag the suspicious cluster
    # using the size-based metric.
    print("------------------- Results using size metric -------------------")
    print(defence.get_params())
    defence.detect_poison(nb_clusters=2, nb_dims=10, reduce="PCA")

    # Evaluate method when ground truth is known:
    is_clean = is_poison_train == 0
    confusion_matrix = defence.evaluate_defence(is_clean)
    print("Evaluation defence results for size-based metric: ")
    # evaluate_defence returns a JSON string; pretty-print per-label results.
    jsonObject = json.loads(confusion_matrix)
    for label in jsonObject:
        print(label)
        pprint.pprint(jsonObject[label])

    # Visualize clusters:
    print("Visualize clusters")
    sprites_by_class = defence.visualize_clusters(x_train, "mnist_poison_demo")
    # Show plots for clusters of class 5
    n_class = 5
    try:
        import matplotlib.pyplot as plt
        plt.imshow(sprites_by_class[n_class][0])
        plt.title("Class " + str(n_class) + " cluster: 0")
        plt.show()
        plt.imshow(sprites_by_class[n_class][1])
        plt.title("Class " + str(n_class) + " cluster: 1")
        plt.show()
    except ImportError:
        print("matplotlib not installed. For this reason, cluster visualization was not displayed")

    # Try again using distance analysis this time:
    print("------------------- Results using distance metric -------------------")
    print(defence.get_params())
    defence.detect_poison(nb_clusters=2, nb_dims=10, reduce="PCA", cluster_analysis="distance")
    confusion_matrix = defence.evaluate_defence(is_clean)
    print("Evaluation defence results for distance-based metric: ")
    jsonObject = json.loads(confusion_matrix)
    for label in jsonObject:
        print(label)
        pprint.pprint(jsonObject[label])

    # Other ways to invoke the defence (step-by-step instead of end-to-end):
    kwargs = {"nb_clusters": 2, "nb_dims": 10, "reduce": "PCA"}
    defence.cluster_activations(**kwargs)

    kwargs = {"cluster_analysis": "distance"}
    defence.analyze_clusters(**kwargs)
    defence.evaluate_defence(is_clean)

    kwargs = {"cluster_analysis": "smaller"}
    defence.analyze_clusters(**kwargs)
    defence.evaluate_defence(is_clean)

    print("done :) ")
def main():
    """Backdoor-poison an MNIST training set, train a Keras CNN on it, and
    demonstrate the ActivationDefence clustering defence (older ART API:
    positional clip values, `n_clusters`/`ndims` kwargs, `verbose` flag)."""
    # Read MNIST dataset (x_raw contains the original images):
    (x_raw, y_raw), (x_raw_test, y_raw_test), min_, max_ = load_mnist(raw=True)

    # Sub-sample 5000 training images to keep the demo fast.
    # NOTE(review): np.random.choice defaults to replace=True, so duplicate
    # indices are possible in the selection.
    n_train = np.shape(x_raw)[0]
    num_selection = 5000
    random_selection_indices = np.random.choice(n_train, num_selection)
    x_raw = x_raw[random_selection_indices]
    y_raw = y_raw[random_selection_indices]

    # Poison training data (33% of samples get the backdoor):
    perc_poison = .33
    (is_poison_train, x_poisoned_raw, y_poisoned_raw) = generate_backdoor(x_raw, y_raw, perc_poison)
    x_train, y_train = preprocess(x_poisoned_raw, y_poisoned_raw)
    # Add channel axis:
    x_train = np.expand_dims(x_train, axis=3)

    # Poison test data
    (is_poison_test, x_poisoned_raw_test, y_poisoned_raw_test) = generate_backdoor(x_raw_test, y_raw_test,
                                                                                   perc_poison)
    x_test, y_test = preprocess(x_poisoned_raw_test, y_poisoned_raw_test)
    # Add channel axis:
    x_test = np.expand_dims(x_test, axis=3)

    # Shuffle training data so poison is not together
    n_train = np.shape(y_train)[0]
    shuffled_indices = np.arange(n_train)
    np.random.shuffle(shuffled_indices)
    x_train = x_train[shuffled_indices]
    y_train = y_train[shuffled_indices]
    is_poison_train = is_poison_train[shuffled_indices]

    # Create Keras convolutional neural network - basic architecture from Keras examples
    # Source here: https://github.com/keras-team/keras/blob/master/examples/mnist_cnn.py
    k.set_learning_phase(1)
    model = Sequential()
    model.add(Conv2D(32, kernel_size=(3, 3), activation='relu', input_shape=x_train.shape[1:]))
    model.add(Conv2D(64, (3, 3), activation='relu'))
    model.add(MaxPooling2D(pool_size=(2, 2)))
    model.add(Dropout(0.25))
    model.add(Flatten())
    model.add(Dense(128, activation='relu'))
    model.add(Dropout(0.5))
    model.add(Dense(10, activation='softmax'))
    model.compile(loss='categorical_crossentropy', optimizer='adam', metrics=['accuracy'])

    classifier = KerasClassifier((min_, max_), model=model)
    classifier.fit(x_train, y_train, nb_epochs=30, batch_size=128)

    # Evaluate the classifier on the test set (poisoned + clean mixed):
    preds = np.argmax(classifier.predict(x_test), axis=1)
    acc = np.sum(preds == np.argmax(y_test, axis=1)) / y_test.shape[0]
    print("\nTest accuracy: %.2f%%" % (acc * 100))

    # Evaluate the classifier on poisonous data: high accuracy here means the
    # backdoor is effective (poisoned inputs hit their target labels).
    preds = np.argmax(classifier.predict(x_test[is_poison_test]), axis=1)
    acc = np.sum(preds == np.argmax(y_test[is_poison_test], axis=1)) / y_test[is_poison_test].shape[0]
    print("\nPoisonous test set accuracy (i.e. effectiveness of poison): %.2f%%" % (acc * 100))

    # Evaluate the classifier on clean data
    preds = np.argmax(classifier.predict(x_test[is_poison_test == 0]), axis=1)
    acc = np.sum(preds == np.argmax(y_test[is_poison_test == 0], axis=1)) / y_test[is_poison_test == 0].shape[0]
    print("\nClean test set accuracy: %.2f%%" % (acc * 100))

    # Calling poisoning defence:
    defence = ActivationDefence(classifier, x_train, y_train, verbose=True)

    # End-to-end method: cluster activations and flag the suspicious cluster
    # using the size-based metric.
    print("------------------- Results using size metric -------------------")
    print(defence.get_params())
    defence.detect_poison(n_clusters=2, ndims=10, reduce="PCA")

    # Evaluate method when ground truth is known:
    is_clean = (is_poison_train == 0)
    confusion_matrix = defence.evaluate_defence(is_clean)
    print("Evaluation defence results for size-based metric: ")
    pprint.pprint(confusion_matrix)

    # Visualize clusters:
    print("Visualize clusters")
    defence.visualize_clusters(x_train, 'mnist_poison_demo')

    # Try again using distance analysis this time:
    print("------------------- Results using distance metric -------------------")
    print(defence.get_params())
    defence.detect_poison(n_clusters=2, ndims=10, reduce="PCA", cluster_analysis='distance')
    confusion_matrix = defence.evaluate_defence(is_clean)
    print("Evaluation defence results for distance-based metric: ")
    pprint.pprint(confusion_matrix)

    # Other ways to invoke the defence (step-by-step instead of end-to-end):
    defence.cluster_activations(n_clusters=2, ndims=10, reduce='PCA')

    defence.analyze_clusters(cluster_analysis='distance')
    defence.evaluate_defence(is_clean)

    defence.analyze_clusters(cluster_analysis='smaller')
    defence.evaluate_defence(is_clean)

    print("done :) ")
# Script: train a small dense MNIST classifier, then craft CarliniL2Method
# adversarial samples (attack construction continues beyond this excerpt;
# LabelSmoothing is imported for the defence stage).
from os.path import abspath
import sys
# Allow running the script from the repository root without installing art.
sys.path.append(abspath('.'))

from keras.models import Sequential
from keras.layers import Dense
import numpy as np

from art.attacks import CarliniL2Method
from art.defences import LabelSmoothing
from art.classifiers import KerasClassifier
from art.utils import load_mnist_raw, preprocess, random_targets

# Read MNIST dataset (x_raw contains the original images):
(x_raw, y_raw), (x_raw_test, y_raw_test), min_, max_ = load_mnist_raw()
x_train, y_train = preprocess(x_raw, y_raw)
x_test, y_test = preprocess(x_raw_test, y_raw_test)
# Flatten 28x28 images to 784-dim vectors (full MNIST split: 60k train / 10k test).
x_train = x_train.reshape(60000, 784)
x_test = x_test.reshape(10000, 784)

## Create simple 2 hidden layer 64 nodes neural network
model = Sequential()
model.add(Dense(64, input_dim=784, activation='relu'))
model.add(Dense(64, activation='relu'))
model.add(Dense(10, activation='softmax'))
# NOTE(review): 'mse' loss with a softmax output is unusual for classification;
# 'categorical_crossentropy' is conventional — confirm this is intentional.
model.compile(loss='mse', optimizer='adam', metrics=['accuracy'])

classifier = KerasClassifier((min_, max_), model=model)
classifier.fit(x_train, y_train, nb_epochs=5, batch_size=50)

## Create CarliniL2Method adversarial samples
print('Create CarliniL2Method attack \n')