def attack(self, img, model, target=None, pixel_count=1, maxiter=75, popsize=400, verbose=False, plot=False): # Change the target class based on whether this is a targeted attack or not targeted_attack = target is not None target_class = target if targeted_attack else self.y_test[img, 0] # print("----------------------------------------------------",self.y_test[img,0]) # print("++++++++++++++++++++++++++++++++++++++++++++++++++++",target_class) # Define bounds for a flat vector of x,y,r,g,b values # For more pixels, repeat this layout dim_x, dim_y = self.dimensions # bounds = [(0,dim_x), (0,dim_y), (0,256), (0,256), (0,256)] * pixel_count bounds = [(0, dim_x), (0, dim_y), (0, 256)] * pixel_count # Population multiplier, in terms of the size of the perturbation vector x popmul = max(1, popsize // len(bounds)) # Format the predict/callback functions for the differential evolution algorithm predict_fn = lambda xs: self.predict_classes( xs, self.x_test[img], target_class, model, target is None) # print(predict_fn) callback_fn = lambda x, convergence: self.attack_success( x, self.x_test[img], target_class, model, targeted_attack, verbose) # print(callback_fn) #print('模型的输入:',predict_fn,'类型为:',predict_fn.type) # Call Scipy's Implementation of Differential Evolution attack_result = differential_evolution( predict_fn, bounds, maxiter=maxiter, popsize=popmul, recombination=1, atol=-1, callback=callback_fn, polish=False) # Calculate some useful statistics to return from this function attack_image = helper.perturb_image(attack_result.x, self.x_test[img])[0] #print('***********************************************') #print('attack_image',attack_image) temp_list = attack_image.tolist() #print('***********************************************') # Calculate the L2 norm to represent the revise size L2_img = attack_image - self.x_test[img] L2_img = np.array(L2_img) L2_img = L2_img.reshape(784) # print(L2_img) L2_norm = np.sqrt(np.sum(np.square(L2_img))) prior_probs = model.predict(np.array([self.x_test[img]]))[0] # print('-----------------------_test1', prior_probs) predicted_probs = model.predict(np.array([attack_image]))[0] # print('-----------------------_test2', predicted_probs) predicted_class = np.argmax(predicted_probs) actual_class = self.y_test[img, 0] success = predicted_class != actual_class cdiff = prior_probs[actual_class] - predicted_probs[actual_class] # Show the best attempt at a solution (successful or not) if plot: helper.plot_image(attack_image, actual_class, self.class_names, predicted_class) return [model.name, pixel_count, img, actual_class, predicted_class, success, cdiff, prior_probs, predicted_probs, attack_result.x, L2_norm,]
def predict_classes(self, xs, img, target_class, model, minimize=True): # Perturb the image with the given pixel(s) x and get the prediction of the model imgs_perturbed = helper.perturb_image(xs, img) predictions = model.predict(imgs_perturbed)[:, target_class] # print(predictions) # This function should always be minimized, so return its complement if needed return predictions if minimize else 1 - predictions, imgs_perturbed
def attack(self, img, model, target=None, pixel_count=1, maxiter=75, popsize=400, verbose=False, plot=False, preprocessing_cb=None): """ @img: index to the image you want to attack @model: the model to attack @target: the index to the target you want to aim for @pixel_count: how many pixels to have in your attack @maxiter: maximum number of iterations on optimization @popsize: size of the population to use at each iteration of the optimization @verbose: boolean, controls printing @plot: boolean, whether to plot the final results """ # Change the target class based on whether this is a targeted attack or not targeted_attack = target is not None target_class = target if targeted_attack else self.y_test[img, 0] # Define bounds for a flat vector of x,y,r,g,b values # For more pixels, repeat this layout dim_x, dim_y = self.dimensions bounds = [(0,dim_x), (0,dim_y), (0, 255), (0, 255), (0., 255)] * pixel_count # Population multiplier, in terms of the size of the perturbation vector x popmul = max(1, popsize // len(bounds)) # Format the predict/callback functions for the differential evolution algorithm predict_fn = lambda xs: self.predict_classes( xs, self.x_test[img], target_class, model, target is None, preprocessing_cb=preprocessing_cb) callback_fn = lambda x, convergence: self.attack_success( x, self.x_test[img], target_class, model, targeted_attack, verbose, preprocessing_cb=preprocessing_cb) # Call Scipy's Implementation of Differential Evolution attack_result = differential_evolution( predict_fn, bounds, maxiter=maxiter, popsize=popmul, recombination=1, atol=-1, callback=callback_fn, polish=False) # Calculate some useful statistics to return from this function attack_image = helper.perturb_image(attack_result.x, self.x_test[img].copy())[0] if preprocessing_cb is not None: original_img = preprocessing_cb(self.x_test[img].copy()) attack_image = preprocessing_cb(attack_image.copy()) else: original_img = self.x_test[img].copy() prior_probs = model.predict(np.array([original_img]))[0] predicted_probs = model.predict(np.array([attack_image]))[0] predicted_class = np.argmax(predicted_probs) actual_class = self.y_test[img, 0] success = predicted_class != actual_class cdiff = prior_probs[actual_class] - predicted_probs[actual_class] # Show the best attempt at a solution (successful or not) if plot: helper.plot_image(attack_image, actual_class, self.class_names, predicted_class) return [model.name, pixel_count, img, actual_class, predicted_class, success, cdiff, prior_probs, predicted_probs, attack_result.x]
def predict_classes(self, xs, img, target_class, model, minimize=True, preprocessing_cb=None): # Perturb the image with the given pixel(s) x and get the prediction of the model imgs_perturbed = helper.perturb_image(xs, img.copy()) if preprocessing_cb is not None: imgs_perturbed = preprocessing_cb(imgs_perturbed) predictions = model.predict(imgs_perturbed)[:, target_class] # This function should always be minimized, so return its complement if needed return predictions if minimize else 1 - predictions
def attack(self, img, model, pixel_count=1, maxiter=125, popsize=400, plot=False): # Change the target class based on whether this is a targeted attack or not target_class = self.y_test[img, 0] # Define bounds for a flat vector of x,y,r,g,b values # For more pixels, repeat this layout dim_x, dim_y = self.dimensions bounds = [(0, dim_x), (0, dim_y), (0, 256), (0, 256), (0, 256)] * pixel_count # Population multiplier, in terms of the size of the perturbation vector x popmul = max(1, popsize // len(bounds)) # Format the predict/callback functions for the differential evolution algorithm predict_fn = lambda xs: model.predict( perturb_image(xs, self.x_test[img]))[0] callback_fn = lambda x, convergence: self.attack_success( x, self.x_test[img], target_class, model) # Call Scipy's Implementation of Differential Evolution attack_result = differential_evolution(predict_fn, bounds, maxiter=maxiter, popsize=popmul, recombination=1, atol=-1, callback=callback_fn, polish=False) # Calculate some useful statistics to return from this function attack_image = helper.perturb_image(attack_result.x, self.x_test[img])[0] prior_probs = model.predict(np.array([self.x_test[img]]))[0] predicted_probs = model.predict(np.array([attack_image]))[0] predicted_class = np.argmax(predicted_probs) actual_class = self.y_test[img, 0] success = predicted_class != actual_class cdiff = prior_probs[actual_class] - predicted_probs[actual_class] # Show the best attempt at a solution (successful or not) if plot: helper.plot_image(attack_image, actual_class, self.class_names, predicted_class) return [ model.name, pixel_count, img, actual_class, predicted_class, success, cdiff, prior_probs, predicted_probs, attack_result.x ]
def attack_success(self, x, img, target_class, model, targeted_attack=False, verbose=False): # Perturb the image with the given pixel(s) and get the prediction of the model attack_image = helper.perturb_image(x, img) confidence = model.predict(attack_image)[0] predicted_class = np.argmax(confidence) # If the prediction is what we want (misclassification or # targeted classification), return True if (verbose): print('Confidence:', confidence[target_class]) if ((targeted_attack and predicted_class == target_class) or (not targeted_attack and predicted_class != target_class)): return True
def predict_classes(self, xs, img, target_class, model, minimize=True): # Perturb the image with the given pixel(s) x and get the prediction of the model imgs_perturbed = helper.perturb_image(xs, img) target_class = int(target_class) predictions = model.predict(imgs_perturbed)[:, target_class] # print('模型的输入:',predictions,'输入的形状:',predictions.shape) # print('目标类别是:',target_class) # print('target_class is') # print(target_class) # This function should always be minimized, so return its complement if needed # print('predictions shape is') # print(predictions.shape) return predictions if minimize else 1 - predictions
def attack_success(self, x, img, target_class, model, targeted_attack=False, verbose=False): # Perturb the image with the given pixel(s) and get the prediction of the model attack_image = helper.perturb_image(x, img) confidence = model.predict(attack_image)[0] predicted_class = np.argmax(confidence) # If the prediction is what we want (misclassification or # targeted classification), return True if (verbose): print('Confidence:', confidence[target_class]) if ((targeted_attack and predicted_class == target_class) or (not targeted_attack and predicted_class != target_class)): return True
def attack(img, model, target=None, pixel_count=1, maxiter=75, popsize=400, verbose=False): # Change the target class based on whether this is a targeted attack or not targeted_attack = target is not None target_class = target if targeted_attack else y_test[img, 0] # Define bounds for a flat vector of x,y,r,g,b values # For more pixels, repeat this layout bounds = [(0, 32), (0, 32), (0, 256), (0, 256), (0, 256)] * pixel_count # Population multiplier, in terms of the size of the perturbation vector x popmul = max(1, popsize // len(bounds)) # Format the predict/callback functions for the differential evolution algorithm predict_fn = lambda xs: predict_classes(xs, x_test[img], target_class, model, target is None) callback_fn = lambda x, convergence: attack_success( x, img, target_class, model, targeted_attack, verbose) # Call Scipy's Implementation of Differential Evolution attack_result = differential_evolution(predict_fn, bounds, maxiter=maxiter, popsize=popmul, recombination=1, atol=-1, callback=callback_fn, polish=False) # Calculate some useful statistics to return from this function attack_image = perturb_image(attack_result.x, x_test[img])[0] prior_probs = model.predict_one(x_test[img]) predicted_probs = model.predict_one(attack_image) predicted_class = np.argmax(predicted_probs) actual_class = y_test[img, 0] success = predicted_class != actual_class cdiff = prior_probs[actual_class] - predicted_probs[actual_class] # Show the best attempt at a solution (successful or not) # helper.plot_image(attack_image, actual_class, class_names, predicted_class) return [ model.name, pixel_count, img, actual_class, predicted_class, success, cdiff, prior_probs, predicted_probs, attack_result.x ]
def attack_success(self, x, img, target_class, model, targeted_attack=False, verbose=False, preprocessing_cb=None): # Perturb the image with the given pixel(s) and get the prediction of the model attack_image = helper.perturb_image(x, img.copy()) if preprocessing_cb is not None: attack_image = preprocessing_cb(attack_image) confidence = model.predict(attack_image)[0] predicted_class = np.argmax(confidence) # If the prediction is what we want (misclassification or # targeted classification), return True if (verbose): print('Confidence {}: x={}'.format(confidence[target_class], x)) if ((targeted_attack and predicted_class == target_class) or (not targeted_attack and predicted_class != target_class)): return True
def attack(self, img, model, target=None, pixel_count=1, maxiter=75, popsize=400, verbose=False, plot=False): # Change the target class based on whether this is a targeted attack or not targeted_attack = target is not None target_class = target if targeted_attack else self.y_test[img,0] # Define bounds for a flat vector of x,y,r,g,b values # For more pixels, repeat this layout dim_x, dim_y = self.dimensions bounds = [(0,dim_x), (0,dim_y), (0,256), (0,256), (0,256)] * pixel_count # Population multiplier, in terms of the size of the perturbation vector x popmul = max(1, popsize // len(bounds)) # Format the predict/callback functions for the differential evolution algorithm predict_fn = lambda xs: self.predict_classes( xs, self.x_test[img], target_class, model, target is None) callback_fn = lambda x, convergence: self.attack_success( x, self.x_test[img], target_class, model, targeted_attack, verbose) # Call Scipy's Implementation of Differential Evolution attack_result = differential_evolution( predict_fn, bounds, maxiter=maxiter, popsize=popmul, recombination=1, atol=-1, callback=callback_fn, polish=False) # Calculate some useful statistics to return from this function attack_image = helper.perturb_image(attack_result.x, self.x_test[img])[0] prior_probs = model.predict(np.array([self.x_test[img]]))[0] predicted_probs = model.predict(np.array([attack_image]))[0] predicted_class = np.argmax(predicted_probs) actual_class = self.y_test[img,0] success = predicted_class != actual_class cdiff = prior_probs[actual_class] - predicted_probs[actual_class] # Show the best attempt at a solution (successful or not) if plot: helper.plot_image(attack_image, actual_class, self.class_names, predicted_class) return [model.name, pixel_count, img, actual_class, predicted_class, success, cdiff, prior_probs, predicted_probs, attack_result.x]
model = resnet labels = labels.reshape(10, 1) list = single_pixel_attack(images, labels, class_names, images_id, model, pixel_count=10, verbose=True, plot=True) print("扰动点坐标", list[10]) #获取敏感点在干净图片上的值 clean_rgb = clean_pixels(list[10], images[images_id]) #过滤敏感点 用干净值替代对抗样本对应位置 生成防御图 defense_image = helper.perturb_image(np.array(clean_rgb), adversarial)[0] #绘画防御图 helper.plot_image(defense_image) #绘画敏感点 helper.plot_image(adversarial - defense_image) ##########将扰动样本与敏感点化成一张图 plt.figure() plt.subplot(1, 2, 1) plt.xticks([]) plt.yticks([]) adv_images = adversarial - images[images_id] plt.imshow(adv_images.astype(np.uint8)) plt.subplot(1, 2, 2) sen_points = adversarial - defense_image plt.imshow(sen_points.astype(np.uint8))
print("For Image @ index {}, True label {}".format(target_img_idx, names[target_img_idx])) preprocessed_tgt_image = mobilenet_preprocess_input( processed_images[target_img_idx, ].copy()) prediction = model.predict(np.expand_dims(preprocessed_tgt_image, axis=0)) # helper.plot_image(images[target_img_idx,]) print("Model predictions") predictions = mobilenet_decode_predictions(prediction)[0] for item in predictions: print(item) # Change one pixel changed_pixel = np.array([200, 100, 255, 0, 255]) attack_image = helper.perturb_image( changed_pixel, processed_images[target_img_idx, ].copy())[0] preprocessed_attack_image = mobilenet_preprocess_input(attack_image.copy()) prediction = model.predict( np.expand_dims(preprocessed_attack_image, axis=0)) print("Attacked Image prediction") predictions = mobilenet_decode_predictions(prediction)[0] for item in predictions: print(item) # ----------------------------------------------------------------------------------- # Single Image Attack # ----------------------------------------------------------------------------------- print("Single Image Attack ...") start_time = datetime.now()
def predict_classes(self, xs, img, target_class, model, minimize=True): # Perturb the image with the given pixel(s) x and get the prediction of the model imgs_perturbed = helper.perturb_image(xs, img) predictions = model.predict(imgs_perturbed)[:,target_class] # This function should always be minimized, so return its complement if needed return predictions if minimize else 1 - predictions
network_stats, correct_imgs = helper.evaluate_models(models, images, labels) correct_imgs = pd.DataFrame( correct_imgs, columns=['name', 'img', 'label', 'confidence', 'pred']) network_stats = pd.DataFrame(network_stats, columns=['name', 'accuracy', 'param_count']) print(network_stats) pixel = np.array([16, 20, 0, 255, 255]) model = resnet image_id = 1 true_class = labels[image_id, 0] prior_confidence = model.predict_one(images[image_id])[true_class] confidence = helper.predict_classes(pixel, images[image_id], true_class, model)[0] print('Confidence in true class', class_names[true_class], 'is', confidence) print('Prior confidence was', prior_confidence) helper.plot_image(helper.perturb_image(pixel, images[image_id])[0]) list = attack(images, labels, class_names, image_id, model, pixel_count=3, verbose=True, plot=True) print(list[10])
def single_pixel_attack(images, labels, class_names, img_id, model, target=None, pixel_count=1, maxiter=75, popsize=400, verbose=False, plot=False, dimensions=(32, 32)): # Change the target class based on whether this is a targeted attack or not targeted_attack = target is not None target_class = target if targeted_attack else labels[img_id, 0] ack = PixelAttacker([model], (images, labels), class_names) # Define bounds for a flat vector of x,y,r,g,b values # For more pixels, repeat this layout dim_x, dim_y = dimensions bounds = [(0, dim_x), (0, dim_y), (0, 256), (0, 256), (0, 256)] * pixel_count # Population multiplier, in terms of the size of the perturbation vector x popmul = max(1, popsize // len(bounds)) # Format the predict/callback functions for the differential evolution algorithm def predict_fn(xs): return ack.predict_classes(xs, images[img_id], target_class, model, target is None) def callback_fn(x, convergence): return ack.attack_success(x, images[img_id], target_class, model, targeted_attack, verbose) # Call Scipy's Implementation of Differential Evolution attack_result = differential_evolution(predict_fn, bounds, maxiter=maxiter, popsize=popmul, recombination=1, atol=-1, callback=callback_fn, polish=False) # Calculate some useful statistics to return from this function attack_image = helper.perturb_image(attack_result.x, images[img_id])[0] prior_probs = model.predict(np.array([images[img_id]]))[0] predicted_probs = model.predict(np.array([attack_image]))[0] predicted_class = np.argmax(predicted_probs) actual_class = labels[img_id, 0] success = predicted_class != actual_class cdiff = prior_probs[actual_class] - predicted_probs[actual_class] # Show the best attempt at a solution (successful or not) if plot: helper.plot_image(attack_image, actual_class, class_names, predicted_class) return [ attack_image, model.name, pixel_count, img_id, actual_class, predicted_class, success, cdiff, prior_probs, predicted_probs, attack_result.x ]
#加载模型 model = keras.applications.ResNet50() #processed_images = preprocess_input(images.copy()) # Prepare the image for the model processed_images = images predictions = model.predict( processed_images) # Get the predicted probabilities for each class label = decode_predictions( predictions) # Convert the probabilities to class labels print(label) #扰动图片 pixel = np.array([112, 112, 255, 255, 0]) # pixel = x,y,r,g,b image_perturbed = helper.perturb_image(pixel, images) helper.plot_image(image_perturbed[0]) #preprocessed_perturbed = preprocess_input(image_perturbed.copy()) preprocessed_perturbed = image_perturbed predictions = model.predict(preprocessed_perturbed) label = decode_predictions(predictions) print(label) ''' #攻击 # Should output /device:GPU:0 K.tensorflow_backend._get_available_gpus() models = [model] test = processed_images, np.array([labels])