def test_common_corruptions():
model_fn = create_undefended_keras_model_fn()
severity = 1
spatial_attack = attacks.CommonCorruptionsAttack(severity=severity)
ds_size = 10
spatial_attack._stop_after_n_datapoints = ds_size
dataset_iter = bird_or_bicycle.get_iterator('train',
batch_size=2,
verify_dataset=False)
evaluate_two_class_unambiguous_model(
model_fn,
dataset_iter,
model_name='test_common_corruption,severity=%s' % severity,
attack_list=[spatial_attack])
def test_spatial_speed():
# Set up standard attack params
bird_or_bicycle_shape = (224, 224, 3)
bird_or_bicycle_spatial_limits = [18, 18, 30]
bird_or_bicycle_black_border_size = 20
grid_granularity = [5, 5, 31]
model_fn = create_undefended_keras_model_fn()
spatial_attack = attacks.FastSpatialGridAttack(
model_fn,
image_shape_hwc=bird_or_bicycle_shape,
spatial_limits=bird_or_bicycle_spatial_limits,
grid_granularity=grid_granularity,
black_border_size=bird_or_bicycle_black_border_size,
)
ds_size = 4
spatial_attack._stop_after_n_datapoints = ds_size
dataset_iter = bird_or_bicycle.get_iterator('train',
batch_size=2,
verify_dataset=False)
return evaluate_two_class_unambiguous_model(model_fn,
dataset_iter,
model_name='test_spatial',
attack_list=[spatial_attack])
def test_spatial_speed():
# Keras isn't being found by travis for some reason
from tensorflow.keras.applications.resnet50 import preprocess_input
# Variable scoping lets us use our _graph in our model_fn
_graph = tf.Graph()
with _graph.as_default():
k_model = tf.keras.applications.resnet50.ResNet50(
include_top=True, weights='imagenet', input_tensor=None,
input_shape=None, pooling=None, classes=1000)
def undefended_keras_model_fn(x_np):
"""A normal keras resnet that was pretrained on ImageNet"""
x_np = preprocess_input(x_np * 255)
with _graph.as_default():
prob1000 = k_model.predict_on_batch(x_np) / 10
# Keras returns softmax-ed probs, we convert them back to logits
fake_logits1000 = np.log(prob1000)
bird_max_logit = np.max(
fake_logits1000[:, CLASS_NAME_TO_IMAGENET_CLASS['bird']], axis=1)
bicycle_max_logit = np.max(
fake_logits1000[:, CLASS_NAME_TO_IMAGENET_CLASS['bicycle']], axis=1)
two_class_logits = np.concatenate((
bicycle_max_logit[:, None],
bird_max_logit[:, None]),
axis=1)
return two_class_logits
# Set up standard attack params
bird_or_bicycle_shape = (224, 224, 3)
bird_or_bicycle_spatial_limits = [18, 18, 30]
bird_or_bicycle_black_border_size = 20
grid_granularity = [5, 5, 31]
model_fn = undefended_keras_model_fn
spatial_attack = attacks.FastSpatialGridAttack(
model_fn,
image_shape_hwc=bird_or_bicycle_shape,
spatial_limits=bird_or_bicycle_spatial_limits,
grid_granularity=grid_granularity,
black_border_size=bird_or_bicycle_black_border_size,
)
ds_size = 32
spatial_attack._stop_after_n_datapoints = ds_size
dataset_iter = bird_or_bicycle.get_iterator(
'train', batch_size=32, verify_dataset=False)
return evaluate_two_class_unambiguous_model(
model_fn, dataset_iter,
model_name='undefended_keras_resnet_test_spatial',
attack_list=[spatial_attack])
def test_confidence_always_right():
fake_data_iter = [[np.zeros([batch_size, 28, 28, 1]), np.ones(batch_size)]]
results = eval_kit.evaluate_two_class_unambiguous_model(
model_fn=always_one_model_fn,
data_iter=fake_data_iter,
model_name='always_right_model',
attack_list=attack_list)
assert results['clean']['accuracy@100'] == 1.0
assert results['clean']['accuracy@80'] == 1.0
def test_confidence_random():
fake_data_iter = [[
np.zeros([batch_size, 28, 28, 1]),
np.zeros(batch_size)
]]
results = eval_kit.evaluate_two_class_unambiguous_model(
model_fn=random_model_fn,
data_iter=fake_data_iter,
model_name='random_model',
attack_list=attack_list)
assert_approx_equal(results['clean']['accuracy@100'], 0.5, significant=2)
assert_approx_equal(results['clean']['accuracy@80'], 0.5, significant=2)
def test_simple_spatial():
# Set up standard attack params
bird_or_bicycle_spatial_limits = [18, 18, 30]
grid_granularity = [5, 5, 31]
model_fn = create_undefended_keras_model_fn()
spatial_attack = attacks.SimpleSpatialAttack(
spatial_limits=bird_or_bicycle_spatial_limits,
grid_granularity=grid_granularity,
black_border_frac=0.15,
)
ds_size = 4
spatial_attack._stop_after_n_datapoints = ds_size
dataset_iter = bird_or_bicycle.get_iterator('train',
batch_size=2,
verify_dataset=False)
evaluate_two_class_unambiguous_model(model_fn,
dataset_iter,
model_name='test_spatial',
attack_list=[spatial_attack])
def test_two_class_mnist_accuracy():
""" Train an mnist model on a subset of mnist and then evaluate it
on small attacks *on the training set*.
"""
model_fn = train_overfit_classifier(num_batches=32, batch_size=1)
dataset_iter = mnist_utils.get_two_class_iterator('train',
num_datapoints=32,
batch_size=1)
mnist_spatial_limits = [10, 10, 10]
mnist_shape = (28, 28, 1)
mnist_black_border_size = 4
attack_list = [
attacks.CleanData(),
attacks.SpsaAttack(
model_fn,
epsilon=0.3,
image_shape_hwc=mnist_shape,
),
attacks.SpsaWithRandomSpatialAttack(
model_fn,
epsilon=0.3,
spatial_limits=mnist_spatial_limits,
black_border_size=mnist_black_border_size,
image_shape_hwc=mnist_shape,
),
attacks.SpatialGridAttack(
grid_granularity=[5, 5, 11],
valid_check=mnist_utils.mnist_valid_check,
spatial_limits=mnist_spatial_limits,
black_border_size=mnist_black_border_size,
image_shape_hwc=mnist_shape,
),
]
boundary_attack = attacks.BoundaryWithRandomSpatialAttack(
model_fn,
max_l2_distortion=4,
label_to_examples=eval_kit._get_mnist_labels_to_examples(),
spatial_limits=mnist_spatial_limits,
black_border_size=mnist_black_border_size,
image_shape_hwc=mnist_shape,
)
# We limit the boundary attack to the first datapoint to speed up eval
boundary_attack._stop_after_n_datapoints = 1
attack_list.append(boundary_attack)
results = eval_kit.evaluate_two_class_unambiguous_model(
model_fn,
data_iter=dataset_iter,
model_name="overfit_mnist",
attack_list=attack_list)
# Make sure that clean data has high accuracy
assert results['clean']['accuracy@100'] >= 0.9
# Make sure that attacks reduce accuracy
assert results['spatial_grid']['accuracy@100'] <= 0.7
assert results['spsa']['accuracy@100'] <= 0.6
assert results['spsa_with_random_spatial']['accuracy@100'] <= 0.5
# Run a smoke test on all attacks with a batch size of one
# TODO: Split this into a separate test
dataset_iter = mnist_utils.get_two_class_iterator('train',
num_datapoints=1,
batch_size=1)
eval_kit.evaluate_two_class_mnist_model(model_fn,
dataset_iter=dataset_iter,
model_name="overfit_mnist")
