def test_blackbox_existing_predictions_fuzzy(art_warning):
try:
x = np.array([0, 3])
fuzzy_x = np.array([0, 3.00001])
y = np.array([[1, 0], [0, 1]])
bb = BlackBoxClassifier((x, y), (1, ), 2, fuzzy_float_compare=True)
assert np.array_equal(bb.predict(fuzzy_x), y)
except ARTTestException as e:
art_warning(e)
def test_blackbox_existing_predictions(art_warning, get_mnist_dataset):
try:
_, (x_test, y_test) = get_mnist_dataset
limited_x_test = x_test[:500]
limited_y_test = y_test[:500]
bb = BlackBoxClassifier((limited_x_test, limited_y_test), (28, 28, 1),
10,
clip_values=(0, 255))
assert np.array_equal(bb.predict(limited_x_test), limited_y_test)
with pytest.raises(ValueError):
bb.predict(x_test[:600])
except ARTTestException as e:
art_warning(e)
def extract(self,
x: np.ndarray,
y: Optional[np.ndarray] = None,
delta_0: float = 0.05,
fraction_true: float = 0.3,
rel_diff_slope: float = 0.00001,
rel_diff_value: float = 0.000001,
delta_init_value: float = 0.1,
delta_value_max: int = 50,
d2_min: float = 0.0004,
d_step: float = 0.01,
delta_sign: float = 0.02,
unit_vector_scale: int = 10000,
**kwargs) -> BlackBoxClassifier:
"""
Extract the targeted model.
:param x: Samples of input data of shape (num_samples, num_features).
:param y: Correct labels or target labels for `x`, depending if the attack is targeted
or not. This parameter is only used by some of the attacks.
:param delta_0: Initial step size of binary search.
:param fraction_true: Fraction of output predictions that have to fulfill criteria for critical point.
:param rel_diff_slope: Relative slope difference at critical points.
:param rel_diff_value: Relative value difference at critical points.
:param delta_init_value: Initial delta of weight value search.
:param delta_value_max: Maximum delta of weight value search.
:param d2_min: Minimum acceptable value of sum of absolute second derivatives.
:param d_step: Step size of delta increase.
:param delta_sign: Delta of weight sign search.
:param unit_vector_scale: Multiplicative scale of the unit vector `e_j`.
:return: ART :class:`.BlackBoxClassifier` of the extracted model.
"""
self._critical_point_search(
delta_0=delta_0,
fraction_true=fraction_true,
rel_diff_slope=rel_diff_slope,
rel_diff_value=rel_diff_value,
)
self._weight_recovery(
delta_init_value=delta_init_value,
delta_value_max=delta_value_max,
d2_min=d2_min,
d_step=d_step,
delta_sign=delta_sign,
)
self._sign_recovery(unit_vector_scale=unit_vector_scale)
self._last_layer_extraction(x)
def predict(x: np.ndarray) -> np.ndarray:
"""
Predict extracted model.
:param x: Samples of input data of shape `(num_samples, num_features)`.
:return: Predictions with the extracted model of shape `(num_samples, num_classes)`.
"""
layer_0 = np.maximum(np.matmul(self.w_0.T, x.T) + self.b_0,
0.0) # type: ignore
layer_1 = np.matmul(self.w_1.T, layer_0) + self.b_1 # type: ignore
return layer_1.T
extracted_classifier = BlackBoxClassifier(
predict,
input_shape=self.estimator.input_shape,
nb_classes=self.estimator.nb_classes,
clip_values=self.estimator.clip_values,
preprocessing_defences=self.estimator.preprocessing_defences,
preprocessing=self.estimator.preprocessing,
)
return extracted_classifier