def setUpClass(cls):
k.clear_session()
k.set_learning_phase(1)
# Get MNIST
(x_train, y_train), (x_test, y_test), _, _ = load_mnist()
x_train, y_train, x_test, y_test = x_train[:
NB_TRAIN], y_train[:
NB_TRAIN], x_test[:
NB_TEST], y_test[:
NB_TEST]
cls.mnist = (x_train, y_train), (x_test, y_test)
# Load small Keras model
cls.model_mnist, _ = get_classifier_kr()
cls.functional_model = cls.functional_model()
import requests
import tempfile
import os
# Temporary folder for tests
cls.test_dir = tempfile.mkdtemp()
# Download one ImageNet pic for tests
url = 'http://farm1.static.flickr.com/163/381342603_81db58bea4.jpg'
result = requests.get(url, stream=True)
if result.status_code == 200:
image = result.raw.read()
f = open(os.path.join(cls.test_dir, 'test.jpg'), 'wb')
f.write(image)
f.close()
def test_krclassifier(self):
"""
Second test with the KerasClassifier.
:return:
"""
# Build KerasClassifier
krc, sess = get_classifier_kr()
# Get MNIST
(x_train, _), (x_test, _) = self.mnist
# Attack
attack_params = {"max_translation": 10.0, "num_translations": 3, "max_rotation": 30.0, "num_rotations": 3}
attack_st = SpatialTransformation(krc)
x_train_adv = attack_st.generate(x_train, **attack_params)
self.assertTrue(abs(x_train_adv[0, 8, 13, 0] - 0.49004024) <= 0.01)
self.assertTrue(abs(attack_st.fooling_rate - 0.707) <= 0.01)
self.assertTrue(attack_st.attack_trans_x == 3)
self.assertTrue(attack_st.attack_trans_y == 3)
self.assertTrue(attack_st.attack_rot == 30.0)
x_test_adv = attack_st.generate(x_test)
self.assertTrue(abs(x_test_adv[0, 14, 14, 0] - 0.013572651) <= 0.01)
k.clear_session()
def test_krclassifier(self):
"""
Second test with the KerasClassifier.
:return:
"""
# Build KerasClassifier
krc, _ = get_classifier_kr()
# Get MNIST
(x_train, _), (_, _) = self.mnist
# Attack
attack_ap = AdversarialPatch(krc,
rotation_max=22.5,
scale_min=0.1,
scale_max=1.0,
learning_rate=5.0,
patch_shape=(28, 28, 1),
batch_size=10)
patch_adv, _ = attack_ap.generate(x_train)
self.assertTrue(patch_adv[8, 8, 0] - (-3.2501425017774923) < 0.01)
self.assertTrue(patch_adv[14, 14, 0] - 20.48400094881169 < 0.01)
self.assertTrue(np.sum(patch_adv) - 1764.7681744376168 < 0.01)
k.clear_session()
def test_krclassifier(self):
"""
Test with a KerasClassifier.
:return:
"""
# Build KerasClassifier
krc, sess = get_classifier_kr()
# Get MNIST
(_, _), (x_test, y_test) = self.mnist
# First attack (without EoT):
fgsm = FastGradientMethod(classifier=krc, targeted=True)
params = {'y': random_targets(y_test, krc.nb_classes)}
x_test_adv = fgsm.generate(x_test, **params)
# Second attack (with EoT):
def t(x):
return x
def transformation():
while True:
yield t
eot = ExpectationOverTransformations(sample_size=1, transformation=transformation)
fgsm_with_eot = FastGradientMethod(classifier=krc,
expectation=eot,
targeted=True)
self.assertFalse(fgsm_with_eot.expectation is None)
x_test_adv_with_eot = fgsm_with_eot.generate(x_test, **params)
self.assertTrue((np.abs(x_test_adv - x_test_adv_with_eot) < 0.001).all())
def test_krclassifier(self):
"""
Second test with the KerasClassifier.
:return:
"""
# Build KerasClassifier
krc, sess = get_classifier_kr()
# Get MNIST
(x_train, y_train), (x_test, y_test) = self.mnist
# Attack
up = UniversalPerturbation(krc,
max_iter=1,
attacker="ead",
attacker_params={
"max_iter": 5,
"targeted": False
})
x_train_adv = up.generate(x_train)
self.assertTrue((up.fooling_rate >= 0.2) or not up.converged)
x_test_adv = x_test + up.noise
self.assertFalse((x_test == x_test_adv).all())
train_y_pred = np.argmax(krc.predict(x_train_adv), axis=1)
test_y_pred = np.argmax(krc.predict(x_test_adv), axis=1)
self.assertFalse((np.argmax(y_test, axis=1) == test_y_pred).all())
self.assertFalse((np.argmax(y_train, axis=1) == train_y_pred).all())
def setUpClass(cls):
k.set_learning_phase(1)
# Get MNIST
(x_train, y_train), (x_test, y_test), _, _ = load_mnist()
x_train, y_train, x_test, y_test = x_train[:NB_TRAIN], y_train[:NB_TRAIN], x_test[:NB_TEST], y_test[:NB_TEST]
cls.mnist = (x_train, y_train), (x_test, y_test)
# Keras classifier
cls.classifier_k, _ = get_classifier_kr()
def setUpClass(cls):
# Build KerasClassifier
cls.classifier, sess = get_classifier_kr()
(x_train, y_train), (x_test, y_test), _, _ = load_mnist()
x_train, y_train = x_train[:NB_TRAIN], y_train[:NB_TRAIN]
cls.mnist = (x_train, y_train), (x_test, y_test)
cls.defence = ActivationDefence(cls.classifier, x_train, y_train)
def setUpClass(cls):
k.clear_session()
k.set_learning_phase(1)
# Get MNIST
(x_train, y_train), (x_test, y_test), _, _ = load_mnist()
x_train, y_train, x_test, y_test = x_train[:NB_TRAIN], y_train[:NB_TRAIN], x_test[:NB_TEST], y_test[:NB_TEST]
cls.mnist = (x_train, y_train), (x_test, y_test)
# Load small Keras model
cls.model_mnist, _ = get_classifier_kr()
def setUpClass(cls):
k.set_learning_phase(1)
# Get MNIST
(x_train, y_train), (x_test, y_test), _, _ = load_dataset('mnist')
x_train, y_train, x_test, y_test = x_train[:
NB_TRAIN], y_train[:
NB_TRAIN], x_test[:
NB_TEST], y_test[:
NB_TEST]
cls.mnist = (x_train, y_train), (x_test, y_test)
# Keras classifier
cls.classifier_k, sess = get_classifier_kr()
scores = cls.classifier_k._model.evaluate(x_train, y_train)
logger.info('[Keras, MNIST] Accuracy on training set: %.2f%%',
(scores[1] * 100))
scores = cls.classifier_k._model.evaluate(x_test, y_test)
logger.info('[Keras, MNIST] Accuracy on test set: %.2f%%',
(scores[1] * 100))
# Create basic CNN on MNIST using TensorFlow
cls.classifier_tf, sess = get_classifier_tf()
scores = get_labels_np_array(cls.classifier_tf.predict(x_train))
acc = np.sum(np.argmax(scores, axis=1) == np.argmax(
y_train, axis=1)) / y_train.shape[0]
logger.info('[TF, MNIST] Accuracy on training set: %.2f%%',
(acc * 100))
scores = get_labels_np_array(cls.classifier_tf.predict(x_test))
acc = np.sum(np.argmax(scores, axis=1) == np.argmax(
y_test, axis=1)) / y_test.shape[0]
logger.info('[TF, MNIST] Accuracy on test set: %.2f%%', (acc * 100))
# Create basic PyTorch model
cls.classifier_py = get_classifier_pt()
x_train, x_test = np.swapaxes(x_train, 1, 3), np.swapaxes(x_test, 1, 3)
scores = get_labels_np_array(cls.classifier_py.predict(x_train))
acc = np.sum(np.argmax(scores, axis=1) == np.argmax(
y_train, axis=1)) / y_train.shape[0]
logger.info('[PyTorch, MNIST] Accuracy on training set: %.2f%%',
(acc * 100))
scores = get_labels_np_array(cls.classifier_py.predict(x_test))
acc = np.sum(np.argmax(scores, axis=1) == np.argmax(
y_test, axis=1)) / y_test.shape[0]
logger.info('[PyTorch, MNIST] Accuracy on test set: %.2f%%',
(acc * 100))
def test_krclassifier(self):
"""
Second test with the KerasClassifier.
:return:
"""
# Build KerasClassifier
krc, sess = get_classifier_kr()
# Get MNIST
(_, _), (x_test, _) = self.mnist
# Attack
# import time
nf = NewtonFool(krc, max_iter=5)
# print("Test Keras....")
# starttime = time.clock()
# x_test_adv = nf.generate(x_test, batch_size=1)
# endtime = time.clock()
# print(1, endtime - starttime)
# starttime = time.clock()
# x_test_adv = nf.generate(x_test, batch_size=10)
# endtime = time.clock()
# print(10, endtime - starttime)
# starttime = time.clock()
x_test_adv = nf.generate(x_test, batch_size=100)
# endtime = time.clock()
# print(100, endtime - starttime)
#
# starttime = time.clock()
# x_test_adv = nf.generate(x_test, batch_size=1000)
# endtime = time.clock()
# print(1000, endtime - starttime)
self.assertFalse((x_test == x_test_adv).all())
y_pred = krc.predict(x_test)
y_pred_adv = krc.predict(x_test_adv)
y_pred_bool = y_pred.max(axis=1, keepdims=1) == y_pred
y_pred_max = y_pred.max(axis=1)
y_pred_adv_max = y_pred_adv[y_pred_bool]
self.assertTrue((y_pred_max >= y_pred_adv_max).all())
def test_krclassifier(self):
"""
Second test with the KerasClassifier.
:return:
"""
# Build KerasClassifier
krc, sess = get_classifier_kr()
# Get MNIST
(_, _), (x_test, y_test) = self.mnist
# First attack
ead = ElasticNet(classifier=krc, targeted=True, max_iter=2)
params = {'y': random_targets(y_test, krc.nb_classes)}
x_test_adv = ead.generate(x_test, **params)
self.assertFalse((x_test == x_test_adv).all())
self.assertTrue((x_test_adv <= 1.0001).all())
self.assertTrue((x_test_adv >= -0.0001).all())
target = np.argmax(params['y'], axis=1)
y_pred_adv = np.argmax(krc.predict(x_test_adv), axis=1)
logger.debug('EAD target: %s', target)
logger.debug('EAD actual: %s', y_pred_adv)
logger.info('EAD success rate: %.2f%%',
(100 * sum(target == y_pred_adv) / float(len(target))))
self.assertTrue((target == y_pred_adv).any())
# Second attack
ead = ElasticNet(classifier=krc, targeted=False, max_iter=2)
params = {'y': random_targets(y_test, krc.nb_classes)}
x_test_adv = ead.generate(x_test, **params)
self.assertTrue((x_test_adv <= 1.0001).all())
self.assertTrue((x_test_adv >= -0.0001).all())
target = np.argmax(params['y'], axis=1)
y_pred_adv = np.argmax(krc.predict(x_test_adv), axis=1)
logger.debug('EAD target: %s', target)
logger.debug('EAD actual: %s', y_pred_adv)
logger.info('EAD success rate: %.2f',
(100 * sum(target != y_pred_adv) / float(len(target))))
self.assertTrue((target != y_pred_adv).any())
# Kill Keras
k.clear_session()
def test_krclassifier(self):
"""
Second test with the KerasClassifier.
:return:
"""
# Build KerasClassifier
krc, sess = get_classifier_kr()
# Get MNIST
(_, _), (x_test, y_test) = self.mnist
# First attack
cl2m = CarliniL2Method(classifier=krc, targeted=True, max_iter=10)
params = {'y': random_targets(y_test, krc.nb_classes)}
x_test_adv = cl2m.generate(x_test, **params)
self.assertFalse((x_test == x_test_adv).all())
self.assertTrue((x_test_adv <= 1.0001).all())
self.assertTrue((x_test_adv >= -0.0001).all())
target = np.argmax(params['y'], axis=1)
y_pred_adv = np.argmax(krc.predict(x_test_adv), axis=1)
logger.debug('CW2 Target: %s', target)
logger.debug('CW2 Actual: %s', y_pred_adv)
logger.info('CW2 Success Rate: %.2f',
(np.sum(target == y_pred_adv) / float(len(target))))
self.assertTrue((target == y_pred_adv).any())
# Second attack
cl2m = CarliniL2Method(classifier=krc, targeted=False, max_iter=10)
x_test_adv = cl2m.generate(x_test)
self.assertTrue((x_test_adv <= 1.0001).all())
self.assertTrue((x_test_adv >= -0.0001).all())
target = np.argmax(params['y'], axis=1)
y_pred_adv = np.argmax(krc.predict(x_test_adv), axis=1)
logger.debug('CW2 Target: %s', target)
logger.debug('CW2 Actual: %s', y_pred_adv)
logger.info('CW2 Success Rate: %.2f',
(np.sum(target != y_pred_adv) / float(len(target))))
self.assertTrue((target != y_pred_adv).any())
# Clean-up
k.clear_session()
def test_krclassifier(self):
"""
Second test with the KerasClassifier.
:return:
"""
# Build KerasClassifier
krc, _ = get_classifier_kr()
# Get MNIST and test with 3 channels
x_test, y_test = self.mnist
# First attack
zoo = ZooAttack(classifier=krc, targeted=True, batch_size=5)
params = {'y': random_targets(y_test, krc.nb_classes)}
x_test_adv = zoo.generate(x_test, **params)
self.assertFalse((x_test == x_test_adv).all())
self.assertTrue((x_test_adv <= 1.0001).all())
self.assertTrue((x_test_adv >= -0.0001).all())
target = np.argmax(params['y'], axis=1)
y_pred_adv = np.argmax(krc.predict(x_test_adv), axis=1)
logger.debug('ZOO target: %s', target)
logger.debug('ZOO actual: %s', y_pred_adv)
logger.info('ZOO success rate: %.2f',
(sum(target == y_pred_adv) / float(len(target))))
# Second attack
zoo = ZooAttack(classifier=krc, targeted=False, max_iter=20)
x_test_adv = zoo.generate(x_test)
self.assertFalse((x_test == x_test_adv).all())
self.assertTrue((x_test_adv <= 1.0001).all())
self.assertTrue((x_test_adv >= -0.0001).all())
y_pred_adv = np.argmax(krc.predict(x_test_adv), axis=1)
y_pred = np.argmax(krc.predict(x_test), axis=1)
logger.debug('ZOO actual: %s', y_pred_adv)
logger.info('ZOO success rate: %.2f',
(sum(y_pred != y_pred_adv) / float(len(y_pred))))
# Clean-up
k.clear_session()
def test_krclassifier(self):
"""
Second test with the KerasClassifier.
:return:
"""
# Build KerasClassifier
krc, _ = get_classifier_kr()
# Get MNIST
(x_train, _), (_, _) = self.mnist
# Attack
attack_params = {"rotation_max": 22.5, "scale_min": 0.1, "scale_max": 1.0,
"learning_rate": 5.0, "number_of_steps": 5, "patch_shape": (28, 28, 1), "batch_size": 10}
attack_ap = AdversarialPatch(krc)
patch_adv, _ = attack_ap.generate(x_train, **attack_params)
self.assertTrue(patch_adv[8, 8, 0] - (-3.2501425017774923) < 0.01)
self.assertTrue(patch_adv[14, 14, 0] - 20.48400094881169 < 0.01)
self.assertTrue(np.sum(patch_adv) - 1764.7681744376168 < 0.01)
k.clear_session()
def test_krclassifier(self):
"""
Second test with the KerasClassifier.
:return:
"""
# Build KerasClassifier
krc, sess = get_classifier_kr()
# Get MNIST
(_, _), (x_test, y_test) = self.mnist
# First targeted attack
boundary = Boundary(classifier=krc, targeted=True, max_iter=20)
params = {'y': random_targets(y_test, krc.nb_classes)}
x_test_adv = boundary.generate(x_test, **params)
self.assertFalse((x_test == x_test_adv).all())
self.assertTrue((x_test_adv <= 1.0001).all())
self.assertTrue((x_test_adv >= -0.0001).all())
target = np.argmax(params['y'], axis=1)
y_pred_adv = np.argmax(krc.predict(x_test_adv), axis=1)
self.assertTrue((target == y_pred_adv).any())
# Second untargeted attack
boundary = Boundary(classifier=krc, targeted=False, max_iter=20)
x_test_adv = boundary.generate(x_test)
self.assertFalse((x_test == x_test_adv).all())
self.assertTrue((x_test_adv <= 1.0001).all())
self.assertTrue((x_test_adv >= -0.0001).all())
y_pred = np.argmax(krc.predict(x_test), axis=1)
y_pred_adv = np.argmax(krc.predict(x_test_adv), axis=1)
self.assertTrue((y_pred != y_pred_adv).any())
# Clean-up session
k.clear_session()
def test_krclassifier(self):
"""
Second test with the KerasClassifier.
:return:
"""
# Build KerasClassifier
krc, sess = get_classifier_kr()
# Get MNIST
(_, _), (x_test, _) = self.mnist
# Attack
nf = NewtonFool(krc, max_iter=5, batch_size=100)
x_test_adv = nf.generate(x_test)
self.assertFalse((x_test == x_test_adv).all())
y_pred = krc.predict(x_test)
y_pred_adv = krc.predict(x_test_adv)
y_pred_bool = y_pred.max(axis=1, keepdims=1) == y_pred
y_pred_max = y_pred.max(axis=1)
y_pred_adv_max = y_pred_adv[y_pred_bool]
self.assertTrue((y_pred_max >= y_pred_adv_max).all())
def test_binary_input_detector(self):
"""
Test the binary input detector end-to-end.
:return:
"""
# Get MNIST
nb_train, nb_test = 1000, 10
(x_train, y_train), (x_test, y_test), _, _ = load_mnist()
x_train, y_train = x_train[:NB_TRAIN], y_train[:NB_TRAIN]
x_test, y_test = x_test[:NB_TEST], y_test[:NB_TEST]
# Keras classifier
classifier, _ = get_classifier_kr()
# Generate adversarial samples:
attacker = FastGradientMethod(classifier, eps=0.1)
x_train_adv = attacker.generate(x_train[:nb_train])
x_test_adv = attacker.generate(x_test[:nb_test])
# Compile training data for detector:
x_train_detector = np.concatenate((x_train[:nb_train], x_train_adv),
axis=0)
y_train_detector = np.concatenate(
(np.array([[1, 0]] * nb_train), np.array([[0, 1]] * nb_train)),
axis=0)
# Create a simple CNN for the detector
input_shape = x_train.shape[1:]
model = Sequential()
model.add(
Conv2D(4,
kernel_size=(5, 5),
activation='relu',
input_shape=input_shape))
model.add(MaxPooling2D(pool_size=(2, 2)))
model.add(Flatten())
model.add(Dense(2, activation='softmax'))
model.compile(loss=keras.losses.categorical_crossentropy,
optimizer=keras.optimizers.Adam(lr=0.01),
metrics=['accuracy'])
# Create detector and train it:
detector = BinaryInputDetector(
KerasClassifier((0, 1), model, use_logits=False))
detector.fit(x_train_detector,
y_train_detector,
nb_epochs=2,
batch_size=128)
# Apply detector on clean and adversarial test data:
test_detection = np.argmax(detector.predict(x_test), axis=1)
test_adv_detection = np.argmax(detector.predict(x_test_adv), axis=1)
# Assert there is at least one true positive and negative:
nb_true_positives = len(np.where(test_adv_detection == 1)[0])
nb_true_negatives = len(np.where(test_detection == 0)[0])
logger.debug('Number of true positives detected: %i',
nb_true_positives)
logger.debug('Number of true negatives detected: %i',
nb_true_negatives)
self.assertTrue(nb_true_positives > 0)
self.assertTrue(nb_true_negatives > 0)
