def main(image_path):
alexnet = mx.gluon.model_zoo.vision.alexnet(pretrained=True)
# print(alexnet)
orig = cv2.imread(image_path)[..., ::-1]
orig = cv2.resize(orig, (224, 224))
img = orig.copy().astype(np.float32)
mean = [0.485, 0.456, 0.406]
std = [0.229, 0.224, 0.225]
img /= 255.0
img = old_div((img - mean), std)
img = img.transpose(2, 0, 1)
img = np.expand_dims(img, axis=0)
#array = mx.nd.array(img)
# advbox demo
m = MxNetModel(alexnet, None, (-1, 1), channel_axis=1)
attack = FGSMT(m)
#attack = FGSM(m)
# 静态epsilons
attack_config = {"epsilons": 0.2, "epsilon_steps": 1, "steps": 100}
inputs = img
#labels=388
labels = None
print(inputs.shape)
adversary = Adversary(inputs, labels)
#adversary = Adversary(inputs, 388)
tlabel = 538
adversary.set_target(is_targeted_attack=True, target_label=tlabel)
adversary = attack(adversary, **attack_config)
if adversary.is_successful():
print('attack success, adversarial_label=%d' %
(adversary.adversarial_label))
adv = adversary.adversarial_example[0]
adv = adv.transpose(1, 2, 0)
adv = (adv * std) + mean
adv = adv * 255.0
adv = adv[..., ::-1] # RGB to BGR
adv = np.clip(adv, 0, 255).astype(np.uint8)
cv2.imwrite('img_adv.png', adv)
else:
print('attack failed')
print("fgsm attack done")
def main():
m = graphpipeBlackBoxModel(
"http://127.0.0.1:9000", (0, 255),
channel_axis=0)
#不定向攻击
attack = LocalSearchAttack(m)
# R 攻击次数
# r p 绕定系数
# t 每次攻击的点数
# d 搜索半径
attack_config = {"R": 200,"r":1.4,"p":0.3,"t":5}
data = np.array(Image.open("mug227.png"))
data = data.reshape([1] + list(data.shape))
data = np.rollaxis(data, 3, 1).astype(np.float32) # channels first
print(data.shape)
original_data=np.copy(data)
# 猫对应的标签 imagenet 2012 对应链接https://blog.csdn.net/LegenDavid/article/details/73335578
original_label = None
adversary = Adversary(original_data, original_label)
logger.info("Non-targeted Attack...")
adversary = attack(adversary, **attack_config)
if adversary.is_successful():
print(
'attack success, original_label=%d, adversarial_label=%d'
% (adversary.original_label, adversary.adversarial_label))
#对抗样本保存在adversary.adversarial_example
adversary_image=np.copy(adversary.adversarial_example)
adversary_image = np.array(adversary_image[0]).astype("uint8").transpose([1, 2, 0])
im = Image.fromarray(adversary_image)
im.save("adversary_image.jpg")
else:
print('attack failed, original_label=%d' % (adversary.original_label))
logger.info("LocalSearchAttack attack done")
def get_adversarial_examples_from_model2():
"""
Advbox demo which demonstrate how to use advbox.
"""
TOTAL_NUM = 500
IMG_NAME = 'img'
LABEL_NAME = 'label'
#保存对抗样本
x = []
y = []
img = fluid.layers.data(name=IMG_NAME, shape=[1, 28, 28], dtype='float32')
# gradient should flow
img.stop_gradient = False
label = fluid.layers.data(name=LABEL_NAME, shape=[1], dtype='int64')
#logits = mnist_cnn_model(img)
logits = mnist_mlp_model(img)
#logits = vgg_bn_drop(img)
#logits = resnet_cifar10(img,32)
cost = fluid.layers.cross_entropy(input=logits, label=label)
avg_cost = fluid.layers.mean(x=cost)
# use CPU
place = fluid.CPUPlace()
# use GPU
#place = fluid.CUDAPlace(0)
exe = fluid.Executor(place)
BATCH_SIZE = 1
test_reader = paddle.batch(paddle.reader.shuffle(
paddle.dataset.mnist.test(), buf_size=128 * 10),
batch_size=BATCH_SIZE)
#fluid.io.load_params(
# exe, model1_path, main_program=fluid.default_main_program())
fluid.io.load_params(exe,
model2_path,
main_program=fluid.default_main_program())
# advbox demo
m = PaddleModel(fluid.default_main_program(),
IMG_NAME,
LABEL_NAME,
logits.name,
avg_cost.name, (-1, 1),
channel_axis=1)
#attack = FGSM(m)
attack = FGSMT(m)
attack_config = {"epsilons": 0.3}
# use test data to generate adversarial examples
total_count = 0
fooling_count = 0
for data in test_reader():
total_count += 1
adversary = Adversary(data[0][0], data[0][1])
# FGSM non-targeted attack
adversary = attack(adversary, **attack_config)
# FGSMT targeted attack
#tlabel = 8
#adversary.set_target(is_targeted_attack=True, target_label=tlabel)
#adversary = attack(adversary, **attack_config)
if adversary.is_successful():
fooling_count += 1
print(
'attack success, original_label=%d, adversarial_label=%d, count=%d'
% (data[0][1], adversary.adversarial_label, total_count))
adversarial_example = adversary.adversarial_example
x.append(adversarial_example)
y.append(data[0][1])
else:
print('attack failed, original_label=%d, count=%d' %
(data[0][1], total_count))
if total_count >= TOTAL_NUM:
print(
"[TEST_DATASET]: fooling_count=%d, total_count=%d, fooling_rate=%f"
% (fooling_count, total_count,
float(fooling_count) / total_count))
break
print("fgsm attack done")
return x, y
def main(image_path):
# Define what device we are using
logging.info("CUDA Available: {}".format(torch.cuda.is_available()))
device = torch.device("cuda" if torch.cuda.is_available() else "cpu")
orig = cv2.imread(image_path)[..., ::-1]
orig = cv2.resize(orig, (224, 224))
img = orig.copy().astype(np.float32)
mean = [0.485, 0.456, 0.406]
std = [0.229, 0.224, 0.225]
img /= 255.0
img = (img - mean) / std
img = img.transpose(2, 0, 1)
img = Variable(
torch.from_numpy(img).to(device).float().unsqueeze(0)).cpu().numpy()
# Initialize the network
#Alexnet
model = models.alexnet(pretrained=True).to(device).eval()
#model = models.resnet18(pretrained=True).to(device).eval()
#print(model)
#设置为不保存梯度值 自然也无法修改
for param in model.parameters():
#print(param)
#print(param.requires_grad)
param.requires_grad = False
#loss_func=nn.CrossEntropyLoss()
# advbox demo
m = PytorchModel(model, None, (-1, 1), channel_axis=1)
attack = FGSMT(m)
#attack = FGSM(m)
# 静态epsilons
attack_config = {"epsilons": 0.2, "epsilon_steps": 1, "steps": 100}
inputs = img
#labels=388
labels = None
print(inputs.shape)
adversary = Adversary(inputs, labels)
#adversary = Adversary(inputs, 388)
tlabel = 538
adversary.set_target(is_targeted_attack=True, target_label=tlabel)
adversary = attack(adversary, **attack_config)
if adversary.is_successful():
print('attack success, adversarial_label=%d' %
(adversary.adversarial_label))
adv = adversary.adversarial_example[0]
adv = adv.transpose(1, 2, 0)
adv = (adv * std) + mean
adv = adv * 255.0
adv = adv[..., ::-1] # RGB to BGR
adv = np.clip(adv, 0, 255).astype(np.uint8)
cv2.imwrite('img_adv.png', adv)
else:
print('attack failed')
print("fgsm attack done")
def main(use_cuda):
"""
Advbox demo which demonstrate how to use advbox.
"""
TOTAL_NUM = 500
IMG_NAME = 'img'
LABEL_NAME = 'label'
img = fluid.layers.data(name=IMG_NAME, shape=[1, 28, 28], dtype='float32')
# gradient should flow
img.stop_gradient = False
label = fluid.layers.data(name=LABEL_NAME, shape=[1], dtype='int64')
logits = mnist_cnn_model(img)
cost = fluid.layers.cross_entropy(input=logits, label=label)
avg_cost = fluid.layers.mean(x=cost)
#根据配置选择使用CPU资源还是GPU资源
place = fluid.CUDAPlace(0) if use_cuda else fluid.CPUPlace()
exe = fluid.Executor(place)
BATCH_SIZE = 1
test_reader = paddle.batch(paddle.reader.shuffle(
paddle.dataset.mnist.test(), buf_size=128 * 10),
batch_size=BATCH_SIZE)
fluid.io.load_params(exe,
"./mnist/",
main_program=fluid.default_main_program())
# advbox demo
m = PaddleModel(
fluid.default_main_program(),
IMG_NAME,
LABEL_NAME,
logits.name,
avg_cost.name, (-1, 1),
channel_axis=1,
preprocess=(-1,
2)) # x within(0,1) so we should do some transformation
attack = CW_L2(m, learning_rate=0.1)
#######
# change parameter later
#######
attack_config = {
"nb_classes": 10,
"learning_rate": 0.1,
"attack_iterations": 50,
"epsilon": 0.5,
"targeted": True,
"k": 0,
"noise": 2
}
# use test data to generate adversarial examples
total_count = 0
fooling_count = 0
for data in test_reader():
total_count += 1
adversary = Adversary(data[0][0], data[0][1])
# CW_L2 targeted attack
tlabel = 0
adversary.set_target(is_targeted_attack=True, target_label=tlabel)
adversary = attack(adversary, **attack_config)
if adversary.is_successful():
fooling_count += 1
print(
'attack success, original_label=%d, adversarial_label=%d, count=%d'
% (data[0][1], adversary.adversarial_label, total_count))
else:
print('attack failed, original_label=%d, count=%d' %
(data[0][1], total_count))
if total_count >= TOTAL_NUM:
print(
"[TEST_DATASET]: fooling_count=%d, total_count=%d, fooling_rate=%f"
% (fooling_count, total_count,
float(fooling_count) / total_count))
break
print("CW attack done")
def main(dirname, imagename):
"""
Advbox demo which demonstrate how to use advbox.
"""
image_data = tf.gfile.FastGFile(imagename, 'rb').read()
session = tf.Session()
def create_graph(dirname):
with tf.gfile.FastGFile(dirname, 'rb') as f:
graph_def = session.graph_def
graph_def.ParseFromString(f.read())
_ = tf.import_graph_def(graph_def, name='')
create_graph(dirname)
# 初始化参数 非常重要
session.run(tf.global_variables_initializer())
#tensorlist=[n.name for n in session.graph_def.node]
#logger.info(tensorlist)
#获取softmax层而非logit层
softmax = session.graph.get_tensor_by_name('softmax:0')
#获取softmax/logits
logits = session.graph.get_tensor_by_name('softmax/logits:0')
x = session.graph.get_tensor_by_name('DecodeJpeg/contents:0')
y = tf.placeholder(tf.int64, None, name='label')
cross_entropy = tf.nn.sparse_softmax_cross_entropy_with_logits(
labels=y, logits=logits)
#tf.gradients(tf.nn.softmax(self._logits)[:, label], self._input)[0]
print('!!!!!!!')
#print(logits[:, 0])
#print(tf.nn.softmax(logits[:, 0]) )
#print(x)
#print(cross_entropy)
#print(g)
#print(logits)
#print(softmax)
g = session.run(logits, feed_dict={x: image_data})
print(g)
g = session.run(softmax, feed_dict={x: image_data})
print(g)
#tf.gradients(tf.nn.softmax(self._logits)[:, label], self._input_ph)[0]
#print(logits[:, 1])
g = tf.gradients(logits, x)
print(g)
g = tf.gradients(softmax, x)
print(g)
z = tf.placeholder(tf.int64, None)
z = 2 * y
g = tf.gradients(z, y)
print(g)
#grads = session.run(g, feed_dict={x: image_data})
#print(grads)
# advbox demo
m = TensorflowPBModel(session,
x,
y,
softmax,
cross_entropy, (0, 1),
channel_axis=1)
attack = FGSM(m)
attack_config = {"epsilons": 0.3}
#print(x.shape)
#print(y.shape)
adversary = Adversary(image_data, None)
# FGSM non-targeted attack
adversary = attack(adversary, **attack_config)
if adversary.is_successful():
print('attack success, adversarial_label=%d' %
(adversary.adversarial_label))
print("fgsm attack done")
def main():
"""
Advbox demo which demonstrate how to use advbox.
"""
TOTAL_NUM = 50
IMG_NAME = 'img'
LABEL_NAME = 'label'
img = fluid.layers.data(name=IMG_NAME, shape=[1, 28, 28], dtype='float32')
# gradient should flow
img.stop_gradient = False
label = fluid.layers.data(name=LABEL_NAME, shape=[1], dtype='int64')
logits = mnist_cnn_model(img)
#logits = vgg_bn_drop(img)
#logits = resnet_cifar10(img,32)
cost = fluid.layers.cross_entropy(input=logits, label=label)
avg_cost = fluid.layers.mean(x=cost)
# use CPU
place = fluid.CPUPlace()
# use GPU
#place = fluid.CUDAPlace(0)
exe = fluid.Executor(place)
BATCH_SIZE = 1
test_reader = paddle.batch(paddle.reader.shuffle(
paddle.dataset.mnist.test(), buf_size=128 * 10),
batch_size=BATCH_SIZE)
fluid.io.load_params(exe,
"mnist/",
main_program=fluid.default_main_program())
# advbox demo
m = PaddleModel(fluid.default_main_program(),
IMG_NAME,
LABEL_NAME,
logits.name,
avg_cost.name, (-1, 1),
channel_axis=1)
#attack = FGSM(m)
attack = FGSMT(m)
attack_config = {"epsilons": 0.3}
# use test data to generate adversarial examples
total_count = 0
fooling_count = 0
for data in test_reader():
total_count += 1
adversary = Adversary(data[0][0], data[0][1])
# FGSM non-targeted attack
#adversary = attack(adversary, **attack_config)
# FGSMT targeted attack
tlabel = 8
adversary.set_target(is_targeted_attack=True, target_label=tlabel)
adversary = attack(adversary, **attack_config)
if adversary.is_successful():
fooling_count += 1
print(
'attack success, original_label=%d, adversarial_label=%d, count=%d'
% (data[0][1], adversary.adversarial_label, total_count))
adversarial_example = adversary.adversarial_example
#print adversarial_example
#原始数据归一化到(-1,1)之间了 需要还原到(0,255)
adversarial_example /= 2.
adversarial_example += 0.5
adversarial_example *= 255.
adversarial_example = adversarial_example.astype(np.uint8)
#print adversarial_example
adversarial_example = np.reshape(adversarial_example, (28, 28))
im = Image.fromarray(adversarial_example)
filename = "original-%d-adversarial-%d-targeted-by-fgsm.jpg" % (
data[0][1], adversary.adversarial_label)
im.save("output/" + filename)
else:
print('attack failed, original_label=%d, count=%d' %
(data[0][1], total_count))
if total_count >= TOTAL_NUM:
print(
"[TEST_DATASET]: fooling_count=%d, total_count=%d, fooling_rate=%f"
% (fooling_count, total_count,
float(fooling_count) / total_count))
break
print("fgsmt attack done")
def main(modulename, imagename):
'''
Kera的应用模块Application提供了带有预训练权重的Keras模型,这些模型可以用来进行预测、特征提取和finetune
模型的预训练权重将下载到~/.keras/models/并在载入模型时自动载入
'''
# 设置为测试模式
keras.backend.set_learning_phase(0)
model = ResNet50(weights=modulename)
#model = InceptionV3(weights=modulename)
logging.info(model.summary())
img = image.load_img(imagename, target_size=(224, 224))
raw_imagedata = image.img_to_array(img)
raw_imagedata = np.expand_dims(raw_imagedata, axis=0)
# 'RGB'->'BGR'
imagedata = raw_imagedata[:, :, :, ::-1]
#logging.info(raw_imagedata)
#logging.info(imagedata)
#logit fc1000
logits = model.get_layer('fc1000').output
#keras中获取指定层的方法为:
#base_model.get_layer('block4_pool').output)
# advbox demo
# 因为原始数据没有归一化 所以bounds=(0, 255) KerasMode内部在进行预测和计算梯度时会进行预处理
# imagenet数据集归一化时 标准差为1 mean为[104, 116, 123]
# featurefqueezing_bit_depth featurefqueezing防御算法 提高生成攻击样本的质量 为特征数据的bit位 一般8就ok了
m = KerasModel(model,
model.input,
None,
logits,
None,
bounds=(0, 255.0),
channel_axis=3,
preprocess=([104, 116, 123], 1),
featurefqueezing_bit_depth=8)
attack = FGSM(m)
#设置epsilons时不用考虑特征范围 算法实现时已经考虑了取值范围的问题 epsilons取值范围为(0,1)
#epsilon支持动态调整 epsilon_steps为epsilon变化的个数
#epsilons为下限 epsilons_max为上限
#attack_config = {"epsilons": 0.3, "epsilons_max": 0.5, "epsilon_steps": 100}
#静态epsilons
attack_config = {
"epsilons": 1,
"epsilons_max": 10,
"epsilon_steps": 1,
"steps": 100
}
#y设置为空 会自动计算
adversary = Adversary(imagedata.copy(), None)
# FGSM non-targeted attack
adversary = attack(adversary, **attack_config)
if adversary.is_successful():
print('attack success, adversarial_label=%d' %
(adversary.adversarial_label))
#对抗样本保存在adversary.adversarial_example
adversary_image = np.copy(adversary.adversarial_example)
logging.info("adversary_image label={0} ".format(
np.argmax(m.predict(adversary_image))))
#logging.info(adversary_image)
#强制类型转换 之前是float 现在要转换成uint8
adversary_image = np.array(adversary_image).astype("uint8").reshape(
[224, 224, 3])
#logging.info(adversary_image)
adversary_image = adversary_image[:, :, ::-1]
logging.info(adversary_image - raw_imagedata)
img = array_to_img(adversary_image)
img.save('adversary_image_nontarget.jpg')
print("fgsm non-target attack done")
attack = FGSMT(m)
#静态epsilons
attack_config = {
"epsilons": 10,
"epsilons_max": 10,
"epsilon_steps": 1,
"steps": 100
}
adversary = Adversary(imagedata, None)
tlabel = 489
adversary.set_target(is_targeted_attack=True, target_label=tlabel)
# FGSM targeted attack
adversary = attack(adversary, **attack_config)
if adversary.is_successful():
print('attack success, adversarial_label=%d' %
(adversary.adversarial_label))
#对抗样本保存在adversary.adversarial_example
adversary_image = np.copy(adversary.adversarial_example)
#强制类型转换 之前是float 现在要转换成int8
adversary_image = np.array(adversary_image).astype("uint8").reshape(
[224, 224, 3])
adversary_image = adversary_image[:, :, ::-1]
logging.info(adversary_image - raw_imagedata)
img = array_to_img(adversary_image)
img.save('adversary_image_target.jpg')
print("fgsm target attack done")
def main(use_cuda):
"""
Advbox demo which demonstrate how to use advbox.
"""
class_dim = 1000
IMG_NAME = 'img'
LABEL_NAME = 'label'
#模型路径 http://paddle-imagenet-models.bj.bcebos.com/resnet_50_model.tar 下载并解压
#pretrained_model = "models/resnet_50/115"
pretrained_model = "models/alexnet/116/"
image_shape = [3, 224, 224]
image = fluid.layers.data(name=IMG_NAME,
shape=image_shape,
dtype='float32')
label = fluid.layers.data(name=LABEL_NAME, shape=[1], dtype='int64')
# model definition
model = AlexNet()
out = model.net(input=image, class_dim=class_dim)
# 根据配置选择使用CPU资源还是GPU资源
place = fluid.CUDAPlace(0) if use_cuda else fluid.CPUPlace()
exe = fluid.Executor(place)
#加载模型参数
if pretrained_model:
def if_exist(var):
return os.path.exists(os.path.join(pretrained_model, var.name))
logger.info("Load pretrained_model")
fluid.io.load_vars(exe, pretrained_model, predicate=if_exist)
cost = fluid.layers.cross_entropy(input=out, label=label)
avg_cost = fluid.layers.mean(x=cost)
logging.info("Build advbox")
# advbox demo 黑盒攻击 直接传入测试版本的program
m = PaddleBlackBoxModel(fluid.default_main_program().clone(for_test=True),
IMG_NAME,
LABEL_NAME,
out.name, (-1, 1),
channel_axis=0)
#不定向攻击
# 形状为[1,28,28] channel_axis=0 形状为[28,28,1] channel_axis=2
attack = LocalSearchAttack(m)
attack_config = {"R": 200, "r": 1.0}
test_data = get_image("cat.jpg")
original_data = np.copy(test_data)
# 猫对应的标签 imagenet 2012 对应链接https://blog.csdn.net/LegenDavid/article/details/73335578
original_label = None
adversary = Adversary(original_data, original_label)
logger.info("Non-targeted Attack...")
adversary = attack(adversary, **attack_config)
if adversary.is_successful():
print('attack success, original_label=%d, adversarial_label=%d' %
(adversary.original_label, adversary.adversarial_label))
#对抗样本保存在adversary.adversarial_example
adversary_image = np.copy(adversary.adversarial_example)
#从[3,224,224]转换成[224,224,3]
adversary_image *= img_std
adversary_image += img_mean
adversary_image = np.array(adversary_image *
255).astype("uint8").transpose([1, 2, 0])
im = Image.fromarray(adversary_image)
im.save("adversary_image.jpg")
else:
print('attack failed, original_label=%d' % (adversary.original_label))
logger.info("LocalSearchAttack attack done")
def main(dirname):
"""
Advbox demo which demonstrate how to use advbox.
"""
TOTAL_NUM = 500
mnist = input_data.read_data_sets("MNIST_data/", one_hot=False)
x = tf.placeholder(tf.float32, [None, 784])
y_ = tf.placeholder(tf.int64, [None])
#keep_prob = tf.placeholder(tf.float32)
keep_prob = 1.0
logits = mnist_cnn_model(x, keep_prob)
cross_entropy = tf.losses.sparse_softmax_cross_entropy(labels=y_,
logits=logits)
cross_entropy = tf.reduce_mean(cross_entropy)
BATCH_SIZE = 1
# advbox demo
m = TensorflowModel(dirname,
x,
cross_entropy,
logits, (-1, 1),
channel_axis=1)
attack = FGSM(m)
attack_config = {"epsilons": 0.3}
# use test data to generate adversarial examples
total_count = 0
fooling_count = 0
for _ in range(10000):
data = mnist.test.next_batch(BATCH_SIZE, shuffle=False)
total_count += 1
(x, y) = data
y = y[0]
#print(x.shape)
#print(y.shape)
adversary = Adversary(x, y)
# FGSM non-targeted attack
adversary = attack(adversary, **attack_config)
if adversary.is_successful():
fooling_count += 1
print(
'attack success, original_label=%d, adversarial_label=%d, count=%d'
% (y, adversary.adversarial_label, total_count))
else:
print('attack failed, original_label=%d, count=%d' %
(y, total_count))
if total_count >= TOTAL_NUM:
print(
"[TEST_DATASET]: fooling_count=%d, total_count=%d, fooling_rate=%f"
% (fooling_count, total_count,
float(fooling_count) / total_count))
break
print("fgsm attack done")
def main(use_cuda):
"""
Advbox demo which demonstrate how to use advbox.
"""
TOTAL_NUM = 500
IMG_NAME = 'image'
LABEL_NAME = 'label'
weight_file = "fluid/lenet/lenet.npy"
#1, define network topology
images = fluid.layers.data(name=IMG_NAME,
shape=[1, 28, 28],
dtype='float32')
# gradient should flow
images.stop_gradient = False
label = fluid.layers.data(name=LABEL_NAME, shape=[1], dtype='int64')
net = LeNet({'data': images})
prediction = net.layers['prob']
cost = fluid.layers.cross_entropy(input=prediction, label=label)
avg_cost = fluid.layers.mean(x=cost)
#根据配置选择使用CPU资源还是GPU资源
place = fluid.CUDAPlace(0) if use_cuda else fluid.CPUPlace()
exe = fluid.Executor(place)
#这句很关键 没有的话会报错
# AttributeError: 'NoneType' object has no attribute 'get_tensor'
exe.run(fluid.default_startup_program())
#加载参数
net.load(data_path=weight_file, exe=exe, place=place)
BATCH_SIZE = 1
test_reader = paddle.batch(paddle.reader.shuffle(
paddle.dataset.mnist.test(), buf_size=128 * 10),
batch_size=BATCH_SIZE)
# advbox demo
m = PaddleModel(fluid.default_main_program(),
IMG_NAME,
LABEL_NAME,
prediction.name,
avg_cost.name, (-1, 1),
channel_axis=1)
attack = FGSM(m)
# attack = FGSMT(m)
attack_config = {"epsilons": 0.3}
# use test data to generate adversarial examples
total_count = 0
fooling_count = 0
for data in test_reader():
total_count += 1
adversary = Adversary(data[0][0], data[0][1])
# FGSM non-targeted attack
adversary = attack(adversary, **attack_config)
if adversary.is_successful():
fooling_count += 1
print(
'attack success, original_label=%d, adversarial_label=%d, count=%d'
% (data[0][1], adversary.adversarial_label, total_count))
else:
print('attack failed, original_label=%d, count=%d' %
(data[0][1], total_count))
if total_count >= TOTAL_NUM:
print(
"[TEST_DATASET]: fooling_count=%d, total_count=%d, fooling_rate=%f"
% (fooling_count, total_count,
float(fooling_count) / total_count))
break
print("fgsm attack done")
def main():
"""
Advbox demo which demonstrate how to use advbox.
"""
TOTAL_NUM = 10
pretrained_model = "./cifar-pytorch/net.pth"
loss_func = torch.nn.CrossEntropyLoss()
test_loader = torch.utils.data.DataLoader(datasets.CIFAR10(
'./cifar-pytorch/data',
train=False,
download=True,
transform=transforms.Compose([
transforms.ToTensor(),
])),
batch_size=1,
shuffle=False)
# Define what device we are using
logging.info("CUDA Available: {}".format(torch.cuda.is_available()))
device = torch.device("cuda" if torch.cuda.is_available() else "cpu")
# Initialize the network
model = Net().to(device)
# Load the pretrained model
model.load_state_dict(torch.load(pretrained_model, map_location='cpu'))
# Set the model in evaluation mode. In this case this is for the Dropout layers
model.eval()
attack_config = {
"epsilons": 0.005,
"epsilon_steps": 40,
"epsilons_max": 0.2,
"norm_ord": 1,
"steps": 100
}
print(attack_config)
for idx in [-10, -5, -2, -1, 0, 1, 2, 5, 10]:
print('grad_conf:', idx)
# advbox demo
m = PytorchModel(model,
loss_func, (0, 1),
channel_axis=1,
grad_conf=idx)
attack = FGSM(m)
# use test data to generate adversarial examples
total_count = 0
fooling_count = 0
m_dists = []
e_dists = []
for i, data in enumerate(test_loader):
inputs, labels = data
#inputs, labels = inputs.to(device), labels.to(device)
inputs, labels = inputs.numpy(), labels.numpy()
#inputs.requires_grad = True
#print(inputs.shape)
total_count += 1
adversary = Adversary(inputs, labels[0])
# FGSM non-targeted attack
adversary = attack(adversary, **attack_config)
if adversary.is_successful():
fooling_count += 1
# print(
# 'attack success, original_label=%d, adversarial_label=%d, count=%d'
# % (labels, adversary.adversarial_label, total_count))
m_dist = mahalanobis_dist(adversary.original,
adversary.adversarial_example)
e_dist = eu_dist(adversary.original,
adversary.adversarial_example)
m_dists = m_dists + [m_dist]
e_dists = e_dists + [e_dist]
# else:
# print('attack failed, original_label=%d, count=%d' %
# (labels, total_count))
if total_count >= TOTAL_NUM:
print(
"[TEST_DATASET]: fooling_count=%d, total_count=%d, fooling_rate=%f"
% (fooling_count, total_count,
float(fooling_count) / total_count))
print("mahalanobis_dist:", np.mean(m_dists))
print("eu_dist", np.mean(e_dists))
break
print("done")
print('all done')
def main(modulename, imagename):
'''
Kera的应用模块Application提供了带有预训练权重的Keras模型,这些模型可以用来进行预测、特征提取和finetune
模型的预训练权重将下载到~/.keras/models/并在载入模型时自动载入
'''
# 设置为测试模式
keras.backend.set_learning_phase(0)
model = ResNet50(weights=modulename)
img = image.load_img(imagename, target_size=(224, 224))
original_image = image.img_to_array(img)
imagedata = np.expand_dims(original_image, axis=0)
#获取logit层
logits = model.get_layer('fc1000').output
# 创建keras对象
# imagenet数据集归一化时 标准差为1 mean为[104, 116, 123]
m = KerasModel(model,
model.input,
None,
logits,
None,
bounds=(0, 255),
channel_axis=3,
preprocess=([104, 116, 123], 1),
featurefqueezing_bit_depth=8)
attack = FGSM(m)
#静态epsilon
attack_config = {
"epsilons": 1,
"epsilons_max": 10,
"epsilon_steps": 1,
"steps": 100
}
#y设置为空 会自动计算
adversary = Adversary(imagedata[:, :, ::-1], None)
# fgsm non-targeted attack
adversary = attack(adversary, **attack_config)
if adversary.is_successful():
print('attack success, adversarial_label=%d' %
(adversary.adversarial_label))
adversary_image = np.copy(adversary.adversarial_example)
#强制类型转换 之前是float 现在要转换成uint8
#BGR -> RGB
adversary_image = adversary_image[:, :, ::-1]
#adversary_image = np.array(adversary_image).astype("uint8").reshape([224,224,3])
#original_image=np.array(original_image).astype("uint8").reshape([224, 224, 3])
adversary_image = np.array(adversary_image).reshape([224, 224, 3])
original_image = np.array(original_image).reshape([224, 224, 3])
show_images_diff(original_image, adversary_image)
print("FGSM non-target attack done")
def main(dirname, imagename):
#加载解码的图像 这里是个大坑 tf提供的imagenet预训练好的模型pb文件中 包含针对图像的预处理环节 即解码jpg文件 这部分没有梯度
#需要直接处理解码后的数据
image = None
with tf.gfile.Open(imagename, 'rb') as f:
image = np.array(Image.open(f).convert('RGB')).astype(np.float)
image = [image]
session = tf.Session()
def create_graph(dirname):
with tf.gfile.FastGFile(dirname, 'rb') as f:
graph_def = session.graph_def
graph_def.ParseFromString(f.read())
_ = tf.import_graph_def(graph_def, name='')
create_graph(dirname)
# 初始化参数 非常重要
session.run(tf.global_variables_initializer())
tensorlist = [n.name for n in session.graph_def.node]
logger.info(tensorlist)
#获取logits
logits = session.graph.get_tensor_by_name('softmax/logits:0')
x = session.graph.get_tensor_by_name('ExpandDims:0')
#y = tf.placeholder(tf.int64, None, name='label')
# advbox demo
# 因为原始数据没有归一化 所以bounds=(0, 255)
m = TensorflowPBModel(session,
x,
None,
logits,
None,
bounds=(0, 255),
channel_axis=3,
preprocess=None)
attack = DeepFoolAttack(m)
attack_config = {"iterations": 100, "overshoot": 0.02}
#y设置为空 会自动计算
adversary = Adversary(image, None)
# FGSM non-targeted attack
adversary = attack(adversary, **attack_config)
if adversary.is_successful():
print('attack success, adversarial_label=%d' %
(adversary.adversarial_label))
#对抗样本保存在adversary.adversarial_example
adversary_image = np.copy(adversary.adversarial_example)
#print(adversary_image - image)
#强制类型转换 之前是float 现在要转换成int8
adversary_image = np.array(adversary_image).astype("uint8").reshape(
[100, 100, 3])
logging.info(adversary_image - image)
#print(adversary_image - image)
im = Image.fromarray(adversary_image)
im.save("adversary_image_nontarget.jpg")
print("DeepFool non-target attack done")
attack = DeepFoolAttack(m)
attack_config = {"iterations": 100, "overshoot": 0.05}
adversary = Adversary(image, None)
#麦克风
tlabel = 651
adversary.set_target(is_targeted_attack=True, target_label=tlabel)
# FGSM targeted attack
adversary = attack(adversary, **attack_config)
if adversary.is_successful():
print('attack success, adversarial_label=%d' %
(adversary.adversarial_label))
#对抗样本保存在adversary.adversarial_example
adversary_image = np.copy(adversary.adversarial_example)
#强制类型转换 之前是float 现在要转换成int8
logging.info(adversary_image - image)
adversary_image = np.array(adversary_image).astype("uint8").reshape(
[100, 100, 3])
im = Image.fromarray(adversary_image)
im.save("adversary_image_target.jpg")
print("DeepFool target attack done")
def main(modulename, imagename):
'''
Kera的应用模块Application提供了带有预训练权重的Keras模型,这些模型可以用来进行预测、特征提取和finetune
模型的预训练权重将下载到~/.keras/models/并在载入模型时自动载入
'''
# 设置为测试模式
keras.backend.set_learning_phase(0)
model = ResNet50(weights=modulename)
logging.info(model.summary())
img = image.load_img(imagename, target_size=(224, 224))
imagedata = image.img_to_array(img)
#imagedata=imagedata[:, :, ::-1]
imagedata = np.expand_dims(imagedata, axis=0)
#logit fc1000
logits = model.get_layer('fc1000').output
#keras中获取指定层的方法为:
#base_model.get_layer('block4_pool').output)
# advbox demo
# 因为原始数据没有归一化 所以bounds=(0, 255) KerasMode内部在进行预测和计算梯度时会进行预处理
# imagenet数据集归一化时 标准差为1 mean为[104, 116, 123]
m = KerasModel(model,
model.input,
None,
logits,
None,
bounds=(0, 255),
channel_axis=3,
preprocess=([104, 116, 123], 1),
featurefqueezing_bit_depth=8)
attack = DeepFoolAttack(m)
attack_config = {"iterations": 100, "overshoot": 10}
#y设置为空 会自动计算
adversary = Adversary(imagedata[:, :, ::-1], None)
# deepfool non-targeted attack
adversary = attack(adversary, **attack_config)
if adversary.is_successful():
print('attack success, adversarial_label=%d' %
(adversary.adversarial_label))
#对抗样本保存在adversary.adversarial_example
adversary_image = np.copy(adversary.adversarial_example)
#强制类型转换 之前是float 现在要转换成iunt8
#::-1 reverses the color channels, because Keras ResNet50 expects BGR instead of RGB
adversary_image = adversary_image[:, :, ::-1]
adversary_image = np.array(adversary_image).astype("uint8").reshape(
[224, 224, 3])
logging.info(adversary_image - imagedata)
img = array_to_img(adversary_image)
img.save('adversary_image_nontarget.jpg')
print("deepfool non-target attack done")
attack = DeepFoolAttack(m)
attack_config = {"iterations": 100, "overshoot": 10}
adversary = Adversary(imagedata[:, :, ::-1], None)
tlabel = 489
adversary.set_target(is_targeted_attack=True, target_label=tlabel)
# deepfool targeted attack
adversary = attack(adversary, **attack_config)
if adversary.is_successful():
print('attack success, adversarial_label=%d' %
(adversary.adversarial_label))
#对抗样本保存在adversary.adversarial_example
adversary_image = np.copy(adversary.adversarial_example)
#强制类型转换 之前是float 现在要转换成int8
#::-1 reverses the color channels, because Keras ResNet50 expects BGR instead of RGB
adversary_image = adversary_image[:, :, ::-1]
adversary_image = np.array(adversary_image).astype("uint8").reshape(
[224, 224, 3])
logging.info(adversary_image - imagedata)
img = array_to_img(adversary_image)
img.save('adversary_image_target.jpg')
print("deepfool target attack done")
def main(modulename, imagename):
'''
Kera的应用模块Application提供了带有预训练权重的Keras模型,这些模型可以用来进行预测、特征提取和finetune
模型的预训练权重将下载到~/.keras/models/并在载入模型时自动载入
'''
# 设置为测试模式
keras.backend.set_learning_phase(0)
model = ResNet50(weights=modulename)
logging.info(model.summary())
img = image.load_img(imagename, target_size=(224, 224))
imagedata = image.img_to_array(img)
imagedata = np.expand_dims(imagedata, axis=0)
#keras数据预处理后范围为(-128,128)
imagedata = preprocess_input(imagedata)
preds = model.predict(imagedata)
#logit fc1000
logits = model.get_layer('fc1000').output
print('Predicted:', decode_predictions(preds, top=3)[0])
#keras中获取指定层的方法为:
#base_model.get_layer('block4_pool').output)
# advbox demo
# 因为原始数据没有归一化 所以bounds=(0, 255)
m = KerasModel(model,
model.input,
None,
logits,
None,
bounds=(-128, 128),
channel_axis=3,
preprocess=None)
attack = FGSM(m)
#设置epsilons时不用考虑特征范围 算法实现时已经考虑了取值范围的问题 epsilons取值范围为(0,1)
#epsilon支持动态调整 epsilon_steps为epsilon变化的个数
#epsilons为下限 epsilons_max为上限
attack_config = {
"epsilons": 0.1,
"epsilons_max": 0.5,
"epsilon_steps": 100
}
#y设置为空 会自动计算
adversary = Adversary(imagedata, None)
# FGSM non-targeted attack
adversary = attack(adversary, **attack_config)
if adversary.is_successful():
print('attack success, adversarial_label=%d' %
(adversary.adversarial_label))
#对抗样本保存在adversary.adversarial_example
adversary_image = np.copy(adversary.adversarial_example)
#强制类型转换 之前是float 现在要转换成int8
#print(adversary_image)
adversary_image = np.array(adversary_image).astype("int8").reshape(
[224, 224, 3])
#logging.info(adversary_image-imagedata)
#logging.info(adversary_image)
im = Image.fromarray(adversary_image)
im.save("adversary_image_nontarget.jpg")
print("fgsm non-target attack done")
def main(use_cuda):
"""
Advbox demo which demonstrate how to use advbox.
"""
TOTAL_NUM = 500
IMG_NAME = 'img'
LABEL_NAME = 'label'
img = fluid.layers.data(name=IMG_NAME, shape=[1, 28, 28], dtype='float32')
# gradient should flow
img.stop_gradient = False
label = fluid.layers.data(name=LABEL_NAME, shape=[1], dtype='int64')
logits = mnist_cnn_model(img)
cost = fluid.layers.cross_entropy(input=logits, label=label)
avg_cost = fluid.layers.mean(x=cost)
#根据配置选择使用CPU资源还是GPU资源
place = fluid.CUDAPlace(0) if use_cuda else fluid.CPUPlace()
exe = fluid.Executor(place)
BATCH_SIZE = 1
test_reader = paddle.batch(
paddle.reader.shuffle(
paddle.dataset.mnist.test(), buf_size=128 * 10),
batch_size=BATCH_SIZE)
fluid.io.load_params(
exe, "./mnist/", main_program=fluid.default_main_program())
# advbox demo
m = PaddleModel(
fluid.default_main_program(),
IMG_NAME,
LABEL_NAME,
logits.name,
avg_cost.name, (-1, 1),
channel_axis=1)
#使用静态FGSM epsilon不可变
attack = FGSM_static(m)
attack_config = {"epsilon": 0.01}
# use test data to generate adversarial examples
total_count = 0
fooling_count = 0
for data in test_reader():
total_count += 1
adversary = Adversary(data[0][0], data[0][1])
# FGSM non-targeted attack
adversary = attack(adversary, **attack_config)
if adversary.is_successful():
fooling_count += 1
#print(
# 'attack success, original_label=%d, adversarial_label=%d, count=%d'
# % (data[0][1], adversary.adversarial_label, total_count))
else:
logger.info('attack failed, original_label=%d, count=%d' %
(data[0][1], total_count))
if total_count >= TOTAL_NUM:
print(
"[TEST_DATASET]: fooling_count=%d, total_count=%d, fooling_rate=%f"
% (fooling_count, total_count,
float(fooling_count) / total_count))
break
print("fgsm attack done without any defence")
#使用FeatureFqueezingDefence
# advbox FeatureFqueezingDefence demo
n = PaddleFeatureFqueezingDefenceModel(
fluid.default_main_program(),
IMG_NAME,
LABEL_NAME,
logits.name,
avg_cost.name, (-1, 1),
channel_axis=1,preprocess=None,
bit_depth=1,
clip_values=(-1, 1)
)
attack_new = FGSM_static(n)
attack_config = {"epsilon": 0.01}
total_count = 0
fooling_count = 0
for data in test_reader():
total_count += 1
#不设置y 会自动获取
adversary = Adversary(data[0][0], None)
# FGSM non-targeted attack
adversary = attack_new(adversary, **attack_config)
if adversary.is_successful():
fooling_count += 1
logger.info(
'attack success, original_label=%d, adversarial_label=%d, count=%d'
% (data[0][1], adversary.adversarial_label, total_count)
)
else:
logger.info('attack failed, original_label=%d, count=%d' %
(data[0][1], total_count))
if total_count >= TOTAL_NUM:
print(
"[TEST_DATASET]: fooling_count=%d, total_count=%d, fooling_rate=%f"
% (fooling_count, total_count,
float(fooling_count) / total_count))
break
print("fgsm attack done with FeatureFqueezingDefence")
def main():
"""
Advbox demo which demonstrate how to use advbox.
"""
TOTAL_NUM = 5
pretrained_model = "./mnist-pytorch/net.pth"
loss_func = torch.nn.CrossEntropyLoss()
test_loader = torch.utils.data.DataLoader(datasets.MNIST(
'./mnist-pytorch/data',
train=False,
download=True,
transform=transforms.Compose([
transforms.ToTensor(),
])),
batch_size=1,
shuffle=False)
# Define what device we are using
logging.info("CUDA Available: {}".format(torch.cuda.is_available()))
device = torch.device("cuda" if torch.cuda.is_available() else "cpu")
# Initialize the network
model = Net().to(device)
# Load the pretrained model
model.load_state_dict(torch.load(pretrained_model, map_location='cpu'))
# Set the model in evaluation mode. In this case this is for the Dropout layers
model.eval()
# advbox demo
m = PytorchModel(model, loss_func, (0, 1), channel_axis=1)
attack = BIM(m)
attack_config = {
"epsilons": 0.05,
"epsilon_steps": 1,
"epsilons_max": 0.05,
"norm_ord": 1,
"steps": 10
}
# use test data to generate adversarial examples
total_count = 0
fooling_count = 0
for i, data in enumerate(test_loader):
inputs, labels = data
#inputs, labels = inputs.to(device), labels.to(device)
inputs, labels = inputs.numpy(), labels.numpy()
#inputs.requires_grad = True
#print(inputs.shape)
total_count += 1
adversary = Adversary(inputs, labels[0])
# FGSM non-targeted attack
adversary = attack(adversary, **attack_config)
print(adversary.original.shape)
pertubation = adversary.perturbation() # (1,1,28,28)
m_dist = mahalanobis_dist(adversary.original,
adversary.adversarial_example)
e_dist = eu_dist(adversary.original, adversary.adversarial_example)
print('###')
print(m_dist)
print(e_dist)
if adversary.is_successful():
fooling_count += 1
print(
'attack success, original_label=%d, adversarial_label=%d, count=%d'
% (labels, adversary.adversarial_label, total_count))
else:
print('attack failed, original_label=%d, count=%d' %
(labels, total_count))
if total_count >= TOTAL_NUM:
print(
"[TEST_DATASET]: fooling_count=%d, total_count=%d, fooling_rate=%f"
% (fooling_count, total_count,
float(fooling_count) / total_count))
break
print("fgsm attack done")
def main(use_cuda):
"""
Advbox demo which demonstrate how to use advbox.
"""
TOTAL_NUM = 500
IMG_NAME = 'img'
LABEL_NAME = 'label'
img = fluid.layers.data(name=IMG_NAME, shape=[3, 32, 32], dtype='float32')
# gradient should flow
img.stop_gradient = False
label = fluid.layers.data(name=LABEL_NAME, shape=[1], dtype='int64')
logits = resnet_cifar10(img, 32)
cost = fluid.layers.cross_entropy(input=logits, label=label)
avg_cost = fluid.layers.mean(x=cost)
#根据配置选择使用CPU资源还是GPU资源
place = fluid.CUDAPlace(0) if use_cuda else fluid.CPUPlace()
exe = fluid.Executor(place)
BATCH_SIZE = 1
test_reader = paddle.batch(paddle.reader.shuffle(
paddle.dataset.cifar.test10(), buf_size=128 * 10),
batch_size=BATCH_SIZE)
fluid.io.load_params(exe,
"cifar10/resnet/",
main_program=fluid.default_main_program())
# advbox demo
m = PaddleModel(fluid.default_main_program(),
IMG_NAME,
LABEL_NAME,
logits.name,
avg_cost.name, (0, 255),
channel_axis=0)
#形状为[1,28,28] channel_axis=0 形状为[28,28,1] channel_axis=2
attack = SinglePixelAttack(m)
attack_config = {"max_pixels": 32 * 32}
# use test data to generate adversarial examples
total_count = 0
fooling_count = 0
for data in test_reader():
total_count += 1
img = data[0][0]
img = np.reshape(img, [3, 32, 32])
adversary = Adversary(img, data[0][1])
#adversary = Adversary(data[0][0], data[0][1])
# SinglePixelAttack non-targeted attack
adversary = attack(adversary, **attack_config)
if adversary.is_successful():
fooling_count += 1
print(
'attack success, original_label=%d, adversarial_label=%d, count=%d'
% (data[0][1], adversary.adversarial_label, total_count))
else:
print('attack failed, original_label=%d, count=%d' %
(data[0][1], total_count))
if total_count >= TOTAL_NUM:
print(
"[TEST_DATASET]: fooling_count=%d, total_count=%d, fooling_rate=%f"
% (fooling_count, total_count,
float(fooling_count) / total_count))
break
print("SinglePixelAttack attack done")
def main(use_cuda):
"""
Advbox example which demonstrate how to use advbox.
"""
# base marco
TOTAL_NUM = 100
IMG_NAME = 'image'
LABEL_NAME = 'label'
# parse args
args = parser.parse_args()
print_arguments(args)
# parameters from arguments
class_dim = args.class_dim
model_name = args.model
target_class = args.target
pretrained_model = args.pretrained_model
image_shape = [int(m) for m in args.image_shape.split(",")]
if args.log_debug:
logging.getLogger().setLevel(logging.INFO)
assert model_name in model_list, "{} is not in lists: {}".format(
args.model, model_list)
# model definition
model = models.__dict__[model_name]()
# declare vars
image = fluid.layers.data(name=IMG_NAME,
shape=image_shape,
dtype='float32')
logits = model.net(input=image, class_dim=class_dim)
# clone program and graph for inference
infer_program = fluid.default_main_program().clone(for_test=True)
image.stop_gradient = False
label = fluid.layers.data(name=LABEL_NAME, shape=[1], dtype='int64')
cost = fluid.layers.cross_entropy(input=logits, label=label)
avg_cost = fluid.layers.mean(x=cost)
BATCH_SIZE = 1
test_reader = paddle.batch(reader.test(TEST_LIST, DATA_PATH),
batch_size=BATCH_SIZE)
# advbox demo
m = PaddleModel(fluid.default_main_program(),
IMG_NAME,
LABEL_NAME,
logits.name,
avg_cost.name, (0, 1),
channel_axis=3)
# Adversarial method: FGSM
attack = FGSM(m)
attack_config = {"epsilons": 0.03}
enable_gpu = use_cuda and args.use_gpu
place = fluid.CUDAPlace(0) if enable_gpu else fluid.CPUPlace()
exe = fluid.Executor(place)
exe.run(fluid.default_startup_program())
# reload model vars
if pretrained_model:
def if_exist(var):
return os.path.exists(os.path.join(pretrained_model, var.name))
fluid.io.load_vars(exe, pretrained_model, predicate=if_exist)
# inference
pred_label = infer(infer_program, image, logits, place, exe)
# if only inference ,and exit
if args.inference:
exit(0)
print("--------------------adversary-------------------")
# use test data to generate adversarial examples
total_count = 0
fooling_count = 0
for data in test_reader():
total_count += 1
data_img = [data[0][0]]
filename = data[0][1]
org_data = data_img[0][0]
adversary = Adversary(org_data, pred_label[filename])
#target attack
if target_class != -1:
tlabel = target_class
adversary.set_target(is_targeted_attack=True, target_label=tlabel)
adversary = attack(adversary, **attack_config)
if adversary.is_successful():
fooling_count += 1
print(
'attack success, original_label=%d, adversarial_label=%d, count=%d'
% (pred_label[filename], adversary.adversarial_label,
total_count))
#output original image, adversarial image and difference image
generation_image(total_count, org_data, pred_label[filename],
adversary.adversarial_example,
adversary.adversarial_label, "FGSM")
else:
print('attack failed, original_label=%d, count=%d' %
(pred_label[filename], total_count))
if total_count >= TOTAL_NUM:
print(
"[TEST_DATASET]: fooling_count=%d, total_count=%d, fooling_rate=%f"
% (fooling_count, total_count,
float(fooling_count) / total_count))
break
# inference
pred_label2 = infer(infer_program, image, logits, place, exe)
print("fgsm attack done")
def main():
"""
Advbox demo which demonstrate how to use advbox.
"""
TOTAL_NUM = 500
IMG_NAME = 'img'
LABEL_NAME = 'label'
img = fluid.layers.data(name=IMG_NAME, shape=[1, 28, 28], dtype='float32')
# gradient should flow
img.stop_gradient = False
label = fluid.layers.data(name=LABEL_NAME, shape=[1], dtype='int64')
logits = mnist_cnn_model(img)
cost = fluid.layers.cross_entropy(input=logits, label=label)
avg_cost = fluid.layers.mean(x=cost)
# use CPU
place = fluid.CPUPlace()
# use GPU
# place = fluid.CUDAPlace(0)
exe = fluid.Executor(place)
BATCH_SIZE = 1
train_reader = paddle.batch(paddle.reader.shuffle(
paddle.dataset.mnist.train(), buf_size=128 * 10),
batch_size=BATCH_SIZE)
test_reader = paddle.batch(paddle.reader.shuffle(
paddle.dataset.mnist.test(), buf_size=128 * 10),
batch_size=BATCH_SIZE)
fluid.io.load_params(exe,
"./mnist/",
main_program=fluid.default_main_program())
# advbox demo
m = PaddleModel(fluid.default_main_program(),
IMG_NAME,
LABEL_NAME,
logits.name,
avg_cost.name, (-1, 1),
channel_axis=1)
attack = DeepFoolAttack(m)
attack_config = {"iterations": 100, "overshoot": 9}
# use train data to generate adversarial examples
total_count = 0
fooling_count = 0
for data in train_reader():
total_count += 1
adversary = Adversary(data[0][0], data[0][1])
# DeepFool non-targeted attack
adversary = attack(adversary, **attack_config)
# DeepFool targeted attack
# tlabel = 0
# adversary.set_target(is_targeted_attack=True, target_label=tlabel)
# adversary = attack(adversary, **attack_config)
if adversary.is_successful():
fooling_count += 1
print(
'attack success, original_label=%d, adversarial_label=%d, count=%d'
% (data[0][1], adversary.adversarial_label, total_count))
# plt.imshow(adversary.target, cmap='Greys_r')
# plt.show()
# np.save('adv_img', adversary.target)
else:
print('attack failed, original_label=%d, count=%d' %
(data[0][1], total_count))
if total_count >= TOTAL_NUM:
print(
"[TRAIN_DATASET]: fooling_count=%d, total_count=%d, fooling_rate=%f"
% (fooling_count, total_count,
float(fooling_count) / total_count))
break
# use test data to generate adversarial examples
total_count = 0
fooling_count = 0
for data in test_reader():
total_count += 1
adversary = Adversary(data[0][0], data[0][1])
# DeepFool non-targeted attack
adversary = attack(adversary, **attack_config)
# DeepFool targeted attack
# tlabel = 0
# adversary.set_target(is_targeted_attack=True, target_label=tlabel)
# adversary = attack(adversary, **attack_config)
if adversary.is_successful():
fooling_count += 1
print(
'attack success, original_label=%d, adversarial_label=%d, count=%d'
% (data[0][1], adversary.adversarial_label, total_count))
# plt.imshow(adversary.target, cmap='Greys_r')
# plt.show()
# np.save('adv_img', adversary.target)
else:
print('attack failed, original_label=%d, count=%d' %
(data[0][1], total_count))
if total_count >= TOTAL_NUM:
print(
"[TEST_DATASET]: fooling_count=%d, total_count=%d, fooling_rate=%f"
% (fooling_count, total_count,
float(fooling_count) / total_count))
break
print("deelfool attack done")
def main(use_cuda):
"""
Advbox demo which demonstrate how to use advbox.
"""
TOTAL_NUM = 500
IMG_NAME = 'img'
LABEL_NAME = 'label'
img = fluid.layers.data(name=IMG_NAME, shape=[3, 32, 32], dtype='float32')
# gradient should flow
img.stop_gradient = False
label = fluid.layers.data(name=LABEL_NAME, shape=[1], dtype='int64')
# logits = mnist_cnn_model(img)
# logits = vgg_bn_drop(img)
logits = resnet_cifar10(img, 32)
cost = fluid.layers.cross_entropy(input=logits, label=label)
avg_cost = fluid.layers.mean(x=cost)
#根据配置选择使用CPU资源还是GPU资源
place = fluid.CUDAPlace(0) if use_cuda else fluid.CPUPlace()
exe = fluid.Executor(place)
BATCH_SIZE = 1
test_reader = paddle.batch(paddle.dataset.cifar.test10(),
batch_size=BATCH_SIZE)
fluid.io.load_params(exe,
"cifar10/resnet",
main_program=fluid.default_main_program())
# advbox demo
m = PaddleModel(fluid.default_main_program(),
IMG_NAME,
LABEL_NAME,
logits.name,
avg_cost.name, (-1, 1),
channel_axis=1)
# attack = FGSM(m)
attack = DeepFoolAttack(m)
# attack = FGSMT(m)
# attack_config = {"epsilons": 0.3}
attack_config = {"iterations": 100, "overshoot": 9}
# use test data to generate adversarial examples
total_count = 0
fooling_count = 0
for data in test_reader():
total_count += 1
adversary = Adversary(data[0][0], data[0][1])
# FGSM non-targeted attack
adversary = attack(adversary, **attack_config)
# FGSMT targeted attack
# tlabel = 0
# adversary.set_target(is_targeted_attack=True, target_label=tlabel)
# adversary = attack(adversary, **attack_config)
if adversary.is_successful():
fooling_count += 1
print(
'attack success, original_label=%d, adversarial_label=%d, count=%d'
% (data[0][1], adversary.adversarial_label, total_count))
# plt.imshow(adversary.target, cmap='Greys_r')
# plt.show()
# np.save('adv_img', adversary.target)
else:
print('attack failed, original_label=%d, count=%d' %
(data[0][1], total_count))
if total_count >= TOTAL_NUM:
print(
"[TEST_DATASET]: fooling_count=%d, total_count=%d, fooling_rate=%f"
% (fooling_count, total_count,
float(fooling_count) / total_count))
break
# print("fgsm attack done")
print("deelfool attack done")
def main():
assert 0 <= options.r <= 2
assert options.c in [0, 1, 2, 3]
assert options.m in ["onnx", "tersorflow"]
print("options:{}".format(options))
if options.m == "onnx":
m = graphpipeBlackBoxModel_onnx(options.url, (0, 255),
channel_axis=options.c)
else:
m = graphpipeBlackBoxModel(options.url, (0, 255),
channel_axis=options.c)
start = time.time()
# 不定向攻击
attack = LocalSearchAttack(m)
# R 攻击次数
# r p 绕定系数
# t 每次攻击的点数
# d 搜索半径
attack_config = {
"R": options.R,
"r": options.r,
"p": options.p,
"t": options.t,
"d": options.d
}
data = np.array(Image.open(options.input_file))
data = data.reshape([1] + list(data.shape))
data = np.rollaxis(data, 3, 1).astype(np.float32) # channels first
print("Image shape :{}".format(data.shape))
original_data = np.copy(data)
# 猫对应的标签 imagenet 2012 对应链接https://blog.csdn.net/LegenDavid/article/details/73335578
original_label = None
adversary = Adversary(original_data, original_label)
print("Non-targeted Attack...")
adversary = attack(adversary, **attack_config)
if adversary.is_successful():
print('attack success, original_label=%d, adversarial_label=%d' %
(adversary.original_label, adversary.adversarial_label))
# 对抗样本保存在adversary.adversarial_example
adversary_image = np.copy(adversary.adversarial_example)
adversary_image = np.array(
adversary_image[0]).astype("uint8").transpose([1, 2, 0])
im = Image.fromarray(adversary_image)
im.save(options.output_file)
print("Save file :{}".format(options.output_file))
show_images_diff(options.input_file, options.output_file)
else:
print('attack failed, original_label=%d' % (adversary.original_label))
end = time.time()
print("LocalSearchAttack attack done. Cost time {}s".format(end - start))
def main(use_cuda):
"""
Advbox demo which demonstrate how to use advbox.
"""
class_dim = 1000
IMG_NAME = 'img'
LABEL_NAME = 'label'
#模型路径
pretrained_model = "models/resnet_50/115"
with_memory_optimization = 1
image_shape = [3,224,224]
image = fluid.layers.data(name=IMG_NAME, shape=image_shape, dtype='float32')
# gradient should flow
image.stop_gradient = False
label = fluid.layers.data(name=LABEL_NAME, shape=[1], dtype='int64')
# model definition
model = resnet.ResNet50()
out = model.net(input=image, class_dim=class_dim)
#test_program = fluid.default_main_program().clone(for_test=True)
if with_memory_optimization:
fluid.memory_optimize(fluid.default_main_program())
# 根据配置选择使用CPU资源还是GPU资源
place = fluid.CUDAPlace(0) if use_cuda else fluid.CPUPlace()
exe = fluid.Executor(place)
exe.run(fluid.default_startup_program())
#加载模型参数
if pretrained_model:
def if_exist(var):
return os.path.exists(os.path.join(pretrained_model, var.name))
fluid.io.load_vars(exe, pretrained_model, predicate=if_exist)
cost = fluid.layers.cross_entropy(input=out, label=label)
avg_cost = fluid.layers.mean(x=cost)
# advbox demo
m = PaddleModel(
fluid.default_main_program(),
IMG_NAME,
LABEL_NAME,
out.name,
avg_cost.name, (-1, 1),
channel_axis=3)
attack = FGSM(m)
attack_config = {"epsilons": 0.3}
test_data = get_image("cat.jpg")
# 猫对应的标签
test_label = 285
adversary = Adversary(test_data, test_label)
# FGSM non-targeted attack
adversary = attack(adversary, **attack_config)
if adversary.is_successful():
print(
'attack success, original_label=%d, adversarial_label=%d'
% (test_label, adversary.adversarial_label))
else:
print('attack failed, original_label=%d, ' % (test_label))
print("fgsm attack done")