def test_iris_pt(self):
    """
    Third test for PyTorch.

    :return:
    """
    # Build PyTorchClassifier
    victim_ptc = get_iris_classifier_pt()

    class Model(nn.Module):
        """
        Create Iris model for PyTorch.
        """

        def __init__(self):
            super(Model, self).__init__()
            self.fully_connected1 = nn.Linear(4, 10)
            self.fully_connected2 = nn.Linear(10, 10)
            self.fully_connected3 = nn.Linear(10, 3)

        # pylint: disable=W0221
        # disable pylint because of API requirements for function
        def forward(self, x):
            x = self.fully_connected1(x)
            x = self.fully_connected2(x)
            logit_output = self.fully_connected3(x)
            return logit_output

    # Define the network
    model = Model()

    # Define a loss function and optimizer
    loss_fn = nn.CrossEntropyLoss()
    optimizer = optim.Adam(model.parameters(), lr=0.001)

    # Get classifier
    thieved_ptc = PyTorchClassifier(model=model, loss=loss_fn, optimizer=optimizer, input_shape=(4,),
                                    nb_classes=3, clip_values=(0, 1), channel_index=1)

    # Create attack
    copycat_cnn = CopycatCNN(classifier=victim_ptc, batch_size_fit=BATCH_SIZE, batch_size_query=BATCH_SIZE,
                             nb_epochs=NB_EPOCHS, nb_stolen=NB_STOLEN)
    thieved_ptc = copycat_cnn.extract(x=self.x_train, thieved_classifier=thieved_ptc)

    victim_preds = np.argmax(victim_ptc.predict(x=self.x_train[:100]), axis=1)
    thieved_preds = np.argmax(thieved_ptc.predict(x=self.x_train[:100]), axis=1)
    acc = np.sum(victim_preds == thieved_preds) / len(victim_preds)

    self.assertGreater(acc, 0.3)
def main(config_filepath):
    config = load_config(config_filepath)
    if os.path.isfile(config.metrics_output_path):
        click.confirm(f"Overwrite {config.metrics_output_path}?", abort=True)

    np.random.seed(config.seed)
    torch.manual_seed(config.seed)

    # Load data
    x = torch.load(config.x_filepath)
    y = torch.load(config.y_filepath)

    # Flatten
    x = x.reshape(x.shape[0], -1)

    model = torch.load(config.trained_model_filepath)

    with open(config.clip_values_filepath, "r") as f:
        clip_values = json.load(f)
    clip_values = (
        clip_values.get("min_pixel_value"),
        clip_values.get("max_pixel_value"),
    )

    classifier = PyTorchClassifier(
        model=model,
        clip_values=clip_values,
        loss=model.criterion,
        optimizer=model.optimizer,
        input_shape=(1, 28, 28),
        nb_classes=10,
    )  # TODO: move these parameters to config

    # Evaluate the classifier on benign data
    predictions = classifier.predict(x)

    # Convert one-hots to numbers for metrics
    y = utils.one_hot_to_num(y)
    predictions = utils.one_hot_to_num(predictions)

    accuracy = {
        "Accuracy": metrics.accuracy_score(y, predictions),
        "Confusion Matrix": metrics.confusion_matrix(y, predictions).tolist(),
    }

    # Save data
    with open(config.metrics_output_path, "w") as f:
        json.dump(
            accuracy,
            f,
            ensure_ascii=False,
            sort_keys=True,
            indent=4,
            separators=(",", ": "),
        )
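# The utils.one_hot_to_num helper used above is not shown in this snippet; a
# minimal sketch, assuming it simply reduces one-hot rows to integer class
# indices via argmax over the class axis:
import numpy as np

def one_hot_to_num(one_hot):
    """Convert an (N, num_classes) one-hot array to (N,) integer labels."""
    return np.argmax(one_hot, axis=1)

# e.g. one_hot_to_num(np.array([[0, 1, 0], [1, 0, 0]])) -> array([1, 0])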
def __init__(self, model, dataset):
    model.eval()
    self.model = model
    self.dataset = dataset
    # The optimizer is unused at inference time, but PyTorchClassifier requires one.
    optimizer = torch.optim.Adam(model.parameters())
    self.nb_classes = nb_classes[dataset]
    self.classifier = PyTorchClassifier((0., 1.), model=self.model, loss=nn.CrossEntropyLoss(),
                                        optimizer=optimizer, input_shape=input_shape[dataset],
                                        nb_classes=self.nb_classes)
def test_device(self):
    # Define the network
    model = nn.Sequential(nn.Conv2d(1, 2, 5), nn.ReLU(), nn.MaxPool2d(2, 2), Flatten(), nn.Linear(288, 10))

    # Define a loss function and optimizer
    loss_fn = nn.CrossEntropyLoss()
    optimizer = optim.Adam(model.parameters(), lr=0.01)

    # First test cpu
    classifier_cpu = PyTorchClassifier(
        model=model,
        clip_values=(0, 1),
        loss=loss_fn,
        optimizer=optimizer,
        input_shape=(1, 28, 28),
        nb_classes=10,
        device_type="cpu",
    )
    self.assertTrue(classifier_cpu._device == torch.device("cpu"))
    self.assertFalse(classifier_cpu._device == torch.device("cuda"))

    # Then test gpu
    if torch.cuda.device_count() >= 2:
        with torch.cuda.device(0):
            classifier_gpu0 = PyTorchClassifier(
                model=model,
                clip_values=(0, 1),
                loss=loss_fn,
                optimizer=optimizer,
                input_shape=(1, 28, 28),
                nb_classes=10,
            )
            self.assertTrue(classifier_gpu0._device == torch.device("cuda:0"))
            self.assertFalse(classifier_gpu0._device == torch.device("cuda:1"))

        with torch.cuda.device(1):
            classifier_gpu1 = PyTorchClassifier(
                model=model,
                clip_values=(0, 1),
                loss=loss_fn,
                optimizer=optimizer,
                input_shape=(1, 28, 28),
                nb_classes=10,
            )
            self.assertTrue(classifier_gpu1._device == torch.device("cuda:1"))
            self.assertFalse(classifier_gpu1._device == torch.device("cuda:0"))
def __init__(self, model_container, theta=0.1, gamma=1.0, batch_size=16):
    super(SaliencyContainer, self).__init__(model_container)

    dim_data = model_container.data_container.dim_data
    assert len(dim_data) == 3, \
        'Jacobian Saliency Map attack only works on images'

    self._params = {
        'theta': theta,
        'gamma': gamma,
        'batch_size': batch_size,
    }

    # Use the IBM ART PyTorch module wrapper.
    # The model used here should already be trained.
    model = self.model_container.model
    loss_fn = self.model_container.model.loss_fn
    dc = self.model_container.data_container
    clip_values = get_range(dc.x_train, dc.data_type == 'image')
    optimizer = self.model_container.model.optimizer
    num_classes = self.model_container.data_container.num_classes
    dim_data = self.model_container.data_container.dim_data
    logger.debug('clip_values = %s', str(clip_values))
    self.classifier = PyTorchClassifier(
        model=model, clip_values=clip_values, loss=loss_fn,
        optimizer=optimizer, input_shape=dim_data, nb_classes=num_classes)
def __init__(self, model_container, eps=0.3, eps_step=0.1, max_iter=100,
             targeted=False, batch_size=64):
    super(BIMContainer, self).__init__(model_container)

    self._params = {
        'eps': eps,
        'eps_step': eps_step,
        'max_iter': max_iter,
        'targeted': targeted,
        'batch_size': batch_size,
    }

    # Use the IBM ART PyTorch module wrapper.
    # The model used here should already be trained.
    model = self.model_container.model
    loss_fn = self.model_container.model.loss_fn
    dc = self.model_container.data_container
    clip_values = get_range(dc.x_train, dc.data_type == 'image')
    optimizer = self.model_container.model.optimizer
    num_classes = self.model_container.data_container.num_classes
    dim_data = self.model_container.data_container.dim_data
    self.classifier = PyTorchClassifier(
        model=model, clip_values=clip_values, loss=loss_fn,
        optimizer=optimizer, input_shape=dim_data, nb_classes=num_classes)
def __init__(self, model_container, max_iter=100, epsilon=1e-6,
             nb_grads=10, batch_size=16):
    super(DeepFoolContainer, self).__init__(model_container)

    self._params = {
        'max_iter': max_iter,
        'epsilon': epsilon,
        'nb_grads': nb_grads,
        'batch_size': batch_size,
    }

    # Use the IBM ART PyTorch module wrapper.
    # The model used here should already be trained.
    model = self.model_container.model
    loss_fn = self.model_container.model.loss_fn
    dc = self.model_container.data_container
    clip_values = get_range(dc.x_train, dc.data_type == 'image')
    optimizer = self.model_container.model.optimizer
    num_classes = self.model_container.data_container.num_classes
    dim_data = self.model_container.data_container.dim_data
    self.classifier = PyTorchClassifier(
        model=model, clip_values=clip_values, loss=loss_fn,
        optimizer=optimizer, input_shape=dim_data, nb_classes=num_classes)
def artattack(fcn, model, images, criterion, epsilon, kwargs):
    """
    Adversarial Robustness Toolbox ported attack implementation.

    :param fcn: the ART attack class to instantiate
    :param model: network in DAGModule
    :param images: test samples
    :param criterion: labels/criterion object
    :param epsilon: epsilon to test with
    :param kwargs: other arguments to the attack
    :return: perturbed images, clipped to the epsilon ball
    """
    artmodel = PyTorchClassifier(
        model=model,
        clip_values=(0, 1),
        loss=nn.CrossEntropyLoss(),
        optimizer=None,
        input_shape=(0,),
        nb_classes=10
    )
    device = model.device
    attack = fcn(classifier=artmodel, **kwargs)
    # ART attacks operate on numpy arrays, so move the batch to the CPU first
    adv_imgs = torch.as_tensor(attack.generate(x=images.clone().cpu().numpy())).to(device)
    linf = LpDistance(ep.inf)
    adv_imgs = linf.clip_perturbation(images, adv_imgs, epsilon)
    return adv_imgs
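# A minimal usage sketch for artattack above. `dag_model`, `batch`, and `labels`
# are hypothetical stand-ins, and FastGradientMethod is just one attack class
# whose constructor matches the fcn(classifier=..., **kwargs) call (older ART
# versions take `classifier` as the first keyword argument).
from art.attacks import FastGradientMethod

adv_batch = artattack(FastGradientMethod, dag_model, batch, labels,
                      epsilon=8 / 255, kwargs={'eps': 8 / 255})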
def test_one_channel(self):
    (x_train, _), (_, _), _, _ = load_mnist()
    x_train = x_train[:2, 10:15, 15:20, :]
    x_train = x_train.astype(np.float32)
    x_train_original = x_train.copy()

    # Define the network
    model = ModelImage()
    loss_fn = nn.CrossEntropyLoss()
    optimizer = optim.Adam(model.parameters(), lr=0.01)
    self.pixelcnn = PyTorchClassifier(model=model, loss=loss_fn, optimizer=optimizer, input_shape=(1, 28, 28),
                                      nb_classes=10, clip_values=(0, 1))
    preprocess = PixelDefend(eps=5, pixel_cnn=self.pixelcnn)
    x_defended, _ = preprocess(x_train)

    self.assertEqual(x_defended.shape, x_train.shape)
    self.assertTrue((x_defended <= 1.0).all())
    self.assertTrue((x_defended >= 0.0).all())

    # Check that x_train has not been modified by attack and classifier
    self.assertAlmostEqual(float(np.max(np.abs(x_train_original - x_train))), 0.0, delta=0.00001)
def __init__(self, net, num_classes, attack_type, eps, batch_size):
    self.num_classes = num_classes
    self.net = net
    self.fmodel = foolbox.models.PyTorchModel(net, bounds=(0, 1), num_classes=num_classes)
    if attack_type == "DeepFool":
        attacker = foolbox.attacks.DeepFoolLinfinityAttack(self.fmodel)
    elif attack_type == "MIFGSM":
        attacker = foolbox.attacks.MomentumIterativeAttack(
            self.fmodel, distance=foolbox.distances.Linfinity)
    elif attack_type == "CW":
        a0 = 2 * eps / 20
        classifier = PyTorchClassifier(clip_values=(0, 1),
                                       model=net,
                                       loss=None,
                                       optimizer=None,
                                       input_shape=(batch_size, 3, 32, 32),
                                       nb_classes=num_classes,
                                       channel_index=3,
                                       defences=None,
                                       preprocessing=(0, 1))
        attacker = carlini.CarliniLInfMethod(classifier,
                                             learning_rate=a0 / 2,
                                             targeted=False,
                                             max_iter=40,
                                             eps=eps,
                                             batch_size=128)
    self.attacker = attacker
    self.attack_type = attack_type
    self.eps = eps
def __init__(self, model_container, norm=np.inf, eps=.3, eps_step=0.1,
             targeted=False, num_random_init=0, batch_size=64, minimal=False):
    """
    Fast Gradient Sign Method. Uses the L-inf norm by default.
    """
    super(FGSMContainer, self).__init__(model_container)

    self._params = {
        'norm': norm,
        'eps': eps,
        'eps_step': eps_step,
        'targeted': targeted,
        'num_random_init': num_random_init,
        'batch_size': batch_size,
        'minimal': minimal,
    }

    # Use the IBM ART PyTorch module wrapper.
    # The model used here should already be trained.
    model = self.model_container.model
    loss_fn = self.model_container.model.loss_fn
    dc = self.model_container.data_container
    clip_values = get_range(dc.x_train, dc.data_type == 'image')
    optimizer = self.model_container.model.optimizer
    num_classes = self.model_container.data_container.num_classes
    dim_data = self.model_container.data_container.dim_data
    self.classifier = PyTorchClassifier(
        model=model, clip_values=clip_values, loss=loss_fn,
        optimizer=optimizer, input_shape=dim_data, nb_classes=num_classes)
def wrap(model, target_type, **config):
    assert model is not None

    if target_type == 'sklearnclassifier':
        nb_classes = config.get('nb_classes', 10)
        return SklearnClassifier(model=model, clip_values=(0, nb_classes))
    elif target_type == 'pytorchclassifier':
        loss = config.get('loss', None)
        optimizer = config.get('optimizer', None)
        input_shape = config.get('input_shape', None)
        nb_classes = config.get('nb_classes', None)
        clip_values = config.get('clip_values', (0., 1.))
        return PyTorchClassifier(model=model, loss=loss, optimizer=optimizer,
                                 input_shape=input_shape, nb_classes=nb_classes,
                                 clip_values=clip_values)
    else:
        raise NotImplementedError(
            'Wrapper for {} is not implemented.'.format(target_type))
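# Hypothetical usage of wrap() for the 'pytorchclassifier' branch; `net` stands
# in for any trained torch.nn.Module with a 1x28x28 input and 10 outputs.
import torch.nn as nn
import torch.optim as optim

classifier = wrap(
    net,
    'pytorchclassifier',
    loss=nn.CrossEntropyLoss(),
    optimizer=optim.Adam(net.parameters(), lr=1e-3),
    input_shape=(1, 28, 28),
    nb_classes=10,
)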
def setUpClass(cls):
    (x_train, y_train), (x_test, y_test), _, _ = load_dataset('mnist')

    x_train = np.swapaxes(x_train, 1, 3).astype(np.float32)
    x_test = np.swapaxes(x_test, 1, 3).astype(np.float32)

    cls.x_train = x_train[:NB_TRAIN]
    cls.y_train = y_train[:NB_TRAIN]
    cls.x_test = x_test[:NB_TEST]
    cls.y_test = y_test[:NB_TEST]

    # Define the internal classifier
    classifier = get_classifier_pt()

    # Define the internal detector
    conv = nn.Conv2d(1, 16, 5)
    linear = nn.Linear(2304, 1)
    torch.nn.init.xavier_uniform_(conv.weight)
    torch.nn.init.xavier_uniform_(linear.weight)
    model = nn.Sequential(conv, nn.ReLU(), nn.MaxPool2d(2, 2), Flatten(), linear)
    model = Model(model)
    loss_fn = nn.CrossEntropyLoss()
    optimizer = optim.Adam(model.parameters(), lr=0.01)
    detector = PyTorchClassifier(model=model, loss=loss_fn, optimizer=optimizer, input_shape=(1, 28, 28),
                                 nb_classes=1, clip_values=(0, 1))

    # Define the detector-classifier
    cls.detector_classifier = DetectorClassifier(classifier=classifier, detector=detector)
def get_art_model(model_kwargs, wrapper_kwargs, weights_file=None):
    model = models.resnet50(**model_kwargs)
    model.to(DEVICE)

    if weights_file:
        filepath = maybe_download_weights_from_s3(weights_file)
        checkpoint = torch.load(filepath, map_location=DEVICE)
        model.load_state_dict(checkpoint)

    # Inputs are ImageNet-normalized, so valid pixels [0, 1] map to
    # (x - mean) / std per channel.
    wrapped_model = PyTorchClassifier(
        model,
        loss=torch.nn.CrossEntropyLoss(),
        optimizer=torch.optim.Adam(model.parameters(), lr=0.003),
        input_shape=(224, 224, 3),
        **wrapper_kwargs,
        clip_values=(
            np.array([
                (0.0 - IMAGENET_MEANS[0]) / IMAGENET_STDEV[0],
                (0.0 - IMAGENET_MEANS[1]) / IMAGENET_STDEV[1],
                (0.0 - IMAGENET_MEANS[2]) / IMAGENET_STDEV[2],
            ]),
            np.array([
                (1.0 - IMAGENET_MEANS[0]) / IMAGENET_STDEV[0],
                (1.0 - IMAGENET_MEANS[1]) / IMAGENET_STDEV[1],
                (1.0 - IMAGENET_MEANS[2]) / IMAGENET_STDEV[2],
            ]),
        ),
    )
    return wrapped_model
def general_test(model, optimizer, input_shape, nb_classes, test_loader, method,
                 btrain=False, model_file='last_model_92_sgd.pkl'):
    global _classes
    if not btrain:
        model.load_state_dict(torch.load(model_file))
    model.eval()

    loss = nn.CrossEntropyLoss()
    warped_model = PyTorchClassifier(model, loss, optimizer, input_shape, nb_classes, clip_values=(.0, 1.))
    if method == 'Deepfool':
        adv_crafter = DeepFool(warped_model)
    elif method == 'BIM':
        adv_crafter = BasicIterativeMethod(warped_model, batch_size=20)
    elif method == 'JSMA':
        adv_crafter = SaliencyMapMethod(warped_model, batch_size=20)
    elif method == 'CW2':
        adv_crafter = CarliniL2Method(warped_model, batch_size=20)
    elif method == 'CWI':
        adv_crafter = CarliniLInfMethod(warped_model, batch_size=20)
    else:
        raise ValueError('Unknown attack method: {}'.format(method))

    correct, total = 0, 0
    class_correct = list(0. for _ in range(10))
    class_total = list(0. for _ in range(10))

    for images, labels in test_loader:
        images = adv_crafter.generate(images.numpy())
        images = Variable(torch.from_numpy(images).cuda())
        labels = Variable(labels.cuda())

        outputs = model(images)
        _, predicted = torch.max(outputs.data, 1)
        total += labels.size(0)
        correct += (predicted == labels.data).sum()
        c = (predicted == labels.data).squeeze()
        # NOTE: assumes a fixed batch size of 20 from test_loader
        for i in range(20):
            label = labels.data[i]
            class_correct[label] += c[i]
            class_total[label] += 1

    print('Accuracy of the model on the test images: %d %%' % (100 * float(correct) / total))
    print('Accuracy of the model on the test images:', float(correct) / total)
    for i in range(10):
        print('Accuracy of %5s : %2d %%' % (_classes[i], 100 * class_correct[i] / class_total[i]))
    return correct / total
def test():
    (x_train, y_train), (x_test, y_test), min_, max_ = load_dataset('cifar10')
    x_train = np.swapaxes(x_train, 1, 3).astype(np.float32)
    x_test = np.swapaxes(x_test, 1, 3).astype(np.float32)

    model = VGG('VGG16')
    model.load_state_dict(torch.load("./logs/pytorch_vgg16.h5.model"))
    criterion = nn.CrossEntropyLoss()
    optimizer = optim.Adam(model.parameters(), lr=1e-2)
    classifier = PyTorchClassifier(model=model, clip_values=(min_, max_), loss=criterion,
                                   optimizer=optimizer, input_shape=(3, 32, 32), nb_classes=10)

    predictions = classifier.predict(x_test)
    accuracy = np.sum(np.argmax(predictions, axis=1) == np.argmax(y_test, axis=1)) / len(y_test)
    print('Accuracy on benign test examples: {}%'.format(accuracy * 100))
def general_test_v2(model, optimizer, input_shape, nb_classes, test_loader, method, conf,
                    btrain=False, model_file='last_model_92_sgd.pkl'):
    global _classes
    if not btrain:
        checked_state = torch.load(model_file)['state_dict']
        model.load_state_dict(checked_state)
    model.eval()

    loss = nn.CrossEntropyLoss()
    warped_model = PyTorchClassifier(model, loss, optimizer, input_shape, nb_classes, clip_values=(.0, 1.))
    if method == 'Deepfool':
        adv_crafter = DeepFool(warped_model)
    elif method == 'BIM':
        adv_crafter = BasicIterativeMethod(warped_model, batch_size=32)
    elif method == 'JSMA':
        adv_crafter = SaliencyMapMethod(warped_model, batch_size=32)
    elif method == 'CW2':
        adv_crafter = CarliniL2Method(warped_model, batch_size=32)
    elif method == 'CWI':
        adv_crafter = CarliniLInfMethod(warped_model, batch_size=32)
    elif method == 'FGSM':
        adv_crafter = FastGradientMethod(warped_model, batch_size=32)
    else:
        raise ValueError('Unknown attack method: {}'.format(method))

    correct, total = 0, 0
    adv_dataset = adv_generalization(test_loader, adv_crafter, conf)
    temp_loader = DataLoader(dataset=adv_dataset, batch_size=32, shuffle=False, drop_last=True)
    # temp_loader = test_loader

    for images, labels in temp_loader:
        images = Variable(images.cuda())
        labels = Variable(labels.cuda())

        outputs = model(images)
        _, predicted = torch.max(outputs.data, 1)
        total += labels.size(0)
        correct += (predicted == labels.data).sum()

    print('Accuracy of the model on the test images: %d %%' % (100 * float(correct) / total))
    print('Accuracy of the model on the test images:', float(correct) / total)
    return correct / total
def main(config_filepath):
    config = load_config(config_filepath)
    if os.path.isfile(config.model_output_path):
        click.confirm(f"Overwrite {config.model_output_path}?", abort=True)

    np.random.seed(config.seed)
    torch.manual_seed(config.seed)

    # Load data
    x = torch.load(config.x_filepath)
    y = torch.load(config.y_filepath)

    # Flatten training set
    x = x.reshape(x.shape[0], -1)

    with open(config.clip_values_filepath, "r") as f:
        clip_values = json.load(f)
    clip_values = (
        clip_values.get("min_pixel_value"),
        clip_values.get("max_pixel_value"),
    )

    model = get_model_from_module(mnist.models, config.model_class_name)
    if not model:
        sys.exit(f"Could not load provided model {config.model_class_name}")

    classifier = PyTorchClassifier(
        model=model,
        clip_values=clip_values,
        loss=model.criterion,
        optimizer=model.optimizer,
        input_shape=(784,),  # flattened 28x28 images
        nb_classes=10,
    )  # TODO: move these parameters to config

    # Train classifier
    classifier.fit(x, y, batch_size=config.batch_size, nb_epochs=config.num_epochs)

    # Save data
    torch.save(model, config.model_output_path)
def apply_attack(model_path, dataset, model_attack_config):
    model = torch.load(model_path, map_location='cpu').model
    input_shape = model_attack_config[lookup.input_shape]
    criterion = model_attack_config[lookup.criterion]
    optimizer = model_attack_config[lookup.optimizer]
    nb_classes = model_attack_config[lookup.nb_classes]
    attack_method = model_attack_config[lookup.attack_method]
    robust_db_name = model_attack_config[lookup.robust_db_name]

    if criterion == 'cross_entropy':
        criterion = nn.CrossEntropyLoss()
    else:
        raise ValueError

    if optimizer == 'SGD':
        optimizer = optim.SGD(model.parameters(), lr=0.01, momentum=0.5)
    elif optimizer == 'Adam':
        optimizer = optim.Adam(model.parameters(), lr=1e-4)
    else:
        raise ValueError

    classifier = PyTorchClassifier(model=model, input_shape=input_shape, loss=criterion,
                                   optimizer=optimizer, nb_classes=nb_classes)

    x = np.array([x_element.numpy()[0] for x_element in dataset[0]])
    y = np.array(dataset[1])

    predictions = classifier.predict(x)
    accuracy = np.sum(np.argmax(predictions, axis=1) == np.argmax(y, axis=1)) / len(y)
    print('Accuracy on benign test examples: {}%'.format(accuracy * 100))

    attack_function = get_attack_method(attack_method)
    attack_instance = attack_function(classifier=classifier)
    x_adv = attack_instance.generate(x=x)

    predictions = classifier.predict(x_adv)
    accuracy = np.sum(np.argmax(predictions, axis=1) == np.argmax(y, axis=1)) / len(y)
    print('Accuracy on adversarial test examples: {}%'.format(accuracy * 100))

    path_to_directory = join(abspath(lookup.get_db_dirs()[lookup.dataset]), fs.get_uuid())
    fs.make_dir(path_to_directory)
    db_uuid = processor.convert_to_image(path_to_directory, robust_db_name, x_adv)

    return db_uuid
def test_ptclassifier(self):
    """
    Third test with the PyTorchClassifier.

    :return:
    """
    # Get MNIST
    (x_train, y_train), (x_test, y_test) = self.mnist
    x_train = np.swapaxes(x_train, 1, 3)
    x_test = np.swapaxes(x_test, 1, 3)

    # Define the network
    model = Model()

    # Define a loss function and optimizer
    loss_fn = nn.CrossEntropyLoss()
    optimizer = optim.Adam(model.parameters(), lr=0.01)

    # Get classifier
    ptc = PyTorchClassifier((0, 1), model, loss_fn, optimizer, (1, 28, 28), 10)
    ptc.fit(x_train, y_train, batch_size=BATCH_SIZE, nb_epochs=10)

    # First attack
    cl2m = CarliniL2Method(classifier=ptc, targeted=True, max_iter=10)
    params = {'y': random_targets(y_test, ptc.nb_classes)}
    x_test_adv = cl2m.generate(x_test, **params)
    self.assertFalse((x_test == x_test_adv).all())
    self.assertTrue((x_test_adv <= 1.0001).all())
    self.assertTrue((x_test_adv >= -0.0001).all())
    target = np.argmax(params['y'], axis=1)
    y_pred_adv = np.argmax(ptc.predict(x_test_adv), axis=1)
    self.assertTrue((target == y_pred_adv).any())

    # Second attack
    cl2m = CarliniL2Method(classifier=ptc, targeted=False, max_iter=10)
    params = {'y': random_targets(y_test, ptc.nb_classes)}
    x_test_adv = cl2m.generate(x_test, **params)
    self.assertTrue((x_test_adv <= 1.0001).all())
    self.assertTrue((x_test_adv >= -0.0001).all())
    target = np.argmax(params['y'], axis=1)
    y_pred_adv = np.argmax(ptc.predict(x_test_adv), axis=1)
    self.assertTrue((target != y_pred_adv).any())

    # Third attack
    cl2m = CarliniL2Method(classifier=ptc, targeted=False, max_iter=10)
    params = {}
    x_test_adv = cl2m.generate(x_test, **params)
    self.assertFalse((x_test == x_test_adv).all())
    self.assertTrue((x_test_adv <= 1.0001).all())
    self.assertTrue((x_test_adv >= -0.0001).all())
    y_pred = np.argmax(ptc.predict(x_test), axis=1)
    y_pred_adv = np.argmax(ptc.predict(x_test_adv), axis=1)
    self.assertTrue((y_pred != y_pred_adv).any())
def get_art_model(model_kwargs, wrapper_kwargs):
    model = resnet50(**model_kwargs)
    wrapped_model = PyTorchClassifier(
        model,
        loss=nn.CrossEntropyLoss(),
        optimizer=None,
        input_shape=(224, 224, 3),
        **wrapper_kwargs,
    )
    return wrapped_model
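# Sketch of how the wrapper_kwargs pass-through above might be exercised; the
# keyword values here (pretrained, clip_values, nb_classes) are illustrative
# assumptions, not taken from the original configuration.
wrapped = get_art_model(
    model_kwargs={'pretrained': True},
    wrapper_kwargs={'clip_values': (0.0, 1.0), 'nb_classes': 1000},
)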
def test_ptclassifier(self):
    """
    Third test with the PyTorchClassifier.

    :return:
    """
    # Get MNIST
    (x_train, y_train), (x_test, y_test) = self.mnist
    x_train = np.swapaxes(x_train, 1, 3)
    x_test = np.swapaxes(x_test, 1, 3)

    # Create a simple CNN
    model = Model()

    # Define a loss function and optimizer
    loss_fn = nn.CrossEntropyLoss()
    optimizer = optim.Adam(model.parameters(), lr=0.01)

    # Get classifier
    ptc = PyTorchClassifier((0, 1), model, loss_fn, optimizer, (1, 28, 28), 10)
    ptc.fit(x_train, y_train, batch_size=BATCH_SIZE, nb_epochs=1)

    # Attack
    attack_params = {
        "max_translation": 10.0,
        "num_translations": 3,
        "max_rotation": 30.0,
        "num_rotations": 3,
    }
    attack_st = SpatialTransformation(ptc)
    x_train_adv = attack_st.generate(x_train, **attack_params)

    self.assertTrue(abs(x_train_adv[0, 0, 13, 5] - 0.374206543) <= 0.01)
    # self.assertTrue(abs(attack_st.fooling_rate - 0.781) <= 0.01)
    self.assertTrue(attack_st.attack_trans_x == 0)
    self.assertTrue(attack_st.attack_trans_y == -3)
    self.assertTrue(attack_st.attack_rot == 30.0)

    x_test_adv = attack_st.generate(x_test)
    self.assertTrue(abs(x_test_adv[0, 0, 14, 14] - 0.008591662) <= 0.01)
def setUpClass(cls):
    master_seed(seed=1234)
    super().setUpClass()

    # Reshape to NCHW for the PyTorch classifiers
    cls.x_train_mnist = np.reshape(
        cls.x_train_mnist, (cls.x_train_mnist.shape[0], 1, 28, 28)).astype(np.float32)
    cls.x_test_mnist = np.reshape(
        cls.x_test_mnist, (cls.x_test_mnist.shape[0], 1, 28, 28)).astype(np.float32)

    # Define the network
    model = nn.Sequential(nn.Conv2d(1, 2, 5), nn.ReLU(), nn.MaxPool2d(2, 2), Flatten(), nn.Linear(288, 10))

    # Define a loss function and optimizer
    loss_fn = nn.CrossEntropyLoss()
    optimizer = optim.Adam(model.parameters(), lr=0.01)
    classifier = PyTorchClassifier(model=model, clip_values=(0, 1), loss=loss_fn, optimizer=optimizer,
                                   input_shape=(1, 28, 28), nb_classes=10)
    classifier.fit(cls.x_train_mnist, cls.y_train_mnist, batch_size=100, nb_epochs=1)
    cls.seq_classifier = classifier

    # Define the network
    model = Model()
    loss_fn = nn.CrossEntropyLoss()
    optimizer = optim.Adam(model.parameters(), lr=0.01)
    classifier_2 = PyTorchClassifier(model=model, clip_values=(0, 1), loss=loss_fn, optimizer=optimizer,
                                     input_shape=(1, 28, 28), nb_classes=10)
    classifier_2.fit(cls.x_train_mnist, cls.y_train_mnist, batch_size=100, nb_epochs=1)
    cls.module_classifier = classifier_2

    # Reshape back to NHWC
    cls.x_train_mnist = np.reshape(
        cls.x_train_mnist, (cls.x_train_mnist.shape[0], 28, 28, 1)).astype(np.float32)
    cls.x_test_mnist = np.reshape(
        cls.x_test_mnist, (cls.x_test_mnist.shape[0], 28, 28, 1)).astype(np.float32)
def _cnn_mnist_py():
    model = Model()

    # Define a loss function and optimizer
    loss_fn = nn.CrossEntropyLoss()
    optimizer = optim.Adam(model.parameters(), lr=0.01)

    # Get classifier
    classifier = PyTorchClassifier((0, 1), model, loss_fn, optimizer, (1, 28, 28), 10)
    return classifier
def get_iris_classifier_pt():
    """
    Standard PyTorch classifier for unit testing on the Iris dataset.

    :return: Trained model for the Iris dataset.
    :rtype: :class:`.PyTorchClassifier`
    """
    from art.classifiers import PyTorchClassifier

    class Model(nn.Module):
        """
        Create Iris model for PyTorch.

        The weights and biases are identical to the Tensorflow model in `get_iris_classifier_tf`.
        """

        def __init__(self):
            super(Model, self).__init__()

            model_dir = os.path.join(os.path.dirname(os.path.dirname(__file__)), 'models')
            w_dense1 = np.load(os.path.join(model_dir, 'W_DENSE1_IRIS.npy'))
            b_dense1 = np.load(os.path.join(model_dir, 'B_DENSE1_IRIS.npy'))
            w_dense2 = np.load(os.path.join(model_dir, 'W_DENSE2_IRIS.npy'))
            b_dense2 = np.load(os.path.join(model_dir, 'B_DENSE2_IRIS.npy'))
            w_dense3 = np.load(os.path.join(model_dir, 'W_DENSE3_IRIS.npy'))
            b_dense3 = np.load(os.path.join(model_dir, 'B_DENSE3_IRIS.npy'))

            self.fully_connected1 = nn.Linear(4, 10)
            self.fully_connected1.weight = nn.Parameter(torch.Tensor(np.transpose(w_dense1)))
            self.fully_connected1.bias = nn.Parameter(torch.Tensor(b_dense1))
            self.fully_connected2 = nn.Linear(10, 10)
            self.fully_connected2.weight = nn.Parameter(torch.Tensor(np.transpose(w_dense2)))
            self.fully_connected2.bias = nn.Parameter(torch.Tensor(b_dense2))
            self.fully_connected3 = nn.Linear(10, 3)
            self.fully_connected3.weight = nn.Parameter(torch.Tensor(np.transpose(w_dense3)))
            self.fully_connected3.bias = nn.Parameter(torch.Tensor(b_dense3))

        def forward(self, x):
            x = self.fully_connected1(x)
            x = self.fully_connected2(x)
            logit_output = self.fully_connected3(x)
            return logit_output

    # Define the network
    model = Model()

    # Define a loss function and optimizer
    loss_fn = nn.CrossEntropyLoss()
    optimizer = optim.Adam(model.parameters(), lr=0.01)

    # Get classifier
    ptc = PyTorchClassifier(model=model, loss=loss_fn, optimizer=optimizer, input_shape=(4,), nb_classes=3,
                            clip_values=(0, 1), channel_index=1)

    return ptc
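# A small sanity-check sketch for the classifier above; the 4-feature rows are
# made-up Iris-like measurements scaled to [0, 1], not real dataset samples.
import numpy as np

ptc = get_iris_classifier_pt()
x = np.array([[0.2, 0.6, 0.1, 0.05],
              [0.7, 0.4, 0.8, 0.90]], dtype=np.float32)
preds = np.argmax(ptc.predict(x), axis=1)  # class indices in {0, 1, 2}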
def load_classifier(model, data):
    """
    Load an ART PyTorch classifier from a PyTorch model.

    :param model: pytorch model instance
    :param data: data class
    :return: ART classifier
    """
    # Not used for inference, but mandatory for ART
    criterion = torch.nn.CrossEntropyLoss()
    optimizer = torch.optim.SGD(model.parameters(), lr=0.01)

    classifier = PyTorchClassifier(
        model=model,
        clip_values=(data.min_pixel_value, data.max_pixel_value),
        loss=criterion,
        optimizer=optimizer,
        input_shape=tuple(data.trainset.data.shape[1:]),
        nb_classes=data.num_classes,
        device_type="gpu" if USE_CUDA else "cpu")
    classifier.set_learning_phase(False)
    return classifier
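# Hypothetical driver for load_classifier(); `net` stands in for a trained
# torch.nn.Module, `data` for the data class described in the docstring above,
# and `x_test`/`y_test` for held-out numpy arrays (images and integer labels).
# None of these names come from the original snippet.
import numpy as np

classifier = load_classifier(net, data)
preds = classifier.predict(x_test)
acc = np.mean(np.argmax(preds, axis=1) == y_test)
print(f"benign accuracy: {acc:.4f}")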
def main(config_filepath):
    config = load_config(config_filepath)
    if os.path.isfile(config.x_adv_output_path):
        click.confirm(f"Overwrite {config.x_adv_output_path}?", abort=True)

    np.random.seed(config.seed)
    torch.manual_seed(config.seed)

    # Load data
    x = torch.load(config.x_filepath)
    x_shape = x.shape
    x = x.reshape(x.shape[0], -1)
    y = torch.load(config.y_filepath)
    ace = torch.load(config.ace_filepath).cpu()
    interventions = torch.load(config.interventions_filepath).cpu()

    model = torch.load(config.model_filepath)

    with open(config.clip_values_filepath, "r") as f:
        clip_values = json.load(f)
    clip_values = (
        clip_values.get("min_pixel_value"),
        clip_values.get("max_pixel_value"),
    )

    classifier = PyTorchClassifier(
        model=model,
        clip_values=clip_values,
        loss=model.criterion,
        optimizer=model.optimizer,
        input_shape=(1, 28, 28),
        nb_classes=10,
    )  # TODO: move these parameters to config

    # Target the attacks to a particular class
    y_adv = torch.zeros_like(torch.from_numpy(y))
    y_adv[:, 0] = 1.0

    # Generate attacks
    x_adv = ace_attack(
        ace,
        interventions,
        torch.from_numpy(x),
        target_classes=y_adv,
        norm=2,
        budget=5.0,
    )  # TODO: move these parameters to config

    # Unflatten for saving
    x_adv = x_adv.reshape(x_shape)
    torch.save(x_adv, config.x_adv_output_path)
def get_classifier_pt():
    """
    Standard PyTorch classifier for unit testing.

    :return: PyTorchClassifier
    """
    from art.classifiers import PyTorchClassifier

    class Model(nn.Module):
        """
        Create model for PyTorch.

        The weights and biases are identical to the Tensorflow model in get_classifier_tf().
        """

        def __init__(self):
            super(Model, self).__init__()

            model_dir = os.path.join(os.path.dirname(os.path.dirname(__file__)), 'models')
            w_conv2d = np.load(os.path.join(model_dir, 'W_CONV2D_MNIST.npy'))
            b_conv2d = np.load(os.path.join(model_dir, 'B_CONV2D_MNIST.npy'))
            w_dense = np.load(os.path.join(model_dir, 'W_DENSE_MNIST.npy'))
            b_dense = np.load(os.path.join(model_dir, 'B_DENSE_MNIST.npy'))

            self.conv = nn.Conv2d(in_channels=1, out_channels=1, kernel_size=7)
            # Swap the TensorFlow kernel axes into PyTorch order (with a single
            # input and output channel here, the channel ordering is immaterial)
            w_conv2d_pt = np.swapaxes(w_conv2d, 0, 2)
            w_conv2d_pt = np.swapaxes(w_conv2d_pt, 1, 3)
            self.conv.weight = nn.Parameter(torch.Tensor(w_conv2d_pt))
            self.conv.bias = nn.Parameter(torch.Tensor(b_conv2d))
            self.pool = nn.MaxPool2d(4, 4)
            self.fullyconnected = nn.Linear(25, 10)
            self.fullyconnected.weight = nn.Parameter(torch.Tensor(np.transpose(w_dense)))
            self.fullyconnected.bias = nn.Parameter(torch.Tensor(b_dense))

        def forward(self, x):
            import torch.nn.functional as f
            x = self.pool(f.relu(self.conv(x)))
            x = x.view(-1, 25)
            logit_output = self.fullyconnected(x)
            return logit_output

    # Define the network
    model = Model()

    # Define a loss function and optimizer
    loss_fn = nn.CrossEntropyLoss()
    optimizer = optim.Adam(model.parameters(), lr=0.01)

    # Get classifier
    ptc = PyTorchClassifier(model=model, loss=loss_fn, optimizer=optimizer, input_shape=(1, 28, 28),
                            nb_classes=10, clip_values=(0, 1))

    return ptc
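# Minimal usage sketch: wrap the fixed-weight MNIST model above and score a
# hypothetical NCHW batch (random stand-in images, not real MNIST data).
import numpy as np

ptc = get_classifier_pt()
x_batch = np.random.rand(8, 1, 28, 28).astype(np.float32)  # stand-in images
preds = np.argmax(ptc.predict(x_batch), axis=1)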
def main(args):
    (x_train, y_train), (x_test, y_test), min_, max_ = load_dataset('cifar10')
    x_train = np.swapaxes(x_train, 1, 3).astype(np.float32)
    x_test = np.swapaxes(x_test, 1, 3).astype(np.float32)

    model = VGG('VGG16')
    model.load_state_dict(torch.load("./logs/pytorch_vgg16.model"))
    criterion = nn.CrossEntropyLoss()
    optimizer = optim.Adam(model.parameters(), lr=1e-2)
    classifier = PyTorchClassifier(model=model, clip_values=(min_, max_), loss=criterion,
                                   optimizer=optimizer, input_shape=(3, 32, 32), nb_classes=10)

    predictions = classifier.predict(x_test)
    accuracy = np.sum(np.argmax(predictions, axis=1) == np.argmax(y_test, axis=1)) / len(y_test)
    print('Accuracy on benign test examples: {}%'.format(accuracy * 100))

    pred_y = classifier.predict(x_train)
    v_max = 0
    n = 1000
    n_sp = list(split_list(x_train, n))
    for i, X_t in enumerate(n_sp):
        print(f'split_No {i + 1}')
        v_max = simulated_anniling(classifier, X_t, args)

    # Compute fooling rate
    adv_x = x_train + v_max
    adv_y = classifier.predict(adv_x)
    fooling_rate = loss_fn(pred_y, adv_y, mode="fool_rate")
    print(fooling_rate)
def test_ptclassifier(self):
    """
    Third test with the PyTorchClassifier.

    :return:
    """
    # Get MNIST
    (x_train, y_train), (x_test, y_test) = self.mnist
    x_train = np.swapaxes(x_train, 1, 3)
    x_test = np.swapaxes(x_test, 1, 3)

    # Create simple CNN
    model = Model()

    # Define a loss function and optimizer
    loss_fn = nn.CrossEntropyLoss()
    optimizer = optim.Adam(model.parameters(), lr=0.01)

    # Get classifier
    ptc = PyTorchClassifier((0, 1), model, loss_fn, optimizer, (1, 28, 28), 10)
    ptc.fit(x_train, y_train, batch_size=BATCH_SIZE, nb_epochs=1)

    # Attack
    nf = NewtonFool(ptc, max_iter=5)
    x_test_adv = nf.generate(x_test)
    self.assertFalse((x_test == x_test_adv).all())

    y_pred = ptc.predict(x_test)
    y_pred_adv = ptc.predict(x_test_adv)
    y_pred_bool = y_pred.max(axis=1, keepdims=1) == y_pred
    y_pred_max = y_pred.max(axis=1)
    y_pred_adv_max = y_pred_adv[y_pred_bool]
    self.assertTrue((y_pred_max >= y_pred_adv_max).all())