def create_adv_examples(model, input_t, x_to_adv, attack_dict):
    """Generate adversarial examples from a declarative attack specification.

    The whole attack is described by ``attack_dict`` so it can be supplied
    from the command line without editing this script, which is convenient
    both for scripting and repeatability.

    Args:
        model: cleverhans-compatible model (or wrapper) to attack.
        input_t: input placeholder tensor the attack graph is built on.
        x_to_adv: array of clean inputs to perturb.
        attack_dict: dict with a ``'method'`` key (``'fgm'``, ``'bim'`` or
            ``'mim'``); every other key/value pair is forwarded verbatim to
            ``attack.generate``.

    Returns:
        Array of adversarial examples produced by ``batch_eval``.

    Raises:
        ValueError: if ``attack_dict['method']`` is not recognised.
    """
    # Map the command-line method name onto the cleverhans attack class.
    attack_classes = {
        'fgm': attacks.FastGradientMethod,
        'bim': attacks.BasicIterativeMethod,
        'mim': attacks.MomentumIterativeMethod,
    }
    method = attack_dict['method']
    if method not in attack_classes:
        # Was `assert False`, which is silently stripped under `python -O`;
        # raise explicitly so an unknown method always fails loudly.
        raise ValueError(
            'Unknown attack method %r: add it to create_adv_examples' % method)
    attack = attack_classes[method](model, sess=K.get_session(), back='tf')
    # Forward everything except 'method' (consumed by this fn) to generate().
    adv_tensor = attack.generate(
        input_t, **{k: a for k, a in attack_dict.items() if k != 'method'})
    # NOTE(review): relies on a module-level `args` for batch_size — confirm.
    x_adv = batch_eval(adv_tensor, input_t, x_to_adv,
                       batch_size=args.batch_size,
                       verbose="Generating adv examples")
    return x_adv
def __init__(self, model, prob=0.0, actionProbThr=1.0):
    """Wrap *model* and pre-instantiate every supported cleverhans attack."""
    super(AttackModel, self).__init__()
    self.sess = model.sess
    # Expose the wrapped model's tensors under the layer-name protocol.
    self.layer_names = ['inputs', 'logits', 'probs']
    self.layers = [model.inputs, model.logits, model.probs]
    self.input_shape = tuple(model.inputs.shape.as_list())
    self.nb_classes = model.logits.get_shape()[1].value
    # One pre-built attack object per supported method, keyed by short name.
    # The (name, class) pairs keep the original insertion order.
    cleverhans_attacks = [
        ("lbfgs", atts.LBFGS),
        ("fgsm", atts.FastGradientMethod),
        ("basicIt", atts.BasicIterativeMethod),
        ("pgd", atts.MadryEtAl),
        ("momenIt", atts.MomentumIterativeMethod),
        ("jsma", atts.SaliencyMapMethod),
        ("cwl2", atts.CarliniWagnerL2),
        ("ead", atts.ElasticNetMethod),
        ("deepfool", atts.DeepFool),
        ("spsa", atts.SPSA),
        ("featureAdvs", atts.FastFeatureAdversaries),
    ]
    self.attackModels = {}
    for attack_name, attack_cls in cleverhans_attacks:
        self.attackModels[attack_name] = attack_cls(self, "tf", self.sess)
    self.availableAttacks = list(self.attackModels.keys())
    # Two additional attacks are handled outside the cleverhans dict.
    self.availableAttacks.append("ofsm")
    self.ofsm = OFSM()
    self.availableAttacks.append("gauss")
    self.gaussEps = 0.0
    # Attack-selection state.
    self.attack = None
    self.lastAttack = None
    self.attackProb = prob
    self.actionProbThr = actionProbThr
def basic_iter_init(model):
    """
    @brief: Build a Basic Iterative attack around a Keras model
    @param: Keras model (TensorFlow backend)
    @return: Initialized Basic Iterative module
    """
    wrapped = KerasModelWrapper(model)
    # The attack shares the session Keras is already using.
    return clhan.BasicIterativeMethod(wrapped, keras.backend.get_session())
def adversarial_attack(data, args):
    """Build the requested attack graph and return adversarial test examples.

    Args:
        data: dataset object exposing ``train_data``/``train_label`` and
            ``test_data``/``test_label`` arrays (one-hot labels).
        args: options object with ``eps`` (perturbation size), ``lorder``
            (norm order), ``model`` (weights path) and ``attack`` (one of
            'fgsm', 'ifgsm', 'mifgsm', 'jsma', 'lbfgs', 'deepfool', 'cw',
            'pgd').

    Returns:
        float32 array of adversarial examples, same shape as the test set.

    Raises:
        ValueError: if ``args.attack`` names an unknown attack.
    """
    # Set attack parameters
    eps = float(args.eps)
    order = args.lorder
    batch_size = 100

    # Set evaluation parameters
    eval_params = {'batch_size': batch_size}

    # Object used to keep track of (and return) key accuracies
    report = utils.AccuracyReport()

    # Set TF random seed to improve reproducibility
    tf.set_random_seed(1234)

    # Set logging level to see debug information
    utils.set_log_level(logging.DEBUG)

    tf_config = tf.ConfigProto()
    tf_config.gpu_options.allow_growth = True
    sess = tf.Session(config=tf_config)
    keras.backend.set_session(sess)

    # Get CIFAR10 data
    x_train, y_train = data.train_data, data.train_label
    x_test, y_test = data.test_data, data.test_label
    img_rows, img_cols, nchannels = x_train.shape[1:4]
    nb_classes = y_train.shape[1]

    # Define input TF placeholders
    x = tf.placeholder(tf.float32,
                       shape=(None, img_rows, img_cols, nchannels))
    y = tf.placeholder(tf.float32, shape=(None, nb_classes))

    def evaluate(preds, x_set, y_set, report_key, is_adv=None):
        # Record accuracy on `report` and print it when is_adv is not None.
        acc = utils_tf.model_eval(sess, x, y, preds, x_set, y_set,
                                  args=eval_params)
        setattr(report, report_key, acc)
        if is_adv is None:
            report_text = None
        elif is_adv:
            report_text = 'adversarial'
        else:
            report_text = 'legitimate'
        if report_text:
            print('Test accuracy on %s examples: %0.4f' % (report_text, acc))

    # Load baseline model
    model = resnet(input_shape=x_train.shape[1:], depth=29,
                   num_classes=10).build()
    model.load_weights(args.model)
    wrapper = utils_keras.KerasModelWrapper(model)
    preds = model(x)
    evaluate(preds, x_test, y_test, 'clean_train_clean_eval', False)

    # Parameter groups shared by several attacks (previously duplicated
    # in every branch).
    clip = {'clip_min': 0., 'clip_max': 1.}
    iter_params = dict(eps=eps, eps_iter=eps / 10, ord=order, **clip)

    # Select the attack and its generate() parameters. Parameters are built
    # lazily per branch so e.g. the LBFGS random targets are only computed
    # when that attack is actually requested.
    if args.attack == 'fgsm':
        # Fast Gradient Sign Method (FGSM) attack
        attack = attacks.FastGradientMethod(wrapper, sess=sess)
        attack_params = dict(eps=eps, ord=order, **clip)
    elif args.attack == 'ifgsm':
        # Iterative FGSM (Basic Iterative Method)
        attack = attacks.BasicIterativeMethod(wrapper, sess=sess)
        attack_params = dict(iter_params)
    elif args.attack == 'mifgsm':
        attack = attacks.MomentumIterativeMethod(wrapper, sess=sess)
        attack_params = dict(iter_params)
    elif args.attack == 'jsma':
        attack = attacks.SaliencyMapMethod(wrapper, sess=sess)
        attack_params = dict(theta=1., gamma=1., ord=order, **clip)
    elif args.attack == 'lbfgs':
        attack = attacks.LBFGS(wrapper, sess=sess)
        # NOTE(review): targets are drawn for the full test set while the
        # final loop feeds 100-example slices — confirm alignment holds.
        attack_params = dict(
            y_target=tf.convert_to_tensor(
                get_random_targets(data.test_label)),
            batch_size=batch_size,
            binary_search_steps=4,
            max_iterations=1000,
            **clip)
    elif args.attack == 'deepfool':
        attack = attacks.DeepFool(wrapper, sess=sess)
        attack_params = dict(nb_candidate=10, overshoot=0.02,
                             max_iterations=100, **clip)
    elif args.attack == 'cw':
        attack = attacks.CarliniWagnerL2(wrapper, sess=sess)
        attack_params = dict(batch_size=batch_size, binary_search_steps=4,
                             max_iterations=1000, abort_early=True, **clip)
    elif args.attack == 'pgd':
        attack = attacks.ProjectedGradientDescent(wrapper, sess=sess)
        attack_params = dict(iter_params)
    else:
        # Previously an unknown attack fell through every branch and later
        # crashed with NameError on `adv_x`; fail fast instead.
        raise ValueError('Unknown attack: %r' % args.attack)

    adv_x = attack.generate(x, **attack_params)
    # Kept for the (currently disabled) adversarial-accuracy evaluation.
    preds_adv = model(adv_x)

    # Materialize adversarial examples batch by batch.
    with sess.as_default():
        adv = np.zeros(x_test.shape, dtype=np.float32)
        n = batch_size
        # NOTE(review): any remainder when len(x_test) is not a multiple of
        # the batch size is left as zeros — confirm this is intended.
        for i in range(x_test.shape[0] // n):
            adv[i * n:(i + 1) * n] = sess.run(
                adv_x, feed_dict={x: x_test[i * n:(i + 1) * n]})
    return adv
+'_batchsize'+str(FLAGS.batch_size)+attack_method_for_advtrain+adv_ratio_name+BN_name+'/' \ +'model.'+str(FLAGS.epoch).zfill(3)+'.h5' wrap_ensemble = KerasModelWrapper(model, num_class=num_class) model.load_weights(filepath_dir) # Initialize the attack method if FLAGS.attack_method == 'MadryEtAl': att = attacks.MadryEtAl(wrap_ensemble) elif FLAGS.attack_method == 'FastGradientMethod': att = attacks.FastGradientMethod(wrap_ensemble) elif FLAGS.attack_method == 'MomentumIterativeMethod': att = attacks.MomentumIterativeMethod(wrap_ensemble) elif FLAGS.attack_method == 'BasicIterativeMethod': att = attacks.BasicIterativeMethod(wrap_ensemble) # Consider the attack to be constant eval_par = {'batch_size': FLAGS.batch_size} for eps in range(4): eps_ = (eps + 1) * 8 print('eps is %d' % eps_) eps_ = eps_ / 256.0 if FLAGS.target == False: y_target = None if FLAGS.attack_method == 'FastGradientMethod': att_params = { 'eps': eps_, 'clip_min': clip_min, 'clip_max': clip_max,
rec_balds = [] AUC_entropies = [] AUC_balds = [] AP_entropies = [] AP_balds = [] for i, (name, m) in enumerate(models_to_eval): input_t = K.placeholder(shape=(None, 28, 28, 1)) wrap = CallableModelWrapper(m, 'probs') attack = attacks.BasicIterativeMethod(wrap, sess=K.get_session(), back='tf') adv_tensor = attack.generate( input_t, eps=50, nb_iter=10, eps_iter=5, ord=1, clip_min=0, clip_max=1, y_targets=make_random_targets(x_to_adv_labs)) x_adv = adv_tensor.eval(session=K.get_session(), feed_dict={input_t: x_to_adv}) #check the examples are really adversarial preds = m.predict(x_adv).argmax(axis=1)
#Load model model.load_weights(filepath) model_baseline.load_weights(filepath_baseline) # Initialize the attack method if FLAGS.attack_method == 'MadryEtAl': att = attacks.MadryEtAl(wrap_ensemble) att_baseline = attacks.MadryEtAl(wrap_ensemble_baseline) elif FLAGS.attack_method == 'FastGradientMethod': att = attacks.FastGradientMethod(wrap_ensemble) att_baseline = attacks.FastGradientMethod(wrap_ensemble_baseline) elif FLAGS.attack_method == 'MomentumIterativeMethod': att = attacks.MomentumIterativeMethod(wrap_ensemble) att_baseline = attacks.MomentumIterativeMethod(wrap_ensemble_baseline) elif FLAGS.attack_method == 'BasicIterativeMethod': att = attacks.BasicIterativeMethod(wrap_ensemble) att_baseline = attacks.BasicIterativeMethod(wrap_ensemble_baseline) # Consider the attack to be constant eval_par = {'batch_size': 100} eps_ = FLAGS.eps print('eps is %.3f' % eps_) if FLAGS.attack_method == 'FastGradientMethod': att_params = {'eps': eps_, 'clip_min': clip_min, 'clip_max': clip_max} else: att_params = { 'eps': eps_, 'eps_iter': eps_ * 1.0 / 10, 'clip_min': clip_min, 'clip_max': clip_max, 'nb_iter': 10