def test_minimal_perturbations_images(fix_get_mnist_subset, get_image_classifier_list_for_attack): classifier_list = get_image_classifier_list_for_attack(FastGradientMethod) # TODO this if statement must be removed once we have a classifier for both image and tabular data if classifier_list is None: logging.warning( "Couldn't perform this test because no classifier is defined") return for classifier in classifier_list: attack = FastGradientMethod(classifier, eps=1.0, batch_size=11) attack_params = {"minimal": True, "eps_step": 0.1, "eps": 5.0} attack.set_params(**attack_params) expected_values = { "x_test_mean": ExpectedValue(0.03896513, 0.01), "x_test_min": ExpectedValue(-0.30000000, 0.00001), "x_test_max": ExpectedValue(0.30000000, 0.00001), "y_test_pred_adv_expected": ExpectedValue(np.asarray([4, 2, 4, 7, 0, 4, 7, 2, 0, 7, 0]), 2), } backend_check_adverse_values(attack, fix_get_mnist_subset, expected_values)
def attack(self, eps=0.05): # Create Adversarial Examples using FGSM. self.utility.print_message( NOTE, 'Creating Adversarial Examples using FGSM.') attack = FastGradientMethod(estimator=self.model, eps=eps) X_adv = attack.generate(x=self.dataset) return X_adv
def test_inverse_gan(art_warning, fix_get_mnist_subset, image_dl_estimator_for_attack): try: (x_train_mnist, y_train_mnist, x_test_mnist, y_test_mnist) = fix_get_mnist_subset gan, inverse_gan, sess = get_gan_inverse_gan_ft() if gan is None: logging.warning("Couldn't perform this test because no gan is defined for this framework configuration") return classifier = image_dl_estimator_for_attack(FastGradientMethod) attack = FastGradientMethod(classifier, eps=0.2) x_test_adv = attack.generate(x=x_test_mnist) inverse_gan = InverseGAN(sess=sess, gan=gan, inverse_gan=inverse_gan) x_test_defended = inverse_gan(x_test_adv, maxiter=1) np.testing.assert_array_almost_equal( float(np.mean(x_test_defended - x_test_adv)), 0.08818667382001877, decimal=0.01, ) except ARTTestException as e: art_warning(e)
def test_inverse_gan(fix_get_mnist_subset, image_dl_estimator_for_attack): (x_train_mnist, y_train_mnist, x_test_mnist, y_test_mnist) = fix_get_mnist_subset gan, inverse_gan, sess = get_gan_inverse_gan_ft() if gan is None: logging.warning( "Couldn't perform this test because no gan is defined for this framework configuration" ) return classifier_list = image_dl_estimator_for_attack(FastGradientMethod) if classifier_list is None: logging.warning( "Couldn't perform this test because no classifier is defined") return classifier = classifier_list[0] attack = FastGradientMethod(classifier, eps=0.2) x_test_adv = attack.generate(x=x_test_mnist) inverse_gan = InverseGAN(sess=sess, gan=gan, inverse_gan=inverse_gan) x_test_defended = inverse_gan(x_test_adv, maxiter=1) assert np.mean(x_test_defended - x_test_adv) == pytest.approx(0.33819187, abs=0.05)
def generate_adv_samples(self, model_path, name): name = name model = models.load_model(model_path) x_train, x_test, y_train, y_test = self.data_pre_process(name) classifier = KerasClassifier(clip_values=(np.min(x_train), np.max(x_train)), model=model) fgsm = FastGradientMethod(classifier, eps=0.01, minimal=True, eps_step=0.01, num_random_init=35, targeted=False, batch_size=128) x_adv_test = fgsm.generate(x=x_test) return x_adv_test
def test_targeted_images(art_warning, fix_get_mnist_subset, image_dl_estimator_for_attack): try: classifier = image_dl_estimator_for_attack(FastGradientMethod) attack = FastGradientMethod(classifier, eps=1.0, targeted=True) attack_params = {"minimal": True, "eps_step": 0.01, "eps": 1.0} attack.set_params(**attack_params) backend_targeted_images(attack, fix_get_mnist_subset) except ARTTestException as e: art_warning(e)
def test_tabular(art_warning, tabular_dl_estimator, framework, get_iris_dataset, targeted, clipped): try: classifier = tabular_dl_estimator(clipped=clipped) if targeted: attack = FastGradientMethod(classifier, targeted=True, eps=0.1, batch_size=128) backend_targeted_tabular(attack, get_iris_dataset) else: attack = FastGradientMethod(classifier, eps=0.1) backend_untargeted_tabular(attack, get_iris_dataset, clipped=clipped) except ARTTestException as e: art_warning(e)
def generate_adv_samples(self): model = models.load_model(self.model_path) x_train, x_test, y_train, y_test = self.data_pre_process() classifier = KerasClassifier(clip_values=(np.min(x_train), np.max(x_train)), model=model) if self.attack == 'fgsm': fgsm = FastGradientMethod(classifier, eps=0.01, minimal=True, eps_step=0.01, num_random_init=35, targeted=False, batch_size=128) x_adv_test = fgsm.generate(x=x_test) if self.defence == True: return x_test, x_adv_test, y_test else: return x_test, x_adv_test, y_test
def attack_FGSM_nontargeted(dataloader, model, model_info, args, checkpoint_dir): """ FGSM attack """ device = args.device criterion = nn.CrossEntropyLoss() optimizer = optim.Adam(model.parameters(), lr=0.01) img_size = model_info["model_img_size"] n_classes = model_info["num_classes"] classifier = PyTorchClassifier( model=model, loss=criterion, clip_values=(0.0, 1.0), optimizer=optimizer, input_shape=(img_size, img_size), nb_classes=n_classes, device_type=device, ) # attack = FastGradientMethod(estimator=classifier, batch_size=args.batch_size) attack = FastGradientMethod(estimator=classifier, batch_size=args.batch_size) # Launching a non-targeted attack # t = args.target_class print(f"Launching FGSM nontargeted attack") dest_images = os.path.join(checkpoint_dir, args.model_name) os.makedirs(dest_images, exist_ok=True) # Running over the entire-batch to compute a universal perturbation for data in tqdm(dataloader): sample, label, img_path = data sample = sample.to(device) # Launch attack sample_adv = attack.generate(x=sample.cpu()) # Code to save these images img_path = [it.split("/")[-1] for it in img_path] for i in range(len(sample_adv)): _img = sample_adv[i].transpose(1, 2, 0) skimage.io.imsave(os.path.join(dest_images, img_path[i]), img_as_ubyte(_img)) with open(os.path.join(dest_images, "stats.txt"), "w") as f: f.write(f"Fooling-rate was nan\n") return dest_images
def test_targeted_images(fix_get_mnist_subset, image_dl_estimator_for_attack): classifier_list = image_dl_estimator_for_attack(FastGradientMethod) # TODO this if statement must be removed once we have a classifier for both image and tabular data if classifier_list is None: logging.warning( "Couldn't perform this test because no classifier is defined") return for classifier in classifier_list: attack = FastGradientMethod(classifier, eps=1.0, targeted=True) attack_params = {"minimal": True, "eps_step": 0.01, "eps": 1.0} attack.set_params(**attack_params) backend_targeted_images(attack, fix_get_mnist_subset)
def adv_model_fit(self): model = self.choose_model x_train, x_test, y_train, y_test = self.data_pre_process() classifier = KerasClassifier(clip_values=(np.min(x_train), np.max(x_train)), model=model) fgsm = FastGradientMethod(classifier, eps=0.01, minimal=True, eps_step=0.01, num_random_init=35, targeted=False, batch_size=128) x_train, x_test = self.data_reshape(self.model_choice, x_train, x_test) x_adv_train = fgsm.generate(x=x_train) history = model.fit(x_adv_train, y_train, epochs=self.epochs, batch_size=32, validation_split=0.2) data_record = DataRecord() data_record.model = model data_record.summary = model.to_yaml() data_record.history = history data_record.epochs = self.epochs self.result_save(data_record, self.save_adv_dir)
def test_classifier_defended_images(art_warning, fix_get_mnist_subset, image_dl_estimator_for_attack): try: classifier = image_dl_estimator_for_attack(FastGradientMethod, defended=True) attack = FastGradientMethod(classifier, eps=1.0, batch_size=128) backend_test_defended_images(attack, fix_get_mnist_subset) except ARTTestException as e: art_warning(e)
def test_norm_images(art_warning, norm, fix_get_mnist_subset, image_dl_estimator_for_attack): try: classifier = image_dl_estimator_for_attack(FastGradientMethod) if norm == np.inf: expected_values = { "x_test_mean": ExpectedValue(0.2346725, 0.002), "x_test_min": ExpectedValue(-1.0, 0.00001), "x_test_max": ExpectedValue(1.0, 0.00001), "y_test_pred_adv_expected": ExpectedValue(np.asarray([4, 4, 4, 7, 7, 4, 7, 2, 2, 3, 0]), 2), } elif norm == 1: expected_values = { "x_test_mean": ExpectedValue(0.00051374, 0.002), "x_test_min": ExpectedValue(-0.01486498, 0.001), "x_test_max": ExpectedValue(0.014761963, 0.001), "y_test_pred_adv_expected": ExpectedValue(np.asarray([7, 1, 1, 4, 4, 1, 4, 4, 4, 4, 4]), 4), } elif norm == 2: expected_values = { "x_test_mean": ExpectedValue(0.007636416, 0.001), "x_test_min": ExpectedValue(-0.211054801, 0.001), "x_test_max": ExpectedValue(0.209592223, 0.001), "y_test_pred_adv_expected": ExpectedValue(np.asarray([7, 2, 4, 4, 4, 7, 7, 4, 0, 4, 4]), 2), } attack = FastGradientMethod(classifier, eps=1.0, norm=norm, batch_size=128) backend_check_adverse_values(attack, fix_get_mnist_subset, expected_values) except ARTTestException as e: art_warning(e)
def test_iterative_saliency(fix_get_mnist_subset, image_dl_estimator_for_attack): classifier_list = image_dl_estimator_for_attack(FastGradientMethod) # TODO this if statement must be removed once we have a classifier for both image and tabular data if classifier_list is None: logging.warning( "Couldn't perform this test because no classifier is defined") return expected_values_axis_1 = { "nb_perturbed_frames": ExpectedValue(np.asarray([10, 1, 2, 12, 16, 1, 2, 7, 4, 11, 5]), 2) } expected_values_axis_2 = { "nb_perturbed_frames": ExpectedValue(np.asarray([11, 1, 2, 6, 14, 2, 2, 13, 4, 8, 4]), 2) } for classifier in classifier_list: attacker = FastGradientMethod(classifier, eps=0.3, batch_size=128) attack = FrameSaliencyAttack(classifier, attacker, "iterative_saliency") backend_check_adverse_frames(attack, fix_get_mnist_subset, expected_values_axis_1) # test with non-default frame index: attack = FrameSaliencyAttack(classifier, attacker, "iterative_saliency", frame_index=2) backend_check_adverse_frames(attack, fix_get_mnist_subset, expected_values_axis_2)
def test_one_shot(fix_get_mnist_subset, image_dl_estimator_for_attack): classifier_list = image_dl_estimator_for_attack(FastGradientMethod) # TODO this if statement must be removed once we have a classifier for both image and tabular data if classifier_list is None: logging.warning( "Couldn't perform this test because no classifier is defined") return # for the one-shot method, frame saliency attack should resort to plain FastGradientMethod expected_values = { "x_test_mean": ExpectedValue(0.2346725, 0.002), "x_test_min": ExpectedValue(-1.0, 0.00001), "x_test_max": ExpectedValue(1.0, 0.00001), "y_test_pred_adv_expected": ExpectedValue(np.asarray([4, 4, 4, 7, 7, 4, 7, 2, 2, 3, 0]), 2), } for classifier in classifier_list: attacker = FastGradientMethod(classifier, eps=1, batch_size=128) attack = FrameSaliencyAttack(classifier, attacker, "one_shot") backend_check_adverse_values(attack, fix_get_mnist_subset, expected_values)
def test_fgsm_defences(fix_get_mnist_subset, image_dl_estimator, is_tf_version_2): if is_tf_version_2: clip_values = (0, 1) smooth_3x3 = SpatialSmoothingTensorFlowV2(window_size=3, channels_first=False) smooth_5x5 = SpatialSmoothingTensorFlowV2(window_size=5, channels_first=False) smooth_7x7 = SpatialSmoothingTensorFlowV2(window_size=7, channels_first=False) classifier_, _ = image_dl_estimator(one_classifier=True) loss_object = tf.keras.losses.CategoricalCrossentropy(from_logits=True) classifier = TensorFlowV2Classifier( clip_values=clip_values, model=classifier_.model, preprocessing_defences=[smooth_3x3, smooth_5x5, smooth_7x7], loss_object=loss_object, input_shape=(28, 28, 1), nb_classes=10, ) assert len(classifier.preprocessing_defences) == 3 attack = FastGradientMethod(classifier, eps=1, batch_size=128) backend_test_defended_images(attack, fix_get_mnist_subset)
def test_masked_images(art_warning, fix_get_mnist_subset, image_dl_estimator_for_attack): try: classifier = image_dl_estimator_for_attack(FastGradientMethod) attack = FastGradientMethod(classifier, eps=1.0, num_random_init=1) backend_masked_images(attack, fix_get_mnist_subset) except ARTTestException as e: art_warning(e)
def test_iterative_saliency(art_warning, fix_get_mnist_subset, image_dl_estimator_for_attack): try: classifier = image_dl_estimator_for_attack(FastGradientMethod) expected_values_axis_1 = { "nb_perturbed_frames": ExpectedValue(np.asarray([10, 1, 2, 12, 16, 1, 2, 7, 4, 11, 5]), 2) } expected_values_axis_2 = { "nb_perturbed_frames": ExpectedValue(np.asarray([11, 1, 2, 6, 14, 2, 2, 13, 4, 8, 4]), 2) } attacker = FastGradientMethod(classifier, eps=0.3, batch_size=128) attack = FrameSaliencyAttack(classifier, attacker, "iterative_saliency") backend_check_adverse_frames(attack, fix_get_mnist_subset, expected_values_axis_1) # test with non-default frame index: attack = FrameSaliencyAttack(classifier, attacker, "iterative_saliency", frame_index=2) backend_check_adverse_frames(attack, fix_get_mnist_subset, expected_values_axis_2) except ARTTestException as e: art_warning(e)
def test_check_params(art_warning, image_dl_estimator_for_attack): try: from art.attacks.evasion import FastGradientMethod classifier = image_dl_estimator_for_attack(FrameSaliencyAttack, from_logits=True) attacker = FastGradientMethod(estimator=classifier) with pytest.raises(ValueError): _ = FrameSaliencyAttack(classifier, attacker="attack") with pytest.raises(ValueError): _ = FrameSaliencyAttack(classifier, attacker=attacker, method="test") with pytest.raises(ValueError): _ = FrameSaliencyAttack(classifier, attacker=attacker, frame_index=0) with pytest.raises(ValueError): _ = FrameSaliencyAttack(classifier, attacker=attacker, batch_size=-1) with pytest.raises(ValueError): _ = FrameSaliencyAttack(classifier, attacker=attacker, verbose="true") except ARTTestException as e: art_warning(e)
def test_check_params(art_warning, image_dl_estimator_for_attack): try: from art.attacks.evasion import FastGradientMethod classifier = image_dl_estimator_for_attack(AutoAttack) attacks = [FastGradientMethod(estimator=classifier)] with pytest.raises(ValueError): _ = AutoAttack(classifier, attacks=attacks, norm=0) with pytest.raises(ValueError): _ = AutoAttack(classifier, attacks=attacks, eps="1") with pytest.raises(ValueError): _ = AutoAttack(classifier, attacks=attacks, eps=-1.0) with pytest.raises(ValueError): _ = AutoAttack(classifier, attacks=attacks, eps_step="1") with pytest.raises(ValueError): _ = AutoAttack(classifier, attacks=attacks, eps_step=-1.0) with pytest.raises(ValueError): _ = AutoAttack(classifier, attacks=attacks, batch_size=1.0) with pytest.raises(ValueError): _ = AutoAttack(classifier, attacks=attacks, batch_size=-1) except ARTTestException as e: art_warning(e)
def test_fgsm_defences(fix_get_mnist_subset, image_dl_estimator, device_type): clip_values = (0, 1) smooth_3x3 = SpatialSmoothingPyTorch(window_size=3, channels_first=True, device_type=device_type) smooth_5x5 = SpatialSmoothingPyTorch(window_size=5, channels_first=True, device_type=device_type) smooth_7x7 = SpatialSmoothingPyTorch(window_size=7, channels_first=True, device_type=device_type) classifier_, _ = image_dl_estimator(one_classifier=True) criterion = nn.CrossEntropyLoss() classifier = PyTorchClassifier( clip_values=clip_values, model=classifier_.model, preprocessing_defences=[smooth_3x3, smooth_5x5, smooth_7x7], loss=criterion, input_shape=(1, 28, 28), nb_classes=10, device_type=device_type, ) assert len(classifier.preprocessing_defences) == 3 attack = FastGradientMethod(classifier, eps=1, batch_size=128) backend_test_defended_images(attack, fix_get_mnist_subset)
def __init__(self, linf_args={}, cond_ratio=0.01, ref_data=None, **kwds): super().__init__(**kwds) self.metric = LInf(**linf_args) self.cond_ratio = cond_ratio self.ref_data = ref_data ## define a global attacker classifier = KerasClassifier(clip_values=(MIN, -MIN), model=self.dnn) self.adv_crafter = FastGradientMethod(classifier)
def FGSM(points=10): from art.attacks.evasion import FastGradientMethod from art.estimators.classification import TensorFlowV2Classifier loss_object = tf.keras.losses.SparseCategoricalCrossentropy() classifier = TensorFlowV2Classifier(model=model, nb_classes=10, input_shape=(28, 28, 1), loss_object=loss_object, clip_values=(0, 1), channels_first=False) # Craft adversarial samples with FGSM epsilons = [0.05 * i for i in range(points)] # Maximum perturbation preds = np.argmax(classifier.predict(x_test), axis=1) acc = np.sum(preds == np.argmax(y_test, axis=1)) / y_test.shape[0] print("\nTest accuracy on normal sample: %.2f%% eps: %.2f" % (acc * 100, 0)) accuracies = [acc] examples = [] for epsilon in epsilons[1:]: adv_crafter = FastGradientMethod(classifier, eps=epsilon) x_test_adv = adv_crafter.generate(x=x_test) # Evaluate the classifier on the adversarial examples preds = np.argmax(classifier.predict(x_test_adv), axis=1) acc = np.sum(preds == np.argmax(y_test, axis=1)) / y_test.shape[0] print("\nTest accuracy on adversarial sample: %.2f%% eps: %.2f" % (acc * 100, epsilon)) accuracies.append(acc) example = [] preds = np.argmax(classifier.predict(x_test_adv), axis=1) labels = np.argmax(y_test, axis=1) for i in range(len(preds)): p, l = preds[i], labels[i] if p != l: orig = l adv = p ex = x_test_adv[i] example.append((orig, adv, ex)) if len(example) == 5: break examples.append(example) plot_accuracies(epsilons, accuracies) plot_examples(epsilons[1:], examples)
def test_non_classification(art_warning, fix_get_mnist_subset, image_dl_estimator_for_attack, fix_get_rcnn): try: classifier = fix_get_rcnn attack = FastGradientMethod(classifier, num_random_init=3) backend_test_random_initialisation_images(attack, fix_get_mnist_subset) except ARTTestException as e: art_warning(e)
def test_masked_images(fix_get_mnist_subset, image_dl_estimator_for_attack): classifier_list = image_dl_estimator_for_attack(FastGradientMethod) # TODO this if statement must be removed once we have a classifier for both image and tabular data if classifier_list is None: logging.warning( "Couldn't perform this test because no classifier is defined") return for classifier in classifier_list: attack = FastGradientMethod(classifier, eps=1.0, num_random_init=1) backend_masked_images(attack, fix_get_mnist_subset)
def __init__(self, linf_args={}, cond_ratio=0.01, ref_data=None, **kwds): """ TODO: FGM also accepts the L1 and L2 norms, in addition to Linf. """ super().__init__(**kwds) self.metric = LInf(**linf_args) self.cond_ratio = cond_ratio self.ref_data = ref_data ## define a global attacker classifier = KerasClassifier(clip_values=(MIN, -MIN), model=self.dnn) self.adv_crafter = FastGradientMethod(classifier)
def test_tabular(get_tabular_classifier_list, framework, get_iris_dataset, targeted, clipped): classifier_list = get_tabular_classifier_list(FastGradientMethod, clipped=clipped) if classifier_list is None: logging.warning( "Couldn't perform this test because no classifier is defined") return for classifier in classifier_list: if targeted: attack = FastGradientMethod(classifier, targeted=True, eps=0.1, batch_size=128) backend_targeted_tabular(attack, get_iris_dataset) else: attack = FastGradientMethod(classifier, eps=0.1) backend_untargeted_tabular(attack, get_iris_dataset, clipped=clipped)
def test_norm_images(norm, fix_get_mnist_subset, get_image_classifier_list_for_attack): classifier_list = get_image_classifier_list_for_attack(FastGradientMethod) # TODO this if statement must be removed once we have a classifier for both image and tabular data if classifier_list is None: logging.warning( "Couldn't perform this test because no classifier is defined") return elif norm == np.inf: expected_values = { "x_test_mean": ExpectedValue(0.2346725, 0.002), "x_test_min": ExpectedValue(-1.0, 0.00001), "x_test_max": ExpectedValue(1.0, 0.00001), "y_test_pred_adv_expected": ExpectedValue(np.asarray([4, 4, 4, 7, 7, 4, 7, 2, 2, 3, 0]), 2), } elif norm == 1: expected_values = { "x_test_mean": ExpectedValue(0.00051374, 0.002), "x_test_min": ExpectedValue(-0.01486498, 0.001), "x_test_max": ExpectedValue(0.014761963, 0.001), "y_test_pred_adv_expected": ExpectedValue(np.asarray([7, 1, 1, 4, 4, 1, 4, 4, 4, 4, 4]), 4), } elif norm == 2: expected_values = { "x_test_mean": ExpectedValue(0.007636416, 0.001), "x_test_min": ExpectedValue(-0.211054801, 0.001), "x_test_max": ExpectedValue(0.209592223, 0.001), "y_test_pred_adv_expected": ExpectedValue(np.asarray([7, 2, 4, 4, 4, 7, 7, 4, 0, 4, 4]), 2), } for classifier in classifier_list: attack = FastGradientMethod(classifier, eps=1, norm=norm, batch_size=128) backend_check_adverse_values(attack, fix_get_mnist_subset, expected_values)
def pre_adv_model_fit(self): model = models.load_model(os.path.join(self.save_dir, f'{self.model_choice}/model.h5')) x_train, x_test, y_train, y_test = self.data_pre_process() classifier = KerasClassifier(clip_values=(np.min(x_train), np.max(x_train)), model=model) fgsm = FastGradientMethod(classifier, eps=0.01, minimal=True, eps_step=0.01, num_random_init=35, targeted=False, batch_size=32) x_train, x_test = self.data_reshape(self.model_choice, x_train, x_test) x_adv_train = fgsm.generate(x=x_train) # x_adv_test = fgsm.generate(x=x_test) # adv_trainer = AdversarialTrainer(classifier, attacks=fgsm, ratio=1.0) # # samples = np.array(list(range(0, y_train.shape[0]))) # # y_train = np.column_stack((samples, y_train)) # y_train = np.reshape(y_train, (y_train.shape[0],)) # print(y_train.shape) # adv_trainer.fit(x_adv_train, y_train, batch_size=128, nb_epochs=10) history = model.fit(x_adv_train, y_train, epochs=self.epochs, batch_size=32, validation_split=0.2) data_record = DataRecord() data_record.model = model data_record.summary = model.to_yaml() data_record.history = history data_record.epochs = self.epochs self.result_save(data_record, self.save_pre_adv_dir)
def test_classifier_defended_images(fix_get_mnist_subset, image_dl_estimator_for_attack): classifier_list = image_dl_estimator_for_attack(FastGradientMethod, defended=True) # TODO this if statement must be removed once we have a classifier for both image and tabular data if classifier_list is None: logging.warning( "Couldn't perform this test because no classifier is defined") return for classifier in classifier_list: attack = FastGradientMethod(classifier, eps=1, batch_size=128) backend_test_defended_images(attack, fix_get_mnist_subset)