def setUpClass(cls):
    """Reset the Keras session, load MNIST subsets, build models and download a test image.

    Side effects: sets `cls.mnist`, `cls.model_mnist`, `cls.functional_model`
    and `cls.test_dir` (a temporary folder holding `test.jpg`).
    """
    k.clear_session()
    k.set_learning_phase(1)

    # Get MNIST, truncated to small subsets for fast tests
    (x_train, y_train), (x_test, y_test), _, _ = load_mnist()
    x_train, y_train = x_train[:NB_TRAIN], y_train[:NB_TRAIN]
    x_test, y_test = x_test[:NB_TEST], y_test[:NB_TEST]
    cls.mnist = (x_train, y_train), (x_test, y_test)

    # Load small Keras model
    cls.model_mnist, _ = get_classifier_kr()
    # NOTE: this replaces the factory method on the class with its result
    cls.functional_model = cls.functional_model()

    import requests
    import tempfile
    import os

    # Temporary folder for tests
    cls.test_dir = tempfile.mkdtemp()

    # Download one ImageNet pic for tests; silently skipped on any non-200 response
    url = 'http://farm1.static.flickr.com/163/381342603_81db58bea4.jpg'
    result = requests.get(url, stream=True)
    if result.status_code == 200:
        image = result.raw.read()
        # BUG FIX: use a context manager so the file handle is closed
        # even if the write raises (original leaked the handle on error)
        with open(os.path.join(cls.test_dir, 'test.jpg'), 'wb') as f:
            f.write(image)
def test_krclassifier(self):
    """
    Second test with the KerasClassifier.
    :return:
    """
    # Build KerasClassifier (the returned session handle is not needed here)
    krc, _ = get_classifier_kr()

    # Get MNIST
    (x_train, _), (x_test, _) = self.mnist

    # Attack
    attack_params = {"max_translation": 10.0, "num_translations": 3,
                     "max_rotation": 30.0, "num_rotations": 3}
    attack_st = SpatialTransformation(krc)
    x_train_adv = attack_st.generate(x_train, **attack_params)

    # Pin a known pixel value and the expected fooling rate within tolerance
    self.assertLessEqual(abs(x_train_adv[0, 8, 13, 0] - 0.49004024), 0.01)
    self.assertLessEqual(abs(attack_st.fooling_rate - 0.707), 0.01)

    # assertEqual/assertLessEqual give clearer failure messages than assertTrue
    self.assertEqual(attack_st.attack_trans_x, 3)
    self.assertEqual(attack_st.attack_trans_y, 3)
    self.assertEqual(attack_st.attack_rot, 30.0)

    x_test_adv = attack_st.generate(x_test)
    self.assertLessEqual(abs(x_test_adv[0, 14, 14, 0] - 0.013572651), 0.01)

    k.clear_session()
def test_krclassifier(self):
    """
    Second test with the KerasClassifier.
    :return:
    """
    # Build KerasClassifier
    krc, _ = get_classifier_kr()

    # Get MNIST
    (x_train, _), (_, _) = self.mnist

    # Attack
    attack_ap = AdversarialPatch(krc, rotation_max=22.5, scale_min=0.1, scale_max=1.0,
                                 learning_rate=5.0, patch_shape=(28, 28, 1), batch_size=10)
    patch_adv, _ = attack_ap.generate(x_train)

    # BUG FIX: the original asserted the signed difference (`x - target < 0.01`),
    # which passes for ANY value below target + 0.01; abs() makes it a real
    # closeness check on the expected patch values.
    self.assertLess(abs(patch_adv[8, 8, 0] - (-3.2501425017774923)), 0.01)
    self.assertLess(abs(patch_adv[14, 14, 0] - 20.48400094881169), 0.01)
    self.assertLess(abs(np.sum(patch_adv) - 1764.7681744376168), 0.01)

    k.clear_session()
def test_krclassifier(self):
    """
    Test with a KerasClassifier.
    :return:
    """
    # Build KerasClassifier (the returned session handle is unused)
    krc, _ = get_classifier_kr()

    # Get MNIST
    (_, _), (x_test, y_test) = self.mnist

    # First attack (without EoT):
    fgsm = FastGradientMethod(classifier=krc, targeted=True)
    params = {'y': random_targets(y_test, krc.nb_classes)}
    x_test_adv = fgsm.generate(x_test, **params)

    # Second attack (with EoT) over the identity transformation, so the
    # adversarial examples must match the plain FGSM result:
    def t(x):
        return x

    def transformation():
        while True:
            yield t

    eot = ExpectationOverTransformations(sample_size=1, transformation=transformation)
    fgsm_with_eot = FastGradientMethod(classifier=krc, expectation=eot, targeted=True)
    # assertIsNotNone is the idiomatic form of assertFalse(x is None)
    self.assertIsNotNone(fgsm_with_eot.expectation)
    x_test_adv_with_eot = fgsm_with_eot.generate(x_test, **params)
    self.assertTrue((np.abs(x_test_adv - x_test_adv_with_eot) < 0.001).all())
def test_krclassifier(self):
    """
    Second test with the KerasClassifier.
    :return:
    """
    # Build KerasClassifier (the returned session handle is unused)
    krc, _ = get_classifier_kr()

    # Get MNIST
    (x_train, y_train), (x_test, y_test) = self.mnist

    # Attack: universal perturbation driven by an untargeted EAD attacker
    up = UniversalPerturbation(krc, max_iter=1, attacker="ead",
                               attacker_params={"max_iter": 5, "targeted": False})
    x_train_adv = up.generate(x_train)
    # Either the attack fooled enough samples, or it did not converge within max_iter
    self.assertTrue((up.fooling_rate >= 0.2) or not up.converged)

    # The universal noise must actually perturb the test set
    x_test_adv = x_test + up.noise
    self.assertFalse((x_test == x_test_adv).all())

    train_y_pred = np.argmax(krc.predict(x_train_adv), axis=1)
    test_y_pred = np.argmax(krc.predict(x_test_adv), axis=1)
    # At least one prediction should change on each split
    self.assertFalse((np.argmax(y_test, axis=1) == test_y_pred).all())
    self.assertFalse((np.argmax(y_train, axis=1) == train_y_pred).all())
def setUpClass(cls):
    """Prepare truncated MNIST data and a shared Keras classifier for the tests."""
    k.set_learning_phase(1)

    # Get MNIST and keep only small subsets for speed
    (x_train, y_train), (x_test, y_test), _, _ = load_mnist()
    x_train = x_train[:NB_TRAIN]
    y_train = y_train[:NB_TRAIN]
    x_test = x_test[:NB_TEST]
    y_test = y_test[:NB_TEST]
    cls.mnist = (x_train, y_train), (x_test, y_test)

    # Keras classifier
    cls.classifier_k, _ = get_classifier_kr()
def setUpClass(cls):
    """Build the shared classifier, MNIST fixtures and the ActivationDefence under test."""
    # Build KerasClassifier (the returned session handle is unused)
    cls.classifier, _ = get_classifier_kr()

    # Get MNIST; only the training split is truncated here
    (x_train, y_train), (x_test, y_test), _, _ = load_mnist()
    x_train, y_train = x_train[:NB_TRAIN], y_train[:NB_TRAIN]
    cls.mnist = (x_train, y_train), (x_test, y_test)

    # Defence instance exercised by the test methods
    cls.defence = ActivationDefence(cls.classifier, x_train, y_train)
def setUpClass(cls):
    """Reset the Keras session and prepare MNIST fixtures plus a small model."""
    k.clear_session()
    k.set_learning_phase(1)

    # Get MNIST, truncated to small train/test subsets
    (x_train, y_train), (x_test, y_test), _, _ = load_mnist()
    x_train = x_train[:NB_TRAIN]
    y_train = y_train[:NB_TRAIN]
    x_test = x_test[:NB_TEST]
    y_test = y_test[:NB_TEST]
    cls.mnist = (x_train, y_train), (x_test, y_test)

    # Load small Keras model
    cls.model_mnist, _ = get_classifier_kr()
def setUpClass(cls):
    """Load MNIST and build Keras, TensorFlow and PyTorch classifiers for the tests.

    Logs the accuracy of each classifier on the truncated train/test splits.
    """
    k.set_learning_phase(1)

    # Get MNIST, truncated to small subsets
    (x_train, y_train), (x_test, y_test), _, _ = load_dataset('mnist')
    x_train, y_train = x_train[:NB_TRAIN], y_train[:NB_TRAIN]
    x_test, y_test = x_test[:NB_TEST], y_test[:NB_TEST]
    cls.mnist = (x_train, y_train), (x_test, y_test)

    # Keras classifier (the returned session handle was never used)
    cls.classifier_k, _ = get_classifier_kr()

    # NOTE: reaches into the private `_model` to reuse Keras' evaluate()
    scores = cls.classifier_k._model.evaluate(x_train, y_train)
    logger.info('[Keras, MNIST] Accuracy on training set: %.2f%%', (scores[1] * 100))
    scores = cls.classifier_k._model.evaluate(x_test, y_test)
    logger.info('[Keras, MNIST] Accuracy on test set: %.2f%%', (scores[1] * 100))

    # Create basic CNN on MNIST using TensorFlow
    cls.classifier_tf, _ = get_classifier_tf()

    scores = get_labels_np_array(cls.classifier_tf.predict(x_train))
    acc = np.sum(np.argmax(scores, axis=1) == np.argmax(y_train, axis=1)) / y_train.shape[0]
    logger.info('[TF, MNIST] Accuracy on training set: %.2f%%', (acc * 100))

    scores = get_labels_np_array(cls.classifier_tf.predict(x_test))
    acc = np.sum(np.argmax(scores, axis=1) == np.argmax(y_test, axis=1)) / y_test.shape[0]
    logger.info('[TF, MNIST] Accuracy on test set: %.2f%%', (acc * 100))

    # Create basic PyTorch model; swap axes to channels-first for PyTorch
    cls.classifier_py = get_classifier_pt()
    x_train, x_test = np.swapaxes(x_train, 1, 3), np.swapaxes(x_test, 1, 3)

    scores = get_labels_np_array(cls.classifier_py.predict(x_train))
    acc = np.sum(np.argmax(scores, axis=1) == np.argmax(y_train, axis=1)) / y_train.shape[0]
    logger.info('[PyTorch, MNIST] Accuracy on training set: %.2f%%', (acc * 100))

    scores = get_labels_np_array(cls.classifier_py.predict(x_test))
    acc = np.sum(np.argmax(scores, axis=1) == np.argmax(y_test, axis=1)) / y_test.shape[0]
    logger.info('[PyTorch, MNIST] Accuracy on test set: %.2f%%', (acc * 100))
def test_krclassifier(self):
    """
    Second test with the KerasClassifier.
    :return:
    """
    # Build KerasClassifier (the returned session handle is unused).
    # Removed the dead commented-out timing/benchmark code the original carried.
    krc, _ = get_classifier_kr()

    # Get MNIST
    (_, _), (x_test, _) = self.mnist

    # Attack
    nf = NewtonFool(krc, max_iter=5)
    x_test_adv = nf.generate(x_test, batch_size=100)
    self.assertFalse((x_test == x_test_adv).all())

    y_pred = krc.predict(x_test)
    y_pred_adv = krc.predict(x_test_adv)
    # Mask selecting, per sample, the originally most-confident class
    y_pred_bool = y_pred.max(axis=1, keepdims=1) == y_pred
    y_pred_max = y_pred.max(axis=1)
    y_pred_adv_max = y_pred_adv[y_pred_bool]
    # NewtonFool should not increase the confidence of the original top class
    self.assertTrue((y_pred_max >= y_pred_adv_max).all())
def test_krclassifier(self):
    """
    Second test with the KerasClassifier.
    :return:
    """
    # Build KerasClassifier (the returned session handle is unused)
    krc, _ = get_classifier_kr()

    # Get MNIST
    (_, _), (x_test, y_test) = self.mnist

    # First attack: targeted EAD
    ead = ElasticNet(classifier=krc, targeted=True, max_iter=2)
    params = {'y': random_targets(y_test, krc.nb_classes)}
    x_test_adv = ead.generate(x_test, **params)
    self.assertFalse((x_test == x_test_adv).all())
    # Adversarial samples must stay within the valid [0, 1] data range
    self.assertTrue((x_test_adv <= 1.0001).all())
    self.assertTrue((x_test_adv >= -0.0001).all())
    target = np.argmax(params['y'], axis=1)
    y_pred_adv = np.argmax(krc.predict(x_test_adv), axis=1)
    logger.debug('EAD target: %s', target)
    logger.debug('EAD actual: %s', y_pred_adv)
    logger.info('EAD success rate: %.2f%%', (100 * sum(target == y_pred_adv) / float(len(target))))
    self.assertTrue((target == y_pred_adv).any())

    # Second attack: untargeted EAD
    ead = ElasticNet(classifier=krc, targeted=False, max_iter=2)
    params = {'y': random_targets(y_test, krc.nb_classes)}
    x_test_adv = ead.generate(x_test, **params)
    self.assertTrue((x_test_adv <= 1.0001).all())
    self.assertTrue((x_test_adv >= -0.0001).all())
    target = np.argmax(params['y'], axis=1)
    y_pred_adv = np.argmax(krc.predict(x_test_adv), axis=1)
    logger.debug('EAD target: %s', target)
    logger.debug('EAD actual: %s', y_pred_adv)
    logger.info('EAD success rate: %.2f', (100 * sum(target != y_pred_adv) / float(len(target))))
    self.assertTrue((target != y_pred_adv).any())

    # Kill Keras
    k.clear_session()
def test_krclassifier(self):
    """
    Second test with the KerasClassifier.
    :return:
    """
    # Build KerasClassifier (the returned session handle is unused)
    krc, _ = get_classifier_kr()

    # Get MNIST
    (_, _), (x_test, y_test) = self.mnist

    # First attack: targeted Carlini & Wagner L2
    cl2m = CarliniL2Method(classifier=krc, targeted=True, max_iter=10)
    params = {'y': random_targets(y_test, krc.nb_classes)}
    x_test_adv = cl2m.generate(x_test, **params)
    self.assertFalse((x_test == x_test_adv).all())
    # Adversarial samples must stay within the valid [0, 1] data range
    self.assertTrue((x_test_adv <= 1.0001).all())
    self.assertTrue((x_test_adv >= -0.0001).all())
    target = np.argmax(params['y'], axis=1)
    y_pred_adv = np.argmax(krc.predict(x_test_adv), axis=1)
    logger.debug('CW2 Target: %s', target)
    logger.debug('CW2 Actual: %s', y_pred_adv)
    logger.info('CW2 Success Rate: %.2f', (np.sum(target == y_pred_adv) / float(len(target))))
    self.assertTrue((target == y_pred_adv).any())

    # Second attack: untargeted CW2; `target` below is reused only to check
    # that at least one prediction moved away from the previous random targets
    cl2m = CarliniL2Method(classifier=krc, targeted=False, max_iter=10)
    x_test_adv = cl2m.generate(x_test)
    self.assertTrue((x_test_adv <= 1.0001).all())
    self.assertTrue((x_test_adv >= -0.0001).all())
    target = np.argmax(params['y'], axis=1)
    y_pred_adv = np.argmax(krc.predict(x_test_adv), axis=1)
    logger.debug('CW2 Target: %s', target)
    logger.debug('CW2 Actual: %s', y_pred_adv)
    logger.info('CW2 Success Rate: %.2f', (np.sum(target != y_pred_adv) / float(len(target))))
    self.assertTrue((target != y_pred_adv).any())

    # Clean-up
    k.clear_session()
def test_krclassifier(self):
    """
    Second test with the KerasClassifier.
    :return:
    """
    # Build KerasClassifier
    krc, _ = get_classifier_kr()

    # Get MNIST and test with 3 channels
    x_test, y_test = self.mnist

    # First attack: targeted ZOO
    zoo = ZooAttack(classifier=krc, targeted=True, batch_size=5)
    params = {'y': random_targets(y_test, krc.nb_classes)}
    x_test_adv = zoo.generate(x_test, **params)

    self.assertFalse((x_test == x_test_adv).all())
    self.assertTrue((x_test_adv <= 1.0001).all())
    self.assertTrue((x_test_adv >= -0.0001).all())

    expected_labels = np.argmax(params['y'], axis=1)
    adv_preds = np.argmax(krc.predict(x_test_adv), axis=1)
    logger.debug('ZOO target: %s', expected_labels)
    logger.debug('ZOO actual: %s', adv_preds)
    logger.info('ZOO success rate: %.2f', (sum(expected_labels == adv_preds) / float(len(expected_labels))))

    # Second attack: untargeted ZOO
    zoo = ZooAttack(classifier=krc, targeted=False, max_iter=20)
    x_test_adv = zoo.generate(x_test)

    self.assertFalse((x_test == x_test_adv).all())
    self.assertTrue((x_test_adv <= 1.0001).all())
    self.assertTrue((x_test_adv >= -0.0001).all())

    adv_preds = np.argmax(krc.predict(x_test_adv), axis=1)
    clean_preds = np.argmax(krc.predict(x_test), axis=1)
    logger.debug('ZOO actual: %s', adv_preds)
    logger.info('ZOO success rate: %.2f', (sum(clean_preds != adv_preds) / float(len(clean_preds))))

    # Clean-up
    k.clear_session()
def test_krclassifier(self):
    """
    Second test with the KerasClassifier.
    :return:
    """
    # Build KerasClassifier
    krc, _ = get_classifier_kr()

    # Get MNIST
    (x_train, _), (_, _) = self.mnist

    # Attack
    attack_params = {"rotation_max": 22.5, "scale_min": 0.1, "scale_max": 1.0,
                     "learning_rate": 5.0, "number_of_steps": 5,
                     "patch_shape": (28, 28, 1), "batch_size": 10}
    attack_ap = AdversarialPatch(krc)
    patch_adv, _ = attack_ap.generate(x_train, **attack_params)

    # BUG FIX: the original asserted the signed difference (`x - target < 0.01`),
    # which passes for ANY value below target + 0.01; abs() makes it a real
    # closeness check on the expected patch values.
    self.assertLess(abs(patch_adv[8, 8, 0] - (-3.2501425017774923)), 0.01)
    self.assertLess(abs(patch_adv[14, 14, 0] - 20.48400094881169), 0.01)
    self.assertLess(abs(np.sum(patch_adv) - 1764.7681744376168), 0.01)

    k.clear_session()
def test_krclassifier(self):
    """
    Second test with the KerasClassifier.
    :return:
    """
    # Build KerasClassifier (the returned session handle is unused)
    krc, _ = get_classifier_kr()

    # Get MNIST
    (_, _), (x_test, y_test) = self.mnist

    # First targeted attack
    boundary = Boundary(classifier=krc, targeted=True, max_iter=20)
    params = {'y': random_targets(y_test, krc.nb_classes)}
    x_test_adv = boundary.generate(x_test, **params)

    self.assertFalse((x_test == x_test_adv).all())
    # Adversarial samples must stay within the valid [0, 1] data range
    self.assertTrue((x_test_adv <= 1.0001).all())
    self.assertTrue((x_test_adv >= -0.0001).all())

    target = np.argmax(params['y'], axis=1)
    y_pred_adv = np.argmax(krc.predict(x_test_adv), axis=1)
    self.assertTrue((target == y_pred_adv).any())

    # Second untargeted attack
    boundary = Boundary(classifier=krc, targeted=False, max_iter=20)
    x_test_adv = boundary.generate(x_test)

    self.assertFalse((x_test == x_test_adv).all())
    self.assertTrue((x_test_adv <= 1.0001).all())
    self.assertTrue((x_test_adv >= -0.0001).all())

    y_pred = np.argmax(krc.predict(x_test), axis=1)
    y_pred_adv = np.argmax(krc.predict(x_test_adv), axis=1)
    self.assertTrue((y_pred != y_pred_adv).any())

    # Clean-up session
    k.clear_session()
def test_krclassifier(self):
    """
    Second test with the KerasClassifier.
    :return:
    """
    # Build KerasClassifier (the returned session handle is unused)
    krc, _ = get_classifier_kr()

    # Get MNIST
    (_, _), (x_test, _) = self.mnist

    # Attack
    nf = NewtonFool(krc, max_iter=5, batch_size=100)
    x_test_adv = nf.generate(x_test)
    self.assertFalse((x_test == x_test_adv).all())

    y_pred = krc.predict(x_test)
    y_pred_adv = krc.predict(x_test_adv)
    # Mask selecting, per sample, the originally most-confident class
    y_pred_bool = y_pred.max(axis=1, keepdims=1) == y_pred
    y_pred_max = y_pred.max(axis=1)
    y_pred_adv_max = y_pred_adv[y_pred_bool]
    # NewtonFool should not increase the confidence of the original top class
    self.assertTrue((y_pred_max >= y_pred_adv_max).all())
def test_binary_input_detector(self):
    """
    Test the binary input detector end-to-end.
    :return:
    """
    # Get MNIST; nb_train/nb_test bound how many samples feed the attack
    nb_train, nb_test = 1000, 10
    (x_train, y_train), (x_test, y_test), _, _ = load_mnist()
    x_train, y_train = x_train[:NB_TRAIN], y_train[:NB_TRAIN]
    x_test, y_test = x_test[:NB_TEST], y_test[:NB_TEST]

    # Keras classifier
    classifier, _ = get_classifier_kr()

    # Generate adversarial samples:
    attacker = FastGradientMethod(classifier, eps=0.1)
    x_train_adv = attacker.generate(x_train[:nb_train])
    x_test_adv = attacker.generate(x_test[:nb_test])

    # Compile training data for detector: clean samples labelled [1, 0],
    # adversarial samples labelled [0, 1]
    x_train_detector = np.concatenate((x_train[:nb_train], x_train_adv), axis=0)
    y_train_detector = np.concatenate(
        (np.array([[1, 0]] * nb_train), np.array([[0, 1]] * nb_train)), axis=0)

    # Create a simple CNN for the detector
    input_shape = x_train.shape[1:]
    model = Sequential()
    model.add(Conv2D(4, kernel_size=(5, 5), activation='relu', input_shape=input_shape))
    model.add(MaxPooling2D(pool_size=(2, 2)))
    model.add(Flatten())
    model.add(Dense(2, activation='softmax'))
    model.compile(loss=keras.losses.categorical_crossentropy,
                  optimizer=keras.optimizers.Adam(lr=0.01), metrics=['accuracy'])

    # Create detector and train it:
    detector = BinaryInputDetector(KerasClassifier((0, 1), model, use_logits=False))
    detector.fit(x_train_detector, y_train_detector, nb_epochs=2, batch_size=128)

    # Apply detector on clean and adversarial test data:
    test_detection = np.argmax(detector.predict(x_test), axis=1)
    test_adv_detection = np.argmax(detector.predict(x_test_adv), axis=1)

    # Assert there is at least one true positive and negative:
    nb_true_positives = len(np.where(test_adv_detection == 1)[0])
    nb_true_negatives = len(np.where(test_detection == 0)[0])
    logger.debug('Number of true positives detected: %i', nb_true_positives)
    logger.debug('Number of true negatives detected: %i', nb_true_negatives)
    # assertGreater reports the offending value on failure, unlike assertTrue(x > 0)
    self.assertGreater(nb_true_positives, 0)
    self.assertGreater(nb_true_negatives, 0)