def calc_single_bim(x,sess):
from scipy.spatial.distance import euclidean
K.set_session(sess)
model = load_model("model/model_mnist.h5")
x = x.reshape(1,28,28,1)
y = model.predict_classes(x)
y = np.eye(10)[y]
print y.shape
its, results = basic_iterative_method(
sess, model, x, y, eps=0.40,
eps_iter=0.010, clip_min=-0.5,
clip_max=0.5)
x_adv = np.asarray([results[its[i], i] for i in range(len(y))])
dist = np.zeros(shape=(1,1))
dist[0][0] = euclidean(x.reshape(-1),x_adv.reshape(-1))
return dist
def craftadv(x,y,sess,dataset='mnist'):
assert dataset in ['mnist','roadsign']
K.set_session(sess)
if dataset == 'mnist':
x = x.reshape((1,28,28,1))
y = np.eye(10)[y]
y = y.reshape(-1,10)
model = load_model("model/model_mnist.h5")
else :
x = x.reshape((1,32,32,3))
y = np.eye(62)[y]
y = y.reshape(-1,62)
model = load_model("model/model_traffic.h5")
its, results = basic_iterative_method(
sess, model, x, y, eps=0.4,
eps_iter=0.010, clip_min=0.0,
clip_max=1.0
)
x_adv = np.asarray([results[its[0], 0]])
return x_adv
def craft_one_type(sess, model, X, Y, dataset, attack, batch_size):
"""
TODO
:param sess:
:param model:
:param X:
:param Y:
:param dataset:
:param attack:
:param batch_size:
:return:
"""
if attack == 'fgsm':
# FGSM attack
print('Crafting fgsm adversarial samples...')
X_adv = fast_gradient_sign_method(sess,
model,
X,
Y,
eps=ATTACK_PARAMS['fgsm']['eps'],
clip_min=0.0,
clip_max=1.0,
batch_size=batch_size)
elif attack in ['bim-a', 'bim-b']:
# BIM attack
print('Crafting %s adversarial samples...' % attack)
its, results = basic_iterative_method(
sess,
model,
X,
Y,
eps=ATTACK_PARAMS['bim']['eps'],
eps_iter=ATTACK_PARAMS['bim']['eps_iter'],
clip_min=0.,
clip_max=1.,
batch_size=batch_size)
if attack == 'bim-a':
# BIM-A
# For each sample, select the time step where that sample first
# became misclassified
X_adv = np.asarray([results[its[i], i] for i in range(len(Y))])
else:
# BIM-B
# For each sample, select the very last time step
X_adv = results[-1]
elif attack == 'jsma':
# JSMA attack
print('Crafting jsma adversarial samples. This may take a while...')
X_adv = saliency_map_method(sess,
model,
X,
Y,
theta=1,
gamma=0.1,
clip_min=0.,
clip_max=1.)
else:
# TODO: CW attack
raise NotImplementedError('CW attack not yet implemented.')
_, acc = model.evaluate(X_adv, Y, batch_size=batch_size, verbose=0)
np.set_printoptions(threshold=9999) # 打印全部
# print(model(inputs=X[0], outputs=model.layers[30].input))
def sigmoid(x):
s = 1 / (1 + np.exp(-x))
return s
temperature = 1
predicted = model.predict(X) / temperature
print(predicted)
#print(np.concatenate((softmax(predicted,0), softmax(predicted,1), softmax(predicted,2),softmax(predicted,3)), axis=1))
def softmax(X, i): # softmax函数
return np.exp(X[LEN * i:LEN *
(i + 1)]) / np.sum(np.exp(X[LEN * i:LEN * (i + 1)]))
# print(np.concatenate((softmax(predicted,0), softmax(predicted,1), softmax(predicted,2),softmax(predicted,3)), axis=1))
def soften(predicted):
soft = predicted
for i in range(1):
soft[i] = np.concatenate(
(softmax(predicted[i], 0), softmax(predicted[i], 1),
softmax(predicted[i], 2), softmax(predicted[i], 3)),
axis=0)
return soft
def fn(correct, predicted):
loss = 0
for i in range(CAPTCHA_LEN):
loss += tf.nn.softmax_cross_entropy_with_logits(
labels=correct[LEN * i:LEN * (i + 1)],
logits=predicted[LEN * i:LEN * (i + 1)])
return loss
# print(fn(Y,model.predict(X)))
soft_label = soften(predicted)
print(Y, soft_label)
# print((model.predict(X) ))
# print(softmax(model.predict(X)))
pred_adv = sigmoid(model.predict(X_adv))
pred_x = sigmoid(model.predict(X))
# print(pred_x)
# print(sigmoid(pred_x))
# x=tf.convert_to_tensor(X.astype(np.float32))
# logits,=model(x).op.input
# print(aget_logits(sess,model,X,Y,))
succeed = 0
t_all = 0
for j in range(1):
t = 0
for i in range(4):
if np.argmax(pred_x[j, LEN * i:LEN * (i + 1)]) == np.argmax(
Y[j, LEN * i:LEN * (i + 1)]):
t = t + 1
t_all += t
if t == 4:
succeed += 1
print(succeed, ' ', t_all)
def max_predict(x):
for i in range(4):
print(CAPTCHA_LIST[np.argmax(x[0, LEN * i:LEN * (i + 1)])],
" ",
end="")
print("真实值")
max_predict(Y)
print(" ")
print("蒸馏值")
max_predict(soft_label)
print(" ")
print("攻击前预测值")
max_predict(pred_x)
print(" ")
print("攻击后预测值")
max_predict(pred_adv)
print(" ")
#np.argmax(pred_adv)
acc_x = soft_label[0] * (Y[0] / 4) #每个数字权重是1/4
acc_adv = pred_adv[0] * (Y[0] / 4)
print("攻击前准确度", sum(acc_x), "攻击后准确度", sum(acc_adv))
print("攻击前模型输出")
print(pred_x)
print("攻击后模型输出")
print(pred_adv)
plt.figure()
plt.subplot(2, 1, 1)
plt.imshow(X[0, :, :, 0])
plt.subplot(2, 1, 2)
plt.imshow(X_adv[0, :, :, 0])
plt.show()
print("Model accuracy on the adversarial test set: %0.2f%%" % (100 * acc))
np.save('../data/captcha6.npy', X_adv)
def craft_one_type(sess, model, X, Y, dataset, attack, batch_size):
"""
TODO
:param sess:
:param model:
:param X:
:param Y:
:param dataset:
:param attack:
:param batch_size:
:return:
"""
if attack == 'fgsm':
# FGSM attack
print('Crafting fgsm adversarial samples...')
X_adv = fast_gradient_sign_method(sess,
model,
X,
Y,
eps=ATTACK_PARAMS[dataset]['eps'],
clip_min=CLIP_MIN,
clip_max=CLIP_MAX,
batch_size=batch_size)
elif attack in ['bim-a', 'bim-b']:
# BIM attack
print('Crafting %s adversarial samples...' % attack)
its, results = basic_iterative_method(
sess,
model,
X,
Y,
eps=ATTACK_PARAMS[dataset]['eps'],
eps_iter=ATTACK_PARAMS[dataset]['eps_iter'],
clip_min=CLIP_MIN,
clip_max=CLIP_MAX,
batch_size=batch_size)
if attack == 'bim-a':
# BIM-A
# For each sample, select the time step where that sample first
# became misclassified
X_adv = np.asarray([results[its[i], i] for i in range(len(Y))])
else:
# BIM-B
# For each sample, select the very last time step
X_adv = results[-1]
elif attack == 'jsma':
# JSMA attack
print('Crafting jsma adversarial samples. This may take > 5 hours')
X_adv = saliency_map_method(sess,
model,
X,
Y,
theta=1,
gamma=0.1,
clip_min=CLIP_MIN,
clip_max=CLIP_MAX)
elif attack == 'cw-l2':
# C&W attack
print(
'Crafting %s examples. This takes > 5 hours due to internal grid search'
% attack)
image_size = ATTACK_PARAMS[dataset]['image_size']
num_channels = ATTACK_PARAMS[dataset]['num_channels']
num_labels = ATTACK_PARAMS[dataset]['num_labels']
cw_attack = CarliniL2(sess,
model,
image_size,
num_channels,
num_labels,
batch_size=batch_size)
X_adv = cw_attack.attack(X, Y)
elif attack == 'cw-lid':
# C&W attack to break LID detector
print(
'Crafting %s examples. This takes > 5 hours due to internal grid search'
% attack)
image_size = ATTACK_PARAMS[dataset]['image_size']
num_channels = ATTACK_PARAMS[dataset]['num_channels']
num_labels = ATTACK_PARAMS[dataset]['num_labels']
cw_attack = CarliniLID(sess,
model,
image_size,
num_channels,
num_labels,
batch_size=batch_size)
X_adv = cw_attack.attack(X, Y)
_, acc = model.evaluate(X_adv, Y, batch_size=batch_size, verbose=0)
print("Model accuracy on the adversarial test set: %0.2f%%" % (100 * acc))
np.save(os.path.join(PATH_DATA, 'Adv_%s_%s.npy' % (dataset, attack)),
X_adv)
l2_diff = np.linalg.norm(X_adv.reshape((len(X), -1)) - X.reshape(
(len(X), -1)),
axis=1).mean()
print("Average L-2 perturbation size of the %s attack: %0.2f" %
(attack, l2_diff))