class PGDUtil(object):
def __init__(self, model, sess, log_file="log.txt"):
self.pgd = ProjectedGradientDescent(model=model, sess=sess)
self.log_file = log_file
def create_adversaries(self, x_train, y_train, i, nb_of_adv=None):
if nb_of_adv is None:
nb_of_adv = len(x_train)
adv_train_x, clean_train_x, adv_train_y, clean_train_y = divide_into_clean_and_adversarial_set(
x_train, y_train, nb_of_adv, i)
adv_x = self.pgd.generate_np(adv_train_x)
return numpy.vstack((adv_x, clean_train_x)), numpy.vstack(
(adv_train_y, clean_train_y))
class PGDGenerator:
def __init__( self, sess, in_tensor_name, out_tensor_name, mean=None, std=None ):
callable_model = CleverHansWrapperWrapper( sess, in_tensor_name, out_tensor_name, mean, std )
cleverhans_model = CallableModelWrapper( callable_model, 'logits' )
self.sess = sess
self.attack = ProjectedGradientDescent( cleverhans_model, sess=sess )
self.output_ten = tf.get_default_graph().get_tensor_by_name( out_tensor_name )
self.input_ten = tf.get_default_graph().get_tensor_by_name( in_tensor_name )
self.output_shape = [ dim.value for dim in self.output_ten.shape ]
self.mean = mean
self.std = std
def generate( self, img, **kwargs ):
if 'y_target' in kwargs:
y_target = kwargs[ 'y_target' ]
if not isinstance( y_target, (np.ndarray, list) ):
y_target = [ y_target ]
target_arr = np.zeros(self.output_shape)
target = y_target[ np.random.randint(0, len(y_target)) ]
target_arr[ 0, target ] = 1
kwargs[ 'y_target' ] = target_arr
if 'eps_iter_size' in kwargs and not 'eps_iter' in kwargs and 'eps' in kwargs:
kwargs['eps_iter'] = kwargs['eps'] * kwargs['eps_iter_size']
del kwargs['eps_iter_size']
check = True
if 'check' in kwargs:
check = kwargs['check']
del kwargs['check']
adv_example = self.attack.generate_np( img, **kwargs )
if not self.std is None:
adv_example = adv_example.reshape( -1, 1 )
adv_example = ( adv_example - self.mean ) / self.std
adv_example = adv_example.reshape( -1 )
#assert ( np.all( adv_example <= kwargs['clip_max'] + 0.000001) and np.all( adv_example >= kwargs['clip_min'] - 0.000001 ) )
real_cl = np.argmax( self.sess.run( self.output_ten, feed_dict={ self.input_ten: adv_example } ) )
if not check:
return adv_example
if 'y_target' in kwargs and real_cl in y_target:
return adv_example
if not 'y_target' in kwargs:
correct_cl = np.argmax( self.sess.run( self.output_ten, feed_dict={ self.input_ten: img } ) )
if not correct_cl == real_cl:
return adv_example
return None
time_st=time.time()
for st in range(0, data_size, batch_size):
sample = np.array(X_train[st : st + batch_size].reshape(-1, 32 * 32 * 3) / 255, dtype=np.float)
# sample = np.array([sample])
sess = keras.backend.get_session()
model = KerasModelWrapper(model_keras)
attack = ProjectedGradientDescent(model, sess=sess)
# print(model.predict(panda.reshape(1, *panda.shape)))
param = dict(
eps= 10 / 255,
eps_iter= 10 / 255 / 40,
nb_iter= 40,
rand_init= True,
)
advs = attack.generate_np(sample, **param)
# plt.imsave("sample.png", advs[0])
adv_train.append(advs)
preb = model_keras.predict(advs).argmax(axis=1).reshape((sample.shape[0], ))
y_sample = model_keras.predict(sample).argmax(axis=1).reshape((sample.shape[0], ))
success += (preb != y_sample).sum()
print((preb != y_sample).sum())
time_ed=time.time()
print("Took", round((time_ed - time_st) / 60,2), "mins to run")
print(success / data_size)
new_train = np.concatenate(adv_train)
#保存ifgsm对抗样本数据集文件
np.save('new_train', new_train)
# plt.imshow(adv[0])
def gen_adv_data(model, x, y, method, dataset, batch=2048):
sess = K.get_session()
model_wrap = KerasModelWrapper(model)
if method.upper() == 'CW':
params = {
'binary_search_steps': 1,
'y': y,
'learning_rate': .1,
'max_iterations': 50,
'initial_const': 10,
'batch_size': batch,
# 'clip_min': -0.5,
# 'clip_max': 0.5
}
attack = CarliniWagnerL2(model_wrap, sess=sess)
data_num = x.shape[0]
begin, end = 0, batch
adv_x_all = np.zeros_like(x)
# every time process batch_size
while end < data_num:
start_time = time.time()
params['y'] = y[begin:end]
adv_x = attack.generate_np(x[begin:end], **params)
adv_x_all[begin:end] = adv_x
print(begin, end, "done")
begin += batch
end += batch
end_time = time.time()
print("time: ", end_time - start_time)
# process the remaining
if begin < data_num:
start_time = time.time()
params['y'] = y[begin:]
params['batch_size'] = data_num - begin
adv_x = attack.generate_np(x[begin:], **params)
adv_x_all[begin:] = adv_x
print(begin, data_num, "done")
end_time = time.time()
print("time: ", end_time - start_time)
elif method.upper() == 'PGD':
if dataset == 'cifar':
params = {
'eps': 16. / 255.,
'eps_iter': 2. / 255.,
'nb_iter': 30.,
# 'clip_min': -0.5,
# 'clip_max': 0.5,
'y': y
}
attack = ProjectedGradientDescent(model_wrap, sess=sess)
elif dataset == 'mnist':
params = {
'eps': .3,
'eps_iter': .03,
'nb_iter': 20.,
'clip_min': -0.5,
'clip_max': 0.5,
'y': y
}
attack = ProjectedGradientDescent(model_wrap, sess=sess)
elif dataset == 'svhn':
params = {
'eps': 8. / 255.,
'eps_iter': 0.01,
'nb_iter': 30.,
'clip_min': -0.5,
'clip_max': 0.5,
'y': y
}
attack = ProjectedGradientDescent(model_wrap, sess=sess)
data_num = x.shape[0]
begin, end = 0, batch
adv_x_all = np.zeros_like(x)
# every time process batch_size
while end < data_num:
start_time = time.time()
params['y'] = y[begin:end]
adv_x = attack.generate_np(x[begin:end], **params)
adv_x_all[begin:end] = adv_x
print(begin, end, "done")
begin += batch
end += batch
end_time = time.time()
print("time: ", end_time - start_time)
# process the remaining
if begin < data_num:
start_time = time.time()
params['y'] = y[begin:]
adv_x = attack.generate_np(x[begin:], **params)
adv_x_all[begin:] = adv_x
print(begin, data_num, "done")
end_time = time.time()
print("time: ", end_time - start_time)
else:
print('Unsupported attack')
sys.exit(1)
return adv_x_all
print(results)
#####BIM
print("BIM")
bim_params = {'eps': 0.03,
'nb_iter': 300,
'eps_iter': 0.03/100,
'ord': np.inf,
'clip_min': 0.,
'clip_max': 1.,
'rand_init': False
}
bim = ProjectedGradientDescent(wrap, sess=sess)
X_adv = np.zeros((len(indices),32,32,3))
for i in range(0,len(indices),batch_attack):
X_adv[i:i+batch_attack] = bim.generate_np(X_test[indices[i:(i+batch_attack)]], **bim_params)
print("results on source model: ")
results = metrics(model, X_adv, X_test, y_test, indices)
print(results)
print("results on target model: ")
results = metrics(model_target, X_adv, X_test, y_test, indices)
print(results)
#####CWL2
print("CWL2")
cwl2_params = {'binary_search_steps': 10,
'max_iterations': 100,
'learning_rate': 0.1,
'batch_size': 100,
'initial_const': 0.5,
'clip_min': 0.,
print(metrics(model, X_adv_noise, X_test, y_test, indices))
#############################
#PGD
pgd_params = {
'eps': 0.03,
'eps_iter': 0.01,
'nb_iter': 100,
'ord': np.inf,
'rand_init': True
}
pgd_attack = ProjectedGradientDescent(wrap, sess=sess)
X_adv = np.zeros((len(indices), 32, 32, 3))
for i in range(0, len(indices), 200):
X_adv[i:(i + 200)] = pgd_attack.generate_np(X_test[indices[i:(i + 200)]],
**pgd_params)
print(metrics(model, X_adv, X_test, y_test, indices))
#############################
#CWL2
cwl2_params = {
'binary_search_steps': 10,
'max_iterations': 100,
'learning_rate': 0.1,
'batch_size': 200,
'initial_const': 0.5,
'clip_min': 0.,
'clip_max': 1.,
'confidence': 0
}
#comp_func_transfer(X_adv_auto, indices_test, pred_base, pred_auto, model_auto, model)
#comp_func_transfer(X_adv_ce, indices_test, pred_base, pred_ce, model_ce, model)
#comp_func_transfer(X_adv_rob, indices_test, pred_base, pred_rob, model_rob, model)
####################################
#PGD
print("\n\n")
print("PGD")
pgd_stacked = ProjectedGradientDescent(wrap_stacked, sess=sess)
pgd_auto = ProjectedGradientDescent(wrap_auto, sess=sess)
pgd_ce = ProjectedGradientDescent(wrap_ce, sess=sess)
pgd_rob = ProjectedGradientDescent(wrap_rob, sess=sess)
X_adv_stacked = np.zeros((len(indices_test), 32, 32, 3))
for i in np.arange(0, len(indices_test), 500):
X_adv_stacked[i:(i + 500)] = pgd_stacked.generate_np(
X_test[indices_test[i:(i + 500)]], **pgd_params)
X_adv_auto = np.zeros((len(indices_test), 32, 32, 3))
for i in np.arange(0, len(indices_test), 500):
X_adv_auto[i:(i + 500)] = pgd_auto.generate_np(
X_test[indices_test[i:(i + 500)]], **pgd_params)
X_adv_ce = np.zeros((len(indices_test), 32, 32, 3))
for i in np.arange(0, len(indices_test), 500):
X_adv_ce[i:(i + 500)] = pgd_ce.generate_np(
X_test[indices_test[i:(i + 500)]], **pgd_params)
X_adv_rob = np.zeros((len(indices_test), 32, 32, 3))
for i in np.arange(0, len(indices_test), 500):
X_adv_rob[i:(i + 500)] = pgd_rob.generate_np(
X_test[indices_test[i:(i + 500)]], **pgd_params)
all_models = [model_4bits_1, model_4bits_2,
model_8bits_1, model_8bits_2,
model_16bits_1, model_16bits_2,
model_32bits_1, model_32bits_2,
model_vanilla_nn_1, model_vanilla_nn_2]
test_images, test_labels = filter_correctly_classified_samples(test_images, test_labels, all_models)
print("From now on using " + str(test_images.shape[0]) + " samples that are correctly classified by all " + str(len(all_models)) + " networks.")
print("All neural networks now have 100% accuracy.")
print()
# perform attack on 4 bits QNN
print("Generating adversarial samples for QNN_1 with 4 bits..")
wrap = KerasModelWrapper(model_4bits_1)
iterative_fgsm = ProjectedGradientDescent(wrap, sess)
adv = iterative_fgsm.generate_np(test_images, **FGSM_PARAMS)
print("Finished generating adversarial samples")
# quantify perturbation
mean, std, min, max = get_stats(np.array([np.linalg.norm(x - y) for x, y in zip(test_images, adv)]))
print("Information about L2 distances between adversarial and original samples:")
print("mean: " + str(mean))
print("std dev: " + str(std))
print("min: " + str(min))
print("max: " + str(max))
# evaluate models on adv samples
print("Evaluating accuracy of all neural networks on adversarial samples crafted for 4 bits QNN_1..")
_, test_acc = model_4bits_1.evaluate(adv, test_labels, verbose=0)
print("Accuracy of QNN_1 with 4 bits: " + str(test_acc))
loss='sparse_categorical_crossentropy',
metrics=['accuracy'])
train_model.fit(train_images, train_labels, epochs=2)
tf.contrib.quantize.experimental_create_eval_graph(input_graph=train_graph,
weight_bits=4,
activation_bits=4)
_, test_acc = train_model.evaluate(test_images, test_labels, verbose=0)
print("Test accuracy of QNN: " + str(test_acc))
# perform attack on the QNN
print("Generating adversarial samples for QNN..")
wrap = KerasModelWrapper(train_model)
iterative_fgsm = ProjectedGradientDescent(wrap, train_sess)
adv_4_bits = iterative_fgsm.generate_np(test_images, **FGSM_PARAMS)
print("Finished generating adversarial samples")
# quantify perturbation
mean, std, min, max = get_stats(
np.array(
[np.linalg.norm(x - y) for x, y in zip(test_images, adv_4_bits)]))
print(
"Information about L2 distances between adversarial and original samples:"
)
print("mean: " + str(mean))
print("std dev: " + str(std))
print("min: " + str(min))
print("max: " + str(max))
# evaluate adv samples
pred_base, pred_stacked, pred_auto, pred_ce, pred_rob)
#comp_func_transfer(X_adv_stacked, indices_test, pred_base, pred_stacked, model_stacked, model)
#comp_func_transfer(X_adv_auto, indices_test, pred_base, pred_auto, model_auto, model)
#comp_func_transfer(X_adv_ce, indices_test, pred_base, pred_ce, model_ce, model)
#comp_func_transfer(X_adv_rob, indices_test, pred_base, pred_rob, model_rob, model)
###################################
#PGD
print("\n\n")
print("PGD")
pgd_stacked = ProjectedGradientDescent(wrap_stacked, sess=sess)
pgd_auto = ProjectedGradientDescent(wrap_auto, sess=sess)
pgd_ce = ProjectedGradientDescent(wrap_ce, sess=sess)
pgd_rob = ProjectedGradientDescent(wrap_rob, sess=sess)
X_adv_stacked = pgd_stacked.generate_np(X_test[indices_test], **pgd_params)
X_adv_auto = pgd_auto.generate_np(X_test[indices_test], **pgd_params)
X_adv_ce = pgd_ce.generate_np(X_test[indices_test], **pgd_params)
X_adv_rob = pgd_rob.generate_np(X_test[indices_test], **pgd_params)
comp_func(X_adv_stacked, X_adv_auto, X_adv_ce, X_adv_rob, indices_test,
pred_base, pred_stacked, pred_auto, pred_ce, pred_rob)
#comp_func_transfer(X_adv_stacked, indices_test, pred_base, pred_stacked, model_stacked, model)
#comp_func_transfer(X_adv_auto, indices_test, pred_base, pred_auto, model_auto, model)
#comp_func_transfer(X_adv_ce, indices_test, pred_base, pred_ce, model_ce, model)
#comp_func_transfer(X_adv_rob, indices_test, pred_base, pred_rob, model_rob, model)
####################################
#MIM
print("\n\n")
print("MIM")
