def make_confidence_report(filepath,
train_start=TRAIN_START,
train_end=TRAIN_END,
test_start=TEST_START,
test_end=TEST_END,
batch_size=BATCH_SIZE,
which_set=WHICH_SET,
mc_batch_size=MC_BATCH_SIZE,
report_path=REPORT_PATH,
base_eps_iter=BASE_EPS_ITER,
nb_iter=NB_ITER):
"""
Load a saved model, gather its predictions, and save a confidence report.
This function works by running a single MaxConfidence attack on each example.
This provides a reasonable estimate of the true failure rate quickly, so
long as the model does not suffer from gradient masking.
However, this estimate is mostly intended for development work and not
for publication. A more accurate estimate may be obtained by running
make_confidence_report_bundled.py instead.
:param filepath: path to model to evaluate
:param train_start: index of first training set example to use
:param train_end: index of last training set example to use
:param test_start: index of first test set example to use
:param test_end: index of last test set example to use
:param batch_size: size of evaluation batches
:param which_set: 'train' or 'test'
:param mc_batch_size: batch size for MaxConfidence attack
:param base_eps_iter: step size if the data were in [0,1]
(Step size will be rescaled proportional to the actual data range)
:param nb_iter: Number of iterations of PGD to run per class
"""
# Set TF random seed to improve reproducibility
tf.set_random_seed(1234)
# Set logging level to see debug information
set_log_level(logging.INFO)
# Create TF session
sess = tf.Session()
if report_path is None:
assert filepath.endswith('.joblib')
report_path = filepath[:-len('.joblib')] + "_report.joblib"
with sess.as_default():
model = load(filepath)
assert len(model.get_params()) > 0
factory = model.dataset_factory
factory.kwargs['train_start'] = train_start
factory.kwargs['train_end'] = train_end
factory.kwargs['test_start'] = test_start
factory.kwargs['test_end'] = test_end
dataset = factory()
center = dataset.kwargs['center']
max_val = dataset.kwargs['max_val']
value_range = max_val * (1. + center)
min_value = 0. - center * max_val
if 'CIFAR' in str(factory.cls):
base_eps = 8. / 255.
if base_eps_iter is None:
base_eps_iter = 2. / 255.
elif 'MNIST' in str(factory.cls):
base_eps = .3
if base_eps_iter is None:
base_eps_iter = .1
else:
raise NotImplementedError(str(factory.cls))
mc_params = {
'eps': base_eps * value_range,
'eps_iter': base_eps_iter * value_range,
'nb_iter': nb_iter,
'clip_min': min_value,
'clip_max': max_val
}
x_data, y_data = dataset.get_set(which_set)
report = {}
semantic = Semantic(model, center, max_val, sess)
mc = MaxConfidence(model, sess=sess)
jobs = [('clean', None, None, None), ('Semantic', semantic, None, None),
('mc', mc, mc_params, mc_batch_size)]
for job in jobs:
name, attack, attack_params, job_batch_size = job
if job_batch_size is None:
job_batch_size = batch_size
t1 = time.time()
packed = correctness_and_confidence(sess,
model,
x_data,
y_data,
batch_size=job_batch_size,
devices=devices,
attack=attack,
attack_params=attack_params)
t2 = time.time()
print("Evaluation took", t2 - t1, "seconds")
correctness, confidence = packed
report[name] = {'correctness': correctness, 'confidence': confidence}
print_stats(correctness, confidence, name)
save(report_path, report)
def cifar10_tutorial(train_start=0,
train_end=60000,
test_start=0,
test_end=10000,
nb_epochs=NB_EPOCHS,
batch_size=BATCH_SIZE,
learning_rate=LEARNING_RATE,
clean_train=CLEAN_TRAIN,
testing=False,
backprop_through_attack=BACKPROP_THROUGH_ATTACK,
nb_filters=NB_FILTERS,
num_threads=None,
label_smoothing=0.1,
adversarial_training=ADVERSARIAL_TRAINING):
"""
CIFAR10 cleverhans tutorial
:param train_start: index of first training set example
:param train_end: index of last training set example
:param test_start: index of first test set example
:param test_end: index of last test set example
:param nb_epochs: number of epochs to train model
:param batch_size: size of training batches
:param learning_rate: learning rate for training
:param clean_train: perform normal training on clean examples only
before performing adversarial training.
:param testing: if true, complete an AccuracyReport for unit tests
to verify that performance is adequate
:param backprop_through_attack: If True, backprop through adversarial
example construction process during
adversarial training.
:param label_smoothing: float, amount of label smoothing for cross entropy
:param adversarial_training: True means using adversarial training
:return: an AccuracyReport object
"""
# Object used to keep track of (and return) key accuracies
report = AccuracyReport()
# Set TF random seed to improve reproducibility
tf.set_random_seed(1234)
# Set logging level to see debug information
set_log_level(logging.DEBUG)
# Create TF session
if num_threads:
config_args = dict(intra_op_parallelism_threads=1)
else:
# put data on cpu and gpu both
config_args = dict(allow_soft_placement=True)
sess = tf.Session(config=tf.ConfigProto(**config_args))
# Get CIFAR10 data
data = CIFAR10(train_start=train_start,
train_end=train_end,
test_start=test_start,
test_end=test_end)
dataset_size = data.x_train.shape[0]
dataset_train = data.to_tensorflow()[0]
dataset_train = dataset_train.map(
lambda x, y: (random_shift(random_horizontal_flip(x)), y), 4)
dataset_train = dataset_train.batch(batch_size)
dataset_train = dataset_train.prefetch(16)
x_train, y_train = data.get_set('train')
x_test, y_test = data.get_set('test')
# Use Image Parameters
img_rows, img_cols, nchannels = x_test.shape[1:4]
nb_classes = y_test.shape[1]
# Define input TF placeholder
x = tf.placeholder(tf.float32, shape=(None, img_rows, img_cols, nchannels))
y = tf.placeholder(tf.float32, shape=(None, nb_classes))
# Train an MNIST model
train_params = {
'nb_epochs': nb_epochs,
'batch_size': batch_size,
'learning_rate': learning_rate
}
eval_params = {'batch_size': batch_size}
bim_params = {
'eps': 0.5,
'clip_min': 0.,
'eps_iter': 0.002,
'nb_iter': 10,
'clip_max': 1.,
'ord': np.inf
}
rng = np.random.RandomState([2017, 8, 30])
def do_eval(preds, x_set, y_set, report_key, is_adv=None):
acc = model_eval(sess, x, y, preds, x_set, y_set, args=eval_params)
setattr(report, report_key, acc)
if is_adv is None:
report_text = None
elif is_adv:
report_text = 'adversarial'
else:
report_text = 'legitimate'
if report_text:
print('Test accuracy on %s examples: %0.4f' % (report_text, acc))
if clean_train:
model = ModelAllConvolutional('model1',
nb_classes,
nb_filters,
input_shape=[32, 32, 3])
preds = model.get_logits(x)
loss = CrossEntropy(model, smoothing=label_smoothing)
def evaluate():
do_eval(preds, x_test, y_test, 'clean_train_clean_eval', False)
"""
when training, evaluating can be happened
"""
train(sess,
loss,
None,
None,
dataset_train=dataset_train,
dataset_size=dataset_size,
evaluate=evaluate,
args=train_params,
rng=rng,
var_list=model.get_params())
# save model
# Calculate training error
if testing:
do_eval(preds, x_train, y_train, 'train_clean_train_clean_eval')
# Initialize the Basic Iterative Method (BIM) attack object and
# graph
for i in range(20):
bim = BasicIterativeMethod(model, sess=sess)
adv_x = bim.generate(x, **bim_params)
preds_adv = model.get_logits(adv_x)
# Evaluate the accuracy of the MNIST model on adversarial examples
print("eps:%0.2f" %
(bim_params["eps_iter"] * bim_params['nb_iter']))
do_eval(preds_adv, x_test, y_test, 'clean_train_adv_eval', True)
bim_params["eps_iter"] = bim_params["eps_iter"] + 0.002
# Calculate training error
if testing:
do_eval(preds_adv, x_train, y_train, 'train_clean_train_adv_eval')
if not adversarial_training:
return report
print('Repeating the process, using adversarial training')
# Create a new model and train it to be robust to BasicIterativeMethod
model2 = ModelAllConvolutional('model2',
nb_classes,
nb_filters,
input_shape=[32, 32, 3])
bim2 = BasicIterativeMethod(model2, sess=sess)
def attack(x):
return bim2.generate(x, **bim_params)
# add attack to loss
loss2 = CrossEntropy(model2, smoothing=label_smoothing, attack=attack)
preds2 = model2.get_logits(x)
adv_x2 = attack(x)
if not backprop_through_attack:
# For the fgsm attack used in this tutorial, the attack has zero
# gradient so enabling this flag does not change the gradient.
# For some other attacks, enabling this flag increases the cost of
# training, but gives the defender the ability to anticipate how
# the attacker will change their strategy in response to updates to
# the defender's parameters.
adv_x2 = tf.stop_gradient(adv_x2)
preds2_adv = model2.get_logits(adv_x2)
def evaluate2():
# Accuracy of adversarially trained model on legitimate test inputs
do_eval(preds2, x_test, y_test, 'adv_train_clean_eval', False)
# Accuracy of the adversarially trained model on adversarial examples
do_eval(preds2_adv, x_test, y_test, 'adv_train_adv_eval', True)
# Perform and evaluate adversarial training
train(sess,
loss2,
None,
None,
dataset_train=dataset_train,
dataset_size=dataset_size,
evaluate=evaluate2,
args=train_params,
rng=rng,
var_list=model2.get_params())
# Calculate training errors
if testing:
do_eval(preds2, x_train, y_train, 'train_adv_train_clean_eval')
do_eval(preds2_adv, x_train, y_train, 'train_adv_train_adv_eval')
return report
def mnist_blackbox(train_start=0,
train_end=60000,
test_start=0,
test_end=10000,
nb_classes=10,
batch_size=128,
learning_rate=0.001,
nb_epochs=10,
holdout=150,
data_aug=6,
nb_epochs_s=10,
lmbda=0.1):
"""
MNIST tutorial for the black-box attack from arxiv.org/abs/1602.02697
:param train_start: index of first training set example
:param train_end: index of last training set example
:param test_start: index of first test set example
:param test_end: index of last test set example
:return: a dictionary with:
* black-box model accuracy on test set
* substitute model accuracy on test set
* black-box model accuracy on adversarial examples transferred
from the substitute model
"""
# Set logging level to see debug information
set_log_level(logging.DEBUG)
# Dictionary used to keep track and return key accuracies
accuracies = {}
# Perform tutorial setup
assert setup_tutorial()
# Create TF session
sess = tf.Session()
# Get MNIST data
X_train, Y_train, X_test, Y_test = data_mnist(train_start=train_start,
train_end=train_end,
test_start=test_start,
test_end=test_end)
# Initialize substitute training set reserved for adversary
X_sub = X_test[:holdout]
Y_sub = np.argmax(Y_test[:holdout], axis=1)
# Redefine test set as remaining samples unavailable to adversaries
X_test = X_test[holdout:]
Y_test = Y_test[holdout:]
# Define input and output TF placeholders
x = tf.placeholder(tf.float32, shape=(None, 28, 28, 1))
y = tf.placeholder(tf.float32, shape=(None, 10))
# Simulate the black-box model locally
# You could replace this by a remote labeling API for instance
print("Preparing the black-box model.")
prep_bbox_out = prep_bbox(sess, x, y, X_train, Y_train, X_test, Y_test,
nb_epochs, batch_size, learning_rate)
model, bbox_preds, accuracies['bbox'] = prep_bbox_out
# Train substitute using method from https://arxiv.org/abs/1602.02697
print("Training the substitute model.")
train_sub_out = train_sub(sess, x, y, bbox_preds, X_sub, Y_sub, nb_classes,
nb_epochs_s, batch_size, learning_rate, data_aug,
lmbda)
model_sub, preds_sub = train_sub_out
# Evaluate the substitute model on clean test examples
eval_params = {'batch_size': batch_size}
acc = model_eval(sess, x, y, preds_sub, X_test, Y_test, args=eval_params)
accuracies['sub'] = acc
# Initialize the Fast Gradient Sign Method (FGSM) attack object.
fgsm_par = {'eps': 0.3, 'ord': np.inf, 'clip_min': 0., 'clip_max': 1.}
fgsm = FastGradientMethod(model_sub, sess=sess)
# Craft adversarial examples using the substitute
eval_params = {'batch_size': batch_size}
x_adv_sub = fgsm.generate(x, **fgsm_par)
# Evaluate the accuracy of the "black-box" model on adversarial examples
accuracy = model_eval(sess,
x,
y,
model(x_adv_sub),
X_test,
Y_test,
args=eval_params)
print('Test accuracy of oracle on adversarial examples generated '
'using the substitute: ' + str(accuracy))
accuracies['bbox_on_sub_adv_ex'] = accuracy
return accuracies
def JSMA_FGSM_BIM_EN_DF(train_start=0,
train_end=60000,
test_start=0,
test_end=10000,
nb_epochs=6,
batch_size=128,
learning_rate=0.001,
clean_train=True,
testing=False,
backprop_through_attack=False,
nb_filters=64):
"""
MNIST cleverhans tutorial
:param train_start: index of first training set example
:param train_end: index of last training set example
:param test_start: index of first test set example
:param test_end: index of last test set example
:param nb_epochs: number of epochs to train model
:param batch_size: size of training batches
:param learning_rate: learning rate for training
:param clean_train: perform normal training on clean examples only
before performing adversarial training.
:param testing: if true, complete an AccuracyReport for unit tests
to verify that performance is adequate
:param backprop_through_attack: If True, backprop through adversarial
example construction process during
adversarial training.
:param clean_train: if true, train on clean examples
:return: an AccuracyReport object
"""
# Object used to keep track of (and return) key accuracies
report = AccuracyReport()
# Set TF random seed to improve reproducibility
tf.set_random_seed(1234)
# Set logging level to see debug information
set_log_level(logging.DEBUG)
# Create TF session
sess = tf.Session()
# Get MNIST test data
X_train, Y_train, X_test, Y_test = data_mnist(train_start=train_start,
train_end=train_end,
test_start=test_start,
test_end=test_end)
source_samples = batch_size
# Use label smoothing
# Hopefully this doesn't screw up JSMA...
assert Y_train.shape[1] == 10
label_smooth = .1
Y_train = Y_train.clip(label_smooth / 9., 1. - label_smooth)
# Define input TF placeholder
x = tf.placeholder(tf.float32, shape=(None, 28, 28, 1))
y = tf.placeholder(tf.float32, shape=(None, 10))
model_path = "models/mnist"
# Train an MNIST model
train_params = {
'nb_epochs': nb_epochs,
'batch_size': batch_size,
'learning_rate': learning_rate
}
eval_par = {'batch_size': batch_size}
rng = np.random.RandomState([2017, 8, 30])
if clean_train:
model = make_basic_cnn(nb_filters=nb_filters)
preds = model.get_probs(x)
def evaluate():
# Evaluate the accuracy of the MNIST model on legitimate test
# examples
eval_params = {'batch_size': batch_size}
acc = model_eval(sess,
x,
y,
preds,
X_test,
Y_test,
args=eval_params)
report.clean_train_clean_eval = acc
assert X_test.shape[0] == test_end - test_start, X_test.shape
print('Test accuracy on legitimate examples: %0.4f' % acc)
model_train(sess,
x,
y,
preds,
X_train,
Y_train,
evaluate=evaluate,
args=train_params,
rng=rng)
print("#####Starting attacks on clean model#####")
#################################################################
#Clean test against JSMA
jsma_params = {
'theta': 1.,
'gamma': 0.1,
'clip_min': 0.,
'clip_max': 1.,
'y_target': None
}
jsma = SaliencyMapMethod(model, back='tf', sess=sess)
adv_x = jsma.generate(x, **jsma_params)
preds_adv = model.get_probs(adv_x)
# Evaluate the accuracy of the MNIST model on FGSM adversarial examples
acc = model_eval(sess, x, y, preds_adv, X_test, Y_test, args=eval_par)
print('Clean test accuracy on JSMA adversarial examples: %0.4f' % acc)
################################################################
#Clean test against FGSM
fgsm_params = {'eps': 0.3, 'clip_min': 0., 'clip_max': 1.}
fgsm = FastGradientMethod(model, sess=sess)
adv_x = fgsm.generate(x, **fgsm_params)
preds_adv = model.get_probs(adv_x)
# Evaluate the accuracy of the MNIST model on FGSM adversarial examples
acc = model_eval(sess, x, y, preds_adv, X_test, Y_test, args=eval_par)
print('Clean test accuracy on FGSM adversarial examples: %0.4f' % acc)
################################################################
#Clean test against BIM
bim_params = {
'eps': 0.3,
'eps_iter': 0.01,
'nb_iter': 100,
'clip_min': 0.,
'clip_max': 1.
}
bim = BasicIterativeMethod(model, sess=sess)
adv_x = bim.generate(x, **bim_params)
preds_adv = model.get_probs(adv_x)
# Evaluate the accuracy of the MNIST model on FGSM adversarial examples
acc = model_eval(sess, x, y, preds_adv, X_test, Y_test, args=eval_par)
print('Clean test accuracy on BIM adversarial examples: %0.4f' % acc)
################################################################
#Clean test against EN
en_params = {
'binary_search_steps': 1,
#'y': None,
'max_iterations': 100,
'learning_rate': 0.1,
'batch_size': source_samples,
'initial_const': 10
}
en = ElasticNetMethod(model, back='tf', sess=sess)
adv_x = en.generate(x, **en_params)
preds_adv = model.get_probs(adv_x)
# Evaluate the accuracy of the MNIST model on FGSM adversarial examples
acc = model_eval(sess, x, y, preds_adv, X_test, Y_test, args=eval_par)
print('Clean test accuracy on EN adversarial examples: %0.4f' % acc)
################################################################
#Clean test against DF
deepfool_params = {
'nb_candidate': 10,
'overshoot': 0.02,
'max_iter': 50,
'clip_min': 0.,
'clip_max': 1.
}
deepfool = DeepFool(model, sess=sess)
adv_x = deepfool.generate(x, **deepfool_params)
preds_adv = model.get_probs(adv_x)
# Evaluate the accuracy of the MNIST model on FGSM adversarial examples
acc = model_eval(sess, x, y, preds_adv, X_test, Y_test, args=eval_par)
print('Clean test accuracy on DF adversarial examples: %0.4f' % acc)
################################################################
#Clean test against VAT
vat_params = {
'eps': 2.0,
'num_iterations': 1,
'xi': 1e-6,
'clip_min': 0.,
'clip_max': 1.
}
vat = VirtualAdversarialMethod(model, sess=sess)
adv_x = vat.generate(x, **vat_params)
preds_adv = model.get_probs(adv_x)
# Evaluate the accuracy of the MNIST model on FGSM adversarial examples
acc = model_eval(sess, x, y, preds_adv, X_test, Y_test, args=eval_par)
print('Clean test accuracy on VAT adversarial examples: %0.4f\n' % acc)
################################################################
print("Repeating the process, using adversarial training\n")
# Redefine TF model graph
model_2 = make_basic_cnn(nb_filters=nb_filters)
preds_2 = model_2(x)
#################################################################
#Adversarial test against JSMA
jsma_params = {
'theta': 1.,
'gamma': 0.1,
'clip_min': 0.,
'clip_max': 1.,
'y_target': None
}
jsma = SaliencyMapMethod(model, back='tf', sess=sess)
adv_x = jsma.generate(x, **jsma_params)
preds_adv_jsma = model.get_probs(adv_x)
################################################################
#Adversarial test against FGSM
fgsm_params = {'eps': 0.3, 'clip_min': 0., 'clip_max': 1.}
fgsm = FastGradientMethod(model, sess=sess)
adv_x = fgsm.generate(x, **fgsm_params)
preds_adv_fgsm = model.get_probs(adv_x)
################################################################
#Adversarial test against BIM
bim_params = {
'eps': 0.3,
'eps_iter': 0.01,
'nb_iter': 100,
'clip_min': 0.,
'clip_max': 1.
}
bim = BasicIterativeMethod(model, sess=sess)
adv_x = bim.generate(x, **bim_params)
preds_adv_bim = model.get_probs(adv_x)
################################################################
#Adversarial test against EN
en_params = {
'binary_search_steps': 5,
#'y': None,
'max_iterations': 100,
'learning_rate': 0.1,
'batch_size': source_samples,
'initial_const': 10
}
en = ElasticNetMethod(model, back='tf', sess=sess)
adv_x = en.generate(x, **en_params)
preds_adv_en = model.get_probs(adv_x)
################################################################
#Adversarial test against DF
deepfool_params = {
'nb_candidate': 10,
'overshoot': 0.02,
'max_iter': 200,
'clip_min': 0.,
'clip_max': 1.
}
deepfool = DeepFool(model, sess=sess)
adv_x = deepfool.generate(x, **deepfool_params)
preds_adv_df = model.get_probs(adv_x)
################################################################
#Adversarial test against VAT
vat_params = {
'eps': 2.0,
'num_iterations': 1,
'xi': 1e-6,
'clip_min': 0.,
'clip_max': 1.
}
vat = VirtualAdversarialMethod(model, sess=sess)
adv_x = vat.generate(x, **vat_params)
preds_adv_vat = model.get_probs(adv_x)
################################################################
print("#####Evaluate trained model#####")
def evaluate_2():
# Evaluate the accuracy of the MNIST model on JSMA adversarial examples
acc = model_eval(sess,
x,
y,
preds_adv_jsma,
X_test,
Y_test,
args=eval_par)
print('Test accuracy on JSMA adversarial examples: %0.4f' % acc)
# Evaluate the accuracy of the MNIST model on FGSM adversarial examples
acc = model_eval(sess,
x,
y,
preds_adv_fgsm,
X_test,
Y_test,
args=eval_par)
print('Test accuracy on FGSM adversarial examples: %0.4f' % acc)
# Evaluate the accuracy of the MNIST model on BIM adversarial examples
acc = model_eval(sess,
x,
y,
preds_adv_bim,
X_test,
Y_test,
args=eval_par)
print('Test accuracy on BIM adversarial examples: %0.4f' % acc)
# Evaluate the accuracy of the MNIST model on EN adversarial examples
acc = model_eval(sess,
x,
y,
preds_adv_en,
X_test,
Y_test,
args=eval_par)
print('Test accuracy on EN adversarial examples: %0.4f' % acc)
# Evaluate the accuracy of the MNIST model on DF adversarial examples
acc = model_eval(sess,
x,
y,
preds_adv_df,
X_test,
Y_test,
args=eval_par)
print('Test accuracy on DF adversarial examples: %0.4f' % acc)
# Evaluate the accuracy of the MNIST model on VAT adversarial examples
acc = model_eval(sess,
x,
y,
preds_adv_vat,
X_test,
Y_test,
args=eval_par)
print('Test accuracy on VAT adversarial examples: %0.4f\n' % acc)
preds_2_adv = [
preds_adv_jsma, preds_adv_fgsm, preds_adv_bim, preds_adv_en,
preds_adv_df
]
model_train(sess,
x,
y,
preds_2,
X_train,
Y_train,
predictions_adv=preds_2_adv,
evaluate=evaluate_2,
args=train_params,
rng=rng)
def mnist_tutorial(train_start=0,
train_end=60000,
test_start=0,
test_end=10000,
nb_epochs=6,
batch_size=128,
learning_rate=0.001,
clean_train=True,
testing=False,
backprop_through_attack=False,
nb_filters=64):
"""
MNIST cleverhans tutorial
:param train_start: index of first training set example
:param train_end: index of last training set example
:param test_start: index of first test set example
:param test_end: index of last test set example
:param nb_epochs: number of epochs to train model
:param batch_size: size of training batches
:param learning_rate: learning rate for training
:param clean_train: perform normal training on clean examples only
before performing adversarial training.
:param testing: if true, complete an AccuracyReport for unit tests
to verify that performance is adequate
:param backprop_through_attack: If True, backprop through adversarial
example construction process during
adversarial training.
:param clean_train: if true, train on clean examples
:return: an AccuracyReport object
"""
# Object used to keep track of (and return) key accuracies
report = AccuracyReport()
# Set TF random seed to improve reproducibility
tf.set_random_seed(1234)
# Set logging level to see debug information
set_log_level(logging.DEBUG)
# Create TF session
sess = tf.Session()
# Get MNIST test data
X_train, Y_train, X_test, Y_test = data_mnist(train_start=train_start,
train_end=train_end,
test_start=test_start,
test_end=test_end)
# Use label smoothing
assert Y_train.shape[1] == 10
label_smooth = .1
Y_train = Y_train.clip(label_smooth / 9., 1. - label_smooth)
# Define input TF placeholder
x = tf.placeholder(tf.float32, shape=(None, 28, 28, 1))
y = tf.placeholder(tf.float32, shape=(None, 10))
model_path = "models/mnist"
# Train an MNIST model
train_params = {
'nb_epochs': nb_epochs,
'batch_size': batch_size,
'learning_rate': learning_rate
}
fgsm_params = {'eps': 0.3, 'clip_min': 0., 'clip_max': 1.}
bim_params = {
'eps': 0.3,
'eps_iter': 0.01,
'nb_iter': 100,
'clip_min': 0.,
'clip_max': 1.
}
rng = np.random.RandomState([2017, 8, 30])
if clean_train:
model = make_basic_cnn(nb_filters=nb_filters)
preds = model.get_probs(x)
def evaluate():
# Evaluate the accuracy of the MNIST model on legitimate test
# examples
eval_params = {'batch_size': batch_size}
acc = model_eval(sess,
x,
y,
preds,
X_test,
Y_test,
args=eval_params)
report.clean_train_clean_eval = acc
assert X_test.shape[0] == test_end - test_start, X_test.shape
print('Test accuracy on legitimate examples: %0.4f' % acc)
model_train(sess,
x,
y,
preds,
X_train,
Y_train,
evaluate=evaluate,
args=train_params,
rng=rng)
# Calculate training error
if testing:
eval_params = {'batch_size': batch_size}
acc = model_eval(sess,
x,
y,
preds,
X_train,
Y_train,
args=eval_params)
report.train_clean_train_clean_eval = acc
# Initialize the Fast Gradient Sign Method (FGSM) attack object and
# graph
fgsm = FastGradientMethod(model, sess=sess)
adv_x = fgsm.generate(x, **fgsm_params)
preds_adv = model.get_probs(adv_x)
# Evaluate the accuracy of the MNIST model on FGSM adversarial examples
eval_par = {'batch_size': batch_size}
acc = model_eval(sess, x, y, preds_adv, X_test, Y_test, args=eval_par)
print('Test accuracy on FGSM adversarial examples: %0.4f\n' % acc)
# Calculate training error
if testing:
eval_par = {'batch_size': batch_size}
acc = model_eval(sess,
x,
y,
preds_adv,
X_train,
Y_train,
args=eval_par)
report.train_clean_train_adv_eval = acc
# Init the Basic Iterative Method attack object and graph
bim = BasicIterativeMethod(model, sess=sess)
adv_x_2 = bim.generate(x, **bim_params)
preds_adv_2 = model.get_probs(adv_x_2)
# Evaluate the accuracy of the MNIST model on Basic Iterative Method adversarial examples
acc = model_eval(sess,
x,
y,
preds_adv_2,
X_test,
Y_test,
args=eval_par)
print(
'Test accuracy on Basic Iterative Method adversarial examples: %0.4f\n'
% acc)
# Calculate training error
if testing:
eval_par = {'batch_size': batch_size}
acc = model_eval(sess,
x,
y,
preds_adv,
X_train,
Y_train,
args=eval_par)
report.train_clean_train_adv_eval = acc
print("Repeating the process, using adversarial training")
# Redefine TF model graph
model_2 = make_basic_cnn(nb_filters=nb_filters)
preds_2 = model_2(x)
fgsm2 = FastGradientMethod(model_2, sess=sess)
adv_x_fgsm = fgsm2.generate(x, **fgsm_params)
if not backprop_through_attack:
# For the fgsm attack used in this tutorial, the attack has zero
# gradient so enabling this flag does not change the gradient.
# For some other attacks, enabling this flag increases the cost of
# training, but gives the defender the ability to anticipate how
# the atacker will change their strategy in response to updates to
# the defender's parameters.
adv_x_fgsm = tf.stop_gradient(adv_x_fgsm)
preds_2_adv_fgsm = model_2(adv_x_fgsm)
bim2 = BasicIterativeMethod(model_2, sess=sess)
adv_x_bim = bim2.generate(x, **bim_params)
preds_2_adv_bim = model_2(adv_x_bim)
# X_train_rep = np.tile(X_train, [2, 1, 1, 1])
# Y_train_rep = np.tile(Y_train, [2, 1])
# preds_2_rep = tf.tile(preds_2, [2, 1])
# preds_2_adv = model_2(tf.concat([adv_x_fgsm, adv_x_bim], 0))
#
# # Perform and evaluate adversarial training
# model_train(sess, x, y, preds_2_rep, X_train_rep, Y_train_rep,
# predictions_adv=preds_2_adv,
# args=train_params, rng=rng)
def evaluate_2():
# evaluate the final result of the model
eval_params = {'batch_size': batch_size}
accuracy = model_eval(sess,
x,
y,
preds_2,
X_test,
Y_test,
args=eval_params)
print('Test accuracy on legitimate examples: %0.4f' % accuracy)
# Accuracy of the adversarially trained model on FGSM adversarial examples
accuracy = model_eval(sess,
x,
y,
preds_2_adv_fgsm,
X_test,
Y_test,
args=eval_params)
print('Test accuracy on FGSM adversarial examples: %0.4f' % accuracy)
# Accuracy of the adversarially trained model on Basic Iterative Method adversarial examples
accuracy = model_eval(sess,
x,
y,
preds_2_adv_bim,
X_test,
Y_test,
args=eval_params)
print('Test accuracy on BIM adversarial examples: %0.4f' % accuracy)
preds_2_adv = [preds_2_adv_fgsm, preds_2_adv_bim]
model_train(sess,
x,
y,
preds_2,
X_train,
Y_train,
predictions_adv=preds_2_adv,
evaluate=evaluate_2,
args=train_params,
rng=rng)
return report
def mnist_tutorial_jsma(train_start=0,
train_end=60000,
test_start=0,
test_end=10000,
viz_enabled=VIZ_ENABLED,
nb_epochs=NB_EPOCHS,
batch_size=BATCH_SIZE,
source_samples=SOURCE_SAMPLES,
learning_rate=LEARNING_RATE):
"""
MNIST tutorial for the Jacobian-based saliency map approach (JSMA)
:param train_start: index of first training set example
:param train_end: index of last training set example
:param test_start: index of first test set example
:param test_end: index of last test set example
:param viz_enabled: (boolean) activate plots of adversarial examples
:param nb_epochs: number of epochs to train model
:param batch_size: size of training batches
:param nb_classes: number of output classes
:param source_samples: number of test inputs to attack
:param learning_rate: learning rate for training
:return: an AccuracyReport object
"""
# Object used to keep track of (and return) key accuracies
report = AccuracyReport()
# Set TF random seed to improve reproducibility
tf.set_random_seed(1234)
# Create TF session and set as Keras backend session
sess = tf.Session()
print("Created TensorFlow session.")
set_log_level(logging.DEBUG)
### CHANGE DATASET ###
# Get MNIST test data
mnist = MNIST_67(train_start=train_start,
train_end=train_end,
test_start=test_start,
test_end=test_end)
x_train, y_train = mnist.get_set('train')
x_test, y_test = mnist.get_set('test')
# Obtain Image Parameters
img_rows, img_cols, nchannels = x_train.shape[1:4]
nb_classes = y_train.shape[1]
# Define input TF placeholder
x = tf.placeholder(tf.float32, shape=(None, img_rows, img_cols, nchannels))
y = tf.placeholder(tf.float32, shape=(None, nb_classes))
nb_filters = 64
# Define TF model graph
model = ModelBasicCNN('model1', nb_classes, nb_filters)
preds = model.get_logits(x)
loss = CrossEntropy(model, smoothing=0.1)
print("Defined TensorFlow model graph.")
###########################################################################
# Training the model using TensorFlow
###########################################################################
# Train an MNIST model
train_params = {
'nb_epochs': nb_epochs,
'batch_size': batch_size,
'learning_rate': learning_rate
}
sess.run(tf.global_variables_initializer())
rng = np.random.RandomState([2017, 8, 30])
train(sess, loss, x_train, y_train, args=train_params, rng=rng)
# Evaluate the accuracy of the MNIST model on legitimate test examples
eval_params = {'batch_size': batch_size}
### TEST ON TRAIN DATA ###
accuracy = model_eval(sess,
x,
y,
preds,
x_test,
y_test,
save_logit=False,
args=eval_params)
# assert x_test.shape[0] == test_end - test_start, x_test.shape
print('Test accuracy on legitimate test examples: {0}'.format(accuracy))
report.clean_train_clean_eval = accuracy
###########################################################################
# Craft adversarial examples using the Jacobian-based saliency map approach
###########################################################################
print('Crafting ' + str(source_samples) + ' * ' + str(nb_classes - 1) +
' adversarial examples')
# Keep track of success (adversarial example classified in target)
results = np.zeros((nb_classes, source_samples), dtype='i')
# Rate of perturbed features for each test set example and target class
perturbations = np.zeros((nb_classes, source_samples), dtype='f')
# Initialize our array for grid visualization
grid_shape = (nb_classes, nb_classes, img_rows, img_cols, nchannels)
grid_viz_data = np.zeros(grid_shape, dtype='f')
# Instantiate a SaliencyMapMethod attack object
jsma = SaliencyMapMethod(model, sess=sess)
jsma_params = {
'theta': 1.,
'gamma': 0.1,
'clip_min': 0.,
'clip_max': 1.,
'y_target': None
}
figure = None
# Loop over the samples we want to perturb into adversarial examples
for sample_ind in xrange(0, source_samples):
print('--------------------------------------')
print('Attacking input %i/%i' % (sample_ind + 1, source_samples))
sample = x_test[sample_ind:(sample_ind + 1)]
# We want to find an adversarial example for each possible target class
# (i.e. all classes that differ from the label given in the dataset)
current_class = int(np.argmax(y_test[sample_ind]))
target_classes = other_classes(nb_classes, current_class)
# For the grid visualization, keep original images along the diagonal
grid_viz_data[current_class, current_class, :, :, :] = np.reshape(
sample, (img_rows, img_cols, nchannels))
# Loop over all target classes
for target in target_classes:
print('Generating adv. example for target class %i' % target)
# This call runs the Jacobian-based saliency map approach
one_hot_target = np.zeros((1, nb_classes), dtype=np.float32)
one_hot_target[0, target] = 1
jsma_params['y_target'] = one_hot_target
adv_x = jsma.generate_np(sample, **jsma_params)
# Check if success was achieved
res = int(model_argmax(sess, x, preds, adv_x) == target)
# Computer number of modified features
adv_x_reshape = adv_x.reshape(-1)
test_in_reshape = x_test[sample_ind].reshape(-1)
nb_changed = np.where(adv_x_reshape != test_in_reshape)[0].shape[0]
percent_perturb = float(nb_changed) / adv_x.reshape(-1).shape[0]
# Display the original and adversarial images side-by-side
if viz_enabled:
figure = pair_visual(
np.reshape(sample, (img_rows, img_cols, nchannels)),
np.reshape(adv_x, (img_rows, img_cols, nchannels)), figure)
# Add our adversarial example to our grid data
grid_viz_data[target, current_class, :, :, :] = np.reshape(
adv_x, (img_rows, img_cols, nchannels))
# Update the arrays for later analysis
results[target, sample_ind] = res
perturbations[target, sample_ind] = percent_perturb
print('--------------------------------------')
# Compute the number of adversarial examples that were successfully found
nb_targets_tried = ((nb_classes - 1) * source_samples)
succ_rate = float(np.sum(results)) / nb_targets_tried
print('Avg. rate of successful adv. examples {0:.4f}'.format(succ_rate))
report.clean_train_adv_eval = 1. - succ_rate
# Compute the average distortion introduced by the algorithm
percent_perturbed = np.mean(perturbations)
print('Avg. rate of perturbed features {0:.4f}'.format(percent_perturbed))
# Compute the average distortion introduced for successful samples only
percent_perturb_succ = np.mean(perturbations * (results == 1))
print('Avg. rate of perturbed features for successful '
'adversarial examples {0:.4f}'.format(percent_perturb_succ))
# Close TF session
sess.close()
# Finally, block & display a grid of all the adversarial examples
if viz_enabled:
import matplotlib.pyplot as plt
plt.close(figure)
_ = grid_visual(grid_viz_data)
return report
def whitebox(gan,
rec_data_path=None,
batch_size=128,
learning_rate=0.001,
nb_epochs=10,
eps=0.3,
online_training=False,
test_on_dev=False,
attack_type='fgsm',
defense_type='gan',
num_tests=-1,
num_train=-1,
cfg=None):
"""Based on MNIST tutorial from cleverhans.
Args:
gan: A `GAN` model.
rec_data_path: A string to the directory.
batch_size: The size of the batch.
learning_rate: The learning rate for training the target models.
nb_epochs: Number of epochs for training the target model.
eps: The epsilon of FGSM.
online_training: Training Defense-GAN with online reconstruction. The
faster but less accurate way is to reconstruct the dataset once and use
it to train the target models with:
`python train.py --cfg <path-to-model> --save_recs`
attack_type: Type of the white-box attack. It can be `fgsm`,
`rand+fgsm`, or `cw`.
defense_type: String representing the type of attack. Can be `none`,
`defense_gan`, or `adv_tr`.
"""
FLAGS = tf.flags.FLAGS
rng = np.random.RandomState([11, 24, 1990])
# Set logging level to see debug information.
set_log_level(logging.WARNING)
### Attack paramters
eps = attack_config_dict[gan.dataset_name]['eps']
min_val = attack_config_dict[gan.dataset_name]['clip_min']
attack_iterations = FLAGS.attack_iters
search_steps = FLAGS.search_steps
train_images, train_labels, test_images, test_labels = get_cached_gan_data(
gan, test_on_dev, orig_data_flag=True)
sess = gan.sess
# if defense_type == 'defense_gan':
# assert gan is not None
# sess = gan.sess
#
# if FLAGS.train_on_recs:
# assert rec_data_path is not None or online_training
# else:
# config = tf.ConfigProto()
# config.gpu_options.allow_growth = True
# sess = tf.Session(config=config)
# Classifier is trained on either original data or reconstructed data.
# During testing, the input image will be reconstructed by GAN.
# Therefore, we use rec_test_images as input to the classifier.
# When evaluating defense_gan with attack, input should be test_images.
x_shape = [None] + list(train_images.shape[1:])
images_pl = tf.placeholder(tf.float32,
shape=[None] + list(train_images.shape[1:]))
labels_pl = tf.placeholder(tf.float32,
shape=[None] + [train_labels.shape[1]])
if num_tests > 0:
test_images = test_images[:num_tests]
test_labels = test_labels[:num_tests]
if num_train > 0:
train_images = train_images[:num_train]
train_labels = train_labels[:num_train]
# Creating classificaion model
if gan.dataset_name in ['mnist', 'f-mnist']:
images_pl_transformed = images_pl
models = {
'A': model_a,
'B': model_b,
'C': model_c,
'D': model_d,
'E': model_e,
'F': model_f
}
with tf.variable_scope(tf.get_variable_scope(), reuse=tf.AUTO_REUSE):
model = models[FLAGS.model](input_shape=x_shape,
nb_classes=train_labels.shape[1])
used_vars = model.get_params()
preds_train = model.get_logits(images_pl_transformed, dropout=True)
preds_eval = model.get_logits(images_pl_transformed)
elif gan.dataset_name == 'cifar-10':
images_pl_transformed = images_pl
pre_model = Model('classifiers/model/cifar-10',
tiny=False,
mode='eval',
sess=sess)
with tf.variable_scope(tf.get_variable_scope(), reuse=tf.AUTO_REUSE):
model = DefenseWrapper(pre_model, 'logits')
used_vars = [
x for x in tf.global_variables() if x.name.startswith('model')
]
preds_eval = model.get_logits(images_pl_transformed)
elif gan.dataset_name == 'celeba':
images_pl_transformed = tf.cast(images_pl, tf.float32) / 255. * 2. - 1.
with tf.variable_scope(tf.get_variable_scope(), reuse=tf.AUTO_REUSE):
model = model_y(input_shape=x_shape,
nb_classes=train_labels.shape[1])
used_vars = model.get_params()
preds_train = model.get_logits(images_pl_transformed, dropout=True)
preds_eval = model.get_logits(images_pl_transformed)
# Creating BPDA model
if attack_type in ['bpda', 'bpda-pgd']:
gan_bpda = InvertorDefenseGAN(get_generator_fn(cfg['DATASET_NAME'],
cfg['USE_RESBLOCK']),
cfg=cfg,
test_mode=True)
gan_bpda.checkpoint_dir = cfg['BPDA_ENCODER_CP_PATH']
gan_bpda.generator_init_path = cfg['BPDA_GENERATOR_INIT_PATH']
gan_bpda.active_sess = sess
gan_bpda.load_model()
if gan.dataset_name in ['mnist', 'f-mnist']:
with tf.variable_scope(tf.get_variable_scope(),
reuse=tf.AUTO_REUSE):
attack_model = models[FLAGS.model](
input_shape=x_shape, nb_classes=train_labels.shape[1])
attack_used_vars = attack_model.get_params()
elif gan.dataset_name == 'cifar-10':
pre_model_attack = Model('classifiers/model/cifar-10',
tiny=False,
mode='eval',
sess=sess)
with tf.variable_scope(tf.get_variable_scope(),
reuse=tf.AUTO_REUSE):
attack_model = DefenseWrapper(pre_model_attack, 'logits')
attack_used_vars = [
x for x in tf.global_variables() if x.name.startswith('model')
]
elif gan.dataset_name == 'celeba':
with tf.variable_scope(tf.get_variable_scope(),
reuse=tf.AUTO_REUSE):
attack_model = model_y(input_shape=x_shape,
nb_classes=train_labels.shape[1])
attack_used_vars = attack_model.get_params()
report = AccuracyReport()
def evaluate():
# Evaluate the accuracy of the MNIST model on legitimate test
# examples.
eval_params = {'batch_size': batch_size}
acc = model_eval(sess,
images_pl,
labels_pl,
preds_eval,
test_images,
test_labels,
args=eval_params)
report.clean_train_clean_eval = acc
print('Test accuracy: %0.4f' % acc)
train_params = {
'nb_epochs': nb_epochs,
'batch_size': batch_size,
'learning_rate': learning_rate,
'train_dir': 'classifiers/model/{}'.format(gan.dataset_name),
'filename': 'model_{}'.format(FLAGS.model)
}
preds_adv = None
if FLAGS.defense_type == 'adv_tr':
attack_params = {
'eps': FLAGS.fgsm_eps_tr,
'clip_min': 0.,
'clip_max': 1.
}
if gan:
if gan.dataset_name == 'celeba':
attack_params['clip_min'] = -1.0
attack_obj = FastGradientMethod(model, sess=sess)
adv_x_tr = attack_obj.generate(images_pl_transformed, **attack_params)
adv_x_tr = tf.stop_gradient(adv_x_tr)
preds_adv = model(adv_x_tr)
classifier_load_success = False
if FLAGS.load_classifier:
try:
path = tf.train.latest_checkpoint('classifiers/model/{}'.format(
gan.dataset_name))
saver = tf.train.Saver(var_list=used_vars)
saver.restore(sess, path)
print('[+] Classifier loaded successfully ...')
classifier_load_success = True
except:
print('[-] Cannot load classifier ...')
classifier_load_success = False
if classifier_load_success == False:
print('[+] Training classifier model ...')
model_train(sess,
images_pl,
labels_pl,
preds_train,
train_images,
train_labels,
args=train_params,
rng=rng,
predictions_adv=preds_adv,
init_all=False,
evaluate=evaluate,
save=False)
if attack_type in ['bpda', 'bpda-pgd']:
# Initialize attack model weights with trained model
path = tf.train.latest_checkpoint('classifiers/model/{}'.format(
gan.dataset_name))
saver = tf.train.Saver(var_list=attack_used_vars)
saver.restore(sess, path)
print('[+] Attack model initialized successfully ...')
# Add self.enc_reconstruction
# Only auto-encodes to reconstruct. No GD is performed
attack_model.add_rec_model(gan_bpda, batch_size, ae_flag=True)
# Calculate training error.
eval_params = {'batch_size': batch_size}
# Evaluate trained model
#train_acc = model_eval(sess, images_pl, labels_pl, preds_eval, train_images, train_labels,
# args=eval_params)
# print('[#] Train acc: {}'.format(train_acc))
eval_acc = model_eval(sess,
images_pl,
labels_pl,
preds_eval,
test_images,
test_labels,
args=eval_params)
print('[#] Eval acc: {}'.format(eval_acc))
reconstructor = get_reconstructor(gan)
if attack_type is None:
return eval_acc, 0, None
if 'rand' in FLAGS.attack_type:
test_images = np.clip(
test_images +
args.alpha * np.sign(np.random.randn(*test_images.shape)), min_val,
1.0)
eps -= args.alpha
if 'fgsm' in FLAGS.attack_type:
attack_params = {
'eps': eps,
'ord': np.inf,
'clip_min': min_val,
'clip_max': 1.
}
attack_obj = FastGradientMethod(model, sess=sess)
elif FLAGS.attack_type == 'cw':
attack_obj = CarliniWagnerL2(model, sess=sess)
attack_params = {
'binary_search_steps': 6,
'max_iterations': attack_iterations,
'learning_rate': 0.2,
'batch_size': batch_size,
'clip_min': min_val,
'clip_max': 1.,
'initial_const': 10.0
}
elif FLAGS.attack_type == 'madry':
attack_obj = MadryEtAl(model, sess=sess)
attack_params = {
'eps': eps,
'eps_iter': eps / 4.0,
'clip_min': min_val,
'clip_max': 1.,
'ord': np.inf,
'nb_iter': attack_iterations
}
elif FLAGS.attack_type == 'bpda':
# BPDA + FGSM
attack_params = {
'eps': eps,
'ord': np.inf,
'clip_min': min_val,
'clip_max': 1.
}
attack_obj = FastGradientMethod(attack_model, sess=sess)
elif FLAGS.attack_type == 'bpda-pgd':
# BPDA + PGD
attack_params = {
'eps': eps,
'eps_iter': eps / 4.0,
'clip_min': min_val,
'clip_max': 1.,
'ord': np.inf,
'nb_iter': attack_iterations
}
attack_obj = MadryEtAl(attack_model, sess=sess)
elif FLAGS.attack_type == 'bpda-l2':
# default: lr=1.0, c=0.1
attack_obj = BPDAL2(model, reconstructor, sess=sess)
attack_params = {
'binary_search_steps': search_steps,
'max_iterations': attack_iterations,
'learning_rate': 0.2,
'batch_size': batch_size,
'clip_min': min_val,
'clip_max': 1.,
'initial_const': 10.0
}
adv_x = attack_obj.generate(images_pl_transformed, **attack_params)
if FLAGS.defense_type == 'defense_gan':
recons_adv, zs = reconstructor.reconstruct(adv_x,
batch_size=batch_size,
reconstructor_id=123)
preds_adv = model.get_logits(recons_adv)
sess.run(tf.local_variables_initializer())
diff_op = get_diff_op(model, adv_x, recons_adv, FLAGS.detect_image)
z_norm = tf.reduce_sum(tf.square(zs), axis=1)
acc_adv, diffs_mean, roc_info_adv = model_eval_gan(
sess,
images_pl,
labels_pl,
preds_adv,
None,
test_images=test_images,
test_labels=test_labels,
args=eval_params,
diff_op=diff_op,
z_norm=z_norm,
recons_adv=recons_adv,
adv_x=adv_x,
debug=FLAGS.debug,
vis_dir=_get_vis_dir(gan, FLAGS.attack_type))
# reconstruction on clean images
recons_clean, zs = reconstructor.reconstruct(images_pl_transformed,
batch_size=batch_size)
preds_eval = model.get_logits(recons_clean)
sess.run(tf.local_variables_initializer())
diff_op = get_diff_op(model, images_pl_transformed, recons_clean,
FLAGS.detect_image)
z_norm = tf.reduce_sum(tf.square(zs), axis=1)
acc_rec, diffs_mean_rec, roc_info_rec = model_eval_gan(
sess,
images_pl,
labels_pl,
preds_eval,
None,
test_images=test_images,
test_labels=test_labels,
args=eval_params,
diff_op=diff_op,
z_norm=z_norm,
recons_adv=recons_clean,
adv_x=images_pl,
debug=FLAGS.debug,
vis_dir=_get_vis_dir(gan, 'clean'))
# print('Training accuracy: {}'.format(train_acc))
print('Evaluation accuracy: {}'.format(eval_acc))
print('Evaluation accuracy with reconstruction: {}'.format(acc_rec))
print('Test accuracy on adversarial examples: %0.4f\n' % acc_adv)
return {
'acc_adv': acc_adv,
'acc_rec': acc_rec,
'roc_info_adv': roc_info_adv,
'roc_info_rec': roc_info_rec
}
else:
preds_adv = model.get_logits(adv_x)
sess.run(tf.local_variables_initializer())
acc_adv = model_eval(sess,
images_pl,
labels_pl,
preds_adv,
test_images,
test_labels,
args=eval_params)
print('Test accuracy on adversarial examples: %0.4f\n' % acc_adv)
return {
'acc_adv': acc_adv,
'acc_rec': 0,
'roc_info_adv': None,
'roc_info_rec': None
}
def mnist_blackbox(train_start=0, train_end=60000, test_start=0,
test_end=10000, nb_classes=10, batch_size=128,
learning_rate=0.001, nb_epochs=10, holdout=150, data_aug=6,
nb_epochs_s=10, lmbda=0.1, aug_batch_size=512):
"""
MNIST tutorial for the black-box attack from arxiv.org/abs/1602.02697
:param train_start: index of first training set example
:param train_end: index of last training set example
:param test_start: index of first test set example
:param test_end: index of last test set example
:return: a dictionary with:
* black-box model accuracy on test set
* substitute model accuracy on test set
* black-box model accuracy on adversarial examples transferred
from the substitute model
"""
# Set logging level to see debug information
set_log_level(logging.DEBUG)
# Dictionary used to keep track and return key accuracies
accuracies = {}
# Perform tutorial setup
assert setup_tutorial()
# Create TF session
sess = tf.Session()
# Get MNIST data
x_train, y_train, x_test, y_test = data_mnist(train_start=train_start,
train_end=train_end,
test_start=test_start,
test_end=test_end)
# Initialize substitute training set reserved for adversary
X_sub = x_test[:holdout]
Y_sub = np.argmax(y_test[:holdout], axis=1)
# Redefine test set as remaining samples unavailable to adversaries
x_test = x_test[holdout:]
y_test = y_test[holdout:]
# Obtain Image parameters
img_rows, img_cols, nchannels = x_train.shape[1:4]
nb_classes = y_train.shape[1]
# Define input TF placeholder
x = tf.placeholder(tf.float32, shape=(None, img_rows, img_cols,
nchannels))
y = tf.placeholder(tf.float32, shape=(None, nb_classes))
# Seed random number generator so tutorial is reproducible
rng = np.random.RandomState([2017, 8, 30])
# Simulate the black-box model locally
# You could replace this by a remote labeling API for instance
print("Preparing the black-box model.")
prep_bbox_out = prep_bbox(sess, x, y, x_train, y_train, x_test, y_test,
nb_epochs, batch_size, learning_rate,
rng, nb_classes, img_rows, img_cols, nchannels)
model, bbox_preds, accuracies['bbox'] = prep_bbox_out
# Train substitute using method from https://arxiv.org/abs/1602.02697
print("Training the substitute model.")
train_sub_out = train_sub(sess, x, y, bbox_preds, X_sub, Y_sub,
nb_classes, nb_epochs_s, batch_size,
learning_rate, data_aug, lmbda, aug_batch_size,
rng, img_rows, img_cols, nchannels)
model_sub, preds_sub = train_sub_out
# Evaluate the substitute model on clean test examples
eval_params = {'batch_size': batch_size}
acc = model_eval(sess, x, y, preds_sub, x_test, y_test, args=eval_params)
accuracies['sub'] = acc
# Initialize the Fast Gradient Sign Method (FGSM) attack object.
fgsm_par = {'eps': 0.3, 'ord': np.inf, 'clip_min': 0., 'clip_max': 1.}
fgsm = FastGradientMethod(model_sub, sess=sess)
# Craft adversarial examples using the substitute
eval_params = {'batch_size': batch_size}
x_adv_sub = fgsm.generate(x, **fgsm_par)
# Evaluate the accuracy of the "black-box" model on adversarial examples
accuracy = model_eval(sess, x, y, model.get_logits(x_adv_sub),
x_test, y_test, args=eval_params)
print('Test accuracy of oracle on adversarial examples generated '
'using the substitute: ' + str(accuracy))
accuracies['bbox_on_sub_adv_ex'] = accuracy
return accuracies
def mnist_tutorial(train_start=0,
train_end=1000,
test_start=0,
test_end=1666,
nb_epochs=6,
batch_size=128,
learning_rate=0.001,
clean_train=True,
testing=False,
backprop_through_attack=False,
nb_filters=64,
num_threads=None):
# Object used to keep track of (and return) key accuracies
report = AccuracyReport()
# Set TF random seed to improve reproducibility
tf.set_random_seed(1234)
# Set logging level to see debug information
set_log_level(logging.DEBUG)
# Create TF session
if num_threads:
config_args = dict(intra_op_parallelism_threads=1)
else:
config_args = {}
sess = tf.Session(config=tf.ConfigProto(**config_args))
# Get MNIST test data
x_train, y_train, x_test, y_test = data_mnist(train_start=train_start,
train_end=train_end,
test_start=test_start,
test_end=test_end)
# Define input TF placeholder
x = tf.placeholder(tf.float32, shape=(None, 28, 28, 1))
y = tf.placeholder(tf.float32, shape=(None, 10))
# Train an MNIST model
train_params = {
'nb_epochs': nb_epochs,
'batch_size': batch_size,
'learning_rate': learning_rate
}
eval_params = {'batch_size': batch_size}
fgsm_params = {'eps': 0.3, 'clip_min': 0., 'clip_max': 1.}
rng = np.random.RandomState([2017, 8, 30])
sess = tf.Session()
def do_eval(preds, x_set, y_set, report_key, is_adv=None):
acc = model_eval(sess, x, y, preds, x_set, y_set, args=eval_params)
setattr(report, report_key, acc)
if is_adv is None:
report_text = None
elif is_adv:
report_text = 'adversarial'
# added by hhkim
# print('cur:', y_set)
# feed_dict = {x: x_set}
# probabilities = sess.run(preds, feed_dict)
# print(probabilities)
else:
report_text = 'legitimate'
if report_text:
print('Test accuracy on %s examples: %0.4f' % (report_text, acc))
if clean_train:
model = ModelBasicCNN('model1', 10, nb_filters)
preds = model.get_logits(x)
loss = LossCrossEntropy(model, smoothing=0.1)
def evaluate():
do_eval(preds, x_test, y_test, 'clean_train_clean_eval', False)
train(sess,
loss,
x,
y,
x_train,
y_train,
evaluate=evaluate,
args=train_params,
rng=rng,
var_list=model.get_params())
# Calculate training error
if testing:
do_eval(preds, x_train, y_train, 'train_clean_train_clean_eval')
# Initialize the Fast Gradient Sign Method (FGSM) attack object and
# graph
fgsm = FastGradientMethod(model, sess=sess)
adv_x = fgsm.generate(x, **fgsm_params)
preds_adv = model.get_logits(adv_x)
print('adv_x shape:', adv_x.shape)
# Get array of output
# updated by hak hyun kim
feed_dict = {x: x_test[:1]}
probabilities = sess.run(preds_adv, feed_dict)
print(probabilities)
print('original answer :', y_test[:1])
# Evaluate the accuracy of the MNIST model on adversarial examples
do_eval(preds_adv, x_test[:1], y_test[:1], 'clean_train_adv_eval',
True)
# Calculate training error
if testing:
do_eval(preds_adv, x_train, y_train, 'train_clean_train_adv_eval')
print('Repeating the process, using adversarial training')
def main(argv):
model_file = tf.train.latest_checkpoint(FLAGS.checkpoint_dir)
if model_file is None:
print('No model found')
sys.exit()
cifar = cifar10_input.CIFAR10Data(FLAGS.dataset_dir)
nb_classes = 10
X_test = cifar.eval_data.xs
Y_test = to_categorical(cifar.eval_data.ys, nb_classes)
assert Y_test.shape[1] == 10.
set_log_level(logging.DEBUG)
with tf.Session() as sess:
x = tf.placeholder(tf.float32, shape=(None, 32, 32, 3))
y = tf.placeholder(tf.float32, shape=(None, 10))
from cleverhans.model_zoo.madry_lab_challenges.cifar10_model import make_wresnet
model = make_wresnet()
saver = tf.train.Saver()
# Restore the checkpoint
saver.restore(sess, model_file)
nb_samples = FLAGS.nb_samples
attack_params = {
'batch_size': FLAGS.batch_size,
'clip_min': 0.,
'clip_max': 255.
}
if FLAGS.attack_type == 'cwl2':
from cleverhans.attacks import CarliniWagnerL2
attacker = CarliniWagnerL2(model, sess=sess)
attack_params.update({
'binary_search_steps': 1,
'max_iterations': 100,
'learning_rate': 0.1,
'initial_const': 10,
'batch_size': 10
})
else: # eps and eps_iter in range 0-255
attack_params.update({'eps': 8, 'ord': np.inf})
if FLAGS.attack_type == 'fgsm':
from cleverhans.attacks import FastGradientMethod
attacker = FastGradientMethod(model, sess=sess)
elif FLAGS.attack_type == 'pgd':
attack_params.update({'eps_iter': 2, 'nb_iter': 20})
from cleverhans.attacks import MadryEtAl
attacker = MadryEtAl(model, sess=sess)
eval_par = {'batch_size': FLAGS.batch_size}
if FLAGS.sweep:
max_eps = 16
epsilons = np.linspace(1, max_eps, max_eps)
for e in epsilons:
t1 = time.time()
attack_params.update({'eps': e})
x_adv = attacker.generate(x, **attack_params)
preds_adv = model.get_probs(x_adv)
acc = model_eval(sess,
x,
y,
preds_adv,
X_test[:nb_samples],
Y_test[:nb_samples],
args=eval_par)
print('Epsilon %.2f, accuracy on adversarial' % e,
'examples %0.4f\n' % acc)
t2 = time.time()
else:
t1 = time.time()
x_adv = attacker.generate(x, **attack_params)
preds_adv = model.get_probs(x_adv)
acc = model_eval(sess,
x,
y,
preds_adv,
X_test[:nb_samples],
Y_test[:nb_samples],
args=eval_par)
t2 = time.time()
print('Test accuracy on adversarial examples %0.4f\n' % acc)
print("Took", t2 - t1, "seconds")
def cifar10_tutorial(train_start=0,
train_end=60000,
test_start=0,
test_end=10000,
nb_epochs=NB_EPOCHS,
batch_size=BATCH_SIZE,
architecture=ARCHITECTURE,
load_model=LOAD_MODEL,
ckpt_dir='None',
learning_rate=LEARNING_RATE,
clean_train=CLEAN_TRAIN,
backprop_through_attack=BACKPROP_THROUGH_ATTACK,
nb_filters=NB_FILTERS,
num_threads=None,
label_smoothing=0.):
"""
CIFAR10 cleverhans tutorial
:param train_start: index of first training set example
:param train_end: index of last training set example
:param test_start: index of first test set example
:param test_end: index of last test set example
:param nb_epochs: number of epochs to train model
:param batch_size: size of training batches
:param learning_rate: learning rate for training
:param clean_train: perform normal training on clean examples only
before performing adversarial training.
:param backprop_through_attack: If True, backprop through adversarial
example construction process during
adversarial training.
:param label_smoothing: float, amount of label smoothing for cross entropy
:return: an AccuracyReport object
"""
# Object used to keep track of (and return) key accuracies
report = AccuracyReport()
# Set TF random seed to improve reproducibility
tf.set_random_seed(int(time.time() * 1000) % 2**31)
np.random.seed(int(time.time() * 1001) % 2**31)
# Set logging level to see debug information
set_log_level(logging.DEBUG)
# Create TF session
if num_threads:
config_args = dict(intra_op_parallelism_threads=1)
else:
config_args = {}
sess = tf.Session(config=tf.ConfigProto(**config_args))
# Get CIFAR10 data
data = CIFAR10(train_start=train_start,
train_end=train_end,
test_start=test_start,
test_end=test_end)
dataset_size = data.x_train.shape[0]
dataset_train = data.to_tensorflow()[0]
dataset_train = dataset_train.map(
lambda x, y: (random_shift(random_horizontal_flip(x)), y), 4)
dataset_train = dataset_train.batch(batch_size)
dataset_train = dataset_train.prefetch(16)
x_train, y_train = data.get_set('train')
pgd_train = None
if FLAGS.load_pgd_train_samples:
pgd_path = os.path.expanduser('~/data/advhyp/{}/samples'.format(
FLAGS.load_pgd_train_samples))
x_train = np.load(os.path.join(pgd_path, 'train_clean.npy'))
y_train = np.load(os.path.join(pgd_path, 'train_y.npy'))
pgd_train = np.load(os.path.join(pgd_path, 'train_pgd.npy'))
if x_train.shape[1] == 3:
x_train = x_train.transpose((0, 2, 3, 1))
pgd_train = pgd_train.transpose((0, 2, 3, 1))
if len(y_train.shape) == 1:
y_tmp = np.zeros((len(y_train), np.max(y_train) + 1),
y_train.dtype)
y_tmp[np.arange(len(y_tmp)), y_train] = 1.
y_train = y_tmp
x_test, y_test = data.get_set('test')
pgd_test = None
if FLAGS.load_pgd_test_samples:
pgd_path = os.path.expanduser('~/data/advhyp/{}/samples'.format(
FLAGS.load_pgd_test_samples))
x_test = np.load(os.path.join(pgd_path, 'test_clean.npy'))
y_test = np.load(os.path.join(pgd_path, 'test_y.npy'))
pgd_test = np.load(os.path.join(pgd_path, 'test_pgd.npy'))
if x_test.shape[1] == 3:
x_test = x_test.transpose((0, 2, 3, 1))
pgd_test = pgd_test.transpose((0, 2, 3, 1))
if len(y_test.shape) == 1:
y_tmp = np.zeros((len(y_test), np.max(y_test) + 1), y_test.dtype)
y_tmp[np.arange(len(y_tmp)), y_test] = 1.
y_test = y_tmp
train_idcs = np.arange(len(x_train))
np.random.shuffle(train_idcs)
x_train, y_train = x_train[train_idcs], y_train[train_idcs]
if pgd_train is not None:
pgd_train = pgd_train[train_idcs]
test_idcs = np.arange(len(x_test))[:FLAGS.test_size]
np.random.shuffle(test_idcs)
x_test, y_test = x_test[test_idcs], y_test[test_idcs]
if pgd_test is not None:
pgd_test = pgd_test[test_idcs]
# Use Image Parameters
img_rows, img_cols, nchannels = x_test.shape[1:4]
nb_classes = y_test.shape[1]
# Define input TF placeholder
x = tf.placeholder(tf.float32, shape=(None, img_rows, img_cols, nchannels))
y = tf.placeholder(tf.float32, shape=(None, nb_classes))
# Train an MNIST model
train_params = {
'nb_epochs': nb_epochs,
'batch_size': batch_size,
'learning_rate': learning_rate
}
eval_params = {'batch_size': batch_size}
pgd_params = {
# ord: ,
'eps': FLAGS.eps,
'eps_iter': (FLAGS.eps / 5),
'nb_iter': 10,
'clip_min': 0,
'clip_max': 255
}
cw_params = {
'binary_search_steps': FLAGS.cw_search_steps,
'max_iterations': FLAGS.cw_steps, #1000
'abort_early': True,
'learning_rate': FLAGS.cw_lr,
'batch_size': batch_size,
'confidence': 0,
'initial_const': FLAGS.cw_c,
'clip_min': 0,
'clip_max': 255
}
# Madry dosen't divide by 255
x_train *= 255
x_test *= 255
if pgd_train is not None:
pgd_train *= 255
if pgd_test is not None:
pgd_test *= 255
print('x_train amin={} amax={}'.format(np.amin(x_train), np.amax(x_train)))
print('x_test amin={} amax={}'.format(np.amin(x_test), np.amax(x_test)))
print(
'clip_min : {}, clip_max : {} >> CHECK WITH WHICH VALUES THE CLASSIFIER WAS PRETRAINED !!! <<'
.format(pgd_params['clip_min'], pgd_params['clip_max']))
rng = np.random.RandomState() # [2017, 8, 30]
debug_dict = dict() if FLAGS.save_debug_dict else None
def do_eval(preds,
x_set,
y_set,
report_key,
is_adv=None,
predictor=None,
x_adv=None):
if predictor is None:
acc = model_eval(sess, x, y, preds, x_set, y_set, args=eval_params)
else:
do_eval(preds, x_set, y_set, report_key, is_adv=is_adv)
if x_adv is not None:
x_set_adv, = batch_eval(sess, [x], [x_adv], [x_set],
batch_size=batch_size)
assert x_set.shape == x_set_adv.shape
x_set = x_set_adv
n_batches = math.ceil(x_set.shape[0] / batch_size)
p_set, p_det = np.concatenate([
predictor.send(x_set[b * batch_size:(b + 1) * batch_size])
for b in tqdm.trange(n_batches)
]).T
acc = np.equal(p_set, y_set[:len(p_set)].argmax(-1)).mean()
# if is_adv:
# import IPython ; IPython.embed() ; exit(1)
if FLAGS.save_debug_dict:
debug_dict['x_set'] = x_set
debug_dict['y_set'] = y_set
ddfn = 'logs/debug_dict_{}.pkl'.format(
'adv' if is_adv else 'clean')
if not os.path.exists(ddfn):
with open(ddfn, 'wb') as f:
pickle.dump(debug_dict, f)
debug_dict.clear()
if is_adv is None:
report_text = None
elif is_adv:
report_text = 'adversarial'
else:
report_text = 'legitimate'
if report_text:
print('Test accuracy on %s examples %s: %0.4f' %
(report_text, 'with correction'
if predictor is not None else 'without correction', acc))
if is_adv is not None:
label = 'test_acc_{}_{}'.format(
report_text, 'corrected' if predictor else 'uncorrected')
swriter.add_scalar(label, acc)
if predictor is not None:
detect = np.equal(p_det, is_adv).mean()
label = 'test_det_{}_{}'.format(
report_text,
'corrected' if predictor else 'uncorrected')
print(label, detect)
swriter.add_scalar(label, detect)
label = 'test_dac_{}_{}'.format(
report_text,
'corrected' if predictor else 'uncorrected')
swriter.add_scalar(
label,
np.equal(p_set,
y_set[:len(p_set)].argmax(-1))[np.equal(
p_det, is_adv)].mean())
return acc
if clean_train:
if architecture == 'ConvNet':
model = ModelAllConvolutional('model1',
nb_classes,
nb_filters,
input_shape=[32, 32, 3])
elif architecture == 'ResNet':
model = ResNet(scope='ResNet')
else:
raise Exception('Specify valid classifier architecture!')
preds = model.get_logits(x)
loss = CrossEntropy(model, smoothing=label_smoothing)
if load_model:
model_name = 'naturally_trained'
if FLAGS.load_adv_trained:
model_name = 'adv_trained'
if ckpt_dir is not 'None':
ckpt = tf.train.get_checkpoint_state(
os.path.join(os.path.expanduser(ckpt_dir), model_name))
else:
ckpt = tf.train.get_checkpoint_state('./models/' + model_name)
ckpt_path = False if ckpt is None else ckpt.model_checkpoint_path
saver = tf.train.Saver(var_list=dict(
(v.name.split('/', 1)[1].split(':')[0], v)
for v in tf.global_variables()))
saver.restore(sess, ckpt_path)
print('\nMODEL SUCCESSFULLY LOADED from : {}'.format(ckpt_path))
initialize_uninitialized_global_variables(sess)
else:
def evaluate():
do_eval(preds, x_test, y_test, 'clean_train_clean_eval', False)
train(sess,
loss,
None,
None,
dataset_train=dataset_train,
dataset_size=dataset_size,
evaluate=evaluate,
args=train_params,
rng=rng,
var_list=model.get_params())
logits_op = preds.op
while logits_op.type != 'MatMul':
logits_op = logits_op.inputs[0].op
latent_x_tensor, weights = logits_op.inputs
logits_tensor = preds
nb_classes = weights.shape[-1].value
if not FLAGS.save_pgd_samples:
noise_eps = FLAGS.noise_eps.split(',')
if FLAGS.noise_eps_detect is None:
FLAGS.noise_eps_detect = FLAGS.noise_eps
noise_eps_detect = FLAGS.noise_eps_detect.split(',')
if pgd_train is not None:
pgd_train = pgd_train[:FLAGS.n_collect]
if not FLAGS.passthrough:
predictor = tf_robustify.collect_statistics(
x_train[:FLAGS.n_collect],
y_train[:FLAGS.n_collect],
x,
sess,
logits_tensor=logits_tensor,
latent_x_tensor=latent_x_tensor,
weights=weights,
nb_classes=nb_classes,
p_ratio_cutoff=FLAGS.p_ratio_cutoff,
noise_eps=noise_eps,
noise_eps_detect=noise_eps_detect,
pgd_eps=pgd_params['eps'],
pgd_lr=pgd_params['eps_iter'] / pgd_params['eps'],
pgd_iters=pgd_params['nb_iter'],
save_alignments_dir='logs/stats'
if FLAGS.save_alignments else None,
load_alignments_dir=os.path.expanduser(
'~/data/advhyp/madry/stats')
if FLAGS.load_alignments else None,
clip_min=pgd_params['clip_min'],
clip_max=pgd_params['clip_max'],
batch_size=batch_size,
num_noise_samples=FLAGS.num_noise_samples,
debug_dict=debug_dict,
debug=FLAGS.debug,
targeted=False,
pgd_train=pgd_train,
fit_classifier=FLAGS.fit_classifier,
clip_alignments=FLAGS.clip_alignments,
just_detect=FLAGS.just_detect)
else:
def _predictor():
_x = yield
while (_x is not None):
_y = sess.run(preds, {x: _x}).argmax(-1)
_x = yield np.stack((_y, np.zeros_like(_y)), -1)
predictor = _predictor()
next(predictor)
if FLAGS.save_alignments:
exit(0)
# Evaluate the accuracy of the model on clean examples
acc_clean = do_eval(preds,
x_test,
y_test,
'clean_train_clean_eval',
False,
predictor=predictor)
# Initialize the PGD attack object and graph
if FLAGS.attack == 'pgd':
pgd = MadryEtAl(model, sess=sess)
adv_x = pgd.generate(x, **pgd_params)
elif FLAGS.attack == 'cw':
cw = CarliniWagnerL2(model, sess=sess)
adv_x = cw.generate(x, **cw_params)
elif FLAGS.attack == 'mean':
pgd = MadryEtAl(model, sess=sess)
mean_eps = FLAGS.mean_eps * FLAGS.eps
def _attack_mean(x):
x_many = tf.tile(x[None], (FLAGS.mean_samples, 1, 1, 1))
x_noisy = x_many + tf.random_uniform(x_many.shape, -mean_eps,
mean_eps)
x_noisy = tf.clip_by_value(x_noisy, 0, 255)
x_pgd = pgd.generate(x_noisy, **pgd_params)
x_clip = tf.minimum(x_pgd, x_many + FLAGS.eps)
x_clip = tf.maximum(x_clip, x_many - FLAGS.eps)
x_clip = tf.clip_by_value(x_clip, 0, 255)
return x_clip
adv_x = tf.map_fn(_attack_mean, x)
adv_x = tf.reduce_mean(adv_x, 1)
preds_adv = model.get_logits(adv_x)
if FLAGS.save_pgd_samples:
for ds, y, name in ((x_train, y_train, 'train'), (x_test, y_test,
'test')):
train_batches = math.ceil(len(ds) / FLAGS.batch_size)
train_pgd = np.concatenate([
sess.run(adv_x, {
x:
ds[b * FLAGS.batch_size:(b + 1) * FLAGS.batch_size]
}) for b in tqdm.trange(train_batches)
])
np.save('logs/{}_clean.npy'.format(name), ds / 255.)
np.save('logs/{}_y.npy'.format(name), y)
train_pgd /= 255.
np.save('logs/{}_pgd.npy'.format(name), train_pgd)
exit(0)
# Evaluate the accuracy of the model on adversarial examples
if not FLAGS.load_pgd_test_samples:
acc_pgd = do_eval(preds_adv,
x_test,
y_test,
'clean_train_adv_eval',
True,
predictor=predictor,
x_adv=adv_x)
else:
acc_pgd = do_eval(preds,
pgd_test,
y_test,
'clean_train_adv_eval',
True,
predictor=predictor)
swriter.add_scalar('test_acc_mean', (acc_clean + acc_pgd) / 2., 0)
print('Repeating the process, using adversarial training')
exit(0)
# Create a new model and train it to be robust to MadryEtAl
if architecture == 'ConvNet':
model2 = ModelAllConvolutional('model2',
nb_classes,
nb_filters,
input_shape=[32, 32, 3])
elif architecture == 'ResNet':
model = ResNet()
else:
raise Exception('Specify valid classifier architecture!')
pgd2 = MadryEtAl(model2, sess=sess)
def attack(x):
return pgd2.generate(x, **pgd_params)
loss2 = CrossEntropy(model2, smoothing=label_smoothing, attack=attack)
preds2 = model2.get_logits(x)
adv_x2 = attack(x)
if not backprop_through_attack:
# For some attacks, enabling this flag increases the cost of
# training, but gives the defender the ability to anticipate how
# the atacker will change their strategy in response to updates to
# the defender's parameters.
adv_x2 = tf.stop_gradient(adv_x2)
preds2_adv = model2.get_logits(adv_x2)
if load_model:
if ckpt_dir is not 'None':
ckpt = tf.train.get_checkpoint_state(
os.path.join(os.path.expanduser(ckpt_dir), 'adv_trained'))
else:
ckpt = tf.train.get_checkpoint_state('./models/adv_trained')
ckpt_path = False if ckpt is None else ckpt.model_checkpoint_path
assert ckpt_path and tf_model_load(
sess, file_path=ckpt_path), '\nMODEL LOADING FAILED'
print('\nMODEL SUCCESSFULLY LOADED from : {}'.format(ckpt_path))
initialize_uninitialized_global_variables(sess)
else:
def evaluate2():
# Accuracy of adversarially trained model on legitimate test inputs
do_eval(preds2, x_test, y_test, 'adv_train_clean_eval', False)
# Accuracy of the adversarially trained model on adversarial
# examples
do_eval(preds2_adv, x_test, y_test, 'adv_train_adv_eval', True)
# Perform and evaluate adversarial training
train(sess,
loss2,
None,
None,
dataset_train=dataset_train,
dataset_size=dataset_size,
evaluate=evaluate2,
args=train_params,
rng=rng,
var_list=model2.get_params())
# Evaluate model
do_eval(preds2, x_test, y_test, 'adv_train_clean_eval', False)
do_eval(preds2_adv, x_test, y_test, 'adv_train_adv_eval', True)
return report
def mnist_tutorial(train_start=0,
train_end=60000,
test_start=0,
test_end=10000,
nb_epochs=NB_EPOCHS,
batch_size=BATCH_SIZE,
learning_rate=LEARNING_RATE,
clean_train=CLEAN_TRAIN,
testing=False,
backprop_through_attack=BACKPROP_THROUGH_ATTACK,
nb_filters=NB_FILTERS,
num_threads=None,
label_smoothing=0.1):
"""
MNIST cleverhans tutorial
:param train_start: index of first training set example
:param train_end: index of last training set example
:param test_start: index of first test set example
:param test_end: index of last test set example
:param nb_epochs: number of epochs to train model
:param batch_size: size of training batches
:param learning_rate: learning rate for training
:param clean_train: perform normal training on clean examples only
before performing adversarial training.
:param testing: if true, complete an AccuracyReport for unit tests
to verify that performance is adequate
:param backprop_through_attack: If True, backprop through adversarial
example construction process during
adversarial training.
:param label_smoothing: float, amount of label smoothing for cross entropy
:return: an AccuracyReport object
"""
# Object used to keep track of (and return) key accuracies
report = AccuracyReport()
# Set TF random seed to improve reproducibility
tf.set_random_seed(1234)
# Set logging level to see debug information
set_log_level(logging.DEBUG)
# Create TF session
if num_threads:
config_args = dict(intra_op_parallelism_threads=1)
else:
config_args = {}
sess = tf.Session(config=tf.ConfigProto(**config_args))
# Get MNIST test data
mnist = MNIST(train_start=train_start,
train_end=train_end,
test_start=test_start,
test_end=test_end)
x_train, y_train = mnist.get_set('train')
x_test, y_test = mnist.get_set('test')
# Use Image Parameters
img_rows, img_cols, nchannels = x_train.shape[1:4]
nb_classes = y_train.shape[1]
# Define input TF placeholder
x = tf.placeholder(tf.float32, shape=(None, img_rows, img_cols, nchannels))
y = tf.placeholder(tf.float32, shape=(None, nb_classes))
# Train an MNIST model
train_params = {
'nb_epochs': nb_epochs,
'batch_size': batch_size,
'learning_rate': learning_rate
}
eval_params = {'batch_size': batch_size}
fgsm_params = {'eps': 0.3, 'clip_min': 0., 'clip_max': 1.}
rng = np.random.RandomState([2017, 8, 30])
def do_eval(preds, x_set, y_set, report_key, is_adv=None):
acc = model_eval(sess, x, y, preds, x_set, y_set, args=eval_params)
setattr(report, report_key, acc)
if is_adv is None:
report_text = None
elif is_adv:
report_text = 'adversarial'
else:
report_text = 'legitimate'
if report_text:
print('Test accuracy on %s examples: %0.4f' % (report_text, acc))
if clean_train:
model = make_basic_picklable_cnn()
# Tag the model so that when it is saved to disk, future scripts will
# be able to tell what data it was trained on
model.dataset_factory = mnist.get_factory()
preds = model.get_logits(x)
assert len(model.get_params()) > 0
loss = CrossEntropy(model, smoothing=label_smoothing)
def evaluate():
do_eval(preds, x_test, y_test, 'clean_train_clean_eval', False)
train(sess,
loss,
x_train,
y_train,
evaluate=evaluate,
args=train_params,
rng=rng,
var_list=model.get_params())
with sess.as_default():
save("clean_model.joblib", model)
print("Now that the model has been saved, you can evaluate it in a"
" separate process using `evaluate_pickled_model.py`. "
"You should get exactly the same result for both clean and "
"adversarial accuracy as you get within this program.")
# Calculate training error
if testing:
do_eval(preds, x_train, y_train, 'train_clean_train_clean_eval')
# Initialize the Fast Gradient Sign Method (FGSM) attack object and
# graph
fgsm = FastGradientMethod(model, sess=sess)
adv_x = fgsm.generate(x, **fgsm_params)
preds_adv = model.get_logits(adv_x)
# Evaluate the accuracy of the MNIST model on adversarial examples
do_eval(preds_adv, x_test, y_test, 'clean_train_adv_eval', True)
# Calculate training error
if testing:
do_eval(preds_adv, x_train, y_train, 'train_clean_train_adv_eval')
print('Repeating the process, using adversarial training')
# Create a new model and train it to be robust to FastGradientMethod
model2 = make_basic_picklable_cnn()
# Tag the model so that when it is saved to disk, future scripts will
# be able to tell what data it was trained on
model2.dataset_factory = mnist.get_factory()
fgsm2 = FastGradientMethod(model2, sess=sess)
def attack(x):
return fgsm2.generate(x, **fgsm_params)
loss2 = CrossEntropy(model2, smoothing=label_smoothing, attack=attack)
preds2 = model2.get_logits(x)
adv_x2 = attack(x)
if not backprop_through_attack:
# For the fgsm attack used in this tutorial, the attack has zero
# gradient so enabling this flag does not change the gradient.
# For some other attacks, enabling this flag increases the cost of
# training, but gives the defender the ability to anticipate how
# the atacker will change their strategy in response to updates to
# the defender's parameters.
adv_x2 = tf.stop_gradient(adv_x2)
preds2_adv = model2.get_logits(adv_x2)
def evaluate2():
# Accuracy of adversarially trained model on legitimate test inputs
do_eval(preds2, x_test, y_test, 'adv_train_clean_eval', False)
# Accuracy of the adversarially trained model on adversarial examples
do_eval(preds2_adv, x_test, y_test, 'adv_train_adv_eval', True)
# Perform and evaluate adversarial training
train(sess,
loss2,
x_train,
y_train,
evaluate=evaluate2,
args=train_params,
rng=rng,
var_list=model2.get_params())
with sess.as_default():
save("adv_model.joblib", model2)
print(
"Now that the model has been saved, you can evaluate it in a "
"separate process using "
"`python evaluate_pickled_model.py adv_model.joblib`. "
"You should get exactly the same result for both clean and "
"adversarial accuracy as you get within this program."
" You can also move beyond the tutorials directory and run the "
" real `compute_accuracy.py` script (make sure cleverhans/scripts "
"is in your PATH) to see that this FGSM-trained "
"model is actually not very robust---it's just a model that trains "
" quickly so the tutorial does not take a long time")
# Calculate training errors
if testing:
do_eval(preds2, x_train, y_train, 'train_adv_train_clean_eval')
do_eval(preds2_adv, x_train, y_train, 'train_adv_train_adv_eval')
return report
def mnist_tutorial_cw(train_start=0, train_end=60000, test_start=0,
test_end=10000, viz_enabled=True, nb_epochs=6,
batch_size=128, source_samples=10,
learning_rate=0.001, attack_iterations=100,
model_path=os.path.join("models", "mnist"),
targeted=True):
"""
MNIST tutorial for Carlini and Wagner's attack
:param train_start: index of first training set example
:param train_end: index of last training set example
:param test_start: index of first test set example
:param test_end: index of last test set example
:param viz_enabled: (boolean) activate plots of adversarial examples
:param nb_epochs: number of epochs to train model
:param batch_size: size of training batches
:param nb_classes: number of output classes
:param source_samples: number of test inputs to attack
:param learning_rate: learning rate for training
:param model_path: path to the model file
:param targeted: should we run a targeted attack? or untargeted?
:return: an AccuracyReport object
"""
# Object used to keep track of (and return) key accuracies
report = AccuracyReport()
# Set TF random seed to improve reproducibility
tf.set_random_seed(1234)
# Create TF session
sess = tf.Session()
print("Created TensorFlow session.")
set_log_level(logging.DEBUG)
# Get MNIST test data
x_train, y_train, x_test, y_test = data_mnist(train_start=train_start,
train_end=train_end,
test_start=test_start,
test_end=test_end)
# Obtain Image Parameters
img_rows, img_cols, nchannels = x_train.shape[1:4]
nb_classes = y_train.shape[1]
# Define input TF placeholder
x = tf.placeholder(tf.float32, shape=(None, img_rows, img_cols,
nchannels))
y = tf.placeholder(tf.float32, shape=(None, nb_classes))
nb_filters = 64
# Define TF model graph
model = ModelBasicCNN('model1', nb_classes, nb_filters)
preds = model.get_logits(x)
loss = LossCrossEntropy(model, smoothing=0.1)
print("Defined TensorFlow model graph.")
###########################################################################
# Training the model using TensorFlow
###########################################################################
# Train an MNIST model
train_params = {
'nb_epochs': nb_epochs,
'batch_size': batch_size,
'learning_rate': learning_rate,
'train_dir': os.path.join(*os.path.split(model_path)[:-1]),
'filename': os.path.split(model_path)[-1]
}
rng = np.random.RandomState([2017, 8, 30])
# check if we've trained before, and if we have, use that pre-trained model
if os.path.exists(model_path + ".meta"):
tf_model_load(sess, model_path)
else:
train(sess, loss, x, y, x_train, y_train, args=train_params,
save=os.path.exists("models"), rng=rng)
# Evaluate the accuracy of the MNIST model on legitimate test examples
eval_params = {'batch_size': batch_size}
accuracy = model_eval(sess, x, y, preds, x_test, y_test, args=eval_params)
assert x_test.shape[0] == test_end - test_start, x_test.shape
print('Test accuracy on legitimate test examples: {0}'.format(accuracy))
report.clean_train_clean_eval = accuracy
###########################################################################
# Craft adversarial examples using Carlini and Wagner's approach
###########################################################################
nb_adv_per_sample = str(nb_classes - 1) if targeted else '1'
print('Crafting ' + str(source_samples) + ' * ' + nb_adv_per_sample +
' adversarial examples')
print("This could take some time ...")
# Instantiate a CW attack object
cw = CarliniWagnerL2(model, back='tf', sess=sess)
if viz_enabled:
assert source_samples == nb_classes
idxs = [np.where(np.argmax(y_test, axis=1) == i)[0][0]
for i in range(nb_classes)]
if targeted:
if viz_enabled:
# Initialize our array for grid visualization
grid_shape = (nb_classes, nb_classes, img_rows, img_cols,
nchannels)
grid_viz_data = np.zeros(grid_shape, dtype='f')
adv_inputs = np.array(
[[instance] * nb_classes for instance in x_test[idxs]],
dtype=np.float32)
else:
adv_inputs = np.array(
[[instance] * nb_classes for
instance in x_test[:source_samples]], dtype=np.float32)
one_hot = np.zeros((nb_classes, nb_classes))
one_hot[np.arange(nb_classes), np.arange(nb_classes)] = 1
adv_inputs = adv_inputs.reshape(
(source_samples * nb_classes, img_rows, img_cols, nchannels))
adv_ys = np.array([one_hot] * source_samples,
dtype=np.float32).reshape((source_samples *
nb_classes, nb_classes))
yname = "y_target"
else:
if viz_enabled:
# Initialize our array for grid visualization
grid_shape = (nb_classes, 2, img_rows, img_cols, nchannels)
grid_viz_data = np.zeros(grid_shape, dtype='f')
adv_inputs = x_test[idxs]
else:
adv_inputs = x_test[:source_samples]
adv_ys = None
yname = "y"
cw_params = {'binary_search_steps': 1,
yname: adv_ys,
'max_iterations': attack_iterations,
'learning_rate': 0.1,
'batch_size': source_samples * nb_classes if
targeted else source_samples,
'initial_const': 10}
adv = cw.generate_np(adv_inputs,
**cw_params)
eval_params = {'batch_size': np.minimum(nb_classes, source_samples)}
if targeted:
adv_accuracy = model_eval(
sess, x, y, preds, adv, adv_ys, args=eval_params)
else:
if viz_enabled:
adv_accuracy = 1 - \
model_eval(sess, x, y, preds, adv, y_test[
idxs], args=eval_params)
else:
adv_accuracy = 1 - \
model_eval(sess, x, y, preds, adv, y_test[
:source_samples], args=eval_params)
if viz_enabled:
for j in range(nb_classes):
if targeted:
for i in range(nb_classes):
grid_viz_data[i, j] = adv[i * nb_classes + j]
else:
grid_viz_data[j, 0] = adv_inputs[j]
grid_viz_data[j, 1] = adv[j]
print(grid_viz_data.shape)
print('--------------------------------------')
# Compute the number of adversarial examples that were successfully found
print('Avg. rate of successful adv. examples {0:.4f}'.format(adv_accuracy))
report.clean_train_adv_eval = 1. - adv_accuracy
# Compute the average distortion introduced by the algorithm
percent_perturbed = np.mean(np.sum((adv - adv_inputs)**2,
axis=(1, 2, 3))**.5)
print('Avg. L_2 norm of perturbations {0:.4f}'.format(percent_perturbed))
# Close TF session
sess.close()
# Finally, block & display a grid of all the adversarial examples
if viz_enabled:
import matplotlib.pyplot as plt
_ = grid_visual(grid_viz_data)
return report
sys.exit()
data_path = config['data_path']
cifar = cifar10_input.CIFAR10Data(data_path)
# CIFAR10-specific dimensions
img_rows = 32
img_cols = 32
channels = 3
nb_classes = 10
X_test = cifar.eval_data.xs
Y_test = np_utils.to_categorical(cifar.eval_data.ys, nb_classes)
assert Y_test.shape[1] == 10.
set_log_level(logging.DEBUG)
with tf.Session() as sess:
x = tf.placeholder(tf.float32, shape=(None, 32, 32, 3))
y = tf.placeholder(tf.float32, shape=(None, 10))
from cleverhans_model import make_madry_wresnet
model = make_madry_wresnet()
preds = model(x)
saver = tf.train.Saver()
# Restore the checkpoint
saver.restore(sess, model_file)
def baseline_jsma(train_start=0, train_end=60000, test_start=0,
test_end=10000, nb_epochs=6, batch_size=128,
learning_rate=0.001,
clean_train=True,
testing=False,
nb_filters=64):
"""
MNIST cleverhans tutorial
:param train_start: index of first training set example
:param train_end: index of last training set example
:param test_start: index of first test set example
:param test_end: index of last test set example
:param nb_epochs: number of epochs to train model
:param batch_size: size of training batches
:param learning_rate: learning rate for training
:param clean_train: perform normal training on clean examples only
before performing adversarial training.
:param testing: if true, complete an AccuracyReport for unit tests
to verify that performance is adequate
:param clean_train: if true, train on clean examples
:return: an AccuracyReport object
"""
# Object used to keep track of (and return) key accuracies
report = AccuracyReport()
# Set TF random seed to improve reproducibility
tf.set_random_seed(1234)
# Set logging level to see debug information
set_log_level(logging.DEBUG)
# Create TF session
sess = tf.Session()
# Get MNIST test data
X_train, Y_train, X_test, Y_test = data_mnist(train_start=train_start,
train_end=train_end,
test_start=test_start,
test_end=test_end)
# Use label smoothing
# assert Y_train.shape[1] == 10
# label_smooth = .1
# Y_train = Y_train.clip(label_smooth / 9., 1. - label_smooth)
# Define input TF placeholder
x = tf.placeholder(tf.float32, shape=(None, 28, 28, 1))
y = tf.placeholder(tf.float32, shape=(None, 10))
model_path = "models/mnist"
# Train an MNIST model
train_params = {
'nb_epochs': nb_epochs,
'batch_size': batch_size,
'learning_rate': learning_rate
}
jsma_params = {'theta': 1., 'gamma': 0.1,
'clip_min': 0., 'clip_max': 1.,
'y_target': None}
rng = np.random.RandomState([2017, 8, 30])
if clean_train:
model = make_basic_cnn(nb_filters=nb_filters)
preds = model.get_probs(x)
def evaluate():
# Evaluate the accuracy of the MNIST model on legitimate test
# examples
eval_params = {'batch_size': batch_size}
acc = model_eval(
sess, x, y, preds, X_test, Y_test, args=eval_params)
report.clean_train_clean_eval = acc
assert X_test.shape[0] == test_end - test_start, X_test.shape
print('Test accuracy on legitimate examples: %0.4f' % acc)
#
# HERE already trained model, thus we need a new one (model_2)
model_train(sess, x, y, preds, X_train, Y_train, evaluate=evaluate,
args=train_params, rng=rng)
# Calculate training error
if testing:
eval_params = {'batch_size': batch_size}
acc = model_eval(
sess, x, y, preds, X_train, Y_train, args=eval_params)
report.train_clean_train_clean_eval = acc
# Initialize the JSMA attack object and
# graph
jsma = SaliencyMapMethod(model, sess=sess)
adv_x = jsma.generate(x, **jsma_params)
preds_adv = model.get_probs(adv_x)
# Evaluate the accuracy of the MNIST model on adversarial examples
eval_par = {'batch_size': batch_size}
acc = model_eval(sess, x, y, preds_adv, X_test, Y_test, args=eval_par)
print('Test accuracy on adversarial examples: %0.4f\n' % acc)
report.clean_train_adv_eval = acc
# Calculate training error
if testing:
eval_par = {'batch_size': batch_size}
acc = model_eval(sess, x, y, preds_adv, X_train,
Y_train, args=eval_par)
report.train_clean_train_adv_eval = acc
print("Repeating the process, using adversarial training")
# Redefine TF model graph
model_2 = make_basic_cnn(nb_filters=nb_filters)
preds_2 = model_2(x)
jsma2 = SaliencyMapMethod(model_2, sess=sess)
adv_x_2 = jsma2.generate(x, **jsma_params)
preds_2_adv = model_2(adv_x_2)
#
# let's generate FGSM examples for model_2
#
fgsm = FastGradientMethod(model_2, sess=sess)
fgsm_params = {'eps': 0.3,
'clip_min': 0.,
'clip_max': 1.}
adv_x_fgsm = fgsm.generate(x, **fgsm_params)
preds_2_fgsm = model_2(adv_x_fgsm)
# DON'T WANT TO TRAIN on FGSM adv examples yet
def evaluate_2():
# Accuracy of adversarially trained model on legitimate test inputs
eval_params = {'batch_size': batch_size}
accuracy = model_eval(sess, x, y, preds_2, X_test, Y_test,
args=eval_params)
print('Test accuracy on legitimate examples: %0.4f' % accuracy)
report.adv_train_clean_eval = accuracy
# Accuracy of the adversarially trained model on JSMA adversarial examples
accuracy = model_eval(sess, x, y, preds_2_adv, X_test,
Y_test, args=eval_params)
print('Test accuracy on FGSM adversarial examples: %0.4f' % accuracy)
report.adv_train_adv_eval = accuracy
# Accuracy of the JSMA adv trained model on FGSM adv examples
eval_params = {'batch_size': batch_size}
accuracy = model_eval(sess, x, y, preds_2_fgsm, X_test,
Y_test, args=eval_params)
print('Test accuracy on SaliencyMapMethod adversarial examples: %0.4f' % accuracy)
# Perform and evaluate adversarial training
model_train(sess, x, y, preds_2, X_train, Y_train,
predictions_adv=preds_2_adv, evaluate=evaluate_2,
args=train_params, rng=rng)
# Calculate training errors
if testing:
eval_params = {'batch_size': batch_size}
accuracy = model_eval(sess, x, y, preds_2, X_train, Y_train,
args=eval_params)
report.train_adv_train_clean_eval = accuracy
accuracy = model_eval(sess, x, y, preds_2_adv, X_train,
Y_train, args=eval_params)
report.train_adv_train_adv_eval = accuracy
return report
def mnist_tutorial_jsma(train_start=0, train_end=60000, test_start=0,
test_end=10000, viz_enabled=True, nb_epochs=6,
batch_size=128, source_samples=10,
learning_rate=0.001):
"""
MNIST tutorial for the Jacobian-based saliency map approach (JSMA)
:param train_start: index of first training set example
:param train_end: index of last training set example
:param test_start: index of first test set example
:param test_end: index of last test set example
:param viz_enabled: (boolean) activate plots of adversarial examples
:param nb_epochs: number of epochs to train model
:param batch_size: size of training batches
:param nb_classes: number of output classes
:param source_samples: number of test inputs to attack
:param learning_rate: learning rate for training
:return: an AccuracyReport object
"""
# Object used to keep track of (and return) key accuracies
report = AccuracyReport()
# Set TF random seed to improve reproducibility
tf.set_random_seed(1234)
# Create TF session and set as Keras backend session
sess = tf.Session()
print("Created TensorFlow session.")
set_log_level(logging.DEBUG)
# Get MNIST test data
x_train, y_train, x_test, y_test = data_mnist(train_start=train_start,
train_end=train_end,
test_start=test_start,
test_end=test_end)
# Obtain Image Parameters
img_rows, img_cols, nchannels = x_train.shape[1:4]
nb_classes = y_train.shape[1]
# Define input TF placeholder
x = tf.placeholder(tf.float32, shape=(None, img_rows, img_cols,
nchannels))
y = tf.placeholder(tf.float32, shape=(None, nb_classes))
nb_filters = 64
# Define TF model graph
model = ModelBasicCNN('model1', nb_classes, nb_filters)
preds = model.get_logits(x)
loss = LossCrossEntropy(model, smoothing=0.1)
print("Defined TensorFlow model graph.")
###########################################################################
# Training the model using TensorFlow
###########################################################################
# Train an MNIST model
train_params = {
'nb_epochs': nb_epochs,
'batch_size': batch_size,
'learning_rate': learning_rate
}
sess.run(tf.global_variables_initializer())
rng = np.random.RandomState([2017, 8, 30])
train(sess, loss, x, y, x_train, y_train, args=train_params,
rng=rng)
# Evaluate the accuracy of the MNIST model on legitimate test examples
eval_params = {'batch_size': batch_size}
accuracy = model_eval(sess, x, y, preds, x_test, y_test, args=eval_params)
assert x_test.shape[0] == test_end - test_start, x_test.shape
print('Test accuracy on legitimate test examples: {0}'.format(accuracy))
report.clean_train_clean_eval = accuracy
###########################################################################
# Craft adversarial examples using the Jacobian-based saliency map approach
###########################################################################
print('Crafting ' + str(source_samples) + ' * ' + str(nb_classes-1) +
' adversarial examples')
# Keep track of success (adversarial example classified in target)
results = np.zeros((nb_classes, source_samples), dtype='i')
# Rate of perturbed features for each test set example and target class
perturbations = np.zeros((nb_classes, source_samples), dtype='f')
# Initialize our array for grid visualization
grid_shape = (nb_classes, nb_classes, img_rows, img_cols, nchannels)
grid_viz_data = np.zeros(grid_shape, dtype='f')
# Instantiate a SaliencyMapMethod attack object
jsma = SaliencyMapMethod(model, back='tf', sess=sess)
jsma_params = {'theta': 1., 'gamma': 0.1,
'clip_min': 0., 'clip_max': 1.,
'y_target': None}
figure = None
# Loop over the samples we want to perturb into adversarial examples
for sample_ind in xrange(0, source_samples):
print('--------------------------------------')
print('Attacking input %i/%i' % (sample_ind + 1, source_samples))
sample = x_test[sample_ind:(sample_ind+1)]
# We want to find an adversarial example for each possible target class
# (i.e. all classes that differ from the label given in the dataset)
current_class = int(np.argmax(y_test[sample_ind]))
target_classes = other_classes(nb_classes, current_class)
# For the grid visualization, keep original images along the diagonal
grid_viz_data[current_class, current_class, :, :, :] = np.reshape(
sample, (img_rows, img_cols, nchannels))
# Loop over all target classes
for target in target_classes:
print('Generating adv. example for target class %i' % target)
# This call runs the Jacobian-based saliency map approach
one_hot_target = np.zeros((1, nb_classes), dtype=np.float32)
one_hot_target[0, target] = 1
jsma_params['y_target'] = one_hot_target
adv_x = jsma.generate_np(sample, **jsma_params)
# Check if success was achieved
res = int(model_argmax(sess, x, preds, adv_x) == target)
# Computer number of modified features
adv_x_reshape = adv_x.reshape(-1)
test_in_reshape = x_test[sample_ind].reshape(-1)
nb_changed = np.where(adv_x_reshape != test_in_reshape)[0].shape[0]
percent_perturb = float(nb_changed) / adv_x.reshape(-1).shape[0]
# Display the original and adversarial images side-by-side
if viz_enabled:
figure = pair_visual(
np.reshape(sample, (img_rows, img_cols, nchannels)),
np.reshape(adv_x, (img_rows, img_cols, nchannels)), figure)
# Add our adversarial example to our grid data
grid_viz_data[target, current_class, :, :, :] = np.reshape(
adv_x, (img_rows, img_cols, nchannels))
# Update the arrays for later analysis
results[target, sample_ind] = res
perturbations[target, sample_ind] = percent_perturb
print('--------------------------------------')
# Compute the number of adversarial examples that were successfully found
nb_targets_tried = ((nb_classes - 1) * source_samples)
succ_rate = float(np.sum(results)) / nb_targets_tried
print('Avg. rate of successful adv. examples {0:.4f}'.format(succ_rate))
report.clean_train_adv_eval = 1. - succ_rate
# Compute the average distortion introduced by the algorithm
percent_perturbed = np.mean(perturbations)
print('Avg. rate of perturbed features {0:.4f}'.format(percent_perturbed))
# Compute the average distortion introduced for successful samples only
percent_perturb_succ = np.mean(perturbations * (results == 1))
print('Avg. rate of perturbed features for successful '
'adversarial examples {0:.4f}'.format(percent_perturb_succ))
# Close TF session
sess.close()
# Finally, block & display a grid of all the adversarial examples
if viz_enabled:
import matplotlib.pyplot as plt
plt.close(figure)
_ = grid_visual(grid_viz_data)
return report
def evaluate_model(filepath,
train_start=0,
train_end=60000,
test_start=0,
test_end=10000,
batch_size=128,
testing=False,
num_threads=None):
"""
Run evaluation on a saved model
:param filepath: path to model to evaluate
:param train_start: index of first training set example
:param train_end: index of last training set example
:param test_start: index of first test set example
:param test_end: index of last test set example
:param batch_size: size of evaluation batches
"""
# Set TF random seed to improve reproducibility
tf.set_random_seed(1234)
# Set logging level to see debug information
set_log_level(logging.INFO)
# Create TF session
if num_threads:
config_args = dict(intra_op_parallelism_threads=1)
else:
config_args = {}
sess = tf.Session(config=tf.ConfigProto(**config_args))
# Get MNIST test data
mnist = MNIST(train_start=train_start,
train_end=train_end,
test_start=test_start,
test_end=test_end)
x_train, y_train = mnist.get_set('train')
x_test, y_test = mnist.get_set('test')
# Use Image Parameters
img_rows, img_cols, nchannels = x_train.shape[1:4]
nb_classes = y_train.shape[1]
# Define input TF placeholder
x = tf.placeholder(tf.float32, shape=(None, img_rows, img_cols, nchannels))
y = tf.placeholder(tf.float32, shape=(None, nb_classes))
eval_params = {'batch_size': batch_size}
fgsm_params = {'eps': 0.3, 'clip_min': 0., 'clip_max': 1.}
def do_eval(preds, x_set, y_set, report_key, is_adv=None):
acc = model_eval(sess, x, y, preds, x_set, y_set, args=eval_params)
if is_adv is None:
report_text = None
elif is_adv:
report_text = 'adversarial'
else:
report_text = 'legitimate'
if report_text:
print('Test accuracy on %s examples: %0.4f' % (report_text, acc))
with sess.as_default():
model = load(filepath)
assert len(model.get_params()) > 0
# Initialize the Fast Gradient Sign Method (FGSM) attack object and
# graph
fgsm = FastGradientMethod(model, sess=sess)
adv_x = fgsm.generate(x, **fgsm_params)
preds_adv = model.get_logits(adv_x)
preds = model.get_logits(x)
# Evaluate the accuracy of the MNIST model on adversarial examples
do_eval(preds, x_test, y_test, 'train_clean_train_clean_eval', False)
do_eval(preds_adv, x_test, y_test, 'clean_train_adv_eval', True)
def cifar10_cw_latent(train_start=0,
train_end=60000,
test_start=0,
test_end=10000,
viz_enabled=VIZ_ENABLED,
nb_epochs=NB_EPOCHS,
batch_size=BATCH_SIZE,
source_samples=SOURCE_SAMPLES,
learning_rate=LEARNING_RATE,
attack_iterations=ATTACK_ITERATIONS,
targeted=TARGETED,
num_threads=None,
label_smoothing=0.1,
nb_filters=NB_FILTERS):
# Object used to keep track of (and return) key accuracies
report = AccuracyReport()
# Set TF random seed to improve reproducibility
tf.set_random_seed(1234)
rng = np.random.RandomState()
# Create TF session
sess = tf.Session()
print("Created TensorFlow session.")
set_log_level(logging.DEBUG)
if num_threads:
config_args = dict(intra_op_parallelism_threads=1)
else:
config_args = {}
sess = tf.Session(config=tf.ConfigProto(**config_args))
# Get CIFAR10 data
data = CIFAR10(train_start=train_start,
train_end=train_end,
test_start=test_start,
test_end=test_end)
dataset_size = data.x_train.shape[0]
dataset_train = data.to_tensorflow()[0]
dataset_train = dataset_train.map(
lambda x, y: (random_shift(random_horizontal_flip(x)), y), 4)
dataset_train = dataset_train.batch(batch_size)
dataset_train = dataset_train.prefetch(16)
x_train, y_train = data.get_set('train')
x_test, y_test = data.get_set('test')
nb_latent_size = 100
# Get MNIST test data
# Obtain Image Parameters
img_rows, img_cols, nchannels = x_train.shape[1:4]
nb_classes = y_train.shape[1]
print("img_Rows, img_cols, nchannels: ", img_rows, img_cols, nchannels)
# Define input TF placeholder
x = tf.placeholder(tf.float32, shape=(None, img_rows, img_cols, nchannels))
x_t = tf.placeholder(tf.float32,
shape=(None, img_rows, img_cols, nchannels))
y = tf.placeholder(tf.float32, shape=(None, nb_classes))
y_t = tf.placeholder(tf.float32, shape=(None, nb_classes))
z = tf.placeholder(tf.float32, shape=(None, nb_latent_size))
z_t = tf.placeholder(tf.float32, shape=(None, nb_latent_size))
save_dir = 'models'
model_name = 'cifar10_AE'
model_path_ae = os.path.join(save_dir, model_name)
if clean_train_ae == True:
input_img = Input(shape=(32, 32, 3))
x = Conv2D(64, (3, 3), padding='same')(input_img)
x = BatchNormalization()(x)
x = Activation('relu')(x)
x = MaxPooling2D((2, 2), padding='same')(x)
x = Conv2D(32, (3, 3), padding='same')(x)
x = BatchNormalization()(x)
x = Activation('relu')(x)
x = MaxPooling2D((2, 2), padding='same')(x)
x = Conv2D(16, (3, 3), padding='same')(x)
x = BatchNormalization()(x)
x = Activation('relu')(x)
encoded = MaxPooling2D((2, 2), padding='same')(x)
x = Conv2D(16, (3, 3), padding='same')(encoded)
x = BatchNormalization()(x)
x = Activation('relu')(x)
x = UpSampling2D((2, 2))(x)
x = Conv2D(32, (3, 3), padding='same')(x)
x = BatchNormalization()(x)
x = Activation('relu')(x)
x = UpSampling2D((2, 2))(x)
x = Conv2D(64, (3, 3), padding='same')(x)
x = BatchNormalization()(x)
x = Activation('relu')(x)
x = UpSampling2D((2, 2))(x)
x = Conv2D(3, (3, 3), padding='same')(x)
x = BatchNormalization()(x)
decoded = Activation('sigmoid')(x)
model = Model(input_img, decoded)
model.compile(optimizer='adam', loss='binary_crossentropy')
#es_cb = EarlyStopping(monitor='val_loss', patience=2, verbose=1, mode='auto')
#chkpt = saveDir + 'AutoEncoder_Cifar10_Deep_weights.{epoch:02d}-{loss:.2f}-{val_loss:.2f}.hdf5'
#cp_cb = ModelCheckpoint(filepath = chkpt, monitor='val_loss', verbose=1, save_best_only=True, mode='auto')
model.fit(
x_train,
x_train,
batch_size=128,
epochs=5,
verbose=1,
validation_data=(x_test, x_test),
#callbacks=[es_cb, cp_cb],
shuffle=True)
score = model.evaluate(x_test, x_test, verbose=1)
print(score)
model.save(model_path_ae)
print('Saved trained model at %s ' % model_path_ae)
else:
model = load_model(model_path_ae)
x_lat_train = model.predict(x_train)
x_lat_test = model.predict(x_test)
num_classes = 10
save_dir = 'models'
model_name = 'cifar10_CNN_latent'
model_path_cls = os.path.join(save_dir, model_name)
if clean_train_cl == True:
print("Training CNN AE")
cl_model = Sequential()
cl_model.add(
Conv2D(32, (3, 3), padding='same', input_shape=x_train.shape[1:]))
cl_model.add(Activation('relu'))
cl_model.add(Conv2D(32, (3, 3)))
cl_model.add(Activation('relu'))
cl_model.add(MaxPooling2D(pool_size=(2, 2)))
cl_model.add(Dropout(0.25))
cl_model.add(Conv2D(64, (3, 3), padding='same'))
cl_model.add(Activation('relu'))
cl_model.add(Conv2D(64, (3, 3)))
cl_model.add(Activation('relu'))
cl_model.add(MaxPooling2D(pool_size=(2, 2)))
cl_model.add(Dropout(0.25))
cl_model.add(Flatten())
cl_model.add(Dense(512))
cl_model.add(Activation('relu'))
cl_model.add(Dropout(0.5))
cl_model.add(Dense(num_classes))
cl_model.add(Activation('softmax'))
opt = keras.optimizers.rmsprop(lr=0.0001, decay=1e-6)
# Let's train the model using RMSprop
cl_model.compile(loss='categorical_crossentropy',
optimizer=opt,
metrics=['accuracy'])
cl_model.fit(x_lat_train,
y_train,
batch_size=90,
epochs=2,
validation_data=(x_test, y_test),
shuffle=True)
cl_model.save(model_path_cls)
print('Saved trained model at %s ' % model_path_cls)
else:
cl_model = load_model(model_path_cls)
# Score trained model.
scores = cl_model.evaluate(x_lat_test, y_test, verbose=1)
print('Test loss:', scores[0])
print('Test accuracy:', scores[1])
###########################################################################
# Craft adversarial examples using Carlini and Wagner's approach
###########################################################################
nb_adv_per_sample = str(nb_classes - 1) if targeted else '1'
print('Crafting ' + str(source_samples) + ' * ' + nb_adv_per_sample +
' adversarial examples')
print("This could take some time ...")
# Instantiate a CW attack Object
cw = CarliniWagnerAE_Lat_Keras(model, cl_model, sess=sess)
if viz_enabled:
assert source_samples == nb_classes
idxs = [
np.where(np.argmax(y_test, axis=1) == i)[0][0]
for i in range(nb_classes)
]
if targeted:
if viz_enabled:
# Initialize our array for grid visualization
grid_shape = (nb_classes, nb_classes, img_rows, img_cols,
nchannels)
grid_viz_data = np.zeros(grid_shape, dtype='f')
grid_viz_data_1 = np.zeros(grid_shape, dtype='f')
adv_inputs = np.array([[instance] * (nb_classes - 1)
for instance in x_test[idxs]],
dtype=np.float32)
#adv_input_y = np.array([[instance]*(nb_classes-1) for instance in y_test[idxs]])
adv_input_y = []
for curr_num in range(nb_classes):
targ = []
for id in range(nb_classes - 1):
targ.append(y_test[idxs[curr_num]])
adv_input_y.append(targ)
adv_input_y = np.array(adv_input_y)
adv_target_y = []
for curr_num in range(nb_classes):
targ = []
for id in range(nb_classes):
if (id != curr_num):
targ.append(y_test[idxs[id]])
adv_target_y.append(targ)
adv_target_y = np.array(adv_target_y)
#print("adv_input_y: \n", adv_input_y)
#print("adv_target_y: \n", adv_target_y)
adv_input_targets = []
for curr_num in range(nb_classes):
targ = []
for id in range(nb_classes):
if (id != curr_num):
targ.append(x_test[idxs[id]])
adv_input_targets.append(targ)
adv_input_targets = np.array(adv_input_targets)
adv_inputs = adv_inputs.reshape((source_samples * (nb_classes - 1),
img_rows, img_cols, nchannels))
adv_input_targets = adv_input_targets.reshape(
(source_samples * (nb_classes - 1), img_rows, img_cols,
nchannels))
adv_input_y = adv_input_y.reshape(
source_samples * (nb_classes - 1), 10)
adv_target_y = adv_target_y.reshape(
source_samples * (nb_classes - 1), 10)
one_hot = np.zeros((nb_classes, nb_classes))
one_hot[np.arange(nb_classes), np.arange(nb_classes)] = 1
adv_ys = np.array([one_hot] * source_samples, dtype=np.float32).reshape(
(source_samples * nb_classes, nb_classes))
yname = "y_target"
cw_params_batch_size = source_samples * (nb_classes - 1)
cw_params = {
'binary_search_steps': 4,
yname: adv_ys,
'max_iterations': attack_iterations,
'learning_rate': CW_LEARNING_RATE,
'batch_size': cw_params_batch_size,
'initial_const': 1
}
adv = cw.generate_np(adv_inputs, adv_input_targets, **cw_params)
adv = sess.run(adv)
recon_orig = model.predict(adv_inputs)
recon_adv = model.predict(adv)
shape = np.shape(adv_inputs)
noise = reduce_sum(np.square(adv_inputs - adv), list(range(1, len(shape))))
print("noise: ", noise)
scores1 = cl_model.evaluate(recon_adv, adv_input_y, verbose=1)
scores2 = cl_model.evaluate(recon_adv, adv_target_y, verbose=1)
print("classifier acc_target: ", scores2[1])
print("classifier acc_true: ", scores1[1])
#print("recon_adv[0]\n", recon_adv[0,:,:,0])
curr_class = 0
if viz_enabled:
for j in range(nb_classes):
if targeted:
for i in range(nb_classes):
#grid_viz_data[i, j] = adv[j * (nb_classes-1) + i]
if (i == j):
grid_viz_data[i, j] = recon_orig[curr_class * 9]
grid_viz_data_1[i, j] = adv_inputs[curr_class * 9]
curr_class = curr_class + 1
else:
if (j > i):
grid_viz_data[i,
j] = recon_adv[i * (nb_classes - 1) +
j - 1]
grid_viz_data_1[i, j] = adv[i * (nb_classes - 1) +
j - 1]
else:
grid_viz_data[i,
j] = recon_adv[i * (nb_classes - 1) +
j]
grid_viz_data_1[i,
j] = adv[i * (nb_classes - 1) + j]
#rint(grid_viz_data.shape)
print('--------------------------------------')
# Compute the number of adversarial examples that were successfully found
# Compute the average distortion introduced by the algorithm
percent_perturbed = np.mean(
np.sum((adv - adv_inputs)**2, axis=(1, 2, 3))**.5)
print('Avg. L_2 norm of perturbations {0:.4f}'.format(percent_perturbed))
# Finally, block & display a grid of all the adversarial examples
if viz_enabled:
plt.ioff()
figure = plt.figure()
figure.canvas.set_window_title('Cleverhans: Grid Visualization')
# Add the images to the plot
num_cols = grid_viz_data.shape[0]
num_rows = grid_viz_data.shape[1]
num_channels = grid_viz_data.shape[4]
for yy in range(num_rows):
for xx in range(num_cols):
figure.add_subplot(num_rows, num_cols,
(xx + 1) + (yy * num_cols))
plt.axis('off')
plt.imshow(grid_viz_data[xx, yy, :, :, :])
# Draw the plot and return
plt.savefig('cifar10_fig1')
figure = plt.figure()
figure.canvas.set_window_title('Cleverhans: Grid Visualization')
for yy in range(num_rows):
for xx in range(num_cols):
figure.add_subplot(num_rows, num_cols,
(xx + 1) + (yy * num_cols))
plt.axis('off')
plt.imshow(grid_viz_data_1[xx, yy, :, :, :])
# Draw the plot and return
plt.savefig('cifar10_fig2')
#return report
#adversarial training
if (adv_train == True):
print("starting adversarial training")
#sess1 = tf.Session()
adv_input_set = []
adv_input_target_set = []
for i in range(20):
indices = np.arange(np.shape(x_train)[0])
np.random.shuffle(indices)
print("indices: ", indices[1:10])
x_train = x_train[indices]
y_train = y_train[indices]
idxs = [
np.where(np.argmax(y_train, axis=1) == i)[0][0]
for i in range(nb_classes)
]
adv_inputs_2 = np.array([[instance] * (nb_classes - 1)
for instance in x_train[idxs]],
dtype=np.float32)
adv_input_targets_2 = []
for curr_num in range(nb_classes):
targ = []
for id in range(nb_classes):
if (id != curr_num):
targ.append(x_train[idxs[id]])
adv_input_targets_2.append(targ)
adv_input_targets_2 = np.array(adv_input_targets_2)
adv_inputs_2 = adv_inputs_2.reshape(
(source_samples * (nb_classes - 1), img_rows, img_cols,
nchannels))
adv_input_targets_2 = adv_input_targets_2.reshape(
(source_samples * (nb_classes - 1), img_rows, img_cols,
nchannels))
adv_input_set.append(adv_inputs_2)
adv_input_target_set.append(adv_input_targets_2)
adv_input_set = np.array(adv_input_set),
adv_input_target_set = np.array(adv_input_target_set)
print("shape of adv_input_set: ", np.shape(adv_input_set))
print("shape of adv_input_target_set: ",
np.shape(adv_input_target_set))
adv_input_set = np.reshape(
adv_input_set,
(np.shape(adv_input_set)[0] * np.shape(adv_input_set)[1] *
np.shape(adv_input_set)[2], np.shape(adv_input_set)[3],
np.shape(adv_input_set)[4], np.shape(adv_input_set)[5]))
adv_input_target_set = np.reshape(adv_input_target_set,
(np.shape(adv_input_target_set)[0] *
np.shape(adv_input_target_set)[1],
np.shape(adv_input_target_set)[2],
np.shape(adv_input_target_set)[3],
np.shape(adv_input_target_set)[4]))
print("generated adversarial training set")
adv_set = cw.generate_np(adv_input_set, adv_input_target_set,
**cw_params)
x_train_aim = np.append(x_train, adv_input_set, axis=0)
x_train_app = np.append(x_train, adv_set, axis=0)
model_name = 'cifar10_AE_adv_lat'
model_path_ae_adv = os.path.join(save_dir, model_name)
input_img = Input(shape=(32, 32, 3))
x = Conv2D(64, (3, 3), padding='same')(input_img)
x = BatchNormalization()(x)
x = Activation('relu')(x)
x = MaxPooling2D((2, 2), padding='same')(x)
x = Conv2D(32, (3, 3), padding='same')(x)
x = BatchNormalization()(x)
x = Activation('relu')(x)
x = MaxPooling2D((2, 2), padding='same')(x)
x = Conv2D(16, (3, 3), padding='same')(x)
x = BatchNormalization()(x)
x = Activation('relu')(x)
encoded = MaxPooling2D((2, 2), padding='same')(x)
x = Conv2D(16, (3, 3), padding='same')(encoded)
x = BatchNormalization()(x)
x = Activation('relu')(x)
x = UpSampling2D((2, 2))(x)
x = Conv2D(32, (3, 3), padding='same')(x)
x = BatchNormalization()(x)
x = Activation('relu')(x)
x = UpSampling2D((2, 2))(x)
x = Conv2D(64, (3, 3), padding='same')(x)
x = BatchNormalization()(x)
x = Activation('relu')(x)
x = UpSampling2D((2, 2))(x)
x = Conv2D(3, (3, 3), padding='same')(x)
x = BatchNormalization()(x)
decoded = Activation('sigmoid')(x)
model2 = Model(input_img, decoded)
model2.compile(optimizer='adam', loss='binary_crossentropy')
model2.fit(x_train_app,
x_train_aim,
batch_size=128,
epochs=20,
verbose=1,
validation_data=(x_test, x_test),
callbacks=[es_cb, cp_cb],
shuffle=True)
score = model.evaluate(x_test, x_test, verbose=1)
print(score)
model2.save(model_path_ae_adv)
print('Saved adv trained model at ', model_path_ae_adv)
cw2 = CarliniWagnerAE_Lat_Keras(model_adv_trained, cl_model, sess=sess)
adv_2 = cw2.generate_np(adv_inputs, adv_input_targets, **cw_params)
recon_adv = model2.predict(adv)
recon_orig = model2.predict(adv_inputs)
if targeted:
noise = reduce_sum(tf.square(adv_inputs - adv_2),
list(range(1, len(shape))))
print("noise: ", noise)
scores1 = cl_model.evaluate(recon_adv, adv_input_y, verbose=1)
scores2 = cl_model.eval_params(recon_adv, adv_target_y, verbose=1)
print("classifier acc_target: ", scores2[1])
print("classifier acc_true: ", scores1[1])
#print("recon_adv[0]\n", recon_adv[0,:,:,0])
curr_class = 0
if viz_enabled:
for j in range(nb_classes):
for i in range(nb_classes):
#grid_viz_data[i, j] = adv[j * (nb_classes-1) + i]
if (i == j):
grid_viz_data[i, j] = recon_orig[curr_class * 9]
grid_viz_data_1[i, j] = adv_inputs[curr_class * 9]
curr_class = curr_class + 1
else:
if (j > i):
grid_viz_data[i,
j] = recon_adv[i * (nb_classes - 1) +
j - 1]
grid_viz_data_1[i,
j] = adv_2[i * (nb_classes - 1) +
j - 1]
else:
grid_viz_data[i,
j] = recon_adv[i * (nb_classes - 1) +
j]
grid_viz_data_1[i, j] = adv_2[i *
(nb_classes - 1) + j]
#rint(grid_viz_data.shape)
print('--------------------------------------')
# Compute the number of adversarial examples that were successfully found
# Compute the average distortion introduced by the algorithm
percent_perturbed = np.mean(
np.sum((adv_2 - adv_inputs)**2, axis=(1, 2, 3))**.5)
print(
'Avg. L_2 norm of perturbations {0:.4f}'.format(percent_perturbed))
# Close TF session
sess.close()
# Finally, block & display a grid of all the adversarial examples
if viz_enabled:
#_ = grid_visual(grid_viz_data)
#_ = grid_visual(grid_viz_data_1)
plt.ioff()
figure = plt.figure()
figure.canvas.set_window_title('Cleverhans: Grid Visualization')
# Add the images to the plot
num_cols = grid_viz_data.shape[0]
num_rows = grid_viz_data.shape[1]
num_channels = grid_viz_data.shape[4]
for yy in range(num_rows):
for xx in range(num_cols):
figure.add_subplot(num_rows, num_cols,
(xx + 1) + (yy * num_cols))
plt.axis('off')
if num_channels == 1:
plt.imshow(grid_viz_data[xx, yy, :, :, 0])
else:
plt.imshow(grid_viz_data[xx, yy, :, :, :])
# Draw the plot and return
plt.savefig('cifar10_fig1_adv_trained')
figure = plt.figure()
figure.canvas.set_window_title('Cleverhans: Grid Visualization')
for yy in range(num_rows):
for xx in range(num_cols):
figure.add_subplot(num_rows, num_cols,
(xx + 1) + (yy * num_cols))
plt.axis('off')
plt.imshow(grid_viz_data_1[xx, yy, :, :, :])
# Draw the plot and return
plt.savefig('cifar10_fig2_adv_trained')
return report
#binarization defense
if (binarization_defense == True or mean_filtering == True):
if (binarization_defense == True):
adv[adv > 0.5] = 1.0
adv[adv <= 0.5] = 0.0
else:
adv = uniform_filter(adv, 2)
recon_orig = model.predict(adv_inputs)
recon_adv = model.predict(adv)
eval_params = {'batch_size': 90}
if targeted:
noise = reduce_sum(tf.square(x_orig - x_adv),
list(range(1, len(shape))))
print("noise: ", noise)
scores1 = cl_model.evaluate(recon_adv, adv_input_y, verbose=1)
scores2 = cl_model.evalluate(recon_adv, adv_target_y, verbose=1)
print("classifier acc_target: ", scores2[1])
print("classifier acc_true: ", scores1[1])
#print("recon_adv[0]\n", recon_adv[0,:,:,0])
curr_class = 0
if viz_enabled:
for j in range(nb_classes):
for i in range(nb_classes):
#grid_viz_data[i, j] = adv[j * (nb_classes-1) + i]
if (i == j):
grid_viz_data[i, j] = recon_orig[curr_class * 9]
grid_viz_data_1[i, j] = adv_inputs[curr_class * 9]
curr_class = curr_class + 1
else:
if (j > i):
grid_viz_data[i,
j] = recon_adv[i * (nb_classes - 1) +
j - 1]
grid_viz_data_1[i, j] = adv[i * (nb_classes - 1) +
j - 1]
else:
grid_viz_data[i,
j] = recon_adv[i * (nb_classes - 1) +
j]
grid_viz_data_1[i,
j] = adv[i * (nb_classes - 1) + j]
sess.close()
plt.ioff()
figure = plt.figure()
figure.canvas.set_window_title('Cleverhans: Grid Visualization')
# Add the images to the plot
num_cols = grid_viz_data.shape[0]
num_rows = grid_viz_data.shape[1]
num_channels = grid_viz_data.shape[4]
for yy in range(num_rows):
for xx in range(num_cols):
figure.add_subplot(num_rows, num_cols,
(xx + 1) + (yy * num_cols))
plt.axis('off')
if num_channels == 1:
plt.imshow(grid_viz_data[xx, yy, :, :, 0])
else:
plt.imshow(grid_viz_data[xx, yy, :, :, :])
# Draw the plot and return
plt.savefig('cifar10_fig1_bin')
figure = plt.figure()
figure.canvas.set_window_title('Cleverhans: Grid Visualization')
for yy in range(num_rows):
for xx in range(num_cols):
figure.add_subplot(num_rows, num_cols,
(xx + 1) + (yy * num_cols))
plt.axis('off')
if num_channels == 1:
plt.imshow(grid_viz_data_1[xx, yy, :, :, 0])
else:
plt.imshow(grid_viz_data_1[xx, yy, :, :, :])
# Draw the plot and return
plt.savefig('cifar10_fig2_bin')
def whitebox(gan,
rec_data_path=None,
batch_size=128,
learning_rate=0.001,
nb_epochs=10,
eps=0.3,
online_training=False,
test_on_dev=True,
attack_type='fgsm',
defense_type='gan',
num_tests=-1,
num_train=-1):
"""Based on MNIST tutorial from cleverhans.
Args:
gan: A `GAN` model.
rec_data_path: A string to the directory.
batch_size: The size of the batch.
learning_rate: The learning rate for training the target models.
nb_epochs: Number of epochs for training the target model.
eps: The epsilon of FGSM.
online_training: Training Defense-GAN with online reconstruction. The
faster but less accurate way is to reconstruct the dataset once and use
it to train the target models with:
`python train.py --cfg <path-to-model> --save_recs`
attack_type: Type of the white-box attack. It can be `fgsm`,
`rand+fgsm`, or `cw`.
defense_type: String representing the type of attack. Can be `none`,
`defense_gan`, or `adv_tr`.
"""
FLAGS = tf.flags.FLAGS
# Set logging level to see debug information.
set_log_level(logging.WARNING)
if defense_type == 'defense_gan':
assert gan is not None
# Create TF session.
if defense_type == 'defense_gan':
sess = gan.sess
if FLAGS.train_on_recs:
assert rec_data_path is not None or online_training
else:
config = tf.ConfigProto()
config.gpu_options.allow_growth = True
sess = tf.Session(config=config)
train_images, train_labels, test_images, test_labels = \
get_cached_gan_data(gan, test_on_dev)
rec_test_images = test_images
rec_test_labels = test_labels
_, _, test_images, test_labels = \
get_cached_gan_data(gan, test_on_dev, orig_data_flag=True)
x_shape = [None] + list(train_images.shape[1:])
images_pl = tf.placeholder(tf.float32,
shape=[None] + list(train_images.shape[1:]))
labels_pl = tf.placeholder(tf.float32,
shape=[None] + [train_labels.shape[1]])
if num_tests > 0:
test_images = test_images[:num_tests]
rec_test_images = rec_test_images[:num_tests]
test_labels = test_labels[:num_tests]
if num_train > 0:
train_images = train_images[:num_train]
train_labels = train_labels[:num_train]
# GAN defense flag.
models = {
'A': model_a,
'B': model_b,
'C': model_c,
'D': model_d,
'E': model_e,
'F': model_f
}
model = models[FLAGS.model](input_shape=x_shape,
nb_classes=train_labels.shape[1])
preds = model.get_probs(images_pl)
report = AccuracyReport()
def evaluate():
# Evaluate the accuracy of the MNIST model on legitimate test
# examples.
eval_params = {'batch_size': batch_size}
acc = model_eval(sess,
images_pl,
labels_pl,
preds,
rec_test_images,
rec_test_labels,
args=eval_params,
feed={K.learning_phase(): 0})
report.clean_train_clean_eval = acc
print('Test accuracy on legitimate examples: %0.4f' % acc)
train_params = {
'nb_epochs': nb_epochs,
'batch_size': batch_size,
'learning_rate': learning_rate,
}
rng = np.random.RandomState([11, 24, 1990])
tf.set_random_seed(11241990)
preds_adv = None
if FLAGS.defense_type == 'adv_tr':
attack_params = {
'eps': FLAGS.fgsm_eps_tr,
'clip_min': 0.,
'clip_max': 1.
}
if gan:
if gan.dataset_name == 'celeba':
attack_params['clip_min'] = -1.0
attack_obj = FastGradientMethod(model, sess=sess)
adv_x_tr = attack_obj.generate(images_pl, **attack_params)
adv_x_tr = tf.stop_gradient(adv_x_tr)
preds_adv = model(adv_x_tr)
model_train(sess,
images_pl,
labels_pl,
preds,
train_images,
train_labels,
args=train_params,
rng=rng,
predictions_adv=preds_adv,
init_all=False,
feed={K.learning_phase(): 1},
evaluate=evaluate)
# Calculate training error.
eval_params = {'batch_size': batch_size}
acc = model_eval(
sess,
images_pl,
labels_pl,
preds,
train_images,
train_labels,
args=eval_params,
feed={K.learning_phase(): 0},
)
print('[#] Accuracy on clean examples {}'.format(acc))
if attack_type is None:
return acc, 0, None
# Initialize the Fast Gradient Sign Method (FGSM) attack object and
# graph.
if FLAGS.defense_type == 'defense_gan':
z_init_val = None
if FLAGS.same_init:
z_init_val = tf.constant(
np.random.randn(batch_size * gan.rec_rr,
gan.latent_dim).astype(np.float32))
model.add_rec_model(gan, z_init_val, batch_size)
min_val = 0.0
if gan:
if gan.dataset_name == 'celeba':
min_val = -1.0
if 'rand' in FLAGS.attack_type:
test_images = np.clip(
test_images +
args.alpha * np.sign(np.random.randn(*test_images.shape)), min_val,
1.0)
eps -= args.alpha
if 'fgsm' in FLAGS.attack_type:
attack_params = {
'eps': eps,
'ord': np.inf,
'clip_min': min_val,
'clip_max': 1.
}
attack_obj = FastGradientMethod(model, sess=sess)
elif FLAGS.attack_type == 'cw':
attack_obj = CarliniWagnerL2(model, back='tf', sess=sess)
attack_iterations = 100
attack_params = {
'binary_search_steps': 1,
'max_iterations': attack_iterations,
'learning_rate': 10.0,
'batch_size': batch_size,
'initial_const': 100,
'feed': {
K.learning_phase(): 0
}
}
elif FLAGS.attack_type == 'mim':
attack_obj = MomentumIterativeMethod(model, back='tf', sess=sess)
attack_params = {
'eps': eps,
'ord': np.inf,
'clip_min': min_val,
'clip_max': 1.
}
elif FLAGS.attack_type == 'deepfool':
attack_obj = DeepFool(model, back='tf', sess=sess)
attack_params = {
'eps': eps,
'clip_min': min_val,
'clip_max': 1.,
'nb_candidate': 2,
'nb_classes': 2
}
elif FLAGS.attack_type == 'lbfgs':
attack_obj = LBFGS(model, back='tf', sess=sess)
attack_params = {'clip_min': min_val, 'clip_max': 1.}
adv_x = attack_obj.generate(images_pl, **attack_params)
eval_par = {'batch_size': batch_size}
if FLAGS.defense_type == 'defense_gan':
preds_adv = model.get_probs(adv_x)
num_dims = len(images_pl.get_shape())
avg_inds = list(range(1, num_dims))
diff_op = tf.reduce_mean(tf.square(adv_x - images_pl), axis=avg_inds)
acc_adv, roc_info = model_eval_gan(
sess,
images_pl,
labels_pl,
preds_adv,
None,
test_images=test_images,
test_labels=test_labels,
args=eval_par,
feed={K.learning_phase(): 0},
diff_op=diff_op,
)
print('Test accuracy on adversarial examples: %0.4f\n' % acc_adv)
else:
preds_adv = model(adv_x)
roc_info = None
acc_adv = model_eval(sess,
images_pl,
labels_pl,
preds_adv,
test_images,
test_labels,
args=eval_par,
feed={K.learning_phase(): 0})
print('Test accuracy on adversarial examples: %0.4f\n' % acc_adv)
if FLAGS.debug and gan is not None: # To see some qualitative results.
adv_x_debug = adv_x[:batch_size]
images_pl_debug = images_pl[:batch_size]
debug_dir = os.path.join('debug', 'whitebox', FLAGS.debug_dir)
ensure_dir(debug_dir)
reconstructed_tensors = gan.reconstruct(adv_x_debug,
batch_size=batch_size,
reconstructor_id=2)
x_rec_orig = gan.reconstruct(images_tensor,
batch_size=batch_size,
reconstructor_id=3)
x_adv_sub_val = sess.run(x_adv_sub,
feed_dict={
images_tensor: images_pl_debug,
K.learning_phase(): 0
})
sess.run(tf.local_variables_initializer())
x_rec_debug_val, x_rec_orig_val = sess.run(
[reconstructed_tensors, x_rec_orig],
feed_dict={
images_tensor: images_pl_debug,
K.learning_phase(): 0
})
save_images_files(x_adv_sub_val, output_dir=debug_dir, postfix='adv')
postfix = 'gen_rec'
save_images_files(x_rec_debug_val,
output_dir=debug_dir,
postfix=postfix)
save_images_files(images_pl_debug,
output_dir=debug_dir,
postfix='orig')
save_images_files(x_rec_orig_val,
output_dir=debug_dir,
postfix='orig_rec')
return acc_adv, 0, roc_info
def mnist_tutorial(train_start=0,
train_end=60000,
test_start=0,
test_end=10000,
nb_epochs=6,
batch_size=128,
learning_rate=0.001,
clean_train=True,
testing=False,
backprop_through_attack=False,
nb_filters=64,
num_threads=None,
label_smoothing=0.1):
"""
MNIST cleverhans tutorial
:param train_start: index of first training set example
:param train_end: index of last training set example
:param test_start: index of first test set example
:param test_end: index of last test set example
:param nb_epochs: number of epochs to train model
:param batch_size: size of training batches
:param learning_rate: learning rate for training
:param clean_train: perform normal training on clean examples only
before performing adversarial training.
:param testing: if true, complete an AccuracyReport for unit tests
to verify that performance is adequate
:param backprop_through_attack: If True, backprop through adversarial
example construction process during
adversarial training.
:param clean_train: if true, train on clean examples
:param label_smoothing: float, amount of label smoothing for cross entropy
:return: an AccuracyReport object
"""
# Object used to keep track of (and return) key accuracies
report = AccuracyReport()
# Set TF random seed to improve reproducibility
tf.set_random_seed(1234)
# Set logging level to see debug information
set_log_level(logging.DEBUG)
# Create TF session
if num_threads:
config_args = dict(intra_op_parallelism_threads=1)
else:
config_args = {}
#sess = tf.Session(config=tf.ConfigProto(**config_args))
sess = tf.Session(config=tf.ConfigProto(device_count={'GPU': 1}))
# Get MNIST test data
x_train, y_train, x_test, y_test = data_mnist(file,
train_start=train_start,
train_end=train_end,
test_start=test_start,
test_end=test_end)
# Use Image Parameters
img_rows, img_cols, nchannels = x_train.shape[1:4]
nb_classes = y_train.shape[1]
rng = np.random.RandomState([2017, 8, 30])
################ color training initialization ####################
color_training_epochs = 5000
color_learning_rate = 0.1
colorCategory = [
[0.0, 0.4], # Black
[0.3, 0.7], # Grey
[0.6, 1.0] # White
]
numOfPRModel = 20
minColorEpoch = 300
maxColorEpoch = 3000
numColorInput = 1
#numColorOutput = len(colorCategory)
color_x = tf.placeholder(
tf.float32,
[None, numColorInput]) # mnist data image of shape 28*28=784
color_y = tf.placeholder(
tf.float32,
[None, numColorOutput]) # 0-9 digits recognition => 10 classes
# Set multiple models' weights and biases
color_W = {}
color_b = {}
color_pred_out = {}
color_cost = {}
color_optimizer = {}
color_argmax = {}
color_correct_prediction = {}
color_accuracy = {}
for i in range(numOfPRModel):
color_W["w" + str(i)] = tf.Variable(
tf.random_normal([numColorInput, numColorOutput]))
color_b["b" + str(i)] = tf.Variable(tf.random_normal([numColorOutput]))
color_pred_out["out" + str(i)] = tf.matmul(
color_x, color_W["w" + str(i)]) + color_b["b" + str(i)] # Softmax
color_cost["cost" + str(i)] = tf.reduce_mean(
tf.nn.softmax_cross_entropy_with_logits(
logits=color_pred_out["out" + str(i)], labels=color_y))
# Gradient Descent
color_optimizer["opt" + str(i)] = tf.train.GradientDescentOptimizer(
color_learning_rate).minimize(color_cost["cost" + str(i)])
# Test model
color_argmax["argmax" + str(i)] = tf.argmax(
color_pred_out["out" + str(i)], 1)
color_correct_prediction["pred" + str(i)] = tf.equal(
tf.argmax(color_pred_out["out" + str(i)], 1),
tf.argmax(color_y, 1))
# Calculate accuracy
color_accuracy["acc" + str(i)] = tf.reduce_mean(
tf.cast(color_correct_prediction["pred" + str(i)], tf.float32))
# Graph for re-generating the original image into a new image by using trained color model
pr_model_x = tf.placeholder(
tf.float32,
[None, n_input, numColorInput]) # mnist data image of shape 28*28=784
pr_model_W = tf.placeholder(tf.float32,
[None, numColorInput, numColorOutput
]) # mnist data image of shape 28*28=784
pr_model_b = tf.placeholder(tf.float32,
[None, numColorInput, numColorOutput
]) # mnist data image of shape 28*28=784
pr_model_output = tf.one_hot(
tf.argmax((tf.matmul(pr_model_x, pr_model_W) + pr_model_b), 2),
numColorOutput)
# Merge the random generated output for new image based on the colorCategory
randomColorCategory = []
for i in range(len(colorCategory)):
tmp = []
tmpRandomColorCategory = my_tf_round(
tf.random_uniform(tf.shape(pr_model_x),
colorCategory[i][0],
colorCategory[i][1],
dtype=tf.float32), 2)
tmp.append(tmpRandomColorCategory)
randomColorCategory.append(tf.concat(tmp, 1))
random_merge = tf.reshape(tf.concat(randomColorCategory, -1),
[-1, n_input, numColorOutput])
random_color_set = tf.reduce_sum(
tf.multiply(pr_model_output, random_merge), 2)
# Define input TF placeholder
x = tf.placeholder(tf.float32, shape=(None, img_rows, img_cols, nchannels))
# x = tf.reshape(random_color_set, shape=(-1, img_rows, img_cols, nchannels))
y = tf.placeholder(tf.float32, shape=(None, nb_classes))
print(random_color_set)
# Train an MNIST model
train_params = {
'nb_epochs': nb_epochs,
'batch_size': batch_size,
'learning_rate': learning_rate,
'train_dir': save_dir,
'filename': filename,
'numColorOutput': numColorOutput
}
eval_params = {'batch_size': batch_size, 'numColorOutput': numColorOutput}
fgsm_params = {'eps': 8 / 256, 'clip_min': 0., 'clip_max': 1.}
#sess = tf.Session()
def do_eval(preds,
x_set,
y_set,
report_key,
is_adv=None,
pred2=None,
c_w=None,
c_b=None,
pr_model_x=None,
random_color_set=None,
pr_model_W=None,
pr_model_b=None,
pr_model_output=None,
ae=None):
acc = model_eval(sess,
x,
y,
preds,
x_set,
y_set,
args=eval_params,
pred2=pred2,
c_w=c_w,
c_b=c_b,
pr_model_x=pr_model_x,
random_color_set=random_color_set,
pr_model_W=pr_model_W,
pr_model_b=pr_model_b,
pr_model_output=pr_model_output,
is_adv=is_adv,
ae=ae)
setattr(report, report_key, acc)
if is_adv is None:
report_text = None
elif is_adv:
report_text = 'adversarial'
else:
report_text = 'legitimate'
if report_text:
print('Test accuracy on %s examples: %0.4f' % (report_text, acc))
with sess.as_default():
if hasattr(tf, "global_variables_initializer"):
tf.global_variables_initializer().run()
else:
warnings.warn("Update your copy of tensorflow; future versions of "
"CleverHans may drop support for this version.")
sess.run(tf.initialize_all_variables())
################# color training ####################
print("Trying to load pr model from: " + model_path2)
if os.path.exists(model_path2 + ".meta"):
tf_model_load(sess, model_path2)
c_w, c_b = sess.run([color_W, color_b])
print("Load color trained model in training")
else:
# Training the PR model
c_w = {}
c_b = {}
for modelcount in range(numOfPRModel):
color_training_epochs = np.random.randint(
minColorEpoch, maxColorEpoch)
for epoch in range(color_training_epochs):
outputColorY = []
p1 = np.random.random(100)
for i in range(len(p1)):
outputOverlapColorY = []
for j in range(len(colorCategory)):
if p1[i] >= colorCategory[j][0] and p1[
i] <= colorCategory[j][1]:
colorIndexSeq = []
for k in range(len(colorCategory)):
if j == k:
colorIndexSeq.append(1)
else:
colorIndexSeq.append(0)
outputOverlapColorY.append(colorIndexSeq)
# break
# Randomly choose the output for color Y if the outputOverlapColorY has more than 1 item
outputColorY.append(
outputOverlapColorY[np.random.randint(
0, len(outputOverlapColorY))])
inputColorX = p1.reshape(100, 1)
_, c, _c_w, _c_b = sess.run([
color_optimizer["opt" + str(modelcount)],
color_cost["cost" + str(modelcount)],
color_W["w" + str(modelcount)],
color_b["b" + str(modelcount)]
],
feed_dict={
color_x: inputColorX,
color_y: outputColorY
})
avg_cost = c
# Evaluating color model
outputColorY = []
p1 = np.random.random(100)
# Generate output for random color inputs (test case)
for i in range(len(p1)):
for j in range(len(colorCategory)):
outputOverlapColorY = []
if p1[i] >= colorCategory[j][0] and p1[
i] <= colorCategory[j][1]:
colorIndexSeq = []
for k in range(len(colorCategory)):
if j == k:
colorIndexSeq.append(1)
else:
colorIndexSeq.append(0)
outputOverlapColorY.append(colorIndexSeq)
break
# Randomly choose the output for color Y if the outputOverlapColorY has more than 1 item
outputColorY.append(
outputOverlapColorY[np.random.randint(
0, len(outputOverlapColorY))])
inputColorX = p1.reshape(100, 1)
# print(random_xs)
acc, argmax = sess.run([
color_accuracy["acc" + str(modelcount)],
color_argmax["argmax" + str(modelcount)]
],
feed_dict={
color_x: inputColorX,
color_y: outputColorY
})
print(str(modelcount + 1) + ") Epoch:",
'%04d' % (epoch + 1) + "/" + str(color_training_epochs) + ", Cost= " + \
"{:.9f}".format(avg_cost) + ", Training Accuracy= " + \
"{:.5f}".format(acc) + " ")
c_w["w" + str(modelcount)] = _c_w
c_b["b" + str(modelcount)] = _c_b
# print(c_w)
save_path = os.path.join(save_dir2, filename2)
saver = tf.train.Saver()
saver.save(sess, save_path)
##################### end of color training ------------------------------
################# model training ####################
if clean_train:
model = ModelBasicCNN('model1', nb_classes, nb_filters)
preds = model.get_logits(x)
loss = LossCrossEntropy(model, smoothing=label_smoothing)
# Initialize the Fast Gradient Sign Method (FGSM) attack object and
# graph
saveFileNum = 50
# saveFileNum = 500
# saveFileNum = 1000
model_path = os.path.join(save_dir, filename + "-" + str(saveFileNum))
fgsm = FastGradientMethod(model)
# fgsm = BasicIterativeMethod(model)
# fgsm = MomentumIterativeMethod(model)
adv_x = fgsm.generate(x, **fgsm_params)
preds_adv = model.get_logits(adv_x)
def evaluate():
do_eval(preds,
x_test,
y_test,
'clean_train_clean_eval',
False,
pred2=preds,
c_w=c_w,
c_b=c_b,
pr_model_x=pr_model_x,
random_color_set=random_color_set,
pr_model_W=pr_model_W,
pr_model_b=pr_model_b)
#do_eval(preds, x_test, y_test, 'clean_train_adv_eval', True,
#pred2=preds, c_w=c_w, c_b=c_b, ae=adv_x,
#pr_model_x=pr_model_x, random_color_set=random_color_set,
#pr_model_W=pr_model_W, pr_model_b=pr_model_b, pr_model_output=pr_model_output
#)
print("Trying to load trained model from: " + model_path)
if os.path.exists(model_path + ".meta"):
tf_model_load(sess, model_path)
print("Load trained model")
else:
train(sess,
loss,
x,
y,
x_train,
y_train,
evaluate=evaluate,
args=train_params,
rng=rng,
var_list=model.get_params(),
save=True,
c_w=c_w,
c_b=c_b,
pr_model_x=pr_model_x,
random_color_set=random_color_set,
pr_model_W=pr_model_W,
pr_model_b=pr_model_b)
# Calculate training error
if testing:
do_eval(preds, x_train, y_train, 'train_clean_train_clean_eval')
# Evaluate the accuracy of the MNIST model on adversarial examples
do_eval(preds,
x_test,
y_test,
'clean_train_adv_eval',
True,
pred2=preds,
c_w=c_w,
c_b=c_b,
ae=adv_x,
pr_model_x=pr_model_x,
random_color_set=random_color_set,
pr_model_W=pr_model_W,
pr_model_b=pr_model_b)
# Calculate training error
if testing:
do_eval(preds_adv, x_train, y_train, 'train_clean_train_adv_eval')
def mnist_tutorial_bim(train_start=0, train_end=60000, test_start=0,
test_end=10000, viz_enabled=VIZ_ENABLED,
nb_epochs=NB_EPOCHS, batch_size=BATCH_SIZE,
source_samples=SOURCE_SAMPLES,
learning_rate=LEARNING_RATE,
attack_iterations=ATTACK_ITERATIONS,
model_path=MODEL_PATH,
targeted=TARGETED,
noise_output = NOISE_OUTPUT):
"""
MNIST tutorial for Basic Iterative Method's attack
:param train_start: index of first training set example
:param train_end: index of last training set example
:param test_start: index of first test set example
:param test_end: index of last test set example
:param viz_enabled: (boolean) activate plots of adversarial examples
:param nb_epochs: number of epochs to train model
:param batch_size: size of training batches
:param nb_classes: number of output classes
:param source_samples: number of test inputs to attack
:param learning_rate: learning rate for training
:param model_path: path to the model file
:param targeted: should we run a targeted attack? or untargeted?
:return: an AccuracyReport object
"""
# Object used to keep track of (and return) key accuracies
report = AccuracyReport()
# Set TF random seed to improve reproducibility
tf.set_random_seed(1234)
# Create TF session
sess = tf.Session()
print("Created TensorFlow session.")
set_log_level(logging.DEBUG)
# Get Fashion MNIST test data
fashion = keras.datasets.fashion_mnist
(x_train, y_train), (x_test, y_test) = fashion.load_data()
# cifar10 = CIFAR10(train_start=train_start, train_end=train_end,
# test_start=test_start, test_end=test_end)
# x_train, y_train = cifar10.get_set('train')
# x_test, y_test = cifar10.get_set('test')
x_train = x_train.reshape(x_train.shape[0], 28, 28, 1)
x_test = x_test.reshape(x_test.shape[0], 28, 28, 1)
y_train = np_utils.to_categorical(y_train, 10)
y_test = np_utils.to_categorical(y_test, 10)
x_train = x_train.astype('float32')
x_test = x_test.astype('float32')
x_train /= 255
x_test /= 255
# Obtain Image Parameters
img_rows, img_cols, nchannels = x_train.shape[1:4]
nb_classes = y_train.shape[1]
# Define input TF placeholder
x = tf.placeholder(tf.float32, shape=(None, img_rows, img_cols,
nchannels))
y = tf.placeholder(tf.float32, shape=(None, nb_classes))
nb_filters = 64
# Define TF model graph
model = ModelBasicCNN('model1', nb_classes, nb_filters)
preds = model.get_logits(x)
loss = CrossEntropy(model, smoothing=0.1)
print("Defined TensorFlow model graph.")
###########################################################################
# Training the model using TensorFlow
###########################################################################
# Train an MNIST model
train_params = {
'nb_epochs': nb_epochs,
'batch_size': batch_size,
'learning_rate': learning_rate,
'filename': os.path.split(model_path)[-1]
}
rng = np.random.RandomState([2017, 8, 30])
# check if we've trained before, and if we have, use that pre-trained model
if os.path.exists(model_path + ".meta"):
tf_model_load(sess, model_path)
else:
train(sess, loss, x_train, y_train, args=train_params, rng=rng)
saver = tf.train.Saver()
saver.save(sess, model_path)
# Evaluate the accuracy of the MNIST model on legitimate test examples
eval_params = {'batch_size': batch_size}
accuracy = model_eval(sess, x, y, preds, x_test, y_test, args=eval_params)
assert x_test.shape[0] == test_end - test_start, x_test.shape
print('Test accuracy on legitimate test examples: {0}'.format(accuracy))
report.clean_train_clean_eval = accuracy
###########################################################################
# Craft adversarial examples using Basic Iterative Method's approach
###########################################################################
nb_adv_per_sample = str(nb_classes - 1) if targeted else '1'
print('Crafting ' + str(source_samples) + ' * ' + nb_adv_per_sample +
' adversarial examples')
print("This could take some time ...")
# Instantiate a BIM attack object
bim = BasicIterativeMethod(model, sess=sess)
if viz_enabled:
assert source_samples == nb_classes
idxs = [np.where(np.argmax(y_test, axis=1) == i)[0][0]
for i in range(nb_classes)]
if targeted:
if viz_enabled:
# Initialize our array for grid visualization
grid_shape = (nb_classes, 1, img_rows, img_cols,
nchannels)
grid_viz_data = np.zeros(grid_shape, dtype='f')
adv_inputs = np.array(
[[instance] * nb_classes for instance in x_test[idxs]],
dtype=np.float32)
else:
adv_inputs = np.array(
[[instance] * nb_classes for
instance in x_test[:source_samples]], dtype=np.float32)
one_hot = np.zeros((nb_classes, nb_classes))
one_hot[np.arange(nb_classes), np.arange(nb_classes)] = 1
adv_inputs = adv_inputs.reshape(
(source_samples * nb_classes, img_rows, img_cols, nchannels))
adv_ys = np.array([one_hot] * source_samples,
dtype=np.float32).reshape((source_samples *
nb_classes, nb_classes))
else:
if viz_enabled:
# Initialize our array for grid visualization
grid_shape = (nb_classes, nb_classes, img_rows, img_cols, nchannels)
grid_viz_data = np.zeros(grid_shape, dtype='f')
adv_inputs = x_test[idxs]
else:
adv_inputs = x_test[:source_samples]
adv_ys = None
bim_params = {'eps': 0.3, 'clip_min': 0., 'clip_max': 1.,
'nb_iter': 50,
'eps_iter': .01}
adv = bim.generate_np(adv_inputs,
**bim_params)
eval_params = {'batch_size': np.minimum(nb_classes, source_samples)}
if targeted:
adv_accuracy = model_eval(
sess, x, y, preds, adv, adv_ys, args=eval_params)
else:
if viz_enabled:
err = model_eval(sess, x, y, preds, adv, y_test[idxs], args=eval_params)
adv_accuracy = 1 - err
else:
err = model_eval(sess, x, y, preds, adv, y_test[:source_samples],
args=eval_params)
adv_accuracy = 1 - err
if viz_enabled:
for i in range(nb_classes):
if noise_output:
image = adv[i * nb_classes] - adv_inputs[i * nb_classes]
else:
image = adv[i * nb_classes]
grid_viz_data[i, 0] = image
print('--------------------------------------')
# Compute the number of adversarial examples that were successfully found
print('Avg. rate of successful adv. examples {0:.4f}'.format(adv_accuracy))
report.clean_train_adv_eval = 1. - adv_accuracy
# Compute the average distortion introduced by the algorithm
percent_perturbed = np.mean(np.sum((adv - adv_inputs)**2,
axis=(1, 2, 3))**.5)
print('Avg. L_2 norm of perturbations {0:.4f}'.format(percent_perturbed))
# Close TF session
sess.close()
def save_visual(data, path):
"""
Modified version of cleverhans.plot.pyplot
"""
figure = plt.figure()
# figure.canvas.set_window_title('Cleverhans: Grid Visualization')
# Add the images to the plot
num_cols = data.shape[0]
num_rows = data.shape[1]
num_channels = data.shape[4]
for y in range(num_rows):
for x in range(num_cols):
figure.add_subplot(num_rows, num_cols, (x + 1) + (y * num_cols))
plt.axis('off')
if num_channels == 1:
plt.imshow(data[x, y, :, :, 0], cmap='gray')
else:
plt.imshow(data[x, y, :, :, :])
# Draw the plot and return
plt.savefig(path)
return figure
# Finally, block & display a grid of all the adversarial examples
if viz_enabled:
if noise_output:
image_name = "output/bim_fashion_mnist_noise.png"
else:
image_name = "output/bim_fashion_mnist.png"
_ = save_visual(grid_viz_data, image_name)
return report
def measure_gan(gan,
rec_data_path=None,
probe_size=10000,
calc_real_data_is=True):
"""Based on MNIST tutorial from cleverhans.
Args:
gan: A `GAN` model.
rec_data_path: A string to the directory.
"""
FLAGS = tf.flags.FLAGS
# Set logging level to see debug information.
set_log_level(logging.WARNING)
sess = gan.sess
# FID init
stats_path = 'data/fid_stats_celeba.npz' # training set statistics
inception_path = fid.check_or_download_inception(
None) # download inception network
train_images, train_labels, test_images, test_labels = \
get_cached_gan_data(gan, False)
images = train_images[
0:probe_size] * 255 # np.concatenate(train_images, test_images)
# Inception Score for real data
is_orig_mean, is_orig_stddev = (-1, -1)
if calc_real_data_is:
is_orig_mean, is_orig_stddev = get_inception_score(images)
print(
'\n[#] Inception Score for original data: mean = %f, stddev = %f\n'
% (is_orig_mean, is_orig_stddev))
rng = np.random.RandomState([11, 24, 1990])
tf.set_random_seed(11241990)
# Calculate Inception Score for GAN
gan.batch_size = probe_size
generated_images_tensor = gan.generator_fn()
generated_images = sess.run(generated_images_tensor)
generated_images = 255 * ((generated_images + 1) / 2)
is_gen_mean, is_gen_stddev = get_inception_score(generated_images)
print(
'\n[#] Inception Score for generated data: mean = %f, stddev = %f\n' %
(is_gen_mean, is_gen_stddev))
# load precalculated training set statistics
f = np.load(stats_path)
mu_real, sigma_real = f['mu'][:], f['sigma'][:]
f.close()
fid.create_inception_graph(
inception_path) # load the graph into the current TF graph
with tf.Session() as sess:
sess.run(tf.global_variables_initializer())
mu_gen, sigma_gen = fid.calculate_activation_statistics(
generated_images, sess, batch_size=100)
fid_value = fid.calculate_frechet_distance(mu_gen, sigma_gen, mu_real,
sigma_real)
print("FID: %s" % fid_value)
return is_gen_mean, is_gen_stddev, is_orig_mean, is_orig_stddev, fid_value
def cifar_tutorial_jsma(train_start=0,
train_end=60000,
test_start=0,
test_end=10000,
viz_enabled=False,
nb_epochs=6,
batch_size=128,
nb_classes=10,
source_samples=10,
learning_rate=0.001):
"""
MNIST tutorial for the Jacobian-based saliency map approach (JSMA)
:param train_start: index of first training set example
:param train_end: index of last training set example
:param test_start: index of first test set example
:param test_end: index of last test set example
:param viz_enabled: (boolean) activate plots of adversarial examples
:param nb_epochs: number of epochs to train model
:param batch_size: size of training batches
:param nb_classes: number of output classes
:param source_samples: number of test inputs to attack
:param learning_rate: learning rate for training
:return: an AccuracyReport object
"""
# Object used to keep track of (and return) key accuracies
report = AccuracyReport()
# Cifar10-specific dimensions
img_rows = 32
img_cols = 32
channels = 3
# Set TF random seed to improve reproducibility
tf.set_random_seed(7076)
# Create TF session and set as Keras backend session
sess = tf.Session()
print("Created TensorFlow session.")
set_log_level(logging.DEBUG)
# Get cifar test data
X_train, Y_train, X_test, Y_test = data_CIFAR10(train_start=train_start,
train_end=train_end,
test_start=test_start,
test_end=test_end)
# Define input TF placeholder
x = tf.placeholder(tf.float32, shape=(None, 32, 32, 3))
y = tf.placeholder(tf.float32, shape=(None, 10))
# Define TF model graph
model = make_basic_picklable_cnn()
preds = model(x)
print("Defined TensorFlow model graph.")
###########################################################################
# Training the model using TensorFlow
###########################################################################
# Train an MNIST model
train_params = {
'nb_epochs': nb_epochs,
'batch_size': batch_size,
'learning_rate': learning_rate
}
sess.run(tf.global_variables_initializer())
rng = np.random.RandomState([2017, 8, 30])
model_train(sess,
x,
y,
preds,
X_train,
Y_train,
args=train_params,
rng=rng)
# Evaluate the accuracy of the MNIST model on legitimate test examples
eval_params = {'batch_size': batch_size}
accuracy = model_eval(sess, x, y, preds, X_test, Y_test, args=eval_params)
assert X_test.shape[0] == test_end - test_start, X_test.shape
print('Test accuracy on legitimate test examples: {0}'.format(accuracy))
report.clean_train_clean_eval = accuracy
###########################################################################
# Craft adversarial examples using the Jacobian-based saliency map approach
###########################################################################
print('Crafting ' + str(source_samples) + ' * ' + str(nb_classes - 1) +
' adversarial examples')
# Keep track of success (adversarial example classified in target)
results = np.zeros((nb_classes, source_samples), dtype='i') # i = interger
# Rate of perturbed features for each test set example and target class
perturbations = np.zeros((nb_classes, source_samples),
dtype='f') #f = floating
# Initialize our array for grid visualization
grid_shape = (nb_classes, nb_classes, img_rows, img_cols, channels)
grid_viz_data = np.zeros(grid_shape, dtype='f')
# Instantiate a SaliencyMapMethod attack object
jsma = SaliencyMapMethod(model, back='tf', sess=sess)
jsma_params = {
'theta': 1.,
'gamma': 0.1,
'clip_min': 0.,
'clip_max': 1.,
'y_target': None
}
figure = None #None
# create an array for storing adv examples
adv_examples = np.empty([1, 32, 32, 3])
# for target labels
adv_targets = np.empty([1, 10])
# corresponding clean/correct label
adv_clean_labels = np.empty([1, 10])
# correspongding clean data
adv_clean_examples = np.empty([1, 32, 32, 3])
# Loop over the samples we want to perturb into adversarial examples
for sample_ind in xrange(0, source_samples): #source_samples set 10
print('--------------------------------------')
print('Attacking input %i/%i' % (sample_ind + 1, source_samples))
sample = X_train[sample_ind:(sample_ind +
1)] # generate from training data
# We want to find an adversarial example for each possible target class
# (i.e. all classes that differ from the label given in the dataset)
current_class = int(np.argmax(
Y_train[sample_ind])) # generate from training data
target_classes = other_classes(nb_classes, current_class)
# For the grid visualization, keep original images along the diagonal
grid_viz_data[current_class, current_class, :, :, :] = np.reshape(
sample, (img_rows, img_cols, channels))
# Loop over all target classes
for target in target_classes:
print('Generating adv. example for target class %i' % target)
# This call runs the Jacobian-based saliency map approach
one_hot_target = np.zeros((1, nb_classes), dtype=np.float32)
#create fake target
one_hot_target[0, target] = 1
jsma_params['y_target'] = one_hot_target
adv_x = jsma.generate_np(sample, **jsma_params)
print('adv_x\'shape is ', np.shape(adv_x)) # (1,28,28,1)
# Check if success was achieved
res = int(model_argmax(sess, x, preds, adv_x) == target)
# if succeeds
if res == 1:
# append new adv_x to adv_examples array
# append sample here, so that the number of times sample is appended mmatches number of adv_ex.
adv_examples = np.append(adv_examples, adv_x, axis=0)
adv_targets = np.append(adv_targets, one_hot_target, axis=0)
adv_clean_labels = np.append(
adv_clean_labels,
np.expand_dims(Y_train[sample_ind], axis=0),
axis=0) # generate from training data
adv_clean_examples = np.append(adv_clean_examples,
sample,
axis=0)
# Compute the number of modified features
# adv_x.reshape(-1) means reshape into (1, n), in this case, n=28x28
# it makes comparison simplier
# adv_x_reshape = adv_x.reshape(-1)
# test_in_reshape = X_test[sample_ind].reshape(-1)
# nb_changed = np.where(adv_x_reshape != test_in_reshape)[0].shape[0]
# percent_perturb = float(nb_changed) / adv_x.reshape(-1).shape[0]
adv_x_reshape = adv_x.reshape(-1)
train_in_reshape = X_train[sample_ind].reshape(-1)
nb_changed = np.where(
adv_x_reshape != train_in_reshape)[0].shape[0]
percent_perturb = float(nb_changed) / adv_x.reshape(-1).shape[0]
# Display the original and adversarial images side-by-side
viz_enabled = True #False
if viz_enabled:
figure = pair_visual(
np.reshape(sample, (img_rows, img_cols, channels)),
np.reshape(adv_x, (img_rows, img_cols, channels)), figure)
# Add our adversarial example to our grid data
grid_viz_data[target, current_class, :, :, :] = np.reshape(
adv_x, (img_rows, img_cols, channels))
# Update the arrays for later analysis
results[target, sample_ind] = res
perturbations[target, sample_ind] = percent_perturb
print('--------------------------------------')
adv_examples = adv_examples[1:, :, :, :]
adv_targets = adv_targets[1:, :]
adv_clean_labels = adv_clean_labels[1:, :]
adv_clean_examples = adv_clean_examples[1:, :, :, :]
np.savez('adversarial',
adv_examples=adv_examples,
adv_targets=adv_targets,
adv_clean_labels=adv_clean_labels,
adv_clean_examples=adv_clean_examples)
print(np.shape(adv_targets)[0], "adversarial examples have been saved.")
print('--------------------------------------')
# Compute the number of adversarial examples that were successfully found
nb_targets_tried = ((nb_classes - 1) * source_samples)
succ_rate = float(np.sum(results)) / nb_targets_tried
print('Avg. rate of successful adv. examples {0:.4f}'.format(succ_rate))
report.clean_train_adv_eval = 1. - succ_rate
# Compute the average distortion introduced by the algorithm
percent_perturbed = np.mean(perturbations)
print('Avg. rate of perturbed features {0:.4f}'.format(percent_perturbed))
# Compute the average distortion introduced for successful samples only
percent_perturb_succ = np.mean(perturbations * (results == 1))
print('Avg. rate of perturbed features for successful '
'adversarial examples {0:.4f}'.format(percent_perturb_succ))
# Close TF session
sess.close()
# Finally, block & display a grid of all the adversarial examples
if viz_enabled:
import matplotlib.pyplot as plt
plt.close(figure)
_ = grid_visual(grid_viz_data)
return report
def mnist_tutorial(train_start=0,
train_end=60000,
test_start=0,
test_end=10000,
nb_epochs=NB_EPOCHS,
batch_size=BATCH_SIZE,
learning_rate=LEARNING_RATE,
clean_train=CLEAN_TRAIN,
testing=False,
backprop_through_attack=BACKPROP_THROUGH_ATTACK,
nb_filters=64,
num_threads=None,
label_smoothing=0.1):
"""
MNIST cleverhans tutorial
:param train_start: index of first training set example
:param train_end: index of last training set example
:param test_start: index of first test set example
:param test_end: index of last test set example
:param nb_epochs: number of epochs to train model
:param batch_size: size of training batches
:param learning_rate: learning rate for training
:param clean_train: perform normal training on clean examples only
before performing adversarial training.
:param testing: if true, complete an AccuracyReport for unit tests
to verify that performance is adequate
:param backprop_through_attack: If True, backprop through adversarial
example construction process during
adversarial training.
:param label_smoothing: float, amount of label smoothing for cross entropy
:return: an AccuracyReport object
"""
# Object used to keep track of (and return) key accuracies
report = AccuracyReport()
# Set TF random seed to improve reproducibility
tf.set_random_seed(1234)
# Set logging level to see debug information
set_log_level(logging.DEBUG)
# Create TF session
if num_threads:
config_args = dict(intra_op_parallelism_threads=1)
else:
config_args = {}
sess = tf.Session(config=tf.ConfigProto(**config_args))
# Get MNIST test data
x_train, y_train, x_test, y_test = data_mnist(train_start=train_start,
train_end=train_end,
test_start=test_start,
test_end=test_end)
# Use Image Parameters
img_rows, img_cols, nchannels = x_train.shape[1:4]
nb_classes = y_train.shape[1]
# Define input TF placeholder
x = tf.placeholder(tf.float32, shape=(None, img_rows, img_cols, nchannels))
y = tf.placeholder(tf.float32, shape=(None, nb_classes))
# Train an MNIST model
train_params = {
'nb_epochs': nb_epochs,
'batch_size': batch_size,
'learning_rate': learning_rate
}
eval_params = {'batch_size': batch_size}
fgsm_params = {'eps': 0.3, 'clip_min': 0., 'clip_max': 1.}
rng = np.random.RandomState([2017, 8, 30])
def do_eval(preds, x_set, y_set, report_key, is_adv=None):
acc = model_eval(sess, x, y, preds, x_set, y_set, args=eval_params)
setattr(report, report_key, acc)
if is_adv is None:
report_text = None
elif is_adv:
report_text = 'adversarial'
else:
report_text = 'legitimate'
if report_text:
print('Test accuracy on %s examples: %0.4f' % (report_text, acc))
if clean_train:
model = ModelBasicCNN('model1', nb_classes, nb_filters)
preds = model.get_logits(x)
loss = CrossEntropy(model, smoothing=label_smoothing)
def evaluate():
do_eval(preds, x_test, y_test, 'clean_train_clean_eval', False)
train(sess,
loss,
x,
y,
x_train,
y_train,
evaluate=evaluate,
args=train_params,
rng=rng,
var_list=model.get_params())
# Calculate training error
if testing:
do_eval(preds, x_train, y_train, 'train_clean_train_clean_eval')
# Initialize the Fast Gradient Sign Method (FGSM) attack object and
# graph
fgsm = FastGradientMethod(model, sess=sess)
adv_x = fgsm.generate(x, **fgsm_params)
preds_adv = model.get_logits(adv_x)
# Evaluate the accuracy of the MNIST model on adversarial examples
do_eval(preds_adv, x_test, y_test, 'clean_train_adv_eval', True)
# Calculate training error
if testing:
do_eval(preds_adv, x_train, y_train, 'train_clean_train_adv_eval')
print('Repeating the process, using adversarial training')
print("after clean train>>>>>>>>>>>>>>>>>>>>>")
# Create a new model and train it to be robust to FastGradientMethod
model2 = ModelBasicCNN('model2', nb_classes, nb_filters)
fgsm2 = FastGradientMethod(model2, sess=sess)
def attack(x):
return fgsm2.generate(x, **fgsm_params)
loss2 = CrossEntropy(model2, smoothing=label_smoothing, attack=attack)
preds2 = model2.get_logits(x)
adv_x2 = attack(x)
if not backprop_through_attack:
# For the fgsm attack used in this tutorial, the attack has zero
# gradient so enabling this flag does not change the gradient.
# For some other attacks, enabling this flag increases the cost of
# training, but gives the defender the ability to anticipate how
# the atacker will change their strategy in response to updates to
# the defender's parameters.
adv_x2 = tf.stop_gradient(adv_x2)
preds2_adv = model2.get_logits(adv_x2)
def evaluate2():
# Accuracy of adversarially trained model on legitimate test inputs
do_eval(preds2, x_test, y_test, 'adv_train_clean_eval', False)
# Accuracy of the adversarially trained model on adversarial examples
do_eval(preds2_adv, x_test, y_test, 'adv_train_adv_eval', True)
# Perform and evaluate adversarial training
train(sess,
loss2,
x,
y,
x_train,
y_train,
evaluate=evaluate2,
args=train_params,
rng=rng,
var_list=model2.get_params())
# Calculate training errors
if testing:
do_eval(preds2, x_train, y_train, 'train_adv_train_clean_eval')
do_eval(preds2_adv, x_train, y_train, 'train_adv_train_adv_eval')
return report
def test_attacks(data_name, model_name, attack_method, eps, batch_size=100,
targeted=False, save=False):
# Set TF random seed to improve reproducibility
tf.set_random_seed(1234)
# Create TF session
config = tf.ConfigProto()
config.gpu_options.allow_growth = True
sess = tf.Session(config=config)
print("Created TensorFlow session.")
set_log_level(logging.DEBUG)
if data_name == 'mnist':
from cleverhans.utils_mnist import data_mnist
X_train, Y_train, X_test, Y_test = data_mnist(train_start=0, train_end=60000,
test_start=0, test_end=10000)
if data_name in ['cifar10', 'plane_frog']:
from import_data_cifar10 import load_data_cifar10
if data_name == 'plane_frog':
labels = [0, 6]
else:
labels = None
data_path = '../cifar_data/'
X_train, X_test, Y_train, Y_test = load_data_cifar10(data_path, labels=labels, conv=True)
source_samples, img_rows, img_cols, channels = X_test.shape
nb_classes = Y_test.shape[1]
# test cw
#source_samples = 100
# Define input TF placeholder
batch_size = min(batch_size, X_test.shape[0])
print('use batch_size = %d' % batch_size)
x = tf.placeholder(tf.float32, shape=(batch_size, img_rows, img_cols, channels))
y = tf.placeholder(tf.float32, shape=(batch_size, nb_classes))
# Define TF model graph
model = load_classifier(sess, model_name, data_name)
if 'bayes' in model_name and 'distill' not in model_name and 'query' not in model_name:
model_name = model_name + '_cnn'
# Craft adversarial examples
nb_adv_per_sample = str(nb_classes - 1) if targeted else '1'
print('Crafting ' + str(source_samples) + ' * ' + nb_adv_per_sample +
' adversarial examples')
print("This could take some time ...")
# Evaluate the accuracy of the MNIST model on legitimate test examples
if 'bnn' not in model_name:
keras.backend.set_learning_phase(0)
else:
# need to set keras learning phase to training in order to run test-time dropout
keras.backend.set_learning_phase(1)
# make adv inputs and labels for the attack if targeted
if targeted:
adv_inputs = np.array(
[[instance] * nb_classes for
instance in X_test[:source_samples]], dtype=np.float32)
one_hot = np.zeros((nb_classes, nb_classes))
one_hot[np.arange(nb_classes), np.arange(nb_classes)] = 1
adv_inputs = adv_inputs.reshape(
(source_samples * nb_classes, img_rows, img_cols, 1))
adv_ys = np.array([one_hot] * source_samples,
dtype=np.float32).reshape((source_samples *
nb_classes, nb_classes))
else:
adv_inputs = X_test[:source_samples]
adv_ys = Y_test[:source_samples]
# Instantiate an attack object
from attack_config import load_attack
attack, attack_params, yname = load_attack(sess, attack_method, model, targeted,
adv_ys, eps, batch_size)
print(attack_params)
# perform the attack!
adv = []
n_batch = int(adv_inputs.shape[0] / batch_size)
for i in xrange(n_batch):
adv_batch = adv_inputs[i*batch_size:(i+1)*batch_size]
attack_params[yname] = adv_ys[i*batch_size:(i+1)*batch_size] # only for untargeted
adv.append(attack.generate_np(adv_batch, **attack_params))
if (i+1) % 10 == 0:
print('finished %d/%d mini-batch' % (i+1, n_batch))
adv = np.concatenate(adv, axis=0)
print('--------------------------------------')
# evaluations
preds = model.predict(x, softmax=False) # output logits
eval_params = {'batch_size': batch_size}
# test clean acc
#accuracy, _ = model_eval(sess, x, y, preds, X_test, Y_test,
# args=eval_params, return_pred=True)
#print('clean test acc: %.4f' % (accuracy * 100))
accuracy, adv_logits = model_eval(sess, x, y, preds, adv, adv_ys,
args=eval_params, return_pred=True)
if targeted:
success_rate = accuracy * 100
print('untargeted attack success rate: %.4f' % success_rate)
else:
success_rate = (1 - accuracy) * 100
print('untargeted attack success rate: %.4f' % success_rate, adv.shape)
# Close TF session
sess.close()
# save results
if save:
if not os.path.isdir('raw_attack_results/'):
os.mkdir('raw_attack_results/')
print('create path raw_attack_results/')
path = 'raw_attack_results/' + model_name + '/'
if attack_method in ['fgsm', 'pgd', 'mim']:
attack_method = attack_method + '_' + 'eps%.2f' % attack_params['eps']
if attack_method == 'cw':
c = attack_params['initial_const']
lr = attack_params['learning_rate']
attack_method = attack_method + '_c%.2f_lr%.3f' % (c, lr)
if not os.path.isdir(path):
os.mkdir(path); print('create path ' + path)
filename = data_name + '_' + attack_method
if targeted:
filename = filename + '_targeted'
else:
filename = filename + '_untargeted'
true_ys = Y_test[:source_samples]
results = [adv, true_ys, adv_ys, adv_logits]
pickle.dump(results, open(path+filename+'.pkl', 'wb'))
print("results saved at %s.pkl" % (path+filename))
def blackbox(gan,
rec_data_path=None,
batch_size=128,
learning_rate=0.001,
nb_epochs=10,
holdout=150,
data_aug=6,
nb_epochs_s=10,
lmbda=0.1,
online_training=False,
train_on_recs=False,
test_on_dev=True,
defense_type='none'):
"""MNIST tutorial for the black-box attack from arxiv.org/abs/1602.02697
Args:
train_start: index of first training set example
train_end: index of last training set example
test_start: index of first test set example
test_end: index of last test set example
defense_type: Type of defense against blackbox attacks
Returns:
a dictionary with:
* black-box model accuracy on test set
* substitute model accuracy on test set
* black-box model accuracy on adversarial examples transferred
from the substitute model
"""
FLAGS = flags.FLAGS
# Set logging level to see debug information.
set_log_level(logging.WARNING)
# Dictionary used to keep track and return key accuracies.
accuracies = {}
# Create TF session.
adv_training = False
if defense_type:
if defense_type == 'defense_gan' and gan:
sess = gan.sess
gan_defense_flag = True
else:
gan_defense_flag = False
config = tf.ConfigProto()
config.gpu_options.allow_growth = True
sess = tf.Session(config=config)
if 'adv_tr' in defense_type:
adv_training = True
else:
gan_defense_flag = False
config = tf.ConfigProto()
config.gpu_options.allow_growth = True
sess = tf.Session(config=config)
train_images, train_labels, test_images, test_labels = \
get_cached_gan_data(gan, test_on_dev, orig_data_flag=True)
x_shape, classes = list(train_images.shape[1:]), train_labels.shape[1]
nb_classes = classes
type_to_models = {
'A': model_a,
'B': model_b,
'C': model_c,
'D': model_d,
'E': model_e,
'F': model_f,
'Q': model_q,
'Z': model_z
}
bb_model = type_to_models[FLAGS.bb_model](
input_shape=[None] + x_shape,
nb_classes=train_labels.shape[1],
)
sub_model = type_to_models[FLAGS.sub_model](
input_shape=[None] + x_shape,
nb_classes=train_labels.shape[1],
)
if FLAGS.debug:
train_images = train_images[:20 * batch_size]
train_labels = train_labels[:20 * batch_size]
debug_dir = os.path.join('debug', 'blackbox', FLAGS.debug_dir)
ensure_dir(debug_dir)
x_debug_test = test_images[:batch_size]
# Initialize substitute training set reserved for adversary
images_sub = test_images[:holdout]
labels_sub = np.argmax(test_labels[:holdout], axis=1)
# Redefine test set as remaining samples unavailable to adversaries
if FLAGS.num_tests > 0:
test_images = test_images[:FLAGS.num_tests]
test_labels = test_labels[:FLAGS.num_tests]
test_images = test_images[holdout:]
test_labels = test_labels[holdout:]
# Define input and output TF placeholders
if FLAGS.image_dim[0] == 3:
FLAGS.image_dim = [
FLAGS.image_dim[1], FLAGS.image_dim[2], FLAGS.image_dim[0]
]
images_tensor = tf.placeholder(tf.float32, shape=[None] + x_shape)
labels_tensor = tf.placeholder(tf.float32, shape=(None, classes))
rng = np.random.RandomState([11, 24, 1990])
tf.set_random_seed(11241990)
train_images_bb, train_labels_bb, test_images_bb, test_labels_bb = \
train_images, train_labels, test_images, \
test_labels
cur_gan = None
if defense_type:
if 'gan' in defense_type:
# Load cached dataset reconstructions.
if online_training and not train_on_recs:
cur_gan = gan
elif not online_training and rec_data_path:
train_images_bb, train_labels_bb, test_images_bb, \
test_labels_bb = get_cached_gan_data(
gan, test_on_dev, orig_data_flag=False)
else:
assert not train_on_recs
if FLAGS.debug:
train_images_bb = train_images_bb[:20 * batch_size]
train_labels_bb = train_labels_bb[:20 * batch_size]
# Prepare the black_box model.
prep_bbox_out = prep_bbox(sess,
images_tensor,
labels_tensor,
train_images_bb,
train_labels_bb,
test_images_bb,
test_labels_bb,
nb_epochs,
batch_size,
learning_rate,
rng=rng,
gan=cur_gan,
adv_training=adv_training,
cnn_arch=bb_model)
else:
prep_bbox_out = prep_bbox(sess,
images_tensor,
labels_tensor,
train_images_bb,
train_labels_bb,
test_images_bb,
test_labels_bb,
nb_epochs,
batch_size,
learning_rate,
rng=rng,
gan=cur_gan,
adv_training=adv_training,
cnn_arch=bb_model)
model, bbox_preds, accuracies['bbox'] = prep_bbox_out
# Train substitute using method from https://arxiv.org/abs/1602.02697
print("Training the substitute model.")
reconstructed_tensors = tf.stop_gradient(
gan.reconstruct(images_tensor,
batch_size=batch_size,
reconstructor_id=1))
model_sub, preds_sub = train_sub(
sess,
images_tensor,
labels_tensor,
model(reconstructed_tensors),
images_sub,
labels_sub,
nb_classes,
nb_epochs_s,
batch_size,
learning_rate,
data_aug,
lmbda,
rng=rng,
substitute_model=sub_model,
)
accuracies['sub'] = 0
# Initialize the Fast Gradient Sign Method (FGSM) attack object.
fgsm_par = {
'eps': FLAGS.fgsm_eps,
'ord': np.inf,
'clip_min': 0.,
'clip_max': 1.
}
if gan:
if gan.dataset_name == 'celeba':
fgsm_par['clip_min'] = -1.0
fgsm = FastGradientMethod(model_sub, sess=sess)
# Craft adversarial examples using the substitute.
eval_params = {'batch_size': batch_size}
x_adv_sub = fgsm.generate(images_tensor, **fgsm_par)
if FLAGS.debug and gan is not None: # To see some qualitative results.
reconstructed_tensors = gan.reconstruct(x_adv_sub,
batch_size=batch_size,
reconstructor_id=2)
x_rec_orig = gan.reconstruct(images_tensor,
batch_size=batch_size,
reconstructor_id=3)
x_adv_sub_val = sess.run(x_adv_sub,
feed_dict={
images_tensor: x_debug_test,
K.learning_phase(): 0
})
sess.run(tf.local_variables_initializer())
x_rec_debug_val, x_rec_orig_val = sess.run(
[reconstructed_tensors, x_rec_orig],
feed_dict={
images_tensor: x_debug_test,
K.learning_phase(): 0
})
save_images_files(x_adv_sub_val, output_dir=debug_dir, postfix='adv')
postfix = 'gen_rec'
save_images_files(x_rec_debug_val,
output_dir=debug_dir,
postfix=postfix)
save_images_files(x_debug_test, output_dir=debug_dir, postfix='orig')
save_images_files(x_rec_orig_val,
output_dir=debug_dir,
postfix='orig_rec')
return
if gan_defense_flag:
reconstructed_tensors = gan.reconstruct(
x_adv_sub,
batch_size=batch_size,
reconstructor_id=4,
)
num_dims = len(images_tensor.get_shape())
avg_inds = list(range(1, num_dims))
diff_op = tf.reduce_mean(tf.square(x_adv_sub - reconstructed_tensors),
axis=avg_inds)
outs = model_eval_gan(sess,
images_tensor,
labels_tensor,
predictions=model(reconstructed_tensors),
test_images=test_images,
test_labels=test_labels,
args=eval_params,
diff_op=diff_op,
feed={K.learning_phase(): 0})
accuracies['bbox_on_sub_adv_ex'] = outs[0]
accuracies['roc_info'] = outs[1]
print('Test accuracy of oracle on adversarial examples generated '
'using the substitute: ' + str(outs[0]))
else:
accuracy = model_eval(sess,
images_tensor,
labels_tensor,
model(x_adv_sub),
test_images,
test_labels,
args=eval_params,
feed={K.learning_phase(): 0})
print('Test accuracy of oracle on adversarial examples generated '
'using the substitute: ' + str(accuracy))
accuracies['bbox_on_sub_adv_ex'] = accuracy
return accuracies
def cifar10_blackbox(nb_classes=10, batch_size=128, nb_samples=10, nb_filters=64,
eps=0.3, learning_rate=0.001, nb_epochs=10, holdout=150, data_aug=6,
nb_epochs_s=10, lmbda=0.1, binary=False, scale=False, model_path=None,
targeted=False, data_dir=None, adv=False, delay=0):
"""
MNIST tutorial for the black-box attack from arxiv.org/abs/1602.02697
:param train_start: index of first training set example
:param train_end: index of last training set example
:param test_start: index of first test set example
:param test_end: index of last test set example
:return: a dictionary with:
* black-box model accuracy on test set
* substitute model accuracy on test set
* black-box model accuracy on adversarial examples transferred
from the substitute model
"""
# Set logging level to see debug information
set_log_level(logging.DEBUG)
# Dictionary used to keep track and return key accuracies
accuracies = {}
# Perform tutorial setup
assert setup_tutorial()
if not hasattr(backend, "tf"):
raise RuntimeError("This tutorial requires keras to be configured"
" to use the TensorFlow backend.")
# Image dimensions ordering should follow the Theano convention
if keras.backend.image_dim_ordering() != 'tf':
keras.backend.set_image_dim_ordering('tf')
print("INFO: '~/.keras/keras.json' sets 'image_dim_ordering' to "
"'th', temporarily setting to 'tf'")
# Create TF session and set as Keras backend session
sess = tf.Session()
keras.backend.set_session(sess)
# Get CIFAR10 test data
X_train, Y_train, X_test, Y_test = data_cifar10()
# Initialize substitute training set reserved for adversary
X_sub = X_test[:holdout]
Y_sub = np.argmax(Y_test[:holdout], axis=1)
# Redefine test set as remaining samples unavailable to adversaries
X_test = X_test[holdout:]
Y_test = Y_test[holdout:]
#Y_test_onehot = Y_test_onehot[holdout:]
# CIFAR10-specific dimensions
img_rows = 32
img_cols = 32
channels = 3
# Define input and output TF placeholders
x = tf.placeholder(tf.float32, shape=(None, img_rows, img_cols, channels))
y = tf.placeholder(tf.float32, shape=(None, nb_classes))
phase = tf.placeholder(tf.bool, name='phase')
logits_scalar = tf.placeholder_with_default(
INIT_T, shape=(), name="logits_temperature")
# Seed random number generator so tutorial is reproducible
rng = np.random.RandomState([2017, 8, 30])
# Simulate the black-box model locally
# You could replace this by a remote labeling API for instance
print("Preparing the black-box model.")
prep_bbox_out = prep_bbox(sess, logits_scalar, x, y, X_train, Y_train, X_test, Y_test,
img_rows, img_cols, channels, nb_epochs, batch_size, learning_rate,
rng=rng, phase=phase, binary=binary, scale=scale,
nb_filters=nb_filters, model_path=model_path,
adv=adv, delay=delay, eps=eps)
model, bbox_preds, accuracies['bbox'], model_path = prep_bbox_out
# Train substitute using method from https://arxiv.org/abs/1602.02697
print("Training the substitute model.")
train_sub_out = train_sub(sess, x, y, bbox_preds, X_sub, Y_sub,
nb_classes, nb_epochs_s, batch_size,
learning_rate, data_aug, lmbda, rng=rng, phase=phase, model_path=model_path)
model_sub, preds_sub = train_sub_out
# Evaluate the substitute model on clean test examples
eval_params = {'batch_size': batch_size}
acc = model_eval(sess, x, y, preds_sub, X_test,
Y_test, phase=phase, args=eval_params)
accuracies['sub'] = acc
print('Test accuracy of substitute on clean examples: ' + str(acc))
# Initialize the Fast Gradient Sign Method (FGSM) attack object.
fgsm_par = {'eps': eps, 'ord': np.inf, 'clip_min': 0., 'clip_max': 1.}
fgsm = FastGradientMethod(model_sub, sess=sess)
if targeted:
from cleverhans.utils import build_targeted_dataset
adv_inputs, true_labels, adv_ys = build_targeted_dataset(
X_test, Y_test, np.arange(nb_samples), nb_classes, img_rows, img_cols, channels)
att_batch_size = np.clip(
nb_samples * (nb_classes - 1), a_max=MAX_BATCH_SIZE, a_min=1)
nb_adv_per_sample = nb_classes - 1
yname = "y_target"
else:
att_batch_size = np.minimum(nb_samples, MAX_BATCH_SIZE)
nb_adv_per_sample = 1
adv_ys = None
yname = "y"
# Craft adversarial examples using the substitute
#eval_params = {'batch_size': att_batch_size}
if targeted:
fgsm_par.update({yname: adv_ys})
x_adv_sub = fgsm.generate_np(adv_inputs, phase, **fgsm_par)
accuracy = model_eval(sess, x, y, model(x, reuse=True), x_adv_sub, true_labels,
phase=phase, args=eval_params)
else:
x_adv_sub = fgsm.generate(x, phase, **fgsm_par)
# Evaluate the accuracy of the "black-box" model on adversarial
# examples
accuracy = model_eval(sess, x, y, model(x_adv_sub), X_test, Y_test,
phase=phase, args=eval_params)
print('Test accuracy of oracle on adversarial examples generated symbolically '
'using the substitute: ' + str(accuracy))
adv_np = fgsm.generate_np(X_test, phase, **fgsm_par)
accuracy = model_eval(sess, x, y, bbox_preds,
adv_np, Y_test, phase=phase, args=eval_params)
print('Test accuracy of oracle on adversarial examples generated '
'using the substitute: ' + str(accuracy))
name = 'cifar10_base_fgsm_eps%s_n%s.npy' % (eps, adv_np.shape[0])
#fpath = os.path.join('/scratch/gallowaa/mnist/adversarial_examples/cleverhans/', name)
fpath = os.path.join('./', name)
#np.savez(fpath, x=adv_np, y=Y_test)
accuracies['bbox_on_sub_adv_ex'] = accuracy
return accuracies
def make_confidence_report_bundled(filepath,
train_start=TRAIN_START,
train_end=TRAIN_END,
test_start=TEST_START,
test_end=TEST_END,
which_set=WHICH_SET,
recipe=RECIPE,
report_path=REPORT_PATH):
"""
Load a saved model, gather its predictions, and save a confidence report.
:param filepath: path to model to evaluate
:param train_start: index of first training set example to use
:param train_end: index of last training set example to use
:param test_start: index of first test set example to use
:param test_end: index of last test set example to use
:param which_set: 'train' or 'test'
"""
# Avoid circular import
from cleverhans import attack_bundling
run_recipe = getattr(attack_bundling, recipe)
# Set logging level to see debug information
set_log_level(logging.INFO)
# Create TF session
sess = tf.Session()
assert filepath.endswith('.joblib')
if report_path is None:
report_path = filepath[:-len('.joblib')] + "_bundled_report.joblib"
with sess.as_default():
model = load(filepath)
assert len(model.get_params()) > 0
factory = model.dataset_factory
factory.kwargs['test_start'] = test_start
factory.kwargs['test_end'] = test_end
dataset = factory()
center = dataset.kwargs['center']
max_value = dataset.max_val
min_value = 0. - center * max_value
value_range = max_value - min_value
if 'CIFAR' in str(factory.cls):
base_eps = 8. / 255.
base_eps_iter = 2. / 255.
elif 'MNIST' in str(factory.cls):
base_eps = .3
base_eps_iter = .1
else:
raise NotImplementedError(str(factory.cls))
eps = base_eps * value_range
eps_iter = base_eps_iter * value_range
nb_iter = 40
clip_min = min_value
clip_max = max_value
x_data, y_data = dataset.get_set(which_set)
assert x_data.max() <= max_value
assert x_data.min() >= min_value
# Different recipes take different arguments.
# For now I don't have an idea for a beautiful unifying framework, so
# we get an if statement.
if recipe == 'random_search_max_confidence_recipe':
# pylint always checks against the default recipe here
# pylint: disable=no-value-for-parameter
run_recipe(sess=sess,
model=model,
x=x_data,
y=y_data,
eps=eps,
clip_min=clip_min,
clip_max=clip_max,
report_path=report_path)
else:
run_recipe(sess=sess,
model=model,
x=x_data,
y=y_data,
nb_classes=dataset.NB_CLASSES,
eps=eps,
clip_min=clip_min,
clip_max=clip_max,
eps_iter=eps_iter,
nb_iter=nb_iter,
report_path=report_path)
def mnist_tutorial(train_start=0, train_end=60000, test_start=0,
test_end=10000, nb_epochs=6, batch_size=128,
learning_rate=0.001,
clean_train=True,
testing=False,
backprop_through_attack=False,
nb_filters=64, num_threads=None,
label_smoothing=0.1):
"""
MNIST cleverhans tutorial
:param train_start: index of first training set example
:param train_end: index of last training set example
:param test_start: index of first test set example
:param test_end: index of last test set example
:param nb_epochs: number of epochs to train model
:param batch_size: size of training batches
:param learning_rate: learning rate for training
:param clean_train: perform normal training on clean examples only
before performing adversarial training.
:param testing: if true, complete an AccuracyReport for unit tests
to verify that performance is adequate
:param backprop_through_attack: If True, backprop through adversarial
example construction process during
adversarial training.
:param clean_train: if true, train on clean examples
:param label_smoothing: float, amount of label smoothing for cross entropy
:return: an AccuracyReport object
"""
# Object used to keep track of (and return) key accuracies
report = AccuracyReport()
# Set TF random seed to improve reproducibility
tf.set_random_seed(1234)
# Set logging level to see debug information
set_log_level(logging.DEBUG)
# Create TF session
if num_threads:
config_args = dict(intra_op_parallelism_threads=1)
else:
config_args = {}
sess = tf.Session(config=tf.ConfigProto(**config_args))
# Get MNIST test data
x_train, y_train, x_test, y_test = data_mnist(train_start=train_start,
train_end=train_end,
test_start=test_start,
test_end=test_end)
# Use Image Parameters
img_rows, img_cols, nchannels = x_train.shape[1:4]
nb_classes = y_train.shape[1]
# Define input TF placeholder
x = tf.placeholder(tf.float32, shape=(None, img_rows, img_cols,
nchannels))
y = tf.placeholder(tf.float32, shape=(None, nb_classes))
color_W = tf.Variable(tf.zeros([16, 16]))
color_b = tf.Variable(tf.zeros([16]))
colorCategory = [
[0.0, 0.4], # Black
[0.3, 0.7], # Grey
[0.6, 1.0] # White
]
numColorInput = 1
numColorOutput = len(colorCategory)
# Merge the random generated output for new image based on the colorCategory
randomColorCategory = []
for i in range(len(colorCategory)):
tmp = []
tmpRandomColorCategory = my_tf_round(
tf.random_uniform([n_input, 1], colorCategory[i][0], colorCategory[i][1], dtype=tf.float32), 2)
tmp.append(tmpRandomColorCategory)
randomColorCategory.append(tf.concat(tmp, 1))
random_merge = tf.reshape(tf.concat(randomColorCategory, -1), [n_input, numColorOutput])
ranges = tf.Variable(np.arange(0, n_input))
ranges = tf.reshape(ranges, [1, n_input])
ranges = tf.cast(ranges, tf.int32)
single_x = tf.placeholder(tf.int32, [None, n_input])
indices = tf.reshape(tf.concat([ranges, single_x], -1), [n_input, 2])
random_color_set = tf.gather_nd(random_merge, indices)
with sess.as_default():
if hasattr(tf, "global_variables_initializer"):
tf.global_variables_initializer().run()
else:
sess.run(tf.initialize_all_variables())
save_path = os.path.join("/tmp/test_ae/", "test")
print(ranges.eval())
print(indices.eval(feed_dict = {single_x: [np.arange(0, n_input), np.arange(0, n_input)]}))
return report
def mnist_blackbox(train_start=0,
train_end=60000,
test_start=0,
test_end=10000,
nb_classes=10,
batch_size=128,
nb_samples=10,
nb_filters=64,
eps=0.3,
learning_rate=0.001,
nb_epochs=10,
holdout=150,
data_aug=6,
nb_epochs_s=10,
lmbda=0.1,
binary=False,
scale=False,
model_path=None,
targeted=False,
data_dir=None,
adv=False,
delay=0):
"""
MNIST tutorial for the black-box attack from arxiv.org/abs/1602.02697
:param train_start: index of first training set example
:param train_end: index of last training set example
:param test_start: index of first test set example
:param test_end: index of last test set example
:return: a dictionary with:
* black-box model accuracy on test set
* substitute model accuracy on test set
* black-box model accuracy on adversarial examples transferred
from the substitute model
"""
# Set logging level to see debug information
set_log_level(logging.DEBUG)
# Dictionary used to keep track and return key accuracies
accuracies = {}
# Perform tutorial setup
assert setup_tutorial()
# Create TF session
sess = tf.Session()
# Get MNIST data
X_train, Y_train, X_test, Y_test = data_mnist(datadir=data_dir,
train_start=train_start,
train_end=train_end,
test_start=test_start,
test_end=test_end)
# Initialize substitute training set reserved for adversary
X_sub = X_test[:holdout]
Y_sub = np.argmax(Y_test[:holdout], axis=1)
print("Y_sub shape=")
print(Y_sub.shape)
# Redefine test set as remaining samples unavailable to adversaries
X_test = X_test[holdout:]
Y_test = Y_test[holdout:]
# MNIST-specific dimensions
img_rows = 28
img_cols = 28
channels = 1
nb_classes = 10
# Define input and output TF placeholders
x = tf.placeholder(tf.float32, shape=(None, 28, 28, 1))
y = tf.placeholder(tf.float32, shape=(None, 10))
phase = tf.placeholder(tf.bool, name='phase')
logits_scalar = tf.placeholder_with_default(INIT_T,
shape=(),
name="logits_temperature")
# Seed random number generator so tutorial is reproducible
rng = np.random.RandomState([2017, 8, 30])
# Simulate the black-box model locally
# You could replace this by a remote labeling API for instance
print("Preparing the black-box model.")
prep_bbox_out = prep_bbox(sess,
logits_scalar,
x,
y,
X_train,
Y_train,
X_test,
Y_test,
img_rows,
img_cols,
channels,
nb_epochs,
batch_size,
learning_rate,
rng=rng,
phase=phase,
binary=binary,
scale=scale,
nb_filters=nb_filters,
model_path=model_path,
adv=adv,
delay=delay,
eps=eps)
model, bbox_preds, accuracies['bbox'], model_path = prep_bbox_out
# Train substitute using method from https://arxiv.org/abs/1602.02697
print("Training the substitute model.")
train_sub_out = train_sub(sess,
logits_scalar,
x,
y,
bbox_preds,
X_sub,
Y_sub,
nb_classes,
nb_epochs_s,
batch_size,
learning_rate,
data_aug,
lmbda,
rng=rng,
phase=phase,
model_path=model_path)
model_sub, preds_sub = train_sub_out
# Evaluate the substitute model on clean test examples
eval_params = {'batch_size': batch_size}
acc = model_eval(sess,
x,
y,
preds_sub,
X_test,
Y_test,
phase=phase,
args=eval_params)
accuracies['sub'] = acc
# Initialize the Fast Gradient Sign Method (FGSM) attack object.
fgsm_par = {'eps': eps, 'ord': np.inf, 'clip_min': 0., 'clip_max': 1.}
fgsm = FastGradientMethod(model_sub, sess=sess)
if targeted:
from cleverhans.utils import build_targeted_dataset
adv_inputs, true_labels, adv_ys = build_targeted_dataset(
X_test, Y_test, np.arange(nb_samples), nb_classes, img_rows,
img_cols, channels)
att_batch_size = np.clip(nb_samples * (nb_classes - 1),
a_max=MAX_BATCH_SIZE,
a_min=1)
nb_adv_per_sample = nb_classes - 1
yname = "y_target"
else:
att_batch_size = np.minimum(nb_samples, MAX_BATCH_SIZE)
nb_adv_per_sample = 1
adv_ys = None
yname = "y"
# Craft adversarial examples using the substitute
eval_params = {'batch_size': att_batch_size}
if targeted:
fgsm_par.update({yname: adv_ys})
x_adv_sub = fgsm.generate_np(adv_inputs, phase, **fgsm_par)
accuracy = model_eval(sess,
x,
y,
model(x, reuse=True),
x_adv_sub,
true_labels,
phase=phase,
args=eval_params)
else:
x_adv_sub = fgsm.generate(x, phase, **fgsm_par)
# Evaluate the accuracy of the "black-box" model on adversarial
# examples
accuracy = model_eval(sess,
x,
y,
model(x_adv_sub),
X_test,
Y_test,
phase=phase,
args=eval_params)
print('Test accuracy of oracle on adversarial examples generated '
'using the substitute: ' + str(accuracy))
accuracies['bbox_on_sub_adv_ex'] = accuracy
return accuracies
def mnist_tutorial(train_start=0,
train_end=60000,
test_start=0,
test_end=10000,
nb_epochs=6,
batch_size=128,
learning_rate=0.001,
clean_train=True,
testing=False,
backprop_through_attack=False):
"""
MNIST cleverhans tutorial
:param train_start: index of first training set example
:param train_end: index of last training set example
:param test_start: index of first test set example
:param test_end: index of last test set example
:param nb_epochs: number of epochs to train model
:param batch_size: size of training batches
:param learning_rate: learning rate for training
:param testing: if true, complete an AccuracyReport for unit tests
to verify that performance is adequate
:param clean_train: if true, train on clean examples
:return: an AccuracyReport object
"""
# Object used to keep track of (and return) key accuracies
report = AccuracyReport()
# Set TF random seed to improve reproducibility
tf.set_random_seed(1234)
# Set logging level to see debug information
set_log_level(logging.DEBUG)
tf_graph = tf.Graph()
# Create TF session
sess = tf.Session(graph=tf_graph)
# Get MNIST test data
X_train, Y_train, X_test, Y_test, Y_test_OneHot = data_mnist(
train_start=train_start,
train_end=train_end,
test_start=test_start,
test_end=test_end,
one_hot=False)
# Define input TF placeholder
with tf_graph.as_default():
x = tf.placeholder(tf.float32, shape=[None, 28 * 28])
x_reshaped = tf.reshape(x, [-1, 28, 28, 1])
y = tf.placeholder(tf.int32, shape=[None])
model_path = "models/mnist"
# Train an MNIST model
train_params = {
'nb_epochs': nb_epochs,
'batch_size': batch_size,
'learning_rate': learning_rate
}
fgsm_params = {'eps': FLAGS.eps, 'y': Y_test_OneHot}
rng = np.random.RandomState([2017, 8, 30])
if clean_train:
with tf_graph.as_default():
model = make_gp_cnn(num_h=100)
h = model.get_logits(x_reshaped)
nn_vars = tf.global_variables(
) # only nn variables exist up to now.
sess.run(tf.variables_initializer(nn_vars))
#Wrap GP layer around
gp_model, train_step, preds = model_wrap_gp(sess,
tf_graph,
x,
y,
X_train,
Y_train,
h,
args=train_params)
def evaluate():
# Evaluate the accuracy of the MNIST model on legitimate test
# examples
with tf_graph.as_default():
eval_params = {'batch_size': batch_size}
acc, ll = model_gpdnn_eval(sess,
gp_model,
x_reshaped,
y,
h,
preds,
X_test,
Y_test,
args=eval_params)
report.clean_train_clean_eval = acc
assert X_test.shape[0] == test_end - test_start, X_test.shape
logger.info('Test accuracy on legitimate examples: %0.4f' %
acc)
model_gpdnn_train(sess,
x,
y,
h,
X_train,
Y_train,
train_step,
evaluate=evaluate,
args=train_params,
rng=rng)
# Initialize the Fast Gradient Sign Method (FGSM) attack object and
# graph
with tf_graph.as_default():
fgsm = FastGradientMethodGP(model, preds, sess=sess)
adv_x = fgsm.generate(x_reshaped, **fgsm_params)
if not backprop_through_attack:
# For the fgsm attack used in this tutorial, the attack has zero
# gradient so enabling this flag does not change the gradient.
# For some other attacks, enabling this flag increases the cost of
# training, but gives the defender the ability to anticipate how
# the atacker will change their strategy in response to updates to
# the defender's parameters.
adv_x = tf.stop_gradient(adv_x)
preds_adv = preds
# Evaluate the accuracy of the MNIST model on adversarial examples
eval_par = {'batch_size': batch_size}
feed_dict = {x_reshaped: X_test}
X_test_adv = sess.run(adv_x, feed_dict=feed_dict)
acc, ll = model_gpdnn_eval(sess,
gp_model,
x_reshaped,
y,
h,
preds_adv,
X_test_adv,
Y_test,
args=eval_par)
logger.info('Test accuracy on adversarial examples: %0.4f\n' % acc)
report.clean_train_adv_eval = acc
return report
def cifar10_cw_recon(train_start=0,
train_end=60000,
test_start=0,
test_end=10000,
viz_enabled=VIZ_ENABLED,
nb_epochs=NB_EPOCHS,
batch_size=BATCH_SIZE,
source_samples=SOURCE_SAMPLES,
learning_rate=LEARNING_RATE,
attack_iterations=ATTACK_ITERATIONS,
model_path=MODEL_PATH,
model_path_cls=MODEL_PATH,
targeted=TARGETED,
num_threads=None,
label_smoothing=0.1,
nb_filters=NB_FILTERS):
# Object used to keep track of (and return) key accuracies
report = AccuracyReport()
# Set TF random seed to improve reproducibility
tf.set_random_seed(1234)
rng = np.random.RandomState()
# Create TF session
sess = tf.Session()
print("Created TensorFlow session.")
set_log_level(logging.DEBUG)
if num_threads:
config_args = dict(intra_op_parallelism_threads=1)
else:
config_args = {}
sess = tf.Session(config=tf.ConfigProto(**config_args))
# Get CIFAR10 data
data = CIFAR10(train_start=train_start,
train_end=train_end,
test_start=test_start,
test_end=test_end)
dataset_size = data.x_train.shape[0]
dataset_train = data.to_tensorflow()[0]
dataset_train = dataset_train.map(
lambda x, y: (random_shift(random_horizontal_flip(x)), y), 4)
dataset_train = dataset_train.batch(batch_size)
dataset_train = dataset_train.prefetch(16)
x_train, y_train = data.get_set('train')
x_test, y_test = data.get_set('test')
nb_latent_size = 100
# Get MNIST test data
# Obtain Image Parameters
img_rows, img_cols, nchannels = x_train.shape[1:4]
nb_classes = y_train.shape[1]
print("img_Rows, img_cols, nchannels: ", img_rows, img_cols, nchannels)
# Define input TF placeholder
x = tf.placeholder(tf.float32, shape=(None, img_rows, img_cols, nchannels))
x_t = tf.placeholder(tf.float32,
shape=(None, img_rows, img_cols, nchannels))
y = tf.placeholder(tf.float32, shape=(None, nb_classes))
y_t = tf.placeholder(tf.float32, shape=(None, nb_classes))
z = tf.placeholder(tf.float32, shape=(None, nb_latent_size))
z_t = tf.placeholder(tf.float32, shape=(None, nb_latent_size))
#nb_filters = 64
nb_layers = 500
'''
def do_eval_cls(preds, x_set, y_set, x_tar_set,report_key, is_adv = None):
acc = model_eval(sess, x, y, preds, x_t, x_set, y_set, x_tar_set, args=eval_params_cls)
setattr(report, report_key, acc)
if is_adv is None:
report_text = None
elif is_adv:
report_text = 'adversarial'
else:
report_text = 'legitimate'
if report_text:
print('Test accuracy on %s examples: %0.4f' % (report_text, acc))
def eval_cls():
do_eval_cls(y_logits, x_test, y_test, x_test,'clean_train_clean_eval', False)
'''
'''
def evaluate():
do_eval(y_logits, x_test, y_test, 'clean_train_clean_eval', False)
filepath_ae = "clean_model_cifar10_ae.joblib"
filepath_cl = "classifier_cifar10.joblib"
# Define TF model graph
model = ModelBasicAE('model', nb_layers, nb_latent_size)
#cl_model = ModelCls('cl_model')
#cl_model = ModelAllConvolutional('model1', nb_classes, nb_filters,
# input_shape=[32, 32, 3])
#preds = model.get_logits(x)
recons = model.get_layer(x, 'RECON')
latent1_orig = model.get_layer(x, 'LATENT')
latent1_orig_recon = model.get_layer(recons, 'LATENT')
loss = SquaredError(model)
print("Defined TensorFlow model graph.")
#y_logits = cl_model.get_logits(x)
#loss_cls = CrossEntropy(cl_model, smoothing=label_smoothing)
###########################################################################
# Training the model using TensorFlow
###########################################################################
# Train an MNIST model
train_params = {
'nb_epochs': nb_epochs,
'batch_size': batch_size,
'learning_rate': learning_rate,
'filename': os.path.split(model_path)[-1]
}
train_params_cls = {
'nb_epochs': 4,
'batch_size': batch_size,
'learning_rate': learning_rate
}
rng = np.random.RandomState([2017, 8, 30])
# check if we've trained before, and if we have, use that pre-trained model
#if os.path.exists(model_path + ".meta"):
# tf_model_load(sess, model_path)
#else:
#eval_params_cls = {'batch_size': batch_size}
# Evaluate the accuracy of the MNIST model on legitimate test examples
eval_params = {'batch_size': batch_size}
def do_eval(recons, x_orig, x_target, y_orig, y_target, report_key, is_adv=False, x_adv = None, recon_adv = False, lat_orig = None, lat_orig_recon = None):
noise, d_orig, d_targ, avg_dd, d_latent = model_eval_ae(sess, x, x_t, recons, x_orig, x_target, x_adv, recon_adv, lat_orig, lat_orig_recon, args = eval_params)
setattr(report, report_key, avg_dd)
if is_adv is None:
report_text = None
elif is_adv:
report_text = 'adversarial'
else:
report_text = 'legitimate'
if report_text:
print('Test d1 on ', report_text, ' examples: ', d_orig)
print('Test d2 on ', report_text,' examples: ', d_targ)
print('Test distance difference on %s examples: %0.4f' % (report_text, avg_dd))
print('Noise added: ', noise)
print("dist_latent_orig_recon on ", report_text, "examples : ", d_latent)
print()
def evaluate_ae():
do_eval(recons, x_test, x_test, y_test, y_test, 'clean_train_clean_eval', False, None, None, latent1_orig, latent1_orig_recon)
print("Training autoencoder")
train_ae(sess, loss, x_train,x_train, evaluate = evaluate_ae, args=train_params, rng=rng, var_list=model.get_params())
#with sess.as_default():
# save(filepath_ae, model)
'''
save_dir = 'models'
model_name = 'cifar10_AE'
model_path_ae = os.path.join(save_dir, model_name)
if clean_train_ae == True:
input_img = Input(shape=(32, 32, 3))
x = Conv2D(64, (3, 3), padding='same')(input_img)
x = BatchNormalization()(x)
x = Activation('relu')(x)
x = MaxPooling2D((2, 2), padding='same')(x)
x = Conv2D(32, (3, 3), padding='same')(x)
x = BatchNormalization()(x)
x = Activation('relu')(x)
x = MaxPooling2D((2, 2), padding='same')(x)
x = Conv2D(16, (3, 3), padding='same')(x)
x = BatchNormalization()(x)
x = Activation('relu')(x)
encoded = MaxPooling2D((2, 2), padding='same')(x)
x = Conv2D(16, (3, 3), padding='same')(encoded)
x = BatchNormalization()(x)
x = Activation('relu')(x)
x = UpSampling2D((2, 2))(x)
x = Conv2D(32, (3, 3), padding='same')(x)
x = BatchNormalization()(x)
x = Activation('relu')(x)
x = UpSampling2D((2, 2))(x)
x = Conv2D(64, (3, 3), padding='same')(x)
x = BatchNormalization()(x)
x = Activation('relu')(x)
x = UpSampling2D((2, 2))(x)
x = Conv2D(3, (3, 3), padding='same')(x)
x = BatchNormalization()(x)
decoded = Activation('sigmoid')(x)
model = Model(input_img, decoded)
model.compile(optimizer='adam', loss='binary_crossentropy')
#es_cb = EarlyStopping(monitor='val_loss', patience=2, verbose=1, mode='auto')
#chkpt = saveDir + 'AutoEncoder_Cifar10_Deep_weights.{epoch:02d}-{loss:.2f}-{val_loss:.2f}.hdf5'
#cp_cb = ModelCheckpoint(filepath = chkpt, monitor='val_loss', verbose=1, save_best_only=True, mode='auto')
model.fit(
x_train,
x_train,
batch_size=128,
epochs=2,
verbose=1,
validation_data=(x_test, x_test),
#callbacks=[es_cb, cp_cb],
shuffle=True)
score = model.evaluate(x_test, x_test, verbose=1)
print(score)
model.save(model_path_ae)
print('Saved trained model at %s ' % model_path)
else:
model = load_model(model_path_ae)
num_classes = 10
save_dir = 'models'
model_name = 'cifar10_CNN'
model_path_cls = os.path.join(save_dir, model_name)
if clean_train_cl == True:
print("Training CNN classifier")
cl_model = Sequential()
cl_model.add(
Conv2D(32, (3, 3), padding='same', input_shape=x_train.shape[1:]))
cl_model.add(Activation('relu'))
cl_model.add(Conv2D(32, (3, 3)))
cl_model.add(Activation('relu'))
cl_model.add(MaxPooling2D(pool_size=(2, 2)))
cl_model.add(Dropout(0.25))
cl_model.add(Conv2D(64, (3, 3), padding='same'))
cl_model.add(Activation('relu'))
cl_model.add(Conv2D(64, (3, 3)))
cl_model.add(Activation('relu'))
cl_model.add(MaxPooling2D(pool_size=(2, 2)))
cl_model.add(Dropout(0.25))
cl_model.add(Flatten())
cl_model.add(Dense(512))
cl_model.add(Activation('relu'))
cl_model.add(Dropout(0.5))
cl_model.add(Dense(num_classes))
cl_model.add(Activation('softmax'))
opt = keras.optimizers.rmsprop(lr=0.0001, decay=1e-6)
# Let's train the model using RMSprop
cl_model.compile(loss='categorical_crossentropy',
optimizer=opt,
metrics=['accuracy'])
cl_model.fit(x_train,
y_train,
batch_size=90,
epochs=4,
validation_data=(x_test, y_test),
shuffle=True)
cl_model.save(model_path_cls)
print('Saved trained model at %s ' % model_path)
else:
cl_model = load_model(model_path_cls)
# Score trained model.
scores = cl_model.evaluate(x_test, y_test, verbose=1)
print('Test loss:', scores[0])
print('Test accuracy:', scores[1])
'''
train(sess, loss_cls, None, None,
dataset_train=dataset_train, dataset_size=dataset_size,
evaluate=eval_cls, args=train_params_cls, rng=rng,
var_list=cl_model.get_params())
'''
#with sess.as_default():
# save(filepath_cl, cl_model)
'''
else:
model = load(filepath_ae)
cl_model = load(filepath_cl)
'''
#train_cls(sess, loss_cls, x_train, y_train, evaluate = eval_cls, args = train_params_cls, rng = rng, var_list = cl_model.get_params())
#train_cls(sess, loss_cls, x_train, y_train, evaluate = eval_cls, args = train_params_cls, rng = rng, var_list = cl_model.get_params())
###########################################################################
# Craft adversarial examples using Carlini and Wagner's approach
###########################################################################
nb_adv_per_sample = str(nb_classes - 1) if targeted else '1'
print('Crafting ' + str(source_samples) + ' * ' + nb_adv_per_sample +
' adversarial examples')
print("This could take some time ...")
# Instantiate a CW attack object
cw = CarliniWagnerAE(model, cl_model, sess=sess)
if viz_enabled:
assert source_samples == nb_classes
idxs = [
np.where(np.argmax(y_test, axis=1) == i)[0][0]
for i in range(nb_classes)
]
if targeted:
if viz_enabled:
# Initialize our array for grid visualization
grid_shape = (nb_classes, nb_classes, img_rows, img_cols,
nchannels)
grid_viz_data = np.zeros(grid_shape, dtype='f')
grid_viz_data_1 = np.zeros(grid_shape, dtype='f')
adv_inputs = np.array([[instance] * (nb_classes - 1)
for instance in x_test[idxs]],
dtype=np.float32)
#adv_input_y = np.array([[instance]*(nb_classes-1) for instance in y_test[idxs]])
adv_input_y = []
for curr_num in range(nb_classes):
targ = []
for id in range(nb_classes - 1):
targ.append(y_test[idxs[curr_num]])
adv_input_y.append(targ)
adv_input_y = np.array(adv_input_y)
adv_target_y = []
for curr_num in range(nb_classes):
targ = []
for id in range(nb_classes):
if (id != curr_num):
targ.append(y_test[idxs[id]])
adv_target_y.append(targ)
adv_target_y = np.array(adv_target_y)
#print("adv_input_y: \n", adv_input_y)
#print("adv_target_y: \n", adv_target_y)
adv_input_targets = []
for curr_num in range(nb_classes):
targ = []
for id in range(nb_classes):
if (id != curr_num):
targ.append(x_test[idxs[id]])
adv_input_targets.append(targ)
adv_input_targets = np.array(adv_input_targets)
adv_inputs = adv_inputs.reshape((source_samples * (nb_classes - 1),
img_rows, img_cols, nchannels))
adv_input_targets = adv_input_targets.reshape(
(source_samples * (nb_classes - 1), img_rows, img_cols,
nchannels))
adv_input_y = adv_input_y.reshape(
source_samples * (nb_classes - 1), 10)
adv_target_y = adv_target_y.reshape(
source_samples * (nb_classes - 1), 10)
one_hot = np.zeros((nb_classes, nb_classes))
one_hot[np.arange(nb_classes), np.arange(nb_classes)] = 1
adv_ys = np.array([one_hot] * source_samples, dtype=np.float32).reshape(
(source_samples * nb_classes, nb_classes))
yname = "y_target"
cw_params_batch_size = source_samples * (nb_classes - 1)
cw_params = {
'binary_search_steps': 4,
yname: adv_ys,
'max_iterations': attack_iterations,
'learning_rate': CW_LEARNING_RATE,
'batch_size': cw_params_batch_size,
'initial_const': 1
}
adv = cw.generate_np(adv_inputs, adv_input_targets, **cw_params)
adv = sess.run(adv)
#print("shaep of adv: ", np.shape(adv))
'''
recons = model.get_layer(x, 'RECON')
recon_orig = model.get_layer(adv_inputs, 'RECON')
recon_adv = model.get_layer(adv, 'RECON')
lat_orig = model.get_layer(x, 'LATENT')
lat_orig_recon = model.get_layer(recons, 'LATENT')
#pred_adv_recon = cl_model.get_logits(recon_adv)
'''
recon_orig = model.predict(adv_inputs)
recon_adv = model.predict(adv)
#eval_params = {'batch_size': np.minimum(nb_classes, source_samples)}
#eval_params = {'batch_size': 90}
#acc_1 = model_eval(sess, x, y, pred_adv_recon, x_t, adv_inputs, adv_target_y, adv_input_targets, args=eval_params_cls)
#acc_2 = model_eval(sess, x, y, pred_adv_recon, x_t, adv_inputs, adv_input_y, adv_input_targets, args=eval_params_cls)
#noise, d1, d2, dist_diff, avg_dist_lat = model_eval_ae(sess, x, x_t,recons, adv_inputs, adv_input_targets, adv, recon_adv,lat_orig, lat_orig_recon, args=eval_params)
shape = np.shape(adv_inputs)
noise = reduce_sum(np.square(adv_inputs - adv), list(range(1, len(shape))))
print("noise: ", noise)
#recon_adv = sess.run(recon_adv)
#recon_orig = sess.run(recon_orig)
scores1 = cl_model.evaluate(recon_adv, adv_input_y, verbose=1)
scores2 = cl_model.evaluate(recon_adv, adv_target_y, verbose=1)
print("classifier acc_target: ", scores2[1])
print("classifier acc_true: ", scores1[1])
#print("recon_adv[0]\n", recon_adv[0,:,:,0])
curr_class = 0
if viz_enabled:
for j in range(nb_classes):
if targeted:
for i in range(nb_classes):
#grid_viz_data[i, j] = adv[j * (nb_classes-1) + i]
if (i == j):
grid_viz_data[i, j] = recon_orig[curr_class * 9]
grid_viz_data_1[i, j] = adv_inputs[curr_class * 9]
curr_class = curr_class + 1
else:
if (j > i):
grid_viz_data[i,
j] = recon_adv[i * (nb_classes - 1) +
j - 1]
grid_viz_data_1[i, j] = adv[i * (nb_classes - 1) +
j - 1]
else:
grid_viz_data[i,
j] = recon_adv[i * (nb_classes - 1) +
j]
grid_viz_data_1[i,
j] = adv[i * (nb_classes - 1) + j]
#rint(grid_viz_data.shape)
print('--------------------------------------')
# Compute the number of adversarial examples that were successfully found
# Compute the average distortion introduced by the algorithm
percent_perturbed = np.mean(
np.sum((adv - adv_inputs)**2, axis=(1, 2, 3))**.5)
print('Avg. L_2 norm of perturbations {0:.4f}'.format(percent_perturbed))
# Close TF session
#sess.close()
# Finally, block & display a grid of all the adversarial examples
if viz_enabled:
#_ = grid_visual(grid_viz_data)
#_ = grid_visual(grid_viz_data_1)
plt.ioff()
figure = plt.figure()
figure.canvas.set_window_title('Cleverhans: Grid Visualization')
# Add the images to the plot
num_cols = grid_viz_data.shape[0]
num_rows = grid_viz_data.shape[1]
num_channels = grid_viz_data.shape[4]
for yy in range(num_rows):
for xx in range(num_cols):
figure.add_subplot(num_rows, num_cols,
(xx + 1) + (yy * num_cols))
plt.axis('off')
plt.imshow(grid_viz_data[xx, yy, :, :, :])
# Draw the plot and return
plt.savefig('cifar10_fig1')
figure = plt.figure()
figure.canvas.set_window_title('Cleverhans: Grid Visualization')
for yy in range(num_rows):
for xx in range(num_cols):
figure.add_subplot(num_rows, num_cols,
(xx + 1) + (yy * num_cols))
plt.axis('off')
plt.imshow(grid_viz_data_1[xx, yy, :, :, :])
# Draw the plot and return
plt.savefig('cifar10_fig2')
#return report
#adversarial training
if (adv_train == True):
print("starting adversarial training")
#sess1 = tf.Session()
adv_input_set = []
adv_input_target_set = []
for i in range(20):
indices = np.arange(np.shape(x_train)[0])
np.random.shuffle(indices)
print("indices: ", indices[1:10])
x_train = x_train[indices]
y_train = y_train[indices]
idxs = [
np.where(np.argmax(y_train, axis=1) == i)[0][0]
for i in range(nb_classes)
]
adv_inputs_2 = np.array([[instance] * (nb_classes - 1)
for instance in x_train[idxs]],
dtype=np.float32)
adv_input_targets_2 = []
for curr_num in range(nb_classes):
targ = []
for id in range(nb_classes):
if (id != curr_num):
targ.append(x_train[idxs[id]])
adv_input_targets_2.append(targ)
adv_input_targets_2 = np.array(adv_input_targets_2)
adv_inputs_2 = adv_inputs_2.reshape(
(source_samples * (nb_classes - 1), img_rows, img_cols,
nchannels))
adv_input_targets_2 = adv_input_targets_2.reshape(
(source_samples * (nb_classes - 1), img_rows, img_cols,
nchannels))
adv_input_set.append(adv_inputs_2)
adv_input_target_set.append(adv_input_targets_2)
adv_input_set = np.array(adv_input_set),
adv_input_target_set = np.array(adv_input_target_set)
print("shape of adv_input_set: ", np.shape(adv_input_set))
print("shape of adv_input_target_set: ",
np.shape(adv_input_target_set))
adv_input_set = np.reshape(
adv_input_set,
(np.shape(adv_input_set)[0] * np.shape(adv_input_set)[1] *
np.shape(adv_input_set)[2], np.shape(adv_input_set)[3],
np.shape(adv_input_set)[4], np.shape(adv_input_set)[5]))
adv_input_target_set = np.reshape(adv_input_target_set,
(np.shape(adv_input_target_set)[0] *
np.shape(adv_input_target_set)[1],
np.shape(adv_input_target_set)[2],
np.shape(adv_input_target_set)[3],
np.shape(adv_input_target_set)[4]))
print("generated adversarial training set")
adv_set = cw.generate_np(adv_input_set, adv_input_target_set,
**cw_params)
x_train_aim = np.append(x_train, adv_input_set, axis=0)
x_train_app = np.append(x_train, adv_set, axis=0)
model_name = 'cifar10_AE_adv'
model_path_ae = os.path.join(save_dir, model_name)
input_img = Input(shape=(32, 32, 3))
x = Conv2D(64, (3, 3), padding='same')(input_img)
x = BatchNormalization()(x)
x = Activation('relu')(x)
x = MaxPooling2D((2, 2), padding='same')(x)
x = Conv2D(32, (3, 3), padding='same')(x)
x = BatchNormalization()(x)
x = Activation('relu')(x)
x = MaxPooling2D((2, 2), padding='same')(x)
x = Conv2D(16, (3, 3), padding='same')(x)
x = BatchNormalization()(x)
x = Activation('relu')(x)
encoded = MaxPooling2D((2, 2), padding='same')(x)
x = Conv2D(16, (3, 3), padding='same')(encoded)
x = BatchNormalization()(x)
x = Activation('relu')(x)
x = UpSampling2D((2, 2))(x)
x = Conv2D(32, (3, 3), padding='same')(x)
x = BatchNormalization()(x)
x = Activation('relu')(x)
x = UpSampling2D((2, 2))(x)
x = Conv2D(64, (3, 3), padding='same')(x)
x = BatchNormalization()(x)
x = Activation('relu')(x)
x = UpSampling2D((2, 2))(x)
x = Conv2D(3, (3, 3), padding='same')(x)
x = BatchNormalization()(x)
decoded = Activation('sigmoid')(x)
model2 = Model(input_img, decoded)
model2.compile(optimizer='adam', loss='binary_crossentropy')
model2.fit(x_train_app,
x_train_aim,
batch_size=128,
epochs=20,
verbose=1,
validation_data=(x_test, x_test),
callbacks=[es_cb, cp_cb],
shuffle=True)
score = model.evaluate(x_test, x_test, verbose=1)
print(score)
model2.save(model_path_ae_adv)
print('Saved adv trained model at %s ' % model_path)
'''
model_adv_trained = ModelBasicAE('model_adv_trained', nb_layers, nb_latent_size)
recons_2 = model_adv_trained.get_layer(x, 'RECON')
loss_2 = SquaredError(model_adv_trained)
train_ae(sess, loss_2, x_train_app, x_train_aim ,args=train_params, rng=rng, var_list=model_adv_trained.get_params())
saver = tf.train.Saver()
saver.save(sess, model_path)
'''
cw2 = CarliniWagnerAE(model_adv_trained, cl_model, sess=sess)
adv_2 = cw2.generate_np(adv_inputs, adv_input_targets, **cw_params)
recon_adv = model2.predict(adv)
recon_orig = model2.predict(adv_inputs)
#print("shaep of adv: ", np.shape(adv))
'''
recon_orig = model_adv_trained.get_layer(adv_inputs, 'RECON')
recon_adv = model_adv_trained.get_layer(adv_2, 'RECON')
lat_orig = model_adv_trained.get_layer(x, 'LATENT')
lat_orig_recon = model_adv_trained.get_layer(recons, 'LATENT')
'''
#pred_adv_recon = cl_model.get_logits(recon_adv)
#eval_params = {'batch_size': np.minimum(nb_classes, source_samples)}
#eval_params = {'batch_size': 90}
if targeted:
#noise, d1, d2, dist_diff, avg_dist_lat = model_eval_ae(sess, x, x_t,recons, adv_inputs, adv_input_targets, adv_2, recon_adv,lat_orig, lat_orig_recon, args=eval_params)
#acc = model_eval(sess, x, y, pred_adv_recon, x_t, adv_inputs, adv_target_y, adv_input_targets, args=eval_params_cls)
noise = reduce_sum(tf.square(adv_inputs - adv_2),
list(range(1, len(shape))))
print("noise: ", noise)
#print("d1: ", d1)
#print("d2: ", d2)
#print("d1-d2: ", dist_diff)
#print("Avg_dist_lat: ", avg_dist_lat)
#print("classifier acc: ", acc)
'''
recon_adv = sess.run(recon_adv)
recon_orig = sess.run(recon_orig)
'''
scores1 = cl_model.evaluate(recon_adv, adv_input_y, verbose=1)
scores2 = cl_model.eval_params(recon_adv, adv_target_y, verbose=1)
print("classifier acc_target: ", scores2[1])
print("classifier acc_true: ", scores1[1])
#print("recon_adv[0]\n", recon_adv[0,:,:,0])
curr_class = 0
if viz_enabled:
for j in range(nb_classes):
for i in range(nb_classes):
#grid_viz_data[i, j] = adv[j * (nb_classes-1) + i]
if (i == j):
grid_viz_data[i, j] = recon_orig[curr_class * 9]
grid_viz_data_1[i, j] = adv_inputs[curr_class * 9]
curr_class = curr_class + 1
else:
if (j > i):
grid_viz_data[i,
j] = recon_adv[i * (nb_classes - 1) +
j - 1]
grid_viz_data_1[i,
j] = adv_2[i * (nb_classes - 1) +
j - 1]
else:
grid_viz_data[i,
j] = recon_adv[i * (nb_classes - 1) +
j]
grid_viz_data_1[i, j] = adv_2[i *
(nb_classes - 1) + j]
#rint(grid_viz_data.shape)
print('--------------------------------------')
# Compute the number of adversarial examples that were successfully found
# Compute the average distortion introduced by the algorithm
percent_perturbed = np.mean(
np.sum((adv_2 - adv_inputs)**2, axis=(1, 2, 3))**.5)
print(
'Avg. L_2 norm of perturbations {0:.4f}'.format(percent_perturbed))
# Close TF session
sess.close()
# Finally, block & display a grid of all the adversarial examples
if viz_enabled:
#_ = grid_visual(grid_viz_data)
#_ = grid_visual(grid_viz_data_1)
plt.ioff()
figure = plt.figure()
figure.canvas.set_window_title('Cleverhans: Grid Visualization')
# Add the images to the plot
num_cols = grid_viz_data.shape[0]
num_rows = grid_viz_data.shape[1]
num_channels = grid_viz_data.shape[4]
for yy in range(num_rows):
for xx in range(num_cols):
figure.add_subplot(num_rows, num_cols,
(xx + 1) + (yy * num_cols))
plt.axis('off')
if num_channels == 1:
plt.imshow(grid_viz_data[xx, yy, :, :, 0])
else:
plt.imshow(grid_viz_data[xx, yy, :, :, :])
# Draw the plot and return
plt.savefig('cifar10_fig1_adv_trained')
figure = plt.figure()
figure.canvas.set_window_title('Cleverhans: Grid Visualization')
for yy in range(num_rows):
for xx in range(num_cols):
figure.add_subplot(num_rows, num_cols,
(xx + 1) + (yy * num_cols))
plt.axis('off')
plt.imshow(grid_viz_data_1[xx, yy, :, :, :])
# Draw the plot and return
plt.savefig('cifar10_fig2_adv_trained')
return report
#binarization defense
if (binarization_defense == True or mean_filtering == True):
#adv = sess.run(adv)
# print(adv[0])
if (binarization_defense == True):
adv[adv > 0.5] = 1.0
adv[adv <= 0.5] = 0.0
else:
#radius = 2
#adv_list = [mean(adv[i,:,:,0], disk(radius)) for i in range(0, np.shape(adv)[0])]
#adv = np.array(adv_list)
#adv = np.expand_dims(adv, axis = 3)
adv = uniform_filter(adv, 2)
#adv = median_filter(adv, 2)
#print("after bin ")
#print(adv[0])
'''
recons = model.get_layer(x, 'RECON')
recon_orig = model.get_layer(adv_inputs, 'RECON')
recon_adv = model.get_layer(adv, 'RECON')
lat_orig = model.get_layer(x, 'LATENT')
lat_orig_recon = model.get_layer(recon_orig, 'LATENT')
'''
recon_orig = model.predict(adv_inputs)
recon_adv = model.predict(adv)
#pred_adv_recon = cl_model.get_logits(recon_adv)
#eval_params = {'batch_size': np.minimum(nb_classes, source_samples)}
eval_params = {'batch_size': 90}
if targeted:
#noise, d1, d2, dist_diff, avg_dist_lat = model_eval_ae(sess, x, x_t,recons, adv_inputs, adv_input_targets, adv, recon_adv,lat_orig, lat_orig_recon, args=eval_params)
#acc1 = model_eval(sess, x, y, pred_adv_recon, x_t, adv_inputs, adv_target_y, adv_input_targets, args=eval_params_cls)
#acc2 = model_eval(sess, x, y, pred_adv_recon, x_t, adv_inputs, adv_input_y, adv_input_targets, args=eval_params_cls)
#print("d1: ", d1)
#print("d2: ", d2)
noise = reduce_sum(tf.square(x_orig - x_adv),
list(range(1, len(shape))))
print("noise: ", noise)
#print("classifier acc for target class: ", acc1)
#print("classifier acc for true class: ", acc2)
'''
recon_adv = sess.run(recon_adv)
recon_orig = sess.run(recon_orig)
'''
scores1 = cl_model.evaluate(recon_adv, adv_input_y, verbose=1)
scores2 = cl_model.evalluate(recon_adv, adv_target_y, verbose=1)
print("classifier acc_target: ", scores2[1])
print("classifier acc_true: ", scores1[1])
#print("recon_adv[0]\n", recon_adv[0,:,:,0])
curr_class = 0
if viz_enabled:
for j in range(nb_classes):
for i in range(nb_classes):
#grid_viz_data[i, j] = adv[j * (nb_classes-1) + i]
if (i == j):
grid_viz_data[i, j] = recon_orig[curr_class * 9]
grid_viz_data_1[i, j] = adv_inputs[curr_class * 9]
curr_class = curr_class + 1
else:
if (j > i):
grid_viz_data[i,
j] = recon_adv[i * (nb_classes - 1) +
j - 1]
grid_viz_data_1[i, j] = adv[i * (nb_classes - 1) +
j - 1]
else:
grid_viz_data[i,
j] = recon_adv[i * (nb_classes - 1) +
j]
grid_viz_data_1[i,
j] = adv[i * (nb_classes - 1) + j]
sess.close()
#_ = grid_visual(grid_viz_data)
#_ = grid_visual(grid_viz_data_1)
plt.ioff()
figure = plt.figure()
figure.canvas.set_window_title('Cleverhans: Grid Visualization')
# Add the images to the plot
num_cols = grid_viz_data.shape[0]
num_rows = grid_viz_data.shape[1]
num_channels = grid_viz_data.shape[4]
for yy in range(num_rows):
for xx in range(num_cols):
figure.add_subplot(num_rows, num_cols,
(xx + 1) + (yy * num_cols))
plt.axis('off')
if num_channels == 1:
plt.imshow(grid_viz_data[xx, yy, :, :, 0])
else:
plt.imshow(grid_viz_data[xx, yy, :, :, :])
# Draw the plot and return
plt.savefig('cifar10_fig1_bin')
figure = plt.figure()
figure.canvas.set_window_title('Cleverhans: Grid Visualization')
for yy in range(num_rows):
for xx in range(num_cols):
figure.add_subplot(num_rows, num_cols,
(xx + 1) + (yy * num_cols))
plt.axis('off')
if num_channels == 1:
plt.imshow(grid_viz_data_1[xx, yy, :, :, 0])
else:
plt.imshow(grid_viz_data_1[xx, yy, :, :, :])
# Draw the plot and return
plt.savefig('cifar10_fig2_bin')
def mnist_blackbox(train_start=0,
train_end=60000,
test_start=0,
test_end=10000,
nb_classes=NB_CLASSES,
batch_size=BATCH_SIZE,
learning_rate=LEARNING_RATE,
nb_epochs=NB_EPOCHS,
holdout=HOLDOUT,
data_aug=DATA_AUG,
nb_epochs_s=NB_EPOCHS_S,
lmbda=LMBDA,
aug_batch_size=AUG_BATCH_SIZE):
"""
MNIST tutorial for the black-box attack from arxiv.org/abs/1602.02697
:param train_start: index of first training set example
:param train_end: index of last training set example
:param test_start: index of first test set example
:param test_end: index of last test set example
:return: a dictionary with:
* black-box model accuracy on test set
* substitute model accuracy on test set
* black-box model accuracy on adversarial examples transferred
from the substitute model
"""
# Set logging level to see debug information
set_log_level(logging.DEBUG)
# Dictionary used to keep track and return key accuracies
accuracies = {}
# Perform tutorial setup
assert setup_tutorial()
# Create TF session
sess = tf.Session()
# Get MNIST data
x_train, y_train, x_test, y_test = data_mnist(train_start=train_start,
train_end=train_end,
test_start=test_start,
test_end=test_end)
# Initialize substitute training set reserved for adversary
x_sub = x_test[:holdout]
y_sub = np.argmax(y_test[:holdout], axis=1)
# Redefine test set as remaining samples unavailable to adversaries
x_test = x_test[holdout:]
y_test = y_test[holdout:]
# Obtain Image parameters
img_rows, img_cols, nchannels = x_train.shape[1:4]
nb_classes = y_train.shape[1]
# Define input TF placeholder
x = tf.placeholder(tf.float32, shape=(None, img_rows, img_cols, nchannels))
y = tf.placeholder(tf.float32, shape=(None, nb_classes))
# Seed random number generator so tutorial is reproducible
rng = np.random.RandomState([2017, 8, 30])
# Simulate the black-box model locally
# You could replace this by a remote labeling API for instance
print("Preparing the black-box model.")
prep_bbox_out = prep_bbox(sess, x, y, x_train, y_train, x_test, y_test,
nb_epochs, batch_size, learning_rate, rng,
nb_classes, img_rows, img_cols, nchannels)
model, bbox_preds, accuracies['bbox'] = prep_bbox_out
# Train substitute using method from https://arxiv.org/abs/1602.02697
print("Training the substitute model.")
train_sub_out = train_sub(sess, x, y, bbox_preds, x_sub, y_sub, nb_classes,
nb_epochs_s, batch_size, learning_rate, data_aug,
lmbda, aug_batch_size, rng, img_rows, img_cols,
nchannels)
model_sub, preds_sub = train_sub_out
# Evaluate the substitute model on clean test examples
eval_params = {'batch_size': batch_size}
acc = model_eval(sess, x, y, preds_sub, x_test, y_test, args=eval_params)
accuracies['sub'] = acc
# Initialize the Fast Gradient Sign Method (FGSM) attack object.
fgsm_par = {'eps': 0.3, 'ord': np.inf, 'clip_min': 0., 'clip_max': 1.}
fgsm = FastGradientMethod(model_sub, sess=sess)
# Craft adversarial examples using the substitute
eval_params = {'batch_size': batch_size}
x_adv_sub = fgsm.generate(x, **fgsm_par)
# Evaluate the accuracy of the "black-box" model on adversarial examples
accuracy = model_eval(sess,
x,
y,
model.get_logits(x_adv_sub),
x_test,
y_test,
args=eval_params)
print('Test accuracy of oracle on adversarial examples generated '
'using the substitute: ' + str(accuracy))
accuracies['bbox_on_sub_adv_ex'] = accuracy
return accuracies
def main(argv):
model_file = tf.train.latest_checkpoint(FLAGS.checkpoint_dir)
if model_file is None:
print('No model found')
sys.exit()
cifar = cifar10_input.CIFAR10Data(FLAGS.dataset_dir)
nb_classes = 10
X_test = cifar.eval_data.xs
Y_test = to_categorical(cifar.eval_data.ys, nb_classes)
assert Y_test.shape[1] == 10.
set_log_level(logging.DEBUG)
with tf.Session() as sess:
x = tf.placeholder(tf.float32, shape=(None, 32, 32, 3))
y = tf.placeholder(tf.float32, shape=(None, 10))
from madry_cifar10_model import make_madry_wresnet
model = make_madry_wresnet()
saver = tf.train.Saver()
# Restore the checkpoint
saver.restore(sess, model_file)
nb_samples = FLAGS.nb_samples
attack_params = {'batch_size': FLAGS.batch_size,
'clip_min': 0., 'clip_max': 255.}
if FLAGS.attack_type == 'cwl2':
from cleverhans.attacks import CarliniWagnerL2
attacker = CarliniWagnerL2(model, sess=sess)
attack_params.update({'binary_search_steps': 1,
'max_iterations': 100,
'learning_rate': 0.1,
'initial_const': 10,
'batch_size': 10
})
else: # eps and eps_iter in range 0-255
attack_params.update({'eps': 8, 'ord': np.inf})
if FLAGS.attack_type == 'fgsm':
from cleverhans.attacks import FastGradientMethod
attacker = FastGradientMethod(model, sess=sess)
elif FLAGS.attack_type == 'pgd':
attack_params.update({'eps_iter': 2, 'nb_iter': 20})
from cleverhans.attacks import MadryEtAl
attacker = MadryEtAl(model, sess=sess)
eval_par = {'batch_size': FLAGS.batch_size}
if FLAGS.sweep:
max_eps = 16
epsilons = np.linspace(1, max_eps, max_eps)
for e in epsilons:
t1 = time.time()
attack_params.update({'eps': e})
x_adv = attacker.generate(x, **attack_params)
preds_adv = model.get_probs(x_adv)
acc = model_eval(sess, x, y, preds_adv, X_test[
:nb_samples], Y_test[:nb_samples], args=eval_par)
print('Epsilon %.2f, accuracy on adversarial' % e,
'examples %0.4f\n' % acc)
t2 = time.time()
else:
t1 = time.time()
x_adv = attacker.generate(x, **attack_params)
preds_adv = model.get_probs(x_adv)
acc = model_eval(sess, x, y, preds_adv, X_test[
:nb_samples], Y_test[:nb_samples], args=eval_par)
t2 = time.time()
print('Test accuracy on adversarial examples %0.4f\n' % acc)
print("Took", t2 - t1, "seconds")
def mnist_tutorial(train_start=0, train_end=60000, test_start=0,
test_end=10000, nb_epochs=6, batch_size=128,
learning_rate=0.001,
clean_train=True,
testing=False,
backprop_through_attack=False,
nb_filters=64, num_threads=None,
label_smoothing=True):
"""
MNIST cleverhans tutorial
:param train_start: index of first training set example
:param train_end: index of last training set example
:param test_start: index of first test set example
:param test_end: index of last test set example
:param nb_epochs: number of epochs to train model
:param batch_size: size of training batches
:param learning_rate: learning rate for training
:param clean_train: perform normal training on clean examples only
before performing adversarial training.
:param testing: if true, complete an AccuracyReport for unit tests
to verify that performance is adequate
:param backprop_through_attack: If True, backprop through adversarial
example construction process during
adversarial training.
:param clean_train: if true, train on clean examples
:return: an AccuracyReport object
"""
# Object used to keep track of (and return) key accuracies
report = AccuracyReport()
# Set TF random seed to improve reproducibility
tf.set_random_seed(1234)
# Set logging level to see debug information
set_log_level(logging.DEBUG)
# Create TF session
if num_threads:
config_args = dict(intra_op_parallelism_threads=1)
else:
config_args = {}
sess = tf.Session(config=tf.ConfigProto(**config_args))
# Get MNIST test data
x_train, y_train, x_test, y_test = data_mnist(train_start=train_start,
train_end=train_end,
test_start=test_start,
test_end=test_end)
# Use Image Parameters
img_rows, img_cols, nchannels = x_train.shape[1:4]
nb_classes = y_train.shape[1]
if label_smoothing:
label_smooth = .1
y_train = y_train.clip(label_smooth /
(nb_classes-1), 1. - label_smooth)
# Define input TF placeholder
x = tf.placeholder(tf.float32, shape=(None, img_rows, img_cols,
nchannels))
y = tf.placeholder(tf.float32, shape=(None, nb_classes))
# Train an MNIST model
train_params = {
'nb_epochs': nb_epochs,
'batch_size': batch_size,
'learning_rate': learning_rate
}
eval_params = {'batch_size': batch_size}
fgsm_params = {
'eps': 0.3,
'clip_min': 0.,
'clip_max': 1.
}
rng = np.random.RandomState([2017, 8, 30])
sess = tf.Session()
def do_eval(preds, x_set, y_set, report_key, is_adv=None):
acc = model_eval(sess, x, y, preds, x_set, y_set, args=eval_params)
setattr(report, report_key, acc)
if is_adv is None:
report_text = None
elif is_adv:
report_text = 'adversarial'
else:
report_text = 'legitimate'
if report_text:
print('Test accuracy on %s examples: %0.4f' % (report_text, acc))
if clean_train:
model = ModelBasicCNN('model1', nb_classes, nb_filters)
preds = model.get_logits(x)
loss = LossCrossEntropy(model, smoothing=0.1)
def evaluate():
do_eval(preds, x_test, y_test, 'clean_train_clean_eval', False)
train(sess, loss, x, y, x_train, y_train, evaluate=evaluate,
args=train_params, rng=rng, var_list=model.get_params())
# Calculate training error
if testing:
do_eval(preds, x_train, y_train, 'train_clean_train_clean_eval')
# Initialize the Fast Gradient Sign Method (FGSM) attack object and
# graph
fgsm = FastGradientMethod(model, sess=sess)
adv_x = fgsm.generate(x, **fgsm_params)
preds_adv = model.get_logits(adv_x)
# Evaluate the accuracy of the MNIST model on adversarial examples
do_eval(preds_adv, x_test, y_test, 'clean_train_adv_eval', True)
# Calculate training error
if testing:
do_eval(preds_adv, x_train, y_train, 'train_clean_train_adv_eval')
print('Repeating the process, using adversarial training')
# Create a new model and train it to be robust to FastGradientMethod
model2 = ModelBasicCNN('model2', nb_classes, nb_filters)
fgsm2 = FastGradientMethod(model2, sess=sess)
def attack(x):
return fgsm2.generate(x, **fgsm_params)
loss2 = LossCrossEntropy(model2, smoothing=0.1, attack=attack)
preds2 = model2.get_logits(x)
adv_x2 = attack(x)
if not backprop_through_attack:
# For the fgsm attack used in this tutorial, the attack has zero
# gradient so enabling this flag does not change the gradient.
# For some other attacks, enabling this flag increases the cost of
# training, but gives the defender the ability to anticipate how
# the atacker will change their strategy in response to updates to
# the defender's parameters.
adv_x2 = tf.stop_gradient(adv_x2)
preds2_adv = model2.get_logits(adv_x2)
def evaluate2():
# Accuracy of adversarially trained model on legitimate test inputs
do_eval(preds2, x_test, y_test, 'adv_train_clean_eval', False)
# Accuracy of the adversarially trained model on adversarial examples
do_eval(preds2_adv, x_test, y_test, 'adv_train_adv_eval', True)
# Perform and evaluate adversarial training
train(sess, loss2, x, y, x_train, y_train, evaluate=evaluate2,
args=train_params, rng=rng, var_list=model2.get_params())
# Calculate training errors
if testing:
do_eval(preds2, x_train, y_train, 'train_adv_train_clean_eval')
do_eval(preds2_adv, x_train, y_train, 'train_adv_train_adv_eval')
return report
