def mnist_tutorial_jsma(train_start=0,
train_end=60000,
test_start=0,
test_end=10000,
viz_enabled=VIZ_ENABLED,
nb_epochs=NB_EPOCHS,
batch_size=BATCH_SIZE,
source_samples=SOURCE_SAMPLES,
learning_rate=LEARNING_RATE):
"""
MNIST tutorial for the Jacobian-based saliency map approach (JSMA)
:param train_start: index of first training set example
:param train_end: index of last training set example
:param test_start: index of first test set example
:param test_end: index of last test set example
:param viz_enabled: (boolean) activate plots of adversarial examples
:param nb_epochs: number of epochs to train model
:param batch_size: size of training batches
:param nb_classes: number of output classes
:param source_samples: number of test inputs to attack
:param learning_rate: learning rate for training
:return: an AccuracyReport object
"""
# Object used to keep track of (and return) key accuracies
report = AccuracyReport()
# Set TF random seed to improve reproducibility
tf.set_random_seed(1234)
# Create TF session and set as Keras backend session
sess = tf.Session()
print("Created TensorFlow session.")
set_log_level(logging.DEBUG)
# Get MNIST test data
x_train, y_train, x_test, y_test = data_mnist(train_start=train_start,
train_end=train_end,
test_start=test_start,
test_end=test_end)
# Obtain Image Parameters
img_rows, img_cols, nchannels = x_train.shape[1:4]
nb_classes = y_train.shape[1]
# Define input TF placeholder
x = tf.placeholder(tf.float32, shape=(None, img_rows, img_cols, nchannels))
y = tf.placeholder(tf.float32, shape=(None, nb_classes))
nb_filters = 64
# Define TF model graph
model = ModelBasicCNN('model1', nb_classes, nb_filters)
preds = model.get_logits(x)
loss = CrossEntropy(model, smoothing=0.1)
print("Defined TensorFlow model graph.")
###########################################################################
# Training the model using TensorFlow
###########################################################################
# Train an MNIST model
train_params = {
'nb_epochs': nb_epochs,
'batch_size': batch_size,
'learning_rate': learning_rate
}
sess.run(tf.global_variables_initializer())
rng = np.random.RandomState([2017, 8, 30])
train(sess, loss, x, y, x_train, y_train, args=train_params, rng=rng)
# Evaluate the accuracy of the MNIST model on legitimate test examples
eval_params = {'batch_size': batch_size}
accuracy = model_eval(sess, x, y, preds, x_test, y_test, args=eval_params)
assert x_test.shape[0] == test_end - test_start, x_test.shape
print('Test accuracy on legitimate test examples: {0}'.format(accuracy))
report.clean_train_clean_eval = accuracy
###########################################################################
# Craft adversarial examples using the Jacobian-based saliency map approach
###########################################################################
print('Crafting ' + str(source_samples) + ' * ' + str(nb_classes - 1) +
' adversarial examples')
# Keep track of success (adversarial example classified in target)
results = np.zeros((nb_classes, source_samples), dtype='i')
# Rate of perturbed features for each test set example and target class
perturbations = np.zeros((nb_classes, source_samples), dtype='f')
# Initialize our array for grid visualization
grid_shape = (nb_classes, nb_classes, img_rows, img_cols, nchannels)
grid_viz_data = np.zeros(grid_shape, dtype='f')
# Instantiate a SaliencyMapMethod attack object
jsma = SaliencyMapMethod(model, back='tf', sess=sess)
jsma_params = {
'theta': 1.,
'gamma': 0.1,
'clip_min': 0.,
'clip_max': 1.,
'y_target': None
}
figure = None
# Loop over the samples we want to perturb into adversarial examples
for sample_ind in xrange(0, source_samples):
print('--------------------------------------')
print('Attacking input %i/%i' % (sample_ind + 1, source_samples))
sample = x_test[sample_ind:(sample_ind + 1)]
# We want to find an adversarial example for each possible target class
# (i.e. all classes that differ from the label given in the dataset)
current_class = int(np.argmax(y_test[sample_ind]))
target_classes = other_classes(nb_classes, current_class)
# For the grid visualization, keep original images along the diagonal
grid_viz_data[current_class, current_class, :, :, :] = np.reshape(
sample, (img_rows, img_cols, nchannels))
# Loop over all target classes
for target in target_classes:
print('Generating adv. example for target class %i' % target)
# This call runs the Jacobian-based saliency map approach
one_hot_target = np.zeros((1, nb_classes), dtype=np.float32)
one_hot_target[0, target] = 1
jsma_params['y_target'] = one_hot_target
adv_x = jsma.generate_np(sample, **jsma_params)
# Check if success was achieved
res = int(model_argmax(sess, x, preds, adv_x) == target)
# Computer number of modified features
adv_x_reshape = adv_x.reshape(-1)
test_in_reshape = x_test[sample_ind].reshape(-1)
nb_changed = np.where(adv_x_reshape != test_in_reshape)[0].shape[0]
percent_perturb = float(nb_changed) / adv_x.reshape(-1).shape[0]
# Display the original and adversarial images side-by-side
if viz_enabled:
figure = pair_visual(
np.reshape(sample, (img_rows, img_cols, nchannels)),
np.reshape(adv_x, (img_rows, img_cols, nchannels)), figure)
# Add our adversarial example to our grid data
grid_viz_data[target, current_class, :, :, :] = np.reshape(
adv_x, (img_rows, img_cols, nchannels))
# Update the arrays for later analysis
results[target, sample_ind] = res
perturbations[target, sample_ind] = percent_perturb
print('--------------------------------------')
# Compute the number of adversarial examples that were successfully found
nb_targets_tried = ((nb_classes - 1) * source_samples)
succ_rate = float(np.sum(results)) / nb_targets_tried
print('Avg. rate of successful adv. examples {0:.4f}'.format(succ_rate))
report.clean_train_adv_eval = 1. - succ_rate
# Compute the average distortion introduced by the algorithm
percent_perturbed = np.mean(perturbations)
print('Avg. rate of perturbed features {0:.4f}'.format(percent_perturbed))
# Compute the average distortion introduced for successful samples only
percent_perturb_succ = np.mean(perturbations * (results == 1))
print('Avg. rate of perturbed features for successful '
'adversarial examples {0:.4f}'.format(percent_perturb_succ))
# Close TF session
sess.close()
# Finally, block & display a grid of all the adversarial examples
if viz_enabled:
import matplotlib.pyplot as plt
plt.close(figure)
_ = grid_visual(grid_viz_data)
return report
def mnist_tutorial(nb_epochs=NB_EPOCHS,
batch_size=BATCH_SIZE,
train_end=-1,
test_end=-1,
learning_rate=LEARNING_RATE):
"""
MNIST cleverhans tutorial
:param nb_epochs: number of epochs to train model
:param batch_size: size of training batches
:param learning_rate: learning rate for training
:return: an AccuracyReport object
"""
# Train a pytorch MNIST model
torch_model = PytorchMnistModel()
if torch.cuda.is_available():
torch_model = torch_model.cuda()
report = AccuracyReport()
train_loader = torch.utils.data.DataLoader(datasets.MNIST(
'data', train=True, download=True, transform=transforms.ToTensor()),
batch_size=batch_size,
shuffle=True)
test_loader = torch.utils.data.DataLoader(datasets.MNIST(
'data', train=False, transform=transforms.ToTensor()),
batch_size=batch_size)
# Truncate the datasets so that our test run more quickly
train_loader.dataset.train_data = train_loader.dataset.train_data[:
train_end]
test_loader.dataset.test_data = test_loader.dataset.test_data[:test_end]
# Train our model
optimizer = optim.Adam(torch_model.parameters(), lr=learning_rate)
train_loss = []
total = 0
correct = 0
step = 0
for epoch in range(nb_epochs):
for xs, ys in train_loader:
xs, ys = Variable(xs), Variable(ys)
if torch.cuda.is_available():
xs, ys = xs.cuda(), ys.cuda()
optimizer.zero_grad()
preds = torch_model(xs)
loss = F.nll_loss(preds, ys)
loss.backward() # calc gradients
train_loss.append(loss.data.item())
optimizer.step() # update gradients
preds_np = preds.data.cpu().numpy()
correct += (np.argmax(preds_np, axis=1) == ys).sum()
total += len(xs)
step += 1
if total % 1000 == 0:
acc = float(correct) / total
print('[%s] Training accuracy: %.2f%%' % (step, acc * 100))
total = 0
correct = 0
# Evaluate on clean data
total = 0
correct = 0
for xs, ys in test_loader:
xs, ys = Variable(xs), Variable(ys)
if torch.cuda.is_available():
xs, ys = xs.cuda(), ys.cuda()
preds = torch_model(xs)
preds_np = preds.data.cpu().numpy()
correct += (np.argmax(preds_np, axis=1) == ys).sum()
total += len(xs)
acc = float(correct) / total
report.clean_train_clean_eval = acc
print('[%s] Clean accuracy: %.2f%%' % (step, acc * 100))
# We use tf for evaluation on adversarial data
sess = tf.Session()
x_op = tf.placeholder(tf.float32, shape=(
None,
1,
28,
28,
))
# Convert pytorch model to a tf_model and wrap it in cleverhans
tf_model_fn = convert_pytorch_model_to_tf(torch_model)
cleverhans_model = CallableModelWrapper(tf_model_fn, output_layer='logits')
# Create an FGSM attack
fgsm_op = FastGradientMethod(cleverhans_model, sess=sess)
fgsm_params = {'eps': 0.3, 'clip_min': 0., 'clip_max': 1.}
adv_x_op = fgsm_op.generate(x_op, **fgsm_params)
adv_preds_op = tf_model_fn(adv_x_op)
# Run an evaluation of our model against fgsm
total = 0
correct = 0
for xs, ys in test_loader:
adv_preds = sess.run(adv_preds_op, feed_dict={x_op: xs})
correct += (np.argmax(adv_preds, axis=1) == ys).sum()
total += len(xs)
acc = float(correct) / total
print('Adv accuracy: {:.3f}'.format(acc * 100))
report.clean_train_adv_eval = acc
return report
def mnist_tutorial(train_start=0, train_end=60000, test_start=0,
test_end=10000, nb_epochs=NB_EPOCHS, batch_size=BATCH_SIZE,
learning_rate=LEARNING_RATE,
clean_train=CLEAN_TRAIN,
testing=False,
backprop_through_attack=BACKPROP_THROUGH_ATTACK,
nb_filters=NB_FILTERS, num_threads=None,
label_smoothing=0.1):
"""
MNIST cleverhans tutorial
:param train_start: index of first training set example
:param train_end: index of last training set example
:param test_start: index of first test set example
:param test_end: index of last test set example
:param nb_epochs: number of epochs to train model
:param batch_size: size of training batches
:param learning_rate: learning rate for training
:param clean_train: perform normal training on clean examples only
before performing adversarial training.
:param testing: if true, complete an AccuracyReport for unit tests
to verify that performance is adequate
:param backprop_through_attack: If True, backprop through adversarial
example construction process during
adversarial training.
:param label_smoothing: float, amount of label smoothing for cross entropy
:return: an AccuracyReport object
"""
# Object used to keep track of (and return) key accuracies
report = AccuracyReport()
# Set TF random seed to improve reproducibility
tf.set_random_seed(1234)
# Set logging level to see debug information
set_log_level(logging.DEBUG)
# Create TF session
if num_threads:
config_args = dict(intra_op_parallelism_threads=1)
else:
config_args = {}
sess = tf.Session(config=tf.ConfigProto(**config_args))
# Get MNIST test data
x_train, y_train, x_test, y_test = data_mnist(train_start=train_start,
train_end=train_end,
test_start=test_start,
test_end=test_end)
# Use Image Parameters
img_rows, img_cols, nchannels = x_train.shape[1:4]
nb_classes = y_train.shape[1]
# Define input TF placeholder
x = tf.placeholder(tf.float32, shape=(None, img_rows, img_cols,
nchannels))
y = tf.placeholder(tf.float32, shape=(None, nb_classes))
# Train an MNIST model
train_params = {
'nb_epochs': nb_epochs,
'batch_size': batch_size,
'learning_rate': learning_rate
}
eval_params = {'batch_size': batch_size}
fgsm_params = {
'eps': 0.3,
'clip_min': 0.,
'clip_max': 1.
}
rng = np.random.RandomState([2017, 8, 30])
def do_eval(preds, x_set, y_set, report_key, is_adv=None):
acc = model_eval(sess, x, y, preds, x_set, y_set, args=eval_params)
setattr(report, report_key, acc)
if is_adv is None:
report_text = None
elif is_adv:
report_text = 'adversarial'
else:
report_text = 'legitimate'
if report_text:
print('Test accuracy on %s examples: %0.4f' % (report_text, acc))
if clean_train:
model = ModelBasicCNN('model1', nb_classes, nb_filters)
preds = model.get_logits(x)
loss = CrossEntropy(model, smoothing=label_smoothing)
def evaluate():
do_eval(preds, x_test, y_test, 'clean_train_clean_eval', False)
train(sess, loss, x, y, x_train, y_train, evaluate=evaluate,
args=train_params, rng=rng, var_list=model.get_params())
# Calculate training error
if testing:
do_eval(preds, x_train, y_train, 'train_clean_train_clean_eval')
# Initialize the Fast Gradient Sign Method (FGSM) attack object and
# graph
fgsm = FastGradientMethod(model, sess=sess)
adv_x = fgsm.generate(x, **fgsm_params)
preds_adv = model.get_logits(adv_x)
# Evaluate the accuracy of the MNIST model on adversarial examples
do_eval(preds_adv, x_test, y_test, 'clean_train_adv_eval', True)
# Calculate training error
if testing:
do_eval(preds_adv, x_train, y_train, 'train_clean_train_adv_eval')
print('Repeating the process, using adversarial training')
# Create a new model and train it to be robust to FastGradientMethod
model2 = ModelBasicCNN('model2', nb_classes, nb_filters)
fgsm2 = FastGradientMethod(model2, sess=sess)
def attack(x):
return fgsm2.generate(x, **fgsm_params)
loss2 = CrossEntropy(model2, smoothing=label_smoothing, attack=attack)
preds2 = model2.get_logits(x)
adv_x2 = attack(x)
if not backprop_through_attack:
# For the fgsm attack used in this tutorial, the attack has zero
# gradient so enabling this flag does not change the gradient.
# For some other attacks, enabling this flag increases the cost of
# training, but gives the defender the ability to anticipate how
# the atacker will change their strategy in response to updates to
# the defender's parameters.
adv_x2 = tf.stop_gradient(adv_x2)
preds2_adv = model2.get_logits(adv_x2)
def evaluate2():
# Accuracy of adversarially trained model on legitimate test inputs
do_eval(preds2, x_test, y_test, 'adv_train_clean_eval', False)
# Accuracy of the adversarially trained model on adversarial examples
do_eval(preds2_adv, x_test, y_test, 'adv_train_adv_eval', True)
# Perform and evaluate adversarial training
train(sess, loss2, x, y, x_train, y_train, evaluate=evaluate2,
args=train_params, rng=rng, var_list=model2.get_params())
# Calculate training errors
if testing:
do_eval(preds2, x_train, y_train, 'train_adv_train_clean_eval')
do_eval(preds2_adv, x_train, y_train, 'train_adv_train_adv_eval')
return report
def mnist_tutorial_cw(train_start=0, train_end=60000, test_start=0,
test_end=10000, viz_enabled=VIZ_ENABLED,
nb_epochs=NB_EPOCHS, batch_size=BATCH_SIZE,
source_samples=SOURCE_SAMPLES,
learning_rate=LEARNING_RATE,
attack_iterations=ATTACK_ITERATIONS,
model_path=MODEL_PATH,
targeted=TARGETED):
"""
MNIST tutorial for Carlini and Wagner's attack
:param train_start: index of first training set example
:param train_end: index of last training set example
:param test_start: index of first test set example
:param test_end: index of last test set example
:param viz_enabled: (boolean) activate plots of adversarial examples
:param nb_epochs: number of epochs to train model
:param batch_size: size of training batches
:param nb_classes: number of output classes
:param source_samples: number of test inputs to attack
:param learning_rate: learning rate for training
:param model_path: path to the model file
:param targeted: should we run a targeted attack? or untargeted?
:return: an AccuracyReport object
"""
# Object used to keep track of (and return) key accuracies
report = AccuracyReport()
# Set TF random seed to improve reproducibility
tf.set_random_seed(1234)
# Create TF session
sess = tf.Session()
print("Created TensorFlow session.")
set_log_level(logging.DEBUG)
# Get MNIST test data
x_train, y_train, x_test, y_test = data_mnist(train_start=train_start,
train_end=train_end,
test_start=test_start,
test_end=test_end)
# Obtain Image Parameters
img_rows, img_cols, nchannels = x_train.shape[1:4]
nb_classes = y_train.shape[1]
# Define input TF placeholder
x = tf.placeholder(tf.float32, shape=(None, img_rows, img_cols,
nchannels))
y = tf.placeholder(tf.float32, shape=(None, nb_classes))
nb_filters = 64
# Define TF model graph
model = ModelBasicCNN('model1', nb_classes, nb_filters)
preds = model.get_logits(x)
loss = CrossEntropy(model, smoothing=0.1)
print("Defined TensorFlow model graph.")
###########################################################################
# Training the model using TensorFlow
###########################################################################
# Train an MNIST model
train_params = {
'nb_epochs': nb_epochs,
'batch_size': batch_size,
'learning_rate': learning_rate,
'filename': os.path.split(model_path)[-1]
}
rng = np.random.RandomState([2017, 8, 30])
# check if we've trained before, and if we have, use that pre-trained model
if os.path.exists(model_path + ".meta"):
tf_model_load(sess, model_path)
else:
train(sess, loss, x, y, x_train, y_train, args=train_params, rng=rng)
saver = tf.train.Saver()
saver.save(sess, model_path)
# Evaluate the accuracy of the MNIST model on legitimate test examples
eval_params = {'batch_size': batch_size}
accuracy = model_eval(sess, x, y, preds, x_test, y_test, args=eval_params)
assert x_test.shape[0] == test_end - test_start, x_test.shape
print('Test accuracy on legitimate test examples: {0}'.format(accuracy))
report.clean_train_clean_eval = accuracy
###########################################################################
# Craft adversarial examples using Carlini and Wagner's approach
###########################################################################
nb_adv_per_sample = str(nb_classes - 1) if targeted else '1'
print('Crafting ' + str(source_samples) + ' * ' + nb_adv_per_sample +
' adversarial examples')
print("This could take some time ...")
# Instantiate a CW attack object
cw = CarliniWagnerL2(model, back='tf', sess=sess)
if viz_enabled:
assert source_samples == nb_classes
idxs = [np.where(np.argmax(y_test, axis=1) == i)[0][0]
for i in range(nb_classes)]
if targeted:
if viz_enabled:
# Initialize our array for grid visualization
grid_shape = (nb_classes, nb_classes, img_rows, img_cols,
nchannels)
grid_viz_data = np.zeros(grid_shape, dtype='f')
adv_inputs = np.array(
[[instance] * nb_classes for instance in x_test[idxs]],
dtype=np.float32)
else:
adv_inputs = np.array(
[[instance] * nb_classes for
instance in x_test[:source_samples]], dtype=np.float32)
one_hot = np.zeros((nb_classes, nb_classes))
one_hot[np.arange(nb_classes), np.arange(nb_classes)] = 1
adv_inputs = adv_inputs.reshape(
(source_samples * nb_classes, img_rows, img_cols, nchannels))
adv_ys = np.array([one_hot] * source_samples,
dtype=np.float32).reshape((source_samples *
nb_classes, nb_classes))
yname = "y_target"
else:
if viz_enabled:
# Initialize our array for grid visualization
grid_shape = (nb_classes, 2, img_rows, img_cols, nchannels)
grid_viz_data = np.zeros(grid_shape, dtype='f')
adv_inputs = x_test[idxs]
else:
adv_inputs = x_test[:source_samples]
adv_ys = None
yname = "y"
if targeted:
cw_params_batch_size = source_samples * nb_classes
else:
cw_params_batch_size = source_samples
cw_params = {'binary_search_steps': 1,
yname: adv_ys,
'max_iterations': attack_iterations,
'learning_rate': CW_LEARNING_RATE,
'batch_size': cw_params_batch_size,
'initial_const': 10}
adv = cw.generate_np(adv_inputs,
**cw_params)
eval_params = {'batch_size': np.minimum(nb_classes, source_samples)}
if targeted:
adv_accuracy = model_eval(
sess, x, y, preds, adv, adv_ys, args=eval_params)
else:
if viz_enabled:
err = model_eval(sess, x, y, preds, adv, y_test[idxs], args=eval_params)
adv_accuracy = 1 - err
else:
err = model_eval(sess, x, y, preds, adv, y_test[:source_samples],
args=eval_params)
adv_accuracy = 1 - err
if viz_enabled:
for j in range(nb_classes):
if targeted:
for i in range(nb_classes):
grid_viz_data[i, j] = adv[i * nb_classes + j]
else:
grid_viz_data[j, 0] = adv_inputs[j]
grid_viz_data[j, 1] = adv[j]
print(grid_viz_data.shape)
print('--------------------------------------')
# Compute the number of adversarial examples that were successfully found
print('Avg. rate of successful adv. examples {0:.4f}'.format(adv_accuracy))
report.clean_train_adv_eval = 1. - adv_accuracy
# Compute the average distortion introduced by the algorithm
percent_perturbed = np.mean(np.sum((adv - adv_inputs)**2,
axis=(1, 2, 3))**.5)
print('Avg. L_2 norm of perturbations {0:.4f}'.format(percent_perturbed))
# Close TF session
sess.close()
# Finally, block & display a grid of all the adversarial examples
if viz_enabled:
import matplotlib.pyplot as plt
_ = grid_visual(grid_viz_data)
return report
def test_run_single_gpu_fgsm(self):
"""
Test the basic single GPU performance by comparing to the FGSM
tutorial.
"""
from cleverhans_tutorials import mnist_tutorial_tf
# Run the MNIST tutorial on a dataset of reduced size
flags = {
'train_start': 0,
'train_end': 5000,
'test_start': 0,
'test_end': 333,
'nb_epochs': 5,
'testing': True
}
report = mnist_tutorial_tf.mnist_tutorial(**flags)
# Run the multi-gpu trainer for clean training
flags.update({
'batch_size': 128,
'adam_lrn': 0.001,
'dataset': 'mnist',
'only_adv_train': False,
'eval_iters': 1,
'ngpu': 1,
'fast_tests': False,
'attack_type_train': '',
'save_dir': None,
'save_steps': 10000,
'attack_nb_iter_train': None,
'save': False,
'model_type': 'basic',
'attack_type_test': 'FGSM'
})
flags.update({'adv_train': False})
HParams = namedtuple('HParams', flags.keys())
hparams = HParams(**flags)
np.random.seed(42)
tf.set_random_seed(42)
with tf.variable_scope(None, 'runner'):
report_dict = run_trainer(hparams)
report_2 = AccuracyReport()
report_2.train_clean_train_clean_eval = report_dict['train']
report_2.clean_train_clean_eval = report_dict['test']
report_2.clean_train_adv_eval = report_dict['FGSM']
# Run the multi-gpu trainer for adversarial training
flags.update({'adv_train': True, 'attack_type_train': 'FGSM'})
HParams = namedtuple('HParams', flags.keys())
hparams = HParams(**flags)
np.random.seed(42)
tf.set_random_seed(42)
with tf.variable_scope(None, 'runner'):
report_dict = run_trainer(hparams)
report_2.train_adv_train_clean_eval = report_dict['train']
report_2.adv_train_clean_eval = report_dict['test']
report_2.adv_train_adv_eval = report_dict['FGSM']
self.assertClose(report.train_clean_train_clean_eval,
report_2.train_clean_train_clean_eval,
atol=5e-2)
self.assertClose(report.clean_train_clean_eval,
report_2.clean_train_clean_eval,
atol=2e-2)
self.assertClose(report.clean_train_adv_eval,
report_2.clean_train_adv_eval,
atol=5e-2)
self.assertClose(report.train_adv_train_clean_eval,
report_2.train_adv_train_clean_eval,
atol=1e-1)
self.assertClose(report.adv_train_clean_eval,
report_2.adv_train_clean_eval,
atol=2e-2)
self.assertClose(report.adv_train_adv_eval,
report_2.adv_train_adv_eval,
atol=1e-1)
def helper_run_multi_gpu_madryetal(self, extra_flags=None):
"""
Compare the single GPU performance to multiGPU performance.
"""
# Run the trainers on a dataset of reduced size
flags = {
'train_start': 0,
'train_end': 5000,
'test_start': 0,
'test_end': 333,
'nb_epochs': 5,
'testing': True
}
# Run the multi-gpu trainer for adversarial training
flags.update({
'batch_size': 128,
'adam_lrn': 0.001,
'dataset': 'mnist',
'only_adv_train': False,
'eval_iters': 1,
'fast_tests': True,
'save_dir': None,
'save_steps': 10000,
'attack_nb_iter_train': 10,
'sync_step': None,
'adv_train': True,
'save': False,
'model_type': 'basic',
'attack_type_test': 'MadryEtAl_y'
})
if extra_flags is not None:
flags.update(extra_flags)
# Run the multi-gpu trainer for adversarial training using 2 gpus
# trainer_multigpu by default sets `allow_soft_placement=True`
flags.update({
'ngpu': 2,
'attack_type_train': 'MadryEtAl_y_multigpu',
'sync_step': 1
})
HParams = namedtuple('HParams', flags.keys())
hparams = HParams(**flags)
np.random.seed(42)
tf.set_random_seed(42)
with tf.variable_scope(None, 'runner'):
report_dict = run_trainer(hparams)
report_m = AccuracyReport()
report_m.train_adv_train_clean_eval = report_dict['train']
report_m.adv_train_clean_eval = report_dict['test']
report_m.adv_train_adv_eval = report_dict['MadryEtAl_y']
flags.update({'ngpu': 1, 'attack_type_train': 'MadryEtAl_y'})
hparams = HParams(**flags)
np.random.seed(42)
tf.set_random_seed(42)
with tf.variable_scope(None, 'runner'):
report_dict = run_trainer(hparams)
report_s = AccuracyReport()
report_s.train_adv_train_clean_eval = report_dict['train']
report_s.adv_train_clean_eval = report_dict['test']
report_s.adv_train_adv_eval = report_dict['MadryEtAl_y']
self.assertClose(report_s.train_adv_train_clean_eval,
report_m.train_adv_train_clean_eval,
atol=5e-2)
self.assertClose(report_s.adv_train_clean_eval,
report_m.adv_train_clean_eval,
atol=2e-2)
self.assertClose(report_s.adv_train_adv_eval,
report_m.adv_train_adv_eval,
atol=5e-2)
def tsc_tutorial(attack_method='fgsm',batch_size=BATCH_SIZE,
dataset_name='Adiac',eps=0.1,attack_on='train'):
keras.layers.core.K.set_learning_phase(0)
# Object used to keep track of (and return) key accuracies
report = AccuracyReport()
# Set TF random seed to improve reproducibility
tf.set_random_seed(1234)
if not hasattr(backend, "tf"):
raise RuntimeError("This tutorial requires keras to be configured"
" to use the TensorFlow backend.")
if keras.backend.image_dim_ordering() != 'tf':
keras.backend.set_image_dim_ordering('tf')
print("INFO: '~/.keras/keras.json' sets 'image_dim_ordering' to "
"'th', temporarily setting to 'tf'")
# Create TF session and set as Keras backend session
sess = tf.Session()
keras.backend.set_session(sess)
root_dir = '/b/home/uha/hfawaz-datas/dl-tsc/'
# dataset_name = 'Adiac'
archive_name = 'TSC'
classifier_name = 'resnet'
out_dir = 'ucr-attack/'
file_path = root_dir + 'results/' + classifier_name + '/' + archive_name +\
'/' + dataset_name + '/best_model.hdf5'
adv_data_dir = out_dir+attack_method+'/'+archive_name+'/'+attack_on+\
'/eps-'+str(eps)+'/'
if os.path.exists(adv_data_dir+dataset_name+'-adv'):
print('Already_done:',dataset_name)
return
else:
print('Doing:',dataset_name)
dataset_dict = read_dataset(root_dir, archive_name, dataset_name)
x_train, y_train, x_test, y_test, _, nb_classes = prepare_data(dataset_dict,dataset_name)
if attack_on == 'train':
X = x_train
Y = y_train
original_y = dataset_dict[dataset_name][1]
elif attack_on =='test':
X = x_test
Y = y_test
original_y = dataset_dict[dataset_name][3]
else:
print('Error either train or test options for attack_on param')
exit()
# for big datasets we should decompose in batches the evaluation of the attack
# loop through the batches
ori_acc = 0
adv_acc = 0
res_dir = out_dir + 'results'+attack_method+'.csv'
if os.path.exists(res_dir):
res_ori = pd.read_csv(res_dir, index_col=False)
else:
res_ori = pd.DataFrame(data=np.zeros((0, 3), dtype=np.float), index=[],
columns=['dataset_name', 'ori_acc', 'adv_acc'])
test_set = np.zeros((Y.shape[0], x_train.shape[1] + 1), dtype=np.float64)
for i in range(0,len(X),batch_size):
curr_X = X[i:i+batch_size]
curr_Y = Y[i:i+batch_size]
# Obtain series Parameters
img_rows, nchannels = x_train.shape[1:3]
# Define input TF placeholder
x = tf.placeholder(tf.float32, shape=(None, img_rows, nchannels))
y = tf.placeholder(tf.float32, shape=(None, nb_classes))
# Define TF model graph
model = keras.models.load_model(file_path)
preds = model(x)
print("Defined TensorFlow model graph.")
def evaluate():
# Evaluate the accuracy of the model on legitimate test examples
eval_params = {'batch_size': batch_size}
acc = model_eval(sess, x, y, preds, curr_X, curr_Y, args=eval_params)
report.clean_train_clean_eval = acc
print('Test accuracy on legitimate examples: %0.4f' % acc)
return acc
wrap = KerasModelWrapper(model)
ori_acc += evaluate() * len(curr_X)/len(X)
if attack_method == 'fgsm':
# Initialize the Fast Gradient Sign Method (FGSM) attack object and graph
fgsm = FastGradientMethod(wrap, sess=sess)
fgsm_params = {'eps': eps }
adv_x = fgsm.generate(x, **fgsm_params)
elif attack_method == 'bim':
# BasicIterativeMethod
bim = BasicIterativeMethod(wrap,sess=sess)
bim_params = {'eps':eps, 'eps_iter':0.05, 'nb_iter':10}
adv_x = bim.generate(x,**bim_params)
else:
print('Either bim or fgsm are acceptable as attack methods')
return
# Consider the attack to be constant
adv_x = tf.stop_gradient(adv_x)
adv = adv_x.eval({x: curr_X}, session=sess)
adv = adv.reshape(adv.shape[0],adv.shape[1])
preds_adv = model(adv_x)
# Evaluate the accuracy of the model on adversarial examples
eval_par = {'batch_size': batch_size}
acc = model_eval(sess, x, y, preds_adv, curr_X, curr_Y, args=eval_par)
print('Test accuracy on adversarial examples: %0.4f\n' % acc)
report.clean_train_adv_eval = acc
adv_acc += acc * len(curr_X)/len(X)
test_set[i:i+batch_size,0] = original_y[i:i+batch_size]
test_set[i:i+batch_size,1:] = adv
create_directory(adv_data_dir)
np.savetxt(adv_data_dir+dataset_name+'-adv',test_set, delimiter=',')
add_labels_to_adv_test_set(dataset_dict, dataset_name, adv_data_dir,original_y)
res = pd.DataFrame(data = np.zeros((1,3),dtype=np.float), index=[0],
columns=['dataset_name','ori_acc','adv_acc'])
res['dataset_name'] = dataset_name+str(eps)
res['ori_acc'] = ori_acc
res['adv_acc'] = adv_acc
res_ori = pd.concat((res_ori,res),sort=False)
res_ori.to_csv(res_dir,index=False)
return report
def mnist_tutorial(train_start=0,
train_end=60000,
test_start=0,
test_end=10000,
nb_epochs=NB_EPOCHS,
batch_size=BATCH_SIZE,
learning_rate=LEARNING_RATE,
clean_train=True,
testing=False,
backprop_through_attack=False,
nb_filters=NB_FILTERS,
num_threads=None,
attack_string=None):
"""
MNIST cleverhans tutorial
:param train_start: index of first training set example.
:param train_end: index of last training set example.
:param test_start: index of first test set example.
:param test_end: index of last test set example.
:param nb_epochs: number of epochs to train model.
:param batch_size: size of training batches.
:param learning_rate: learning rate for training.
:param clean_train: perform normal training on clean examples only
before performing adversarial training.
:param testing: if true, complete an AccuracyReport for unit tests
to verify that performance is adequate.
:param backprop_through_attack: If True, backprop through adversarial
example construction process during
adversarial training.
:param nb_filters: number of filters in the CNN used for training.
:param num_threads: number of threads used for running the process.
:param attack_string: attack name for crafting adversarial attacks and
adversarial training, in string format.
:return: an AccuracyReport object
"""
# Object used to keep track of (and return) key accuracies
report = AccuracyReport()
# Set TF random seed to improve reproducibility
tf.set_random_seed(1234)
# Set logging level to see debug information
set_log_level(logging.DEBUG)
# Get MNIST test data
X_train, Y_train, X_test, Y_test = data_mnist(train_start=train_start,
train_end=train_end,
test_start=test_start,
test_end=test_end)
# Use label smoothing
assert Y_train.shape[1] == 10
label_smooth = .1
Y_train = Y_train.clip(label_smooth / 9., 1. - label_smooth)
# Train an MNIST model
model_path = "models/mnist"
train_params = {
'nb_epochs': nb_epochs,
'batch_size': batch_size,
'learning_rate': learning_rate
}
# Initialize the attack object
attack_class = attack_selection(attack_string)
attack_params = {'eps': 0.3, 'clip_min': 0., 'clip_max': 1.}
rng = np.random.RandomState([2018, 6, 18])
if clean_train:
model = ModelBasicCNNTFE(nb_filters=nb_filters)
def evaluate_clean():
"""Evaluate the accuracy of the MNIST model on legitimate test
examples
"""
eval_params = {'batch_size': batch_size}
acc = model_eval(model, X_test, Y_test, args=eval_params)
report.clean_train_clean_eval = acc
assert X_test.shape[0] == test_end - test_start, X_test.shape
print('Test accuracy on legitimate examples: %0.4f' % acc)
train(model,
X_train,
Y_train,
evaluate=evaluate_clean,
args=train_params,
rng=rng,
var_list=model.get_params())
if testing:
# Calculate training error
eval_params = {'batch_size': batch_size}
acc = model_eval(model, X_train, Y_train, args=eval_params)
report.train_clean_train_clean_eval = acc
# Evaluate the accuracy of the MNIST model on adversarial examples
eval_par = {'batch_size': batch_size}
attack = attack_class(model)
acc = model_eval(model,
X_test,
Y_test,
args=eval_par,
attack=attack,
attack_args=attack_params)
print('Test accuracy on adversarial examples: %0.4f\n' % acc)
report.clean_train_adv_eval = acc
# Calculate training error
if testing:
eval_par = {'batch_size': batch_size}
acc = model_eval(model,
X_train,
Y_train,
args=eval_par,
attack=attack,
attack_args=attack_params)
print('Train accuracy on adversarial examples: %0.4f\n' % acc)
report.train_clean_train_adv_eval = acc
# Clear the previous Variables
for var in model.get_params():
var = None
attack = None
print("Repeating the process, using adversarial training")
model_adv_train = ModelBasicCNNTFE(nb_filters=nb_filters)
attack = attack_class(model_adv_train)
def evaluate_adv():
# Accuracy of adversarially trained model on legitimate test inputs
eval_params = {'batch_size': batch_size}
accuracy = model_eval(model_adv_train,
X_test,
Y_test,
args=eval_params)
print('Test accuracy on legitimate examples: %0.4f' % accuracy)
report.adv_train_clean_eval = accuracy
# Accuracy of the adversarially trained model on adversarial examples
accuracy = model_eval(model_adv_train,
X_test,
Y_test,
args=eval_params,
attack=attack,
attack_args=attack_params)
print('Test accuracy on adversarial examples: %0.4f' % accuracy)
report.adv_train_adv_eval = accuracy
# Perform and evaluate adversarial training
train(model_adv_train,
X_train,
Y_train,
evaluate=evaluate_adv,
args=train_params,
rng=rng,
var_list=model_adv_train.get_params(),
attack=attack,
attack_args=attack_params)
# Calculate training errors
if testing:
eval_params = {'batch_size': batch_size}
accuracy = model_eval(model_adv_train,
X_train,
Y_train,
args=eval_params,
attack=None,
attack_args=None)
report.train_adv_train_clean_eval = accuracy
accuracy = model_eval(model_adv_train,
X_train,
Y_train,
args=eval_params,
attack=attack,
attack_args=attack_params)
report.train_adv_train_adv_eval = accuracy
return report