def cw(datasets, sample, model_name, target, store_path, ini_con=10, start=0, end=10000, batch_size=32, epoch=9, mu=False, mu_var='gf', de=False, attack='fgsm'): """ Carlini and Wagner's attack :param datasets :param sample: inputs to attack :param target: the class want to generate :param nb_classes: number of output classes :return: """ tf.reset_default_graph() X_train, Y_train, X_test, Y_test = get_data(datasets) # sess, preds, x, y, model, feed_dict = model_load(datasets, model_name, epoch=epoch) sess, preds, x, y, model, feed_dict = model_load(datasets, model_name, epoch=epoch, mu=mu, mu_var=mu_var, de=de, attack=attack) print('load successfule') ########################################################################### # Craft adversarial examples using Carlini and Wagner's approach ########################################################################### ''' if 'mnist' == datasets: sample = np.asarray([np.asarray(imread(sample_path)).reshape(28, 28, 1)]).astype('float32') sample = preprocess_image_1(sample) elif 'cifar10' == datasets: sample = np.asarray([np.asarray(imread(sample_path)).reshape(32, 32, 3)]).astype('float32') sample = preprocess_image_1(sample) elif 'svhn' == datasets: sample = np.asarray([np.asarray(imread(sample_path)).reshape(32,32,3)]).astype('float32') sample = preprocess_image_1(sample) ''' input_shape, nb_classes = get_shape(datasets) sample=sample[start:end] probabilities = model_prediction(sess, x, preds, sample, feed=feed_dict) current_class=[] for i in range(0, probabilities.shape[0]): current_class.append(np.argmax(probabilities[i])) if not os.path.exists(store_path): os.makedirs(store_path) ''' if target == current_class: return 'The target is equal to its original class' elif target >= nb_classes or target < 0: return 'The target is out of range' ''' #only for correct: Y_test=Y_test[start:end] #sample=sample[start:end] acc_pre_index=[] for i in range(0, sample.shape[0]): if current_class[i]==np.argmax(Y_test[i]): acc_pre_index.append(i) print('current_class',current_class) print('Start generating adv. example for target class %i' % target) # Instantiate a CW attack object sample_acc=np.zeros(shape=(len(acc_pre_index),input_shape[1], input_shape[2], input_shape[3]), dtype='float') current_class_acc=np.zeros(shape=(len(acc_pre_index)), dtype=int) for i in range(0, len(acc_pre_index)): sample_acc[i]=sample[acc_pre_index[i]] current_class_acc[i]=current_class[acc_pre_index[i]] print('current_class_acc',current_class_acc) cw = CarliniWagnerL2(model, back='tf', sess=sess) one_hot = np.zeros((1, nb_classes), dtype=np.float32) one_hot[0, target] = 1 adv_ys = one_hot yname = "y_target" if 'mnist' == datasets: cw_params = {'binary_search_steps': 1, yname: adv_ys, 'max_iterations': 1000, 'learning_rate': 0.1, 'batch_size': 1, 'initial_const': ini_con} elif 'cifar10' == datasets: cw_params = {'binary_search_steps': 1, yname: adv_ys, 'max_iterations': 1000, 'learning_rate': 0.1, 'batch_size': 1, 'initial_const': ini_con} suc=0 nb_batches = int(math.ceil(float(sample_acc.shape[0]) / batch_size)) for batch in range(nb_batches): start_batch=batch*batch_size end_batch=(batch+1)*batch_size if end_batch>sample_acc.shape[0]: end_batch=sample_acc.shape[0] adv_inputs=sample_acc[start_batch:end_batch] for j in range(start_batch, end_batch): if current_class_acc[j]!=target: adv_input=adv_inputs[j-start_batch].reshape(1,input_shape[1],input_shape[2],input_shape[3]) adv = cw.generate_np(adv_input, **cw_params) #print(adv.shape) #print(adv) new_class_labels = model_argmax(sess, x, preds, adv, feed=feed_dict) res = int(new_class_labels == target) if res == 1: adv=adv.reshape(adv.shape[1],adv.shape[2],adv.shape[3]) #adv_img_deprocessed = deprocess_image_1(adv) #adv_img_deprocessed=adv_img_deprocessed.reshape(adv_img_deprocessed.shape[1],adv_img_deprocessed.shape[2]) suc+=1 path = store_path + '/' + str(start+acc_pre_index[j]) + '_' + str(time.time()*1000) + '_' + str(current_class_acc[j]) + '_' + str(new_class_labels) #path = store_path + '/' + str(start+acc_pre_index[j]) + '_' + str(time.time()*1000) + '_' + str(current_class_acc[j]) + '_' + str(new_class_labels)+'.png' #path=store_path + '/' + str(j)+ '_'+ str(current_class_acc[j]) +'.png' #imsave(path, adv) np.save(path, adv) #print(adv.shape) sess.close() return suc, len(acc_pre_index)
def model_training(datasets, model_name, samples_path=None, nb_epochs=6, batch_size=256, learning_rate=0.001, attack=None, mu=False, mu_var='gf'): # Set TF random seed to improve reproducibility tf.set_random_seed(1234) config = tf.ConfigProto() config.gpu_options.allow_growth = True #config.gpu_options.per_process_gpu_memory_fraction = 0.9 # Create TF session and set as Keras backend session sess = tf.Session(config=config) print("Created TensorFlow session.") set_log_level(logging.DEBUG) X_train, Y_train, X_test, Y_test = get_data(datasets) def y_one_hot(label): y = np.zeros(10) y[label] = 1 return y if samples_path != None: [image_list, image_files, real_labels, predicted_labels] = get_data_file(samples_path) #samples_adv = np.asarray([preprocess_image_1(image.astype('float64')) for image in image_list]) samples_adv = np.asarray(image_list) #print(samples_adv.shape) labels_adv = np.asarray( [y_one_hot(int(label)) for label in real_labels]) samples = np.concatenate((X_train, samples_adv)) #print(samples.shape) labels = np.concatenate((Y_train, labels_adv)) if mu == True: model_path = path.mude_model_path + mu_var + '/' + attack + '/' + datasets + "_" + model_name else: model_path = path.de_model_path + attack + '/' + datasets + "_" + model_name else: samples = X_train labels = Y_train model_path = path.model_path + datasets + "_" + model_name input_shape, nb_classes = get_shape(datasets) # Define input TF placeholder x = tf.placeholder(tf.float32, shape=input_shape) y = tf.placeholder(tf.float32, shape=(None, nb_classes)) feed_dict = None model = model_dict[model_name](input_shape, nb_classes) preds = model(x) print("Defined TensorFlow model graph.") ########################################################################### # Training the model using TensorFlow ########################################################################### train_params = { 'nb_epochs': nb_epochs, 'batch_size': batch_size, 'learning_rate': learning_rate, 'train_dir': model_path, 'filename': model_name + '.model' } sess.run(tf.global_variables_initializer()) rng = np.random.RandomState([2017, 8, 30]) model_train(sess, x, y, preds, samples, labels, args=train_params, rng=rng, save=True) # Evaluate the accuracy of the model on legitimate test examples eval_params = {'batch_size': batch_size} accuracy = model_eval(sess, x, y, preds, X_test, Y_test, args=eval_params, feed=feed_dict) print('Test accuracy on legitimate test examples: {0}'.format(accuracy)) #accuracy = model_eval(sess, x, y, preds, X_test, Y_test, args=eval_params, feed=feed_dict) # Close TF session sess.close() print('Finish model training.')
def submodel_training(datasets, submodel_name, target_model, batch_size=256, learning_rate=0.001, data_aug=6, lmbda=0.1, nb_epochs=10, holdout=150): # Set TF random seed to improve reproducibility tf.set_random_seed(1234) config = tf.ConfigProto() #config.gpu_options.per_process_gpu_memory_fraction = 0.7 config.gpu_options.allow_growth = True # Create TF session and set as Keras backend session sess = tf.Session(config=config) print("Created TensorFlow session.") set_log_level(logging.DEBUG) model_path = path.model_path + datasets + "_" + submodel_name + "_" + target_model X_train, Y_train, X_test, Y_test = get_data(datasets) input_shape, nb_classes = get_shape(datasets) # Define input TF placeholder sess, preds, x, y, model, feed_dict = model_load(datasets, target_model) rng = np.random.RandomState([2017, 8, 30]) # Initialize substitute training set reserved for adversary X_sub = X_test[:holdout] Y_sub = np.argmax(Y_test[:holdout], axis=1) model_sub = model_dict[submodel_name](input_shape, nb_classes) preds_sub = model_sub(x) print("Defined TensorFlow model graph for the substitute.") # Define the Jacobian symbolically using TensorFlow grads = jacobian_graph(preds_sub, x, nb_classes) # Train the substitute and augment dataset alternatively for rho in xrange(data_aug): print("Substitute training epoch #" + str(rho)) train_params = { 'nb_epochs': nb_epochs, 'batch_size': batch_size, 'learning_rate': learning_rate, 'train_dir': model_path, 'filename': 'substitute.model' } with TemporaryLogLevel(logging.WARNING, "nmutant_util.utils.tf"): model_train(sess, x, y, preds_sub, X_sub, to_categorical(Y_sub, nb_classes), init_all=False, args=train_params, rng=rng, save=True) # If we are not at last substitute training iteration, augment dataset if rho < data_aug - 1: print("Augmenting substitute training data.") # Perform the Jacobian augmentation lmbda_coef = 2 * int(int(rho / 3) != 0) - 1 X_sub = jacobian_augmentation(sess, x, X_sub, Y_sub, grads, lmbda_coef * lmbda) print("Labeling substitute training data.") # Label the newly generated synthetic points using the black-box Y_sub = np.hstack([Y_sub, Y_sub]) X_sub_prev = X_sub[int(len(X_sub) / 2):] eval_params = {'batch_size': batch_size} bbox_val = batch_eval(sess, [x], [preds], [X_sub_prev], args=eval_params, feed=feed_dict)[0] # Note here that we take the argmax because the adversary # only has access to the label (not the probabilities) output # by the black-box model Y_sub[int(len(X_sub) / 2):] = np.argmax(bbox_val, axis=1) # Close TF session sess.close() print('Finish model training.')
def fgsm(datasets, sample, model_name, epoch, store_path, step_size='0.3', batch_size=256): """ :param datasets :param sample: inputs to attack :param target: the class want to generate :param nb_classes: number of output classes :return: """ tf.reset_default_graph() X_train, Y_train, X_test, Y_test = get_data(datasets) input_shape, nb_classes = get_shape(datasets) sess, preds, x, y, model, feed_dict = model_load(datasets, model_name, epoch) ########################################################################### # Craft adversarial examples using the FGSM approach ########################################################################### # Initialize the Fast Gradient Sign Method (FGSM) attack object and # graph ''' if 'mnist' == datasets: #sample = np.asarray([np.asarray(imread(sample_path)).reshape(28,28,1)]).astype('float32') #sample = preprocess_image_1(sample) print('1') elif 'cifar10' == datasets: sample = np.asarray([np.asarray(imread(sample_path)).reshape(32,32,3)]).astype('float32') sample = preprocess_image_1(sample) elif 'svhn' == datasets: sample = np.asarray([np.asarray(imread(sample_path)).reshape(32,32,3)]).astype('float32') sample = preprocess_image_1(sample) #print(sample.shape) ''' probabilities = model_prediction(sess, x, preds, sample, feed=feed_dict) if sample.shape[0] == 1: current_class = np.argmax(probabilities) else: current_class = np.argmax(probabilities, axis=1) if not os.path.exists(store_path): os.makedirs(store_path) # only for correct: acc_pre_index=[] for i in range(0, sample.shape[0]): if current_class[i]==np.argmax(Y_test[i]): acc_pre_index.append(i) sample_acc=np.zeros(shape=(len(acc_pre_index),input_shape[1], input_shape[2], input_shape[3]), dtype='float32') probabilities_acc=np.zeros(shape=(len(acc_pre_index),nb_classes), dtype='float32') current_class_acc=np.zeros(shape=(len(acc_pre_index)), dtype=int) for i in range(0, len(acc_pre_index)): sample_acc[i]=sample[acc_pre_index[i]] probabilities_acc[i]=probabilities[acc_pre_index[i]] current_class_acc[i]=current_class[acc_pre_index[i]] print('Start generating adv. example') #print(float(step_size)) if 'mnist' == datasets: fgsm_params = {'eps': float(step_size), 'clip_min': 0., 'clip_max': 1.} elif 'cifar10' == datasets: fgsm_params = {'eps': float(step_size), 'clip_min': 0., 'clip_max': 1.} elif 'svhn' == datasets: fgsm_params = {'eps': float(step_size), 'clip_min': 0., 'clip_max': 1.} fgsm = FastGradientMethod(model, sess=sess) adv_x = fgsm.generate(x, **fgsm_params) nb_batches = int(math.ceil(float(sample_acc.shape[0]) / batch_size)) suc=0 for batch in range(nb_batches): #start, end = batch_indices(batch, sample_acc.shape[0], batch_size) print(batch) start=batch*batch_size end=(batch+1)*batch_size if end>sample_acc.shape[0]: end=sample_acc.shape[0] adv= sess.run(adv_x,feed_dict={x: sample_acc[start:end], y: probabilities_acc[start:end]}) adv_img_deprocessed = deprocess_image_1(adv) # Check if success was achieved #probabilities = model_prediction(sess, x, preds, sample, feed=feed_dict) new_class_label = model_argmax(sess, x, preds, adv, feed=feed_dict) # Predicted class of the generated adversary for i in range(0, len(new_class_label)): j=batch*batch_size+i if new_class_label[i]!=current_class_acc[j]: suc+=1 path = store_path + '/adv_'+ str(time.time()*1000) + '_' + str(acc_pre_index[j]) + '_' + str(current_class_acc[j]) + '_' + str(new_class_label[i]) + '_.png' # path = store_path + '/' + str(acc_pre_index[j]) + '_' + str(time.time()*1000) + '_' + str(current_class_acc[j]) + '_' + str(new_class_label[i]) + '.png' imsave(path, adv_img_deprocessed[i]) # Close TF session sess.close() return suc, len(acc_pre_index)
def ccv(datasets='mnist', model='lenet1', de_model='lenet1', attack='fgsm', epoch=49, de_epoch=49): """ :param datasets :param model :param samples_path :return: """ tf.reset_default_graph() # Object used to keep track of (and return) key accuracies print("load defense model.") sess, preds, x, y, model, feed_dict = model_load(datasets, model, epoch=epoch) X_train, Y_train, X_test, Y_test = get_data(datasets) input_shape, nb_classes = get_shape(datasets) feed_dict_de = None result_nor = model_prediction(sess, x, preds, X_test, feed=feed_dict, datasets=datasets) #result_nor=sess.run(preds, feed_dict={x:X_test[0:1000]}) #print(result_nor) #print(model) #print(get_model_dict()) tf.reset_default_graph() sess, preds_de, x, y, model_de, feed_dict = model_load(datasets, de_model, True, attack=attack, epoch=de_epoch) #result_de=sess.run(preds_de, feed_dict={x:X_test[0:1000]}) result_de = model_prediction(sess, x, preds_de, X_test, feed=feed_dict, datasets=datasets) #print(result_de) # print('average confidence of adversarial class %.4f' %(result)) result = 0 num = 0 for i in range(Y_test.shape[0]): if (np.argmax(Y_test[i]) == np.argmax(result_nor[i])) and (np.argmax( Y_test[i]) == np.argmax(result_de[i])): num += 1 result += abs(result_nor[i][np.argmax(Y_test[i])] - result_de[i][np.argmax(Y_test[i])]) # Close TF session print(result / num) sess.close() return result / num
def blackbox(datasets, sample, model_name, submodel_name, store_path, step_size=0.3, batch_size=256): """ the black-box attack from arxiv.org/abs/1602.02697 :param datasets :param sample: inputs to attack :param target: the class want to generate :param nb_classes: number of output classes :return: """ # Simulate the black-box model locally # You could replace this by a remote labeling API for instance print("Preparing the black-box model.") tf.reset_default_graph() X_train, Y_train, X_test, Y_test = get_data(datasets) input_shape, nb_classes = get_shape(datasets) sess, bbox_preds, x, y, model, feed_dict = model_load(datasets, model_name) # Train substitute using method from https://arxiv.org/abs/1602.02697 print("Preparing the substitute model.") model_sub, preds_sub = sub_model_load(sess, datasets, submodel_name, model_name) ########################################################################### # Craft adversarial examples using the Blackbox approach ########################################################################### # Initialize the Fast Gradient Sign Method (FGSM) attack object. ''' if 'mnist' == datasets: sample = np.asarray([np.asarray(imread(sample_path)).reshape(28,28,1)]).astype('float32') sample = preprocess_image_1(sample) elif 'cifar10' == datasets: sample = np.asarray([np.asarray(imread(sample_path)).reshape(32,32,3)]).astype('float32') sample = preprocess_image_1(sample) elif 'svhn' == datasets: sample = np.asarray([np.asarray(imread(sample_path)).reshape(32,32,3)]).astype('float32') sample = preprocess_image_1(sample) ''' probabilities = model_prediction(sess, x, model(x), sample, feed=feed_dict) if sample.shape[0] == 1: current_class = np.argmax(probabilities) else: current_class = np.argmax(probabilities, axis=1) if not os.path.exists(store_path): os.makedirs(store_path) # only for correct: acc_pre_index = [] for i in range(0, sample.shape[0]): if current_class[i] == np.argmax(Y_test[i]): acc_pre_index.append(i) sample_acc = np.zeros(shape=(len(acc_pre_index), input_shape[1], input_shape[2], input_shape[3]), dtype='float32') probabilities_acc = np.zeros(shape=(len(acc_pre_index), nb_classes), dtype='float32') current_class_acc = np.zeros(shape=(len(acc_pre_index)), dtype=int) for i in range(0, len(acc_pre_index)): sample_acc[i] = sample[acc_pre_index[i]] probabilities_acc[i] = probabilities[acc_pre_index[i]] current_class_acc[i] = current_class[acc_pre_index[i]] if datasets == 'mnist': fgsm_par = { 'eps': step_size, 'ord': np.inf, 'clip_min': 0., 'clip_max': 1. } elif 'cifar10' == datasets: fgsm_par = { 'eps': step_size, 'ord': np.inf, 'clip_min': 0., 'clip_max': 1. } elif 'svhn' == datasets: fgsm_par = { 'eps': step_size, 'ord': np.inf, 'clip_min': 0., 'clip_max': 1. } fgsm = FastGradientMethod(model_sub, sess=sess) # Craft adversarial examples using the substitute x_adv_sub = fgsm.generate(x, **fgsm_par) nb_batches = int(math.ceil(float(sample_acc.shape[0]) / batch_size)) suc = 0 for batch in range(nb_batches): #start, end = batch_indices(batch, sample_acc.shape[0], batch_size) print(batch) start = batch * batch_size end = (batch + 1) * batch_size if end > sample_acc.shape[0]: end = sample_acc.shape[0] adv = sess.run(x_adv_sub, feed_dict={ x: sample_acc[start:end], y: probabilities_acc[start:end] }) adv_img_deprocessed = deprocess_image_1(adv) # Check if success was achieved #probabilities = model_prediction(sess, x, preds, sample, feed=feed_dict) new_class_label = model_argmax( sess, x, model(x), adv, feed=feed_dict) # Predicted class of the generated adversary for i in range(0, len(new_class_label)): j = batch * batch_size + i if new_class_label[i] != current_class_acc[j]: suc += 1 path = store_path + '/' + str(j) + '_' + str( time.time() * 1000) + '_' + str( current_class_acc[j]) + '_' + str( new_class_label[i]) + '.png' imsave(path, adv_img_deprocessed[i]) # Close TF session sess.close() return suc, len(acc_pre_index) '''