def mutation_tutorial(datasets,
attack,
sample_path,
store_path,
model_path,
level=1,
test_num=100,
mutation_number=1000,
mutated=False):
sess, preds, x, y, model, feed_dict = model_load(datasets,
model_path + datasets)
sample_path = sample_path + attack + '/' + datasets
# sample_path = '../mt_result/mnist_jsma/adv_jsma'
[image_list, image_files, real_labels,
predicted_labels] = utils.get_data_mutation_test(sample_path)
count = 0
for i in range(len(image_list)):
ori_img = preprocess_image_1(image_list[i].astype('float64'))
ori_img = np.expand_dims(ori_img.copy(), 0)
p = model_argmax(sess, x, preds, ori_img, feed=feed_dict)
if p != predicted_labels[i]:
count = count + 1
image_file = image_files[i]
os.remove("../datasets/adversary/" + attack + '/' + datasets +
'/' + image_file)
# os.remove(sample_path + '/' + image_file)
# Close TF session
print(count)
sess.close()
print('Finish.')
def mr(datasets, model, samples_path):
"""
:param datasets
:param model
:param samples_path
:return:
"""
tf.reset_default_graph()
X_train, Y_train, X_test, Y_test = get_data(datasets)
input_shape, nb_classes = get_shape(datasets)
sess, preds, x, y, model, feed_dict = model_load(datasets, model)
preds_test = np.asarray([])
n_batches = int(np.ceil(1.0 * X_test.shape[0] / 256))
for i in range(n_batches):
start = i * 256
end = np.minimum(len(X_test), (i + 1) * 256)
preds_test = np.concatenate(
(preds_test, model_argmax(sess, x, preds, X_test[start:end], feed=feed_dict)))
inds_correct = np.asarray(np.where(preds_test != Y_test.argmax(axis=1))[0])
X_test = X_test[inds_correct]
[image_list, image_files, real_labels, predicted_labels] = get_data_file(samples_path)
for a in ua:
if a in samples_path:
result = len(image_files) / len(X_test)
print('misclassification ratio is %.4f' % (result))
return result
for a in ta:
if a in samples_path:
result = len(image_files) / (len(X_test) * (nb_classes - 1))
print('misclassification ratio is %.4f' % (result))
return result
def actc(datasets, model, samples_path, epoch=49):
"""
:param datasets
:param model
:param samples_path
:return:
"""
# Object used to keep track of (and return) key accuracies
tf.reset_default_graph()
sess, preds, x, y, model, feed_dict = model_load(datasets, model, epoch=epoch)
[image_list, image_files, real_labels, predicted_labels] = get_data_file(samples_path)
#samples = np.asarray([preprocess_image_1(image.astype('float64')) for image in image_list])
samples=np.asarray(image_list)
pbs = []
n_batches = int(np.ceil(samples.shape[0] / 256))
for i in range(n_batches):
start = i * 256
end = np.minimum(len(samples), (i + 1) * 256)
feed = {x: samples[start:end]}
if feed_dict is not None:
feed.update(feed_dict)
probabilities = sess.run(preds, feed)
for j in range(len(probabilities)):
pbs.append(probabilities[j][real_labels[start+j]])
result = sum(pbs) / len(pbs)
print('average confidence of true class %.4f' %(result))
# Close TF session
sess.close()
return result
def write_txt(file,epochs):
string = file.split('_')
datasets = string[0]
model_name = string[1]
factor = string[2] + '_' + string[3] + '_' + string[4]
filters_dict = {}
f = open('../filter1/filter_euclidean/' + datasets + '_' + model_name + '_' + factor + '_' + str(epochs) + '.txt',
'w')
f_layers = open('../filter1/filter_euclidean/' + datasets + '_' + model_name + '_' + factor + '_layers' + '.txt',
'w')
for epoch in range(epochs):
tf.reset_default_graph()
sess, preds, x, y, model, feed_dict = model_load(datasets=datasets, model_name=model_name, de=False,
attack='fgsm',
epoch=epoch, others=factor)
filters_dict[epoch] = get_filters(sess, model)
sess.close()
del sess, preds, x, y, model, feed_dict
gc.collect()
x, y = data_process(filters_dict[epoch][0], filters_dict[epoch][-1])
f.write(str(epoch) + ' ' + str(np.linalg.norm(x - y)))
f.write('\n')
f_layers.write(str(epoch) )
for num in range(len(filters_dict[epoch])):
x, y = data_process(filters_dict[epoch][0], filters_dict[epoch][num])
f_layers.write(' ' +str(np.linalg.norm(x - y)))
f_layers.write('\n')
compare_epochs(filters_dict,datasets=datasets, model_name=model_name,others=factor)
def calculate_lid(datasets, model_path, sample_path, attack, k_nearest,
batch_size):
"""
Load multiple characteristics for one dataset and one attack.
:param dataset:
:param attack:
:param characteristics:
:return:
"""
# Load the model
sess, preds, x, y, model, feed_dict = model_load(datasets, model_path)
[X_test_adv_train, adv_image_files, real_labels, predicted_labels
] = utils.get_data_mutation_test("../datasets/experiment/" + datasets +
"/" + attack + "/train")
[X_test_adv_test, adv_image_files, real_labels, predicted_labels
] = utils.get_data_mutation_test("../datasets/experiment/" + datasets +
"/" + attack + "/test")
train_num = len(X_test_adv_train)
test_num = len(X_test_adv_test)
X_test_adv = preprocess_image_1(
np.concatenate((np.asarray(X_test_adv_train),
np.asarray(X_test_adv_test))).astype('float32'))
if len(X_test_adv.shape) < 4:
X_test_adv = np.expand_dims(X_test_adv, axis=3)
[X_test_train, adv_image_files, real_labels,
predicted_labels] = utils.get_data_normal_test("../datasets/experiment/" +
datasets + "/normal/train")
[X_test_test, adv_image_files, real_labels,
predicted_labels] = utils.get_data_normal_test("../datasets/experiment/" +
datasets + "/normal/test")
X_test_train = np.asarray(X_test_train)[np.random.choice(len(X_test_train),
train_num,
replace=False)]
X_test_test = np.asarray(X_test_test)[np.random.choice(len(X_test_test),
test_num,
replace=False)]
X_test = preprocess_image_1(
np.concatenate((np.asarray(X_test_train),
np.asarray(X_test_test))).astype('float32'))
if len(X_test.shape) < 4:
X_test = np.expand_dims(X_test, axis=3)
file_name = os.path.join('../detection/lid/',
"%s_%s.npy" % (datasets, attack))
if not os.path.exists(file_name):
# extract local intrinsic dimensionality
characteristics, labels = get_lid(sess, x, model, feed_dict, X_test,
X_test_adv, k_nearest, batch_size,
datasets)
data = np.concatenate((characteristics, labels), axis=1)
np.save(file_name, data)
return train_num
def mr(datasets, model_name, attack, va, epoch=49):
"""
:param datasets
:param sample: inputs to attack
:param target: the class want to generate
:param nb_classes: number of output classes
:return:
"""
tf.reset_default_graph()
X_train, Y_train, X_test, Y_test = get_data(datasets)
input_shape, nb_classes = get_shape(datasets)
sample = X_test
sess, preds, x, y, model, feed_dict = model_load(datasets,
model_name,
epoch=epoch)
probabilities = model_prediction(sess,
x,
preds,
sample,
feed=feed_dict,
datasets=datasets)
if sample.shape[0] == 1:
current_class = np.argmax(probabilities)
else:
current_class = np.argmax(probabilities, axis=1)
# only for correct:
acc_pre_index = []
for i in range(0, sample.shape[0]):
if current_class[i] == np.argmax(Y_test[i]):
acc_pre_index.append(i)
print(len(acc_pre_index))
sess.close()
total = 0
if attack == 'fgsm':
samples_path = '../adv_result/' + datasets + '/' + attack + '/' + model_name + '/' + str(
va)
[image_list, image_files, real_labels,
predicted_labels] = get_data_file(samples_path)
num = len(image_list)
return num / len(acc_pre_index)
else:
total = 0
for tar in range(0, nb_classes):
samples_path = '../adv_result/' + datasets + '/' + attack + '/' + model_name + '/' + str(
va) + '_' + str(tar)
[image_list, image_files, real_labels,
predicted_labels] = get_data_file(samples_path)
total += len(image_list)
return total / len(acc_pre_index)
def correct(datasets, model_name, X_test, Y_test, de=False, attack='fgsm', epoch=49):
tf.reset_default_graph()
sess, preds, x, y, model, feed_dict = model_load(datasets=datasets, model_name=model_name, de=de, attack=attack, epoch=epoch)
preds_test = np.asarray([])
n_batches = int(np.ceil(1.0 * X_test.shape[0] / 256))
for i in range(n_batches):
start = i * 256
end = np.minimum(len(X_test), (i + 1) * 256)
preds_test = np.concatenate(
(preds_test, model_argmax(sess, x, preds, X_test[start:end], feed=feed_dict)))
inds_correct = np.asarray(np.where(preds_test == Y_test.argmax(axis=1))[0])
sess.close()
tf.reset_default_graph()
return inds_correct
def pure(datasets='mnist', attack='fgsm', model_name='lenet1'):
tf.reset_default_graph()
samples_path = '../adv_result/' + datasets + '/' + attack + '/' + model_name + '/pure'
if not os.path.isdir(samples_path):
os.makedirs(samples_path + '/train')
os.makedirs(samples_path + '/test')
samples_path_train = '../adv_result/' + datasets + '/' + attack + '/' + model_name + '/train_data'
samples_path_test = '../adv_result/' + datasets + '/' + attack + '/' + model_name + '/test_data'
sess, preds, x, y, model, feed_dict = model_load(datasets, model_name)
[
image_list_train, image_files_train, real_labels_train,
predicted_labels_train
] = get_data_file(samples_path_train)
[
image_list_test, image_files_test, real_labels_test,
predicted_labels_test
] = get_data_file(samples_path_test)
#samples_train = np.asarray([preprocess_image_1(image.astype('float64')) for image in image_list_train])
#samples_test = np.asarray([preprocess_image_1(image.astype('float64')) for image in image_list_test])
samples_train = np.asarray(image_list_train)
samples_test = np.asarray(image_list_test)
probabilities_train = model_prediction(sess,
x,
preds,
samples_train,
feed=feed_dict)
probabilities_test = model_prediction(sess,
x,
preds,
samples_test,
feed=feed_dict)
for i in range(0, samples_train.shape[0]):
if predicted_labels_train[i] == np.argmax(probabilities_train[i]):
pure_train = samples_path + '/train/' + image_files_train[i]
#imsave(pure_train, image_list_train[i])
np.save(pure_train, image_list_train[i])
for i in range(0, samples_test.shape[0]):
if predicted_labels_test[i] == np.argmax(probabilities_test[i]):
pure_test = samples_path + '/test/' + image_files_test[i]
#imsave(pure_test, image_list_test[i])
np.save(pure_test, image_list_test[i])
def cw(datasets, sample, model_name, target,
store_path='../mt_result/integration/cw/mnist'):
"""
Carlini and Wagner's attack
:param datasets
:param sample: inputs to attack
:param target: the class want to generate
:param nb_classes: number of output classes
:return:
"""
sess, preds, x, y, model, feed_dict = model_load(datasets, model_name)
###########################################################################
# Craft adversarial examples using Carlini and Wagner's approach
###########################################################################
'''
def test_adv(datasets, model_name, samples_path, de=True, attack='fgsm', epoch=9):
[image_list, _, real_labels, _] = get_data_file(samples_path)
tf.reset_default_graph()
sess, preds, x, y, model, feed_dict = model_load(datasets=datasets, model_name=model_name, de=de, attack=attack,
epoch=epoch)
def y_one_hot(label):
y = np.zeros(10)
y[label] = 1
return y
eval_params = {'batch_size': 256}
labels_adv = np.asarray([y_one_hot(int(label)) for label in real_labels])
accuracy = model_eval(sess,x,y,preds,np.asarray(image_list), labels_adv, feed_dict, eval_params)
print(accuracy)
def main(argv=None):
datasets = FLAGS.datasets
attack_type = FLAGS.attack_type
# detector config
k_nor = FLAGS.k_nor
mu = FLAGS.mu
level = FLAGS.level
max_mutations = FLAGS.max_iteration
normal = False
indifference_region_ratio = mu - 1
alpha = 0.05
beta = 0.05
if 'mnist' == datasets:
rgb = False
image_rows = 28
image_cols = 28
elif 'cifar10' == datasets:
rgb = True
image_rows = 32
image_cols = 32
print('--- Dataset: ', datasets, 'attack type: ', attack_type)
sess, preds, x, y, model, feed_dict = model_load(datasets,
FLAGS.model_name,
FLAGS.epoch)
adv_image_dir = FLAGS.sample_path + '/' + attack_type + '/test'
if attack_type.__eq__('normal'):
normal = True
store_path = FLAGS.store_path + datasets + '_' + attack_type + '/level=' + str(level)+',mm=' + \
str(max_mutations) + '/mu=' + str(mu) + ',irr=' + str(indifference_region_ratio)
# Detection
ad = detector(k_nor, mu, image_rows, image_cols, level, rgb, max_mutations,
alpha, beta, k_nor * indifference_region_ratio)
print('--- Detector config: ', ad.print_config())
directory_detect(datasets, adv_image_dir, normal, store_path, ad, sess,
preds, x, feed_dict)
def acc(datasets, model_name, target, attack):
"""
Carlini and Wagner's attack
:param datasets
:param sample: inputs to attack
:param target: the class want to generate
:param nb_classes: number of output classes
:return:
"""
tf.reset_default_graph()
X_train, Y_train, X_test, Y_test = get_data(datasets)
# sess, preds, x, y, model, feed_dict = model_load(datasets, model_name,de=True, epoch=target, attack=attack)
sess, preds, x, y, model, feed_dict = model_load(datasets, model_name, epoch=9)
# sess, preds, x, y, model, feed_dict = model_load(datasets, model_name, de=False, epoch=target, attack=attack)
print(datasets)
print('load successfule')
eval_params = {'batch_size':256}
accuracy = model_eval(sess, x, y, preds, X_test, Y_test, args=eval_params, feed=feed_dict)
sess.close()
# tf.reset_default_graph()
# X_train, Y_train, X_test, Y_test = get_data(datasets)
# # sess, preds, x, y, model, feed_dict = model_load(datasets, model_name,de=True, epoch=target, attack=attack)
# sess, preds, x, y, model, feed_dict = model_load(datasets, model_name, epoch=64)
# # sess, preds, x, y, model, feed_dict = model_load(datasets, model_name, de=False, epoch=target, attack=attack)
# print(datasets)
# print('load successfule')
# eval_params = {'batch_size': 256}
#
# preds_test = np.asarray([])
# n_batches = int(np.ceil(1.0 * X_test.shape[0] / 256))
# for i in range(n_batches):
# start = i * 256
# end = np.minimum(len(X_test), (i + 1) * 256)
# preds_test = np.concatenate(
# (preds_test, model_argmax(sess, x, preds, X_test[start:end], feed=feed_dict)))
# inds_correct = np.asarray(np.where(preds_test == Y_test.argmax(axis=1))[0])
print(accuracy)
return accuracy#, len(inds_correct)
def jsma(datasets, sample_path, model_path='../models/integration/mnist'):
"""
the Jacobian-based saliency map approach (JSMA)
:param datasets
:param sample: inputs to attack
:param target: the class want to generate
:param nb_classes: number of output classes
:return:
"""
sess, preds, x, y, model, feed_dict = model_load(datasets, model_path)
###########################################################################
# Craft adversarial examples using the Jacobian-based saliency map approach
###########################################################################
[X_test_adv, adv_image_files, real_labels,
predicted_labels] = utils.get_data_mutation_test(sample_path)
import os
for i in range(len(adv_image_files)):
temp = adv_image_files[i].split('_')[-4]
if os.path.exists("../datasets/integration/batch_attack/cifar10/" +
str(temp) + '.png'):
os.remove("../datasets/integration/batch_attack/cifar10/" +
str(temp) + '.png')
def nte(datasets, model, samples_path, epoch=49):
"""
:param datasets
:param model
:param samples_path
:return:
"""
tf.reset_default_graph()
# Object used to keep track of (and return) key accuracies
sess, preds, x, y, model, feed_dict = model_load(datasets, model, epoch=epoch)
[image_list, image_files, real_labels, predicted_labels] = get_data_file(samples_path)
samples = np.asarray([preprocess_image_1(image.astype('float64')) for image in image_list])
samples = np.asarray(image_list)
pbs = []
n_batches = int(np.ceil(samples.shape[0] / 256))
for i in range(n_batches):
start = i * 256
end = np.minimum(len(samples), (i + 1) * 256)
feed = {x: samples[start:end]}
if feed_dict is not None:
feed.update(feed_dict)
probabilities = sess.run(preds, feed)
#print(probabilities[1])
for j in range(len(probabilities)):
pro_adv_max=probabilities[j][predicted_labels[start+j]]
temp=np.delete(probabilities[j], predicted_labels[start+j], axis=0)
pro_adv_top2=np.max(temp)
pbs.append(pro_adv_max-pro_adv_top2)
result = sum(pbs) / len(pbs)
print('Noise Tolerance Estimation %.4f' %(result))
# Close TF session
sess.close()
return result
def write_ee1(file,epochs):
# 计算每个模型/每一个模型的最后一层和第一层filter差距的欧式距离
string = file.split('_')
datasets = string[0]
model_name = string[1]
factor = string[2] + '_' + string[3] + '_' + string[4]
filters_dict = {}
f = open('../filter1/filter_euclidean/' + datasets + '_' + model_name + '_' + factor + '_ee1' + '.txt','w')
epoch_df = {}
for epoch in range(epochs):
tf.reset_default_graph()
sess, preds, x, y, model, feed_dict = model_load(datasets=datasets, model_name=model_name, de=False,
attack='fgsm',
epoch=epoch, others=factor)
filters_dict[epoch] = get_filters(sess, model)
sess.close()
del sess, preds, x, y, model, feed_dict
gc.collect()
x, y = data_process(filters_dict[epoch][0], filters_dict[epoch][-1])
epoch_df[epoch] = np.linalg.norm(x - y)
layer_epoch = {}
for key in filters_dict.keys():
for i in range(len(filters_dict[key])):
if i not in layer_epoch.keys():
layer_epoch[i] = []
layer_epoch[i].append(filters_dict[key][i])
for key in layer_epoch.keys():
filters = layer_epoch[key]
f.write(str(key))
for i in range(len(filters)):
f.write(' ' + str(np.linalg.norm((filters[0]-abs(epoch_df[0]))/abs(epoch_df[0]) - (filters[i]-abs(epoch_df[i]))/abs(epoch_df[i]))))
f.write('\n')
def bim(datasets,
sample,
model_name,
store_path,
step_size='0.3',
batch_size=256,
epoch=9):
"""
:param datasets
:param sample: inputs to attack
:param target: the class want to generate
:param nb_classes: number of output classes
:return:
"""
tf.reset_default_graph()
X_train, Y_train, X_test, Y_test = get_data(datasets)
input_shape, nb_classes = get_shape(datasets)
print(epoch)
sess, preds, x, y, model, feed_dict = model_load(datasets,
model_name,
epoch=epoch)
###########################################################################
# Craft adversarial examples using the BIM approach
###########################################################################
# Initialize the Basic Iterative Method (BIM) attack object and
# graph
'''
if 'mnist' == datasets:
#sample = np.asarray([np.asarray(imread(sample_path)).reshape(28,28,1)]).astype('float32')
#sample = preprocess_image_1(sample)
print('1')
elif 'cifar10' == datasets:
sample = np.asarray([np.asarray(imread(sample_path)).reshape(32,32,3)]).astype('float32')
sample = preprocess_image_1(sample)
elif 'svhn' == datasets:
sample = np.asarray([np.asarray(imread(sample_path)).reshape(32,32,3)]).astype('float32')
sample = preprocess_image_1(sample)
#print(sample.shape)
'''
probabilities = model_prediction(sess, x, preds, sample, feed=feed_dict)
if sample.shape[0] == 1:
current_class = np.argmax(probabilities)
else:
current_class = np.argmax(probabilities, axis=1)
if not os.path.exists(store_path):
os.makedirs(store_path)
# only for correct:
acc_pre_index = []
for i in range(0, sample.shape[0]):
if current_class[i] == np.argmax(Y_test[i]):
acc_pre_index.append(i)
sample_acc = np.zeros(shape=(len(acc_pre_index), input_shape[1],
input_shape[2], input_shape[3]),
dtype='float32')
probabilities_acc = np.zeros(shape=(len(acc_pre_index), nb_classes),
dtype='float32')
current_class_acc = np.zeros(shape=(len(acc_pre_index)), dtype=int)
for i in range(0, len(acc_pre_index)):
sample_acc[i] = sample[acc_pre_index[i]]
probabilities_acc[i] = probabilities[acc_pre_index[i]]
current_class_acc[i] = current_class[acc_pre_index[i]]
print('Start generating adv. example')
#print(float(step_size))
if 'mnist' == datasets:
bim_params = {
'eps': float(step_size),
'eps_iter': float(step_size) / 6,
'clip_min': 0.,
'clip_max': 1.
}
elif 'cifar10' == datasets:
bim_params = {
'eps': float(step_size),
'eps_iter': float(step_size) / 6,
'clip_min': 0.,
'clip_max': 1.
}
elif 'svhn' == datasets:
bim_params = {
'eps': float(step_size),
'eps_iter': float(step_size) / 6,
'clip_min': 0.,
'clip_max': 1.
}
bim = BasicIterativeMethod(model, sess=sess)
adv_x = bim.generate(x, **bim_params)
nb_batches = int(math.ceil(float(sample_acc.shape[0]) / batch_size))
suc = 0
for batch in range(nb_batches):
#start, end = batch_indices(batch, sample_acc.shape[0], batch_size)
print(batch)
start = batch * batch_size
end = (batch + 1) * batch_size
if end > sample_acc.shape[0]:
end = sample_acc.shape[0]
adv = sess.run(adv_x,
feed_dict={
x: sample_acc[start:end],
y: probabilities_acc[start:end]
})
#adv_img_deprocessed = deprocess_image_1(adv)
#adv:float 0-1 numpy.save("filename.npy",a)
# Check if success was achieved
#probabilities = model_prediction(sess, x, preds, sample, feed=feed_dict)
new_class_label = model_argmax(
sess, x, preds, adv,
feed=feed_dict) # Predicted class of the generated adversary
for i in range(0, len(new_class_label)):
j = batch * batch_size + i
if new_class_label[i] != current_class_acc[j]:
suc += 1
path = store_path + '/' + str(acc_pre_index[j]) + '_' + str(
time.time() * 1000) + '_' + str(
current_class_acc[j]) + '_' + str(new_class_label[i])
np.save(path, adv[i])
# adv_img_deprocessed = deprocess_image_1(adv[i:i+1])
# adv_img_deprocessed=adv_img_deprocessed.reshape(adv_img_deprocessed.shape[1],adv_img_deprocessed.shape[2])
# path = store_path + '/' + str(acc_pre_index[j]) + '_' + str(time.time()*1000) + '_' + str(current_class_acc[j]) + '_' + str(new_class_label[i])+'.png'
#print(adv[i].shape)
# imsave(path, adv_img_deprocessed)
# Close TF session
sess.close()
return suc, len(acc_pre_index)
def mcdc(datasets,
model_name,
samples_path,
de='False',
attack='fgsm',
just_adv=False,
epoch=9):
X_train, Y_train, X_test, Y_test = get_data(datasets)
samples = X_test
if samples_path not in ['test']:
if not just_adv:
[image_list, _, _, _] = get_data_file(samples_path)
samples_adv = np.asarray(image_list)
samples = np.concatenate((samples, samples_adv))
print("Combine data")
else:
[image_list, _, _, _] = get_data_file(samples_path)
samples = np.asarray(image_list)
print("Just adv")
tf.reset_default_graph()
sess, preds, x, y, model, feed_dict = model_load(datasets=datasets,
model_name=model_name,
de=de,
attack=attack,
epoch=epoch)
# dict = model.fprop(x)
layer_names = model.layer_names
sess.close()
del sess, preds, x, y, model, feed_dict
gc.collect()
l = 0
ss = []
sc_pr = []
neuron = []
for key in layer_names: #model.layer_names:
if 'ReLU' in key or 'probs' in key:
print(l)
tf.reset_default_graph()
sess, preds, x, y, model, feed_dict = model_load(
datasets=datasets,
model_name=model_name,
de=de,
attack=attack,
epoch=epoch)
dict = model.fprop(x)
tensor = dict[key]
neuron.append(tensor.shape[-1])
layer_output = []
n_batches = int(np.ceil(1.0 * samples.shape[0] / 256))
for batch in range(n_batches):
start = batch * 256
end = np.minimum(len(samples), (batch + 1) * 256)
feed = {x: samples[start:end]}
if feed_dict is not None:
feed.update(feed_dict)
# v = sess.run(tensor, feed_dict=feed)
layer_output = layer_output + sess.run(
tensor, feed_dict=feed).tolist()
sess.close()
del sess, preds, x, y, model, feed_dict
gc.collect()
layer_output = np.asarray(layer_output)
layer_sign = np.zeros(
(layer_output.shape[0], layer_output.shape[-1]))
for num in range(len(layer_output)):
for num_neuron in xrange(layer_output[num].shape[-1]):
if np.mean(layer_output[num][..., num_neuron]) > 0.0:
layer_sign[num][num_neuron] = 1
del layer_output
gc.collect()
if l == 0:
for i in range(len(samples) - 1):
temp = []
for j in range(i + 1, len(samples)):
sc = xor(layer_sign[i], layer_sign[j])
if len(sc) > 1:
sc = []
temp.append(sc)
sc_pr.append(temp)
else:
for i in range(len(samples) - 1):
for j in range(i + 1, len(samples)):
sc = xor(layer_sign[i], layer_sign[j])
if len(sc_pr[i][j - i - 1]) == 1:
n_pr = str(l) + '_' + str(sc_pr[i][j - i - 1])
for n in sc:
n = str(l + 1) + '_' + str(n)
combination = tuple([n_pr, n])
if combination not in ss:
# ss.append(tuple([n_pr, n]))
ss.append(combination)
if len(sc) > 1:
sc = []
sc_pr[i][j - i - 1] = sc
l = l + 1
total = 0
for i in range(len(neuron) - 1):
total = total + int(neuron[i]) * int(neuron[i + 1])
print(1.0 * len(set(ss)) / total)
return 1.0 * len(set(ss)) / total
def ct(datasets,
model_name,
samples_path,
t=2,
p=0.5,
de='False',
attack='fgsm',
just_adv=False,
epoch=9):
X_train, Y_train, X_test, Y_test = get_data(datasets)
samples = X_test
if samples_path not in ['test']:
if not just_adv:
[image_list, _, _, _] = get_data_file(
samples_path) #image_files, real_labels, predicted_labels
samples_adv = np.asarray(image_list)
samples = np.concatenate((samples, samples_adv))
print("Combine data")
else:
[image_list, _, _, _] = get_data_file(
samples_path) #image_files, real_labels, predicted_labels
samples = np.asarray(image_list)
print("Just adv")
tf.reset_default_graph()
sess, preds, x, y, model, feed_dict = model_load(datasets=datasets,
model_name=model_name,
de=de,
attack=attack,
epoch=epoch)
layers_combination = neuron_combination(t, model, x)
sess.close()
del sess, preds, x, y, model, feed_dict
gc.collect()
n_batches = int(np.ceil(1.0 * samples.shape[0] / 512))
for num in range(n_batches):
print(num)
start = num * 512
end = np.minimum(len(samples), (num + 1) * 512)
batch_samples = samples[start:end]
tf.reset_default_graph()
sess, preds, x, y, model, feed_dict = model_load(datasets=datasets,
model_name=model_name,
de=de,
attack=attack,
epoch=epoch)
layers_activation = cal_activation(sess, x, batch_samples, model,
feed_dict)
sess.close()
del sess, preds, x, y, model, feed_dict, batch_samples
gc.collect()
layers_combination = update_combination(layers_combination,
layers_activation, t)
sparse = 0
dense = 0
p_completeness = 0
total = 0
t_t = pow(2, t)
completeness = 1.0 * t_t * p
for layer in layers_combination:
total += len(layer)
for combination in layer:
s = sum(combination)
dense += s
if s >= completeness:
p_completeness += 1
if combination == np.ones(t_t).astype('int').tolist():
sparse += 1
sparse_coverage = 1.0 * sparse / total
dense_coverage = 1.0 * dense / (t_t * total)
pt_completeness = 1.0 * p_completeness / total
print([sparse_coverage, dense_coverage, pt_completeness])
return [sparse_coverage, dense_coverage, pt_completeness]
def jsma(datasets,
sample,
model_name,
target,
store_path,
gamma=0.1,
start=0,
end=10000,
batch_size=32,
epoch=9,
mu=False,
mu_var='gf',
de=False,
attack='fgsm'):
"""
the Jacobian-based saliency map approach (JSMA)
:param datasets
:param sample: inputs to attack
:param target: the class want to generate
:param nb_classes: number of output classes
:return:
"""
tf.reset_default_graph()
X_train, Y_train, X_test, Y_test = get_data(datasets)
# sess, preds, x, y, model, feed_dict = model_load(datasets, model_name, epoch=epoch)
sess, preds, x, y, model, feed_dict = model_load(datasets,
model_name,
epoch=epoch,
mu=mu,
mu_var=mu_var,
de=de,
attack=attack)
###########################################################################
# Craft adversarial examples using the Jacobian-based saliency map approach
###########################################################################
'''
if 'mnist' == datasets:
sample = np.asarray([np.asarray(imread(sample_path)).reshape(28,28,1)]).astype('float32')
sample = preprocess_image_1(sample)
elif 'cifar10' == datasets:
sample = np.asarray([np.asarray(imread(sample_path)).reshape(32,32,3)]).astype('float32')
sample = preprocess_image_1(sample)
elif 'svhn' == datasets:
sample = np.asarray([np.asarray(imread(sample_path)).reshape(32,32,3)]).astype('float32')
sample = preprocess_image_1(sample)
'''
input_shape, nb_classes = get_shape(datasets)
sample = sample[start:end]
probabilities = model_prediction(sess, x, preds, sample, feed=feed_dict)
current_class = []
for i in range(0, probabilities.shape[0]):
current_class.append(np.argmax(probabilities[i]))
if not os.path.exists(store_path):
os.makedirs(store_path)
'''
if target == current_class:
return 'The target is equal to its original class'
elif target >= nb_classes or target < 0:
return 'The target is out of range'
'''
#only for correct:
Y_test = Y_test[start:end]
acc_pre_index = []
for i in range(0, sample.shape[0]):
if current_class[i] == np.argmax(Y_test[i]):
acc_pre_index.append(i)
print('Start generating adv. example for target class %i' % target)
sample_acc = np.zeros(shape=(len(acc_pre_index), input_shape[1],
input_shape[2], input_shape[3]),
dtype='float')
current_class_acc = np.zeros(shape=(len(acc_pre_index)), dtype=int)
for i in range(0, len(acc_pre_index)):
sample_acc[i] = sample[acc_pre_index[i]]
current_class_acc[i] = current_class[acc_pre_index[i]]
#print('current_class_acc',current_class_acc)
# Instantiate a SaliencyMapMethod attack object
jsma = SaliencyMapMethod(model, back='tf', sess=sess)
jsma_params = {
'theta': 1.,
'gamma': gamma,
'clip_min': 0.,
'clip_max': 1.,
'y_target': None
}
# This call runs the Jacobian-based saliency map approach
one_hot_target = np.zeros((1, nb_classes), dtype=np.float32)
one_hot_target[0, target] = 1
jsma_params['y_target'] = one_hot_target
suc = 0
nb_batches = int(math.ceil(float(sample_acc.shape[0]) / batch_size))
for batch in range(nb_batches):
#print(batch)
start_batch = batch * batch_size
end_batch = (batch + 1) * batch_size
if end_batch > sample_acc.shape[0]:
end_batch = sample_acc.shape[0]
adv_inputs = sample_acc[start_batch:end_batch]
for j in range(start_batch, end_batch):
if current_class_acc[j] != target:
adv_input = adv_inputs[j - start_batch].reshape(
1, input_shape[1], input_shape[2], input_shape[3])
adv = jsma.generate_np(adv_input, **jsma_params)
new_class_labels = model_argmax(sess,
x,
preds,
adv,
feed=feed_dict)
res = int(new_class_labels == target)
if res == 1:
adv = adv.reshape(adv.shape[1], adv.shape[2], adv.shape[3])
#adv_img_deprocessed = deprocess_image_1(adv)
#adv_img_deprocessed=adv_img_deprocessed.reshape(adv_img_deprocessed.shape[1],adv_img_deprocessed.shape[2])
suc += 1
path = store_path + '/' + str(
start + acc_pre_index[j]
) + '_' + str(time.time() * 1000) + '_' + str(
current_class_acc[j]) + '_' + str(new_class_labels)
#path=store_path + '/' + str(j)+ '_'+ str(current_class_acc[j]) +'.png'
#imsave(path, adv_img_deprocessed)
np.save(path, adv)
#print(adv.shape)
# Close TF session
sess.close()
return suc, len(acc_pre_index)
def neuron_coverage(datasets,
model_name,
samples_path,
others='',
train_num=0,
test_num=0,
de=False,
attack='fgsm',
just_adv=False,
epoch=49,
datasettype='test'):
"""
:param datasets
:param model
:param samples_path
:return:
"""
# Object used to keep track of (and return) key accuracies
X_train, Y_train, X_test, Y_test = get_data(datasets)
if datasettype == 'train':
samples = X_train[:train_num]
else:
samples = X_test[:test_num]
if samples_path not in ['test']:
if not just_adv:
[image_list, image_files, real_labels,
predicted_labels] = get_data_file(samples_path)
#samples_adv = np.asarray([preprocess_image_1(image.astype('float64')) for image in image_list])
samples_adv = np.asarray(image_list)
samples = np.concatenate((samples, samples_adv))
print("Combine data")
else:
[image_list, image_files, real_labels,
predicted_labels] = get_data_file(samples_path)
#samples_adv = np.asarray([preprocess_image_1(image.astype('float64')) for image in image_list])
samples = np.asarray(image_list)
#samples = np.concatenate((samples, samples_adv))
print("Just adv")
tf.reset_default_graph()
sess, preds, x, y, model, feed_dict = model_load(datasets=datasets,
model_name=model_name,
de=de,
attack=attack,
epoch=epoch,
others=others)
model_layer_dict = init_coverage_tables(model)
sess.close()
del sess, preds, x, y, model, feed_dict
gc.collect()
#ceil取整数
n_batches = int(np.ceil(samples.shape[0] / 256))
for i in range(n_batches):
print(i)
start = i * 256
end = np.minimum(len(samples), (i + 1) * 256)
tf.reset_default_graph()
sess, preds, x, y, model, feed_dict = model_load(datasets=datasets,
model_name=model_name,
de=de,
attack=attack,
epoch=epoch,
others=others)
model_layer_dict = update_coverage(sess,
x,
samples[start:end],
model,
model_layer_dict,
feed_dict,
threshold=0)
sess.close()
del sess, preds, x, y, model, feed_dict
gc.collect()
result = neuron_covered(model_layer_dict)[2]
print('covered neurons percentage %d neurons %.4f' %
(len(model_layer_dict), result))
if result >= 0.999:
break
return len(model_layer_dict), result
def sc(datasets, model_name, samples_path, layer=-3, num_section=1000, de='False', attack='fgsm', epoch=9):
X_train, Y_train, X_test, Y_test = get_data(datasets)
if de == True:
adv_train_path = '../adv_result/' + datasets + '/' + attack + '/' + model_name + '/train_data'
[image_list_train, _, real_labels, _] = get_data_file(adv_train_path)
samples_train = np.asarray(image_list_train)
if datasets == "mnist":
indexs = random.sample(range(len(samples_train)), int(len(samples_train)/12))
elif datasets == "cifar10":
indexs = random.sample(range(len(samples_train)), int(len(samples_train) / 10))
train_samples = np.concatenate((samples_train[indexs], X_train[:5000]))
store_path = "../suprise/" + datasets + "/" + model_name + "/" + attack + '/'
else:
train_samples = X_train[:5000]
store_path = "../suprise/" + datasets + "/" + model_name + "/ori/"
if not os.path.exists(store_path):
os.makedirs(store_path)
a_n_train = []
train_labels = []
n_batches = int(np.ceil(1.0 * train_samples.shape[0] / 512))
for num in range(n_batches):
print(num)
start = num * 512
end = np.minimum(len(train_samples), (num + 1) * 512)
tf.reset_default_graph()
sess, preds, x, y, model, feed_dict = model_load(datasets=datasets, model_name=model_name, de=de,
attack=attack,
epoch=epoch)
train_labels = train_labels+model_argmax(sess, x, preds, train_samples[start:end], feed_dict).tolist()
a_n_train = a_n_train+at_training(sess, x, train_samples[start:end], model, feed_dict, layer).tolist()
sess.close()
del sess, preds, x, y, model, feed_dict
gc.collect()
a_n_train = np.asarray(a_n_train)
train_labels = np.asarray(train_labels)
np.save(store_path + "a_n_train.npy", a_n_train)
np.save(store_path + "train_labels.npy", train_labels)
else:
a_n_train = np.load(store_path + "a_n_train.npy")
train_labels = np.load(store_path + "train_labels.npy")
class_inds = {}
for i in range(10):
class_inds[i] = np.where(train_labels == i)[0]
kdes_store_path=store_path+'kdes.npy'
if os.path.exists(kdes_store_path):
kdes = np.load(kdes_store_path).item()
else:
kdes = {}
for i in range(10):
scott_bw = pow(len(a_n_train[class_inds[i]]), -1.0/(len(a_n_train[0])+4))
kdes[i] = KernelDensity(kernel='gaussian',
bandwidth=scott_bw).fit(a_n_train[class_inds[i]])
np.save(kdes_store_path, kdes)
lsa = []
dsa = []
c = set(range(len(train_labels)))
lsa_test_store_path=store_path+"lsa_test.npy"
dsa_test_store_path=store_path+"dsa_test.npy"
if os.path.exists(lsa_test_store_path) and os.path.exists(dsa_test_store_path):
lsa=np.load(lsa_test_store_path).tolist()
dsa=np.load(dsa_test_store_path).tolist()
else:
# X_test=X_test
n_batches = int(np.ceil(1.0 * X_test.shape[0] / 512))
for num in range(n_batches):
print(num)
start = num * 512
end = np.minimum(len(X_test), (num + 1) * 512)
batch_samples = X_test[start:end]
tf.reset_default_graph()
sess, preds, x, y, model, feed_dict = model_load(datasets=datasets, model_name=model_name, de=de,
attack=attack,
epoch=epoch)
batch_labels = model_argmax(sess, x, preds, batch_samples, feed=feed_dict)
a_n_test = at_training(sess, x, batch_samples, model, feed_dict, layer)
sess.close()
del sess, preds, x, y, model, feed_dict
gc.collect()
for i in range(len(batch_samples)):
kd_value = kdes[batch_labels[i]].score_samples(np.reshape(a_n_test[i],(1,-1)))[0] #/ len(a_n_train[class_inds[batch_labels[i]]])
lsa.append(-kd_value)
data = np.asarray([a_n_test[i]], dtype=np.float32)
batch = np.asarray(a_n_train[class_inds[batch_labels[i]]], dtype=np.float32)
# dist = np.linalg.norm(data - batch, axis=1)
dist = cdist(data, batch)[0]
dist_a = min(dist)
alpha_a = np.asarray([batch[np.argmin(dist)]])
c_i = set(class_inds[batch_labels[i]])
c_ni = list(c^c_i)
batch = np.asarray(a_n_train[c_ni], dtype=np.float32)
# dist_b = min(np.linalg.norm(alpha_a - batch, axis=1))
dist_b = min(cdist(alpha_a, batch)[0])
dsa.append(dist_a / dist_b)
np.save(store_path + "lsa_test.npy", np.asarray(lsa))
np.save(store_path + "dsa_test.npy", np.asarray(dsa))
upper_lsa_test=max(lsa)
lower_lsa_test = min(lsa)
upper_dsa_test=max(dsa)
lower_dsa_test = min(dsa)
if samples_path not in ['test']:
lsa = []
dsa = []
[image_list, _, _, _] = get_data_file(samples_path) # image_files, real_labels, predicted_labels
samples_adv = np.asarray(image_list)
n_batches = int(np.ceil(1.0 * samples_adv.shape[0] / 512))
for num in range(n_batches):
print(num)
start = num * 512
end = np.minimum(len(samples_adv), (num + 1) * 512)
batch_samples = samples_adv[start:end]
tf.reset_default_graph()
sess, preds, x, y, model, feed_dict = model_load(datasets=datasets, model_name=model_name, de=de,
attack=attack,
epoch=epoch)
batch_labels = model_argmax(sess, x, preds, batch_samples, feed=feed_dict)
a_n_adv = at_training(sess, x, batch_samples, model, feed_dict, layer)
sess.close()
del sess, preds, x, y, model, feed_dict
gc.collect()
for i in range(len(batch_samples)):
kd_value = kdes[batch_labels[i]].score_samples(np.reshape(a_n_adv[i],(1,-1)))[0] #/ len(a_n_train[class_inds[batch_labels[i]]])
lsa.append(-kd_value)
data = np.asarray([a_n_adv[i]], dtype=np.float32)
batch = np.asarray(a_n_train[class_inds[batch_labels[i]]], dtype=np.float32)
# dist = np.linalg.norm(data - batch, axis=1)
dist = cdist(data, batch)[0]
dist_a = min(dist)
alpha_a = np.asarray([batch[np.argmin(dist)]])
c_i = set(class_inds[batch_labels[i]])
c_ni = list(c ^ c_i)
batch = np.asarray(a_n_train[c_ni], dtype=np.float32)
# dist_b = min(np.linalg.norm(alpha_a - batch, axis=1))
dist_b = min(cdist(alpha_a, batch)[0])
dsa.append(dist_a / dist_b)
for i in range(len(lsa)):
lsa[i]=(lsa[i]-lower_lsa_test)/(upper_lsa_test-lower_lsa_test)
dsa[i]=(dsa[i]-lower_dsa_test)/(upper_dsa_test-lower_dsa_test)
lsa_mean = np.mean(lsa)
lsa_std = np.std(lsa)
dsa_mean = np.mean(dsa)
dsa_std = np.std(dsa)
half_section = int(num_section / 2)
n_section_lsa=np.zeros(num_section).astype('int64')
n_section_dsa=np.zeros(num_section).astype('int64')
for i in range(len(lsa)):
l = lsa[i]*half_section
d = dsa[i]*half_section
if math.ceil(l) < num_section and math.floor(l) >= 0:
if math.ceil(l) == math.floor(l):
n_section_lsa[int(l)-1]=1
else:
n_section_lsa[int(l)]=1
if math.ceil(d) < num_section and math.floor(d) >= 0:
if math.ceil(d) == math.floor(d):
n_section_dsa[int(d)-1]=1
else:
n_section_dsa[int(d)]=1
cov_lsa_1=1.0 * sum(n_section_lsa[:half_section])/(half_section)
cov_dsa_1=1.0 * sum(n_section_dsa[:half_section])/(half_section)
cov_lsa_2 = 1.0 * sum(n_section_lsa[half_section:]) / (half_section)
cov_dsa_2 = 1.0 * sum(n_section_dsa[half_section:]) / (half_section)
print([lsa_mean, lsa_std, cov_lsa_1, cov_lsa_2, upper_lsa_test,lower_lsa_test, dsa_mean, dsa_std, cov_dsa_1, cov_dsa_2, upper_dsa_test,lower_dsa_test])
return [lsa_mean, lsa_std, cov_lsa_1, cov_lsa_2, upper_lsa_test,lower_lsa_test, dsa_mean, dsa_std, cov_dsa_1, cov_dsa_2, upper_dsa_test,lower_dsa_test]
def nai(datasets,
model_name,
ration=0.1,
threshold=0.9,
batch_size=256,
epoch=9):
tf.reset_default_graph()
X_train, Y_train, X_test, Y_test = get_data(datasets)
input_shape, nb_classes = get_shape(datasets)
sess, preds, x, y, model, feed_dict = model_load(datasets,
model_name,
epoch=epoch)
eval_params = {'batch_size': batch_size}
accuracy = model_eval(sess,
x,
y,
preds,
X_test,
Y_test,
args=eval_params,
feed=feed_dict)
print('Test accuracy on legitimate test examples for original model: {0}'.
format(accuracy))
unique_neurons = 0
for layer in model.layers:
if "Conv2D" in layer.__class__.__name__:
unique_neurons += layer.output_channels
elif "Linear" in layer.__class__.__name__:
unique_neurons += layer.num_hid
#as for BN, it changes when Conv2D changes, so would make sure to invert the activation
indices = np.random.choice(unique_neurons,
int(unique_neurons * ration),
replace=False)
neurons_count = 0
for i in range(len(model.layers)):
layer = model.layers[i]
if "Conv2D" in layer.__class__.__name__:
unique_neurons_layer = layer.output_channels
mutated_neurons = set(indices) & set(
np.arange(neurons_count, neurons_count + unique_neurons_layer))
if mutated_neurons:
mutated_neurons = np.array(
list(mutated_neurons)) - neurons_count
kernel_shape = layer.kernel_shape
mutated_metrix = np.asarray([1.0] * unique_neurons_layer)
mutated_metrix[mutated_neurons] = -1.0
mutated_kernel = np.asarray(
[[[list(mutated_metrix)]] * kernel_shape[1]] *
kernel_shape[0])
update_kernel = tf.assign(
layer.kernels, mutated_kernel * sess.run(layer.kernels))
update_bias = tf.assign(layer.b,
mutated_metrix * sess.run(layer.b))
sess.run(update_kernel)
sess.run(update_bias)
if "BN" in model.layers[i + 1].__class__.__name__:
layer = model.layers[i + 1]
update_beta = tf.assign(
layer.beta, mutated_metrix * sess.run(layer.beta))
update_moving_mean = tf.assign(
layer.moving_mean,
mutated_metrix * sess.run(layer.moving_mean))
sess.run(update_beta)
sess.run(update_moving_mean)
neurons_count += unique_neurons_layer
elif "Linear" in layer.__class__.__name__:
unique_neurons_layer = layer.num_hid
mutated_neurons = set(indices) & set(
np.arange(neurons_count, neurons_count + unique_neurons_layer))
if mutated_neurons:
mutated_neurons = np.array(
list(mutated_neurons)) - neurons_count
input_shape = layer.input_shape[1]
mutated_metrix = np.asarray([1.0] * unique_neurons_layer)
mutated_metrix[mutated_neurons] = -1.0
mutated_weight = np.asarray([list(mutated_metrix)] *
input_shape)
weight = sess.run(layer.W)
update_weight = tf.assign(layer.W, mutated_weight * weight)
update_bias = tf.assign(layer.b,
mutated_metrix * sess.run(layer.b))
sess.run(update_weight)
sess.run(update_bias)
neurons_count += unique_neurons_layer
mutated_accuracy = model_eval(sess,
x,
y,
preds,
X_test,
Y_test,
args=eval_params,
feed=feed_dict)
print('Test accuracy on legitimate test examples for mutated model: {0}'.
format(mutated_accuracy))
if mutated_accuracy >= threshold * accuracy:
train_dir = os.path.join(path.mu_model_path, 'nai',
datasets + '_' + model_name, '0')
if not os.path.exists(train_dir):
os.makedirs(train_dir)
save_path = os.path.join(train_dir,
datasets + '_' + model_name + '.model')
saver = tf.train.Saver()
saver.save(sess, save_path)
sess.close()
def prepare_datasets(datasets, model_path, attack_type, sample_path):
print('Loading the data and model...')
# Load the model
sess, preds, x, y, model, feed_dict = model_load(datasets, model_path)
# Load the dataset
if 'mnist' == datasets:
train_start = 0
train_end = 60000
test_start = 0
test_end = 10000
# Get MNIST test data
X_train, Y_train, X_test, Y_test = data_mnist(train_start=train_start,
train_end=train_end,
test_start=test_start,
test_end=test_end)
elif 'cifar10' == datasets:
preprocess_image = preprocess_image_1
train_start = 0
train_end = 50000
test_start = 0
test_end = 10000
# Get CIFAR10 test data
X_train, Y_train, fn_train, X_test, Y_test, fn_test = data_cifar10(
train_start=train_start,
train_end=train_end,
test_start=test_start,
test_end=test_end,
preprocess=preprocess_image)
if attack_type == "normal":
# Refine the normal, noisy and adversarial sets to only include samples for
# which the original version was correctly classified by the model
preds_test = np.asarray([])
for i in range(40):
preds_test = np.concatenate(
(preds_test,
model_argmax(sess,
x,
preds,
X_test[i * 250:(i + 1) * 250],
feed=feed_dict)))
inds_correct = np.asarray(
np.where(preds_test == Y_test.argmax(axis=1))[0])
inds_correct = inds_correct[np.random.choice(len(inds_correct),
5000,
replace=False)]
X_test = X_test[inds_correct]
for i in range(4000):
imsave(
"../datasets/experiment/" + datasets + "/normal/train/" +
str(inds_correct[i]) + '_' +
str(int(preds_test[inds_correct[i]])) + '_' +
str(int(preds_test[inds_correct[i]])) + '_.png',
deprocess_image_1(X_test[i:i + 1]))
for j in range(1000):
imsave(
"../datasets/experiment/" + datasets + "/normal/test/" +
str(inds_correct[4000 + j]) + '_' +
str(int(preds_test[inds_correct[4000 + j]])) + '_' +
str(int(preds_test[inds_correct[4000 + j]])) + '_.png',
deprocess_image_1(X_test[4000 + j:4001 + j]))
elif attack_type == "error":
preds_test = np.asarray([])
for i in range(40):
preds_test = np.concatenate(
(preds_test,
model_argmax(sess,
x,
preds,
X_test[i * 250:(i + 1) * 250],
feed=feed_dict)))
inds_correct = np.asarray(
np.where(preds_test != Y_test.argmax(axis=1))[0])
X_test = X_test[inds_correct]
num = int(len(X_test) * 0.8)
for i in range(num):
imsave(
"../datasets/experiment/" + datasets + "/error/train/" +
str(inds_correct[i]) + '_' +
str(int(np.argmax(Y_test[inds_correct[i]]))) + '_' +
str(int(preds_test[inds_correct[i]])) + '_.png',
deprocess_image_1(X_test[i:i + 1]))
for j in range(len(X_test) - num):
imsave(
"../datasets/experiment/" + datasets + "/error/test/" +
str(inds_correct[num + j]) + '_' +
str(int(np.argmax(Y_test[inds_correct[num + j]]))) + '_' +
str(int(preds_test[inds_correct[num + j]])) + '_.png',
deprocess_image_1(X_test[num + j:num + 1 + j]))
else:
# Check attack type, select adversarial and noisy samples accordingly
print('Loading adversarial samples...')
# Load adversarial samplesx
[X_test_adv, adv_image_files, real_labels, predicted_labels
] = utils.get_data_mutation_test(sample_path + attack_type + '/' +
datasets)
if len(X_test_adv) > 5000:
index = np.asarray(range(len(X_test_adv)))
index = index[np.random.choice(len(index), 5000, replace=False)]
for i in range(4000):
imsave(
"../datasets/experiment/" + datasets + "/" + attack_type +
"/train/" + adv_image_files[index[i]],
X_test_adv[index[i]])
for j in range(1000):
imsave(
"../datasets/experiment/" + datasets + "/" + attack_type +
"/test/" + adv_image_files[index[4000 + j]],
X_test_adv[index[4000 + j]])
else:
index = np.asarray(range(len(X_test_adv)))
np.random.shuffle(index)
cut = int(len(X_test_adv) * 0.8)
for i in range(len(index)):
if i < cut:
imsave(
"../datasets/experiment/" + datasets + "/" +
attack_type + "/train/" + adv_image_files[index[i]],
X_test_adv[index[i]])
else:
imsave(
"../datasets/experiment/" + datasets + "/" +
attack_type + "/test/" + adv_image_files[index[i]],
X_test_adv[index[i]])
def choose_mu(attack='fgsm',
datasets='mnist',
total_num=10000,
model_name='lenet1',
mu_var='gf'):
tf.reset_default_graph()
tf.set_random_seed(1234)
config = tf.ConfigProto()
#config.gpu_options.per_process_gpu_memory_fraction = 0.7
config.gpu_options.allow_growth = True
sess = tf.Session(config=config)
X_train, Y_train, X_test, Y_test = get_data(datasets)
sess, preds, x, y, model, feed_dict = model_load(datasets,
model_name,
de=False,
epoch=9,
attack='fgsm',
mu=True,
mu_var=mu_var)
pre = model_prediction(sess,
x,
preds,
X_test,
feed=feed_dict,
datasets=datasets)
acc_pre_index = []
for i in range(0, pre.shape[0]):
if np.argmax(pre[i]) == np.argmax(Y_test[i]):
acc_pre_index.append(i)
input_shape, nb_classes = get_shape(datasets)
train_path = '../adv_result/' + datasets + '/' + attack + '/' + model_name
store_path_train = '../adv_result/mu_' + datasets + '/' + mu_var + '/' + attack + '/' + model_name + '/train_data'
store_path_test = '../adv_result/mu_' + datasets + '/' + mu_var + '/' + attack + '/' + model_name + '/test_data'
if not os.path.isdir(store_path_train):
os.makedirs(store_path_train)
if not os.path.isdir(store_path_test):
os.makedirs(store_path_test)
if datasets == 'cifar10':
if attack == 'fgsm':
step_size = [0.01, 0.02, 0.03]
for s in range(0, len(step_size)):
samples_path = train_path + '/' + str(step_size[s])
[image_list, image_files, real_labels,
predicted_labels] = get_data_file(samples_path)
samples_adv = np.asarray(image_list)
result = model_prediction(sess,
x,
preds,
samples_adv,
feed=feed_dict,
datasets=datasets)
ind_file = []
for i in range(len(image_list)):
ind_file.append(image_files[i].split('_')[0])
ind = []
for i in range(len(image_list)):
nn = int(image_files[i].split('_')[0])
if (nn in acc_pre_index) and (predicted_labels[i]
== np.argmax(result[i])):
ind.append(image_files[i].split('_')[0])
for i in range(0, int(math.ceil(X_test.shape[0] / 6))):
if str(i) in ind:
i_index = ind_file.index(str(i))
image_files[i_index] = str(
step_size[s]) + '_' + image_files[i_index]
test_p = store_path_test + '/' + image_files[i_index]
np.save(test_p, image_list[i_index])
for i in range(int(math.ceil(X_test.shape[0] / 6)),
X_test.shape[0]):
if str(i) in ind:
i_index = ind_file.index(str(i))
image_files[i_index] = str(
step_size[s]) + '_' + image_files[i_index]
train_p = store_path_train + '/' + image_files[i_index]
np.save(train_p, image_list[i_index])
if attack == 'cw':
targets = [0, 1, 2, 3, 4, 5, 6, 7, 8, 9]
cw_ini_cons = [0.1, 0.2, 0.3]
for t in range(0, len(targets)):
for c in range(0, len(cw_ini_cons)):
samples_path = train_path + '/' + str(
cw_ini_cons[c]) + '_' + str(targets[t])
[image_list, image_files, real_labels,
predicted_labels] = get_data_file(samples_path)
samples_adv = np.asarray(image_list)
result = model_prediction(sess,
x,
preds,
samples_adv,
feed=feed_dict,
datasets=datasets)
ind_file = []
for i in range(len(image_list)):
ind_file.append(image_files[i].split('_')[0])
ind = []
for i in range(len(image_list)):
nn = int(image_files[i].split('_')[0])
if (nn in acc_pre_index) and (predicted_labels[i]
== np.argmax(result[i])):
ind.append(image_files[i].split('_')[0])
for i in range(1000 * t,
1000 * t + int(math.ceil(1000 / 6))):
if str(i) in ind:
i_index = ind_file.index(str(i))
image_files[i_index] = str(
cw_ini_cons[c]) + '_' + image_files[i_index]
test_p = store_path_test + '/' + image_files[
i_index]
np.save(test_p, image_list[i_index])
for i in range(1000 * t + int(math.ceil(1000 / 6), 1000 *
(t + 1))):
if str(i) in ind:
i_index = ind_file.index(str(i))
image_files[i_index] = str(
cw_ini_cons[c]) + '_' + image_files[i_index]
train_p = store_path_train + '/' + image_files[
i_index]
np.save(train_p, image_list[i_index])
if attack == 'jsma':
targets = [0, 1, 2, 3, 4, 5, 6, 7, 8, 9]
jsma_var = [0.09, 0.1, 0.11]
for t in range(0, len(targets)):
for c in range(0, len(jsma_var)):
samples_path = train_path + '/' + str(
jsma_var[c]) + '_' + str(targets[t])
[image_list, image_files, real_labels,
predicted_labels] = get_data_file(samples_path)
samples_adv = np.asarray(image_list)
result = model_prediction(sess,
x,
preds,
samples_adv,
feed=feed_dict,
datasets=datasets)
ind_file = []
for i in range(len(image_list)):
ind_file.append(image_files[i].split('_')[0])
ind = []
for i in range(len(image_list)):
nn = int(image_files[i].split('_')[0])
if (nn in acc_pre_index) and (predicted_labels[i]
== np.argmax(result[i])):
ind.append(image_files[i].split('_')[0])
for i in range(1000 * t,
1000 * t + int(math.ceil(1000 / 6))):
if str(i) in ind:
i_index = ind_file.index(str(i))
image_files[i_index] = str(
jsma_var[c]) + '_' + image_files[i_index]
test_p = store_path_test + '/' + image_files[
i_index]
np.save(test_p, image_list[i_index])
for i in range(1000 * t + int(math.ceil(1000 / 6)),
1000 * (t + 1)):
if str(i) in ind:
i_index = ind_file.index(str(i))
image_files[i_index] = str(
jsma_var[c]) + '_' + image_files[i_index]
train_p = store_path_train + '/' + image_files[
i_index]
np.save(train_p, image_list[i_index])
if datasets == 'mnist':
if attack == 'fgsm':
step_size = [0.2, 0.3, 0.4]
for s in range(0, len(step_size)):
samples_path = train_path + '/' + str(step_size[s])
[image_list, image_files, real_labels,
predicted_labels] = get_data_file(samples_path)
samples_adv = np.asarray(image_list)
result = model_prediction(sess,
x,
preds,
samples_adv,
feed=feed_dict,
datasets=datasets)
ind_file = []
for i in range(len(image_list)):
ind_file.append(image_files[i].split('_')[0])
ind = []
for i in range(len(image_list)):
nn = int(image_files[i].split('_')[0])
if (nn in acc_pre_index) and (predicted_labels[i]
== np.argmax(result[i])):
ind.append(image_files[i].split('_')[0])
for i in range(0, int(math.ceil(X_test.shape[0] / 7))):
if str(i) in ind:
i_index = ind_file.index(str(i))
image_files[i_index] = str(
step_size[s]) + '_' + image_files[i_index]
test_p = store_path_test + '/' + image_files[i_index]
np.save(test_p, image_list[i_index])
for i in range(int(math.ceil(X_test.shape[0] / 7)),
X_test.shape[0]):
if str(i) in ind:
i_index = ind_file.index(str(i))
image_files[i_index] = str(
step_size[s]) + '_' + image_files[i_index]
train_p = store_path_train + '/' + image_files[i_index]
np.save(train_p, image_list[i_index])
if attack == 'cw':
targets = [0, 1, 2, 3, 4, 5, 6, 7, 8, 9]
cw_ini_cons = [9, 10, 11]
for t in range(0, len(targets)):
for c in range(0, len(cw_ini_cons)):
samples_path = train_path + '/' + str(
cw_ini_cons[c]) + '_' + str(targets[t])
[image_list, image_files, real_labels,
predicted_labels] = get_data_file(samples_path)
samples_adv = np.asarray(image_list)
result = model_prediction(sess,
x,
preds,
samples_adv,
feed=feed_dict,
datasets=datasets)
ind_file = []
for i in range(len(image_list)):
ind_file.append(image_files[i].split('_')[0])
ind = []
for i in range(len(image_list)):
nn = int(image_files[i].split('_')[0])
if (nn in acc_pre_index) and (predicted_labels[i]
== np.argmax(result[i])):
ind.append(image_files[i].split('_')[0])
for i in range(1000 * t,
1000 * t + int(math.ceil(1000 / 7))):
if str(i) in ind:
i_index = ind_file.index(str(i))
image_files[i_index] = str(
cw_ini_cons[c]) + '_' + image_files[i_index]
test_p = store_path_test + '/' + image_files[
i_index]
np.save(test_p, image_list[i_index])
for i in range(1000 * t + int(math.ceil(1000 / 7)),
1000 * (t + 1)):
if str(i) in ind:
i_index = ind_file.index(str(i))
image_files[i_index] = str(
cw_ini_cons[c]) + '_' + image_files[i_index]
train_p = store_path_train + '/' + image_files[
i_index]
np.save(train_p, image_list[i_index])
if attack == 'jsma':
targets = [0, 1, 2, 3, 4, 5, 6, 7, 8, 9]
jsma_var = [0.09, 0.1, 0.11]
for t in range(0, len(targets)):
for c in range(0, len(jsma_var)):
samples_path = train_path + '/' + str(
jsma_var[c]) + '_' + str(targets[t])
[image_list, image_files, real_labels,
predicted_labels] = get_data_file(samples_path)
samples_adv = np.asarray(image_list)
result = model_prediction(sess,
x,
preds,
samples_adv,
feed=feed_dict,
datasets=datasets)
ind_file = []
for i in range(len(image_list)):
ind_file.append(image_files[i].split('_')[0])
ind = []
for i in range(len(image_list)):
nn = int(image_files[i].split('_')[0])
if (nn in acc_pre_index) and (predicted_labels[i]
== np.argmax(result[i])):
ind.append(image_files[i].split('_')[0])
for i in range(1000 * t,
1000 * t + int(math.ceil(1000 / 7))):
if str(i) in ind:
i_index = ind_file.index(str(i))
image_files[i_index] = str(
jsma_var[c]) + '_' + image_files[i_index]
test_p = store_path_test + '/' + image_files[
i_index]
np.save(test_p, image_list[i_index])
for i in range(1000 * t + int(math.ceil(1000 / 7)),
1000 * (t + 1)):
if str(i) in ind:
i_index = ind_file.index(str(i))
image_files[i_index] = str(
jsma_var[c]) + '_' + image_files[i_index]
train_p = store_path_train + '/' + image_files[
i_index]
np.save(train_p, image_list[i_index])
def detect_adv_samples(datasets, model_path, sample_path, store_path,
attack_type):
print('Loading the data and model...')
# Load the model
sess, preds, x, y, model, feed_dict = model_load(datasets, model_path)
# # Load the dataset
if 'mnist' == datasets:
train_start = 0
train_end = 60000
test_start = 0
test_end = 10000
# Get MNIST test data
X_train, Y_train, X_test, Y_test = data_mnist(train_start=train_start,
train_end=train_end,
test_start=test_start,
test_end=test_end)
elif 'cifar10' == datasets:
preprocess_image = preprocess_image_1
train_start = 0
train_end = 50000
test_start = 0
test_end = 10000
# Get CIFAR10 test data
X_train, Y_train, fn_train, X_test, Y_test, fn_test = data_cifar10(
train_start=train_start,
train_end=train_end,
test_start=test_start,
test_end=test_end,
preprocess=preprocess_image)
# # Refine the normal, noisy and adversarial sets to only include samples for
# # which the original version was correctly classified by the model
# preds_test = model_argmax(sess, x, preds, X_test, feed=feed_dict)
# inds_correct = np.where(preds_test == Y_test.argmax(axis=1))[0]
# X_test = X_test[inds_correct]
# X_test = X_test[np.random.choice(len(X_test), 500)]#500
#
# # Check attack type, select adversarial and noisy samples accordingly
# print('Loading adversarial samples...')
# # Load adversarial samplesx
# [X_test_adv, adv_image_files, real_labels, predicted_labels] = utils.get_data_mutation_test(sample_path)
# X_test_adv = preprocess_image_1(np.asarray(X_test_adv).astype('float32'))
# if len(X_test_adv.shape) < 4:
# X_test_adv = np.expand_dims(X_test_adv, axis=3)
[X_test_adv_train, adv_image_files, real_labels, predicted_labels
] = utils.get_data_mutation_test("../datasets/experiment/" + datasets +
"/" + attack_type + "/train")
[X_test_adv_test, adv_image_files, real_labels, predicted_labels
] = utils.get_data_mutation_test("../datasets/experiment/" + datasets +
"/" + attack_type + "/test")
train_num = len(X_test_adv_train)
test_num = len(X_test_adv_test)
X_test_adv = preprocess_image_1(
np.concatenate((np.asarray(X_test_adv_train),
np.asarray(X_test_adv_test))).astype('float32'))
if len(X_test_adv.shape) < 4:
X_test_adv = np.expand_dims(X_test_adv, axis=3)
[X_test_train, adv_image_files, real_labels,
predicted_labels] = utils.get_data_normal_test("../datasets/experiment/" +
datasets + "/normal/train")
[X_test_test, adv_image_files, real_labels,
predicted_labels] = utils.get_data_normal_test("../datasets/experiment/" +
datasets + "/normal/test")
X_test_train = np.asarray(X_test_train)[np.random.choice(len(X_test_train),
train_num,
replace=False)]
X_test_test = np.asarray(X_test_test)[np.random.choice(len(X_test_test),
test_num,
replace=False)]
X_test = preprocess_image_1(
np.concatenate((np.asarray(X_test_train),
np.asarray(X_test_test))).astype('float32'))
if len(X_test.shape) < 4:
X_test = np.expand_dims(X_test, axis=3)
## Get Bayesian uncertainty scores
print('Getting Monte Carlo dropout variance predictions...')
uncerts_normal = get_mc_predictions(sess, x, preds,
X_test).var(axis=0).mean(axis=1)
uncerts_adv = get_mc_predictions(sess, x, preds,
X_test_adv).var(axis=0).mean(axis=1)
## Get KDE scores
# Get deep feature representations
print('Getting deep feature representations...')
X_train_features = get_deep_representations(sess, x, X_train, model,
feed_dict)
X_test_normal_features = get_deep_representations(sess, x, X_test, model,
feed_dict)
X_test_adv_features = get_deep_representations(sess, x, X_test_adv, model,
feed_dict)
# Train one KDE per class
print('Training KDEs...')
class_inds = {}
for i in range(Y_train.shape[1]):
class_inds[i] = np.where(Y_train.argmax(axis=1) == i)[0]
kdes = {}
warnings.warn(
"Using pre-set kernel bandwidths that were determined "
"optimal for the specific CNN models of the paper. If you've "
"changed your model, you'll need to re-optimize the "
"bandwidth.")
for i in range(Y_train.shape[1]):
kdes[i] = KernelDensity(kernel='gaussian',
bandwidth=BANDWIDTHS[datasets]) \
.fit(X_train_features[class_inds[i]])
# Get model predictions
print('Computing model predictions...')
preds_test_normal = model_argmax(sess, x, preds, X_test, feed=feed_dict)
preds_test_adv = model_argmax(sess, x, preds, X_test_adv, feed=feed_dict)
# Get density estimates
print('computing densities...')
densities_normal = score_samples(kdes, X_test_normal_features,
preds_test_normal)
densities_adv = score_samples(kdes, X_test_adv_features, preds_test_adv)
uncerts_pos = uncerts_adv[:]
uncerts_neg = uncerts_normal[:]
characteristics, labels = merge_and_generate_labels(
uncerts_pos, uncerts_neg)
file_name = os.path.join('../detection/bu/',
"%s_%s.npy" % (datasets, attack_type))
data = np.concatenate((characteristics, labels), axis=1)
np.save(file_name, data)
densities_pos = densities_adv[:]
densities_neg = densities_normal[:]
characteristics, labels = merge_and_generate_labels(
densities_pos, densities_neg)
file_name = os.path.join(
'../detection/de/',
"%s_%s_%.4f.npy" % (datasets, attack_type, BANDWIDTHS[datasets]))
data = np.concatenate((characteristics, labels), axis=1)
np.save(file_name, data)
## Z-score the uncertainty and density values
uncerts_normal_z, uncerts_adv_z = normalize(uncerts_normal, uncerts_adv)
densities_normal_z, densities_adv_z = normalize(densities_normal,
densities_adv)
## Build detector
values, labels = features(densities_pos=densities_adv_z,
densities_neg=densities_normal_z,
uncerts_pos=uncerts_adv_z,
uncerts_neg=uncerts_normal_z)
X_tr, Y_tr, X_te, Y_te = block_split(values, labels, train_num)
lr = train_lr(X_tr, Y_tr)
## Evaluate detector
# Compute logistic regression model predictions
probs = lr.predict_proba(X_te)[:, 1]
preds = lr.predict(X_te)
# Compute AUC
n_samples = int(len(X_te) / 2)
# The first 2/3 of 'probs' is the negative class (normal and noisy samples),
# and the last 1/3 is the positive class (adversarial samples).
_, _, auc_score = compute_roc(probs_neg=probs[:n_samples],
probs_pos=probs[n_samples:])
precision = precision_score(Y_te, preds)
recall = recall_score(Y_te, preds)
y_label_pred = lr.predict(X_te)
acc = accuracy_score(Y_te, y_label_pred)
print(
'Detector ROC-AUC score: %0.4f, accuracy: %.4f, precision: %.4f, recall: %.4f'
% (auc_score, acc, precision, recall))
def batch_attack(datasets, attack, model_path, store_path, nb_classes):
if 'mnist' == datasets:
train_start = 0
train_end = 60000
test_start = 0
test_end = 10000
# Get MNIST test data
X_train, Y_train, X_test, Y_test = data_mnist(train_start=train_start,
train_end=train_end,
test_start=test_start,
test_end=test_end)
elif 'cifar10' == datasets:
preprocess_image = preprocess_image_1
train_start = 0
train_end = 50000
test_start = 0
test_end = 10000
# Get CIFAR10 test data
X_train, Y_train, fn_train, X_test, Y_test, fn_test = data_cifar10(
train_start=train_start,
train_end=train_end,
test_start=test_start,
test_end=test_end,
preprocess=preprocess_image)
elif 'svhn' == datasets:
# choose the method of preprocess image
preprocess_image = preprocess_image_1
train_start = 0
train_end = 73257
test_start = 0
test_end = 26032
# Get SVHN test data
X_train, Y_train, X_test, Y_test = data_svhn(
train_start=train_start,
train_end=train_end,
test_start=test_start,
test_end=test_end,
preprocess=preprocess_image)
store_path = store_path + attack + '/' + datasets
sample_path = '../datasets/integration/batch_attack/' + datasets + '/'
sess, preds, x, y, model, feed_dict = model_load(datasets, model_path)
if os.listdir(sample_path) == []:
for i in range(len(X_test)):
sample = X_test[i:i + 1]
path = sample_path + str(i) + '.png'
imsave(path, deprocess_image_1(sample))
current_img = ndimage.imread(path)
img = np.expand_dims(
preprocess_image_1(current_img.astype('float64')), 0)
p = model_argmax(sess, x, preds, img, feed=feed_dict)
if p != Y_test[i].argmax(axis=0):
os.remove(path)
# for i in range(len(X_test)):
# sample = X_test[i:i+1]
# if model_argmax(sess, x, preds, sample, feed=feed_dict) == Y_test[i].argmax(axis=0):
# path = sample_path + str(i) + '.png'
# imsave(path, deprocess_image_1(sample))
sess.close()
samples = os.listdir(sample_path)
for sample in samples:
tf.reset_default_graph()
if 'blackbox' == attack:
blackbox(datasets=datasets,
sample_path=sample_path + sample,
model_path=model_path,
store_path=store_path,
nb_classes=nb_classes)
elif 'fgsm' == attack:
fgsm(datasets=datasets,
sample_path=sample_path + sample,
model_path=model_path,
store_path=store_path,
nb_classes=nb_classes)
else:
i = int(sample.split('.')[-2])
for j in range(nb_classes):
tf.reset_default_graph()
if Y_test[i][j] == 0:
if 'jsma' == attack:
jsma(datasets=datasets,
sample_path=sample_path + sample,
target=j,
model_path=model_path,
store_path=store_path,
nb_classes=nb_classes)
if 'cw' == attack:
cw(datasets=datasets,
sample_path=sample_path + sample,
target=j,
model_path=model_path,
store_path=store_path,
nb_classes=nb_classes)
def ric(datasets, model, samples_path, quality, epoch=49):
"""
:param datasets
:param model
:param samples_path
:return:
"""
# Object used to keep track of (and return) key accuracies
sess, preds, x, y, model, feed_dict = model_load(datasets,
model,
epoch=epoch)
[image_list, image_files, real_labels,
predicted_labels] = get_data_file(samples_path)
ori_path = samples_path.replace('test_data', 'ric_ori')
if not os.path.exists(ori_path):
os.makedirs(ori_path)
ic_path = samples_path.replace('test_data', 'ric_ic')
if not os.path.exists(ic_path):
os.makedirs(ic_path)
count = 0
for i in range(len(image_list)):
#jj=np.asarray(image_list[i:i+1])
#print(jj.shape)
if datasets == 'mnist':
adv_img_deprocessed = deprocess_image_1(
np.asarray(image_list[i:i + 1]))[0]
elif datasets == 'cifar10':
adv_img_deprocessed = deprocess_image_1(
np.asarray(image_list[i:i + 1]))
saved_adv_image_path = os.path.join(
ori_path, image_files[i].replace("npy", "png"))
imsave(saved_adv_image_path, adv_img_deprocessed)
output_IC_path = os.path.join(ic_path,
image_files[i].replace("npy", "jpg"))
cmd = '../../guetzli/bin/Release/guetzli --quality {} {} {}'.format(
quality, saved_adv_image_path, output_IC_path)
assert os.system(
cmd
) == 0, 'guetzli tool should be install before, https://github.com/google/guetzli'
if datasets == 'cifar10':
IC_image = Image.open(output_IC_path).convert('RGB')
IC_image = np.asarray(
[np.array(IC_image).astype('float32') / 255.0])
#IC_image=IC_image.reshape(32, 32, 3)
elif datasets == 'mnist':
IC_image = Image.open(output_IC_path).convert('L')
IC_image = np.expand_dims(np.array(IC_image).astype('float32'),
axis=0) / 255.0
IC_image = IC_image.reshape(-1, 28, 28, 1)
if model_argmax(sess, x, preds, IC_image, feed=feed_dict) != int(
real_labels[i]):
count = count + 1
result = 1.0 * count / len(image_list)
print('Robustness to image compression is %.4f' % (result))
# Close TF session
sess.close()
return result
def ws(datasets,
model_name,
ration=0.1,
threshold=0.9,
batch_size=256,
epoch=9):
tf.reset_default_graph()
X_train, Y_train, X_test, Y_test = get_data(datasets)
input_shape, nb_classes = get_shape(datasets)
sess, preds, x, y, model, feed_dict = model_load(datasets,
model_name,
epoch=epoch)
eval_params = {'batch_size': batch_size}
accuracy = model_eval(sess,
x,
y,
preds,
X_test,
Y_test,
args=eval_params,
feed=feed_dict)
print('Test accuracy on legitimate test examples for original model: {0}'.
format(accuracy))
unique_neurons = 0
for layer in model.layers:
if "Conv2D" in layer.__class__.__name__:
unique_neurons += layer.output_channels
elif "Linear" in layer.__class__.__name__:
unique_neurons += layer.num_hid
# every BN neuron only connected with a previous neuron
indices = np.random.choice(unique_neurons,
int(unique_neurons * ration),
replace=False)
neurons_count = 0
for i in range(len(model.layers)):
layer = model.layers[i]
if "Conv2D" in layer.__class__.__name__:
unique_neurons_layer = layer.output_channels
mutated_neurons = set(indices) & set(
np.arange(neurons_count, neurons_count + unique_neurons_layer))
if mutated_neurons:
mutated_neurons = np.array(
list(mutated_neurons)) - neurons_count
current_weights = sess.run(layer.kernels).transpose(
[3, 0, 1, 2])
for neuron in mutated_neurons:
old_data = current_weights[neuron].reshape(-1)
shuffle_index = np.arange(len(old_data))
np.random.shuffle(shuffle_index)
new_data = old_data[shuffle_index].reshape(
layer.kernels.shape[0], layer.kernels.shape[1],
layer.kernels.shape[2])
current_weights[neuron] = new_data
update_weights = tf.assign(
layer.kernels, current_weights.transpose([1, 2, 3, 0]))
sess.run(update_weights)
neurons_count += unique_neurons_layer
elif "Linear" in layer.__class__.__name__:
unique_neurons_layer = layer.num_hid
mutated_neurons = set(indices) & set(
np.arange(neurons_count, neurons_count + unique_neurons_layer))
if mutated_neurons:
mutated_neurons = np.array(
list(mutated_neurons)) - neurons_count
current_weights = sess.run(layer.W).transpose([1, 0])
for neuron in mutated_neurons:
old_data = current_weights[neuron]
shuffle_index = np.arange(len(old_data))
np.random.shuffle(shuffle_index)
new_data = old_data[shuffle_index]
current_weights[neuron] = new_data
update_weights = tf.assign(layer.W,
current_weights.transpose([1, 0]))
sess.run(update_weights)
neurons_count += unique_neurons_layer
mutated_accuracy = model_eval(sess,
x,
y,
preds,
X_test,
Y_test,
args=eval_params,
feed=feed_dict)
print('Test accuracy on legitimate test examples for mutated model: {0}'.
format(mutated_accuracy))
if mutated_accuracy >= threshold * accuracy:
train_dir = os.path.join(path.mu_model_path, 'ws',
datasets + '_' + model_name, '0')
if not os.path.exists(train_dir):
os.makedirs(train_dir)
save_path = os.path.join(train_dir,
datasets + '_' + model_name + '.model')
saver = tf.train.Saver()
saver.save(sess, save_path)
sess.close()
def mutation_tutorial(datasets,
attack,
sample_path,
store_path,
model_path,
level=1,
test_num=100,
mutation_number=1000,
mutated=False):
if 'mnist' == datasets:
train_start = 0
train_end = 60000
test_start = 0
test_end = 10000
# Get MNIST test data
X_train, Y_train, X_test, Y_test = data_mnist(train_start=train_start,
train_end=train_end,
test_start=test_start,
test_end=test_end)
elif 'cifar10' == datasets:
preprocess_image = preprocess_image_1
train_start = 0
train_end = 50000
test_start = 0
test_end = 10000
# Get CIFAR10 test data
X_train, Y_train, fn_train, X_test, Y_test, fn_test = data_cifar10(
train_start=train_start,
train_end=train_end,
test_start=test_start,
test_end=test_end,
preprocess=preprocess_image)
elif 'svhn' == datasets:
# choose the method of preprocess image
preprocess_image = preprocess_image_1
train_start = 0
train_end = 73257
test_start = 0
test_end = 26032
# Get SVHN test data
X_train, Y_train, X_test, Y_test = data_svhn(
train_start=train_start,
train_end=train_end,
test_start=test_start,
test_end=test_end,
preprocess=preprocess_image)
sess, preds, x, y, model, feed_dict = model_load(datasets,
model_path + datasets)
# Generate random matution matrix for mutations
store_path = store_path + attack + '/' + datasets + '/' + str(level)
if not os.path.exists(store_path):
os.makedirs(store_path)
result = ''
sample_path = sample_path + attack + '/' + datasets
[image_list, image_files, real_labels,
predicted_labels] = utils.get_data_mutation_test(sample_path)
index = np.random.choice(len(image_files), test_num, replace=False)
image_list = np.asarray(image_list)[index]
image_files = np.asarray(image_files)[index].tolist()
predicted_labels = np.asarray(predicted_labels)[index].tolist()
seed_number = len(image_list)
if datasets == 'mnist':
img_rows = 28
img_cols = 28
mutation_test = MutationTest(img_rows, img_cols, seed_number,
mutation_number, level)
mutation_test.mutation_generate(mutated, store_path,
utils.generate_value_1)
elif datasets == 'cifar10' or datasets == 'svhn':
img_rows = 32
img_cols = 32
mutation_test = MutationTest(img_rows, img_cols, seed_number,
mutation_number, level)
mutation_test.mutation_generate(mutated, store_path,
utils.generate_value_3)
store_string, result = mutation_test.mutation_test_adv(
preprocess_image_1, result, image_list, predicted_labels, sess, x,
preds, image_files, feed_dict)
with open(store_path + "/adv_result.csv", "w") as f:
f.write(store_string)
path = store_path + '/ori_jsma'
if not os.path.exists(path):
os.makedirs(path)
preds_test = np.asarray([])
for i in range(40):
preds_test = np.concatenate(
(preds_test,
model_argmax(sess,
x,
preds,
X_test[i * 250:(i + 1) * 250],
feed=feed_dict)))
inds_correct = np.asarray(np.where(preds_test == Y_test.argmax(axis=1))[0])
inds_correct = inds_correct[np.random.choice(len(inds_correct),
test_num,
replace=False)]
image_list = X_test[inds_correct]
real_labels = Y_test[inds_correct].argmax(axis=1)
np.save(path + '/ori_x.npy', np.asarray(image_list))
np.save(path + '/ori_y.npy', np.asarray(real_labels))
image_list = np.load(path + '/ori_x.npy')
real_labels = np.load(path + '/ori_y.npy')
store_string, result = mutation_test.mutation_test_ori(
result, image_list, sess, x, preds, feed_dict)
with open(store_path + "/ori_result.csv", "w") as f:
f.write(store_string)
with open(store_path + "/result.csv", "w") as f:
f.write(result)
# Close TF session
sess.close()
print('Finish.')
def multi_testing_criteria(datasets,
model_name,
samples_path,
others='',
train_num=0,
test_num=0,
std_range=0.0,
k_n=1000,
k_l=2,
de=False,
attack='fgsm',
just_adv=False,
epoch=4,
datasettype='test'):
"""
:param datasets
:param model
:param samples_path
:param std_range
:param k_n
:param k_l
:return:
"""
X_train, Y_train, X_test, Y_test = get_data(datasets)
X_train = X_train[:train_num]
if datasettype == 'train':
samples = X_train[:train_num]
else:
samples = X_test[:test_num]
if samples_path not in ['test']:
if not just_adv:
[image_list, _, _, _] = get_data_file(samples_path)
samples_adv = np.asarray(image_list)
samples = np.concatenate((samples, samples_adv))
print("Combine data")
else:
[image_list, _, _, _] = get_data_file(samples_path)
samples = np.asarray(image_list)
print("Just adv")
if de == True:
train_boundary_path = '../adv_result/' + datasets + '/' + attack + '/' + model_name + '/train_data'
[image_list_train, _, _, _] = get_data_file(train_boundary_path)
samples_train = np.asarray(image_list_train)
X_train_boundary = np.concatenate((samples_train, X_train))
store_path = "../multi_testing_criteria/" + datasets + "/" + model_name + "/" + attack + '/'
else:
X_train_boundary = X_train
store_path = "../multi_testing_criteria/" + datasets + "/" + model_name + "/ori/"
if not os.path.exists(store_path):
os.makedirs(store_path)
tf.reset_default_graph()
sess, preds, x, y, model, feed_dict = model_load(datasets=datasets,
model_name=model_name,
de=de,
attack=attack,
epoch=epoch,
others=others)
boundary = neuron_boundary(sess, x, X_train_boundary, model, feed_dict)
sess.close()
del sess, preds, x, y, model, feed_dict
gc.collect()
np.save(store_path + "boundary.npy", np.asarray(boundary))
else:
boundary = np.load(store_path + "boundary.npy").tolist()
k_coverage, boundary_coverage, neuron_number = init_coverage_metric(
boundary, k_n)
if samples_path == 'test':
if datasettype == 'train':
store_path = store_path + 'train/'
else:
store_path = store_path + 'test/'
else:
if datasettype == 'train':
store_path = store_path + 'train_adv' + samples_path.split(
'/')[-3] + '/'
else:
store_path = store_path + 'test_adv' + samples_path.split(
'/')[-3] + '/'
if not os.path.exists(store_path):
cal = True
os.makedirs(store_path)
else:
cal = False
NP = []
n_batches = int(np.ceil(1.0 * samples.shape[0] / 256))
for num in range(n_batches):
print(num)
start = num * 256
end = np.minimum(len(samples), (num + 1) * 256)
if cal:
input_data = samples[start:end]
tf.reset_default_graph()
sess, preds, x, y, model, feed_dict = model_load(
datasets=datasets,
model_name=model_name,
de=de,
attack=attack,
epoch=epoch,
others=others)
layers_output = calculate_layers(sess, x, model, feed_dict,
input_data, store_path, num)
sess.close()
del sess, preds, x, y, model, feed_dict, input_data
gc.collect()
else:
layers_output = np.load(store_path + 'layers_output_' + str(num) +
'.npy')
k_coverage, boundary_coverage = update_multi_coverage_neuron(
layers_output, k_n, boundary, k_coverage, boundary_coverage,
std_range)
layer_coverage = calculate_coverage_layer(layers_output, k_l,
end - start)
if num == 0:
layer = [set([])] * layer_coverage.shape[0]
for i in range(len(layer_coverage)):
for j in range(len(layer_coverage[i])):
# |表示按位运算
layer[i] = layer[i] | layer_coverage[i][j]
sample_coverage = np.transpose(layer_coverage, (1, 0))
for i in range(len(sample_coverage)):
sc = sample_coverage[i].tolist()
if sc not in NP:
NP.append(sc)
del layers_output
gc.collect()
KMN = 0
NB = 0
SNA = 0
for i in range(len(k_coverage)):
for j in range(len(k_coverage[i])):
for t in range(len(k_coverage[i][j])):
if k_coverage[i][j][t] > 0:
KMN += 1
if boundary_coverage[i][j][1] > 0:
NB += 1
SNA += 1
if boundary_coverage[i][j][0] > 0:
NB += 1
KMN = 1.0 * KMN / (k_n * neuron_number)
NB = 1.0 * NB / (2 * neuron_number)
SNA = 1.0 * SNA / neuron_number
TKNC = sum(len(neurons) for neurons in layer)
TKNC = 1.0 * TKNC / neuron_number
TKNP = len(NP)
print([KMN, NB, SNA, TKNC, TKNP])
return [KMN, NB, SNA, TKNC, TKNP]