def _thread_fun(self, thread_id):
# create a thread-specifc RNG
rng = randomgen.RandomGenerator(randomgen.Xoroshiro128(seed=20 + thread_id))
rnd_normal = None
rnd_perlin = None
t = threading.currentThread()
while getattr(t, 'do_run', True):
# Prepare one of each sampling patterns
if rnd_normal is None:
rnd_normal = rng.standard_normal(size=self.shape, dtype='float32')
rnd_normal /= np.linalg.norm(rnd_normal)
if rnd_perlin is None:
rnd_perlin = create_perlin_noise(px=self.shape[0], color=self.perlin_color, batch_size=1,
normalize=True, precalc_fade=self.perlin_fade)[0]
# Lock and put them into the queues.
with self.cv_not_full:
if len(self.queue_normal) >= self.queue_lengths and len(self.queue_perlin) >= self.queue_lengths:
self.cv_not_full.wait()
# Fill one or both queues.
if len(self.queue_normal) < self.queue_lengths:
self.queue_normal.append(rnd_normal)
rnd_normal = None
if len(self.queue_perlin) < self.queue_lengths:
self.queue_perlin.append(rnd_perlin)
rnd_perlin = None
self.cv_not_empty.notify_all()
def sample_std_normal(thread_id, shape, dtype):
# create a thread-specifc RNG
rng = randomgen.RandomGenerator(
randomgen.Xoroshiro128(seed=20 + thread_id))
t = threading.currentThread()
while getattr(t, 'do_run', True):
rnd_normal = rng.standard_normal(size=shape, dtype=dtype)
rnd_normal_queue.put(rnd_normal)
def isAdvOrNot(net, image, A, B, N_i, n_components):
'''takes a single in image as pca vector'''
is_adv = 0
itr = 1
adv_ratio = 1
rng = randomgen.RandomGenerator()
img_act = pca.inverse_transform(image)
initial_vector = logit2probab(net.forward(np.reshape(img_act, (1, 32, 32, 3))))
#plt.imshow(np.reshape(img_act, (32, 32, 3))/255)
#plt.show()
while(is_adv == 0 and itr < N_i+1):
'''perturb'''
'''assuming dimension 3072'''
perturbation = rng.standard_normal(size=(n_components,), dtype=trans_x.dtype)
new_x = np.copy(image)
new_x[(3072-n_components):] += 10*perturbation
inv_x = pca.inverse_transform(new_x)
invx = np.reshape(inv_x,(1,32,32,3))
tmp_pred = net.forward(np.reshape(invx, (1,32,32,3)))
prob_vec = logit2probab(tmp_pred)
#plt.imshow(np.reshape(invx, (32, 32, 3))/255)
#plt.show()
adv_prob = getQ(prob_vec, initial_vector)
'''make this function'''
#adv_ratio = adv_ratio*adv_prob
adv_ratio = adv_ratio*adv_prob/abs(1-adv_prob)
#print('*adv_ratio now* ' + str(adv_ratio))
toPert = chkBounds(adv_ratio, A, B)
#print('chkBounds result = ' + str(toPert))
#print('perturbed cat = ' + str(np.argmax(prob_vec)))
#print('original cat = ' + str(np.argmax(initial_vector)))
if(np.argmax(prob_vec) != np.argmax(initial_vector)):
#print('Category Changed')
is_adv = 1
break
if(toPert == -1):
return 0, itr
elif(toPert == 1):
return 1, itr
else:
itr = itr + 1
if(itr > N_i):
itr = N_i
return is_adv, itr
def sample_std_normal(thread_id, shape, dtype):
# create a thread-specifc RNG
# rng =
sum_image_float = sum(map(lambda x: sum(map(sum, x)), a.image))
image_int = sum_image_float.astype(np.int64)
rng = randomgen.RandomGenerator(
np.random.seed(image_int + thread_id))
t = threading.currentThread()
while getattr(t, 'do_run', True):
rnd_normal = rng.standard_normal(size=shape, dtype=dtype)
rnd_normal_queue.put(rnd_normal)
def dropout_layer(layer, p_dropout):
"""
Dropout some components of a layer according to p_dropout
:param layer: given layer
:param p_dropout: percent dropout
:return: pruned layer
"""
random_generator = randomgen.RandomGenerator()
shared_random_number_generator = shared_randomstreams.RandomStreams(
random_generator.randint(0, high=999999))
mask = shared_random_number_generator.binomial(n=1,
p=1 - p_dropout,
size=layer.shape)
return layer * tensor.cast(mask, theano.config.floatX)
def isClnOrNot(net, image, B, N_i, n_components):
is_adv = [-1]
itr = 1
#adv_ratio = 1
rng = randomgen.RandomGenerator()
img_act = pca.inverse_transform(image)
initial_vector = logit2probab(net.forward(np.reshape(img_act, (1, 32, 32, 3))))
adv_ratio = np.ones(len(initial_vector))
#plt.imshow(np.reshape(img_act, (32, 32, 3))/255)
#plt.show()
while(np.amin(is_adv) == -1 and itr < N_i+1):
'''perturb'''
'''assuming dimension 3072'''
perturbation = rng.standard_normal(size=(n_components,), dtype=trans_x.dtype)
new_x = np.copy(image)
new_x[(3072-n_components):] += 10*perturbation
inv_x = pca.inverse_transform(new_x)
invx = np.reshape(inv_x,(1,32,32,3))
tmp_pred = net.forward(np.reshape(invx, (1,32,32,3)))
prob_vec = logit2probab(tmp_pred)
#plt.imshow(np.reshape(invx, (32, 32, 3))/255)
#plt.show()
adv_prob = getQCln(prob_vec, initial_vector, net)
adv_ratio = np.divide(np.multiply(adv_ratio, adv_prob), [abs(1-x) for x in adv_prob])
toPert = chkBoundsCln(adv_ratio, B)
is_adv = chkCleaned(toPert, prob_vec, initial_vector)
if(np.amin(is_adv) != -1):
#just a numerical hack
adv_ratio[is_adv[-1]] = adv_ratio[is_adv[-1]] + 2*B
itr = itr+1
##just another numnerical hack, for an easier code
##after analyzing the list returned we can easily determine the predicted correct category
return [x-B for x in adv_ratio], itr
def _thread_fun(self, thread_id):
# create a thread-specifc RNG
rng = randomgen.RandomGenerator(
randomgen.Xoroshiro128(seed=20 + thread_id))
rnd_normal = None
rnd_lowfreq = None
t = threading.currentThread()
while getattr(t, 'do_run', True):
# Prepare one of each sampling patterns
if rnd_normal is None:
rnd_normal = rng.standard_normal(size=self.shape,
dtype='float32')
rnd_normal /= np.linalg.norm(rnd_normal)
if rnd_lowfreq is None:
# MODIFIED
# There are two concurring implementations of lowfreq noise, Perlin Noise by Brunner et al. and IDCT noise by Guo et al.
# We found them to be pretty much equivalent, but Guo's has a much simpler implementation :)
#
# Therefore we replaced Perlin noise with Guo's lowfreq generator.
# ALSO, the actual noise frequency is an important hyperparameter. Brunner et al. use a constant frequency for ImageNet.
# We found that using a random (low-ish) frequency works much better, as we can span a much larger spectrum, and also avoid the
# round "bubbles" found in the original "Guessing Smart" paper.
freq = rng.uniform(-5., 1.)
freq_ratio = 1. / (1. + np.exp(-freq))
rnd_lowfreq = create_idct_noise(size_px=299,
ratio=freq_ratio,
normalize=True,
rng_gen=rng)
rnd_lowfreq = (rnd_lowfreq, freq)
# Lock and put them into the queues.
with self.cv_not_full:
if len(self.queue_normal) >= self.queue_lengths and len(
self.queue_lowfreq) >= self.queue_lengths:
self.cv_not_full.wait()
# Fill one or both queues.
if len(self.queue_normal) < self.queue_lengths:
self.queue_normal.append(rnd_normal)
rnd_normal = None
if len(self.queue_lowfreq) < self.queue_lengths:
self.queue_lowfreq.append(rnd_lowfreq)
rnd_lowfreq = None
self.cv_not_empty.notify_all()
def generate_candidate_alternative(rnd_normal_queue,
bounds,
original,
perturbed,
unnormalized_source_direction,
source_direction,
source_norm,
spherical_step,
source_step,
internal_dtype,
rng=None):
if rng is None:
try:
import randomgen
except ImportError: # pragma: no cover
raise ImportError('To use the BoundaryAttack,'
' please install the randomgen'
' module (e.g. pip install randomgen)')
sum_perturbed_float = sum(
map(lambda x: sum(map(sum, x)), perturbed))
perturbed_int = sum_perturbed_float.astype(np.int64)
rng = randomgen.RandomGenerator(np.random.seed(perturbed_int))
# ===========================================================
# perform initial work
# ===========================================================
assert original.dtype == internal_dtype
assert perturbed.dtype == internal_dtype
shape = original.shape
min_, max_ = bounds
# ===========================================================
# draw a random direction
# ===========================================================
# randomgen's rnd is faster and more flexible than numpy's if
# has a dtype argument and supports the much faster Ziggurat method
if rnd_normal_queue is None:
perturbation = rng.standard_normal(size=shape,
dtype=original.dtype)
else:
perturbation = rnd_normal_queue.get()
assert perturbation.dtype == internal_dtype
# ===========================================================
# normalize perturbation and subtract source direction
# (to stay on sphere)
# ===========================================================
perturbation *= spherical_step * source_norm / norm(perturbation)
perturbation -= np.vdot(perturbation, source_direction) \
* source_direction
spherical_perturbation = perturbed + perturbation
np.clip(spherical_perturbation, min_, max_, out=spherical_perturbation)
# refine spherical perturbation
refinement_threshold = min(1e-5, source_step / 10)
for refinements in range(30):
spherical_source_direction = spherical_perturbation - original
spherical_norm = norm(spherical_source_direction)
diff_norm = spherical_norm - source_norm
if np.abs(diff_norm) / source_norm <= refinement_threshold:
break
spherical_perturbation -= diff_norm / spherical_norm \
* spherical_source_direction
np.clip(spherical_perturbation,
min_,
max_,
out=spherical_perturbation)
else: # pragma: no cover
refinements += 1
# ===========================================================
# add perturbation in direction of source
# ===========================================================
new_source_direction = original - spherical_perturbation
new_source_direction_norm = norm(new_source_direction)
assert perturbed.dtype == internal_dtype
assert original.dtype == internal_dtype
assert spherical_perturbation.dtype == internal_dtype
perturbation = spherical_perturbation.copy()
length = source_step * source_norm / new_source_direction_norm
perturbation += length * new_source_direction
np.clip(perturbation, min_, max_, out=perturbation)
assert spherical_perturbation.dtype == internal_dtype
assert perturbation.dtype == internal_dtype
data = (perturbation, spherical_perturbation)
return data
def generate_candidate_default(rnd_normal_queue,
bounds,
original,
perturbed,
unnormalized_source_direction,
source_direction,
source_norm,
spherical_step,
source_step,
internal_dtype,
rng=None):
if rng is None:
try:
import randomgen
except ImportError: # pragma: no cover
raise ImportError('To use the BoundaryAttack,'
' please install the randomgen'
' module (e.g. pip install randomgen)')
sum_perturbed_float = sum(
map(lambda x: sum(map(sum, x)), perturbed))
perturbed_int = sum_perturbed_float.astype(np.int64)
rng = randomgen.RandomGenerator(np.random.seed(perturbed_int))
# ===========================================================
# perform initial work
# ===========================================================
assert original.dtype == internal_dtype
assert perturbed.dtype == internal_dtype
shape = original.shape
min_, max_ = bounds
# ===========================================================
# draw a random direction
# ===========================================================
# randomgen's rnd is faster and more flexible than numpy's if
# has a dtype argument and supports the much faster Ziggurat method
if rnd_normal_queue is None:
perturbation = rng.standard_normal(size=shape,
dtype=original.dtype)
else:
perturbation = rnd_normal_queue.get()
assert perturbation.dtype == internal_dtype
# ===========================================================
# calculate candidate on sphere
# ===========================================================
dot = np.vdot(perturbation, source_direction)
perturbation -= dot * source_direction
perturbation *= spherical_step * source_norm / norm(perturbation)
D = 1 / np.sqrt(spherical_step**2 + 1)
direction = perturbation - unnormalized_source_direction
spherical_candidate = original + D * direction
np.clip(spherical_candidate, min_, max_, out=spherical_candidate)
# ===========================================================
# add perturbation in direction of source
# ===========================================================
new_source_direction = original - spherical_candidate
new_source_direction_norm = norm(new_source_direction)
assert perturbed.dtype == internal_dtype
assert original.dtype == internal_dtype
assert spherical_candidate.dtype == internal_dtype
# length if spherical_candidate would be exactly on the sphere
length = source_step * source_norm
# length including correction for deviation from sphere
deviation = new_source_direction_norm - source_norm
length += deviation
# make sure the step size is positive
length = max(0, length)
# normalize the length
length = length / new_source_direction_norm
candidate = spherical_candidate + length * new_source_direction
np.clip(candidate, min_, max_, out=candidate)
assert spherical_candidate.dtype == internal_dtype
assert candidate.dtype == internal_dtype
data = (candidate, spherical_candidate)
return data
''' Detecting whether input images are adversarial or not
n_components : number of least significant coefficients to perturb
n_sample : number of samples to generate
perturbation : a perturbation sampled from std normal for n_components
inv_x : inverse transformed image after adding perturbation
preds_y : classifier predctions for updated images
preds_a : classifier predctions for updated images
result : output will be stored in result array at cooresponding indices as follows:
1 for adversarial images
0 for non-adversarial images
'''
n_components = 1000
n_sample = 25
rng = randomgen.RandomGenerator()
result = np.zeros(no_of_image, dtype = int)
for k in range(n_sample):
perturbation = rng.standard_normal(size=(n_components,), dtype=trans_x.dtype)
new_x = np.copy(trans_x)
for i in range(no_of_image):
new_x[i][(3072-n_components):] += 10*perturbation
inv_x = pca.inverse_transform(new_x)
invx = np.reshape(inv_x,((no_of_image,32,32,3))
pred = model.forward(invx)
preds_y = np.array([np.argmax(pred[i]) for i in range(n-s)])
def generate_candidate_alternative(bounds,
original,
perturbed,
unnormalized_source_direction,
source_direction,
source_norm,
spherical_step,
source_step,
internal_dtype,
sample_gen,
normal_factor,
rng=None):
if rng is None:
try:
import randomgen
except ImportError: # pragma: no cover
raise ImportError('To use the BoundaryAttack,'
' please install the randomgen'
' module (e.g. pip install randomgen)')
rng = randomgen.RandomGenerator()
# ===========================================================
# perform initial work
# ===========================================================
assert original.dtype == internal_dtype
assert perturbed.dtype == internal_dtype
shape = original.shape
min_, max_ = bounds
# ===========================================================
# draw a random direction
# ===========================================================
if rng.uniform() < normal_factor:
perturbation = sample_gen.get_normal()
else:
perturbation = np.float64(sample_gen.get_perlin())
assert perturbation.dtype == internal_dtype
# ===========================================================
# normalize perturbation and subtract source direction
# (to stay on sphere)
# ===========================================================
perturbation *= spherical_step * source_norm / norm(perturbation)
perturbation -= np.vdot(perturbation, source_direction) \
* source_direction
spherical_perturbation = perturbed + perturbation
np.clip(spherical_perturbation, min_, max_, out=spherical_perturbation)
# refine spherical perturbation
refinement_threshold = min(1e-5, source_step / 10)
for refinements in range(30):
spherical_source_direction = spherical_perturbation - original
spherical_norm = norm(spherical_source_direction)
diff_norm = spherical_norm - source_norm
if np.abs(diff_norm) / source_norm <= refinement_threshold:
break
spherical_perturbation -= diff_norm / spherical_norm \
* spherical_source_direction
np.clip(spherical_perturbation,
min_,
max_,
out=spherical_perturbation)
else: # pragma: no cover
refinements += 1
# ===========================================================
# add perturbation in direction of source
# ===========================================================
new_source_direction = original - spherical_perturbation
new_source_direction_norm = norm(new_source_direction)
assert perturbed.dtype == internal_dtype
assert original.dtype == internal_dtype
assert spherical_perturbation.dtype == internal_dtype
perturbation = spherical_perturbation.copy()
length = source_step * source_norm / new_source_direction_norm
perturbation += length * new_source_direction
np.clip(perturbation, min_, max_, out=perturbation)
assert spherical_perturbation.dtype == internal_dtype
assert perturbation.dtype == internal_dtype
data = (perturbation, spherical_perturbation)
return data
def generate_candidate_default(bounds,
original,
perturbed,
unnormalized_source_direction,
source_direction,
source_norm,
spherical_step,
source_step,
internal_dtype,
sample_gen,
normal_factor,
rng=None):
if rng is None:
try:
import randomgen
except ImportError: # pragma: no cover
raise ImportError('To use the BoundaryAttack,'
' please install the randomgen'
' module (e.g. pip install randomgen)')
rng = randomgen.RandomGenerator()
# ===========================================================
# perform initial work
# ===========================================================
assert original.dtype == internal_dtype
assert perturbed.dtype == internal_dtype
shape = original.shape
min_, max_ = bounds
# ===========================================================
# draw a random direction
# ===========================================================
if rng.uniform() < normal_factor:
perturbation = sample_gen.get_normal()
else:
perturbation = np.float64(sample_gen.get_perlin())
assert perturbation.dtype == internal_dtype
# ===========================================================
# calculate candidate on sphere
# ===========================================================
dot = np.vdot(perturbation, source_direction)
perturbation -= dot * source_direction
perturbation *= spherical_step * source_norm / norm(perturbation)
D = 1 / np.sqrt(spherical_step**2 + 1)
direction = perturbation - unnormalized_source_direction
spherical_candidate = original + D * direction
np.clip(spherical_candidate, min_, max_, out=spherical_candidate)
# ===========================================================
# add perturbation in direction of source
# ===========================================================
new_source_direction = original - spherical_candidate
new_source_direction_norm = norm(new_source_direction)
assert perturbed.dtype == internal_dtype
assert original.dtype == internal_dtype
assert spherical_candidate.dtype == internal_dtype
# length if spherical_candidate would be exactly on the sphere
length = source_step * source_norm
# length including correction for deviation from sphere
deviation = new_source_direction_norm - source_norm
length += deviation
# make sure the step size is positive
length = max(0, length)
# normalize the length
length = length / new_source_direction_norm
candidate = spherical_candidate + length * new_source_direction
np.clip(candidate, min_, max_, out=candidate)
assert spherical_candidate.dtype == internal_dtype
assert candidate.dtype == internal_dtype
data = (candidate, spherical_candidate)
return data