def target_graph(x, target_class_input, i, x_max, x_min, grad):
eps = 2.0 * FLAGS.max_epsilon / 255.0
alpha = eps / FLAGS.num_iter
num_classes = 110
with slim.arg_scope(inception.inception_v1_arg_scope()):
logits_inc_v1, end_points_inc_v1 = inception.inception_v1(
x, num_classes=num_classes, is_training=False, scope='InceptionV1')
# rescale pixle range from [-1, 1] to [0, 255] for resnet_v1 and vgg's input
image = (((x + 1.0) * 0.5) * 255.0)
processed_imgs_res_v1_50 = preprocess_for_model(image, 'resnet_v1_50')
with slim.arg_scope(resnet_v1.resnet_arg_scope()):
logits_res_v1_50, end_points_res_v1_50 = resnet_v1.resnet_v1_50(
processed_imgs_res_v1_50,
num_classes=num_classes,
is_training=False,
scope='resnet_v1_50')
end_points_res_v1_50['logits'] = tf.squeeze(
end_points_res_v1_50['resnet_v1_50/logits'], [1, 2])
end_points_res_v1_50['probs'] = tf.nn.softmax(
end_points_res_v1_50['logits'])
# image = (((x + 1.0) * 0.5) * 255.0)#.astype(np.uint8)
processed_imgs_vgg_16 = preprocess_for_model(image, 'vgg_16')
with slim.arg_scope(vgg.vgg_arg_scope()):
logits_vgg_16, end_points_vgg_16 = vgg.vgg_16(processed_imgs_vgg_16,
num_classes=num_classes,
is_training=False,
scope='vgg_16')
end_points_vgg_16['logits'] = end_points_vgg_16['vgg_16/fc8']
end_points_vgg_16['probs'] = tf.nn.softmax(end_points_vgg_16['logits'])
########################
one_hot = tf.one_hot(target_class_input, num_classes)
########################
logits = (end_points_inc_v1['Logits'] + end_points_res_v1_50['logits'] +
end_points_vgg_16['logits']) / 3.0
cross_entropy = tf.losses.softmax_cross_entropy(one_hot,
logits,
label_smoothing=0.0,
weights=1.0)
noise = tf.gradients(cross_entropy, x)[0]
noise = noise / tf.reshape(
tf.contrib.keras.backend.std(tf.reshape(noise, [FLAGS.batch_size, -1]),
axis=1), [FLAGS.batch_size, 1, 1, 1])
noise = FLAGS.momentum * grad + noise
noise = noise / tf.reshape(
tf.contrib.keras.backend.std(tf.reshape(noise, [FLAGS.batch_size, -1]),
axis=1), [FLAGS.batch_size, 1, 1, 1])
x = x - alpha * tf.clip_by_value(tf.round(noise), -2, 2)
x = tf.clip_by_value(x, x_min, x_max)
i = tf.add(i, 1)
return x, target_class_input, i, x_max, x_min, noise
def target_attack(input_dir, output_dir):
eps = 2.0 * FLAGS.max_epsilon / 255.0
batch_shape = [FLAGS.batch_size, FLAGS.image_height, FLAGS.image_width, 3]
with tf.Graph().as_default():
raw_inputs = tf.placeholder(tf.uint8, shape=[None, 224, 224, 3])
processed_imgs = preprocess_for_model(raw_inputs, 'inception_v1')
x_input = tf.placeholder(tf.float32, shape=batch_shape)
x_max = tf.clip_by_value(x_input + eps, -1.0, 1.0)
x_min = tf.clip_by_value(x_input - eps, -1.0, 1.0)
# y = tf.constant(np.zeros([batch_size]), tf.int64)
y = tf.placeholder(tf.int32, shape=[FLAGS.batch_size])
i = tf.constant(0)
grad = tf.zeros(shape=batch_shape)
x_adv, _, _, _, _, _ = tf.while_loop(
stop, target_graph, [x_input, y, i, x_max, x_min, grad])
target_class_input = tf.placeholder(tf.int32, shape=[FLAGS.batch_size])
i = tf.constant(0)
grad = tf.zeros(shape=batch_shape)
s1 = tf.train.Saver(slim.get_model_variables(scope='InceptionV1'))
s2 = tf.train.Saver(slim.get_model_variables(scope='resnet_v1_50'))
s3 = tf.train.Saver(slim.get_model_variables(scope='vgg_16'))
with tf.Session() as sess:
s1.restore(sess, model_checkpoint_map['inception_v1'])
s2.restore(sess, model_checkpoint_map['resnet_v1_50'])
s3.restore(sess, model_checkpoint_map['vgg_16'])
for filenames, raw_images, target_labels in load_images_with_target_label(
input_dir):
processed_imgs_ = sess.run(processed_imgs,
feed_dict={raw_inputs: raw_images})
adv_images = sess.run(x_adv,
feed_dict={
x_input: processed_imgs_,
y: target_labels
})
save_ijcai_images(adv_images, filenames, output_dir)
def target_graph_large(x, target_class_input, i, x_max, x_min, grad):
eps = 2.0 * FLAGS.max_epsilon / 255.0
alpha = eps / 12
momentum = FLAGS.momentum
num_classes = 110
with slim.arg_scope(inception.inception_v1_arg_scope()):
logits_inc_v1, end_points_inc_v1 = inception.inception_v1(
x, num_classes=num_classes, is_training=False, scope='InceptionV1')
# rescale pixle range from [-1, 1] to [0, 255] for resnet_v1 and vgg's input
image = (((x + 1.0) * 0.5) * 255.0)
processed_imgs_res_v1_50 = preprocess_for_model(image, 'resnet_v1_50')
with slim.arg_scope(resnet_v1.resnet_arg_scope()):
logits_res_v1_50, end_points_res_v1_50 = resnet_v1.resnet_v1_50(
processed_imgs_res_v1_50,
num_classes=num_classes,
is_training=False,
scope='resnet_v1_50')
end_points_res_v1_50['logits'] = tf.squeeze(
end_points_res_v1_50['resnet_v1_50/logits'], [1, 2])
end_points_res_v1_50['probs'] = tf.nn.softmax(
end_points_res_v1_50['logits'])
# image = (((x + 1.0) * 0.5) * 255.0)#.astype(np.uint8)
processed_imgs_vgg_16 = preprocess_for_model(image, 'vgg_16')
with slim.arg_scope(vgg.vgg_arg_scope()):
logits_vgg_16, end_points_vgg_16 = vgg.vgg_16(processed_imgs_vgg_16,
num_classes=num_classes,
is_training=False,
scope='vgg_16')
end_points_vgg_16['logits'] = end_points_vgg_16['vgg_16/fc8']
end_points_vgg_16['probs'] = tf.nn.softmax(end_points_vgg_16['logits'])
one_hot_target_class = tf.one_hot(target_class_input, num_classes)
logits = (logits_inc_v1 + logits_vgg_16 + logits_res_v1_50) / 3.0
# auxlogits = (4 * end_points_v3['AuxLogits'] + end_points_adv_v3['AuxLogits'] + end_points_ens3_adv_v3['AuxLogits'] +
# end_points_ens4_adv_v3['AuxLogits'] + 4 * end_points_ensadv_res_v2['AuxLogits']) / 11
# auxlogits =
cross_entropy = tf.losses.softmax_cross_entropy(one_hot_target_class,
logits,
label_smoothing=0.0,
weights=1.0)
# cross_entropy += tf.losses.softmax_cross_entropy(one_hot_target_class,
# auxlogits,
# label_smoothing=0.0,
# weights=0.4)
noise = tf.gradients(cross_entropy, x)[0]
noise = noise / tf.reduce_mean(tf.abs(noise), [1, 2, 3], keep_dims=True)
noise = momentum * grad + noise
# noise = tf.gradients(cross_entropy, x)[0]
# noise = noise / tf.reshape(tf.contrib.keras.backend.std(tf.reshape(noise, [FLAGS.batch_size, -1]), axis=1),
# [FLAGS.batch_size, 1, 1, 1])
# noise = momentum * grad + noise
# noise = noise / tf.reshape(tf.contrib.keras.backend.std(tf.reshape(noise, [FLAGS.batch_size, -1]), axis=1),
# [FLAGS.batch_size, 1, 1, 1])
x = x - alpha * tf.clip_by_value(tf.round(noise), -2, 2)
x = tf.clip_by_value(x, x_min, x_max)
i = tf.add(i, 1)
return x, target_class_input, i, x_max, x_min, noise