def create_adv(sess, dataset, attack):
img, label, target_label = get_attack_original(cfg.attack_name, dataset, n=cfg.number_img, targeted=True)
att_dir = get_dir(cfg.data_dir, dataset.name, cfg.attack_name, attack.model.name)
att_file = os.path.join(att_dir, 'adv_images.npy')
if os.path.isfile(att_file):
tf.logging.debug('Loading adv img from %s', att_file)
adv_img = np.load(att_file)
else:
tf.logging.debug('Creating empty array for adv img')
adv_img = np.empty(shape=(0, *dataset.shape), dtype='float32')
c_prop = _c_prop(att_dir)
num_adv = len(adv_img)
tf.logging.info('Starting at img %d', num_adv)
for i in range(num_adv, cfg.number_img):
tic = time.time()
adv = cw_attack(sess, img[i], target_label[i], attack, cfg.max_opt_iter, cfg.max_bin_iter, c_prop)
if adv is None:
tf.logging.info('Attack failed...')
# If attack didn't succeed, mark image with NaN
adv = np.empty_like(img[i])
adv[:] = np.nan
adv_img = np.append(adv_img, [adv], axis=0)
np_save_bak(att_file, adv_img)
tf.logging.info('Number of adv images: %d', i)
tf.logging.info('Finished iteration in %.2f', time.time()-tic)
def main(args):
model_class = get_model(args[1])
dataset = dataset_by_name(args[2])
params = get_params(args[1], dataset.name)
tf.logging.debug('Creating attack ops')
attack = CWAttackOp(model_class,
params,
dataset.shape,
dataset.num_classes,
kappa=cfg.kappa,
rand_start_std=cfg.rand_start_std)
ckpt_dir = get_dir(cfg.ckpt_dir, dataset.name, attack.model.name)
saver = tf.train.Saver(var_list=tf.global_variables(scope=attack.model.scope))
tf.logging.debug('Starting session')
with tf.Session() as sess:
try:
save_path = tf.train.latest_checkpoint(ckpt_dir)
saver.restore(sess, save_path)
create_adv(sess, dataset, attack)
except KeyboardInterrupt:
print("Manual interrupt occured")
def create_adv(sess, dataset, fgsm):
img, label = get_attack_original(attack_name, dataset)
att_dir = get_dir(cfg.data_dir, dataset.name, attack_name, fgsm.model.name)
# max_norm = max_norm_ratio * _avg_norm(dataset)
# tf.logging.info('Using max norm %f', max_norm)
for idx in np.array_split(np.arange(len(label)), num_split):
tf.logging.info('Attacking range {}-{}'.format(idx.min(), idx.max()))
att_file = os.path.join(
att_dir, 'adv_perts{}-{}.npy'.format(idx.min(), idx.max()))
if os.path.isfile(att_file):
tf.logging.debug('Loading pert from %s', att_file)
perts = np.load(att_file)
else:
tf.logging.debug('Creating empty array for perts')
perts = np.empty(shape=(0, *dataset.shape), dtype='float32')
num_adv = len(perts)
for i in range(num_adv, pert_per_split):
attack = UniversalPerturbation(fgsm,
img[idx],
label[idx],
batch_size=batch_size,
max_it=max_it,
target_rate=target_rate)
tic = time.time()
attack.fit(sess)
perts = np.append(perts, [attack.perturbation], axis=0)
np_save_bak(att_file, perts, num_bak=2)
tf.logging.info('Finished iteration in %.2f', time.time() - tic)
def main(args):
model_class = get_model(args[1])
dataset = dataset_by_name(args[2])
params = get_params(args[1], dataset.name)
tf.logging.debug('Building model')
model = model_class(trainable=False,
num_classes=dataset.num_classes,
shape=dataset.shape,
**params)
tf.logging.debug('Creating attack ops')
fgsm = FGSM(model, fgsm_eps)
ckpt_dir = get_dir(cfg.ckpt_dir, dataset.name, model.name)
saver = tf.train.Saver(var_list=tf.global_variables(scope=model.scope))
tf.logging.debug('Starting session')
with tf.Session() as sess:
try:
save_path = tf.train.latest_checkpoint(ckpt_dir)
saver.restore(sess, save_path)
create_adv(sess, dataset, fgsm)
except KeyboardInterrupt:
print("Manual interrupt occurred")
def measure_universal(dataset_name, model, sess, source_name):
attack_name = 'universal_perturbation'
tf.logging.info('Measuring %s: source %s, target %s', attack_name, source_name, model.name)
attack_path = os.path.join(cfg.data_dir, dataset_name, attack_name, 'originals.npz')
with np.load(attack_path) as npz:
img = npz['img']
source_path = os.path.join(cfg.data_dir, dataset_name, attack_name, source_name)
adv_files = [fn for fn in os.listdir(source_path) if fn.endswith('.npy')]
for adv_file_name in adv_files:
pert_file = os.path.join(source_path, adv_file_name)
perts = np.load(pert_file)
if cfg.amplify_perturbation is not None:
tf.logging.debug('Amplifying perturbations')
perts *= cfg.amplify_perturbation
tf.logging.info('Loaded adv images %s', pert_file)
prob_list = []
for pert in perts:
prob_list.append(get_probabilities(model, img+pert, sess, cfg.batch_size))
save_dir = get_dir(cfg.data_dir, dataset_name, attack_name, 'Measure_' + source_name + '_' + model.name)
save_file = os.path.join(save_dir, 'probabilities_' + adv_file_name)
np.save(save_file, prob_list)
def measure_normal_attack(attack_name, dataset_name, model, sess, source_name):
tf.logging.info('Measuring %s: source %s, target %s', attack_name, source_name, model.name)
source_path = os.path.join(cfg.data_dir, dataset_name, attack_name, source_name)
adv_files = [fn for fn in os.listdir(source_path) if fn.endswith('.npy')]
assert len(adv_files) == 1, 'No valid .npy file found for {},{}'.format(attack_name, source_name)
adv_file_name = adv_files[0]
adv_file = os.path.join(source_path, adv_file_name)
adv_img = np.load(adv_file)
tf.logging.info('Loaded adv images %s', adv_file)
if cfg.amplify_perturbation is not None:
tf.logging.debug('Amplifying perturbations')
attack_path = os.path.join(cfg.data_dir, dataset_name, attack_name, 'originals.npz')
with np.load(attack_path) as npz:
img = npz['img']
img = img[:len(adv_img)]
pert = adv_img - img
pert *= cfg.amplify_perturbation
adv_img = img + pert
probs = get_probabilities(model, adv_img, sess, cfg.batch_size)
amp_str = ('amp' + str(cfg.amplify_perturbation) + '_') if cfg.amplify_perturbation is not None else ''
save_dir = get_dir(cfg.data_dir, dataset_name, attack_name,
'Measure_' + source_name + '_' + amp_str + model.name)
save_file = os.path.join(save_dir, 'probabilities_' + adv_file_name)
np.save(save_file, probs)
def main(args):
model_name = args[1]
model_class = get_model(model_name)
source_name = args[2]
dataset = dataset_by_name(args[3])
if len(args) < 5:
attacks = ['carlini_wagner', 'boundary_attack', 'deepfool', 'universal_perturbation']
else:
attacks = args[4].split(',')
params = get_params(model_name, dataset.name)
tf.logging.debug('Creating model graph')
model = model_class(trainable=False, num_classes=dataset.num_classes, shape=dataset.shape, **params)
ckpt_dir = get_dir(cfg.ckpt_dir, dataset.name, model.name)
saver = tf.train.Saver(var_list=tf.global_variables(scope=model.scope))
if cfg.stop_before_session:
exit()
tf.logging.debug('Starting session')
with tf.Session() as sess:
try:
save_path = tf.train.latest_checkpoint(ckpt_dir)
saver.restore(sess, save_path)
for attack in attacks:
measure_attack(attack, dataset.name, model, sess, source_name)
except KeyboardInterrupt:
print("Manual interrupt occurred")
def main(args):
model_class = get_model(args[1])
dataset = dataset_by_name(args[2])
params = get_params(args[1], dataset.name)
load_config(dataset.name, optional=True)
with tf.variable_scope('data'):
tf.logging.debug('Load data')
train_data = to_tf_dataset(dataset, is_train=True, batch_size=cfg.batch_size,
aug_strength=cfg.data_aug,
aug_prob=cfg.aug_prob,
aug_flip=cfg.aug_flip)
test_data = to_tf_dataset(dataset, is_train=False, batch_size=cfg.batch_size)
iterator = tf.data.Iterator.from_structure(train_data.output_types,
train_data.output_shapes)
img, label = iterator.get_next()
tf.logging.debug('Creating iterator initializer')
train_init = iterator.make_initializer(train_data)
test_init = iterator.make_initializer(test_data)
tf.train.create_global_step()
create_epoch()
tf.logging.debug('Creating model graph')
model = model_class(img=img, label=label, num_classes=dataset.num_classes, **params)
ckpt_dir = get_dir(cfg.ckpt_dir, dataset.name, model.name)
log_dir = get_dir(cfg.log_dir, dataset.name, model.name)
if cfg.stop_before_session:
exit()
tf.logging.debug('Starting session')
with tf.Session() as sess:
try:
train_with_test(sess, model, train_init, test_init, ckpt_dir, log_dir)
except KeyboardInterrupt:
print("Manual interrupt occured")
def measure_original(attack_name, dataset_name, model, sess):
tf.logging.info('Measuring %s: source %s on originals', attack_name, model.name)
original_file = os.path.join(cfg.data_dir, dataset_name, attack_name, 'originals.npz')
with np.load(original_file) as npz:
img = npz['img']
tf.logging.info('Loaded adv images %s', original_file)
probs = get_probabilities(model, img, sess, cfg.batch_size)
save_dir = get_dir(cfg.data_dir, dataset_name, attack_name, 'Measure_original_' + model.name)
save_file = os.path.join(save_dir, 'probabilities_originals.npy')
np.save(save_file, probs)
def attack_activations(sess, attack_name, dataset, model):
tf.logging.info('Activations for %s', attack_name)
orig, _ = get_attack_original(attack_name, dataset)
adv = get_adv(model.name, attack_name, dataset.name)
orig = orig[:cfg.batch_size]
if 'universal' in attack_name.lower():
adv = orig + adv[0]
else:
adv = adv[:cfg.batch_size]
directory = get_dir(cfg.data_dir, dataset.name, attack_name, 'activations')
tf.logging.info('Measuring originals')
save_activations(sess, feed_dict={model.img: orig, model.label: [0]}, directory=directory, file_prefix='original_')
tf.logging.info('Measuring adversarial examples')
save_activations(sess, feed_dict={model.img: adv, model.label: [0]}, directory=directory, file_prefix='adversarial_')
def main(args):
model_class = get_model(args[1])
dataset = dataset_by_name(args[2])
params = get_params(args[1], dataset.name)
tf.logging.debug('Creating attack ops')
deepfool = DeepfoolOp(model_class, dataset=dataset, params=params)
ckpt_dir = get_dir(cfg.ckpt_dir, dataset.name, deepfool.model.name)
saver = tf.train.Saver(var_list=tf.global_variables(
scope=deepfool.model.scope))
tf.logging.debug('Starting session')
with tf.Session() as sess:
try:
sess.graph.finalize()
save_path = tf.train.latest_checkpoint(ckpt_dir)
saver.restore(sess, save_path)
create_adv(sess, dataset, deepfool)
except KeyboardInterrupt:
print("Manual interrupt occured")
def get_attack_original(attack_name,
dataset,
n=None,
targeted=False,
override=False):
"""
Loads original images from file, or creates file with random test images.
Args:
attack_name: string, name of the attack
dataset: ImgDataset instance
n: number of images. If image file already exists, None will load all.
If file doesn't exists yet, or override is True, n must not be None
override: If true, generate a new file
"""
num_classes = dataset.num_classes
path = get_dir(cfg.data_dir, dataset.name, attack_name)
file_name = os.path.join(path, 'originals.npz')
if not os.path.isfile(file_name) or override:
_, (img, label) = dataset.data
idx = np.random.permutation(len(img))
img = img[idx]
label = label[idx]
img = img[:n]
label = label[:n]
save_kwargs = {'img': img, 'label': label}
if targeted:
target_label = np.random.randint(low=0,
high=num_classes,
size=label.size,
dtype=label.dtype)
# Make sure label and target label are different
same_idx = np.where(label == target_label)[0]
while same_idx.size > 0:
target_label[same_idx] = np.random.randint(low=0,
high=num_classes,
size=same_idx.size,
dtype=label.dtype)
same_idx = np.where(label == target_label)[0]
save_kwargs['target_label'] = target_label
tf.logging.debug('Saving to file %s', file_name)
np.savez(file_name, **save_kwargs)
else:
tf.logging.debug('Loading from file %s', file_name)
with np.load(file_name) as npzfile:
img = npzfile['img']
label = npzfile['label']
img = img[:n]
label = label[:n]
if 'target_label' in npzfile.keys():
target_label = npzfile['target_label']
target_label = target_label[:n]
if targeted:
return img, label, target_label
return img, label
