├── SettingA-linf,unforeseen,corruptions ├── .DS_Store ├── border │ ├── dataset.py │ ├── model.py │ └── train_border.py ├── common_corruption │ └── automatic_corrupt.py ├── content │ ├── dataset.py │ ├── eval_digit.py │ ├── model.py │ ├── train_binary.py │ └── train_digit.py ├── data │ ├── .DS_Store │ ├── blackpip_linf_gen.py │ ├── blackpip_unforeseen_gen.py │ ├── blacksensor_linf_gen.py │ ├── blacksensor_unforeseen_gen.py │ ├── corruption_gen.py │ ├── white_linf_gen.py │ └── white_unforeseen_gen.py ├── img │ ├── 0.png │ ├── 1.png │ ├── 10.png │ ├── 11.png │ ├── 12.png │ ├── 13.png │ ├── 14.png │ ├── 15.png │ ├── 16.png │ ├── 17.png │ ├── 2.png │ ├── 3.png │ ├── 4.png │ ├── 5.png │ ├── 6.png │ ├── 7.png │ ├── 8.png │ └── 9.png ├── linf_attack │ ├── black_box_pipeline_attack.py │ ├── black_box_sensor_attack.py │ ├── model.py │ └── white_box_sensor_attack.py ├── natural_attack │ ├── black_box_pipeline_attack.py │ ├── black_box_sensor_attack.py │ ├── dataset.py │ ├── elastic.py │ ├── fog.py │ ├── gabor.py │ ├── jpeg.py │ ├── model.py │ ├── snow.py │ └── white_box_sensor_attack.py ├── pipeline │ ├── .DS_Store │ ├── ckpt │ │ ├── graph_model_ratio=0.0.ckpt │ │ ├── graph_model_ratio=0.1.ckpt │ │ ├── graph_model_ratio=0.2.ckpt │ │ ├── graph_model_ratio=0.3.ckpt │ │ ├── graph_model_ratio=0.4.ckpt │ │ ├── graph_model_ratio=0.5.ckpt │ │ ├── graph_model_ratio=0.6.ckpt │ │ ├── graph_model_ratio=0.7.ckpt │ │ ├── graph_model_ratio=0.8.ckpt │ │ ├── graph_model_ratio=0.9.ckpt │ │ └── graph_model_ratio=1.0.ckpt │ ├── model.py │ ├── pipeline.py │ ├── reimplement_table_common_corruption.py │ ├── reimplement_table_linf_blackbox_pipeline.py │ ├── reimplement_table_linf_blackbox_sensor.py │ ├── reimplement_table_linf_whitebox.py │ ├── reimplement_table_unforeseen_blackbox_pipeline.py │ ├── reimplement_table_unforeseen_blackbox_sensor.py │ ├── reimplement_table_unforeseen_whitebox.py │ ├── sensing_signals_data.py │ ├── statistics │ │ ├── GT_test.npy │ │ ├── GT_train.npy │ │ ├── GT_val.npy │ │ ├── sensor_map.json │ │ ├── vars_test.npy │ │ ├── vars_train.npy │ │ └── vars_val.npy │ ├── train.py │ └── var_generator.py ├── raw │ ├── ROA.py │ ├── adv_train.py │ ├── dataset.py │ ├── doa_train.py │ ├── eval_adv.py │ ├── model.py │ └── train.py ├── readme.md └── substitute │ ├── dataset.py │ ├── model.py │ └── train.py ├── SettingB-stop_sign_attack ├── data │ ├── generate_sensory_data.py │ ├── physical_sticker_content.png │ └── physical_sticker_mask.png ├── img │ ├── 0.png │ └── 1.png ├── pipeline │ ├── ckpt │ │ ├── graph_model_ratio=0.0.ckpt │ │ ├── graph_model_ratio=0.1.ckpt │ │ ├── graph_model_ratio=0.2.ckpt │ │ ├── graph_model_ratio=0.3.ckpt │ │ ├── graph_model_ratio=0.4.ckpt │ │ ├── graph_model_ratio=0.5.ckpt │ │ ├── graph_model_ratio=0.6.ckpt │ │ ├── graph_model_ratio=0.7.ckpt │ │ ├── graph_model_ratio=0.8.ckpt │ │ ├── graph_model_ratio=0.9.ckpt │ │ └── graph_model_ratio=1.0.ckpt │ ├── model.py │ ├── pipeline.py │ ├── reimplement_table.py │ ├── sensing_signals │ │ ├── GT_stop_test.npy │ │ ├── adv_signals_with_CNN.npy │ │ ├── adv_signals_with_CNN_adv_16.npy │ │ ├── adv_signals_with_CNN_adv_32.npy │ │ ├── adv_signals_with_CNN_adv_4.npy │ │ ├── adv_signals_with_CNN_adv_8.npy │ │ ├── adv_signals_with_CNN_doa_5.npy │ │ ├── adv_signals_with_CNN_doa_7.npy │ │ ├── clean_signals_with_CNN.npy │ │ ├── clean_signals_with_CNN_adv_16.npy │ │ ├── clean_signals_with_CNN_adv_32.npy │ │ ├── clean_signals_with_CNN_adv_4.npy │ │ ├── clean_signals_with_CNN_adv_8.npy │ │ ├── clean_signals_with_CNN_doa_5.npy │ │ ├── clean_signals_with_CNN_doa_7.npy │ │ └── sensor_map.json │ ├── sensing_signals_data.py │ ├── tools │ │ ├── eval.py │ │ └── gen_sensing_signals.py │ └── var_generator.py ├── raw │ ├── ROA.py │ ├── adv_train.py │ ├── dataset.py │ ├── doa_train.py │ └── model.py └── readme.md └── readme.md /SettingA-linf,unforeseen,corruptions/.DS_Store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AI-secure/Knowledge-Enhanced-Machine-Learning-Pipeline/8cda8102577c1203f5781844238b53626e68dac4/SettingA-linf,unforeseen,corruptions/.DS_Store -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/border/model.py: -------------------------------------------------------------------------------- 1 | import torch 2 | from torch import nn 3 | 4 | class NEURAL(nn.Module): # end-to-end neural classifier 5 | 6 | def __init__(self,n_class,n_channel): 7 | 8 | super(NEURAL,self).__init__() 9 | 10 | ########################### Learn a color transform ########################### 11 | self.conv0 = nn.Sequential( 12 | nn.Conv2d(n_channel,3,1), #input_size=(n_channel*32*32) 13 | nn.ReLU() 14 | ) # output_size=(3*32*32) 15 | 16 | ########################### Level-1 ########################### 17 | self.conv1 = nn.Sequential( 18 | nn.Conv2d(3,32,5,1,2), #input_size=(3*32*32) 19 | nn.ReLU() 20 | ) # output_size=(32*32*32) 21 | 22 | self.conv2 = nn.Sequential( 23 | nn.Conv2d(32,32,5,1,2), #input_size=(32*32*32) 24 | nn.ReLU(), 25 | nn.MaxPool2d(kernel_size = 2,stride = 2) 26 | ) # output_size=(32*16*16) 27 | 28 | ########################### Level-2 ########################### 29 | self.conv3 = nn.Sequential( 30 | nn.Conv2d(32,64,3,1,1), #input_size=(32*16*16) 31 | nn.ReLU() 32 | ) # output_size=(64*16*16) 33 | 34 | self.conv4 = nn.Sequential( 35 | nn.Conv2d(64,64,3,1,1), #input_size=(64*16*16) 36 | nn.ReLU(), 37 | nn.MaxPool2d(kernel_size = 2,stride = 2) 38 | ) # output_size=(64*8*8) 39 | 40 | ########################### Level-3 ########################### 41 | self.conv5 = nn.Sequential( 42 | nn.Conv2d(64,128,3,1,1), #input_size=(64*8*8) 43 | nn.ReLU() 44 | ) # output_size=(128*8*8) 45 | 46 | self.conv6 = nn.Sequential( 47 | nn.Conv2d(128,128,3,1,1), #input_size=(128*8*8) 48 | nn.ReLU(), 49 | nn.MaxPool2d(kernel_size = 2,stride = 2) 50 | ) # output_size=(128*4*4) 51 | 52 | 53 | # num_fc = 32*16*16 + 64*8*8 + 128*4*4 = 14336 54 | self.fc1 = nn.Sequential( 55 | nn.Linear(14336,1024), 56 | nn.ReLU() 57 | ) 58 | self.fc2 = nn.Sequential( 59 | nn.Linear(1024,1024), 60 | nn.ReLU() 61 | ) 62 | self.fc3 = nn.Linear(1024,n_class) 63 | 64 | self.dropout = nn.Dropout(p=0.5) 65 | 66 | def forward(self,x): 67 | x = self.conv0(x) # Color Transform 68 | 69 | ## Scale 1 70 | x = self.conv1(x) 71 | x = self.conv2(x) 72 | x = self.dropout(x) 73 | scale_1 = x.view(x.size(0), -1) 74 | 75 | ## Scale 2 76 | x = self.conv3(x) 77 | x = self.conv4(x) 78 | x = self.dropout(x) 79 | scale_2 = x.view(x.size(0), -1) 80 | 81 | ## Scale 3 82 | x = self.conv5(x) 83 | x = self.conv6(x) 84 | x = self.dropout(x) 85 | scale_3 = x.view(x.size(0), -1) 86 | 87 | ###### FC ######################## 88 | embedding = torch.cat( (scale_1,scale_2,scale_3), axis = 1) 89 | 90 | x = self.fc1(embedding) 91 | x = self.dropout(x) 92 | 93 | x = self.fc2(x) 94 | x = self.dropout(x) 95 | 96 | x = self.fc3(x) 97 | return x 98 | -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/border/train_border.py: -------------------------------------------------------------------------------- 1 | import torch 2 | from model import NEURAL 3 | from dataset import BorderData 4 | import time 5 | import argparse 6 | import os 7 | 8 | parser = argparse.ArgumentParser() 9 | parser.add_argument('-gpu_id', type=int, required=True, help='id number of the gpu device') 10 | parser.add_argument('-pid', type=int, required=True, help='id number of the border type to be detected.') 11 | parser.add_argument('-isconservative', type=int, required=True, help='conservative or not?') 12 | args = parser.parse_args() 13 | 14 | gpu_id = args.gpu_id 15 | pid = args.pid 16 | isconservative = args.isconservative 17 | 18 | ckpt_dir = 'ckpt_pid=%d_isconservative=%d' % (pid,isconservative) 19 | 20 | if isconservative: 21 | w_p = 1 22 | w_n = 20 23 | thr_TPR = 0.5 24 | thr_TNR = 0.95 25 | if pid == 7: 26 | w_n = 5 27 | else: 28 | w_p = 20 29 | w_n = 1 30 | thr_TPR = 0.95 31 | thr_TNR = 0.5 32 | 33 | if pid == 5: 34 | thr_TPR = 0.85 35 | #w_p = 100 36 | w_p = 60 37 | w_n = 0.5 38 | 39 | if pid == 7: 40 | #w_p = 50 41 | w_p = 30 42 | w_n = 0.5 43 | 44 | if pid == 0 : 45 | w_p = 50 46 | w_n = 0.5 47 | 48 | 49 | print('w_p = %f , w_n = %f' % (w_p,w_n)) 50 | 51 | 52 | if not os.path.exists(ckpt_dir): 53 | os.mkdir(ckpt_dir) 54 | print('ckpt_dir : ',ckpt_dir) 55 | print('thr_TPR=%f, thr_TNR = %f' % (thr_TPR, thr_TNR)) 56 | print('w_p=%f, w_n = %f' % (w_p, w_n)) 57 | 58 | device = torch.device('cuda:%d' % gpu_id if torch.cuda.is_available() else 'cpu') 59 | print('working device : ', device) 60 | 61 | 62 | lr_rate = 0.001 63 | batch_size = 200 64 | n_iters = 40000 65 | 66 | 67 | def test(data,model): 68 | 69 | TPR = 0 70 | positive_num = 0 71 | 72 | TNR = 0 73 | negative_num = 0 74 | 75 | X = data.sequential_test_positive_batch() 76 | while X is not None: 77 | X = X.to(device) 78 | Y = model(X) 79 | Y = torch.argmax(Y,dim=1) 80 | positive_num += len(Y) 81 | for item in Y: 82 | if item==1: 83 | TPR+=1 84 | X = data.sequential_test_positive_batch() 85 | 86 | 87 | 88 | X = data.sequential_test_negative_batch() 89 | while X is not None: 90 | X = X.to(device) 91 | Y = model(X) 92 | Y = torch.argmax(Y,dim=1) 93 | negative_num += len(Y) 94 | for item in Y: 95 | if item==0: 96 | TNR+=1 97 | X = data.sequential_test_negative_batch() 98 | 99 | # return recall, precision 100 | print('TPR : %d / %d' % (TPR,positive_num)) 101 | print('TNR : %d / %d' % (TNR,negative_num)) 102 | 103 | return TPR/positive_num , TNR/negative_num 104 | 105 | 106 | 107 | 108 | 109 | 110 | print('[Data] Preparing .... ') 111 | data = BorderData(batch_size=batch_size,pid=pid) 112 | data.data_set_up(istrain=True) 113 | data.greeting() 114 | print('[Data] Done .... ') 115 | 116 | 117 | print('[Model] Preparing .... ') 118 | model = NEURAL(n_class=2,n_channel=3) 119 | model = model.to(device) 120 | print('[Model] Done .... ') 121 | 122 | 123 | 124 | 125 | loss_f = torch.nn.CrossEntropyLoss() 126 | optimizer = torch.optim.SGD(model.parameters(), lr=lr_rate, momentum=0.9, weight_decay = 1e-4) 127 | st = time.time() 128 | 129 | GT_positive = torch.ones(batch_size).long().to(device) 130 | GT_negative = torch.zeros(batch_size).long().to(device) 131 | 132 | model.train() 133 | 134 | n_save = 0 135 | 136 | for i in range(n_iters): 137 | 138 | positive_samples, negative_samples = data.random_train_batch() 139 | positive_samples = positive_samples.to(device) 140 | negative_samples = negative_samples.to(device) 141 | 142 | Y_p = model(positive_samples) 143 | loss_p = loss_f(Y_p, GT_positive) 144 | 145 | Y_n = model(negative_samples) 146 | loss_n = loss_f(Y_n,GT_negative) 147 | 148 | loss = loss_p*w_p + loss_n*w_n 149 | 150 | optimizer.zero_grad() 151 | loss.backward() 152 | optimizer.step() 153 | now = (time.time() - st) / 60.0 154 | if (i+1) % 5000 == 0 : 155 | print(' ### Eval ###') 156 | print('Time = %f minutes, Iter = %d/%d, Loss = %f' % (now,i+1,n_iters,loss)) 157 | 158 | model.eval() 159 | TPR, TNR = test(data,model) 160 | 161 | 162 | if TPR > thr_TPR and TNR > thr_TNR: 163 | ckpt_name = 'model_%d_TPR=%f_TNR=%f.ckpt' % (n_save,TPR,TNR) 164 | torch.save(model.state_dict(), ckpt_dir+'/'+ckpt_name) 165 | print('[save] : ',ckpt_dir+'/'+ckpt_name) 166 | n_save+=1 167 | 168 | model.train() 169 | 170 | 171 | print('[Training] Done ...') -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/content/eval_digit.py: -------------------------------------------------------------------------------- 1 | import os 2 | import time 3 | 4 | import numpy as np 5 | import torch 6 | import cv2 7 | from dataset import DigitData 8 | from model import Model 9 | 10 | 11 | batch_size = 200 12 | 13 | number = { # class id -> content number sequence 14 | 0 : [0,10,10,10,10,10], 15 | 1 : [0,10,10,10,10,10], 16 | 2 : [0,10,10,10,10,10], 17 | 3 : [0,10,10,10,10,10], 18 | 4 : [0,10,10,10,10,10], 19 | 5 : [0,10,10,10,10,10], 20 | 6 : [0,10,10,10,10,10], 21 | 7 : [0,10,10,10,10,10], 22 | 8 : [2,5,0,10,10,10], 23 | 9 : [0,10,10,10,10,10], 24 | 10 : [2,2,0,10,10,10], 25 | 11 : [3,1,2,0,10,10] 26 | } 27 | 28 | def invert_number(labels): 29 | if labels[0]==0: 30 | return -1 31 | elif labels[1]==5: 32 | return 8 33 | elif labels[1]==2: 34 | return 10 35 | elif labels[1]==1: 36 | return 11 37 | 38 | def pre_process_image(image): 39 | image = cv2.resize(image,(54,54)) 40 | image = image/255.-.5 41 | return image 42 | 43 | 44 | print('preparing model ...') 45 | model = Model() 46 | model.restore('digit_log/model-16000.pth') 47 | model.cuda() 48 | model.eval() 49 | print('done.') 50 | 51 | print('preparing data ...') 52 | X = np.load('../data/data/patch_content_adv.npy') 53 | y = np.load('../data/data/raw_label_test.npy') 54 | labels = [] 55 | num = len(y) 56 | for i in range(num): 57 | c = y[i] 58 | labels.append(number[c]) 59 | y = torch.LongTensor(labels).cuda() 60 | X = torch.FloatTensor([pre_process_image(X[i]) for i in range(len(X))]).unsqueeze(1).cuda() 61 | print('done.') 62 | 63 | 64 | 65 | TP = np.zeros(12) 66 | FP = np.zeros(12) 67 | n_each_class = np.zeros(12) 68 | 69 | st = 0 70 | while st!= num: 71 | ed = min(st+batch_size,num) 72 | input_batch = X[st:ed] 73 | GT = y[st:ed] 74 | 75 | length_logits, digit1_logits, digit2_logits, digit3_logits, digit4_logits, digit5_logits = model(input_batch) 76 | length_prediction = length_logits.max(1)[1] 77 | digit1_prediction = digit1_logits.max(1)[1] 78 | digit2_prediction = digit2_logits.max(1)[1] 79 | digit3_prediction = digit3_logits.max(1)[1] 80 | digit4_prediction = digit4_logits.max(1)[1] 81 | digit5_prediction = digit5_logits.max(1)[1] 82 | 83 | 84 | 85 | this_batch_size = len(GT) 86 | 87 | for i in range(this_batch_size): 88 | 89 | inv_id = invert_number(GT[i]) 90 | if inv_id!=-1 : n_each_class[inv_id]+=1 91 | 92 | for k in [8,10,11]: 93 | gt_k = number[k] 94 | if gt_k[0] != length_prediction[i]: continue 95 | 96 | mark = True 97 | for item in range(1,6): 98 | if gt_k[item] != eval('digit%d_prediction' % item)[i] : 99 | mark = False 100 | if mark : 101 | if inv_id == k: TP[k]+=1 102 | else: FP[k]+=1 103 | 104 | st = ed 105 | 106 | print('proecss : %d/%d' % (st,num)) 107 | 108 | 109 | for i in [8,10,11]: 110 | print('### Class - %d' % i ) 111 | print(' Recall = %d/%d = %f' % (TP[i],n_each_class[i],TP[i]/n_each_class[i])) 112 | print(' Precision = %d/%d = %f' % (TP[i], TP[i]+FP[i], TP[i]/(TP[i]+FP[i]))) 113 | print('--------------------------------------------------------') -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/content/train_binary.py: -------------------------------------------------------------------------------- 1 | from model import NEURAL 2 | from dataset import ContentData 3 | import torch 4 | import time 5 | import argparse 6 | import os 7 | 8 | parser = argparse.ArgumentParser() 9 | parser.add_argument('-gpu_id', type=int, required=True, help='id number of the gpu device') 10 | parser.add_argument('-pid', type=int, required=True, help='id number of the content type to be detected') 11 | args = parser.parse_args() 12 | 13 | gpu_id = args.gpu_id 14 | pid = args.pid 15 | 16 | ckpt_dir = './binary_content/class_%d' % (pid) 17 | w_p = 1 18 | w_n = 20 19 | print('w_p = %f, w_n = %f' % (w_p,w_n) ) 20 | 21 | 22 | thr_TPR = 0.5 23 | thr_TNR = 0.95 24 | 25 | 26 | 27 | if not os.path.exists(ckpt_dir): 28 | os.mkdir(ckpt_dir) 29 | 30 | 31 | device = torch.device('cuda:%d' % gpu_id if torch.cuda.is_available() else 'cpu') 32 | print('working device : ', device) 33 | 34 | 35 | lr_rate = 0.01 36 | batch_size = 200 37 | n_iters = 40000 38 | 39 | 40 | def test(data,model): 41 | 42 | TPR = 0 43 | positive_num = 0 44 | 45 | TNR = 0 46 | negative_num = 0 47 | 48 | X = data.sequential_val_positive_batch() 49 | while X is not None: 50 | X = X.to(device) 51 | Y = model(X) 52 | Y = torch.argmax(Y,dim=1) 53 | positive_num += len(Y) 54 | for item in Y: 55 | if item==1: 56 | TPR+=1 57 | X = data.sequential_val_positive_batch() 58 | 59 | 60 | 61 | X = data.sequential_val_negative_batch() 62 | while X is not None: 63 | X = X.to(device) 64 | Y = model(X) 65 | Y = torch.argmax(Y,dim=1) 66 | negative_num += len(Y) 67 | for item in Y: 68 | if item==0: 69 | TNR+=1 70 | X = data.sequential_val_negative_batch() 71 | 72 | # return recall, precision 73 | print('TPR : %d / %d' % (TPR,positive_num)) 74 | print('TNR : %d / %d' % (TNR,negative_num)) 75 | 76 | return TPR/positive_num , TNR/negative_num 77 | 78 | 79 | 80 | 81 | 82 | 83 | print('[Data] Preparing .... ') 84 | data = ContentData(batch_size=batch_size,pid=pid) 85 | data.data_set_up(istrain=True) 86 | data.greeting() 87 | print('[Data] Done .... ') 88 | 89 | 90 | print('[Model] Preparing .... ') 91 | model = NEURAL(n_class=2,n_channel=1) 92 | model = model.to(device) 93 | print('[Model] Done .... ') 94 | 95 | 96 | 97 | 98 | loss_f = torch.nn.CrossEntropyLoss() 99 | optimizer = torch.optim.SGD(model.parameters(), lr=lr_rate, momentum=0.9, weight_decay = 1e-4) 100 | st = time.time() 101 | 102 | GT_positive = torch.ones(batch_size).long().to(device) 103 | GT_negative = torch.zeros(batch_size).long().to(device) 104 | 105 | model.train() 106 | 107 | n_save = 0 108 | 109 | for i in range(n_iters): 110 | 111 | positive_samples, negative_samples = data.random_train_batch() 112 | positive_samples = positive_samples.to(device) 113 | negative_samples = negative_samples.to(device) 114 | 115 | Y_p = model(positive_samples) 116 | loss_p = loss_f(Y_p, GT_positive) 117 | 118 | Y_n = model(negative_samples) 119 | loss_n = loss_f(Y_n,GT_negative) 120 | 121 | loss = loss_p*w_p + loss_n*w_n 122 | 123 | optimizer.zero_grad() 124 | loss.backward() 125 | optimizer.step() 126 | now = (time.time() - st) / 60.0 127 | if (i+1) % 5000 == 0 : 128 | print(' ### Eval ###') 129 | print('Time = %f minutes, Iter = %d/%d, Loss = %f' % (now,i+1,n_iters,loss)) 130 | 131 | model.eval() 132 | TPR, TNR = test(data,model) 133 | 134 | 135 | if TPR > thr_TPR and TNR > thr_TNR: 136 | ckpt_name = 'model_%d_TPR=%f_TNR=%f.ckpt' % (n_save,TPR,TNR) 137 | torch.save(model.state_dict(), ckpt_dir+'/'+ckpt_name) 138 | n_save+=1 139 | 140 | model.train() 141 | -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/content/train_digit.py: -------------------------------------------------------------------------------- 1 | import os 2 | import time 3 | 4 | import numpy as np 5 | import torch 6 | import torch.nn.functional 7 | import torch.optim as optim 8 | from torch.optim.lr_scheduler import StepLR 9 | 10 | from dataset import DigitData 11 | from model import Model 12 | 13 | batch_size = 100 14 | initial_learning_rate = 0.01 15 | initial_patience = 100 16 | decay_steps = 10000 17 | decay_rate = 0.9 18 | path_to_log_dir = './digit_log' 19 | path_to_restore_checkpoint_file = None 20 | 21 | def _loss(length_logits, digit1_logits, digit2_logits, digit3_logits, digit4_logits, digit5_logits, labels): 22 | length_cross_entropy = torch.nn.functional.cross_entropy(length_logits, labels[:,0]) 23 | digit1_cross_entropy = torch.nn.functional.cross_entropy(digit1_logits, labels[:,1]) 24 | digit2_cross_entropy = torch.nn.functional.cross_entropy(digit2_logits, labels[:,2]) 25 | digit3_cross_entropy = torch.nn.functional.cross_entropy(digit3_logits, labels[:,3]) 26 | digit4_cross_entropy = torch.nn.functional.cross_entropy(digit4_logits, labels[:,4]) 27 | digit5_cross_entropy = torch.nn.functional.cross_entropy(digit5_logits, labels[:,5]) 28 | loss = length_cross_entropy + digit1_cross_entropy + digit2_cross_entropy + digit3_cross_entropy + digit4_cross_entropy + digit5_cross_entropy 29 | return loss 30 | 31 | def _test(model,data): 32 | correct = 0 33 | tot = 0 34 | X,GT = data.sequential_val_batch() 35 | while X is not None: 36 | X = X.cuda() 37 | 38 | length_logits, digit1_logits, digit2_logits, digit3_logits, digit4_logits, digit5_logits = model(X) 39 | length_prediction = length_logits.max(1)[1] 40 | digit1_prediction = digit1_logits.max(1)[1] 41 | digit2_prediction = digit2_logits.max(1)[1] 42 | digit3_prediction = digit3_logits.max(1)[1] 43 | digit4_prediction = digit4_logits.max(1)[1] 44 | digit5_prediction = digit5_logits.max(1)[1] 45 | 46 | this_batch_size = len(GT) 47 | 48 | for i in range(this_batch_size): 49 | tot+=1 50 | if GT[i][0] != length_prediction[i]: continue 51 | mark = True 52 | for k in range(1,6): 53 | if GT[i][k] != eval('digit%d_prediction' % k)[i] : 54 | mark = False 55 | if mark : 56 | correct+=1 57 | 58 | X,GT = data.sequential_val_batch() 59 | 60 | #print('acc = %d / %d' % (correct,tot)) 61 | return correct/tot 62 | 63 | 64 | 65 | def _train(): 66 | 67 | num_steps_to_show_loss = 100 68 | num_steps_to_check = 1000 69 | 70 | step = 0 71 | patience = initial_patience 72 | best_accuracy = 0.0 73 | duration = 0.0 74 | 75 | print('preparing model ...') 76 | model = Model() 77 | #print('--- init from the SVHN model ---') 78 | #model.load_state_dict(torch.load('init.pth'),strict=False) 79 | model.cuda() 80 | print('done.') 81 | 82 | print('preparing data ...') 83 | data = DigitData(batch_size=batch_size) 84 | #print('=> Evaluating init performance...') 85 | #model.eval() 86 | #accuracy = _test(model,data) 87 | #model.train() 88 | #print('==> accuracy = %f' % (accuracy)) 89 | print('done.') 90 | 91 | optimizer = optim.SGD(model.parameters(), lr=initial_learning_rate, momentum=0.9, weight_decay=0.0005) 92 | scheduler = StepLR(optimizer, step_size=decay_steps, gamma=decay_rate) 93 | 94 | if path_to_restore_checkpoint_file is not None: 95 | assert os.path.isfile(path_to_restore_checkpoint_file), '%s not found' % path_to_restore_checkpoint_file 96 | step = model.restore(path_to_restore_checkpoint_file) 97 | scheduler.last_epoch = step 98 | print('Model restored from file: %s' % path_to_restore_checkpoint_file) 99 | 100 | path_to_losses_npy_file = os.path.join(path_to_log_dir, 'losses.npy') 101 | if os.path.isfile(path_to_losses_npy_file): 102 | losses = np.load(path_to_losses_npy_file) 103 | else: 104 | losses = np.empty([0], dtype=np.float32) 105 | 106 | 107 | start_time = time.time() 108 | 109 | model.train() 110 | 111 | while True: 112 | 113 | features_batch, labels_batch = data.random_train_batch() 114 | features_batch = features_batch.cuda() 115 | labels_batch = labels_batch.cuda() 116 | 117 | length_logits, digit1_logits, digit2_logits, digit3_logits, digit4_logits, digit5_logits = model(features_batch) 118 | loss = _loss(length_logits, digit1_logits, digit2_logits, digit3_logits, digit4_logits, digit5_logits, labels_batch) 119 | 120 | optimizer.zero_grad() 121 | loss.backward() 122 | optimizer.step() 123 | scheduler.step() 124 | step += 1 125 | 126 | if step % num_steps_to_show_loss == 0: 127 | duration = 0.0 128 | print('=> step %d, loss = %f, learning_rate = %f (Taken time : %f minutes)' % 129 | (step, loss.item(), scheduler.get_lr()[0], (time.time()-start_time)/60.0)) 130 | 131 | if step % num_steps_to_check != 0: continue 132 | 133 | losses = np.append(losses, loss.item()) 134 | np.save(path_to_losses_npy_file, losses) 135 | 136 | print('=> Evaluating on validation dataset...') 137 | model.eval() 138 | accuracy = _test(model,data) 139 | model.train() 140 | print('==> accuracy = %f, best accuracy %f' % (accuracy, best_accuracy)) 141 | 142 | if accuracy > best_accuracy: 143 | path_to_checkpoint_file = model.store(path_to_log_dir, step=step) 144 | print('=> Model saved to file: %s' % path_to_checkpoint_file) 145 | patience = initial_patience 146 | best_accuracy = accuracy 147 | else: 148 | patience -= 1 149 | 150 | print('=> patience = %d' % patience) 151 | if patience == 0: 152 | return 153 | 154 | 155 | 156 | if not os.path.exists(path_to_log_dir): 157 | os.makedirs(path_to_log_dir) 158 | 159 | print('Start training') 160 | _train() 161 | print('Done') -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/data/.DS_Store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AI-secure/Knowledge-Enhanced-Machine-Learning-Pipeline/8cda8102577c1203f5781844238b53626e68dac4/SettingA-linf,unforeseen,corruptions/data/.DS_Store -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/data/blackpip_linf_gen.py: -------------------------------------------------------------------------------- 1 | import numpy as np 2 | import cv2 3 | 4 | 5 | def foreground_segmentation(img): 6 | mask = np.zeros((128,128),np.uint8) 7 | ## Foreground Segmentation 8 | bgdModel = np.zeros((1,65),np.float64) 9 | fgdModel = np.zeros((1,65),np.float64) 10 | rect = (1,1,126,126) 11 | cv2.grabCut(img,mask,rect,bgdModel,fgdModel,5,cv2.GC_INIT_WITH_RECT) 12 | mask2 = np.where((mask==2)|(mask==0),0,1).astype(np.uint8) 13 | return mask2 14 | 15 | def preprocess(img): 16 | 17 | temp = cv2.cvtColor(img, cv2.COLOR_BGR2HSV) 18 | temp[:,:,1] = cv2.equalizeHist(temp[:,:,1]) 19 | temp[:,:,2] = cv2.equalizeHist(temp[:,:,2]) 20 | temp = cv2.cvtColor(temp, cv2.COLOR_HSV2BGR) 21 | temp = cv2.GaussianBlur(temp,(7,7),0) 22 | mask = foreground_segmentation(temp) 23 | 24 | mask_larger = cv2.resize(mask,(138,138)) 25 | mask_smaller = cv2.resize(mask,(90,90)) 26 | 27 | border = img.copy() 28 | for i in range(3): 29 | border[:,:,i] = border[:,:,i] * mask_larger[5:133,5:133] 30 | mask[:,:] = 1 31 | mask[19:109,19:109] = 1 - mask_smaller[:,:] 32 | for i in range(3): 33 | border[:,:,i] = border[:,:,i] * mask 34 | 35 | content = img.copy() 36 | content = cv2.cvtColor(content,cv2.COLOR_BGR2GRAY) 37 | content = cv2.GaussianBlur(content,(7,7),0) 38 | content = cv2.equalizeHist(content) 39 | content = cv2.Canny(content, 20, 50) 40 | mask[:,:] = 0 41 | mask[19:109,19:109] = mask_smaller[:,:] 42 | content *= mask 43 | 44 | return border, content 45 | 46 | attack_mapping = { 47 | '[black_box_pipeline]pgd_4_adv_X_test.npy' : '[black_box_pipeline]pgd_4_adv', 48 | '[black_box_pipeline]pgd_8_adv_X_test.npy' : '[black_box_pipeline]pgd_8_adv', 49 | '[black_box_pipeline]pgd_16_adv_X_test.npy' : '[black_box_pipeline]pgd_16_adv', 50 | '[black_box_pipeline]pgd_32_adv_X_test.npy' : '[black_box_pipeline]pgd_32_adv' 51 | } 52 | 53 | 54 | 55 | print('Generate border & content edge ......') 56 | 57 | for file_path in attack_mapping.keys(): 58 | #phase = black_box_natural_mapping[file_path] 59 | phase = attack_mapping[file_path] 60 | 61 | border = [] 62 | content = [] 63 | 64 | X = np.load('./data/'+file_path) 65 | num = len(X) 66 | 67 | print('> phase : %s , %d samples' % (phase,num)) 68 | 69 | for i in range(num): 70 | img = X[i] 71 | img = cv2.resize(img,(128,128)) 72 | b_img, c_img = preprocess(img) 73 | border.append(b_img) 74 | content.append(c_img) 75 | 76 | if (i+1)%200 == 0: 77 | print('> %s data : %d/%d' % (phase,i+1,num)) 78 | 79 | print('> %s data : %d/%d' % (phase,i+1,num)) 80 | 81 | 82 | border = np.array(border) 83 | content = np.array(content) 84 | 85 | np.save('./data/%s_border.npy' % phase,border) 86 | np.save('./data/%s_content.npy' % phase,content) 87 | 88 | print('Done ..... \n') -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/data/blackpip_unforeseen_gen.py: -------------------------------------------------------------------------------- 1 | import numpy as np 2 | import cv2 3 | 4 | 5 | def foreground_segmentation(img): 6 | mask = np.zeros((128,128),np.uint8) 7 | ## Foreground Segmentation 8 | bgdModel = np.zeros((1,65),np.float64) 9 | fgdModel = np.zeros((1,65),np.float64) 10 | rect = (1,1,126,126) 11 | cv2.grabCut(img,mask,rect,bgdModel,fgdModel,5,cv2.GC_INIT_WITH_RECT) 12 | mask2 = np.where((mask==2)|(mask==0),0,1).astype(np.uint8) 13 | return mask2 14 | 15 | def preprocess(img): 16 | 17 | temp = cv2.cvtColor(img, cv2.COLOR_BGR2HSV) 18 | temp[:,:,1] = cv2.equalizeHist(temp[:,:,1]) 19 | temp[:,:,2] = cv2.equalizeHist(temp[:,:,2]) 20 | temp = cv2.cvtColor(temp, cv2.COLOR_HSV2BGR) 21 | temp = cv2.GaussianBlur(temp,(7,7),0) 22 | mask = foreground_segmentation(temp) 23 | 24 | mask_larger = cv2.resize(mask,(138,138)) 25 | mask_smaller = cv2.resize(mask,(90,90)) 26 | 27 | border = img.copy() 28 | for i in range(3): 29 | border[:,:,i] = border[:,:,i] * mask_larger[5:133,5:133] 30 | mask[:,:] = 1 31 | mask[19:109,19:109] = 1 - mask_smaller[:,:] 32 | for i in range(3): 33 | border[:,:,i] = border[:,:,i] * mask 34 | 35 | content = img.copy() 36 | content = cv2.cvtColor(content,cv2.COLOR_BGR2GRAY) 37 | content = cv2.GaussianBlur(content,(7,7),0) 38 | content = cv2.equalizeHist(content) 39 | content = cv2.Canny(content, 20, 50) 40 | mask[:,:] = 0 41 | mask[19:109,19:109] = mask_smaller[:,:] 42 | content *= mask 43 | 44 | return border, content 45 | 46 | attack_mapping = { 47 | '[black_box_pipeline]fog_256_adv_X_test.npy' : '[black_box_pipeline]fog_256_adv', 48 | '[black_box_pipeline]fog_512_adv_X_test.npy' : '[black_box_pipeline]fog_512_adv', 49 | 50 | '[black_box_pipeline]snow_0.25_adv_X_test.npy' : '[black_box_pipeline]snow_0.25_adv', 51 | '[black_box_pipeline]snow_0.75_adv_X_test.npy' : '[black_box_pipeline]snow_0.75_adv', 52 | 53 | '[black_box_pipeline]jpeg_0.125_adv_X_test.npy' : '[black_box_pipeline]jpeg_0.125_adv', 54 | '[black_box_pipeline]jpeg_0.25_adv_X_test.npy' : '[black_box_pipeline]jpeg_0.25_adv', 55 | 56 | '[black_box_pipeline]gabor_20_adv_X_test.npy' : '[black_box_pipeline]gabor_20_adv', 57 | '[black_box_pipeline]gabor_40_adv_X_test.npy' : '[black_box_pipeline]gabor_40_adv', 58 | 59 | '[black_box_pipeline]elastic_1.5_adv_X_test.npy' : '[black_box_pipeline]elastic_1.5_adv', 60 | '[black_box_pipeline]elastic_2.0_adv_X_test.npy' : '[black_box_pipeline]elastic_2.0_adv', 61 | } 62 | 63 | 64 | 65 | print('Generate border & content edge ......') 66 | 67 | for file_path in attack_mapping.keys(): 68 | #phase = black_box_natural_mapping[file_path] 69 | phase = attack_mapping[file_path] 70 | 71 | border = [] 72 | content = [] 73 | 74 | X = np.load('./data/'+file_path) 75 | num = len(X) 76 | 77 | print('> phase : %s , %d samples' % (phase,num)) 78 | 79 | for i in range(num): 80 | img = X[i] 81 | img = cv2.resize(img,(128,128)) 82 | b_img, c_img = preprocess(img) 83 | #b_img = cv2.resize(b_img,(32,32)) 84 | #c_img = cv2.resize(c_img,(128,32)) 85 | border.append(b_img) 86 | content.append(c_img) 87 | 88 | if (i+1)%200 == 0: 89 | print('> %s data : %d/%d' % (phase,i+1,num)) 90 | 91 | print('> %s data : %d/%d' % (phase,i+1,num)) 92 | 93 | 94 | border = np.array(border) 95 | content = np.array(content) 96 | 97 | np.save('./data/%s_border.npy' % phase,border) 98 | np.save('./data/%s_content.npy' % phase,content) 99 | 100 | print('Done ..... \n') -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/data/blacksensor_linf_gen.py: -------------------------------------------------------------------------------- 1 | import numpy as np 2 | import cv2 3 | 4 | 5 | def foreground_segmentation(img): 6 | mask = np.zeros((128,128),np.uint8) 7 | ## Foreground Segmentation 8 | bgdModel = np.zeros((1,65),np.float64) 9 | fgdModel = np.zeros((1,65),np.float64) 10 | rect = (1,1,126,126) 11 | cv2.grabCut(img,mask,rect,bgdModel,fgdModel,5,cv2.GC_INIT_WITH_RECT) 12 | mask2 = np.where((mask==2)|(mask==0),0,1).astype(np.uint8) 13 | return mask2 14 | 15 | def preprocess(img): 16 | 17 | temp = cv2.cvtColor(img, cv2.COLOR_BGR2HSV) 18 | temp[:,:,1] = cv2.equalizeHist(temp[:,:,1]) 19 | temp[:,:,2] = cv2.equalizeHist(temp[:,:,2]) 20 | temp = cv2.cvtColor(temp, cv2.COLOR_HSV2BGR) 21 | temp = cv2.GaussianBlur(temp,(7,7),0) 22 | mask = foreground_segmentation(temp) 23 | 24 | mask_larger = cv2.resize(mask,(138,138)) 25 | mask_smaller = cv2.resize(mask,(90,90)) 26 | 27 | border = img.copy() 28 | for i in range(3): 29 | border[:,:,i] = border[:,:,i] * mask_larger[5:133,5:133] 30 | mask[:,:] = 1 31 | mask[19:109,19:109] = 1 - mask_smaller[:,:] 32 | for i in range(3): 33 | border[:,:,i] = border[:,:,i] * mask 34 | 35 | content = img.copy() 36 | content = cv2.cvtColor(content,cv2.COLOR_BGR2GRAY) 37 | content = cv2.GaussianBlur(content,(7,7),0) 38 | content = cv2.equalizeHist(content) 39 | content = cv2.Canny(content, 20, 50) 40 | mask[:,:] = 0 41 | mask[19:109,19:109] = mask_smaller[:,:] 42 | content *= mask 43 | 44 | return border, content 45 | 46 | attack_mapping = { 47 | '[black_box_sensor]pgd_4_adv_X_test.npy' : '[black_box_sensor]pgd_4_adv', 48 | '[black_box_sensor]pgd_8_adv_X_test.npy' : '[black_box_sensor]pgd_8_adv', 49 | '[black_box_sensor]pgd_16_adv_X_test.npy' : '[black_box_sensor]pgd_16_adv', 50 | '[black_box_sensor]pgd_32_adv_X_test.npy' : '[black_box_sensor]pgd_32_adv' 51 | } 52 | 53 | 54 | print('Generate border & content edge ......') 55 | 56 | for file_path in attack_mapping.keys(): 57 | #phase = black_box_natural_mapping[file_path] 58 | phase = attack_mapping[file_path] 59 | 60 | border = [] 61 | content = [] 62 | 63 | X = np.load('./data/'+file_path) 64 | num = len(X) 65 | 66 | print('> phase : %s , %d samples' % (phase,num)) 67 | 68 | for i in range(num): 69 | img = X[i] 70 | img = cv2.resize(img,(128,128)) 71 | b_img, c_img = preprocess(img) 72 | #b_img = cv2.resize(b_img,(32,32)) 73 | #c_img = cv2.resize(c_img,(128,32)) 74 | border.append(b_img) 75 | content.append(c_img) 76 | 77 | if (i+1)%200 == 0: 78 | print('> %s data : %d/%d' % (phase,i+1,num)) 79 | 80 | print('> %s data : %d/%d' % (phase,i+1,num)) 81 | 82 | 83 | border = np.array(border) 84 | content = np.array(content) 85 | 86 | np.save('./data/%s_border.npy' % phase,border) 87 | np.save('./data/%s_content.npy' % phase,content) 88 | 89 | print('Done ..... \n') -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/data/blacksensor_unforeseen_gen.py: -------------------------------------------------------------------------------- 1 | import numpy as np 2 | import cv2 3 | 4 | 5 | def foreground_segmentation(img): 6 | mask = np.zeros((128,128),np.uint8) 7 | ## Foreground Segmentation 8 | bgdModel = np.zeros((1,65),np.float64) 9 | fgdModel = np.zeros((1,65),np.float64) 10 | rect = (1,1,126,126) 11 | cv2.grabCut(img,mask,rect,bgdModel,fgdModel,5,cv2.GC_INIT_WITH_RECT) 12 | mask2 = np.where((mask==2)|(mask==0),0,1).astype(np.uint8) 13 | return mask2 14 | 15 | def preprocess(img): 16 | 17 | temp = cv2.cvtColor(img, cv2.COLOR_BGR2HSV) 18 | temp[:,:,1] = cv2.equalizeHist(temp[:,:,1]) 19 | temp[:,:,2] = cv2.equalizeHist(temp[:,:,2]) 20 | temp = cv2.cvtColor(temp, cv2.COLOR_HSV2BGR) 21 | temp = cv2.GaussianBlur(temp,(7,7),0) 22 | mask = foreground_segmentation(temp) 23 | 24 | mask_larger = cv2.resize(mask,(138,138)) 25 | mask_smaller = cv2.resize(mask,(90,90)) 26 | 27 | border = img.copy() 28 | for i in range(3): 29 | border[:,:,i] = border[:,:,i] * mask_larger[5:133,5:133] 30 | mask[:,:] = 1 31 | mask[19:109,19:109] = 1 - mask_smaller[:,:] 32 | for i in range(3): 33 | border[:,:,i] = border[:,:,i] * mask 34 | 35 | content = img.copy() 36 | content = cv2.cvtColor(content,cv2.COLOR_BGR2GRAY) 37 | content = cv2.GaussianBlur(content,(7,7),0) 38 | content = cv2.equalizeHist(content) 39 | content = cv2.Canny(content, 20, 50) 40 | mask[:,:] = 0 41 | mask[19:109,19:109] = mask_smaller[:,:] 42 | content *= mask 43 | 44 | return border, content 45 | 46 | attack_mapping = { 47 | '[black_box_sensor]fog_256_adv_X_test.npy' : '[black_box_sensor]fog_256_adv', 48 | '[black_box_sensor]fog_512_adv_X_test.npy' : '[black_box_sensor]fog_512_adv', 49 | 50 | '[black_box_sensor]snow_0.25_adv_X_test.npy' : '[black_box_sensor]snow_0.25_adv', 51 | '[black_box_sensor]snow_0.75_adv_X_test.npy' : '[black_box_sensor]snow_0.75_adv', 52 | 53 | '[black_box_sensor]jpeg_0.125_adv_X_test.npy' : '[black_box_sensor]jpeg_0.125_adv', 54 | '[black_box_sensor]jpeg_0.25_adv_X_test.npy' : '[black_box_sensor]jpeg_0.25_adv', 55 | 56 | '[black_box_sensor]gabor_20_adv_X_test.npy' : '[black_box_sensor]gabor_20_adv', 57 | '[black_box_sensor]gabor_40_adv_X_test.npy' : '[black_box_sensor]gabor_40_adv', 58 | 59 | '[black_box_sensor]elastic_1.5_adv_X_test.npy' : '[black_box_sensor]elastic_1.5_adv', 60 | '[black_box_sensor]elastic_2.0_adv_X_test.npy' : '[black_box_sensor]elastic_2.0_adv', 61 | } 62 | 63 | 64 | 65 | print('Generate border & content edge ......') 66 | 67 | for file_path in attack_mapping.keys(): 68 | #phase = black_box_natural_mapping[file_path] 69 | phase = attack_mapping[file_path] 70 | 71 | border = [] 72 | content = [] 73 | 74 | X = np.load('./data/'+file_path) 75 | num = len(X) 76 | 77 | print('> phase : %s , %d samples' % (phase,num)) 78 | 79 | for i in range(num): 80 | img = X[i] 81 | img = cv2.resize(img,(128,128)) 82 | b_img, c_img = preprocess(img) 83 | #b_img = cv2.resize(b_img,(32,32)) 84 | #c_img = cv2.resize(c_img,(128,32)) 85 | border.append(b_img) 86 | content.append(c_img) 87 | 88 | if (i+1)%200 == 0: 89 | print('> %s data : %d/%d' % (phase,i+1,num)) 90 | 91 | print('> %s data : %d/%d' % (phase,i+1,num)) 92 | 93 | 94 | border = np.array(border) 95 | content = np.array(content) 96 | 97 | np.save('./data/%s_border.npy' % phase,border) 98 | np.save('./data/%s_content.npy' % phase,content) 99 | 100 | print('Done ..... \n') -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/data/corruption_gen.py: -------------------------------------------------------------------------------- 1 | import numpy as np 2 | import cv2 3 | 4 | 5 | def foreground_segmentation(img): 6 | mask = np.zeros((128,128),np.uint8) 7 | ## Foreground Segmentation 8 | bgdModel = np.zeros((1,65),np.float64) 9 | fgdModel = np.zeros((1,65),np.float64) 10 | rect = (1,1,126,126) 11 | cv2.grabCut(img,mask,rect,bgdModel,fgdModel,5,cv2.GC_INIT_WITH_RECT) 12 | mask2 = np.where((mask==2)|(mask==0),0,1).astype(np.uint8) 13 | return mask2 14 | 15 | def preprocess(img): 16 | 17 | temp = cv2.cvtColor(img, cv2.COLOR_BGR2HSV) 18 | temp[:,:,1] = cv2.equalizeHist(temp[:,:,1]) 19 | temp[:,:,2] = cv2.equalizeHist(temp[:,:,2]) 20 | temp = cv2.cvtColor(temp, cv2.COLOR_HSV2BGR) 21 | temp = cv2.GaussianBlur(temp,(7,7),0) 22 | mask = foreground_segmentation(temp) 23 | 24 | mask_larger = cv2.resize(mask,(138,138)) 25 | mask_smaller = cv2.resize(mask,(90,90)) 26 | 27 | border = img.copy() 28 | for i in range(3): 29 | border[:,:,i] = border[:,:,i] * mask_larger[5:133,5:133] 30 | mask[:,:] = 1 31 | mask[19:109,19:109] = 1 - mask_smaller[:,:] 32 | for i in range(3): 33 | border[:,:,i] = border[:,:,i] * mask 34 | 35 | content = img.copy() 36 | content = cv2.cvtColor(content,cv2.COLOR_BGR2GRAY) 37 | content = cv2.GaussianBlur(content,(7,7),0) 38 | content = cv2.equalizeHist(content) 39 | content = cv2.Canny(content, 20, 50) 40 | mask[:,:] = 0 41 | mask[19:109,19:109] = mask_smaller[:,:] 42 | content *= mask 43 | 44 | return border, content 45 | 46 | 47 | common_corruption_mapping={ 48 | '[corruption]fog_adv_X_test.npy' : '[corruption]fog_adv', 49 | '[corruption]contrast_adv_X_test.npy' : '[corruption]contrast_adv', 50 | '[corruption]brightness_adv_X_test.npy' : '[corruption]brightness_adv' 51 | } 52 | 53 | 54 | print('Generate border & content edge ......') 55 | 56 | for file_path in common_corruption_mapping.keys(): 57 | 58 | phase = common_corruption_mapping[file_path] 59 | 60 | border = [] 61 | content = [] 62 | 63 | X = np.load('./data/'+file_path) 64 | num = len(X) 65 | 66 | print('> phase : %s , %d samples' % (phase,num)) 67 | 68 | for i in range(num): 69 | img = X[i] 70 | img = cv2.resize(img,(128,128)) 71 | b_img, c_img = preprocess(img) 72 | border.append(b_img) 73 | content.append(c_img) 74 | 75 | if (i+1)%200 == 0: 76 | print('> %s data : %d/%d' % (phase,i+1,num)) 77 | 78 | print('> %s data : %d/%d' % (phase,i+1,num)) 79 | 80 | 81 | border = np.array(border) 82 | content = np.array(content) 83 | 84 | np.save('./data/%s_border.npy' % phase,border) 85 | np.save('./data/%s_content.npy' % phase,content) 86 | 87 | print('Done ..... \n') -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/data/white_linf_gen.py: -------------------------------------------------------------------------------- 1 | import numpy as np 2 | import cv2 3 | 4 | 5 | def foreground_segmentation(img): 6 | mask = np.zeros((128,128),np.uint8) 7 | ## Foreground Segmentation 8 | bgdModel = np.zeros((1,65),np.float64) 9 | fgdModel = np.zeros((1,65),np.float64) 10 | rect = (1,1,126,126) 11 | cv2.grabCut(img,mask,rect,bgdModel,fgdModel,5,cv2.GC_INIT_WITH_RECT) 12 | mask2 = np.where((mask==2)|(mask==0),0,1).astype(np.uint8) 13 | return mask2 14 | 15 | def preprocess(img): 16 | 17 | temp = cv2.cvtColor(img, cv2.COLOR_BGR2HSV) 18 | temp[:,:,1] = cv2.equalizeHist(temp[:,:,1]) 19 | temp[:,:,2] = cv2.equalizeHist(temp[:,:,2]) 20 | temp = cv2.cvtColor(temp, cv2.COLOR_HSV2BGR) 21 | temp = cv2.GaussianBlur(temp,(7,7),0) 22 | mask = foreground_segmentation(temp) 23 | 24 | mask_larger = cv2.resize(mask,(138,138)) 25 | mask_smaller = cv2.resize(mask,(90,90)) 26 | 27 | border = img.copy() 28 | for i in range(3): 29 | border[:,:,i] = border[:,:,i] * mask_larger[5:133,5:133] 30 | mask[:,:] = 1 31 | mask[19:109,19:109] = 1 - mask_smaller[:,:] 32 | for i in range(3): 33 | border[:,:,i] = border[:,:,i] * mask 34 | 35 | content = img.copy() 36 | content = cv2.cvtColor(content,cv2.COLOR_BGR2GRAY) 37 | content = cv2.GaussianBlur(content,(7,7),0) 38 | content = cv2.equalizeHist(content) 39 | content = cv2.Canny(content, 20, 50) 40 | mask[:,:] = 0 41 | mask[19:109,19:109] = mask_smaller[:,:] 42 | content *= mask 43 | 44 | return border, content 45 | 46 | 47 | linf_attack_mapping = { 48 | 49 | '[clean]pgd_4_adv_X_test.npy' : '[clean]pgd_4_adv', 50 | '[clean]pgd_8_adv_X_test.npy' : '[clean]pgd_8_adv', 51 | '[clean]pgd_16_adv_X_test.npy' : '[clean]pgd_16_adv', 52 | '[clean]pgd_32_adv_X_test.npy' : '[clean]pgd_32_adv', 53 | 54 | '[adv_4]pgd_4_adv_X_test.npy' : '[adv_4]pgd_4_adv', 55 | '[adv_4]pgd_8_adv_X_test.npy' : '[adv_4]pgd_8_adv', 56 | '[adv_4]pgd_16_adv_X_test.npy' : '[adv_4]pgd_16_adv', 57 | '[adv_4]pgd_32_adv_X_test.npy' : '[adv_4]pgd_32_adv', 58 | 59 | '[adv_8]pgd_4_adv_X_test.npy' : '[adv_8]pgd_4_adv', 60 | '[adv_8]pgd_8_adv_X_test.npy' : '[adv_8]pgd_8_adv', 61 | '[adv_8]pgd_16_adv_X_test.npy' : '[adv_8]pgd_16_adv', 62 | '[adv_8]pgd_32_adv_X_test.npy' : '[adv_8]pgd_32_adv', 63 | 64 | '[adv_16]pgd_4_adv_X_test.npy' : '[adv_16]pgd_4_adv', 65 | '[adv_16]pgd_8_adv_X_test.npy' : '[adv_16]pgd_8_adv', 66 | '[adv_16]pgd_16_adv_X_test.npy' : '[adv_16]pgd_16_adv', 67 | '[adv_16]pgd_32_adv_X_test.npy' : '[adv_16]pgd_32_adv', 68 | 69 | '[adv_32]pgd_4_adv_X_test.npy' : '[adv_32]pgd_4_adv', 70 | '[adv_32]pgd_8_adv_X_test.npy' : '[adv_32]pgd_8_adv', 71 | '[adv_32]pgd_16_adv_X_test.npy' : '[adv_32]pgd_16_adv', 72 | '[adv_32]pgd_32_adv_X_test.npy' : '[adv_32]pgd_32_adv', 73 | 74 | '[doa_5]pgd_4_adv_X_test.npy' : '[doa_5]pgd_4_adv', 75 | '[doa_5]pgd_8_adv_X_test.npy': '[doa_5]pgd_8_adv', 76 | '[doa_5]pgd_16_adv_X_test.npy': '[doa_5]pgd_16_adv', 77 | '[doa_5]pgd_32_adv_X_test.npy': '[doa_5]pgd_32_adv', 78 | 79 | '[doa_7]pgd_4_adv_X_test.npy': '[doa_7]pgd_4_adv', 80 | '[doa_7]pgd_8_adv_X_test.npy': '[doa_7]pgd_8_adv', 81 | '[doa_7]pgd_16_adv_X_test.npy': '[doa_7]pgd_16_adv', 82 | '[doa_7]pgd_32_adv_X_test.npy': '[doa_7]pgd_32_adv' 83 | } 84 | 85 | 86 | 87 | 88 | print('Generate border & content edge ......') 89 | 90 | for file_path in linf_attack_mapping.keys(): 91 | 92 | phase = linf_attack_mapping[file_path] 93 | 94 | border = [] 95 | content = [] 96 | 97 | X = np.load('./data/'+file_path) 98 | num = len(X) 99 | 100 | print('> phase : %s , %d samples' % (phase,num)) 101 | 102 | for i in range(num): 103 | img = X[i] 104 | img = cv2.resize(img,(128,128)) 105 | b_img, c_img = preprocess(img) 106 | border.append(b_img) 107 | content.append(c_img) 108 | 109 | if (i+1)%200 == 0: 110 | print('> %s data : %d/%d' % (phase,i+1,num)) 111 | 112 | print('> %s data : %d/%d' % (phase,i+1,num)) 113 | 114 | 115 | border = np.array(border) 116 | content = np.array(content) 117 | 118 | np.save('./data/%s_border.npy' % phase,border) 119 | np.save('./data/%s_content.npy' % phase,content) 120 | 121 | print('Done ..... \n') -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/data/white_unforeseen_gen.py: -------------------------------------------------------------------------------- 1 | import numpy as np 2 | import cv2 3 | 4 | 5 | def foreground_segmentation(img): 6 | mask = np.zeros((128,128),np.uint8) 7 | ## Foreground Segmentation 8 | bgdModel = np.zeros((1,65),np.float64) 9 | fgdModel = np.zeros((1,65),np.float64) 10 | rect = (1,1,126,126) 11 | cv2.grabCut(img,mask,rect,bgdModel,fgdModel,5,cv2.GC_INIT_WITH_RECT) 12 | mask2 = np.where((mask==2)|(mask==0),0,1).astype(np.uint8) 13 | return mask2 14 | 15 | def preprocess(img): 16 | 17 | temp = cv2.cvtColor(img, cv2.COLOR_BGR2HSV) 18 | temp[:,:,1] = cv2.equalizeHist(temp[:,:,1]) 19 | temp[:,:,2] = cv2.equalizeHist(temp[:,:,2]) 20 | temp = cv2.cvtColor(temp, cv2.COLOR_HSV2BGR) 21 | temp = cv2.GaussianBlur(temp,(7,7),0) 22 | mask = foreground_segmentation(temp) 23 | 24 | mask_larger = cv2.resize(mask,(138,138)) 25 | mask_smaller = cv2.resize(mask,(90,90)) 26 | 27 | border = img.copy() 28 | for i in range(3): 29 | border[:,:,i] = border[:,:,i] * mask_larger[5:133,5:133] 30 | mask[:,:] = 1 31 | mask[19:109,19:109] = 1 - mask_smaller[:,:] 32 | for i in range(3): 33 | border[:,:,i] = border[:,:,i] * mask 34 | 35 | content = img.copy() 36 | content = cv2.cvtColor(content,cv2.COLOR_BGR2GRAY) 37 | content = cv2.GaussianBlur(content,(7,7),0) 38 | content = cv2.equalizeHist(content) 39 | content = cv2.Canny(content, 20, 50) 40 | mask[:,:] = 0 41 | mask[19:109,19:109] = mask_smaller[:,:] 42 | content *= mask 43 | 44 | return border, content 45 | 46 | natural_attack_mapping = { 47 | 48 | ## Fog 49 | '[clean]fog_256_adv_X_test.npy' : '[clean]fog_256_adv', 50 | '[clean]fog_512_adv_X_test.npy' : '[clean]fog_512_adv', 51 | 52 | '[adv_4]fog_256_adv_X_test.npy' : '[adv_4]fog_256_adv', 53 | '[adv_4]fog_512_adv_X_test.npy' : '[adv_4]fog_512_adv', 54 | 55 | '[adv_8]fog_256_adv_X_test.npy' : '[adv_8]fog_256_adv', 56 | '[adv_8]fog_512_adv_X_test.npy' : '[adv_8]fog_512_adv', 57 | 58 | '[adv_16]fog_256_adv_X_test.npy' : '[adv_16]fog_256_adv', 59 | '[adv_16]fog_512_adv_X_test.npy' : '[adv_16]fog_512_adv', 60 | 61 | '[adv_32]fog_256_adv_X_test.npy' : '[adv_32]fog_256_adv', 62 | '[adv_32]fog_512_adv_X_test.npy' : '[adv_32]fog_512_adv', 63 | 64 | '[doa_5]fog_256_adv_X_test.npy' : '[doa_5]fog_256_adv', 65 | '[doa_5]fog_512_adv_X_test.npy' : '[doa_5]fog_512_adv', 66 | 67 | '[doa_7]fog_256_adv_X_test.npy' : '[doa_7]fog_256_adv', 68 | '[doa_7]fog_512_adv_X_test.npy' : '[doa_7]fog_512_adv', 69 | 70 | 71 | ## Snow 72 | '[clean]snow_0.25_adv_X_test.npy' : '[clean]snow_0.25_adv', 73 | '[clean]snow_0.75_adv_X_test.npy' : '[clean]snow_0.75_adv', 74 | 75 | '[adv_4]snow_0.25_adv_X_test.npy' : '[adv_4]snow_0.25_adv', 76 | '[adv_4]snow_0.75_adv_X_test.npy' : '[adv_4]snow_0.75_adv', 77 | 78 | '[adv_8]snow_0.25_adv_X_test.npy' : '[adv_8]snow_0.25_adv', 79 | '[adv_8]snow_0.75_adv_X_test.npy' : '[adv_8]snow_0.75_adv', 80 | 81 | '[adv_16]snow_0.25_adv_X_test.npy' : '[adv_16]snow_0.25_adv', 82 | '[adv_16]snow_0.75_adv_X_test.npy' : '[adv_16]snow_0.75_adv', 83 | 84 | '[adv_32]snow_0.25_adv_X_test.npy' : '[adv_32]snow_0.25_adv', 85 | '[adv_32]snow_0.75_adv_X_test.npy' : '[adv_32]snow_0.75_adv', 86 | 87 | '[doa_5]snow_0.25_adv_X_test.npy' : '[doa_5]snow_0.25_adv', 88 | '[doa_5]snow_0.75_adv_X_test.npy' : '[doa_5]snow_0.75_adv', 89 | 90 | '[doa_7]snow_0.25_adv_X_test.npy' : '[doa_7]snow_0.25_adv', 91 | '[doa_7]snow_0.75_adv_X_test.npy' : '[doa_7]snow_0.75_adv', 92 | 93 | 94 | ## JPEG 95 | '[clean]jpeg_0.125_adv_X_test.npy' : '[clean]jpeg_0.125_adv', 96 | '[clean]jpeg_0.25_adv_X_test.npy' : '[clean]jpeg_0.25_adv', 97 | 98 | '[adv_4]jpeg_0.125_adv_X_test.npy' : '[adv_4]jpeg_0.125_adv', 99 | '[adv_4]jpeg_0.25_adv_X_test.npy' : '[adv_4]jpeg_0.25_adv', 100 | 101 | '[adv_8]jpeg_0.125_adv_X_test.npy' : '[adv_8]jpeg_0.125_adv', 102 | '[adv_8]jpeg_0.25_adv_X_test.npy' : '[adv_8]jpeg_0.25_adv', 103 | 104 | '[adv_16]jpeg_0.125_adv_X_test.npy' : '[adv_16]jpeg_0.125_adv', 105 | '[adv_16]jpeg_0.25_adv_X_test.npy' : '[adv_16]jpeg_0.25_adv', 106 | 107 | '[adv_32]jpeg_0.125_adv_X_test.npy' : '[adv_32]jpeg_0.125_adv', 108 | '[adv_32]jpeg_0.25_adv_X_test.npy' : '[adv_32]jpeg_0.25_adv', 109 | 110 | '[doa_5]jpeg_0.125_adv_X_test.npy' : '[doa_5]jpeg_0.125_adv', 111 | '[doa_5]jpeg_0.25_adv_X_test.npy' : '[doa_5]jpeg_0.25_adv', 112 | 113 | '[doa_7]jpeg_0.125_adv_X_test.npy' : '[doa_7]jpeg_0.125_adv', 114 | '[doa_7]jpeg_0.25_adv_X_test.npy' : '[doa_7]jpeg_0.25_adv', 115 | 116 | 117 | ## Gabor 118 | '[clean]gabor_20_adv_X_test.npy' : '[clean]gabor_20_adv', 119 | '[clean]gabor_40_adv_X_test.npy' : '[clean]gabor_40_adv', 120 | 121 | '[adv_4]gabor_20_adv_X_test.npy' : '[adv_4]gabor_20_adv', 122 | '[adv_4]gabor_40_adv_X_test.npy' : '[adv_4]gabor_40_adv', 123 | 124 | '[adv_8]gabor_20_adv_X_test.npy' : '[adv_8]gabor_20_adv', 125 | '[adv_8]gabor_40_adv_X_test.npy' : '[adv_8]gabor_40_adv', 126 | 127 | '[adv_16]gabor_20_adv_X_test.npy' : '[adv_16]gabor_20_adv', 128 | '[adv_16]gabor_40_adv_X_test.npy' : '[adv_16]gabor_40_adv', 129 | 130 | '[adv_32]gabor_20_adv_X_test.npy' : '[adv_32]gabor_20_adv', 131 | '[adv_32]gabor_40_adv_X_test.npy' : '[adv_32]gabor_40_adv', 132 | 133 | '[doa_5]gabor_20_adv_X_test.npy' : '[doa_5]gabor_20_adv', 134 | '[doa_5]gabor_40_adv_X_test.npy' : '[doa_5]gabor_40_adv', 135 | 136 | '[doa_7]gabor_20_adv_X_test.npy' : '[doa_7]gabor_20_adv', 137 | '[doa_7]gabor_40_adv_X_test.npy' : '[doa_7]gabor_40_adv', 138 | 139 | 140 | ## Elastic 141 | '[clean]elastic_1.5_adv_X_test.npy' : '[clean]elastic_1.5_adv', 142 | '[clean]elastic_2.0_adv_X_test.npy' : '[clean]elastic_2.0_adv', 143 | 144 | '[adv_4]elastic_1.5_adv_X_test.npy' : '[adv_4]elastic_1.5_adv', 145 | '[adv_4]elastic_2.0_adv_X_test.npy' : '[adv_4]elastic_2.0_adv', 146 | 147 | '[adv_8]elastic_1.5_adv_X_test.npy' : '[adv_8]elastic_1.5_adv', 148 | '[adv_8]elastic_2.0_adv_X_test.npy' : '[adv_8]elastic_2.0_adv', 149 | 150 | '[adv_16]elastic_1.5_adv_X_test.npy' : '[adv_16]elastic_1.5_adv', 151 | '[adv_16]elastic_2.0_adv_X_test.npy' : '[adv_16]elastic_2.0_adv', 152 | 153 | '[adv_32]elastic_1.5_adv_X_test.npy' : '[adv_32]elastic_1.5_adv', 154 | '[adv_32]elastic_2.0_adv_X_test.npy' : '[adv_32]elastic_2.0_adv', 155 | 156 | '[doa_5]elastic_1.5_adv_X_test.npy' : '[doa_5]elastic_1.5_adv', 157 | '[doa_5]elastic_2.0_adv_X_test.npy' : '[doa_5]elastic_2.0_adv', 158 | 159 | '[doa_7]elastic_1.5_adv_X_test.npy' : '[doa_7]elastic_1.5_adv', 160 | '[doa_7]elastic_2.0_adv_X_test.npy' : '[doa_7]elastic_2.0_adv', 161 | } 162 | 163 | 164 | 165 | 166 | print('Generate border & content edge ......') 167 | 168 | for file_path in natural_attack_mapping.keys(): 169 | 170 | phase = natural_attack_mapping[file_path] 171 | 172 | border = [] 173 | content = [] 174 | 175 | X = np.load('./data/'+file_path) 176 | num = len(X) 177 | 178 | print('> phase : %s , %d samples' % (phase,num)) 179 | 180 | for i in range(num): 181 | img = X[i] 182 | img = cv2.resize(img,(128,128)) 183 | b_img, c_img = preprocess(img) 184 | border.append(b_img) 185 | content.append(c_img) 186 | 187 | if (i+1)%200 == 0: 188 | print('> %s data : %d/%d' % (phase,i+1,num)) 189 | 190 | print('> %s data : %d/%d' % (phase,i+1,num)) 191 | 192 | 193 | border = np.array(border) 194 | content = np.array(content) 195 | 196 | np.save('./data/%s_border.npy' % phase,border) 197 | np.save('./data/%s_content.npy' % phase,content) 198 | 199 | print('Done ..... \n') -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/img/0.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AI-secure/Knowledge-Enhanced-Machine-Learning-Pipeline/8cda8102577c1203f5781844238b53626e68dac4/SettingA-linf,unforeseen,corruptions/img/0.png -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/img/1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AI-secure/Knowledge-Enhanced-Machine-Learning-Pipeline/8cda8102577c1203f5781844238b53626e68dac4/SettingA-linf,unforeseen,corruptions/img/1.png -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/img/10.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AI-secure/Knowledge-Enhanced-Machine-Learning-Pipeline/8cda8102577c1203f5781844238b53626e68dac4/SettingA-linf,unforeseen,corruptions/img/10.png -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/img/11.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AI-secure/Knowledge-Enhanced-Machine-Learning-Pipeline/8cda8102577c1203f5781844238b53626e68dac4/SettingA-linf,unforeseen,corruptions/img/11.png -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/img/12.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AI-secure/Knowledge-Enhanced-Machine-Learning-Pipeline/8cda8102577c1203f5781844238b53626e68dac4/SettingA-linf,unforeseen,corruptions/img/12.png -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/img/13.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AI-secure/Knowledge-Enhanced-Machine-Learning-Pipeline/8cda8102577c1203f5781844238b53626e68dac4/SettingA-linf,unforeseen,corruptions/img/13.png -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/img/14.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AI-secure/Knowledge-Enhanced-Machine-Learning-Pipeline/8cda8102577c1203f5781844238b53626e68dac4/SettingA-linf,unforeseen,corruptions/img/14.png -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/img/15.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AI-secure/Knowledge-Enhanced-Machine-Learning-Pipeline/8cda8102577c1203f5781844238b53626e68dac4/SettingA-linf,unforeseen,corruptions/img/15.png -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/img/16.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AI-secure/Knowledge-Enhanced-Machine-Learning-Pipeline/8cda8102577c1203f5781844238b53626e68dac4/SettingA-linf,unforeseen,corruptions/img/16.png -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/img/17.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AI-secure/Knowledge-Enhanced-Machine-Learning-Pipeline/8cda8102577c1203f5781844238b53626e68dac4/SettingA-linf,unforeseen,corruptions/img/17.png -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/img/2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AI-secure/Knowledge-Enhanced-Machine-Learning-Pipeline/8cda8102577c1203f5781844238b53626e68dac4/SettingA-linf,unforeseen,corruptions/img/2.png -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/img/3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AI-secure/Knowledge-Enhanced-Machine-Learning-Pipeline/8cda8102577c1203f5781844238b53626e68dac4/SettingA-linf,unforeseen,corruptions/img/3.png -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/img/4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AI-secure/Knowledge-Enhanced-Machine-Learning-Pipeline/8cda8102577c1203f5781844238b53626e68dac4/SettingA-linf,unforeseen,corruptions/img/4.png -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/img/5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AI-secure/Knowledge-Enhanced-Machine-Learning-Pipeline/8cda8102577c1203f5781844238b53626e68dac4/SettingA-linf,unforeseen,corruptions/img/5.png -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/img/6.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AI-secure/Knowledge-Enhanced-Machine-Learning-Pipeline/8cda8102577c1203f5781844238b53626e68dac4/SettingA-linf,unforeseen,corruptions/img/6.png -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/img/7.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AI-secure/Knowledge-Enhanced-Machine-Learning-Pipeline/8cda8102577c1203f5781844238b53626e68dac4/SettingA-linf,unforeseen,corruptions/img/7.png -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/img/8.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AI-secure/Knowledge-Enhanced-Machine-Learning-Pipeline/8cda8102577c1203f5781844238b53626e68dac4/SettingA-linf,unforeseen,corruptions/img/8.png -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/img/9.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AI-secure/Knowledge-Enhanced-Machine-Learning-Pipeline/8cda8102577c1203f5781844238b53626e68dac4/SettingA-linf,unforeseen,corruptions/img/9.png -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/linf_attack/black_box_pipeline_attack.py: -------------------------------------------------------------------------------- 1 | from model import NEURAL 2 | import torch 3 | import time 4 | import torch.nn.functional as F 5 | import numpy as np 6 | import argparse 7 | import os 8 | 9 | parser = argparse.ArgumentParser() 10 | parser.add_argument('-enable_cuda', type=bool, default=True, help='whether use cuda device') 11 | parser.add_argument('-gpu_id', type=int, default=0, help='id number of the gpu device') 12 | args = parser.parse_args() 13 | 14 | 15 | enable_cuda = args.enable_cuda 16 | gpu_id = args.gpu_id 17 | 18 | 19 | if enable_cuda: 20 | device = torch.device('cuda:%d' % gpu_id) 21 | else: 22 | device = torch.device('cpu') 23 | 24 | 25 | def pgd_attack_random(model, images, labels, eps=1, alpha=1, iters=40, randomize=True): 26 | """ Construct L_inf adversarial examples on the examples X """ 27 | model.eval() 28 | labels = labels.to(device) 29 | if randomize: 30 | delta = torch.rand_like(images, requires_grad=True).to(device) 31 | delta.data = delta.data * 2 * eps - eps 32 | delta.data = (delta.data + images ).clamp(-0.5,0.5)-(images) 33 | else: 34 | delta = torch.zeros_like(images, requires_grad=True).to(device) 35 | 36 | for t in range(iters): 37 | loss = torch.nn.CrossEntropyLoss()(model(images + delta ), labels) 38 | loss.backward() 39 | 40 | delta.data = (delta + alpha*delta.grad.detach().sign()).clamp(-eps,eps) 41 | delta.data = (delta.data + images ).clamp(-0.5,0.5)-(images) 42 | delta.grad.zero_() 43 | 44 | return delta+images 45 | 46 | 47 | batch_size = 200 48 | n_class = 12 49 | 50 | 51 | 52 | print('[Data] Preparing .... ') 53 | X = torch.FloatTensor( np.load('../data/data/raw_feature_test.npy') / 255.0 - 0.5 ).permute(0,3,1,2).to(device) 54 | GT = torch.LongTensor( np.load('../data/data/raw_label_test.npy') ).to(device) 55 | print('[Data] Done .... ') 56 | 57 | 58 | 59 | print('[Model] Preparing .... ') 60 | sub_model = NEURAL(n_class=12,n_channel=3) 61 | sub_model = sub_model.to(device) 62 | ckpt = torch.load('../substitute/sub_pipeline.ckpt',map_location=device) 63 | sub_model.load_state_dict(ckpt) 64 | sub_model.eval() 65 | print('[Model] Done .... ') 66 | 67 | adv_type = ['pgd_4', 'pgd_8', 'pgd_16', 'pgd_32'] 68 | 69 | name_to_value = { 70 | 'pgd_4' : 4/255, 71 | 'pgd_8' : 8/255, 72 | 'pgd_16' : 16/255, 73 | 'pgd_32' : 32/255 74 | } 75 | 76 | for adv in adv_type: 77 | 78 | print('---------- Adv : %s --------------' % adv) 79 | 80 | adv_sample = [] 81 | batch_size = 50 82 | num = len(GT) 83 | st = 0 84 | 85 | while st!= num: 86 | ed = min(st+batch_size,num) 87 | input_batch = X[st:ed] 88 | gt_batch = GT[st:ed] 89 | 90 | adv_batch = pgd_attack_random(sub_model,input_batch,gt_batch,eps=name_to_value[adv],alpha=1/255,iters=40,randomize=True) 91 | 92 | adv_batch = ( ( adv_batch.cpu().permute(0,2,3,1).detach().numpy() + 0.5 ) * 255 ).astype(np.uint8) 93 | this_batch_size = len(gt_batch) 94 | for i in range(this_batch_size): 95 | adv_sample.append(adv_batch[i]) 96 | ## ... debug codes omitted 97 | st = ed 98 | 99 | adv_sample = np.array(adv_sample, dtype=np.uint8) 100 | print('[Attack] : Done, adversarial examples are generated.') 101 | np.save('../data/data/[black_box_pipeline]%s_adv_X_test.npy' % (adv), adv_sample) -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/linf_attack/black_box_sensor_attack.py: -------------------------------------------------------------------------------- 1 | from model import NEURAL 2 | import torch 3 | import time 4 | import torch.nn.functional as F 5 | import numpy as np 6 | import argparse 7 | import os 8 | 9 | parser = argparse.ArgumentParser() 10 | parser.add_argument('-enable_cuda', type=bool, default=True, help='whether use cuda device') 11 | parser.add_argument('-gpu_id', type=int, default=0, help='id number of the gpu device') 12 | args = parser.parse_args() 13 | 14 | 15 | enable_cuda = args.enable_cuda 16 | gpu_id = args.gpu_id 17 | 18 | 19 | if enable_cuda: 20 | device = torch.device('cuda:%d' % gpu_id) 21 | else: 22 | device = torch.device('cpu') 23 | 24 | 25 | 26 | def pgd_attack_random(model, images, labels, eps=1, alpha=1, iters=40, randomize=True): 27 | """ Construct L_inf adversarial examples on the examples X """ 28 | model.eval() 29 | labels = labels.to(device) 30 | if randomize: 31 | delta = torch.rand_like(images, requires_grad=True).to(device) 32 | delta.data = delta.data * 2 * eps - eps 33 | delta.data = (delta.data + images ).clamp(-0.5,0.5)-(images) 34 | else: 35 | delta = torch.zeros_like(images, requires_grad=True).to(device) 36 | 37 | for t in range(iters): 38 | loss = torch.nn.CrossEntropyLoss()(model(images + delta ), labels) 39 | loss.backward() 40 | 41 | delta.data = (delta + alpha*delta.grad.detach().sign()).clamp(-eps,eps) 42 | delta.data = (delta.data + images ).clamp(-0.5,0.5)-(images) 43 | delta.grad.zero_() 44 | 45 | return delta+images 46 | 47 | 48 | 49 | batch_size = 200 50 | n_class = 12 51 | 52 | 53 | 54 | print('[Data] Preparing .... ') 55 | X = torch.FloatTensor( np.load('../data/data/raw_feature_test.npy') / 255.0 - 0.5 ).permute(0,3,1,2).to(device) 56 | GT = torch.LongTensor( np.load('../data/data/raw_label_test.npy') ).to(device) 57 | print('[Data] Done .... ') 58 | 59 | 60 | 61 | print('[Model] Preparing .... ') 62 | sub_model = NEURAL(n_class=12,n_channel=3) 63 | sub_model = sub_model.to(device) 64 | ckpt = torch.load('../substitute/sub.ckpt',map_location=device) 65 | sub_model.load_state_dict(ckpt) 66 | sub_model.eval() 67 | print('[Model] Done .... ') 68 | 69 | 70 | 71 | 72 | adv_type = ['pgd_4', 'pgd_8', 'pgd_16', 'pgd_32'] 73 | 74 | name_to_value = { 75 | 'pgd_4' : 4/255, 76 | 'pgd_8' : 8/255, 77 | 'pgd_16' : 16/255, 78 | 'pgd_32' : 32/255 79 | } 80 | 81 | for adv in adv_type: 82 | 83 | print('---------- Adv : %s --------------' % adv) 84 | 85 | adv_sample = [] 86 | batch_size = 50 87 | num = len(GT) 88 | st = 0 89 | 90 | while st!= num: 91 | ed = min(st+batch_size,num) 92 | input_batch = X[st:ed] 93 | gt_batch = GT[st:ed] 94 | 95 | 96 | 97 | adv_batch = pgd_attack_random(sub_model,input_batch,gt_batch,eps=name_to_value[adv],alpha=1/255,iters=40,randomize=False) 98 | adv_batch = ( ( adv_batch.cpu().permute(0,2,3,1).detach().numpy() + 0.5 ) * 255 ).astype(np.uint8) 99 | this_batch_size = len(gt_batch) 100 | for i in range(this_batch_size): 101 | adv_sample.append(adv_batch[i]) 102 | ## Some debug codes. Omitted 103 | st = ed 104 | 105 | adv_sample = np.array(adv_sample, dtype=np.uint8) 106 | print('[Attack] : Done, adversarial examples are generated.') 107 | 108 | np.save('../data/data/[black_box_sensor]%s_adv_X_test.npy' % (adv), adv_sample) -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/linf_attack/model.py: -------------------------------------------------------------------------------- 1 | import torch 2 | from torch import nn 3 | 4 | class NEURAL(nn.Module): # end-to-end neural classifier 5 | 6 | def __init__(self,n_class,n_channel): 7 | 8 | super(NEURAL,self).__init__() 9 | 10 | ########################### Learn a color transform ########################### 11 | self.conv0 = nn.Sequential( 12 | nn.Conv2d(n_channel,3,1), #input_size=(n_channel*32*32) 13 | nn.ReLU() 14 | ) # output_size=(3*32*32) 15 | 16 | ########################### Level-1 ########################### 17 | self.conv1 = nn.Sequential( 18 | nn.Conv2d(3,32,5,1,2), #input_size=(3*32*32) 19 | nn.ReLU() 20 | ) # output_size=(32*32*32) 21 | 22 | self.conv2 = nn.Sequential( 23 | nn.Conv2d(32,32,5,1,2), #input_size=(32*32*32) 24 | nn.ReLU(), 25 | nn.MaxPool2d(kernel_size = 2,stride = 2) 26 | ) # output_size=(32*16*16) 27 | 28 | ########################### Level-2 ########################### 29 | self.conv3 = nn.Sequential( 30 | nn.Conv2d(32,64,3,1,1), #input_size=(32*16*16) 31 | nn.ReLU() 32 | ) # output_size=(64*16*16) 33 | 34 | self.conv4 = nn.Sequential( 35 | nn.Conv2d(64,64,3,1,1), #input_size=(64*16*16) 36 | nn.ReLU(), 37 | nn.MaxPool2d(kernel_size = 2,stride = 2) 38 | ) # output_size=(64*8*8) 39 | 40 | ########################### Level-3 ########################### 41 | self.conv5 = nn.Sequential( 42 | nn.Conv2d(64,128,3,1,1), #input_size=(64*8*8) 43 | nn.ReLU() 44 | ) # output_size=(128*8*8) 45 | 46 | self.conv6 = nn.Sequential( 47 | nn.Conv2d(128,128,3,1,1), #input_size=(128*8*8) 48 | nn.ReLU(), 49 | nn.MaxPool2d(kernel_size = 2,stride = 2) 50 | ) # output_size=(128*4*4) 51 | 52 | 53 | # num_fc = 32*16*16 + 64*8*8 + 128*4*4 = 14336 54 | self.fc1 = nn.Sequential( 55 | nn.Linear(14336,1024), 56 | nn.ReLU() 57 | ) 58 | self.fc2 = nn.Sequential( 59 | nn.Linear(1024,1024), 60 | nn.ReLU() 61 | ) 62 | self.fc3 = nn.Linear(1024,n_class) 63 | 64 | self.dropout = nn.Dropout(p=0.5) 65 | 66 | def forward(self,x): 67 | x = self.conv0(x) # Color Transform 68 | 69 | ## Scale 1 70 | x = self.conv1(x) 71 | x = self.conv2(x) 72 | x = self.dropout(x) 73 | scale_1 = x.view(x.size(0), -1) 74 | 75 | ## Scale 2 76 | x = self.conv3(x) 77 | x = self.conv4(x) 78 | x = self.dropout(x) 79 | scale_2 = x.view(x.size(0), -1) 80 | 81 | ## Scale 3 82 | x = self.conv5(x) 83 | x = self.conv6(x) 84 | x = self.dropout(x) 85 | scale_3 = x.view(x.size(0), -1) 86 | 87 | ###### FC ######################## 88 | embedding = torch.cat( (scale_1,scale_2,scale_3), dim = 1) 89 | 90 | x = self.fc1(embedding) 91 | x = self.dropout(x) 92 | 93 | x = self.fc2(x) 94 | x = self.dropout(x) 95 | 96 | x = self.fc3(x) 97 | return x 98 | -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/linf_attack/white_box_sensor_attack.py: -------------------------------------------------------------------------------- 1 | import torch.nn.functional as F 2 | from model import NEURAL 3 | import torch 4 | import time 5 | import numpy as np 6 | import argparse 7 | import os 8 | 9 | parser = argparse.ArgumentParser() 10 | parser.add_argument('-enable_cuda', type=bool, default=True, help='whether use cuda device') 11 | parser.add_argument('-gpu_id', type=int, default=0, help='id number of the gpu device') 12 | args = parser.parse_args() 13 | 14 | 15 | enable_cuda = args.enable_cuda 16 | gpu_id = args.gpu_id 17 | 18 | 19 | if enable_cuda: 20 | device = torch.device('cuda:%d' % gpu_id) 21 | else: 22 | device = torch.device('cpu') 23 | 24 | 25 | 26 | def pgd_attack_random(model, images, labels, eps=1, alpha=1, iters=40, randomize=True): 27 | """ Construct L_inf adversarial examples on the examples X """ 28 | model.eval() 29 | labels = labels.to(device) 30 | if randomize: 31 | delta = torch.rand_like(images, requires_grad=True).to(device) 32 | delta.data = delta.data * 2 * eps - eps 33 | delta.data = (delta.data + images ).clamp(-0.5,0.5)-(images) 34 | else: 35 | delta = torch.zeros_like(images, requires_grad=True).to(device) 36 | 37 | for t in range(iters): 38 | loss = torch.nn.CrossEntropyLoss()(model(images + delta ), labels) 39 | loss.backward() 40 | 41 | delta.data = (delta + alpha*delta.grad.detach().sign()).clamp(-eps,eps) 42 | delta.data = (delta.data + images ).clamp(-0.5,0.5)-(images) 43 | delta.grad.zero_() 44 | 45 | return delta+images 46 | 47 | n_class = 12 48 | 49 | 50 | 51 | print('[Data] Preparing .... ') 52 | X = torch.FloatTensor( np.load('../data/data/raw_feature_test.npy') / 255.0 - 0.5 ).permute(0,3,1,2).to(device) 53 | GT = torch.LongTensor( np.load('../data/data/raw_label_test.npy') ).to(device) 54 | print('[Data] Done .... ') 55 | 56 | 57 | 58 | 59 | 60 | 61 | print('[Model] Preparing .... ') 62 | main_sensor = NEURAL(n_class=12,n_channel=3) 63 | main_sensor = main_sensor.to(device) 64 | main_sensor.eval() 65 | print('[Model] Done .... ') 66 | 67 | 68 | 69 | for adv_trained_model in ['clean', 'adv_4', 'adv_8', 'adv_16', 'adv_32', 'doa_5', 'doa_7']: # 7 baselines 70 | 71 | print('>>>>>>>>>> model : %s' % adv_trained_model) 72 | 73 | if adv_trained_model == 'clean': 74 | ckpt = torch.load('../pipeline/sensor/main/main.ckpt',map_location=device) 75 | else: 76 | ckpt = torch.load('../pipeline/sensor/main/main_%s.ckpt' % adv_trained_model ,map_location=device) 77 | main_sensor.load_state_dict(ckpt) 78 | 79 | 80 | print('[Attack] : Start to attack.') 81 | 82 | adv_type = ['pgd_4', 'pgd_8', 'pgd_16','pgd_32'] 83 | 84 | name_to_value = { 85 | 'pgd_4' : 4/255, 86 | 'pgd_8' : 8/255, 87 | 'pgd_16' : 16/255, 88 | 'pgd_32' : 32/255 89 | } 90 | 91 | for adv in adv_type: 92 | 93 | print('---------- Adv : %s --------------' % adv) 94 | 95 | success = 0 96 | adv_sample = [] 97 | batch_size = 50 98 | num = len(GT) 99 | st = 0 100 | 101 | while st!= num: 102 | ed = min(st+batch_size,num) 103 | input_batch = X[st:ed] 104 | gt_batch = GT[st:ed] 105 | adv_batch = pgd_attack_random(main_sensor,input_batch,gt_batch,eps=name_to_value[adv],alpha=1/255,iters=40,randomize=False) 106 | 107 | 108 | Y_adv = main_sensor(adv_batch) 109 | Y_adv = torch.argmax(Y_adv,dim=1) 110 | 111 | adv_batch = ( ( adv_batch.cpu().permute(0,2,3,1).detach().numpy() + 0.5 ) * 255 ).astype(np.uint8) 112 | this_batch_size = len(gt_batch) 113 | for i in range(this_batch_size): 114 | adv_sample.append(adv_batch[i]) 115 | if Y_adv[i]!=gt_batch[i]: success+=1 116 | st = ed 117 | 118 | print('process : %d/%d, accuracy=%d/%d, success=%d/%d' % (st,num,num-success,num,success,num)) 119 | 120 | adv_sample = np.array(adv_sample, dtype=np.uint8) 121 | print('[Attack] : Done, adversarial examples are generated.') 122 | 123 | np.save('../data/data/[%s]%s_adv_X_test.npy' % (adv_trained_model,adv), adv_sample) -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/natural_attack/black_box_pipeline_attack.py: -------------------------------------------------------------------------------- 1 | import torch.nn.functional as F 2 | from model import NEURAL 3 | import torch 4 | from torch import nn 5 | import time 6 | import cv2 7 | import numpy as np 8 | import functools 9 | 10 | from fog import FogAttack 11 | from snow import SnowAttack 12 | from gabor import GaborAttack 13 | from jpeg import JPEGAttack 14 | from elastic import ElasticAttack 15 | 16 | 17 | import os 18 | 19 | os.environ['CUDA_VISIBLE_DEVICES']='0,1' 20 | 21 | #device = torch.device('cuda:0' if torch.cuda.is_available() else 'cpu') 22 | 23 | n_class = 12 24 | n_iters = 200 25 | resol = 32 26 | 27 | 28 | 29 | 30 | print('[Data] Preparing .... ') 31 | X = torch.FloatTensor( np.load('../data/data/raw_feature_test.npy') / 255.0 - 0.5 ).permute(0,3,1,2).cuda() 32 | GT = torch.LongTensor( np.load('../data/data/raw_label_test.npy') ).cuda() 33 | print('[Data] Done .... ') 34 | 35 | 36 | 37 | print('[Model] Preparing .... ') 38 | 39 | sub_model = NEURAL(n_class=12,n_channel=3) 40 | ckpt = torch.load('../substitute/sub_pipeline.ckpt', map_location = 'cuda') # black-box sensor attack 41 | 42 | sub_model = nn.DataParallel(sub_model) 43 | sub_model = sub_model.cuda() 44 | 45 | sub_model.module.load_state_dict(ckpt) 46 | 47 | sub_model.eval() 48 | print('[Model] Done .... ') 49 | 50 | 51 | 52 | attack_mapping = { 53 | 'fog_256' : functools.partial(FogAttack, n_iters, 256, (0.001/n_iters)**0.5, resol, scale_each=False), 54 | 'fog_512' : functools.partial(FogAttack, n_iters, 512, (0.001/n_iters)**0.5, resol, scale_each=False), 55 | 'snow_0.25' : functools.partial(SnowAttack, n_iters, 0.25, (0.001/n_iters)**0.5, resol, scale_each=False), 56 | 'snow_0.75' : functools.partial(SnowAttack, n_iters, 0.75, (0.001/n_iters)**0.5, resol, scale_each=False), 57 | 'jpeg_0.125' : functools.partial(JPEGAttack, n_iters, 0.125, 0.125/(n_iters**0.5), resol, scale_each=False, opt='linf'), 58 | 'jpeg_0.25' : functools.partial(JPEGAttack, n_iters, 0.25, 0.25/(n_iters**0.5), resol, scale_each=False, opt='linf'), 59 | 60 | 'gabor_20' : functools.partial(GaborAttack, n_iters, 20, (0.001/n_iters)**0.5, resol, scale_each=False), 61 | 'gabor_40' : functools.partial(GaborAttack, n_iters, 40, (0.001/n_iters)**0.5, resol, scale_each=False), 62 | 63 | 'elastic_1.5' : functools.partial(ElasticAttack, n_iters, 1.5, 1.5/(n_iters**0.5), resol, scale_each=False), 64 | 'elastic_2.0' : functools.partial(ElasticAttack, n_iters, 2.0, 2.0/(n_iters**0.5), resol, scale_each=False) 65 | } 66 | 67 | 68 | phase = 'black_box_pipeline' 69 | 70 | 71 | 72 | for attack_type in attack_mapping.keys(): 73 | 74 | print('> attack : %s' % attack_type) 75 | attacker = attack_mapping[attack_type]() 76 | 77 | adv_sample = [] 78 | num = len(GT) 79 | st = 0 80 | batch_size = 800 81 | 82 | while st!= num: 83 | ed = min(st+batch_size,num) 84 | 85 | input_batch = X[st:ed] 86 | gt_batch = GT[st:ed] 87 | this_batch_size = len(gt_batch) 88 | 89 | # --------------- attack --------------- 90 | adv_batch = attacker(sub_model,input_batch,gt_batch,avoid_target=True,scale_eps=False) 91 | # -------------------------------------- 92 | 93 | adv_batch = ( ( adv_batch.cpu().permute(0,2,3,1).detach().numpy() + 0.5 ) * 255 ).astype(np.uint8) 94 | 95 | for i in range(this_batch_size): 96 | adv_sample.append(adv_batch[i]) 97 | st = ed 98 | 99 | adv_sample = np.array(adv_sample, dtype=np.uint8) 100 | print('[Attack] : Done, adversarial examples are generated.') 101 | save_path = '../data/data/[%s]%s_adv_X_test.npy' % (phase,attack_type) 102 | print('[Save] : %s' % save_path) 103 | np.save(save_path, adv_sample) -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/natural_attack/black_box_sensor_attack.py: -------------------------------------------------------------------------------- 1 | import torch.nn.functional as F 2 | from model import NEURAL 3 | import torch 4 | from torch import nn 5 | import time 6 | import cv2 7 | import numpy as np 8 | import functools 9 | 10 | from fog import FogAttack 11 | from snow import SnowAttack 12 | from gabor import GaborAttack 13 | from jpeg import JPEGAttack 14 | from elastic import ElasticAttack 15 | 16 | 17 | import os 18 | 19 | os.environ['CUDA_VISIBLE_DEVICES']='2,3' 20 | 21 | #device = torch.device('cuda:0' if torch.cuda.is_available() else 'cpu') 22 | 23 | n_class = 12 24 | n_iters = 200 25 | resol = 32 26 | 27 | 28 | 29 | 30 | print('[Data] Preparing .... ') 31 | X = torch.FloatTensor( np.load('../data/data/raw_feature_test.npy') / 255.0 - 0.5 ).permute(0,3,1,2).cuda() 32 | GT = torch.LongTensor( np.load('../data/data/raw_label_test.npy') ).cuda() 33 | print('[Data] Done .... ') 34 | 35 | 36 | sub_model = NEURAL(n_class=12,n_channel=3) 37 | ckpt = torch.load('../substitute/sub.ckpt', map_location = 'cuda') # black-box sensor attack 38 | 39 | sub_model = nn.DataParallel(sub_model) 40 | sub_model = sub_model.cuda() 41 | 42 | sub_model.module.load_state_dict(ckpt) 43 | 44 | sub_model.eval() 45 | print('[Model] Done .... ') 46 | 47 | 48 | 49 | attack_mapping = { 50 | 'fog_256' : functools.partial(FogAttack, n_iters, 256, (0.001/n_iters)**0.5, resol, scale_each=False), 51 | 'fog_512' : functools.partial(FogAttack, n_iters, 512, (0.001/n_iters)**0.5, resol, scale_each=False), 52 | 'snow_0.25' : functools.partial(SnowAttack, n_iters, 0.25, (0.001/n_iters)**0.5, resol, scale_each=False), 53 | 'snow_0.75' : functools.partial(SnowAttack, n_iters, 0.75, (0.001/n_iters)**0.5, resol, scale_each=False), 54 | 'jpeg_0.125' : functools.partial(JPEGAttack, n_iters, 0.125, 0.125/(n_iters**0.5), resol, scale_each=False, opt='linf'), 55 | 'jpeg_0.25' : functools.partial(JPEGAttack, n_iters, 0.25, 0.25/(n_iters**0.5), resol, scale_each=False, opt='linf'), 56 | 57 | 'gabor_20' : functools.partial(GaborAttack, n_iters, 20, (0.001/n_iters)**0.5, resol, scale_each=False), 58 | 'gabor_40' : functools.partial(GaborAttack, n_iters, 40, (0.001/n_iters)**0.5, resol, scale_each=False), 59 | 60 | 'elastic_1.5' : functools.partial(ElasticAttack, n_iters, 1.5, 1.5/(n_iters**0.5), resol, scale_each=False), 61 | 'elastic_2.0' : functools.partial(ElasticAttack, n_iters, 2.0, 2.0/(n_iters**0.5), resol, scale_each=False) 62 | } 63 | 64 | 65 | phase = 'black_box_sensor' 66 | 67 | 68 | 69 | for attack_type in attack_mapping.keys(): 70 | print('> attack : %s' % attack_type) 71 | attacker = attack_mapping[attack_type]() 72 | 73 | adv_sample = [] 74 | num = len(GT) 75 | st = 0 76 | batch_size = 800 77 | 78 | while st!= num: 79 | ed = min(st+batch_size,num) 80 | 81 | input_batch = X[st:ed] 82 | gt_batch = GT[st:ed] 83 | this_batch_size = len(gt_batch) 84 | 85 | random_target_batch = np.random.randint(0,n_class,[this_batch_size])#np.full([this_batch_size],11,dtype=np.long) 86 | for i in range(this_batch_size): 87 | while random_target_batch[i]==gt_batch[i]: 88 | random_target_batch[i] = np.random.randint(0,n_class) 89 | random_target_batch = torch.LongTensor(random_target_batch).cuda() 90 | 91 | # --------------- attack --------------- 92 | adv_batch = attacker(sub_model,input_batch,gt_batch,avoid_target=True,scale_eps=False) 93 | # -------------------------------------- 94 | 95 | adv_batch = ( ( adv_batch.cpu().permute(0,2,3,1).detach().numpy() + 0.5 ) * 255 ).astype(np.uint8) 96 | 97 | for i in range(this_batch_size): 98 | adv_sample.append(adv_batch[i]) 99 | st = ed 100 | 101 | adv_sample = np.array(adv_sample, dtype=np.uint8) 102 | print('[Attack] : Done, adversarial examples are generated.') 103 | save_path = '../data/data/[%s]%s_adv_X_test.npy' % (phase,attack_type) 104 | print('[Save] : %s' % save_path) 105 | np.save(save_path, adv_sample) -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/natural_attack/model.py: -------------------------------------------------------------------------------- 1 | import torch 2 | from torch import nn 3 | 4 | class NEURAL(nn.Module): # end-to-end neural classifier 5 | 6 | def __init__(self,n_class,n_channel): 7 | 8 | super(NEURAL,self).__init__() 9 | 10 | ########################### Learn a color transform ########################### 11 | self.conv0 = nn.Sequential( 12 | nn.Conv2d(n_channel,3,1), #input_size=(n_channel*32*32) 13 | nn.ReLU() 14 | ) # output_size=(3*32*32) 15 | 16 | ########################### Level-1 ########################### 17 | self.conv1 = nn.Sequential( 18 | nn.Conv2d(3,32,5,1,2), #input_size=(3*32*32) 19 | nn.ReLU() 20 | ) # output_size=(32*32*32) 21 | 22 | self.conv2 = nn.Sequential( 23 | nn.Conv2d(32,32,5,1,2), #input_size=(32*32*32) 24 | nn.ReLU(), 25 | nn.MaxPool2d(kernel_size = 2,stride = 2) 26 | ) # output_size=(32*16*16) 27 | 28 | ########################### Level-2 ########################### 29 | self.conv3 = nn.Sequential( 30 | nn.Conv2d(32,64,3,1,1), #input_size=(32*16*16) 31 | nn.ReLU() 32 | ) # output_size=(64*16*16) 33 | 34 | self.conv4 = nn.Sequential( 35 | nn.Conv2d(64,64,3,1,1), #input_size=(64*16*16) 36 | nn.ReLU(), 37 | nn.MaxPool2d(kernel_size = 2,stride = 2) 38 | ) # output_size=(64*8*8) 39 | 40 | ########################### Level-3 ########################### 41 | self.conv5 = nn.Sequential( 42 | nn.Conv2d(64,128,3,1,1), #input_size=(64*8*8) 43 | nn.ReLU() 44 | ) # output_size=(128*8*8) 45 | 46 | self.conv6 = nn.Sequential( 47 | nn.Conv2d(128,128,3,1,1), #input_size=(128*8*8) 48 | nn.ReLU(), 49 | nn.MaxPool2d(kernel_size = 2,stride = 2) 50 | ) # output_size=(128*4*4) 51 | 52 | 53 | # num_fc = 32*16*16 + 64*8*8 + 128*4*4 = 14336 54 | self.fc1 = nn.Sequential( 55 | nn.Linear(14336,1024), 56 | nn.ReLU() 57 | ) 58 | self.fc2 = nn.Sequential( 59 | nn.Linear(1024,1024), 60 | nn.ReLU() 61 | ) 62 | self.fc3 = nn.Linear(1024,n_class) 63 | 64 | self.dropout = nn.Dropout(p=0.5) 65 | 66 | def forward(self,x): 67 | x = self.conv0(x) # Color Transform 68 | 69 | ## Scale 1 70 | x = self.conv1(x) 71 | x = self.conv2(x) 72 | x = self.dropout(x) 73 | scale_1 = x.reshape(x.size(0), -1) 74 | 75 | ## Scale 2 76 | x = self.conv3(x) 77 | x = self.conv4(x) 78 | x = self.dropout(x) 79 | scale_2 = x.reshape(x.size(0), -1) 80 | 81 | ## Scale 3 82 | x = self.conv5(x) 83 | x = self.conv6(x) 84 | x = self.dropout(x) 85 | scale_3 = x.reshape(x.size(0), -1) 86 | 87 | ###### FC ######################## 88 | embedding = torch.cat( (scale_1,scale_2,scale_3), dim = 1) 89 | 90 | x = self.fc1(embedding) 91 | x = self.dropout(x) 92 | 93 | x = self.fc2(x) 94 | x = self.dropout(x) 95 | 96 | x = self.fc3(x) 97 | return x 98 | -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/natural_attack/white_box_sensor_attack.py: -------------------------------------------------------------------------------- 1 | import torch.nn.functional as F 2 | from model import NEURAL 3 | import torch 4 | from torch import nn 5 | import time 6 | import cv2 7 | import numpy as np 8 | import functools 9 | 10 | from fog import FogAttack 11 | from snow import SnowAttack 12 | from gabor import GaborAttack 13 | from jpeg import JPEGAttack 14 | from elastic import ElasticAttack 15 | 16 | 17 | import os 18 | 19 | os.environ['CUDA_VISIBLE_DEVICES']='0,1,2,3' 20 | 21 | n_class = 12 22 | n_iters = 200 23 | resol = 32 24 | 25 | 26 | 27 | 28 | print('[Data] Preparing .... ') 29 | X = torch.FloatTensor( np.load('../data/data/raw_feature_test.npy') / 255.0 - 0.5 ).permute(0,3,1,2).cuda() 30 | GT = torch.LongTensor( np.load('../data/data/raw_label_test.npy') ).cuda() 31 | print('[Data] Done .... ') 32 | 33 | 34 | 35 | print('[Model] Preparing .... ') 36 | main_sensor = NEURAL(n_class=12,n_channel=3) 37 | main_sensor = nn.DataParallel(main_sensor) 38 | main_sensor = main_sensor.cuda() 39 | main_sensor.eval() 40 | print('[Model] Done .... ') 41 | 42 | 43 | 44 | attack_mapping = { 45 | 'fog_256' : functools.partial(FogAttack, n_iters, 256, (0.001/n_iters)**0.5, resol, scale_each=False), 46 | 'fog_512' : functools.partial(FogAttack, n_iters, 512, (0.001/n_iters)**0.5, resol, scale_each=False), 47 | 'snow_0.25' : functools.partial(SnowAttack, n_iters, 0.25, (0.001/n_iters)**0.5, resol, scale_each=False), 48 | 'snow_0.75' : functools.partial(SnowAttack, n_iters, 0.75, (0.001/n_iters)**0.5, resol, scale_each=False), 49 | 'jpeg_0.125' : functools.partial(JPEGAttack, n_iters, 0.125, 0.125/(n_iters**0.5), resol, scale_each=False, opt='linf'), 50 | 'jpeg_0.25' : functools.partial(JPEGAttack, n_iters, 0.25, 0.25/(n_iters**0.5), resol, scale_each=False, opt='linf'), 51 | 52 | 'gabor_20' : functools.partial(GaborAttack, n_iters, 20, (0.001/n_iters)**0.5, resol, scale_each=False), 53 | 'gabor_40' : functools.partial(GaborAttack, n_iters, 40, (0.001/n_iters)**0.5, resol, scale_each=False), 54 | 55 | 'elastic_1.5' : functools.partial(ElasticAttack, n_iters, 1.5, 1.5/(n_iters**0.5), resol, scale_each=False), 56 | 'elastic_2.0' : functools.partial(ElasticAttack, n_iters, 2.0, 2.0/(n_iters**0.5), resol, scale_each=False) 57 | } 58 | 59 | 60 | 61 | model_mapping = { 62 | 'main.ckpt' : 'clean', 63 | 'main_adv_4.ckpt' : 'adv_4', 64 | 'main_adv_8.ckpt' : 'adv_8', 65 | 'main_adv_16.ckpt': 'adv_16', 66 | 'main_adv_32.ckpt' : 'adv_32', 67 | 'main_doa_5.ckpt' : 'doa_5', 68 | 'main_doa_7.ckpt' : 'doa_7' 69 | } 70 | 71 | 72 | for attack_type in attack_mapping.keys(): 73 | 74 | attacker = attack_mapping[attack_type]() 75 | 76 | 77 | for model_path in ['main.ckpt', 'main_adv_4.ckpt', 'main_adv_8.ckpt', 'main_adv_16.ckpt', 'main_adv_32.ckpt', 'main_doa_5.ckpt', 'main_doa_7.ckpt']: 78 | phase = model_mapping[model_path] 79 | print('> adv = %s, model = %s' % (attack_type, model_path) ) 80 | ckpt = torch.load('../pipeline/sensor/main/%s' % model_path, map_location='cpu') 81 | main_sensor.module.load_state_dict(ckpt) 82 | main_sensor.eval() 83 | print('(ckpt loaded)') 84 | 85 | success = 0 86 | adv_sample = [] 87 | num = len(GT) 88 | st = 0 89 | batch_size = 800 90 | 91 | while st!= num: 92 | ed = min(st+batch_size,num) 93 | 94 | input_batch = X[st:ed] 95 | gt_batch = GT[st:ed] 96 | this_batch_size = len(gt_batch) 97 | # 1 : 0.13, 2 : 0.147 98 | 99 | # --------------- attack --------------- 100 | adv_batch = attacker(main_sensor,input_batch,gt_batch,avoid_target=True,scale_eps=False) 101 | # -------------------------------------- 102 | 103 | Y_adv = main_sensor(adv_batch) 104 | Y_adv = torch.argmax(Y_adv,dim=1) 105 | 106 | adv_batch = ( ( adv_batch.cpu().permute(0,2,3,1).detach().numpy() + 0.5 ) * 255 ).astype(np.uint8) 107 | 108 | for i in range(this_batch_size): 109 | adv_sample.append(adv_batch[i]) 110 | if Y_adv[i]!=gt_batch[i]: success+=1 111 | st = ed 112 | 113 | print('process : %d/%d, accuracy=%d/%d, success=%d/%d' % (st,num,num-success,num,success,num)) 114 | 115 | adv_sample = np.array(adv_sample, dtype=np.uint8) 116 | print('[Attack] : Done, adversarial examples are generated.') 117 | save_path = '../data/data/[%s]%s_adv_X_test.npy' % (phase,attack_type) 118 | print('[Save] : %s' % save_path) 119 | np.save(save_path, adv_sample) -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/pipeline/.DS_Store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AI-secure/Knowledge-Enhanced-Machine-Learning-Pipeline/8cda8102577c1203f5781844238b53626e68dac4/SettingA-linf,unforeseen,corruptions/pipeline/.DS_Store -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/pipeline/ckpt/graph_model_ratio=0.0.ckpt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AI-secure/Knowledge-Enhanced-Machine-Learning-Pipeline/8cda8102577c1203f5781844238b53626e68dac4/SettingA-linf,unforeseen,corruptions/pipeline/ckpt/graph_model_ratio=0.0.ckpt -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/pipeline/ckpt/graph_model_ratio=0.1.ckpt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AI-secure/Knowledge-Enhanced-Machine-Learning-Pipeline/8cda8102577c1203f5781844238b53626e68dac4/SettingA-linf,unforeseen,corruptions/pipeline/ckpt/graph_model_ratio=0.1.ckpt -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/pipeline/ckpt/graph_model_ratio=0.2.ckpt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AI-secure/Knowledge-Enhanced-Machine-Learning-Pipeline/8cda8102577c1203f5781844238b53626e68dac4/SettingA-linf,unforeseen,corruptions/pipeline/ckpt/graph_model_ratio=0.2.ckpt -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/pipeline/ckpt/graph_model_ratio=0.3.ckpt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AI-secure/Knowledge-Enhanced-Machine-Learning-Pipeline/8cda8102577c1203f5781844238b53626e68dac4/SettingA-linf,unforeseen,corruptions/pipeline/ckpt/graph_model_ratio=0.3.ckpt -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/pipeline/ckpt/graph_model_ratio=0.4.ckpt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AI-secure/Knowledge-Enhanced-Machine-Learning-Pipeline/8cda8102577c1203f5781844238b53626e68dac4/SettingA-linf,unforeseen,corruptions/pipeline/ckpt/graph_model_ratio=0.4.ckpt -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/pipeline/ckpt/graph_model_ratio=0.5.ckpt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AI-secure/Knowledge-Enhanced-Machine-Learning-Pipeline/8cda8102577c1203f5781844238b53626e68dac4/SettingA-linf,unforeseen,corruptions/pipeline/ckpt/graph_model_ratio=0.5.ckpt -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/pipeline/ckpt/graph_model_ratio=0.6.ckpt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AI-secure/Knowledge-Enhanced-Machine-Learning-Pipeline/8cda8102577c1203f5781844238b53626e68dac4/SettingA-linf,unforeseen,corruptions/pipeline/ckpt/graph_model_ratio=0.6.ckpt -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/pipeline/ckpt/graph_model_ratio=0.7.ckpt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AI-secure/Knowledge-Enhanced-Machine-Learning-Pipeline/8cda8102577c1203f5781844238b53626e68dac4/SettingA-linf,unforeseen,corruptions/pipeline/ckpt/graph_model_ratio=0.7.ckpt -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/pipeline/ckpt/graph_model_ratio=0.8.ckpt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AI-secure/Knowledge-Enhanced-Machine-Learning-Pipeline/8cda8102577c1203f5781844238b53626e68dac4/SettingA-linf,unforeseen,corruptions/pipeline/ckpt/graph_model_ratio=0.8.ckpt -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/pipeline/ckpt/graph_model_ratio=0.9.ckpt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AI-secure/Knowledge-Enhanced-Machine-Learning-Pipeline/8cda8102577c1203f5781844238b53626e68dac4/SettingA-linf,unforeseen,corruptions/pipeline/ckpt/graph_model_ratio=0.9.ckpt -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/pipeline/ckpt/graph_model_ratio=1.0.ckpt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AI-secure/Knowledge-Enhanced-Machine-Learning-Pipeline/8cda8102577c1203f5781844238b53626e68dac4/SettingA-linf,unforeseen,corruptions/pipeline/ckpt/graph_model_ratio=1.0.ckpt -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/pipeline/pipeline.py: -------------------------------------------------------------------------------- 1 | import torch 2 | import numpy as np 3 | 4 | """ 5 | Probabilistic reasoning component that makes final decision based on sensing signals. 6 | "deterministic sensor" corresponds to the "consequential sensor" in our paper. 7 | "conservative sensor" corresponds to the "antecedential sensor" in our paper. 8 | """ 9 | class pipeline: 10 | 11 | def __init__(self,n_class): 12 | self.n_class = n_class 13 | self.main_sensor = None 14 | self.conservative_sensor = [ [] for i in range(n_class) ] 15 | self.deterministc_sensor = [ [] for i in range(n_class) ] 16 | self.num_conservative = np.zeros(n_class,dtype = np.int) 17 | self.num_deterministic = np.zeros(n_class, dtype=np.int) 18 | self.id_conservative = [ [] for i in range(n_class) ] 19 | self.id_deterministic = [ [] for i in range(n_class) ] 20 | self.id_main = 0 21 | self.already_built = False 22 | 23 | def set_main_sensor(self,main_sensor): 24 | self.main_sensor = main_sensor 25 | 26 | def add_conservative_sensor(self,class_id,var_id,sensor): 27 | self.conservative_sensor[class_id].append(sensor) 28 | self.id_conservative[class_id].append(var_id) 29 | self.num_conservative[class_id]+=1 30 | 31 | def add_deterministic_sensor(self,class_id,var_id,sensor): 32 | self.deterministc_sensor[class_id].append(sensor) 33 | self.id_deterministic[class_id].append(var_id) 34 | self.num_deterministic[class_id]+=1 35 | 36 | def build_graph(self): 37 | if self.main_sensor is None: 38 | return False 39 | 40 | cnt = 1 41 | 42 | # id for conservative sensors 43 | for i in range(self.n_class): 44 | cnt += self.num_conservative[i] 45 | 46 | 47 | # id for deterministic sensors 48 | for i in range(self.n_class): 49 | cnt += self.num_deterministic[i] 50 | 51 | 52 | self.num_sensor = cnt 53 | 54 | # weight for each sensor 55 | self.weight = torch.ones( int(self.num_sensor) ) 56 | self.weight.requires_grad = True 57 | 58 | self.already_built = True 59 | 60 | #print('conservative_id : ',self.id_conservative) 61 | #print('deterministic_id : ',self.id_deterministic) 62 | return True 63 | 64 | def inference(self,X): 65 | # X : sensor variable ==> batch_size x num_of_sensors 66 | #print(X) 67 | score = [] 68 | for i in range(self.n_class): 69 | #print('## class-%d' % i) 70 | 71 | factor_main = (X[:, 0] == i) * self.weight[0] 72 | factor_conservative = torch.zeros(factor_main.shape) 73 | factor_deterministic = torch.zeros(factor_main.shape) 74 | 75 | #print('conservative --->') 76 | for j in range(self.num_conservative[i]): 77 | sid = self.id_conservative[i][j] 78 | factor_conservative+= (X[:,sid]==1) * self.weight[sid] 79 | #print('sid : %d, result : ' % sid, X[:,sid]==1) 80 | 81 | #print('deterministic --->') 82 | for j in range(self.num_deterministic[i]): 83 | sid = self.id_deterministic[i][j] 84 | factor_deterministic+= -1 * ( (X[:,sid]==0) * self.weight[sid] ) 85 | #print('sid : %d, result : ' % sid, X[:,sid]==0) 86 | 87 | 88 | #print('factor conservative :',factor_conservative) 89 | #print('factor deterministic :',factor_deterministic) 90 | #print('factor main :',factor_main) 91 | 92 | 93 | result = torch.exp(factor_main + factor_conservative + factor_deterministic) 94 | result = result.unsqueeze(1) 95 | 96 | score.append( result ) 97 | #exit(0) 98 | score = torch.cat(score,dim=1) 99 | return score 100 | 101 | def step(self,step_size): # maximize the likelihood 102 | 103 | self.weight = self.weight + step_size*self.weight.grad 104 | for i in range(self.num_sensor): 105 | if self.weight[i]<0: 106 | self.weight[i] = 0 107 | #self.weight[0] = 1 # fix the weight for the main sensor 108 | 109 | self.weight = torch.tensor(self.weight.data, requires_grad=True) 110 | 111 | if self.weight.grad is not None: 112 | self.weight.grad.data.fill_(0) -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/pipeline/reimplement_table_common_corruption.py: -------------------------------------------------------------------------------- 1 | import numpy as np 2 | import torch 3 | import os 4 | import json 5 | from model import NEURAL,Model 6 | from var_generator import var_generator 7 | from pipeline import pipeline 8 | from sensing_signals_data import sensing_data 9 | import argparse 10 | 11 | parser = argparse.ArgumentParser() 12 | parser.add_argument('-enable_cuda', type=bool, default=True, help='whether use cuda device') 13 | parser.add_argument('-gpu_id', type=int, default=0, help='id number of the gpu device') 14 | parser.add_argument('-alpha', type=str, default='0.2', choices=['0.0','0.1','0.2','0.3','0.4','0.5','0.6','0.7','0.8','0.9','1.0'],\ 15 | help='adversarial ratio, options = [0.0,0.1,0.2,0.3,0.4,0.5,0.6,0.7,0.8,0.9,1.0]') 16 | args = parser.parse_args() 17 | 18 | 19 | enable_cuda = args.enable_cuda 20 | gpu_id = args.gpu_id 21 | alpha = args.alpha 22 | 23 | print('alpha = %s' % alpha) 24 | 25 | signal_dir = 'sensing_signals/' 26 | if not os.path.exists(signal_dir): 27 | os.mkdir(signal_dir) 28 | 29 | if enable_cuda: 30 | device = torch.device('cuda:%d' % gpu_id) 31 | else: 32 | device = torch.device('cpu') 33 | 34 | main_sensor_list = { 35 | # standard CNN main sensor 36 | 'CNN' : './sensor/main/main.ckpt', 37 | # adversarially trained CNN main sensor 38 | 'CNN_adv_4' : './sensor/main/main_adv_4.ckpt', 39 | 'CNN_adv_8' : './sensor/main/main_adv_8.ckpt', 40 | 'CNN_adv_16' : './sensor/main/main_adv_16.ckpt', 41 | 'CNN_adv_32' : './sensor/main/main_adv_32.ckpt', 42 | # DOA trained CNN main sensor 43 | 'CNN_doa_5' : './sensor/main/main_doa_5.ckpt', 44 | 'CNN_doa_7' : './sensor/main/main_doa_7.ckpt' 45 | } 46 | 47 | 48 | n_class = 12 49 | batch_size = 100 50 | 51 | 52 | ##### Sensors & Variables ################## 53 | digit_sensor = './sensor/content/digit.pth' 54 | 55 | con_sensors_for_class = { 56 | './sensor/border/type_0_con.ckpt' : [0], 57 | './sensor/border/type_1_con.ckpt' : [1], 58 | './sensor/border/type_2_con.ckpt' : [2], 59 | './sensor/border/type_3_con.ckpt' : [3], 60 | './sensor/content/class_4.ckpt' : [4], 61 | './sensor/content/class_5.ckpt' : [5], 62 | './sensor/border/type_5_con.ckpt' : [6], 63 | './sensor/content/class_7.ckpt' : [7], 64 | './sensor/content/digit.pth' : [8,10,11], # digit recognition model for speed-limit 50/20/120 65 | './sensor/border/type_7_con.ckpt' : [9] 66 | } 67 | 68 | det_sensors_for_class = { 69 | './sensor/border/type_0_det.ckpt' : [0], 70 | './sensor/border/type_1_det.ckpt' : [1], 71 | './sensor/border/type_2_det.ckpt' : [2], 72 | './sensor/border/type_3_det.ckpt' : [3], 73 | './sensor/border/type_4_det.ckpt' : [4,5], 74 | './sensor/border/type_5_det.ckpt' : [6], 75 | './sensor/border/type_6_det.ckpt' : [7,8,10,11], 76 | './sensor/border/type_7_det.ckpt' : [9] 77 | } 78 | 79 | aux_sensor_map = { # sensor_ckpt : [ (class_id, sensor_variable_id), ... ] 80 | './sensor/border/type_0_con.ckpt' : [], 81 | './sensor/border/type_1_con.ckpt' : [], 82 | './sensor/border/type_2_con.ckpt' : [], 83 | './sensor/border/type_3_con.ckpt' : [], 84 | './sensor/content/class_4.ckpt' : [], 85 | './sensor/content/class_5.ckpt' : [], 86 | './sensor/border/type_5_con.ckpt' : [], 87 | './sensor/content/class_7.ckpt' : [], 88 | './sensor/content/digit.pth' : [], 89 | './sensor/border/type_7_con.ckpt' : [], 90 | './sensor/border/type_0_det.ckpt' : [], 91 | './sensor/border/type_1_det.ckpt' : [], 92 | './sensor/border/type_2_det.ckpt' : [], 93 | './sensor/border/type_3_det.ckpt' : [], 94 | './sensor/border/type_4_det.ckpt' : [], 95 | './sensor/border/type_5_det.ckpt' : [], 96 | './sensor/border/type_6_det.ckpt' : [], 97 | './sensor/border/type_7_det.ckpt' : [] 98 | } 99 | 100 | 101 | cnt = 1 102 | 103 | for i in range(n_class): 104 | for item in con_sensors_for_class.keys(): 105 | if i in con_sensors_for_class[item]: # if sensor 'item' is for class-i, then create a variable for it. 106 | aux_sensor_map[item].append( (i,cnt) ) 107 | cnt+=1 108 | 109 | for i in range(n_class): 110 | for item in det_sensors_for_class.keys(): 111 | if i in det_sensors_for_class[item]: 112 | aux_sensor_map[item].append( (i,cnt) ) 113 | cnt+=1 114 | 115 | with open(signal_dir+'sensor_map.json','w') as file_obj: 116 | json.dump(aux_sensor_map,file_obj) 117 | ####################################################### 118 | 119 | 120 | 121 | 122 | ############# data ########################################## 123 | 124 | phase_to_data = { # [GT, raw_img, border_img, content_img] 125 | # clean traffic sign samples 126 | #'clean' : ['../data/data/raw_label_test.npy', '../data/data/raw_feature_test.npy', '../data/data/test_border.npy', '../data/data/test_content.npy'], 127 | # adversarial traffic sign samples 128 | 'fog' : ['../data/data/raw_label_test.npy', '../data/data/[corruption]fog_adv_X_test.npy', '../data/data/[corruption]fog_adv_border.npy', '../data/data/[corruption]fog_adv_content.npy'], 129 | 130 | 'contrast' : ['../data/data/raw_label_test.npy', '../data/data/[corruption]contrast_adv_X_test.npy', '../data/data/[corruption]contrast_adv_border.npy', '../data/data/[corruption]contrast_adv_content.npy'], 131 | 132 | 'brightness' : ['../data/data/raw_label_test.npy', '../data/data/[corruption]brightness_adv_X_test.npy', '../data/data/[corruption]brightness_adv_border.npy', '../data/data/[corruption]brightness_adv_content.npy'] 133 | 134 | } 135 | 136 | phase_set = phase_to_data.keys() 137 | data_dir = '../data/data/' 138 | ############################################################# 139 | 140 | 141 | def test(model,data): 142 | 143 | n_class = 12 144 | 145 | num_each_class = np.zeros(n_class) 146 | correct_each_class = np.zeros(n_class) 147 | mis_from_A_to_B = np.zeros((n_class,n_class)) 148 | 149 | var, gt =data.sequential_test_batch() 150 | correct = 0 151 | tot = 0 152 | while var is not None: 153 | this_batch_size = len(gt) 154 | 155 | scores = model.inference(var) 156 | Y = torch.argmax(scores,dim=1) 157 | 158 | tot += this_batch_size 159 | for i in range(this_batch_size): 160 | num_each_class[gt[i]]+=1 161 | if Y[i] == gt[i]: 162 | correct+=1 163 | correct_each_class[gt[i]]+=1 164 | else: 165 | mis_from_A_to_B[gt[i]][Y[i]]+=1 166 | var, gt = data.sequential_test_batch() 167 | 168 | print('[KEMLP] acc = %d/%d = %f' % (correct,tot,correct/tot)) 169 | 170 | model = torch.load('./ckpt/graph_model_ratio=%s.ckpt' % alpha) 171 | gt_path = '../data/data/raw_label_test.npy' 172 | 173 | 174 | print('====================== Natural Corruption ======================') 175 | 176 | 177 | for main_sensor in main_sensor_list.keys(): 178 | 179 | 180 | main_sensor_name = main_sensor 181 | main_sensor = main_sensor_list[main_sensor] 182 | 183 | print('>>>> Main Sensor : %s' % main_sensor_name) 184 | 185 | my_generator = var_generator(main_sensor_path=main_sensor, digit_sensor_path=digit_sensor, n_class = n_class,\ 186 | batch_size = batch_size, var_cnt=cnt, con_list = con_sensors_for_class.keys(), det_list = det_sensors_for_class.keys(),\ 187 | aux_list = aux_sensor_map, device = device) 188 | 189 | for phase in phase_to_data.keys(): 190 | 191 | print('------------------- %s data --------------------------' % phase) 192 | 193 | signal_list = phase_to_data[phase] 194 | 195 | print('|| CNN-Only') 196 | VARS = my_generator.gen_vars(signal_list) 197 | path = signal_dir + '[corruption]%s_signals_with_%s.npy' % (phase, main_sensor_name) 198 | np.save(path, VARS) 199 | 200 | print('|| KEMLP-Enhanced') 201 | sensing_signals_path = path 202 | data = sensing_data(batch_size=100, train_data = None, test_data = [sensing_signals_path, gt_path]) 203 | test(model,data) 204 | print('---------------------------------------\n') -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/pipeline/reimplement_table_linf_blackbox_pipeline.py: -------------------------------------------------------------------------------- 1 | import numpy as np 2 | import torch 3 | import os 4 | import json 5 | from model import NEURAL,Model 6 | from var_generator import var_generator 7 | from pipeline import pipeline 8 | from sensing_signals_data import sensing_data 9 | import argparse 10 | 11 | parser = argparse.ArgumentParser() 12 | parser.add_argument('-enable_cuda', type=bool, default=True, help='whether use cuda device') 13 | parser.add_argument('-gpu_id', type=int, default=0, help='id number of the gpu device') 14 | parser.add_argument('-alpha', type=str, default='0.2', choices=['0.0','0.1','0.2','0.3','0.4','0.5','0.6','0.7','0.8','0.9','1.0'],\ 15 | help='adversarial ratio, options = [0.0,0.1,0.2,0.3,0.4,0.5,0.6,0.7,0.8,0.9,1.0]') 16 | args = parser.parse_args() 17 | 18 | 19 | enable_cuda = args.enable_cuda 20 | gpu_id = args.gpu_id 21 | alpha = args.alpha 22 | 23 | print('alpha = %s' % alpha) 24 | 25 | signal_dir = 'sensing_signals/' 26 | if not os.path.exists(signal_dir): 27 | os.mkdir(signal_dir) 28 | 29 | if enable_cuda: 30 | device = torch.device('cuda:%d' % gpu_id) 31 | else: 32 | device = torch.device('cpu') 33 | 34 | main_sensor_list = { 35 | # standard CNN main sensor 36 | 'CNN' : './sensor/main/main.ckpt', 37 | # adversarially trained CNN main sensor 38 | 'CNN_adv_4' : './sensor/main/main_adv_4.ckpt', 39 | 'CNN_adv_8' : './sensor/main/main_adv_8.ckpt', 40 | 'CNN_adv_16' : './sensor/main/main_adv_16.ckpt', 41 | 'CNN_adv_32' : './sensor/main/main_adv_32.ckpt', 42 | # DOA trained CNN main sensor 43 | 'CNN_doa_5' : './sensor/main/main_doa_5.ckpt', 44 | 'CNN_doa_7' : './sensor/main/main_doa_7.ckpt' 45 | } 46 | 47 | 48 | n_class = 12 49 | batch_size = 100 50 | 51 | 52 | ##### Sensors & Variables ################## 53 | digit_sensor = './sensor/content/digit.pth' 54 | 55 | con_sensors_for_class = { 56 | './sensor/border/type_0_con.ckpt' : [0], 57 | './sensor/border/type_1_con.ckpt' : [1], 58 | './sensor/border/type_2_con.ckpt' : [2], 59 | './sensor/border/type_3_con.ckpt' : [3], 60 | './sensor/content/class_4.ckpt' : [4], 61 | './sensor/content/class_5.ckpt' : [5], 62 | './sensor/border/type_5_con.ckpt' : [6], 63 | './sensor/content/class_7.ckpt' : [7], 64 | './sensor/content/digit.pth' : [8,10,11], # digit recognition model for speed-limit 50/20/120 65 | './sensor/border/type_7_con.ckpt' : [9] 66 | } 67 | 68 | det_sensors_for_class = { 69 | './sensor/border/type_0_det.ckpt' : [0], 70 | './sensor/border/type_1_det.ckpt' : [1], 71 | './sensor/border/type_2_det.ckpt' : [2], 72 | './sensor/border/type_3_det.ckpt' : [3], 73 | './sensor/border/type_4_det.ckpt' : [4,5], 74 | './sensor/border/type_5_det.ckpt' : [6], 75 | './sensor/border/type_6_det.ckpt' : [7,8,10,11], 76 | './sensor/border/type_7_det.ckpt' : [9] 77 | } 78 | 79 | aux_sensor_map = { # sensor_ckpt : [ (class_id, sensor_variable_id), ... ] 80 | './sensor/border/type_0_con.ckpt' : [], 81 | './sensor/border/type_1_con.ckpt' : [], 82 | './sensor/border/type_2_con.ckpt' : [], 83 | './sensor/border/type_3_con.ckpt' : [], 84 | './sensor/content/class_4.ckpt' : [], 85 | './sensor/content/class_5.ckpt' : [], 86 | './sensor/border/type_5_con.ckpt' : [], 87 | './sensor/content/class_7.ckpt' : [], 88 | './sensor/content/digit.pth' : [], 89 | './sensor/border/type_7_con.ckpt' : [], 90 | './sensor/border/type_0_det.ckpt' : [], 91 | './sensor/border/type_1_det.ckpt' : [], 92 | './sensor/border/type_2_det.ckpt' : [], 93 | './sensor/border/type_3_det.ckpt' : [], 94 | './sensor/border/type_4_det.ckpt' : [], 95 | './sensor/border/type_5_det.ckpt' : [], 96 | './sensor/border/type_6_det.ckpt' : [], 97 | './sensor/border/type_7_det.ckpt' : [] 98 | } 99 | 100 | 101 | cnt = 1 102 | 103 | for i in range(n_class): 104 | for item in con_sensors_for_class.keys(): 105 | if i in con_sensors_for_class[item]: # if sensor 'item' is for class-i, then create a variable for it. 106 | aux_sensor_map[item].append( (i,cnt) ) 107 | cnt+=1 108 | 109 | for i in range(n_class): 110 | for item in det_sensors_for_class.keys(): 111 | if i in det_sensors_for_class[item]: 112 | aux_sensor_map[item].append( (i,cnt) ) 113 | cnt+=1 114 | 115 | with open(signal_dir+'sensor_map.json','w') as file_obj: 116 | json.dump(aux_sensor_map,file_obj) 117 | ####################################################### 118 | 119 | 120 | 121 | 122 | ############# data ########################################## 123 | 124 | phase_to_data = { # [GT, raw_img, border_img, content_img] 125 | # clean traffic sign samples 126 | 'clean' : ['../data/data/raw_label_test.npy', '../data/data/raw_feature_test.npy', '../data/data/test_border.npy', '../data/data/test_content.npy'], 127 | # adversarial traffic sign samples 128 | 'linf_4' : ['../data/data/raw_label_test.npy', '../data/data/[black_box_pipeline]pgd_4_adv_X_test.npy', '../data/data/[black_box_pipeline]pgd_4_adv_border.npy', '../data/data/[black_box_pipeline]pgd_4_adv_content.npy'], 129 | 130 | 'linf_8' : ['../data/data/raw_label_test.npy', '../data/data/[black_box_pipeline]pgd_8_adv_X_test.npy', '../data/data/[black_box_pipeline]pgd_8_adv_border.npy', '../data/data/[black_box_pipeline]pgd_8_adv_content.npy'], 131 | 132 | 'linf_16' : ['../data/data/raw_label_test.npy', '../data/data/[black_box_pipeline]pgd_16_adv_X_test.npy', '../data/data/[black_box_pipeline]pgd_16_adv_border.npy', '../data/data/[black_box_pipeline]pgd_16_adv_content.npy'], 133 | 134 | 'linf_32' : ['../data/data/raw_label_test.npy', '../data/data/[black_box_pipeline]pgd_32_adv_X_test.npy', '../data/data/[black_box_pipeline]pgd_32_adv_border.npy', '../data/data/[black_box_pipeline]pgd_32_adv_content.npy'], 135 | 136 | } 137 | 138 | phase_set = phase_to_data.keys() 139 | data_dir = '../data/data/' 140 | ############################################################# 141 | 142 | 143 | def test(model,data): 144 | 145 | n_class = 12 146 | 147 | num_each_class = np.zeros(n_class) 148 | correct_each_class = np.zeros(n_class) 149 | mis_from_A_to_B = np.zeros((n_class,n_class)) 150 | 151 | var, gt =data.sequential_test_batch() 152 | correct = 0 153 | tot = 0 154 | while var is not None: 155 | this_batch_size = len(gt) 156 | 157 | scores = model.inference(var) 158 | Y = torch.argmax(scores,dim=1) 159 | 160 | tot += this_batch_size 161 | for i in range(this_batch_size): 162 | num_each_class[gt[i]]+=1 163 | if Y[i] == gt[i]: 164 | correct+=1 165 | correct_each_class[gt[i]]+=1 166 | else: 167 | mis_from_A_to_B[gt[i]][Y[i]]+=1 168 | var, gt = data.sequential_test_batch() 169 | 170 | print('[KEMLP] acc = %d/%d = %f' % (correct,tot,correct/tot)) 171 | 172 | model = torch.load('./ckpt/graph_model_ratio=%s.ckpt' % alpha) 173 | gt_path = '../data/data/raw_label_test.npy' 174 | 175 | 176 | print('====================== Black-box Pipeline Linf Attack ======================') 177 | 178 | 179 | for main_sensor in main_sensor_list.keys(): 180 | 181 | 182 | main_sensor_name = main_sensor 183 | main_sensor = main_sensor_list[main_sensor] 184 | 185 | print('>>>> Main Sensor : %s' % main_sensor_name) 186 | 187 | my_generator = var_generator(main_sensor_path=main_sensor, digit_sensor_path=digit_sensor, n_class = n_class,\ 188 | batch_size = batch_size, var_cnt=cnt, con_list = con_sensors_for_class.keys(), det_list = det_sensors_for_class.keys(),\ 189 | aux_list = aux_sensor_map, device = device) 190 | 191 | for phase in phase_to_data.keys(): 192 | 193 | print('------------------- %s data --------------------------' % phase) 194 | 195 | signal_list = phase_to_data[phase] 196 | 197 | print('|| CNN-Only') 198 | VARS = my_generator.gen_vars(signal_list) 199 | path = signal_dir + '[black_box_pipeline]%s_signals_with_%s.npy' % (phase, main_sensor_name) 200 | np.save(path, VARS) 201 | 202 | print('|| KEMLP-Enhanced') 203 | sensing_signals_path = path 204 | data = sensing_data(batch_size=100, train_data = None, test_data = [sensing_signals_path, gt_path]) 205 | test(model,data) 206 | print('---------------------------------------\n') -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/pipeline/reimplement_table_linf_blackbox_sensor.py: -------------------------------------------------------------------------------- 1 | import numpy as np 2 | import torch 3 | import os 4 | import json 5 | from model import NEURAL,Model 6 | from var_generator import var_generator 7 | from pipeline import pipeline 8 | from sensing_signals_data import sensing_data 9 | import argparse 10 | 11 | parser = argparse.ArgumentParser() 12 | parser.add_argument('-enable_cuda', type=bool, default=True, help='whether use cuda device') 13 | parser.add_argument('-gpu_id', type=int, default=0, help='id number of the gpu device') 14 | parser.add_argument('-alpha', type=str, default='0.2', choices=['0.0','0.1','0.2','0.3','0.4','0.5','0.6','0.7','0.8','0.9','1.0'],\ 15 | help='adversarial ratio, options = [0.0,0.1,0.2,0.3,0.4,0.5,0.6,0.7,0.8,0.9,1.0]') 16 | args = parser.parse_args() 17 | 18 | 19 | enable_cuda = args.enable_cuda 20 | gpu_id = args.gpu_id 21 | alpha = args.alpha 22 | 23 | print('alpha = %s' % alpha) 24 | 25 | signal_dir = 'sensing_signals/' 26 | if not os.path.exists(signal_dir): 27 | os.mkdir(signal_dir) 28 | 29 | if enable_cuda: 30 | device = torch.device('cuda:%d' % gpu_id) 31 | else: 32 | device = torch.device('cpu') 33 | 34 | main_sensor_list = { 35 | # standard CNN main sensor 36 | 'CNN' : './sensor/main/main.ckpt', 37 | # adversarially trained CNN main sensor 38 | 'CNN_adv_4' : './sensor/main/main_adv_4.ckpt', 39 | 'CNN_adv_8' : './sensor/main/main_adv_8.ckpt', 40 | 'CNN_adv_16' : './sensor/main/main_adv_16.ckpt', 41 | 'CNN_adv_32' : './sensor/main/main_adv_32.ckpt', 42 | # DOA trained CNN main sensor 43 | 'CNN_doa_5' : './sensor/main/main_doa_5.ckpt', 44 | 'CNN_doa_7' : './sensor/main/main_doa_7.ckpt' 45 | } 46 | 47 | 48 | n_class = 12 49 | batch_size = 100 50 | 51 | 52 | ##### Sensors & Variables ################## 53 | digit_sensor = './sensor/content/digit.pth' 54 | 55 | con_sensors_for_class = { 56 | './sensor/border/type_0_con.ckpt' : [0], 57 | './sensor/border/type_1_con.ckpt' : [1], 58 | './sensor/border/type_2_con.ckpt' : [2], 59 | './sensor/border/type_3_con.ckpt' : [3], 60 | './sensor/content/class_4.ckpt' : [4], 61 | './sensor/content/class_5.ckpt' : [5], 62 | './sensor/border/type_5_con.ckpt' : [6], 63 | './sensor/content/class_7.ckpt' : [7], 64 | './sensor/content/digit.pth' : [8,10,11], # digit recognition model for speed-limit 50/20/120 65 | './sensor/border/type_7_con.ckpt' : [9] 66 | } 67 | 68 | det_sensors_for_class = { 69 | './sensor/border/type_0_det.ckpt' : [0], 70 | './sensor/border/type_1_det.ckpt' : [1], 71 | './sensor/border/type_2_det.ckpt' : [2], 72 | './sensor/border/type_3_det.ckpt' : [3], 73 | './sensor/border/type_4_det.ckpt' : [4,5], 74 | './sensor/border/type_5_det.ckpt' : [6], 75 | './sensor/border/type_6_det.ckpt' : [7,8,10,11], 76 | './sensor/border/type_7_det.ckpt' : [9] 77 | } 78 | 79 | aux_sensor_map = { # sensor_ckpt : [ (class_id, sensor_variable_id), ... ] 80 | './sensor/border/type_0_con.ckpt' : [], 81 | './sensor/border/type_1_con.ckpt' : [], 82 | './sensor/border/type_2_con.ckpt' : [], 83 | './sensor/border/type_3_con.ckpt' : [], 84 | './sensor/content/class_4.ckpt' : [], 85 | './sensor/content/class_5.ckpt' : [], 86 | './sensor/border/type_5_con.ckpt' : [], 87 | './sensor/content/class_7.ckpt' : [], 88 | './sensor/content/digit.pth' : [], 89 | './sensor/border/type_7_con.ckpt' : [], 90 | './sensor/border/type_0_det.ckpt' : [], 91 | './sensor/border/type_1_det.ckpt' : [], 92 | './sensor/border/type_2_det.ckpt' : [], 93 | './sensor/border/type_3_det.ckpt' : [], 94 | './sensor/border/type_4_det.ckpt' : [], 95 | './sensor/border/type_5_det.ckpt' : [], 96 | './sensor/border/type_6_det.ckpt' : [], 97 | './sensor/border/type_7_det.ckpt' : [] 98 | } 99 | 100 | 101 | cnt = 1 102 | 103 | for i in range(n_class): 104 | for item in con_sensors_for_class.keys(): 105 | if i in con_sensors_for_class[item]: # if sensor 'item' is for class-i, then create a variable for it. 106 | aux_sensor_map[item].append( (i,cnt) ) 107 | cnt+=1 108 | 109 | for i in range(n_class): 110 | for item in det_sensors_for_class.keys(): 111 | if i in det_sensors_for_class[item]: 112 | aux_sensor_map[item].append( (i,cnt) ) 113 | cnt+=1 114 | 115 | with open(signal_dir+'sensor_map.json','w') as file_obj: 116 | json.dump(aux_sensor_map,file_obj) 117 | ####################################################### 118 | 119 | 120 | 121 | 122 | ############# data ########################################## 123 | 124 | phase_to_data = { # [GT, raw_img, border_img, content_img] 125 | # clean traffic sign samples 126 | 'clean' : ['../data/data/raw_label_test.npy', '../data/data/raw_feature_test.npy', '../data/data/test_border.npy', '../data/data/test_content.npy'], 127 | # adversarial traffic sign samples 128 | 'linf_4' : ['../data/data/raw_label_test.npy', '../data/data/[black_box_sensor]pgd_4_adv_X_test.npy', '../data/data/[black_box_sensor]pgd_4_adv_border.npy', '../data/data/[black_box_sensor]pgd_4_adv_content.npy'], 129 | 130 | 'linf_8' : ['../data/data/raw_label_test.npy', '../data/data/[black_box_sensor]pgd_8_adv_X_test.npy', '../data/data/[black_box_sensor]pgd_8_adv_border.npy', '../data/data/[black_box_sensor]pgd_8_adv_content.npy'], 131 | 132 | 'linf_16' : ['../data/data/raw_label_test.npy', '../data/data/[black_box_sensor]pgd_16_adv_X_test.npy', '../data/data/[black_box_sensor]pgd_16_adv_border.npy', '../data/data/[black_box_sensor]pgd_16_adv_content.npy'], 133 | 134 | 'linf_32' : ['../data/data/raw_label_test.npy', '../data/data/[black_box_sensor]pgd_32_adv_X_test.npy', '../data/data/[black_box_sensor]pgd_32_adv_border.npy', '../data/data/[black_box_sensor]pgd_32_adv_content.npy'], 135 | 136 | } 137 | 138 | phase_set = phase_to_data.keys() 139 | data_dir = '../data/data/' 140 | ############################################################# 141 | 142 | 143 | def test(model,data): 144 | 145 | n_class = 12 146 | 147 | num_each_class = np.zeros(n_class) 148 | correct_each_class = np.zeros(n_class) 149 | mis_from_A_to_B = np.zeros((n_class,n_class)) 150 | 151 | var, gt =data.sequential_test_batch() 152 | correct = 0 153 | tot = 0 154 | while var is not None: 155 | this_batch_size = len(gt) 156 | 157 | scores = model.inference(var) 158 | Y = torch.argmax(scores,dim=1) 159 | 160 | tot += this_batch_size 161 | for i in range(this_batch_size): 162 | num_each_class[gt[i]]+=1 163 | if Y[i] == gt[i]: 164 | correct+=1 165 | correct_each_class[gt[i]]+=1 166 | else: 167 | mis_from_A_to_B[gt[i]][Y[i]]+=1 168 | var, gt = data.sequential_test_batch() 169 | 170 | print('[KEMLP] acc = %d/%d = %f' % (correct,tot,correct/tot)) 171 | 172 | model = torch.load('./ckpt/graph_model_ratio=%s.ckpt' % alpha) 173 | gt_path = '../data/data/raw_label_test.npy' 174 | 175 | 176 | print('====================== Black-box Sensor Linf Attack ======================') 177 | 178 | 179 | for main_sensor in main_sensor_list.keys(): 180 | 181 | 182 | main_sensor_name = main_sensor 183 | main_sensor = main_sensor_list[main_sensor] 184 | 185 | print('>>>> Main Sensor : %s' % main_sensor_name) 186 | 187 | my_generator = var_generator(main_sensor_path=main_sensor, digit_sensor_path=digit_sensor, n_class = n_class,\ 188 | batch_size = batch_size, var_cnt=cnt, con_list = con_sensors_for_class.keys(), det_list = det_sensors_for_class.keys(),\ 189 | aux_list = aux_sensor_map, device = device) 190 | 191 | for phase in phase_to_data.keys(): 192 | 193 | print('------------------- %s data --------------------------' % phase) 194 | 195 | signal_list = phase_to_data[phase] 196 | 197 | print('|| CNN-Only') 198 | VARS = my_generator.gen_vars(signal_list) 199 | path = signal_dir + '[black_box_sensor]%s_signals_with_%s.npy' % (phase, main_sensor_name) 200 | np.save(path, VARS) 201 | 202 | print('|| KEMLP-Enhanced') 203 | sensing_signals_path = path 204 | data = sensing_data(batch_size=100, train_data = None, test_data = [sensing_signals_path, gt_path]) 205 | test(model,data) 206 | print('---------------------------------------\n') -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/pipeline/sensing_signals_data.py: -------------------------------------------------------------------------------- 1 | import numpy as np 2 | import torch 3 | 4 | class sensing_data: 5 | 6 | def __init__(self, train_data, test_data, batch_size=50): 7 | 8 | super().__init__() 9 | 10 | self.batch_size = batch_size 11 | 12 | if train_data is not None: 13 | self.vars_train = torch.FloatTensor( np.load(train_data[0]) ) 14 | self.gt_train = np.load(train_data[1]) 15 | self.num_train = len(self.gt_train) 16 | 17 | if test_data is not None: 18 | self.vars_test = torch.FloatTensor( np.load(test_data[0]) ) 19 | self.gt_test = np.load(test_data[1]) 20 | self.num_test = len(self.gt_test) 21 | self.test_batch_cnt = 0 22 | 23 | def random_train_batch(self): 24 | # Create a set of random indices. 25 | idx = np.random.choice(self.num_train,size=self.batch_size,replace=False) 26 | return self.vars_train[idx], self.gt_train[idx] 27 | 28 | def adv_random_train_batch(self): 29 | idx = np.random.choice(self.num_train,size=self.batch_size,replace=False) 30 | adv_var = torch.clone(self.vars_train[idx]) 31 | adv_var[:,0] = torch.randint(10,[self.batch_size]) 32 | return adv_var, self.gt_train[idx] 33 | 34 | def sequential_test_batch(self): 35 | if self.test_batch_cnt==-1: 36 | self.test_batch_cnt=0 37 | return None,None 38 | 39 | st = self.test_batch_cnt*self.batch_size 40 | ed = min(st+self.batch_size,self.num_test) 41 | 42 | vars_batch = self.vars_test[st:ed] 43 | gt_batch = self.gt_test[st:ed] 44 | 45 | if ed == self.num_test: 46 | self.test_batch_cnt=-1 47 | else: 48 | self.test_batch_cnt+=1 49 | 50 | return vars_batch, gt_batch 51 | 52 | -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/pipeline/statistics/GT_test.npy: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AI-secure/Knowledge-Enhanced-Machine-Learning-Pipeline/8cda8102577c1203f5781844238b53626e68dac4/SettingA-linf,unforeseen,corruptions/pipeline/statistics/GT_test.npy -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/pipeline/statistics/GT_train.npy: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AI-secure/Knowledge-Enhanced-Machine-Learning-Pipeline/8cda8102577c1203f5781844238b53626e68dac4/SettingA-linf,unforeseen,corruptions/pipeline/statistics/GT_train.npy -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/pipeline/statistics/GT_val.npy: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AI-secure/Knowledge-Enhanced-Machine-Learning-Pipeline/8cda8102577c1203f5781844238b53626e68dac4/SettingA-linf,unforeseen,corruptions/pipeline/statistics/GT_val.npy -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/pipeline/statistics/sensor_map.json: -------------------------------------------------------------------------------- 1 | {"./sensor/border/type_0_con.ckpt": [[0, 1]], "./sensor/border/type_1_con.ckpt": [[1, 2]], "./sensor/border/type_2_con.ckpt": [[2, 3]], "./sensor/border/type_3_con.ckpt": [[3, 4]], "./sensor/content/class_4.ckpt": [[4, 5]], "./sensor/content/class_5.ckpt": [[5, 6]], "./sensor/border/type_5_con.ckpt": [[6, 7]], "./sensor/content/class_7.ckpt": [[7, 8]], "./sensor/content/digit.pth": [[8, 9], [10, 11], [11, 12]], "./sensor/border/type_7_con.ckpt": [[9, 10]], "./sensor/border/type_0_det.ckpt": [[0, 13]], "./sensor/border/type_1_det.ckpt": [[1, 14]], "./sensor/border/type_2_det.ckpt": [[2, 15]], "./sensor/border/type_3_det.ckpt": [[3, 16]], "./sensor/border/type_4_det.ckpt": [[4, 17], [5, 18]], "./sensor/border/type_5_det.ckpt": [[6, 19]], "./sensor/border/type_6_det.ckpt": [[7, 20], [8, 21], [10, 23], [11, 24]], "./sensor/border/type_7_det.ckpt": [[9, 22]]} -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/pipeline/statistics/vars_test.npy: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AI-secure/Knowledge-Enhanced-Machine-Learning-Pipeline/8cda8102577c1203f5781844238b53626e68dac4/SettingA-linf,unforeseen,corruptions/pipeline/statistics/vars_test.npy -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/pipeline/statistics/vars_train.npy: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AI-secure/Knowledge-Enhanced-Machine-Learning-Pipeline/8cda8102577c1203f5781844238b53626e68dac4/SettingA-linf,unforeseen,corruptions/pipeline/statistics/vars_train.npy -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/pipeline/statistics/vars_val.npy: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AI-secure/Knowledge-Enhanced-Machine-Learning-Pipeline/8cda8102577c1203f5781844238b53626e68dac4/SettingA-linf,unforeseen,corruptions/pipeline/statistics/vars_val.npy -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/pipeline/train.py: -------------------------------------------------------------------------------- 1 | import torch 2 | import numpy as np 3 | from pipeline import pipeline 4 | from pipeline_dataset import pipeline_data 5 | import json 6 | 7 | 8 | def test(model,data): 9 | var, gt =data.sequential_test_batch() 10 | correct = 0 11 | tot = 0 12 | while var is not None: 13 | this_batch_size = len(gt) 14 | 15 | scores = model.inference(var) 16 | Y = torch.argmax(scores,dim=1) 17 | 18 | 19 | tot += this_batch_size 20 | for i in range(this_batch_size): 21 | if Y[i] == gt[i]: 22 | correct+=1 23 | var, gt = data.sequential_test_batch() 24 | 25 | print('acc = %d/%d = %f' % (correct,tot,correct/tot)) 26 | 27 | 28 | batch_size = 50 29 | n_iter = 4000 30 | n_class = 12 31 | 32 | with open('./statistics/sensor_map.json', 'r') as f: 33 | sensor_map = json.load(f) 34 | 35 | 36 | 37 | for K in range(11): 38 | ratio = K/10.0 39 | print('## ratio = %f' % ratio) 40 | 41 | model = pipeline(n_class=n_class) 42 | model.set_main_sensor('./sensor/main/main.ckpt') 43 | 44 | clean_ratio = 2*(1-ratio) 45 | adv_ratio = 2*ratio 46 | 47 | for item in sensor_map.keys(): 48 | var_list = sensor_map[item] 49 | isconservative = not item.endswith('det.ckpt') 50 | 51 | if isconservative: 52 | for sid in var_list: 53 | model.add_conservative_sensor(class_id=sid[0],var_id=sid[1],sensor=item) 54 | else: 55 | for sid in var_list: 56 | model.add_deterministic_sensor(class_id=sid[0],var_id=sid[1],sensor=item) 57 | 58 | 59 | if not model.build_graph(): 60 | print('Failed to build graph. Terminaite ..') 61 | exit(0) 62 | 63 | 64 | # use the sensing signals of validation set to train the weights --- because the sensors performs nearly perfect on the training set due to overftting 65 | data = pipeline_data(batch_size=batch_size, train_data = './statistics/vars_val.npy', \ 66 | train_GT='./statistics/GT_val.npy', test_data = './statistics/vars_test.npy', test_GT='./statistics/GT_test.npy') 67 | 68 | for i in range(n_iter): 69 | 70 | ## Clean data 71 | var, gt = data.random_train_batch() 72 | 73 | scores = model.inference(var) # batch x num_class 74 | 75 | sum_scores = scores.sum(dim=1) 76 | for j in range(batch_size): 77 | scores[j,:] /= sum_scores[j] 78 | likelihood = scores[0][gt[0]] 79 | for j in range(1,batch_size): 80 | likelihood+=scores[j][gt[j]] 81 | likelihood/=batch_size 82 | 83 | ## Adversarial data 84 | var, gt = data.adv_random_train_batch() 85 | scores = model.inference(var) # batch x num_class 86 | sum_scores = scores.sum(dim=1) 87 | for j in range(batch_size): 88 | scores[j,:] /= sum_scores[j] 89 | likelihood_adv = scores[0][gt[0]] 90 | for j in range(1,batch_size): 91 | likelihood_adv+=scores[j][gt[j]] 92 | likelihood_adv/=batch_size 93 | 94 | likelihood = clean_ratio*likelihood + adv_ratio*likelihood_adv 95 | 96 | likelihood.backward() 97 | model.step(step_size=0.1) 98 | 99 | 100 | print('weight : ',model.weight) 101 | test(model,data) 102 | torch.save(model,'./ckpt/graph_model_ratio=%.1f.ckpt' % ratio) -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/raw/adv_train.py: -------------------------------------------------------------------------------- 1 | import torch 2 | from model import NEURAL 3 | from dataset import DataMain 4 | import time 5 | import argparse 6 | import os 7 | 8 | parser = argparse.ArgumentParser() 9 | parser.add_argument('-gpu_id', type=int, required=True, help='id number of the gpu device') 10 | parser.add_argument('-attack_eps', type=int, required=True, help='noise magnitude in adversarial training') 11 | args = parser.parse_args() 12 | 13 | gpu_id = args.gpu_id 14 | attack_eps = args.attack_eps 15 | 16 | device = torch.device('cuda:%d' % gpu_id if torch.cuda.is_available() else 'cpu') 17 | 18 | lr_rate = 0.01 19 | batch_size = 200 20 | n_iters = 50000 21 | main_sensor_path = '../pipeline/sensor/main/main.ckpt' 22 | 23 | ckpt_root = 'adv_train_%d_ckpt/' % attack_eps 24 | if not os.path.exists(ckpt_root): 25 | os.mkdir(ckpt_root) 26 | 27 | 28 | def pgd_attack_random(model, images, labels, eps=1, alpha=1, iters=40, randomize=True): 29 | """ Construct L_inf adversarial examples on the examples X """ 30 | model.eval() 31 | labels = labels.to(device) 32 | if randomize: 33 | delta = torch.rand_like(images, requires_grad=True).to(device) 34 | delta.data = delta.data * 2 * eps - eps 35 | delta.data = (delta.data + images ).clamp(-0.5,0.5)-(images) 36 | else: 37 | delta = torch.zeros_like(images, requires_grad=True).to(device) 38 | 39 | images = images.clone().to(device) 40 | for t in range(iters): 41 | loss = torch.nn.CrossEntropyLoss()(model(images + delta ), labels) 42 | loss.backward() 43 | 44 | delta.data = (delta + alpha*delta.grad.detach().sign()).clamp(-eps,eps) 45 | delta.data = (delta.data + images ).clamp(-0.5,0.5)-(images) 46 | delta.grad.zero_() 47 | 48 | return (delta+images).detach() 49 | 50 | def test(data,model): 51 | 52 | correct_adv = 0 53 | correct = 0 54 | tot = 0 55 | X,GT = data.sequential_val_batch() 56 | while X is not None: 57 | 58 | X = X.to(device) 59 | X_adv = pgd_attack_random(model, X, GT, eps=attack_eps/255.0, alpha=1/255, iters=40, randomize=True) 60 | #pgd_attack(model,X,GT,eps=attack_eps/255.0,alpha=1/255,iters=40) 61 | 62 | Y = model(X) 63 | Y = torch.argmax(Y,dim=1) 64 | 65 | Y_adv = model(X_adv) 66 | Y_adv = torch.argmax(Y_adv,dim=1) 67 | 68 | this_batch_size = len(Y) 69 | 70 | for i in range(this_batch_size): 71 | tot+=1 72 | if GT[i] == Y[i]: 73 | correct+=1 74 | if GT[i] == Y_adv[i]: 75 | correct_adv+=1 76 | X,GT = data.sequential_val_batch() 77 | 78 | print('acc = %d/%d, adv_acc = %d/%d' % (correct,tot, correct_adv,tot)) 79 | 80 | return correct_adv/tot 81 | 82 | 83 | 84 | 85 | 86 | print('[Data] Preparing .... ') 87 | data = DataMain(batch_size=batch_size) 88 | data.data_set_up(istrain=True) 89 | data.greeting() 90 | print('[Data] Done .... ') 91 | 92 | 93 | print('[Model] Preparing .... ') 94 | model = NEURAL(n_class=12,n_channel=3) 95 | ckpt = torch.load(main_sensor_path,map_location = 'cpu') 96 | model.load_state_dict(ckpt) 97 | model = model.to(device) 98 | model.eval() 99 | adv_acc = test(data,model) 100 | print('[Load successfully] initial adv accuracy = %f' % adv_acc) 101 | print('[Model] Done .... ') 102 | 103 | 104 | if attack_eps >= 16: 105 | lr_rate = 0.002 106 | batch_size = 200 107 | 108 | 109 | loss_f = torch.nn.CrossEntropyLoss() 110 | optimizer = torch.optim.SGD(model.parameters(), lr=lr_rate, momentum=0.9, weight_decay = 1e-4) 111 | 112 | st = time.time() 113 | 114 | model.train() 115 | max_acc = 0 116 | save_n = 0 117 | stable_iter = 0 118 | 119 | print('[Training] Starting ...') 120 | for i in range(n_iters): 121 | 122 | X,GT = data.random_train_batch() 123 | 124 | X = X.to(device) 125 | GT = GT.to(device) 126 | 127 | # 20 iterations for adv-train 128 | X_adv = pgd_attack_random(model, X, GT, eps=attack_eps/255.0, alpha=2/255, iters=20, randomize=True) 129 | 130 | Y = model(X_adv) 131 | loss = loss_f(Y,GT) 132 | 133 | optimizer.zero_grad() 134 | loss.backward() 135 | optimizer.step() 136 | now = (time.time() - st) / 60.0 137 | 138 | if (i+1) % 10 ==0: 139 | print('[process: %d/%d] Loss = %f' % (i+1,n_iters,loss)) 140 | 141 | if (i+1) % 1000 == 0 : 142 | print(' ### Eval ###') 143 | print('Time = %f minutes, Iter = %d/%d, Loss = %f' % (now,i+1,n_iters,loss)) 144 | model.eval() 145 | 146 | score = test(data,model) 147 | 148 | if score>max_acc: 149 | print('[save]..') 150 | max_acc = score 151 | stable_iter = 0 152 | torch.save(model.state_dict(), ckpt_root+'model_' + str(save_n) + '_adv_acc=%f.ckpt'%(score)) 153 | save_n+=1 154 | else: 155 | stable_iter += 1 156 | if stable_iter == 10: 157 | print('Stable ... Training END ..') 158 | break 159 | model.train() 160 | 161 | 162 | print('[Training] Done ...') -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/raw/doa_train.py: -------------------------------------------------------------------------------- 1 | import torch 2 | from model import NEURAL 3 | from dataset import DataMain 4 | import time 5 | import argparse 6 | import os 7 | import ROA 8 | 9 | 10 | device = torch.device('cuda:1' if torch.cuda.is_available() else 'cpu') 11 | 12 | lr_rate = 0.01 13 | batch_size = 200 14 | n_iters = 50000 15 | main_sensor_path = '../pipeline/sensor/main/main.ckpt' 16 | 17 | ckpt_root = 'adv_train_doa_5x5_ckpt/' 18 | if not os.path.exists(ckpt_root): 19 | os.mkdir(ckpt_root) 20 | 21 | 22 | 23 | def test(data,model,attacker): 24 | 25 | correct_adv = 0 26 | correct = 0 27 | tot = 0 28 | X,GT = data.sequential_val_batch() 29 | while X is not None: 30 | 31 | X = X.to(device) 32 | X_adv = attacker.exhaustive_search(X,GT,0.05,30,5,5,2,2,False) 33 | 34 | Y = model(X) 35 | Y = torch.argmax(Y,dim=1) 36 | 37 | Y_adv = model(X_adv) 38 | Y_adv = torch.argmax(Y_adv,dim=1) 39 | 40 | this_batch_size = len(Y) 41 | 42 | for i in range(this_batch_size): 43 | tot+=1 44 | if GT[i] == Y[i]: 45 | correct+=1 46 | if GT[i] == Y_adv[i]: 47 | correct_adv+=1 48 | X,GT = data.sequential_val_batch() 49 | 50 | print('acc = %d/%d, adv_acc = %d/%d' % (correct,tot, correct_adv,tot)) 51 | 52 | return correct_adv/tot 53 | 54 | 55 | 56 | 57 | 58 | print('[Data] Preparing .... ') 59 | data = DataMain(batch_size=batch_size) 60 | data.data_set_up(istrain=True) 61 | data.greeting() 62 | print('[Data] Done .... ') 63 | 64 | 65 | print('[Model] Preparing .... ') 66 | model = NEURAL(n_class=12,n_channel=3) 67 | ckpt = torch.load(main_sensor_path,map_location = 'cpu') 68 | model.load_state_dict(ckpt) 69 | model = model.to(device) 70 | model.eval() 71 | attacker = ROA.ROA(base_classifier=model,size=32) 72 | adv_acc = test(data,model,attacker) 73 | print('[Load successfully] initial adv accuracy = %f' % adv_acc) 74 | print('[Model] Done .... ') 75 | 76 | 77 | 78 | 79 | loss_f = torch.nn.CrossEntropyLoss() 80 | optimizer = torch.optim.SGD(model.parameters(), lr=lr_rate, momentum=0.9, weight_decay = 1e-4) 81 | 82 | st = time.time() 83 | 84 | model.train() 85 | max_acc = 0 86 | save_n = 0 87 | stable_iter = 0 88 | 89 | print('[Training] Starting ...') 90 | for i in range(n_iters): 91 | 92 | X,GT = data.random_train_batch() 93 | 94 | X = X.to(device) 95 | GT = GT.to(device) 96 | 97 | X_adv = attacker.exhaustive_search(X,GT,0.05,30,7,7,2,2,False) 98 | #pgd_attack(model,X,GT,eps=attack_eps/255.0,alpha=1/255,iters=40) 99 | Y = model(X_adv) 100 | loss = loss_f(Y,GT) 101 | 102 | optimizer.zero_grad() 103 | loss.backward() 104 | optimizer.step() 105 | now = (time.time() - st) / 60.0 106 | 107 | if (i+1) % 10 ==0: 108 | print('[process: %d/%d]' % (i+1,n_iters)) 109 | 110 | if (i+1) % 1000 == 0 : 111 | print(' ### Eval ###') 112 | print('Time = %f minutes, Iter = %d/%d, Loss = %f' % (now,i+1,n_iters,loss)) 113 | model.eval() 114 | 115 | score = test(data,model,attacker) 116 | 117 | if score>max_acc: 118 | print('[save]..') 119 | max_acc = score 120 | stable_iter = 0 121 | torch.save(model.state_dict(), ckpt_root+'model_' + str(save_n) + '_adv_acc=%f.ckpt'%(score)) 122 | save_n+=1 123 | else: 124 | stable_iter += 1 125 | if stable_iter == 10: 126 | print('Stable ... Training END ..') 127 | break 128 | model.train() 129 | 130 | 131 | print('[Training] Done ...') -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/raw/eval_adv.py: -------------------------------------------------------------------------------- 1 | import torch 2 | from model import NEURAL 3 | from dataset import DataMain 4 | import time 5 | import argparse 6 | import os 7 | 8 | 9 | device = torch.device('cuda:3' if torch.cuda.is_available() else 'cpu') 10 | 11 | 12 | batch_size = 200 13 | ckpt_root = './adv_checkpoint/' 14 | 15 | 16 | 17 | def pgd_attack(model, images, labels, eps=0.3, alpha=2/255, iters=40) : 18 | # let's do untargeted attack 19 | images = images.clone().to(device) 20 | labels = labels.to(device) 21 | loss = torch.nn.CrossEntropyLoss() 22 | 23 | ori_images = images.data 24 | 25 | for i in range(iters) : 26 | images.requires_grad = True 27 | outputs = model(images) 28 | 29 | model.zero_grad() 30 | cost = loss(outputs, labels).to(device) 31 | cost.backward() 32 | 33 | adv_images = images + alpha*images.grad.sign() 34 | eta = torch.clamp(adv_images - ori_images, min=-eps, max=eps) 35 | images = torch.clamp(ori_images + eta, min=-0.5, max=0.5).detach_() 36 | 37 | return images 38 | 39 | def pgd_attack_random(model, images, labels, eps=1, alpha=1, iters=40, randomize=True): 40 | """ Construct L_inf adversarial examples on the examples X """ 41 | model.eval() 42 | labels = labels.to(device) 43 | if randomize: 44 | delta = torch.rand_like(images, requires_grad=True).to(device) 45 | delta.data = delta.data * 2 * eps - eps 46 | delta.data = (delta.data + images ).clamp(-0.5,0.5)-(images) 47 | else: 48 | delta = torch.zeros_like(images, requires_grad=True).to(device) 49 | 50 | for t in range(iters): 51 | loss = torch.nn.CrossEntropyLoss()(model(images + delta ), labels) 52 | loss.backward() 53 | 54 | delta.data = (delta + alpha*delta.grad.detach().sign()).clamp(-eps,eps) 55 | delta.data = (delta.data + images ).clamp(-0.5,0.5)-(images) 56 | delta.grad.zero_() 57 | 58 | return delta+images 59 | 60 | 61 | def test(data,model,attack_eps): 62 | 63 | correct_adv = 0 64 | correct = 0 65 | tot = 0 66 | X,GT = data.sequential_test_batch() 67 | 68 | while X is not None: 69 | 70 | X = X.to(device) 71 | X_adv = pgd_attack_random(model,X,GT,eps=attack_eps/255.0,alpha=1/255,iters=100,randomize=True) 72 | 73 | Y = model(X) 74 | Y = torch.argmax(Y,dim=1) 75 | 76 | Y_adv = model(X_adv) 77 | Y_adv = torch.argmax(Y_adv,dim=1) 78 | 79 | this_batch_size = len(Y) 80 | 81 | for i in range(this_batch_size): 82 | tot+=1 83 | if GT[i] == Y[i]: 84 | correct+=1 85 | if GT[i] == Y_adv[i]: 86 | correct_adv+=1 87 | 88 | X,GT = data.sequential_test_batch() 89 | 90 | print('acc = %d/%d, adv_acc = %d/%d' % (correct,tot, correct_adv,tot)) 91 | 92 | 93 | 94 | 95 | 96 | print('[Data] Preparing .... ') 97 | data = DataMain(batch_size=batch_size) 98 | data.data_set_up(istrain=True) 99 | data.greeting() 100 | print('[Data] Done .... ') 101 | 102 | 103 | print('[Model] Preparing .... ') 104 | model = NEURAL(n_class=12,n_channel=3) 105 | model = model.to(device) 106 | model.eval() 107 | print('[Model] Done .... ') 108 | 109 | #ckpt = torch.load(main_sensor_path,map_location = 'cpu') 110 | #model.load_state_dict(ckpt) 111 | 112 | 113 | for adv_model in [4,8,16,32]: 114 | ckpt = torch.load( ckpt_root + 'adv_%d.ckpt' % adv_model , map_location = device) 115 | model.load_state_dict(ckpt) 116 | print('------------- Adv training eps = %d/255 ---------------' % adv_model ) 117 | for attack_eps in [0,2,4,8,16]: 118 | print('> attack_eps = %d/255' % attack_eps) 119 | test(data,model,attack_eps) 120 | -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/raw/model.py: -------------------------------------------------------------------------------- 1 | import torch 2 | from torch import nn 3 | 4 | class NEURAL(nn.Module): # end-to-end neural classifier 5 | 6 | def __init__(self,n_class,n_channel): 7 | 8 | super(NEURAL,self).__init__() 9 | 10 | ########################### Learn a color transform ########################### 11 | self.conv0 = nn.Sequential( 12 | nn.Conv2d(n_channel,3,1), #input_size=(n_channel*32*32) 13 | nn.ReLU() 14 | ) # output_size=(3*32*32) 15 | 16 | ########################### Level-1 ########################### 17 | self.conv1 = nn.Sequential( 18 | nn.Conv2d(3,32,5,1,2), #input_size=(3*32*32) 19 | nn.ReLU() 20 | ) # output_size=(32*32*32) 21 | 22 | self.conv2 = nn.Sequential( 23 | nn.Conv2d(32,32,5,1,2), #input_size=(32*32*32) 24 | nn.ReLU(), 25 | nn.MaxPool2d(kernel_size = 2,stride = 2) 26 | ) # output_size=(32*16*16) 27 | 28 | ########################### Level-2 ########################### 29 | self.conv3 = nn.Sequential( 30 | nn.Conv2d(32,64,3,1,1), #input_size=(32*16*16) 31 | nn.ReLU() 32 | ) # output_size=(64*16*16) 33 | 34 | self.conv4 = nn.Sequential( 35 | nn.Conv2d(64,64,3,1,1), #input_size=(64*16*16) 36 | nn.ReLU(), 37 | nn.MaxPool2d(kernel_size = 2,stride = 2) 38 | ) # output_size=(64*8*8) 39 | 40 | ########################### Level-3 ########################### 41 | self.conv5 = nn.Sequential( 42 | nn.Conv2d(64,128,3,1,1), #input_size=(64*8*8) 43 | nn.ReLU() 44 | ) # output_size=(128*8*8) 45 | 46 | self.conv6 = nn.Sequential( 47 | nn.Conv2d(128,128,3,1,1), #input_size=(128*8*8) 48 | nn.ReLU(), 49 | nn.MaxPool2d(kernel_size = 2,stride = 2) 50 | ) # output_size=(128*4*4) 51 | 52 | 53 | # num_fc = 32*16*16 + 64*8*8 + 128*4*4 = 14336 54 | self.fc1 = nn.Sequential( 55 | nn.Linear(14336,1024), 56 | nn.ReLU() 57 | ) 58 | self.fc2 = nn.Sequential( 59 | nn.Linear(1024,1024), 60 | nn.ReLU() 61 | ) 62 | self.fc3 = nn.Linear(1024,n_class) 63 | 64 | self.dropout = nn.Dropout(p=0.5) 65 | 66 | def forward(self,x): 67 | x = self.conv0(x) # Color Transform 68 | 69 | ## Scale 1 70 | x = self.conv1(x) 71 | x = self.conv2(x) 72 | x = self.dropout(x) 73 | scale_1 = x.view(x.size(0), -1) 74 | 75 | ## Scale 2 76 | x = self.conv3(x) 77 | x = self.conv4(x) 78 | x = self.dropout(x) 79 | scale_2 = x.view(x.size(0), -1) 80 | 81 | ## Scale 3 82 | x = self.conv5(x) 83 | x = self.conv6(x) 84 | x = self.dropout(x) 85 | scale_3 = x.view(x.size(0), -1) 86 | 87 | ###### FC ######################## 88 | embedding = torch.cat( (scale_1,scale_2,scale_3), dim = 1) 89 | 90 | x = self.fc1(embedding) 91 | x = self.dropout(x) 92 | 93 | x = self.fc2(x) 94 | x = self.dropout(x) 95 | 96 | x = self.fc3(x) 97 | return x 98 | -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/raw/train.py: -------------------------------------------------------------------------------- 1 | import torch 2 | from model import NEURAL 3 | from dataset import DataMain 4 | import time 5 | 6 | device = torch.device('cuda:0' if torch.cuda.is_available() else 'cpu') 7 | lr_rate = 0.01 8 | batch_size = 200 9 | n_iters = 50000 10 | 11 | 12 | def test(data,model): 13 | 14 | STOP_true_positive = 0 15 | STOP_false_positive = 0 16 | STOP_num = 0 17 | 18 | correct = 0 19 | tot = 0 20 | X,GT = data.sequential_val_batch() 21 | while X is not None: 22 | 23 | X = X.to(device) 24 | GT = GT.to(device) 25 | 26 | Y = model(X) 27 | Y = torch.argmax(Y,dim=1) 28 | 29 | this_batch_size = len(Y) 30 | 31 | for i in range(this_batch_size): 32 | tot+=1 33 | 34 | if GT[i] == Y[i]: 35 | correct+=1 36 | 37 | if GT[i] == 0: 38 | STOP_num+=1 39 | if Y[i]==0: 40 | STOP_true_positive+=1 41 | elif Y[i]==0: 42 | STOP_false_positive+=1 43 | 44 | X,GT = data.sequential_val_batch() 45 | print('acc = %d / %d' % (correct,tot)) 46 | 47 | 48 | recall = STOP_true_positive/STOP_num 49 | if STOP_true_positive+STOP_false_positive == 0: 50 | precision = 0 51 | else: 52 | precision = STOP_true_positive/(STOP_true_positive+STOP_false_positive) 53 | print('stop sign : recall = %d/%d = %f, precision = %d/%d = %f' % \ 54 | (STOP_true_positive,STOP_num, recall, \ 55 | STOP_true_positive,STOP_true_positive+STOP_false_positive, precision) ) 56 | 57 | return correct/tot 58 | 59 | 60 | 61 | 62 | 63 | print('[Data] Preparing .... ') 64 | data = DataMain(batch_size=batch_size) 65 | data.data_set_up(istrain=True) 66 | data.greeting() 67 | print('[Data] Done .... ') 68 | 69 | 70 | print('[Model] Preparing .... ') 71 | model = NEURAL(n_class=12,n_channel=3) 72 | model = model.to(device) 73 | print('[Model] Done .... ') 74 | 75 | loss_f = torch.nn.CrossEntropyLoss() 76 | optimizer = torch.optim.SGD(model.parameters(), lr=lr_rate, momentum=0.9, weight_decay = 1e-4) 77 | 78 | st = time.time() 79 | 80 | model.train() 81 | max_acc = 0 82 | save_n = 0 83 | stable_iter = 0 84 | 85 | print('[Training] Starting ...') 86 | for i in range(n_iters): 87 | 88 | X,GT = data.random_train_batch() 89 | 90 | X = X.to(device) 91 | GT = GT.to(device) 92 | 93 | Y = model(X) 94 | loss = loss_f(Y,GT) 95 | 96 | optimizer.zero_grad() 97 | loss.backward() 98 | optimizer.step() 99 | now = (time.time() - st) / 60.0 100 | 101 | if (i+1) % 1000 == 0 : 102 | #if (i+1) % 10 == 0 : 103 | print(' ### Eval ###') 104 | print('Time = %f minutes, Iter = %d/%d, Loss = %f' % (now,i+1,n_iters,loss)) 105 | model.eval() 106 | 107 | score = test(data,model) 108 | 109 | if score>max_acc: 110 | print('[save]..') 111 | max_acc = score 112 | stable_iter = 0 113 | torch.save(model.state_dict(), './checkpoint/model_' + str(save_n) + '_acc=%f.ckpt'%(score)) 114 | save_n+=1 115 | else: 116 | stable_iter += 1 117 | if stable_iter == 10: 118 | print('Stable ... Training END ..') 119 | break 120 | model.train() 121 | 122 | 123 | print('[Training] Done ...') -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/readme.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | # Setting-A 4 | 5 | This directory contains the code for evaluating our KEMLP framework against : 6 | 7 | * **$L_\infty$ attack** 8 | 9 | 10 | 11 | * **Unforeseen attacks** 12 | 13 | 14 | 15 | * **Natural corruption** 16 | 17 | 18 | 19 |

20 | 21 | ## Reimplement $L_\infty$ Attack 22 | 23 | For $L_{\infty}$ attack, we generate the adversarial examples under three different attack settings: 24 | 25 | * **Whitebox sensor attack** 26 | 27 | 28 | 29 | ```bash 30 | cd pipeline 31 | python reimplement_table_linf_whitebox.py 32 | ``` 33 | 34 | * **Blackbox sensor attack** 35 | 36 | image-20210211194144345 37 | 38 | ```bash 39 | cd pipeline 40 | python reimplement_table_linf_blackbox_sensor.py 41 | ``` 42 | 43 | * **Blackbox pipeline attack** 44 | 45 | image-20210211194220988 46 | 47 | ```bash 48 | cd pipeline 49 | python reimplement_table_linf_blackbox_pipeline.py 50 | ``` 51 | 52 |

53 | 54 | ## Reimplement Unforeseen Attacks 55 | 56 | * **Whitebox sensor attack** 57 | 58 | image-20210211194220988 59 | 60 | ```bash 61 | cd pipeline 62 | python reimplement_table_unforeseen_whitebox.py 63 | ``` 64 | 65 | * **Blackbox sensor attack** 66 | 67 | image-20210211205621986 68 | 69 | ```bash 70 | cd pipeline 71 | python reimplement_table_unforeseen_blackbox_sensor.py 72 | ``` 73 | 74 | * **Blackbox pipeline attack** 75 | 76 | image-20210211205742555 77 | 78 | ```bash 79 | cd pipeline 80 | python reimplement_table_unforeseen_blackbox_pipeline.py 81 | ``` 82 | 83 |

84 | 85 | ## Reimplement Common Corruptions 86 | 87 | image-20210211210026437 88 | 89 | ```bash 90 | cd pipeline 91 | python reimplement_table_common_corruption.py 92 | ``` 93 | 94 | -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/substitute/model.py: -------------------------------------------------------------------------------- 1 | import torch 2 | from torch import nn 3 | 4 | class NEURAL(nn.Module): # end-to-end neural classifier 5 | 6 | def __init__(self,n_class,n_channel): 7 | 8 | super(NEURAL,self).__init__() 9 | 10 | ########################### Learn a color transform ########################### 11 | self.conv0 = nn.Sequential( 12 | nn.Conv2d(n_channel,3,1), #input_size=(n_channel*32*32) 13 | nn.ReLU() 14 | ) # output_size=(3*32*32) 15 | 16 | ########################### Level-1 ########################### 17 | self.conv1 = nn.Sequential( 18 | nn.Conv2d(3,32,5,1,2), #input_size=(3*32*32) 19 | nn.ReLU() 20 | ) # output_size=(32*32*32) 21 | 22 | self.conv2 = nn.Sequential( 23 | nn.Conv2d(32,32,5,1,2), #input_size=(32*32*32) 24 | nn.ReLU(), 25 | nn.MaxPool2d(kernel_size = 2,stride = 2) 26 | ) # output_size=(32*16*16) 27 | 28 | ########################### Level-2 ########################### 29 | self.conv3 = nn.Sequential( 30 | nn.Conv2d(32,64,3,1,1), #input_size=(32*16*16) 31 | nn.ReLU() 32 | ) # output_size=(64*16*16) 33 | 34 | self.conv4 = nn.Sequential( 35 | nn.Conv2d(64,64,3,1,1), #input_size=(64*16*16) 36 | nn.ReLU(), 37 | nn.MaxPool2d(kernel_size = 2,stride = 2) 38 | ) # output_size=(64*8*8) 39 | 40 | ########################### Level-3 ########################### 41 | self.conv5 = nn.Sequential( 42 | nn.Conv2d(64,128,3,1,1), #input_size=(64*8*8) 43 | nn.ReLU() 44 | ) # output_size=(128*8*8) 45 | 46 | self.conv6 = nn.Sequential( 47 | nn.Conv2d(128,128,3,1,1), #input_size=(128*8*8) 48 | nn.ReLU(), 49 | nn.MaxPool2d(kernel_size = 2,stride = 2) 50 | ) # output_size=(128*4*4) 51 | 52 | 53 | # num_fc = 32*16*16 + 64*8*8 + 128*4*4 = 14336 54 | self.fc1 = nn.Sequential( 55 | nn.Linear(14336,1024), 56 | nn.ReLU() 57 | ) 58 | self.fc2 = nn.Sequential( 59 | nn.Linear(1024,1024), 60 | nn.ReLU() 61 | ) 62 | self.fc3 = nn.Linear(1024,n_class) 63 | 64 | self.dropout = nn.Dropout(p=0.5) 65 | 66 | def forward(self,x): 67 | x = self.conv0(x) # Color Transform 68 | 69 | ## Scale 1 70 | x = self.conv1(x) 71 | x = self.conv2(x) 72 | x = self.dropout(x) 73 | scale_1 = x.reshape(x.size(0), -1) 74 | 75 | ## Scale 2 76 | x = self.conv3(x) 77 | x = self.conv4(x) 78 | x = self.dropout(x) 79 | scale_2 = x.reshape(x.size(0), -1) 80 | 81 | ## Scale 3 82 | x = self.conv5(x) 83 | x = self.conv6(x) 84 | x = self.dropout(x) 85 | scale_3 = x.reshape(x.size(0), -1) 86 | 87 | ###### FC ######################## 88 | embedding = torch.cat( (scale_1,scale_2,scale_3), dim = 1) 89 | 90 | x = self.fc1(embedding) 91 | x = self.dropout(x) 92 | 93 | x = self.fc2(x) 94 | x = self.dropout(x) 95 | 96 | x = self.fc3(x) 97 | return x 98 | -------------------------------------------------------------------------------- /SettingA-linf,unforeseen,corruptions/substitute/train.py: -------------------------------------------------------------------------------- 1 | from dataset import DataSubstitute 2 | from model import NEURAL 3 | import torch 4 | import time 5 | import argparse 6 | import os 7 | 8 | parser = argparse.ArgumentParser() 9 | parser.add_argument('-enable_cuda', type=bool, default=True, help='whether use cuda device') 10 | parser.add_argument('-gpu_id', type=int, default=0, help='id number of the gpu device') 11 | parser.add_argument('-mode', type=int, default=0, help='mode-0 : main task model substitute, mode-1 : pipeline substitute') 12 | args = parser.parse_args() 13 | 14 | 15 | enable_cuda = args.enable_cuda 16 | gpu_id = args.gpu_id 17 | mode = args.mode 18 | 19 | ckpt_dir = 'checkpoint' 20 | 21 | if not os.path.exists(ckpt_dir): 22 | os.mkdir(ckpt_dir) 23 | 24 | 25 | if enable_cuda: 26 | device = torch.device('cuda:%d' % gpu_id) 27 | else: 28 | device = torch.device('cpu') 29 | 30 | 31 | lr_rate = 0.01 32 | batch_size = 200 33 | n_iters = 20000 34 | n_class = 12 35 | 36 | 37 | def test(data,model): 38 | correct = 0 39 | tot = 0 40 | X,GT = data.sequential_val_batch() 41 | while X is not None: 42 | 43 | X = X.to(device) 44 | GT = GT.to(device) 45 | Y = model(X) 46 | Y = torch.argmax(Y,dim=1) 47 | 48 | this_batch_size = len(Y) 49 | 50 | for i in range(this_batch_size): 51 | tot+=1 52 | if GT[i] == Y[i]: 53 | correct+=1 54 | 55 | X,GT = data.sequential_val_batch() 56 | 57 | print('acc = %d / %d' % (correct,tot)) 58 | return correct/tot 59 | 60 | 61 | 62 | print('[Data] Preparing .... ') 63 | data = DataSubstitute(mode=mode,batch_size=batch_size) 64 | data.data_set_up(istrain=True) 65 | data.greeting() 66 | print('[Data] Done .... ') 67 | 68 | 69 | print('[Model] Preparing .... ') 70 | model = NEURAL(n_class=n_class, n_channel=3) 71 | model = model.to(device) 72 | print('[Model] Done .... ') 73 | 74 | loss_f = torch.nn.CrossEntropyLoss() 75 | optimizer = torch.optim.SGD(model.parameters(), lr=lr_rate, momentum=0.9, weight_decay = 1e-4) 76 | 77 | st = time.time() 78 | 79 | model.train() 80 | max_acc = 0 81 | save_n = 0 82 | stable_iter = 0 83 | 84 | print('[Training] Starting ...') 85 | for i in range(n_iters): 86 | 87 | X,GT = data.random_train_batch() 88 | 89 | X = X.to(device) 90 | GT = GT.to(device) 91 | 92 | Y = model(X) 93 | loss = loss_f(Y,GT) 94 | 95 | optimizer.zero_grad() 96 | loss.backward() 97 | optimizer.step() 98 | now = (time.time() - st) / 60.0 99 | 100 | if (i+1) % 1000 == 0 : 101 | print(' ### Eval ###') 102 | print('Time = %f minutes, Iter = %d/%d, Loss = %f' % (now,i+1,n_iters,loss)) 103 | model.eval() 104 | 105 | score = test(data,model) 106 | 107 | if score>max_acc: 108 | print('[save]..') 109 | max_acc = score 110 | stable_iter = 0 111 | torch.save(model.state_dict(), './checkpoint/model_' + str(save_n) + '.ckpt') 112 | save_n+=1 113 | else: 114 | stable_iter += 1 115 | if stable_iter == 10: 116 | print('Stable ... Training END ..') 117 | break 118 | model.train() 119 | #print('recall = %f, precision = %f' % (recall,precision)) 120 | 121 | 122 | print('[Training] Done ...') -------------------------------------------------------------------------------- /SettingB-stop_sign_attack/data/generate_sensory_data.py: -------------------------------------------------------------------------------- 1 | import numpy as np 2 | import cv2 3 | import pickle 4 | 5 | 6 | def foreground_segmentation(img): 7 | mask = np.zeros((128,128),np.uint8) 8 | ## Foreground Segmentation 9 | bgdModel = np.zeros((1,65),np.float64) 10 | fgdModel = np.zeros((1,65),np.float64) 11 | rect = (1,1,126,126) 12 | cv2.grabCut(img,mask,rect,bgdModel,fgdModel,15,cv2.GC_INIT_WITH_RECT) 13 | mask2 = np.where((mask==2)|(mask==0),0,1).astype(np.uint8) 14 | return mask2 15 | 16 | def preprocess(img): 17 | 18 | temp = cv2.cvtColor(img, cv2.COLOR_BGR2HSV) 19 | temp[:,:,1] = cv2.equalizeHist(temp[:,:,1]) 20 | temp[:,:,2] = cv2.equalizeHist(temp[:,:,2]) 21 | temp = cv2.cvtColor(temp, cv2.COLOR_HSV2BGR) 22 | temp = cv2.GaussianBlur(temp,(7,7),0) 23 | mask = foreground_segmentation(temp) 24 | 25 | mask_larger = cv2.resize(mask,(138,138)) 26 | mask_smaller = cv2.resize(mask,(90,90)) 27 | 28 | border = img.copy() 29 | for i in range(3): 30 | border[:,:,i] = border[:,:,i] * mask_larger[5:133,5:133] 31 | mask[:,:] = 1 32 | mask[19:109,19:109] = 1 - mask_smaller[:,:] 33 | for i in range(3): 34 | border[:,:,i] = border[:,:,i] * mask 35 | 36 | content = img.copy() 37 | content = cv2.cvtColor(content,cv2.COLOR_BGR2GRAY) 38 | content = cv2.GaussianBlur(content,(7,7),0) 39 | content = cv2.equalizeHist(content) 40 | content = cv2.Canny(content, 20, 50) 41 | mask[:,:] = 0 42 | mask[19:109,19:109] = mask_smaller[:,:] 43 | content *= mask 44 | 45 | return border, content 46 | 47 | 48 | 49 | for sample_path in ['stop_sign_adv_X_test.npy', 'stop_sign_X_test.npy']: 50 | 51 | X = np.load('./data/%s' % sample_path) 52 | 53 | num = len(X) 54 | 55 | border = [] 56 | content = [] 57 | 58 | for i in range(num): 59 | img = X[i] 60 | img = cv2.resize(img,(128,128)) 61 | b_img, c_img = preprocess(img) 62 | border.append(b_img) 63 | content.append(c_img) 64 | 65 | print('[%s] %d/%d' % (sample_path,i+1,num)) 66 | 67 | border = np.array(border) 68 | content = np.array(content) 69 | 70 | if sample_path == 'stop_sign_X_test.npy': 71 | np.save('./data/stop_sign_border_test.npy',border) 72 | np.save('./data/stop_sign_content_test.npy',content) 73 | else: 74 | np.save('./data/stop_sign_adv_border_test.npy', border) 75 | np.save('./data/stop_sign_adv_content_test.npy', content) 76 | -------------------------------------------------------------------------------- /SettingB-stop_sign_attack/data/physical_sticker_content.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AI-secure/Knowledge-Enhanced-Machine-Learning-Pipeline/8cda8102577c1203f5781844238b53626e68dac4/SettingB-stop_sign_attack/data/physical_sticker_content.png -------------------------------------------------------------------------------- /SettingB-stop_sign_attack/data/physical_sticker_mask.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AI-secure/Knowledge-Enhanced-Machine-Learning-Pipeline/8cda8102577c1203f5781844238b53626e68dac4/SettingB-stop_sign_attack/data/physical_sticker_mask.png -------------------------------------------------------------------------------- /SettingB-stop_sign_attack/img/0.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AI-secure/Knowledge-Enhanced-Machine-Learning-Pipeline/8cda8102577c1203f5781844238b53626e68dac4/SettingB-stop_sign_attack/img/0.png -------------------------------------------------------------------------------- /SettingB-stop_sign_attack/img/1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AI-secure/Knowledge-Enhanced-Machine-Learning-Pipeline/8cda8102577c1203f5781844238b53626e68dac4/SettingB-stop_sign_attack/img/1.png -------------------------------------------------------------------------------- /SettingB-stop_sign_attack/pipeline/ckpt/graph_model_ratio=0.0.ckpt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AI-secure/Knowledge-Enhanced-Machine-Learning-Pipeline/8cda8102577c1203f5781844238b53626e68dac4/SettingB-stop_sign_attack/pipeline/ckpt/graph_model_ratio=0.0.ckpt -------------------------------------------------------------------------------- /SettingB-stop_sign_attack/pipeline/ckpt/graph_model_ratio=0.1.ckpt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AI-secure/Knowledge-Enhanced-Machine-Learning-Pipeline/8cda8102577c1203f5781844238b53626e68dac4/SettingB-stop_sign_attack/pipeline/ckpt/graph_model_ratio=0.1.ckpt -------------------------------------------------------------------------------- /SettingB-stop_sign_attack/pipeline/ckpt/graph_model_ratio=0.2.ckpt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AI-secure/Knowledge-Enhanced-Machine-Learning-Pipeline/8cda8102577c1203f5781844238b53626e68dac4/SettingB-stop_sign_attack/pipeline/ckpt/graph_model_ratio=0.2.ckpt -------------------------------------------------------------------------------- /SettingB-stop_sign_attack/pipeline/ckpt/graph_model_ratio=0.3.ckpt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AI-secure/Knowledge-Enhanced-Machine-Learning-Pipeline/8cda8102577c1203f5781844238b53626e68dac4/SettingB-stop_sign_attack/pipeline/ckpt/graph_model_ratio=0.3.ckpt -------------------------------------------------------------------------------- /SettingB-stop_sign_attack/pipeline/ckpt/graph_model_ratio=0.4.ckpt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AI-secure/Knowledge-Enhanced-Machine-Learning-Pipeline/8cda8102577c1203f5781844238b53626e68dac4/SettingB-stop_sign_attack/pipeline/ckpt/graph_model_ratio=0.4.ckpt -------------------------------------------------------------------------------- /SettingB-stop_sign_attack/pipeline/ckpt/graph_model_ratio=0.5.ckpt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AI-secure/Knowledge-Enhanced-Machine-Learning-Pipeline/8cda8102577c1203f5781844238b53626e68dac4/SettingB-stop_sign_attack/pipeline/ckpt/graph_model_ratio=0.5.ckpt -------------------------------------------------------------------------------- /SettingB-stop_sign_attack/pipeline/ckpt/graph_model_ratio=0.6.ckpt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AI-secure/Knowledge-Enhanced-Machine-Learning-Pipeline/8cda8102577c1203f5781844238b53626e68dac4/SettingB-stop_sign_attack/pipeline/ckpt/graph_model_ratio=0.6.ckpt -------------------------------------------------------------------------------- /SettingB-stop_sign_attack/pipeline/ckpt/graph_model_ratio=0.7.ckpt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AI-secure/Knowledge-Enhanced-Machine-Learning-Pipeline/8cda8102577c1203f5781844238b53626e68dac4/SettingB-stop_sign_attack/pipeline/ckpt/graph_model_ratio=0.7.ckpt -------------------------------------------------------------------------------- /SettingB-stop_sign_attack/pipeline/ckpt/graph_model_ratio=0.8.ckpt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AI-secure/Knowledge-Enhanced-Machine-Learning-Pipeline/8cda8102577c1203f5781844238b53626e68dac4/SettingB-stop_sign_attack/pipeline/ckpt/graph_model_ratio=0.8.ckpt -------------------------------------------------------------------------------- /SettingB-stop_sign_attack/pipeline/ckpt/graph_model_ratio=0.9.ckpt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AI-secure/Knowledge-Enhanced-Machine-Learning-Pipeline/8cda8102577c1203f5781844238b53626e68dac4/SettingB-stop_sign_attack/pipeline/ckpt/graph_model_ratio=0.9.ckpt -------------------------------------------------------------------------------- /SettingB-stop_sign_attack/pipeline/ckpt/graph_model_ratio=1.0.ckpt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AI-secure/Knowledge-Enhanced-Machine-Learning-Pipeline/8cda8102577c1203f5781844238b53626e68dac4/SettingB-stop_sign_attack/pipeline/ckpt/graph_model_ratio=1.0.ckpt -------------------------------------------------------------------------------- /SettingB-stop_sign_attack/pipeline/pipeline.py: -------------------------------------------------------------------------------- 1 | import torch 2 | import numpy as np 3 | 4 | """ 5 | Probabilistic reasoning component that makes final decision based on sensing signals. 6 | "deterministic sensor" corresponds to the "consequential sensor" in our paper. 7 | "conservative sensor" corresponds to the "antecedential sensor" in our paper. 8 | """ 9 | class pipeline: 10 | 11 | def __init__(self,n_class): 12 | self.n_class = n_class 13 | self.main_sensor = None 14 | self.conservative_sensor = [ [] for i in range(n_class) ] 15 | self.deterministc_sensor = [ [] for i in range(n_class) ] 16 | self.num_conservative = np.zeros(n_class,dtype = np.int) 17 | self.num_deterministic = np.zeros(n_class, dtype=np.int) 18 | self.id_conservative = [ [] for i in range(n_class) ] 19 | self.id_deterministic = [ [] for i in range(n_class) ] 20 | self.id_main = 0 21 | self.already_built = False 22 | 23 | def set_main_sensor(self,main_sensor): 24 | self.main_sensor = main_sensor 25 | 26 | def add_conservative_sensor(self,class_id,var_id,sensor): 27 | self.conservative_sensor[class_id].append(sensor) 28 | self.id_conservative[class_id].append(var_id) 29 | self.num_conservative[class_id]+=1 30 | 31 | def add_deterministic_sensor(self,class_id,var_id,sensor): 32 | self.deterministc_sensor[class_id].append(sensor) 33 | self.id_deterministic[class_id].append(var_id) 34 | self.num_deterministic[class_id]+=1 35 | 36 | def build_graph(self): 37 | if self.main_sensor is None: 38 | return False 39 | 40 | cnt = 1 41 | 42 | # id for conservative sensors 43 | for i in range(self.n_class): 44 | cnt += self.num_conservative[i] 45 | 46 | 47 | # id for deterministic sensors 48 | for i in range(self.n_class): 49 | cnt += self.num_deterministic[i] 50 | 51 | 52 | self.num_sensor = cnt 53 | 54 | # weight for each sensor 55 | self.weight = torch.ones( int(self.num_sensor) ) 56 | self.weight.requires_grad = True 57 | 58 | self.already_built = True 59 | 60 | #print('conservative_id : ',self.id_conservative) 61 | #print('deterministic_id : ',self.id_deterministic) 62 | return True 63 | 64 | def inference(self,X): 65 | # X : sensor variable ==> batch_size x num_of_sensors 66 | #print(X) 67 | score = [] 68 | for i in range(self.n_class): 69 | #print('## class-%d' % i) 70 | 71 | factor_main = (X[:, 0] == i) * self.weight[0] 72 | factor_conservative = torch.zeros(factor_main.shape) 73 | factor_deterministic = torch.zeros(factor_main.shape) 74 | 75 | #print('conservative --->') 76 | for j in range(self.num_conservative[i]): 77 | sid = self.id_conservative[i][j] 78 | factor_conservative+= (X[:,sid]==1) * self.weight[sid] 79 | #print('sid : %d, result : ' % sid, X[:,sid]==1) 80 | 81 | #print('deterministic --->') 82 | for j in range(self.num_deterministic[i]): 83 | sid = self.id_deterministic[i][j] 84 | factor_deterministic+= -1 * ( (X[:,sid]==0) * self.weight[sid] ) 85 | #print('sid : %d, result : ' % sid, X[:,sid]==0) 86 | 87 | 88 | #print('factor conservative :',factor_conservative) 89 | #print('factor deterministic :',factor_deterministic) 90 | #print('factor main :',factor_main) 91 | 92 | 93 | result = torch.exp(factor_main + factor_conservative + factor_deterministic) 94 | result = result.unsqueeze(1) 95 | 96 | score.append( result ) 97 | #exit(0) 98 | score = torch.cat(score,dim=1) 99 | return score 100 | 101 | def step(self,step_size): # maximize the likelihood 102 | 103 | self.weight = self.weight + step_size*self.weight.grad 104 | for i in range(self.num_sensor): 105 | if self.weight[i]<0: 106 | self.weight[i] = 0 107 | #self.weight[0] = 1 # fix the weight for the main sensor 108 | 109 | self.weight = torch.tensor(self.weight.data, requires_grad=True) 110 | 111 | if self.weight.grad is not None: 112 | self.weight.grad.data.fill_(0) -------------------------------------------------------------------------------- /SettingB-stop_sign_attack/pipeline/reimplement_table.py: -------------------------------------------------------------------------------- 1 | import numpy as np 2 | import torch 3 | import os 4 | import json 5 | from model import NEURAL,Model 6 | from var_generator import var_generator 7 | from pipeline import pipeline 8 | from sensing_signals_data import sensing_data 9 | import argparse 10 | 11 | parser = argparse.ArgumentParser() 12 | parser.add_argument('-enable_cuda', type=bool, default=True, help='whether use cuda device') 13 | parser.add_argument('-gpu_id', type=int, default=0, help='id number of the gpu device') 14 | parser.add_argument('-alpha', type=str, default='0.4', choices=['0.0','0.1','0.2','0.3','0.4','0.5','0.6','0.7','0.8','0.9','1.0'],\ 15 | help='adversarial ratio, options = [0.0,0.1,0.2,0.3,0.4,0.5,0.6,0.7,0.8,0.9,1.0]') 16 | args = parser.parse_args() 17 | 18 | 19 | enable_cuda = args.enable_cuda 20 | gpu_id = args.gpu_id 21 | alpha = args.alpha 22 | 23 | signal_dir = 'sensing_signals/' 24 | if not os.path.exists(signal_dir): 25 | os.mkdir(signal_dir) 26 | 27 | if enable_cuda: 28 | device = torch.device('cuda:%d' % gpu_id) 29 | else: 30 | device = torch.device('cpu') 31 | 32 | main_sensor_list = { 33 | # standard CNN main sensor 34 | 'CNN' : './sensor/main/main.ckpt', 35 | # adversarially trained CNN main sensor 36 | 'CNN_adv_4' : './sensor/main/main_adv_4.ckpt', 37 | 'CNN_adv_8' : './sensor/main/main_adv_8.ckpt', 38 | 'CNN_adv_16' : './sensor/main/main_adv_16.ckpt', 39 | 'CNN_adv_32' : './sensor/main/main_adv_32.ckpt', 40 | # DOA trained CNN main sensor 41 | 'CNN_doa_5' : './sensor/main/main_doa_5.ckpt', 42 | 'CNN_doa_7' : './sensor/main/main_doa_7.ckpt' 43 | } 44 | 45 | 46 | n_class = 12 47 | batch_size = 100 48 | 49 | 50 | ##### Sensors & Variables ################## 51 | digit_sensor = './sensor/content/digit.pth' 52 | 53 | con_sensors_for_class = { 54 | './sensor/border/type_0_con.ckpt' : [0], 55 | './sensor/border/type_1_con.ckpt' : [1], 56 | './sensor/border/type_2_con.ckpt' : [2], 57 | './sensor/border/type_3_con.ckpt' : [3], 58 | './sensor/content/class_4.ckpt' : [4], 59 | './sensor/content/class_5.ckpt' : [5], 60 | './sensor/border/type_5_con.ckpt' : [6], 61 | './sensor/content/class_7.ckpt' : [7], 62 | './sensor/content/digit.pth' : [8,10,11], # digit recognition model for speed-limit 50/20/120 63 | './sensor/border/type_7_con.ckpt' : [9] 64 | } 65 | 66 | det_sensors_for_class = { 67 | './sensor/border/type_0_det.ckpt' : [0], 68 | './sensor/border/type_1_det.ckpt' : [1], 69 | './sensor/border/type_2_det.ckpt' : [2], 70 | './sensor/border/type_3_det.ckpt' : [3], 71 | './sensor/border/type_4_det.ckpt' : [4,5], 72 | './sensor/border/type_5_det.ckpt' : [6], 73 | './sensor/border/type_6_det.ckpt' : [7,8,10,11], 74 | './sensor/border/type_7_det.ckpt' : [9] 75 | } 76 | 77 | aux_sensor_map = { # sensor_ckpt : [ (class_id, sensor_variable_id), ... ] 78 | './sensor/border/type_0_con.ckpt' : [], 79 | './sensor/border/type_1_con.ckpt' : [], 80 | './sensor/border/type_2_con.ckpt' : [], 81 | './sensor/border/type_3_con.ckpt' : [], 82 | './sensor/content/class_4.ckpt' : [], 83 | './sensor/content/class_5.ckpt' : [], 84 | './sensor/border/type_5_con.ckpt' : [], 85 | './sensor/content/class_7.ckpt' : [], 86 | './sensor/content/digit.pth' : [], 87 | './sensor/border/type_7_con.ckpt' : [], 88 | './sensor/border/type_0_det.ckpt' : [], 89 | './sensor/border/type_1_det.ckpt' : [], 90 | './sensor/border/type_2_det.ckpt' : [], 91 | './sensor/border/type_3_det.ckpt' : [], 92 | './sensor/border/type_4_det.ckpt' : [], 93 | './sensor/border/type_5_det.ckpt' : [], 94 | './sensor/border/type_6_det.ckpt' : [], 95 | './sensor/border/type_7_det.ckpt' : [] 96 | } 97 | 98 | 99 | cnt = 1 100 | 101 | for i in range(n_class): 102 | for item in con_sensors_for_class.keys(): 103 | if i in con_sensors_for_class[item]: # if sensor 'item' is for class-i, then create a variable for it. 104 | aux_sensor_map[item].append( (i,cnt) ) 105 | cnt+=1 106 | 107 | for i in range(n_class): 108 | for item in det_sensors_for_class.keys(): 109 | if i in det_sensors_for_class[item]: 110 | aux_sensor_map[item].append( (i,cnt) ) 111 | cnt+=1 112 | 113 | with open(signal_dir+'sensor_map.json','w') as file_obj: 114 | json.dump(aux_sensor_map,file_obj) 115 | ####################################################### 116 | 117 | 118 | 119 | 120 | ############# data ########################################## 121 | 122 | phase_to_data = { # [GT, raw_img, border_img, content_img] 123 | # clean stop sign samples 124 | 'clean' : ['../data/data/stop_sign_label.npy', '../data/data/stop_sign_X_test.npy', '../data/data/stop_sign_border_test.npy', '../data/data/stop_sign_content_test.npy'], 125 | # adversarial stop sign samples 126 | 'adv' : ['../data/data/stop_sign_label.npy', '../data/data/stop_sign_adv_X_test.npy', '../data/data/stop_sign_adv_border_test.npy', '../data/data/stop_sign_adv_content_test.npy'] 127 | } 128 | 129 | phase_set = phase_to_data.keys() 130 | data_dir = '../data/data/' 131 | ############################################################# 132 | 133 | 134 | def test(model,data): 135 | 136 | n_class = 12 137 | 138 | num_each_class = np.zeros(n_class) 139 | correct_each_class = np.zeros(n_class) 140 | mis_from_A_to_B = np.zeros((n_class,n_class)) 141 | 142 | var, gt =data.sequential_test_batch() 143 | correct = 0 144 | tot = 0 145 | while var is not None: 146 | this_batch_size = len(gt) 147 | 148 | scores = model.inference(var) 149 | Y = torch.argmax(scores,dim=1) 150 | 151 | tot += this_batch_size 152 | for i in range(this_batch_size): 153 | num_each_class[gt[i]]+=1 154 | if Y[i] == gt[i]: 155 | correct+=1 156 | correct_each_class[gt[i]]+=1 157 | else: 158 | mis_from_A_to_B[gt[i]][Y[i]]+=1 159 | var, gt = data.sequential_test_batch() 160 | 161 | print('[KEMLP] acc = %d/%d = %f' % (correct,tot,correct/tot)) 162 | 163 | model = torch.load('./ckpt/graph_model_ratio=%s.ckpt' % alpha) 164 | gt_path = './sensing_signals/GT_stop_test.npy' 165 | 166 | 167 | for main_sensor in main_sensor_list.keys(): 168 | 169 | 170 | main_sensor_name = main_sensor 171 | main_sensor = main_sensor_list[main_sensor] 172 | 173 | print('>>>> Main Sensor : %s' % main_sensor_name) 174 | 175 | my_generator = var_generator(main_sensor_path=main_sensor, digit_sensor_path=digit_sensor, n_class = n_class,\ 176 | batch_size = batch_size, var_cnt=cnt, con_list = con_sensors_for_class.keys(), det_list = det_sensors_for_class.keys(),\ 177 | aux_list = aux_sensor_map, device = device) 178 | 179 | for phase in phase_to_data.keys(): 180 | 181 | print('------------------- %s data --------------------------' % phase) 182 | signal_list = phase_to_data[phase] 183 | 184 | print('|| CNN-Only') 185 | VARS = my_generator.gen_vars(signal_list) 186 | path = signal_dir + '%s_signals_with_%s.npy' % (phase, main_sensor_name) 187 | np.save(path, VARS) 188 | 189 | print('|| KEMLP-Enhanced') 190 | sensing_signals_path = path 191 | data = sensing_data(batch_size=40, train_data = None, test_data = [sensing_signals_path, gt_path]) 192 | test(model,data) 193 | print('---------------------------------------\n') -------------------------------------------------------------------------------- /SettingB-stop_sign_attack/pipeline/sensing_signals/GT_stop_test.npy: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AI-secure/Knowledge-Enhanced-Machine-Learning-Pipeline/8cda8102577c1203f5781844238b53626e68dac4/SettingB-stop_sign_attack/pipeline/sensing_signals/GT_stop_test.npy -------------------------------------------------------------------------------- /SettingB-stop_sign_attack/pipeline/sensing_signals/adv_signals_with_CNN.npy: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AI-secure/Knowledge-Enhanced-Machine-Learning-Pipeline/8cda8102577c1203f5781844238b53626e68dac4/SettingB-stop_sign_attack/pipeline/sensing_signals/adv_signals_with_CNN.npy -------------------------------------------------------------------------------- /SettingB-stop_sign_attack/pipeline/sensing_signals/adv_signals_with_CNN_adv_16.npy: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AI-secure/Knowledge-Enhanced-Machine-Learning-Pipeline/8cda8102577c1203f5781844238b53626e68dac4/SettingB-stop_sign_attack/pipeline/sensing_signals/adv_signals_with_CNN_adv_16.npy -------------------------------------------------------------------------------- /SettingB-stop_sign_attack/pipeline/sensing_signals/adv_signals_with_CNN_adv_32.npy: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AI-secure/Knowledge-Enhanced-Machine-Learning-Pipeline/8cda8102577c1203f5781844238b53626e68dac4/SettingB-stop_sign_attack/pipeline/sensing_signals/adv_signals_with_CNN_adv_32.npy -------------------------------------------------------------------------------- /SettingB-stop_sign_attack/pipeline/sensing_signals/adv_signals_with_CNN_adv_4.npy: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AI-secure/Knowledge-Enhanced-Machine-Learning-Pipeline/8cda8102577c1203f5781844238b53626e68dac4/SettingB-stop_sign_attack/pipeline/sensing_signals/adv_signals_with_CNN_adv_4.npy -------------------------------------------------------------------------------- /SettingB-stop_sign_attack/pipeline/sensing_signals/adv_signals_with_CNN_adv_8.npy: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AI-secure/Knowledge-Enhanced-Machine-Learning-Pipeline/8cda8102577c1203f5781844238b53626e68dac4/SettingB-stop_sign_attack/pipeline/sensing_signals/adv_signals_with_CNN_adv_8.npy -------------------------------------------------------------------------------- /SettingB-stop_sign_attack/pipeline/sensing_signals/adv_signals_with_CNN_doa_5.npy: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AI-secure/Knowledge-Enhanced-Machine-Learning-Pipeline/8cda8102577c1203f5781844238b53626e68dac4/SettingB-stop_sign_attack/pipeline/sensing_signals/adv_signals_with_CNN_doa_5.npy -------------------------------------------------------------------------------- /SettingB-stop_sign_attack/pipeline/sensing_signals/adv_signals_with_CNN_doa_7.npy: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AI-secure/Knowledge-Enhanced-Machine-Learning-Pipeline/8cda8102577c1203f5781844238b53626e68dac4/SettingB-stop_sign_attack/pipeline/sensing_signals/adv_signals_with_CNN_doa_7.npy -------------------------------------------------------------------------------- /SettingB-stop_sign_attack/pipeline/sensing_signals/clean_signals_with_CNN.npy: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AI-secure/Knowledge-Enhanced-Machine-Learning-Pipeline/8cda8102577c1203f5781844238b53626e68dac4/SettingB-stop_sign_attack/pipeline/sensing_signals/clean_signals_with_CNN.npy -------------------------------------------------------------------------------- /SettingB-stop_sign_attack/pipeline/sensing_signals/clean_signals_with_CNN_adv_16.npy: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AI-secure/Knowledge-Enhanced-Machine-Learning-Pipeline/8cda8102577c1203f5781844238b53626e68dac4/SettingB-stop_sign_attack/pipeline/sensing_signals/clean_signals_with_CNN_adv_16.npy -------------------------------------------------------------------------------- /SettingB-stop_sign_attack/pipeline/sensing_signals/clean_signals_with_CNN_adv_32.npy: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AI-secure/Knowledge-Enhanced-Machine-Learning-Pipeline/8cda8102577c1203f5781844238b53626e68dac4/SettingB-stop_sign_attack/pipeline/sensing_signals/clean_signals_with_CNN_adv_32.npy -------------------------------------------------------------------------------- /SettingB-stop_sign_attack/pipeline/sensing_signals/clean_signals_with_CNN_adv_4.npy: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AI-secure/Knowledge-Enhanced-Machine-Learning-Pipeline/8cda8102577c1203f5781844238b53626e68dac4/SettingB-stop_sign_attack/pipeline/sensing_signals/clean_signals_with_CNN_adv_4.npy -------------------------------------------------------------------------------- /SettingB-stop_sign_attack/pipeline/sensing_signals/clean_signals_with_CNN_adv_8.npy: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AI-secure/Knowledge-Enhanced-Machine-Learning-Pipeline/8cda8102577c1203f5781844238b53626e68dac4/SettingB-stop_sign_attack/pipeline/sensing_signals/clean_signals_with_CNN_adv_8.npy -------------------------------------------------------------------------------- /SettingB-stop_sign_attack/pipeline/sensing_signals/clean_signals_with_CNN_doa_5.npy: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AI-secure/Knowledge-Enhanced-Machine-Learning-Pipeline/8cda8102577c1203f5781844238b53626e68dac4/SettingB-stop_sign_attack/pipeline/sensing_signals/clean_signals_with_CNN_doa_5.npy -------------------------------------------------------------------------------- /SettingB-stop_sign_attack/pipeline/sensing_signals/clean_signals_with_CNN_doa_7.npy: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AI-secure/Knowledge-Enhanced-Machine-Learning-Pipeline/8cda8102577c1203f5781844238b53626e68dac4/SettingB-stop_sign_attack/pipeline/sensing_signals/clean_signals_with_CNN_doa_7.npy -------------------------------------------------------------------------------- /SettingB-stop_sign_attack/pipeline/sensing_signals/sensor_map.json: -------------------------------------------------------------------------------- 1 | {"./sensor/border/type_0_con.ckpt": [[0, 1]], "./sensor/border/type_1_con.ckpt": [[1, 2]], "./sensor/border/type_2_con.ckpt": [[2, 3]], "./sensor/border/type_3_con.ckpt": [[3, 4]], "./sensor/content/class_4.ckpt": [[4, 5]], "./sensor/content/class_5.ckpt": [[5, 6]], "./sensor/border/type_5_con.ckpt": [[6, 7]], "./sensor/content/class_7.ckpt": [[7, 8]], "./sensor/content/digit.pth": [[8, 9], [10, 11], [11, 12]], "./sensor/border/type_7_con.ckpt": [[9, 10]], "./sensor/border/type_0_det.ckpt": [[0, 13]], "./sensor/border/type_1_det.ckpt": [[1, 14]], "./sensor/border/type_2_det.ckpt": [[2, 15]], "./sensor/border/type_3_det.ckpt": [[3, 16]], "./sensor/border/type_4_det.ckpt": [[4, 17], [5, 18]], "./sensor/border/type_5_det.ckpt": [[6, 19]], "./sensor/border/type_6_det.ckpt": [[7, 20], [8, 21], [10, 23], [11, 24]], "./sensor/border/type_7_det.ckpt": [[9, 22]]} -------------------------------------------------------------------------------- /SettingB-stop_sign_attack/pipeline/sensing_signals_data.py: -------------------------------------------------------------------------------- 1 | import numpy as np 2 | import torch 3 | 4 | class sensing_data: 5 | 6 | def __init__(self, train_data, test_data, batch_size=50): 7 | 8 | super().__init__() 9 | 10 | self.batch_size = batch_size 11 | 12 | if train_data is not None: 13 | self.vars_train = torch.FloatTensor( np.load(train_data[0]) ) 14 | self.gt_train = np.load(train_data[1]) 15 | self.num_train = len(self.gt_train) 16 | 17 | if test_data is not None: 18 | self.vars_test = torch.FloatTensor( np.load(test_data[0]) ) 19 | self.gt_test = np.load(test_data[1]) 20 | self.num_test = len(self.gt_test) 21 | self.test_batch_cnt = 0 22 | 23 | def random_train_batch(self): 24 | # Create a set of random indices. 25 | idx = np.random.choice(self.num_train,size=self.batch_size,replace=False) 26 | return self.vars_train[idx], self.gt_train[idx] 27 | 28 | def adv_random_train_batch(self): 29 | idx = np.random.choice(self.num_train,size=self.batch_size,replace=False) 30 | adv_var = torch.clone(self.vars_train[idx]) 31 | adv_var[:,0] = torch.randint(10,[self.batch_size]) 32 | return adv_var, self.gt_train[idx] 33 | 34 | def sequential_test_batch(self): 35 | if self.test_batch_cnt==-1: 36 | self.test_batch_cnt=0 37 | return None,None 38 | 39 | st = self.test_batch_cnt*self.batch_size 40 | ed = min(st+self.batch_size,self.num_test) 41 | 42 | vars_batch = self.vars_test[st:ed] 43 | gt_batch = self.gt_test[st:ed] 44 | 45 | if ed == self.num_test: 46 | self.test_batch_cnt=-1 47 | else: 48 | self.test_batch_cnt+=1 49 | 50 | return vars_batch, gt_batch 51 | 52 | -------------------------------------------------------------------------------- /SettingB-stop_sign_attack/pipeline/tools/eval.py: -------------------------------------------------------------------------------- 1 | import torch 2 | import numpy as np 3 | from pipeline import pipeline 4 | from sensing_signals_data import sensing_data 5 | import json 6 | import argparse 7 | 8 | parser = argparse.ArgumentParser() 9 | parser.add_argument('-main_sensor', type=str, default='CNN', help='selected main sensor for building KEMLP model') 10 | parser.add_argument('-alpha', type=str, default='0.4', choices=['0.0','0.1','0.2','0.3','0.4','0.5','0.6','0.7','0.8','0.9','1.0'],\ 11 | help='adversarial ratio, options = [0.0,0.1,0.2,0.3,0.4,0.5,0.6,0.7,0.8,0.9,1.0]') 12 | args = parser.parse_args() 13 | 14 | 15 | main_sensor = args.main_sensor 16 | alpha = args.alpha 17 | 18 | 19 | n_class = 12 20 | 21 | def test(model,data): 22 | 23 | num_each_class = np.zeros(n_class) 24 | correct_each_class = np.zeros(n_class) 25 | mis_from_A_to_B = np.zeros((n_class,n_class)) 26 | 27 | var, gt =data.sequential_test_batch() 28 | correct = 0 29 | tot = 0 30 | while var is not None: 31 | this_batch_size = len(gt) 32 | 33 | scores = model.inference(var) 34 | Y = torch.argmax(scores,dim=1) 35 | 36 | tot += this_batch_size 37 | for i in range(this_batch_size): 38 | num_each_class[gt[i]]+=1 39 | if Y[i] == gt[i]: 40 | correct+=1 41 | correct_each_class[gt[i]]+=1 42 | else: 43 | mis_from_A_to_B[gt[i]][Y[i]]+=1 44 | var, gt = data.sequential_test_batch() 45 | 46 | print('acc = %d/%d = %f' % (correct,tot,correct/tot)) 47 | 48 | 49 | batch_size = 40 50 | 51 | 52 | 53 | 54 | phases = ['clean', 'adv'] 55 | 56 | print('>>>> Main Sensor : %s\n\n' % main_sensor) 57 | 58 | for phase in phases: 59 | 60 | print('##### %s data #####' % phase) 61 | model = torch.load('./ckpt/graph_model_ratio=%s.ckpt' % alpha) 62 | 63 | sensing_signals_path = './sensing_signals/%s_signals_with_%s.npy' % (phase, main_sensor) 64 | gt_path = './sensing_signals/GT_stop_test.npy' 65 | 66 | data = sensing_data(batch_size=batch_size, train_data = None, test_data = [sensing_signals_path, gt_path],) 67 | test(model,data) 68 | print('---------------------------------------\n') -------------------------------------------------------------------------------- /SettingB-stop_sign_attack/pipeline/tools/gen_sensing_signals.py: -------------------------------------------------------------------------------- 1 | import numpy as np 2 | import torch 3 | import os 4 | import json 5 | from model import NEURAL,Model 6 | from var_generator import var_generator 7 | import argparse 8 | 9 | parser = argparse.ArgumentParser() 10 | parser.add_argument('-enable_cuda', type=bool, default=True, help='whether use cuda device') 11 | parser.add_argument('-gpu_id', type=int, default=0, help='id number of the gpu device') 12 | parser.add_argument('-main_sensor', type=str, default='CNN', help='selected main sensor for building KEMLP model') 13 | args = parser.parse_args() 14 | 15 | 16 | enable_cuda = args.enable_cuda 17 | gpu_id = args.gpu_id 18 | main_sensor = args.main_sensor 19 | 20 | signal_dir = 'sensing_signals/' 21 | if not os.path.exists(signal_dir): 22 | os.mkdir(signal_dir) 23 | 24 | if enable_cuda: 25 | device = torch.device('cuda:%d' % gpu_id) 26 | else: 27 | device = torch.device('cpu') 28 | 29 | main_sensor_list = { 30 | # standard CNN main sensor 31 | 'CNN' : './sensor/main/main.ckpt', 32 | # adversarially trained CNN main sensor 33 | 'CNN_adv_4' : './sensor/main/main_adv_4.ckpt', 34 | 'CNN_adv_8' : './sensor/main/main_adv_8.ckpt', 35 | 'CNN_adv_16' : './sensor/main/main_adv_16.ckpt', 36 | 'CNN_adv_32' : './sensor/main/main_adv_32.ckpt', 37 | # DOA trained CNN main sensor 38 | 'CNN_doa_5' : './sensor/main/main_doa_5.ckpt', 39 | 'CNN_doa_7' : './sensor/main/main_doa_7.ckpt' 40 | } 41 | 42 | if main_sensor not in main_sensor_list.keys(): 43 | print('Invalid main sensor. Supported main sensor types:') 44 | print(main_sensor_list.keys()) 45 | exit(0) 46 | else: 47 | main_sensor_name = main_sensor 48 | main_sensor = main_sensor_list[main_sensor] 49 | 50 | n_class = 12 51 | batch_size = 100 52 | 53 | 54 | ##### Sensors & Variables ################## 55 | digit_sensor = './sensor/content/digit.pth' 56 | 57 | con_sensors_for_class = { 58 | './sensor/border/type_0_con.ckpt' : [0], 59 | './sensor/border/type_1_con.ckpt' : [1], 60 | './sensor/border/type_2_con.ckpt' : [2], 61 | './sensor/border/type_3_con.ckpt' : [3], 62 | './sensor/content/class_4.ckpt' : [4], 63 | './sensor/content/class_5.ckpt' : [5], 64 | './sensor/border/type_5_con.ckpt' : [6], 65 | './sensor/content/class_7.ckpt' : [7], 66 | './sensor/content/digit.pth' : [8,10,11], # digit recognition model for speed-limit 50/20/120 67 | './sensor/border/type_7_con.ckpt' : [9] 68 | } 69 | 70 | det_sensors_for_class = { 71 | './sensor/border/type_0_det.ckpt' : [0], 72 | './sensor/border/type_1_det.ckpt' : [1], 73 | './sensor/border/type_2_det.ckpt' : [2], 74 | './sensor/border/type_3_det.ckpt' : [3], 75 | './sensor/border/type_4_det.ckpt' : [4,5], 76 | './sensor/border/type_5_det.ckpt' : [6], 77 | './sensor/border/type_6_det.ckpt' : [7,8,10,11], 78 | './sensor/border/type_7_det.ckpt' : [9] 79 | } 80 | 81 | aux_sensor_map = { # sensor_ckpt : [ (class_id, sensor_variable_id), ... ] 82 | './sensor/border/type_0_con.ckpt' : [], 83 | './sensor/border/type_1_con.ckpt' : [], 84 | './sensor/border/type_2_con.ckpt' : [], 85 | './sensor/border/type_3_con.ckpt' : [], 86 | './sensor/content/class_4.ckpt' : [], 87 | './sensor/content/class_5.ckpt' : [], 88 | './sensor/border/type_5_con.ckpt' : [], 89 | './sensor/content/class_7.ckpt' : [], 90 | './sensor/content/digit.pth' : [], 91 | './sensor/border/type_7_con.ckpt' : [], 92 | './sensor/border/type_0_det.ckpt' : [], 93 | './sensor/border/type_1_det.ckpt' : [], 94 | './sensor/border/type_2_det.ckpt' : [], 95 | './sensor/border/type_3_det.ckpt' : [], 96 | './sensor/border/type_4_det.ckpt' : [], 97 | './sensor/border/type_5_det.ckpt' : [], 98 | './sensor/border/type_6_det.ckpt' : [], 99 | './sensor/border/type_7_det.ckpt' : [] 100 | } 101 | 102 | 103 | cnt = 1 104 | 105 | for i in range(n_class): 106 | for item in con_sensors_for_class.keys(): 107 | if i in con_sensors_for_class[item]: # if sensor 'item' is for class-i, then create a variable for it. 108 | aux_sensor_map[item].append( (i,cnt) ) 109 | cnt+=1 110 | 111 | for i in range(n_class): 112 | for item in det_sensors_for_class.keys(): 113 | if i in det_sensors_for_class[item]: 114 | aux_sensor_map[item].append( (i,cnt) ) 115 | cnt+=1 116 | 117 | print('num_variable = %d' % cnt) 118 | 119 | with open(signal_dir+'sensor_map.json','w') as file_obj: 120 | json.dump(aux_sensor_map,file_obj) 121 | ####################################################### 122 | 123 | 124 | 125 | 126 | ############# data ########################################## 127 | 128 | phase_to_data = { # [GT, raw_img, border_img, content_img] 129 | # clean stop sign samples 130 | 'clean' : ['stop_sign_label.npy', 'stop_sign_X_test.npy', 'stop_sign_border_test.npy', 'stop_sign_content_test.npy'], 131 | # adversarial stop sign samples 132 | 'adv' : ['stop_sign_label.npy', 'stop_sign_adv_X_test.npy', 'stop_sign_adv_border_test.npy', 'stop_sign_adv_content_test.npy'] 133 | } 134 | 135 | phase_set = phase_to_data.keys() 136 | data_dir = '../data/data/' 137 | ############################################################# 138 | 139 | 140 | 141 | 142 | 143 | my_generator = var_generator(main_sensor_path=main_sensor, digit_sensor_path=digit_sensor, n_class = n_class,\ 144 | batch_size = batch_size, var_cnt=cnt, con_list = con_sensors_for_class.keys(), det_list = det_sensors_for_class.keys(),\ 145 | aux_list = aux_sensor_map, device = device) 146 | 147 | for phase in phase_to_data.keys(): 148 | 149 | print('------------------- phase : %s --------------------------' % phase) 150 | signal_list = phase_to_data[phase] 151 | for k,item in enumerate(signal_list): 152 | signal_list[k] = data_dir+item 153 | VARS = my_generator.gen_vars(signal_list) 154 | np.save(signal_dir + '%s_signals_with_%s.npy' % (phase, main_sensor_name),VARS) 155 | 156 | print('\n\n\n\n\n\n') -------------------------------------------------------------------------------- /SettingB-stop_sign_attack/raw/adv_train.py: -------------------------------------------------------------------------------- 1 | import torch 2 | from model import NEURAL 3 | from dataset import DataMain 4 | import time 5 | import argparse 6 | import os 7 | 8 | parser = argparse.ArgumentParser() 9 | parser.add_argument('-gpu_id', type=int, required=True, help='id number of the gpu device') 10 | parser.add_argument('-attack_eps', type=int, required=True, help='noise magnitude in adversarial training') 11 | args = parser.parse_args() 12 | 13 | gpu_id = args.gpu_id 14 | attack_eps = args.attack_eps 15 | 16 | device = torch.device('cuda:%d' % gpu_id if torch.cuda.is_available() else 'cpu') 17 | 18 | lr_rate = 0.01 19 | batch_size = 200 20 | n_iters = 3000 21 | main_sensor_path = '../pipeline/sensor/main/main.ckpt' 22 | 23 | ckpt_root = 'adv_train_%d_ckpt/' % attack_eps 24 | if not os.path.exists(ckpt_root): 25 | os.mkdir(ckpt_root) 26 | 27 | 28 | def pgd_attack_random(model, images, labels, eps=1, alpha=1, iters=40, randomize=True): 29 | """ Construct L_inf adversarial examples on the examples X """ 30 | model.eval() 31 | labels = labels.to(device) 32 | if randomize: 33 | delta = torch.rand_like(images, requires_grad=True).to(device) 34 | delta.data = delta.data * 2 * eps - eps 35 | delta.data = (delta.data + images ).clamp(-0.5,0.5)-(images) 36 | else: 37 | delta = torch.zeros_like(images, requires_grad=True).to(device) 38 | 39 | images = images.clone().to(device) 40 | for t in range(iters): 41 | loss = torch.nn.CrossEntropyLoss()(model(images + delta ), labels) 42 | loss.backward() 43 | 44 | delta.data = (delta + alpha*delta.grad.detach().sign()).clamp(-eps,eps) 45 | delta.data = (delta.data + images ).clamp(-0.5,0.5)-(images) 46 | delta.grad.zero_() 47 | 48 | return (delta+images).detach() 49 | 50 | 51 | def test(data,model): 52 | 53 | correct_adv = 0 54 | correct = 0 55 | tot = 0 56 | X,GT = data.sequential_val_batch() 57 | while X is not None: 58 | 59 | X = X.to(device) 60 | X_adv = pgd_attack_random(model, X, GT, eps=attack_eps/255.0, alpha=1/255, iters=40, randomize=True) 61 | #pgd_attack(model,X,GT,eps=attack_eps/255.0,alpha=1/255,iters=40) 62 | 63 | Y = model(X) 64 | Y = torch.argmax(Y,dim=1) 65 | 66 | Y_adv = model(X_adv) 67 | Y_adv = torch.argmax(Y_adv,dim=1) 68 | 69 | this_batch_size = len(Y) 70 | 71 | for i in range(this_batch_size): 72 | tot+=1 73 | if GT[i] == Y[i]: 74 | correct+=1 75 | if GT[i] == Y_adv[i]: 76 | correct_adv+=1 77 | X,GT = data.sequential_val_batch() 78 | 79 | print('acc = %d/%d, adv_acc = %d/%d' % (correct,tot, correct_adv,tot)) 80 | 81 | return correct_adv/tot 82 | 83 | 84 | 85 | 86 | 87 | print('[Data] Preparing .... ') 88 | data = DataMain(batch_size=batch_size) 89 | data.data_set_up(istrain=True) 90 | data.greeting() 91 | print('[Data] Done .... ') 92 | 93 | 94 | print('[Model] Preparing .... ') 95 | model = NEURAL(n_class=43,n_channel=3) 96 | ckpt = torch.load(main_sensor_path,map_location = 'cpu') 97 | model.load_state_dict(ckpt) 98 | model = model.to(device) 99 | model.eval() 100 | adv_acc = test(data,model) 101 | print('[Load successfully] initial adv accuracy = %f' % adv_acc) 102 | print('[Model] Done .... ') 103 | 104 | 105 | if attack_eps >= 16: 106 | lr_rate = 0.002 107 | batch_size = 200 108 | #batch_size//=2 109 | 110 | 111 | loss_f = torch.nn.CrossEntropyLoss() 112 | optimizer = torch.optim.SGD(model.parameters(), lr=lr_rate, momentum=0.9, weight_decay = 1e-4) 113 | 114 | st = time.time() 115 | 116 | model.train() 117 | max_acc = 0 118 | save_n = 0 119 | stable_iter = 0 120 | 121 | print('[Training] Starting ...') 122 | for i in range(n_iters): 123 | 124 | X,GT = data.random_train_batch() 125 | 126 | X = X.to(device) 127 | GT = GT.to(device) 128 | 129 | # PGD attack for adversarial training 130 | X_adv = pgd_attack_random(model, X, GT, eps=attack_eps/255.0, alpha=1/255, iters=20, randomize=True) 131 | 132 | 133 | Y = model(X_adv) 134 | loss = loss_f(Y,GT) 135 | 136 | optimizer.zero_grad() 137 | loss.backward() 138 | optimizer.step() 139 | now = (time.time() - st) / 60.0 140 | 141 | if (i+1) % 10 ==0: 142 | print('[process: %d/%d] Loss = %f' % (i+1,n_iters,loss)) 143 | 144 | if (i+1) % 1000 == 0 : 145 | print(' ### Eval ###') 146 | print('Time = %f minutes, Iter = %d/%d, Loss = %f' % (now,i+1,n_iters,loss)) 147 | model.eval() 148 | 149 | score = test(data,model) 150 | 151 | if score>max_acc: 152 | print('[save]..') 153 | max_acc = score 154 | stable_iter = 0 155 | torch.save(model.state_dict(), ckpt_root+'model_' + str(save_n) + '_adv_acc=%f.ckpt'%(score)) 156 | save_n+=1 157 | else: 158 | stable_iter += 1 159 | if stable_iter == 10: 160 | print('Stable ... Training END ..') 161 | break 162 | model.train() 163 | 164 | print('[Training] Done ...') 165 | -------------------------------------------------------------------------------- /SettingB-stop_sign_attack/raw/dataset.py: -------------------------------------------------------------------------------- 1 | import os 2 | import math 3 | import cv2 4 | import numpy as np 5 | import torch 6 | import pickle 7 | 8 | class DataMain: 9 | 10 | def __init__(self,batch_size = 50, n_class=2, n_each=5, ang_rot=10,trans_rot=2,shear_rot=2): 11 | 12 | super().__init__() 13 | 14 | ang_rot,trans_rot,shear_rot 15 | self.batch_size = batch_size 16 | self.n_class = n_class 17 | self.n_each = n_each 18 | self.ang_rot = ang_rot 19 | self.trans_rot = trans_rot 20 | self.shear_rot = shear_rot 21 | 22 | ############################### Load data ################################### 23 | self.X_train = np.load('../data/data/raw_feature_train.npy') 24 | self.y_train = np.load('../data/data/raw_label_train.npy') 25 | 26 | self.X_test = np.load('../data/data/raw_feature_test.npy') 27 | self.y_test = np.load('../data/data/raw_label_test.npy') 28 | self.X_test = np.array([self.pre_process_image(self.X_test[i]) for i in range(len(self.X_test))],dtype = np.float32) 29 | self.y_test = np.array(self.y_test,dtype=np.long) 30 | 31 | self.X_val = np.load('../data/data/raw_feature_val.npy') 32 | self.y_val = np.load('../data/data/raw_label_val.npy') 33 | self.X_val = np.array([self.pre_process_image(self.X_val[i]) for i in range(len(self.X_val))],dtype = np.float32) 34 | self.y_val = np.array(self.y_val,dtype=np.long) 35 | 36 | self.test_batch_cnt = 0 37 | self.val_batch_cnt = 0 38 | self.train_batch_cnt = 0 39 | ############################################################################## 40 | 41 | def pre_process_image(self,image): 42 | image = image/255.-.5 43 | return image 44 | 45 | def transform_image(self,image,ang_range,shear_range,trans_range): 46 | # Random rotation & translation & shear for data augmentation 47 | 48 | # Rotation 49 | ang_rot = np.random.uniform(ang_range)-ang_range/2 50 | rows,cols,ch = image.shape 51 | Rot_M = cv2.getRotationMatrix2D((cols/2,rows/2),ang_rot,1) 52 | 53 | # Translation 54 | tr_x = trans_range*np.random.uniform()-trans_range/2 55 | tr_y = trans_range*np.random.uniform()-trans_range/2 56 | Trans_M = np.float32([[1,0,tr_x],[0,1,tr_y]]) 57 | 58 | # Shear 59 | pts1 = np.float32([[5,5],[20,5],[5,20]]) 60 | pt1 = 5+shear_range*np.random.uniform()-shear_range/2 61 | pt2 = 20+shear_range*np.random.uniform()-shear_range/2 62 | pts2 = np.float32([[pt1,5],[pt2,pt1],[5,pt2]]) 63 | shear_M = cv2.getAffineTransform(pts1,pts2) 64 | 65 | image = cv2.warpAffine(image,Rot_M,(cols,rows)) 66 | image = cv2.warpAffine(image,Trans_M,(cols,rows)) 67 | image = cv2.warpAffine(image,shear_M,(cols,rows)) 68 | image = self.pre_process_image(image) 69 | return image 70 | 71 | def get_index_dict(self,y_train): 72 | # Returns image indices of each class 73 | # Assumes that the labels are 0 to N-1 74 | dict_indices = {} 75 | ind_all = np.arange(len(y_train)) 76 | 77 | for i in range(len(np.unique(y_train))): 78 | ind_i = ind_all[y_train == i] 79 | dict_indices[i] = ind_i 80 | return dict_indices 81 | 82 | def gen_extra_data(self,X_train,y_train,N_classes,n_each,ang_range,shear_range,trans_range,randomize_Var): 83 | # Augment the whole data set, each sample is repeated for n_each time. 84 | dict_indices = self.get_index_dict(y_train) 85 | n_class = len(np.unique(y_train)) 86 | 87 | X_arr = [] 88 | Y_arr = [] 89 | n_train = len(X_train) 90 | 91 | for i in range(n_train): 92 | for i_n in range(n_each): 93 | img_trf = self.transform_image(X_train[i], 94 | ang_range,shear_range,trans_range) 95 | X_arr.append(img_trf) 96 | Y_arr.append(y_train[i]) 97 | 98 | X_arr = np.array(X_arr,dtype = np.float32()) 99 | Y_arr = np.array(Y_arr,dtype = np.long) 100 | 101 | if (randomize_Var == 1): # shuffle the dataset 102 | random_state = np.random.get_state() 103 | np.random.shuffle(X_arr) 104 | np.random.set_state(random_state) 105 | np.random.shuffle(Y_arr) 106 | 107 | X_arr = torch.FloatTensor(X_arr) 108 | Y_arr = torch.LongTensor(Y_arr) 109 | 110 | return X_arr,Y_arr 111 | 112 | def data_set_up(self,istrain=True): 113 | if istrain: 114 | self.image_train_aug, self.y_train_aug = \ 115 | self.gen_extra_data(self.X_train,self.y_train,self.n_class,self.n_each,\ 116 | self.ang_rot,self.trans_rot,self.shear_rot,1) 117 | 118 | self.image_train_aug = self.image_train_aug.permute(0,3,1,2) 119 | else: 120 | #self.X_train = np.array([self.pre_process_image(self.X_train[i]) for i in range(len(self.X_train))],dtype = np.float32) 121 | self.X_train = np.array([self.pre_process_image(self.X_train[i]) for i in range(len(self.X_train))],dtype = np.float32) 122 | self.y_train = np.array(self.y_train,dtype=np.long) 123 | 124 | self.X_train = torch.FloatTensor(self.X_train) 125 | self.X_train = self.X_train.permute(0,3,1,2) 126 | self.y_train = torch.LongTensor(self.y_train) 127 | 128 | 129 | 130 | self.X_test = torch.FloatTensor(self.X_test) 131 | self.X_test = self.X_test.permute(0,3,1,2) 132 | self.y_test = torch.LongTensor(self.y_test) 133 | 134 | self.X_val = torch.FloatTensor(self.X_val) 135 | self.X_val = self.X_val.permute(0,3,1,2) 136 | self.y_val = torch.LongTensor(self.y_val) 137 | 138 | 139 | 140 | def random_train_batch(self): 141 | 142 | # Number of images in the training-set. 143 | num_images = len(self.image_train_aug) 144 | # Create a set of random indices. 145 | idx = np.random.choice(num_images,size=self.batch_size,replace=False) 146 | 147 | # Use the random index to select random images and labels. 148 | features_batch = self.image_train_aug[idx, :,:,:] 149 | labels_batch = self.y_train_aug[idx] 150 | 151 | return features_batch, labels_batch 152 | 153 | def random_test_batch(self): 154 | 155 | num_images = len(self.X_test) 156 | idx = np.random.choice(num_images,size=10000,replace=False) 157 | 158 | features_batch = self.X_test[idx, :,:,:] 159 | labels_batch = self.y_test[idx] 160 | 161 | return features_batch, labels_batch 162 | 163 | def sequential_test_batch(self): 164 | num_images = len(self.X_test) 165 | if self.test_batch_cnt==-1: 166 | self.test_batch_cnt = 0 167 | return None,None 168 | else: 169 | st = self.test_batch_cnt*self.batch_size 170 | ed = min(st+self.batch_size,num_images) 171 | if ed == num_images: 172 | self.test_batch_cnt=-1 173 | else: 174 | self.test_batch_cnt+=1 175 | return self.X_test[st:ed,:,:,:], self.y_test[st:ed] 176 | 177 | def sequential_val_batch(self): 178 | num_images = len(self.X_val) 179 | if self.val_batch_cnt==-1: 180 | self.val_batch_cnt = 0 181 | return None,None 182 | else: 183 | st = self.val_batch_cnt*self.batch_size 184 | ed = min(st+self.batch_size,num_images) 185 | if ed == num_images: 186 | self.val_batch_cnt=-1 187 | else: 188 | self.val_batch_cnt+=1 189 | return self.X_val[st:ed,:,:,:], self.y_val[st:ed] 190 | 191 | def sequential_train_batch(self): 192 | num_images = len(self.X_train) 193 | if self.train_batch_cnt==-1: 194 | self.train_batch_cnt = 0 195 | return None,None 196 | else: 197 | st = self.train_batch_cnt*self.batch_size 198 | ed = min(st+self.batch_size,num_images) 199 | if ed == num_images: 200 | self.train_batch_cnt=-1 201 | else: 202 | self.train_batch_cnt+=1 203 | return self.X_train[st:ed,:,:,:], self.y_train[st:ed] 204 | 205 | 206 | def greeting(self): 207 | print("****************** raw data *******************") 208 | -------------------------------------------------------------------------------- /SettingB-stop_sign_attack/raw/doa_train.py: -------------------------------------------------------------------------------- 1 | import torch 2 | from model import NEURAL 3 | from dataset import DataMain 4 | import time 5 | import argparse 6 | import os 7 | import ROA 8 | 9 | parser = argparse.ArgumentParser() 10 | parser.add_argument('-gpu_id', type=int, required=True, help='id number of the gpu device') 11 | parser.add_argument('-patch_size', type=int, required=True, help='noise magnitude in adversarial training') 12 | parser.add_argument('-train_id', type=int, required=True, help='id of training task') 13 | args = parser.parse_args() 14 | 15 | 16 | gpu_id = args.gpu_id 17 | patch_size = args.patch_size 18 | train_id = args.train_id 19 | 20 | print('gpu-id : ', gpu_id) 21 | print('patch_size : ', patch_size) 22 | print('train-id : ', train_id) 23 | 24 | 25 | device = torch.device('cuda:%d' % gpu_id if torch.cuda.is_available() else 'cpu') 26 | 27 | lr_rate = 0.01 28 | batch_size = 200 29 | n_iters = 5000 30 | main_sensor_path = '../pipeline/sensor/main/main.ckpt' 31 | 32 | ckpt_root = 'adv_train_doa_%dx%d_ckpt_%d/' % (patch_size,patch_size,train_id) 33 | if not os.path.exists(ckpt_root): 34 | os.mkdir(ckpt_root) 35 | 36 | print('saving path :',ckpt_root) 37 | 38 | 39 | def test(data,model,attacker): 40 | 41 | correct_adv = 0 42 | correct = 0 43 | tot = 0 44 | X,GT = data.sequential_val_batch() 45 | while X is not None: 46 | 47 | X = X.to(device) 48 | GT = GT.to(device) 49 | 50 | X_adv = attacker.exhaustive_search(X,GT,0.05,30,patch_size,patch_size,2,2,False) 51 | 52 | Y = model(X) 53 | Y = torch.argmax(Y,dim=1) 54 | 55 | Y_adv = model(X_adv) 56 | Y_adv = torch.argmax(Y_adv,dim=1) 57 | 58 | this_batch_size = len(Y) 59 | 60 | for i in range(this_batch_size): 61 | tot+=1 62 | if GT[i] == Y[i]: 63 | correct+=1 64 | if GT[i] == Y_adv[i]: 65 | correct_adv+=1 66 | X,GT = data.sequential_val_batch() 67 | 68 | print('acc = %d/%d, adv_acc = %d/%d' % (correct,tot, correct_adv,tot)) 69 | 70 | return correct_adv/tot 71 | 72 | 73 | 74 | 75 | 76 | print('[Data] Preparing .... ') 77 | data = DataMain(batch_size=batch_size) 78 | data.data_set_up(istrain=True) 79 | data.greeting() 80 | print('[Data] Done .... ') 81 | 82 | 83 | print('[Model] Preparing .... ') 84 | print('start from : ', main_sensor_path) 85 | model = NEURAL(n_class=43,n_channel=3) 86 | ckpt = torch.load(main_sensor_path,map_location = 'cpu') 87 | model.load_state_dict(ckpt) 88 | model = model.to(device) 89 | model.eval() 90 | attacker = ROA.ROA(base_classifier=model,size=32,device=device) 91 | adv_acc = test(data,model,attacker) 92 | print('[Load successfully] initial adv accuracy = %f' % adv_acc) 93 | print('[Model] Done .... ') 94 | 95 | 96 | 97 | 98 | loss_f = torch.nn.CrossEntropyLoss() 99 | optimizer = torch.optim.SGD(model.parameters(), lr=lr_rate, momentum=0.9, weight_decay = 1e-4) 100 | 101 | st = time.time() 102 | 103 | model.train() 104 | max_acc = 0 105 | save_n = 0 106 | stable_iter = 0 107 | 108 | 109 | print('[Training] Starting ...') 110 | for i in range(n_iters): 111 | 112 | X,GT = data.random_train_batch() 113 | 114 | X = X.to(device) 115 | GT = GT.to(device) 116 | 117 | X_adv = attacker.exhaustive_search(X,GT,0.05,30,patch_size,patch_size,2,2,False) 118 | 119 | X_adv = torch.cat([X_adv,X],dim=0) 120 | GT = torch.cat([GT,GT],dim=0) 121 | 122 | model.train() 123 | 124 | Y = model(X_adv) 125 | loss = loss_f(Y,GT) 126 | 127 | optimizer.zero_grad() 128 | loss.backward() 129 | optimizer.step() 130 | now = (time.time() - st) / 60.0 131 | 132 | if (i+1) % 10 ==0: 133 | print('[process: %d/%d] loss = %f' % (i+1,n_iters,loss)) 134 | 135 | if (i+1) % 1000 == 0 : 136 | print(' ### Eval ###') 137 | print('Time = %f minutes, Iter = %d/%d, Loss = %f' % (now,i+1,n_iters,loss)) 138 | model.eval() 139 | 140 | score = test(data,model,attacker) 141 | 142 | if score>max_acc: 143 | print('[save]..') 144 | max_acc = score 145 | stable_iter = 0 146 | torch.save(model.state_dict(), ckpt_root+'model_' + str(save_n) + '_adv_acc=%f.ckpt'%(score)) 147 | save_n+=1 148 | else: 149 | stable_iter += 1 150 | if stable_iter == 10: 151 | print('Stable ... Training END ..') 152 | break 153 | model.train() 154 | 155 | 156 | print('[Training] Done ...') -------------------------------------------------------------------------------- /SettingB-stop_sign_attack/raw/model.py: -------------------------------------------------------------------------------- 1 | import torch 2 | from torch import nn 3 | 4 | class NEURAL(nn.Module): # end-to-end neural classifier 5 | 6 | def __init__(self,n_class,n_channel): 7 | 8 | super(NEURAL,self).__init__() 9 | 10 | ########################### Learn a color transform ########################### 11 | self.conv0 = nn.Sequential( 12 | nn.Conv2d(n_channel,3,1), #input_size=(n_channel*32*32) 13 | nn.ReLU() 14 | ) # output_size=(3*32*32) 15 | 16 | ########################### Level-1 ########################### 17 | self.conv1 = nn.Sequential( 18 | nn.Conv2d(3,32,5,1,2), #input_size=(3*32*32) 19 | nn.ReLU() 20 | ) # output_size=(32*32*32) 21 | 22 | self.conv2 = nn.Sequential( 23 | nn.Conv2d(32,32,5,1,2), #input_size=(32*32*32) 24 | nn.ReLU(), 25 | nn.MaxPool2d(kernel_size = 2,stride = 2) 26 | ) # output_size=(32*16*16) 27 | 28 | ########################### Level-2 ########################### 29 | self.conv3 = nn.Sequential( 30 | nn.Conv2d(32,64,3,1,1), #input_size=(32*16*16) 31 | nn.ReLU() 32 | ) # output_size=(64*16*16) 33 | 34 | self.conv4 = nn.Sequential( 35 | nn.Conv2d(64,64,3,1,1), #input_size=(64*16*16) 36 | nn.ReLU(), 37 | nn.MaxPool2d(kernel_size = 2,stride = 2) 38 | ) # output_size=(64*8*8) 39 | 40 | ########################### Level-3 ########################### 41 | self.conv5 = nn.Sequential( 42 | nn.Conv2d(64,128,3,1,1), #input_size=(64*8*8) 43 | nn.ReLU() 44 | ) # output_size=(128*8*8) 45 | 46 | self.conv6 = nn.Sequential( 47 | nn.Conv2d(128,128,3,1,1), #input_size=(128*8*8) 48 | nn.ReLU(), 49 | nn.MaxPool2d(kernel_size = 2,stride = 2) 50 | ) # output_size=(128*4*4) 51 | 52 | 53 | # num_fc = 32*16*16 + 64*8*8 + 128*4*4 = 14336 54 | self.fc1 = nn.Sequential( 55 | nn.Linear(14336,1024), 56 | nn.ReLU() 57 | ) 58 | self.fc2 = nn.Sequential( 59 | nn.Linear(1024,1024), 60 | nn.ReLU() 61 | ) 62 | self.fc3 = nn.Linear(1024,n_class) 63 | 64 | self.dropout = nn.Dropout(p=0.5) 65 | 66 | def forward(self,x): 67 | x = self.conv0(x) # Color Transform 68 | 69 | ## Scale 1 70 | x = self.conv1(x) 71 | x = self.conv2(x) 72 | x = self.dropout(x) 73 | scale_1 = x.view(x.size(0), -1) 74 | 75 | ## Scale 2 76 | x = self.conv3(x) 77 | x = self.conv4(x) 78 | x = self.dropout(x) 79 | scale_2 = x.view(x.size(0), -1) 80 | 81 | ## Scale 3 82 | x = self.conv5(x) 83 | x = self.conv6(x) 84 | x = self.dropout(x) 85 | scale_3 = x.view(x.size(0), -1) 86 | 87 | ###### FC ######################## 88 | embedding = torch.cat( (scale_1,scale_2,scale_3), dim = 1) 89 | 90 | x = self.fc1(embedding) 91 | x = self.dropout(x) 92 | 93 | x = self.fc2(x) 94 | x = self.dropout(x) 95 | 96 | x = self.fc3(x) 97 | return x 98 | -------------------------------------------------------------------------------- /SettingB-stop_sign_attack/readme.md: -------------------------------------------------------------------------------- 1 | # Setting-B : Stop Sign Attack 2 | 3 | This directory contains the code for evaluating our KEMLP framework against **physically implementable stop sign attack**. ([[1]](#ref-1),[[2]](#ref-2)) 4 | 5 | 6 | 7 | (**left:** the attacked stop sign sample; **middle:** the extracted border information from the attacked sample; **right:** the extracted content information from the attacked sample) 8 | 9 | To be consistent with [[1]](#ref-1), we use the same dataset (a modified version of GTSRB dataset where the German stop signs are replaced with US stop signs from LISA dataset), GTSRB-CNN model (the same architecture and the same parameters), stop sign samples, and adversarial stickers from [[1]](#ref-1). 10 | 11 |

12 | 13 | ## Reimplement the table 14 | 15 | image-20210211193002455 16 | 17 | ```bash 18 | cd pipeline 19 | python reimplement_table.py 20 | ``` 21 | 22 |

23 | 24 | ## Reference 25 | 26 | [1] Eykholt, Kevin, et al. "Robust physical-world attacks on deep learning visual classification." *Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition*. 2018. 27 | 28 | [2] Wu, Tong, Liang Tong, and Yevgeniy Vorobeychik. "Defending against physically realizable attacks on image classification." *arXiv preprint arXiv:1909.09552* (2019). 29 | 30 | -------------------------------------------------------------------------------- /readme.md: -------------------------------------------------------------------------------- 1 | # Code Repository for Knowledge Enhanced Machine Learning Pipeline against Diverse Adversarial Attacks 2 | 3 | * Complete repository with full data and pretrained models : 4 | 5 | https://www.dropbox.com/sh/4xxz10xxi0o5kjb/AAAhkYrCtHWD-huP3D_FCK1Ga?dl=0 6 | 7 | * Evaluation against $\mathcal{L}_\infty$, unforeseen attacks and common corruptions : `./SettingA-linf,unforeseen,corruptions` 8 | 9 | * Setup 10 | 11 | * Download `./SettingA-linf,unforeseen,corruptions/data/data` from the dropbox directory, which contains all the clean data, pregenerated adversarial examples, preporcessed sensory information. 12 | 13 | * Download `./SettingA-linf,unforeseen,corruptions/pipeline/sensor` from the dropbox directory, which contains all the sensors (submodels) for KEMLP (SettingA). 14 | 15 | * Reimplement tables : Please refer to `./SettingA-linf,unforeseen,corruptions/readme.md` 16 | 17 | * Evaluation against physical stop sign attack : `./SettingB-stop_sign_attack` 18 | 19 | * Setup 20 | * Download `./SettingB-stop_sign_attack/data/data` from the dropbox directory, which contains all the clean data, pregenerated adversarial examples, preporcessed sensory information. 21 | * Download `./SettingB-stop_sign_attack/pipeline/sensor` from the dropbox directory, which contains all the sensors (submodels) for KEMLP (SettingB). 22 | * Reimplement tables : Please refer to `./SettingB-stop_sign_attack/readme.md` 23 | 24 | * Environment Dependency 25 | 26 | * python 3.6 27 | * pytorch 1.7.0 28 | * cv2 --------------------------------------------------------------------------------