├── Algorithms ├── AdversarialSaliencyMaps ├── README.md ├── cw_attack.py ├── cw_detection.py ├── fast_gradient.py ├── fgsm_detection.py └── fgsm_mnist_pca.py ├── Papers ├── 000.Machine Learning in Adversarial Settings-PPT.pdf ├── 1400.Evasion attacks against machine learning at test time.pdf └── README.md ├── README.md └── dataset └── README.md /Algorithms/AdversarialSaliencyMaps: -------------------------------------------------------------------------------- 1 | Test for adversarial saliency maps 2 | -------------------------------------------------------------------------------- /Algorithms/README.md: -------------------------------------------------------------------------------- 1 | ## This file provides some examples code to generate adversarial examples and some defend methds, but some codes are not complished. 2 | ### fgsm attack 3 | ### cw attack 4 | ### Adversarial examples detection test 5 | -------------------------------------------------------------------------------- /Algorithms/cw_attack.py: -------------------------------------------------------------------------------- 1 | import tensorflow as tf 2 | 3 | 4 | __all__ = ['cw'] 5 | 6 | 7 | def cw(model, x, y=None, eps=1.0, ord_=2, T=2, 8 | optimizer=tf.train.AdamOptimizer(learning_rate=0.1), alpha=0.9, 9 | min_prob=0, clip=(0.0, 1.0)): 10 | 11 | xshape = x.get_shape().as_list() 12 | noise = tf.get_variable('noise', xshape, tf.float32, 13 | initializer=tf.initializers.zeros) 14 | 15 | # scale input to (0, 1) 16 | x_scaled = (x - clip[0]) / (clip[1] - clip[0]) 17 | 18 | # change to sigmoid-space, clip to avoid overflow. 19 | z = tf.clip_by_value(x_scaled, 1e-8, 1-1e-8) 20 | xinv = tf.log(z / (1 - z)) / T 21 | 22 | # add noise in sigmoid-space and map back to input domain 23 | xadv = tf.sigmoid(T * (xinv + noise)) 24 | xadv = xadv * (clip[1] - clip[0]) + clip[0] 25 | 26 | ybar, logits = model(xadv, logits=True) 27 | ydim = ybar.get_shape().as_list()[1] 28 | 29 | if y is not None: 30 | y = tf.cond(tf.equal(tf.rank(y), 0), 31 | lambda: tf.fill([xshape[0]], y), 32 | lambda: tf.identity(y)) 33 | else: 34 | # we set target to the least-likely label 35 | y = tf.argmin(ybar, axis=1, output_type=tf.int32) 36 | 37 | mask = tf.one_hot(y, ydim, on_value=0.0, off_value=float('inf')) 38 | yt = tf.reduce_max(logits - mask, axis=1) 39 | yo = tf.reduce_max(logits, axis=1) 40 | 41 | # encourage to classify to a wrong category 42 | loss0 = tf.nn.relu(yo - yt + min_prob) 43 | 44 | axis = list(range(1, len(xshape))) 45 | ord_ = float(ord_) 46 | 47 | # make sure the adversarial images are visually close 48 | if 2 == ord_: 49 | # CW-L2 Original paper uses the reduce_sum version. These two 50 | # implementation does not differ much. 51 | 52 | # loss1 = tf.reduce_sum(tf.square(xadv-x), axis=axis) 53 | loss1 = tf.reduce_mean(tf.square(xadv-x)) 54 | else: 55 | # CW-Linf 56 | tau0 = tf.fill([xshape[0]] + [1]*len(axis), clip[1]) 57 | tau = tf.get_variable('cw8-noise-upperbound', dtype=tf.float32, 58 | initializer=tau0, trainable=False) 59 | diff = xadv - x - tau 60 | 61 | # if all values are smaller than the upper bound value tau, we reduce 62 | # this value via tau*0.9 to make sure L-inf does not get stuck. 63 | tau = alpha * tf.to_float(tf.reduce_all(diff < 0, axis=axis)) 64 | loss1 = tf.nn.relu(tf.reduce_sum(diff, axis=axis)) 65 | 66 | loss = eps*loss0 + loss1 67 | train_op = optimizer.minimize(loss, var_list=[noise]) 68 | 69 | # We may need to update tau after each iteration. Refer to the CW-Linf 70 | # section in the original paper. 71 | if 2 != ord_: 72 | train_op = tf.group(train_op, tau) 73 | 74 | return train_op, xadv, noise 75 | -------------------------------------------------------------------------------- /Algorithms/cw_detection.py: -------------------------------------------------------------------------------- 1 | import os 2 | from timeit import default_timer 3 | 4 | import numpy as np 5 | 6 | import matplotlib 7 | #matplotlib.use('Agg') # noqa: E402 8 | import matplotlib.pyplot as plt 9 | import matplotlib.gridspec as gridspec 10 | import keras 11 | from sklearn import decomposition 12 | 13 | import tensorflow as tf 14 | 15 | from cw_attack import cw 16 | 17 | 18 | os.environ['TF_CPP_MIN_LOG_LEVEL'] = '3' 19 | 20 | 21 | img_size = 28 22 | img_chan = 1 23 | n_classes = 10 24 | batch_size = 32 25 | ###################################### 26 | 27 | 28 | class Timer(object): 29 | def __init__(self, msg='Starting.....', timer=default_timer, factor=1, 30 | fmt="------- elapsed {:.4f}s --------"): 31 | self.timer = timer 32 | self.factor = factor 33 | self.fmt = fmt 34 | self.end = None 35 | self.msg = msg 36 | 37 | def __call__(self): 38 | """ 39 | Return the current time 40 | """ 41 | return self.timer() 42 | 43 | def __enter__(self): 44 | """ 45 | Set the start time 46 | """ 47 | #print(self.msg) 48 | self.start = self() 49 | return self 50 | 51 | def __exit__(self, exc_type, exc_value, exc_traceback): 52 | """ 53 | Set the end time 54 | """ 55 | self.end = self() 56 | #print(str(self)) 57 | 58 | def __repr__(self): 59 | return self.fmt.format(self.elapsed) 60 | 61 | @property 62 | def elapsed(self): 63 | if self.end is None: 64 | # if elapsed is called in the context manager scope 65 | return (self() - self.start) * self.factor 66 | else: 67 | # if elapsed is called out of the context manager scope 68 | return (self.end - self.start) * self.factor 69 | 70 | 71 | print('\nLoading MNIST') 72 | 73 | mnist = tf.keras.datasets.mnist 74 | (X_train, y_train), (X_test, y_test) = mnist.load_data() 75 | X_train = np.reshape(X_train, [-1, img_size, img_size, img_chan]) 76 | X_train = X_train.astype(np.float32) / 255 77 | X_test = np.reshape(X_test, [-1, img_size, img_size, img_chan]) 78 | X_test = X_test.astype(np.float32) / 255 79 | 80 | to_categorical = tf.keras.utils.to_categorical 81 | y_train = to_categorical(y_train) 82 | y_test = to_categorical(y_test) 83 | 84 | print('\nSpliting data') 85 | 86 | ind = np.random.permutation(X_train.shape[0]) 87 | X_train, y_train = X_train[ind], y_train[ind] 88 | 89 | VALIDATION_SPLIT = 0.1 90 | n = int(X_train.shape[0] * (1-VALIDATION_SPLIT)) 91 | X_valid = X_train[n:] 92 | X_train = X_train[:n] 93 | y_valid = y_train[n:] 94 | y_train = y_train[:n] 95 | 96 | 97 | 98 | # It takes a while to run through the full dataset, thus, we demo the result 99 | # through a smaller dataset. We could actually find the best parameter 100 | # configuration on a smaller dataset, and then apply to the full dataset. 101 | n_sample = 10000 102 | ind = np.random.choice(X_test.shape[0], size=n_sample, replace=False) 103 | X_test = X_test[ind] 104 | y_test = y_test[ind] 105 | 106 | 107 | print('\nConstruction graph') 108 | 109 | 110 | def model(x, logits=False, training=False): 111 | with tf.variable_scope('conv0'): 112 | z = tf.layers.conv2d(x, filters=32, kernel_size=[3, 3], 113 | padding='same', activation=tf.nn.relu) 114 | z = tf.layers.max_pooling2d(z, pool_size=[2, 2], strides=2) 115 | 116 | with tf.variable_scope('conv1'): 117 | z = tf.layers.conv2d(z, filters=64, kernel_size=[3, 3], 118 | padding='same', activation=tf.nn.relu) 119 | z = tf.layers.max_pooling2d(z, pool_size=[2, 2], strides=2) 120 | 121 | with tf.variable_scope('flatten'): 122 | shape = z.get_shape().as_list() 123 | z = tf.reshape(z, [-1, np.prod(shape[1:])]) 124 | 125 | with tf.variable_scope('mlp'): 126 | z = tf.layers.dense(z, units=128, activation=tf.nn.relu) 127 | z = tf.layers.dropout(z, rate=0.25, training=training) 128 | 129 | logits_ = tf.layers.dense(z, units=10, name='logits') 130 | y = tf.nn.softmax(logits_, name='ybar') 131 | 132 | if logits: 133 | return y, logits_ 134 | return y 135 | 136 | 137 | class Dummy: 138 | pass 139 | 140 | 141 | env = Dummy() 142 | 143 | 144 | with tf.variable_scope('model', reuse=tf.AUTO_REUSE): 145 | env.x = tf.placeholder(tf.float32, (None, img_size, img_size, img_chan), 146 | name='x') 147 | env.y = tf.placeholder(tf.float32, (None, n_classes), name='y') 148 | env.training = tf.placeholder_with_default(False, (), name='mode') 149 | 150 | env.ybar, logits = model(env.x, logits=True, training=env.training) 151 | 152 | with tf.variable_scope('acc'): 153 | count = tf.equal(tf.argmax(env.y, axis=1), tf.argmax(env.ybar, axis=1)) 154 | env.acc = tf.reduce_mean(tf.cast(count, tf.float32), name='acc') 155 | 156 | with tf.variable_scope('loss'): 157 | xent = tf.nn.softmax_cross_entropy_with_logits(labels=env.y, 158 | logits=logits) 159 | env.loss = tf.reduce_mean(xent, name='loss') 160 | 161 | with tf.variable_scope('train_op'): 162 | optimizer = tf.train.AdamOptimizer() 163 | vs = tf.global_variables() 164 | env.train_op = optimizer.minimize(env.loss, var_list=vs) 165 | 166 | env.saver = tf.train.Saver() 167 | 168 | # Note here that the shape has to be fixed during the graph construction 169 | # since the internal variable depends upon the shape. 170 | env.x_fixed = tf.placeholder( 171 | tf.float32, (batch_size, img_size, img_size, img_chan), 172 | name='x_fixed') 173 | env.adv_eps = tf.placeholder(tf.float32, (), name='adv_eps') 174 | env.adv_y = tf.placeholder(tf.int32, (), name='adv_y') 175 | 176 | optimizer = tf.train.AdamOptimizer(learning_rate=0.1) 177 | env.adv_train_op, env.xadv, env.noise = cw(model, env.x_fixed, 178 | y=env.adv_y, eps=env.adv_eps, 179 | optimizer=optimizer) 180 | 181 | print('\nInitializing graph') 182 | 183 | env.sess = tf.InteractiveSession() 184 | env.sess.run(tf.global_variables_initializer()) 185 | env.sess.run(tf.local_variables_initializer()) 186 | 187 | 188 | def evaluate(env, X_data, y_data, batch_size=128): 189 | """ 190 | Evaluate TF model by running env.loss and env.acc. 191 | """ 192 | print('\nEvaluating') 193 | 194 | n_sample = X_data.shape[0] 195 | n_batch = int((n_sample+batch_size-1) / batch_size) 196 | loss, acc = 0, 0 197 | 198 | for batch in range(n_batch): 199 | print(' batch {0}/{1}'.format(batch + 1, n_batch), end='\r') 200 | start = batch * batch_size 201 | end = min(n_sample, start + batch_size) 202 | cnt = end - start 203 | batch_loss, batch_acc = env.sess.run( 204 | [env.loss, env.acc], 205 | feed_dict={env.x: X_data[start:end], 206 | env.y: y_data[start:end]}) 207 | loss += batch_loss * cnt 208 | acc += batch_acc * cnt 209 | loss /= n_sample 210 | acc /= n_sample 211 | 212 | print(' loss: {0:.4f} acc: {1:.4f}'.format(loss, acc)) 213 | return loss, acc 214 | 215 | 216 | def train(env, X_data, y_data, X_valid=None, y_valid=None, epochs=1, 217 | load=False, shuffle=True, batch_size=128, name='model'): 218 | """ 219 | Train a TF model by running env.train_op. 220 | """ 221 | if load: 222 | if not hasattr(env, 'saver'): 223 | return print('\nError: cannot find saver op') 224 | print('\nLoading saved model') 225 | return env.saver.restore(env.sess, 'model/{}'.format(name)) 226 | 227 | print('\nTrain model') 228 | n_sample = X_data.shape[0] 229 | n_batch = int((n_sample+batch_size-1) / batch_size) 230 | for epoch in range(epochs): 231 | print('\nEpoch {0}/{1}'.format(epoch + 1, epochs)) 232 | 233 | if shuffle: 234 | print('\nShuffling data') 235 | ind = np.arange(n_sample) 236 | np.random.shuffle(ind) 237 | X_data = X_data[ind] 238 | y_data = y_data[ind] 239 | 240 | for batch in range(n_batch): 241 | print(' batch {0}/{1}'.format(batch + 1, n_batch), end='\r') 242 | start = batch * batch_size 243 | end = min(n_sample, start + batch_size) 244 | env.sess.run(env.train_op, feed_dict={env.x: X_data[start:end], 245 | env.y: y_data[start:end], 246 | env.training: True}) 247 | if X_valid is not None: 248 | evaluate(env, X_valid, y_valid) 249 | 250 | if hasattr(env, 'saver'): 251 | print('\n Saving model') 252 | os.makedirs('model', exist_ok=True) 253 | env.saver.save(env.sess, 'model/{}'.format(name)) 254 | 255 | 256 | def predict(env, X_data, batch_size=128): 257 | """ 258 | Do inference by running env.ybar. 259 | """ 260 | print('\nPredicting') 261 | n_classes = env.ybar.get_shape().as_list()[1] 262 | 263 | n_sample = X_data.shape[0] 264 | n_batch = int((n_sample+batch_size-1) / batch_size) 265 | yval = np.empty((n_sample, n_classes)) 266 | 267 | for batch in range(n_batch): 268 | print(' batch {0}/{1}'.format(batch + 1, n_batch), end='\r') 269 | start = batch * batch_size 270 | end = min(n_sample, start + batch_size) 271 | y_batch = env.sess.run(env.ybar, feed_dict={env.x: X_data[start:end]}) 272 | yval[start:end] = y_batch 273 | print() 274 | return yval 275 | 276 | 277 | def make_cw(env, X_data, epochs=1, eps=0.1, batch_size=batch_size): 278 | """ 279 | Generate adversarial via CW optimization. 280 | """ 281 | print('\nMaking adversarials via CW') 282 | 283 | n_sample = X_data.shape[0] 284 | n_batch = int((n_sample + batch_size - 1) / batch_size) 285 | X_adv = np.empty_like(X_data) 286 | 287 | for batch in range(n_batch): 288 | with Timer('Batch {0}/{1} '.format(batch + 1, n_batch)): 289 | end = min(n_sample, (batch+1) * batch_size) 290 | start = end - batch_size 291 | feed_dict = { 292 | env.x_fixed: X_data[start:end], 293 | env.adv_eps: eps, 294 | env.adv_y: np.random.choice(n_classes)} 295 | 296 | # reset the noise before every iteration 297 | env.sess.run(env.noise.initializer) 298 | for epoch in range(epochs): 299 | env.sess.run(env.adv_train_op, feed_dict=feed_dict) 300 | 301 | xadv = env.sess.run(env.xadv, feed_dict=feed_dict) 302 | X_adv[start:end] = xadv 303 | 304 | return X_adv 305 | ################################################################################ 306 | def com_diff(y,y_pre): 307 | """ 308 | PCA前后的输出变化率 309 | """ 310 | z_y = np.argmax(y,axis=1) 311 | z_pca = np.argmax(y_pre,axis=1) 312 | n_samples = y.shape[0] 313 | diff_ori_pca = 0 314 | for index in range(n_samples): 315 | if z_y[index] != z_pca[index]: 316 | diff_ori_pca += 1 317 | diff_ori_pca /= n_samples 318 | return diff_ori_pca 319 | ################################################################################ 320 | def data_pca(X_data,n_components=5,zero = True,average = False,batch_size=128): 321 | """ 322 | 给一个28*28*1的输入,通过PCA处理 323 | 324 | X_test:(10000,28,28,1) 325 | 326 | """ 327 | #转成(10000,28,28) 328 | X_data = np.reshape(X_data,[-1, img_size,img_size]) 329 | pca = decomposition.PCA(n_components) 330 | 331 | n_sample = X_data.shape[0]#10000 332 | x_pca = np.empty_like(X_data)#tensor 333 | 334 | for sample in range(n_sample): 335 | print('pca {0}/{1}'.format(sample+1,n_sample),end='\r') 336 | model = pca.fit(X_data[sample]) 337 | #print(pca.explained_variance_ratio_) 338 | z = model.transform(X_data[sample]) 339 | #先降维,然后数据恢复 340 | ureduce = model.components_ 341 | x_rec = np.dot(z,ureduce) 342 | x_pca[sample] = x_rec 343 | #break 344 | #print(x_pca.shape) 345 | x_pca = np.reshape(x_pca,[-1, img_size, img_size, img_chan]) 346 | return x_pca 347 | 348 | ################################################################################ 349 | def decentra_data(X_test): 350 | """ 351 | 给一个10000*28*28*1的输入,各自减去平均值 352 | """ 353 | X_test = np.reshape(X_test,[-1, img_size,img_size]) 354 | n_sample = X_test.shape[0]#10000 355 | #print() 356 | x_decentra = np.empty_like(X_test) 357 | X_data = np.copy(X_test) 358 | for sample in range(n_sample): 359 | print('Decentration: {0}/{1}'.format(sample+1,n_sample),end='\r') 360 | input_pixel = np.reshape(X_data[sample],[-1]) 361 | #print(input_pixel.shape) 362 | sum = 0 363 | #print(input_pixel) 364 | for pixel in input_pixel: 365 | sum += pixel 366 | average = sum /(img_size*img_size) 367 | #print('average',average) 368 | for index in range(img_size*img_size): 369 | input_pixel[index] -= average 370 | #print(input_pixel) 371 | #print(input_pixel.shape) 372 | x_decentra[sample] = np.reshape(input_pixel,[img_size,img_size]) 373 | 374 | #break 375 | # print(X_test[0]) 376 | # print('--------------') 377 | # print(x_decentra[0]) 378 | 379 | x_decentra = np.reshape(x_decentra,[-1, img_size, img_size, img_chan]) 380 | 381 | return x_decentra 382 | ################################################################################ 383 | def random(X_test,gauss = True,random_scale = 0.4): 384 | """ 385 | 随机高斯噪声 386 | """ 387 | X_test = np.reshape(X_test,[-1, img_size,img_size]) 388 | n_sample = X_test.shape[0]#10000 389 | x_random = np.empty_like(X_test) 390 | X_data = np.copy(X_test) 391 | for sample in range(n_sample): 392 | print('Randomization: {0}/{1}'.format(sample+1,n_sample),end='\r') 393 | input_pixel = np.reshape(X_data[sample],[-1]) 394 | #sum = 0 395 | #print(input_pixel) 396 | # for pixel in input_pixel: 397 | # sum += pixel 398 | # average = sum /(img_size*img_size) 399 | 400 | for index in range(img_size*img_size): 401 | input_pixel[index] += np.random.normal(loc=0, scale= random_scale, size=None) 402 | x_random[sample] = np.reshape(input_pixel,[img_size,img_size]) 403 | x_random = np.reshape(x_random,[-1, img_size, img_size, img_chan]) 404 | return x_random 405 | ################################################################################ 406 | def ensemble(sess,env,x_test,x_adv,x_pca,x_adv_pca,x_decentra,x_adv_decentra,x_rand,x_adv_rand): 407 | """ 408 | 综合利用三种处理方法检测对抗样本 409 | """ 410 | y_clean = predict(sess, env, x_test) 411 | y_adv = predict(sess, env, x_adv) 412 | z_clean = np.argmax(y_clean,axis=1) 413 | z_adv = np.argmax(y_adv,axis=1) 414 | 415 | y_pca = predict(sess, env, x_pca) 416 | y_adv_pca = predict(sess, env, x_adv_pca) 417 | z_pca = np.argmax(y_pca,axis=1) 418 | z_adv_pca = np.argmax(y_adv_pca,axis=1) 419 | 420 | y_decentra = predict(sess, env, x_decentra) 421 | y_adv_decentra = predict(sess, env, x_adv_decentra) 422 | z_decentra = np.argmax(y_decentra,axis=1) 423 | z_adv_decentra = np.argmax(y_adv_decentra,axis=1) 424 | 425 | y_rand = predict(sess, env, x_rand) 426 | y_adv_rand = predict(sess, env, x_adv_rand) 427 | z_rand = np.argmax(y_rand,axis=1) 428 | z_adv_rand = np.argmax(y_adv_rand,axis=1) 429 | 430 | n_samples = y_clean.shape[0] 431 | TP = 0 432 | FN = 0 433 | FP = 0 434 | TN = 0 435 | 436 | for index in range(n_samples): 437 | if z_clean[index] == z_pca[index] and z_clean[index] == z_decentra[index] and z_clean[index] == z_rand[index]: 438 | TP += 1 439 | if z_adv[index] == z_adv_pca[index] and z_adv[index] == z_adv_decentra[index] and z_adv[index] == z_adv_rand[index]: 440 | FP += 1 441 | FN, TN = n_samples - TP, n_samples - FP 442 | 443 | #return TP/n_samples, FN/n_samples, FP/n_samples, TN/n_samples 444 | return TP,FN,FP,TN 445 | ################################################################################ 446 | def reduce_color_bits(x_test,bit_depth = 1): 447 | """ 448 | 减小MNIST图片的比特深度 449 | """ 450 | #print("bit_depth",bit_depth) 451 | x_test = np.reshape(x_test,[-1,img_size,img_size]) 452 | n_samples = x_test.shape[0] 453 | x_redu_bit = np.empty_like(x_test) 454 | x_data = np.copy(x_test) 455 | max_val = float(pow(2,bit_depth)-1) 456 | 457 | for sample in range(n_samples): 458 | #print('Reducing color bits: {0}/{1}'.format(sample+1,n_samples),end='\r') 459 | input_pixel = np.reshape(x_data[sample],[-1]) 460 | for index in range(img_size*img_size): 461 | x_int = np.rint(input_pixel[index]*max_val) 462 | x_float = x_int/max_val 463 | input_pixel[index] = x_float 464 | x_redu_bit[sample] = np.reshape(input_pixel,[img_size,img_size]) 465 | #break 466 | x_redu_bit = np.reshape(x_redu_bit,[-1, img_size, img_size, img_chan]) 467 | return x_redu_bit 468 | ###################################### rectify ################################# 469 | def rectify(x_test,decimal = 1): 470 | x_test = np.reshape(x_test,[-1,img_size,img_size]) 471 | n_samples = x_test.shape[0] 472 | x_rectify = np.empty_like(x_test) 473 | x_data = np.copy(x_test) 474 | 475 | for sample in range(n_samples): 476 | # print('Rectify bits: {0}/{1}'.format(sample+1,n_samples),end='\r') 477 | input_pixel = np.reshape(x_data[sample],[-1]) 478 | for index in range(img_size*img_size): 479 | input_pixel[index] = round(input_pixel[index],decimal) 480 | 481 | x_rectify[sample] = np.reshape(input_pixel,[img_size,img_size]) 482 | #break 483 | x_rectify = np.reshape(x_rectify,[-1, img_size, img_size, img_chan]) 484 | return x_rectify 485 | pass 486 | ################################################################################ 487 | def spatial_smooth(x_test): 488 | 489 | pass 490 | ################################# 结果评价 ###################################### 491 | def result_eval(sess,env,x_test,x_adv,x_test_pre,x_adv_pre): 492 | """ 493 | 从TP, FN, FP, TN, P, R 6个标准评价样本 494 | Accuracy = (TP+TN)/(TP+FN+FP+TN) 495 | """ 496 | TP, FN, FP, TN, Accuracy= 0, 0, 0, 0, 0 497 | y_test = predict(env, x_test) 498 | y_adv = predict(env, x_adv) 499 | y_test_pre = predict(env, x_test_pre) 500 | y_adv_pre = predict(env, x_adv_pre) 501 | 502 | #z = np.argmax(y,axis=1) 503 | z_test = np.argmax(y_test,axis=1) 504 | z_adv = np.argmax(y_adv,axis=1) 505 | z_test_pre = np.argmax(y_test_pre,axis=1) 506 | z_adv_pre = np.argmax(y_adv_pre,axis=1) 507 | 508 | n_samples = y_test.shape[0] 509 | 510 | for index in range(n_samples): 511 | if z_adv[index] != z_adv_pre[index]: 512 | TN += 1 513 | if z_test[index] == z_test_pre[index]: 514 | TP += 1 515 | 516 | FN, FP = n_samples - TP, n_samples - TN 517 | P , R = TP / (TP+FP) , TP / (TP+FN) 518 | Accuracy = (TP+TN)/(TP+FN+FP+TN) 519 | return TP, FN, FP, TN, P, R, Accuracy 520 | ################################################################################ 521 | # 522 | #pca_components = 1 523 | random_scale = 0.5 524 | bit_depth = 1 525 | decimal = 1 526 | ################################################################################ 527 | print('\nTraining') 528 | # train(env, X_train, y_train, X_valid, y_valid, load=False, epochs=5,name='mnist') 529 | train(env, X_train, y_train, X_valid, y_valid, load=True, epochs=5,name='mnist') 530 | 531 | print('\nGenerating adversarial data') 532 | X_adv = make_cw(env, X_test, eps=0.002, epochs=100) 533 | 534 | print("\nRectifing the samples") 535 | x_rectify = rectify(X_test,decimal = decimal) 536 | x_adc_rectify = rectify(X_adv,decimal = decimal) 537 | TP, FN, FP, TN, P, R , Accuracy= result_eval(env.sess,env,X_test,X_adv,x_rectify,x_adc_rectify) 538 | print("TP:",TP,"\nFN:",FN,"\nFP:",FP,"\nTN:",TN,"\nP:",P,"\nR:",R) 539 | 540 | print("\nReducing color bits = 1") 541 | x_redu_bit = reduce_color_bits(X_test,bit_depth = 1) 542 | x_adv_redu_bit = reduce_color_bits(X_adv,bit_depth = 1) 543 | TP, FN, FP, TN, P, R, Accuracy = result_eval(env.sess,env,X_test,X_adv,x_redu_bit,x_adv_redu_bit) 544 | print("TP:",TP,"\nFN:",FN,"\nFP:",FP,"\nTN:",TN,"\nP:",P,"\nR:",R) 545 | 546 | print("\nReducing color bits = 2") 547 | x_redu_bit = reduce_color_bits(X_test,bit_depth = 2) 548 | x_adv_redu_bit = reduce_color_bits(X_adv,bit_depth = 2) 549 | TP, FN, FP, TN, P, R, Accuracy = result_eval(env.sess,env,X_test,X_adv,x_redu_bit,x_adv_redu_bit) 550 | print("TP:",TP,"\nFN:",FN,"\nFP:",FP,"\nTN:",TN,"\nP:",P,"\nR:",R) 551 | 552 | # 测试pca的维度选择 553 | for pca_components in [1,5,10,20]: 554 | print('\nGenerating PCA data, n_components={0}'.format(pca_components)) 555 | X_pca = data_pca(X_test,n_components = pca_components) 556 | X_adv_pca = data_pca(X_adv,n_components = pca_components) 557 | TP, FN, FP, TN, P, R, Accuracy = result_eval(env.sess,env,X_test,X_adv,X_pca,X_adv_pca) 558 | print("TP:",TP,"\nFN:",FN,"\nFP:",FP,"\nTN:",TN,"\nP:",P,"\nR:",R) 559 | 560 | print('\nGenerating decenration data') 561 | x_decentra = decentra_data(X_test) 562 | X_adv_decentra = decentra_data(X_adv) 563 | TP, FN, FP, TN, P, R, Accuracy = result_eval(env.sess,env,X_test,X_adv,x_decentra,X_adv_decentra) 564 | print("TP:",TP,"\nFN:",FN,"\nFP:",FP,"\nTN:",TN,"\nP:",P,"\nR:",R) 565 | 566 | print('\nGenerating randomization data') 567 | x_rand = random(X_test) 568 | X_adv_rand = random(X_adv) 569 | TP, FN, FP, TN, P, R, Accuracy = result_eval(env.sess,env,X_test,X_adv,x_rand,X_adv_rand) 570 | print("TP:",TP,"\nFN:",FN,"\nFP:",FP,"\nTN:",TN,"\nP:",P,"\nR:",R) 571 | 572 | -------------------------------------------------------------------------------- /Algorithms/fast_gradient.py: -------------------------------------------------------------------------------- 1 | import tensorflow as tf 2 | 3 | 4 | __all__ = [ 5 | 'fgm', # fast gradient method 6 | 'fgmt' # fast gradient method with target 7 | ] 8 | 9 | 10 | def fgm(model, x, eps=0.01, epochs=1, sign=True, clip_min=0., clip_max=1.): 11 | """ 12 | Fast gradient method. 13 | 14 | See https://arxiv.org/abs/1412.6572 and https://arxiv.org/abs/1607.02533 15 | for details. This implements the revised version since the original FGM 16 | has label leaking problem (https://arxiv.org/abs/1611.01236). 17 | 18 | :param model: A wrapper that returns the output as well as logits. 19 | :param x: The input placeholder. 20 | :param eps: The scale factor for noise. 21 | :param epochs: The maximum epoch to run. 22 | :param sign: Use gradient sign if True, otherwise use gradient value. 23 | :param clip_min: The minimum value in output. 24 | :param clip_max: The maximum value in output. 25 | 26 | :return: A tensor, contains adversarial samples for each input. 27 | """ 28 | xadv = tf.identity(x) #返回相同tensor的op 29 | 30 | ybar = model(xadv) 31 | yshape = ybar.get_shape().as_list() 32 | ydim = yshape[1] 33 | 34 | indices = tf.argmax(ybar, axis=1) 35 | target = tf.cond( 36 | tf.equal(ydim, 1), 37 | lambda: tf.nn.relu(tf.sign(ybar - 0.5)), 38 | lambda: tf.one_hot(indices, ydim, on_value=1.0, off_value=0.0)) 39 | 40 | if 1 == ydim: 41 | loss_fn = tf.nn.sigmoid_cross_entropy_with_logits 42 | else: 43 | loss_fn = tf.nn.softmax_cross_entropy_with_logits 44 | 45 | if sign: 46 | noise_fn = tf.sign 47 | else: 48 | noise_fn = tf.identity 49 | 50 | eps = tf.abs(eps) 51 | 52 | def _cond(xadv, i): 53 | return tf.less(i, epochs) 54 | 55 | def _body(xadv, i): 56 | ybar, logits = model(xadv, logits=True) 57 | loss = loss_fn(labels=target, logits=logits) 58 | dy_dx, = tf.gradients(loss, xadv) 59 | xadv = tf.stop_gradient(xadv + eps*noise_fn(dy_dx)) 60 | xadv = tf.clip_by_value(xadv, clip_min, clip_max) 61 | return xadv, i+1 62 | 63 | xadv, _ = tf.while_loop(_cond, _body, (xadv, 0), back_prop=False, 64 | name='fast_gradient') 65 | return xadv 66 | 67 | 68 | def fgmt(model, x, y=None, eps=0.01, epochs=1, sign=True, clip_min=0., 69 | clip_max=1.): 70 | """ 71 | Fast gradient method with target 72 | 73 | See https://arxiv.org/pdf/1607.02533.pdf. This method is different from 74 | FGM that instead of decreasing the probability for the correct label, it 75 | increases the probability for the desired label. 76 | 77 | :param model: A model that returns the output as well as logits. 78 | :param x: The input placeholder. 79 | :param y: The desired target label, set to the least-likely class if None. 80 | :param eps: The noise scale factor. 81 | :param epochs: Maximum epoch to run. 82 | :param sign: Use gradient sign if True, otherwise gradient values. 83 | :param clip_min: Minimum value in output. 84 | :param clip_max: Maximum value in output. 85 | """ 86 | xadv = tf.identity(x) 87 | 88 | ybar = model(xadv) 89 | ydim = ybar.get_shape().as_list()[1] 90 | n = tf.shape(ybar)[0] 91 | 92 | if y is None: 93 | indices = tf.argmin(ybar, axis=1) 94 | else: 95 | indices = tf.cond(tf.equal(0, tf.rank(y)), 96 | lambda: tf.zeros([n], dtype=tf.int32) + y, 97 | lambda: tf.zeros([n], dtype=tf.int32)) 98 | 99 | target = tf.cond( 100 | tf.equal(ydim, 1), 101 | lambda: 1 - ybar, 102 | lambda: tf.one_hot(indices, ydim, on_value=1.0, off_value=0.0)) 103 | 104 | if 1 == ydim: 105 | loss_fn = tf.nn.sigmoid_cross_entropy_with_logits 106 | else: 107 | loss_fn = tf.nn.softmax_cross_entropy_with_logits 108 | 109 | if sign: 110 | noise_fn = tf.sign 111 | else: 112 | noise_fn = tf.identity 113 | 114 | eps = -tf.abs(eps) 115 | 116 | def _cond(xadv, i): 117 | return tf.less(i, epochs) 118 | 119 | def _body(xadv, i): 120 | ybar, logits = model(xadv, logits=True) 121 | loss = loss_fn(labels=target, logits=logits) 122 | dy_dx, = tf.gradients(loss, xadv) 123 | xadv = tf.stop_gradient(xadv + eps*noise_fn(dy_dx)) 124 | xadv = tf.clip_by_value(xadv, clip_min, clip_max) 125 | return xadv, i+1 126 | 127 | xadv, _ = tf.while_loop(_cond, _body, (xadv, 0), back_prop=False, 128 | name='fast_gradient_target') 129 | return xadv 130 | -------------------------------------------------------------------------------- /Algorithms/fgsm_detection.py: -------------------------------------------------------------------------------- 1 | """ 2 | Dependencies: python3, tensorflow v1.4, numpy, matplotlib 3 | """ 4 | import os 5 | 6 | import numpy as np 7 | 8 | import matplotlib 9 | #matplotlib.use('Agg') # 设置Agg属性,可以让图形不显示,直接保存 10 | import matplotlib.pyplot as plt 11 | import matplotlib.gridspec as gridspec #可以自定义输出图形布局的库 12 | import keras 13 | import tensorflow as tf 14 | from sklearn import decomposition 15 | 16 | 17 | from fast_gradient import fgm 18 | 19 | """ 20 | parameters in this code 21 | """ 22 | img_size = 28 23 | img_chan = 1 24 | n_classes = 10 25 | pca_components = 27 26 | random_scale = 0.5 27 | bit_depth = 1 28 | print("========================="*2) 29 | print('\nLoading MNIST') 30 | #读取mnist数据集 31 | 32 | mnist = keras.datasets.mnist 33 | #处理之前,X_train.shape : (60000,28,28) 34 | (X_train, y_train), (X_test, y_test) = mnist.load_data() 35 | #print("X_train",X_train.shape) 36 | #处理之后,X_train.shape : (60000,28,28,1) 37 | X_train = np.reshape(X_train, [-1, img_size, img_size, img_chan]) 38 | #print("X_train2",X_train.shape) 39 | #print(type(X_train)) 40 | X_train = X_train.astype(np.float32) / 255 41 | 42 | X_test = np.reshape(X_test, [-1, img_size, img_size, img_chan]) 43 | X_test = X_test.astype(np.float32) / 255 44 | #print("x_test",X_test[0].shape) 45 | 46 | #将MNIST标签变成one-hot表示 47 | to_categorical = keras.utils.to_categorical 48 | #print("y_train",y_train[0]) 49 | y_train = to_categorical(y_train) 50 | y_test = to_categorical(y_test) 51 | #print("y_train",y_train[0]) 52 | 53 | print("=========================") 54 | print('\nSpliting data') 55 | 56 | #随机改变array的次序 57 | #X_train.shape:(60000,28,28,1) 58 | # X_train.shape[0] = 60000 59 | ind = np.random.permutation(X_train.shape[0]) 60 | #随机化X_train和y_train的顺序 61 | X_train, y_train = X_train[ind], y_train[ind] 62 | 63 | #从训练集中分出10%作为验证集 64 | VALIDATION_SPLIT = 0.1 65 | n = int(X_train.shape[0] * (1-VALIDATION_SPLIT)) 66 | #n = 5400 67 | X_valid = X_train[n:] 68 | X_train = X_train[:n] 69 | y_valid = y_train[n:] 70 | y_train = y_train[:n] 71 | 72 | 73 | print('\nConstruction graph') 74 | 75 | """ 76 | 定义一个分类模型: 77 | 注意在这里的with语句和python中的其他地方with语句不一样,执行完毕之后conv0/和conv1/等空间还是在内存中,如果再次执行with tf.variable_scope('conv0'),就会生成名为conv0_1的空间。但是可以通过with tf.variable_scope('conv0',reuse=True)共享变量空间 78 | """ 79 | def model(x, logits=False, training=False): 80 | with tf.variable_scope('conv0'): 81 | z = tf.layers.conv2d(x, filters=32, kernel_size=[3, 3], 82 | padding='same', activation=tf.nn.relu) 83 | z = tf.layers.max_pooling2d(z, pool_size=[2, 2], strides=2) 84 | 85 | with tf.variable_scope('conv1'): 86 | z = tf.layers.conv2d(z, filters=64, kernel_size=[3, 3], 87 | padding='same', activation=tf.nn.relu) 88 | z = tf.layers.max_pooling2d(z, pool_size=[2, 2], strides=2) 89 | 90 | with tf.variable_scope('flatten'): 91 | shape = z.get_shape().as_list() 92 | z = tf.reshape(z, [-1, np.prod(shape[1:])]) 93 | 94 | with tf.variable_scope('mlp'): 95 | z = tf.layers.dense(z, units=128, activation=tf.nn.relu) 96 | #tf.layers.dropout()中的training参数:Whether to return the output in training mode (apply dropout) or in inference mode (return the input untouched). 97 | z = tf.layers.dropout(z, rate=0.25, training=training) 98 | 99 | logits_ = tf.layers.dense(z, units=10, name='logits') 100 | y = tf.nn.softmax(logits_, name='ybar') 101 | #根据ligits的值决定模型是返回最终的分类值y还是模型最后输出层的值。 102 | if logits: 103 | return y, logits_ 104 | return y 105 | 106 | 107 | class Dummy: 108 | """ 109 | x : tf.placeholder(tf.float32, (None, img_size, img_size, img_chan),name='x') 110 | y : tf.placeholder(tf.float32, (None, n_classes), name='y') 111 | training : tf.placeholder_with_default(False, (), name='mode') 112 | ybar : model(env.x, logits=True, training=env.training) 113 | acc : tf.reduce_mean(tf.cast(count, tf.float32), name='acc') 114 | loss : tf.reduce_mean(xent, name='loss') 115 | train_op : optimizer.minimize(env.loss) 116 | saver : tf.train.Saver() 117 | fgsm_eps : tf.placeholder(tf.float32, (), name='fgsm_eps') 学习率 118 | fgsm_epochs : tf.placeholder(tf.int32, (), name='fgsm_epochs') 迭代次数 119 | x_fgsm : fgm(model, env.x, epochs=env.fgsm_epochs, eps=env.fgsm_eps) 120 | 121 | """ 122 | pass 123 | 124 | 125 | env = Dummy() 126 | 127 | 128 | with tf.variable_scope('model'): 129 | env.x = tf.placeholder(tf.float32, (None, img_size, img_size, img_chan), 130 | name='x') 131 | env.y = tf.placeholder(tf.float32, (None, n_classes), name='y') 132 | env.training = tf.placeholder_with_default(False, (), name='mode') 133 | 134 | env.ybar, logits = model(env.x, logits=True, training=env.training) 135 | 136 | with tf.variable_scope('acc'): 137 | count = tf.equal(tf.argmax(env.y, axis=1), tf.argmax(env.ybar, axis=1)) 138 | env.acc = tf.reduce_mean(tf.cast(count, tf.float32), name='acc') 139 | 140 | with tf.variable_scope('loss'): 141 | xent = tf.nn.softmax_cross_entropy_with_logits(labels=env.y, 142 | logits=logits) 143 | env.loss = tf.reduce_mean(xent, name='loss') 144 | 145 | with tf.variable_scope('train_op'): 146 | optimizer = tf.train.AdamOptimizer() 147 | env.train_op = optimizer.minimize(env.loss) 148 | 149 | env.saver = tf.train.Saver() 150 | 151 | with tf.variable_scope('model', reuse=True): 152 | env.fgsm_eps = tf.placeholder(tf.float32, (), name='fgsm_eps') 153 | env.fgsm_epochs = tf.placeholder(tf.int32, (), name='fgsm_epochs') 154 | env.x_fgsm = fgm(model, env.x, epochs=env.fgsm_epochs, eps=env.fgsm_eps) 155 | 156 | print('\nInitializing graph') 157 | 158 | sess = tf.InteractiveSession() 159 | sess.run(tf.global_variables_initializer()) 160 | sess.run(tf.local_variables_initializer()) 161 | 162 | 163 | def evaluate(sess, env, X_data, y_data, batch_size=128): 164 | """ 165 | Evaluate TF model by running env.loss and env.acc. 166 | """ 167 | print('Evaluating') 168 | 169 | n_sample = X_data.shape[0] 170 | n_batch = int((n_sample+batch_size-1) / batch_size) 171 | loss, acc = 0, 0 172 | 173 | for batch in range(n_batch): 174 | print(' batch {0}/{1}'.format(batch + 1, n_batch), end='\r') 175 | start = batch * batch_size 176 | end = min(n_sample, start + batch_size) 177 | cnt = end - start 178 | batch_loss, batch_acc = sess.run( 179 | [env.loss, env.acc], 180 | feed_dict={env.x: X_data[start:end], 181 | env.y: y_data[start:end]}) 182 | loss += batch_loss * cnt 183 | acc += batch_acc * cnt 184 | loss /= n_sample 185 | acc /= n_sample 186 | 187 | print(' loss: {0:.4f} acc: {1:.4f}'.format(loss, acc)) 188 | return loss, acc 189 | 190 | 191 | 192 | 193 | def train(sess, env, X_data, y_data, X_valid=None, y_valid=None, epochs=1, 194 | load=False, shuffle=True, batch_size=128, name='model'): 195 | """ 196 | Train a TF model by running env.train_op. 197 | """ 198 | if load: 199 | if not hasattr(env, 'saver'): 200 | return print('\nError: cannot find saver op') 201 | print('\nLoading saved model') 202 | return env.saver.restore(sess, 'model/{}'.format(name)) 203 | 204 | print('\nTrain model') 205 | n_sample = X_data.shape[0] 206 | n_batch = int((n_sample+batch_size-1) / batch_size) 207 | for epoch in range(epochs): 208 | print('\nEpoch {0}/{1}'.format(epoch + 1, epochs)) 209 | 210 | if shuffle: 211 | print('\nShuffling data') 212 | ind = np.arange(n_sample) 213 | np.random.shuffle(ind) 214 | X_data = X_data[ind] 215 | y_data = y_data[ind] 216 | 217 | for batch in range(n_batch): 218 | print(' batch {0}/{1}'.format(batch + 1, n_batch), end='\r') 219 | start = batch * batch_size 220 | end = min(n_sample, start + batch_size) 221 | sess.run(env.train_op, feed_dict={env.x: X_data[start:end], 222 | env.y: y_data[start:end], 223 | env.training: True}) 224 | if X_valid is not None: 225 | evaluate(sess, env, X_valid, y_valid) 226 | 227 | if hasattr(env, 'saver'): 228 | print('\n Saving model') 229 | os.makedirs('model', exist_ok=True) 230 | env.saver.save(sess, 'model/{}'.format(name)) 231 | 232 | 233 | def predict(sess, env, X_data, batch_size=128): 234 | """ 235 | Do inference by running env.ybar. 236 | """ 237 | print('\nPredicting') 238 | n_classes = env.ybar.get_shape().as_list()[1] 239 | 240 | n_sample = X_data.shape[0] 241 | n_batch = int((n_sample+batch_size-1) / batch_size) 242 | yval = np.empty((n_sample, n_classes)) 243 | 244 | for batch in range(n_batch): 245 | print(' batch {0}/{1}'.format(batch + 1, n_batch), end='\r') 246 | start = batch * batch_size 247 | end = min(n_sample, start + batch_size) 248 | y_batch = sess.run(env.ybar, feed_dict={env.x: X_data[start:end]}) 249 | yval[start:end] = y_batch 250 | print() 251 | return yval 252 | 253 | 254 | def make_fgsm(sess, env, X_data, epochs=1, eps=0.01, batch_size=128): 255 | """ 256 | Generate FGSM by running env.x_fgsm. 257 | """ 258 | print('\nMaking adversarials via FGSM') 259 | 260 | n_sample = X_data.shape[0] 261 | n_batch = int((n_sample + batch_size - 1) / batch_size) 262 | X_adv = np.empty_like(X_data) 263 | 264 | for batch in range(n_batch): 265 | print(' batch {0}/{1}'.format(batch + 1, n_batch), end='\r') 266 | start = batch * batch_size 267 | end = min(n_sample, start + batch_size) 268 | adv = sess.run(env.x_fgsm, feed_dict={ 269 | env.x: X_data[start:end], 270 | env.fgsm_eps: eps, 271 | env.fgsm_epochs: epochs}) 272 | X_adv[start:end] = adv 273 | print() 274 | 275 | return X_adv 276 | ################################################################################ 277 | def com_diff(y,y_pre): 278 | """ 279 | PCA前后的输出变化率 280 | """ 281 | z_y = np.argmax(y,axis=1) 282 | z_pca = np.argmax(y_pre,axis=1) 283 | n_samples = y.shape[0] 284 | diff_ori_pca = 0 285 | for index in range(n_samples): 286 | if z_y[index] != z_pca[index]: 287 | diff_ori_pca += 1 288 | diff_ori_pca /= n_samples 289 | return diff_ori_pca 290 | ################################################################################ 291 | def data_pca(X_data,n_components=5,zero = True,average = False,batch_size=128): 292 | """ 293 | 给一个28*28*1的输入,通过PCA处理 294 | 295 | X_test:(10000,28,28,1) 296 | 297 | """ 298 | #转成(10000,28,28) 299 | X_data = np.reshape(X_data,[-1, img_size,img_size]) 300 | pca = decomposition.PCA(n_components) 301 | 302 | n_sample = X_data.shape[0]#10000 303 | x_pca = np.empty_like(X_data)#tensor 304 | 305 | for sample in range(n_sample): 306 | print('pca {0}/{1}'.format(sample+1,n_sample),end='\r') 307 | model = pca.fit(X_data[sample]) 308 | #print(pca.explained_variance_ratio_) 309 | z = model.transform(X_data[sample]) 310 | #先降维,然后数据恢复 311 | ureduce = model.components_ 312 | x_rec = np.dot(z,ureduce) 313 | x_pca[sample] = x_rec 314 | #break 315 | #print(x_pca.shape) 316 | x_pca = np.reshape(x_pca,[-1, img_size, img_size, img_chan]) 317 | return x_pca 318 | 319 | ################################################################################ 320 | def decentra_data(X_test): 321 | """ 322 | 给一个10000*28*28*1的输入,各自减去平均值 323 | """ 324 | X_test = np.reshape(X_test,[-1, img_size,img_size]) 325 | n_sample = X_test.shape[0]#10000 326 | #print() 327 | x_decentra = np.empty_like(X_test) 328 | X_data = np.copy(X_test) 329 | for sample in range(n_sample): 330 | print('Decentration: {0}/{1}'.format(sample+1,n_sample),end='\r') 331 | input_pixel = np.reshape(X_data[sample],[-1]) 332 | #print(input_pixel.shape) 333 | sum = 0 334 | #print(input_pixel) 335 | for pixel in input_pixel: 336 | sum += pixel 337 | average = sum /(img_size*img_size) 338 | #print('average',average) 339 | for index in range(img_size*img_size): 340 | input_pixel[index] -= average 341 | #print(input_pixel) 342 | #print(input_pixel.shape) 343 | x_decentra[sample] = np.reshape(input_pixel,[img_size,img_size]) 344 | 345 | #break 346 | # print(X_test[0]) 347 | # print('--------------') 348 | # print(x_decentra[0]) 349 | 350 | x_decentra = np.reshape(x_decentra,[-1, img_size, img_size, img_chan]) 351 | 352 | return x_decentra 353 | ################################################################################ 354 | def random(X_test,gauss = True,random_scale = 0.4): 355 | """ 356 | 随机高斯噪声 357 | """ 358 | X_test = np.reshape(X_test,[-1, img_size,img_size]) 359 | n_sample = X_test.shape[0]#10000 360 | x_random = np.empty_like(X_test) 361 | X_data = np.copy(X_test) 362 | for sample in range(n_sample): 363 | print('Randomization: {0}/{1}'.format(sample+1,n_sample),end='\r') 364 | input_pixel = np.reshape(X_data[sample],[-1]) 365 | #sum = 0 366 | #print(input_pixel) 367 | # for pixel in input_pixel: 368 | # sum += pixel 369 | # average = sum /(img_size*img_size) 370 | 371 | for index in range(img_size*img_size): 372 | input_pixel[index] += np.random.normal(loc=0, scale= random_scale, size=None) 373 | x_random[sample] = np.reshape(input_pixel,[img_size,img_size]) 374 | x_random = np.reshape(x_random,[-1, img_size, img_size, img_chan]) 375 | return x_random 376 | ################################################################################ 377 | def ensemble(sess,env,x_test,x_adv,x_pca,x_adv_pca,x_decentra,x_adv_decentra,x_rand,x_adv_rand): 378 | """ 379 | 综合利用三种处理方法检测对抗样本 380 | """ 381 | y_clean = predict(sess, env, x_test) 382 | y_adv = predict(sess, env, x_adv) 383 | z_clean = np.argmax(y_clean,axis=1) 384 | z_adv = np.argmax(y_adv,axis=1) 385 | 386 | y_pca = predict(sess, env, x_pca) 387 | y_adv_pca = predict(sess, env, x_adv_pca) 388 | z_pca = np.argmax(y_pca,axis=1) 389 | z_adv_pca = np.argmax(y_adv_pca,axis=1) 390 | 391 | y_decentra = predict(sess, env, x_decentra) 392 | y_adv_decentra = predict(sess, env, x_adv_decentra) 393 | z_decentra = np.argmax(y_decentra,axis=1) 394 | z_adv_decentra = np.argmax(y_adv_decentra,axis=1) 395 | 396 | y_rand = predict(sess, env, x_rand) 397 | y_adv_rand = predict(sess, env, x_adv_rand) 398 | z_rand = np.argmax(y_rand,axis=1) 399 | z_adv_rand = np.argmax(y_adv_rand,axis=1) 400 | 401 | n_samples = y_clean.shape[0] 402 | TP = 0 403 | FN = 0 404 | FP = 0 405 | TN = 0 406 | 407 | for index in range(n_samples): 408 | if z_clean[index] == z_pca[index] and z_clean[index] == z_decentra[index] and z_clean[index] == z_rand[index]: 409 | TP += 1 410 | if z_adv[index] == z_adv_pca[index] and z_adv[index] == z_adv_decentra[index] and z_adv[index] == z_adv_rand[index]: 411 | FP += 1 412 | FN, TN = n_samples - TP, n_samples - FP 413 | 414 | #return TP/n_samples, FN/n_samples, FP/n_samples, TN/n_samples 415 | return TP,FN,FP,TN 416 | ################################################################################ 417 | def reduce_color_bits(x_test,bit_depth = 1): 418 | """ 419 | 减小MNIST图片的比特深度 420 | """ 421 | #print("bit_depth",bit_depth) 422 | x_test = np.reshape(x_test,[-1,img_size,img_size]) 423 | n_samples = x_test.shape[0] 424 | x_redu_bit = np.empty_like(x_test) 425 | x_data = np.copy(x_test) 426 | max_val = float(pow(2,bit_depth)-1) 427 | 428 | for sample in range(n_samples): 429 | #print('Reducing color bits: {0}/{1}'.format(sample+1,n_samples),end='\r') 430 | input_pixel = np.reshape(x_data[sample],[-1]) 431 | for index in range(img_size*img_size): 432 | x_int = np.rint(input_pixel[index]*max_val) 433 | x_float = x_int/max_val 434 | input_pixel[index] = x_float 435 | x_redu_bit[sample] = np.reshape(input_pixel,[img_size,img_size]) 436 | #break 437 | x_redu_bit = np.reshape(x_redu_bit,[-1, img_size, img_size, img_chan]) 438 | return x_redu_bit 439 | ################################################################################ 440 | def spatial_smooth(x_test): 441 | 442 | pass 443 | ################################# 结果评价 ###################################### 444 | def result_eval(sess,env,x_test,x_adv,x_test_pre,x_adv_pre): 445 | """ 446 | 从TP, FN, FP, TN, P, R 6个标准评价样本 447 | Accuracy = (TP+TN)/(TP+FN+FP+TN) 448 | """ 449 | TP, FN, FP, TN, Accuracy = 0, 0, 0, 0 450 | y_test = predict(sess, env, x_test) 451 | y_adv = predict(sess, env, x_adv) 452 | y_test_pre = predict(sess, env, x_test_pre) 453 | y_adv_pre = predict(sess, env, x_adv_pre) 454 | 455 | #z = np.argmax(y,axis=1) 456 | z_test = np.argmax(y_test,axis=1) 457 | z_adv = np.argmax(y_adv,axis=1) 458 | z_test_pre = np.argmax(y_test_pre,axis=1) 459 | z_adv_pre = np.argmax(y_adv_pre,axis=1) 460 | 461 | n_samples = y_test.shape[0] 462 | 463 | for index in range(n_samples): 464 | if z_adv[index] != z_adv_pre[index]: 465 | TN += 1 466 | if z_test[index] == z_test_pre[index]: 467 | TP += 1 468 | 469 | FN, FP = n_samples - TP, n_samples - TN 470 | P , R = TP / (TP+FP) , TP / (TP+FN) 471 | Accuracy = (TP+TN)/(TP+FN+FP+TN) 472 | return TP, FN, FP, TN, P, R, Accuracy 473 | ################################################################################ 474 | ################################################################################ 475 | # X_test = np.reshape(X_test,[-1, img_size,img_size]) 476 | # print("-------------",X_test[0]) 477 | # plt.figure() 478 | # plt.imshow(np.reshape(X_test[0],[img_size,img_size]),cmap="binary") 479 | # plt.show() 480 | # x_redu_bit = reduce_color_bits(X_test,bit_depth) 481 | # x_redu_bit = np.reshape(x_redu_bit,[-1, img_size,img_size]) 482 | # print("-------------",x_redu_bit[0]) 483 | ################################################################################ 484 | ##################################### Testing ################################## 485 | print('\nTraining') 486 | 487 | #是否需要重新训练 488 | train(sess, env, X_train, y_train, X_valid, y_valid, load=True, epochs=5,name='mnist') 489 | #train(sess, env, X_train, y_train, X_valid, y_valid, load=False, epochs=5, name='mnist') 490 | 491 | print('\nGenerating adversarial data') 492 | X_adv = make_fgsm(sess, env, X_test, eps=0.02, epochs=12) 493 | 494 | # print("\nReducing color bits") 495 | # x_redu_bit = reduce_color_bits(X_test,bit_depth = 1) 496 | # x_adv_redu_bit = reduce_color_bits(X_adv,bit_depth = 1) 497 | # TP, FN, FP, TN, P, R, Accuracy = result_eval(sess,env,X_test,X_adv,x_redu_bit,x_adv_redu_bit) 498 | # print("TP:",TP,"\nFN:",FN,"\nFP:",FP,"\nTN:",TN,"\nP:",P,"\nR:",R) 499 | 500 | # print('\nGenerating PCA data, n_components={0}'.format(pca_components)) 501 | # X_pca = data_pca(X_test,n_components = pca_components) 502 | # X_adv_pca = data_pca(X_adv,n_components = pca_components) 503 | # TP, FN, FP, TN, P, R, Accuracy = result_eval(sess,env,X_test,X_adv,X_pca,X_adv_pca) 504 | # print("TP:",TP,"\nFN:",FN,"\nFP:",FP,"\nTN:",TN,"\nP:",P,"\nR:",R) 505 | 506 | # print('\nGenerating decenration data') 507 | # x_decentra = decentra_data(X_test) 508 | # X_adv_decentra = decentra_data(X_adv) 509 | # TP, FN, FP, TN, P, R, Accuracy = result_eval(sess,env,X_test,X_adv,x_decentra,X_adv_decentra) 510 | # print("TP:",TP,"\nFN:",FN,"\nFP:",FP,"\nTN:",TN,"\nP:",P,"\nR:",R) 511 | 512 | # print('\nGenerating randomization data') 513 | # x_rand = random(X_test) 514 | # X_adv_rand = random(X_adv) 515 | # TP, FN, FP, TN, P, R, Accuracy = result_eval(sess,env,X_test,X_adv,x_rand,X_adv_rand) 516 | # print("TP:",TP,"\nFN:",FN,"\nFP:",FP,"\nTN:",TN,"\nP:",P,"\nR:",R) 517 | 518 | 519 | # TP,FN,FP,TN = ensemble(sess, env, X_test, X_adv, X_pca, X_adv_pca, x_decentra, X_adv_decentra, x_rand, X_adv_rand) 520 | # print("TP:",TP,"\nFN:",FN,"\nFP:",FP,"\nTN:",TN) 521 | 522 | 523 | 524 | """ 525 | #print('\nClean data PCA') 526 | #X_pca = data_pca(X_test,n_components = pca_components) 527 | 528 | #不同n的变化 529 | X_pca = [] 530 | for n in range(img_size): 531 | n += 1 532 | print('Origin data PCA for components = {0}'.format(n)) 533 | X_pca.append(data_pca(X_test,n_components = n)) 534 | 535 | #print('\nAdversarial data PCA') 536 | #X_adv_pca = data_pca(X_adv,n_components = pca_components) 537 | 538 | X_adv_pca = []#经过PCA处理的所有对抗样本的数组 539 | for n in range(img_size): 540 | n += 1 541 | print('Adversarial data PCA for components = {0}'.format(n)) 542 | X_adv_pca.append(data_pca(X_adv,n_components = n)) 543 | 544 | 545 | #画出四种MNIST图像 546 | plt.figure() 547 | plt.subplot(1,4,1) 548 | plt.imshow(np.reshape(X_test[0],[img_size,img_size]),cmap="binary") 549 | plt.subplot(1,4,2) 550 | plt.imshow(np.reshape(X_pca[0],[img_size,img_size]),cmap="binary") 551 | plt.subplot(1,4,3) 552 | plt.imshow(np.reshape(X_adv[0],[img_size,img_size]),cmap="binary") 553 | plt.subplot(1,4,4) 554 | plt.imshow(np.reshape(X_adv_pca[0],[img_size,img_size]),cmap="binary") 555 | plt.show() 556 | """ 557 | ################################################################################ 558 | 559 | # print('\nEvaluating on clean data') 560 | # evaluate(sess, env, X_test, y_test) 561 | # print('\nEvaluating on randomization clean data') 562 | # evaluate(sess, env, x_rand, y_test) 563 | # print('\nEvaluating on adversarial data') 564 | # evaluate(sess, env, X_adv, y_test) 565 | # print('\nEvaluating on randomization adversarial data') 566 | # evaluate(sess, env, X_adv_rand, y_test) 567 | 568 | 569 | # print('\nEvaluating on clean data') 570 | # evaluate(sess, env, X_test, y_test) 571 | # print('\nEvaluating on decentration clean data') 572 | # evaluate(sess, env, x_decentra, y_test) 573 | # print('\nEvaluating on adversarial data') 574 | # evaluate(sess, env, X_adv, y_test) 575 | # print('\nEvaluating on decentration adversarial data') 576 | # evaluate(sess, env, X_adv_decentra, y_test) 577 | 578 | 579 | """ 580 | plt.figure() 581 | plt.subplot(1,4,1) 582 | plt.imshow(np.reshape(X_test[0],[img_size,img_size]),cmap="binary") 583 | plt.subplot(1,4,2) 584 | plt.imshow(np.reshape(x_rand[0],[img_size,img_size]),cmap="binary") 585 | plt.subplot(1,4,3) 586 | plt.imshow(np.reshape(X_adv[0],[img_size,img_size]),cmap="binary") 587 | plt.subplot(1,4,4) 588 | plt.imshow(np.reshape(X_adv_rand[0],[img_size,img_size]),cmap="binary") 589 | plt.show() 590 | 591 | print('\nEvaluating on pca_clean data, components = {0}'.format(pca_components)) 592 | evaluate(sess, env, X_pca, y_test) 593 | 594 | clean_pca_acc = [] 595 | for index,X_pca_singal in enumerate(X_pca): 596 | print('Evaluating on clean data, components = {0}'.format(index)) 597 | loss,acc = evaluate(sess, env, X_pca_singal, y_test) 598 | clean_pca_acc.append(acc) 599 | 600 | print('\nEvaluating on pca_adv data, components = {0}'.format(pca_components)) 601 | evaluate(sess, env, X_adv_pca, y_test) 602 | 603 | adv_pca_acc = [] 604 | for index,X_adv_pca_singal in enumerate(X_adv_pca): 605 | print('Evaluating on pca_adv data, components = {0}'.format(index)) 606 | loss,acc = evaluate(sess, env, X_adv_pca_singal, y_test) 607 | adv_pca_acc.append(acc) 608 | """ 609 | """ 610 | #画出准确率随着N的变化的图像 611 | plt.figure() 612 | plt.subplot(1,2,1) 613 | plt.plot(clean_pca_acc) 614 | plt.subplot(1,2,2) 615 | plt.plot(adv_pca_acc) 616 | plt.show() 617 | """ 618 | ################################################################################ 619 | """ 620 | print('\nComparison of output between origin data and randomization data') 621 | 622 | y_clean = predict(sess, env, X_test) #(10000,10) 623 | y_rand = predict(sess, env, x_rand) 624 | y_adv = predict(sess, env, X_adv) 625 | y_adv_rand = predict(sess, env, X_adv_rand) 626 | 627 | #分析高斯随机前后输出的变化情况 628 | diff_clean = com_diff(y_clean,y_rand) 629 | diff_adv = com_diff(y_adv,y_adv_rand) 630 | print("经过高斯随机处理(方差0.4)后,真实样本分类发生改变的概率",diff_clean) 631 | print("经过高斯随机处理(方差0.4)后,对抗样本分类发生改变的概率",diff_adv) 632 | 633 | ################################################################################ 634 | 635 | print('\nComparison of output between origin data and decentration data') 636 | 637 | y_clean = predict(sess, env, X_test) #(10000,10) 638 | y_decentra = predict(sess, env, x_decentra) 639 | y_adv = predict(sess, env, X_adv) 640 | y_adv_decentra = predict(sess, env, X_adv_decentra) 641 | 642 | #分析去中心前后输出的变化情况 643 | diff_clean = com_diff(y_clean,y_decentra) 644 | diff_adv = com_diff(y_adv,y_adv_decentra) 645 | print("经过去中心化处理后,真实样本分类发生改变的概率",diff_clean) 646 | print("经过去中心化处理后,对抗样本分类发生改变的概率",diff_adv) 647 | 648 | ################################################################################ 649 | 650 | print('\nComparison of output between origin data and PCA data') 651 | 652 | y_clean = predict(sess, env, X_test) #(10000,10) 653 | y_pca = predict(sess, env, X_pca) 654 | y_adv = predict(sess, env, X_adv) 655 | y_adv_pca = predict(sess, env, X_adv_pca) 656 | 657 | #分析PCA前后输出的变化情况 658 | diff_clean = com_diff(y_clean,y_pca) 659 | diff_adv = com_diff(y_adv,y_adv_pca) 660 | print("经过PCA处理后,真实样本分类发生改变的概率",diff_clean," components =",pca_components) 661 | print("经过PCA处理后,对抗样本分类发生改变的概率",diff_adv," components =",pca_components) 662 | ################################### reducing color bits ############################################# 663 | # diff_clean_all = [] 664 | # diff_adv_all = [] 665 | # for bit_depth_1 in range(1,8): 666 | # x_redu_bit = reduce_color_bits(X_test,bit_depth = bit_depth_1 ) 667 | # x_adv_redu_bit = reduce_color_bits(X_adv,bit_depth = bit_depth_1) 668 | # y_clean = predict(sess, env, X_test) #(10000,10) 669 | # y_redu_bit = predict(sess, env, x_redu_bit) 670 | # y_adv = predict(sess, env, X_adv) 671 | # y_adv_redu_bit = predict(sess, env, x_adv_redu_bit) 672 | # diff_clean = com_diff(y_clean,y_redu_bit) 673 | # diff_adv = com_diff(y_adv,y_adv_redu_bit) 674 | # diff_clean_all.append(diff_clean) 675 | # diff_adv_all.append(diff_adv) 676 | # print("经过color reduce(bit_depth = {0})后,真实样本分类发生改变的概率".format(bit_depth_1),diff_clean) 677 | # print("经过color reduce(bit_depth = {0})后,对抗样本分类发生改变的概率".format(bit_depth_1),diff_adv) 678 | # plt.figure() 679 | # plt.plot(diff_clean_all) 680 | # plt.plot(diff_adv_all) 681 | # plt.show() 682 | #画出四种MNIST图像 683 | # plt.figure() 684 | # plt.subplot(1,4,1) 685 | # plt.imshow(np.reshape(X_test[0],[img_size,img_size]),cmap="binary") 686 | # plt.subplot(1,4,2) 687 | # plt.imshow(np.reshape(x_redu_bit[0],[img_size,img_size]),cmap="binary") 688 | # plt.subplot(1,4,3) 689 | # plt.imshow(np.reshape(X_adv[0],[img_size,img_size]),cmap="binary") 690 | # plt.subplot(1,4,4) 691 | # plt.imshow(np.reshape(x_adv_redu_bit[0],[img_size,img_size]),cmap="binary") 692 | # plt.show() 693 | 694 | # print("\nComparison of output between origin data and reduction color bits data") 695 | # y_clean = predict(sess, env, X_test) #(10000,10) 696 | # y_redu_bit = predict(sess, env, x_redu_bit) 697 | # y_adv = predict(sess, env, X_adv) 698 | # y_adv_redu_bit = predict(sess, env, x_adv_redu_bit) 699 | # diff_clean = com_diff(y_clean,y_redu_bit) 700 | # diff_adv = com_diff(y_adv,y_adv_redu_bit) 701 | # print("经过color reduce(bit_depth = {0})后,真实样本分类发生改变的概率".format(bit_depth),diff_clean) 702 | # print("经过color reduce(bit_depth = {0})后,对抗样本分类发生改变的概率".format(bit_depth),diff_adv) 703 | 704 | """ 705 | 706 | #随机抽取十个样本并打印图片 707 | # print('\nRandomly sample adversarial data from each category') 708 | # 709 | # z0 = np.argmax(y_test, axis=1) #正确label 710 | # 711 | # z1 = np.argmax(y_clean, axis=1) #测试label 712 | # z2 = np.argmax(y_adv, axis=1) #对抗样本label 713 | # 714 | # X_tmp = np.empty((10, 28, 28)) 715 | # y_tmp = np.empty((10, 10)) 716 | # for i in range(10): 717 | # print('Target {0}'.format(i)) 718 | # ind, = np.where(np.all([z0 == i, z1 == i, z2 != i], axis=0)) 719 | # cur = np.random.choice(ind) 720 | # X_tmp[i] = np.squeeze(X_adv[cur]) 721 | # y_tmp[i] = y_adv[cur] 722 | # 723 | # print('\nPlotting results',"*"*20) 724 | # 725 | # fig = plt.figure(figsize=(10, 1.2)) 726 | # gs = gridspec.GridSpec(1, 10, wspace=0.05, hspace=0.05) 727 | # 728 | # label = np.argmax(y_tmp, axis=1) 729 | # proba = np.max(y_tmp, axis=1) 730 | # for i in range(10): 731 | # ax = fig.add_subplot(gs[0, i]) 732 | # ax.imshow(X_tmp[i], cmap='gray', interpolation='none') 733 | # ax.set_xticks([]) 734 | # ax.set_yticks([]) 735 | # ax.set_xlabel('{0} ({1:.2f})'.format(label[i], proba[i]), 736 | # fontsize=12) 737 | # 738 | # print('\nSaving figure') 739 | # 740 | # gs.tight_layout(fig) 741 | # os.makedirs('img', exist_ok=True) 742 | # plt.savefig('img/fgsm_mnist.png') 743 | # #plt.show() 744 | -------------------------------------------------------------------------------- /Algorithms/fgsm_mnist_pca.py: -------------------------------------------------------------------------------- 1 | """ 2 | Dependencies: python3, tensorflow v1.4, numpy, matplotlib 3 | """ 4 | import os 5 | 6 | import numpy as np 7 | 8 | import matplotlib 9 | #matplotlib.use('Agg') # 设置Agg属性,可以让图形不显示,直接保存 10 | import matplotlib.pyplot as plt 11 | import matplotlib.gridspec as gridspec #可以自定义输出图形布局的库 12 | import keras 13 | import tensorflow as tf 14 | from sklearn import decomposition 15 | 16 | 17 | from fast_gradient import fgm 18 | 19 | 20 | img_size = 28 21 | img_chan = 1 22 | n_classes = 10 23 | pca_components = 10 24 | random = 0.5 25 | print("========================="*2) 26 | print('\nLoading MNIST') 27 | #读取mnist数据集 28 | 29 | mnist = keras.datasets.mnist 30 | #处理之前,X_train.shape : (60000,28,28) 31 | (X_train, y_train), (X_test, y_test) = mnist.load_data() 32 | #print("X_train",X_train.shape) 33 | #处理之后,X_train.shape : (60000,28,28,1) 34 | X_train = np.reshape(X_train, [-1, img_size, img_size, img_chan]) 35 | #print("X_train2",X_train.shape) 36 | #print(type(X_train)) 37 | X_train = X_train.astype(np.float32) / 255 38 | 39 | X_test = np.reshape(X_test, [-1, img_size, img_size, img_chan]) 40 | X_test = X_test.astype(np.float32) / 255 41 | #print("x_test",X_test[0].shape) 42 | 43 | #将MNIST标签变成one-hot表示 44 | to_categorical = keras.utils.to_categorical 45 | #print("y_train",y_train[0]) 46 | y_train = to_categorical(y_train) 47 | y_test = to_categorical(y_test) 48 | #print("y_train",y_train[0]) 49 | 50 | print("=========================") 51 | print('\nSpliting data') 52 | 53 | #随机改变array的次序 54 | #X_train.shape:(60000,28,28,1) 55 | # X_train.shape[0] = 60000 56 | ind = np.random.permutation(X_train.shape[0]) 57 | #随机化X_train和y_train的顺序 58 | X_train, y_train = X_train[ind], y_train[ind] 59 | 60 | #从训练集中分出10%作为验证集 61 | VALIDATION_SPLIT = 0.1 62 | n = int(X_train.shape[0] * (1-VALIDATION_SPLIT)) 63 | #n = 5400 64 | X_valid = X_train[n:] 65 | X_train = X_train[:n] 66 | y_valid = y_train[n:] 67 | y_train = y_train[:n] 68 | 69 | 70 | print('\nConstruction graph') 71 | 72 | """ 73 | 定义一个分类模型: 74 | 注意在这里的with语句和python中的其他地方with语句不一样,执行完毕之后conv0/和conv1/等空间还是在内存中,如果再次执行with tf.variable_scope('conv0'),就会生成名为conv0_1的空间。但是可以通过with tf.variable_scope('conv0',reuse=True)共享变量空间 75 | """ 76 | def model(x, logits=False, training=False): 77 | with tf.variable_scope('conv0'): 78 | z = tf.layers.conv2d(x, filters=32, kernel_size=[3, 3], 79 | padding='same', activation=tf.nn.relu) 80 | z = tf.layers.max_pooling2d(z, pool_size=[2, 2], strides=2) 81 | 82 | with tf.variable_scope('conv1'): 83 | z = tf.layers.conv2d(z, filters=64, kernel_size=[3, 3], 84 | padding='same', activation=tf.nn.relu) 85 | z = tf.layers.max_pooling2d(z, pool_size=[2, 2], strides=2) 86 | 87 | with tf.variable_scope('flatten'): 88 | shape = z.get_shape().as_list() 89 | z = tf.reshape(z, [-1, np.prod(shape[1:])]) 90 | 91 | with tf.variable_scope('mlp'): 92 | z = tf.layers.dense(z, units=128, activation=tf.nn.relu) 93 | #tf.layers.dropout()中的training参数:Whether to return the output in training mode (apply dropout) or in inference mode (return the input untouched). 94 | z = tf.layers.dropout(z, rate=0.25, training=training) 95 | 96 | logits_ = tf.layers.dense(z, units=10, name='logits') 97 | y = tf.nn.softmax(logits_, name='ybar') 98 | #根据ligits的值决定模型是返回最终的分类值y还是模型最后输出层的值。 99 | if logits: 100 | return y, logits_ 101 | return y 102 | 103 | 104 | class Dummy: 105 | """ 106 | x : tf.placeholder(tf.float32, (None, img_size, img_size, img_chan),name='x') 107 | y : tf.placeholder(tf.float32, (None, n_classes), name='y') 108 | training : tf.placeholder_with_default(False, (), name='mode') 109 | ybar : model(env.x, logits=True, training=env.training) 110 | acc : tf.reduce_mean(tf.cast(count, tf.float32), name='acc') 111 | loss : tf.reduce_mean(xent, name='loss') 112 | train_op : optimizer.minimize(env.loss) 113 | saver : tf.train.Saver() 114 | fgsm_eps : tf.placeholder(tf.float32, (), name='fgsm_eps') 学习率 115 | fgsm_epochs : tf.placeholder(tf.int32, (), name='fgsm_epochs') 迭代次数 116 | x_fgsm : fgm(model, env.x, epochs=env.fgsm_epochs, eps=env.fgsm_eps) 117 | 118 | """ 119 | pass 120 | 121 | 122 | env = Dummy() 123 | 124 | 125 | with tf.variable_scope('model'): 126 | env.x = tf.placeholder(tf.float32, (None, img_size, img_size, img_chan), 127 | name='x') 128 | env.y = tf.placeholder(tf.float32, (None, n_classes), name='y') 129 | env.training = tf.placeholder_with_default(False, (), name='mode') 130 | 131 | env.ybar, logits = model(env.x, logits=True, training=env.training) 132 | 133 | with tf.variable_scope('acc'): 134 | count = tf.equal(tf.argmax(env.y, axis=1), tf.argmax(env.ybar, axis=1)) 135 | env.acc = tf.reduce_mean(tf.cast(count, tf.float32), name='acc') 136 | 137 | with tf.variable_scope('loss'): 138 | xent = tf.nn.softmax_cross_entropy_with_logits(labels=env.y, 139 | logits=logits) 140 | env.loss = tf.reduce_mean(xent, name='loss') 141 | 142 | with tf.variable_scope('train_op'): 143 | optimizer = tf.train.AdamOptimizer() 144 | env.train_op = optimizer.minimize(env.loss) 145 | 146 | env.saver = tf.train.Saver() 147 | 148 | with tf.variable_scope('model', reuse=True): 149 | env.fgsm_eps = tf.placeholder(tf.float32, (), name='fgsm_eps') 150 | env.fgsm_epochs = tf.placeholder(tf.int32, (), name='fgsm_epochs') 151 | env.x_fgsm = fgm(model, env.x, epochs=env.fgsm_epochs, eps=env.fgsm_eps) 152 | 153 | print('\nInitializing graph') 154 | 155 | sess = tf.InteractiveSession() 156 | sess.run(tf.global_variables_initializer()) 157 | sess.run(tf.local_variables_initializer()) 158 | 159 | 160 | def evaluate(sess, env, X_data, y_data, batch_size=128): 161 | """ 162 | Evaluate TF model by running env.loss and env.acc. 163 | """ 164 | print('Evaluating') 165 | 166 | n_sample = X_data.shape[0] 167 | n_batch = int((n_sample+batch_size-1) / batch_size) 168 | loss, acc = 0, 0 169 | 170 | for batch in range(n_batch): 171 | print(' batch {0}/{1}'.format(batch + 1, n_batch), end='\r') 172 | start = batch * batch_size 173 | end = min(n_sample, start + batch_size) 174 | cnt = end - start 175 | batch_loss, batch_acc = sess.run( 176 | [env.loss, env.acc], 177 | feed_dict={env.x: X_data[start:end], 178 | env.y: y_data[start:end]}) 179 | loss += batch_loss * cnt 180 | acc += batch_acc * cnt 181 | loss /= n_sample 182 | acc /= n_sample 183 | 184 | print(' loss: {0:.4f} acc: {1:.4f}'.format(loss, acc)) 185 | return loss, acc 186 | 187 | 188 | 189 | 190 | def train(sess, env, X_data, y_data, X_valid=None, y_valid=None, epochs=1, 191 | load=False, shuffle=True, batch_size=128, name='model'): 192 | """ 193 | Train a TF model by running env.train_op. 194 | """ 195 | if load: 196 | if not hasattr(env, 'saver'): 197 | return print('\nError: cannot find saver op') 198 | print('\nLoading saved model') 199 | return env.saver.restore(sess, 'model/{}'.format(name)) 200 | 201 | print('\nTrain model') 202 | n_sample = X_data.shape[0] 203 | n_batch = int((n_sample+batch_size-1) / batch_size) 204 | for epoch in range(epochs): 205 | print('\nEpoch {0}/{1}'.format(epoch + 1, epochs)) 206 | 207 | if shuffle: 208 | print('\nShuffling data') 209 | ind = np.arange(n_sample) 210 | np.random.shuffle(ind) 211 | X_data = X_data[ind] 212 | y_data = y_data[ind] 213 | 214 | for batch in range(n_batch): 215 | print(' batch {0}/{1}'.format(batch + 1, n_batch), end='\r') 216 | start = batch * batch_size 217 | end = min(n_sample, start + batch_size) 218 | sess.run(env.train_op, feed_dict={env.x: X_data[start:end], 219 | env.y: y_data[start:end], 220 | env.training: True}) 221 | if X_valid is not None: 222 | evaluate(sess, env, X_valid, y_valid) 223 | 224 | if hasattr(env, 'saver'): 225 | print('\n Saving model') 226 | os.makedirs('model', exist_ok=True) 227 | env.saver.save(sess, 'model/{}'.format(name)) 228 | 229 | 230 | def predict(sess, env, X_data, batch_size=128): 231 | """ 232 | Do inference by running env.ybar. 233 | """ 234 | print('\nPredicting') 235 | n_classes = env.ybar.get_shape().as_list()[1] 236 | 237 | n_sample = X_data.shape[0] 238 | n_batch = int((n_sample+batch_size-1) / batch_size) 239 | yval = np.empty((n_sample, n_classes)) 240 | 241 | for batch in range(n_batch): 242 | print(' batch {0}/{1}'.format(batch + 1, n_batch), end='\r') 243 | start = batch * batch_size 244 | end = min(n_sample, start + batch_size) 245 | y_batch = sess.run(env.ybar, feed_dict={env.x: X_data[start:end]}) 246 | yval[start:end] = y_batch 247 | print() 248 | return yval 249 | 250 | 251 | def make_fgsm(sess, env, X_data, epochs=1, eps=0.01, batch_size=128): 252 | """ 253 | Generate FGSM by running env.x_fgsm. 254 | """ 255 | print('\nMaking adversarials via FGSM') 256 | 257 | n_sample = X_data.shape[0] 258 | n_batch = int((n_sample + batch_size - 1) / batch_size) 259 | X_adv = np.empty_like(X_data) 260 | 261 | for batch in range(n_batch): 262 | print(' batch {0}/{1}'.format(batch + 1, n_batch), end='\r') 263 | start = batch * batch_size 264 | end = min(n_sample, start + batch_size) 265 | adv = sess.run(env.x_fgsm, feed_dict={ 266 | env.x: X_data[start:end], 267 | env.fgsm_eps: eps, 268 | env.fgsm_epochs: epochs}) 269 | X_adv[start:end] = adv 270 | print() 271 | 272 | return X_adv 273 | ################################################################################ 274 | def com_diff(y,y_pca): 275 | """ 276 | PCA前后的输出变化率 277 | """ 278 | z_y = np.argmax(y,axis=1) 279 | z_pca = np.argmax(y_pca,axis=1) 280 | n_samples = y.shape[0] 281 | diff_ori_pca = 0 282 | for index in range(n_samples): 283 | if z_y[index] != z_pca[index]: 284 | diff_ori_pca += 1 285 | diff_ori_pca /= n_samples 286 | return diff_ori_pca 287 | ################################################################################ 288 | def data_pca(X_data,n_components=5,zero = True,average = False,batch_size=128): 289 | """ 290 | 给一个28*28*1的输入,通过PCA处理 291 | 292 | X_test:(10000,28,28,1) 293 | 294 | """ 295 | #转成(10000,28,28) 296 | X_data = np.reshape(X_data,[-1, img_size,img_size]) 297 | pca = decomposition.PCA(n_components) 298 | 299 | n_sample = X_data.shape[0]#10000 300 | x_pca = np.empty_like(X_data)#tensor 301 | 302 | for sample in range(n_sample): 303 | print('pca {0}/{1}'.format(sample+1,n_sample),end='\r') 304 | model = pca.fit(X_data[sample]) 305 | #print(pca.explained_variance_ratio_) 306 | z = model.transform(X_data[sample]) 307 | #先降维,然后数据恢复 308 | ureduce = model.components_ 309 | x_rec = np.dot(z,ureduce) 310 | x_pca[sample] = x_rec 311 | #break 312 | #print(x_pca.shape) 313 | x_pca = np.reshape(x_pca,[-1, img_size, img_size, img_chan]) 314 | return x_pca 315 | 316 | ################################################################################ 317 | def decentra_data(X_test): 318 | """ 319 | 给一个10000*28*28*1的输入,各自减去平均值 320 | """ 321 | X_test = np.reshape(X_test,[-1, img_size,img_size]) 322 | n_sample = X_test.shape[0]#10000 323 | #print() 324 | x_decentra = np.empty_like(X_test) 325 | X_data = np.copy(X_test) 326 | for sample in range(n_sample): 327 | print('Decentration: {0}/{1}'.format(sample+1,n_sample),end='\r') 328 | input_pixel = np.reshape(X_data[sample],[-1]) 329 | #print(input_pixel.shape) 330 | sum = 0 331 | #print(input_pixel) 332 | for pixel in input_pixel: 333 | sum += pixel 334 | average = sum /(img_size*img_size) 335 | #print('average',average) 336 | for index in range(img_size*img_size): 337 | input_pixel[index] -= average 338 | #print(input_pixel) 339 | #print(input_pixel.shape) 340 | x_decentra[sample] = np.reshape(input_pixel,[img_size,img_size]) 341 | 342 | #break 343 | # print(X_test[0]) 344 | # print('--------------') 345 | # print(x_decentra[0]) 346 | 347 | x_decentra = np.reshape(x_decentra,[-1, img_size, img_size, img_chan]) 348 | 349 | return x_decentra 350 | ################################################################################ 351 | def random(X_test,gauss = True,randmax = 0.1): 352 | """ 353 | 随机高斯噪声 354 | """ 355 | X_test = np.reshape(X_test,[-1, img_size,img_size]) 356 | n_sample = X_test.shape[0]#10000 357 | x_random = np.empty_like(X_test) 358 | X_data = np.copy(X_test) 359 | for sample in range(n_sample): 360 | print('Randomization: {0}/{1}'.format(sample+1,n_sample),end='\r') 361 | input_pixel = np.reshape(X_data[sample],[-1]) 362 | sum = 0 363 | #print(input_pixel) 364 | # for pixel in input_pixel: 365 | # sum += pixel 366 | # average = sum /(img_size*img_size) 367 | 368 | for index in range(img_size*img_size): 369 | input_pixel[index] += np.random.normal(loc=0, scale=0.4, size=None) 370 | x_random[sample] = np.reshape(input_pixel,[img_size,img_size]) 371 | x_random = np.reshape(x_random,[-1, img_size, img_size, img_chan]) 372 | return x_random 373 | ################################################################################ 374 | def ensemble(sess,env,x_test,x_adv,x_pca,x_adv_pca,x_decentra,x_adv_decentra,x_rand,x_adv_rand): 375 | """ 376 | 综合利用三种处理方法检测对抗样本 377 | """ 378 | y_clean = predict(sess, env, x_test) 379 | y_adv = predict(sess, env, x_adv) 380 | z_clean = np.argmax(y_clean,axis=1) 381 | z_adv = np.argmax(y_adv,axis=1) 382 | 383 | y_pca = predict(sess, env, x_pca) 384 | y_adv_pca = predict(sess, env, x_adv_pca) 385 | z_pca = np.argmax(y_pca,axis=1) 386 | z_adv_pca = np.argmax(y_adv_pca,axis=1) 387 | 388 | y_decentra = predict(sess, env, x_decentra) 389 | y_adv_decentra = predict(sess, env, x_adv_decentra) 390 | z_decentra = np.argmax(y_decentra,axis=1) 391 | z_adv_decentra = np.argmax(y_adv_decentra,axis=1) 392 | 393 | y_rand = predict(sess, env, x_rand) 394 | y_adv_rand = predict(sess, env, x_adv_rand) 395 | z_rand = np.argmax(y_rand,axis=1) 396 | z_adv_rand = np.argmax(y_adv_rand,axis=1) 397 | 398 | n_samples = y_clean.shape[0] 399 | TP = 0 400 | FN = 0 401 | FP = 0 402 | TN = 0 403 | 404 | for index in range(n_samples): 405 | if z_clean[index] == z_pca[index] and z_clean[index] == z_decentra[index] and z_clean[index] == z_rand[index]: 406 | TP += 1 407 | if z_adv[index] == z_adv_pca[index] and z_adv[index] == z_adv_decentra[index] and z_adv[index] == z_adv_rand[index]: 408 | FP += 1 409 | FN, TN = n_samples - TP, n_samples - FP 410 | 411 | #return TP/n_samples, FN/n_samples, FP/n_samples, TN/n_samples 412 | return TP,FN,FP,TN 413 | ################################################################################ 414 | print('\nTraining') 415 | 416 | #是否需要重新训练 417 | train(sess, env, X_train, y_train, X_valid, y_valid, load=True, epochs=5,name='mnist') 418 | #train(sess, env, X_train, y_train, X_valid, y_valid, load=False, epochs=5, name='mnist') 419 | 420 | print('\nGenerating adversarial data') 421 | 422 | X_adv = make_fgsm(sess, env, X_test, eps=0.02, epochs=12) 423 | 424 | print('\nGenerating PCA data') 425 | X_pca = data_pca(X_test,n_components = pca_components) 426 | X_adv_pca = data_pca(X_adv,n_components = pca_components) 427 | 428 | print('\nGenerating decenration data') 429 | x_decentra = decentra_data(X_test) 430 | X_adv_decentra = decentra_data(X_adv) 431 | 432 | print('\nGenerating randomization data') 433 | x_rand = random(X_test) 434 | X_adv_rand = random(X_adv) 435 | # print(X_test[0][0]) 436 | # print(x_rand[0][0]) 437 | TP,FN,FP,TN = ensemble(sess, env, X_test, X_adv, X_pca, X_adv_pca, x_decentra, X_adv_decentra, x_rand, X_adv_rand) 438 | print("TP:",TP,"\nFN:",FN,"\nFP:",FP,"\nTN:",TN) 439 | 440 | """ 441 | #print('\nClean data PCA') 442 | #X_pca = data_pca(X_test,n_components = pca_components) 443 | 444 | #不同n的变化 445 | X_pca = [] 446 | for n in range(img_size): 447 | n += 1 448 | print('Origin data PCA for components = {0}'.format(n)) 449 | X_pca.append(data_pca(X_test,n_components = n)) 450 | 451 | #print('\nAdversarial data PCA') 452 | #X_adv_pca = data_pca(X_adv,n_components = pca_components) 453 | 454 | X_adv_pca = []#经过PCA处理的所有对抗样本的数组 455 | for n in range(img_size): 456 | n += 1 457 | print('Adversarial data PCA for components = {0}'.format(n)) 458 | X_adv_pca.append(data_pca(X_adv,n_components = n)) 459 | 460 | 461 | #画出四种MNIST图像 462 | plt.figure() 463 | plt.subplot(1,4,1) 464 | plt.imshow(np.reshape(X_test[0],[img_size,img_size]),cmap="binary") 465 | plt.subplot(1,4,2) 466 | plt.imshow(np.reshape(X_pca[0],[img_size,img_size]),cmap="binary") 467 | plt.subplot(1,4,3) 468 | plt.imshow(np.reshape(X_adv[0],[img_size,img_size]),cmap="binary") 469 | plt.subplot(1,4,4) 470 | plt.imshow(np.reshape(X_adv_pca[0],[img_size,img_size]),cmap="binary") 471 | plt.show() 472 | """ 473 | ################################################################################ 474 | """ 475 | print('\nEvaluating on clean data') 476 | evaluate(sess, env, X_test, y_test) 477 | print('\nEvaluating on randomization clean data') 478 | evaluate(sess, env, x_rand, y_test) 479 | print('\nEvaluating on adversarial data') 480 | evaluate(sess, env, X_adv, y_test) 481 | print('\nEvaluating on randomization adversarial data') 482 | evaluate(sess, env, X_adv_rand, y_test) 483 | 484 | 485 | print('\nEvaluating on clean data') 486 | evaluate(sess, env, X_test, y_test) 487 | print('\nEvaluating on decentration clean data') 488 | evaluate(sess, env, x_decentra, y_test) 489 | print('\nEvaluating on adversarial data') 490 | evaluate(sess, env, X_adv, y_test) 491 | print('\nEvaluating on decentration adversarial data') 492 | evaluate(sess, env, X_adv_decentra, y_test) 493 | """ 494 | 495 | """ 496 | plt.figure() 497 | plt.subplot(1,4,1) 498 | plt.imshow(np.reshape(X_test[0],[img_size,img_size]),cmap="binary") 499 | plt.subplot(1,4,2) 500 | plt.imshow(np.reshape(x_rand[0],[img_size,img_size]),cmap="binary") 501 | plt.subplot(1,4,3) 502 | plt.imshow(np.reshape(X_adv[0],[img_size,img_size]),cmap="binary") 503 | plt.subplot(1,4,4) 504 | plt.imshow(np.reshape(X_adv_rand[0],[img_size,img_size]),cmap="binary") 505 | plt.show() 506 | 507 | print('\nEvaluating on pca_clean data, components = {0}'.format(pca_components)) 508 | evaluate(sess, env, X_pca, y_test) 509 | 510 | clean_pca_acc = [] 511 | for index,X_pca_singal in enumerate(X_pca): 512 | print('Evaluating on clean data, components = {0}'.format(index)) 513 | loss,acc = evaluate(sess, env, X_pca_singal, y_test) 514 | clean_pca_acc.append(acc) 515 | 516 | print('\nEvaluating on pca_adv data, components = {0}'.format(pca_components)) 517 | evaluate(sess, env, X_adv_pca, y_test) 518 | 519 | adv_pca_acc = [] 520 | for index,X_adv_pca_singal in enumerate(X_adv_pca): 521 | print('Evaluating on pca_adv data, components = {0}'.format(index)) 522 | loss,acc = evaluate(sess, env, X_adv_pca_singal, y_test) 523 | adv_pca_acc.append(acc) 524 | """ 525 | """ 526 | #画出准确率随着N的变化的图像 527 | plt.figure() 528 | plt.subplot(1,2,1) 529 | plt.plot(clean_pca_acc) 530 | plt.subplot(1,2,2) 531 | plt.plot(adv_pca_acc) 532 | plt.show() 533 | """ 534 | ################################################################################ 535 | """ 536 | print('\nComparison of output between origin data and randomization data') 537 | 538 | y_clean = predict(sess, env, X_test) #(10000,10) 539 | y_rand = predict(sess, env, x_rand) 540 | y_adv = predict(sess, env, X_adv) 541 | y_adv_rand = predict(sess, env, X_adv_rand) 542 | 543 | #分析高斯随机前后输出的变化情况 544 | diff_clean = com_diff(y_clean,y_rand) 545 | diff_adv = com_diff(y_adv,y_adv_rand) 546 | print("经过高斯随机处理(方差0.4)后,真实样本分类发生改变的概率",diff_clean) 547 | print("经过高斯随机处理(方差0.4)后,对抗样本分类发生改变的概率",diff_adv) 548 | 549 | ################################################################################ 550 | 551 | print('\nComparison of output between origin data and decentration data') 552 | 553 | y_clean = predict(sess, env, X_test) #(10000,10) 554 | y_decentra = predict(sess, env, x_decentra) 555 | y_adv = predict(sess, env, X_adv) 556 | y_adv_decentra = predict(sess, env, X_adv_decentra) 557 | 558 | #分析去中心前后输出的变化情况 559 | diff_clean = com_diff(y_clean,y_decentra) 560 | diff_adv = com_diff(y_adv,y_adv_decentra) 561 | print("经过去中心化处理后,真实样本分类发生改变的概率",diff_clean) 562 | print("经过去中心化处理后,对抗样本分类发生改变的概率",diff_adv) 563 | 564 | ################################################################################ 565 | 566 | print('\nComparison of output between origin data and PCA data') 567 | 568 | y_clean = predict(sess, env, X_test) #(10000,10) 569 | y_pca = predict(sess, env, X_pca) 570 | y_adv = predict(sess, env, X_adv) 571 | y_adv_pca = predict(sess, env, X_adv_pca) 572 | 573 | #分析PCA前后输出的变化情况 574 | diff_clean = com_diff(y_clean,y_pca) 575 | diff_adv = com_diff(y_adv,y_adv_pca) 576 | print("经过PCA处理后,真实样本分类发生改变的概率",diff_clean," components =",pca_components) 577 | print("经过PCA处理后,对抗样本分类发生改变的概率",diff_adv," components =",pca_components) 578 | 579 | 580 | 581 | #随机抽取十个样本并打印图片 582 | print('\nRandomly sample adversarial data from each category') 583 | 584 | z0 = np.argmax(y_test, axis=1) #正确label 585 | 586 | z1 = np.argmax(y_clean, axis=1) #测试label 587 | z2 = np.argmax(y_adv, axis=1) #对抗样本label 588 | 589 | X_tmp = np.empty((10, 28, 28)) 590 | y_tmp = np.empty((10, 10)) 591 | for i in range(10): 592 | print('Target {0}'.format(i)) 593 | ind, = np.where(np.all([z0 == i, z1 == i, z2 != i], axis=0)) 594 | cur = np.random.choice(ind) 595 | X_tmp[i] = np.squeeze(X_adv[cur]) 596 | y_tmp[i] = y_adv[cur] 597 | 598 | print('\nPlotting results',"*"*20) 599 | 600 | fig = plt.figure(figsize=(10, 1.2)) 601 | gs = gridspec.GridSpec(1, 10, wspace=0.05, hspace=0.05) 602 | 603 | label = np.argmax(y_tmp, axis=1) 604 | proba = np.max(y_tmp, axis=1) 605 | for i in range(10): 606 | ax = fig.add_subplot(gs[0, i]) 607 | ax.imshow(X_tmp[i], cmap='gray', interpolation='none') 608 | ax.set_xticks([]) 609 | ax.set_yticks([]) 610 | ax.set_xlabel('{0} ({1:.2f})'.format(label[i], proba[i]), 611 | fontsize=12) 612 | 613 | print('\nSaving figure') 614 | 615 | gs.tight_layout(fig) 616 | os.makedirs('img', exist_ok=True) 617 | plt.savefig('img/fgsm_mnist.png') 618 | #plt.show() 619 | """ 620 | -------------------------------------------------------------------------------- /Papers/000.Machine Learning in Adversarial Settings-PPT.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wufans/Adversarial-Attack-Algorithms/540fddc1213073acbe4188c71fd0e39e989f02a4/Papers/000.Machine Learning in Adversarial Settings-PPT.pdf -------------------------------------------------------------------------------- /Papers/1400.Evasion attacks against machine learning at test time.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wufans/Adversarial-Attack-Algorithms/540fddc1213073acbe4188c71fd0e39e989f02a4/Papers/1400.Evasion attacks against machine learning at test time.pdf -------------------------------------------------------------------------------- /Papers/README.md: -------------------------------------------------------------------------------- 1 | ## There are some papers of PDF form. 2 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Summary of papers in Adversarial Settings 2 | 3 | A comprehensive summary in this direction! 4 | 5 | --- 6 | ## Background of Deep Learning Security and applications of adversarial attack 7 | :white_check_mark: 000.Machine Learning in Adversarial Settings-PPT 8 | 9 | :white_check_mark: 0603.Can Machine Learning Be Secure 10 | 11 | :white_check_mark: 1100.Adversarial Machine Learning 12 | 13 | :white_check_mark: 1610.Accessorize to a Crime : Real and Stealthy Attacks on State-of-the-Art Face Recognition 14 | 15 | :white_check_mark: 1707.NO Need to Worry about Adversarial Examples in Object Detection in Autonomous Vehicles 16 | 17 | :white_check_mark: 1710.Standard detectors aren't (currently) fooled by physical adversarial stop signs 18 | 19 | --- 20 | ## Existence of adversarial examples 21 | :white_check_mark: 1500.Fundamental limits on adversarial robustness 22 | 23 | :white_check_mark: 1503.Explaining and Harnessing Adversarial Examples 24 | 25 | :white_check_mark: 1608.A Boundary Tilting Persepective on the Phenomenon of Adversarial Examples 26 | 27 | :white_check_mark: 1608.Robustness of classifiers:from adversarial to random noise 28 | 29 | :white_check_mark: 1705.Analysis of universal adversarial perturbations 30 | 31 | :white_check_mark: 1801.High Dimensional Spaces, Deep Learning and Adversarial Examples 32 | 33 | --- 34 | ## Attack Algorithms 35 | :white_check_mark: 1400.Evasion attacks against machine learning at test time 36 | 37 | :white_check_mark: 1402.Intriguing properties of neural networks 38 | 39 | :white_check_mark: 1503.Explaining and Harnessing Adversarial Examples 40 | 41 | :white_check_mark: 1504.Deep neural networks are easily fooled High confidence predictions for unrecognizable images 42 | 43 | :white_check_mark: 1507.Distributional Smoothing with Virtual Adversarial Training 44 | 45 | :white_check_mark: 1507.Manitest-Are classifiers really invariant 46 | 47 | :white_check_mark: 1510.Exploring the space of adversarial images 48 | 49 | :white_check_mark: 1510.The Limitations of Deep Learning in Adversarial Settings 50 | 51 | :white_check_mark: 1601.Adversarial Perturbations Against Deep Neural Networks for Malware Classification 52 | 53 | :white_check_mark: 1602.Practical Black-Box Attacks against Deep Learning Systems using Adversarial Examples 54 | 55 | :white_check_mark: 1605.Transferability in Machine Learning from Phenomena to Black-Box Attacks using Adversarial Samples 56 | 57 | :white_check_mark: 1607.DeepFool_ A Simple and Accurate Method to Fool Deep Neural Networks 58 | 59 | :white_check_mark: 1608.Stealing Machine Learning Models via Prediction APIs 60 | 61 | :white_check_mark: 1610.DeepDGA-Adversarially Tuned Domain Generation and Detection 62 | 63 | :white_check_mark: 1611.Delving into Transferable Adversarial Examples and Black-box Attacks 64 | 65 | :white_check_mark: 1612.Simple Black-Box Adversarial Perturbations for Deep Networks 66 | 67 | :white_check_mark: 1700.Concrete Problems for Autonomous Vehicle Safety_ Advantages of Bayesian Deep Learning 68 | 69 | :white_check_mark: 1701.Vulnerability of Deep Reinforcement Learning to Policy Induction Attacks 70 | 71 | :white_check_mark: 1702.Adversarial Attacks on Neural Network Policies 72 | 73 | :white_check_mark: 1702.Adversarial examples for generative models 74 | 75 | :white_check_mark: 1702.Adversarial examples in the physical world 76 | 77 | :white_check_mark: 1702.Adversarial machine learning at scale 78 | 79 | :white_check_mark: 1702.Generating Adversarial Malware Examples for Black-Box Attacks Based on GAN 80 | 81 | :white_check_mark: 1702.Towards Deep Learning Models Resistant to Adversarial Attacks 82 | 83 | :white_check_mark: 1703.Adversarial Transformation Networks: Learning to Generate Adversarial Examples 84 | 85 | :white_check_mark: 1703.Generative Poisoning Attack Method Against Neural Networks 86 | 87 | :white_check_mark: 1703.Notes on Adversarial Examples 88 | 89 | :white_check_mark: 1703.Tactics of Adversarial Attack on Deep Reinforcement Learning Agents 90 | 91 | :white_check_mark: 1703.Towards Evaluating the Robustness of Neural Networks 92 | 93 | :white_check_mark: 1703.Universal adversarial perturbations 94 | 95 | :white_check_mark: 1705.Analysis of universal adversarial perturbations 96 | 97 | :white_check_mark: 1705.Ensemble Adversarial Training Attacks and Defenses 98 | 99 | :white_check_mark: 1705.Generative Adversarial Trainer Defense to Adversarial Perturbations with GAN 100 | 101 | :white_check_mark: 1705.Stabilizing Adversarial Nets With Prediction Methods 102 | 103 | :white_check_mark: 1707.APE-GAN-- Adversarial Perturbation Elimination with GAN 104 | 105 | :white_check_mark: 1707.Evading Machine Learning Malware Detection 106 | 107 | :white_check_mark: 1707.Fast Feature Fool-A data independent approach to universal adversarial perturbations 108 | 109 | :white_check_mark: 1707.Robust Physical-World Attacks on Machine Learning Models 110 | 111 | :white_check_mark: 1707.Robust Physical-World Attacks on Deep Learning Visual Classification 112 | 113 | :white_check_mark: 1707.Synthesizing Robust Adversarial Examples 114 | 115 | :white_check_mark: 1708.Machine Learning as an Adversarial Service Learning Black-Box Adversarial Examples 116 | 117 | :white_check_mark: 1708.Proof of Work Without All the Work 118 | 119 | :white_check_mark: 1709.Can you fool AI with adversarial examples on a visual Turing test 120 | 121 | :white_check_mark: 1709.EAD Elastic Net Attacks to Deep Neural Networks via Adversarial Examples 122 | 123 | :white_check_mark: 1709.Ground-Truth Adversarial Examples 124 | 125 | :white_check_mark: 1710.One pixel attack for fooling deep neural networks 126 | 127 | :white_check_mark: 1711.Security Risks in Deep Learning Implementations 128 | 129 | :white_check_mark: 1712.Adversarial Patch 130 | 131 | :white_check_mark: 1712.Robust Deep Reinforcement Learning with Adversarial Attacks 132 | 133 | :white_check_mark: 1712.Targeted Backdoor Attacks on Deep Learning Systems Using Data Poisoning 134 | 135 | :white_check_mark: 1712.Where Classification Fails, Interpretation Rises 136 | 137 | :white_check_mark: 1801.Learning to Evade Static PE Machine Learning Malware Models via Reinforcement Learning 138 | 139 | :white_check_mark: 1801.LaVAN-Localized and Visible Adversarial Noise 140 | 141 | :white_check_mark: 1803.Improving Transferability of Adversarial Examples with Input Diversity 142 | 143 | --- 144 | ## Defence Strategies 145 | :white_check_mark: 1603.Distillation as a Defense to Adversarial Perturbations against Deep Neural Networks 146 | 147 | :white_check_mark: 1604.Improving the robustness of deep neural networks via stability training 148 | 149 | :white_check_mark: 1605.Adversarial Training Methods for Semi-Supervised Text Classification 150 | 151 | :white_check_mark: 1607.Defensive Distillation is Not Robust to Adversarial Examples 152 | 153 | :white_check_mark: 1608.A study of the effect of JPG compression on adversarial images 154 | 155 | :white_check_mark: 1610.Adversary Resistant Deep Neural Networks with an Application to Malware Detection 156 | 157 | :white_check_mark: 1703.Biologically inspired protection of deep networks from adversarial attacks 158 | 159 | :white_check_mark: 1704.Enhancing Robustness of Machine Learning Systems via Data Transformations 160 | 161 | :white_check_mark: 1704.Feature Squeezing Detecting Adversarial Examples in Deep Neural Networks 162 | 163 | :white_check_mark: 1705.Detecting Adversarial Examples in Deep Neural Networks 164 | 165 | :white_check_mark: 1705.Extending Defensive Distillation 166 | 167 | :white_check_mark: 1705.Feature Squeezing Mitigates and Detects Carlini Wagner Adversarial Examples 168 | 169 | :white_check_mark: 1705.Generative Adversarial Trainer Defense to Adversarial Perturbations with GAN 170 | 171 | :white_check_mark: 1705.MagNet-a Two-Pronged Defense against Adversarial Examples 172 | 173 | :white_check_mark: 1706.Adversarial Example Defenses :Ensembles of Weak Defenses are not Strong 174 | 175 | :white_check_mark: 1707.AE-GAN adversarial eliminating with GAN 176 | 177 | :white_check_mark: 1707.APE-GAN-- Adversarial Perturbation Elimination with GAN 178 | 179 | :white_check_mark: 1709.Mitigating Evasion Attacks to Deep Neural Networks via Region-based Classification 180 | 181 | :white_check_mark: 1711.Mitigating adversarial effects through randomization 182 | 183 | :white_check_mark: 1805.Defense-GAN: Protecting Classifiers Against Adversarial Attacks Using Generative Models 184 | 185 | --- 186 | ## Related survey researches 187 | :white_check_mark: 1606.Concrete Problems in AI Safety 188 | 189 | :white_check_mark: 1610.SoK Towards the Science of Security and Privacy in Machine Learning 190 | 191 | :white_check_mark: 1611.Towards the Science of Security and Privacy in Machine Learning 192 | 193 | :white_check_mark: 1707.A Survey on Resilient Machine Learning 194 | 195 | :white_check_mark: 1712.Adversarial Examples-Attacks and Defenses for Deep Learning 196 | 197 | :white_check_mark: 1801.Threat of Adversarial Attacks on Deep Learning in Computer Vision-A Survey 198 | 199 | :white_check_mark: 1802.Adversarial Risk and the Dangers of Evaluating Against Weak Attacks 200 | 201 | --- 202 | ## Detection papers 203 | :white_check_mark: 1612.Adversarial Examples Detection in Deep Networks with Convolutional Filter Statistics 204 | 205 | :white_check_mark: 1702.On Detecting Adversarial Perturbations 206 | 207 | :white_check_mark: 1702.On the (Statistical) Detection of Adversarial Examples 208 | 209 | :white_check_mark: 1703.Blocking Transferability of Adversarial Examples in Black-Box Learning Systems 210 | 211 | :white_check_mark: 1703.Detecting Adversarial Samples from Artifacts 212 | 213 | :white_check_mark: 1704.SafetyNet-Detecting and Rejecting Adversarial Examples Robustly 214 | 215 | :white_check_mark: 1705.Adversarial Examples Are Not Easily Detected-Bypassing Ten Detection Methods 216 | 217 | :white_check_mark: 1712.Defense against Adversarial Attacks Using High-Level Representation Guided Denoiser 218 | 219 | :white_check_mark: 1803.Detecting Adversarial Examples via Neural Fingerprinting 220 | 221 | --- 222 | ## Adversarial attack in physical world 223 | :white_check_mark: 1600.Accessorize to a Crime: Real and Stealthy Attacks on State-of-the-Art Face Recognition 224 | 225 | :white_check_mark: 1702.Adversarial examples in the physical world 226 | 227 | :white_check_mark: 1707.Robust Physical-World Attacks on Machine Learning Models 228 | 229 | :white_check_mark: 1707.NO Need to Worry about Adversarial Examples in Object Detection in Autonomous Vehicles 230 | 231 | :white_check_mark: 1707.Synthesizing Robust Adversarial Examples 232 | 233 | :white_check_mark: 1707.Robust Physical-World Attacks on Deep Learning Visual Classification 234 | 235 | :white_check_mark: 1710.Standard detectors aren’t (currently) fooled by physical adversarial stop signs 236 | 237 | :white_check_mark: 1801.Audio Adversarial Examples: Targeted Attacks on Speech-to-Text 238 | 239 | 240 | --- 241 | ## :book: (Updating)Adversarial Attack Reasearch in Security Areas 242 | 243 | :white_check_mark: 1606.Adversarial Perturbations Against Deep Neural Networks for Malware Classificationc 244 | 245 | :white_check_mark: 1705.Black-Box Attacks against RNN based Malware Detection Algorithms 246 | 247 | :white_check_mark: 1706.Automated Poisoning Attacks and Defenses in Malware Detection Systems:An Adversarial Machine Learning Approach 248 | 249 | :white_check_mark: 1707.Evading Machine Learning Malware Detection 250 | 251 | :white_check_mark: 1710.Malware Detection by Eating a Whole EXE 252 | 253 | :white_check_mark: 1712.Attack and Defense of Dynamic Analysis-Based, Adversarial Neural Malware Classification Models 254 | 255 | :white_check_mark: 1801.Learning to Evade Static PE Machine Learning Malware Models via Reinforcement Learning 256 | 257 | :white_check_mark: 1803.Adversarial Malware Binaries_ Evading Deep Learning for Malware Detection in Executables 258 | 259 | :white_check_mark: 1803.Malytics_ A Malware Detection Scheme 260 | 261 | :white_check_mark: 1804.Generic Black-Box End-to-End Attack against RNNs and Other API Calls Based Malware Classifiers 262 | 263 | :white_check_mark: 1805.Adversarial Attacks on Neural Networks for Graph Data 264 | 265 | :white_check_mark: 1810.Exploring Adversarial Examples in Malware Detection 266 | 267 | :white_check_mark: 1811.rsarial Examples for Malware Detection 268 | 269 | :white_check_mark: 1812.earning under Attack_ Vulnerability Exploitation and Security Measures 270 | 271 | -------------------------------------------------------------------------------- /dataset/README.md: -------------------------------------------------------------------------------- 1 | # 实验数据集整理 2 | 3 | ## 常用数据集 4 | - CIFAR 5 | 【A. Torralba and R. Fergus and W. T. Freeman, 80 Million Tiny Images: a Large Database for NonParametric Object and Scene Recognition, IEEE PAMI, 2008】 6 | - ImageNet 7 | 【Deng, Jia, Dong, Wei, Socher, Richard, jia Li, Li, Li, Kai, and Fei-fei, Li. Imagenet: A large-scale hierarchical image database. In In CVPR, 2009.】 8 | - MNIST 9 | 【LeCun, Y., Jackel, L., Bottou, L., Brunot, A., Cortes, C., Denker, J., Drucker,H., Guyon, I., M¨uller, U., S¨ackinger, E., Simard, P., Vapnik, V.: Comparison of learning algorithms for handwritten digit recognition. In: Int’l Conf. on Art. Neu.Net. pp. 53–60 (1995)】 10 | - Traffic sign 11 | 【STALLKAMP, J., SCHLIPSING, M., SALMEN, J., AND IGEL, C.Man vs. computer: Benchmarking machine learning algorithms for traffic sign recognition. Neural Networks, 0 (2012),.】 12 | - DREBIN Android恶意软件数据集 13 | (D. Arp, M. Spreitzenbarth, M. Hubner, H. Gascon, and K. Rieck. DREBIN: Effective and Explainable Detection of Android Malware in Your Pocket. In Proceedings of the 2014 Network and Distributed System Security Symposium(NDSS), 2014.) 14 | 15 | 16 | ## 安全领域整理的相关数据集 17 | 18 | ## 恶意软件/恶意文件/恶意邮件/ Cerber 勒索 19 | 20 | - A-1:恶意软件邮件地址:https://github.com/WSTNPHX/scripts-and-tools/blob/master/malware-email-addresses.txt(下载) 21 | - A-2: 恶意软件(exe文件)下载: http://vxvault.net/ViriList.php(爬虫) 22 | - A-3: 恶意软件域名列表:http://dns-bh.sagadc.org/dynamic_dns.txt(下载) 23 | - A-4: theZoo: theZoo是一个恶意软件分析的开源项目,目前由Shahak Shalev维护。该项目里面包含了几乎所有版本的恶意软件。GitHub - ytisf/theZoo: A repository of LIVE malwares for your own joy and pleasure 24 | - A-5:OpenMalware: http://www.offensivecomputing.net/ (DannyQuis发起的开源恶意软件搜索平台。) 25 | - A-6:Contagio: http://contagiodump.blogspot.com/ (Contagio是恶意软件收集平台,主要收集最新的恶意软件样本,威胁以及恶意软件分析) 26 | - A-7: MalShare: http://malshare.com/ (MalShare 旨在建立一个公共的恶意软件数据库,同时也提供一些工具) 27 | - A-8:MalwareBlacklist: http://www.malwareblacklist.com/showMDL.php (malwareblacklist收录了恶意软件的URL和样本) 28 | - A-9:VirusShare: VirusShare.com(这个网站提供恶意样本,恶意软件事件库,分析,和病毒样本的代码) 29 | ### Github上面的公开数据集: 30 | - A-10: https://github.com/ashishb/android-malware:安卓的恶意代码样本数据。 31 | - A-11 :https://github.com/RamadhanAmizudin/malware:各种恶意软件的源代码 32 | - A-12: https://github.com/Te-k/malware-classification:用CSV存储的恶意代码 33 | ### Kaggle关于Malware detection的挑战赛(都有对应数据集可供下载): 34 | - A-13: https://www.kaggle.com/nsaravana/malware-detection 35 | - A-14: https://www.kaggle.com/c/malware-classification 36 | - A-15: https://www.kaggle.com/c/ml-fall2016-android-malware 37 | - A-16: https://www.kaggle.com/c/adcg-2016-malware-anomaly-detection-w-peinfo 38 | 39 | ## 恶意域名url与钓鱼网站 40 | - B-1:Alexa收录知名网站域名:http://alexa.chinaz.com/(爬虫) 41 | - B-2:恶意网站以及对应的ip:http://cybercrime-tracker.net/all.php (下载) 42 | - B-3: ZeuS Tracker提供IP和域名黑名单: https://zeustracker.abuse.ch/blocklist.php(下载) 43 | - B-4: Malware domain list数据库: http://www.malwaredomainlist.com/ 44 | - B-5: 用流行僵尸程序样本生成恶意域名,比如Conficker, Strom, Kraken 45 | 46 | ## 网络流量信息 47 | - C-1:CISC 2010 48 | - C-2: Kdd99 49 | - C-3:CAIDA数据集http://www.caida.org/data(下载) 50 | - C-4:UNIBS数据集www.ing.unibs.it/ntw/tools/traces/index.php (下载) 51 | - C-5:WIDE数据集http://mawi.wide.ad.jp/mawi (下载) 52 | - C-6:WITS数据集www.wand.net.nz/wits (只能通过IPV6主机访问) 53 | 54 | ## 自动驾驶 55 | - D-1:交通标志牌:http://btsd.ethz.ch/shareddata/(下载) 56 | - D-2:德国交通标志牌:http://benchmark.ini.rub.de/?section=gtsrb&subsection=dataset(下载) 57 | - D-3: KITTI :很知名的数据集 数据集链接 http://www.cvlibs.net/datasets/kitti/ 58 | - D-4:Oxford RobotCar :对牛津的一部分连续的道路进行了上百次数据采集,收集到了多种天气、行人和交通情况下的数据,也有建筑和道路施工时的数据。1000小时以上。 数据集链接 http://robotcar-dataset.robots.ox.ac.uk/datasets/ 59 | - D-5:Cityscape :一个面向城市道路街景语义理解的数据集 60 | 数据集链接 https://www.cityscapes-dataset.com/ 61 | - D-6:Comma.ai :geohot创办的comma.ai的数据集,80G左右 62 | 数据集链接 https://github.com/commaai/research 63 | - D-7:Udacity 64 | 数据集链接 https://github.com/udacity/self-driving-car/tree/master/datasets 65 | 也有模拟器 66 | - D-8:BDDV 67 | Berkeley的大规模自动驾驶视频数据集 68 | 数据集链接 http://data-bdd.berkeley.edu/#video 69 | - D-9:GTA 70 | grand theft auto游戏 71 | 网站链接 http://www.rockstargames.com/grandtheftauto/ 72 | - D-10:TORCS 73 | The Open Racing Car Simulator 74 | 数据集链接 http://torcs.sourceforge.net/ 75 | - D-11:CARLA 76 | Intel和丰田共同推出的一个开源的模拟器 77 | 数据集链接 http://carla.org/ 78 | 代码链接 https://github.com/carla-simulator/carla 79 | 80 | ## 噪音与隐藏指令(攻击用语音指令数据集训练的模型) 81 | - F-1: 谷歌语音命令数据集地址: 82 | http://download.tensorflow.org/data/speech_commands_v0.01.tar.gz (下载) 83 | --------------------------------------------------------------------------------