Federico Zanotti (ID: 2007716) - Lorenzo Corrado (ID: 2020623)

# Zeroth Order Methods for Adversarial Machine Learning
### Optimization for Data Science Project

September 16, 2021







## Import and Data preparation


In [None]:
# Import the libraries
import numpy as np
import matplotlib.pyplot as plt
import tensorflow as tf
from tensorflow import keras
from tensorflow.keras import layers
from keras import backend as K
from keras.optimizers import Optimizer
from keras.models import Model
from scipy.special import softmax
from scipy.optimize import minimize
from scipy.special import softmax
from tqdm import tqdm
import random
import gzip
import urllib.request
import time
import warnings
import os
from prettytable import PrettyTable


# Remove warnings in output
warnings.filterwarnings("ignore")

# Set seed
np.random.seed([2021])

In [None]:
# Download MNIST dataset
(x_train, y_train), (x_test, y_test) = tf.keras.datasets.mnist.load_data(path="mnist.npz")

# Model/data parameters
num_classes = 10
input_shape = (784,)

# Scale images in [0,1] range
x_train = x_train.astype("float32")/255
x_test = x_test.astype("float32")/255

# Make sure images have shape (28,28,1)
# x_train = np.expand_dims(x_train, -1)
# x_test = np.expand_dims(x_test, -1)

x_train = x_train.reshape((60000, 784))
x_test = x_test.reshape((10000, 784))

# Splitting training set in training and valid
validation_size = 5000

x_val = x_train[:validation_size]
y_val = y_train[:validation_size]
x_train = x_train[validation_size:]
y_train = y_train[validation_size:]

# One-hot encoding
y_train = keras.utils.to_categorical(y_train, num_classes)
y_val = keras.utils.to_categorical(y_val, num_classes)
y_test = keras.utils.to_categorical(y_test, num_classes)

In [None]:
# Define DNN architecture
model = keras.Sequential()
model.add(tf.keras.Input(shape=input_shape))
model.add(tf.keras.layers.Reshape((28,28,1), input_shape=input_shape))
model.add(tf.keras.layers.Conv2D(32, kernel_size=(3, 3), activation="relu"))
model.add(tf.keras.layers.Conv2D(32, kernel_size=(3, 3), activation="relu"))
model.add(tf.keras.layers.MaxPooling2D(pool_size=(2, 2)))
model.add(tf.keras.layers.Conv2D(64, kernel_size=(3, 3), activation="relu"))
model.add(tf.keras.layers.Conv2D(64, kernel_size=(3, 3), activation="relu"))
model.add(tf.keras.layers.MaxPooling2D(pool_size=(2, 2)))
model.add(tf.keras.layers.Flatten())
model.add(tf.keras.layers.Dense(200, activation="relu"))
model.add(tf.keras.layers.Dense(200, activation="relu"))
model.add(tf.keras.layers.Dense(num_classes, name="last_dense"))
model.add(tf.keras.layers.Activation("softmax"))

In [None]:
# # Take the output of the last layer before the softmax operation
dnn = Model(inputs=model.input, outputs=model.get_layer("last_dense").output)

In [None]:
model.compile(loss="categorical_crossentropy", optimizer="adam", metrics=["accuracy"])

## github link: https://github.com/IBM/ZOSVRG-BlackBox-Adv/tree/master/models
## Loads the weights
path = "/content/mnist"
if os.path.isfile(path):
  model.load_weights(path) 

else:
  print(f"file {path} does not exist")



## Utility Function

In [None]:
# Definition of the objective function to be minimized #(FOR ALL THE SAMPLES)
def F(x, y_true):
  """
  Loss function for all the examples

  Input:
  - x: images
  - y_true: true labels of the images

  """
  f = dnn.predict(x)
  f_yi = np.max(f*y_true, axis=1)
  f_j = np.max(f*np.where(y_true == 1, -1e10, 1), axis=1)
  
  return np.mean(np.where(f_yi - f_j > 0, f_yi - f_j, 0))

def F_Par(x, y_true):
  """
  Loss function for only one example

  Input:
  - x: image
  - y: true label of the image

  """
  f = dnn.predict(x)
  f_yi = np.max(f*y_true, axis=1)
  f_j = np.max(f*np.where(y_true == 1, -1e10, 1), axis=1)

  return np.where(f_yi-f_j > 0, f_yi-f_j, 0)

In [None]:
# Extract n images from the same class
def extract_images(n, c):
  """
  Extract some images of the same class

  Input:
  - n: number of images to extract
  - c: label

  """
  x_extr = np.copy(x_test[y_test.argmax(axis=1)==c][:n])
  y_extr = np.copy(y_test[y_test.argmax(axis=1)==c][:n])
  
  return x_extr, y_extr

In [None]:
def get_data(n, c):
  """

  Get n images of same class 

  Input:
  -n: sample size
  -c: label of image

  """
  img_in, y_true_in = extract_images(n,c)
  x_ori = np.copy(img_in)
  x = np.copy(x_ori)
  return x, x_ori, y_true_in 

In [None]:
def stop_attack(x, y_true):
  """ 
  Stopping criterion

  Input: 
  - x: images
  - y_true: true label of images

  """
  success = dnn.predict(x).argmax(axis=1)
  return sum(success==y_true.argmax(axis=1))==0


In [None]:
def RandGradEst(x, y_true, v):
  """
  Two-point (gaussian) random gradient estimator

  Input:
  - x: image
  - y_true: true label of the image
  - v: smoothing parameter 
  """
  u = np.random.standard_normal((1,d))
  F_plus = F(x + v*u, y_true)
  F_ = F(x, y_true)
  
  return (d/v)*(F_plus - F_)*u

In [None]:
def Avg_RandGradEst(x, y_true, q, v):
  """
  Averaged (gaussian) random gradient estimator

  Input:
  - x: image
  - y_true: true label of the image
  - q: number of random directions
  - v: smoothing parameter
  """
  g = 0
  u = np.random.standard_normal((q,d))
  F_ = F(x, y_true)
  for j in range(q):
    F_plus = F(x + v*u[j], y_true)
    g = g + (F_plus - F_)*u[j]

  return (d/(v*q))*g

In [None]:
def CoordGradEst(x, y_true, mu):
  """
  Coordinate-wise gradient estimator
  
  Input:
  - x: images
  - y_true: true labels of the images
  - mu: smoothing parameter

  """
  q = 0
  for j in tqdm(range(d)):
    F_plus = F(x + mu*e(j,d), y_true)
    F_minus = F(x - mu*e(j,d), y_true)
    diff = F_plus - F_minus
    q = q + (diff)*e(j,d)
   
  return q/(2*mu)

In [None]:
def attack_success_rate(x, y):
  """
  Calculate in percentage the Attack Success Rate of x

  Input:
  - x: images
  - y: true labels of images
  """
  predicted=softmax(dnn.predict(x)).argmax(axis=1)
  # print(predicted)
  true_values=y.argmax(axis=1)
  adversarial=len(predicted)-sum(predicted==true_values)
  wrong_label=(adversarial/len(predicted))*100
  return round(wrong_label,1)


In [None]:
def plot_all(loss_ZSCG, loss_FZFW, loss_FZCGS, epochs, n, title="",savefig=""):
  """
  Utility function to plot the loss of three algorithms
  
  Input:
  - loss_ZSCG: loss of methods ZSCG
  - loss_FZFW: loss of methods FZFW
  - loss_FZSCG: loss of methods FZSCG
  - epochs: number of iterations
  - n: sample size

  """
  plt.figure(figsize=(10,8))
  plt.plot(loss_ZSCG, label=f"ZSCG with {n} examples")
  plt.plot(loss_FZFW, label=f"FZFW with {n} examples")
  plt.plot(loss_FZCGS, label=f"FZCGS with {n} examples")
  plt.grid("on")
  plt.legend()
  plt.xticks(np.arange(0,epochs+10,10))
  plt.xlabel("# iterations")
  plt.ylabel("loss")
  if title!="":
    plt.title(title)
  if savefig != "":
    plt.savefig(savefig)
  plt.show()



In [None]:
def nice_table(x_mod, y_true, param1, param2):
  """
  Utility function to visualize a nice plot for the grid search of Hyperparams
  
  Input:
  - x_mod: images perturbated
  - y_true: true label of images
  - param1: (name of param1, value of param1)
  - param1: (name of param2, value of param2)
  """
  param1_list = param1[1]
  param2_list = param2[1]
  j=0
  i=0
  t= PrettyTable([param1[0], param2[0], "ASR (%)"])
  for el in x_mod:
    asr=attack_success_rate(el, y_true)
    if i==len(param2_list):
      i=0
      p2 = param2_list[i]
      j +=1
      p1=param1_list[j]
    else:
      p2 = param2_list[i]
      p1=param1_list[j]
    i +=1
    
    t.add_row([f" {p1}", f" {p2}", asr])
  return t

## Algorithm 1. Zeroth-Order Stochastic Conditional Gradient Method (ZSCG)

K. Balasubramanian et al., 2018.

In [None]:
def Avg_RandGradEst_Par(x, y_true, q, v, d):
  """
  Averaged (gaussian) random gradient estimator in parallel

  Input:
  - x: image
  - y_true: true label of the image
  - q: number of random directions
  - v: smoothing parameter
  """
  g = 0
  u = np.random.standard_normal((q,d))
  x_par_plus = np.array([x + v*u[j] for j in range(q)]).reshape((q,d))
  diff = F_Par(x_par_plus, y_true) - F(x, y_true)

  for j in range(q):
    g = g + (diff[j]/v) * u[j] 
  
  return (d/(q*v))*g

In [None]:
def ZSCG(N, d, s, m_k, x, y_true_in,v=-1,alpha=-1, B=1,verbose=True, clip=False):
  """

  Zeroth-Order Stochastic Gradient Method

  Input:
  - N: number of epochs
  - d: dimension of data
  - s: distorsion
  - x: images
  - y_true_in: true label of images
  - v: smoothing parameter 
  - alpha: step size
  - B: parameter of convergence theory
  - verbose: True/False for printing computations
  - clip: True/False activate clipping
  
  """
  if v==-1:
    v = np.sqrt(2/(N*(d+3)**3))
  if alpha==-1:
    alpha = 1/np.sqrt(N)

  x_ori=np.copy(x)
  loss_ZSCG = []
  perturbations = []
  loss_ZSCG.append(F(x, y_true_in))
  if verbose:
    print("Epoch:", 0, "Loss:", F(x_ori, y_true_in), "Distortion:", np.max(np.abs(x-x_ori)))
  for k in range(N):
      
    # Get the gradient estimate
    v_k = 0
    for i in tqdm(range(x.shape[0]), disable= not verbose):
      v_k = v_k + Avg_RandGradEst_Par(x[i:i+1], y_true_in[i:i+1], m_k, v, d)    
    v_k = (1/n)*v_k

    x_k = -s * np.sign(v_k) + x_ori # Solve the LMO
    x = (1 - alpha)*x+ alpha*x_k
    if clip:
      x= x_ori + np.clip((x-x_ori), 0, 1)

    perturbations.append(x)
    loss_ZSCG.append(F(x, y_true_in))

    if verbose:
      print("-"*100)
      print("Epoch:", k+1, "Loss:", loss_ZSCG[k], "Distortion:", np.round(np.max(np.abs(x-x_ori)),5), "Elapsed Time:")

    if stop_attack(x, y_true_in):
      print("Attack successful! stopping computation...")
      return loss_ZSCG, x

  ZSCG_x_perturbated = x

  print("ZSCG Final loss = ", loss_ZSCG[-1])
  return loss_ZSCG, ZSCG_x_perturbated, perturbations

## Algorithm 2. Faster Zeroth-Order Frank-Wolfe Method (FZFW)
Gao et al., 2020.

In [None]:
def e(i, d):
  """
  Orthogonal basis vector

  Input:
  - i: index
  - d: dimensions
  
  """
  ei = np.zeros(d)
  ei[i] = 1
  return ei

In [None]:
def CoordGradEst_Par(x, y_true, mu,d):
  """
  Coordinate-wise gradient estimator in parallel

  Input:
  - x: image
  - y_true: true label of the image
  - mu: smoothing parameter
  
  """
  x_par_plus = np.array([x + mu*e(j,d) for j in range(d)]).reshape(d,d)
  x_par_minus = np.array([x - mu*e(j,d) for j in range(d)]).reshape(d,d)
  diff = F_Par(x_par_plus, y_true) - F_Par(x_par_minus, y_true)
  
  q = 0
  for j in range(d):
    q = q + (diff[j])*(e(j,d)) 
    
  return (1/(2*mu))*q

In [None]:
def FZFW(K,d,n,s,gamma, mu,x,y_true_in, verbose=True, clip=False): 
  """
  Faster Zeroth-Order Frank-Wolfe Method
  
  Input:
  - K: number of epochs
  - d: dimension of data
  - n: sample size
  - s: distorsion
  - gamma: step size 
  - mu: smoothing parameter 
  - x: images
  - y_true_in: true label of images
  - verbose: True/False for printing computations
  - clip: True/False activate clipping
  
  """
  s_1=n
  q = s_2 = int(np.sqrt(n))
  if gamma==-1:
    gamma = 1/np.sqrt(K)
  if mu==-1:
    mu = 1/np.sqrt(d*K)
  x_ori=np.copy(x)


  loss_FZFW = []
  perturbations=[]
  loss_FZFW.append(F(x_ori, y_true_in))
  if verbose:
    print("Epoch:", 0, "Loss:", F(x_ori, y_true_in), "Distortion:", np.max(np.abs(x-x_ori)))
    print("-"*100)


  for k in range(K):
    if (k % q == 0):

      v_k = 0
      for i in tqdm(range(s_1), disable= not verbose):
        v_k = v_k + CoordGradEst_Par(x[i:i+1], y_true_in[i:i+1], mu,d)
      v_k=v_k/s_1
      v_k_1 = v_k

    else:



      v_k = 0
      s2_idx = np.random.randint(0, n, s_2) 

      for idx in tqdm(s2_idx,  disable= not verbose):
        v_k = v_k + CoordGradEst_Par(x[idx:idx+1], y_true_in[idx:idx+1], mu,d) - CoordGradEst_Par(x_k_1[idx:idx+1], y_true_in[idx:idx+1], mu,d) + v_k_1
      v_k = (1/s_2) * v_k
      v_k_1 = v_k



    x_k_1 = np.copy(x)
    u_k = -s * np.sign(v_k) + x_ori # Solve the LMO
    d_k = u_k - x
    x = x + gamma*d_k


    if clip:
      x= x_ori + np.clip((x-x_ori), 0, 1)
    
    perturbations.append(x)
    loss_FZFW.append(F(x, y_true_in))

    if verbose:
      print("Epoch:", k+1, "Loss:", loss_FZFW[k+1], "Distortion:", np.round(np.max(np.abs(x-x_ori)),5))
      print("-"*100)

    if stop_attack(x, y_true_in):
      print("Attack successful! stopping computation...")
      return loss_FZFW, x
    

 
  FZFW_x_perturbated = x

  print("FZFW Final loss = ", loss_FZFW[-1])

  return loss_FZFW, FZFW_x_perturbated, perturbations


## Algorithm 3. Faster Zeroth-Order Conditional Gradient Sliding Method (FZCGS)

Gao et al., 2020.

In [None]:
def CondG(g, u, gamma, eta, x_ori, s, d):
  """
  Conditional Gradient Sliding Algorithm
  
  Input:
  - g: gradient
  - u: images perturbated
  - eta: threshold parameter
  - x_ori: images without perturbations
  - s: distorsion
  - d: dimension of images

  """
  t=1
  u_t=u
  
  while (True):
    grad = g + (1/gamma)*(u_t-u)
    v = -s * np.sign(g) + x_ori
    V = np.dot(grad, (u_t-v).T)
    if (np.max(V) <= eta):
      return u_t
    if t==100:
      return u_t

    else:
      
      d = v-u_t
      alpha = np.dot((1/gamma) * (u-u_t)-g, d.T) / ((1/gamma)*np.dot(d, d.T))
      alpha = np.min(alpha) 
      if (alpha > 1):
        alpha = 1     
      u_t = (1-alpha)*u_t + alpha*v
      t = t+1
  


In [None]:
def FZCGS(K,d,n,s,gamma, mu, eta, x,y_true_in, verbose=True, clip=False):
  """
  Faster Zeroth-Order Conditional Gradient Method
  
  Input:
  - K: number of epochs
  - d: dimension of data
  - n: sample size
  - s: distorsion
  - gamma: step size 
  - mu: smoothing parameter 
  - eta: treshold parameter 
  - x: images
  - y_true_in: true label of images
  - verbose: True/False for printing computations
  - clip: True/False activate clipping
  
  """
  s_1 = n
  q = s_2 = int(np.sqrt(n))
  if gamma==-1:
    gamma = 1/np.sqrt(K)
  if mu==-1:
    mu = 1/np.sqrt(d*K)
  if eta==-1:
    eta = 1/K
  x_ori=np.copy(x)


  loss_FZCGS = []
  perturbations=[]
  loss_FZCGS.append(F(x_ori, y_true_in))
  if verbose:
    print("Epoch:", 0, "Loss:", F(x_ori, y_true_in), "Distortion:", np.max(np.abs(x-x_ori)))
    print("-"*100)

  for k in range(K):
    
    if (k % q == 0):
      

      v_k = 0
      for i in tqdm(range(s_1), disable=not verbose):
        v_k = v_k + CoordGradEst_Par(x[i:i+1], y_true_in[i:i+1], mu,d)
      v_k=v_k/s_1
      v_k_1 = v_k

    else:
    

      v_k = 0
      s2_idx = np.random.randint(0, n, s_2) 
    
      for idx in tqdm(s2_idx,  disable= not verbose):
        # idx = np.random.randint(0,n)
        v_k = v_k + CoordGradEst_Par(x[idx:idx+1], y_true_in[idx:idx+1], mu, d) - CoordGradEst_Par(x_k_1[idx:idx+1], y_true_in[idx:idx+1], mu,d) + v_k_1
      v_k = (1/s_2) * v_k
      v_k_1 = v_k


    x_k_1 = np.copy(x)
    x = CondG(v_k, x, gamma, eta, x_ori, s, d) # Cong procedure


    if clip:
      x= x_ori + np.clip((x-x_ori), 0, 1)
    perturbations.append(x)
    loss_FZCGS.append(F(x, y_true_in))
    if verbose:
      print("-"*100)
      print("Epoch:", k+1, "Loss:", loss_FZCGS[k], "Distortion:", np.round(np.max(np.abs(x-x_ori)),5))
    if stop_attack(x, y_true_in):
      print("Attack successful! stopping computation...")
      return loss_FZCGS, x
    


  FZCGS_x_perturbated = x

  print("FZCGS Final loss = ", loss_FZCGS[-1])

  return loss_FZCGS, FZCGS_x_perturbated, perturbations

## Experiments



### More Examples

#### Example same class

In [None]:
n=512
x, x_ori, y_true_in = get_data(n, 4)
epochs=200


In [None]:
F(x, y_true_in)

In [None]:
loss_Z, x_Z, p1=ZSCG(epochs, 784, 0.1, 1, x, y_true_in,verbose=True)
loss_FZ, x_FZ,p2=FZFW(epochs, 784,n, 0.1,-1,-1 ,x, y_true_in, verbose=True)
loss_FZC, x_FZC,p3=FZCGS(epochs, 784,n, 0.1, -1,-1,-1,x, y_true_in, verbose=True)


In [None]:
plot_all(loss_Z, loss_FZ, loss_FZC, epochs, n, savefig="final_sameclass.jpg")

In [None]:
from tabulate import tabulate
asr_alg1=attack_success_rate(x_Z, y_true_in)
asr_alg2=attack_success_rate(x_FZ, y_true_in)
asr_alg3=attack_success_rate(x_FZC, y_true_in)


print(tabulate([['ZSCG', asr_alg1], ['FZFW', asr_alg2], ['FZF-CGS', asr_alg3]], headers=['Algorithm', 'ASR (%)'], tablefmt='orgtbl'))

In [None]:
n_to_show=9
idx= random.sample(range(0, n), n_to_show)
print(idx)
final = {"ZSCG": x_Z[idx], "FZFW": x_FZ[idx], "FZCGS": x_FZC[idx]}
x_toshow=x[idx]
true_label =y_true_in[idx].argmax(axis=1)

fig, ax = plt.subplots(4, n_to_show, figsize=(30,18))
for i in range(n_to_show):
  ax[0, i].imshow(x_toshow[i:i+1].reshape(28,28), cmap="gray")
  ax[0,i].set_title(f"True Label = {true_label[i]}")
row=0
for alg, data in final.items():
  row += 1
  predicted=softmax(dnn.predict(data)).argmax(axis=1)
  
  for j in range(n_to_show):
    color="black"
    ax[row, j].imshow(data[j:j+1].reshape(28,28), cmap="gray", )
    if predicted[j] != true_label[j]:
      color="red"
    ax[row, j].set_title(f"{alg} label predicted {predicted[j]}", color=color)

plt.savefig("100-examples-same-MNIST.jpg")
plt.show()


### Hyperparams


#### Algorithm 1

In [None]:
n=36
x, _, y_true_in = get_data(n, 4)
epochs=50

In [None]:
v_list = [10**-1,10**-3,10**-5,10**-7,10**-9]
alpha_list= [10**-1,10**-3,10**-5,10**-6,10**-7]
loss_ZSCG_all = []
x_ZSCG_all = []
epochs=50
for v in v_list:
  for alpha in alpha_list: 
    print(f"Computing ZSCG with v = {v} and alpha = {alpha}")
    loss_Z, x_Z,_=ZSCG(epochs, 784, 0.1, 30, x, y_true_in, v, alpha, verbose=False)
    loss_ZSCG_all.append(loss_Z)
    x_ZSCG_all.append(x_Z)




In [None]:
table_ZSCG = nice_table(x_ZSCG_all, y_true_in, ("V", v_list), ("Alpha", alpha_list))
print(table_ZSCG)

In [None]:
v_test_list=[10**-1, 10**-3, 10**-5, 10**-7]
loss_list = []
x_Z_list=[]
for v_el in v_test_list:
  l, x_Z_new,_=ZSCG(epochs, 784, 0.1, 30, x, y_true_in, v=v_el, alpha=10**-1, verbose=True)
  loss_list.append(l)
  x_Z_list.append(x_Z_new)

In [None]:
plt.figure(figsize=(10,8))
for i in range(len(loss_list)):
  plt.plot(loss_list[i], label =f"v={v_test_list[i]}")  
  plt.grid("on")
  plt.legend()
plt.savefig("zscg_different_params.jpg")
plt.show()

#### Algorithm 2

In [None]:
gamma_list = [10**-1,10**-3,10**-5,10**-7]
mu_list= [10**-1,10**-3,10**-5,10**-7]
loss_FZFW_all = []
x_FZFW_all = []
epochs=50
for gamma in gamma_list:
  for mu in mu_list: 
    print(f"Computing FZFW with gamma = {gamma} and mu = {mu}")
    loss_FZFW, x_FZFW, _=FZFW(epochs, 784, n,0.1,  gamma, mu,x, y_true_in, verbose=False)
    loss_FZFW_all.append(loss_FZFW)
    x_FZFW_all.append(x_FZFW)



In [None]:
table_FZFW = nice_table(x_FZFW_all, y_true_in, ("Gamma", gamma_list), ("Mu", mu_list))
print(table_FZFW)

In [None]:
mu_test_list=[10**-1, 10**-3, 10**-5]
loss_list = []
x_F_list=[]
for mu_el in mu_test_list:
  l, x_F_new,_=FZFW(epochs, 784, n,0.1,  gamma=0.1, mu=mu_el,x=x, y_true_in=y_true_in, verbose=True)
  loss_list.append(l)
  x_F_list.append(x_F_new)

In [None]:
plt.figure(figsize=(10,8))
for i in range(len(loss_list)):
  plt.plot(loss_list[i], label =f"mu={mu_test_list[i]}")  
  plt.grid("on")
  plt.legend()
plt.savefig("fzfw_different_params.jpg")
plt.show()

#### Algorithm 3

In [None]:
eta_list= [10**-1,10**-3,10**-5,10**-7]

loss_FZCGS_all = []
x_FZCGS_all = []
epochs=50
gamma_final = 0.1
mu_final = [10**-1, 10**-3, 10**-5]
for mu in mu_final:
  for eta in eta_list: 
    print(f"Computing FZFW with gamma = {gamma_final} , mu = {mu} and eta = {eta}")
    loss_FZCGS, x_FZCGS,_=FZCGS(epochs, 784, n,0.1, gamma_final, mu, eta, x, y_true_in,verbose=False)
    loss_FZCGS_all.append(loss_FZCGS)
    x_FZCGS_all.append(x_FZCGS)



In [None]:
table_FZCGS = nice_table(x_FZCGS_all, y_true_in, ("Mu", mu_list), ("Eta", eta_list),)
print(table_FZCGS)

In [None]:
plt.figure(figsize=(10,8))
j=0
for i in range(4):
    plt.plot(loss_FZCGS_all[i+8], label =f"mu={mu_final[2]} ; eta= {eta_list[i]}")  
    plt.grid("on")
    plt.legend()
plt.savefig("fzscg_different_params_3.jpg")
plt.show()

### Different mk

In [None]:
n=16
x, _, y_true_in = get_data(n, 4)
epochs=50



In [None]:
F(x, y_true_in)


In [None]:
q= [1,10,20,30,100]
loss_all_q = []
x_pert_q = []
pert_q = []
for elq in q:
  loss_Z, x_Z, p1=ZSCG(epochs, 784, 0.1,elq, x, y_true_in,verbose=True)
  loss_all_q.append(loss_Z)
  x_pert_q.append(x_Z)
  pert_q.append(p1)



In [None]:
plt.figure(figsize=(10,8))
for i in range(len(loss_all_q)):
  plt.plot(loss_all_q[i],label=f"q = {q[i]}" )
  plt.grid("on")
  plt.legend()

plt.savefig("zscg_diff_q_n_16.jpg")
plt.show()

In [None]:
n=16
x = np.copy(x_test[:n])
x_ori=np.copy(x)
y_true_in = np.copy(y_test[:n])
epochs=50

In [None]:
F(x, y_true_in)


In [None]:
q= [1,10,20,30,100]
loss_all_q = []
x_pert_q = []
pert_q = []
for elq in q:
  loss_Z, x_Z, p1=ZSCG(epochs, 784, 0.1,elq, x, y_true_in,verbose=True)
  loss_all_q.append(loss_Z)
  x_pert_q.append(x_Z)
  pert_q.append(p1)



In [None]:
plt.figure(figsize=(10,8))
for i in range(len(loss_all_q)):
  plt.plot(loss_all_q[i],label=f"q = {q[i]}" )
  plt.grid("on")
  plt.legend()

plt.savefig("zscg_diff_q_n_16_diff_class.jpg")
plt.show()

### Clips vs No Clip

#### Same class

In [None]:
n=16
x, _, y_true_in = get_data(n, 4)
epochs=50



In [None]:
loss_Z, x_Z,_=ZSCG(epochs, 784, 0.1, 30, x, y_true_in,-1,-1, verbose=True, clip = True)
loss_FZ, x_FZ,_=FZFW(epochs, 784,n, 0.1,-1,-1 ,x, y_true_in, verbose=True, clip = True)
loss_FZC, x_FZC,_=FZCGS(epochs, 784,n, 0.1, -1,-1,-1,x, y_true_in, verbose=True, clip = True)


In [None]:
graph1=plot_all(loss_Z, loss_FZ, loss_FZC, epochs, n, title="CLIP", savefig="clip.jpg")

In [None]:
loss_Z_noclip, x_Z_noclip,_=ZSCG(epochs, 784, 0.1, 30, x, y_true_in,-1,-1, verbose=True, clip = False)
loss_FZ_noclip, x_FZ_noclip,_=FZFW(epochs, 784,n, 0.1,-1,-1 ,x, y_true_in, verbose=True, clip = False)
loss_FZC_noclip, x_FZC_noclip,_=FZCGS(epochs, 784,n, 0.1, -1,-1,-1,x, y_true_in, verbose=True, clip = False)


In [None]:
plot_all(loss_Z_noclip, loss_FZ_noclip, loss_FZC_noclip, epochs, n, title="NO CLIP", savefig="noclip.jpg")

#### Different class

In [None]:
n=16
x = np.copy(x_test[:n])
x_ori=np.copy(x)
y_true_in=  np.copy(y_test[:n])
epochs=50

In [None]:
y_true_in.argmax(axis=1)

In [None]:
loss_Z, x_Z,_=ZSCG(epochs, 784, 0.1, 30, x, y_true_in,-1,-1, verbose=True, clip = True)
loss_FZ, x_FZ,_=FZFW(epochs, 784,n, 0.1,-1,-1 ,x, y_true_in, verbose=True, clip = True)
loss_FZC, x_FZC,_=FZCGS(epochs, 784,n, 0.1, -1,-1,-1,x, y_true_in, verbose=True, clip = True)


In [None]:
plot_all(loss_Z, loss_FZ, loss_FZC, epochs, n, title="CLIP", savefig="clip_diffclass.jpg")

In [None]:
loss_Z_noclip, x_Z_noclip,_=ZSCG(epochs, 784, 0.1, 30, x, y_true_in,-1,-1, verbose=True, clip = False)
loss_FZ_noclip, x_FZ_noclip,_=FZFW(epochs, 784,n, 0.1,-1,-1 ,x, y_true_in, verbose=True, clip = False)
loss_FZC_noclip, x_FZC_noclip,_=FZCGS(epochs, 784,n, 0.1, -1,-1,-1,x, y_true_in, verbose=True, clip = False)


In [None]:
plot_all(loss_Z_noclip, loss_FZ_noclip, loss_FZC_noclip, epochs, n, title="NO CLIP", savefig="noclip_diffclass.jpg")

### Perturbations vs Accuracy

#### Same Class

In [None]:
n=64
x, x_ori, y_true_in = get_data(n, 4)
epochs=50



In [None]:
loss_Z_, x_Z,p1=ZSCG(epochs, 784, 0.1, 30, x, y_true_in,-1,-1, verbose=True, clip = False)
loss_FZ, x_FZ,p2=FZFW(epochs, 784,n, 0.1,-1,-1 ,x, y_true_in, verbose=True, clip = False)
loss_FZC, x_FZC,p3=FZCGS(epochs, 784,n, 0.1, -1,-1,-1,x, y_true_in, verbose=True, clip = False)


In [None]:
def data_for_perturbations_plot(perturbations, x_ori, y_true_in):
  acc_list=[]
  dist=[]
  for pert in perturbations:
    asr=attack_success_rate(pert, y_true_in)
    distorsion=np.round(np.max(np.abs(pert-x_ori)),5)
    acc_list.append(asr)
    dist.append(distorsion)


  return dist, acc_list




In [None]:
dist1, acc_list1 = data_for_perturbations_plot(p1, x_ori, y_true_in)
dist2, acc_list2 = data_for_perturbations_plot(p2, x_ori, y_true_in)
dist3, acc_list3 = data_for_perturbations_plot(p3, x_ori, y_true_in)




In [None]:
plt.figure(figsize=(10,8))
plt.plot(dist1, acc_list1, label = f"ZSCG with {n} examples")
plt.plot(dist2, acc_list2, label = f"FZFW with {n} examples")
plt.plot(dist3, acc_list3, label = f"FZCGS with {n} examples")
plt.xlabel("perturbations")
plt.ylabel("ASR (%)")
plt.legend()
plt.grid("On")
plt.savefig("pert_asr_n512_sameclass.jpg")

#### Different Class

In [None]:
n=64
x = np.copy(x_test[:n])
x_ori=np.copy(x)
y_true_in = np.copy(y_test[:n])
epochs=50

In [None]:
loss_Z_, x_Z,p1=ZSCG(epochs, 784, 0.1, 30, x, y_true_in,-1,-1, verbose=True, clip = False)
loss_FZ, x_FZ,p2=FZFW(epochs, 784,n, 0.1,-1,-1 ,x, y_true_in, verbose=True, clip = False)
loss_FZC, x_FZC,p3=FZCGS(epochs, 784,n, 0.1, -1,-1,-1,x, y_true_in, verbose=True, clip = False)


In [None]:
dist1, acc_list1 = data_for_perturbations_plot(p1, x_ori, y_true_in)
dist2, acc_list2 = data_for_perturbations_plot(p2, x_ori, y_true_in)
dist3, acc_list3 = data_for_perturbations_plot(p3, x_ori, y_true_in)




In [None]:
plt.figure(figsize=(10,8))
plt.plot(dist1, acc_list1, label = f"ZSCG with {n} examples")
plt.plot(dist2, acc_list2, label = f"FZFW with {n} examples")
plt.plot(dist3, acc_list3, label = f"FZCGS with {n} examples")
plt.xlabel("perturbations")
plt.ylabel("ASR (%)")
plt.legend()
plt.grid("On")
plt.savefig("pert_asr_n64_diffclass.jpg")

In [None]:
dist1, acc_list1 = data_for_perturbations_plot(p1_2, x_ori, y_true_in)
dist2, acc_list2 = data_for_perturbations_plot(p2_2, x_ori, y_true_in)
dist3, acc_list3 = data_for_perturbations_plot(p3_2, x_ori, y_true_in)




In [None]:
plt.figure(figsize=(10,8))
plt.plot(dist1, acc_list1, label = f"ZSCG with {n} examples")
plt.plot(dist2, acc_list2, label = f"FZFW with {n} examples")
plt.plot(dist3, acc_list3, label = f"FZCGS with {n} examples")
plt.xlabel("perturbations")
plt.ylabel("ASR (%)")
plt.legend()
plt.grid("On")
plt.savefig("pert_asr_n512_diffclass.jpg")

In [None]:
acc_list1

### Attack ZSCG with q = 1 and increasing sample size

In [None]:
size= [16,128, 256,512]

epochs=50


loss_all_q = []
x_pert_q = []
pert_q = []
for elsize in size:
  n=elsize
  x, x_ori, y_true_in = get_data(n, 4)
  loss_Z, x_Z, p1=ZSCG(epochs, 784, 0.1,1, x, y_true_in,verbose=True)
  loss_all_q.append(loss_Z)
  x_pert_q.append(x_Z)
  pert_q.append(p1)



In [None]:
plt.figure(figsize=(10,8))
plt.xlabel("iterations")
plt.ylabel("loss")
  
for i in range(len(size)):

  plt.plot(loss_all_q[i] ,label = f"ZSCG with {size[i]} examples and q = 1")
  
  
  
plt.legend()
plt.grid("On")
plt.savefig("zscg_diff_examples_q_1.jpg")
plt.show()

### Change Distorsion

#### Distorsion = 0.2

In [None]:
n=16
x, _, y_true_in = get_data(n, 4)
epochs=100

In [None]:
loss_Z, x_Z=ZSCG(epochs, 784, 0.2, 30, x, y_true_in, verbose=True)
loss_FZ, x_FZ=FZFW(epochs, 784,n, 0.2, x, y_true_in, verbose=True)
loss_FZC, x_FZC=FZCGS(epochs, 784,n, 0.2, x, y_true_in, verbose=True)


In [None]:
plot_all(loss_Z, loss_FZ, loss_FZC, epochs)

In [None]:
from tabulate import tabulate
asr_alg1=attack_success_rate(x_Z, x)
asr_alg2=attack_success_rate(x_FZ, x)
asr_alg3=attack_success_rate(x_FZC, x)


print(tabulate([['ZSCG', asr_alg1], ['FZFW', asr_alg2], ['FZF-CGS', asr_alg3]], headers=['Algorithm', 'ASR (%)'], tablefmt='orgtbl'))

In [None]:
final = {"ZSCG": x_Z, "FZFW": x_FZ, "FZCGS": x_FZC}
true_label = list(softmax(dnn.predict(x)).argmax(axis=1))
fig, ax = plt.subplots(4, n, figsize=(30,18))
for i in range(x.shape[0]):
  ax[0, i].imshow(x[i:i+1].reshape(28,28), cmap="gray")
  ax[0,i].set_title(f"True Label = {true_label[i]}")
row=0
for alg, data in final.items():
  row += 1
  predicted=softmax(dnn.predict(data)).argmax(axis=1)
  
  for j in range(n):
    color="black"
    ax[row, j].figure
    ax[row, j].imshow(data[j:j+1].reshape(28,28), cmap="gray", )
    if predicted[j] != true_label[j]:
      color="red"
    ax[row, j].set_title(f"{alg} label predicted {predicted[j]}", color=color)


plt.show()

#### Distorsion = 0.3

In [None]:
n=9
x, _, y_true_in = get_data(n, 4)
epochs=100


In [None]:
loss_Z, x_Z=ZSCG(epochs, 784, 0.3, 100, x, y_true_in, verbose=True)
loss_FZ, x_FZ=FZFW(epochs, 784,n, 0.3, x, y_true_in, verbose=True)
loss_FZC, x_FZC=FZCGS(epochs, 784,n, 0.3, x, y_true_in, verbose=True)


In [None]:
plot_all(loss_Z, loss_FZ, loss_FZC, epochs)

In [None]:
from tabulate import tabulate
asr_alg1=attack_success_rate(x_Z, x)
asr_alg2=attack_success_rate(x_FZ, x)
asr_alg3=attack_success_rate(x_FZC, x)


print(tabulate([['ZSCG', asr_alg1], ['FZFW', asr_alg2], ['FZF-CGS', asr_alg3]], headers=['Algorithm', 'ASR (%)'], tablefmt='orgtbl'))

In [None]:
final = {"ZSCG": x_Z, "FZFW": x_FZ, "FZCGS": x_FZC}
true_label = list(softmax(dnn.predict(x)).argmax(axis=1))
fig, ax = plt.subplots(4, n, figsize=(30,18))
for i in range(x.shape[0]):
  ax[0, i].imshow(x[i:i+1].reshape(28,28), cmap="gray")
  ax[0,i].set_title(f"True Label = {true_label[i]}")
row=0
for alg, data in final.items():
  row += 1
  predicted=softmax(dnn.predict(data)).argmax(axis=1)
  
  for j in range(n):
    color="black"
    ax[row, j].figure
    ax[row, j].imshow(data[j:j+1].reshape(28,28), cmap="gray", )
    if predicted[j] != true_label[j]:
      color="red"
    ax[row, j].set_title(f"{alg} label predicted {predicted[j]}", color=color)


plt.show()

In [None]:
loss_Z2, x_Z2,p1_2=ZSCG(epochs, 784, 0.1, 1, x, y_true_in,-1,-1, verbose=True)
loss_FZ2, x_FZ2,p2_2=FZFW(epochs, 784,n, 0.1,-1,-1 ,x, y_true_in, verbose=True)
loss_FZC2, x_FZC2,p3_2=FZCGS(epochs, 784,n, 0.1, -1,-1,-1,x, y_true_in, verbose=True)
