In [34]:
"""
This tutorial shows how to generate adversarial examples
using JSMA in white-box setting.
The original paper can be found at:
https://arxiv.org/abs/1511.07528
"""
# pylint: disable=missing-docstring
from __future__ import absolute_import
from __future__ import division
from __future__ import print_function
from __future__ import unicode_literals

import logging
import numpy as np
from six.moves import xrange
import tensorflow as tf

from cleverhans.attacks import FastGradientMethod
from cleverhans.loss import CrossEntropy
from cleverhans.attacks import CarliniWagnerL2
from cleverhans.attacks import SaliencyMapMethod
from cleverhans.attacks import DeepFool
from cleverhans.utils import other_classes, set_log_level
from cleverhans.utils import pair_visual, grid_visual, AccuracyReport
from cleverhans.utils_tf import model_eval, model_argmax

import tensorflow as tf
from tensorflow.examples.tutorials.mnist import input_data
from cleverhans_model import CleverhansModel
from model import Model as My_model

from tensorflow.python import pywrap_tensorflow
import math
from random import choice

import matplotlib.pyplot as plt

In [35]:
# Directory whose newest checkpoint init_graph() restores for every attack cell.
# NOTE(review): a later configuration cell rebinds model_dir to "./models/";
# re-run this cell before re-running any attack cell.
model_dir = "./models/nat"

# Only the first num_examples test images are attacked, batch_size at a time.
num_examples = 10
batch_size = 2
# Ceil division so a trailing partial batch is still counted
# (true division comes from `from __future__ import division`).
num_batches = int(math.ceil(num_examples / batch_size))

# Reads the MNIST archives under ./MNIST_data; labels are one-hot encoded.
# NOTE(review): read_data_sets may fetch the archives when they are missing -
# confirm where the files came from before trusting results built on them.
mnist = input_data.read_data_sets('MNIST_data', one_hot=True)
x_test = mnist.test.images
y_test = mnist.test.labels  # not referenced by the attack cells visible here

Extracting MNIST_data/train-images-idx3-ubyte.gz
Extracting MNIST_data/train-labels-idx1-ubyte.gz
Extracting MNIST_data/t10k-images-idx3-ubyte.gz
Extracting MNIST_data/t10k-labels-idx1-ubyte.gz


In [4]:
def classify(sess, img):
    """Run the wrapped model on ``img`` and return ``c_model.get_pred()``.

    Relies on the notebook-level ``c_model`` produced by ``init_graph``.
    A new placeholder is added to the default graph on every call.
    NOTE(review): the ``fprop`` result is discarded, so whether ``get_pred()``
    actually reads this placeholder depends on CleverhansModel - confirm.
    """
    input_ph = tf.placeholder(tf.float32, shape=[None, 784])
    c_model.fprop(input_ph)
    prediction_op = c_model.get_pred()
    return sess.run(prediction_op, feed_dict={input_ph: img})
def plot(img):
    """Draw ``img`` as a 28x28 grayscale image with ``plt.imshow``."""
    # np.resize (not reshape) repeats or truncates the data instead of raising
    # when img does not hold exactly 784 values.
    pixels = np.resize(img, [28, 28])
    plt.imshow(pixels, cmap='Greys_r')

In [5]:
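def init_graph(model_dir):
    """Build a fresh graph and restore the newest checkpoint for an attack run.

    Args:
        model_dir: directory searched with ``tf.train.latest_checkpoint``.

    Returns:
        ``(session, c_model)``: an open ``tf.Session`` (the caller must close
        it) and the ``CleverhansModel`` wrapper handed to the attack classes.

    Raises:
        IOError: if ``model_dir`` contains no checkpoint.
    """
    # Each attack cell starts from an empty default graph.
    tf.reset_default_graph()

    model = My_model()
    # presumably ('CNN', 10) are the scope name and the class count - confirm
    # against cleverhans_model.py
    c_model = CleverhansModel('CNN', 10, model)

    checkpoint = tf.train.latest_checkpoint(model_dir)
    if checkpoint is None:
        # latest_checkpoint returns None instead of raising; stop with a clear
        # message rather than an opaque failure further down.
        raise IOError("no checkpoint found in {!r}".format(model_dir))

    saver = tf.train.Saver()
    config = tf.ConfigProto()
    config.log_device_placement = False
    config.allow_soft_placement = True
    config.gpu_options.allow_growth = True
    session = tf.Session(config=config)
    try:
        # Initialise first, then overwrite with the checkpoint values.
        session.run(tf.global_variables_initializer())
        saver.restore(session, checkpoint)
    except Exception:
        # Do not leak the session when the restore fails.
        session.close()
        raise
    return session, c_model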

def batch_attack(data, attack, **params):
    """Run ``attack.generate_np`` over the leading rows of ``data`` in batches.

    The batching is driven by the notebook-level ``num_batches``,
    ``batch_size`` and ``num_examples``, not by ``len(data)``.

    Args:
        data: 2-D array, one example per row.
        attack: object exposing ``generate_np(x, **params)``.
        **params: forwarded unchanged to ``generate_np``.

    Returns:
        A list with one entry (a list of floats) per crafted example.
    """
    crafted = []
    for batch_idx in range(num_batches):
        lo = batch_idx * batch_size
        hi = min(lo + batch_size, num_examples)
        print('batch size: {}'.format(hi - lo))

        batch_adv = attack.generate_np(data[lo:hi, :], **params)
        crafted.extend(batch_adv.tolist())

    return crafted

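def save_npy(algm, x_adv, filename = '/adv.npy'):
    """Write crafted examples to ``./adv_test/<algm><filename>`` as ``.npy``.

    Args:
        algm: attack name used as the sub-directory, e.g. ``'jsma'``.
        x_adv: crafted examples; anything ``np.asarray`` accepts.
        filename: file name, including its leading slash.

    Raises:
        ValueError: if ``x_adv`` does not convert to a plain (non-object)
            array.
    """
    import os  # local import: the notebook's import cell does not load os

    path = './adv_test/' + algm + filename
    out_dir = os.path.dirname(path)
    # np.save does not create missing directories.
    if not os.path.isdir(out_dir):
        os.makedirs(out_dir)
    x_adv_np = np.asarray(x_adv)
    # allow_pickle=False makes a ragged/object result fail here instead of
    # being written as a pickle that a later np.load would have to unpickle.
    np.save(path, x_adv_np, allow_pickle=False)
    print("saved to: " + path)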
    

In [18]:
# Fresh graph and restored checkpoint for the JSMA run; the next cell closes this session.
session, c_model = init_graph(model_dir)

INFO:tensorflow:Restoring parameters from ./models/nat/checkpoint-7800


In [19]:
###########################################################################
# Craft adversarial examples using the Jacobian-based saliency map approach
###########################################################################

# y = tf.placeholder(tf.int64, shape = [None])
print("=============================================================")
print('JSMA: Crafting ' + str(num_examples) +
    ' adversarial examples')

# Attack object bound to the restored model and the open session.
jsma = SaliencyMapMethod(c_model, sess=session)
# clip_min/clip_max keep the crafted pixels inside [0, 1].
# NOTE(review): with 'y_target' None the library is expected to pick the target
# class itself - confirm for the installed cleverhans version.
jsma_params = {'theta': 1., 'gamma': 0.1,
             'clip_min': 0., 'clip_max': 1.,
             'y_target': None}

x_adv = [] # adv accumulator

# JSMA is run one image at a time; the slice keeps the leading batch axis.
for sample_ind in xrange(0, num_examples):
    print('--------------------------------------')
    # Progress line once per group of batch_size samples.
    if(sample_ind % batch_size == 0):
        print('Attacking input batch %i/%i' % (sample_ind/batch_size + 1, num_examples/batch_size))
    sample = x_test[sample_ind:(sample_ind + 1)]
    adv = jsma.generate_np(sample, **jsma_params)
    x_adv.append(adv)
    
# Stack the per-sample results into one array and persist it.
# NOTE(review): nothing here checks that the model's prediction actually
# changed, so the saved file may include unsuccessful attempts - evaluate it
# before treating every row as adversarial.
x_adv = np.concatenate(x_adv, axis=0)
save_npy('jsma', x_adv)
session.close()

[INFO 2019-05-06 13:30:04,950 cleverhans] Constructing new graph for attack SaliencyMapMethod


Crafting 10 adversarial examples
--------------------------------------
Attacking input batch 1/5
--------------------------------------
--------------------------------------
Attacking input batch 2/5
--------------------------------------
--------------------------------------
Attacking input batch 3/5
--------------------------------------
--------------------------------------
Attacking input batch 4/5
--------------------------------------
--------------------------------------
Attacking input batch 5/5
--------------------------------------
saved to: ./adv_test/jsma/adv.npy


In [13]:
# Fresh graph and restored checkpoint for the Carlini-Wagner run; the next cell closes this session.
session, c_model = init_graph(model_dir)

INFO:tensorflow:Restoring parameters from ./models/nat/checkpoint-7800


In [14]:
# NOTE(review): LEARNING_RATE is not referenced by any cell visible here.
LEARNING_RATE = .001
CW_LEARNING_RATE = .2
ATTACK_ITERATIONS = 100

print('Iterating over {} batches'.format(num_batches))

# x = tf.placeholder(tf.float32, shape = [None, 784])
# y = tf.placeholder(tf.int64, shape = [None])

###########################################################################
# Craft adversarial examples using Carlini and Wagner's approach
###########################################################################
print("=============================================================")
print('CW: Crafting ' + str(num_examples) + ' adversarial examples')
print("This could take some time ...")

# Instantiate a CW attack object
cw = CarliniWagnerL2(c_model, sess=session)

# 'batch_size' is set to the same value batch_attack() slices the data with.
# NOTE(review): "y_target" None presumably means an untargeted run - confirm
# for the installed cleverhans version.
cw_params = {'binary_search_steps': 1,
               "y_target": None,
               'max_iterations': ATTACK_ITERATIONS,
               'learning_rate': CW_LEARNING_RATE,
               'batch_size': batch_size,
               'initial_const': 10}

# Craft on the first num_examples test images, save, then release the session.
# NOTE(review): success of the crafted examples is not measured in this cell.
x_adv = batch_attack(x_test, cw, **cw_params)
save_npy('cw', x_adv)
session.close()

[INFO 2019-05-06 13:26:57,060 cleverhans] Constructing new graph for attack CarliniWagnerL2


Iterating over 5 batches
Crafting 10 adversarial examples
This could take some time ...
batch size: 2
batch size: 2
batch size: 2
batch size: 2
batch size: 2
saved to: ./adv_test/cw/adv.npy


In [15]:
# Fresh graph and restored checkpoint for the FGSM run; the next cell closes this session.
session, c_model = init_graph(model_dir)

INFO:tensorflow:Restoring parameters from ./models/nat/checkpoint-7800


In [16]:
# eps is the perturbation size; clip_min/clip_max keep pixels inside [0, 1].
fgsm_params = {
  'eps': 0.3,
  'clip_min': 0.,
  'clip_max': 1.
}

# Set TF random seed to improve reproducibility
# NOTE(review): the model graph was already built by init_graph() in the
# previous cell, so this seed can only affect ops created afterwards - confirm
# it has the intended effect.
tf.set_random_seed(2333)

# x = tf.placeholder(tf.float32, shape = [None, 784])
# y = tf.placeholder(tf.int64, shape = [None])

###########################################################################
# Craft adversarial examples using FGSM
###########################################################################
print("=============================================================")
print('FGSM: Crafting ' + str(num_examples) + ' adversarial examples')

# Craft on the first num_examples test images, save, then release the session.
# NOTE(review): success of the crafted examples is not measured in this cell.
fgsm = FastGradientMethod(c_model, sess=session)
x_adv = batch_attack(x_test, fgsm, **fgsm_params)
save_npy('fgsm', x_adv)
session.close()

[INFO 2019-05-06 13:26:59,279 cleverhans] Constructing new graph for attack FastGradientMethod


Crafting 10 adversarial examples
batch size: 2
Instructions for updating:
dim is deprecated, use axis instead
batch size: 2
batch size: 2
batch size: 2
batch size: 2
saved to: ./adv_test/fgsm/adv.npy


In [36]:
# Fresh graph and restored checkpoint for the DeepFool run; the next cell closes this session.
session, c_model = init_graph(model_dir)

INFO:tensorflow:Restoring parameters from ./models/nat/checkpoint-7800


In [37]:

###########################################################################
# Craft adversarial examples using DeepFool
###########################################################################
print("DEEPFOOL: =============================================================")
print('Crafting ' + str(num_examples) + ' adversarial examples')

# No parameter dict is passed, so the library defaults apply.
deepfool = DeepFool(c_model, sess=session)
x_adv = batch_attack(x_test, deepfool)
# NOTE(review): the attribution loop further down was last executed (In [31])
# before this cell (In [37]); its recorded ValueError for the deepfool file
# presumably reflects an older file - re-run that loop after this cell.
save_npy('deepfool', x_adv)

session.close()

[INFO 2019-05-06 13:42:14,137 cleverhans] Constructing new graph for attack DeepFool


Crafting 10 adversarial examples
batch size: 2


[INFO 2019-05-06 13:42:15,831 cleverhans] Attack result at iteration 5 is [7 2]
[INFO 2019-05-06 13:42:15,892 cleverhans] Attack result at iteration 10 is [7 2]
[INFO 2019-05-06 13:42:15,949 cleverhans] Attack result at iteration 15 is [3 1]
[INFO 2019-05-06 13:42:15,952 cleverhans] 2 out of 2 become adversarial examples at iteration 15
[INFO 2019-05-06 13:42:16,011 cleverhans] Attack result at iteration 5 is [1 0]
[INFO 2019-05-06 13:42:16,069 cleverhans] Attack result at iteration 10 is [1 0]
[INFO 2019-05-06 13:42:16,110 cleverhans] Attack result at iteration 14 is [8 2]
[INFO 2019-05-06 13:42:16,111 cleverhans] 2 out of 2 become adversarial examples at iteration 14


batch size: 2
batch size: 2


[INFO 2019-05-06 13:42:16,168 cleverhans] Attack result at iteration 5 is [4 1]
[INFO 2019-05-06 13:42:16,221 cleverhans] Attack result at iteration 10 is [4 1]
[INFO 2019-05-06 13:42:16,245 cleverhans] Attack result at iteration 12 is [9 7]
[INFO 2019-05-06 13:42:16,246 cleverhans] 2 out of 2 become adversarial examples at iteration 12
[INFO 2019-05-06 13:42:16,301 cleverhans] Attack result at iteration 5 is [4 9]
[INFO 2019-05-06 13:42:16,355 cleverhans] Attack result at iteration 10 is [8 9]
[INFO 2019-05-06 13:42:16,388 cleverhans] Attack result at iteration 13 is [8 4]
[INFO 2019-05-06 13:42:16,389 cleverhans] 2 out of 2 become adversarial examples at iteration 13
[INFO 2019-05-06 13:42:16,448 cleverhans] Attack result at iteration 5 is [5 9]


batch size: 2
batch size: 2


[INFO 2019-05-06 13:42:16,501 cleverhans] Attack result at iteration 10 is [5 9]
[INFO 2019-05-06 13:42:16,522 cleverhans] Attack result at iteration 12 is [6 7]
[INFO 2019-05-06 13:42:16,523 cleverhans] 2 out of 2 become adversarial examples at iteration 12


saved to: ./adv_test/deepfool/adv.npy


In [40]:
# Sanity check on the last crafted set: one flattened 784-value row per example.
np.asarray(x_adv).shape

(10, 784)

In [26]:
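def init_my_model(model_dir):
    """Build the bare model in a fresh graph and restore its newest checkpoint.

    Args:
        model_dir: directory searched with ``tf.train.latest_checkpoint``.

    Returns:
        ``(session, model)``: an open ``tf.Session`` (the caller must close it)
        and the ``My_model`` instance whose tensors are used for attribution.

    Raises:
        IOError: if ``model_dir`` contains no checkpoint.
    """
    tf.reset_default_graph()
    # Flattened 28x28 inputs and integer class labels.
    x = tf.placeholder(tf.float32, shape=[None, 784])
    y = tf.placeholder(tf.int64, shape=[None])

    model = My_model()
    model.build_and_eval(x, y)

    checkpoint = tf.train.latest_checkpoint(model_dir)
    if checkpoint is None:
        # latest_checkpoint returns None instead of raising; stop with a clear
        # message rather than an opaque failure further down.
        raise IOError("no checkpoint found in {!r}".format(model_dir))

    saver = tf.train.Saver()
    config = tf.ConfigProto()
    config.log_device_placement = False
    config.allow_soft_placement = True
    config.gpu_options.allow_growth = True
    session = tf.Session(config=config)
    try:
        # Initialise first, then overwrite with the checkpoint values.
        session.run(tf.global_variables_initializer())
        saver.restore(session, checkpoint)
    except Exception:
        # Do not leak the session when the restore fails.
        session.close()
        raise
    return session, model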

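def generate_adv_attr(session, model, img_path, tar_path, num_examples = num_examples):
    """Compute integrated-gradients attributions for saved adversarial examples.

    Loads the array at ``img_path`` and, for each of the first
    ``num_examples`` rows, attributes the class the model itself predicts for
    that row to the input features. The stacked result is saved to
    ``tar_path``.

    Args:
        session: open ``tf.Session`` holding the restored weights.
        model: object exposing ``x_input``, ``y_input``, ``y_pred`` and
            ``softmax_layer``.
        img_path: ``.npy`` file of examples, one flattened image per row.
        tar_path: destination ``.npy`` file for the attributions.
        num_examples: number of leading rows to process; the default is the
            notebook-level value at the time this function was defined.

    Raises:
        ValueError: if the file is not a plain 2-D array or holds fewer than
            ``num_examples`` rows.
    """
    # Plain numeric arrays never need pickle; refusing it keeps a tampered or
    # malformed .npy file from being unpickled (older NumPy allowed it by default).
    adv_test = np.load(img_path, allow_pickle=False)
    # Reject a wrongly shaped file up front instead of failing inside
    # session.run with a feed-shape error.
    if adv_test.ndim != 2:
        raise ValueError('{} holds an array of shape {}; expected one flattened '
                         'image per row'.format(img_path, adv_test.shape))
    if adv_test.shape[0] < num_examples:
        raise ValueError('{} holds {} rows; {} were requested'.format(
            img_path, adv_test.shape[0], num_examples))

    # Column of softmax_layer selected by the first label fed through y_input,
    # and its gradient with respect to the input tensor.
    labeled_pred = model.softmax_layer[:, model.y_input[0]]
    grad = tf.gradients(labeled_pred, model.x_input)

    def integrated_gradient(img, target_label_index, steps=50, baseline=None):
        """Riemann-sum approximation of integrated gradients for one image."""
        if baseline is None:
            baseline = 0 * img  # zero baseline
        assert baseline.shape == img.shape

        # steps + 1 points on the straight line from baseline to img.
        scaled_inputs = [baseline + (float(i) / steps) * (img - baseline)
                         for i in range(0, steps + 1)]

        gradient = session.run(grad, feed_dict={model.x_input: np.squeeze(scaled_inputs),
                                                model.y_input: target_label_index})
        # Average over the first `steps` points; the endpoint is dropped.
        avg_grads = np.average(gradient[0][:-1], axis=0)
        return (img - baseline) * avg_grads  # same shape as img

    feature_attributions = []
    for i in range(num_examples):
        x = adv_test[i]
        # Attribute with respect to the class predicted for this input.
        y = session.run(model.y_pred, feed_dict={model.x_input: [x]})[0]
        feature_attributions.append(integrated_gradient(x, [y]))

    print('Storing examples')
    feature_attributions = np.asarray(feature_attributions)
    np.save(tar_path, feature_attributions)
    print('Examples stored in {}'.format(tar_path))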


In [27]:

# NOTE(review): this rebinds the notebook-level model_dir that the attack cells
# pass to init_graph(); re-run the first configuration cell before crafting again.
model_dir = "./models/"
adv_dir = "./adv_test/"
tar_dir = "./features/test/"

# One sub-directory per attack. The leading and trailing slashes produce doubled
# separators once concatenated (e.g. "./adv_test//fgsm/adv.npy").
algm = ['/fgsm/','/cw/','/jsma/','/deepfool/']
# loss = ['/xent/', '/cw/']
model_name = '/nat/'
name = 'adv.npy'


In [31]:

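# One pass per attack: rebuild the graph, restore the model and write the
# attributions for that attack's saved examples.
for a in range(len(algm)):
    print("=============================================================")
    a_path = algm[a] + name
    model_path = model_dir + model_name
    print("model_path:" + model_path)
    session, model = init_my_model(model_path)

    adv_path = adv_dir + a_path
    tar_path = tar_dir + a_path

    print("adv_path:" + adv_path)
    try:
        generate_adv_attr(session, model, adv_path, tar_path)
    finally:
        # Close the session even when one attack's file is rejected, so a
        # failed pass does not leave the session and its resources open.
        session.close()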



model_path:./models//nat/
INFO:tensorflow:Restoring parameters from ./models//nat/checkpoint-7800
adv_path:./adv_test//fgsm/adv.npy
Storing examples
Examples stored in ./features/test//fgsm/adv.npy
model_path:./models//nat/
INFO:tensorflow:Restoring parameters from ./models//nat/checkpoint-7800
adv_path:./adv_test//cw/adv.npy
Storing examples
Examples stored in ./features/test//cw/adv.npy
model_path:./models//nat/
INFO:tensorflow:Restoring parameters from ./models//nat/checkpoint-7800
adv_path:./adv_test//jsma/adv.npy
Storing examples
Examples stored in ./features/test//jsma/adv.npy
model_path:./models//nat/
INFO:tensorflow:Restoring parameters from ./models//nat/checkpoint-7800
adv_path:./adv_test//deepfool/adv.npy


ValueError: Cannot feed value of shape (1,) for Tensor 'Placeholder:0', which has shape '(?, 784)'