In [2]:
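# Pin the toolbox to the release this notebook was actually run against (1.13.0, per the
# install log of this cell), so a later upload to the package index cannot silently change
# the attack/defence code being evaluated. For stronger guarantees, install from a
# hash-pinned requirements file. %pip targets the running kernel's environment.
%pip install adversarial-robustness-toolbox==1.13.0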

Collecting adversarial-robustness-toolbox
  Downloading adversarial_robustness_toolbox-1.13.0-py3-none-any.whl (1.4 MB)
     |████████████████████████████████| 1.4 MB 2.1 MB/s            
Installing collected packages: adversarial-robustness-toolbox
Successfully installed adversarial-robustness-toolbox-1.13.0
Note: you may need to restart the kernel to use updated packages.


In [3]:
import numpy as np
from datetime import datetime 
%matplotlib inline
import matplotlib.pyplot as plt

In [None]:
# Pretrained Models 
# from keras.applications.densenet import DenseNet169, preprocess_input as densenet_preprocess_input 
from keras.applications.vgg16 import preprocess_input

from keras.preprocessing import image

# Load ART dependencies:
from art.estimators.classification import KerasClassifier

# Attacks 
from art.attacks.evasion import ProjectedGradientDescent
from art.attacks.evasion import FastGradientMethod
from art.attacks.evasion import BasicIterativeMethod 
from art.attacks.evasion import CarliniL2Method
from art.attacks.evasion import DeepFool
from art.attacks.evasion import FrameSaliencyAttack
from art.attacks.evasion import HopSkipJump

# Defenses 
from art.defences.preprocessor import SpatialSmoothing
from art.defences.preprocessor import FeatureSqueezing
from art.defences.preprocessor import GaussianAugmentation
from art.defences.preprocessor import LabelSmoothing


In [5]:
import warnings

import tensorflow as tf

# Switch TF2 to graph mode before any model is built.
# Presumably required by the ART KerasClassifier wrapper used later -- confirm
# against the installed ART release.
if tf.executing_eagerly():
    tf.compat.v1.disable_eager_execution()

tf.compat.v1.experimental.output_all_intermediates(True)

# NOTE(review): this silences every warning for the rest of the kernel session,
# including deprecation and numerical warnings that can matter when judging
# whether an attack/defence result is trustworthy. Narrow the filter if possible.
warnings.filterwarnings('ignore')

In [4]:
from art.preprocessing.preprocessing import Preprocessor

class VGG16Preprocessor(Preprocessor):
    """ART preprocessor that applies the Keras VGG16 `preprocess_input` transform.

    NOTE(review): the CIFAR-10 network defined later in this notebook standardises
    its inputs with its own mean/std (see cifar10vgg.normalize_production); confirm
    that this ImageNet-style transform is really the one the wrapped model expects.
    """

    def __call__(self, x, y=None):
        """Return `preprocess_input` applied to a copy of `x`; `y` is passed through."""
        # Work on a copy so the caller's array is never modified.
        x_copy = x.copy()
        return preprocess_input(x_copy), y

    def estimate_gradient(self, x, gradient):
        """Return `gradient` with its last axis reversed; `x` is not used."""
        # Presumably mirrors the channel reordering done by preprocess_input -- confirm.
        reversed_channels = gradient[..., ::-1]
        return reversed_channels

# **CIFAR Section**

In [6]:
# Importing required modules

import tensorflow as tf
from tensorflow.keras import Sequential
from tensorflow.keras.callbacks import LambdaCallback 
import tensorflow.keras.layers as L
from tensorflow.keras.datasets import mnist, cifar10

import numpy as np
import matplotlib.pyplot as plt
from random import randint
from tqdm import tqdm

# Record the TensorFlow version in the cell output so the run can be reproduced.
print(f'Tensorflow version: {tf.__version__}')
# tf.compat.v1.enable_eager_execution()


Tensorflow version: 2.6.2


In [7]:
# Utility functions
def print_shapes(x_train, x_test, y_train, y_test):
    """Print the `.shape` of the four dataset arrays, one per line, then a blank line.

    Each argument only needs a `.shape` attribute.
    """
    report = "".join((
        f"x_train: {x_train.shape}\n",
        f"x_test: {x_test.shape}\n",
        f"y_train: {y_train.shape}\n",
        f"y_test: {y_test.shape}\n",
    ))
    print(report)

In [8]:
# Load CIFAR-10 through Keras (downloaded on first use, as the log line in this
# cell's output shows) and print the shapes of the four returned arrays.
(x_train, y_train), (x_test, y_test) = cifar10.load_data()
print_shapes(x_train, x_test, y_train, y_test)

Downloading data from https://www.cs.toronto.edu/~kriz/cifar-10-python.tar.gz
x_train: (50000, 32, 32, 3)
x_test: (10000, 32, 32, 3)
y_train: (50000, 1)
y_test: (10000, 1)



In [9]:
# Dataset geometry and class metadata for CIFAR-10.
height, width, channels = 32, 32, 3
nb_classes = 10
label_names = ['airplane', 'automobile', 'bird', 'cat', 'deer', 'dog', 'frog',
               'horse', 'ship', 'truck']

# Scale pixels by 1/255 and force the (N, height, width, channels) layout.
# Not idempotent: re-running this cell divides by 255 a second time.
x_train = (x_train / 255).reshape((-1, height, width, channels))
x_test = (x_test / 255).reshape((-1, height, width, channels))

# One-hot encode both label arrays.
y_train, y_test = (
    tf.keras.utils.to_categorical(labels, nb_classes)
    for labels in (y_train, y_test)
)

print_shapes(x_train, x_test, y_train, y_test)

x_train: (50000, 32, 32, 3)
x_test: (10000, 32, 32, 3)
y_train: (50000, 10)
y_test: (10000, 10)



In [10]:

from __future__ import print_function
import keras
from keras.datasets import cifar10
from keras.preprocessing.image import ImageDataGenerator
from keras.models import Sequential
from keras.layers import Dense, Dropout, Activation, Flatten
from keras.layers import Conv2D, MaxPooling2D, BatchNormalization
from keras import optimizers
import numpy as np
from keras.layers.core import Lambda
from keras import backend as K
from keras import regularizers

import cv2
import sklearn.metrics as metrics

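# Module-level name kept for backward compatibility; the class below uses its own
# class attribute of the same name, not this list.
arryWeights_last = []

class cifar10vgg:
    """VGG-style CIFAR-10 classifier with weights loaded from a saved HDF5 file.

    The Keras network is exposed as `self.model`. `predict()` standardises raw
    inputs with fixed training-set statistics before calling the network, so any
    code that calls `self.model` directly must apply the same standardisation.
    """

    # Multipliers applied by the Lambda layer after the last convolution unit.
    # All ones, so the layer leaves activations unchanged until the list is edited.
    arryWeights_last = [1] * 512

    def custom_layer_last(self, tensor):
        """Multiply `tensor` element-wise by the class-level `arryWeights_last` list."""
        return tensor * self.arryWeights_last

    def __init__(self, train=False):
        """Build the network and load the saved weights.

        Args:
            train: must be False. No `train()` method exists on this class, so the
                training path previously failed with an AttributeError only after
                the whole network had been built.

        Raises:
            NotImplementedError: if `train` is true.
        """
        self.num_classes = 10
        self.weight_decay = 0.0005
        self.x_shape = [32, 32, 3]
        if train:
            raise NotImplementedError(
                "cifar10vgg defines no train() method; use train=False to load saved weights"
            )
        self.model = self.build_model()
        # NOTE(review): the weight file is an external artifact read from a fixed
        # relative path with no integrity check. Record its checksum and verify it
        # before relying on any accuracy or robustness figure produced from it.
        self.model.load_weights('../input/vgg-cifar-wights/cifar10vgg.h5')

    def _add_conv_unit(self, model, filters, dropout_rate=None, **conv_kwargs):
        """Append Conv2D(3x3, same) -> ReLU -> BatchNorm [-> Dropout] to `model`."""
        model.add(Conv2D(filters, (3, 3), padding='same',
                         kernel_regularizer=regularizers.l2(self.weight_decay),
                         **conv_kwargs))
        model.add(Activation('relu'))
        model.add(BatchNormalization())
        if dropout_rate is not None:
            model.add(Dropout(dropout_rate))

    def build_model(self):
        """Build the VGG network for 10 classes with heavy dropout and weight decay.

        Layers are added in exactly the original order, so the automatically
        generated layer names and the saved weight file still line up.
        """
        model = Sequential()
        weight_decay = self.weight_decay

        # Stage 1: 64 filters.
        self._add_conv_unit(model, 64, 0.3, input_shape=self.x_shape)
        self._add_conv_unit(model, 64)
        model.add(MaxPooling2D(pool_size=(2, 2)))

        # Stage 2: 128 filters.
        self._add_conv_unit(model, 128, 0.4)
        self._add_conv_unit(model, 128)
        model.add(MaxPooling2D(pool_size=(2, 2)))

        # Stage 3: 256 filters.
        self._add_conv_unit(model, 256, 0.4)
        self._add_conv_unit(model, 256, 0.4)
        self._add_conv_unit(model, 256)
        model.add(MaxPooling2D(pool_size=(2, 2)))

        # Stage 4: 512 filters.
        self._add_conv_unit(model, 512, 0.4)
        self._add_conv_unit(model, 512, 0.4)
        self._add_conv_unit(model, 512)
        model.add(MaxPooling2D(pool_size=(2, 2)))

        # Stage 5: 512 filters, followed by the custom scaling layer.
        self._add_conv_unit(model, 512, 0.4)
        self._add_conv_unit(model, 512, 0.4)
        self._add_conv_unit(model, 512)
        model.add(Lambda(self.custom_layer_last, name="lambda_layer_last"))
        model.add(MaxPooling2D(pool_size=(2, 2)))
        model.add(Dropout(0.5))

        # Classifier head.
        model.add(Flatten())
        model.add(Dense(512, kernel_regularizer=regularizers.l2(weight_decay)))
        model.add(Activation('relu'))
        model.add(BatchNormalization())

        model.add(Dropout(0.5))
        model.add(Dense(self.num_classes))
        model.add(Activation('softmax'))
        return model

    def normalize(self, X_train, X_test):
        """Standardise both sets with the mean and std of the training set.

        Used when training a model. Both arrays must be 4-D, because the
        statistics are taken over axes (0, 1, 2, 3).

        Returns:
            (X_train, X_test) after subtracting the training mean and dividing by
            the training std (plus 1e-7 to avoid division by zero).
        """
        mean = np.mean(X_train, axis=(0, 1, 2, 3))
        std = np.std(X_train, axis=(0, 1, 2, 3))
        X_train = (X_train - mean) / (std + 1e-7)
        X_test = (X_test - mean) / (std + 1e-7)
        return X_train, X_test

    def normalize_production(self, x):
        """Standardise `x` with the saved training-set statistics.

        Per the original author's note, the constants were produced during the first
        training run and apply to the standard CIFAR-10 training set.
        """
        mean = 120.707
        std = 64.15
        return (x - mean) / (std + 1e-7)

    def predict(self, x, normalize=True, batch_size=50):
        """Return the network output for `x`, standardising it first unless `normalize` is false."""
        if normalize:
            x = self.normalize_production(x)
        return self.model.predict(x, batch_size)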

In [11]:
import tensorflow as tf
# from keras.applications import VGG16
# from vis.utils import utils

from keras.utils import np_utils


from keras import activations
from keras.models import Sequential, Model, load_model

    
# Instantiate the CIFAR-10 VGG wrapper defined in the previous cell. With the default
# train=False it loads saved weights from '../input/vgg-cifar-wights/cifar10vgg.h5'
# (these are not ImageNet weights).
model = cifar10vgg ()
# model = utils.apply_modifications(model)

2022-12-26 20:35:32.582228: I tensorflow/stream_executor/cuda/cuda_gpu_executor.cc:937] successful NUMA node read from SysFS had negative value (-1), but there must be at least one NUMA node, so returning NUMA node zero
2022-12-26 20:35:32.583380: I tensorflow/stream_executor/cuda/cuda_gpu_executor.cc:937] successful NUMA node read from SysFS had negative value (-1), but there must be at least one NUMA node, so returning NUMA node zero
2022-12-26 20:35:32.584452: I tensorflow/stream_executor/cuda/cuda_gpu_executor.cc:937] successful NUMA node read from SysFS had negative value (-1), but there must be at least one NUMA node, so returning NUMA node zero
2022-12-26 20:35:32.585189: I tensorflow/stream_executor/cuda/cuda_gpu_executor.cc:937] successful NUMA node read from SysFS had negative value (-1), but there must be at least one NUMA node, so returning NUMA node zero
2022-12-26 20:35:32.586002: I tensorflow/stream_executor/cuda/cuda_gpu_executor.cc:937] successful NUMA node read from S

In [12]:
from __future__ import print_function
import keras
from keras.datasets import cifar10
from keras.preprocessing.image import ImageDataGenerator
from keras.models import Sequential
from keras.layers import Dense, Dropout, Activation, Flatten
from keras.layers import Conv2D, MaxPooling2D, BatchNormalization
from keras import optimizers
import numpy as np
from keras.layers.core import Lambda
from keras import backend as K
from keras import regularizers

import cv2
import sklearn.metrics as metrics

from keras.utils import np_utils

from keras.datasets import cifar10

# Reload CIFAR-10, cast the images to float32 and one-hot encode the labels.
(x_train, y_train), (x_test, y_test) = cifar10.load_data()
x_train, x_test = x_train.astype('float32'), x_test.astype('float32')

y_train, y_test = (
    keras.utils.np_utils.to_categorical(labels, 10)
    for labels in (y_train, y_test)
)

# predicted_x = model.predict (x_test)
# residuals = np.argmax (predicted_x, 1) != np.argmax (y_test, 1)

# loss = sum (residuals) / len (residuals)
# print ("the validation 0/1 loss is: ", loss)
# # print ("accu is: ", 1- loss)
# orig_acc = 1 - loss
# print ("origin accu is: ", 1- loss)
# original_loss = model.evaluate(x_test, y_test, verbose=0)
# print('original model loss:', original_loss, '\n')

# **CIFAR perturbation section**

In [13]:
# Pretrained Models 
# from keras.applications.densenet import DenseNet169, preprocess_input as densenet_preprocess_input 
from keras.applications.vgg16 import preprocess_input

from keras.preprocessing import image

# Load ART dependencies:
from art.estimators.classification import KerasClassifier

# Attacks 
from art.attacks.evasion import ProjectedGradientDescent
from art.attacks.evasion import FastGradientMethod
from art.attacks.evasion import BasicIterativeMethod 
from art.attacks.evasion import CarliniL2Method
from art.attacks.evasion import DeepFool
from art.attacks.evasion import FrameSaliencyAttack
from art.attacks.evasion import HopSkipJump

# Defenses 
from art.defences.preprocessor import SpatialSmoothing
from art.defences.preprocessor import FeatureSqueezing
from art.defences.preprocessor import GaussianAugmentation
from art.defences.preprocessor import LabelSmoothing


In [14]:
import warnings

import tensorflow as tf

# Switch TF2 to graph mode before the ART wrapper is created.
# Presumably required by the ART KerasClassifier -- confirm against the installed release.
if tf.executing_eagerly():
    tf.compat.v1.disable_eager_execution()

tf.compat.v1.experimental.output_all_intermediates(True)

# NOTE(review): this silences every warning for the rest of the kernel session;
# narrow the filter if a specific noisy warning is the target.
warnings.filterwarnings('ignore')

In [15]:
from art.estimators.classification import KerasClassifier
import numpy as np
# from art.attacks.evasion import FastGradientMethod
from art.attacks.evasion import auto_projected_gradient_descent

from art.estimators.classification import TensorFlowV2Classifier
from sklearn.metrics import accuracy_score as accuracy 
from matplotlib import pyplot as plt

from tensorflow import keras
# model1 = keras.models.load_model("gdrive/MyDrive/CIFAR10.h5")


from art.preprocessing.preprocessing import Preprocessor

class VGG16Preprocessor(Preprocessor):
    """ART preprocessor that applies the Keras VGG16 `preprocess_input` transform.

    NOTE(review): cifar10vgg.predict() standardises inputs with its own mean/std
    (normalize_production); confirm this ImageNet-style transform matches what the
    wrapped network expects before trusting attack results computed through it.
    """

    def __call__(self, x, y=None):
        """Return `preprocess_input` applied to a copy of `x`; `y` is passed through."""
        # Work on a copy so the caller's array is never modified.
        x_copy = x.copy()
        return preprocess_input(x_copy), y

    def estimate_gradient(self, x, gradient):
        """Return `gradient` with its last axis reversed; `x` is not used."""
        # Presumably mirrors the channel reordering done by preprocess_input -- confirm.
        reversed_channels = gradient[..., ::-1]
        return reversed_channels
    

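# Create the ART classifier wrapper around the raw Keras network.
#
# cifar10vgg.predict() standardises inputs as (x - 120.707) / (64.15 + 1e-7) before
# calling the network (see normalize_production), and the later evaluation cells go
# through that path. The wrapper must therefore apply the same standardisation.
# The ImageNet VGG16 transform (channel swap plus per-channel mean subtraction, no
# scaling) feeds the network inputs on a different scale, so gradients and accuracy
# figures computed through it would not describe the model that is actually evaluated.
# ART accepts a (subtrahend, divisor) tuple for `preprocessing` and handles the
# matching gradient rescaling itself.
preprocessor = (120.707, 64.15 + 1e-7)
classifier = KerasClassifier(clip_values=(0, 255), model=model.model, preprocessing=preprocessor)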

**FGSM**

In [12]:
from sklearn.metrics import accuracy_score as accuracy 
from keras.utils.np_utils import to_categorical 
from art.attacks.evasion import FastGradientMethod

# Reload the untouched CIFAR-10 arrays so the attack starts from the raw images
# (the classifier wrapper is configured with clip_values=(0, 255)).
(x_train, y_train), (x_test, y_test) = cifar10.load_data()

# NOTE(review): this cell needs `classifier` from the ART wrapper cell. The NameError
# recorded in this cell's output shows it was executed before that cell existed in the
# kernel; run the notebook top to bottom so results are reproducible.
# eps is given in the same 0-255 units as clip_values.
attack = FastGradientMethod(estimator=classifier, eps=24) # it should be from 16 to 96 according to ADVERSARIAL VISUAL ROBUSTNESS BY CAUSAL INTERVENTION
x_test_adv = attack.generate(x=x_test)



NameError: name 'classifier' is not defined

In [None]:
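# `model` is the cifar10vgg wrapper, which defines no summary() method;
# the Keras network that has one is stored on its `.model` attribute.
model.model.summary()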

**PGD**

In [None]:
from art.attacks.evasion import ProjectedGradientDescent 
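(x_train, y_train), (x_test, y_test) = cifar10.load_data()

# Perturbation budget in the same 0-255 units as the classifier's clip_values.
eps = 24

# NOTE(review): 10 iterations of step size 1 can move a pixel by at most 10 units
# (unless a random start is enabled), so the eps=24 budget is never reached. The
# accuracy below therefore describes a weaker attack than the eps value suggests;
# raise max_iter or eps_step if the full budget is meant to be exercised.
attack = ProjectedGradientDescent(classifier, targeted=False, max_iter=10, eps_step=1, eps=eps)
# attack = BasicIterativeMethod(classifier, eps=1.0, eps_step=0.1, batch_size=128, verbose=False)
x_test_adv = attack.generate(x=x_test)
predictions = classifier.predict(x_test_adv)
# Clean-input baseline from the same wrapper: a robustness figure is only
# interpretable next to the accuracy the model had before the perturbation.
clean_predictions = classifier.predict(x_test)
perturbation = np.mean(np.abs((x_test_adv - x_test)))
# Report the budget that was actually used (the message previously said 0.1).
print("Eps value={}".format(eps))
print("Accuracy on clean test examples: {}%".format(accuracy(np.argmax(clean_predictions, axis=1),y_test) * 100))
print("Accuracy on adversarial test examples: {}%".format(accuracy(np.argmax(predictions, axis=1),y_test) * 100))
print('Average perturbation: {:4.2f}'.format(perturbation))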


In [33]:
# x_test_adv[0][0]

**BIM**

In [None]:
from art.attacks.evasion import BasicIterativeMethod 
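(x_train, y_train), (x_test, y_test) = cifar10.load_data()

# Perturbation budget in the same 0-255 units as the classifier's clip_values.
eps = 24

# NOTE(review): no eps_step or max_iter is passed, so the library defaults apply.
# Check that max_iter * eps_step can actually reach eps on a 0-255 scale; if it
# cannot, the accuracy below describes a weaker attack than eps suggests.
attack = BasicIterativeMethod(estimator=classifier, targeted=False, eps=eps)
# attack = BasicIterativeMethod(classifier, eps=1.0, eps_step=0.1, batch_size=128, verbose=False)
x_test_adv = attack.generate(x=x_test)
predictions = classifier.predict(x_test_adv)
# Clean-input baseline from the same wrapper, so the adversarial figure has a reference.
clean_predictions = classifier.predict(x_test)
perturbation = np.mean(np.abs((x_test_adv - x_test)))
# Report the budget that was actually used (the message previously said 0.1).
print("Eps value={}".format(eps))
print("Accuracy on clean test examples: {}%".format(accuracy(np.argmax(clean_predictions, axis=1),y_test) * 100))
print("Accuracy on adversarial test examples: {}%".format(accuracy(np.argmax(predictions, axis=1),y_test) * 100))
print('Average perturbation: {:4.2f}'.format(perturbation))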


In [18]:
import ast
import glob
import shutil
import os

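# One output folder per CIFAR-10 class id (0-9) for the saved adversarial images.
# exist_ok=True replaces the separate exists() check, so a folder created between
# the check and the call can no longer raise, and re-running the cell is harmless.
for i in range(0, 10):
    os.makedirs('PGD/classes/' + str(i) + '/', exist_ok=True)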

In [39]:
# Reload CIFAR-10 so y_test holds the labels as returned by the loader again
# (earlier cells rebind y_test to one-hot vectors).
(x_train, y_train), (x_test, y_test) = cifar10.load_data()

**Save PGD test set**

In [None]:
from PIL import Image
import numpy
import re 

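# Write every adversarial test image to PGD/classes/<class id>/<index>.png.
saved_count = 0
for i in range(len(x_test_adv)):
    # y_test is rebound between integer labels and one-hot vectors in different cells
    # of this notebook; derive the class id numerically so either form yields a valid
    # folder name (parsing str(y_test[i]) breaks on a one-hot row).
    label_row = np.ravel(y_test[i])
    if label_row.size == 1:
        clas = str(int(label_row[0]))
    else:
        clas = str(int(np.argmax(label_row)))
    dst = "PGD/classes/" + clas + '/' + str(i) + '.png'  # replace PGD/FGSM/BIM

    # Round to the nearest 8-bit value and clip before casting: a bare astype('uint8')
    # truncates fractions and wraps out-of-range values.
    # NOTE(review): 8-bit quantisation still alters the perturbation, so the saved
    # PNGs are not identical to x_test_adv; re-evaluate the saved files if they are
    # the artefact being reported on.
    img_numpy = np.clip(np.rint(np.array(x_test_adv[i])), 0, 255)
    PIL_image = Image.fromarray(img_numpy.astype('uint8'), 'RGB')
    PIL_image.save(dst)
    saved_count += 1

# One summary line instead of three printed lines per image.
print("saved", saved_count, "images under PGD/classes/")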

In [None]:
# Bundle the saved images into file.zip for download. Both arguments are fixed
# literals, so nothing from the notebook state is interpolated into the shell command.
!zip -r file.zip './PGD'
from IPython.display import FileLink

In [42]:
# Render a download link for the archive created in the previous cell.
FileLink(r'file.zip')

In [None]:
import keras
from keras.layers import Lambda
from keras import backend as K
from keras.layers import Conv2D, MaxPooling2D, BatchNormalization, GlobalAveragePooling2D, MaxPool2D 
from keras.layers import Lambda
import time
from keras.utils.np_utils import to_categorical 

from tensorflow.keras.applications.vgg19 import preprocess_input, decode_predictions

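(x_train, y_train), (x_test, y_test) = cifar10.load_data()
x_train = x_train.astype('float32')
x_test = x_test.astype('float32')

y_train = to_categorical(y_train, 10)
y_test = to_categorical(y_test, 10)

# Find the test images that the model classifies correctly when clean but
# misclassifies after perturbation. `model` is the cifar10vgg wrapper, so predict()
# applies its own input standardisation. Two batched calls replace the two
# predict() calls that were issued per image.
true_labels = np.argmax(y_test, axis=1)
clean_labels = model.predict(x_test).argmax(axis=1)
adv_labels = model.predict(x_test_adv).argmax(axis=1)

clean_correct = clean_labels == true_labels
flipped = clean_correct & (adv_labels != true_labels)

# Same results as before: the indices of the flipped images and their count.
indices_Of_Pert_Images = np.flatnonzero(flipped).tolist()
k = len(indices_Of_Pert_Images)

n_clean_correct = int(clean_correct.sum())
print('correctly classified before perturbation:', n_clean_correct, 'of', len(x_test))
print('not correctly classified:', k)
if n_clean_correct:
    # Share of the originally correct images that the perturbation flipped.
    print('fraction of correct images flipped:', k / n_clean_correct)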

**Accuracy after perturbation**

In [None]:
import keras
from keras.layers import Lambda
from keras import backend as K
from keras.layers import Conv2D, MaxPooling2D, BatchNormalization, GlobalAveragePooling2D, MaxPool2D 
from keras.layers import Lambda
import time
from keras.utils.np_utils import to_categorical 

from tensorflow.keras.applications.vgg19 import preprocess_input, decode_predictions

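(x_train, y_train), (x_test, y_test) = cifar10.load_data()
x_train = x_train.astype('float32')
x_test = x_test.astype('float32')

y_train = to_categorical(y_train, 10)
y_test = to_categorical(y_test, 10)

# For every test image, take the prediction of the most confident model in
# `arrays_of_VGG_Caus` and count how often it matches the true label.
# NOTE(review): `arrays_of_VGG_Caus` is not defined in any visible cell; it must come
# from kernel state, so this cell fails on a fresh Restart & Run All.
# NOTE(review): the loop evaluates the clean x_test. If the accuracy on perturbed
# inputs is what should be measured here, x_test_adv is presumably the intended
# input -- confirm.
max_acc = 0
k = 0
for i in range(len(x_test)):
    max_acc = 0
    top_predicted = 0
    for each_model in arrays_of_VGG_Caus:
        # Classify the image with this model and read its top probability.
        probs = each_model.predict(x_test[np.newaxis, i])
        prediction = probs.argmax(axis=1)
        probOrig = probs.max()
        orig_acc = probOrig
        print('pred[0]', prediction[0])
        print('origin acc', orig_acc)
        print("[INFO] Predicted: {}, Actual: {}".format(
            prediction[0], np.argmax(y_test[i])))
        if orig_acc > max_acc:
            # Remember the best confidence seen so far. Without this update max_acc
            # stayed at 0 and the last model in the list always won.
            max_acc = orig_acc
            top_predicted = prediction[0]
    print('----------------------------------------')
    if top_predicted == np.argmax(y_test[i]):
        print('image number', i)
        k += 1
        print('correctly classified:', k)
        print('current accuracy:', k/len(x_test))
    print('----------------------------------------')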