# RUC Practical AI Final Project: **Adversarial Attack and Defense Evaluation on WildCats Image Classification**

### **Project Abstract:**

Machine learning models are increasingly used in wildlife conservation for species classification and tracking endangered wildlife. This project leverages data from Kaggle to build and evaluate models for wildcat conservation. Traditional models, such as RandomForest, serve as baselines for comparison against more advanced models like CNN, MobileNetV3, and EfficientNet B0, which capture more detailed features of wildcats.

A key focus of this project is to enhance the resilience of image processing systems against adversarial attacks, such as FGSM (Fast Gradient Sign Method), which subtly manipulate images to mislead classifiers. To defend against such attacks, ensemble methods, including JPEG compression followed by spatial smoothing, are applied.

Initial training without data augmentation revealed that MobileNetV3_small performed better in capturing important features (e.g., spots and lines) compared to optimizedCNN, with accuracy dropping drastically under FGSM attack—MobileNetV3_small with Adadelta optimizer fell from 96% to 6%, and with AdamW optimizer from 94% to 52%. However, applying the JPEG compression and spatial smoothing defense increased accuracy to 40% for the Adadelta optimizer model but reduced it to 36% for the AdamW optimizer model.

Further experiments with data augmentation (Horizontal and Vertical Flip, Color Jitter) showed a slight improvement in accuracy post-attack for the Adadelta optimizer model (from 6% to 16%), but a decrease for the AdamW optimizer model (from 52% to 38%). After defense methods were applied, the Adadelta model's accuracy dropped from 40% to 24%, while the AdamW model's accuracy increased from 36% to 48%.

These results suggest that the models may require further tuning or the use of surrogate models to better differentiate wildcats from background noise and enhance resilience to adversarial attacks. Overall, the project highlights the importance of robust machine learning models in wildlife conservation, particularly in the presence of adversarial threats.


### **Problem Addressed**

The conservation of endangered wildcat species is a critical issue, as these species face numerous threats to their survival. A major challenge lies in accurately monitoring wildcat populations, their health, and behavior—crucial information for developing effective conservation strategies. Wildcats are elusive, solitary, and often nocturnal, making them difficult to track using traditional methods. As a result, there are significant gaps in our understanding of their distribution, movement patterns, and ecological needs.

One key concern is the loss of natural habitats, driven by human activities such as deforestation, agriculture, and urbanization. Habitat fragmentation reduces the available space for wildcats, isolates populations, and limits access to vital resources. This fragmentation increases the risk of human-wildcat conflict, including livestock predation, which can lead to retaliation killings or displacement of wildcat populations.

Illegal hunting and poaching are also major threats, with demand for wildcat fur, bones, and other body parts fueling these activities. In areas with weak enforcement, poaching remains a persistent risk. The challenge of detecting and preventing poaching is compounded by the difficulty of monitoring large and remote areas effectively.

A promising solution to these challenges is the use of camera traps and imaging technology. Camera traps provide a non-invasive method for tracking wildcat populations, capturing images that help to monitor their movements, behavior, and health. These images offer valuable insights into population size, distribution, and habitat usage, and can help identify individual wildcats through unique markings or features. In addition, camera traps can capture evidence of human presence, such as footprints or illegal activities, providing critical data for anti-poaching efforts.

By leveraging camera trap images, conservationists can gather real-time data, monitor protected areas more efficiently, and inform conservation policies. This approach helps bridge the gap in monitoring efforts, reduces the risks posed by habitat fragmentation and illegal activities, and supports the development of strategies for protecting wildcat populations and their habitats.


### **Motivation**

The conservation of endangered wildcat species is critical as they play an essential role in maintaining the balance of ecosystems. Many wildcats are facing imminent threats due to factors such as habitat destruction, climate change, and poaching, leading to a rapid decline in their populations. This work is important because it focuses on developing and implementing effective strategies for monitoring these elusive species, which are often difficult to track due to their solitary and secretive nature.

By using advanced technologies such as camera traps, the project aims to gather crucial data on wildcat populations, their health, and movements. This information will support the creation of targeted conservation policies, the protection of critical habitats, and efforts to deter illegal hunting and human-wildcat conflict. If successful, the outcomes will benefit not only the wildcat populations but also local communities by preserving biodiversity, ensuring ecosystem services, and fostering a sustainable coexistence between wildlife and human activities. Ultimately, the success of this work will contribute to the broader goal of global biodiversity conservation and the long-term survival of these iconic species.


## **Literature Review / Previous Work**

Adversarial examples, first explored by Szegedy et al. (2013) and Goodfellow et al. (2014), reveal that small perturbations can lead deep neural networks (DNNs) to misclassify inputs. Goodfellow introduced the Fast Gradient Sign Method (FGSM) for generating adversarial examples, while also suggesting adversarial training as a potential defense, though not entirely effective. Subsequent works, such as Papernot et al. (2017), expanded the focus to black-box attacks, where attackers lack access to model parameters but can still manipulate outputs. Huang et al. (2017) demonstrated that adversarial examples could destabilize reinforcement learning policies, emphasizing the challenge in safety-critical applications.

The defense landscape includes various strategies like feature squeezing (Xu, 2017), which reduces the input feature space to make adversarial perturbations harder to detect. Wang et al. (2021) provide a comprehensive survey on the evolution of adversarial attack methods and corresponding defenses, highlighting the ongoing "arms race" between the two. Meanwhile, the practical impact of adversarial examples extends to fields like wildlife conservation, as seen in Norouzzadeh et al. (2018), where automated systems for animal identification can be compromised by adversarial inputs. Overall, adversarial robustness remains a critical area of research for ensuring the reliability of deep learning systems in real-world applications.  

### **References**:

1. Szegedy, Christian, et al. "Intriguing properties of neural networks." *arXiv preprint arXiv:1312.6199*, 2013.  
2. Goodfellow, Ian J., Jonathon Shlens, and Christian Szegedy. "Explaining and harnessing adversarial examples." *arXiv preprint arXiv:1412.6572*, 2014.  
3. Papernot, Nicolas, et al. "Practical black-box attacks against machine learning." *Proceedings of the 2017 ACM on Asia conference on computer and communications security*, 2017.  
4. Huang, Sandy, et al. "Adversarial attacks on neural network policies." *arXiv preprint arXiv:1702.02284*, 2017.  
5. Xu, W. "Feature squeezing: Detecting adversarial examples in deep neural networks." *arXiv preprint arXiv:1704.01155*, 2017.  
6. Wang, Chengyu, Jia Wang, and Qiuzhen Lin. "Adversarial attacks and defenses in deep learning: A survey." *Intelligent Computing Theories and Application: 17th International Conference, ICIC 2021, Shenzhen, China*, Springer, 2021.  
7. Norouzzadeh, Mohammad Sadegh, et al. "Automatically identifying, counting, and describing wild animals in camera-trap images with deep learning." *Proceedings of the National Academy of Sciences* 115.25 (2018): E5716-E5725.


## **Wildcat Conservation through Machine Learning: A V-Model Approach**

## **Project Schedule & Methodology**

This project is aimed at developing a robust machine learning system for wildcat classification, with a focus on defending against adversarial attacks. The project will be carried out over **6 months**, following the **V-Model** software development approach, which integrates development and testing phases in parallel.

### **Project Phases Overview**

The project is divided into the following phases, each with corresponding development and testing/validation steps to ensure the final model is both accurate and resilient to adversarial perturbations.

### **Phase 1 – Requirement Analysis & Data Preparation (Month 1)**

#### **Development Phase**:
- **Problem Definition**:
  - Define the problem statement and performance metrics with stakeholders.
  - Assess the project's ethical, legal, privacy, and security implications.
  
- **Data Preparation**:
  - Collect and preprocess data for model training.
  - Clean and annotate the dataset.
  - Perform **Exploratory Data Analysis (EDA)** to understand data distributions and identify any potential issues.
  
#### **Testing/Validation Phase**:
- **Data Validation**:
  - Verify the integrity and labeling of the dataset.
  - Conduct checks for biases, class imbalances, and other data issues.
  
- **Feasibility Study**:
  - Ensure that the dataset is suitable for training models.
  - Evaluate the dataset's coverage and the quality of its labels.


### **Phase 2 – System Design & Model Development (Month 2)**

#### **Development Phase**:
- **Baseline Model Development**:
  - Develop baseline models such as **SVM** and **RandomForest** that do not rely on deep learning.
  
- **Advanced Model Design**:
  - Implement and evaluate advanced models such as **MobileNetV3** and **EfficientNet B0**.
  - Perform hyperparameter tuning and selection of the best model based on accuracy and other metrics.

#### **Testing/Validation Phase**:
- **Model Validation**:
  - Perform cross-validation to ensure models are robust and prevent overfitting.
  
- **Performance Testing**:
  - Measure and document baseline model performance using metrics like accuracy, precision, and F1-score.

### **Phase 3 – Model Evaluation & Adversarial Attack Simulation (Month 3)**

#### **Development Phase**:
- **Explainability**:
  - Apply **Captum** to assess model explainability and identify which features impact model decisions.
  
- **Adversarial Attack Simulation**:
  - Use **FGSM (Fast Gradient Sign Method)** to generate adversarial examples.
  - Assess the model's resilience under adversarial perturbations and measure accuracy drop.

#### **Testing/Validation Phase**:
- **Robustness Testing**:
  - Evaluate how the model performs under adversarial conditions.
  
- **Explainability Validation**:
  - Validate that the model focuses on the correct image pixels/features for making predictions.
  
- **Stress Testing**:
  - Measure the model's vulnerability to adversarial attacks and determine its level of robustness.

### **Phase 4 – Defense Design & Implementation (Month 4)**

#### **Development Phase**:
- **Defense Methods**:
  - Implement defenses like **JPEG compression** and **spatial smoothing** to improve model robustness.
  - Explore ensemble methods if standalone defenses are insufficient.

- **Data Augmentation**:
  - Apply augmentation techniques like horizontal/vertical flips and color jittering to enhance model generalization.

#### **Testing/Validation Phase**:
- **Defense Evaluation**:
  - Test the effectiveness of implemented defenses and their ability to improve resilience to adversarial attacks.

- **Augmentation Testing**:
  - Measure the effects of data augmentation on model accuracy and robustness.
  
- **Defense Testing**:
  - Evaluate the model’s performance after applying defenses under adversarial conditions.


### **Phase 5 – Model Optimization & Final Evaluation (Month 5)**

#### **Development Phase**:
- **Optimization**:
  - Further optimize the model with parameter tuning and comparative experiments.
  - Conduct final training and evaluate the performance using the chosen metrics.
  
- **Documentation**:
  - Document all model development decisions and tuning procedures.
  
#### **Testing/Validation Phase**:
- **Optimization Testing**:
  - Validate the model's performance after optimization and measure improvements in accuracy and robustness.

- **Conformance Testing**:
  - Ensure the final model meets the initial problem requirements and stakeholder expectations.

- **Regression Testing**:
  - Check for performance consistency after optimization to avoid introducing errors.

### **Phase 6 – Stakeholder Feedback & Deployment (Month 6)**

#### **Development Phase**:
- **Stakeholder Feedback**:
  - Present the final model performance to stakeholders in simple, understandable terms.
  - Collect feedback and make adjustments as necessary.

- **Deployment**:
  - Implement any necessary final changes based on stakeholder feedback and prepare the model for deployment.

#### **Testing/Validation Phase**:
- **User Acceptance Testing (UAT)**:
  - Conduct user acceptance tests to ensure the model meets stakeholders' needs.

- **Performance Evaluation**:
  - Reassess the model’s performance after deployment and ensure it is functioning as expected in real-world conditions.


### **Summary of V-Model Approach**

The **V-Model** approach involves the following key phases:

1. **Development Phases** (Left side of the "V"):
   - Problem Definition & Data Preparation
   - Model Development & Baseline Setup
   - Model Evaluation & Adversarial Attack Simulation
   - Defense Design & Implementation
   - Model Optimization & Final Evaluation
   - Stakeholder Feedback & Deployment

2. **Testing/Validation Phases** (Right side of the "V"):
   - Data Validation & Feasibility Study
   - Model Validation & Performance Testing
   - Robustness Testing & Explainability Validation
   - Defense Evaluation & Augmentation Testing
   - Optimization Testing & Conformance Testing
   - User Acceptance Testing & Performance Evaluation

This project follows the **V-Model** approach, ensuring each development phase is accompanied by rigorous testing and validation. This method guarantees that the model is robust, well-tuned, and resilient to adversarial attacks while meeting the project requirements. By employing clear validation strategies at each stage, we ensure the reliability and fairness of the system, contributing to a successful wildcat conservation model.


## **Milestones**

- **Month 1**: Complete data collection, cleaning, and annotation.
- **Month 2**: Set up baseline models and perform initial evaluation.
- **Month 3**: Conduct adversarial attack simulations and document results.
- **Month 4**: Complete defense integration and evaluate their impact.
- **Month 5**: Further experiments, fine-tuning, and model validation.
- **Month 6**: Final evaluation and presentation to stakeholders.



## **Budget**

The following is a breakdown of the **estimated budget** for the project:

### **Personnel Costs**

- **Data Scientist/Engineer (2 people)**: $70,000 - $80,000  
- **Machine Learning Engineer (1 person)**: $80,000 - $90,000 
- **Project Manager (1 person)**: $20,000 - $30,000  

### **Cloud Computing & Infrastructure**

- **Cloud services (AWS/GCP)**: $5,000
- **Data storage**: $2,000  

### **Miscellaneous Costs**

- **Software licenses**: $1,000  
- **Conference/publication fees**: $2,000  

**Total Estimated Budget**: **$211,600**

## **Budget Considerations**

While the budget is generous to account for the complexity of neural networks and adversarial defense, it could be reduced through the use of open-source tools. When selecting open-source tools, consider the following questions:

- **Credibility of the Source**: Who developed the tool? Are they reputable in the field?  
- **Team Size and Maintenance**: Was the tool created by an individual or a team? Who maintains it, and how often is it updated?  
- **Documentation & Support**: Is the tool well-documented? Does it have an active user community or contributor documentation?  
- **Dependencies & Compatibility**: What dependencies does the tool require, and will they conflict with other project dependencies?  
- **Independent Evaluation**: Has the tool been peer-reviewed or independently evaluated?  
- **License**: What license does the tool have? Is it free to use for your intended application?  
- **Legal & Organizational Approval**: Does your organization have an approval process for open-source tools? Are there any legal restrictions?

## **Team and Productionization**

### **Team Composition**

The project team will include:

- **Data Scientist/Engineer**: Responsible for data acquisition, preprocessing, and augmentation.
- **Machine Learning Engineer**: Focuses on model development, adversarial attack simulations, and implementing defense methods.
- **Project Manager**: Manages the project timeline, coordinates the team, and ensures milestones are met.

### **Productionization Plan**

- Once models are optimized, they will be deployed in a cloud environment for **real-time updates** and testing.
- **Ongoing monitoring** and retraining will be implemented to adapt to new data and evolving adversarial techniques.


## **Success Indicators**

The success of the project will be measured by the following criteria:

1. **Model Performance**: Achieve high accuracy on clean data and maintain resilience under adversarial attack (with accuracy drop ≤ 20%).
2. **Defense Effectiveness**: Demonstrate at least a 20% improvement in performance after implementing defense techniques.
3. **Scalability**: Ensure successful deployment of models in a cloud-based platform for **real-world applications**.
4. **Wildlife Conservation Impact**: Show the model's effectiveness in classifying endangered wildcats with high accuracy in wildlife conservation scenarios.

By following best practices in **adversarial robustness** (as discussed in Ian Goodfellow's research), this project aims to produce **reliable machine learning models** that can withstand adversarial threats and contribute to wildlife conservation efforts.


## **Technical Approach**

- The first steps taken is to consider a non-neural network model if it could used as a baseline to solve the wildlife image classification.
- Here RandomForest approach is considered wherein the images are converted to three main features mean_R, mean_G, mean_B corresponding to the mean of the red , green, and blue channels.
- The variance of the RGB channels - var_R, var_G, var_B are also considered. 
- The GridSearch, Cross validation, scaled inputs, Principal Component Analysis were performed, however the accuracy of model `didnt exceed 26%`.
- Hence Machine learning methods involving neural network was considered.

In [1]:
%load_ext autoreload
%autoreload 2
%matplotlib widget
%reload_ext autoreload

import torch

# Data loading
from torch.utils.data import DataLoader
from torchvision.transforms import v2

# Visualization
import matplotlib.pyplot as plt
import seaborn as sns

# Seed and device configuration
torch.manual_seed(1)
device = torch.device("cuda" if torch.cuda.is_available() else "cpu")

import os
import numpy as np

import sys

sys.path.append(os.path.abspath(os.path.join(os.getcwd(), "..")))

from finalproject.data_loading import read_wild_cats_annotation_file
from finalproject.data_loading import plot_batch_images
from finalproject.data_loading import WildCatsDataset
from pathlib import Path

from sklearn.ensemble import RandomForestClassifier
from sklearn.metrics import accuracy_score
from sklearn.model_selection import cross_val_score
from sklearn.preprocessing import StandardScaler
from sklearn.decomposition import PCA

from finalproject.data_loading import read_wild_cats_annotation_file
from finalproject.scikit_classification import (
    train_and_evaluate_randomforest,
    train_and_tune_randomforest_GridSearch,
)
from finalproject.scikit_classification import extract_features_from_dataframe

from finalproject.onnx_save_model import export_model_to_onnx

from finalproject.nn_models import MobileNetV3SmallCNN, OptimizedCNN
from finalproject.training_pipeline import (
    configure_training_device,
    train_modified_scheduler_with_early_stopping,
)
from finalproject.data_loading import plot_train_test_loss

import json
from dataclasses import dataclass, asdict
from typing import Any

from finalproject.captum_explainability import plot_explainability_with_captum_occlusion
from finalproject.captum_explainability import ONNXModelWrapper

from finalproject.adversarial_attack_defense import apply_fgsm_to_model
from finalproject.adversarial_attack_defense import test_fgsm_attack_batch_with_defense

In [2]:
import warnings

warnings.filterwarnings("ignore")

* The below line of code is to be used for downloading dataset from kaggle from command line.
* In case kaggle package is not installed, it can be done using `!poetry add kaggle`.
* The wildcats dataset used from kaggle can be downloaded directly from command line using `!kaggle datasets download -d gpiosenka/cats-in-the-wild-image-classification`
* After download,the zip file `cats-in-the-wild-image-classification.zip` will be unzipped to a folder `cats_in_wild_data` which would be required to be kept outside the finalproject and notebboks module.

In [3]:
annotations_file_path = "./cats_in_wild_data/WILDCATS.CSV"
train_data, test_data, validation_data, idx_to_class = read_wild_cats_annotation_file(
    annotations_file_path
)

In [4]:
train_data.iloc[0, :]

class id                                       0
filepaths          train/AFRICAN LEOPARD/001.jpg
labels                           AFRICAN LEOPARD
data set                                   train
scientific name           Panthera pardus pardus
Name: 0, dtype: object

In [5]:
idx_to_class

{0: 'AFRICAN LEOPARD',
 1: 'CARACAL',
 2: 'CHEETAH',
 3: 'CLOUDED LEOPARD',
 4: 'JAGUAR',
 5: 'LIONS',
 6: 'OCELOT',
 7: 'PUMA',
 8: 'SNOW LEOPARD',
 9: 'TIGER'}

- This `image_directory (image_dir)` would be further used for Custom Dataset Loader (WildCatsDataset) using torch.
- The `Path package from pathlib`, helps to determine the current directory where the notebook is present.
- This helps to run the program without confined to a single system.

In [6]:
curr_work_dir = Path.cwd()
current_dir_abs = os.path.abspath(curr_work_dir)
parent_dir = os.path.dirname(current_dir_abs)
image_dir = os.path.join(parent_dir, "./cats_in_wild_data")

## Non-ML Models

### Random Forest

In [7]:
dataset_folder_absolute_path = os.path.join(parent_dir, "./cats_in_wild_data")

X_train, y_train = extract_features_from_dataframe(
    dataset_folder_absolute_path, train_data
)
X_test, y_test = extract_features_from_dataframe(
    dataset_folder_absolute_path, test_data
)

train_and_evaluate_randomforest(X_train, y_train, X_test, y_test)

Training accuracy: 100.00%
Test accuracy: 20.00%


### RandomForest with GridSearch

In [None]:
param_grid = {
    "n_estimators": [100, 200],
    "max_depth": [10, 20, None],
    "min_samples_split": [2, 5, 10],  # Minimum samples to split a node
    "min_samples_leaf": [1, 2, 4],  # Minimum samples in each leaf
    "max_features": ["sqrt", "log2"],  # Features to consider for each split
    "bootstrap": [True, False],
}

train_and_tune_randomforest_GridSearch(X_train, y_train, X_test, y_test, param_grid)

### RandomForest with Cross Validation

In [None]:
classifier = RandomForestClassifier(random_state=42)
cross_validation_scores = cross_val_score(
    classifier, X_train, y_train, cv=5, scoring="accuracy"
)

print(f"Cross-validation scores: {cross_validation_scores}")
print(f"Average cross-validation score: {cross_validation_scores.mean() * 100:.2f}%")

### RandomForest with scaled inputs

In [None]:
# Standardize the features
scaler = StandardScaler()
X_train_scaled = scaler.fit_transform(X_train)
X_test_scaled = scaler.transform(X_test)

classifier = RandomForestClassifier(random_state=42)
classifier.fit(X_train_scaled, y_train)
y_pred = classifier.predict(X_test_scaled)
test_accuracy = accuracy_score(y_test, y_pred)
print(f"Test accuracy with scaled features: {test_accuracy * 100:.2f}%")

### Applying PCA with RandomForest

In [None]:
# Determine the number of features
n_components = min(6, X_train.shape[1])

# Apply PCA
pca = PCA(n_components=n_components)
X_train_pca = pca.fit_transform(X_train)
X_test_pca = pca.transform(X_test)

classifier = RandomForestClassifier(random_state=42)
classifier.fit(X_train_pca, y_train)
y_pred = classifier.predict(X_test_pca)
test_accuracy = accuracy_score(y_test, y_pred)
print(f"Test accuracy with PCA: {test_accuracy * 100:.2f}%")

**Is supervised machine learning feasible for wildlife image classification?**

- Since non-ML models are unable to capture the pattern in images to differentiate the cats, the accuracy of the models does not increase above 
`26%`. 
- As the complexity of the image is `high`, we conclude that `ML models are more suited for image classification` to capture
higher in-depth information of pixels in image.

## Deep Learning

- In this section, we consider the CNN models (Convolutional Neural Network) from pytorch which will be tuned using hyperparameter tuning.
- MobileNetV3_small is also considered for experimentation if the model can learn the features of wildcats image.

In [12]:
batch_size = 64
train_dataloader = DataLoader(
    WildCatsDataset(
        img_dir=image_dir,
        data=train_data,
    ),
    batch_size=batch_size,
    shuffle=True,
)
test_dataloader = DataLoader(
    WildCatsDataset(
        img_dir=image_dir,
        data=test_data,
    ),
    batch_size=batch_size,
    shuffle=True,
)
validation_dataloader = DataLoader(
    WildCatsDataset(
        img_dir=image_dir,
        data=validation_data,
    ),
    batch_size=batch_size,
    shuffle=True,
)

In [13]:
batch = next(iter(train_dataloader))

- A Sample of the test data are displayed along with their labels below which also serves as a means to confirm the successful loading of datasets.

In [None]:
plot_batch_images(batch, rows=3, columns=3)

In [None]:
batch["image_input"][0].shape

- The torch.Size depicts the dimensions of the image which is the Channel, Height and Width.

## Model - Training and Testing

- At this part of the sections all 3 models - `OptimizedCNN`, `MobileNetV3_small with adadelta` optimizer and `MobileNetV3_small with adamW` optimizer are considered for training.
- Experminentation was performed by tuning the hyper parameters of the model to have a training accuracy above `70%`.
- The documentation of the parameters along with timetaken to run program, minimum test loss and training loss are pesesnt in `Parameter tuning.xlsx`
- The 3 mentioned models have accuracy above `70%`, which has serves as criteria to select these 3 models for further anlysis to determine which of them is more robust and resilient to adversarial attacks.

### Training Parameters

In [16]:
@dataclass
class TrainingParameters:
    """Training parameters for a simple neural network trainer."""

    batch_size: int = 64
    test_batch_size: int = 64
    epochs: int = 20
    lr: float = 1.0
    gamma: float = 0.5
    step_size: int = 5
    weight_decay: float = 0
    no_cuda: bool = True  # Enable or disable CUDA
    no_mps: bool = True  # Enable or disable GPU on MacOS
    dry_run: bool = False
    seed: int = 1
    log_interval: int = 10
    save_model: bool = True
    optimizer_type: str = "adadelta"

    def to_json(self, file_path: str):
        """Serialize the dataclass to a JSON file."""
        with open(file_path, "w") as f:
            json.dump(asdict(self), f, indent=4)
        print(f"Training parameters saved to {file_path}")

    @classmethod
    def from_json(cls, file_path: str) -> "TrainingParameters":
        """Load the training parameters from a JSON file."""
        with open(file_path, "r") as f:
            data = json.load(f)
        return cls(**data)

### MobileNetV3_small with adadelta optimizer

In [None]:
def execute_training_pipeline_mobilenet(optimizer="adadelta"):
    if optimizer != "adadelta":
        params = TrainingParameters(optimizer_type=optimizer)
        params.to_json("training_parameters.json")

    training_params = TrainingParameters.from_json("training_parameters.json")
    device, train_kwargs, test_kwargs = configure_training_device(training_params)
    model = MobileNetV3SmallCNN().to(device)
    return train_modified_scheduler_with_early_stopping(
        model,
        training_params,
        device,
        train_dataloader,
        test_dataloader,
        f"WildCats_MobileNetV3SmallCNN_{optimizer}1_0_step5_gam0_5",
        patience=10,
    )


(
    mobilenet_train_loss_lst,
    mobilenet_test_loss_lst,
    mobilenet_train_accuracies_lst,
    mobilenet_test_accuracies_lst,
    mobilenet_trained_model,
) = execute_training_pipeline_mobilenet()

print(
    "The minimum training and testing loss is {} {}".format(
        np.min(mobilenet_train_loss_lst), np.min(mobilenet_test_loss_lst)
    )
)

### MobileNetV3_small with AdamW optimizer

In [None]:
(
    mobilenet_adamw_train_loss_lst,
    mobilenet_adamw_test_loss_lst,
    mobilenet_adamw_train_accuracies_lst,
    mobilenet_adamw_test_accuracies_lst,
    mobilenet_adamw_trained_model,
) = execute_training_pipeline_mobilenet(optimizer="adamw")

print(
    "The minimum training and testing loss is {} {}".format(
        np.min(mobilenet_adamw_train_loss_lst), np.min(mobilenet_adamw_test_loss_lst)
    )
)

### Plotting the training and test loss - MobileNetV3_small

- Lower the testing loss better the model generalizes the test image data.
- Lower the training loss (when training loss is very much lower than test loss), the model becomes overfitted to training data.
- Epoch represents the number of cycles the model is run which is controlled by the `training_parameters.json`

In [None]:
epochs = np.arange(1, 21, 1)
plot_train_test_loss(
    epochs,
    mobilenet_train_loss_lst,
    mobilenet_test_loss_lst,
    model_title="MobileNetV3_small",
)

In [None]:
epochs = np.arange(1, 21, 1)
plot_train_test_loss(
    epochs,
    mobilenet_adamw_train_loss_lst,
    mobilenet_adamw_test_loss_lst,
    model_title="MobileNetV3_small_AdamW",
)

### OptimizedCNN

In [None]:
def execute_training_pipeline_optimizedcnn():
    params = TrainingParameters(optimizer_type="adadelta")
    params.to_json("training_parameters.json")
    training_params = TrainingParameters.from_json("training_parameters.json")
    device, train_kwargs, test_kwargs = configure_training_device(training_params)
    model = OptimizedCNN().to(device)
    return train_modified_scheduler_with_early_stopping(
        model,
        training_params,
        device,
        train_dataloader,
        test_dataloader,
        "WildCats_OptimizedCNN_adadelta1_0_k4_step5_gam0_5",
        patience=10,
    )


(
    cnn_train_loss_lst,
    cnn_test_loss_lst,
    cnn_train_accuracies_lst,
    cnn_test_accuracies_lst,
    cnn_trained_model,
) = execute_training_pipeline_optimizedcnn()

print(
    "The minimum training and testing loss is {} {}".format(
        np.min(cnn_train_loss_lst), np.min(cnn_test_loss_lst)
    )
)

In [None]:
epochs = np.arange(1, 21, 1)
plot_train_test_loss(
    epochs, cnn_train_loss_lst, cnn_test_loss_lst, model_title="OptimizedCNN"
)

## ONNX Model saving

- The PyTorch models are stored in ONNX format which helps with linking the training and inference code.
- This also helps to run inference faster as the perfomance is atleast `3 times` faster when using ONNX to load model, when compared to using pickle files to load and perform inference on the model

In [None]:
mobilenet_model_path = export_model_to_onnx(
    mobilenet_trained_model, "mobilenet_trained_model"
)
mobilenet_adamw_model_path = export_model_to_onnx(
    mobilenet_adamw_trained_model, "mobilenet_adamw_trained_model"
)
optimizedcnn_model_path = export_model_to_onnx(
    cnn_trained_model, "optimizedcnn_trained_model"
)

## Model Explainability with Captum

- This section of the notebook help to provide a visual representation on the pixels which are considered important by the model.
- These pixels are then further used for making decision by the model.
- Here we use the Occlusion method of explainability from Captum library as it provides a user friendly approach and has methods to show the pixels which are important with different shades to color to deteremine more important features based on darker shade.

### OptimizedCNN

In [24]:
for batch in test_dataloader:
    image_input = batch["image_input"]
    target_class = batch["target"]

    sample_image = image_input[0].unsqueeze(
        0
    )  # Add batch dimension (Shape: [1, 3, 224, 224])
    target_class = target_class[0]  # The target class

    break

In [None]:
optimizedcnn_onnx_model = ONNXModelWrapper(optimizedcnn_model_path)

plot_explainability_with_captum_occlusion(
    optimizedcnn_onnx_model,
    sample_image,
    target_class=target_class.item(),
    overall_title="OptimizedCNN",
)

- Here by applying the masking the unimportant pixels with darker shade, the image pixels which are not shaded under `Masked positive attribution ` provides a clear explanation on which pixels were used as basis by the model for interpretation.
- Based on the above image, we are able to see that `OptimizedCNN` does not learn the underlying information of image as expected.
- Hence this model is dropped due to poor explainability of the features .

### MobileNetV3_small

In [None]:
mobilenet_onnx_model = ONNXModelWrapper(mobilenet_model_path)

plot_explainability_with_captum_occlusion(
    mobilenet_onnx_model,
    sample_image,
    target_class=target_class.item(),
    overall_title="MobileNetV3_small",
)

### MobileNetV3_small_AdamW

In [None]:
mobilenet_adamw_onnx_model = ONNXModelWrapper(mobilenet_adamw_model_path)

plot_explainability_with_captum_occlusion(
    mobilenet_adamw_onnx_model,
    sample_image,
    target_class=target_class.item(),
    overall_title="MobileNetV3_small_AdamW",
)

- Unlike `OptimizedCNN`, the positive attribution of `MobilenetV3_small` model shows a clear difference wherein the face , outline, the pattern on the animal are considered for prediction.
- Hence `MobilenetV3_small` model with adadelta and `MobilenetV3_small` with AdamW optimizer would be considered for adversarial attack for further considerations.

## Adversarial Attack

- In Wildlife Image classification, FGSM (Fast Gradient Sign Method) adversarial attack is one of the most used ones.
- The Fast Gradient Sign Method (FGSM) is a technique used to test the vulnerability of machine learning models to adversarial attacks. In simple terms, it’s a way to trick a model into making wrong predictions by subtly changing the input data (like images), in a way that is almost invisible to the human eye.
-  Epsilon (ε) is a crucial parameter that controls the magnitude of the change (or "perturbation") applied to an image in order to deceive the model. It determines how much the input data (e.g., an image) is altered during the adversarial attack.
- The larger the epsilon, the more the image is modified, making it more likely that the model will misclassify the image. Conversely, smaller values of epsilon result in smaller, more subtle changes, which may still fool the model but are less noticeable.

### MobileNetV3_small with adadelta optimizer

In [None]:
# Apply FGSM attack to MobileNetV3
apply_fgsm_to_model(
    mobilenet_onnx_model, mobilenet_trained_model, test_dataloader, epsilon=0.5
)

### MobileNetV3_small with AdamW optimizer

In [None]:
# Apply FGSM attack to MobileNetV3 with AdamW optimizer
apply_fgsm_to_model(
    mobilenet_adamw_onnx_model,
    mobilenet_adamw_trained_model,
    test_dataloader,
    epsilon=0.5,
)

## Adversarial Defense

- In adversarial defense, `JPEG compression` and `spatial smoothing` are common techniques used to mitigate the impact of adversarial attacks like FGSM. 
- `JPEG compression` reduces high-frequency noise by simplifying the image, effectively removing subtle perturbations introduced by the attack, making it harder for the model to be misled. 
- `Spatial smoothing`, on the other hand, blurs the image, reducing sharp variations in pixel values, which helps to eliminate adversarial noise. 
- `Ensemble methods` combine multiple models to improve robustness by aggregating their predictions, making it less likely that all models will be fooled by the same adversarial attack. These defenses work together to enhance the model's resilience, ensuring more reliable performance even in the presence of adversarial perturbations.-

### MobileNetV3_small with adadelta optimizer

In [None]:
test_fgsm_attack_batch_with_defense(
    mobilenet_onnx_model,
    mobilenet_trained_model,
    test_dataloader,
    epsilon=0.1,
    sqrt_n_images=3,
    jpg_quality=50,
    window_size=3,
)

### MobileNetV3_small with AdamW optimizer

In [None]:
test_fgsm_attack_batch_with_defense(
    mobilenet_adamw_onnx_model,
    mobilenet_adamw_trained_model,
    test_dataloader,
    epsilon=0.1,
    sqrt_n_images=3,
    jpg_quality=50,
    window_size=3,
)

- For above defense mechanisms with `MobileNetV3_small models` with different optimizers, the accuracy of the classification is increased from `6% to 20%` for `MobileNetV3_small with adadelta` optimizer model.
- However the defense has decreased the accuracy of classification from `54% on adversarial images to 50% from adversarial test images` when used an `ensemble method` for defensse.
- To make model more robust, we will consider data augmentation to verify if that could help improve the model accuracy.

## Data Augmentation to make model more robust

- Here as part of data augmentation, we perform random rotation of the image, followed by random horizontal and vertical flip on the image.
- We also add color jitter with minial values of brightness, contrast, saturation, hue to the training data.
- This is done to make dure that the features learned by the model is wihtin the animal's body outline instead of the background pixels.

In [32]:
transform = v2.Compose(
    [
        v2.RandomRotation(30),
        v2.RandomHorizontalFlip(),
        v2.RandomVerticalFlip(),
        v2.ColorJitter(brightness=0.2, contrast=0.2, saturation=0.2, hue=0.2),
    ]
)

In [33]:
batch_size = 64
train_dataloader_augmented = DataLoader(
    WildCatsDataset(img_dir=image_dir, data=train_data, transform=transform),
    batch_size=batch_size,
    shuffle=True,
)
test_dataloader_augmented = DataLoader(
    WildCatsDataset(img_dir=image_dir, data=test_data, transform=transform),
    batch_size=batch_size,
    shuffle=True,
)

In [34]:
batch = next(iter(train_dataloader_augmented))

In [None]:
plot_batch_images(batch, rows=3, columns=3)

## Model - Training and Testing

In [None]:
def execute_training_pipeline_mobilenet(optimizer="adadelta"):
    if optimizer != "adadelta":
        params = TrainingParameters(optimizer_type=optimizer)
        params.to_json("training_parameters.json")

    training_params = TrainingParameters.from_json("training_parameters.json")
    device, train_kwargs, test_kwargs = configure_training_device(training_params)
    model = MobileNetV3SmallCNN().to(device)
    return train_modified_scheduler_with_early_stopping(
        model,
        training_params,
        device,
        train_dataloader_augmented,
        test_dataloader,
        f"WildCats_MobileNetV3SmallCNN_{optimizer}1_0_step5_gam0_5_augmented",
        patience=10,
    )


(
    mobilenet_train_loss_lst_aug,
    mobilenet_test_loss_lst_aug,
    mobilenet_train_accuracies_lst_aug,
    mobilenet_test_accuracies_lst_aug,
    mobilenet_trained_model_aug,
) = execute_training_pipeline_mobilenet()

print(
    "The minimum training and testing loss is {} {}".format(
        np.min(mobilenet_train_loss_lst_aug), np.min(mobilenet_test_loss_lst_aug)
    )
)

In [None]:
(
    mobilenet_adamw_train_loss_lst_aug,
    mobilenet_adamw_test_loss_lst_aug,
    mobilenet_adamw_train_accuracies_lst_aug,
    mobilenet_adamw_test_accuracies_lst_aug,
    mobilenet_adamw_trained_model_aug,
) = execute_training_pipeline_mobilenet(optimizer="adamw")

print(
    "The minimum training and testing loss is {} {}".format(
        np.min(mobilenet_adamw_train_loss_lst_aug),
        np.min(mobilenet_adamw_test_loss_lst_aug),
    )
)

In [None]:
epochs = np.arange(1, 17, 1)
plot_train_test_loss(
    epochs,
    mobilenet_train_loss_lst_aug,
    mobilenet_test_loss_lst_aug,
    model_title="MobileNetV3_small_augmented",
)

In [None]:
epochs = np.arange(1, 19, 1)
plot_train_test_loss(
    epochs,
    mobilenet_adamw_train_loss_lst_aug,
    mobilenet_adamw_test_loss_lst_aug,
    model_title="MobileNetV3_small_AdamW_augmented",
)

- As a result of data augmentation, we are able to see that the test accuracy of the model remains same as before without augmentation.
- We will look into the explainability and adversarial attacks to determine which model is better suited for classification.

### ONNX Saving - Model with Data Augmentation

In [None]:
mobilenet_model_path_aug = export_model_to_onnx(
    mobilenet_trained_model_aug, "mobilenet_trained_model_augmented"
)
mobilenet_model_path_aug

In [None]:
mobilenet_adamw_model_path_aug = export_model_to_onnx(
    mobilenet_adamw_trained_model_aug, "mobilenet_adamw_trained_model_augmented"
)
mobilenet_adamw_model_path_aug

## Model Explainability

In [42]:
for batch in test_dataloader_augmented:
    image_input = batch["image_input"]
    target_class = batch["target"]

    sample_image_aug = image_input[0].unsqueeze(
        0
    )  # Add batch dimension (Shape: [1, 3, 224, 224])
    target_class_aug = target_class[0]  # The target class

    break

### MobileNetV3_small - Occlusion

In [None]:
mobilenet_onnx_model_aug = ONNXModelWrapper(mobilenet_model_path_aug)

plot_explainability_with_captum_occlusion(
    mobilenet_onnx_model_aug,
    sample_image_aug,
    target_class=target_class_aug.item(),
    overall_title="MobileNetV3_small_augmented",
)

### MobileNetV3_small_AdamW - Occlusion

In [None]:
mobilenet_adamw_onnx_model_aug = ONNXModelWrapper(mobilenet_adamw_model_path_aug)

plot_explainability_with_captum_occlusion(
    mobilenet_adamw_onnx_model_aug,
    sample_image_aug,
    target_class=target_class_aug.item(),
    overall_title="MobileNetV3_small_AdamW_augmented",
)

- From the explainability, we are able to see that even with data augmentation, the majority of teh priority features are within the animal's boundary.
- Since results from explainability are unable to provide a concrete proof on which model to select, we proceed with adversarial attack to make the decision of teh better model.

## Adversarial Attack - FGSM

### MobileNetV3_small with adadelta optimizer

In [None]:
# Apply FGSM attack to MobileNetV3
apply_fgsm_to_model(
    mobilenet_onnx_model_aug, mobilenet_trained_model_aug, test_dataloader, epsilon=0.4
)

### MobileNetV3_small with AdamW optimizer

In [None]:
# Apply FGSM attack to MobileNetV3 with AdamW optimizer
apply_fgsm_to_model(
    mobilenet_adamw_onnx_model_aug,
    mobilenet_adamw_trained_model_aug,
    test_dataloader,
    epsilon=0.1,
)

- After data augmentation, we are able to see that for `MobileNetV3_small with adadelta` optimizer model, the accuracy jumped without defense from `6%` to `16%`, and for `MobileNetV3_small with AdamW` optimizer model, accuracy decreased from `54%` to `38%`.
- This suggests that the augmentation is better on model with adadelta optimizer to make it resilient to FGSM attack when compared to model with `AdamW` optimizer.

## Adversarial Defense

### MobilenetV3_small with adadelta optimizer

In [None]:
test_fgsm_attack_batch_with_defense(
    mobilenet_onnx_model_aug,
    mobilenet_trained_model_aug,
    test_dataloader,
    epsilon=0.5,
    sqrt_n_images=3,
    jpg_quality=65,
    window_size=3,
)

### MobileNetV3_small with AdamW optimizer

In [None]:
test_fgsm_attack_batch_with_defense(
    mobilenet_adamw_onnx_model_aug,
    mobilenet_adamw_trained_model_aug,
    test_dataloader,
    epsilon=0.1,
    sqrt_n_images=3,
    jpg_quality=65,
    window_size=3,
)

- After ensemble defense, we are able to see that for `MobileNetV3_small with adaDelta optimizer` model, the accuracy dropped from 16% to 14% after augmentation.
- For `MobileNetV3_small with AdamW optimizer` model, the accuracy jumped from `34%` to `54%`.
- This implies after data augmentaion, the ensemble defense better works with `MobileNetV3_small with AdamW optimizer` model.

## Conformance testing

In [None]:
from finalproject.conformance_validation_test import test_model_conformance_only

training_parameters = TrainingParameters.from_json("training_parameters.json")
batch_size = 64
train_dataloader_augmented = DataLoader(
    WildCatsDataset(img_dir=image_dir, data=train_data, transform=transform),
    batch_size=batch_size,
    shuffle=True,
)
test_model_conformance_only(
    mobilenet_adamw_trained_model_aug,
    training_parameters,
    device,
    train_dataloader_augmented,
    test_dataloader,
)

# Main Results

## Model Selection Based on Occam's Razor
- **Occam's Razor Principle**: Select the simplest yet most effective model.
- **Analysis**:
  - *Before Augmentation*: MobileNetV3SmallCNN_AdamW outperforms MobileNetV3SmallCNN_adadelta:
    - Adversarial accuracy: 54% (AdamW) vs. 6% (Adadelta).
    - Adversarial defense accuracy: 50% (AdamW) vs. 20% (Adadelta).
  - *After Augmentation*: MobileNetV3SmallCNN_AdamW remains superior:
    - Adversarial accuracy: 38% (AdamW) vs. 16% (Adadelta).
    - Adversarial defense accuracy: 50% (AdamW) vs. 14% (Adadelta).
- **Recommendation**: 
  - Choosing **MobileNetV3SmallCNN_AdamW** due to its consistent performance across all metrics while maintaining comparable simplicity.



## Actionable Insights for Wildlife Conservation

## Adversarial Robustness
- **Improved Adversarial Defense**: 
  - *MobileNetV3SmallCNN_AdamW* with adversarial defenses achieves up to 50% accuracy under adversarial conditions, ensuring reliable classification even in noisy, tampered, or adversarially attacked images.
  - This robustness is crucial in real-world conservation environments where image data can be distorted due to various challenges such as poor lighting, motion blur, or even intentional tampering.

## Augmentation and Preprocessing
- **Enhanced Robustness with Augmentation**: 
  - Data augmentation, particularly **spatial smoothing** and **JPEG compression**, enhances the model's ability to handle adversarial scenarios. 
  - For example, using spatial smoothing with a window size of 3 and JPEG compression with quality set to 65 significantly improved model performance during training and testing.
- **Implementation in Field Conditions**:
  - These preprocessing techniques ensure the model can operate effectively in challenging conditions often encountered in wildlife conservation efforts, such as poor image quality or environmental noise.

## Deployment Strategy
- **Model Deployment**: 
  - Deploy **MobileNetV3SmallCNN_AdamW** in real-time wildlife monitoring systems to classify wildlife species, particularly endangered wildcats, from images captured by camera traps or drones.
- **Preprocessing Pipeline**:
  - Incorporate adversarial defense strategies like spatial smoothing and JPEG compression into the deployment pipeline to mitigate potential adversarial attacks or image distortions that might affect performance in field conditions.

# Applications in Wildlife Conservation

## Anti-Poaching Efforts
- **Wildlife Surveillance**: 
  - The model can be deployed to automatically identify wildcats in camera trap images, providing alerts for potential poaching activities.
  - With its adversarial robustness, the model ensures high accuracy even in difficult conditions, such as when images are deliberately altered to mislead monitoring systems.

## Population Monitoring
- **Long-Term Species Tracking**: 
  - Use the model to track endangered species over time, ensuring accurate population estimates despite challenges like low-quality images, weather disruptions, or environmental noise.
  - Reliable classification even in adverse conditions supports ongoing conservation efforts and provides actionable data for better management decisions.


# Future Work

The next steps for this project focus on improving model performance, robustness, and expanding its scope to handle more diverse and challenging real-world conditions.

1. **Data Collection**:
   - Collect more diverse datasets of wildcats, including images from various habitats and environmental conditions, to improve the model’s generalization and robustness.

2. **Hyperparameter Tuning**:
   - Perform more rigorous hyperparameter tuning for the **MobileNetV3Small** with **AdamW** optimizer, exploring different learning rates, batch sizes, and other hyperparameters to achieve optimal performance.

3. **Data Augmentation**:
   - Implement a wider variety of data augmentation techniques to better prepare the model for varying conditions such as:
     - **Nighttime images** with low-light conditions.
     - Images with different **seasonal changes** (e.g., winter, spring, summer, fall).
     - **Light contrast variations** to simulate different environmental lighting scenarios.
   
4. **Exploring Adversarial Attacks**:
   - Investigate the impact of additional types of **adversarial attacks**, such as **Project Gradient Descent (PGD)** or **DeepFool**, to better understand the model's vulnerabilities and further strengthen its defenses.

5. **Adversarial Training & Robustness**:
   - Implement **adversarial training** and **distillation** techniques to improve model resilience.
   - Explore the use of **ensemble methods** that combine different models or attack-defense strategies to bolster robustness against adversarial manipulations.

6. **Model Expansion**:
   - Expand the model to classify a wider variety of **wildcat species**, including the addition of their **scientific names** for better precision in species identification, aiding in detailed wildlife population studies.

These improvements will ensure that the model remains reliable, adaptable, and capable of supporting more effective wildlife conservation efforts under a broader range of environmental conditions.


# Summary
*MobileNetV3SmallCNN_AdamW* has proven to be the most effective model for wildlife conservation monitoring systems, particularly when considering its performance in adversarial settings. By combining this model with preprocessing techniques such as spatial smoothing and JPEG compression, we can ensure robust and reliable classification of endangered species like wildcats. This will significantly support wildlife conservation efforts, including anti-poaching operations and long-term population monitoring. 