In [1]:
import torch
import torchvision
from torchvision import transforms
import random
import numpy as np
import matplotlib.pyplot as plt

In [2]:
random.seed(0)
np.random.seed(0)
torch.manual_seed(0)
torch.cuda.manual_seed(0)
torch.backends.cudnn.deterministic = True

In [3]:
# 3*3 convolutino
def conv3x3(in_channels, out_channels, stride=1):
    return torch.nn.Conv2d(in_channels, out_channels, kernel_size=3,
                    stride=stride, padding=1, bias=False)


# Residual block
class ResidualBlock(torch.nn.Module):
    def __init__(self, in_channels, out_channels, stride=1, downsample=None):
        super(ResidualBlock, self).__init__()
        self.conv1 = conv3x3(in_channels, out_channels, stride)
        self.bn1 = torch.nn.BatchNorm2d(out_channels)
        self.relu = torch.nn.ReLU(inplace=True)
        self.conv2 = conv3x3(out_channels, out_channels)
        self.bn2 = torch.nn.BatchNorm2d(out_channels)
        self.downsample = downsample

    def forward(self, x):
        residual = x
        out = self.conv1(x)
        out = self.bn1(out)
        out = self.relu(out)
        out = self.conv2(out)
        out = self.bn2(out)
        if self.downsample:
            residual = self.downsample(x)
        out += residual
        out = self.relu(out)
        return out


# ResNet
class ResNet(torch.nn.Module):
    def __init__(self, block, layers, num_classes=10):
        super(ResNet, self).__init__()
        self.in_channels = 16
        self.conv = conv3x3(1, 16)
        self.bn = torch.nn.BatchNorm2d(16)
        self.relu = torch.nn.ReLU(inplace=True)
        self.layer1 = self.make_layer(block, 16, layers[0])
        self.layer2 = self.make_layer(block, 32, layers[0], 1)
        self.layer3 = self.make_layer(block, 64, layers[1], 2)
        self.layer4 = self.make_layer(block, 128, layers[1], 1)
        self.max_pool = torch.nn.MaxPool2d(8)
        self.fc = torch.nn.Linear(128, num_classes)

    def make_layer(self, block, out_channels, blocks, stride=1):
        downsample = None
        if (stride != 1) or (self.in_channels != out_channels):
            downsample = torch.nn.Sequential(
                conv3x3(self.in_channels, out_channels, stride=stride),
                torch.nn.BatchNorm2d(out_channels))
        layers = []
        layers.append(block(self.in_channels, out_channels, stride, downsample))
        self.in_channels = out_channels
        for i in range(1, blocks):
            layers.append(block(out_channels, out_channels))
        return torch.nn.Sequential(*layers)

    def forward(self, x):
        out = self.conv(x)
        out = self.bn(out)
        out = self.layer1(out)
        out = self.layer2(out)
        out = self.layer3(out)
        out = self.layer4(out)
        out = self.max_pool(out)
        out = out.view(out.size(0), -1)
        out = self.fc(out)
        return out

In [4]:
net = torch.load('/home/matvey/Morozov/Научрук/Диплом/Diploma-Thesis/Модель/Models/FashionMNIST_ResNet.pth', map_location=torch.device('cpu'))
net = net.to('cpu')
net.eval()

ResNet(
  (conv): Conv2d(1, 16, kernel_size=(3, 3), stride=(1, 1), padding=(1, 1), bias=False)
  (bn): BatchNorm2d(16, eps=1e-05, momentum=0.1, affine=True, track_running_stats=True)
  (relu): ReLU(inplace=True)
  (layer1): Sequential(
    (0): ResidualBlock(
      (conv1): Conv2d(16, 16, kernel_size=(3, 3), stride=(1, 1), padding=(1, 1), bias=False)
      (bn1): BatchNorm2d(16, eps=1e-05, momentum=0.1, affine=True, track_running_stats=True)
      (relu): ReLU(inplace=True)
      (conv2): Conv2d(16, 16, kernel_size=(3, 3), stride=(1, 1), padding=(1, 1), bias=False)
      (bn2): BatchNorm2d(16, eps=1e-05, momentum=0.1, affine=True, track_running_stats=True)
    )
    (1): ResidualBlock(
      (conv1): Conv2d(16, 16, kernel_size=(3, 3), stride=(1, 1), padding=(1, 1), bias=False)
      (bn1): BatchNorm2d(16, eps=1e-05, momentum=0.1, affine=True, track_running_stats=True)
      (relu): ReLU(inplace=True)
      (conv2): Conv2d(16, 16, kernel_size=(3, 3), stride=(1, 1), padding=(1, 1), bias=

In [5]:
test_tf = transforms.Compose([
    transforms.ToTensor()
])

test = torchvision.datasets.FashionMNIST('/home/matvey/Morozov/Научрук/Диплом/Diploma-Thesis/Модель/Datasets', download=False, train=False, transform=test_tf)
testloader = torch.utils.data.DataLoader(dataset=test, batch_size=256, shuffle=False)

In [6]:
labels = {
0 : 'T-shirt/top',
1 : 'Trouser',
2 : 'Pullover',
3 : 'Dress',
4 : 'Coat',
5 : 'Sandal',
6 : 'Shirt',
7 : 'Sneaker',
8 : 'Bag',
9 : 'Ankle boot'
}

In [7]:
from numpy.linalg import norm
from scipy.special import softmax

examples = enumerate(testloader)
batch_idx, (example_data, example_targets) = next(examples)

In [8]:
train = torchvision.datasets.FashionMNIST('/home/matvey/Morozov/Научрук/Диплом/Diploma-Thesis/Модель/Datasets', download=False, train=True, transform=test_tf)
trainloader = torch.utils.data.DataLoader(dataset=test, batch_size=10000, shuffle=False)

In [9]:
train_examples = enumerate(trainloader)
batch_idx, (train_data, train_targets) = next(train_examples)

In [10]:
from boundary_MCMC import boundary_attack_MCMC
from boundary import boundary_attack

In [11]:
def nearest_image(image, label, train_data, train_targets):
    image = image.data.cpu().numpy()[0]
    all_norm = []
    for i, train_image in enumerate(train_data):
        if train_targets[i].data.cpu().numpy() != label:
            train_image = train_image.data.cpu().numpy()
            diff = train_image - image
            norm_diff = norm(diff)
            all_norm.append(norm_diff)
        else:
            all_norm.append(1e20)            

    index = np.argmin(all_norm)
    return index

#### Boundary attack

In [12]:
i = 0

l1_norm = []
l2_norm = []
probs_init = []
probs_adv = []

while True:
    class_label = example_targets[i].data.numpy()
    image = example_data[i]
    label = example_targets[i].data.numpy()

    prediction = net(torch.tensor(image.reshape(1, 1, 28, 28))).data.numpy()
    prob_init = np.max(softmax(prediction))

    index = nearest_image(image, label, train_data, train_targets)
    x_init = train_data[index].data.numpy().reshape(28,28)
    x_target = example_data[i].data.numpy().reshape(28,28)

    adv_example, proba = boundary_attack(net, x_init, x_target, threshold=None, verbose=1, max_iter=5e3)

    l1 = np.linalg.norm(adv_example - x_target, ord=1)
    l2 = np.linalg.norm(adv_example - x_target, ord=2)
    probs_init.append(prob_init)
    probs_adv.append(proba)
    l1_norm.append(l1)
    l2_norm.append(l2)
    
    i += 1
    
    if i >= 30:
        break

Start boundary attack
distance: 0.0683, itetarion: 5001
Start boundary attack
distance: 0.0554, itetarion: 5001
Start boundary attack
distance: 0.1476, itetarion: 5001
Start boundary attack
distance: 0.1527, itetarion: 5001
Start boundary attack
distance: 0.1261, itetarion: 5001
Start boundary attack
distance: 0.1407, itetarion: 5001
Start boundary attack
distance: 0.1987, itetarion: 5001
Start boundary attack
distance: 0.3073, itetarion: 5001
Start boundary attack
distance: 0.0816, itetarion: 5001
Start boundary attack
distance: 0.0834, itetarion: 5001
Start boundary attack
distance: 0.1953, itetarion: 5001
Start boundary attack
distance: 0.1022, itetarion: 5001
Start boundary attack
distance: 0.1263, itetarion: 5001
Start boundary attack
distance: 0.0000, itetarion: 5001
Start boundary attack
distance: 0.0000, itetarion: 5001
Start boundary attack
distance: 0.1252, itetarion: 5001
Start boundary attack
distance: 0.1493, itetarion: 5001
Start boundary attack
distance: 0.0000, itetario

In [13]:
print(l1_norm)
print(l2_norm)
print(probs_init)
print(probs_adv)

[0.24114148082180678, 0.18043313546536685, 0.4847651059800589, 0.5388055075428733, 0.458960110817897, 0.5069033549659488, 0.6044546054488082, 1.014176389330994, 0.2636660183904034, 0.2876706967769222, 0.701438256866413, 0.37064203240221216, 0.40868881618738767, 6.442700650182438e-25, 3.3324097443911234e-24, 0.4388125680948526, 0.5170826108336536, 1.079290929264249e-25, 0.27442586926329154, 6.791056577355476e-24, 0.3292480368088997, 0.3416398265998047, 1.2434919860522619e-25, 0.1856378544511018, 1.417215223733199, 0.05524213949897118, 0.20739116987885522, 9.629471883406152e-25, 0.23476290719031864, 0.25835870489094187]
[0.06825219647428395, 0.05538283177503224, 0.1475644622996372, 0.15269663976117007, 0.12612338920721122, 0.14071479507772974, 0.19867633312157368, 0.3073042718211766, 0.08158041675877216, 0.08338847474412843, 0.195318298141276, 0.10219454585041834, 0.1262900451987517, 3.401732806986504e-25, 3.291352290143727e-24, 0.125190060513033, 0.149322415181229, 1.0315600021906346e-2

### Boundary MCMC

In [None]:
i = 0

l1_norm_MCMC = []
l2_norm_MCMC = []
probs_init_MCMC = []
probs_adv_MCMC = []

while True:
    class_label = example_targets[i].data.numpy()
    image = example_data[i]
    label = example_targets[i].data.numpy()
    
    prediction = net(torch.tensor(image.reshape(1, 1, 28, 28))).data.numpy()
    prob_init = np.max(softmax(prediction))
    
    index = nearest_image(image, label, train_data, train_targets)
    x_init = train_data[index].data.numpy().reshape(28,28)
    x_target = example_data[i].data.numpy().reshape(28,28)
    
    adv_example, proba = boundary_attack_MCMC(net, x_init, x_target, threshold=l2_norm[i], max_iter=2e4, verbose=1)
    
    l1 = np.linalg.norm(adv_example - x_target, ord=1)
    l2 = np.linalg.norm(adv_example - x_target, ord=2)
    probs_init_MCMC.append(prob_init)
    probs_adv_MCMC.append(proba)
    l1_norm_MCMC.append(l1)
    l2_norm_MCMC.append(l2)
    
    i += 1
    
    if i >= 30:
        break

Start boundary attack
distance: 0.0786, itetarion: 20001, alpha: 0.902, probability: 0.499
Start boundary attack
distance: 0.0553, itetarion: 2917, alpha: 0.975, probability: 0.492
Start boundary attack
distance: 0.1478, itetarion: 17887, alpha: 0.636, probability: 0.494
Start boundary attack
distance: 0.1527, itetarion: 3874, alpha: 0.632, probability: 0.506
Start boundary attack
distance: 0.1259, itetarion: 1842, alpha: 0.741, probability: 0.334
Start boundary attack
distance: 0.1408, itetarion: 5130, alpha: 0.612, probability: 0.515
Start boundary attack
distance: 0.2463, itetarion: 20001, alpha: 1.522, probability: 0.527
Start boundary attack
distance: 0.3067, itetarion: 3663, alpha: 0.944, probability: 0.519
Start boundary attack
distance: 0.0901, itetarion: 20001, alpha: 0.554, probability: 0.509
Start boundary attack
distance: 0.0830, itetarion: 6984, alpha: 0.860, probability: 0.501
Start boundary attack
distance: 0.3232, itetarion: 2116, alpha: 0.607, probability: 0.422

In [None]:
print(np.mean(probs_adv_MCMC))

In [None]:
print(np.mean(probs_adv))