## Universal Adversarial Perturbations (UAP) with DeepFool and ART

In [1]:
import warnings
# Blanket filter: this hides every warning the kernel would emit (TF/ART
# deprecations, numerical warnings, ...), not only the noisy ones. Narrow it
# to the specific categories once they are known.
warnings.filterwarnings('ignore')

import numpy as np
import tensorflow as tf
from art.estimators.classification import TensorFlowV2Classifier
from art.attacks.evasion import UniversalPerturbation
import imagenet_stubs  # supplies the sample image paths consumed by the loading cell below

import sys
# Project helpers are resolved relative to the kernel's working directory, so
# this only works when the kernel is started from the notebook's own folder.
sys.path.append('../lib')
import utils
from utils import load_preprocess, show_adversarial_images

2024-06-10 19:29:13.994007: E external/local_xla/xla/stream_executor/cuda/cuda_dnn.cc:9261] Unable to register cuDNN factory: Attempting to register factory for plugin cuDNN when one has already been registered
2024-06-10 19:29:13.994040: E external/local_xla/xla/stream_executor/cuda/cuda_fft.cc:607] Unable to register cuFFT factory: Attempting to register factory for plugin cuFFT when one has already been registered
2024-06-10 19:29:13.995145: E external/local_xla/xla/stream_executor/cuda/cuda_blas.cc:1515] Unable to register cuBLAS factory: Attempting to register factory for plugin cuBLAS when one has already been registered


In [2]:
# Pre-trained ImageNet classifiers. ResNet50 is the source (white-box) model the
# perturbation is crafted against; VGG19 and InceptionV3 are the transfer targets
# evaluated further down. weights='imagenet' fetches the published weight files
# the first time they are needed.
applications = tf.keras.applications
resnet_model = applications.ResNet50(weights='imagenet')
vgg_model = applications.VGG19(weights='imagenet')
inception_model = applications.InceptionV3(weights='imagenet')


In [3]:
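# Aliased so that a later loop variable named `image` cannot shadow the module.
from tensorflow.keras.preprocessing import image as keras_image

INPUT_SIDE = 224  # ResNet50/VGG19 input resolution; InceptionV3 needs 299 and is resized later

images_list = []
for image_path in imagenet_stubs.get_image_paths():
    pil_im = keras_image.load_img(image_path, target_size=(INPUT_SIDE, INPUT_SIDE))
    im = keras_image.img_to_array(pil_im)      # HWC array, RGB order
    im = im[:, :, ::-1].astype(np.float32)     # RGB -> BGR (the channel order the Keras ResNet50/VGG19 weights use)
    images_list.append(im)

# (N, 224, 224, 3) batch on the raw 0-255 pixel scale.
# NOTE(review): only the channel order is swapped here; the per-channel mean
# subtraction that keras' preprocess_input applies for ResNet50/VGG19 is not
# performed — confirm this is intended, since clip_values=(0, 255) downstream
# assumes the raw scale.
images = np.stack(images_list)
assert images.shape[1:] == (INPUT_SIDE, INPUT_SIDE, 3), images.shape
images.shape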

16


In [4]:
# Reference labels: ResNet50's own top-1 class for each clean image. These are
# the source model's predictions, not ground-truth ImageNet labels, so every
# "success rate" computed later measures disagreement with ResNet50's clean output.
predictions = resnet_model.predict(images)
labels = predictions.argmax(axis=1)
print(f'{labels.size} {labels}')

16 [681 866 658 119 931 162 797 557 640 880 377 353 105 250  79 267]


In [5]:
# Wrap the Keras models in ART estimators. The images were loaded on the raw
# 0-255 pixel scale, so that is also the range the attack may write into.
clip_values = (0, 255)
NB_CLASSES = 1000


def wrap_keras_model(model, side):
    """Return a TensorFlowV2Classifier for `model` expecting (side, side, 3) inputs.

    No `preprocessing` argument is passed, so the estimator forwards the arrays
    on whatever scale they carry (here: BGR, 0-255).
    NOTE(review): InceptionV3's Keras weights were not trained on that input
    scaling, so its clean predictions on these inputs may be unreliable — confirm
    before interpreting its transfer numbers.
    """
    return TensorFlowV2Classifier(model=model, nb_classes=NB_CLASSES,
                                  input_shape=(side, side, 3), clip_values=clip_values)


resnet_classifier = wrap_keras_model(resnet_model, 224)
vgg_classifier = wrap_keras_model(vgg_model, 224)
inception_classifier = wrap_keras_model(inception_model, 299)



In [6]:
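# Craft a universal (image-agnostic) perturbation against ResNet50, using
# DeepFool as the per-image inner attack. "Universal" means one perturbation
# shared by every input; it is NOT model-agnostic — whether it transfers to
# other models is exactly what the VGG19 / InceptionV3 cells below measure.
# NOTE(review): the perturbation budget (eps / norm) and the target fooling
# rate (delta) are left at ART's defaults; pin them explicitly so the result is
# reproducible across ART versions — confirm the defaults of the installed version.
attack = UniversalPerturbation(classifier=resnet_classifier, attacker="deepfool", max_iter=5)
adversarial_images = attack.generate(x=images)

# White-box baseline on the source model plus the achieved perturbation size;
# without these the transfer rates below cannot be interpreted.
perturbation = adversarial_images - images
source_labels_adv = np.argmax(resnet_classifier.predict(adversarial_images), axis=1)
print('max |perturbation| (0-255 scale): {:.2f}'.format(np.abs(perturbation).max()))
print('Success rate on ResNet50 (source model): {:.2f}%'.format(np.mean(source_labels_adv != labels) * 100))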

Universal perturbation:   0%|          | 0/5 [00:00<?, ?it/s]

DeepFool:   0%|          | 0/1 [00:00<?, ?it/s]



DeepFool:   0%|          | 0/1 [00:00<?, ?it/s]

DeepFool:   0%|          | 0/1 [00:00<?, ?it/s]

DeepFool:   0%|          | 0/1 [00:00<?, ?it/s]

DeepFool:   0%|          | 0/1 [00:00<?, ?it/s]

DeepFool:   0%|          | 0/1 [00:00<?, ?it/s]

DeepFool:   0%|          | 0/1 [00:00<?, ?it/s]

DeepFool:   0%|          | 0/1 [00:00<?, ?it/s]

DeepFool:   0%|          | 0/1 [00:00<?, ?it/s]

DeepFool:   0%|          | 0/1 [00:00<?, ?it/s]

DeepFool:   0%|          | 0/1 [00:00<?, ?it/s]

DeepFool:   0%|          | 0/1 [00:00<?, ?it/s]

DeepFool:   0%|          | 0/1 [00:00<?, ?it/s]

DeepFool:   0%|          | 0/1 [00:00<?, ?it/s]

DeepFool:   0%|          | 0/1 [00:00<?, ?it/s]

DeepFool:   0%|          | 0/1 [00:00<?, ?it/s]

DeepFool:   0%|          | 0/1 [00:00<?, ?it/s]

DeepFool:   0%|          | 0/1 [00:00<?, ?it/s]

DeepFool:   0%|          | 0/1 [00:00<?, ?it/s]

DeepFool:   0%|          | 0/1 [00:00<?, ?it/s]

DeepFool:   0%|          | 0/1 [00:00<?, ?it/s]

DeepFool:   0%|          | 0/1 [00:00<?, ?it/s]

DeepFool:   0%|          | 0/1 [00:00<?, ?it/s]

DeepFool:   0%|          | 0/1 [00:00<?, ?it/s]

DeepFool:   0%|          | 0/1 [00:00<?, ?it/s]

DeepFool:   0%|          | 0/1 [00:00<?, ?it/s]

DeepFool:   0%|          | 0/1 [00:00<?, ?it/s]

DeepFool:   0%|          | 0/1 [00:00<?, ?it/s]

DeepFool:   0%|          | 0/1 [00:00<?, ?it/s]

DeepFool:   0%|          | 0/1 [00:00<?, ?it/s]

DeepFool:   0%|          | 0/1 [00:00<?, ?it/s]

DeepFool:   0%|          | 0/1 [00:00<?, ?it/s]

DeepFool:   0%|          | 0/1 [00:00<?, ?it/s]

DeepFool:   0%|          | 0/1 [00:00<?, ?it/s]

DeepFool:   0%|          | 0/1 [00:00<?, ?it/s]

DeepFool:   0%|          | 0/1 [00:00<?, ?it/s]

DeepFool:   0%|          | 0/1 [00:00<?, ?it/s]

DeepFool:   0%|          | 0/1 [00:00<?, ?it/s]

DeepFool:   0%|          | 0/1 [00:00<?, ?it/s]

DeepFool:   0%|          | 0/1 [00:00<?, ?it/s]

DeepFool:   0%|          | 0/1 [00:00<?, ?it/s]

DeepFool:   0%|          | 0/1 [00:00<?, ?it/s]

DeepFool:   0%|          | 0/1 [00:00<?, ?it/s]

DeepFool:   0%|          | 0/1 [00:00<?, ?it/s]

DeepFool:   0%|          | 0/1 [00:00<?, ?it/s]

DeepFool:   0%|          | 0/1 [00:00<?, ?it/s]

DeepFool:   0%|          | 0/1 [00:00<?, ?it/s]

DeepFool:   0%|          | 0/1 [00:00<?, ?it/s]

DeepFool:   0%|          | 0/1 [00:00<?, ?it/s]

DeepFool:   0%|          | 0/1 [00:00<?, ?it/s]

In [24]:
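# Evaluate transfer of the ResNet50-crafted perturbation to VGG19.
# `labels` are ResNet50's clean top-1 predictions, so "success" here means
# VGG19 disagrees with ResNet50 — which it may already do on the clean image.
# The clean-image agreement is reported alongside so the two effects are separable.
clean_labels_vgg = np.argmax(vgg_classifier.predict(images), axis=1)
agrees_clean_vgg = clean_labels_vgg == labels

predictions_vgg = vgg_classifier.predict(adversarial_images)
success_vgg = np.argmax(predictions_vgg, axis=1) != labels
success_rate_vgg = np.mean(success_vgg) * 100

# Flips counted only on images where VGG19 matched the reference label before
# the perturbation; guard the empty-denominator case.
n_agree_vgg = int(agrees_clean_vgg.sum())
transfer_rate_vgg = np.mean(success_vgg[agrees_clean_vgg]) * 100 if n_agree_vgg else float('nan')
print('Clean agreement with reference labels (VGG19): {}/{}'.format(n_agree_vgg, len(labels)))
print('Success rate on VGG19: {:.2f}%'.format(success_rate_vgg))
print('Success rate on VGG19 among clean-agreeing images: {:.2f}% (n={})'.format(transfer_rate_vgg, n_agree_vgg))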

Success rate on VGG19: 12.50%


In [30]:
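# Evaluate transfer to InceptionV3. The perturbed 224x224 batch is resized to
# Inception's 299x299 input (which also rescales the perturbation); the clean
# batch is resized the same way so the comparison is like-for-like.
# tf.image.resize accepts a 4-D batch, so no per-image loop — and no loop
# variable reusing the name `image` from the loading cell — is needed.
INCEPTION_SIZE = (299, 299)
clean_images_resized = tf.image.resize(images, INCEPTION_SIZE).numpy()
adversarial_images_resized = tf.image.resize(adversarial_images, INCEPTION_SIZE).numpy()

# Clean agreement: `labels` come from ResNet50, and InceptionV3 here receives
# resized BGR 0-255 input with no model-specific preprocessing, so it may
# disagree with the reference on many clean images already.
# NOTE(review): a near-100% "success" together with low clean agreement points
# to this baseline mismatch rather than a transferable perturbation — confirm
# before reporting the number.
clean_labels_inception = np.argmax(inception_classifier.predict(clean_images_resized), axis=1)
agrees_clean_inception = clean_labels_inception == labels

predictions_inception = inception_classifier.predict(adversarial_images_resized)
success_inception = np.argmax(predictions_inception, axis=1) != labels
success_rate_inception = np.mean(success_inception) * 100

n_agree_inception = int(agrees_clean_inception.sum())
transfer_rate_inception = (np.mean(success_inception[agrees_clean_inception]) * 100
                           if n_agree_inception else float('nan'))
print('Clean agreement with reference labels (InceptionV3): {}/{}'.format(n_agree_inception, len(labels)))
print('Success rate on InceptionV3: {:.2f}%'.format(success_rate_inception))
print('Success rate on InceptionV3 among clean-agreeing images: {:.2f}% (n={})'.format(transfer_rate_inception, n_agree_inception))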

Success rate on InceptionV3: 100.00%
