In [None]:
import tensorflow as tf
from tensorflow.keras.datasets import cifar10
from tensorflow.keras.models import Sequential
from tensorflow.keras.layers import Conv2D, MaxPooling2D, Flatten, Dense, Dropout, BatchNormalization
from tensorflow.keras.regularizers import l2
from tensorflow.keras.utils import to_categorical

In [None]:
#tf.compat.v1.disable_eager_execution()

In [None]:
# Loading the dataset and preprocessing the dataset
(x_train, y_train), (x_test, y_test) = cifar10.load_data()

x_train = x_train.astype('float32') / 255.0
x_test = x_test.astype('float32') / 255.0

y_train = to_categorical(y_train, 10)
y_test = to_categorical(y_test, 10)

Downloading data from https://www.cs.toronto.edu/~kriz/cifar-10-python.tar.gz
[1m170498071/170498071[0m [32m━━━━━━━━━━━━━━━━━━━━[0m[37m[0m [1m4s[0m 0us/step


In [None]:
model = Sequential([
    # First convolutional layer with L2 regularization and batch normalization
    Conv2D(32, (3, 3), activation='relu', kernel_regularizer=l2(0.001), input_shape=(32, 32, 3)),
    BatchNormalization(),
    MaxPooling2D((2, 2)),
    Dropout(0.3),  # Add dropout for regularization

    # Second convolutional layer with L2 regularization and batch normalization
    Conv2D(64, (3, 3), activation='relu', kernel_regularizer=l2(0.001)),
    BatchNormalization(),
    MaxPooling2D((2, 2)),
    Dropout(0.3),

    # Flatten the layers for fully connected layers
    Flatten(),

    # Fully connected layer with L2 regularization and batch normalization
    Dense(128, activation='relu', kernel_regularizer=l2(0.001)),
    BatchNormalization(),
    Dropout(0.4),

    # Output layer for classification
    Dense(10, activation='softmax')
])

  super().__init__(activity_regularizer=activity_regularizer, **kwargs)


In [None]:
model.summary()

In [None]:
model.compile(optimizer='adam', loss='categorical_crossentropy', metrics=['accuracy'])

In [None]:
model.fit(x_train, y_train, epochs=20, batch_size=64, validation_data=(x_test, y_test))

Epoch 1/20
[1m782/782[0m [32m━━━━━━━━━━━━━━━━━━━━[0m[37m[0m [1m20s[0m 13ms/step - accuracy: 0.3720 - loss: 2.2258 - val_accuracy: 0.5021 - val_loss: 1.8308
Epoch 2/20
[1m782/782[0m [32m━━━━━━━━━━━━━━━━━━━━[0m[37m[0m [1m3s[0m 4ms/step - accuracy: 0.5615 - loss: 1.5007 - val_accuracy: 0.5714 - val_loss: 1.4428
Epoch 3/20
[1m782/782[0m [32m━━━━━━━━━━━━━━━━━━━━[0m[37m[0m [1m5s[0m 4ms/step - accuracy: 0.6129 - loss: 1.3381 - val_accuracy: 0.6105 - val_loss: 1.3382
Epoch 4/20
[1m782/782[0m [32m━━━━━━━━━━━━━━━━━━━━[0m[37m[0m [1m3s[0m 4ms/step - accuracy: 0.6363 - loss: 1.2774 - val_accuracy: 0.6438 - val_loss: 1.2740
Epoch 5/20
[1m782/782[0m [32m━━━━━━━━━━━━━━━━━━━━[0m[37m[0m [1m3s[0m 4ms/step - accuracy: 0.6536 - loss: 1.2312 - val_accuracy: 0.5887 - val_loss: 1.4646
Epoch 6/20
[1m782/782[0m [32m━━━━━━━━━━━━━━━━━━━━[0m[37m[0m [1m3s[0m 4ms/step - accuracy: 0.6661 - loss: 1.2025 - val_accuracy: 0.6872 - val_loss: 1.1518
Epoch 7/20
[1m782/782[0m

<keras.src.callbacks.history.History at 0x7bf13a6b0730>

## Implementing adversarial attack

In [None]:
pip install adversarial-robustness-toolbox

Collecting adversarial-robustness-toolbox
  Downloading adversarial_robustness_toolbox-1.18.2-py3-none-any.whl.metadata (11 kB)
Downloading adversarial_robustness_toolbox-1.18.2-py3-none-any.whl (1.7 MB)
[?25l   [90m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m [32m0.0/1.7 MB[0m [31m?[0m eta [36m-:--:--[0m[2K   [91m━━━━━━━━━━━━━━[0m[90m╺[0m[90m━━━━━━━━━━━━━━━━━━━━━━━━━[0m [32m0.6/1.7 MB[0m [31m18.3 MB/s[0m eta [36m0:00:01[0m[2K   [90m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m [32m1.7/1.7 MB[0m [31m28.4 MB/s[0m eta [36m0:00:00[0m
[?25hInstalling collected packages: adversarial-robustness-toolbox
Successfully installed adversarial-robustness-toolbox-1.18.2


In [None]:
from art.attacks.evasion import FastGradientMethod, ProjectedGradientDescent
from art.estimators.classification import KerasClassifier
import numpy as np

In [None]:
import sys
sys.setrecursionlimit(3000)

In [None]:
from art.estimators.classification import KerasClassifier

In [None]:
from art.estimators.classification import TensorFlowV2Classifier

# Create a TensorFlowV2Classifier
classifier = TensorFlowV2Classifier(
    model=model,
    nb_classes=10,  # Number of output classes
    input_shape=(32, 32, 3),
    loss_object=tf.keras.losses.CategoricalCrossentropy(),
    clip_values=(0, 1)  # Ensure input values are in range [0, 1]
)

# Now you can use this classifier with ART attacks


In [None]:
# Generate adversarial samples using FGSM
fgsm_attack = FastGradientMethod(estimator=classifier, eps=0.1)
x_test_adv_fgsm = fgsm_attack.generate(x=x_test)

In [None]:
# Evaluate model on FGSM adversarial samples
test_loss_adv, test_acc_adv = model.evaluate(x_test_adv_fgsm, y_test)
print(f'Test accuracy on FGSM adversarial samples: {test_acc_adv}')

[1m313/313[0m [32m━━━━━━━━━━━━━━━━━━━━[0m[37m[0m [1m1s[0m 2ms/step - accuracy: 0.1044 - loss: 6.2939
Test accuracy on FGSM adversarial samples: 0.09640000015497208


In [None]:
# Generate adversarial samples using PGD
pgd_attack = ProjectedGradientDescent(estimator=classifier, eps=0.1, eps_step=0.01, max_iter=40)
x_test_adv_pgd = pgd_attack.generate(x=x_test)

PGD - Batches: 0it [00:00, ?it/s]

In [None]:
# Evaluate model on PGD adversarial samples
test_loss_adv_pgd, test_acc_adv_pgd = model.evaluate(x_test_adv_pgd, y_test)
print(f'Test accuracy on PGD adversarial samples: {test_acc_adv_pgd}')

[1m313/313[0m [32m━━━━━━━━━━━━━━━━━━━━[0m[37m[0m [1m1s[0m 2ms/step - accuracy: 0.1049 - loss: 24.4731
Test accuracy on PGD adversarial samples: 0.10679999738931656


## Implementing Hybrid defence for adversarial attacks

In [None]:
# Generate adversarial samples for adversarial training (using FGSM)
x_train_adv_fgsm = fgsm_attack.generate(x=x_train)

In [None]:
# Combine clean and adversarial data for adversarial training
x_train_combined = np.concatenate((x_train, x_train_adv_fgsm))
y_train_combined = np.concatenate((y_train, y_train))

In [None]:
# Retrain the model using adversarial examples (adversarial training)
model.compile(optimizer='adam', loss='categorical_crossentropy', metrics=['accuracy'])

In [None]:
model.fit(x_train_combined, y_train_combined, epochs=20, batch_size=64, validation_data=(x_test, y_test))

Epoch 1/20
[1m1563/1563[0m [32m━━━━━━━━━━━━━━━━━━━━[0m[37m[0m [1m16s[0m 7ms/step - accuracy: 0.5100 - loss: 1.6979 - val_accuracy: 0.6476 - val_loss: 1.3163
Epoch 2/20
[1m1563/1563[0m [32m━━━━━━━━━━━━━━━━━━━━[0m[37m[0m [1m6s[0m 4ms/step - accuracy: 0.6070 - loss: 1.4420 - val_accuracy: 0.6718 - val_loss: 1.2487
Epoch 3/20
[1m1563/1563[0m [32m━━━━━━━━━━━━━━━━━━━━[0m[37m[0m [1m10s[0m 4ms/step - accuracy: 0.6224 - loss: 1.4009 - val_accuracy: 0.6801 - val_loss: 1.2106
Epoch 4/20
[1m1563/1563[0m [32m━━━━━━━━━━━━━━━━━━━━[0m[37m[0m [1m5s[0m 3ms/step - accuracy: 0.6253 - loss: 1.3885 - val_accuracy: 0.6604 - val_loss: 1.2544
Epoch 5/20
[1m1563/1563[0m [32m━━━━━━━━━━━━━━━━━━━━[0m[37m[0m [1m6s[0m 4ms/step - accuracy: 0.6308 - loss: 1.3812 - val_accuracy: 0.6564 - val_loss: 1.2708
Epoch 6/20
[1m1563/1563[0m [32m━━━━━━━━━━━━━━━━━━━━[0m[37m[0m [1m7s[0m 4ms/step - accuracy: 0.6356 - loss: 1.3697 - val_accuracy: 0.6633 - val_loss: 1.2684
Epoch 7/20
[1

<keras.src.callbacks.history.History at 0x7bf03e636b90>

In [None]:
test_loss, test_acc = model.evaluate(x_test, y_test)
test_loss_adv, test_acc_adv = model.evaluate(x_test_adv_fgsm, y_test)
print(f'Test accuracy after adversarial training on clean images: {test_acc}')
print(f'Test accuracy after adversarial training on FGSM adversarial samples: {test_acc_adv}')

[1m313/313[0m [32m━━━━━━━━━━━━━━━━━━━━[0m[37m[0m [1m1s[0m 2ms/step - accuracy: 0.6426 - loss: 1.3063
[1m313/313[0m [32m━━━━━━━━━━━━━━━━━━━━[0m[37m[0m [1m1s[0m 2ms/step - accuracy: 0.6281 - loss: 1.4230
Test accuracy after adversarial training on clean images: 0.6460999846458435
Test accuracy after adversarial training on FGSM adversarial samples: 0.6262999773025513


In [None]:
# Implementing feature squeezing
def feature_squeeze(images, bit_depth=3):
    max_value = float(2**bit_depth - 1)
    return np.round(images * max_value) / max_value

In [None]:
# Apply feature squeezing to test set
x_test_squeezed = feature_squeeze(x_test)
x_test_adv_squeezed = feature_squeeze(x_test_adv_fgsm)

In [None]:
# Evaluate the model on squeezed clean and adversarial samples
test_loss_squeezed, test_acc_squeezed = model.evaluate(x_test_squeezed, y_test)
test_loss_adv_squeezed, test_acc_adv_squeezed = model.evaluate(x_test_adv_squeezed, y_test)
print(f'Test accuracy on squeezed clean images: {test_acc_squeezed}')
print(f'Test accuracy on squeezed FGSM adversarial samples: {test_acc_adv_squeezed}')

[1m313/313[0m [32m━━━━━━━━━━━━━━━━━━━━[0m[37m[0m [1m1s[0m 2ms/step - accuracy: 0.6247 - loss: 1.3634
[1m313/313[0m [32m━━━━━━━━━━━━━━━━━━━━[0m[37m[0m [1m1s[0m 2ms/step - accuracy: 0.6142 - loss: 1.4691
Test accuracy on squeezed clean images: 0.625
Test accuracy on squeezed FGSM adversarial samples: 0.6114000082015991


In [None]:
# Combining adversarial training with feature squeezing
# Retrain model with adversarial training and evaluate with feature squeezing

# Apply feature squeezing to adversarial training examples
x_train_adv_fgsm_squeezed = feature_squeeze(x_train_adv_fgsm)

In [None]:
# Combine clean, adversarial, and squeezed adversarial data for final training
x_train_combined_final = np.concatenate((x_train, x_train_adv_fgsm_squeezed))
y_train_combined_final = np.concatenate((y_train, y_train))

In [None]:
model.fit(x_train_combined_final, y_train_combined_final, epochs=20, batch_size=64, validation_data=(x_test, y_test))

Epoch 1/20
[1m1563/1563[0m [32m━━━━━━━━━━━━━━━━━━━━[0m[37m[0m [1m6s[0m 4ms/step - accuracy: 0.6408 - loss: 1.3457 - val_accuracy: 0.6608 - val_loss: 1.2590
Epoch 2/20
[1m1563/1563[0m [32m━━━━━━━━━━━━━━━━━━━━[0m[37m[0m [1m6s[0m 4ms/step - accuracy: 0.6466 - loss: 1.3345 - val_accuracy: 0.6445 - val_loss: 1.3509
Epoch 3/20
[1m1563/1563[0m [32m━━━━━━━━━━━━━━━━━━━━[0m[37m[0m [1m10s[0m 4ms/step - accuracy: 0.6468 - loss: 1.3377 - val_accuracy: 0.6662 - val_loss: 1.2483
Epoch 4/20
[1m1563/1563[0m [32m━━━━━━━━━━━━━━━━━━━━[0m[37m[0m [1m5s[0m 3ms/step - accuracy: 0.6449 - loss: 1.3372 - val_accuracy: 0.6847 - val_loss: 1.1946
Epoch 5/20
[1m1563/1563[0m [32m━━━━━━━━━━━━━━━━━━━━[0m[37m[0m [1m6s[0m 4ms/step - accuracy: 0.6470 - loss: 1.3352 - val_accuracy: 0.6586 - val_loss: 1.2757
Epoch 6/20
[1m1563/1563[0m [32m━━━━━━━━━━━━━━━━━━━━[0m[37m[0m [1m6s[0m 4ms/step - accuracy: 0.6462 - loss: 1.3312 - val_accuracy: 0.6880 - val_loss: 1.2067
Epoch 7/20
[1m

<keras.src.callbacks.history.History at 0x7bf10015b7c0>

In [None]:
test_loss, test_acc = model.evaluate(x_test_squeezed, y_test)
test_loss_adv, test_acc_adv = model.evaluate(x_test_adv_squeezed, y_test)
print(f'Test accuracy with hybrid defense on squeezed clean images: {test_acc}')
print(f'Test accuracy with hybrid defense on squeezed FGSM adversarial samples: {test_acc_adv}')

[1m313/313[0m [32m━━━━━━━━━━━━━━━━━━━━[0m[37m[0m [1m1s[0m 2ms/step - accuracy: 0.6393 - loss: 1.3252
[1m313/313[0m [32m━━━━━━━━━━━━━━━━━━━━[0m[37m[0m [1m1s[0m 2ms/step - accuracy: 0.6342 - loss: 1.4364
Test accuracy with hybrid defense on squeezed clean images: 0.6366000175476074
Test accuracy with hybrid defense on squeezed FGSM adversarial samples: 0.632099986076355


In [None]:
import numpy as np
import matplotlib.pyplot as plt

# Function to add Gaussian noise to images
def add_gaussian_noise(images, noise_factor=0.1):
    noise = np.random.normal(loc=0.0, scale=noise_factor, size=images.shape)
    noisy_images = images + noise
    # Clip values to be in the valid range [0, 1]
    noisy_images = np.clip(noisy_images, 0.0, 1.0)
    return noisy_images

# Create a set of noisy images from the original test set
x_test_noisy = add_gaussian_noise(x_test, noise_factor=0.1)

# Evaluate the model on noisy images
test_loss_noisy, test_acc_noisy = model.evaluate(x_test_noisy, y_test)
print(f'Test accuracy on noisy images: {test_acc_noisy}')

# Visualize some noisy images and their predictions
def visualize_noisy_predictions(noisy_images, original_images, model, num_images=5):
    indices = np.random.choice(len(noisy_images), num_images, replace=False)
    plt.figure(figsize=(15, 5))

    for i, idx in enumerate(indices):
        noisy_image = noisy_images[idx]
        original_image = original_images[idx]
        prediction = model.predict(np.expand_dims(noisy_image, axis=0))
        predicted_class = np.argmax(prediction)
        true_class = np.argmax(y_test[idx])

        plt.subplot(2, num_images, i + 1)
        plt.imshow(original_image)
        plt.title(f'True: {true_class}')
        plt.axis('off')

        plt.subplot(2, num_images, i + num_images + 1)
        plt.imshow(noisy_image)
        plt.title(f'Predicted: {predicted_class}')
        plt.axis('off')

    plt.tight_layout()
    plt.show()

# Visualize predictions on noisy images
visualize_noisy_predictions(x_test_noisy, x_test, model)

In [None]:
import matplotlib.pyplot as plt

# Evaluate the model on the clean images
test_loss_clean, test_acc_clean = model.evaluate(x_test, y_test)
print(f'Test accuracy on clean images: {test_acc_clean}')

# Visualize some clean images and their predictions
def visualize_clean_predictions(clean_images, model, num_images=5):
    indices = np.random.choice(len(clean_images), num_images, replace=False)
    plt.figure(figsize=(15, 5))

    for i, idx in enumerate(indices):
        clean_image = clean_images[idx]
        prediction = model.predict(np.expand_dims(clean_image, axis=0))
        predicted_class = np.argmax(prediction)
        true_class = np.argmax(y_test[idx])

        plt.subplot(1, num_images, i + 1)
        plt.imshow(clean_image)
        plt.title(f'True: {true_class}, Predicted: {predicted_class}')
        plt.axis('off')

    plt.tight_layout()
    plt.show()

# Visualize predictions on clean images
visualize_clean_predictions(x_test, model)

In [None]:
from tensorflow.keras.preprocessing.image import ImageDataGenerator

In [None]:
# Create an ImageDataGenerator for data augmentation
datagen = ImageDataGenerator(
    rotation_range=15,  # Randomly rotate images in the range (degrees, 0 to 15)
    width_shift_range=0.1,  # Randomly shift images horizontally
    height_shift_range=0.1,  # Randomly shift images vertically
    shear_range=0.1,  # Shear angle in counter-clockwise direction in degrees
    zoom_range=0.1,  # Randomly zoom into images
    horizontal_flip=True,  # Randomly flip images
    fill_mode='nearest'  # Fill in new pixels
)

In [None]:
# Fit the generator to the training data
datagen.fit(x_train)

In [None]:
# Now, fit the model using the generator
model.fit(datagen.flow(x_train, y_train, batch_size=64),
          epochs=20,
          validation_data=(x_test, y_test),
          steps_per_epoch=len(x_train) // 64)  # Steps per epoch based on batch size

Epoch 1/20


  self._warn_if_super_not_called()


[1m781/781[0m [32m━━━━━━━━━━━━━━━━━━━━[0m[37m[0m [1m44s[0m 50ms/step - accuracy: 0.5958 - loss: 1.4514 - val_accuracy: 0.5981 - val_loss: 1.4454
Epoch 2/20
[1m  1/781[0m [37m━━━━━━━━━━━━━━━━━━━━[0m [1m4s[0m 6ms/step - accuracy: 0.5312 - loss: 1.5591

  self.gen.throw(typ, value, traceback)


[1m781/781[0m [32m━━━━━━━━━━━━━━━━━━━━[0m[37m[0m [1m1s[0m 842us/step - accuracy: 0.5312 - loss: 1.5591 - val_accuracy: 0.5948 - val_loss: 1.4715
Epoch 3/20
[1m781/781[0m [32m━━━━━━━━━━━━━━━━━━━━[0m[37m[0m [1m36s[0m 45ms/step - accuracy: 0.6239 - loss: 1.3553 - val_accuracy: 0.6134 - val_loss: 1.3910
Epoch 4/20
[1m781/781[0m [32m━━━━━━━━━━━━━━━━━━━━[0m[37m[0m [1m1s[0m 2ms/step - accuracy: 0.6406 - loss: 1.3303 - val_accuracy: 0.6300 - val_loss: 1.3324
Epoch 5/20
[1m781/781[0m [32m━━━━━━━━━━━━━━━━━━━━[0m[37m[0m [1m37s[0m 42ms/step - accuracy: 0.6282 - loss: 1.3359 - val_accuracy: 0.6435 - val_loss: 1.3082
Epoch 6/20
[1m781/781[0m [32m━━━━━━━━━━━━━━━━━━━━[0m[37m[0m [1m1s[0m 831us/step - accuracy: 0.5938 - loss: 1.5211 - val_accuracy: 0.6392 - val_loss: 1.3175
Epoch 7/20
[1m781/781[0m [32m━━━━━━━━━━━━━━━━━━━━[0m[37m[0m [1m35s[0m 44ms/step - accuracy: 0.6276 - loss: 1.3

<keras.src.callbacks.history.History at 0x7bf100438220>

In [None]:
# Evaluate the model on clean and adversarial samples
test_loss, test_acc = model.evaluate(x_test, y_test)
test_loss_adv, test_acc_adv = model.evaluate(x_test_adv_fgsm, y_test)

[1m313/313[0m [32m━━━━━━━━━━━━━━━━━━━━[0m[37m[0m [1m1s[0m 3ms/step - accuracy: 0.6785 - loss: 1.1706
[1m313/313[0m [32m━━━━━━━━━━━━━━━━━━━━[0m[37m[0m [1m1s[0m 2ms/step - accuracy: 0.1159 - loss: 7.0808


In [None]:
print(f'Test accuracy after data augmentation on clean images: {test_acc}')
print(f'Test accuracy after data augmentation on FGSM adversarial samples: {test_acc_adv}')

Test accuracy after data augmentation on clean images: 0.6829000115394592
Test accuracy after data augmentation on FGSM adversarial samples: 0.11219999939203262


In [None]:
from tensorflow.keras.models import clone_model

In [None]:
# Define a function to create a CNN model
def create_model():
    model = Sequential([
        Conv2D(32, (3, 3), activation='relu', kernel_regularizer=l2(0.001), input_shape=(32, 32, 3)),
        BatchNormalization(),
        MaxPooling2D((2, 2)),
        Dropout(0.3),
        Conv2D(64, (3, 3), activation='relu', kernel_regularizer=l2(0.001)),
        BatchNormalization(),
        MaxPooling2D((2, 2)),
        Dropout(0.3),
        Flatten(),
        Dense(128, activation='relu', kernel_regularizer=l2(0.001)),
        BatchNormalization(),
        Dropout(0.4),
        Dense(10, activation='softmax')
    ])
    model.compile(optimizer='adam', loss='categorical_crossentropy', metrics=['accuracy'])
    return model

In [None]:
# Create and train multiple models
num_models = 3
models = [create_model() for _ in range(num_models)]

for i, model in enumerate(models):
    print(f'Training model {i+1}')
    model.fit(x_train, y_train, epochs=20, batch_size=64, validation_data=(x_test, y_test))


  super().__init__(activity_regularizer=activity_regularizer, **kwargs)


Training model 1
Epoch 1/20
[1m782/782[0m [32m━━━━━━━━━━━━━━━━━━━━[0m[37m[0m [1m15s[0m 12ms/step - accuracy: 0.3706 - loss: 2.2314 - val_accuracy: 0.4701 - val_loss: 1.7973
Epoch 2/20
[1m782/782[0m [32m━━━━━━━━━━━━━━━━━━━━[0m[37m[0m [1m3s[0m 4ms/step - accuracy: 0.5710 - loss: 1.4839 - val_accuracy: 0.4953 - val_loss: 1.7106
Epoch 3/20
[1m782/782[0m [32m━━━━━━━━━━━━━━━━━━━━[0m[37m[0m [1m3s[0m 4ms/step - accuracy: 0.6103 - loss: 1.3480 - val_accuracy: 0.5734 - val_loss: 1.4813
Epoch 4/20
[1m782/782[0m [32m━━━━━━━━━━━━━━━━━━━━[0m[37m[0m [1m6s[0m 4ms/step - accuracy: 0.6285 - loss: 1.2800 - val_accuracy: 0.6457 - val_loss: 1.2560
Epoch 5/20
[1m782/782[0m [32m━━━━━━━━━━━━━━━━━━━━[0m[37m[0m [1m3s[0m 4ms/step - accuracy: 0.6506 - loss: 1.2339 - val_accuracy: 0.6762 - val_loss: 1.1784
Epoch 6/20
[1m782/782[0m [32m━━━━━━━━━━━━━━━━━━━━[0m[37m[0m [1m5s[0m 4ms/step - accuracy: 0.6630 - loss: 1.2169 - val_accuracy: 0.6856 - val_loss: 1.1666
Epoch 7/2

In [None]:
# Function to make predictions using the ensemble of models
def ensemble_predict(models, x):
    predictions = np.array([model.predict(x) for model in models])
    return np.mean(predictions, axis=0)

In [None]:
# Evaluate ensemble on clean test set
ensemble_predictions = ensemble_predict(models, x_test)
ensemble_predictions_classes = np.argmax(ensemble_predictions, axis=1)
y_test_classes = np.argmax(y_test, axis=1)
test_acc_clean = np.mean(ensemble_predictions_classes == y_test_classes)
print(f'Test accuracy on clean images (ensemble): {test_acc_clean}')

[1m313/313[0m [32m━━━━━━━━━━━━━━━━━━━━[0m[37m[0m [1m1s[0m 3ms/step
[1m313/313[0m [32m━━━━━━━━━━━━━━━━━━━━[0m[37m[0m [1m1s[0m 3ms/step
[1m313/313[0m [32m━━━━━━━━━━━━━━━━━━━━[0m[37m[0m [1m1s[0m 2ms/step
Test accuracy on clean images (ensemble): 0.7201


In [None]:
# Evaluate ensemble on FGSM adversarial samples
ensemble_predictions_adv = ensemble_predict(models, x_test_adv_fgsm)
ensemble_predictions_classes_adv = np.argmax(ensemble_predictions_adv, axis=1)
test_acc_adv_fgsm = np.mean(ensemble_predictions_classes_adv == y_test_classes)
print(f'Test accuracy on FGSM adversarial samples (ensemble): {test_acc_adv_fgsm}')

[1m313/313[0m [32m━━━━━━━━━━━━━━━━━━━━[0m[37m[0m [1m1s[0m 2ms/step
[1m313/313[0m [32m━━━━━━━━━━━━━━━━━━━━[0m[37m[0m [1m0s[0m 2ms/step
[1m313/313[0m [32m━━━━━━━━━━━━━━━━━━━━[0m[37m[0m [1m0s[0m 2ms/step
Test accuracy on FGSM adversarial samples (ensemble): 0.153


In [None]:
import numpy as np

def mixup_data(x, y, alpha=0.2):
    """Applies Mixup data augmentation."""
    if alpha <= 0:
        raise ValueError("Alpha must be positive.")

    # Randomly sample a mixing coefficient
    lam = np.random.beta(alpha, alpha)

    # Randomly sample indices for mixing
    batch_size = x.shape[0]
    index = np.random.permutation(batch_size)

    # Create mixed inputs and labels
    mixed_x = lam * x + (1 - lam) * x[index, :]
    mixed_y = lam * y + (1 - lam) * y[index, :]

    return mixed_x, mixed_y

In [None]:
# Training with Mixup
for epoch in range(20):  # Number of epochs
    print(f'Epoch {epoch + 1}/{20}')

    # Create mixed data
    x_train_mixup, y_train_mixup = mixup_data(x_train, y_train, alpha=0.2)

    # Train the model on mixed data
    model.fit(x_train_mixup, y_train_mixup, epochs=1, batch_size=64, validation_data=(x_test, y_test))



Epoch 1/20
[1m782/782[0m [32m━━━━━━━━━━━━━━━━━━━━[0m[37m[0m [1m3s[0m 4ms/step - accuracy: 0.7048 - loss: 1.5682 - val_accuracy: 0.6502 - val_loss: 1.2917
Epoch 2/20
[1m782/782[0m [32m━━━━━━━━━━━━━━━━━━━━[0m[37m[0m [1m4s[0m 5ms/step - accuracy: 0.7103 - loss: 1.1428 - val_accuracy: 0.6991 - val_loss: 1.1281
Epoch 3/20
[1m782/782[0m [32m━━━━━━━━━━━━━━━━━━━━[0m[37m[0m [1m3s[0m 4ms/step - accuracy: 0.6509 - loss: 1.8591 - val_accuracy: 0.7380 - val_loss: 1.1039
Epoch 4/20
[1m782/782[0m [32m━━━━━━━━━━━━━━━━━━━━[0m[37m[0m [1m3s[0m 4ms/step - accuracy: 0.6987 - loss: 1.4348 - val_accuracy: 0.6811 - val_loss: 1.1500
Epoch 5/20
[1m782/782[0m [32m━━━━━━━━━━━━━━━━━━━━[0m[37m[0m [1m3s[0m 4ms/step - accuracy: 0.6433 - loss: 1.8008 - val_accuracy: 0.7042 - val_loss: 1.1431
Epoch 6/20
[1m782/782[0m [32m━━━━━━━━━━━━━━━━━━━━[0m[37m[0m [1m4s[0m 5ms/step - accuracy: 0.6910 - loss: 1.1698 - val_accuracy: 0.6885 - val_loss: 1.1601
Epoch 7/20
[1m782/782[0m 

In [None]:
# After training, evaluate the model on clean and FGSM adversarial samples
test_loss, test_acc = model.evaluate(x_test, y_test)
test_loss_adv, test_acc_adv = model.evaluate(x_test_adv_fgsm, y_test)

print(f'Test accuracy after Mixup on clean images: {test_acc}')
print(f'Test accuracy after Mixup on FGSM adversarial samples: {test_acc_adv}')

[1m313/313[0m [32m━━━━━━━━━━━━━━━━━━━━[0m[37m[0m [1m2s[0m 2ms/step - accuracy: 0.7381 - loss: 1.0459
[1m313/313[0m [32m━━━━━━━━━━━━━━━━━━━━[0m[37m[0m [1m1s[0m 2ms/step - accuracy: 0.1744 - loss: 3.1819
Test accuracy after Mixup on clean images: 0.7372999787330627
Test accuracy after Mixup on FGSM adversarial samples: 0.16689999401569366


In [None]:
from art.attacks.evasion import ProjectedGradientDescent

# Generate adversarial samples using FGSM
fgsm_attack = FastGradientMethod(estimator=classifier, eps=0.1)
x_train_adv_fgsm = fgsm_attack.generate(x=x_train)


In [None]:
# Generate adversarial samples using PGD
pgd_attack = ProjectedGradientDescent(estimator=classifier, eps=0.1, eps_step=0.01, max_iter=40)
x_train_adv_pgd = pgd_attack.generate(x=x_train)

PGD - Batches: 0it [00:00, ?it/s]

KeyboardInterrupt: 

In [None]:
# Combine clean and adversarial data for adversarial training
x_train_combined = np.concatenate((x_train, x_train_adv_fgsm, x_train_adv_pgd))
y_train_combined = np.concatenate((y_train, y_train, y_train))  # Duplicate labels for each set

In [None]:
# Retrain the model using the combined dataset (clean + adversarial)
model.compile(optimizer='adam', loss='categorical_crossentropy', metrics=['accuracy'])

In [None]:
model.fit(x_train_combined, y_train_combined, epochs=20, batch_size=64, validation_data=(x_test, y_test))

In [None]:
# Evaluate on clean and FGSM adversarial samples
test_loss, test_acc = model.evaluate(x_test, y_test)
test_loss_adv_fgsm, test_acc_adv_fgsm = model.evaluate(x_test_adv_fgsm, y_test)

print(f'Test accuracy after adversarial training on clean images: {test_acc}')
print(f'Test accuracy after adversarial training on FGSM adversarial samples: {test_acc_adv_fgsm}')