# Basic Configs

In [1]:
# Colab-only: mounts the signed-in user's Google Drive at /content/gdrive so the
# trained checkpoints stored there can be read later in the notebook.
# NOTE(review): the mount is visible to everything this runtime executes afterwards
# (the cloned repository, pip-installed packages, unpickled checkpoints). Prefer a
# dedicated account or folder holding only what the notebook needs.
from google.colab import drive
drive.mount('/content/gdrive')

Mounted at /content/gdrive


## Imports

In [2]:
import torch
import torch.nn as nn
import torch.nn.functional as F
import torch.optim as optim

from torchvision import datasets, transforms
from torch.utils import data

import numpy as np
import matplotlib.pyplot as plt

## Global Variables

In [3]:
# Notebook-wide settings.
# `device` is the GPU when PyTorch can see one, otherwise the CPU; `cpu` is kept as a
# separate handle so models can be parked on the host between GPU-heavy steps.
cuda = torch.cuda.is_available()
cpu = torch.device("cpu")
device = torch.device("cuda") if cuda else cpu

# DataLoader settings shared by every loader built in this notebook.
batch_size = 128
num_workers = 4

## Load Repo
- Rename the folder to `project`

In [None]:
# !rm -rf project

In [4]:
# NOTE(review): this clones whatever the default branch points to at run time, and the
# following cells import and execute that code inside this runtime. Pin the checkout to
# a reviewed commit so re-runs are reproducible and upstream changes cannot slip in,
# e.g. `git -C IDL-Project checkout <REVIEWED_COMMIT_SHA>` (placeholder, not a real id).
!git clone https://github.com/effie-0/IDL-Project.git

Cloning into 'IDL-Project'...
remote: Enumerating objects: 253, done.[K
remote: Counting objects: 100% (253/253), done.[K
remote: Compressing objects: 100% (187/187), done.[K
remote: Total 253 (delta 132), reused 132 (delta 54), pack-reused 0[K
Receiving objects: 100% (253/253), 1.60 MiB | 22.18 MiB/s, done.
Resolving deltas: 100% (132/132), done.


In [5]:
# Rename the checkout so the cells below can import it as the `project` package
# (the hyphenated directory name is not a valid Python module name).
!mv IDL-Project project

# Load Functions

In [6]:
from project.summarize.load_data import AdvDataset, get_data

## Load Dataset

In [7]:
# get_data is project code; judging by the cell output it downloads CIFAR-10 into ./data
# and returns the train/test datasets with their loaders — TODO confirm in load_data.py.
# NOTE(review): in the recorded run the HTTPS download failed and the archive was fetched
# over plain HTTP, so integrity rests on the downloader's own check ("downloaded and
# verified" in the log). Confirm that check is in place before trusting data fetched this way.
trainset, trainloader, testset, testloader = get_data(batch_size)

Downloading https://www.cs.toronto.edu/~kriz/cifar-10-python.tar.gz to ./data/cifar-10-python.tar.gz


HBox(children=(FloatProgress(value=1.0, bar_style='info', max=1.0), HTML(value='')))

Failed download. Trying https -> http instead. Downloading http://www.cs.toronto.edu/~kriz/cifar-10-python.tar.gz to ./data/cifar-10-python.tar.gz


HBox(children=(FloatProgress(value=1.0, bar_style='info', max=1.0), HTML(value='')))

Extracting ./data/cifar-10-python.tar.gz to ./data
Files already downloaded and verified


## Load Models

In [8]:
from project.summarize.classifier import ResidualBlock, ResNet18, cifar_resnet20, ResNet50, VGG

In [9]:
# Build the four CIFAR-10 classifiers compared in this notebook.
# resnet18, resnet50 and vgg16 receive their weights from checkpoints in a later cell.
# cifar_resnet20('cifar10') instead fetches pretrained weights from a third-party GitHub
# release into the torch hub cache (URL and cache path are shown in the cell output).
# NOTE(review): that checkpoint is presumably deserialized by torch, so treat the release
# as a trusted dependency and pin/verify it like any other downloaded artifact.
resnet18 = ResNet18(ResidualBlock)
resnet20 = cifar_resnet20('cifar10')  # With pretrained model
resnet50 = ResNet50()
vgg16 = VGG('VGG16')

Downloading: "https://github.com/chenyaofo/CIFAR-pretrained-models/releases/download/resnet/cifar10-resnet20-30abc31d.pth" to /root/.cache/torch/hub/checkpoints/cifar10-resnet20-30abc31d.pth


HBox(children=(FloatProgress(value=0.0, max=1117131.0), HTML(value='')))




### Load Trained Models

In [10]:
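# Restore the trained weights of the three locally trained models from Google Drive.
# Each checkpoint is a dict whose 'model_state_dict' entry holds the parameters.
#
# SECURITY(review): torch.load unpickles the file, and unpickling can execute arbitrary
# code. These .pth files appear to live in a shared Drive folder, so load only
# checkpoints whose origin you control; on PyTorch versions that support it, also pass
# weights_only=True to restrict what the unpickler may construct.
#
# map_location=cpu keeps the load working on a CPU-only runtime even when a checkpoint
# was saved from a GPU; each model is moved to `device` later, right before it is used.
vgg16_path = "/content/gdrive/My Drive/18-786 IDL/IDL.dll/models/vgg16.pth"
vgg16.load_state_dict(torch.load(vgg16_path, map_location=cpu)['model_state_dict'])

resnet18_path = "/content/gdrive/My Drive/18-786 IDL/IDL.dll/models/ResNet18.pth"
resnet18.load_state_dict(torch.load(resnet18_path, map_location=cpu)['model_state_dict'])

resnet50_path = "/content/gdrive/My Drive/18-786 IDL/IDL.dll/models/Copy of ResNet50_49.pth"
resnet50.load_state_dict(torch.load(resnet50_path, map_location=cpu)['model_state_dict'])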

<All keys matched successfully>

In [11]:
# Name -> network lookup. The insertion order (vgg16, resnet18, resnet20, resnet50)
# is the order in which the attack and evaluation loops below visit the models.
models = dict(
    vgg16=vgg16,
    resnet18=resnet18,
    resnet20=resnet20,
    resnet50=resnet50,
)

# Generate the Adversarial Samples

In [12]:
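# Pinned to the release this notebook was recorded with (1.5.0, per the install log) so a
# re-run does not silently pull a different, unreviewed version. %pip installs into the
# environment of the running kernel.
# NOTE(review): transitive dependencies are still resolved at install time; use a
# requirements/constraints file with hashes if the run must be fully reproducible.
%pip install adversarial-robustness-toolbox==1.5.0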

Collecting adversarial-robustness-toolbox
[?25l  Downloading https://files.pythonhosted.org/packages/0c/d6/cdffe8cd1bc10d95a058eff4135268db266c9a3f34467802d158ba9aa7f3/adversarial_robustness_toolbox-1.5.0-py3-none-any.whl (886kB)
[K     |████████████████████████████████| 890kB 4.2MB/s 
Collecting cma
[?25l  Downloading https://files.pythonhosted.org/packages/36/c0/0a1c41f7cad0a51e07991cf86423d0e6651d035f1fe7dcff48e8858848f2/cma-3.0.3-py2.py3-none-any.whl (230kB)
[K     |████████████████████████████████| 235kB 19.2MB/s 
[?25hCollecting ffmpeg-python
  Downloading https://files.pythonhosted.org/packages/d7/0c/56be52741f75bad4dc6555991fabd2e07b432d333da82c11ad701123888a/ffmpeg_python-0.2.0-py3-none-any.whl
Collecting mypy
[?25l  Downloading https://files.pythonhosted.org/packages/e2/cb/cf5530d063e7e703e2fbec677bfba633de6e70fe44bc323deeaa27f273b8/mypy-0.790-cp36-cp36m-manylinux1_x86_64.whl (21.0MB)
[K     |████████████████████████████████| 21.0MB 1.2MB/s 
Collecting pydub
  Download

In [33]:
from art.attacks.evasion import FastGradientMethod, ProjectedGradientDescentPyTorch, CarliniLInfMethod, DeepFool
from art.estimators.classification import PyTorchClassifier

In [37]:
from project.summarize.normal_train import evaluate

## Prepare Attacks

## Eps = 0.03

In [31]:
def generate_attack(test_loader, classifier, attack):
    """Craft adversarial versions of every batch in ``test_loader``.

    Args:
        test_loader: iterable yielding ``(image, target)`` batches. ``target`` must be
            a CPU tensor because ``.numpy()`` is called on it directly.
        classifier: not used in the body (the callers build ``attack`` around the same
            classifier); kept so existing calls keep working.
        attack: object exposing ``generate(x=..., y=...)``; the callers in this
            notebook pass ART evasion attacks.

    Returns:
        ``(dataset, loader)``: an ``AdvDataset`` pairing each adversarial sample with
        its original label, and a non-shuffled ``DataLoader`` over it built with the
        notebook-level ``batch_size`` and ``num_workers``.
    """
    labels = []
    adv_images = []

    for image, target in test_loader:
        # Batches are handed to the attack exactly as the loader yields them.
        adv_batch = attack.generate(x=image, y=target)

        # Flatten batch-wise results into per-sample lists, preserving loader order.
        labels.extend(target.flatten().numpy())
        adv_images.extend(adv_batch)

    dataset = AdvDataset(adv_images, labels)
    # shuffle=False keeps the adversarial set in the same order as the clean data.
    loader = data.DataLoader(
        dataset,
        batch_size=batch_size,
        shuffle=False,
        num_workers=num_workers,
    )

    return dataset, loader

In [41]:
# Craft adversarial CIFAR-10 test sets against every model (white-box: each attack is
# built around the very model it targets) and print that model's accuracy on them.
# NOTE(review): max_iter=10 is a small budget for PGD and C&W, so these accuracies are
# best read as upper bounds on robust accuracy at this eps — stronger attacks may go lower.
# NOTE(review): PyTorchClassifier is built without clip_values; confirm the adversarial
# images stay inside the valid input range for whatever preprocessing get_data applies.
criterion = nn.CrossEntropyLoss()
eps = 0.03                      # perturbation budget passed to every attack
shape = trainset[0][0].shape    # shape of one input sample, read from the first training item
samples = {}                    # model name -> {attack name -> (dataset, loader)}

# (label, factory) pairs in execution order; each factory receives the ART classifier.
# DeepFool is imported above but was left disabled by the author, so it is not listed.
attack_factories = (
    ('FGM', lambda clf: FastGradientMethod(estimator=clf, eps=eps)),
    ('PGD', lambda clf: ProjectedGradientDescentPyTorch(estimator=clf, eps=eps, eps_step=0.01, max_iter=10)),
    ('C&W', lambda clf: CarliniLInfMethod(classifier=clf, eps=eps, max_iter=10)),
)

for model_name, model in models.items():
    model.to(device)
    model.eval()
    classifier = PyTorchClassifier(
        model=model,
        loss=criterion,
        input_shape=shape,
        nb_classes=10)
    attack_samples = {}

    print('model name = ', model_name)
    for attack_label, make_attack in attack_factories:
        print(attack_label)
        attack = make_attack(classifier)
        dataset, loader = generate_attack(testloader, classifier, attack)
        attack_samples[attack_label] = dataset, loader

        # evaluate is project code; its second return value is used as the accuracy
        # (the recorded output suggests a percentage — TODO confirm in normal_train.py).
        _, acc = evaluate(model, loader, criterion, device)
        print('acc = ', acc)

    # Park the model on the host and drop the wrapper before the next model is moved over.
    model.to(cpu)
    del classifier
    torch.cuda.empty_cache()

    samples[model_name] = attack_samples

model name =  vgg16
FGM
acc =  37.830000000000005
PGD


  x_grad = torch.tensor(x).to(self._device)
  y_grad = torch.tensor(y).to(self._device)


acc =  16.66
C&W


C&W L_inf: 100%|██████████| 1/1 [00:04<00:00,  4.54s/it]
C&W L_inf: 100%|██████████| 1/1 [00:04<00:00,  4.70s/it]
C&W L_inf: 100%|██████████| 1/1 [00:04<00:00,  4.95s/it]
C&W L_inf: 100%|██████████| 1/1 [00:04<00:00,  4.61s/it]
C&W L_inf: 100%|██████████| 1/1 [00:04<00:00,  4.48s/it]
C&W L_inf: 100%|██████████| 1/1 [00:04<00:00,  4.18s/it]
C&W L_inf: 100%|██████████| 1/1 [00:04<00:00,  4.40s/it]
C&W L_inf: 100%|██████████| 1/1 [00:04<00:00,  4.31s/it]
C&W L_inf: 100%|██████████| 1/1 [00:04<00:00,  4.13s/it]
C&W L_inf: 100%|██████████| 1/1 [00:04<00:00,  4.81s/it]
C&W L_inf: 100%|██████████| 1/1 [00:04<00:00,  4.40s/it]
C&W L_inf: 100%|██████████| 1/1 [00:04<00:00,  4.49s/it]
C&W L_inf: 100%|██████████| 1/1 [00:04<00:00,  4.80s/it]
C&W L_inf: 100%|██████████| 1/1 [00:04<00:00,  4.26s/it]
C&W L_inf: 100%|██████████| 1/1 [00:04<00:00,  4.25s/it]
C&W L_inf: 100%|██████████| 1/1 [00:04<00:00,  4.64s/it]
C&W L_inf: 100%|██████████| 1/1 [00:04<00:00,  4.39s/it]
C&W L_inf: 100%|██████████| 1/1

acc =  19.68
model name =  resnet18
FGM
acc =  43.519999999999996
PGD




acc =  32.36
C&W


C&W L_inf: 100%|██████████| 1/1 [00:07<00:00,  7.07s/it]
C&W L_inf: 100%|██████████| 1/1 [00:06<00:00,  6.86s/it]
C&W L_inf: 100%|██████████| 1/1 [00:06<00:00,  6.99s/it]
C&W L_inf: 100%|██████████| 1/1 [00:07<00:00,  7.06s/it]
C&W L_inf: 100%|██████████| 1/1 [00:07<00:00,  7.70s/it]
C&W L_inf: 100%|██████████| 1/1 [00:06<00:00,  6.36s/it]
C&W L_inf: 100%|██████████| 1/1 [00:06<00:00,  6.61s/it]
C&W L_inf: 100%|██████████| 1/1 [00:06<00:00,  6.83s/it]
C&W L_inf: 100%|██████████| 1/1 [00:06<00:00,  6.66s/it]
C&W L_inf: 100%|██████████| 1/1 [00:07<00:00,  7.28s/it]
C&W L_inf: 100%|██████████| 1/1 [00:07<00:00,  7.06s/it]
C&W L_inf: 100%|██████████| 1/1 [00:06<00:00,  6.85s/it]
C&W L_inf: 100%|██████████| 1/1 [00:06<00:00,  6.78s/it]
C&W L_inf: 100%|██████████| 1/1 [00:06<00:00,  6.99s/it]
C&W L_inf: 100%|██████████| 1/1 [00:07<00:00,  7.22s/it]
C&W L_inf: 100%|██████████| 1/1 [00:06<00:00,  6.30s/it]
C&W L_inf: 100%|██████████| 1/1 [00:07<00:00,  7.13s/it]
C&W L_inf: 100%|██████████| 1/1

acc =  33.98
model name =  resnet20
FGM
acc =  33.910000000000004
PGD




acc =  3.7699999999999996
C&W


C&W L_inf: 100%|██████████| 1/1 [00:02<00:00,  2.02s/it]
C&W L_inf: 100%|██████████| 1/1 [00:01<00:00,  1.87s/it]
C&W L_inf: 100%|██████████| 1/1 [00:01<00:00,  1.73s/it]
C&W L_inf: 100%|██████████| 1/1 [00:01<00:00,  1.99s/it]
C&W L_inf: 100%|██████████| 1/1 [00:01<00:00,  1.98s/it]
C&W L_inf: 100%|██████████| 1/1 [00:01<00:00,  1.68s/it]
C&W L_inf: 100%|██████████| 1/1 [00:01<00:00,  1.91s/it]
C&W L_inf: 100%|██████████| 1/1 [00:01<00:00,  1.96s/it]
C&W L_inf: 100%|██████████| 1/1 [00:01<00:00,  1.82s/it]
C&W L_inf: 100%|██████████| 1/1 [00:01<00:00,  1.83s/it]
C&W L_inf: 100%|██████████| 1/1 [00:01<00:00,  1.94s/it]
C&W L_inf: 100%|██████████| 1/1 [00:01<00:00,  1.97s/it]
C&W L_inf: 100%|██████████| 1/1 [00:01<00:00,  1.84s/it]
C&W L_inf: 100%|██████████| 1/1 [00:01<00:00,  1.94s/it]
C&W L_inf: 100%|██████████| 1/1 [00:01<00:00,  1.90s/it]
C&W L_inf: 100%|██████████| 1/1 [00:01<00:00,  1.63s/it]
C&W L_inf: 100%|██████████| 1/1 [00:01<00:00,  1.85s/it]
C&W L_inf: 100%|██████████| 1/1

acc =  3.54
model name =  resnet50
FGM
acc =  40.589999999999996
PGD




acc =  20.3
C&W


C&W L_inf: 100%|██████████| 1/1 [00:18<00:00, 18.72s/it]
C&W L_inf: 100%|██████████| 1/1 [00:16<00:00, 16.74s/it]
C&W L_inf: 100%|██████████| 1/1 [00:16<00:00, 16.95s/it]
C&W L_inf: 100%|██████████| 1/1 [00:18<00:00, 18.18s/it]
C&W L_inf: 100%|██████████| 1/1 [00:19<00:00, 19.74s/it]
C&W L_inf: 100%|██████████| 1/1 [00:17<00:00, 17.01s/it]
C&W L_inf: 100%|██████████| 1/1 [00:17<00:00, 17.13s/it]
C&W L_inf: 100%|██████████| 1/1 [00:18<00:00, 18.54s/it]
C&W L_inf: 100%|██████████| 1/1 [00:17<00:00, 17.56s/it]
C&W L_inf: 100%|██████████| 1/1 [00:18<00:00, 18.80s/it]
C&W L_inf: 100%|██████████| 1/1 [00:19<00:00, 19.15s/it]
C&W L_inf: 100%|██████████| 1/1 [00:18<00:00, 18.13s/it]
C&W L_inf: 100%|██████████| 1/1 [00:18<00:00, 18.22s/it]
C&W L_inf: 100%|██████████| 1/1 [00:18<00:00, 18.65s/it]
C&W L_inf: 100%|██████████| 1/1 [00:17<00:00, 17.82s/it]
C&W L_inf: 100%|██████████| 1/1 [00:16<00:00, 16.46s/it]
C&W L_inf: 100%|██████████| 1/1 [00:18<00:00, 18.43s/it]
C&W L_inf: 100%|██████████| 1/1

acc =  22.09


# 4x4 Matrix

In [42]:
# Transferability matrix: matrix[classifier][source model][attack] is the accuracy of
# `classifier` on adversarial examples that were crafted against `source model`.
# Entries where both names match repeat the white-box numbers printed by the generation
# cell; the remaining entries show how well each attack transfers to a different model.
# NOTE(review): model.eval() is not called in this cell — it relies on the models still
# being in eval mode from the generation cell, or on evaluate() switching modes. Confirm.
matrix = {}

for model_name, model in models.items():
    line = matrix[model_name] = {}
    model.to(device)

    for adv_name, attack_samples in samples.items():
        print('classifier: ', model_name, ';  adversarial data comes from: ', adv_name)
        per_attack = line[adv_name] = {}

        for attack_name, (dataset, loader) in attack_samples.items():
            loss, acc = evaluate(model, loader, criterion, device)
            per_attack[attack_name] = acc
            print('attack: ', attack_name, ';  acc = ', acc)

        print('-' * 20)

    # Move the model back to the host so only one network occupies the GPU at a time.
    model.to(cpu)
    torch.cuda.empty_cache()

classifier:  vgg16 ;  adversarial data comes from:  vgg16
attack:  FGM ;  acc =  37.830000000000005
attack:  PGD ;  acc =  16.66
attack:  C&W ;  acc =  19.68
--------------------
classifier:  vgg16 ;  adversarial data comes from:  resnet18
attack:  FGM ;  acc =  82.39
attack:  PGD ;  acc =  82.03
attack:  C&W ;  acc =  89.75
--------------------
classifier:  vgg16 ;  adversarial data comes from:  resnet20
attack:  FGM ;  acc =  85.39
attack:  PGD ;  acc =  84.92
attack:  C&W ;  acc =  91.42
--------------------
classifier:  vgg16 ;  adversarial data comes from:  resnet50
attack:  FGM ;  acc =  82.64
attack:  PGD ;  acc =  81.89999999999999
attack:  C&W ;  acc =  90.02
--------------------
classifier:  resnet18 ;  adversarial data comes from:  vgg16
attack:  FGM ;  acc =  83.05
attack:  PGD ;  acc =  83.21
attack:  C&W ;  acc =  88.52
--------------------
classifier:  resnet18 ;  adversarial data comes from:  resnet18
attack:  FGM ;  acc =  43.519999999999996
attack:  PGD ;  acc =  32.3