#  adversarial training using custom loss


In [681]:
%load_ext autoreload
%autoreload 2

The autoreload extension is already loaded. To reload it, use:
  %reload_ext autoreload


In [682]:
import os
from os.path import join

import time 
import numpy as np
import pandas as pd
import cv2
import pickle
from tqdm import tqdm
from PIL import Image
import matplotlib.pyplot as plt

import tensorflow as tf
import gc


from tensorflow import convert_to_tensor
import tensorflow.keras.backend as K
from tensorflow.keras.models import  load_model,Model
from tensorflow.keras import applications
from tensorflow.keras.callbacks import ModelCheckpoint
from tensorflow.keras.layers import Dropout, Activation, Dense, GlobalMaxPooling2D,Conv2D,Flatten,MaxPooling2D,InputLayer
from tensorflow.keras.utils import to_categorical
from tensorflow.keras.losses import Loss,CategoricalCrossentropy

import copy

from efficientnet.tfkeras import EfficientNetB7
from tensorflow.keras import datasets
from foolbox.attacks import LinfFastGradientAttack,LinfDeepFoolAttack
from foolbox.distances import LpDistance
from foolbox.models import TensorFlowModel
from foolbox import criteria
from sklearn.metrics import classification_report


from art.attacks.evasion import SaliencyMapMethod
from art.estimators.classification import TensorFlowV2Classifier
from art.attacks.evasion import BoundaryAttack
from art.utils import load_dataset #to play with cifar images


gpus = tf.config.experimental.list_physical_devices('GPU')
tf.config.experimental.set_virtual_device_configuration(
    gpus[0],
    [tf.config.experimental.VirtualDeviceConfiguration(memory_limit=4*1024)]
)

In [683]:
tf.config.run_functions_eagerly(False)

In [700]:
tf.random.set_seed(0)

#### 1. Load Data

In [684]:
data=datasets.mnist.load_data(path='mnist.npz')
(X_train, y_train), (X_test, y_test) = tf.keras.datasets.fashion_mnist.load_data()
# X_train,y_train=data[0][0],data[0][1]
# X_test,y_test=data[1][0],data[1][1]
y_train = to_categorical(y_train, 10)
y_test = to_categorical(y_test, 10)

""" Train """
X_train_img = np.full((60000, 32, 32, 3), 0)
for i, s in enumerate(X_train):
    X_train_img[i] = cv2.cvtColor(np.pad(s,2), cv2.COLOR_GRAY2RGB)
    
""" Test """
X_test_img = np.full((10000, 32, 32, 3), 0)
for i, s in enumerate(X_test):
    X_test_img[i] = cv2.cvtColor(np.pad(s,2), cv2.COLOR_GRAY2RGB)
    
X_train=X_train_img
X_test= X_test_img

LABEL_NAMES = ['t_shirt', 'trouser', 'pullover', 'dress', 'coat', 'sandal', 'shirt', 'sneaker', 'bag', 'ankle_boots']

In [685]:
data_set=tf.data.Dataset.from_tensor_slices((X_train,y_train)).shuffle(buffer_size=100000).batch(32)

#### 2. Load models

In [686]:
class Model(tf.keras.Model):
    def __init__(self,c,learning_rate,epsilon):
        super(Model,self).__init__()
        
        self.c=c
        self.learning_rate=learning_rate
        self.epsilon=epsilon
        
        self.model = tf.keras.models.Sequential()
        self.model.add(Conv2D(64, (3, 3), activation='relu',input_shape=(32,32,3)))
        self.model.add(MaxPooling2D(2, 2))
        self.model.add(Conv2D(64, (3, 3), activation='relu'))
        self.model.add(MaxPooling2D(2, 2))
        self.model.add(Flatten())
        self.model.add(Dense(128, activation='relu'))
        self.model.add(Dense(10, activation='softmax'))

        self.loss = CategoricalCrossentropy()
        self.optimizer = tf.keras.optimizers.SGD(self.learning_rate)
#         self.optimizer=tf.keras.optimizers.Adam(self.learning_rate)

        
        
   
    @tf.function
    def train_step(self,x,y):

        with tf.GradientTape() as tape_w:  
            
            with tf.GradientTape() as tape_x:
                tape_x.watch(x)
                true_loss = self.loss(y, self.model(x))        
            gradient = tape_x.gradient(true_loss, x)       
            signed_grad = tf.sign(gradient)      
            adv_loss= self.loss(y, self.model(x-self.epsilon*signed_grad))    
            
      # Combines both losses            
            total_loss= (1-self.c)*true_loss + self.c*adv_loss
            
    # Regular backward pass.
            gradients = tape_w.gradient(total_loss, self.model.trainable_variables)        
            self.optimizer.apply_gradients(zip(gradients, self.model.trainable_variables))
            
       
    def train(self,train_dataset, x_test,y_test,epochs):

        pred=list(map(np.argmax,self.model.predict(x_test)))
        true_values=list(map(np.argmax,y_test))
        acc=np.sum([1 for i in range(len(pred)) if pred[i]==true_values[i]])/len(pred)         
        print('Accuracy before training is {} '.format(acc))
        print('-----------')

        for epoch in range(epochs):
            if epoch!=0 and epoch%3==0:
                self.epsilon*=10
            start = time.time()
            for (x,y) in tqdm(train_dataset,position=0):
                x=tf.cast(x,dtype='float32')           
                self.train_step(x,y)           

            pred=list(map(np.argmax,self.model.predict(x_test)))
            true_values=list(map(np.argmax,y_test))
            acc=np.sum([1 for i in range(len(pred)) if pred[i]==true_values[i]])/len(pred)         

            print ('Time for epoch {} is {} sec'.format(epoch + 1, time.time()-start))
            print('-----------')
            print('Accuracy for epoch {} is {} '.format(epoch + 1, acc))        
            
       
    def call(self, inputs):
        x = self.model(inputs)
        return x

    


        

In [687]:
model_with_def=Model(c=0.5,learning_rate=0.001,epsilon=0.001)
model_without_def=Model(c=0,learning_rate=0.001,epsilon=0.001)
model_slight_defense=Model(c=0.25,learning_rate=0.001,epsilon=0.001)
model_strong_defense=Model(c=0.75,learning_rate=0.001,epsilon=0.001)

In [702]:
model_average_defense=Model(c=0.6,learning_rate=0.001,epsilon=0.001)

In [688]:
model_with_def.train(data_set, X_test[:1000],y_test[:1000], 10)

  0%|          | 0/1875 [00:00<?, ?it/s]

Accuracy before training is 0.091 
-----------


100%|██████████| 1875/1875 [00:11<00:00, 164.13it/s]
  0%|          | 0/1875 [00:00<?, ?it/s]

Time for epoch 1 is 11.521335124969482 sec
-----------
Accuracy for epoch 1 is 0.86 


100%|██████████| 1875/1875 [00:10<00:00, 177.26it/s]
  0%|          | 0/1875 [00:00<?, ?it/s]

Time for epoch 2 is 10.677022218704224 sec
-----------
Accuracy for epoch 2 is 0.875 


100%|██████████| 1875/1875 [00:10<00:00, 178.37it/s]
  0%|          | 0/1875 [00:00<?, ?it/s]

Time for epoch 3 is 10.613824605941772 sec
-----------
Accuracy for epoch 3 is 0.883 


100%|██████████| 1875/1875 [00:10<00:00, 174.15it/s]
  0%|          | 0/1875 [00:00<?, ?it/s]

Time for epoch 4 is 10.863420963287354 sec
-----------
Accuracy for epoch 4 is 0.897 


100%|██████████| 1875/1875 [00:10<00:00, 172.03it/s]
  0%|          | 0/1875 [00:00<?, ?it/s]

Time for epoch 5 is 10.994032144546509 sec
-----------
Accuracy for epoch 5 is 0.895 


100%|██████████| 1875/1875 [00:10<00:00, 170.61it/s]
  0%|          | 0/1875 [00:00<?, ?it/s]

Time for epoch 6 is 11.087900161743164 sec
-----------
Accuracy for epoch 6 is 0.889 


100%|██████████| 1875/1875 [00:10<00:00, 170.99it/s]
  0%|          | 0/1875 [00:00<?, ?it/s]

Time for epoch 7 is 11.06132698059082 sec
-----------
Accuracy for epoch 7 is 0.89 


100%|██████████| 1875/1875 [00:10<00:00, 171.21it/s]
  0%|          | 0/1875 [00:00<?, ?it/s]

Time for epoch 8 is 11.051707744598389 sec
-----------
Accuracy for epoch 8 is 0.904 


100%|██████████| 1875/1875 [00:10<00:00, 176.36it/s]
  0%|          | 0/1875 [00:00<?, ?it/s]

Time for epoch 9 is 10.72933840751648 sec
-----------
Accuracy for epoch 9 is 0.892 


100%|██████████| 1875/1875 [00:10<00:00, 172.97it/s]


Time for epoch 10 is 10.939248323440552 sec
-----------
Accuracy for epoch 10 is 0.898 


In [689]:
model_without_def.train(data_set, X_test[:1000],y_test[:1000], 10)

  0%|          | 0/1875 [00:00<?, ?it/s]

Accuracy before training is 0.119 
-----------


100%|██████████| 1875/1875 [00:10<00:00, 170.66it/s]
  0%|          | 0/1875 [00:00<?, ?it/s]

Time for epoch 1 is 11.084503889083862 sec
-----------
Accuracy for epoch 1 is 0.859 


100%|██████████| 1875/1875 [00:10<00:00, 177.49it/s]
  0%|          | 0/1875 [00:00<?, ?it/s]

Time for epoch 2 is 10.66518497467041 sec
-----------
Accuracy for epoch 2 is 0.879 


100%|██████████| 1875/1875 [00:10<00:00, 178.13it/s]
  0%|          | 0/1875 [00:00<?, ?it/s]

Time for epoch 3 is 10.624125719070435 sec
-----------
Accuracy for epoch 3 is 0.891 


100%|██████████| 1875/1875 [00:10<00:00, 179.24it/s]
  0%|          | 0/1875 [00:00<?, ?it/s]

Time for epoch 4 is 10.55917477607727 sec
-----------
Accuracy for epoch 4 is 0.895 


100%|██████████| 1875/1875 [00:10<00:00, 178.87it/s]
  0%|          | 0/1875 [00:00<?, ?it/s]

Time for epoch 5 is 10.581048727035522 sec
-----------
Accuracy for epoch 5 is 0.887 


100%|██████████| 1875/1875 [00:10<00:00, 178.37it/s]
  0%|          | 0/1875 [00:00<?, ?it/s]

Time for epoch 6 is 10.61289358139038 sec
-----------
Accuracy for epoch 6 is 0.88 


100%|██████████| 1875/1875 [00:10<00:00, 174.99it/s]
  0%|          | 0/1875 [00:00<?, ?it/s]

Time for epoch 7 is 10.813978672027588 sec
-----------
Accuracy for epoch 7 is 0.893 


100%|██████████| 1875/1875 [00:10<00:00, 177.34it/s]
  0%|          | 0/1875 [00:00<?, ?it/s]

Time for epoch 8 is 10.681093215942383 sec
-----------
Accuracy for epoch 8 is 0.897 


100%|██████████| 1875/1875 [00:10<00:00, 177.11it/s]
  0%|          | 0/1875 [00:00<?, ?it/s]

Time for epoch 9 is 10.686333179473877 sec
-----------
Accuracy for epoch 9 is 0.9 


100%|██████████| 1875/1875 [00:10<00:00, 176.53it/s]


Time for epoch 10 is 10.719868898391724 sec
-----------
Accuracy for epoch 10 is 0.897 


In [690]:
model_slight_defense.train(data_set, X_test[:1000],y_test[:1000], 10)

  0%|          | 0/1875 [00:00<?, ?it/s]

Accuracy before training is 0.092 
-----------


100%|██████████| 1875/1875 [00:10<00:00, 171.05it/s]
  0%|          | 0/1875 [00:00<?, ?it/s]

Time for epoch 1 is 11.059312105178833 sec
-----------
Accuracy for epoch 1 is 0.853 


100%|██████████| 1875/1875 [00:10<00:00, 175.75it/s]
  0%|          | 0/1875 [00:00<?, ?it/s]

Time for epoch 2 is 10.76836895942688 sec
-----------
Accuracy for epoch 2 is 0.867 


100%|██████████| 1875/1875 [00:10<00:00, 173.93it/s]
  0%|          | 0/1875 [00:00<?, ?it/s]

Time for epoch 3 is 10.879767417907715 sec
-----------
Accuracy for epoch 3 is 0.885 


100%|██████████| 1875/1875 [00:10<00:00, 175.70it/s]
  0%|          | 0/1875 [00:00<?, ?it/s]

Time for epoch 4 is 10.77641487121582 sec
-----------
Accuracy for epoch 4 is 0.886 


100%|██████████| 1875/1875 [00:10<00:00, 174.02it/s]
  0%|          | 0/1875 [00:00<?, ?it/s]

Time for epoch 5 is 10.870031833648682 sec
-----------
Accuracy for epoch 5 is 0.885 


100%|██████████| 1875/1875 [00:10<00:00, 180.15it/s]
  0%|          | 0/1875 [00:00<?, ?it/s]

Time for epoch 6 is 10.505855560302734 sec
-----------
Accuracy for epoch 6 is 0.896 


100%|██████████| 1875/1875 [00:10<00:00, 172.84it/s]
  0%|          | 0/1875 [00:00<?, ?it/s]

Time for epoch 7 is 10.946324110031128 sec
-----------
Accuracy for epoch 7 is 0.895 


100%|██████████| 1875/1875 [00:10<00:00, 174.70it/s]
  0%|          | 0/1875 [00:00<?, ?it/s]

Time for epoch 8 is 10.830015897750854 sec
-----------
Accuracy for epoch 8 is 0.892 


100%|██████████| 1875/1875 [00:10<00:00, 175.40it/s]
  0%|          | 0/1875 [00:00<?, ?it/s]

Time for epoch 9 is 10.786216974258423 sec
-----------
Accuracy for epoch 9 is 0.891 


100%|██████████| 1875/1875 [00:10<00:00, 176.40it/s]


Time for epoch 10 is 10.726639032363892 sec
-----------
Accuracy for epoch 10 is 0.9 


In [691]:
model_strong_defense.train(data_set, X_test[:1000],y_test[:1000], 10)

  0%|          | 0/1875 [00:00<?, ?it/s]

Accuracy before training is 0.082 
-----------


100%|██████████| 1875/1875 [00:11<00:00, 167.58it/s]
  0%|          | 0/1875 [00:00<?, ?it/s]

Time for epoch 1 is 11.288469076156616 sec
-----------
Accuracy for epoch 1 is 0.85 


100%|██████████| 1875/1875 [00:10<00:00, 172.47it/s]
  0%|          | 0/1875 [00:00<?, ?it/s]

Time for epoch 2 is 10.96502685546875 sec
-----------
Accuracy for epoch 2 is 0.878 


100%|██████████| 1875/1875 [00:10<00:00, 175.96it/s]
  0%|          | 0/1875 [00:00<?, ?it/s]

Time for epoch 3 is 10.756346225738525 sec
-----------
Accuracy for epoch 3 is 0.874 


100%|██████████| 1875/1875 [00:10<00:00, 177.19it/s]
  0%|          | 0/1875 [00:00<?, ?it/s]

Time for epoch 4 is 10.675750970840454 sec
-----------
Accuracy for epoch 4 is 0.884 


100%|██████████| 1875/1875 [00:10<00:00, 174.36it/s]
  0%|          | 0/1875 [00:00<?, ?it/s]

Time for epoch 5 is 10.853132247924805 sec
-----------
Accuracy for epoch 5 is 0.885 


100%|██████████| 1875/1875 [00:10<00:00, 180.93it/s]
  0%|          | 0/1875 [00:00<?, ?it/s]

Time for epoch 6 is 10.469084739685059 sec
-----------
Accuracy for epoch 6 is 0.895 


100%|██████████| 1875/1875 [00:10<00:00, 174.70it/s]
  0%|          | 0/1875 [00:00<?, ?it/s]

Time for epoch 7 is 10.827935695648193 sec
-----------
Accuracy for epoch 7 is 0.892 


100%|██████████| 1875/1875 [00:10<00:00, 173.35it/s]
  0%|          | 0/1875 [00:00<?, ?it/s]

Time for epoch 8 is 10.911808729171753 sec
-----------
Accuracy for epoch 8 is 0.889 


100%|██████████| 1875/1875 [00:10<00:00, 174.12it/s]
  0%|          | 0/1875 [00:00<?, ?it/s]

Time for epoch 9 is 10.867736577987671 sec
-----------
Accuracy for epoch 9 is 0.891 


100%|██████████| 1875/1875 [00:10<00:00, 180.67it/s]


Time for epoch 10 is 10.475807905197144 sec
-----------
Accuracy for epoch 10 is 0.901 


In [703]:
model_average_defense.train(data_set, X_test[:1000],y_test[:1000], 10)

  0%|          | 0/1875 [00:00<?, ?it/s]

Accuracy before training is 0.124 
-----------


100%|██████████| 1875/1875 [00:11<00:00, 160.60it/s]
  0%|          | 0/1875 [00:00<?, ?it/s]

Time for epoch 1 is 11.774292945861816 sec
-----------
Accuracy for epoch 1 is 0.863 


100%|██████████| 1875/1875 [00:10<00:00, 177.89it/s]
  0%|          | 0/1875 [00:00<?, ?it/s]

Time for epoch 2 is 10.629058361053467 sec
-----------
Accuracy for epoch 2 is 0.884 


100%|██████████| 1875/1875 [00:10<00:00, 174.73it/s]
  0%|          | 0/1875 [00:00<?, ?it/s]

Time for epoch 3 is 10.834744215011597 sec
-----------
Accuracy for epoch 3 is 0.896 


100%|██████████| 1875/1875 [00:10<00:00, 178.06it/s]
  0%|          | 0/1875 [00:00<?, ?it/s]

Time for epoch 4 is 10.63293981552124 sec
-----------
Accuracy for epoch 4 is 0.904 


100%|██████████| 1875/1875 [00:11<00:00, 169.36it/s]
  0%|          | 0/1875 [00:00<?, ?it/s]

Time for epoch 5 is 11.170311689376831 sec
-----------
Accuracy for epoch 5 is 0.892 


100%|██████████| 1875/1875 [00:11<00:00, 170.42it/s]
  0%|          | 0/1875 [00:00<?, ?it/s]

Time for epoch 6 is 11.101419687271118 sec
-----------
Accuracy for epoch 6 is 0.895 


100%|██████████| 1875/1875 [00:10<00:00, 172.74it/s]
  0%|          | 0/1875 [00:00<?, ?it/s]

Time for epoch 7 is 10.95723581314087 sec
-----------
Accuracy for epoch 7 is 0.898 


100%|██████████| 1875/1875 [00:10<00:00, 176.81it/s]
  0%|          | 0/1875 [00:00<?, ?it/s]

Time for epoch 8 is 10.700856447219849 sec
-----------
Accuracy for epoch 8 is 0.894 


100%|██████████| 1875/1875 [00:10<00:00, 173.31it/s]
  0%|          | 0/1875 [00:00<?, ?it/s]

Time for epoch 9 is 10.916675090789795 sec
-----------
Accuracy for epoch 9 is 0.898 


100%|██████████| 1875/1875 [00:10<00:00, 172.67it/s]


Time for epoch 10 is 10.954395055770874 sec
-----------
Accuracy for epoch 10 is 0.885 


In [692]:
def DOC (x_adv_list,x_list):
    N=len(x_adv_list)
    sum=0
    for i in range (N):        
        sum+=100*np.linalg.norm(np.reshape(x_adv_list[i] - x_list[i], -1),ord=1)/np.linalg.norm(np.reshape(x_list[i], -1),ord=1)
    return(sum/N)

def succes_rate (success_list):
    success=len([i for i in success_list if i==True])
    total=len(success_list)
    return(success/total)

Test de la resistance du modèle 

In [693]:
def attack_performances_computer(model_to_attack,predicting_model,attack, image_list, labels,epsilon):
    model_to_attack=TensorFlowModel(model_to_attack , bounds=(0, 255))
   
    success_on_attacked_model=[]
    success_on_predicting_model=[]
    adv_list=[]
    for i,image in enumerate(tqdm(image_list,position=0)):
        image = np.asarray(image)[:
                                  ,:,:3].astype('float32')
        image = convert_to_tensor(np.expand_dims(image,axis=0))
        label=labels[i]
        label = tf.convert_to_tensor(np.array([label]))
        _, clipped, is_adv = attack(model_to_attack,image,label,epsilons=epsilon)
        success_on_attacked_model.append(bool(is_adv[0][0]))
        adv_list.append(np.array(clipped[0][0]))
        prediction=predicting_model.predict(np.expand_dims(clipped[0][0],axis=0))
        if np.argmax(prediction)!=labels[i]:
            success_on_predicting_model.append(True)
        else:
            success_on_predicting_model.append(False)
            
        
    DOC_attack=DOC(adv_list,image_list)
    SR_on_attacked_model=succes_rate(success_on_attacked_model)
    SR_on_predicting_model=succes_rate(success_on_predicting_model)
    return(DOC_attack,SR_on_attacked_model,SR_on_predicting_model)


In [694]:
def attack_runner(model_to_attack,predicting_model,image_list, labels_list, epislons_list):   
    labels_list=list(map(np.argmax,labels_list))
    
    attack_FGSM=LinfFastGradientAttack()
    
   

    SR_FGSM_dic={}  
    SR_FGSM_dic_with_defense={}


    for epsilon in epislons_list:
        print('======'+'epislon: '+str(epsilon)+'======')
        DOC_FGSM,SR_FGSM,SR_FGSM_with_defense=attack_performances_computer(model_to_attack,predicting_model,attack_FGSM, image_list, labels_list,[epsilon])
              
        SR_FGSM_dic[DOC_FGSM]=SR_FGSM
        SR_FGSM_dic_with_defense[DOC_FGSM]=SR_FGSM_with_defense
        
    return(SR_FGSM_dic,SR_FGSM_dic_with_defense)

In [695]:
SR_FGSM_dic_with_defense,_=attack_runner(model_with_def,model_with_def,X_test[7000:7500], y_test[7000:7500], [0.0005,0.001,0.005,0.01,0.05,0.1,0.5,1])

  0%|          | 0/500 [00:00<?, ?it/s]



100%|██████████| 500/500 [00:18<00:00, 27.60it/s]
  1%|          | 3/500 [00:00<00:18, 26.28it/s]



100%|██████████| 500/500 [00:17<00:00, 27.83it/s]
  1%|          | 3/500 [00:00<00:17, 28.98it/s]



100%|██████████| 500/500 [00:18<00:00, 26.39it/s]
  1%|          | 3/500 [00:00<00:19, 26.01it/s]



100%|██████████| 500/500 [00:18<00:00, 27.55it/s]
  1%|          | 3/500 [00:00<00:16, 29.51it/s]



100%|██████████| 500/500 [00:17<00:00, 28.93it/s]
  1%|          | 3/500 [00:00<00:17, 29.06it/s]



100%|██████████| 500/500 [00:16<00:00, 29.64it/s]
  1%|          | 4/500 [00:00<00:16, 29.46it/s]



100%|██████████| 500/500 [00:19<00:00, 25.83it/s]
  1%|          | 3/500 [00:00<00:18, 27.31it/s]



100%|██████████| 500/500 [00:18<00:00, 26.32it/s]


In [696]:
SR_FGSM_dic_without_defense,_=attack_runner(model_without_def,model_without_def,X_test[7000:7500], y_test[7000:7500], [0.0005,0.001,0.005,0.01,0.05,0.1,0.5,1])

  0%|          | 2/500 [00:00<00:27, 18.21it/s]



100%|██████████| 500/500 [00:18<00:00, 26.45it/s]
  1%|          | 3/500 [00:00<00:17, 27.65it/s]



100%|██████████| 500/500 [00:18<00:00, 26.52it/s]
  1%|          | 3/500 [00:00<00:19, 25.27it/s]



100%|██████████| 500/500 [00:18<00:00, 26.52it/s]
  1%|          | 3/500 [00:00<00:18, 27.51it/s]



100%|██████████| 500/500 [00:18<00:00, 26.61it/s]
  1%|          | 3/500 [00:00<00:19, 25.07it/s]



100%|██████████| 500/500 [00:18<00:00, 26.58it/s]
  1%|          | 3/500 [00:00<00:17, 27.85it/s]



100%|██████████| 500/500 [00:18<00:00, 26.66it/s]
  1%|          | 3/500 [00:00<00:18, 27.60it/s]



100%|██████████| 500/500 [00:18<00:00, 26.63it/s]
  1%|          | 3/500 [00:00<00:17, 27.93it/s]



100%|██████████| 500/500 [00:19<00:00, 26.21it/s]


In [697]:
SR_FGSM_dic_slight_defense,_=attack_runner(model_slight_defense,model_slight_defense,X_test[7000:7500], y_test[7000:7500], [0.0005,0.001,0.005,0.01,0.05,0.1,0.5,1])

  0%|          | 2/500 [00:00<00:27, 18.13it/s]



100%|██████████| 500/500 [00:18<00:00, 26.49it/s]
  1%|          | 3/500 [00:00<00:19, 25.17it/s]



100%|██████████| 500/500 [00:18<00:00, 26.64it/s]
  1%|          | 3/500 [00:00<00:19, 25.84it/s]



100%|██████████| 500/500 [00:18<00:00, 26.54it/s]
  1%|          | 3/500 [00:00<00:19, 25.05it/s]



100%|██████████| 500/500 [00:18<00:00, 26.65it/s]
  1%|          | 3/500 [00:00<00:17, 27.66it/s]



100%|██████████| 500/500 [00:18<00:00, 26.52it/s]
  1%|          | 3/500 [00:00<00:20, 24.12it/s]



100%|██████████| 500/500 [00:18<00:00, 26.55it/s]
  1%|          | 3/500 [00:00<00:17, 27.64it/s]



100%|██████████| 500/500 [00:18<00:00, 26.63it/s]
  1%|          | 3/500 [00:00<00:17, 27.76it/s]



100%|██████████| 500/500 [00:18<00:00, 26.73it/s]


In [698]:
SR_FGSM_dic_strong_defense,_=attack_runner(model_strong_defense,model_strong_defense,X_test[7000:7500], y_test[7000:7500], [0.0005,0.001,0.005,0.01,0.05,0.1,0.5,1])

  0%|          | 2/500 [00:00<00:27, 18.10it/s]



100%|██████████| 500/500 [00:19<00:00, 26.27it/s]
  1%|          | 3/500 [00:00<00:18, 27.60it/s]



100%|██████████| 500/500 [00:18<00:00, 26.56it/s]
  1%|          | 3/500 [00:00<00:20, 23.86it/s]



100%|██████████| 500/500 [00:18<00:00, 26.43it/s]
  1%|          | 3/500 [00:00<00:17, 27.74it/s]



100%|██████████| 500/500 [00:18<00:00, 26.68it/s]
  1%|          | 3/500 [00:00<00:19, 25.02it/s]



100%|██████████| 500/500 [00:18<00:00, 26.45it/s]
  1%|          | 3/500 [00:00<00:18, 27.59it/s]



100%|██████████| 500/500 [00:18<00:00, 26.43it/s]
  1%|          | 3/500 [00:00<00:19, 25.17it/s]



100%|██████████| 500/500 [00:18<00:00, 26.59it/s]
  1%|          | 3/500 [00:00<00:17, 27.71it/s]



100%|██████████| 500/500 [00:18<00:00, 26.44it/s]


In [None]:
SR_FGSM_dic_average_defense,_=attack_runner(model_average_defense,model_average_defense,X_test[7000:7500], y_test[7000:7500], [0.0005,0.001,0.005,0.01,0.05,0.1,0.5,1])

  0%|          | 2/500 [00:00<00:31, 15.90it/s]



100%|██████████| 500/500 [00:19<00:00, 26.06it/s]
  1%|          | 3/500 [00:00<00:18, 27.58it/s]



100%|██████████| 500/500 [00:20<00:00, 24.54it/s]
  1%|          | 3/500 [00:00<00:23, 20.84it/s]



 50%|█████     | 251/500 [00:10<00:09, 26.20it/s]

In [None]:
plt.plot(list(SR_FGSM_dic_with_defense.keys()),list(SR_FGSM_dic_with_defense.values()),label='c=0.5')
plt.plot(list(SR_FGSM_dic_without_defense.keys()),list(SR_FGSM_dic_without_defense.values()),label='c=0')
plt.plot(list(SR_FGSM_dic_slight_defense.keys()),list(SR_FGSM_dic_slight_defense.values()),label='c=0.25')
plt.plot(list(SR_FGSM_dic_strong_defense.keys()),list(SR_FGSM_dic_strong_defense.values()),label='c=0.75')
plt.plot(list(SR_FGSM_dic_average_defense.keys()),list(SR_FGSM_dic_average_defense.values()),label='c=0.6')
plt.xscale('log')
plt.grid(True,which="both", linestyle='--')
plt.title('Successs rate for different degrees of change \n on Mnist images for the effnet model',fontsize=11)
plt.xlabel('DOC (%)')
plt.ylabel('SR')
plt.legend(loc='upper left')