# 準備

## artのインストール

In [None]:
!pip3 install adversarial-robustness-toolbox



## ライブラリのインポート

In [None]:
import random
import numpy as np
import matplotlib.pyplot as plt

# TensorFlow with Keras.
import tensorflow as tf
from tensorflow.keras.models import Model
from tensorflow.keras.layers import Input, Dense, Flatten, Conv2D
from tensorflow.keras.layers import MaxPooling2D, GlobalAveragePooling2D, Dropout
tf.compat.v1.disable_eager_execution()

# ART
import art
from art.attacks.evasion import FastGradientMethod
from art.estimators.classification import KerasClassifier

## CIFAR10のロード・前処理

In [None]:
# CIFAR10のロード。
(X_train, y_train), (X_test, y_test) = tf.keras.datasets.cifar10.load_data()

# CIFAR10のラベル。
classes = ['airplane', 'automobile', 'bird', 'cat', 'deer', 'dog', 'frog', 'horse', 'ship', 'truck']
num_classes = len(classes)

In [None]:
# 正規化。
X_train = X_train.astype('float32') / 255
X_test = X_test.astype('float32') / 255

# ラベルをOne-hot-vector化。
y_train = tf.keras.utils.to_categorical(y_train, num_classes)
y_test = tf.keras.utils.to_categorical(y_test, num_classes)

## 摂動を作るためのClassifierの作成



### モデル定義

In [None]:
# モデルの定義。
inputs = Input(shape=(32, 32, 3))
x = Conv2D(64, (3, 3), padding='SAME', activation='relu')(inputs)
x = Conv2D(64, (3, 3), padding='SAME', activation='relu')(x)
x = Dropout(0.25)(x)
x = MaxPooling2D()(x)

x = Conv2D(128, (3,3), padding='SAME', activation='relu')(x)
x = Conv2D(128, (3,3), padding='SAME', activation='relu')(x)
x = Dropout(0.25)(x)
x = MaxPooling2D()(x)

x = Conv2D(256, (3,3), padding='SAME', activation='relu')(x)
x = Conv2D(256, (3,3), padding='SAME', activation='relu')(x)
x = GlobalAveragePooling2D()(x)

x = Dense(1024, activation='relu')(x)
x = Dropout(0.25)(x)
y = Dense(10, activation='softmax')(x)

model = Model(inputs, y)

# モデルのコンパイル。
model.compile(optimizer=tf.keras.optimizers.Adam(),
              loss='categorical_crossentropy',
              metrics=['accuracy'])
model.summary()

Model: "model_7"
_________________________________________________________________
Layer (type)                 Output Shape              Param #   
input_4 (InputLayer)         [(None, 32, 32, 3)]       0         
_________________________________________________________________
conv2d_18 (Conv2D)           (None, 32, 32, 64)        1792      
_________________________________________________________________
conv2d_19 (Conv2D)           (None, 32, 32, 64)        36928     
_________________________________________________________________
dropout_9 (Dropout)          (None, 32, 32, 64)        0         
_________________________________________________________________
max_pooling2d_6 (MaxPooling2 (None, 16, 16, 64)        0         
_________________________________________________________________
conv2d_20 (Conv2D)           (None, 16, 16, 128)       73856     
_________________________________________________________________
conv2d_21 (Conv2D)           (None, 16, 16, 128)       1475

### 学習の実行

In [None]:
# 学習の実行。
model.fit(X_train, y_train,
          batch_size=512,
          epochs=30,
          validation_data=(X_test, y_test),
          shuffle=True)

Train on 50000 samples, validate on 10000 samples
Epoch 1/30



Epoch 2/30
Epoch 3/30
Epoch 4/30
Epoch 5/30
Epoch 6/30
Epoch 7/30
Epoch 8/30
Epoch 9/30
Epoch 10/30
Epoch 11/30
Epoch 12/30
Epoch 13/30
Epoch 14/30
Epoch 15/30
Epoch 16/30
Epoch 17/30
Epoch 18/30
Epoch 19/30
Epoch 20/30
Epoch 21/30
Epoch 22/30
Epoch 23/30
Epoch 24/30
Epoch 25/30
Epoch 26/30
Epoch 27/30
Epoch 28/30
Epoch 29/30
Epoch 30/30


<keras.callbacks.History at 0x7fc602414210>

### モデルの精度評価

In [None]:
model.evaluate(X_test, y_test)

[0.8451863438129426, 0.814]

## Assistive Signalsの作成

In [None]:
# 入力データの特徴量の最小値・最大値を指定。
# 特徴量は0.0～1.0の範囲に収まるように正規化しているため、最小値は0.0、最大値は1.0とする。
min_pixel_value = 0.0
max_pixel_value = 1.0

# モデルをART Keras Classifierでラップ。
classifier = KerasClassifier(model=model, clip_values=(min_pixel_value, max_pixel_value), use_logits=False)

In [None]:
# FGSMインスタンスの作成。
attack_targeted = FastGradientMethod(estimator=classifier, eps=0.10, targeted=True)
# 敵対的サンプルの生成（ベース画像はテストデータとする）。
X_test_assistive = attack_targeted.generate(x=X_test, y=y_test)

## 非標的型攻撃としてのFGSMによる摂動を作成
以下、この摂動を上乗せした画像のことを「敵対的画像」と呼ぶ。

In [None]:
attack_notargeted = FastGradientMethod(estimator=classifier, eps=0.10, targeted=False)
X_test_adv = attack_notargeted.generate(X_test)

## 敵対的画像に対するモデルの精度評価

### cleanのみで学習したモデルとAssistive Signals

In [None]:
model.evaluate(X_test_assistive, y_test)

[0.06220840414933918, 0.9837]

### cleanのみで学習したモデルと敵対的攻撃画像

In [None]:
model.evaluate(X_test_adv, y_test)

[14.784507040405273, 0.1109]

# Assistive Signals入りの画像のみで学習

In [None]:
X_train_assistive = attack_targeted.generate(x=X_train, y=y_train)

In [None]:
model2 = Model(inputs, y)

# モデルのコンパイル。
model2.compile(optimizer=tf.keras.optimizers.Adam(),
              loss='categorical_crossentropy',
              metrics=['accuracy'])

In [None]:
model2.fit(X_train_assistive, y_train,
          batch_size=512,
          epochs=30,
          shuffle=True)

Train on 50000 samples
Epoch 1/30
Epoch 2/30
Epoch 3/30
Epoch 4/30
Epoch 5/30
Epoch 6/30
Epoch 7/30
Epoch 8/30
Epoch 9/30
Epoch 10/30
Epoch 11/30
Epoch 12/30
Epoch 13/30
Epoch 14/30
Epoch 15/30
Epoch 16/30
Epoch 17/30
Epoch 18/30
Epoch 19/30
Epoch 20/30
Epoch 21/30
Epoch 22/30
Epoch 23/30
Epoch 24/30
Epoch 25/30
Epoch 26/30
Epoch 27/30
Epoch 28/30
Epoch 29/30
Epoch 30/30


<keras.callbacks.History at 0x7fc60275c3d0>

In [None]:
# assistive train data
model2.evaluate(X_train_assistive, y_train)

[0.012166566797296401, 0.99586]

In [None]:
# clean test data
model2.evaluate(X_test, y_test)

[0.8451863438129426, 0.814]

In [None]:
# assistive test data
model2.evaluate(X_test_assistive, y_test)

[0.06220840414933918, 0.9837]

In [None]:
# adversarial test data
model2.evaluate(X_test_adv, y_test)

[14.784507040405273, 0.1109]

# Assistive Signals入り画像とクリーン画像を5:5で学習

In [None]:
X_train_half = list(X_train[:25000])
X_train_half.extend(X_train_assistive[25000:])
X_train_half = np.array(X_train_half)

In [None]:
model3 = Model(inputs, y)

# モデルのコンパイル。
model3.compile(optimizer=tf.keras.optimizers.Adam(),
              loss='categorical_crossentropy',
              metrics=['accuracy'])

In [None]:
model3.fit(X_train_half, y_train,
          batch_size=512,
          epochs=30,
          shuffle=True)

Train on 50000 samples
Epoch 1/30
Epoch 2/30
Epoch 3/30
Epoch 4/30
Epoch 5/30
Epoch 6/30
Epoch 7/30
Epoch 8/30
Epoch 9/30
Epoch 10/30
Epoch 11/30
Epoch 12/30
Epoch 13/30
Epoch 14/30
Epoch 15/30
Epoch 16/30
Epoch 17/30
Epoch 18/30
Epoch 19/30
Epoch 20/30
Epoch 21/30
Epoch 22/30
Epoch 23/30
Epoch 24/30
Epoch 25/30
Epoch 26/30
Epoch 27/30
Epoch 28/30
Epoch 29/30
Epoch 30/30


<keras.callbacks.History at 0x7fc6013bccd0>

In [None]:
# assistive train data
model3.evaluate(X_train_assistive, y_train)



[0.012166566797296401, 0.99586]

In [None]:
# clean test data
model3.evaluate(X_test, y_test)

[0.8451863438129426, 0.814]

In [None]:
# assistive test data
model3.evaluate(X_test_assistive, y_test)

[0.06220840414933918, 0.9837]

In [None]:
# adversarial test data
model3.evaluate(X_test_adv, y_test)

[14.784507040405273, 0.1109]