# Adversarial Attacks

This notebook relies on `openML_cc18_adversary.py` to generate results. It shows average statistics for the $l_2$ and $l_{\infty}$ norms, and also computes the classification error on the attacked data points (lower is better).

This is still a work in progress. Need to investigate the attacks a bit more.

In [1]:
import os
import numpy as np
import pandas as pd

In [11]:
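def highlight_err(row):
    """Row-wise ``Styler.apply`` callback: mark the lower adversarial error in green.

    Lower error on attacked points is better, so the cell holding the smaller of
    ``err_adv_kdf`` and ``err_adv_rf`` is highlighted. On a tie, or when the
    comparison is False because of a NaN, ``err_adv_rf`` is highlighted.

    Parameters
    ----------
    row : pd.Series
        One row of the summary frame built by ``plot_adversarial``; must carry
        the ``err_adv_kdf`` and ``err_adv_rf`` labels.

    Returns
    -------
    list[str]
        One CSS string per column of ``row``, empty except for the highlighted cell.
    """
    styles = [""] * len(row.index)
    # Strict '<' so equal errors fall through to the rf column, as before.
    winner = "err_adv_kdf" if row["err_adv_kdf"] < row["err_adv_rf"] else "err_adv_rf"
    styles[row.index.get_loc(winner)] = "background-color: green"
    return styles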

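def plot_adversarial(res_folder):
    """Summarise per-dataset adversarial result files into one DataFrame.

    Every ``*.csv`` file in ``res_folder`` (written by ``openML_cc18_adversary.py``)
    is expected to hold per-run columns ``l2_rf``, ``l2_kdf``, ``linf_rf``,
    ``linf_kdf``, ``err_adv_rf`` and ``err_adv_kdf``. For each file the column
    means are taken, plus the mean per-run difference (kdf minus rf) of the
    adversarial error and of both perturbation norms.

    Parameters
    ----------
    res_folder : str
        Directory containing the result CSVs. Entries are processed in sorted
        order so the table is deterministic across platforms; entries that are
        not ``.csv`` files (e.g. ``.ipynb_checkpoints``) are skipped.

    Returns
    -------
    pd.DataFrame
        One row per file with columns fname, l2_kdf, l2_rf, linf_kdf, linf_rf,
        err_adv_kdf, err_adv_rf, delta_adv_err, delta_adv_l2, delta_adv_linf.
        Empty, but with these columns, when no CSV is found.
    """
    columns = [
        "fname",
        "l2_kdf", "l2_rf",
        "linf_kdf", "linf_rf",
        "err_adv_kdf", "err_adv_rf",
        "delta_adv_err", "delta_adv_l2", "delta_adv_linf",
    ]
    records = []
    for file in sorted(os.listdir(res_folder)):
        path = os.path.join(res_folder, file)
        if not (file.endswith(".csv") and os.path.isfile(path)):
            continue
        run = pd.read_csv(path, index_col=0)
        records.append({
            "fname": file,
            "l2_kdf": run["l2_kdf"].mean(),
            "l2_rf": run["l2_rf"].mean(),
            "linf_kdf": run["linf_kdf"].mean(),
            "linf_rf": run["linf_rf"].mean(),
            "err_adv_kdf": run["err_adv_kdf"].mean(),
            "err_adv_rf": run["err_adv_rf"].mean(),
            # Mean of per-run differences (not difference of means): a run with
            # a missing value on either side is dropped from the delta.
            "delta_adv_err": (run["err_adv_kdf"] - run["err_adv_rf"]).mean(),
            "delta_adv_l2": (run["l2_kdf"] - run["l2_rf"]).mean(),
            "delta_adv_linf": (run["linf_kdf"] - run["linf_rf"]).mean(),
        })
    return pd.DataFrame(records, columns=columns)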

## ZOO Adversarial Attack
Original paper: https://arxiv.org/abs/1708.03999

In [12]:
# Result CSVs for the ZOO attack, as written by openML_cc18_adversary.py.
res_folder = "openml_res_adv_zoo"
df_disp = plot_adversarial(res_folder)
# Optional filter: drop rows whose l2 is exactly 0 (runs where the machine ran out of memory).
# df_disp = df_disp[(df_disp['l2_kdf'] != 0) & (df_disp['l2_rf'] != 0)]
# Last expression renders the styled table; the lower adversarial error per row is green.
df_disp.style.apply(func=highlight_err, axis=1)

Unnamed: 0,fname,l2_kdf,l2_rf,linf_kdf,linf_rf,err_adv_kdf,err_adv_rf,delta_adv_err,delta_adv_l2,delta_adv_linf
0,openML_cc18_1049.csv,0.000401,0.0004,0.0004,0.0004,0.004,0.004,0.0,1e-06,0.0
1,openML_cc18_1063.csv,0.0004,0.0004,0.0004,0.0004,0.004,0.004,0.0,-0.0,-0.0
2,openML_cc18_1067.csv,0.009817,0.0004,0.0096,0.0004,0.056,0.004,0.052,0.009417,0.0092
3,openML_cc18_11.csv,0.005771,0.0,0.005532,0.0,0.036,0.0,0.036,0.005771,0.005532
4,openML_cc18_14.csv,0.043491,0.022931,0.042901,0.022799,0.244,0.16,0.084,0.02056,0.020102
5,openML_cc18_1462.csv,0.00235,0.001306,0.00235,0.001306,0.016,0.008,0.008,0.001045,0.001045
6,openML_cc18_1464.csv,0.001095,0.0,0.001095,0.0,0.008,0.0,0.008,0.001095,0.001095
7,openML_cc18_1475.csv,0.007296,0.0052,0.007199,0.0052,0.048,0.044,0.004,0.002096,0.002
8,openML_cc18_1494.csv,0.008302,0.007269,0.0083,0.0072,0.056,0.056,0.0,0.001034,0.0011
9,openML_cc18_1497.csv,0.004,0.019633,0.004,0.0196,0.024,0.136,-0.112,-0.015633,-0.0156


## Hop Skip Jump Adversarial Attack

Original paper: https://arxiv.org/abs/1904.02144

In [13]:
# Result CSVs for the Hop Skip Jump attack, as written by openML_cc18_adversary.py.
res_folder = "openml_res_adv_hsj"
df_disp = plot_adversarial(res_folder)
# Optional filter: drop rows whose l2 is exactly 0 (runs where the machine ran out of memory).
# df_disp = df_disp[(df_disp['l2_kdf'] != 0) & (df_disp['l2_rf'] != 0)]
# Last expression renders the styled table; the lower adversarial error per row is green.
df_disp.style.apply(func=highlight_err, axis=1)

Unnamed: 0,fname,l2_kdf,l2_rf,linf_kdf,linf_rf,err_adv_kdf,err_adv_rf,delta_adv_err,delta_adv_l2,delta_adv_linf
0,openML_cc18_1049.csv,39.918677,25.831561,27.298635,13.613172,0.428,0.572,-0.144,14.087117,13.685463
1,openML_cc18_1063.csv,87.792802,32630.207334,75.051419,14032.988129,0.332,0.484,-0.152,-32542.414532,-13957.93671
2,openML_cc18_1067.csv,7.213227,27.645814,5.5238,14.087426,0.468,0.532,-0.064,-20.432587,-8.563625
3,openML_cc18_11.csv,1.478479,1.507334,1.186051,1.361326,1.0,1.0,0.0,-0.028855,-0.175274
4,openML_cc18_14.csv,0.265052,0.345474,0.101945,0.158027,0.88,1.0,-0.12,-0.080422,-0.056082
5,openML_cc18_16.csv,8.311941,9.510225,3.462915,5.341329,0.896,1.0,-0.104,-1.198284,-1.878413
6,openML_cc18_18.csv,0.358273,175.979682,0.306038,168.222689,0.828,1.0,-0.172,-175.621409,-167.916651
7,openML_cc18_22.csv,0.782894,133.411888,0.617333,65.363008,0.872,1.0,-0.128,-132.628994,-64.745675
8,openML_cc18_37.csv,2.200088,34.545829,2.144728,28.618612,0.52,0.968,-0.448,-32.345741,-26.473885
9,openML_cc18_54.csv,15.530687,31.345929,11.143046,23.345415,0.848,1.0,-0.152,-15.815242,-12.202369
