### Adversarial Detection using FeatureSqueezing and MagNet

In this notebook, we'll explore adversarial detection using FeatureSqueezing and MagNet. This code has been adapted from [the EvadeML repository](https://github.com/mzweilin/EvadeML-Zoo) with changes to enable it to run properly with Python3 and Jupyter notebooks.

To run locally, I recommend following the latest instructions on the EvadeML repository and the [MagNet repository](https://github.com/Trevillie/MagNet).

In [None]:
%matplotlib inline

In [None]:
cd ../EvadeML-Zoo

In [None]:
from main import main

In [None]:
main(dataset_name="MNIST", 
     model_name="cleverhans", 
     detection="MagNet",
     attacks="FGSM?eps=0.1;BIM?eps=0.1&eps_iter=0.02;JSMA?targeted=next"
)

### Let's check out the adversarial examples generated

In [None]:
from IPython.display import Image 
from glob import glob

for img in glob('results/MNIST_100_1d1b8_cleverhans/MNIST_100*.png'):
    print("Attack", img)
    display(Image(filename=img))

#### Your Turn:
- How does FeatureSqueezing compare as a detection mechanism? To use the FeatureSqueezing, you will need to add proper parameters. Run the below cell for a few examples.
- Try a different attack or detection (to see all options, use `main(show_help=True)`).
- Try setting different parameters for the cleverhans attack above.
- Are your new attacks more successful? Why or why not?

In [None]:
!cat Reproduce_FeatureSqueezing.md | grep FeatureSqueezing

In [None]:
# %load ../solutions/feature_squeezing_detection.py


### And let's take a look at what attacks were not detected!

In [None]:
from IPython.display import Image 
from glob import glob

for img in glob('results/MNIST_100_1d1b8_cleverhans/undetected_attacks_*'):
    print(img)
    display(Image(filename=img))

In [None]:
main(dataset_name="CIFAR-10", 
     model_name="carlini", 
     attacks="fgsm?eps=0.0156;bim?eps=0.008&eps_iter=0.0012;deepfool?overshoot=10;carlinil2?targeted=next&batch_size=100&max_iterations=1000&confidence=5;carlinil2?targeted=ll&batch_size=100&max_iterations=1000&confidence=5;carlinil0?targeted=next&confidence=5;carlinil0?targeted=ll&confidence=5;jsma?targeted=next;jsma?targeted=ll;",
     detection="FeatureSqueezing?squeezers=bit_depth_5,median_filter_2_2,non_local_means_color_13_3_2&distance_measure=l1&threshold=1.7547;MagNet"
)

In [None]:
from IPython.display import Image 
from glob import glob

for img in glob('results/CIFAR*/undetected_attacks_*'):
    print(img)
    display(Image(filename=img))

### Questions for Discussion

- Why might this example have gone undetected?
- Out of the adversarial images, which can you identify? 
- As we can see from the detection rate, this works fairly well with MNIST; but it works much less well for color images, why might that be?