## Adv attack on Siamese

In [2]:
import os
from src.siamese import *
import torch.utils.data as data
from PIL import Image, ImageOps
import pickle
import numpy as np
from torchvision import transforms
import json
os.environ["CUDA_VISIBLE_DEVICES"]="1"

- Create croppped logo database for 1k phishing and 1k benign 

In [3]:
data_folder = './datasets/Sampled_phish1000/'
annot_file = './datasets/phish1000_coord.txt'
os.makedirs('./datasets/Sample_phish1000_crop', exist_ok=True)

for brand in os.listdir(data_folder):
    img = Image.open(data_folder + brand + '/shot.png')

    ## get ground-truth 
    with open(annot_file, 'r') as annotation_file:
        for num, line in enumerate(annotation_file):
            annotation = line.strip().split(',')
            site = ','.join(annotation[:-4])
            if site == brand:
                bbox_data_gt = np.array(list(annotation[-4:]))
                if len(bbox_data_gt) != 0:
                    bboxes_gt = bbox_data_gt[:4]
                    x_min_gt, y_min_gt, x_max_gt, y_max_gt = list(map(float, bboxes_gt))
                    gt_bbox = [x_min_gt, y_min_gt, x_max_gt, y_max_gt]
                    break   
#     print(gt_bbox)
    cropped = img.crop((x_min_gt, y_min_gt, x_max_gt, y_max_gt))
    cropped.save(os.path.join('./datasets/Sample_phish1000_crop', brand+'.png'))
    del gt_bbox


In [4]:
data_folder = './datasets/Sample_benign1000/'
annot_file = './datasets/benign1000_coord.txt'
os.makedirs('./datasets/Sample_benign1000_crop', exist_ok=True)

for brand in os.listdir(data_folder):
    img = Image.open(data_folder + brand + '/shot.png')

    ## get ground-truth 
    with open(annot_file, 'r') as annotation_file:
        for num, line in enumerate(annotation_file):
            annotation = line.strip().split(',')
            site = ','.join(annotation[:-4])
            if site == brand:
                bbox_data_gt = np.array(list(annotation[-4:]))
                if len(bbox_data_gt) != 0:
                    bboxes_gt = bbox_data_gt[:4]
                    x_min_gt, y_min_gt, x_max_gt, y_max_gt = list(map(float, bboxes_gt))
                    gt_bbox = [x_min_gt, y_min_gt, x_max_gt, y_max_gt]
                    break   
#     print(gt_bbox)
    cropped = img.crop((x_min_gt, y_min_gt, x_max_gt, y_max_gt))
    cropped.save(os.path.join('./datasets/Sample_benign1000_crop', brand+'.png'))
    del gt_bbox



- Define dataloader

In [3]:
class GetLoader(data.Dataset):
    def __init__(self, data_root, label_dict, transform=None, grayscale=False):
        
        self.transform = transform
        self.data_root = data_root
        self.grayscale = grayscale

        with open(label_dict, 'rb') as handle:
            self.label_dict = pickle.load(handle)

        self.classes = list(self.label_dict.keys())

        self.n_data = len(os.listdir(self.data_root))

        self.img_paths = []
        self.labels = []

        for data in os.listdir(self.data_root):
            image_path = data
            label = image_path.split('+')[0]
            
            # deal with inconsistency in naming 
            if brand_converter(label) == 'Microsoft':
                self.labels.append(label)
                
            elif brand_converter(label) == 'DHL Airways':
                self.labels.append('DHL')
                
            elif brand_converter(label) == 'DGI French Tax Authority':
                self.labels.append('DGI (French Tax Authority)')
                
            else:
                self.labels.append(brand_converter(label))

            self.img_paths.append(image_path)

    def __getitem__(self, item):

        img_path, label= self.img_paths[item], self.labels[item]
        img_path_full = os.path.join(self.data_root, img_path)
        
        if self.grayscale:
            img = Image.open(img_path_full).convert('L').convert('RGB')
        else:
            img = Image.open(img_path_full).convert('RGB')

        img = ImageOps.expand(img, (
            (max(img.size) - img.size[0]) // 2, (max(img.size) - img.size[1]) // 2,
            (max(img.size) - img.size[0]) // 2, (max(img.size) - img.size[1]) // 2), fill=(255, 255, 255))

        # label = np.array(label,dtype='float32')
        label = self.label_dict[label]
        if self.transform is not None:
            img = self.transform(img)

        return img, label

    def __len__(self):
        return self.n_data

- Load data for cropped 1k phishing 

In [4]:
mean = [0.5, 0.5, 0.5]
std = [0.5, 0.5, 0.5]

img_transforms = transforms.Compose(
    [transforms.Resize((128, 128)),
     transforms.ToTensor(),
     transforms.Normalize(mean=mean, std=std),
    ])

valid_set = GetLoader(data_root='./datasets/Sample_phish1000_crop/', 
                    label_dict='./datasets/target_dict.json',
                     transform=img_transforms)

In [6]:
with open('./datasets/target_dict.json', 'rb') as handle:
    label_dict = pickle.load(handle)
    
valid_loader = torch.utils.data.DataLoader(
  valid_set, batch_size=1, shuffle=False, pin_memory=True, drop_last=False)

print(len(valid_loader))

- Accuracy function

In [9]:
def compute_acc(dataloader, model, device):
    correct = 0
    total = 0

    for b, (x, y) in tqdm(enumerate(dataloader)):
        with torch.no_grad():
            x = x.to(device, non_blocking=True)
            y = y.to(device, non_blocking=True)
            logits = model(x)
            pred_cls = torch.argmax(logits, dim=1)

            correct += torch.sum(torch.eq(pred_cls, y)).item()
            total += y.shape[0]
            
    print('Accuracy after changing relu function: {:.2f}'.format(correct/total))    
    return correct/total

- Load model and compute original accuracy 

In [8]:
device = torch.device("cuda" if torch.cuda.is_available() else "cpu")
# Initialize model
model = KNOWN_MODELS["BiT-M-R50x1"](head_size=277, zero_head=True)

# Load weights
checkpoint = torch.load('./src/phishpedia/resnetv2_rgb_new.pth.tar', 
                        map_location="cpu")["model"]

from collections import OrderedDict
new_state_dict = OrderedDict()
for k, v in checkpoint.items():
    name = k[7:] # remove `module.`
    new_state_dict[name] = v

model.load_state_dict(new_state_dict)

model.to(device)
model.eval()

compute_acc(valid_loader, model, device)


ResNetV2(
  (root): Sequential(
    (conv): StdConv2d(3, 64, kernel_size=(7, 7), stride=(2, 2), padding=(3, 3), bias=False)
    (pad): ConstantPad2d(padding=(1, 1, 1, 1), value=0)
    (pool): MaxPool2d(kernel_size=3, stride=2, padding=0, dilation=1, ceil_mode=False)
  )
  (body): Sequential(
    (block1): Sequential(
      (unit01): PreActBottleneck(
        (gn1): GroupNorm(32, 64, eps=1e-05, affine=True)
        (conv1): StdConv2d(64, 64, kernel_size=(1, 1), stride=(1, 1), bias=False)
        (gn2): GroupNorm(32, 64, eps=1e-05, affine=True)
        (conv2): StdConv2d(64, 64, kernel_size=(3, 3), stride=(1, 1), padding=(1, 1), bias=False)
        (gn3): GroupNorm(32, 64, eps=1e-05, affine=True)
        (conv3): StdConv2d(64, 256, kernel_size=(1, 1), stride=(1, 1), bias=False)
        (relu): ReLU(inplace=True)
        (downsample): StdConv2d(64, 256, kernel_size=(1, 1), stride=(1, 1), bias=False)
      )
      (unit02): PreActBottleneck(
        (gn1): GroupNorm(32, 256, eps=1e-05, aff

## Compute accuracy after replacing ReLu with StepReLu

In [8]:
import torch
import torch.nn.functional as F
from torch import nn

In [9]:
class QuantizeRelu(nn.Module):
    def __init__(self, step_size = 0.01):
        super().__init__()
        self.step_size = step_size

    def forward(self, x):
        mask = torch.ge(x, 0).bool() # mask for positive values
        quantize = torch.ones_like(x) * self.step_size
        out = torch.mul(torch.floor(torch.div(x, quantize)), self.step_size) # quantize by step_size
        out = torch.mul(out, mask) # zero-out negative values
        out = torch.abs(out) # remove sign
        return out

In [11]:
device = torch.device("cuda" if torch.cuda.is_available() else "cpu")
# Initialize model
model = KNOWN_MODELS["BiT-M-R50x1"](head_size=277, zero_head=True)

# Load weights
checkpoint = torch.load('./src/phishpedia/resnetv2_rgb_new.pth.tar', 
                        map_location="cpu")["model"]

from collections import OrderedDict
new_state_dict = OrderedDict()
for k, v in checkpoint.items():
    name = k[7:] # remove `module.`
    new_state_dict[name] = v

model.load_state_dict(new_state_dict)
# replace relu with defenselayer 
# model.body.block1.unit01.relu = QuantizeRelu()
# model.body.block1.unit02.relu = QuantizeRelu()
# model.body.block1.unit03.relu = QuantizeRelu()

# model.body.block2.unit01.relu = QuantizeRelu()
# model.body.block2.unit02.relu = QuantizeRelu()
# model.body.block2.unit03.relu = QuantizeRelu()
# model.body.block2.unit04.relu = QuantizeRelu()

# model.body.block3.unit01.relu = QuantizeRelu()
# model.body.block3.unit02.relu = QuantizeRelu()
# model.body.block3.unit03.relu = QuantizeRelu()
# model.body.block3.unit04.relu = QuantizeRelu()
# model.body.block3.unit05.relu = QuantizeRelu()
# model.body.block3.unit06.relu = QuantizeRelu()

model.body.block4.unit01.relu = QuantizeRelu()
model.body.block4.unit02.relu = QuantizeRelu()
model.body.block4.unit03.relu = QuantizeRelu()

model.to(device)
model.eval()

compute_acc(valid_loader, model, device)

ResNetV2(
  (root): Sequential(
    (conv): StdConv2d(3, 64, kernel_size=(7, 7), stride=(2, 2), padding=(3, 3), bias=False)
    (pad): ConstantPad2d(padding=(1, 1, 1, 1), value=0)
    (pool): MaxPool2d(kernel_size=3, stride=2, padding=0, dilation=1, ceil_mode=False)
  )
  (body): Sequential(
    (block1): Sequential(
      (unit01): PreActBottleneck(
        (gn1): GroupNorm(32, 64, eps=1e-05, affine=True)
        (conv1): StdConv2d(64, 64, kernel_size=(1, 1), stride=(1, 1), bias=False)
        (gn2): GroupNorm(32, 64, eps=1e-05, affine=True)
        (conv2): StdConv2d(64, 64, kernel_size=(3, 3), stride=(1, 1), padding=(1, 1), bias=False)
        (gn3): GroupNorm(32, 64, eps=1e-05, affine=True)
        (conv3): StdConv2d(64, 256, kernel_size=(1, 1), stride=(1, 1), bias=False)
        (relu): ReLU(inplace=True)
        (downsample): StdConv2d(64, 256, kernel_size=(1, 1), stride=(1, 1), bias=False)
      )
      (unit02): PreActBottleneck(
        (gn1): GroupNorm(32, 256, eps=1e-05, aff

## Compute accuracy after attack with/without defense (support FGSM, StepLL, CWL2, DeepFool)

In [None]:
from src.adv_attack.attack.Attack import *

criterion = nn.CrossEntropyLoss()
check = adversarial_attack(method='deepfool', model=model, dataloader=valid_loader, 
                           device=device, num_classes=277, save_data=True)

acc, _ = check.batch_attack()

print(acc)

1it [16:40, 1000.57s/it]

0
Test Accuracy = 1.0


2it [33:04, 995.72s/it] 

1
Test Accuracy = 1.0


3it [49:44, 996.75s/it]

2
Test Accuracy = 1.0


4it [1:05:55, 989.16s/it]

3
Test Accuracy = 1.0


5it [1:22:16, 986.79s/it]

4
Test Accuracy = 1.0


6it [1:38:44, 987.02s/it]

5
Test Accuracy = 1.0


7it [1:54:42, 978.49s/it]

6
Test Accuracy = 1.0


8it [2:10:58, 977.71s/it]

7
Test Accuracy = 1.0


9it [2:27:29, 981.54s/it]

8
Test Accuracy = 1.0


10it [2:43:49, 981.19s/it]

9
Test Accuracy = 1.0


11it [3:00:15, 982.68s/it]

10
Test Accuracy = 1.0
11


13it [3:16:40, 835.58s/it]

12
Test Accuracy = 0.9230769230769231


14it [3:33:04, 880.10s/it]

13
Test Accuracy = 0.9285714285714286


15it [3:49:20, 908.91s/it]

14
Test Accuracy = 0.9333333333333333


16it [4:05:43, 931.21s/it]

15
Test Accuracy = 0.9375


17it [4:22:01, 945.22s/it]

16
Test Accuracy = 0.9411764705882353
17


19it [4:38:22, 808.80s/it]

18
Test Accuracy = 0.8947368421052632


20it [4:54:54, 863.63s/it]

19
Test Accuracy = 0.9


21it [5:11:07, 896.36s/it]

20
Test Accuracy = 0.9047619047619048


22it [5:27:36, 924.33s/it]

21
Test Accuracy = 0.9090909090909091


23it [5:43:53, 940.02s/it]

22
Test Accuracy = 0.9130434782608695


24it [6:00:24, 955.37s/it]

23
Test Accuracy = 0.9166666666666666


25it [6:16:42, 962.28s/it]

24
Test Accuracy = 0.92


26it [6:33:01, 967.05s/it]

25
Test Accuracy = 0.9230769230769231


27it [6:49:19, 970.37s/it]

26
Test Accuracy = 0.9259259259259259


28it [7:05:50, 976.67s/it]

27
Test Accuracy = 0.9285714285714286


29it [7:22:04, 975.97s/it]

28
Test Accuracy = 0.9310344827586207


30it [7:38:24, 977.20s/it]

29
Test Accuracy = 0.9333333333333333


31it [7:54:23, 971.55s/it]

30
Test Accuracy = 0.9354838709677419


32it [8:10:41, 973.64s/it]

31
Test Accuracy = 0.9375


33it [8:27:07, 977.10s/it]

32
Test Accuracy = 0.9393939393939394


34it [8:43:30, 978.88s/it]

33
Test Accuracy = 0.9411764705882353


35it [9:00:37, 993.32s/it]

34
Test Accuracy = 0.9428571428571428


36it [9:17:51, 1005.76s/it]

35
Test Accuracy = 0.9444444444444444


37it [9:34:45, 1008.22s/it]

36
Test Accuracy = 0.9459459459459459


38it [9:51:14, 1002.22s/it]

37
Test Accuracy = 0.9473684210526315


39it [10:07:41, 997.74s/it]

38
Test Accuracy = 0.9487179487179487


40it [10:24:05, 993.57s/it]

39
Test Accuracy = 0.95


41it [10:40:37, 993.12s/it]

40
Test Accuracy = 0.9512195121951219


42it [10:56:53, 988.06s/it]

41
Test Accuracy = 0.9523809523809523


43it [11:13:26, 989.44s/it]

42
Test Accuracy = 0.9534883720930233


44it [11:29:46, 986.74s/it]

43
Test Accuracy = 0.9545454545454546


45it [11:46:23, 989.69s/it]

44
Test Accuracy = 0.9555555555555556


46it [12:02:40, 986.07s/it]

45
Test Accuracy = 0.9565217391304348


47it [12:19:10, 987.27s/it]

46
Test Accuracy = 0.9574468085106383


48it [12:35:31, 985.41s/it]

47
Test Accuracy = 0.9583333333333334
48


50it [12:51:54, 837.17s/it]

49
Test Accuracy = 0.94


51it [13:08:13, 879.86s/it]

50
Test Accuracy = 0.9411764705882353


52it [13:24:32, 909.44s/it]

51
Test Accuracy = 0.9423076923076923


53it [13:41:02, 933.74s/it]

52
Test Accuracy = 0.9433962264150944


54it [13:57:25, 948.39s/it]

53
Test Accuracy = 0.9444444444444444


55it [14:13:48, 958.92s/it]

54
Test Accuracy = 0.9454545454545454
55


57it [14:30:16, 819.44s/it]

56
Test Accuracy = 0.9298245614035088


58it [14:46:59, 874.34s/it]

57
Test Accuracy = 0.9310344827586207


59it [15:03:31, 909.82s/it]

58
Test Accuracy = 0.9322033898305084
59


61it [15:20:05, 785.89s/it]

60
Test Accuracy = 0.9180327868852459
61


63it [15:36:37, 698.91s/it]

62
Test Accuracy = 0.9047619047619048


64it [15:52:55, 782.78s/it]

63
Test Accuracy = 0.90625


65it [16:09:30, 846.33s/it]

64
Test Accuracy = 0.9076923076923077


66it [16:26:07, 891.65s/it]

65
Test Accuracy = 0.9090909090909091


67it [16:42:30, 918.88s/it]

66
Test Accuracy = 0.9104477611940298


68it [16:58:52, 937.79s/it]

67
Test Accuracy = 0.9117647058823529


69it [17:15:20, 953.09s/it]

68
Test Accuracy = 0.9130434782608695


70it [17:31:49, 963.78s/it]

69
Test Accuracy = 0.9142857142857143


71it [17:48:15, 970.44s/it]

70
Test Accuracy = 0.9154929577464789


72it [18:04:22, 969.52s/it]

71
Test Accuracy = 0.9166666666666666


73it [18:20:17, 964.96s/it]

72
Test Accuracy = 0.9178082191780822
73
74


76it [18:36:41, 773.85s/it]

75
Test Accuracy = 0.8947368421052632


77it [18:53:15, 839.89s/it]

76
Test Accuracy = 0.8961038961038961


78it [19:09:26, 879.28s/it]

77
Test Accuracy = 0.8974358974358975


79it [19:25:17, 900.93s/it]

78
Test Accuracy = 0.8987341772151899


80it [19:41:30, 922.48s/it]

79
Test Accuracy = 0.9


81it [19:57:54, 941.02s/it]

80
Test Accuracy = 0.9012345679012346


82it [20:14:10, 951.43s/it]

81
Test Accuracy = 0.9024390243902439


83it [20:30:15, 955.38s/it]

82
Test Accuracy = 0.9036144578313253


84it [20:46:41, 964.62s/it]

83
Test Accuracy = 0.9047619047619048


85it [21:02:53, 966.84s/it]

84
Test Accuracy = 0.9058823529411765


86it [21:19:16, 971.84s/it]

85
Test Accuracy = 0.9069767441860465


87it [21:35:56, 980.21s/it]

86
Test Accuracy = 0.9080459770114943


88it [21:52:26, 983.10s/it]

87
Test Accuracy = 0.9090909090909091


89it [22:08:43, 981.31s/it]

88
Test Accuracy = 0.9101123595505618


90it [22:24:56, 978.88s/it]

89
Test Accuracy = 0.9111111111111111
90
91


## Compute accuracy after attack with/without defense (support BPDA with LInfPGD attack)

In [10]:
from advertorch.bpda import BPDAWrapper
from advertorch.attacks import LinfPGDAttack

In [25]:
# original model
device = torch.device("cuda" if torch.cuda.is_available() else "cpu")
model = KNOWN_MODELS["BiT-M-R50x1"](head_size=180, zero_head=True)
model.load_state_dict(torch.load('./src/phishpedia/resnetv2_rgb_new.pth.tar', map_location=device))
model.to(device)

# BPDA approximation of gradients
defense_layer = BPDAWrapper(QuantizeRelu())

# replace relu with defenselayer 
model.body.block1.unit01.relu = defense_layer
model.body.block1.unit02.relu = defense_layer
model.body.block1.unit03.relu = defense_layer

model.body.block2.unit01.relu = defense_layer
model.body.block2.unit02.relu = defense_layer
model.body.block2.unit03.relu = defense_layer
model.body.block2.unit04.relu = defense_layer

model.body.block3.unit01.relu = defense_layer
model.body.block3.unit02.relu = defense_layer
model.body.block3.unit03.relu = defense_layer
model.body.block3.unit04.relu = defense_layer
model.body.block3.unit05.relu = defense_layer
model.body.block3.unit06.relu = defense_layer

model.body.block4.unit01.relu = defense_layer
model.body.block4.unit02.relu = defense_layer
model.body.block4.unit03.relu = defense_layer

bpda_adversary = LinfPGDAttack(
    model, loss_fn=nn.CrossEntropyLoss(reduction="sum"), eps=0.05,
    nb_iter=100, eps_iter=0.005, rand_init=True, clip_min=0.0, clip_max=1.0,
    targeted=False)

In [27]:
perturb_correct = 0
total = 0

for cln_data, true_label in tqdm(valid_loader):
    cln_data, true_label = cln_data.to(device), true_label.to(device)
    bpda_adv = bpda_adversary.perturb(cln_data, true_label)
    
    logits = model(bpda_adv)
    pred_cls = torch.argmax(logits, dim=1)
    perturb_correct += torch.sum(torch.eq(pred_cls, true_label)).item()
    total += len(true_label)
    
    print(perturb_correct/total)
    
print(perturb_correct/total)



 12%|█▎        | 1/8 [21:33<2:30:57, 1293.95s/it]

0.890625


 25%|██▌       | 2/8 [44:51<2:12:30, 1325.09s/it]

0.9140625


 38%|███▊      | 3/8 [1:08:51<1:53:17, 1359.44s/it]

0.9166666666666666


 50%|█████     | 4/8 [1:32:18<1:31:34, 1373.62s/it]

0.92578125


 62%|██████▎   | 5/8 [1:56:15<1:09:38, 1392.77s/it]

0.9203125


 75%|███████▌  | 6/8 [2:19:34<46:29, 1394.78s/it]  

0.921875


 88%|████████▊ | 7/8 [2:43:00<23:17, 1397.87s/it]

0.9274553571428571


100%|██████████| 8/8 [2:58:41<00:00, 1340.19s/it]

0.9274924471299094



