# Adversarial Attacks

This notebook relies on `openML_cc18_adversary.py` to produce the per-dataset result CSVs that are summarised here. For each dataset it shows the mean $l_2$ and $l_\infty$ norms, and the classification error on the attacked data points (lower is better: a lower error means that more adversarial samples are still assigned their original class). Note that the norm columns are plain means of unnormalised values, so a single dataset with large-scale features or a few outliers can dominate them (compare the `l2_rf` column across rows in the table below).

In [1]:
import os
import numpy as np
import pandas as pd

In [2]:
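def highlight_err(row):
    """Row-wise Styler callback: paint green the lower of the two adversarial
    error rates, ``err_adv_kdf`` or ``err_adv_rf``.

    Lower adversarial error is better (more attacked samples keep their
    original label), so the highlighted cell marks the model that held up
    better on this dataset. Ties go to ``err_adv_rf``.

    Parameters
    ----------
    row : pd.Series
        One row of the summary frame; must contain the labels
        ``err_adv_kdf`` and ``err_adv_rf``.

    Returns
    -------
    list[str]
        One CSS string per column of ``row`` (empty except for the
        highlighted cell), as expected by ``Styler.apply(..., axis=1)``.
    """
    styles = [""] * len(row.index)
    # Strict '<' so that a tie is attributed to the RF column, as before.
    winner = "err_adv_kdf" if row["err_adv_kdf"] < row["err_adv_rf"] else "err_adv_rf"
    styles[row.index.get_loc(winner)] = "background-color: green"
    return styles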

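def plot_adversarial(res_folder):
    """Summarise per-dataset adversarial-attack results into one DataFrame.

    Every ``*.csv`` in ``res_folder`` is expected to be an output of
    ``openML_cc18_adversary.py`` containing at least the columns ``l2_rf``,
    ``linf_rf``, ``l2_kdf``, ``linf_kdf``, ``err_adv_rf`` and
    ``err_adv_kdf`` (one row per repetition, first column used as index).
    Each file is reduced to its column means plus the mean per-row
    differences ``kdf - rf`` (negative favours KDF).

    Despite the name this function does not draw anything; it returns the
    table that the notebook then renders with a Styler.

    Parameters
    ----------
    res_folder : str
        Directory holding the result CSVs. Non-``.csv`` entries (for example
        ``.ipynb_checkpoints`` or ``.DS_Store``) are skipped instead of being
        fed to ``pd.read_csv``.

    Returns
    -------
    pd.DataFrame
        One row per CSV, sorted by file name, with columns
        ``fname, l2_kdf, l2_rf, linf_kdf, linf_rf, err_adv_kdf, err_adv_rf,
        delta_adv_err, delta_adv_l2, delta_adv_linf``. An empty folder
        yields an empty frame with the same columns.

    Raises
    ------
    KeyError
        If a CSV lacks one of the expected columns.
    """
    columns = ["fname", "l2_kdf", "l2_rf", "linf_kdf", "linf_rf",
               "err_adv_kdf", "err_adv_rf",
               "delta_adv_err", "delta_adv_l2", "delta_adv_linf"]
    records = []
    # sorted() makes the row order deterministic; os.listdir order is not.
    for fname in sorted(os.listdir(res_folder)):
        if not fname.lower().endswith(".csv"):
            continue
        res = pd.read_csv(os.path.join(res_folder, fname), index_col=0)
        records.append({
            "fname": fname,
            "l2_kdf": res["l2_kdf"].mean(),
            "l2_rf": res["l2_rf"].mean(),
            "linf_kdf": res["linf_kdf"].mean(),
            "linf_rf": res["linf_rf"].mean(),
            "err_adv_kdf": res["err_adv_kdf"].mean(),
            "err_adv_rf": res["err_adv_rf"].mean(),
            # Mean of the per-row difference rather than difference of means,
            # to keep the exact arithmetic of the original summary.
            "delta_adv_err": np.mean(res["err_adv_kdf"] - res["err_adv_rf"]),
            "delta_adv_l2": np.mean(res["l2_kdf"] - res["l2_rf"]),
            "delta_adv_linf": np.mean(res["linf_kdf"] - res["linf_rf"]),
        })
    # Explicit columns keep the output shape stable even when no CSV was found.
    return pd.DataFrame(records, columns=columns)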

## Hop Skip Jump Adversarial Attack

Original paper (HopSkipJumpAttack, a decision-based attack that only needs the model's predicted labels): https://arxiv.org/abs/1904.02144

In [3]:
# Folder of per-dataset HopSkipJump result CSVs written by openML_cc18_adversary.py.
res_folder = 'openml_res_adv_hsj'
# Aggregate to one row per dataset, then highlight the lower adversarial error per row.
df_disp = plot_adversarial(res_folder)
styled = df_disp.style.apply(highlight_err, axis=1)
styled

Unnamed: 0,fname,l2_kdf,l2_rf,linf_kdf,linf_rf,err_adv_kdf,err_adv_rf,delta_adv_err,delta_adv_l2,delta_adv_linf
0,openML_cc18_1049.csv,39.918677,25.831561,27.298635,13.613172,0.428,0.572,-0.144,14.087117,13.685463
1,openML_cc18_1063.csv,87.792802,32630.207334,75.051419,14032.988129,0.332,0.484,-0.152,-32542.414532,-13957.93671
2,openML_cc18_1067.csv,7.213227,27.645814,5.5238,14.087426,0.468,0.532,-0.064,-20.432587,-8.563625
3,openML_cc18_11.csv,1.478479,1.507334,1.186051,1.361326,1.0,1.0,0.0,-0.028855,-0.175274
4,openML_cc18_14.csv,0.265052,0.345474,0.101945,0.158027,0.88,1.0,-0.12,-0.080422,-0.056082
5,openML_cc18_16.csv,8.311941,9.510225,3.462915,5.341329,0.896,1.0,-0.104,-1.198284,-1.878413
6,openML_cc18_22.csv,0.782894,133.411888,0.617333,65.363008,0.872,1.0,-0.128,-132.628994,-64.745675
7,openML_cc18_37.csv,2.200088,34.545829,2.144728,28.618612,0.52,0.968,-0.448,-32.345741,-26.473885
8,openML_cc18_54.csv,15.530687,31.345929,11.143046,23.345415,0.848,1.0,-0.152,-15.815242,-12.202369
