# ART - Adversarial Patch - TensorFlow v2

In [1]:
import warnings
warnings.filterwarnings('ignore')

import random
import numpy as np
from matplotlib import pyplot as plt
plt.rcParams['figure.figsize'] = [10, 10]
import imagenet_stubs
from imagenet_stubs.imagenet_2012_labels import name_to_label

import tensorflow as tf
from tensorflow.keras.applications.resnet50 import preprocess_input, decode_predictions
from tensorflow.keras.preprocessing import image

from art.estimators.classification import TensorFlowV2Classifier, EnsembleClassifier
from art.attacks.evasion import AdversarialPatch

In [2]:
import tensorflow as tf
print("Num GPUs Available: ", len(tf.config.experimental.list_physical_devices('GPU')))

Num GPUs Available:  0


In [3]:
print(tf.__version__)

2.3.0


# Settings

In [4]:
target_name = 'toaster'
image_shape = (224, 224, 3)
clip_values = (0, 255)
nb_classes  =1000
batch_size = 16
scale_min = 0.4
scale_max = 1.0
rotation_max = 22.5
learning_rate = 5000.
max_iter = 500

# Model definition

In [5]:
model = tf.keras.applications.resnet50.ResNet50(weights="imagenet")

mean_b = 103.939
mean_g = 116.779
mean_r = 123.680

tfc = TensorFlowV2Classifier(model=model, loss_object=None, train_step=None, nb_classes=nb_classes,
                             input_shape=image_shape, clip_values=clip_values, 
                             preprocessing=([mean_b, mean_g, mean_r], 1), zoo_Adam= True)

# Imagenet training images

In [6]:
images_list = list()

for image_path in imagenet_stubs.get_image_paths():
    im = image.load_img(image_path, target_size=(224, 224))
    im = image.img_to_array(im)
    im = im[:, :, ::-1].astype(np.float32) # RGB to BGR
    im = np.expand_dims(im, axis=0)
    images_list.append(im)

images = np.vstack(images_list)

In [7]:
def bgr_to_rgb(x):
    return x[:, :, ::-1]

# Adversarial patch generation

In [None]:
ap = AdversarialPatch(classifier=tfc, rotation_max=rotation_max, scale_min=scale_min, scale_max=scale_max,
                      learning_rate=learning_rate, max_iter=max_iter, batch_size=batch_size,
                      patch_shape=(224, 224, 3))

label = name_to_label(target_name)
y_one_hot = np.zeros(nb_classes)
y_one_hot[label] = 1.0
y_target = np.tile(y_one_hot, (images.shape[0], 1))

patch, patch_mask = ap.generate(x=images, y=y_target)

  3%|█▍                                         | 1/30 [00:03<01:39,  3.45s/it]

-74.0545604074239
68.39348698561065
patch tf.Tensor(
[[[ 15938.884   15938.815   15938.862 ]
  [ 15938.831  -15683.884   15938.579 ]
  [-15683.886  -15683.776  -15682.572 ]
  ...
  [-15683.886  -15683.883   15938.87  ]
  [ 15938.885  -15683.867   15938.84  ]
  [-15683.822   15938.875   15938.855 ]]

 [[-15683.883  -15683.888   15938.45  ]
  [ 15938.887  -15679.135   15938.887 ]
  [-15683.867   15938.887  -15683.885 ]
  ...
  [ 15938.668   15938.881   15938.888 ]
  [ 15938.779  -15683.852  -15683.848 ]
  [ 15938.885  -15683.852   15938.65  ]]

 [[ 15938.888  -15683.886   15938.884 ]
  [-15683.867  -15683.887  -15683.884 ]
  [ 15938.875  -15683.883  -15683.887 ]
  ...
  [ 15938.795   15938.882   15938.885 ]
  [-15683.643  -15683.887   15937.981 ]
  [ 15938.888   15938.8125  15938.869 ]]

 ...

 [[ 15938.882  -15683.876   15938.88  ]
  [-15683.88    15938.888   15938.886 ]
  [ 15938.865  -15683.588   15938.883 ]
  ...
  [-15683.887   15928.233  -15680.61  ]
  [-15683.885   15938.882   159

  7%|██▊                                        | 2/30 [00:06<01:34,  3.38s/it]

-11.957248305191115
11.45072181389073
patch tf.Tensor(
[[[ 27045.871   31267.977   33623.5   ]
  [ 29698.719  -28418.686   14646.323 ]
  [-28813.043  -36816.246   -7792.535 ]
  ...
  [-28268.686  -27968.191   23577.809 ]
  [ 31730.004  -32044.586   32446.553 ]
  [-36362.227   27903.844   36422.047 ]]

 [[-28734.73   -28704.684   11314.359 ]
  [ 31305.492  -33076.414   27208.137 ]
  [-32826.047   29432.375  -31067.18  ]
  ...
  [  9699.094   32294.281   30312.89  ]
  [ 24864.41   -21453.402  -36949.8   ]
  [ 33409.902  -34196.99     6199.4395]]

 [[ 31135.998  -32473.934   30708.178 ]
  [-22487.465  -31215.977  -29378.895 ]
  [ 29295.482  -30707.33   -32378.031 ]
  ...
  [ 26823.713   31127.844   32950.07  ]
  [-34636.27   -28742.443   37202.414 ]
  [ 30981.855   20226.967   20465.582 ]]

 ...

 [[ 26176.068  -29893.441   25328.771 ]
  [-23978.492   29321.979   32903.773 ]
  [ 36349.703   -6813.665   31423.75  ]
  ...
  [-28452.691   37035.527  -13289.082 ]
  [-29886.576   30245.586   3

 10%|████▎                                      | 3/30 [00:09<01:30,  3.35s/it]

-10.566101480267024
10.303448369086306
patch tf.Tensor(
[[[ 35428.93    34347.863   51401.633 ]
  [ 40988.57   -33779.906   12928.408 ]
  [-41612.375  -57598.637   -7512.633 ]
  ...
  [-43802.934  -39238.023   32513.943 ]
  [ 40977.71   -50066.33    49160.594 ]
  [-52673.996   34710.2     53192.96  ]]

 [[-41567.78   -41612.77    -3914.0674]
  [ 41968.38   -43362.78    37239.613 ]
  [-51496.184   42309.812  -47125.477 ]
  ...
  [ -3924.8623  44344.188   41647.617 ]
  [ 37291.293  -34944.03   -58822.977 ]
  [ 46981.01   -43296.258     525.4468]]

 [[ 44423.004  -45167.38    43663.36  ]
  [-27481.213  -45583.1    -39713.312 ]
  [ 47738.668  -42542.25   -45863.957 ]
  ...
  [ 35423.35    45530.516   48573.027 ]
  [-57632.914  -38122.664   60833.445 ]
  [ 44937.723   28653.754   20171.785 ]]

 ...

 [[ 37636.746  -37135.434   38603.67  ]
  [-33443.695   41309.53    45058.06  ]
  [ 49241.84    -8345.8955  46568.484 ]
  ...
  [-39794.574   60439.45   -28326.938 ]
  [-42655.42    40589.92    

 13%|█████▋                                     | 4/30 [00:13<01:26,  3.31s/it]

-17.717434933153363
19.813633603106087
patch tf.Tensor(
[[[ 45511.51    45874.805   73028.03  ]
  [ 59570.57   -42127.336   18008.02  ]
  [-54036.695  -71933.15     4044.8252]
  ...
  [-58564.605  -40231.95    45113.16  ]
  [ 47703.95   -68667.18    61840.71  ]
  [-56012.37    30573.146   74628.89  ]]

 [[-48935.91   -53448.285  -24403.047 ]
  [ 46748.715  -53520.34    46958.64  ]
  [-74550.63    59093.406  -64274.223 ]
  ...
  [  4037.1782  58912.35    50427.91  ]
  [ 31965.812  -47078.395  -70320.82  ]
  [ 62157.     -51352.316    1208.5411]]

 [[ 57683.85   -54474.117   50370.203 ]
  [-27384.021  -59018.273  -53607.62  ]
  [ 68730.94   -57966.938  -60898.508 ]
  ...
  [ 24916.332   60854.6     66871.45  ]
  [-79403.77   -44479.58    84039.8   ]
  [ 58702.168   46054.04    26410.996 ]]

 ...

 [[ 36737.805  -49913.984   41797.42  ]
  [-46711.156   53437.65    60815.59  ]
  [ 68272.13   -16791.836   55433.035 ]
  ...
  [-52448.2     81768.164  -47952.824 ]
  [-52289.664   49881.03    

 17%|███████▏                                   | 5/30 [00:16<01:22,  3.28s/it]

-11.682816226695419
11.565997321158756
patch tf.Tensor(
[[[ 54084.09    61268.773   79381.375 ]
  [ 77135.86   -46664.53    20104.133 ]
  [-64739.93   -91120.43    22525.656 ]
  ...
  [-69085.586  -36959.707   55482.246 ]
  [ 54153.996  -91304.72    70335.06  ]
  [-66626.41    24290.434   87798.2   ]]

 [[-59219.27   -65679.11   -47373.42  ]
  [ 51196.06   -45285.336   54564.746 ]
  [-96921.71    75011.06   -78901.61  ]
  ...
  [ 15669.486   76534.94    57178.49  ]
  [ 26150.86   -48780.867  -84033.93  ]
  [ 77827.17   -64194.9     14534.323 ]]

 [[ 70479.47   -62575.293   56981.22  ]
  [-29944.812  -69885.47   -65367.355 ]
  [ 86652.59   -72179.24   -76930.54  ]
  ...
  [ 19024.953   70926.01    86302.39  ]
  [-89984.28   -51331.17   106937.89  ]
  [ 70457.055   66686.41    30736.52  ]]

 ...

 [[ 39263.246  -58832.676   45028.22  ]
  [-58393.08    64512.81    75308.58  ]
  [ 77445.484  -28253.281   61308.04  ]
  ...
  [-64246.906  105998.32   -69031.4   ]
  [-61013.723   48129.414   

 20%|████████▌                                  | 6/30 [00:19<01:18,  3.28s/it]

-7.2285773773114865
7.564388894507685
patch tf.Tensor(
[[[  62845.953    72386.83     87331.43  ]
  [  97380.14    -50582.703    21760.49  ]
  [ -74475.78   -103030.73     43091.59  ]
  ...
  [ -75819.86    -32966.668    65348.31  ]
  [  57667.887  -113546.38     71336.1   ]
  [ -68466.15     18041.229   100788.42  ]]

 [[ -66727.94    -77023.61    -66026.31  ]
  [  56064.19    -34325.637    62432.465 ]
  [-118487.21     89882.1     -91786.17  ]
  ...
  [  27991.773    93931.82     62756.203 ]
  [  24560.514   -52085.566   -92281.516 ]
  [  89963.07    -76568.09     27682.207 ]]

 [[  81663.516   -71314.25     64642.61  ]
  [ -25150.996   -80781.7     -75063.26  ]
  [ 101712.89    -87669.25    -88596.74  ]
  ...
  [   9104.533    77018.21    105701.86  ]
  [ -96451.414   -57527.254   127740.01  ]
  [  80692.72     77222.63     38170.13  ]]

 ...

 [[  42482.3     -67825.7      46069.67  ]
  [ -67469.32     73677.5      87724.54  ]
  [  90419.      -39110.324    66906.84  ]
  ...
  [ -7

 23%|██████████                                 | 7/30 [00:22<01:15,  3.27s/it]

-7.074285862091376
9.018392255367697
patch tf.Tensor(
[[[  73317.42     86040.68    100879.84  ]
  [ 114066.195   -51818.43     12081.987 ]
  [ -83347.55   -119758.45     59644.566 ]
  ...
  [ -81750.37    -29479.201    75099.61  ]
  [  58809.023  -128215.91     63406.836 ]
  [ -70971.5       9411.371   117498.67  ]]

 [[ -71475.766   -86911.86    -80317.45  ]
  [  59745.4     -22493.664    69523.625 ]
  [-135115.97    102947.43   -103189.44  ]
  ...
  [  40738.094   107432.07     67827.66  ]
  [  31145.617   -52992.035   -98145.03  ]
  [ 102214.34    -80704.305    34375.19  ]]

 [[  92483.28    -80715.766    72198.89  ]
  [ -21678.395   -91507.98    -82666.96  ]
  [ 116989.305  -100949.625   -99657.06  ]
  ...
  [  -6025.339    80322.234   125545.25  ]
  [ -94286.03    -64073.32    151963.67  ]
  [  90799.97     87725.67     47616.01  ]]

 ...

 [[  47135.56    -72376.53     48698.4   ]
  [ -75356.516    81600.87     99908.94  ]
  [  94956.15    -49075.086    68156.81  ]
  ...
  [ -82

 27%|███████████▍                               | 8/30 [00:26<01:11,  3.24s/it]

-19.894681133421603
21.179211233935614
patch tf.Tensor(
[[[  83569.86    100420.27    103141.5   ]
  [ 113053.99    -52034.977    10697.248 ]
  [ -88356.18   -116774.625    76384.19  ]
  ...
  [ -80215.98    -23961.781    88523.41  ]
  [  63369.605  -139027.42     72614.93  ]
  [ -66018.3      -6862.038   135493.11  ]]

 [[ -70268.28    -98937.24    -89413.195 ]
  [  67635.32    -23023.62     73585.414 ]
  [-133642.03    115373.07   -111933.53  ]
  ...
  [  48251.977   126605.97     71722.695 ]
  [  47594.266   -50841.832  -107159.6   ]
  [ 110356.984   -86010.08     39556.754 ]]

 [[ 105142.836   -90999.65     81146.984 ]
  [  -9886.069  -102789.734   -89280.336 ]
  [ 123489.5    -107395.25   -114092.78  ]
  ...
  [ -23040.438    92008.48    146278.55  ]
  [ -82170.91    -65335.305   178220.05  ]
  [ 103543.7      97600.61     59600.418 ]]

 ...

 [[  51732.95    -84579.82     54373.445 ]
  [ -76723.06     87438.33    108393.37  ]
  [ 106296.305   -53032.39     58981.938 ]
  ...
  [ -

 30%|████████████▉                              | 9/30 [00:29<01:08,  3.24s/it]

-1.4983696257579475
1.5258074878308938
patch tf.Tensor(
[[[ 9.26566250e+04  1.13941859e+05  1.05095328e+05]
  [ 1.12020148e+05 -5.22305859e+04  8.03574512e+03]
  [-9.34317969e+04 -1.13751828e+05  9.09531094e+04]
  ...
  [-7.91637812e+04 -1.91052461e+04  9.96344453e+04]
  [ 6.74687578e+04 -1.49433344e+05  8.09287109e+04]
  [-6.03223750e+04 -2.14169395e+04  1.52630547e+05]]

 [[-6.93359141e+04 -1.09628062e+05 -9.70760391e+04]
  [ 7.47126328e+04 -2.35252578e+04  7.72991797e+04]
  [-1.32032281e+05  1.26530945e+05 -1.19970469e+05]
  ...
  [ 5.50746406e+04  1.43828797e+05  7.53617812e+04]
  [ 6.23377109e+04 -4.94700156e+04 -1.15741914e+05]
  [ 1.17717367e+05 -9.11733438e+04  4.48080117e+04]]

 [[ 1.16679953e+05 -1.00143961e+05  8.96379922e+04]
  [ 1.52288770e+03 -1.13313453e+05 -9.51074688e+04]
  [ 1.30238453e+05 -1.13370898e+05 -1.26907969e+05]
  ...
  [-3.82190781e+04  1.02479656e+05  1.64988688e+05]
  [-7.09724141e+04 -6.62905156e+04  2.01607922e+05]
  [ 1.15138891e+05  1.06232539e+05  7.

 33%|██████████████                            | 10/30 [00:32<01:04,  3.24s/it]

-15.901881984276372
15.6595415100644
patch tf.Tensor(
[[[ 107049.266   122745.82    107335.54  ]
  [ 111115.164   -49691.426     6817.6787]
  [ -96826.45   -121763.86     86401.305 ]
  ...
  [ -78162.88    -16716.043   108823.67  ]
  [  70272.016  -156212.88     87807.29  ]
  [ -50686.914   -36761.797   164245.3   ]]

 [[ -68134.55   -121455.36   -101565.15  ]
  [  84182.875   -17018.787    82371.03  ]
  [-130638.75    133239.8    -128408.7   ]
  ...
  [  63012.277   159398.69     75302.1   ]
  [  71502.195   -43408.94   -128079.1   ]
  [ 130971.695  -103095.93     48957.008 ]]

 [[ 127688.516  -104048.766   100303.66  ]
  [  14404.353  -120270.8    -104506.11  ]
  [ 142588.3    -110806.414  -136480.53  ]
  ...
  [ -51070.79    118058.62    182386.12  ]
  [ -52596.453   -67643.57    224247.8   ]
  [ 124021.41    113869.7      71691.38  ]]

 ...

 [[  54259.94   -104974.81     67702.99  ]
  [ -86376.21     96538.95    118210.13  ]
  [ 126727.12    -54054.42     49971.434 ]
  ...
  [-107

 37%|███████████████▍                          | 11/30 [00:35<01:01,  3.23s/it]

-10.945790138041584
10.60732185085662
patch tf.Tensor(
[[[ 120053.28   135320.6    112679.66 ]
  [ 107043.414  -45739.26     6550.778]
  [ -97904.72  -128223.11    78759.28 ]
  ...
  [ -77496.48   -16061.41   118834.36 ]
  [  76234.18  -165164.28    96249.44 ]
  [ -34799.09   -49603.18   179538.39 ]]

 [[ -67798.95  -132327.94  -108271.85 ]
  [  92361.88    -5627.624   86820.79 ]
  [-128472.69   138507.39  -136377.39 ]
  ...
  [  66148.2    175717.48    75460.99 ]
  [  82105.56   -36178.195 -141661.4  ]
  [ 143103.25  -115510.29    50239.04 ]]

 [[ 136704.81  -106388.266  106719.38 ]
  [  25921.4   -128522.14  -111247.47 ]
  [ 153908.6   -113841.85  -144032.73 ]
  ...
  [ -63738.035  134940.98   198346.94 ]
  [ -43756.34   -70204.125  245608.11 ]
  [ 131898.66   124921.45    67937.16 ]]

 ...

 [[  54718.12  -115758.16    70898.4  ]
  [ -96756.44   100857.4    121276.02 ]
  [ 133476.19   -49240.797   48910.438]
  ...
  [-110635.25   171964.73  -176193.3  ]
  [ -56727.453   59100.598   

In [None]:
plt.imshow((bgr_to_rgb(patch) * patch_mask).astype(np.uint8))

# Evaluation

In [None]:
patched_images = ap.apply_patch(images, scale=0.5)

In [None]:
def predict_model(classifier, image):
    plt.imshow(bgr_to_rgb(image.astype(np.uint8)))
    plt.show()
    
    image = np.copy(image)
    image = np.expand_dims(image, axis=0)
    
    prediction = classifier.predict(image)
    
    top = 5
    prediction_decode = decode_predictions(prediction, top=top)[0]
    print('Predictions:')
    
    lengths = list()
    for i in range(top):
        lengths.append(len(prediction_decode[i][1]))
    max_length = max(lengths)
    
    for i in range(top):
        name = prediction_decode[i][1]
        name = name.ljust(max_length, " ")
        probability = prediction_decode[i][2]
        output_str = "{} {:.2f}".format(name, probability)
        print(output_str)

In [None]:
predict_model(tfc, patched_images[0])

In [None]:
predict_model(tfc, patched_images[1])

In [None]:
predict_model(tfc, patched_images[2])