In [1]:
# Environment and TensorFlow session setup for the robustness evaluation below.
import os
import warnings
# NOTE(review): this silences every Python warning for the rest of the session,
# including deprecation and numerical warnings that may matter when reading the results.
warnings.filterwarnings('ignore')
# The three variables below are set before TensorFlow is imported further down.
# Quiet TensorFlow's native logging.
os.environ['TF_CPP_MIN_LOG_LEVEL'] = '3'
# Number GPUs by PCI bus id so the index below is stable across runs.
os.environ["CUDA_DEVICE_ORDER"] = "PCI_BUS_ID"
# Expose only the GPU with index 1 to this process; inside TensorFlow it then
# appears as GPU:0 (see the "Device mapping" output of this cell).
os.environ["CUDA_VISIBLE_DEVICES"]="1"
import pandas as pd
import numpy as np
from gtda.time_series import SlidingWindow
import matplotlib.pyplot as plt
import tensorflow as tf
from tensorflow.python.keras.backend import set_session
config = tf.compat.v1.ConfigProto() 
# Allocate GPU memory on demand instead of reserving it all up front.
config.gpu_options.allow_growth = True  
# Log device placement; presumably the source of the "Device mapping" output below.
config.log_device_placement = True  
sess2 = tf.compat.v1.Session(config=config)
# Register the configured session with the Keras backend.
set_session(sess2) 
import tensorflow_datasets as tfds
from tensorflow.keras.models import load_model
from tensorflow.keras.losses import MSE
from tqdm import tqdm

Device mapping:
/job:localhost/replica:0/task:0/device:GPU:0 -> device: 0, name: NVIDIA GeForce RTX 3090, pci bus id: 0000:21:00.0, compute capability: 8.6



## Import Dataset

In [2]:
# Fetch the CIFAR-10 train/test splits as (image, label) pairs, together with
# the dataset metadata used to read the number of classes.
dataset_name = "cifar10"
(ds_train, ds_test), ds_info = tfds.load(
    dataset_name,
    split=["train", "test"],
    with_info=True,
    as_supervised=True,
)
NUM_CLASSES = ds_info.features["label"].num_classes

# The loaded model takes 380x380 inputs (see model.summary() below), so every
# image is resized to that resolution. Only resizing is applied here; pixel
# values are not rescaled in this pipeline.
IMG_SIZE = 380
batch_size = 1
size = (IMG_SIZE, IMG_SIZE)
ds_train, ds_test = (
    split.map(lambda img, lbl: (tf.image.resize(img, size), lbl))
    for split in (ds_train, ds_test)
)

def input_preprocess(image, label):
    """Replace an integer class id with its one-hot vector.

    The image is returned unchanged; the label is expanded to a vector of
    length NUM_CLASSES.
    """
    one_hot_label = tf.one_hot(label, NUM_CLASSES)
    return image, one_hot_label


# Training split: one-hot labels, fixed-size batches, prefetching.
ds_train = (
    ds_train
    .map(input_preprocess, num_parallel_calls=tf.data.AUTOTUNE)
    .batch(batch_size=batch_size, drop_remainder=True)
    .prefetch(tf.data.AUTOTUNE)
)

# Test split: same label encoding and batching, no prefetch.
ds_test = (
    ds_test
    .map(input_preprocess)
    .batch(batch_size=batch_size, drop_remainder=True)
)

## Load Model

In [3]:
# Load the trained EfficientNetB4 CIFAR-10 classifier under evaluation.
# NOTE(review): a saved Keras model is deserialized into executable layers
# (Lambda layers, for instance, are restored as code), so load only files whose
# origin is trusted. Recording a checksum of the file next to the results also
# keeps the evaluation reproducible.
# NOTE(review): the path is absolute and machine-specific; adjust it before re-running.
model_path = '/home/nesl/209as_sec/cifar10/Large Models/EfficientNetB4/enet_b4_cifar10.h5'
model = load_model(model_path)
model.summary()

Model: "model"
__________________________________________________________________________________________________
Layer (type)                    Output Shape         Param #     Connected to                     
input_1 (InputLayer)            [(None, 380, 380, 3) 0                                            
__________________________________________________________________________________________________
rescaling (Rescaling)           (None, 380, 380, 3)  0           input_1[0][0]                    
__________________________________________________________________________________________________
normalization (Normalization)   (None, 380, 380, 3)  7           rescaling[0][0]                  
__________________________________________________________________________________________________
stem_conv_pad (ZeroPadding2D)   (None, 381, 381, 3)  0           normalization[0][0]              
______________________________________________________________________________________________

## Attack

In [4]:
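def pgd_attack(model,iterations, image, label, alpha, eps):
    """Build an L-infinity bounded perturbation of `image` with projected gradient descent.

    Used in this notebook to measure how stable the classifier's predictions
    are when an input is changed by at most `eps` per pixel.

    Args:
        model: Keras model called as `model(batch)`. The loss is categorical
            cross-entropy with default settings, so the model presumably
            outputs class probabilities rather than logits (confirm).
        iterations: number of gradient-sign steps.
        image: input batch; cast to float32 before use.
        label: target passed to the loss; the caller supplies one-hot labels.
        alpha: step size of each gradient-sign update, in input units.
        eps: maximum per-pixel deviation from `image`, in input units.

    Returns:
        A float32 tensor with the shape of `image`, within `eps` of it element-wise.

    NOTE(review): the result is projected onto the eps-ball only; it is not
    clipped to the valid pixel range of the data, so values slightly outside
    that range can reach the model. Confirm the range and clip if the
    evaluation must use valid images only.
    """
    image = tf.cast(image, tf.float32)
    # Build the loss object once instead of once per step.
    loss_fn = tf.keras.losses.CategoricalCrossentropy()

    # Random start inside the eps-ball. tf.shape also handles inputs whose
    # static shape is not fully known.
    gen_img = image + tf.random.uniform(
        tf.shape(image), minval=-eps, maxval=eps, dtype=tf.dtypes.float32
    )

    for _ in range(iterations):
        with tf.GradientTape() as tape:
            # Watching the tensor directly avoids allocating a tf.Variable per step.
            tape.watch(gen_img)
            # Inference mode, so batch-norm and dropout layers do not switch to training behaviour.
            predictions = model(gen_img, training=False)
            loss = loss_fn(label, predictions)
        # Take the gradient after leaving the tape context, so it is not itself recorded.
        grads = tape.gradient(loss, gen_img)
        gen_img = gen_img + alpha * tf.sign(grads)
        # Project back onto the eps-ball around the original image.
        gen_img = tf.clip_by_value(gen_img, image - eps, image + eps)
    return gen_img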

In [5]:
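# Robustness sweep: for every (alpha, eps) pair, perturb the first `take_size`
# test images and record how the model's predictions hold up.
# NOTE(review): the input pipeline only resizes images, so eps and alpha are
# presumably on the raw 0-255 pixel scale (confirm before comparing with
# results reported on a 0-1 scale).
# NOTE(review): pgd_attack starts from a random point and no seed is set, so
# repeated runs will not reproduce the numbers exactly.
eps = [0.1,0.3,0.5,0.7,0.9,1.0,2.0]
iterations = 5
alpha = [0.1,0.3,0.5,0.7,0.9,1.0]
take_size = 1000
accu_num = []        # share of samples whose prediction is unchanged by the perturbation
robust_acc_num = []  # share of perturbed samples still assigned their true label
eps_list = []
alpha_list = []

for al in alpha:
    for item in eps:
        countadv = 0
        count_correct = 0
        for image, label in tqdm(ds_test.take(take_size)):
            imageLabel = np.array(label).argmax()
            imagePred = model.predict(image)
            imagePred = imagePred.argmax()
            adversary = pgd_attack(model,iterations,image, label, alpha=al, eps=item)
            pred = model.predict(adversary)
            adversaryPred = pred[0].argmax()
            # Agreement with the clean prediction. This is the value printed below;
            # it counts a sample as "kept" even when the clean prediction was wrong.
            if imagePred == adversaryPred:
                countadv += 1
            # Accuracy against ground truth, which is what robust accuracy
            # normally refers to. The label was previously computed but never used.
            if adversaryPred == imageLabel:
                count_correct += 1

        # The printed figure is the agreement rate, kept under its original label
        # so the recorded output stays comparable.
        print("Adversarial accuracy : ", countadv / take_size)
        accu_num.append(countadv / take_size)
        robust_acc_num.append(count_correct / take_size)
        eps_list.append(item)
        alpha_list.append(al)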

100%|███████████████████████████████████████| 1000/1000 [18:19<00:00,  1.10s/it]


Adversarial accuracy :  0.912


100%|███████████████████████████████████████| 1000/1000 [19:05<00:00,  1.15s/it]


Adversarial accuracy :  0.588


100%|███████████████████████████████████████| 1000/1000 [18:40<00:00,  1.12s/it]


Adversarial accuracy :  0.449


100%|███████████████████████████████████████| 1000/1000 [18:09<00:00,  1.09s/it]


Adversarial accuracy :  0.393


100%|███████████████████████████████████████| 1000/1000 [18:05<00:00,  1.09s/it]


Adversarial accuracy :  0.345


100%|███████████████████████████████████████| 1000/1000 [18:00<00:00,  1.08s/it]


Adversarial accuracy :  0.328


100%|███████████████████████████████████████| 1000/1000 [17:40<00:00,  1.06s/it]


Adversarial accuracy :  0.212


100%|███████████████████████████████████████| 1000/1000 [17:41<00:00,  1.06s/it]


Adversarial accuracy :  0.916


100%|███████████████████████████████████████| 1000/1000 [17:40<00:00,  1.06s/it]


Adversarial accuracy :  0.54


100%|███████████████████████████████████████| 1000/1000 [17:42<00:00,  1.06s/it]


Adversarial accuracy :  0.224


100%|███████████████████████████████████████| 1000/1000 [17:48<00:00,  1.07s/it]


Adversarial accuracy :  0.124


100%|███████████████████████████████████████| 1000/1000 [17:19<00:00,  1.04s/it]


Adversarial accuracy :  0.103


100%|███████████████████████████████████████| 1000/1000 [16:54<00:00,  1.01s/it]


Adversarial accuracy :  0.098


100%|███████████████████████████████████████| 1000/1000 [16:56<00:00,  1.02s/it]


Adversarial accuracy :  0.079


100%|███████████████████████████████████████| 1000/1000 [16:56<00:00,  1.02s/it]


Adversarial accuracy :  0.916


100%|███████████████████████████████████████| 1000/1000 [16:52<00:00,  1.01s/it]


Adversarial accuracy :  0.584


100%|███████████████████████████████████████| 1000/1000 [16:51<00:00,  1.01s/it]


Adversarial accuracy :  0.226


100%|███████████████████████████████████████| 1000/1000 [16:52<00:00,  1.01s/it]


Adversarial accuracy :  0.131


100%|███████████████████████████████████████| 1000/1000 [16:50<00:00,  1.01s/it]


Adversarial accuracy :  0.094


100%|███████████████████████████████████████| 1000/1000 [16:57<00:00,  1.02s/it]


Adversarial accuracy :  0.087


100%|███████████████████████████████████████| 1000/1000 [16:54<00:00,  1.01s/it]


Adversarial accuracy :  0.065


100%|███████████████████████████████████████| 1000/1000 [16:53<00:00,  1.01s/it]


Adversarial accuracy :  0.916


100%|███████████████████████████████████████| 1000/1000 [16:49<00:00,  1.01s/it]


Adversarial accuracy :  0.625


100%|███████████████████████████████████████| 1000/1000 [16:23<00:00,  1.02it/s]


Adversarial accuracy :  0.281


100%|███████████████████████████████████████| 1000/1000 [16:28<00:00,  1.01it/s]


Adversarial accuracy :  0.139


100%|███████████████████████████████████████| 1000/1000 [16:21<00:00,  1.02it/s]


Adversarial accuracy :  0.099


100%|███████████████████████████████████████| 1000/1000 [16:22<00:00,  1.02it/s]


Adversarial accuracy :  0.085


100%|███████████████████████████████████████| 1000/1000 [16:25<00:00,  1.01it/s]


Adversarial accuracy :  0.057


100%|███████████████████████████████████████| 1000/1000 [16:24<00:00,  1.02it/s]


Adversarial accuracy :  0.916


100%|███████████████████████████████████████| 1000/1000 [16:28<00:00,  1.01it/s]


Adversarial accuracy :  0.625


100%|███████████████████████████████████████| 1000/1000 [16:20<00:00,  1.02it/s]


Adversarial accuracy :  0.346


100%|███████████████████████████████████████| 1000/1000 [16:20<00:00,  1.02it/s]


Adversarial accuracy :  0.158


100%|███████████████████████████████████████| 1000/1000 [16:26<00:00,  1.01it/s]


Adversarial accuracy :  0.112


100%|███████████████████████████████████████| 1000/1000 [16:22<00:00,  1.02it/s]


Adversarial accuracy :  0.1


100%|███████████████████████████████████████| 1000/1000 [16:22<00:00,  1.02it/s]


Adversarial accuracy :  0.058


100%|███████████████████████████████████████| 1000/1000 [16:17<00:00,  1.02it/s]


Adversarial accuracy :  0.916


100%|███████████████████████████████████████| 1000/1000 [16:20<00:00,  1.02it/s]


Adversarial accuracy :  0.624


100%|███████████████████████████████████████| 1000/1000 [16:35<00:00,  1.00it/s]


Adversarial accuracy :  0.382


100%|███████████████████████████████████████| 1000/1000 [17:03<00:00,  1.02s/it]


Adversarial accuracy :  0.179


100%|███████████████████████████████████████| 1000/1000 [17:02<00:00,  1.02s/it]


Adversarial accuracy :  0.12


100%|███████████████████████████████████████| 1000/1000 [17:05<00:00,  1.03s/it]


Adversarial accuracy :  0.101


100%|███████████████████████████████████████| 1000/1000 [17:04<00:00,  1.02s/it]

Adversarial accuracy :  0.056





In [6]:
# One value per (alpha, eps) pair, alpha-major: the share of samples whose
# prediction matched the clean prediction after perturbation.
accu_num

[0.912,
 0.588,
 0.449,
 0.393,
 0.345,
 0.328,
 0.212,
 0.916,
 0.54,
 0.224,
 0.124,
 0.103,
 0.098,
 0.079,
 0.916,
 0.584,
 0.226,
 0.131,
 0.094,
 0.087,
 0.065,
 0.916,
 0.625,
 0.281,
 0.139,
 0.099,
 0.085,
 0.057,
 0.916,
 0.625,
 0.346,
 0.158,
 0.112,
 0.1,
 0.058,
 0.916,
 0.624,
 0.382,
 0.179,
 0.12,
 0.101,
 0.056]

In [7]:
# eps value for each entry of accu_num, in the same order.
eps_list

[0.1,
 0.3,
 0.5,
 0.7,
 0.9,
 1.0,
 2.0,
 0.1,
 0.3,
 0.5,
 0.7,
 0.9,
 1.0,
 2.0,
 0.1,
 0.3,
 0.5,
 0.7,
 0.9,
 1.0,
 2.0,
 0.1,
 0.3,
 0.5,
 0.7,
 0.9,
 1.0,
 2.0,
 0.1,
 0.3,
 0.5,
 0.7,
 0.9,
 1.0,
 2.0,
 0.1,
 0.3,
 0.5,
 0.7,
 0.9,
 1.0,
 2.0]

In [8]:
# alpha (step size) for each entry of accu_num, in the same order.
alpha_list

[0.1,
 0.1,
 0.1,
 0.1,
 0.1,
 0.1,
 0.1,
 0.3,
 0.3,
 0.3,
 0.3,
 0.3,
 0.3,
 0.3,
 0.5,
 0.5,
 0.5,
 0.5,
 0.5,
 0.5,
 0.5,
 0.7,
 0.7,
 0.7,
 0.7,
 0.7,
 0.7,
 0.7,
 0.9,
 0.9,
 0.9,
 0.9,
 0.9,
 0.9,
 0.9,
 1.0,
 1.0,
 1.0,
 1.0,
 1.0,
 1.0,
 1.0]