## Adversarial Training in Keras
This notebook is part of Module 3 of the [ODSC Europe 2021](https://odsc.com/europe/) workshop [Adversarial Attacks and Defence in Computer Vision 101](https://odsc.com/speakers/adversarial-attacks-and-defence-in-computer-vision-101/).  
![ODSC Logo](https://opendatascience.com/wp-content/uploads/2021/01/odsceutop.png)  
It shows how to perform Adversarial Training on a [DenseNet201](https://www.tensorflow.org/api_docs/python/tf/keras/applications/DenseNet201) model trained on the [CIFAR-10](https://www.cs.toronto.edu/~kriz/cifar.html) data set.  Adversarial attacks and training are performed throgh the Open Source [ART](https://adversarial-robustness-toolbox.org/) (Adversarial Robustness Toolbox) Python library.
For faster execution is suggested to execute this notebook in a GPU or TPU runtime.

Install ART.

In [None]:
!pip install adversarial-robustness-toolbox[tensorflow]

Collecting adversarial-robustness-toolbox[tensorflow]
[?25l  Downloading https://files.pythonhosted.org/packages/b7/55/ada2944007165070f8ebfaa25383f490095250b30da8d0dd125938531a0f/adversarial_robustness_toolbox-1.6.2-py3-none-any.whl (974kB)
[K     |▍                               | 10kB 21.1MB/s eta 0:00:01[K     |▊                               | 20kB 28.2MB/s eta 0:00:01[K     |█                               | 30kB 27.2MB/s eta 0:00:01[K     |█▍                              | 40kB 20.1MB/s eta 0:00:01[K     |█▊                              | 51kB 10.4MB/s eta 0:00:01[K     |██                              | 61kB 9.3MB/s eta 0:00:01[K     |██▍                             | 71kB 10.5MB/s eta 0:00:01[K     |██▊                             | 81kB 11.6MB/s eta 0:00:01[K     |███                             | 92kB 12.3MB/s eta 0:00:01[K     |███▍                            | 102kB 10.0MB/s eta 0:00:01[K     |███▊                            | 112kB 10.0MB/s eta 0:00

Import the necessary Python packages.

In [None]:
import warnings
warnings.filterwarnings('ignore')
import tensorflow as tf

from tensorflow.keras.datasets import cifar10
from tensorflow.keras.models import load_model
from tensorflow.keras.applications.densenet import preprocess_input
from tensorflow.keras.utils import to_categorical

from art import config
from art.utils import load_dataset, get_file
from art.estimators.classification import KerasClassifier
from art.attacks.evasion import FastGradientMethod
from art.attacks.evasion import BasicIterativeMethod
from art.defences.trainer import AdversarialTrainer

import numpy as np

%matplotlib inline
import matplotlib.pyplot as plt

Load the CIFAR-10 data set.

In [None]:
(x_train, y_train), (x_test, y_test) = cifar10.load_data()

Downloading data from https://www.cs.toronto.edu/~kriz/cifar-10-python.tar.gz


Preprocess the data and convert the labels to one-hot encodings.

In [None]:
def preprocess_data(X, Y):
    X = preprocess_input(X)
    Y = to_categorical(Y)

    return X, Y

In [None]:
x_train, y_train = preprocess_data(x_train, y_train)
x_test, y_test = preprocess_data(x_test, y_test)

Load the pre-trained CNN model on CIFAR-10.

In [None]:
tf.compat.v1.disable_eager_execution()

In [None]:
model_path = './cifar10.h5'
classifier_model = load_model(model_path)

In [None]:
classifier = KerasClassifier(model=classifier_model, use_logits=False, clip_values=[0,255])

Evaluate the performance of the model towards test legit images.

In [None]:
n = 100
y_pred = classifier.predict(x_test[:n])
accuracy = np.mean(np.argmax(y_pred, axis=1) == np.argmax(y_test[:n], axis=1))

In [None]:
print("Accuracy on first %i benign test samples: %f" % (n, accuracy))

Accuracy on first 100 benign test samples: 0.900000


Generate some adversarial samples (using FGSM) and evaluate the performance of the network against them.

In [None]:
attacker = FastGradientMethod(classifier, eps=0.5)
x_test_adv = attacker.generate(x_test[:100])

In [None]:
x_test_adv_pred = np.argmax(classifier.predict(x_test_adv), axis=1)
nb_correct_adv_pred = np.sum(x_test_adv_pred == np.argmax(y_test[:100], axis=1))

print("Adversarial test data (first 100 images):")
print("Correctly classified: {}".format(nb_correct_adv_pred))
print("Incorrectly classified: {}".format(100-nb_correct_adv_pred))

Adversarial test data (first 100 images):
Correctly classified: 39
Incorrectly classified: 61


Perform the adversarial training.

In [None]:
trainer = AdversarialTrainer(classifier, attacker, ratio=1.0)

In [None]:
trainer.fit(x_train, y_train, nb_epochs=20, batch_size=50)

HBox(children=(FloatProgress(value=0.0, description='Precompute adv samples', max=1.0, style=ProgressStyle(des…




HBox(children=(FloatProgress(value=0.0, description='Adversarial training epochs', max=20.0, style=ProgressSty…




Evaluate the robust classifier against the legit test data.

In [None]:
x_test_robust_pred = np.argmax(classifier.predict(x_test[:100]), axis=1)
nb_correct_robust_pred = np.sum(x_test_robust_pred == np.argmax(y_test[:100], axis=1))

print("Original test data (first 100 images):")
print("Correctly classified: {}".format(nb_correct_robust_pred))
print("Incorrectly classified: {}".format(100-nb_correct_robust_pred))

Original test data (first 100 images):
Correctly classified: 76
Incorrectly classified: 24


Evaluate the robust classifier against adversarial samples (FGSM).

In [None]:
attacker_robust = FastGradientMethod(classifier, eps=0.5)
x_test_adv_robust = attacker_robust.generate(x_test[:100])

In [None]:
x_test_adv_robust_pred = np.argmax(classifier.predict(x_test_adv_robust), axis=1)
nb_correct_adv_robust_pred = np.sum(x_test_adv_robust_pred == np.argmax(y_test[:100], axis=1))

print("Adversarial test data (first 100 images):")
print("Correctly classified: {}".format(nb_correct_adv_robust_pred))
print("Incorrectly classified: {}".format(100-nb_correct_adv_robust_pred))

Adversarial test data (first 100 images):
Correctly classified: 68
Incorrectly classified: 32
