Code for paper "Characterizing Adversarial Subspaces Using Local Intrinsic Dimensionality". ICLR 2018, https://arxiv.org/abs/1801.02613

Update: added BatchNormalization to after Conv and ReLU. 17 Sept. 2018.

1. Pre-train DNN models:

python train_model.py -d mnist -e 50 -b 128

2. Craft adversarial examples:

python craft_adv_samples.py -d cifar -a cw-l2 -b 100

3.Extract detection characteristics:

python extract_characteristics.py -d cifar -a cw-l2 -r lid -k 20 -b 100

4. Train simple detectors:

python detect_adv_examples.py -d cifar -a fgsm -t cw-l2 -r lid

Dependencies:

python 3.5, tqdm, tensorflow = 1.8, Keras >= 2.0, cleverhans >= 1.0.0 (may need extra change to pass in keras learning rate)

Kernal Density and Bayesian Uncertainty are from https://github.com/rfeinman/detecting-adversarial-samples ("Detecting Adversarial Samples from Artifacts" (Feinman et al. 2017))

---

If you came across the error:

tensorflow.python.framework.errors_impl.InvalidArgumentError: input_1:0 is both fed and fetched.

Solution: in function get_layer_wise_activations() (util.py), do the following change: acts = [layer.output for layer in model.layers[1:]] # let the layer index start from 1.

Reason: this possibly cause by the input layer is defined as a sepearte layer, with both input and output is X.