In [1]:
import tensorflow as tf
import tensorflow.keras.backend as K
from tensorflow.keras.datasets import mnist
from tensorflow.keras.utils import to_categorical
import numpy as np
import matplotlib as mpl
import matplotlib.pyplot as plt
from nn_robust_attacks.setup_mnist import MNIST, MNISTModel

Using TensorFlow backend.


In [2]:
# One TF1 session is created here and registered as the Keras backend session;
# the same `sess` object is handed to every CarliniL2 constructor further down.
session_config = tf.ConfigProto()
sess = tf.Session(config=session_config)
K.set_session(sess)

# Dataset wrapper from nn_robust_attacks.setup_mnist. The training cells read
# its train_data / train_labels / validation_data / validation_labels fields.
data = MNIST()

# CNN Model for MNIST 
class MNIST_Model:
    """Small CNN for 28x28x1 MNIST images whose final layer emits raw logits.

    The last layer is Dense(10) with no activation, so `predict` returns
    unnormalised scores; any softmax is applied by the caller or the loss.

    Sequential, Conv2D, Activation, MaxPooling2D, Flatten and Dense are
    resolved when the class is instantiated, not when it is defined; in this
    notebook they are imported by a later cell, which must run before the
    first MNIST_Model() call.
    """

    def __init__(self, session=None):
        # `session` is accepted for interface compatibility but never read here.
        self.num_channels = 1
        self.image_size = 28
        self.num_labels = 10

        network = Sequential()

        feature_layers = [
            # Two 3x3 conv layers with 32 filters, then 2x2 max pooling.
            Conv2D(32, (3, 3), input_shape=(28, 28, 1)),
            Activation('relu'),
            Conv2D(32, (3, 3)),
            Activation('relu'),
            MaxPooling2D(pool_size=(2, 2)),
            # Two 3x3 conv layers with 64 filters, then 2x2 max pooling.
            Conv2D(64, (3, 3)),
            Activation('relu'),
            Conv2D(64, (3, 3)),
            Activation('relu'),
            MaxPooling2D(pool_size=(2, 2)),
        ]
        classifier_layers = [
            Flatten(),
            Dense(200),
            Activation('relu'),
            Dense(200),
            Activation('relu'),
            # Ten outputs, one per digit class, left as logits.
            Dense(10),
        ]
        for layer in feature_layers + classifier_layers:
            network.add(layer)

        self.model = network

    def predict(self, data):
        """Apply the wrapped Keras model to `data` by calling it directly."""
        return self.model(data)

In [3]:
# Switch between the two branches of the model cells below:
# True trains and saves each model, False reloads the saved copies from disk.
training = False

# Hyper-parameters used only by the training branch.
num_epochs = 10   # passes over the training set
batch_size = 128  # samples per gradient step
train_temp = 1    # divisor applied to the logits inside the loss `fn`

# Model Training

In [4]:
from keras.models import load_model, Sequential
from keras.layers import Dense, Activation, Conv2D, MaxPooling2D, Flatten
from keras.optimizers import SGD

def fn(correct, predicted):
    """Softmax cross-entropy between one-hot labels and temperature-scaled logits.

    correct: label tensor passed through as `labels`.
    predicted: logit tensor; it is divided by the notebook-level `train_temp`
        before the loss is computed.

    The saved models reference this loss by the name 'fn', which is why the
    load_model calls in this notebook pass it through custom_objects.
    """
    scaled_logits = predicted / train_temp
    return tf.nn.softmax_cross_entropy_with_logits(labels=correct,
                                                   logits=scaled_logits)

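# First model: train and save it when `training` is set, otherwise reload the
# previously saved copy.
modelname = "models/trained_model1"
model1 = MNIST_Model()
if training:
    sgd = SGD(lr=0.01, decay=1e-6, momentum=0.9, nesterov=True)
    model1.model.compile(loss=fn, optimizer=sgd, metrics=['accuracy'])
    model1.model.fit(
        data.train_data, data.train_labels,
        batch_size=batch_size,
        validation_data=(data.validation_data, data.validation_labels),
        # Keras 2 names this argument `epochs`; `nb_epoch` is the Keras 1
        # spelling and is only kept alive through a deprecation shim.
        epochs=num_epochs,
        shuffle=True,
    )
    model1.model.save(modelname)
else:
    # load_model rebuilds a complete model (architecture, weights, compile
    # settings) from the file, so the file is trusted input: point it only at
    # artefacts written by the training branch above or of otherwise known
    # origin. custom_objects supplies the loss the model was compiled with.
    model1.model = load_model(modelname, custom_objects={'fn': fn})

model1.model.summary()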


Instructions for updating:

Future major versions of TensorFlow will allow gradients to flow
into the labels input on backprop by default.

See `tf.nn.softmax_cross_entropy_with_logits_v2`.


Model: "sequential_5"
_________________________________________________________________
Layer (type)                 Output Shape              Param #   
conv2d_17 (Conv2D)           (None, 26, 26, 32)        320       
_________________________________________________________________
activation_25 (Activation)   (None, 26, 26, 32)        0         
_________________________________________________________________
conv2d_18 (Conv2D)           (None, 24, 24, 32)        9248      
_________________________________________________________________
activation_26 (Activation)   (None, 24, 24, 32)        0         
_________________________________________________________________
max_pooling2d_9 (MaxPooling2 (None, 12, 12, 32)        0         
___________________________________________________________

In [5]:
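# Second model: same architecture and training recipe as the first, stored
# under its own file name.
modelname = "models/trained_model2"
model2 = MNIST_Model()
if training:
    sgd = SGD(lr=0.01, decay=1e-6, momentum=0.9, nesterov=True)
    model2.model.compile(loss=fn, optimizer=sgd, metrics=['accuracy'])
    model2.model.fit(
        data.train_data, data.train_labels,
        batch_size=batch_size,
        validation_data=(data.validation_data, data.validation_labels),
        # `epochs` is the Keras 2 name of the argument formerly called `nb_epoch`.
        epochs=num_epochs,
        shuffle=True,
    )
    model2.model.save(modelname)
else:
    # The saved model file is trusted input to load_model; load only files
    # produced by the training branch or of otherwise known origin.
    model2.model = load_model(modelname, custom_objects={'fn': fn})

model2.model.summary()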

Model: "sequential_8"
_________________________________________________________________
Layer (type)                 Output Shape              Param #   
conv2d_29 (Conv2D)           (None, 26, 26, 32)        320       
_________________________________________________________________
activation_43 (Activation)   (None, 26, 26, 32)        0         
_________________________________________________________________
conv2d_30 (Conv2D)           (None, 24, 24, 32)        9248      
_________________________________________________________________
activation_44 (Activation)   (None, 24, 24, 32)        0         
_________________________________________________________________
max_pooling2d_15 (MaxPooling (None, 12, 12, 32)        0         
_________________________________________________________________
conv2d_31 (Conv2D)           (None, 10, 10, 64)        18496     
_________________________________________________________________
activation_45 (Activation)   (None, 10, 10, 64)       

In [6]:
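# Third model: same architecture and training recipe, stored under its own
# file name.
modelname = "models/trained_model3"
model3 = MNIST_Model()
if training:
    sgd = SGD(lr=0.01, decay=1e-6, momentum=0.9, nesterov=True)
    model3.model.compile(loss=fn, optimizer=sgd, metrics=['accuracy'])
    model3.model.fit(
        data.train_data, data.train_labels,
        batch_size=batch_size,
        validation_data=(data.validation_data, data.validation_labels),
        # `epochs` is the Keras 2 name of the argument formerly called `nb_epoch`.
        epochs=num_epochs,
        shuffle=True,
    )
    model3.model.save(modelname)
else:
    # The saved model file is trusted input to load_model; load only files
    # produced by the training branch or of otherwise known origin.
    model3.model = load_model(modelname, custom_objects={'fn': fn})

model3.model.summary()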

Model: "sequential_7"
_________________________________________________________________
Layer (type)                 Output Shape              Param #   
conv2d_25 (Conv2D)           (None, 26, 26, 32)        320       
_________________________________________________________________
activation_37 (Activation)   (None, 26, 26, 32)        0         
_________________________________________________________________
conv2d_26 (Conv2D)           (None, 24, 24, 32)        9248      
_________________________________________________________________
activation_38 (Activation)   (None, 24, 24, 32)        0         
_________________________________________________________________
max_pooling2d_13 (MaxPooling (None, 12, 12, 32)        0         
_________________________________________________________________
conv2d_27 (Conv2D)           (None, 10, 10, 64)        18496     
_________________________________________________________________
activation_39 (Activation)   (None, 10, 10, 64)       

In [7]:
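# Fourth model: never passed to an attack constructor in this notebook; the
# `transferability` helper queries it with the finished adversarial examples.
modelname = "models/trained_model4"
model4 = MNIST_Model()
if training:
    sgd = SGD(lr=0.01, decay=1e-6, momentum=0.9, nesterov=True)
    model4.model.compile(loss=fn, optimizer=sgd, metrics=['accuracy'])
    model4.model.fit(
        data.train_data, data.train_labels,
        batch_size=batch_size,
        validation_data=(data.validation_data, data.validation_labels),
        # `epochs` is the Keras 2 name of the argument formerly called `nb_epoch`.
        epochs=num_epochs,
        shuffle=True,
    )
    model4.model.save(modelname)
else:
    # The saved model file is trusted input to load_model; load only files
    # produced by the training branch or of otherwise known origin.
    model4.model = load_model(modelname, custom_objects={'fn': fn})

model4.model.summary()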

Model: "sequential_8"
_________________________________________________________________
Layer (type)                 Output Shape              Param #   
conv2d_29 (Conv2D)           (None, 26, 26, 32)        320       
_________________________________________________________________
activation_43 (Activation)   (None, 26, 26, 32)        0         
_________________________________________________________________
conv2d_30 (Conv2D)           (None, 24, 24, 32)        9248      
_________________________________________________________________
activation_44 (Activation)   (None, 24, 24, 32)        0         
_________________________________________________________________
max_pooling2d_15 (MaxPooling (None, 12, 12, 32)        0         
_________________________________________________________________
conv2d_31 (Conv2D)           (None, 10, 10, 64)        18496     
_________________________________________________________________
activation_45 (Activation)   (None, 10, 10, 64)       

# Preprocess / Setup

In [8]:
from keras.datasets import mnist as data_keras
from keras.utils import to_categorical

(x_train, y_train), (x_test, y_test) = data_keras.load_data()

# Append a channel axis and divide by 255 so pixel values lie in [0, 1].
# NOTE(review): the models were fitted on data.train_data from the MNIST()
# wrapper; confirm that wrapper applies this same scaling, otherwise the
# accuracies below are measured on differently preprocessed inputs.
x_train = np.expand_dims(x_train, axis=-1) / 255.0
x_test = np.expand_dims(x_test, axis=-1) / 255.0

# Integer digit labels -> one-hot rows.
y_train = to_categorical(y_train)
y_test = to_categorical(y_test)

In [9]:
# Clean-data baseline: loss and accuracy of each of the four models on the
# Keras MNIST test split, printed in model order.
for classifier in (model1, model2, model3, model4):
    scores = classifier.model.evaluate(x_test, y_test)
    print("loss={}, accuracy={}".format(*scores))

loss=0.060424025029380574, accuracy=0.9833999872207642
loss=0.060767219057303735, accuracy=0.9829999804496765
loss=0.1604284207782708, accuracy=0.9513999819755554
loss=0.06374289788251045, accuracy=0.979200005531311


In [10]:
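# Make reversed greyscale the default colormap for every later imshow call.
# Writing the rcParam directly has the same effect on the default as
# plt.set_cmap, without opening the empty figures that plt.set_cmap and
# plt.figure leave behind as blank cell output.
mpl.rcParams['image.cmap'] = 'Greys_r'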

<Figure size 432x288 with 0 Axes>

<Figure size 432x288 with 0 Axes>

<Figure size 432x288 with 0 Axes>

In [11]:
true_label = 0   # class of the clean source images
num_img = 25     # number of images processed per run

# One identical one-hot row per image, all pointing at class 9.
# to_categorical(9) infers its width from the largest label it sees, so the
# row has 10 entries only because 9 happens to be the highest class index.
targets = np.tile(to_categorical(9), (num_img, 1))

# Clean source images saved earlier as a NumPy array file. Current NumPy
# refuses pickled object arrays in np.load unless allow_pickle=True is passed;
# keep that default for array files that did not originate from this project.
inputs = np.load('inputs_0.csv.npy')
print(targets)

[[0. 0. 0. 0. 0. 0. 0. 0. 0. 1.]
 [0. 0. 0. 0. 0. 0. 0. 0. 0. 1.]
 [0. 0. 0. 0. 0. 0. 0. 0. 0. 1.]
 [0. 0. 0. 0. 0. 0. 0. 0. 0. 1.]
 [0. 0. 0. 0. 0. 0. 0. 0. 0. 1.]
 [0. 0. 0. 0. 0. 0. 0. 0. 0. 1.]
 [0. 0. 0. 0. 0. 0. 0. 0. 0. 1.]
 [0. 0. 0. 0. 0. 0. 0. 0. 0. 1.]
 [0. 0. 0. 0. 0. 0. 0. 0. 0. 1.]
 [0. 0. 0. 0. 0. 0. 0. 0. 0. 1.]
 [0. 0. 0. 0. 0. 0. 0. 0. 0. 1.]
 [0. 0. 0. 0. 0. 0. 0. 0. 0. 1.]
 [0. 0. 0. 0. 0. 0. 0. 0. 0. 1.]
 [0. 0. 0. 0. 0. 0. 0. 0. 0. 1.]
 [0. 0. 0. 0. 0. 0. 0. 0. 0. 1.]
 [0. 0. 0. 0. 0. 0. 0. 0. 0. 1.]
 [0. 0. 0. 0. 0. 0. 0. 0. 0. 1.]
 [0. 0. 0. 0. 0. 0. 0. 0. 0. 1.]
 [0. 0. 0. 0. 0. 0. 0. 0. 0. 1.]
 [0. 0. 0. 0. 0. 0. 0. 0. 0. 1.]
 [0. 0. 0. 0. 0. 0. 0. 0. 0. 1.]
 [0. 0. 0. 0. 0. 0. 0. 0. 0. 1.]
 [0. 0. 0. 0. 0. 0. 0. 0. 0. 1.]
 [0. 0. 0. 0. 0. 0. 0. 0. 0. 1.]
 [0. 0. 0. 0. 0. 0. 0. 0. 0. 1.]]


In [12]:
# Sanity check: the number of loaded source images should equal num_img.
print(inputs.shape[0])

25


# Helper Functions

In [13]:
from numpy import savetxt

def save_results(inputs, adv, targets, subset_attacked):
    """Persist one run's source images, adversarial images and targets.

    subset_attacked: string label of the run ('1', '12', '123', ...); it is
        spliced into the three file names. np.save appends '.npy', so the
        files end in '.csv.npy' and are NumPy binaries, not CSV text.

    NOTE(review): every path carries the '_precise_' infix and the inputs file
    gets a double underscore. save_results_precise in this notebook writes the
    same inputs/adv paths for the same label, so whichever run comes last
    overwrites the other's arrays.
    """
    suffix = subset_attacked + '.csv'
    np.save('three_subset_data/inputs_precise_' + '_' + suffix, inputs)
    np.save('three_subset_data/adv_precise_' + suffix, adv)
    np.save('three_subset_data/targets_precise_' + suffix, targets)

In [14]:
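def get_label_confidence(image, model):
    """Return (predicted class, softmax confidence) for a single-image batch.

    image: array with a leading batch axis of length 1.
    model: object whose predict(image) returns one row of raw logits.

    Returns the arg-max class index of that row and the softmax probability
    assigned to it.
    """
    logits = np.asarray(model.predict(image))
    # One forward pass feeds both results. Arg-max over the class axis is what
    # Sequential.predict_classes computed for multi-class outputs, and it keeps
    # working on Keras releases that no longer ship predict_classes.
    image_class = logits.argmax(axis=-1)
    # Subtract the largest logit before exponentiating: the softmax value is
    # unchanged, but large logits can no longer overflow to inf and turn the
    # reported confidence into nan.
    exp_shifted = np.exp(logits - logits.max())
    probabilities = exp_shifted / exp_shifted.sum()
    return image_class[0], probabilities.max()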

In [15]:
def attack_evaluation(num_img, adv, num_models):
    """Classify the first num_img adversarial images and collect the results.

    With num_models == 1 each entry is model1's (label, confidence) tuple.
    With num_models > 1 each entry is a list of three such tuples, for the
    notebook-level model1, model2 and model3 in that order, whatever the
    exact count passed in.

    The image index and its result are printed as the loop runs; the list of
    results is returned.
    """
    results = []
    for idx in range(num_img):
        print(idx)
        if num_models == 1:
            res = get_label_confidence(adv[idx][np.newaxis, ...], model1.model)
        if num_models > 1:
            # Re-add the batch axis the models expect, then query all three.
            sample = adv[idx][np.newaxis, ...]
            res = [get_label_confidence(sample, clf.model)
                   for clf in (model1, model2, model3)]
        print(res)
        results.append(res)
    return results

In [16]:
def size_of_attack(adv, inputs, num_img):
    """Print two summary statistics of the perturbation adv - inputs.

    'Mean' is the signed sum of every perturbation value divided by num_img.
    'Standard Deviation' is np.std over the per-image first-axis sums.
    Nothing is returned.

    NOTE(review): both figures use signed values, so positive and negative
    pixel changes cancel each other. A per-image norm of the perturbation
    would report the distortion without that cancellation; confirm which
    measure the write-up intends.
    """
    delta = adv - inputs
    mean_signed = np.sum(delta) / num_img

    # Builtin sum() over one image adds its first-axis slices elementwise.
    per_image_sums = []
    for image_delta in delta:
        per_image_sums.append(sum(image_delta))
    spread = np.std(np.array(per_image_sums))

    print('Mean', mean_signed)
    print('Standard Deviation', spread)

In [17]:
def transferability(num_img, adv):
    """Print model4's (label, confidence) for each of the first num_img images.

    model4 is never passed to an attack constructor in this notebook, so this
    shows how examples built against the other models behave on a model they
    were not built against. Nothing is returned.
    """
    for idx in range(num_img):
        print(idx)
        sample = adv[idx][np.newaxis, ...]  # restore the batch axis
        print('Model 4', get_label_confidence(sample, model4.model))

In [18]:
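def check_correct(subset, num_img, adv, num_models, target_label='9', true_label='0'):
    """Return the indices of images whose predictions match the subset pattern.

    subset: one of '1', '2', '3', '12', '13', '23', '123'. Each digit names a
        model (1-based position in a result row) that must predict
        target_label; every model not named must still predict true_label.
    num_img, adv, num_models: forwarded to attack_evaluation. The rows are
        indexed as three (label, confidence) tuples, so num_models must be
        greater than 1.
    target_label, true_label: class labels, given as digit strings or ints.

    Returns the list of matching image indices in ascending order.
    Raises ValueError for an unknown subset string.
    """
    known_subsets = ('1', '2', '3', '12', '13', '23', '123')
    if subset not in known_subsets:
        raise ValueError('unknown subset {!r}; expected one of {}'.format(subset, known_subsets))

    # The classifiers report integer class ids while the defaults are digit
    # strings; comparing them directly is always False, so both sides are
    # normalised to int before the comparison.
    target = int(target_label)
    true = int(true_label)
    expected = [target if str(position) in subset else true for position in (1, 2, 3)]

    results = attack_evaluation(num_img, adv, num_models)
    correct = []
    # enumerate gives each row its own index; list.index would return the
    # first equal row and mislabel images whose results happen to coincide.
    for idx, res in enumerate(results):
        predicted = [int(res[position][0]) for position in range(3)]
        if predicted == expected:
            correct.append(idx)
    return correct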

In [19]:
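def print_results(num_img, adv, num_models, inputs, subset):
    """Print the full report for one run.

    Prints, in order: the image indices check_correct accepts for `subset`,
    the perturbation statistics from size_of_attack, and model4's predictions
    from transferability.

    check_correct is called with its default labels (target '9', true '0').
    For runs whose targets differ from class 9, the index list therefore does
    not measure success against those targets.
    """
    print(check_correct(subset, num_img, adv, num_models))
    # size_of_attack and transferability print their own report and return
    # None, so they are called directly rather than wrapped in print(), which
    # only added a stray "None" line after each report.
    size_of_attack(adv, inputs, num_img)
    transferability(num_img, adv)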

In [20]:
def plot_adversarial(inputs, adv, num):
    """Show an adversarial image, its clean source and their difference.

    Panels from left to right: adv[0], inputs[0], adv[0] - inputs[0], each
    taken from channel 0 with the axes hidden.

    NOTE(review): `num` is never read and index 0 is always plotted; confirm
    whether `num` was meant to select the image.
    """
    clean = inputs[0][:, :, 0]
    perturbed = adv[0][:, :, 0]

    fig, panels = plt.subplots(1, 3)
    for axis, image in zip(panels, (perturbed, clean, perturbed - clean)):
        axis.axis('off')
        axis.imshow(image)
    for axis in panels:
        axis.margins(0, 0)

# Three Model Attack (1 Target)

## D : (A, D, D)

In [21]:
from nn_robust_attacks.l2_attack_tri_single_double import CarliniL2

# Subset '1': model1 occupies the first constructor slot. With attack=False
# the recorded output shows only that first model moving to the target class
# while model2 and model3 keep predicting the true class.
subset = '1'
cw_l2 = CarliniL2(sess, model1, model2, model3, attack=False)
adv = cw_l2.attack(inputs, targets)
# save_results writes under the *_precise_* file names, which
# save_results_precise also uses for the same subset label.
save_results(inputs, adv, targets, subset)



Instructions for updating:
Use tf.where in 2.0, which has the same broadcast rule as np.where

go up to 25
tick 0
tick 1
tick 2
tick 3
tick 4
tick 5
tick 6
tick 7
tick 8
tick 9
tick 10
tick 11
tick 12
tick 13
tick 14
tick 15
tick 16
tick 17
tick 18
tick 19
tick 20
tick 21
tick 22
tick 23
tick 24


In [22]:
# Report for the run above: matching image indices, perturbation statistics
# and model4's predictions. check_correct runs with its default labels
# (target 9, true 0), which is what this section's all-9 `targets` encode.
print_results(num_img=num_img, adv=adv, num_models=3, inputs=inputs, subset=subset)

0

[(9, 0.32324442), (0, 0.87062556), (0, 0.99975914)]
1
[(9, 0.45522553), (0, 0.9968609), (0, 0.8531524)]
2
[(9, 0.41631514), (0, 0.94697416), (0, 0.98830336)]
3
[(9, 0.35437775), (0, 0.9856967), (0, 0.9643666)]
4
[(9, 0.39859313), (0, 0.9986787), (0, 0.9612285)]
5
[(9, 0.5620573), (0, 0.9881815), (0, 0.99582845)]
6
[(9, 0.4455867), (0, 0.99998516), (0, 0.98662806)]
7
[(9, 0.59526855), (0, 0.9999963), (0, 0.998516)]
8
[(9, 0.35050395), (0, 0.99654144), (0, 0.8273753)]
9
[(9, 0.53683645), (0, 0.9992297), (0, 0.997826)]
10
[(9, 0.57056546), (0, 0.99848926), (0, 0.99106467)]
11
[(9, 0.5267388), (0, 0.99983096), (0, 0.9437003)]
12
[(9, 0.39611426), (0, 0.93098456), (0, 0.9050708)]
13
[(9, 0.3635742), (0, 0.99987006), (0, 0.99487007)]
14
[(9, 0.44840413), (0, 0.9927082), (0, 0.96086735)]
15
[(9, 0.45714042), (0, 0.8648557), (0, 0.5865172)]
16
[(9, 0.49647892), (0, 0.8864677), (0, 0.5092822)]
17
[(9, 0.44669846), (0, 0.98452204), (0, 0.9427757)]
18
[(9, 0.6228279), (0, 0.99999124), (0, 0.99

In [23]:
# Subset '2': model2 takes the first constructor slot; in the recorded output
# it is the model that moves to the target class, while model1 and model3 are
# meant to stay on the true class.
subset = '2'
cw_l2 = CarliniL2(sess, model2, model1, model3, attack=False)
adv = cw_l2.attack(inputs, targets)
# Stored under the *_precise_* file names shared with save_results_precise.
save_results(inputs, adv, targets, subset)

go up to 25
tick 0
tick 1
tick 2
tick 3
tick 4
tick 5
tick 6
tick 7
tick 8
tick 9
tick 10
tick 11
tick 12
tick 13
tick 14
tick 15
tick 16
tick 17
tick 18
tick 19
tick 20
tick 21
tick 22
tick 23
tick 24


In [24]:
# Report for subset '2'. Rows are always printed in model1, model2, model3
# order, whatever order the models were given to the attack constructor.
print_results(num_img=num_img, adv=adv, num_models=3, inputs=inputs, subset=subset)

0
[(0, 0.949981), (9, 0.35371003), (0, 0.99973315)]
1
[(0, 0.7860172), (9, 0.45371675), (2, 0.9482958)]
2
[(0, 0.985366), (9, 0.51956826), (0, 0.9953221)]
3
[(0, 0.40550864), (9, 0.4226886), (0, 0.9338928)]
4
[(0, 0.99278426), (9, 0.29947597), (0, 0.86252546)]
5
[(0, 0.99990886), (9, 0.48427084), (0, 0.9997358)]
6
[(5, 0.56410044), (9, 0.46782923), (5, 0.6929341)]
7
[(0, 0.86610043), (9, 0.4338147), (2, 0.59629667)]
8
[(0, 0.99722373), (9, 0.436116), (0, 0.96541)]
9
[(0, 0.9965535), (9, 0.6269359), (0, 0.99797547)]
10
[(0, 0.9817143), (9, 0.4500998), (0, 0.93468636)]
11
[(0, 0.99920404), (9, 0.48090297), (0, 0.9673972)]
12
[(0, 0.99853086), (9, 0.51875687), (0, 0.9981402)]
13
[(6, 0.6437766), (9, 0.58406806), (0, 0.96363956)]
14
[(0, 0.99643207), (9, 0.41628775), (0, 0.983547)]
15
[(0, 0.9963474), (9, 0.33507583), (0, 0.86467206)]
16
[(0, 0.99978393), (9, 0.5717415), (0, 0.64874524)]
17
[(0, 0.99547696), (9, 0.52722275), (2, 0.5256951)]
18
[(0, 0.77530146), (9, 0.6172821), (0, 0.999411

In [25]:
# Subset '3': model3 takes the first constructor slot; in the recorded output
# it is the model that moves to the target class, while model1 and model2 are
# meant to stay on the true class.
subset = '3'
cw_l2 = CarliniL2(sess, model3, model1, model2, attack=False)
adv = cw_l2.attack(inputs, targets)
# Stored under the *_precise_* file names shared with save_results_precise.
save_results(inputs, adv, targets, subset)

go up to 25
tick 0
tick 1
tick 2
tick 3
tick 4
tick 5
tick 6
tick 7
tick 8
tick 9
tick 10
tick 11
tick 12
tick 13
tick 14
tick 15
tick 16
tick 17
tick 18
tick 19
tick 20
tick 21
tick 22
tick 23
tick 24


In [26]:
# Report for subset '3'; check_correct runs with its default labels
# (target 9, true 0), matching this section's all-9 `targets`.
print_results(num_img=num_img, adv=adv, num_models=3, inputs=inputs, subset=subset)

0
[(0, 0.8467748), (0, 0.9976113), (9, 0.6117521)]
1
[(0, 0.9937953), (0, 0.9543954), (9, 0.47129753)]
2
[(0, 0.99813426), (0, 0.9990031), (9, 0.61823267)]
3
[(0, 0.81173986), (0, 0.9988991), (9, 0.44204438)]
4
[(0, 0.9984707), (0, 0.89241993), (9, 0.5816729)]
5
[(0, 0.9998487), (0, 0.9735053), (9, 0.57039475)]
6
[(0, 0.993304), (0, 0.9999938), (9, 0.62853765)]
7
[(0, 0.933812), (0, 0.99509966), (9, 0.6011878)]
8
[(0, 0.99982476), (0, 0.9991359), (9, 0.45399913)]
9
[(0, 0.98258334), (0, 0.9997511), (9, 0.6255183)]
10
[(0, 0.99746), (0, 0.9922415), (9, 0.5686123)]
11
[(0, 0.9989991), (0, 0.9976798), (9, 0.58147335)]
12
[(0, 0.9947899), (0, 0.998335), (9, 0.6247648)]
13
[(0, 0.99924225), (0, 0.9999991), (9, 0.6109549)]
14
[(0, 0.9896353), (0, 0.9876225), (9, 0.45578855)]
15
[(0, 0.965644), (0, 0.9959585), (9, 0.5183657)]
16
[(0, 0.99971133), (0, 0.981363), (9, 0.5051617)]
17
[(0, 0.90944064), (0, 0.9523251), (9, 0.4522745)]
18
[(5, 0.778101), (0, 0.99916905), (9, 0.6173192)]
19
[(0, 0.96

# Four Model Attack (2 Targets)
## A : (A, A, D)

In [27]:
from nn_robust_attacks.l2_attack_tri_single_double import CarliniL2

# Subset '12': with attack=True the recorded output shows the first two
# constructor models (model1, model2) moving to the target class, and the
# third (model3) is the one meant to keep the true class.
subset = '12'
cw_l2 = CarliniL2(sess, model1, model2, model3, attack=True)
adv = cw_l2.attack(inputs, targets)
# Stored under the *_precise_* file names shared with save_results_precise.
save_results(inputs, adv, targets, subset)

go up to 25
tick 0
tick 1
tick 2
tick 3
tick 4
tick 5
tick 6
tick 7
tick 8
tick 9
tick 10
tick 11
tick 12
tick 13
tick 14
tick 15
tick 16
tick 17
tick 18
tick 19
tick 20
tick 21
tick 22
tick 23
tick 24


In [28]:
# Report for subset '12'; an image counts only if model1 and model2 predict
# the target class and model3 still predicts the true class.
print_results(num_img=num_img, adv=adv, num_models=3, inputs=inputs, subset=subset)

0
[(9, 0.3824984), (9, 0.37668815), (0, 0.9959098)]
1
[(9, 0.35832846), (9, 0.4209774), (2, 0.83055305)]
2
[(9, 0.4390345), (9, 0.59577656), (0, 0.6395199)]
3
[(9, 0.38398322), (9, 0.33603352), (0, 0.943678)]
4
[(9, 0.273784), (9, 0.25826976), (3, 0.4928523)]
5
[(9, 0.6139722), (9, 0.46850076), (0, 0.952901)]
6
[(9, 0.49594647), (0, 0.9936137), (0, 0.8780544)]
7
[(9, 0.38620633), (9, 0.5338524), (0, 0.7553639)]
8
[(9, 0.44541487), (9, 0.39242074), (6, 0.4180638)]
9
[(9, 0.6238865), (0, 0.92844886), (0, 0.99558675)]
10
[(9, 0.43427056), (9, 0.42962372), (0, 0.86011606)]
11
[(9, 0.42286354), (9, 0.4324881), (2, 0.52672654)]
12
[(9, 0.61180234), (9, 0.5580177), (0, 0.99465114)]
13
[(9, 0.44865802), (9, 0.5397277), (2, 0.8573953)]
14
[(9, 0.4554763), (9, 0.4573705), (0, 0.9208268)]
15
[(9, 0.5883748), (9, 0.42116475), (2, 0.6187484)]
16
[(9, 0.46402216), (9, 0.58053046), (2, 0.9498767)]
17
[(9, 0.44860002), (9, 0.48902836), (0, 0.5813254)]
18
[(9, 0.6218228), (0, 0.7671981), (0, 0.97337645

In [29]:
# Subset '13': model1 and model3 fill the two leading constructor slots and
# model2 the third, so model2 is the one meant to keep the true class.
subset = '13'
cw_l2 = CarliniL2(sess, model1, model3, model2, attack=True)
adv = cw_l2.attack(inputs, targets)
# Stored under the *_precise_* file names shared with save_results_precise.
save_results(inputs, adv, targets, subset)

go up to 25
tick 0
tick 1
tick 2
tick 3
tick 4
tick 5
tick 6
tick 7
tick 8
tick 9
tick 10
tick 11
tick 12
tick 13
tick 14
tick 15
tick 16
tick 17
tick 18
tick 19
tick 20
tick 21
tick 22
tick 23
tick 24


In [30]:
# Report for subset '13'; an image counts only if model1 and model3 predict
# the target class and model2 still predicts the true class.
print_results(num_img=num_img, adv=adv, num_models=3, inputs=inputs, subset=subset)

0
[(9, 0.41511208), (0, 0.9948797), (9, 0.6395456)]
1
[(9, 0.41298515), (0, 0.5479139), (9, 0.6436556)]
2
[(9, 0.49351186), (0, 0.9993655), (9, 0.6949969)]
3
[(9, 0.43751758), (0, 0.97552836), (9, 0.55844206)]
4
[(9, 0.26696268), (0, 0.89330816), (9, 0.5347385)]
5
[(9, 0.4991471), (0, 0.93583274), (9, 0.7023665)]
6
[(9, 0.47274145), (0, 0.9999679), (9, 0.5835684)]
7
[(9, 0.57434), (0, 0.99998736), (9, 0.6250877)]
8
[(9, 0.44983515), (0, 0.99732006), (9, 0.5078943)]
9
[(9, 0.6197173), (0, 0.9990114), (9, 0.6267106)]
10
[(9, 0.47251558), (0, 0.94864637), (9, 0.52466667)]
11
[(9, 0.46084917), (0, 0.9971144), (9, 0.66652775)]
12
[(9, 0.58338517), (0, 0.9984222), (9, 0.7039394)]
13
[(9, 0.46767598), (0, 0.99963963), (9, 0.5853792)]
14
[(9, 0.44215995), (0, 0.7025754), (9, 0.42135412)]
15
[(9, 0.6207462), (0, 0.99928254), (9, 0.65162027)]
16
[(9, 0.43736702), (0, 0.9411561), (9, 0.47136626)]
17
[(9, 0.4864315), (0, 0.65756506), (9, 0.6271658)]
18
[(9, 0.6048867), (0, 0.99985915), (0, 0.58572

In [31]:
# Subset '23': model2 and model3 fill the two leading constructor slots and
# model1 the third, so model1 is the one meant to keep the true class.
subset = '23'
cw_l2 = CarliniL2(sess, model2, model3, model1, attack=True)
adv = cw_l2.attack(inputs, targets)
# Stored under the *_precise_* file names shared with save_results_precise.
save_results(inputs, adv, targets, subset)

go up to 25
tick 0
tick 1
tick 2
tick 3
tick 4
tick 5
tick 6
tick 7
tick 8
tick 9
tick 10
tick 11
tick 12
tick 13
tick 14
tick 15
tick 16
tick 17
tick 18
tick 19
tick 20
tick 21
tick 22
tick 23
tick 24


In [32]:
# Report for subset '23'; an image counts only if model2 and model3 predict
# the target class and model1 still predicts the true class.
print_results(num_img=num_img, adv=adv, num_models=3, inputs=inputs, subset=subset)

0
[(0, 0.67484885), (9, 0.43171215), (9, 0.59564936)]
1
[(0, 0.9101144), (9, 0.4463734), (9, 0.5151157)]
2
[(0, 0.99827147), (9, 0.61965126), (9, 0.60002536)]
3
[(0, 0.5083779), (9, 0.42791343), (9, 0.4555713)]
4
[(0, 0.99676883), (9, 0.28839815), (9, 0.56435347)]
5
[(0, 0.9999612), (9, 0.57807964), (0, 0.80584484)]
6
[(5, 0.8337991), (9, 0.42010862), (9, 0.48729944)]
7
[(0, 0.9838441), (9, 0.53089696), (9, 0.64563245)]
8
[(0, 0.99828786), (9, 0.6036297), (9, 0.5265877)]
9
[(0, 0.99568456), (9, 0.61956763), (9, 0.66511124)]
10
[(0, 0.9979577), (9, 0.5512138), (9, 0.6182271)]
11
[(0, 0.99932724), (9, 0.53451324), (9, 0.6080404)]
12
[(0, 0.99556315), (9, 0.44573927), (9, 0.67349845)]
13
[(0, 0.9976284), (9, 0.6211972), (9, 0.7335409)]
14
[(0, 0.98249465), (9, 0.4153106), (9, 0.50588304)]
15
[(0, 0.9860785), (9, 0.39389217), (9, 0.5120828)]
16
[(0, 0.99987257), (9, 0.6133369), (9, 0.5946044)]
17
[(0, 0.9682597), (9, 0.47527885), (9, 0.39640942)]
18
[(0, 0.9929605), (9, 0.6240797), (9, 0.6

# Three Model Attack (3 Targets)
## A : (A, A, A)

In [34]:
from nn_robust_attacks.l2_attack_tri_all import CarliniL2

In [36]:
# Subset '123': this CarliniL2 comes from l2_attack_tri_all and takes no
# `attack` flag; all three models are meant to reach the target class.
subset = '123'
cw_l2 = CarliniL2(sess, model1, model2, model3)
adv = cw_l2.attack(inputs, targets)
# Stored under the *_precise_* file names shared with save_results_precise.
save_results(inputs, adv, targets, subset)

go up to 25
tick 0
tick 1
tick 2
tick 3
tick 4
tick 5
tick 6
tick 7
tick 8
tick 9
tick 10
tick 11
tick 12
tick 13
tick 14
tick 15
tick 16
tick 17
tick 18
tick 19
tick 20
tick 21
tick 22
tick 23
tick 24


In [37]:
# Report for subset '123'; an image counts only if all three models predict
# the target class.
print_results(num_img=num_img, adv=adv, num_models=3, inputs=inputs, subset=subset)

0
[(9, 0.4083145), (9, 0.48559606), (9, 0.64010376)]
1
[(9, 0.32987833), (9, 0.32980576), (9, 0.9914405)]
2
[(9, 0.49522084), (9, 0.5186061), (9, 0.9635328)]
3
[(9, 0.36391404), (0, 0.90404516), (0, 0.504534)]
4
[(9, 0.25159082), (9, 0.2123195), (9, 0.60969555)]
5
[(9, 0.5183968), (9, 0.92208), (9, 0.93999016)]
6
[(9, 0.5059434), (0, 0.9929944), (9, 0.53836393)]
7
[(9, 0.52457964), (0, 0.52299535), (9, 0.68112826)]
8
[(9, 0.5018914), (9, 0.5786265), (9, 0.94680333)]
9
[(9, 0.52567023), (0, 0.5089842), (9, 0.8507797)]
10
[(9, 0.48956633), (9, 0.48323366), (9, 0.7326973)]
11
[(9, 0.51266044), (0, 0.5019511), (9, 0.9943257)]
12
[(9, 0.5173443), (9, 0.50027543), (9, 0.9526575)]
13
[(9, 0.5123826), (0, 0.50281537), (9, 0.98374975)]
14
[(9, 0.3475652), (0, 0.43061373), (9, 0.9080536)]
15
[(9, 0.52426517), (9, 0.48847142), (9, 0.9108487)]
16
[(9, 0.3933988), (9, 0.9952365), (9, 0.9959925)]
17
[(9, 0.420876), (0, 0.40872413), (9, 0.63030505)]
18
[(9, 0.52406985), (0, 0.943961), (9, 0.58543086)

## Precise Attacks

In [24]:
from numpy import savetxt

def save_results_precise(inputs, adv, subset_attacked):
    """Persist the source and adversarial images of one precise-target run.

    subset_attacked: string label of the run; it is spliced into both file
        names. np.save appends '.npy', so the files end in '.csv.npy' and are
        NumPy binaries, not CSV text.

    Target arrays are not written by this helper.

    NOTE(review): both paths are identical to the ones save_results writes for
    the same label, so a precise run replaces the arrays of the earlier
    same-label run.
    """
    suffix = subset_attacked + '.csv'
    np.save('three_subset_data/inputs_precise_' + '_' + suffix, inputs)
    np.save('three_subset_data/adv_precise_' + suffix, adv)

In [25]:
from random import choice

def random_lab():
    """Draw a random class label from 1..8 as a plain int.

    Class 0 is excluded from the draw.

    NOTE(review): the upper bound stops at 8, so class 9 can never be drawn;
    confirm that is intended. The draw uses the unseeded global `random`
    state, so regenerated targets differ from run to run.
    """
    candidates = list(range(1, 9))
    return int(choice(candidates))

In [26]:
num_img = 25

# The triple-quoted block below is a string literal, not live code: it records
# how the three target arrays were originally drawn with random_lab() and
# zero-padded to ten columns. It is never executed, so this cell depends on
# the .npy files loaded underneath already existing on disk.
'''
lab = to_categorical(random_lab())
targets = np.array([np.pad(lab, (0, 10 - len(lab)), 'constant')])
for i in range(0, num_img - 1):
    lab = to_categorical(random_lab())
    targets = np.vstack([targets, np.pad(lab, (0, 10 - len(lab)), 'constant')])

lab = to_categorical(random_lab())
targets2 = np.array([np.pad(lab, (0, 10 - len(lab)), 'constant')])
for i in range(0, num_img - 1):
    lab = to_categorical(random_lab())
    targets2 = np.vstack([targets2, np.pad(lab, (0, 10 - len(lab)), 'constant')])
    
lab = to_categorical(random_lab())
targets3 = np.array([np.pad(lab, (0, 10 - len(lab)), 'constant')])
for i in range(0, num_img - 1):
    lab = to_categorical(random_lab())
    targets3 = np.vstack([targets3, np.pad(lab, (0, 10 - len(lab)), 'constant')])
'''
# Reload the fixed target arrays and source images so that every precise run
# below works on the same data. This rebinds `targets` and `inputs`, replacing
# the all-9 targets used in the sections above.
# NOTE(review): 'targets_precise_1.csv.npy' is also the path save_results
# writes for subset '1', so re-running that earlier cell replaces this file.
# np.load is left at its default of refusing pickled object arrays.
targets = np.load('three_subset_data/targets_precise_1.csv.npy')
targets2 = np.load('three_subset_data/targets2_precise_1.csv.npy')
targets3 = np.load('three_subset_data/targets3_precise_1.csv.npy')
inputs = np.load('three_subset_data/inputs_precise__123.csv.npy')

## Attack Two

In [45]:
from nn_robust_attacks.l2_attack_tri_single_double_precise import CarliniL2

# Precise subset '12': model2 and model1 fill the two leading constructor
# slots and model3 the third. Two target arrays are supplied; judging by the
# recorded output, `targets` pairs with the first model and `targets2` with
# the second.
subset = '12'
cw_l2 = CarliniL2(sess, model2, model1, model3, attack=True)
adv = cw_l2.attack(inputs, targets, targets2)
save_results_precise(inputs, adv, subset)

go up to 25
tick 0
tick 1
tick 2
tick 3
tick 4
tick 5
tick 6
tick 7
tick 8
tick 9
tick 10
tick 11
tick 12
tick 13
tick 14
tick 15
tick 16
tick 17
tick 18
tick 19
tick 20
tick 21
tick 22
tick 23
tick 24


In [46]:
# NOTE(review): print_results calls check_correct with its default target
# label '9', while this section's targets are per-image labels loaded from
# disk, so the printed index list does not measure success against them.
print_results(num_img=num_img, adv=adv, num_models=3, inputs=inputs, subset=subset)

0
[(2, 0.22751673), (8, 0.22732571), (0, 0.7803579)]
1
[(7, 0.3322462), (1, 0.3574647), (2, 0.6218517)]
2
[(0, 0.8930859), (2, 0.4264366), (0, 0.5463271)]
3
[(2, 0.37693205), (8, 0.4306687), (0, 0.51211053)]
4
[(4, 0.4077864), (8, 0.31073156), (0, 0.7990739)]
5
[(0, 0.42775023), (1, 0.41099614), (0, 0.87197924)]
6
[(3, 0.39889795), (3, 0.51777273), (0, 0.5144189)]
7
[(0, 0.22569248), (4, 0.41936544), (0, 0.9638265)]
8
[(0, 0.9881447), (5, 0.6150648), (0, 0.9813182)]
9
[(4, 0.39888075), (4, 0.27482176), (2, 0.54785514)]
10
[(6, 0.34902298), (1, 0.34935698), (0, 0.8263409)]
11
[(0, 0.92953575), (5, 0.36190605), (9, 0.7181346)]
12
[(7, 0.40337187), (6, 0.31083682), (9, 0.7171918)]
13
[(6, 0.414838), (2, 0.62524784), (0, 0.770006)]
14
[(5, 0.6279868), (3, 0.43044078), (0, 0.704282)]
15
[(2, 0.5774342), (3, 0.457123), (2, 0.7180475)]
16
[(0, 0.8533173), (2, 0.40184626), (0, 0.7498372)]
17
[(5, 0.42841783), (6, 0.45378312), (0, 0.9035122)]
18
[(1, 0.28076157), (6, 0.37688297), (0, 0.9992152)

In [47]:
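# Precise subset '13': model1 and model3 take the two leading constructor
# slots and model2 the third, the same ordering this notebook uses for subset
# '13' in its single-target section. Passing (model2, model1, model3) here
# would rerun the subset '12' experiment under a '13' label and store a
# duplicate of its arrays.
# NOTE(review): `targets` is assumed to pair with the first model and
# `targets2` with the second; confirm against
# l2_attack_tri_single_double_precise.
subset = '13'
cw_l2 = CarliniL2(sess, model1, model3, model2, attack=True)
adv = cw_l2.attack(inputs, targets, targets2)
save_results_precise(inputs, adv, subset)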

go up to 25
tick 0
tick 1
tick 2
tick 3
tick 4
tick 5
tick 6
tick 7
tick 8
tick 9
tick 10
tick 11
tick 12
tick 13
tick 14
tick 15
tick 16
tick 17
tick 18
tick 19
tick 20
tick 21
tick 22
tick 23
tick 24


In [48]:
# NOTE(review): check_correct inside print_results compares against its
# default target label '9', not the per-image targets of this section, so the
# printed index list is not a success measure for this run.
print_results(num_img=num_img, adv=adv, num_models=3, inputs=inputs, subset=subset)

0
[(2, 0.22751673), (8, 0.22732571), (0, 0.7803579)]
1
[(7, 0.3322462), (1, 0.3574647), (2, 0.6218517)]
2
[(0, 0.8930859), (2, 0.4264366), (0, 0.5463271)]
3
[(2, 0.37693205), (8, 0.4306687), (0, 0.51211053)]
4
[(4, 0.4077864), (8, 0.31073156), (0, 0.7990739)]
5
[(0, 0.42775023), (1, 0.41099614), (0, 0.87197924)]
6
[(3, 0.39889795), (3, 0.51777273), (0, 0.5144189)]
7
[(0, 0.22569248), (4, 0.41936544), (0, 0.9638265)]
8
[(0, 0.9881447), (5, 0.6150648), (0, 0.9813182)]
9
[(4, 0.39888075), (4, 0.27482176), (2, 0.54785514)]
10
[(6, 0.34902298), (1, 0.34935698), (0, 0.8263409)]
11
[(0, 0.92953575), (5, 0.36190605), (9, 0.7181346)]
12
[(7, 0.40337187), (6, 0.31083682), (9, 0.7171918)]
13
[(6, 0.414838), (2, 0.62524784), (0, 0.770006)]
14
[(5, 0.6279868), (3, 0.43044078), (0, 0.704282)]
15
[(2, 0.5774342), (3, 0.457123), (2, 0.7180475)]
16
[(0, 0.8533173), (2, 0.40184626), (0, 0.7498372)]
17
[(5, 0.42841783), (6, 0.45378312), (0, 0.9035122)]
18
[(1, 0.28076157), (6, 0.37688297), (0, 0.9992152)

In [49]:
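# Precise subset '23': model2 and model3 take the two leading constructor
# slots and model1 the third, the same ordering this notebook uses for subset
# '23' in its single-target section. Passing (model2, model1, model3) here
# would rerun the subset '12' experiment under a '23' label and store a
# duplicate of its arrays.
# NOTE(review): `targets` is assumed to pair with the first model and
# `targets2` with the second; confirm against
# l2_attack_tri_single_double_precise.
subset = '23'
cw_l2 = CarliniL2(sess, model2, model3, model1, attack=True)
adv = cw_l2.attack(inputs, targets, targets2)
save_results_precise(inputs, adv, subset)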

go up to 25
tick 0
tick 1
tick 2
tick 3
tick 4
tick 5
tick 6
tick 7
tick 8
tick 9
tick 10
tick 11
tick 12
tick 13
tick 14
tick 15
tick 16
tick 17
tick 18
tick 19
tick 20
tick 21
tick 22
tick 23
tick 24


In [50]:
# NOTE(review): check_correct inside print_results compares against its
# default target label '9', not the per-image targets of this section, so the
# printed index list is not a success measure for this run.
print_results(num_img=num_img, adv=adv, num_models=3, inputs=inputs, subset=subset)

0
[(2, 0.22751673), (8, 0.22732571), (0, 0.7803579)]
1
[(7, 0.3322462), (1, 0.3574647), (2, 0.6218517)]
2
[(0, 0.8930859), (2, 0.4264366), (0, 0.5463271)]
3
[(2, 0.37693205), (8, 0.4306687), (0, 0.51211053)]
4
[(4, 0.4077864), (8, 0.31073156), (0, 0.7990739)]
5
[(0, 0.42775023), (1, 0.41099614), (0, 0.87197924)]
6
[(3, 0.39889795), (3, 0.51777273), (0, 0.5144189)]
7
[(0, 0.22569248), (4, 0.41936544), (0, 0.9638265)]
8
[(0, 0.9881447), (5, 0.6150648), (0, 0.9813182)]
9
[(4, 0.39888075), (4, 0.27482176), (2, 0.54785514)]
10
[(6, 0.34902298), (1, 0.34935698), (0, 0.8263409)]
11
[(0, 0.92953575), (5, 0.36190605), (9, 0.7181346)]
12
[(7, 0.40337187), (6, 0.31083682), (9, 0.7171918)]
13
[(6, 0.414838), (2, 0.62524784), (0, 0.770006)]
14
[(5, 0.6279868), (3, 0.43044078), (0, 0.704282)]
15
[(2, 0.5774342), (3, 0.457123), (2, 0.7180475)]
16
[(0, 0.8533173), (2, 0.40184626), (0, 0.7498372)]
17
[(5, 0.42841783), (6, 0.45378312), (0, 0.9035122)]
18
[(1, 0.28076157), (6, 0.37688297), (0, 0.9992152)

## Attack Three

In [24]:
from nn_robust_attacks.l2_attack_tri_all_precise import CarliniL2

# Precise subset '123': this CarliniL2 comes from l2_attack_tri_all_precise
# and receives one target array per model.
# NOTE(review): the arrays presumably pair with model1, model2, model3 in
# argument order; confirm against that module.
subset = '123'
cw_l2 = CarliniL2(sess, model1, model2, model3)
adv = cw_l2.attack(inputs, targets, targets2, targets3)

In [31]:
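# save_results_precise as defined in this notebook accepts exactly
# (inputs, adv, subset_attacked); passing the three target arrays as well
# raises TypeError on a fresh run. The targets are not written by this helper;
# they are the arrays loaded from three_subset_data/ earlier in this section.
save_results_precise(inputs, adv, subset)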

In [32]:
# NOTE(review): check_correct inside print_results compares all three models
# against its default target label '9', while this run gave each model its
# own per-image target, so the printed index list is not a success measure.
print_results(num_img=num_img, adv=adv, num_models=3, inputs=inputs, subset=subset)

0

[(8, 0.22931163), (0, 0.24119292), (2, 0.49734968)]
1
[(1, 0.2774371), (2, 0.3460972), (2, 0.4450813)]
2
[(2, 0.34723264), (6, 0.4957799), (6, 0.33089155)]
3
[(8, 0.51334786), (0, 0.7680857), (0, 0.9236573)]
4
[(8, 0.22148012), (2, 0.3232478), (2, 0.50041735)]
5
[(1, 0.32832178), (1, 0.27326328), (0, 0.32707277)]
6
[(3, 0.290025), (0, 0.9595372), (0, 0.44787318)]
7
[(4, 0.4247916), (2, 0.49607393), (0, 0.42440605)]
8
[(5, 0.5251935), (0, 0.5150743), (0, 0.60387456)]
9
[(4, 0.24926613), (9, 0.24031255), (9, 0.20975932)]
10
[(1, 0.26685163), (2, 0.27023965), (3, 0.31509104)]
11
[(5, 0.5192941), (5, 0.32737496), (9, 0.32016718)]
12
[(6, 0.3224034), (7, 0.23304516), (0, 0.24503112)]
13
[(2, 0.38263765), (0, 0.9869019), (0, 0.5410768)]
14
[(3, 0.35673776), (5, 0.4343168), (2, 0.522454)]
15
[(3, 0.26290148), (2, 0.91570514), (5, 0.36093426)]
16
[(2, 0.5115148), (2, 0.35788184), (2, 0.35904416)]
17
[(6, 0.44213966), (5, 0.42149654), (0, 0.36507797)]
18
[(6, 0.5256549), (0, 0.99981654), (0,

## Attack One

In [27]:
from nn_robust_attacks.l2_attack_tri_single_double import CarliniL2

In [51]:
# Precise subset '1': model1 in the first constructor slot with attack=False,
# using the per-image `targets` loaded from disk earlier in this section.
subset = '1'
cw_l2 = CarliniL2(sess, model1, model2, model3, attack=False)
adv = cw_l2.attack(inputs, targets)
save_results_precise(inputs, adv, subset)

go up to 25
tick 0
tick 1
tick 2
tick 3
tick 4
tick 5
tick 6
tick 7
tick 8
tick 9
tick 10
tick 11
tick 12
tick 13
tick 14
tick 15
tick 16
tick 17
tick 18
tick 19
tick 20
tick 21
tick 22
tick 23
tick 24


In [52]:
# NOTE(review): check_correct inside print_results compares against its
# default target label '9', not the per-image targets of this section, so the
# printed index list is not a success measure for this run.
print_results(num_img=num_img, adv=adv, num_models=3, inputs=inputs, subset=subset)

0
[(8, 0.3192493), (0, 0.5126946), (0, 0.98637205)]
1
[(1, 0.35620135), (0, 0.8146885), (0, 0.96919197)]
2
[(2, 0.56046146), (0, 0.99085766), (9, 0.7058627)]
3
[(8, 0.44482234), (0, 0.9912154), (0, 0.98214376)]
4
[(8, 0.4535975), (0, 0.9957376), (0, 0.9991999)]
5
[(1, 0.40509117), (0, 0.89075834), (0, 0.91423243)]
6
[(3, 0.29764992), (0, 0.99991965), (0, 0.9955644)]
7
[(4, 0.5546381), (0, 0.99999595), (0, 0.99558544)]
8
[(5, 0.60314536), (0, 0.99714166), (0, 0.999078)]
9
[(4, 0.45856094), (0, 0.9984247), (0, 0.9439026)]
10
[(1, 0.3444604), (0, 0.70912725), (2, 0.92240524)]
11
[(5, 0.6219305), (0, 0.9998321), (0, 0.9985762)]
12
[(6, 0.52176476), (5, 0.5485437), (0, 0.99392265)]
13
[(2, 0.46580032), (0, 0.9999946), (0, 0.9994785)]
14
[(3, 0.4453181), (0, 0.99801064), (0, 0.94418955)]
15
[(3, 0.40218395), (0, 0.881091), (0, 0.9363208)]
16
[(2, 0.43446115), (0, 0.6298853), (0, 0.99364483)]
17
[(6, 0.57816535), (0, 0.92578584), (0, 0.9232029)]
18
[(6, 0.6118071), (0, 0.99999166), (0, 0.9993

In [53]:
# Precise subset '2': model2 in the first constructor slot with attack=False,
# using the per-image `targets` loaded from disk earlier in this section.
subset = '2'
cw_l2 = CarliniL2(sess, model2, model1, model3, attack=False)
adv = cw_l2.attack(inputs, targets)

In [54]:
# Store the source and adversarial arrays of the run above under its subset
# label; the target arrays are not written by this helper.
save_results_precise(inputs=inputs, adv=adv, subset_attacked=subset)

In [55]:
# NOTE(review): check_correct inside print_results compares against its
# default target label '9', not the per-image targets of this section, so the
# printed index list is not a success measure for this run.
print_results(num_img=num_img, adv=adv, num_models=3, inputs=inputs, subset=subset)

0
[(0, 0.6695675), (8, 0.2518022), (0, 0.94396573)]
1
[(0, 0.985698), (1, 0.34053022), (0, 0.8177963)]
2
[(0, 0.9837795), (2, 0.36068037), (0, 0.68485665)]
3
[(0, 0.6205043), (8, 0.3977573), (0, 0.9047545)]
4
[(0, 0.99628633), (8, 0.3582933), (0, 0.96911097)]
5
[(0, 0.9999589), (1, 0.4441792), (0, 0.9976232)]
6
[(0, 0.94509697), (3, 0.4540281), (0, 0.959745)]
7
[(0, 0.9915913), (4, 0.4031553), (0, 0.96672136)]
8
[(0, 0.99968714), (5, 0.4635133), (0, 0.9981708)]
9
[(0, 0.9397759), (4, 0.25750566), (0, 0.7367805)]
10
[(0, 0.9625412), (1, 0.34394836), (0, 0.76938426)]
11
[(0, 0.9998545), (5, 0.5819696), (0, 0.98804194)]
12
[(0, 0.9501584), (6, 0.35192397), (9, 0.7923705)]
13
[(0, 0.9897953), (2, 0.5312077), (9, 0.7642507)]
14
[(0, 0.99832076), (3, 0.44684646), (0, 0.94883734)]
15
[(0, 0.9909736), (3, 0.44588473), (0, 0.70803165)]
16
[(0, 0.99922794), (2, 0.46438506), (0, 0.95499855)]
17
[(0, 0.9529043), (6, 0.51016074), (0, 0.76186794)]
18
[(0, 0.84735674), (6, 0.44186687), (0, 0.9989421)

In [28]:
# Precise subset '3': model3 in the first constructor slot with attack=False,
# using the per-image `targets` loaded from disk earlier in this section.
subset = '3'
cw_l2 = CarliniL2(sess, model3, model1, model2, attack=False)
adv = cw_l2.attack(inputs, targets)
save_results_precise(inputs, adv, subset)



Instructions for updating:
Use tf.where in 2.0, which has the same broadcast rule as np.where

go up to 25
tick 0
tick 1
tick 2
tick 3
tick 4
tick 5
tick 6
tick 7
tick 8
tick 9
tick 10
tick 11
tick 12
tick 13
tick 14
tick 15
tick 16
tick 17
tick 18
tick 19
tick 20
tick 21
tick 22
tick 23
tick 24


In [29]:
# NOTE(review): check_correct inside print_results compares against its
# default target label '9', not the per-image targets of this section, so the
# printed index list is not a success measure for this run.
print_results(num_img=num_img, adv=adv, num_models=3, inputs=inputs, subset=subset)

0

[(0, 0.8642509), (0, 0.993336), (8, 0.39542022)]
1
[(0, 0.997655), (0, 0.9982135), (1, 0.35073206)]
2
[(0, 0.9893363), (0, 0.97136325), (2, 0.52278614)]
3
[(4, 0.6443389), (0, 0.962155), (8, 0.41533786)]
4
[(0, 0.995052), (0, 0.95089847), (8, 0.33963168)]
5
[(0, 0.99368197), (0, 0.9920444), (1, 0.295053)]
6
[(0, 0.5084786), (0, 0.99991626), (3, 0.28589544)]
7
[(0, 0.9526039), (0, 0.9997382), (4, 0.39805132)]
8
[(0, 0.99996036), (0, 0.99988353), (5, 0.6198326)]
9
[(0, 0.9854913), (0, 0.9958635), (4, 0.4065512)]
10
[(0, 0.8077627), (0, 0.6010343), (1, 0.29761037)]
11
[(0, 0.99947685), (0, 0.9866587), (5, 0.4516323)]
12
[(0, 0.80067897), (0, 0.86469895), (6, 0.3553055)]
13
[(0, 0.975245), (0, 0.99983597), (2, 0.47023854)]
14
[(0, 0.9961983), (0, 0.96264774), (3, 0.36411116)]
15
[(0, 0.95416987), (0, 0.7905536), (3, 0.44605315)]
16
[(0, 0.9963096), (5, 0.51735395), (2, 0.5948621)]
17
[(0, 0.83702356), (0, 0.83570385), (6, 0.37106773)]
18
[(0, 0.79769176), (0, 0.9938373), (6, 0.4361939)]