-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathtarget_mi_fgsm_attack.py
184 lines (152 loc) · 6.99 KB
/
target_mi_fgsm_attack.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
import os
import numpy as np
import pandas as pd
import tensorflow as tf
import imageio
from PIL import Image
from scipy.misc import imresize
from tensorflow.contrib.slim.nets import resnet_v1, inception, vgg
slim = tf.contrib.slim
# 声明一些攻击参数
CHECKPOINTS_DIR = '/Users/yuqiang/Undergraduate/2019/AI/data/checkpoints/'
model_checkpoint_map = {
'inception_v1': os.path.join(CHECKPOINTS_DIR,'inception_v1', 'inception_v1.ckpt'),
'resnet_v1_50': os.path.join(CHECKPOINTS_DIR, 'resnet_v1_50','model.ckpt-49800'),
'vgg_16': os.path.join(CHECKPOINTS_DIR, 'vgg_16', 'vgg_16.ckpt')}
input_dir = ''
output = ''
max_epsilon = 32.0
num_iter = 20
batch_size = 11
momentum = 1.0
# 在图片数据输入模型前,做一些预处理
def preprocess_for_model(images, model_type):
if 'inception' in model_type.lower():
images = tf.image.resize_bilinear(images, [224, 224], align_corners=False)
# tensor-scalar operation
images = (images / 255.0) * 2.0 - 1.0
return images
if 'resnet' in model_type.lower() or 'vgg' in model_type.lower():
_R_MEAN = 123.68
_G_MEAN = 116.78
_B_MEAN = 103.94
images = tf.image.resize_bilinear(images, [224, 224], align_corners=False)
tmp_0 = images[:, :, :, 0] - _R_MEAN
tmp_1 = images[:, :, :, 1] - _G_MEAN
tmp_2 = images[:, :, :, 2] - _B_MEAN
images = tf.stack([tmp_0, tmp_1, tmp_2], 3)
return images
def load_images_with_target_label(input_dir):
images = []
filenames = []
target_labels = []
idx = 0
dev = pd.read_csv(os.path.join(input_dir, 'dev.csv'))
filename2label = {dev.iloc[i]['filename'] : dev.iloc[i]['targetedLabel'] for i in range(len(dev))}
for filename in filename2label.keys():
image = imageio.imread(os.path.join(input_dir, filename), pilmode='RGB')
images.append(image)
filenames.append(filename)
target_labels.append(filename2label[filename])
idx += 1
if idx == 11:
images = np.array(images)
yield filenames, images, target_labels
filenames = []
images = []
target_labels = []
idx = 0
if idx > 0:
images = np.array(images)
yield filenames, images, target_labels
def save_images(images, filenames, output_dir):
for i, filename in enumerate(filenames):
image = (((images[i] + 1.0) * 0.5) * 255.0).astype(np.uint8)
# resize back to [299, 299]
image = image.resize((299, 299))
Image.fromarray(image).save(os.path.join(output_dir, filename), format='PNG')
def check_or_create_dir(directory):
"""Check if directory exists otherwise create it."""
if not os.path.exists(directory):
os.makedirs(directory)
def target_graph(x, y, i, x_max, x_min, grad):
eps = 2.0 * max_epsilon / 255.0
alpha = eps / num_iter
num_classes = 110
with slim.arg_scope(inception.inception_v1_arg_scope()):
logits_inc_v1, end_points_inc_v1 = inception.inception_v1(
x, num_classes=num_classes, is_training=False, scope='InceptionV1')
# rescale pixle range from [-1, 1] to [0, 255] for resnet_v1 and vgg's input
image = (((x + 1.0) * 0.5) * 255.0)
processed_imgs_res_v1_50 = preprocess_for_model(image, 'resnet_v1_50')
with slim.arg_scope(resnet_v1.resnet_arg_scope()):
logits_res_v1_50, end_points_res_v1_50 = resnet_v1.resnet_v1_50(
processed_imgs_res_v1_50, num_classes=num_classes, is_training=False, scope='resnet_v1_50')
end_points_res_v1_50['logits'] = tf.squeeze(end_points_res_v1_50['resnet_v1_50/logits'], [1, 2])
end_points_res_v1_50['probs'] = tf.nn.softmax(end_points_res_v1_50['logits'])
# image = (((x + 1.0) * 0.5) * 255.0)#.astype(np.uint8)
processed_imgs_vgg_16 = preprocess_for_model(image, 'vgg_16')
with slim.arg_scope(vgg.vgg_arg_scope()):
logits_vgg_16, end_points_vgg_16 = vgg.vgg_16(
processed_imgs_vgg_16, num_classes=num_classes, is_training=False, scope='vgg_16')
end_points_vgg_16['logits'] = end_points_vgg_16['vgg_16/fc8']
end_points_vgg_16['probs'] = tf.nn.softmax(end_points_vgg_16['logits'])
########################
one_hot = tf.one_hot(y, num_classes)
########################
logits = (end_points_inc_v1['Logits'] + end_points_res_v1_50['logits'] + end_points_vgg_16['logits']) / 3.0
cross_entropy = tf.losses.softmax_cross_entropy(one_hot,
logits,
label_smoothing=0.0,
weights=1.0)
noise = tf.gradients(cross_entropy, x)[0]
noise = noise / tf.reshape(
tf.contrib.keras.backend.std(tf.reshape(noise, [batch_size, -1]), axis=1),
[batch_size, 1, 1, 1])
noise = momentum * grad + noise
noise = noise / tf.reshape(
tf.contrib.keras.backend.std(tf.reshape(noise, [batch_size, -1]), axis=1),
[batch_size, 1, 1, 1])
x = x - alpha * tf.clip_by_value(tf.round(noise), -2, 2)
x = tf.clip_by_value(x, x_min, x_max)
i = tf.add(i, 1)
return x, y, i, x_max, x_min, noise
def stop(x, y, i, x_max, x_min, grad):
return tf.less(i, num_iter)
# Momentum Iterative FGSM
def target_mi_fgsm_attack(input_dir, output_dir):
# some parameter
eps = 2.0 * max_epsilon / 255.0
batch_shape = [batch_size, 224, 224, 3]
check_or_create_dir(output_dir)
with tf.Graph().as_default():
# Prepare graph
raw_inputs = tf.placeholder(tf.uint8, shape=[None, 299, 299, 3])
# preprocessing for model input,
# note that images for all classifier will be normalized to be in [-1, 1]
processed_imgs = preprocess_for_model(raw_inputs, 'inception_v1')
x_input = tf.placeholder(tf.float32, shape=batch_shape)
x_max = tf.clip_by_value(x_input + eps, -1.0, 1.0)
x_min = tf.clip_by_value(x_input - eps, -1.0, 1.0)
# y = tf.constant(np.zeros([batch_size]), tf.int64)
y = tf.placeholder(tf.int32, shape=[batch_size])
i = tf.constant(0)
grad = tf.zeros(shape=batch_shape)
x_adv, _, _, _, _, _ = tf.while_loop(stop, target_graph, [x_input, y, i, x_max, x_min, grad])
# Run computation
s1 = tf.train.Saver(slim.get_model_variables(scope='InceptionV1'))
s2 = tf.train.Saver(slim.get_model_variables(scope='resnet_v1_50'))
s3 = tf.train.Saver(slim.get_model_variables(scope='vgg_16'))
with tf.Session() as sess:
s1.restore(sess, model_checkpoint_map['inception_v1'])
s2.restore(sess, model_checkpoint_map['resnet_v1_50'])
s3.restore(sess, model_checkpoint_map['vgg_16'])
for filenames, raw_images, target_labels in load_images_with_target_label(input_dir):
processed_imgs_ = sess.run(processed_imgs, feed_dict={raw_inputs: raw_images})
adv_images = sess.run(x_adv, feed_dict={x_input: processed_imgs_, y: target_labels})
save_images(adv_images, filenames, output_dir)
if __name__ == '__main__':
input_dir = '/Users/yuqiang/Undergraduate/2019/AI/dev_data'
output_dir = '/Users/yuqiang/Undergraduate/2019/AI/output'
target_mi_fgsm_attack(input_dir, output_dir)
pass