gongzhitaao / tensorflow-adversarial Goto Github PK

Hi,

This is Bala. I have a query regarding adversarial attack.

Is there any adversarial attack that sustains/consists of added noise, after resize attack ? (adversarial image -> converting into High / low resolution image -> resize to original adverarial image size)

Thanks,
Bala

For a typical example

Human may read it as "4" only because we know it's handwriting. And handwriting is done with a pen, and written by strokes.

If I tell you this is not written by hand, but printed by a printer.
You probably tell me it's definitely a "9" not a "4".
(And you might use your common sense, that a printer might lack ink.)

If I just tell myself, they are not handwritings, they are prints, ink sprayed on water or paper made of rubber, many examples doesn't look strange anymore.

So the difference is probably in the training data.

TypeError: call() got an unexpected keyword argument 'logits'

I looked for dependencies part in the readme but didn't see it. I wondered which version of tensorflow this code is working on?

when i run the example fgsm_mnist, error happened: ImportError: No module named 'attacks'

hello，I want to test the jsma function,but I can't find ex_01.py in the repertory，so can you give me your ex_01.py?Thank you very much!!!

I try to use the code to attack models implemented in Keras. There is no problem when using fgsm. However, when I use deepfool, I get an error:
Traceback (most recent call last):
File "attack_mnist_keras.py", line 136, in
main()
File "attack_mnist_keras.py", line 127, in main
x_deepfool = deepfool(classifier_attack, x, epochs=3)
File "/home/wangxiaosen/attack_gan/attack_keras/deepfool.py", line 50, in deepfool
name='deepfool')
File "/opt/anaconda/anaconda3/lib/python3.6/site-packages/tensorflow/python/ops/functional_ops.py", line 423, in map_fn
swap_memory=swap_memory)
File "/opt/anaconda/anaconda3/lib/python3.6/site-packages/tensorflow/python/ops/control_flow_ops.py", line 3224, in while_loop
result = loop_context.BuildLoop(cond, body, loop_vars, shape_invariants)
File "/opt/anaconda/anaconda3/lib/python3.6/site-packages/tensorflow/python/ops/control_flow_ops.py", line 2956, in BuildLoop
pred, body, original_loop_vars, loop_vars, shape_invariants)
File "/opt/anaconda/anaconda3/lib/python3.6/site-packages/tensorflow/python/ops/control_flow_ops.py", line 2893, in _BuildLoop
body_result = body(*packed_vars_for_body)
File "/opt/anaconda/anaconda3/lib/python3.6/site-packages/tensorflow/python/ops/functional_ops.py", line 413, in compute
packed_fn_values = fn(packed_values)
File "/home/wangxiaosen/attack_gan/attack_keras/deepfool.py", line 46, in _f
clip_max=clip_max, min_prob=min_prob)
File "/home/wangxiaosen/attack_gan/attack_keras/deepfool.py", line 165, in _deepfoolx
name='_deepfoolx', back_prop=False)
File "/opt/anaconda/anaconda3/lib/python3.6/site-packages/tensorflow/python/ops/control_flow_ops.py", line 3224, in while_loop
result = loop_context.BuildLoop(cond, body, loop_vars, shape_invariants)
File "/opt/anaconda/anaconda3/lib/python3.6/site-packages/tensorflow/python/ops/control_flow_ops.py", line 2956, in BuildLoop
pred, body, original_loop_vars, loop_vars, shape_invariants)
File "/opt/anaconda/anaconda3/lib/python3.6/site-packages/tensorflow/python/ops/control_flow_ops.py", line 2893, in _BuildLoop
body_result = body(*packed_vars_for_body)
File "/home/wangxiaosen/attack_gan/attack_keras/deepfool.py", line 144, in _body
for i in range(ydim)]
TypeError: 'NoneType' object cannot be interpreted as an integer

I found that in the deepfool.py, line 120 get y0 with shape (?, 10) rather than (1, 10). I have tried to ignore this and set ydim = 1, but I get another error:
Traceback (most recent call last):
File "/opt/anaconda/anaconda3/lib/python3.6/site-packages/tensorflow/python/client/session.py", line 1322, in _do_call
return fn(*args)
File "/opt/anaconda/anaconda3/lib/python3.6/site-packages/tensorflow/python/client/session.py", line 1307, in _run_fn
options, feed_dict, fetch_list, target_list, run_metadata)
File "/opt/anaconda/anaconda3/lib/python3.6/site-packages/tensorflow/python/client/session.py", line 1409, in _call_tf_sessionrun
run_metadata)
tensorflow.python.framework.errors_impl.InvalidArgumentError: slice index 1 of dimension 0 out of bounds.
[[Node: deepfool/while/_deepfoolx/strided_slice_4 = StridedSlice[Index=DT_INT64, T=DT_FLOAT, begin_mask=0, ellipsis_mask=0, end_mask=0, new_axis_mask=0, shrink_axis_mask=1, _device="/job:localhost/replica:0/task:0/device:GPU:0"](deepfool/while/_deepfoolx/stack, deepfool/while/_deepfoolx/strided_slice_4/stack/_147, deepfool/while/_deepfoolx/strided_slice_4/stack_1/_149, deepfool/while/_deepfoolx/strided_slice_4/Cast/_151)]]
[[Node: clip_by_value/_165 = _Recvclient_terminated=false, recv_device="/job:localhost/replica:0/task:0/device:CPU:0", send_device="/job:localhost/replica:0/task:0/device:GPU:0", send_device_incarnation=1, tensor_name="edge_781_clip_by_value", tensor_type=DT_FLOAT, _device="/job:localhost/replica:0/task:0/device:CPU:0"]]

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "attack_mnist_keras.py", line 136, in
main()
File "attack_mnist_keras.py", line 129, in main
x_adv = make_deepfool(sess, x_deepfool, x, epochs, X_test, 3)
File "attack_mnist_keras.py", line 61, in make_deepfool
K.learning_phase(): 0})
File "/opt/anaconda/anaconda3/lib/python3.6/site-packages/tensorflow/python/client/session.py", line 900, in run
run_metadata_ptr)
File "/opt/anaconda/anaconda3/lib/python3.6/site-packages/tensorflow/python/client/session.py", line 1135, in _run
feed_dict_tensor, options, run_metadata)
File "/opt/anaconda/anaconda3/lib/python3.6/site-packages/tensorflow/python/client/session.py", line 1316, in _do_run
run_metadata)
File "/opt/anaconda/anaconda3/lib/python3.6/site-packages/tensorflow/python/client/session.py", line 1335, in _do_call
raise type(e)(node_def, op, message)
tensorflow.python.framework.errors_impl.InvalidArgumentError: slice index 1 of dimension 0 out of bounds.
[[Node: deepfool/while/_deepfoolx/strided_slice_4 = StridedSlice[Index=DT_INT64, T=DT_FLOAT, begin_mask=0, ellipsis_mask=0, end_mask=0, new_axis_mask=0, shrink_axis_mask=1, _device="/job:localhost/replica:0/task:0/device:GPU:0"](deepfool/while/_deepfoolx/stack, deepfool/while/_deepfoolx/strided_slice_4/stack/_147, deepfool/while/_deepfoolx/strided_slice_4/stack_1/_149, deepfool/while/_deepfoolx/strided_slice_4/Cast/_151)]]
[[Node: clip_by_value/_165 = _Recvclient_terminated=false, recv_device="/job:localhost/replica:0/task:0/device:CPU:0", send_device="/job:localhost/replica:0/task:0/device:GPU:0", send_device_incarnation=1, tensor_name="edge_781_clip_by_value", tensor_type=DT_FLOAT, _device="/job:localhost/replica:0/task:0/device:CPU:0"]]

Caused by op 'deepfool/while/_deepfoolx/strided_slice_4', defined at:
File "attack_mnist_keras.py", line 136, in
main()
File "attack_mnist_keras.py", line 127, in main
x_deepfool = deepfool(classifier_attack, x, epochs=3)
File "/home/wangxiaosen/attack_gan/attack_keras/deepfool.py", line 50, in deepfool
name='deepfool')
File "/opt/anaconda/anaconda3/lib/python3.6/site-packages/tensorflow/python/ops/functional_ops.py", line 423, in map_fn
swap_memory=swap_memory)
File "/opt/anaconda/anaconda3/lib/python3.6/site-packages/tensorflow/python/ops/control_flow_ops.py", line 3224, in while_loop
result = loop_context.BuildLoop(cond, body, loop_vars, shape_invariants)
File "/opt/anaconda/anaconda3/lib/python3.6/site-packages/tensorflow/python/ops/control_flow_ops.py", line 2956, in BuildLoop
pred, body, original_loop_vars, loop_vars, shape_invariants)
File "/opt/anaconda/anaconda3/lib/python3.6/site-packages/tensorflow/python/ops/control_flow_ops.py", line 2893, in _BuildLoop
body_result = body(*packed_vars_for_body)
File "/opt/anaconda/anaconda3/lib/python3.6/site-packages/tensorflow/python/ops/functional_ops.py", line 413, in compute
packed_fn_values = fn(packed_values)
File "/home/wangxiaosen/attack_gan/attack_keras/deepfool.py", line 46, in _f
clip_max=clip_max, min_prob=min_prob)
File "/home/wangxiaosen/attack_gan/attack_keras/deepfool.py", line 166, in _deepfoolx
name='_deepfoolx', back_prop=False)
File "/opt/anaconda/anaconda3/lib/python3.6/site-packages/tensorflow/python/ops/control_flow_ops.py", line 3224, in while_loop
result = loop_context.BuildLoop(cond, body, loop_vars, shape_invariants)
File "/opt/anaconda/anaconda3/lib/python3.6/site-packages/tensorflow/python/ops/control_flow_ops.py", line 2956, in BuildLoop
pred, body, original_loop_vars, loop_vars, shape_invariants)
File "/opt/anaconda/anaconda3/lib/python3.6/site-packages/tensorflow/python/ops/control_flow_ops.py", line 2893, in _BuildLoop
body_result = body(*packed_vars_for_body)
File "/home/wangxiaosen/attack_gan/attack_keras/deepfool.py", line 149, in _body
gk, go = g[k0], tf.concat((g[:k0], g[(k0+1):]), axis=0)
File "/opt/anaconda/anaconda3/lib/python3.6/site-packages/tensorflow/python/ops/array_ops.py", line 597, in _slice_helper
name=name)
File "/opt/anaconda/anaconda3/lib/python3.6/site-packages/tensorflow/python/ops/array_ops.py", line 763, in strided_slice
shrink_axis_mask=shrink_axis_mask)
File "/opt/anaconda/anaconda3/lib/python3.6/site-packages/tensorflow/python/ops/gen_array_ops.py", line 8148, in strided_slice
name=name)
File "/opt/anaconda/anaconda3/lib/python3.6/site-packages/tensorflow/python/framework/op_def_library.py", line 787, in _apply_op_helper
op_def=op_def)
File "/opt/anaconda/anaconda3/lib/python3.6/site-packages/tensorflow/python/framework/ops.py", line 3392, in create_op
op_def=op_def)
File "/opt/anaconda/anaconda3/lib/python3.6/site-packages/tensorflow/python/framework/ops.py", line 1718, in init
self._traceback = self._graph._extract_stack() # pylint: disable=protected-access

InvalidArgumentError (see above for traceback): slice index 1 of dimension 0 out of bounds.
[[Node: deepfool/while/_deepfoolx/strided_slice_4 = StridedSlice[Index=DT_INT64, T=DT_FLOAT, begin_mask=0, ellipsis_mask=0, end_mask=0, new_axis_mask=0, shrink_axis_mask=1, _device="/job:localhost/replica:0/task:0/device:GPU:0"](deepfool/while/_deepfoolx/stack, deepfool/while/_deepfoolx/strided_slice_4/stack/_147, deepfool/while/_deepfoolx/strided_slice_4/stack_1/_149, deepfool/while/_deepfoolx/strided_slice_4/Cast/_151)]]
[[Node: clip_by_value/_165 = _Recvclient_terminated=false, recv_device="/job:localhost/replica:0/task:0/device:CPU:0", send_device="/job:localhost/replica:0/task:0/device:GPU:0", send_device_incarnation=1, tensor_name="edge_781_clip_by_value", tensor_type=DT_FLOAT, _device="/job:localhost/replica:0/task:0/device:CPU:0"]]

I wonder if you could help me solve this problem. Thanks very much.

Hi,

I tried to change the model to one similar to(https://github.com/radioML/examples/blob/master/modulation_recognition/RML2016.10a_VTCNN2_example.ipynb) this model. Where total params is 2,830,427 (way more than your simple model). While generating adversarial crafting graph, I receive the following error
Traceback (most recent call last):
File "RML_TOS.py", line 121, in
x_adv = fgsm(_model_fn, x, epochs=9, eps=0.0001)
File "/home/pduraisamy/Adversarial/adversarial/fgsm.py", line 23, in fgsm
ybar = model(x_adv)
File "RML_TOS.py", line 117, in model_fn
logits, = ybar.op.inputs
ValueError: too many values to unpack
Exception AttributeError: "'NoneType' object has no attribute 'path'" in <function remove at 0x7fb07c21f140> ignored

Does it mean it couldn't handle deep network? Appreciate your help.

as in title.
I noticed that you have "tf.while_loop" in your code.
as far as I know, fast gradient is called fast because it doesn't have loop.
see section 2.1 in "ADVERSARIAL EXAMPLES IN THE PHYSICAL WORLD", of which the link appeared in the comment in your code:
In this paper we refer to this method as “fast” because it does not require an iterative procedure to
compute adversarial examples, and thus is much faster than other considered methods.
Your kindness would be appreciated if you may explain where did I make mistakes or misunderstand.

I found that you write the "fgmt" algrithm in "attackes/fast_gradient.py" but not achieve it. So I changed the file "example/fgsm_mnist.py" to achieved it but meet the problem as below:
ValueError: Cannot convert a partially known TensorShape to a Tensor: (?,)

the changed code is as below:

with tf.variable_scope('model', reuse=True):
    env.target = tf.placeholder(tf.int32, (), name='target')
    env.x_fgsm = fgmt(model, env.x, env.target, epochs=env.fgsm_epochs, eps=env.fgsm_eps)
...

def make_fgsm(sess, env, X_data, epochs=1, eps=0.01, batch_size=128):
...
    for batch in range(n_batch):
        start = batch * batch_size
        end = min(n_sample, start + batch_size)
        adv = sess.run(env.x_fgsm, feed_dict={
            env.x: X_data[start:end],
            env.target: np.random.choice(n_classes),
            env.fgsm_eps: eps,
            env.fgsm_epochs: epochs})
        X_adv[start:end] = adv
    return X_adv

I guess the type of target is wrong... Hoping for your reply~

recently I am working on model compression and if it influenced model robustness while facing adversarial samples, I tried ex06.py on cifar10, and after generating adversarial data, it would test against adversarial test data:
print('Testing against adversarial test data')
score = model.evaluate(X_adv, y_test)
print('\nloss: {0:.4f} acc: {1:.4f}'.format(score[0], score[1]))
I am a little confused, higher accuracy means better or worse robustness? or it's not related?
so could you please explain a little about adversarial data, thx!