Merge remote-tracking branch 'upstream/dev' into dev

Author: minhitbk

CONTRIBUTING.md

@@ -0,0 +1,6 @@
+# Contributing to Nemesis
+
+Adding new features, improving documentation, fixing bugs, or writing tutorials are all examples of helpful contributions. Furthermore, if you are publishing a new attack or defense, we strongly encourage you to add it to Nemesis so that others may evaluate it fairly in their own work.
+
+Bug fixes can be initiated through Github pull requests. When making code contributions to Nemesis, we ask that you follow the `PEP 8` coding standard and that you provide unit tests for the new features.
+

README.md

@@ -11,6 +11,7 @@ Nemesis contains implementations of the following attacks:
 * Jacobian Saliency Map ([Papernot et al., 2016](https://arxiv.org/abs/1511.07528))
 * Universal Perturbation ([Moosavi-Dezfooli et al., 2016](https://arxiv.org/abs/1610.08401))
 * Virtual Adversarial Method ([Moosavi-Dezfooli et al., 2015](https://arxiv.org/abs/1507.00677))
+* C&W Attack ([Carlini and Wagner, 2016](https://arxiv.org/abs/1608.04644))
 
 The following defense methods are also supported:
 * Feature squeezing ([Xu et al., 2017](http://arxiv.org/abs/1704.01155))

requirements.txt

@@ -1,26 +1,4 @@
-appdirs==1.4.3
-click==6.7
-cycler==0.10.0
-Flask==0.12.2
-h5py==2.7.0
-itsdangerous==0.24
-Jinja2==2.9.6
 Keras==2.0.4
-MarkupSafe==1.0
 matplotlib==2.0.1
-numpy==1.12.1
-olefile==0.44
-packaging==16.8
-picasso-viz==0.1.1
-Pillow==4.1.1
-protobuf==3.3.0
-pyparsing==2.2.0
-python-dateutil==2.6.0
-pytz==2017.2
-PyYAML==3.12
-requests==2.14.2
 scipy==0.19.0
-six==1.10.0
 tensorflow==1.1.0
-Theano==0.9.0
-Werkzeug==0.12.1

src/attacks/attack.py

@@ -1,6 +1,7 @@
-from __future__ import absolute_import, division, print_function
+from __future__ import absolute_import, division, print_function, unicode_literals
 
-from abc import ABCMeta
+import abc
+import sys
 
 import numpy as np
 import tensorflow as tf
@@ -34,12 +35,17 @@ def class_derivative(preds, x, num_labels=10):
     """
     return [tf.gradients(preds[:, i], x) for i in range(num_labels)]
 
+# Ensure compatibility with Python 2 and 3 when using ABCMeta
+if sys.version_info >= (3, 4):
+    ABC = abc.ABC
+else:
+    ABC = abc.ABCMeta(str('ABC'), (), {})
 
-class Attack:
+
+class Attack(ABC):
     """
-    Abstract base class for all attack classes. Adapted from cleverhans (https://github.com/openai/cleverhans).
+    Abstract base class for all attack classes.
     """
-    __metaclass__ = ABCMeta
     attack_params = ['classifier', 'session']
 
     def __init__(self, classifier, sess=None):

src/attacks/carlini.py

@@ -1,6 +1,4 @@
-from __future__ import absolute_import, division, print_function
-
-from config import config_dict
+from __future__ import absolute_import, division, print_function, unicode_literals
 
 import keras.backend as k
 import tensorflow as tf

src/attacks/carlini_unittest.py

@@ -1,8 +1,5 @@
-from __future__ import absolute_import, division, print_function
+from __future__ import absolute_import, division, print_function, unicode_literals
 
-from config import config_dict
-
-from cleverhans.attacks_tf import fgm
 from keras import backend as k
 import numpy as np
 import tensorflow as tf
@@ -13,25 +10,25 @@
 class FastGradientMethod(Attack):
     """
     This attack was originally implemented by Goodfellow et al. (2015) with the infinity norm (and is known as the "Fast
-    Gradient Sign Method"). This implementation is inspired by the one in Cleverhans
-    (https://github.com/tensorflow/cleverhans) which extends the attack to other norms, and is therefore called the Fast
+    Gradient Sign Method"). This implementation extends the attack to other norms, and is therefore called the Fast
     Gradient Method. Paper link: https://arxiv.org/abs/1412.6572
     """
-    attack_params = ['ord', 'y', 'y_val', 'clip_min', 'clip_max']
+    attack_params = ['ord', 'y', 'y_val', 'targeted', 'clip_min', 'clip_max']
 
-    def __init__(self, classifier, sess=None, ord=np.inf, y=None, clip_min=None, clip_max=None):
+    def __init__(self, classifier, sess=None, ord=np.inf, y=None, targeted=False, clip_min=None, clip_max=None):
         """Create a FastGradientMethod instance.
-        :param ord: (optional) Order of the norm (mimics Numpy). Possible values: np.inf, 1 or 2.
+        :param ord: (optional) Order of the norm. Possible values: np.inf, 1 or 2.
         :param y: (optional) A placeholder for the model labels. Only provide this parameter if you'd like to use true
                   labels when crafting adversarial samples. Otherwise, model predictions are used as labels to avoid the
                   "label leaking" effect (explained in this paper: https://arxiv.org/abs/1611.01236). Default is None.
                   Labels should be one-hot-encoded.
+        :param targeted: (optional boolean) Should the attack target one specific class
         :param clip_min: (optional float) Minimum input component value
         :param clip_max: (optional float) Maximum input component value
         """
         super(FastGradientMethod, self).__init__(classifier, sess)
 
-        kwargs = {'ord': ord, 'clip_min': clip_min, 'clip_max': clip_max, 'y': y}
+        kwargs = {'ord': ord, 'targeted': targeted, 'clip_min': clip_min, 'clip_max': clip_max, 'y': y}
         self.set_params(**kwargs)
 
     def generate_graph(self, x, eps=0.3, **kwargs):
@@ -48,11 +45,43 @@ def generate_graph(self, x, eps=0.3, **kwargs):
         """
         self.set_params(**kwargs)
 
-        return fgm(x, self.classifier._get_predictions(x, log=False), y=self.y, eps=eps, ord=self.ord,
-                   clip_min=self.clip_min, clip_max=self.clip_max)
+        preds = self.classifier._get_predictions(x, log=False)
+
+        if not hasattr(self, 'y') or self.y is None:
+            # Use model predictions as correct outputs
+            preds_max = tf.reduce_max(preds, 1, keep_dims=True)
+            y = tf.to_float(tf.equal(preds, preds_max))
+            y = tf.stop_gradient(y)
+        else:
+            y = self.y
+        y = y / tf.reduce_sum(y, 1, keep_dims=True)
+
+        loss = tf.nn.softmax_cross_entropy_with_logits(logits=preds, labels=y)
+        if self.targeted:
+            loss = -loss
+        grad, = tf.gradients(loss, x)
+
+        # Apply norm bound
+        if self.ord == np.inf:
+            grad = tf.sign(grad)
+        elif self.ord == 1:
+            ind = list(range(1, len(x.get_shape())))
+            grad = grad / tf.reduce_sum(tf.abs(grad), reduction_indices=ind, keep_dims=True)
+        elif self.ord == 2:
+            ind = list(range(1, len(x.get_shape())))
+            grad = grad / tf.sqrt(tf.reduce_sum(tf.square(grad), reduction_indices=ind, keep_dims=True))
+
+        # Apply perturbation and clip
+        x_adv_op = x + eps * grad
+        if self.clip_min is not None and self.clip_max is not None:
+            x_adv_op = tf.clip_by_value(x_adv_op, self.clip_min, self.clip_max)
+
+        return x_adv_op
 
     def minimal_perturbations(self, x, x_val, eps_step=0.1, eps_max=1., **kwargs):
-        """Iteratively compute the minimal perturbation necessary to make the class prediction change.
+        """Iteratively compute the minimal perturbation necessary to make the class prediction change. Stop when the
+        first adversarial example was found.
+
         :param x: (required) A placeholder for the input.
         :param x_val: (required) A Numpy array with the original inputs.
         :param eps_step: (optional float) The increase in the perturbation for each iteration
@@ -67,14 +96,14 @@ def minimal_perturbations(self, x, x_val, eps_step=0.1, eps_max=1., **kwargs):
         eps = eps_step
 
         while len(curr_indexes) != 0 and eps <= eps_max:
-            # adversarial crafting
+            # Adversarial crafting
             adv_x_op = self.generate_graph(x, eps=eps, **kwargs)
             adv_y = tf.argmax(self.model(adv_x_op), 1)
 
             feed_dict = {x: x_val[curr_indexes], k.learning_phase(): 0}
             new_adv_x, new_y = self.sess.run([adv_x_op, adv_y], feed_dict=feed_dict)
 
-            # update
+            # Update
             adv_x[curr_indexes] = new_adv_x
             curr_indexes = np.where(y[curr_indexes] == new_y)[0]
 
@@ -93,6 +122,7 @@ def generate(self, x_val, **kwargs):
                   Labels should be one-hot-encoded.
         :param clip_min: (optional float) Minimum input component value
         :param clip_max: (optional float) Maximum input component value
+        :return: A Numpy array holding the adversarial examples.
         """
 
         input_shape = list(x_val.shape)

src/attacks/fast_gradient.py

@@ -1,4 +1,4 @@
-from __future__ import absolute_import, division, print_function
+from __future__ import absolute_import, division, print_function, unicode_literals
 
 import unittest