Merge branch 'dev'

Changes:
  - Add logging
  - Add PGD evasion attack
  - Add model theft attack and sigmoid defence
  - Add thermometer encoding in defences
  - Correct adversarial trainer to match Madry setup
  - Update examples and  notebooks
  - Add visualization module

Conflicts:
	notebooks/adversarial-training-mnist.ipynb

Author: Irina Nicolae

art/__init__.py

@@ -1,6 +1,42 @@
+import json
+import logging
+import logging.config
 import os
 
-import json
+from numpy import float32
+
+LOGGING = {
+    'version': 1,
+    'disable_existing_loggers': False,
+    'formatters': {
+        'std': {
+            'format': '%(asctime)s [%(levelname)s] %(name)s: %(message)s',
+            'datefmt': '%Y-%m-%d %H:%M'
+        }
+    },
+    'handlers': {
+        'default': {
+            'class': 'logging.NullHandler',
+        },
+        'test': {
+            'class': 'logging.StreamHandler',
+            'formatter': 'std',
+            'level': logging.DEBUG
+        }
+    },
+    'loggers': {
+        '': {
+            'handlers': ['default']
+        },
+        'testLogger': {
+            'handlers': ['test'],
+            'level': 'INFO',
+            'propagate': True
+        }
+    }
+}
+logging.config.dictConfig(LOGGING)
+logger = logging.getLogger(__name__)
 
 _folder = os.path.expanduser('~')
 if not os.access(_folder, os.W_OK):
@@ -19,8 +55,7 @@
     try:
         os.makedirs(_folder)
     except OSError:
-        # Log warning here
-        pass
+        logger.warning('Unable to create folder for configuration file.', exc_info=True)
 
 if not os.path.exists(_config_path):
     # Generate default config
@@ -30,8 +65,9 @@
         with open(_config_path, 'w') as f:
             f.write(json.dumps(_config, indent=4))
     except IOError:
-        # Log warning here
-        pass
+        logger.warning('Unable to create configuration file', exc_info=True)
 
 if 'DATA_PATH' in _config:
     DATA_PATH = _config['DATA_PATH']
+
+NUMPY_DTYPE = float32

art/attacks/__init__.py

@@ -7,6 +7,9 @@
 from art.attacks.fast_gradient import FastGradientMethod
 from art.attacks.iterative_method import BasicIterativeMethod
 from art.attacks.newtonfool import NewtonFool
+from art.attacks.projected_gradient_descent import ProjectedGradientDescent
 from art.attacks.saliency_map import SaliencyMapMethod
 from art.attacks.universal_perturbation import UniversalPerturbation
 from art.attacks.virtual_adversarial import VirtualAdversarialMethod
+from art.attacks.model_theft import ModelTheft
+from art.attacks.sampling_model_theft import SamplingModelTheft

art/attacks/carlini.py

@@ -1,21 +1,23 @@
 from __future__ import absolute_import, division, print_function, unicode_literals
 
-import tensorflow as tf
-import numpy as np
+import logging
 import unittest
+
 import keras
 import keras.backend as k
-from keras.models import Sequential
-from keras.layers import Dense, Flatten, Conv2D, MaxPooling2D
+import numpy as np
+import tensorflow as tf
 import torch.nn as nn
 import torch.optim as optim
+from keras.layers import Dense, Flatten, Conv2D, MaxPooling2D
+from keras.models import Sequential
 
-from art.attacks.carlini import CarliniL2Method
-from art.classifiers.tensorflow import TFClassifier
-from art.classifiers.keras import KerasClassifier
-from art.classifiers.pytorch import PyTorchClassifier
+from art.attacks import CarliniL2Method
+from art.classifiers import KerasClassifier, PyTorchClassifier, TFClassifier
 from art.utils import load_mnist, random_targets
 
+logger = logging.getLogger('testLogger')
+
 BATCH_SIZE, NB_TRAIN, NB_TEST = 100, 5000, 10
 
 
@@ -84,7 +86,7 @@ def test_failure_attack(self):
 
         # Failure attack
         cl2m = CarliniL2Method(classifier=tfc, targeted=True, max_iter=0, binary_search_steps=0,
-                               learning_rate=0, initial_const=1, decay=0)
+                               learning_rate=0, initial_const=1)
         params = {'y': random_targets(y_test, tfc.nb_classes)}
         x_test_adv = cl2m.generate(x_test, **params)
         self.assertTrue((x_test_adv <= 1.0001).all())
@@ -126,48 +128,44 @@ def test_tfclassifier(self):
         tfc.fit(x_train, y_train, batch_size=BATCH_SIZE, nb_epochs=10)
 
         # First attack
-        cl2m = CarliniL2Method(classifier=tfc, targeted=True, max_iter=100, binary_search_steps=1,
-                               learning_rate=1, initial_const=10, decay=0)
+        cl2m = CarliniL2Method(classifier=tfc, targeted=True, max_iter=10)
         params = {'y': random_targets(y_test, tfc.nb_classes)}
         x_test_adv = cl2m.generate(x_test, **params)
         self.assertFalse((x_test == x_test_adv).all())
         self.assertTrue((x_test_adv <= 1.0001).all())
         self.assertTrue((x_test_adv >= -0.0001).all())
         target = np.argmax(params['y'], axis=1)
         y_pred_adv = np.argmax(tfc.predict(x_test_adv), axis=1)
-        print("CW2 Target: %s" % target)
-        print("CW2 Actual: %s" % y_pred_adv)
-        print("CW2 Success Rate: %f" % (sum(target == y_pred_adv)/float(len(target))))
+        logger.debug('CW2 Target: %s', target)
+        logger.debug('CW2 Actual: %s', y_pred_adv)
+        logger.info('CW2 Success Rate: %.2f', (sum(target == y_pred_adv) / float(len(target))))
         self.assertTrue((target == y_pred_adv).any())
 
         # Second attack
-        cl2m = CarliniL2Method(classifier=tfc, targeted=False, max_iter=100, binary_search_steps=1,
-                               learning_rate=1, initial_const=10, decay=0)
+        cl2m = CarliniL2Method(classifier=tfc, targeted=False, max_iter=10)
         params = {'y': random_targets(y_test, tfc.nb_classes)}
         x_test_adv = cl2m.generate(x_test, **params)
-        self.assertFalse((x_test == x_test_adv).all())
         self.assertTrue((x_test_adv <= 1.0001).all())
         self.assertTrue((x_test_adv >= -0.0001).all())
         target = np.argmax(params['y'], axis=1)
         y_pred_adv = np.argmax(tfc.predict(x_test_adv), axis=1)
-        print("CW2 Target: %s" % target)
-        print("CW2 Actual: %s" % y_pred_adv)
-        print("CW2 Success Rate: %f" % (sum(target != y_pred_adv)/float(len(target))))
+        logger.debug('CW2 Target: %s', target)
+        logger.debug('CW2 Actual: %s', y_pred_adv)
+        logger.info('CW2 Success Rate: %.2f', (sum(target == y_pred_adv) / float(len(target))))
         self.assertTrue((target != y_pred_adv).any())
 
         # Third attack
-        cl2m = CarliniL2Method(classifier=tfc, targeted=False, max_iter=100, binary_search_steps=1,
-                               learning_rate=1, initial_const=10, decay=0)
+        cl2m = CarliniL2Method(classifier=tfc, targeted=False, max_iter=10)
         params = {}
         x_test_adv = cl2m.generate(x_test, **params)
         self.assertFalse((x_test == x_test_adv).all())
         self.assertTrue((x_test_adv <= 1.0001).all())
         self.assertTrue((x_test_adv >= -0.0001).all())
         y_pred = np.argmax(tfc.predict(x_test), axis=1)
         y_pred_adv = np.argmax(tfc.predict(x_test_adv), axis=1)
-        print("CW2 Target: %s" % y_pred)
-        print("CW2 Actual: %s" % y_pred_adv)
-        print("CW2 Success Rate: %f" % (sum(y_pred != y_pred_adv)/float(len(y_pred))))
+        logger.debug('CW2 Target: %s', y_pred)
+        logger.debug('CW2 Actual: %s', y_pred_adv)
+        logger.info('CW2 Success Rate: %.2f', (sum(y_pred != y_pred_adv) / float(len(y_pred))))
         self.assertTrue((y_pred != y_pred_adv).any())
 
     def test_krclassifier(self):
@@ -197,48 +195,44 @@ def test_krclassifier(self):
         krc.fit(x_train, y_train, batch_size=BATCH_SIZE, nb_epochs=10)
 
         # First attack
-        cl2m = CarliniL2Method(classifier=krc, targeted=True, max_iter=100, binary_search_steps=1,
-                               learning_rate=1, initial_const=10, decay=0)
+        cl2m = CarliniL2Method(classifier=krc, targeted=True, max_iter=10)
         params = {'y': random_targets(y_test, krc.nb_classes)}
         x_test_adv = cl2m.generate(x_test, **params)
         self.assertFalse((x_test == x_test_adv).all())
         self.assertTrue((x_test_adv <= 1.0001).all())
         self.assertTrue((x_test_adv >= -0.0001).all())
         target = np.argmax(params['y'], axis=1)
         y_pred_adv = np.argmax(krc.predict(x_test_adv), axis=1)
-        print("CW2 Target: %s" % target)
-        print("CW2 Actual: %s" % y_pred_adv)
-        print("CW2 Success Rate: %f" % (sum(target == y_pred_adv)/float(len(target))))
+        logger.debug('CW2 Target: %s', target)
+        logger.debug('CW2 Actual: %s', y_pred_adv)
+        logger.info('CW2 Success Rate: %.2f', (sum(target == y_pred_adv) / float(len(target))))
         self.assertTrue((target == y_pred_adv).any())
 
         # Second attack
-        cl2m = CarliniL2Method(classifier=krc, targeted=False, max_iter=100, binary_search_steps=1,
-                               learning_rate=1, initial_const=10, decay=0)
+        cl2m = CarliniL2Method(classifier=krc, targeted=False, max_iter=10)
         params = {'y': random_targets(y_test, krc.nb_classes)}
         x_test_adv = cl2m.generate(x_test, **params)
-        self.assertFalse((x_test == x_test_adv).all())
         self.assertTrue((x_test_adv <= 1.0001).all())
         self.assertTrue((x_test_adv >= -0.0001).all())
         target = np.argmax(params['y'], axis=1)
         y_pred_adv = np.argmax(krc.predict(x_test_adv), axis=1)
-        print("CW2 Target: %s" % target)
-        print("CW2 Actual: %s" % y_pred_adv)
-        print("CW2 Success Rate: %f" % (sum(target != y_pred_adv)/float(len(target))))
+        logger.debug('CW2 Target: %s', target)
+        logger.debug('CW2 Actual: %s', y_pred_adv)
+        logger.info('CW2 Success Rate: %.2f', (sum(target != y_pred_adv) / float(len(target))))
         self.assertTrue((target != y_pred_adv).any())
 
         # Third attack
-        cl2m = CarliniL2Method(classifier=krc, targeted=False, max_iter=100, binary_search_steps=1,
-                               learning_rate=1, initial_const=10, decay=0)
+        cl2m = CarliniL2Method(classifier=krc, targeted=False, max_iter=10)
         params = {}
         x_test_adv = cl2m.generate(x_test, **params)
         self.assertFalse((x_test == x_test_adv).all())
         self.assertTrue((x_test_adv <= 1.0001).all())
         self.assertTrue((x_test_adv >= -0.0001).all())
         y_pred = np.argmax(krc.predict(x_test), axis=1)
         y_pred_adv = np.argmax(krc.predict(x_test_adv), axis=1)
-        print("CW2 Target: %s" % y_pred)
-        print("CW2 Actual: %s" % y_pred_adv)
-        print("CW2 Success Rate: %f" % (sum(y_pred != y_pred_adv)/float(len(y_pred))))
+        logger.debug('CW2 Target: %s', y_pred)
+        logger.debug('CW2 Actual: %s', y_pred_adv)
+        logger.info('CW2 Success Rate: %.2f', (sum(y_pred != y_pred_adv) / float(len(y_pred))))
         self.assertTrue((y_pred != y_pred_adv).any())
 
     def test_ptclassifier(self):
@@ -263,8 +257,7 @@ def test_ptclassifier(self):
         ptc.fit(x_train, y_train, batch_size=BATCH_SIZE, nb_epochs=10)
 
         # First attack
-        cl2m = CarliniL2Method(classifier=ptc, targeted=True, max_iter=100, binary_search_steps=1,
-                               learning_rate=1, initial_const=10, decay=0)
+        cl2m = CarliniL2Method(classifier=ptc, targeted=True, max_iter=10)
         params = {'y': random_targets(y_test, ptc.nb_classes)}
         x_test_adv = cl2m.generate(x_test, **params)
         self.assertFalse((x_test == x_test_adv).all())
@@ -275,20 +268,17 @@ def test_ptclassifier(self):
         self.assertTrue((target == y_pred_adv).any())
 
         # Second attack
-        cl2m = CarliniL2Method(classifier=ptc, targeted=False, max_iter=100, binary_search_steps=1,
-                               learning_rate=1, initial_const=10, decay=0)
+        cl2m = CarliniL2Method(classifier=ptc, targeted=False, max_iter=10)
         params = {'y': random_targets(y_test, ptc.nb_classes)}
         x_test_adv = cl2m.generate(x_test, **params)
-        self.assertFalse((x_test == x_test_adv).all())
         self.assertTrue((x_test_adv <= 1.0001).all())
         self.assertTrue((x_test_adv >= -0.0001).all())
         target = np.argmax(params['y'], axis=1)
         y_pred_adv = np.argmax(ptc.predict(x_test_adv), axis=1)
         self.assertTrue((target != y_pred_adv).any())
 
         # Third attack
-        cl2m = CarliniL2Method(classifier=ptc, targeted=False, max_iter=100, binary_search_steps=1,
-                               learning_rate=1, initial_const=10, decay=0)
+        cl2m = CarliniL2Method(classifier=ptc, targeted=False, max_iter=10)
         params = {}
         x_test_adv = cl2m.generate(x_test, **params)
         self.assertFalse((x_test == x_test_adv).all())

art/attacks/carlini_unittest.py

@@ -1,28 +1,34 @@
 from __future__ import absolute_import, division, print_function, unicode_literals
 
+import logging
+
 import numpy as np
 
 from art.attacks.attack import Attack
 
+logger = logging.getLogger(__name__)
+
 
 class DeepFool(Attack):
     """
     Implementation of the attack from Moosavi-Dezfooli et al. (2015).
     Paper link: https://arxiv.org/abs/1511.04599
     """
-    attack_params = Attack.attack_params + ['max_iter']
+    attack_params = Attack.attack_params + ['max_iter', 'epsilon']
 
-    def __init__(self, classifier, max_iter=100):
+    def __init__(self, classifier, max_iter=100, epsilon=1e-6):
         """
         Create a DeepFool attack instance.
 
         :param classifier: A trained model.
         :type classifier: :class:`Classifier`
         :param max_iter: The maximum number of iterations.
         :type max_iter: `int`
+        :param epsilon: Overshoot parameter.
+        :type epsilon: `float`
         """
         super(DeepFool, self).__init__(classifier)
-        params = {'max_iter': max_iter}
+        params = {'max_iter': max_iter, 'epsilon': epsilon}
         self.set_params(**params)
 
     def generate(self, x, **kwargs):
@@ -33,6 +39,8 @@ def generate(self, x, **kwargs):
         :type x: `np.ndarray`
         :param max_iter: The maximum number of iterations.
         :type max_iter: `int`
+        :param epsilon: Overshoot parameter.
+        :type epsilon: `float`
         :return: An array holding the adversarial examples.
         :rtype: `np.ndarray`
         """
@@ -64,7 +72,7 @@ def generate(self, x, **kwargs):
                 value = np.ma.array(np.abs(f_diff) / norm, mask=mask)
 
                 l = value.argmin(fill_value=np.inf)
-                r = (abs(f_diff[l]) / pow(np.linalg.norm(grad_diff[l]), 2)) * grad_diff[l]
+                r = (abs(f_diff[l]) / (pow(np.linalg.norm(grad_diff[l]), 2) + tol)) * grad_diff[l]
 
                 # Add perturbation and clip result
                 xj = np.clip(xj + r, clip_min, clip_max)
@@ -76,7 +84,11 @@ def generate(self, x, **kwargs):
 
                 nb_iter += 1
 
-            x_adv[j] = xj[0]
+            x_adv[j] = np.clip(x[j] + (1 + self.epsilon) * (xj[0] - x[j]), clip_min, clip_max)
+
+        preds = np.argmax(self.classifier.predict(x), axis=1)
+        preds_adv = np.argmax(self.classifier.predict(x_adv), axis=1)
+        logger.info('Success rate of DeepFool attack: %.2f%%', (np.sum(preds != preds_adv) / x.shape[0]))
 
         return x_adv
 
@@ -92,4 +104,8 @@ def set_params(self, **kwargs):
         if type(self.max_iter) is not int or self.max_iter <= 0:
             raise ValueError("The number of iterations must be a positive integer.")
 
+        if self.epsilon < 0:
+            raise ValueError("The overshoot parameter must not be negative.")
+
         return True
+