Merge from dev

Author: Irina Nicolae

.travis.yml

@@ -0,0 +1,56 @@
+sudo: required
+dist: trusty
+language: python
+matrix:
+  include:
+      - python: 2.7
+        env:
+          - KERAS_BACKEND=tensorflow
+          - TENSORFLOW_V=1.4.1
+      - python: 2.7
+        env:
+          - KERAS_BACKEND=tensorflow
+          - TENSORFLOW_V=1.1.0
+      - python: 3.5
+        env:
+          - KERAS_BACKEND=tensorflow
+          - TENSORFLOW_V=1.1.0
+      - python: 3.5
+        env:
+          - KERAS_BACKEND=tensorflow
+          - TENSORFLOW_V=1.4.1
+
+before_install:
+  - if [[ "$TRAVIS_PYTHON_VERSION" == "2.7" ]]; then
+      wget https://repo.continuum.io/miniconda/Miniconda2-latest-Linux-x86_64.sh -O miniconda.sh;
+    else
+      wget https://repo.continuum.io/miniconda/Miniconda3-latest-Linux-x86_64.sh -O miniconda.sh;
+    fi
+  - bash miniconda.sh -b -p $HOME/miniconda
+  - export PATH="$HOME/miniconda/bin:$PATH"
+  - hash -r
+  - conda config --set always_yes yes --set changeps1 no
+  - conda update -q conda
+  - conda info -a
+
+install:
+  - conda create -q -n test-environment python=$TRAVIS_PYTHON_VERSION numpy scipy matplotlib pandas h5py
+  - source activate test-environment
+  # Install TensorFlow
+  - if [[ "$TRAVIS_PYTHON_VERSION" == "2.7" && "$TENSORFLOW_V" == "1.4.1" ]]; then
+      pip install https://storage.googleapis.com/tensorflow/linux/cpu/tensorflow-1.4.1-cp27-none-linux_x86_64.whl;
+    elif [[ "$TRAVIS_PYTHON_VERSION" == "2.7" && "$TENSORFLOW_V" == "1.1.0" ]]; then
+      pip install https://storage.googleapis.com/tensorflow/linux/cpu/tensorflow-1.1.0-cp27-none-linux_x86_64.whl;
+    elif [[ "$TRAVIS_PYTHON_VERSION" == "3.5" && "$TENSORFLOW_V" == "1.4.1" ]]; then
+      pip install https://storage.googleapis.com/tensorflow/linux/cpu/tensorflow-1.4.1-cp35-cp35m-linux_x86_64.whl;
+    elif [[ "$TRAVIS_PYTHON_VERSION" == "3.5" && "$TENSORFLOW_V" == "1.1.0" ]]; then
+      pip install https://storage.googleapis.com/tensorflow/linux/cpu/tensorflow-1.1.0-cp35-cp35m-linux_x86_64.whl;
+    fi
+  - pip install keras
+  - conda install libgcc
+  - export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/home/travis/miniconda/envs/test-environment/lib
+  - export PYTHONPATH=".":$PYTHONPATH
+
+script:
+  - mkdir ./data
+  - python -m unittest discover src/ -p '*_unittest.py'

README.md

@@ -1,4 +1,6 @@
-# Nemesis (v1.0.0)
+# Nemesis (v0.1)
+[![Build Status](https://travis.ibm.com/Maria-Irina-Nicolae/nemesis.svg?token=gRzs7KGtxQXDzQo1SRTx&branch=master)](https://travis.ibm.com/Maria-Irina-Nicolae/nemesis)
+
 This is a library dedicated to **adversarial machine learning**. Its purpose is to allow rapid crafting and analysis of attacks and defense methods for machine learning models. Nemesis provides an implementation for many state-of-the-art methods for attacking and defending classifiers.
 
 The library is still under development. Feedback, bug reports and extension requests are highly appreciated.
@@ -12,51 +14,47 @@ Nemesis contains implementations of the following attacks:
 * Universal Perturbation ([Moosavi-Dezfooli et al., 2016](https://arxiv.org/abs/1610.08401))
 * Virtual Adversarial Method ([Moosavi-Dezfooli et al., 2015](https://arxiv.org/abs/1507.00677))
 * C&W Attack ([Carlini and Wagner, 2016](https://arxiv.org/abs/1608.04644))
+* NewtonFool ([Jang et al., 2017](http://doi.acm.org/10.1145/3134600.3134635))
 
 The following defense methods are also supported:
 * Feature squeezing ([Xu et al., 2017](http://arxiv.org/abs/1704.01155))
+* Spatial smoothing ([Xu et al., 2017](http://arxiv.org/abs/1704.01155))
 * Label smoothing (Warde-Farley and Goodfellow, 2016)
 * Adversarial training ([Szegedy et al., 2013](http://arxiv.org/abs/1312.6199))
 * Virtual adversarial training ([Miyato et al., 2017](https://arxiv.org/abs/1704.03976))
 
 ## Setup
 
-### Requirements
-
 Nemesis is designed to run with Python 3 (and most likely Python 2 with small changes). You can either download the source code of Nemesis or clone the repository in your directory of choice:
 ```bash
 git clone https://github.ibm.com/Maria-Irina-Nicolae/nemesis
 ```
 
 To install the project dependencies, use the requirements file:
 ```bash
-pip install -r requirements.txt
+pip install .
 ```
 
-You will additionally need to download [Cleverhans](https://github.com/tensorflow/cleverhans).
-
-### Installation
+The library comes with a basic set of unit tests. To check your install, you can run all the unit tests by calling in the Nemesis folder:
+```bash
+bash run_tests.sh
+```
 
-Nemesis is linked against Cleverhans through the configuration file `config/config.ini`. When installing Nemesis on your local machine, you need to set the appropriate paths and the `LOCAL` configuration profile as follows:
+The configuration file `config/config.ini` allows to set custom paths for data. By default, data is downloaded in the `nemesis/data` folder as follows:
 
 ```text
 [DEFAULT]
 profile=LOCAL
 
 [LOCAL]
-data_path=/local/path/here
-mnist_path=/local/path/here
-cifar10_path=/local/path/here
-stl10_path=/local/path/here
-cleverhans_path=/local/path/here
+data_path=./data
+mnist_path=./data/mnist
+cifar10_path=./data/cifar-10
+stl10_path=./data/stl-10
 ```
 
 If the datasets are not present at the indicated path, loading them will also download the data.
 
-The library comes with a basic set of unit tests. To check that the installation has succeeded, you can run all the unit tests by calling in the Nemesis folder:
-```bash
-bash run_tests.sh
-```
 
 ## Running Nemesis
 
@@ -66,11 +64,11 @@ The library contains three main scripts for:
 * testing model accuracy on different test sets using (`test_accuracies.py`)
 
 Detailed instructions for each script are available by typing
-```python
+```bash
 python3 <script_name> -h
 ```
 
 Some examples of how to use Nemesis when writing your own code can be found in the `examples` folder. See `examples/README.md` for more information about what each example does. To run an example, use the following command:
 ```bash
 python3 examples/<example_name>.py
-```
+```

config/__init__.py

@@ -3,24 +3,50 @@
 from os.path import abspath, dirname, expanduser, join
 import sys
 
-import configparser
+# Ensure compatibility with Python 2 and 3 when using ConfigParser
+if sys.version_info >= (3, 0):
+    import configparser as cp
+else:
+    import ConfigParser as cp
+
+
+def config_to_dict(section):
+    dict = {}
+    options = parser.options(section)
+    for option in options:
+        try:
+            dict[option] = parser.get(section, option)
+        except:
+            print('Exception on configuration option %s!' % option)
+            dict[option] = None
+    return dict
+
 
 __all__ = ['config_dict', 'MNIST_PATH', 'CIFAR10_PATH', 'IMAGENET_PATH', 'STL10_PATH', 'DATA_PATH']
 
 config_file = join(dirname(__file__), 'config.ini')
-parser = configparser.ConfigParser()
-with open(config_file, mode='rt') as f:
-    parser.read_file(f)
+parser = cp.ConfigParser()
+if sys.version_info >= (3, 0):
+    with open(config_file, mode='rt') as f:
+        parser.read_file(f)
+else:
+    parser.read(config_file)
 
 # Generate config dictionary
 config_dict = dict()
-config_dict.update(parser['DEFAULT'])
+if sys.version_info >= (3, 0):
+    config_dict.update(parser['DEFAULT'])
+else:
+    config_dict['profile'] = parser.get('DEFAULT', 'profile')
 
-profile = config_dict['profile'] = config_dict.get('profile', 'profile1')
+profile = config_dict['profile'] = config_dict.get('profile')
 
 # Load the configuration for the current profile
 if parser.has_section(profile):
-    config_dict.update(parser[profile])
+    if sys.version_info >= (3, 0):
+        config_dict.update(parser[profile])
+    else:
+        config_dict.update(config_to_dict(profile))
 
 # Add configured paths to PYTHONPATH
 for key in config_dict:

config/config.ini

@@ -1,18 +1,16 @@
 [DEFAULT]
-profile=CLUSTER
+profile=LOCAL
 
 [LOCAL]
-data_path=/local/path/here
-mnist_path=/local/path/here
-cifar10_path=/local/path/here
-stl10_path=/local/path/here
-imagenet_path=/local/path/here
-cleverhans_path=/local/path/here
+data_path=./data
+mnist_path=./data/mnist
+cifar10_path=./data/cifar-10
+stl10_path=./data/stl-10
+imagenet_path=./data/imagenet
 
 [CLUSTER]
 data_path=/dccstor/dlw/data/adversarial_learning
 mnist_path=/dccstor/dlw/data/adversarial_learning/mnist
 cifar10_path=/dccstor/dlw/data/adversarial_learning/cifar-10
 stl10_path=/dccstor/dlw/data/adversarial_learning/stl-10
 imagenet_path=/dccstor/dlw/data/kg_completion/images/jpegs_ILSVRC/n02119789
-cleverhans_path=/u/nicolae/cleverhans

requirements.txt

@@ -1,4 +1,5 @@
-Keras==2.0.4
-matplotlib==2.0.1
-scipy==0.19.0
-tensorflow==1.1.0
+h5py
+Keras
+matplotlib
+scipy
+tensorflow

setup.py

@@ -0,0 +1,36 @@
+from setuptools import setup
+from setuptools import find_packages
+
+
+setup(name='Adversarial Robustness Toolbox',
+      version='0.1',
+      description='IBM Adversarial machine learning toolbox',
+      author='Irina Nicolae',
+      author_email='[email protected]',
+      url='https://github.com/ririnicolae/adversarial-robustness-toolbox',
+      license='MIT',
+      install_requires=['h5py',
+                        'Keras',
+                        'scipy',
+                        'matplotlib',
+                        'tensorflow',
+                        'setuptools'],
+      # extras_require={
+          # 'tests': ['pytest',
+          #           'pytest-pep8',
+          #           'pytest-xdist',
+          #           'pytest-cov'],
+      # },
+      classifiers=[
+            'Development Status :: 3 - Alpha',
+            'Intended Audience :: Developers',
+            'Intended Audience :: Education',
+            'Intended Audience :: Science/Research',
+            'License :: OSI Approved :: MIT License',
+            'Programming Language :: Python :: 2',
+            'Programming Language :: Python :: 3',
+            'Topic :: Software Development :: Libraries',
+            'Topic :: Software Development :: Libraries :: Python Modules',
+            'Topic :: Scientific/Engineering :: Artificial Intelligence',
+      ],
+      packages=find_packages())

src/attacks/deepfool.py

@@ -38,6 +38,8 @@ def generate(self, x_val, **kwargs):
         :return: A Numpy array holding the adversarial examples.
         """
         assert self.set_params(**kwargs)
+        k.set_learning_phase(0)
+
         dims = list(x_val.shape)
         nb_instances = dims[0]
         dims[0] = None
@@ -54,9 +56,8 @@ def generate(self, x_val, **kwargs):
         for j, x in enumerate(x_adv):
             xi = x[None, ...]
 
-            f = self.sess.run(self.model(xi_op), feed_dict={xi_op: xi, k.learning_phase(): 0})[0]
-            grd = self.sess.run(grads, feed_dict={xi_op: xi, k.learning_phase(): 0})
-            grd = [g[0] for g in grd]
+            f, grd = self.sess.run([self.model(xi_op), grads], {xi_op: xi})
+            f, grd = f[0], [g[0] for g in grd]
             fk_hat = np.argmax(f)
             fk_i_hat = fk_hat
             nb_iter = 0
@@ -79,9 +80,9 @@ def generate(self, x_val, **kwargs):
                     xi = np.clip(xi, self.clip_min, self.clip_max)
 
                 # Recompute prediction for new xi
-                f = self.sess.run(self.model(xi_op), feed_dict={xi_op: xi, k.learning_phase(): 0})[0]
-                grd = self.sess.run(grads, feed_dict={xi_op: xi, k.learning_phase(): 0})
-                grd = [g[0] for g in grd]
+
+                f, grd = self.sess.run([self.model(xi_op), grads], {xi_op: xi})
+                f, grd = f[0], [g[0] for g in grd]
                 fk_i_hat = np.argmax(f)
 
                 nb_iter += 1

src/attacks/fast_gradient.py

@@ -31,10 +31,10 @@ def __init__(self, classifier, sess=None, ord=np.inf, y=None, targeted=False, cl
         kwargs = {'ord': ord, 'targeted': targeted, 'clip_min': clip_min, 'clip_max': clip_max, 'y': y}
         self.set_params(**kwargs)
 
-    def generate_graph(self, x, eps=0.3, **kwargs):
+    def generate_graph(self, x, eps, **kwargs):
         """Generate symbolic graph for adversarial examples and return.
         :param x: The model's symbolic inputs.
-        :param eps: (optional float) attack step size (input variation)
+        :param eps: (optional tf.placeholder) The placeholder for input variation (noise amplitude)
         :param ord: (optional) Order of the norm (mimics Numpy). Possible values: np.inf, 1 or 2.
         :param y: (optional) A placeholder for the model labels. Only provide this parameter if you'd like to use true
                   labels when crafting adversarial samples. Otherwise, model predictions are used as labels to avoid the
@@ -89,25 +89,24 @@ def minimal_perturbations(self, x, x_val, eps_step=0.1, eps_max=1., **kwargs):
         :param kwargs: Other parameters to send to generate_graph
         :return: A Numpy array holding the adversarial examples.
         """
+        k.set_learning_phase(0)
         y = np.argmax(self.model.predict(x_val), 1)
         adv_x = x_val.copy()
 
-        curr_indexes = np.arange(len(x_val))
-        eps = eps_step
+        curr_indexes = np.arange(len(adv_x))
+        eps = tf.placeholder(tf.float32, None)
+        adv_x_op = self.generate_graph(x, eps, **kwargs)
+        adv_y = tf.argmax(self.model(adv_x_op), 1)
+        eps_val = eps_step
 
-        while len(curr_indexes) != 0 and eps <= eps_max:
+        while len(curr_indexes) != 0 and eps_val <= eps_max:
             # Adversarial crafting
-            adv_x_op = self.generate_graph(x, eps=eps, **kwargs)
-            adv_y = tf.argmax(self.model(adv_x_op), 1)
-
-            feed_dict = {x: x_val[curr_indexes], k.learning_phase(): 0}
-            new_adv_x, new_y = self.sess.run([adv_x_op, adv_y], feed_dict=feed_dict)
+            new_adv_x, new_y = self.sess.run([adv_x_op, adv_y], {x: x_val[curr_indexes], eps: eps_val})
 
             # Update
             adv_x[curr_indexes] = new_adv_x
             curr_indexes = np.where(y[curr_indexes] == new_y)[0]
-
-            eps += eps_step
+            eps_val += eps_step
 
         return adv_x
 
@@ -125,23 +124,25 @@ def generate(self, x_val, **kwargs):
         :return: A Numpy array holding the adversarial examples.
         """
 
-        input_shape = list(x_val.shape)
-        input_shape[0] = None
+        input_shape = [None] + list(x_val.shape[1:])
         self._x = tf.placeholder(tf.float32, shape=input_shape)
+        k.set_learning_phase(0)
 
+        # Return adversarial examples computed with minimal perturbation if option is active
         if "minimal" in kwargs and kwargs["minimal"]:
             return self.minimal_perturbations(self._x, x_val, **kwargs)
 
+        # Generate computation graph
         self._x_adv = self.generate_graph(self._x, **kwargs)
 
         # Run symbolic graph without or with true labels
         if 'y_val' not in kwargs or kwargs['y_val'] is None:
-            feed_dict = {self._x: x_val, k.learning_phase(): 0}
+            feed_dict = {self._x: x_val}
         else:
             # Verify label placeholder was given in params if using true labels
             if self.y is None:
                 raise Exception("True labels given but label placeholder not given.")
-            feed_dict = {self._x: x_val, self.y: kwargs['y_val'], k.learning_phase(): 0}
+            feed_dict = {self._x: x_val, self.y: kwargs['y_val']}
 
         return self.sess.run(self._x_adv, feed_dict=feed_dict)
 

src/attacks/fast_gradient_unittest.py

@@ -83,10 +83,10 @@ def test_mnist(self):
         self.assertFalse((Y_test == test_y_pred).all())
 
         scores = classifier.evaluate(X_train_adv_min, Y_train)
-        print('\naccuracy on adversarial train examples: %.2f%%' % (scores[1] * 100))
+        print('\naccuracy on adversarial train examples with minimal perturbation: %.2f%%' % (scores[1] * 100))
 
         scores = classifier.evaluate(X_test_adv_min, Y_test)
-        print('\naccuracy on adversarial test examples: %.2f%%' % (scores[1] * 100))
+        print('\naccuracy on adversarial test examples with minimal perturbation: %.2f%%' % (scores[1] * 100))
 
     def test_with_preprocessing(self):