Merge remote-tracking branch 'upstream/dev' into dev

Author: minhitbk

art/attacks/carlini.py

@@ -12,7 +12,7 @@
 class CarliniL2Method(Attack):
     """
     The L_2 optimized attack of Carlini and Wagner (2016). This attack is the most efficient and should be used as the
-    primary attack to evaluate potential defenses (wrt the L_0 and L_inf attacks). This implementation is inspired by
+    primary attack to evaluate potential defences (wrt the L_0 and L_inf attacks). This implementation is inspired by
     the one in Cleverhans, which reproduces the authors' original code (https://github.com/carlini/nn_robust_attacks).
     Paper link: https://arxiv.org/pdf/1608.04644.pdf
     """
@@ -160,7 +160,7 @@ def generate(self, x, **kwargs):
 
         # No labels provided, use model prediction as correct class
         if y is None:
-            y = np.argmax(self.classifier.predict(inputs=x, logits=False), axis=1)
+            y = np.argmax(self.classifier.predict(x, logits=False), axis=1)
             y = to_categorical(y, self.classifier.nb_classes)
 
         # Images to be attacked:

art/attacks/carlini_unittest.py

@@ -31,7 +31,7 @@ def forward(self, x):
         logit_output = self.fc(x)
         output = F.softmax(logit_output, dim=1)
 
-        return (logit_output, output)
+        return logit_output, output
 
 
 class TestCarliniL2(unittest.TestCase):
@@ -113,7 +113,7 @@ def test_tfclassifier(self):
         self._sess.run(tf.global_variables_initializer())
 
         # Get MNIST
-        batch_size, nb_train, nb_test = 100, 1000, 10
+        batch_size, nb_train, nb_test = 100, 500, 5
         (x_train, y_train), (x_test, y_test), _, _ = load_mnist()
         x_train, y_train = x_train[:nb_train], y_train[:nb_train]
         x_test, y_test = x_test[:nb_test], y_test[:nb_test]
@@ -124,7 +124,7 @@ def test_tfclassifier(self):
         tfc.fit(x_train, y_train, batch_size=batch_size, nb_epochs=2)
 
         # First attack
-        cl2m = CarliniL2Method(classifier=tfc, targeted=True, max_iter=100, binary_search_steps=10,
+        cl2m = CarliniL2Method(classifier=tfc, targeted=True, max_iter=10, binary_search_steps=10,
                                learning_rate=2e-2, initial_const=3, decay=1e-2)
         params = {'y': random_targets(y_test, tfc.nb_classes)}
         x_test_adv = cl2m.generate(x_test, **params)
@@ -137,7 +137,7 @@ def test_tfclassifier(self):
         self.assertTrue((target == y_pred_adv).all())
 
         # Second attack
-        cl2m = CarliniL2Method(classifier=tfc, targeted=False, max_iter=100, binary_search_steps=10,
+        cl2m = CarliniL2Method(classifier=tfc, targeted=False, max_iter=10, binary_search_steps=10,
                                learning_rate=2e-2, initial_const=3, decay=1e-2)
         params = {'y': random_targets(y_test, tfc.nb_classes)}
         x_test_adv = cl2m.generate(x_test, **params)
@@ -149,7 +149,7 @@ def test_tfclassifier(self):
         self.assertTrue((target != y_pred_adv).all())
 
         # Third attack
-        cl2m = CarliniL2Method(classifier=tfc, targeted=False, max_iter=100, binary_search_steps=10,
+        cl2m = CarliniL2Method(classifier=tfc, targeted=False, max_iter=10, binary_search_steps=10,
                                learning_rate=2e-2, initial_const=3, decay=1e-2)
         params = {}
         x_test_adv = cl2m.generate(x_test, **params)
@@ -170,7 +170,7 @@ def test_krclassifier(self):
         k.set_session(session)
 
         # Get MNIST
-        batch_size, nb_train, nb_test = 100, 1000, 10
+        batch_size, nb_train, nb_test = 100, 500, 5
         (x_train, y_train), (x_test, y_test), _, _ = load_mnist()
         x_train, y_train = x_train[:nb_train], y_train[:nb_train]
         x_test, y_test = x_test[:nb_test], y_test[:nb_test]
@@ -190,7 +190,7 @@ def test_krclassifier(self):
         krc.fit(x_train, y_train, batch_size=batch_size, nb_epochs=2)
 
         # First attack
-        cl2m = CarliniL2Method(classifier=krc, targeted=True, max_iter=100, binary_search_steps=10,
+        cl2m = CarliniL2Method(classifier=krc, targeted=True, max_iter=10, binary_search_steps=10,
                                learning_rate=2e-2, initial_const=3, decay=1e-2)
         params = {'y': random_targets(y_test, krc.nb_classes)}
         x_test_adv = cl2m.generate(x_test, **params)
@@ -202,7 +202,7 @@ def test_krclassifier(self):
         self.assertTrue((target == y_pred_adv).any())
 
         # Second attack
-        cl2m = CarliniL2Method(classifier=krc, targeted=False, max_iter=100, binary_search_steps=10,
+        cl2m = CarliniL2Method(classifier=krc, targeted=False, max_iter=10, binary_search_steps=10,
                                learning_rate=2e-2, initial_const=3, decay=1e-2)
         params = {'y': random_targets(y_test, krc.nb_classes)}
         x_test_adv = cl2m.generate(x_test, **params)
@@ -214,7 +214,7 @@ def test_krclassifier(self):
         self.assertTrue((target != y_pred_adv).all())
 
         # Third attack
-        cl2m = CarliniL2Method(classifier=krc, targeted=False, max_iter=100, binary_search_steps=10,
+        cl2m = CarliniL2Method(classifier=krc, targeted=False, max_iter=10, binary_search_steps=10,
                                learning_rate=2e-2, initial_const=3, decay=1e-2)
         params = {}
         x_test_adv = cl2m.generate(x_test, **params)
@@ -289,7 +289,3 @@ def test_ptclassifier(self):
 
 if __name__ == '__main__':
     unittest.main()
-
-
-
-

art/attacks/newtonfool_unittest.py

@@ -31,7 +31,7 @@ def forward(self, x):
         logit_output = self.fc(x)
         output = F.softmax(logit_output, dim=1)
 
-        return (logit_output, output)
+        return logit_output, output
 
 
 class TestNewtonFool(unittest.TestCase):
@@ -168,5 +168,3 @@ def test_ptclassifier(self):
 
 if __name__ == '__main__':
     unittest.main()
-
-

art/attacks/saliency_map.py

@@ -12,6 +12,7 @@ class SaliencyMapMethod(Attack):
     """
     attack_params = ['theta', 'gamma']
 
+    # TODO Add parameter logits?
     def __init__(self, classifier, theta=0.1, gamma=1.):
         """
         Create a SaliencyMapMethod instance.
@@ -46,7 +47,7 @@ def generate(self, x, **kwargs):
         :rtype: `np.ndarray`
         """
         # Parse and save attack-specific parameters
-        assert self.set_params(**kwargs)
+        self.set_params(**kwargs)
         clip_min, clip_max = self.classifier.clip_values
 
         # Initialize variables
@@ -118,7 +119,7 @@ def set_params(self, **kwargs):
         # Save attack-specific parameters
         super(SaliencyMapMethod, self).set_params(**kwargs)
 
-        if self.gamma < 0 or self.gamma > 1:
+        if self.gamma <= 0 or self.gamma > 1:
             raise ValueError("The total perturbation percentage `gamma` must be between 0 and 1.")
 
         return True

art/attacks/universal_perturbation.py

@@ -18,10 +18,10 @@ class UniversalPerturbation(Attack):
                     'jsma': 'art.attacks.saliency_map.SaliencyMapMethod',
                     'vat': 'art.attacks.virtual_adversarial.VirtualAdversarialMethod'
                     }
-    attack_params = ['attacker', 'attacker_params', 'delta', 'max_iter', 'eps', 'p']
+    attack_params = ['attacker', 'attacker_params', 'delta', 'max_iter', 'eps', 'norm']
 
     def __init__(self, classifier, attacker='deepfool', attacker_params=None, delta=0.2, max_iter=20, eps=10.0,
-                 p=np.inf):
+                 norm=np.inf):
         """
         :param classifier: A trained model.
         :type classifier: :class:`Classifier`
@@ -36,16 +36,16 @@ def __init__(self, classifier, attacker='deepfool', attacker_params=None, delta=
         :type max_iter: `int`
         :param eps: Attack step size (input variation)
         :type eps: `float`
-        :param p: Order of the norm. Possible values: np.inf, 2 (default is np.inf)
-        :type p: `int`
+        :param norm: Order of the norm. Possible values: np.inf, 2 (default is np.inf)
+        :type norm: `int`
         """
         super(UniversalPerturbation, self).__init__(classifier)
         kwargs = {'attacker': attacker,
                   'attacker_params': attacker_params,
                   'delta': delta,
                   'max_iter': max_iter,
                   'eps': eps,
-                  'p': p
+                  'norm': norm
                   }
         self.set_params(**kwargs)
 
@@ -66,8 +66,8 @@ def generate(self, x, **kwargs):
         :type max_iter: `int`
         :param eps: Attack step size (input variation)
         :type eps: `float`
-        :param p: Order of the norm. Possible values: np.inf, 2 (default is np.inf)
-        :type p: `int`
+        :param norm: Order of the norm. Possible values: np.inf, 2 (default is np.inf)
+        :type norm: `int`
         :return: An array holding the adversarial examples.
         :rtype: `np.ndarray`
         """
@@ -108,7 +108,7 @@ def generate(self, x, **kwargs):
                         v += adv_xi - xi
 
                         # Project on L_p ball
-                        v = self._clip_perturbation(v, self.eps, self.p)
+                        v = self._clip_perturbation(v, self.eps, self.norm)
             nb_iter += 1
 
             # Compute the error rate
@@ -137,8 +137,8 @@ def set_params(self, **kwargs):
         :type max_iter: `int`
         :param eps: Attack step size (input variation)
         :type eps: `float`
-        :param p: Order of the norm. Possible values: np.inf, 2 (default is np.inf)
-        :type p: `int`
+        :param norm: Order of the norm. Possible values: np.inf, 2 (default is np.inf)
+        :type norm: `int`
         """
         super(UniversalPerturbation, self).set_params(**kwargs)
 
@@ -153,25 +153,25 @@ def set_params(self, **kwargs):
 
         return True
 
-    def _clip_perturbation(self, v, eps, p):
+    def _clip_perturbation(self, v, eps, norm):
         """
         Clip the values in v if their L_p norm is larger than eps.
 
         :param v: array of perturbations to clip.
         :type v: `np.ndarray`
         :param eps: maximum norm allowed.
         :type eps: `float`
-        :param p: L_p norm to use for clipping. Only p = 2 and p = Inf supported for now.
-        :type p: `int`
+        :param norm: L_p norm to use for clipping. Only `norm == 2` and `norm == np.inf` supported for now.
+        :type norm: `int`
         :return: clipped values of v
         :rtype: `np.ndarray`
         """
-        if p == 2:
+        if norm == 2:
             v *= min(1., eps/np.linalg.norm(v, axis=(1, 2)))
-        elif p == np.inf:
+        elif norm == np.inf:
             v = np.sign(v) * np.minimum(abs(v), eps)
         else:
-            raise NotImplementedError('Values of p different from 2 and Inf are currently not supported.')
+            raise NotImplementedError('Values of `norm` different from 2 and `np.inf` are currently not supported.')
 
         return v
 

art/attacks/universal_perturbation_unittest.py

@@ -31,7 +31,7 @@ def forward(self, x):
         logit_output = self.fc(x)
         output = F.softmax(logit_output, dim=1)
 
-        return (logit_output, output)
+        return logit_output, output
 
 
 class TestUniversalPerturbation(unittest.TestCase):
@@ -178,7 +178,3 @@ def test_ptclassifier(self):
 
 if __name__ == '__main__':
     unittest.main()
-
-
-
-

art/classifiers/classifier.py

@@ -16,24 +16,27 @@ class Classifier(ABC):
     """
     Base class for all classifiers.
     """
-    def __init__(self, clip_values, defences=None):
+    def __init__(self, clip_values, channel_index, defences=None):
         """
         Initialize a `Classifier` object.
         :param clip_values: Tuple of the form `(min, max)` representing the minimum and maximum values allowed
                for features.
         :type clip_values: `tuple`
+        :param channel_index: Index of the axis in data containing the color channels or features.
+        :type channel_index: `int`
         :param defences: Defences to be activated with the classifier.
         :type defences: `str` or `list(str)`
         """
         self._clip_values = clip_values
+        self._channel_index = channel_index
         self._parse_defences(defences)
 
-    def predict(self, inputs, logits=False):
+    def predict(self, x, logits=False):
         """
         Perform prediction for a batch of inputs.
 
-        :param inputs: Test set.
-        :type inputs: `np.ndarray`
+        :param x: Test set.
+        :type x: `np.ndarray`
         :param logits: `True` if the prediction should be done at the logits layer.
         :type logits: `bool`
         :return: Array of predictions of shape `(nb_inputs, self.nb_classes)`.
@@ -42,14 +45,14 @@ def predict(self, inputs, logits=False):
         raise NotImplementedError
 
     @abc.abstractmethod
-    def fit(self, inputs, outputs, batch_size=128, nb_epochs=20):
+    def fit(self, x, y, batch_size=128, nb_epochs=20):
         """
-        Fit the classifier on the training set `(inputs, outputs)`.
+        Fit the classifier on the training set `(x, y)`.
 
-        :param inputs: Training data.
-        :type inputs: `np.ndarray`
-        :param outputs: Labels.
-        :type outputs: `np.ndarray`
+        :param x: Training data.
+        :type x: `np.ndarray`
+        :param y: Labels.
+        :type y: `np.ndarray`
         :param batch_size: Size of batches.
         :type batch_size: `int`
         :param nb_epochs: Number of epochs to use for trainings.
@@ -86,13 +89,21 @@ def clip_values(self):
         """
         return self._clip_values
 
+    @property
+    def channel_index(self):
+        """
+        :return: Index of the axis in data containing the color channels or features.
+        :rtype `int`
+        """
+        return self._channel_index
+
     @abc.abstractmethod
-    def class_gradient(self, inputs, logits=False):
+    def class_gradient(self, x, logits=False):
         """
-        Compute per-class derivatives w.r.t. `input`.
+        Compute per-class derivatives w.r.t. `x`.
 
-        :param inputs: Sample input with shape as expected by the model.
-        :type inputs: `np.ndarray`
+        :param x: Sample input with shape as expected by the model.
+        :type x: `np.ndarray`
         :param logits: `True` if the prediction should be done at the logits layer.
         :type logits: `bool`
         :return: Array of gradients of input features w.r.t. each class in the form
@@ -102,15 +113,15 @@ def class_gradient(self, inputs, logits=False):
         raise NotImplementedError
 
     @abc.abstractmethod
-    def loss_gradient(self, inputs, labels):
+    def loss_gradient(self, x, y):
         """
-        Compute the gradient of the loss function w.r.t. `inputs`.
+        Compute the gradient of the loss function w.r.t. `x`.
 
-        :param inputs: Sample input with shape as expected by the model.
-        :type inputs: `np.ndarray`
-        :param labels: Correct labels, one-vs-rest encoding.
-        :type labels: `np.ndarray`
-        :return: Array of gradients of the same shape as the inputs.
+        :param x: Sample input with shape as expected by the model.
+        :type x: `np.ndarray`
+        :param y: Correct labels, one-vs-rest encoding.
+        :type y: `np.ndarray`
+        :return: Array of gradients of the same shape as `x`.
         :rtype: `np.ndarray`
         """
         raise NotImplementedError
@@ -142,26 +153,24 @@ def _parse_defences(self, defences):
                     from art.defences import SpatialSmoothing
                     self.smooth = SpatialSmoothing()
 
-    def _apply_defences_fit(self, inputs, outputs):
+    def _apply_defences_fit(self, x, y):
         # Apply label smoothing if option is set
         if hasattr(self, 'label_smooth'):
-            _, outputs = self.label_smooth(None, outputs)
-        else:
-            outputs = outputs
+            _, y = self.label_smooth(None, y)
 
         # Apply feature squeezing if option is set
         if hasattr(self, 'feature_squeeze'):
-            inputs = self.feature_squeeze(inputs)
+            x = self.feature_squeeze(x)
 
-        return inputs, outputs
+        return x, y
 
-    def _apply_defences_predict(self, inputs):
+    def _apply_defences_predict(self, x):
         # Apply feature squeezing if option is set
         if hasattr(self, 'feature_squeeze'):
-            inputs = self.feature_squeeze(inputs)
+            x = self.feature_squeeze(x)
 
         # Apply inputs smoothing if option is set
         if hasattr(self, 'smooth'):
-            inputs = self.smooth(inputs)
+            x = self.smooth(x)
 
-        return inputs
+        return x