Fix bug in CW attack

minhitbk · minhitbk · commit cea5a0251523 · 2018-05-30T13:03:09.000+01:00
diff --git a/art/attacks/carlini.py b/art/attacks/carlini.py
@@ -240,7 +240,11 @@ def generate(self, x, **kwargs):
                 # Abort binary search if c exceeds upper bound:
                 if c > self._c_upper_bound:
                     break
-            
+
+            # Transform best_adv_image back into tanh space if attack is failed
+            if (best_adv_image == ex).all():
+                best_adv_image = (np.tanh(best_adv_image) / self._tanh_smoother + 1) / 2
+
             x_adv[j] = best_adv_image
 
         return x_adv
diff --git a/art/attacks/carlini_unittest.py b/art/attacks/carlini_unittest.py
@@ -38,6 +38,53 @@ class TestCarliniL2(unittest.TestCase):
     """
     A unittest class for testing the Carlini2 attack.
     """
+    def test_failure_attack(self):
+        """
+        Test the corner case when attack is failed.
+        :return:
+        """
+        # Build a TFClassifier
+        # Define input and output placeholders
+        self._input_ph = tf.placeholder(tf.float32, shape=[None, 28, 28, 1])
+        self._output_ph = tf.placeholder(tf.int32, shape=[None, 10])
+
+        # Define the tensorflow graph
+        conv = tf.layers.conv2d(self._input_ph, 4, 5, activation=tf.nn.relu)
+        conv = tf.layers.max_pooling2d(conv, 2, 2)
+        fc = tf.contrib.layers.flatten(conv)
+
+        # Logits layer
+        self._logits = tf.layers.dense(fc, 10)
+
+        # Train operator
+        self._loss = tf.reduce_mean(tf.losses.softmax_cross_entropy(logits=self._logits, onehot_labels=self._output_ph))
+        optimizer = tf.train.AdamOptimizer(learning_rate=0.01)
+        self._train = optimizer.minimize(self._loss)
+
+        # Tensorflow session and initialization
+        self._sess = tf.Session()
+        self._sess.run(tf.global_variables_initializer())
+
+        # Get MNIST
+        batch_size, nb_train, nb_test = 100, 1000, 10
+        (x_train, y_train), (x_test, y_test), _, _ = load_mnist()
+        x_train, y_train = x_train[:nb_train], y_train[:nb_train]
+        x_test, y_test = x_test[:nb_test], y_test[:nb_test]
+
+        # Train the classifier
+        tfc = TFClassifier((0, 1), self._input_ph, self._logits, self._output_ph,
+                           self._train, self._loss, None, self._sess)
+        tfc.fit(x_train, y_train, batch_size=batch_size, nb_epochs=2)
+
+        # Failure attack
+        cl2m = CarliniL2Method(classifier=tfc, targeted=True, max_iter=0, binary_search_steps=0,
+                               learning_rate=2e-2, initial_const=3, decay=1e-2)
+        params = {'y': random_targets(y_test, tfc.nb_classes)}
+        x_test_adv = cl2m.generate(x_test, **params)
+        self.assertTrue((x_test_adv <= 1).all())
+        self.assertTrue((x_test_adv >= 0).all())
+        np.testing.assert_almost_equal(x_test, x_test_adv, 3)
+
     def test_tfclassifier(self):
         """
         First test with the TFClassifier.
@@ -82,6 +129,8 @@ def test_tfclassifier(self):
         params = {'y': random_targets(y_test, tfc.nb_classes)}
         x_test_adv = cl2m.generate(x_test, **params)
         self.assertFalse((x_test == x_test_adv).all())
+        self.assertTrue((x_test_adv <= 1).all())
+        self.assertTrue((x_test_adv >= 0).all())
         target = np.argmax(params['y'], axis=1)
         y_pred_adv = np.argmax(tfc.predict(x_test_adv), axis=1)
         self.assertTrue((target == y_pred_adv).all())
@@ -92,6 +141,8 @@ def test_tfclassifier(self):
         params = {'y': random_targets(y_test, tfc.nb_classes)}
         x_test_adv = cl2m.generate(x_test, **params)
         self.assertFalse((x_test == x_test_adv).all())
+        self.assertTrue((x_test_adv <= 1).all())
+        self.assertTrue((x_test_adv >= 0).all())
         target = np.argmax(params['y'], axis=1)
         y_pred_adv = np.argmax(tfc.predict(x_test_adv), axis=1)
         self.assertTrue((target != y_pred_adv).all())
@@ -102,6 +153,8 @@ def test_tfclassifier(self):
         params = {}
         x_test_adv = cl2m.generate(x_test, **params)
         self.assertFalse((x_test == x_test_adv).all())
+        self.assertTrue((x_test_adv <= 1).all())
+        self.assertTrue((x_test_adv >= 0).all())
         y_pred = np.argmax(tfc.predict(x_test), axis=1)
         y_pred_adv = np.argmax(tfc.predict(x_test_adv), axis=1)
         self.assertTrue((y_pred != y_pred_adv).all())
@@ -141,6 +194,8 @@ def test_krclassifier(self):
         params = {'y': random_targets(y_test, krc.nb_classes)}
         x_test_adv = cl2m.generate(x_test, **params)
         self.assertFalse((x_test == x_test_adv).all())
+        self.assertTrue((x_test_adv <= 1).all())
+        self.assertTrue((x_test_adv >= 0).all())
         target = np.argmax(params['y'], axis=1)
         y_pred_adv = np.argmax(krc.predict(x_test_adv), axis=1)
         self.assertTrue((target == y_pred_adv).any())
@@ -151,6 +206,8 @@ def test_krclassifier(self):
         params = {'y': random_targets(y_test, krc.nb_classes)}
         x_test_adv = cl2m.generate(x_test, **params)
         self.assertFalse((x_test == x_test_adv).all())
+        self.assertTrue((x_test_adv <= 1).all())
+        self.assertTrue((x_test_adv >= 0).all())
         target = np.argmax(params['y'], axis=1)
         y_pred_adv = np.argmax(krc.predict(x_test_adv), axis=1)
         self.assertTrue((target != y_pred_adv).all())
@@ -161,6 +218,8 @@ def test_krclassifier(self):
         params = {}
         x_test_adv = cl2m.generate(x_test, **params)
         self.assertFalse((x_test == x_test_adv).all())
+        self.assertTrue((x_test_adv <= 1).all())
+        self.assertTrue((x_test_adv >= 0).all())
         y_pred = np.argmax(krc.predict(x_test), axis=1)
         y_pred_adv = np.argmax(krc.predict(x_test_adv), axis=1)
         self.assertTrue((y_pred != y_pred_adv).any())
@@ -196,6 +255,8 @@ def test_ptclassifier(self):
         params = {'y': random_targets(y_test, ptc.nb_classes)}
         x_test_adv = cl2m.generate(x_test, **params)
         self.assertFalse((x_test == x_test_adv).all())
+        self.assertTrue((x_test_adv <= 1).all())
+        self.assertTrue((x_test_adv >= 0).all())
         target = np.argmax(params['y'], axis=1)
         y_pred_adv = np.argmax(ptc.predict(x_test_adv), axis=1)
         self.assertTrue((target == y_pred_adv).any())
@@ -206,6 +267,8 @@ def test_ptclassifier(self):
         params = {'y': random_targets(y_test, ptc.nb_classes)}
         x_test_adv = cl2m.generate(x_test, **params)
         self.assertFalse((x_test == x_test_adv).all())
+        self.assertTrue((x_test_adv <= 1).all())
+        self.assertTrue((x_test_adv >= 0).all())
         target = np.argmax(params['y'], axis=1)
         y_pred_adv = np.argmax(ptc.predict(x_test_adv), axis=1)
         self.assertTrue((target != y_pred_adv).all())
@@ -216,6 +279,8 @@ def test_ptclassifier(self):
         params = {}
         x_test_adv = cl2m.generate(x_test, **params)
         self.assertFalse((x_test == x_test_adv).all())
+        self.assertTrue((x_test_adv <= 1).all())
+        self.assertTrue((x_test_adv >= 0).all())
         y_pred = np.argmax(ptc.predict(x_test), axis=1)
         y_pred_adv = np.argmax(ptc.predict(x_test_adv), axis=1)
         self.assertTrue((y_pred != y_pred_adv).any())
