hummingbird
/
mindarmour
Not watched
2
0
Fork 0
Code
Releases 17 Wiki Activity
Issues 0 Pull Requests 0 Datasets Model Cloudbrain
You can not select more than 25 topics Topics must start with a chinese character,a letter or number, can include dashes ('-') and can be up to 35 characters long.
Tree: dd93d2d008
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'dd93d2d008'
${ noResults }
mindarmour/mindarmour/detectors/mag_net.py

229 lines
8.2 kB
Raw Blame History 

  1. # Copyright 2019 Huawei Technologies Co., Ltd

  2. #

  3. # Licensed under the Apache License, Version 2.0 (the "License");

  4. # you may not use this file except in compliance with the License.

  5. # You may obtain a copy of the License at

  6. #

  7. # http://www.apache.org/licenses/LICENSE-2.0

  8. #

  9. # Unless required by applicable law or agreed to in writing, software

  10. # distributed under the License is distributed on an "AS IS" BASIS,

  11. # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  12. # See the License for the specific language governing permissions and

  13. # limitations under the License.

  14. """

  15. Error-Based detector.

  16. """

  17. import numpy as np

  18. from scipy import stats

  19. from scipy.special import softmax

  20. 

  21. from mindspore import Tensor

  22. from mindspore import Model

  23. 

  24. from mindarmour.detectors.detector import Detector

  25. from mindarmour.utils.logger import LogUtil

  26. from mindarmour.utils._check_param import check_numpy_param, check_model, \

  27.     check_param_in_range, check_param_multi_types, check_int_positive, \

  28.     check_value_positive

  29. 

  30. LOGGER = LogUtil.get_instance()

  31. TAG = 'MagNet'

  32. 

  33. 

  34. class ErrorBasedDetector(Detector):

  35.     """

  36.     The detector reconstructs input samples, measures reconstruction errors and

  37.     rejects samples with large reconstruction errors.

  38. 

  39.     Reference: `MagNet: a Two-Pronged Defense against Adversarial Examples,

  40.     by Dongyu Meng and Hao Chen, at CCS 2017.

  41.     <https://arxiv.org/abs/1705.09064>`_

  42. 

  43.     Args:

  44.         auto_encoder (Model): An (trained) auto encoder which

  45.             represents the input by reduced encoding.

  46.         false_positive_rate (float): Detector's false positive rate.

  47.             Default: 0.01.

  48.         bounds (tuple): (clip_min, clip_max). Default: (0.0, 1.0).

  49. 

  50.     """

  51. 

  52.     def __init__(self, auto_encoder, false_positive_rate=0.01,

  53.                  bounds=(0.0, 1.0)):

  54.         super(ErrorBasedDetector, self).__init__()

  55.         self._auto_encoder = check_model('auto_encoder', auto_encoder, Model)

  56.         self._false_positive_rate = check_param_in_range('false_positive_rate',

  57.                                                          false_positive_rate,

  58.                                                          0, 1)

  59.         self._threshold = 0.0

  60.         self._bounds = check_param_multi_types('bounds', bounds, [list, tuple])

  61.         for b in self._bounds:

  62.             _ = check_param_multi_types('bound', b, [int, float])

  63. 

  64.     def fit(self, inputs, labels=None):

  65.         """

  66.         Find a threshold for a given dataset to distinguish adversarial examples.

  67. 

  68.         Args:

  69.             inputs (numpy.ndarray): Input samples.

  70.             labels (numpy.ndarray): Labels of input samples. Default: None.

  71. 

  72.         Returns:

  73.             float, threshold to distinguish adversarial samples from benign ones.

  74.         """

  75.         inputs = check_numpy_param('inputs', inputs)

  76. 

  77.         marks = self.detect_diff(inputs)

  78.         num = int(inputs.shape[0]*self._false_positive_rate)

  79.         marks = np.sort(marks)

  80.         if num <= len(marks):

  81.             self._threshold = marks[-num]

  82.         return self._threshold

  83. 

  84.     def detect(self, inputs):

  85.         """

  86.         Detect if input samples are adversarial or not.

  87. 

  88.         Args:

  89.             inputs (numpy.ndarray): Suspicious samples to be judged.

  90. 

  91.         Returns:

  92.             list[int], whether a sample is adversarial. if res[i]=1, then the

  93.             input sample with index i is adversarial.

  94.         """

  95.         inputs = check_numpy_param('inputs', inputs)

  96.         dist = self.detect_diff(inputs)

  97.         res = [0]*len(dist)

  98.         for i, elem in enumerate(dist):

  99.             if elem > self._threshold:

  100.                 res[i] = 1

  101.         return res

  102. 

  103.     def detect_diff(self, inputs):

  104.         """

  105.         Detect the distance between the original samples and reconstructed samples.

  106. 

  107.         Args:

  108.             inputs (numpy.ndarray): Input samples.

  109. 

  110.         Returns:

  111.             float, the distance between reconstructed and original samples.

  112.         """

  113.         inputs = check_numpy_param('inputs', inputs)

  114.         x_trans = self._auto_encoder.predict(Tensor(inputs))

  115.         diff = np.abs(inputs - x_trans.asnumpy())

  116.         dims = tuple(np.arange(len(inputs.shape))[1:])

  117.         marks = np.mean(np.power(diff, 2), axis=dims)

  118.         return marks

  119. 

  120.     def transform(self, inputs):

  121.         """

  122.         Reconstruct input samples.

  123. 

  124.         Args:

  125.             inputs (numpy.ndarray): Input samples.

  126. 

  127.         Returns:

  128.             numpy.ndarray, reconstructed images.

  129.         """

  130.         inputs = check_numpy_param('inputs', inputs)

  131.         x_trans = self._auto_encoder.predict(Tensor(inputs))

  132.         if self._bounds is not None:

  133.             clip_min, clip_max = self._bounds

  134.             x_trans = np.clip(x_trans.asnumpy(), clip_min, clip_max)

  135.         return x_trans

  136. 

  137.     def set_threshold(self, threshold):

  138.         """

  139.         Set the parameters threshold.

  140. 

  141.         Args:

  142.             threshold (float): Detection threshold. Default: None.

  143.         """

  144.         self._threshold = check_value_positive('threshold', threshold)

  145. 

  146. 

  147. class DivergenceBasedDetector(ErrorBasedDetector):

  148.     """

  149.     This class implement a divergence-based detector.

  150. 

  151.     Reference: `MagNet: a Two-Pronged Defense against Adversarial Examples,

  152.     by Dongyu Meng and Hao Chen, at CCS 2017.

  153.     <https://arxiv.org/abs/1705.09064>`_

  154. 

  155.     Args:

  156.         auto_encoder (Model): Encoder model.

  157.         model (Model): Targeted model.

  158.         option (str): Method used to calculate Divergence. Default: "jsd".

  159.         t (int): Temperature used to overcome numerical problem. Default: 1.

  160.         bounds (tuple): Upper and lower bounds of data.

  161.             In form of (clip_min, clip_max). Default: (0.0, 1.0).

  162.     """

  163. 

  164.     def __init__(self, auto_encoder, model, option="jsd",

  165.                  t=1, bounds=(0.0, 1.0)):

  166.         super(DivergenceBasedDetector, self).__init__(auto_encoder,

  167.                                                       bounds=bounds)

  168.         self._auto_encoder = auto_encoder

  169.         self._model = check_model('targeted model', model, Model)

  170.         self._threshold = 0.0

  171.         self._option = option

  172.         self._t = check_int_positive('t', t)

  173.         self._bounds = check_param_multi_types('bounds', bounds, [tuple, list])

  174.         for b in self._bounds:

  175.             _ = check_param_multi_types('bound', b, [int, float])

  176. 

  177.     def detect_diff(self, inputs):

  178.         """

  179.         Detect the distance between original samples and reconstructed samples.

  180. 

  181.         The distance is calculated by JSD.

  182. 

  183.         Args:

  184.             inputs (numpy.ndarray): Input samples.

  185. 

  186.         Returns:

  187.              float, the distance.

  188. 

  189.         Raises:

  190.             NotImplementedError: If the param `option` is not supported.

  191.         """

  192.         inputs = check_numpy_param('inputs', inputs)

  193.         x_len = inputs.shape[0]

  194.         x_transformed = self._auto_encoder.predict(Tensor(inputs))

  195.         x_origin = self._model.predict(Tensor(inputs))

  196.         x_trans = self._model.predict(x_transformed)

  197. 

  198.         y_pred = softmax(x_origin.asnumpy() / self._t, axis=1)

  199.         y_trans_pred = softmax(x_trans.asnumpy() / self._t, axis=1)

  200. 

  201.         if self._option == 'jsd':

  202.             marks = [_jsd(y_pred[i], y_trans_pred[i]) for i in range(x_len)]

  203.         else:

  204.             msg = '{} is not implemented.'.format(self._option)

  205.             LOGGER.error(TAG, msg)

  206.             raise NotImplementedError(msg)

  207.         return np.array(marks)

  208. 

  209. 

  210. def _jsd(prob_dist_p, prob_dist_q):

  211.     """

  212.     Compute the Jensen-Shannon Divergence between two probability distributions

  213.         with equal weights.

  214. 

  215.     Args:

  216.         prob_dist_p (numpy.ndarray): Probability distribution p.

  217.         prob_dist_q (numpy.ndarray): Probability distribution q.

  218. 

  219.     Returns:

  220.         float, the Jensen-Shannon Divergence.

  221.     """

  222.     prob_dist_p = check_numpy_param('prob_dist_p', prob_dist_p)

  223.     prob_dist_q = check_numpy_param('prob_dist_q', prob_dist_q)

  224.     norm_dist_p = prob_dist_p / (np.linalg.norm(prob_dist_p, ord=1) + 1e-12)

  225.     norm_dist_q = prob_dist_q / (np.linalg.norm(prob_dist_q, ord=1) + 1e-12)

  226.     norm_mean = 0.5*(norm_dist_p + norm_dist_q)

  227.     return 0.5*(stats.entropy(norm_dist_p, norm_mean)

  228.                 + stats.entropy(norm_dist_q, norm_mean))