
Algorithms | Four adversarial image crafting algorithms implemented in Tensorflow

2017-05-15 Global Artificial Intelligence (全球人工智能)



Source: Github


Four adversarial image crafting algorithms are implemented with Tensorflow. The four attacking algorithms can be found in the attacks folder. The implementation adheres to the tensor-in, tensor-out principle: each function returns a Tensorflow operation that can be run through sess.run(...).


API:

  • Fast Gradient Sign Method (FGSM) basic/iterative

    fgsm(model, x, eps=0.01, epochs=1, clip_min=0.0, clip_max=1.0)


https://arxiv.org/abs/1412.6572/

https://arxiv.org/abs/1607.02533


  • Target class Gradient Sign Method (TGSM)

    tgsm(model, x, y=None, eps=0.01, epochs=1, clip_min=0.0, clip_max=1.0)

  1. When y=None, this implements the least-likely class method.

  2. If y is an integer or a list of integers, the source image is modified towards label y.


https://arxiv.org/abs/1607.02533


  • Jacobian-based Saliency Map Approach (JSMA)

    jsma(model, x, y, epochs=1.0, eps=1., clip_min=0.0, clip_max=1.0, pair=False, min_proba=0.0)

    y is the target label; it can be an integer or a list. When epochs is a floating-point number in the range [0, 1], it denotes the maximum percentage distortion allowed, and the number of epochs is deduced automatically. min_proba denotes the minimum confidence of the target image. If pair=True, two pixels are modified at a time.


https://arxiv.org/abs/1511.07528


  • Saliency map difference approach (SMDA)

    smda(model, x, y, epochs=1.0, eps=1., clip_min=0.0, clip_max=1.0, min_proba=0.0)

    The interface is the same as jsma. This algorithm differs from JSMA in how the saliency score is calculated. In JSMA, the saliency score is calculated as dt/dx * (-do/dx), while in SMDA the saliency score is dt/dx - do/dx, thus the name “saliency map difference”.


The model

Notice that we have model as the first parameter for every method. The model is a wrapper function. It should have the following signature:


def model(x, logits=False):
    # x is the input to the network, usually a tensorflow placeholder
    y = your_model(x)
    logits_ = ...               # get the logits before softmax
    if logits:
        # return the pre-softmax logits (logits_), not the boolean flag
        return y, logits_
    return y


We need the logits because some algorithms (FGSM and TGSM) rely on the logits to compute the loss.
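The gradient-sign update behind fgsm, with the same eps, epochs, clip_min and clip_max parameters, shown as an added example for robustness testing of your own model (it is not code from the repository). The toy linear softmax model and its weights, the analytic gradient, the use of the clean prediction as the label, and the names fgsm_toy and robustness_report are all assumptions made for this illustration.

```python
import math

# Constructed toy model: 3-class linear softmax over a 4-"pixel" input.
W = [[1.0, -0.5, 0.2, 0.0],
     [-0.3, 0.8, -0.1, 0.4],
     [0.1, 0.1, 0.6, -0.7]]
B = [0.0, 0.1, -0.1]


def model(x, logits=False):
    """Wrapper with the signature the page describes, for the toy model."""
    logits_ = [sum(w * v for w, v in zip(row, x)) + b for row, b in zip(W, B)]
    m = max(logits_)
    exps = [math.exp(z - m) for z in logits_]
    y = [e / sum(exps) for e in exps]
    return (y, logits_) if logits else y


def loss_and_grad(x, label):
    """Cross-entropy against `label` and its gradient w.r.t. the input."""
    y = model(x)
    err = [p - (k == label) for k, p in enumerate(y)]  # dL/dlogits
    grad = [sum(err[k] * W[k][i] for k in range(len(W))) for i in range(len(x))]
    return -math.log(y[label]), grad


def fgsm_toy(x, eps=0.01, epochs=1, clip_min=0.0, clip_max=1.0):
    """Iterative gradient-sign step; hypothetical stand-in for fgsm()."""
    y = model(x)
    label = y.index(max(y))  # assumption: clean prediction is the label
    x_adv = list(x)
    for _ in range(epochs):
        _, grad = loss_and_grad(x_adv, label)
        step = [eps * ((g > 0) - (g < 0)) for g in grad]
        x_adv = [min(clip_max, max(clip_min, v + s)) for v, s in zip(x_adv, step)]
    return x_adv, label


def robustness_report(x, eps, epochs):
    """What a defender checks: budget respected, loss change, label flip."""
    x_adv, label = fgsm_toy(x, eps=eps, epochs=epochs)
    y_adv = model(x_adv)
    return {
        "linf": max(abs(a - b) for a, b in zip(x_adv, x)),
        "loss_clean": loss_and_grad(x, label)[0],
        "loss_adv": loss_and_grad(x_adv, label)[0],
        "label_kept": y_adv.index(max(y_adv)) == label,
    }
```

The total L-infinity distortion is bounded by eps * epochs, so sweeping these two parameters in robustness_report gives the smallest budget at which the model's prediction stops holding.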


How to Use

The implementation of each attacking method is self-contained and depends only on tensorflow. Copy the attacking method file to the same folder as your source code and import it.


The implementation should work on any framework that is compatible with Tensorflow. I provide example code for Tensorflow and Keras in the folders tf_example and keras_example, respectively. Each code example is also self-contained.


https://github.com/gongzhitaao/tensorflow-adversarial/blob/master/tf_example

https://github.com/gongzhitaao/tensorflow-adversarial/blob/master/keras_example


Example code with the same file name implements the same function. For example, tf_example/ex_00.py and keras_example/ex_00.py implement exactly the same function; the only difference is that the former uses the Tensorflow platform while the latter uses the Keras platform.


https://github.com/gongzhitaao/tensorflow-adversarial/blob/master/tf_example/ex_00.py

https://github.com/gongzhitaao/tensorflow-adversarial/blob/master/keras_example/ex_00.py


Results

  • ex_00.py trains a simple CNN on MNIST, then crafts adversarial samples from test data via FGSM. The original labels for the following digits are 0 through 9, and the predicted label with its probability is shown below each digit.



  • ex_01.py creates cross-label adversarial images via the saliency map approach (JSMA). For each row, the digit in the green box is the clean image. Other images on the same row are created from it.




  • ex_02.py creates cross-label adversarial images via the target class gradient sign method (TGSM).




  • ex_03.py creates digits from blank images via the saliency difference algorithm (SMDA).

    These images look weird. And I have no idea why I could not reproduce the result in the original paper. My guess is that

      1. either my model is too simple to catch the features of the dataset, or

      2. there is a flaw in my implementation.

    However, various experiments seem to suggest that my implementation works properly. I have to try more examples to figure out what is going wrong here.


  • ex_04.py creates digits from blank images via the paired saliency map algorithm, i.e., modifying two pixels at a time (refer to the original paper for the rationale: http://arxiv.org/abs/1511.07528).



  • ex_05.py trains a simple CNN on MNIST and then crafts adversarial samples via LLCM. The original labels for the following digits are 0 through 9, and the predicted label with its probability is shown below each digit.



  • ex_06.py trains a CNN on CIFAR10 and then crafts adversarial images via FGSM.



Related Work

  • openai/cleverhans

https://github.com/openai/cleverhans


