If convolutional neural networks are the veteran stars of deep learning, then generative adversarial networks have become the field's bright new star, and they are radically changing the way we perceive the world. Adversarial training provides a new way to teach artificial intelligence to complete complex tasks, and how to use adversarial images to improve the robustness of a system has become a very important research topic.
Neural networks are surprisingly easy to fool: small, carefully crafted perturbations of an input can cause a neural network to misclassify it in any way the attacker chooses. Given that adversarial examples can be carried over into the physical world, this is a security issue that deserves attention. For example, in face recognition, if an adversarial image is recognized as a real person, there are security risks and potentially huge losses. Readers interested in generating adversarial images can follow the recent NIPS adversarial-examples competition on Kaggle.
In this article, we will walk the reader through using TensorFlow to implement a simple algorithm for synthesizing adversarial examples, and then use the same technique to build a robust adversarial example.
import tensorflow as tf
import tensorflow.contrib.slim as slim
import tensorflow.contrib.slim.nets as nets

tf.logging.set_verbosity(tf.logging.ERROR)
sess = tf.InteractiveSession()
First, set up the input image. We use a tf.Variable instead of a tf.placeholder because we need the image to be trainable; we can still feed a value for it when we want to.
image = tf.Variable(tf.zeros((299, 299, 3)))
Next, load the Inception v3 model.
def inception(image, reuse):
    preprocessed = tf.multiply(tf.subtract(tf.expand_dims(image, 0), 0.5), 2.0)
    arg_scope = nets.inception.inception_v3_arg_scope(weight_decay=0.0)
    with slim.arg_scope(arg_scope):
        # `reuse` lets us apply the network again later (e.g. to rotated
        # inputs) while sharing the same weights
        logits, _ = nets.inception.inception_v3(
            preprocessed, 1001, is_training=False, reuse=reuse)
        logits = logits[:, 1:]  # ignore background class
        probs = tf.nn.softmax(logits)  # probabilities
    return logits, probs

logits, probs = inception(image, reuse=False)
Next, load pre-trained weights. The top-5 accuracy of this Inception v3 model is 93.9%.
import tempfile
from urllib.request import urlretrieve
import tarfile
import os

data_dir = tempfile.mkdtemp()
inception_tarball, _ = urlretrieve(
    'http://download.tensorflow.org/models/inception_v3_2016_08_28.tar.gz')
tarfile.open(inception_tarball, 'r:gz').extractall(data_dir)

restore_vars = [
    var for var in tf.global_variables()
    if var.name.startswith('InceptionV3/')
]
saver = tf.train.Saver(restore_vars)
saver.restore(sess, os.path.join(data_dir, 'inception_v3.ckpt'))
Next, write some code to display an image, classify it, and display the classification result.
import json
import matplotlib.pyplot as plt

imagenet_json, _ = urlretrieve(
    'http://www.anishathalye.com/media/2017/07/25/imagenet.json')
with open(imagenet_json) as f:
    imagenet_labels = json.load(f)

def classify(img, correct_class=None, target_class=None):
    fig, (ax1, ax2) = plt.subplots(1, 2, figsize=(10, 8))
    fig.sca(ax1)
    p = sess.run(probs, feed_dict={image: img})[0]
    ax1.imshow(img)
    fig.sca(ax1)

    # show the top-10 classes as a bar chart; color the target class red
    # and the correct class green
    topk = list(p.argsort()[-10:][::-1])
    topprobs = p[topk]
    barlist = ax2.bar(range(10), topprobs)
    if target_class in topk:
        barlist[topk.index(target_class)].set_color('r')
    if correct_class in topk:
        barlist[topk.index(correct_class)].set_color('g')
    plt.sca(ax2)
    plt.ylim([0, 1.1])
    plt.xticks(range(10),
               [imagenet_labels[i][:15] for i in topk],
               rotation='vertical')
    fig.subplots_adjust(bottom=0.2)
    plt.show()
Sample image
Load the sample image and make sure it is classified correctly.
import PIL.Image
import numpy as np

img_path, _ = urlretrieve('http://www.anishathalye.com/media/2017/07/25/cat.jpg')
img_class = 281  # "tabby cat"
img = PIL.Image.open(img_path)

# resize so the short side is 299, then crop a 299x299 square
big_dim = max(img.width, img.height)
wide = img.width > img.height
new_w = 299 if not wide else int(img.width * 299 / img.height)
new_h = 299 if wide else int(img.height * 299 / img.width)
img = img.resize((new_w, new_h)).crop((0, 0, 299, 299))
img = (np.asarray(img) / 255.0).astype(np.float32)

classify(img, correct_class=img_class)
Adversarial examples
Given an image x, a neural network outputs a probability distribution over labels, P(y | x). When crafting an adversarial input, we want to find an x′ that maximizes log P(y′ | x′) for a chosen target label y′, so that the input is misclassified as the target class. By constraining x′ to an ℓ∞ box of radius ε, that is, requiring ‖x′ − x‖∞ ≤ ε, we can make sure that x′ does not look too different from the original x.
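Written out as an optimization problem, we are solving:

maximize   log P(y′ | x′)   over x′
subject to ‖x′ − x‖∞ ≤ ε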
In this framework, we can solve the problem using backpropagation and projected gradient descent, basically the same techniques that are used to train the network itself. The algorithm is simple:
First, initialize the adversarial example as x′ ← x. Then, repeat the following until convergence:
1. x′ ← x′ + α·∇ log P(y′ | x′)
2. x′ ← clip(x′, x − ε, x + ε)
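To make these two steps concrete, here is a minimal NumPy sketch of the loop, where grad_log_prob is a hypothetical stand-in for backpropagating ∇ log P(y′ | x′) through the real network:

import numpy as np

def pgd(x, grad_log_prob, alpha, epsilon, steps):
    x_adv = x.copy()                                      # x' <- x
    for _ in range(steps):
        x_adv = x_adv + alpha * grad_log_prob(x_adv)      # ascent on log P(y'|x')
        x_adv = np.clip(x_adv, x - epsilon, x + epsilon)  # project into the eps-box
        x_adv = np.clip(x_adv, 0.0, 1.0)                  # keep the image valid
    return x_adv

The TensorFlow implementation below follows exactly this structure, with the clipping to [0, 1] handled in the projection step.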
Initialization
Start with the simplest part: write a TensorFlow op for the initialization.
x = tf.placeholder(tf.float32, (299, 299, 3))

x_hat = image  # our trainable adversarial input
assign_op = tf.assign(x_hat, x)
Gradient descent step
Next, write a gradient descent step that maximizes the log probability of the target class (or, equivalently, minimizes the cross entropy).
learning_rate = tf.placeholder(tf.float32, ())
y_hat = tf.placeholder(tf.int32, ())

labels = tf.one_hot(y_hat, 1000)
loss = tf.nn.softmax_cross_entropy_with_logits(logits=logits, labels=[labels])
optim_step = tf.train.GradientDescentOptimizer(
    learning_rate).minimize(loss, var_list=[x_hat])
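Note that minimize() here is just shorthand for computing the gradient with respect to x_hat and applying it. A spelled-out equivalent (a sketch with the same behavior, not from the original code) makes it clear that only the input receives gradients, while the network weights stay frozen:

# equivalent to the minimize() call above: take d(loss)/d(x_hat) only,
# leaving all network weights untouched
grads = tf.gradients(loss, [x_hat])
optim_step = tf.train.GradientDescentOptimizer(
    learning_rate).apply_gradients(list(zip(grads, [x_hat])))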
Projection step
Finally, write the projection step to keep the adversarial example visually close to the original image. In addition, clip to [0, 1] so it remains a valid image.
epsilon = tf.placeholder(tf.float32, ())

below = x - epsilon
above = x + epsilon
projected = tf.clip_by_value(tf.clip_by_value(x_hat, below, above), 0, 1)
with tf.control_dependencies([projected]):
    project_step = tf.assign(x_hat, projected)
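To see what the nested clipping does, here is a tiny NumPy analogue with made-up pixel values (an illustrative sketch, not part of the original code): the inner clip projects x_hat into the ε-box around x, and the outer clip keeps every pixel inside the valid [0, 1] range.

import numpy as np

x0 = np.array([0.20, 0.95])   # two original pixel values
xh = np.array([0.50, 1.30])   # the same pixels after a gradient step
eps = 0.10
proj = np.clip(np.clip(xh, x0 - eps, x0 + eps), 0.0, 1.0)
print(proj)  # [0.3, 1.0]: pulled back into the box, then into [0, 1]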
Execution
Finally, we're ready to synthesize an adversarial example. We arbitrarily choose "guacamole" (ImageNet class 924) as our target class.
demo_epsilon = 2.0/255.0  # a really small perturbation
demo_lr = 1e-1
demo_steps = 100
demo_target = 924  # "guacamole"

# initialization step
sess.run(assign_op, feed_dict={x: img})

# projected gradient descent
for i in range(demo_steps):
    # gradient descent step
    _, loss_value = sess.run(
        [optim_step, loss],
        feed_dict={learning_rate: demo_lr, y_hat: demo_target})
    # project step
    sess.run(project_step, feed_dict={x: img, epsilon: demo_epsilon})
    if (i+1) % 10 == 0:
        print('step %d, loss=%g' % (i+1, loss_value))
adv = x_hat.eval()  # retrieve the adversarial example

step 10, loss=4.18923
step 20, loss=0.580237
step 30, loss=0.0322334
step 40, loss=0.0209522
step 50, loss=0.0159688
step 60, loss=0.0134457
step 70, loss=0.0117799
step 80, loss=0.0105757
step 90, loss=0.00962179
step 100, loss=0.00886694
This adversarial image is visually indistinguishable from the original, with no visible artificial processing, yet it is classified as "guacamole" with high probability.
classify(adv, correct_class=img_class, target_class=demo_target)
Robust adversarial examples
Now let's look at a more advanced example. We follow an approach for synthesizing robust adversarial examples: we look for a single perturbation of the cat image that is simultaneously adversarial under some chosen distribution of transformations. Any distribution of differentiable transformations could be used; in this article, we synthesize a single adversarial input that is robust to rotation by θ ∈ [−π/4, π/4].
Before continuing, let's check whether the previous adversarial example is still adversarial when rotated, say by an angle of θ = π/8.
ex_angle = np.pi/8

angle = tf.placeholder(tf.float32, ())
rotated_image = tf.contrib.image.rotate(image, angle)
rotated_example = rotated_image.eval(feed_dict={image: adv, angle: ex_angle})
classify(rotated_example, correct_class=img_class, target_class=demo_target)
It seems that the adversarial example we generated earlier does not survive rotation!
So how do we make an adversarial example robust to a distribution of transformations? Given a distribution of transformations T, we can maximize E_{t∼T} log P(y′ | t(x′)), subject to the constraint ‖x′ − x‖∞ ≤ ε. This optimization problem can still be solved with projected gradient descent, noting that ∇ E_{t∼T} log P(y′ | t(x′)) is equal to E_{t∼T} ∇ log P(y′ | t(x′)), and approximating the expectation with samples at each gradient descent step.
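Concretely, at each gradient descent step we replace the expected gradient with an average over n sampled transformations t₁, …, tₙ drawn from T:

∇ E_{t∼T} log P(y′ | t(x′)) ≈ (1/n) Σᵢ ∇ log P(y′ | tᵢ(x′))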
Rather than manually implementing the gradient sampling, we can use a trick to get TensorFlow to do it for us: we can model the sampling-based gradient descent as gradient descent over an ensemble of stochastic classifiers, where each classifier randomly draws a transformation from the distribution and applies it to its input before classifying it.
num_samples = 10
average_loss = 0
for i in range(num_samples):
    rotated = tf.contrib.image.rotate(
        image, tf.random_uniform((), minval=-np.pi/4, maxval=np.pi/4))
    rotated_logits, _ = inception(rotated, reuse=True)
    average_loss += tf.nn.softmax_cross_entropy_with_logits(
        logits=rotated_logits, labels=labels) / num_samples
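Because tf.random_uniform draws fresh angles every time the graph is evaluated, these num_samples fixed graph nodes produce new Monte Carlo samples of the gradient at every optimization step rather than a frozen ensemble. A quick way to observe this (an illustrative check, not part of the original code):

# two evaluations of the same tensor use different random rotations,
# so the printed losses differ
print(average_loss.eval(feed_dict={y_hat: demo_target}))
print(average_loss.eval(feed_dict={y_hat: demo_target}))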
We can reuse the assign_op and project_step from before, but we need to write a new optim_step for this new objective.
optim_step = tf.train.GradientDescentOptimizer(
    learning_rate).minimize(average_loss, var_list=[x_hat])
Finally, we're ready to run PGD to generate our robust adversarial input. As in the previous example, we choose "guacamole" as the target class.
demo_epsilon = 8.0/255.0  # still a pretty small perturbation
demo_lr = 2e-1
demo_steps = 250
demo_target = 924  # "guacamole"

# initialization step
sess.run(assign_op, feed_dict={x: img})

# projected gradient descent
for i in range(demo_steps):
    # gradient descent step
    _, loss_value = sess.run(
        [optim_step, average_loss],
        feed_dict={learning_rate: demo_lr, y_hat: demo_target})
    # project step
    sess.run(project_step, feed_dict={x: img, epsilon: demo_epsilon})
    if (i+1) % 50 == 0:
        print('step %d, loss=%g' % (i+1, loss_value))
adv_robust = x_hat.eval()  # retrieve the adversarial example

step 50, loss=0.0804289
step 100, loss=0.00771527
step 150, loss=0.00350717
step 200, loss=0.00656128
step 250, loss=0.00226182
This adversarial image is classified as "guacamole" with high confidence, even when it is rotated!
rotated_example = rotated_image.eval(feed_dict={image: adv_robust, angle: ex_angle})
classify(rotated_example, correct_class=img_class, target_class=demo_target)
Let's examine the rotation invariance of the robust adversarial example across the whole range of angles, plotting P(y′ | x′) for θ ∈ [−π/4, π/4].
thetas = np.linspace(-np.pi/4, np.pi/4, 301)

p_naive = []
p_robust = []
for theta in thetas:
    rotated = rotated_image.eval(feed_dict={image: adv_robust, angle: theta})
    p_robust.append(probs.eval(feed_dict={image: rotated})[0][demo_target])

    rotated = rotated_image.eval(feed_dict={image: adv, angle: theta})
    p_naive.append(probs.eval(feed_dict={image: rotated})[0][demo_target])

robust_line, = plt.plot(thetas, p_robust, color='b', linewidth=2, label='robust')
naive_line, = plt.plot(thetas, p_naive, color='r', linewidth=2, label='naive')
plt.ylim([0, 1.05])
plt.xlabel('rotation angle')
plt.ylabel('target class probability')
plt.legend(handles=[robust_line, naive_line], loc='lower right')
plt.show()
As the blue curve in the plot shows, the robust adversarial example keeps a high target-class probability across the entire range of rotation angles, while the naive example (red) fails as soon as the image is rotated.
Original link:
http://www.anishathalye.com/2017/07/25/synthesizing-adversarial-examples/