secml.adv.attacks.evasion
CAttackEvasion
class secml.adv.attacks.evasion.c_attack_evasion.CAttackEvasion(classifier, y_target=None, attack_classes='all')
Bases: secml.adv.attacks.c_attack.CAttack
Interface class for evasion and poisoning attacks.
- Parameters
- classifier : CClassifier
Target classifier (trained).
- y_target : int or None, optional
If None, an error-generic attack will be performed; otherwise an error-specific attack is performed to have the samples misclassified as belonging to the y_target class.
- attack_classes : 'all' or CArray, optional
Array with the classes that can be manipulated by the attacker, or 'all' (default) if all classes can be manipulated.
- Attributes
attack_classes
class_type: Defines class type.
classifier: Returns classifier.
f_eval: Returns the number of function evaluations made during the attack.
f_opt: Returns the value of the objective function evaluated on the optimal point found by the attack.
f_seq: Returns a CArray containing the values of the objective function evaluations made by the attack.
grad_eval: Returns the number of gradient evaluations made during the attack.
logger: Logger for current object.
verbose: Verbosity level of logger output.
x_opt: Returns the optimal point found by the attack.
x_seq: Returns a CArray (number of iterations * number of features) containing the values of the attack point path.
y_target
Methods
copy(self): Returns a shallow copy of current class.
create([class_item]): This method creates an instance of a class with given type.
deepcopy(self): Returns a deep copy of current class.
get_class_from_type(class_type): Return the class associated with input type.
get_params(self): Returns the dictionary of class hyperparameters.
get_state(self, **kwargs): Returns the object state dictionary.
get_subclasses(): Get all the subclasses of the calling class.
is_attack_class(self, y): Returns True/False if the input class can be attacked.
list_class_types(): This method lists all types of available subclasses of calling one.
load(path): Loads object from file.
load_state(self, path): Sets the object state from file.
objective_function(self, x): Objective function.
objective_function_gradient(self, x): Gradient of the objective function.
run(self, x, y[, ds_init]): Runs evasion on a dataset.
save(self, path): Save class object to file.
save_state(self, path, **kwargs): Store the object state to file.
set(self, param_name, param_value[, copy]): Set a parameter of the class.
set_params(self, params_dict[, copy]): Set all parameters passed as a dictionary {key: value}.
set_state(self, state_dict[, copy]): Sets the object state using input dictionary.
timed([msg]): Timer decorator.
property attack_classes
is_attack_class(self, y)
Returns True/False if the input class can be attacked.
- Parameters
- y : int or CArray
CArray or single label of the class to be checked.
- Returns
- bool or CArray
True if class y can be manipulated by the attacker, False otherwise. If CArray, a True/False value for each input label will be returned.
abstract objective_function(self, x)
Objective function.
- Parameters
- x : CArray or CDataset
- Returns
- f_obj : float or CArray of floats
run(self, x, y, ds_init=None)
Runs evasion on a dataset.
- Parameters
- x : CArray
Data points.
- y : CArray
True labels.
- ds_init : CDataset
Dataset for warm starts.
- Returns
- y_pred : CArray
Predicted labels for all ds samples by target classifier.
- scores : CArray
Scores for all ds samples by target classifier.
- adv_ds : CDataset
Dataset of manipulated samples.
- f_obj : float
Mean value of the objective function computed on each data point.
property y_target
CAttackEvasionPGD
class secml.adv.attacks.evasion.c_attack_evasion_pgd.CAttackEvasionPGD(classifier, double_init_ds=None, double_init=True, distance='l1', dmax=0, lb=0, ub=1, y_target=None, attack_classes='all', solver_params=None)
Bases: secml.adv.attacks.evasion.c_attack_evasion_pgd_ls.CAttackEvasionPGDLS
Evasion attacks using Projected Gradient Descent.
This class implements the maximum-confidence evasion attacks proposed in:
https://arxiv.org/abs/1708.06939, ICCV W. ViPAR, 2017.
This is the multi-class extension of our original work in:
https://arxiv.org/abs/1708.06131, ECML 2013, implemented using a standard projected gradient solver.
It can also be used on sparse, high-dimensional feature spaces, using an L1 constraint on the manipulation of samples to preserve sparsity, as we did for crafting adversarial Android malware in:
https://arxiv.org/abs/1704.08996, IEEE TDSC 2017.
For more on evasion attacks, see also:
https://arxiv.org/abs/1809.02861, USENIX Sec. 2019
https://arxiv.org/abs/1712.03141, Patt. Rec. 2018
- Parameters
- classifier : CClassifier
Target classifier.
- double_init_ds : CDataset or None, optional
Dataset used to initialize an alternative init point (double init).
- double_init : bool, optional
If True (default), use a double initialization point. Requires double_init_ds not to be None.
- distance : {'l1' or 'l2'}, optional
Norm to use for computing the distance of the adversarial example from the original sample. Default 'l2'.
- dmax : scalar, optional
Maximum value of the perturbation. Default 1.
- lb, ub : int or CArray, optional
Lower/Upper bounds. If int, the same bound will be applied to all the features. If CArray, a different bound can be specified for each feature. Default lb = 0, ub = 1.
- y_target : int or None, optional
If None, an error-generic attack will be performed; otherwise an error-specific attack is performed to have the samples misclassified as belonging to the y_target class.
- attack_classes : 'all' or CArray, optional
Array with the classes that can be manipulated by the attacker, or 'all' (default) if all classes can be manipulated.
- solver_params : dict or None, optional
Parameters for the solver. Default None, meaning that default parameters will be used. See COptimizerPGD for more information.
- Attributes
class_type: 'e-pgd'. Defines class type.
Methods
copy(self): Returns a shallow copy of current class.
create([class_item]): This method creates an instance of a class with given type.
deepcopy(self): Returns a deep copy of current class.
get_class_from_type(class_type): Return the class associated with input type.
get_params(self): Returns the dictionary of class hyperparameters.
get_state(self, **kwargs): Returns the object state dictionary.
get_subclasses(): Get all the subclasses of the calling class.
is_attack_class(self, y): Returns True/False if the input class can be attacked.
list_class_types(): This method lists all types of available subclasses of calling one.
load(path): Loads object from file.
load_state(self, path): Sets the object state from file.
objective_function(self, x): Compute the objective function of the evasion attack.
objective_function_gradient(self, x): Compute the gradient of the evasion objective function.
run(self, x, y[, ds_init]): Runs evasion on a dataset.
save(self, path): Save class object to file.
save_state(self, path, **kwargs): Store the object state to file.
set(self, param_name, param_value[, copy]): Set a parameter of the class.
set_params(self, params_dict[, copy]): Set all parameters passed as a dictionary {key: value}.
set_state(self, state_dict[, copy]): Sets the object state using input dictionary.
timed([msg]): Timer decorator.
CAttackEvasionPGDLS
class secml.adv.attacks.evasion.c_attack_evasion_pgd_ls.CAttackEvasionPGDLS(classifier, double_init_ds=None, double_init=True, distance='l1', dmax=0, lb=0, ub=1, y_target=None, attack_classes='all', solver_params=None)
Bases: secml.adv.attacks.evasion.c_attack_evasion.CAttackEvasion, secml.adv.attacks.c_attack_mixin.CAttackMixin
Evasion attacks using Projected Gradient Descent with Line Search.
This class implements the maximum-confidence evasion attacks proposed in:
https://arxiv.org/abs/1708.06939, ICCV W. ViPAR, 2017.
This is the multi-class extension of our original work in:
https://arxiv.org/abs/1708.06131, ECML 2013,
implemented using a custom projected gradient solver that uses line search in each iteration to save gradient computations and speed up the attack.
It can also be used on sparse, high-dimensional feature spaces, using an L1 constraint on the manipulation of samples to preserve sparsity, as we did for crafting adversarial Android malware in:
https://arxiv.org/abs/1704.08996, IEEE TDSC 2017.
For more on evasion attacks, see also:
https://arxiv.org/abs/1809.02861, USENIX Sec. 2019
https://arxiv.org/abs/1712.03141, Patt. Rec. 2018
- Parameters
- classifier : CClassifier
Target classifier.
- double_init_ds : CDataset or None, optional
Dataset used to initialize an alternative init point (double init).
- double_init : bool, optional
If True (default), use a double initialization point. Requires double_init_ds not to be None.
- distance : {'l1' or 'l2'}, optional
Norm to use for computing the distance of the adversarial example from the original sample. Default 'l2'.
- dmax : scalar, optional
Maximum value of the perturbation. Default 1.
- lb, ub : int or CArray, optional
Lower/Upper bounds. If int, the same bound will be applied to all the features. If CArray, a different bound can be specified for each feature. Default lb = 0, ub = 1.
- y_target : int or None, optional
If None, an error-generic attack will be performed; otherwise an error-specific attack is performed to have the samples misclassified as belonging to the y_target class.
- attack_classes : 'all' or CArray, optional
Array with the classes that can be manipulated by the attacker, or 'all' (default) if all classes can be manipulated.
- solver_params : dict or None, optional
Parameters for the solver. Default None, meaning that default parameters will be used. See COptimizerPGDLS for more information.
- Attributes
class_type: 'e-pgd-ls'. Defines class type.
Methods
copy(self): Returns a shallow copy of current class.
create([class_item]): This method creates an instance of a class with given type.
deepcopy(self): Returns a deep copy of current class.
get_class_from_type(class_type): Return the class associated with input type.
get_params(self): Returns the dictionary of class hyperparameters.
get_state(self, **kwargs): Returns the object state dictionary.
get_subclasses(): Get all the subclasses of the calling class.
is_attack_class(self, y): Returns True/False if the input class can be attacked.
list_class_types(): This method lists all types of available subclasses of calling one.
load(path): Loads object from file.
load_state(self, path): Sets the object state from file.
objective_function(self, x): Compute the objective function of the evasion attack.
objective_function_gradient(self, x): Compute the gradient of the evasion objective function.
run(self, x, y[, ds_init]): Runs evasion on a dataset.
save(self, path): Save class object to file.
save_state(self, path, **kwargs): Store the object state to file.
set(self, param_name, param_value[, copy]): Set a parameter of the class.
set_params(self, params_dict[, copy]): Set all parameters passed as a dictionary {key: value}.
set_state(self, state_dict[, copy]): Sets the object state using input dictionary.
timed([msg]): Timer decorator.
property double_init
property double_init_ds
Returns the CDataset used for the double initialization.
objective_function(self, x)
Compute the objective function of the evasion attack.
The objective function is:
- for error-generic attack:
min f_obj(x) = f_{k|o (if the sample is rejected)}(x) - argmax_{(c != k) and (c != o)} f_c(x), where k is the true class, o is the reject class and c is the competing class, which is the class with the maximum score, and can be neither k nor o
- for error-specific attack:
min -f_obj(x) = -f_k(x) + argmax_{c != k} f_c(x), where k is the target class and c is the competing class, which is the class with the maximum score except for the target class
- Parameters
- x : CArray
Array containing the data points (one or more than one).
- Returns
- f_obj : CArray
Values of objective function at x.
objective_function_gradient(self, x)
Compute the gradient of the evasion objective function.
- Parameters
- x : CArray
A single point.
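The objective and gradient documented above, shown as an added example that is not secml code: fixed-step projected gradient descent on a constructed 3-class linear model, with an l2 budget dmax and box bounds lb/ub, for measuring how much perturbation a sample tolerates. All names (W, B, scores, active_classes, project, pgd) are hypothetical; the reject class o, the line search and the double initialization are left out.

```python
import math

# Constructed 3-class linear model: f_c(x) = W[c] . x + B[c] (illustrative values).
W = [[1.0, 0.0], [-1.0, 0.5], [0.0, -1.0]]
B = [0.0, 0.2, 0.1]


def scores(x):
    return [sum(w * xi for w, xi in zip(row, x)) + b for row, b in zip(W, B)]


def active_classes(x, k, y_target=None):
    """Return (down, up): the class whose score is pushed down and the one pushed up."""
    s = scores(x)
    anchor = k if y_target is None else y_target
    # Competing class c: maximum score among classes other than the anchor.
    c = max((i for i in range(len(s)) if i != anchor), key=lambda i: s[i])
    return (k, c) if y_target is None else (c, y_target)


def objective(x, k, y_target=None):
    """Error-generic: f_k(x) - max_{c != k} f_c(x).
    Error-specific: -f_t(x) + max_{c != t} f_c(x), with t = y_target.
    A negative value means the attack goal is reached at x."""
    s = scores(x)
    down, up = active_classes(x, k, y_target)
    return s[down] - s[up]


def gradient(x, k, y_target=None):
    # For a linear model the gradient of f_down - f_up is W[down] - W[up].
    down, up = active_classes(x, k, y_target)
    return [wd - wu for wd, wu in zip(W[down], W[up])]


def project(x, x0, dmax, lb=0.0, ub=1.0):
    """Rescale x into the l2 ball of radius dmax around x0, then clip to [lb, ub].
    The result is feasible when x0 lies in the box; it is not always the exact
    Euclidean projection onto the intersection of the two sets."""
    d = [xi - x0i for xi, x0i in zip(x, x0)]
    n = math.sqrt(sum(v * v for v in d))
    if n > dmax:
        d = [v * dmax / n for v in d]
    return [min(ub, max(lb, x0i + v)) for x0i, v in zip(x0, d)]


def pgd(x0, k, dmax, y_target=None, eta=0.1, steps=100):
    """Fixed-step projected gradient descent on the objective; returns (x, f_obj)."""
    x = list(x0)
    for _ in range(steps):
        g = gradient(x, k, y_target)
        x = project([xi - eta * gi for xi, gi in zip(x, g)], x0, dmax)
    return x, objective(x, k, y_target)


if __name__ == "__main__":
    x0, k = [0.8, 0.5], 0   # constructed sample, correctly classified as class 0
    for dmax in (0.0, 0.3, 0.6):
        for target in (None, 2):
            _, f = pgd(x0, k, dmax, y_target=target)
            print(f"dmax={dmax} y_target={target} f_obj={f:+.4f} evaded={f < 0}")
```

On this sample the error-generic objective turns negative at dmax=0.6 while the error-specific objective toward class 2 stays positive, so the same budget gives different robustness readings depending on y_target.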
property y_target
CAttackEvasionPGDExp
class secml.adv.attacks.evasion.c_attack_evasion_pgd_exp.CAttackEvasionPGDExp(classifier, double_init_ds=None, double_init=True, distance='l1', dmax=0, lb=0, ub=1, y_target=None, attack_classes='all', solver_params=None)
Bases: secml.adv.attacks.evasion.c_attack_evasion_pgd_ls.CAttackEvasionPGDLS
Evasion attacks using Projected Gradient Descent with Exponential line search.
This class implements the maximum-confidence evasion attacks proposed in:
https://arxiv.org/abs/1910.00470, EURASIP JIS, 2020.
https://arxiv.org/abs/1708.06939, ICCV W. ViPAR, 2017.
It is the multi-class extension of our original work in:
https://arxiv.org/abs/1708.06131, ECML 2013, implemented using a standard projected gradient solver.
This attack uses a faster line search than PGD-LS.
In all our attacks, we use a smart double initialization to avoid using the mimicry term from our ECML 2013 paper, as described in:
https://pralab.diee.unica.it/sites/default/files/zhang15-tcyb.pdf, IEEE TCYB, 2015
If the attack is not successful when starting from x0, we initialize the optimization by projecting a point from another class onto the feasible domain and try again.
- Parameters
- classifier : CClassifier
Target classifier.
- double_init_ds : CDataset or None, optional
Dataset used to initialize an alternative init point (double init).
- double_init : bool, optional
If True (default), use a double initialization point. Requires double_init_ds not to be None.
- distance : {'l1' or 'l2'}, optional
Norm to use for computing the distance of the adversarial example from the original sample. Default 'l2'.
- dmax : scalar, optional
Maximum value of the perturbation. Default 1.
- lb, ub : int or CArray, optional
Lower/Upper bounds. If int, the same bound will be applied to all the features. If CArray, a different bound can be specified for each feature. Default lb = 0, ub = 1.
- y_target : int or None, optional
If None, an error-generic attack will be performed; otherwise an error-specific attack is performed to have the samples misclassified as belonging to the y_target class.
- attack_classes : 'all' or CArray, optional
Array with the classes that can be manipulated by the attacker, or 'all' (default) if all classes can be manipulated.
- solver_params : dict or None, optional
Parameters for the solver. Default None, meaning that default parameters will be used. See COptimizerPGDExp for more information.
- Attributes
class_type: 'e-pgd-exp'. Defines class type.
Methods
copy(self): Returns a shallow copy of current class.
create([class_item]): This method creates an instance of a class with given type.
deepcopy(self): Returns a deep copy of current class.
get_class_from_type(class_type): Return the class associated with input type.
get_params(self): Returns the dictionary of class hyperparameters.
get_state(self, **kwargs): Returns the object state dictionary.
get_subclasses(): Get all the subclasses of the calling class.
is_attack_class(self, y): Returns True/False if the input class can be attacked.
list_class_types(): This method lists all types of available subclasses of calling one.
load(path): Loads object from file.
load_state(self, path): Sets the object state from file.
objective_function(self, x): Compute the objective function of the evasion attack.
objective_function_gradient(self, x): Compute the gradient of the evasion objective function.
run(self, x, y[, ds_init]): Runs evasion on a dataset.
save(self, path): Save class object to file.
save_state(self, path, **kwargs): Store the object state to file.
set(self, param_name, param_value[, copy]): Set a parameter of the class.
set_params(self, params_dict[, copy]): Set all parameters passed as a dictionary {key: value}.
set_state(self, state_dict[, copy]): Sets the object state using input dictionary.
timed([msg]): Timer decorator.
CAttackEvasionCleverhans
class secml.adv.attacks.evasion.cleverhans.c_attack_evasion_cleverhans.CAttackEvasionCleverhans(classifier, y_target=None, clvh_attack_class=cleverhans.attacks.CarliniWagnerL2, store_var_list=None, **kwargs)
Bases: secml.adv.attacks.evasion.c_attack_evasion.CAttackEvasion, secml.adv.attacks.evasion.cleverhans.c_attack_evasion_cleverhans_losses.CAttackEvasionCleverhansLossesMixin
This class is a wrapper of the attacks implemented in the Cleverhans library.
Credits: https://github.com/tensorflow/cleverhans.
- Parameters
- classifier : CClassifier
Target classifier (trained).
- y_target : int or None, optional
If None, an indiscriminate attack will be performed; otherwise a targeted attack is performed to have the samples misclassified as belonging to the y_target class.
- clvh_attack_class
The CleverHans class that implements the attack.
- store_var_list : list
List of variables to store from the graph during the attack run. The variables will be stored as a key-value dictionary and can be retrieved through the property stored_vars.
- **kwargs
Any other parameter for the cleverhans attack.
Notes
The current Tensorflow default graph will be used.
- Attributes
attack_classes
attack_params: Object containing all Cleverhans parameters.
class_type: Defines class type.
classifier: Returns classifier.
f_eval: Returns the number of function evaluations made during the attack.
f_opt: Returns the value of the objective function evaluated on the optimal point found by the attack.
f_seq: Returns a CArray containing the values of the objective function evaluations made by the attack.
grad_eval: Returns the number of gradient evaluations made during the attack.
logger: Logger for current object.
stored_vars: Variables extracted from the graph during execution of the attack.
verbose: Verbosity level of logger output.
x_opt: Returns the optimal point found by the attack.
x_seq: Returns a CArray (number of iterations * number of features) containing the values of the attack point path.
y_target
Methods
copy(self): Returns a shallow copy of current class.
create([class_item]): This method creates an instance of a class with given type.
deepcopy(self): Returns a deep copy of current class.
get_class_from_type(class_type): Return the class associated with input type.
get_params(self): Returns the dictionary of class hyperparameters.
get_state(self, **kwargs): Returns the object state dictionary.
get_subclasses(): Get all the subclasses of the calling class.
is_attack_class(self, y): Returns True/False if the input class can be attacked.
list_class_types(): This method lists all types of available subclasses of calling one.
load(path): Loads object from file.
load_state(self, path): Sets the object state from file.
objective_function(self, x): Objective function.
objective_function_gradient(self, x): Gradient of the objective function.
run(self, x, y[, ds_init]): Runs evasion on a dataset.
save(self, path): Save class object to file.
save_state(self, path, **kwargs): Store the object state to file.
set(self, param_name, param_value[, copy]): Set a parameter of the class.
set_params(self, params_dict[, copy]): Set all parameters passed as a dictionary {key: value}.
set_state(self, state_dict[, copy]): Sets the object state using input dictionary.
timed([msg]): Timer decorator.
property attack_params
Object containing all Cleverhans parameters.
property f_eval
Returns the number of function evaluations made during the attack.
property grad_eval
Returns the number of gradient evaluations made during the attack.
objective_function(self, x)
Objective function.
- Parameters
- x : CArray or CDataset
- Returns
- f_obj : float or CArray of floats
run(self, x, y, ds_init=None)
Runs evasion on a dataset.
- Parameters
- x : CArray
Data points.
- y : CArray
True labels.
- ds_init : CDataset
Dataset for warm starts.
- Returns
- y_pred : CArray
Predicted labels for all ds samples by target classifier.
- scores : CArray
Scores for all ds samples by target classifier.
- adv_ds : CDataset
Dataset of manipulated samples.
- f_obj : float
Mean value of the objective function computed on each data point.
set(self, param_name, param_value, copy=False)
Set a parameter of the class.
Only writable attributes of the class, i.e. PUBLIC or READ/WRITE, can be set.
The following checks are performed before setting:
- if param_name is an attribute of current class, set directly;
- else, iterate over __dict__ and look for a class attribute having the desired parameter as an attribute;
- else, if attribute is not found on the 2nd level, raise AttributeError.
If possible, a reference to the attribute to set is assigned. Use copy=True to always make a deepcopy before set.
- Parameters
- param_name : str
Name of the parameter to set.
- param_value : any
Value to set for the parameter.
- copy : bool
By default (False) a reference to the parameter to assign is set. If True or a reference cannot be extracted, a deepcopy of the parameter value is done first.
property stored_vars
Variables extracted from the graph during execution of the attack.