secml.adv.attacks.evasion

CAttackEvasion

class secml.adv.attacks.evasion.c_attack_evasion.CAttackEvasion(classifier, y_target=None, attack_classes='all')[source]

Bases: secml.adv.attacks.c_attack.CAttack

Interface class for evasion and poisoning attacks.

Parameters
classifier : CClassifier

Target classifier (trained).

y_target : int or None, optional

If None, an error-generic attack will be performed; otherwise an error-specific attack is performed to have the samples misclassified as belonging to the y_target class.

attack_classes : ‘all’ or CArray, optional

Array with the classes that can be manipulated by the attacker, or ‘all’ (default) if all classes can be manipulated.

Attributes
attack_classes
class_type

Defines class type.

classifier

Returns classifier

f_eval

Returns the number of function evaluations made during the attack.

f_opt

Returns the value of the objective function evaluated on the optimal point found by the attack.

f_seq

Returns a CArray containing the values of the objective function evaluations made by the attack.

grad_eval

Returns the number of gradient evaluations made during the attack.

logger

Logger for current object.

verbose

Verbosity level of logger output.

x_opt

Returns the optimal point found by the attack.

x_seq

Returns a CArray (number of iterations * number of features) containing the values of the attack point path.

y_target

Methods

copy(self)

Returns a shallow copy of current class.

create([class_item])

This method creates an instance of a class with given type.

deepcopy(self)

Returns a deep copy of current class.

get_class_from_type(class_type)

Return the class associated with input type.

get_params(self)

Returns the dictionary of class hyperparameters.

get_state(self, **kwargs)

Returns the object state dictionary.

get_subclasses()

Get all the subclasses of the calling class.

is_attack_class(self, y)

Returns True/False if the input class can be attacked.

list_class_types()

This method lists all types of available subclasses of calling one.

load(path)

Loads object from file.

load_state(self, path)

Sets the object state from file.

objective_function(self, x)

Objective function.

objective_function_gradient(self, x)

Gradient of the objective function.

run(self, x, y[, ds_init])

Runs evasion on a dataset.

save(self, path)

Save class object to file.

save_state(self, path, **kwargs)

Store the object state to file.

set(self, param_name, param_value[, copy])

Set a parameter of the class.

set_params(self, params_dict[, copy])

Set all parameters passed as a dictionary {key: value}.

set_state(self, state_dict[, copy])

Sets the object state using input dictionary.

timed([msg])

Timer decorator.

property attack_classes
is_attack_class(self, y)[source]

Returns True/False if the input class can be attacked.

Parameters
y : int or CArray

CArray or single label of the class to be checked.

Returns
bool or CArray

True if class y can be manipulated by the attacker, False otherwise. If a CArray is given, a True/False value for each input label will be returned.

abstract objective_function(self, x)[source]

Objective function.

Parameters
x : CArray or CDataset

Returns
f_obj : float or CArray of floats

abstract objective_function_gradient(self, x)[source]

Gradient of the objective function.

run(self, x, y, ds_init=None)[source]

Runs evasion on a dataset.

Parameters
x : CArray

Data points.

y : CArray

True labels.

ds_init : CDataset

Dataset for warm starts.

Returns
y_pred : CArray

Predicted labels for all ds samples by the target classifier.

scores : CArray

Scores for all ds samples by the target classifier.

adv_ds : CDataset

Dataset of manipulated samples.

f_obj : float

Mean value of the objective function computed on each data point.

property y_target

CAttackEvasionPGD

class secml.adv.attacks.evasion.c_attack_evasion_pgd.CAttackEvasionPGD(classifier, double_init_ds=None, double_init=True, distance='l1', dmax=0, lb=0, ub=1, y_target=None, attack_classes='all', solver_params=None)[source]

Bases: secml.adv.attacks.evasion.c_attack_evasion_pgd_ls.CAttackEvasionPGDLS

Evasion attacks using Projected Gradient Descent.

This class implements the maximum-confidence evasion attacks proposed in:

This is the multi-class extension of our original work in:

It can also be used on sparse, high-dimensional feature spaces, using an L1 constraint on the manipulation of samples to preserve sparsity, as we did for crafting adversarial Android malware in:

For more on evasion attacks, see also:

Parameters
classifier : CClassifier

Target classifier.

double_init_ds : CDataset or None, optional

Dataset used to initialize an alternative init point (double init).

double_init : bool, optional

If True (default), use a double initialization point. Requires double_init_ds not to be None.

distance : {‘l1’ or ‘l2’}, optional

Norm to use for computing the distance of the adversarial example from the original sample. Default ‘l2’.

dmax : scalar, optional

Maximum value of the perturbation. Default 1.

lb, ub : int or CArray, optional

Lower/Upper bounds. If int, the same bound will be applied to all the features. If CArray, a different bound can be specified for each feature. Default lb = 0, ub = 1.

y_target : int or None, optional

If None, an error-generic attack will be performed; otherwise an error-specific attack is performed to have the samples misclassified as belonging to the y_target class.

attack_classes : ‘all’ or CArray, optional

Array with the classes that can be manipulated by the attacker, or ‘all’ (default) if all classes can be manipulated.

solver_params : dict or None, optional

Parameters for the solver. Default None, meaning that default parameters will be used. See COptimizerPGD for more information.

Attributes
class_type : ‘e-pgd’

Defines class type.

Methods

copy(self)

Returns a shallow copy of current class.

create([class_item])

This method creates an instance of a class with given type.

deepcopy(self)

Returns a deep copy of current class.

get_class_from_type(class_type)

Return the class associated with input type.

get_params(self)

Returns the dictionary of class hyperparameters.

get_state(self, **kwargs)

Returns the object state dictionary.

get_subclasses()

Get all the subclasses of the calling class.

is_attack_class(self, y)

Returns True/False if the input class can be attacked.

list_class_types()

This method lists all types of available subclasses of calling one.

load(path)

Loads object from file.

load_state(self, path)

Sets the object state from file.

objective_function(self, x)

Compute the objective function of the evasion attack.

objective_function_gradient(self, x)

Compute the gradient of the evasion objective function.

run(self, x, y[, ds_init])

Runs evasion on a dataset.

save(self, path)

Save class object to file.

save_state(self, path, **kwargs)

Store the object state to file.

set(self, param_name, param_value[, copy])

Set a parameter of the class.

set_params(self, params_dict[, copy])

Set all parameters passed as a dictionary {key: value}.

set_state(self, state_dict[, copy])

Sets the object state using input dictionary.

timed([msg])

Timer decorator.

CAttackEvasionPGDLS

class secml.adv.attacks.evasion.c_attack_evasion_pgd_ls.CAttackEvasionPGDLS(classifier, double_init_ds=None, double_init=True, distance='l1', dmax=0, lb=0, ub=1, y_target=None, attack_classes='all', solver_params=None)[source]

Bases: secml.adv.attacks.evasion.c_attack_evasion.CAttackEvasion, secml.adv.attacks.c_attack_mixin.CAttackMixin

Evasion attacks using Projected Gradient Descent with Line Search.

This class implements the maximum-confidence evasion attacks proposed in:

This is the multi-class extension of our original work in:

implemented using a custom projected gradient solver that uses line search in each iteration to save gradient computations and speed up the attack.

It can also be used on sparse, high-dimensional feature spaces, using an L1 constraint on the manipulation of samples to preserve sparsity, as we did for crafting adversarial Android malware in:

For more on evasion attacks, see also:

Parameters
classifier : CClassifier

Target classifier.

double_init_ds : CDataset or None, optional

Dataset used to initialize an alternative init point (double init).

double_init : bool, optional

If True (default), use a double initialization point. Requires double_init_ds not to be None.

distance : {‘l1’ or ‘l2’}, optional

Norm to use for computing the distance of the adversarial example from the original sample. Default ‘l2’.

dmax : scalar, optional

Maximum value of the perturbation. Default 1.

lb, ub : int or CArray, optional

Lower/Upper bounds. If int, the same bound will be applied to all the features. If CArray, a different bound can be specified for each feature. Default lb = 0, ub = 1.

y_target : int or None, optional

If None, an error-generic attack will be performed; otherwise an error-specific attack is performed to have the samples misclassified as belonging to the y_target class.

attack_classes : ‘all’ or CArray, optional

Array with the classes that can be manipulated by the attacker, or ‘all’ (default) if all classes can be manipulated.

solver_params : dict or None, optional

Parameters for the solver. Default None, meaning that default parameters will be used. See COptimizerPGDLS for more information.

Attributes
class_type : ‘e-pgd-ls’

Defines class type.

Methods

copy(self)

Returns a shallow copy of current class.

create([class_item])

This method creates an instance of a class with given type.

deepcopy(self)

Returns a deep copy of current class.

get_class_from_type(class_type)

Return the class associated with input type.

get_params(self)

Returns the dictionary of class hyperparameters.

get_state(self, **kwargs)

Returns the object state dictionary.

get_subclasses()

Get all the subclasses of the calling class.

is_attack_class(self, y)

Returns True/False if the input class can be attacked.

list_class_types()

This method lists all types of available subclasses of calling one.

load(path)

Loads object from file.

load_state(self, path)

Sets the object state from file.

objective_function(self, x)

Compute the objective function of the evasion attack.

objective_function_gradient(self, x)

Compute the gradient of the evasion objective function.

run(self, x, y[, ds_init])

Runs evasion on a dataset.

save(self, path)

Save class object to file.

save_state(self, path, **kwargs)

Store the object state to file.

set(self, param_name, param_value[, copy])

Set a parameter of the class.

set_params(self, params_dict[, copy])

Set all parameters passed as a dictionary {key: value}.

set_state(self, state_dict[, copy])

Sets the object state using input dictionary.

timed([msg])

Timer decorator.

property double_init
property double_init_ds

Returns the CDataset used for the double initialization

objective_function(self, x)[source]

Compute the objective function of the evasion attack.

The objective function is:

  • for error-generic attack:

    min f_obj(x) = f_{k|o (if the sample is rejected)}(x) - max_{(c != k) and (c != o)} f_c(x),

    where k is the true class, o is the reject class and c is the competing class, i.e. the class with the maximum score, which can be neither k nor o;

  • for error-specific attack:

    min -f_obj(x) = -f_k(x) + max_{c != k} f_c(x),

    where k is the target class and c is the competing class, i.e. the class with the maximum score except for the target class.

Parameters
x : CArray

Array containing the data points (one or more than one).

Returns
f_obj : CArray

Values of the objective function at x.
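The two objectives above, written out as an added example (this is not secml's code): plain NumPy arrays stand in for the classifier's decision function and for secml's CArray, the score matrix is constructed, and the choice of class 3 as the reject class o is an assumption of the example. It covers the case the docstring singles out, a sample that is currently rejected, and evaluates a whole batch of rows at once, as objective_function does for "one or more than one" points.

```python
"""Maximum-confidence evasion objective written out from the two formulas in
the docstring above.  Added illustration, not secml's implementation: NumPy
arrays replace CArray, and constructed score vectors replace the classifier."""
import numpy as np


def error_generic_objective(scores, true_class, reject_class=None):
    """f_obj(x) = f_k(x) - max_{c != k, c != o} f_c(x).

    k is the true class, or the reject class o when the sample is currently
    rejected (o holds the top score).  The attacker minimizes f_obj; a
    negative value means some competing class already outscores k.
    Returns (f_obj, competing_class).
    """
    s = np.asarray(scores, dtype=float)
    k = true_class
    if reject_class is not None and int(np.argmax(s)) == reject_class:
        k = reject_class  # sample is rejected: the score to push down is o's
    candidates = [c for c in range(s.shape[0]) if c != k and c != reject_class]
    if not candidates:
        raise ValueError("no competing class left after excluding k and o")
    competing = max(candidates, key=lambda c: s[c])
    return float(s[k] - s[competing]), competing


def error_specific_objective(scores, target_class):
    """-f_obj(x) = -f_k(x) + max_{c != k} f_c(x), with k the target class.

    The attacker minimizes this; a negative value means the target class now
    has the highest score, i.e. the sample is classified as y_target.
    Returns (neg_f_obj, competing_class).
    """
    s = np.asarray(scores, dtype=float)
    candidates = [c for c in range(s.shape[0]) if c != target_class]
    competing = max(candidates, key=lambda c: s[c])
    return float(s[competing] - s[target_class]), competing


def evasion_objective(scores, y_true, y_target=None, reject_class=None):
    """Row-wise objective for an (n_samples, n_classes) score matrix: the
    error-generic form when y_target is None, the error-specific form
    otherwise.  Mirrors the per-point CArray that objective_function returns."""
    S = np.atleast_2d(np.asarray(scores, dtype=float))
    y_true = np.broadcast_to(np.asarray(y_true), (S.shape[0],))
    out = np.empty(S.shape[0])
    for i, row in enumerate(S):
        if y_target is None:
            out[i] = error_generic_objective(row, int(y_true[i]), reject_class)[0]
        else:
            out[i] = error_specific_objective(row, y_target)[0]
    return out


def evaded(scores, y_true, y_target=None, reject_class=None):
    """Per-sample success flag a security-evaluation harness can check: the
    objective is negative exactly when the sample is misclassified
    (error-generic) or lands in y_target (error-specific)."""
    return (evasion_objective(scores, y_true, y_target, reject_class) < 0).tolist()


if __name__ == "__main__":
    # Constructed 4-class score matrix; class 3 plays the reject class o.
    scores = np.array([[0.2, 0.7, 0.1, 0.0],   # correctly classified as 1
                       [0.1, 0.3, 0.2, 0.6],   # rejected: o has the top score
                       [0.5, 0.3, 0.2, 0.1]])  # already misclassified as 0
    y_true = [1, 1, 1]
    print(evasion_objective(scores, y_true, reject_class=3))
    print(evaded(scores, y_true, reject_class=3))
    print(evasion_objective(scores, y_true, y_target=0))
```

The sign of each entry is the whole story for a defender: the score margin f_k(x) - max_{c != k} f_c(x) is what a robustness evaluation tracks per sample as the perturbation budget dmax grows, and the row where the reject class holds the top score shows why the docstring switches k to o there, since otherwise the rejected sample would be counted as evaded against its true class.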

objective_function_gradient(self, x)[source]

Compute the gradient of the evasion objective function.

Parameters
x : CArray

A single point.

property y_target

CAttackEvasionPGDExp

class secml.adv.attacks.evasion.c_attack_evasion_pgd_exp.CAttackEvasionPGDExp(classifier, double_init_ds=None, double_init=True, distance='l1', dmax=0, lb=0, ub=1, y_target=None, attack_classes='all', solver_params=None)[source]

Bases: secml.adv.attacks.evasion.c_attack_evasion_pgd_ls.CAttackEvasionPGDLS

Evasion attacks using Projected Gradient Descent with Exponential line search.

This class implements the maximum-confidence evasion attacks proposed in:

It is the multi-class extension of our original work in:

This attack uses a faster line search than PGD-LS.

In all our attacks, we use a smart double initialization to avoid using the mimicry term from our ECML 2013 paper, as described in https://pralab.diee.unica.it/sites/default/files/zhang15-tcyb.pdf (IEEE TCYB, 2015).

If the attack is not successful when starting from x0, we initialize the optimization by projecting a point from another class onto the feasible domain and try again.

Parameters
classifier : CClassifier

Target classifier.

double_init_ds : CDataset or None, optional

Dataset used to initialize an alternative init point (double init).

double_init : bool, optional

If True (default), use a double initialization point. Requires double_init_ds not to be None.

distance : {‘l1’ or ‘l2’}, optional

Norm to use for computing the distance of the adversarial example from the original sample. Default ‘l2’.

dmax : scalar, optional

Maximum value of the perturbation. Default 1.

lb, ub : int or CArray, optional

Lower/Upper bounds. If int, the same bound will be applied to all the features. If CArray, a different bound can be specified for each feature. Default lb = 0, ub = 1.

y_target : int or None, optional

If None, an error-generic attack will be performed; otherwise an error-specific attack is performed to have the samples misclassified as belonging to the y_target class.

attack_classes : ‘all’ or CArray, optional

Array with the classes that can be manipulated by the attacker, or ‘all’ (default) if all classes can be manipulated.

solver_params : dict or None, optional

Parameters for the solver. Default None, meaning that default parameters will be used. See COptimizerPGDExp for more information.

Attributes
class_type : ‘e-pgd-exp’

Defines class type.

Methods

copy(self)

Returns a shallow copy of current class.

create([class_item])

This method creates an instance of a class with given type.

deepcopy(self)

Returns a deep copy of current class.

get_class_from_type(class_type)

Return the class associated with input type.

get_params(self)

Returns the dictionary of class hyperparameters.

get_state(self, **kwargs)

Returns the object state dictionary.

get_subclasses()

Get all the subclasses of the calling class.

is_attack_class(self, y)

Returns True/False if the input class can be attacked.

list_class_types()

This method lists all types of available subclasses of calling one.

load(path)

Loads object from file.

load_state(self, path)

Sets the object state from file.

objective_function(self, x)

Compute the objective function of the evasion attack.

objective_function_gradient(self, x)

Compute the gradient of the evasion objective function.

run(self, x, y[, ds_init])

Runs evasion on a dataset.

save(self, path)

Save class object to file.

save_state(self, path, **kwargs)

Store the object state to file.

set(self, param_name, param_value[, copy])

Set a parameter of the class.

set_params(self, params_dict[, copy])

Set all parameters passed as a dictionary {key: value}.

set_state(self, state_dict[, copy])

Sets the object state using input dictionary.

timed([msg])

Timer decorator.

CAttackEvasionCleverhans

class secml.adv.attacks.evasion.cleverhans.c_attack_evasion_cleverhans.CAttackEvasionCleverhans(classifier, y_target=None, clvh_attack_class=cleverhans.attacks.CarliniWagnerL2, store_var_list=None, **kwargs)[source]

Bases: secml.adv.attacks.evasion.c_attack_evasion.CAttackEvasion, secml.adv.attacks.evasion.cleverhans.c_attack_evasion_cleverhans_losses.CAttackEvasionCleverhansLossesMixin

This class is a wrapper of the attacks implemented in the Cleverhans library.

Credits: https://github.com/tensorflow/cleverhans.

Parameters
classifier : CClassifier

Target classifier (trained).

y_target : int or None, optional

If None, an indiscriminate attack will be performed; otherwise a targeted attack is performed to have the samples misclassified as belonging to the y_target class.

clvh_attack_class

The CleverHans class that implements the attack.

store_var_list : list

List of variables to store from the graph during the attack run. The variables will be stored as a key-value dictionary and can be retrieved through the property stored_vars.

**kwargs

Any other parameter for the cleverhans attack.

Notes

The current Tensorflow default graph will be used.

Attributes
attack_classes
attack_params

Object containing all Cleverhans parameters

class_type

Defines class type.

classifier

Returns classifier

f_eval

Returns the number of function evaluations made during the attack.

f_opt

Returns the value of the objective function evaluated on the optimal point found by the attack.

f_seq

Returns a CArray containing the values of the objective function evaluations made by the attack.

grad_eval

Returns the number of gradient evaluations made during the attack.

logger

Logger for current object.

stored_vars

Variables extracted from the graph during execution of the attack.

verbose

Verbosity level of logger output.

x_opt

Returns the optimal point found by the attack.

x_seq

Returns a CArray (number of iterations * number of features) containing the values of the attack point path.

y_target

Methods

copy(self)

Returns a shallow copy of current class.

create([class_item])

This method creates an instance of a class with given type.

deepcopy(self)

Returns a deep copy of current class.

get_class_from_type(class_type)

Return the class associated with input type.

get_params(self)

Returns the dictionary of class hyperparameters.

get_state(self, **kwargs)

Returns the object state dictionary.

get_subclasses()

Get all the subclasses of the calling class.

is_attack_class(self, y)

Returns True/False if the input class can be attacked.

list_class_types()

This method lists all types of available subclasses of calling one.

load(path)

Loads object from file.

load_state(self, path)

Sets the object state from file.

objective_function(self, x)

Objective function.

objective_function_gradient(self, x)

Gradient of the objective function.

run(self, x, y[, ds_init])

Runs evasion on a dataset.

save(self, path)

Save class object to file.

save_state(self, path, **kwargs)

Store the object state to file.

set(self, param_name, param_value[, copy])

Set a parameter of the class.

set_params(self, params_dict[, copy])

Set all parameters passed as a dictionary {key: value}.

set_state(self, state_dict[, copy])

Sets the object state using input dictionary.

timed([msg])

Timer decorator.

property attack_params

Object containing all Cleverhans parameters

property f_eval

Returns the number of function evaluations made during the attack.

property grad_eval

Returns the number of gradient evaluations made during the attack.

objective_function(self, x)[source]

Objective function.

Parameters
x : CArray or CDataset

Returns
f_obj : float or CArray of floats

objective_function_gradient(self, x)[source]

Gradient of the objective function.

run(self, x, y, ds_init=None)[source]

Runs evasion on a dataset.

Parameters
x : CArray

Data points.

y : CArray

True labels.

ds_init : CDataset

Dataset for warm starts.

Returns
y_pred : CArray

Predicted labels for all ds samples by the target classifier.

scores : CArray

Scores for all ds samples by the target classifier.

adv_ds : CDataset

Dataset of manipulated samples.

f_obj : float

Mean value of the objective function computed on each data point.

set(self, param_name, param_value, copy=False)[source]

Set a parameter of the class.

Only writable attributes of the class, i.e. PUBLIC or READ/WRITE, can be set.

The following checks are performed before setting:

  • if param_name is an attribute of the current class, set it directly;

  • else, iterate over __dict__ and look for a class attribute having the desired parameter as an attribute;

  • else, if the attribute is not found on the 2nd level, raise AttributeError.

If possible, a reference to the attribute to set is assigned. Use copy=True to always make a deepcopy before setting.

Parameters
param_name : str

Name of the parameter to set.

param_value : any

Value to set for the parameter.

copy : bool

By default (False) a reference to the parameter to assign is set. If True, or if a reference cannot be extracted, a deepcopy of the parameter value is made first.
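The two-level lookup and the copy semantics described above, as an added example that is not secml's code: the Attack and Solver classes and their attribute names (dmax, eta, bounds) are constructed stand-ins, and set_param is a hypothetical re-implementation of the documented rule rather than the library's set method.

```python
"""Two-level parameter lookup as documented for set(): try the object itself,
then one level down into the attributes held in its __dict__.  Added
illustration of the documented rule, not secml's code; the classes below are
constructed stand-ins."""
import copy


def set_param(obj, param_name, param_value, copy_value=False):
    """Set param_name on obj, or on one of obj's attributes, two levels deep.

    Returns the object the parameter was actually written to, so a caller can
    verify where a hyperparameter landed (the 2nd-level rule silently
    forwards a name to a child component, which is easy to overlook).
    """
    value = copy.deepcopy(param_value) if copy_value else param_value
    # 1st level: the parameter is an attribute of obj itself.
    if hasattr(obj, param_name):
        setattr(obj, param_name, value)
        return obj
    # 2nd level: look for an attribute of obj that owns the parameter.
    for attr in vars(obj).values():
        if hasattr(attr, param_name):
            setattr(attr, param_name, value)
            return attr
    # Not found on either level.
    raise AttributeError(
        "'{}' has no parameter '{}'".format(type(obj).__name__, param_name))


class Solver:
    """Constructed stand-in for a solver with its own hyperparameters."""
    def __init__(self):
        self.eta = 0.1
        self.bounds = [0, 1]


class Attack:
    """Constructed stand-in for an attack object holding a solver."""
    def __init__(self):
        self.dmax = 1.0
        self.solver = Solver()


def demo():
    """Exercise each branch and report what was written where."""
    atk = Attack()
    first = set_param(atk, "dmax", 2.0)        # 1st level: on atk itself
    second = set_param(atk, "eta", 0.5)        # 2nd level: lands on atk.solver
    b = [0.0, 0.5]
    set_param(atk, "bounds", b, copy_value=True)
    b.append(9.9)                              # caller mutates its list later...
    try:
        set_param(atk, "no_such_param", 1)
        unknown_raises = False
    except AttributeError:
        unknown_raises = True
    return {
        "dmax": atk.dmax,
        "eta": atk.solver.eta,
        "bounds": atk.solver.bounds,           # ...the deep copy is unaffected
        "first_level_target": first is atk,
        "second_level_target": second is atk.solver,
        "unknown_raises": unknown_raises,
    }


if __name__ == "__main__":
    print(demo())
```

The copy flag matters when the same mutable value (a bounds array, a solver parameter dict) is handed to several attack objects: without copy=True they all share one reference, and a later in-place change to one silently changes the others.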

property stored_vars

Variables extracted from the graph during execution of the attack.

secml.adv.attacks.evasion.foolbox