secml.adv.attacks.evasion

CAttackEvasion

class secml.adv.attacks.evasion.c_attack_evasion.CAttackEvasion(classifier, surrogate_classifier, surrogate_data=None, y_target=None)[source]

Bases: secml.adv.attacks.c_attack.CAttack

Interface for Evasion attacks.

Parameters
classifierCClassifier

Target classifier.

surrogate_classifierCClassifier

Surrogate classifier, assumed to be already trained.

surrogate_dataCDataset or None, optional

Dataset on which the surrogate classifier has been trained. Only required if the classifier is nonlinear.

y_targetint or None, optional

If None, an error-generic attack will be performed; otherwise, an error-specific attack will be performed to have the samples misclassified as belonging to the y_target class.

Attributes
attack_classes
class_type

Defines class type.

classifier

Returns classifier

discrete

Returns True if feature space is discrete, False if continuous.

distance

Norm used to measure the perturbation (e.g., ‘l1’ or ‘l2’).

dmax

Returns dmax

f_eval

Returns the number of function evaluations made during the attack.

f_opt

Returns the value of the objective function evaluated on the optimal point found by the attack.

f_seq

Returns a CArray containing the values of the objective function evaluations made by the attack.

grad_eval

Returns the number of gradient evaluations made during the attack.

issparse
lb

Returns lb

logger

Logger for current object.

n_dim
solver_params
solver_type
surrogate_classifier

Returns surrogate classifier

surrogate_data

Returns surrogate data

ub

Returns ub

verbose

Verbosity level of logger output.

x_opt

Returns the optimal point found by the attack.

x_seq

Returns a CArray (number of iterations x number of features) containing the values of the attack point path.

y_target

Methods

copy(self)

Returns a shallow copy of current class.

create([class_item])

This method creates an instance of a class with given type.

deepcopy(self)

Returns a deep copy of current class.

get_class_from_type(class_type)

Return the class associated with input type.

get_params(self)

Returns the dictionary of class parameters.

get_state(self)

Returns the object state dictionary.

get_subclasses()

Get all the subclasses of the calling class.

is_attack_class(self, y)

Returns True/False if the input class can be attacked.

list_class_types()

This method lists all types of available subclasses of calling one.

load(path)

Loads object from file.

load_state(self, path)

Sets the object state from file.

objective_function(self, x)

Objective function.

run(self, x, y[, ds_init])

Runs evasion on a dataset.

save(self, path)

Save class object to file.

save_state(self, path)

Store the object state to file.

set(self, param_name, param_value[, copy])

Set a parameter of the class.

set_params(self, params_dict[, copy])

Set all parameters passed as a dictionary {key: value}.

set_state(self, state_dict[, copy])

Sets the object state using input dictionary.

timed([msg])

Timer decorator.

objective_function(self, x)[source]

Objective function.

Parameters
xCArray

Array with points on which the objective function should be computed.

Returns
CArray

Value of the objective function on each point.
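As a concrete illustration (not secml's actual implementation), a maximum-confidence evasion objective can be written as a score difference: for an error-specific attack, the target-class score minus the highest competing score; for an error-generic attack, the highest competing score minus the true-class score. The helper below is a hypothetical pure-Python sketch:

```python
def evasion_objective(scores, y_target=None, y_true=None):
    """Max-confidence evasion objective on a list of class scores (sketch).

    Error-specific (y_target given): target score minus best competing score.
    Error-generic (y_target None): best competing score minus true-class score.
    The attack succeeds when this value becomes positive.
    """
    if y_target is not None:
        competing = max(s for j, s in enumerate(scores) if j != y_target)
        return scores[y_target] - competing
    competing = max(s for j, s in enumerate(scores) if j != y_true)
    return competing - scores[y_true]

# Scores for a 3-class problem: class 1 currently wins.
scores = [0.1, 0.7, 0.2]
f_specific = evasion_objective(scores, y_target=2)  # negative: class 2 not yet winning
f_generic = evasion_objective(scores, y_true=1)     # negative: still correctly classified
```

Maximizing this value over the admissible perturbations drives the sample across the decision boundary.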

run(self, x, y, ds_init=None, *args, **kargs)[source]

Runs evasion on a dataset.

Parameters
xCArray

Data points.

yCArray

True labels.

ds_initCDataset

Dataset for warm starts.

Returns
y_predCArray

Predicted labels for all samples, assigned by the target classifier.

scoresCArray

Scores for all samples, assigned by the target classifier.

adv_dsCDataset

Dataset of manipulated samples.

f_objfloat

Mean value of the objective function computed over the data points.
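The contract of run() can be illustrated with a toy sketch (names and the "classifier" below are purely hypothetical, not secml's API): each point is perturbed by the attack-specific optimization, then the target classifier's predictions, scores, the manipulated dataset, and the mean objective value are returned.

```python
def toy_scores(x):
    # Hypothetical 2-class "classifier": the score of class 1 grows with sum(x).
    s1 = sum(x)
    return [1.0 - s1, s1]

def toy_run(points, labels, perturb):
    """Sketch of the run() contract: returns (y_pred, scores, adv, f_obj)."""
    adv, y_pred, scores, f_vals = [], [], [], []
    for x, y in zip(points, labels):
        x_adv = perturb(x)                     # attack-specific optimization
        s = toy_scores(x_adv)
        adv.append(x_adv)
        scores.append(s)
        y_pred.append(max(range(len(s)), key=s.__getitem__))
        f_vals.append(s[1 - y] - s[y])         # error-generic objective (2 classes)
    f_obj = sum(f_vals) / len(f_vals)          # mean over the data points
    return y_pred, scores, adv, f_obj

y_pred, scores, adv, f_obj = toy_run(
    [[0.1, 0.2], [0.4, 0.5]], [0, 1], perturb=lambda x: [v + 0.3 for v in x])
```

Note that f_obj aggregates the per-sample objective values into a single mean, matching the f_obj return value documented above.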

CAttackEvasionPGD

class secml.adv.attacks.evasion.c_attack_evasion_pgd.CAttackEvasionPGD(classifier, surrogate_classifier, surrogate_data=None, distance='l1', dmax=0, lb=0, ub=1, discrete=<no value>, y_target=None, attack_classes='all', solver_params=None)[source]

Bases: secml.adv.attacks.evasion.c_attack_evasion_pgd_ls.CAttackEvasionPGDLS

Evasion attacks using Projected Gradient Descent.

This class implements the maximum-confidence evasion attacks first described by Biggio et al. in “Evasion attacks against machine learning at test time” (ECML PKDD 2013), extended here to the multi-class setting.

It can also be used on sparse, high-dimensional feature spaces, using an L1 constraint on the manipulation of samples to preserve sparsity, as we did for crafting adversarial Android malware.

Parameters
classifierCClassifier

Target classifier.

surrogate_classifierCClassifier

Surrogate classifier, assumed to be already trained.

surrogate_dataCDataset or None, optional

Dataset on which the surrogate classifier has been trained. Only required if the classifier is nonlinear.

distance{‘l1’ or ‘l2’}, optional

Norm to use for computing the distance of the adversarial example from the original sample. Default ‘l1’.

dmaxscalar, optional

Maximum value of the perturbation. Default 0.

lb, ubint or CArray, optional

Lower/Upper bounds. If int, the same bound will be applied to all the features. If CArray, a different bound can be specified for each feature. Default lb = 0, ub = 1.

y_targetint or None, optional

If None, an error-generic attack will be performed; otherwise, an error-specific attack will be performed to have the samples misclassified as belonging to the y_target class.

attack_classes‘all’ or CArray, optional

Array with the classes that can be manipulated by the attacker, or ‘all’ (default) if all classes can be manipulated.

solver_paramsdict or None, optional

Parameters for the solver. Default None, meaning that default parameters will be used.
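The solver parameters are passed as a plain dictionary. The parameter names below (‘eta’, ‘max_iter’, ‘eps’) follow the naming of secml's gradient-descent solvers but are given here as an illustrative assumption and should be checked against the installed version:

```python
# Illustrative solver configuration (keys are assumptions to be verified
# against the installed secml version, not a definitive reference):
solver_params = {
    'eta': 0.1,       # gradient step size
    'max_iter': 100,  # maximum number of solver iterations
    'eps': 1e-4,      # stop when the objective improves by less than eps
}
```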

Attributes
class_type‘e-pgd’

Defines class type.

Methods

copy(self)

Returns a shallow copy of current class.

create([class_item])

This method creates an instance of a class with given type.

deepcopy(self)

Returns a deep copy of current class.

get_class_from_type(class_type)

Return the class associated with input type.

get_params(self)

Returns the dictionary of class parameters.

get_state(self)

Returns the object state dictionary.

get_subclasses()

Get all the subclasses of the calling class.

is_attack_class(self, y)

Returns True/False if the input class can be attacked.

list_class_types()

This method lists all types of available subclasses of calling one.

load(path)

Loads object from file.

load_state(self, path)

Sets the object state from file.

objective_function(self, x)

Objective function.

run(self, x, y[, ds_init])

Runs evasion on a dataset.

save(self, path)

Save class object to file.

save_state(self, path)

Store the object state to file.

set(self, param_name, param_value[, copy])

Set a parameter of the class.

set_params(self, params_dict[, copy])

Set all parameters passed as a dictionary {key: value}.

set_state(self, state_dict[, copy])

Sets the object state using input dictionary.

timed([msg])

Timer decorator.
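Independently of secml's internals, the projection step that gives PGD its name can be sketched in plain NumPy: after each gradient step, the perturbation is projected back onto the distance ball of radius dmax (here L2, for simplicity) and the point is clipped into the [lb, ub] box. The function below is a minimal, hypothetical sketch, not secml's solver:

```python
import numpy as np

def pgd_step(x, x0, grad, eta=0.1, dmax=0.5, lb=0.0, ub=1.0):
    """One projected-gradient ascent step (illustrative sketch only)."""
    x_new = x + eta * grad                  # gradient step
    delta = x_new - x0                      # current perturbation
    norm = np.linalg.norm(delta)
    if norm > dmax:                         # project onto the L2 ball ||delta|| <= dmax
        delta *= dmax / norm
    return np.clip(x0 + delta, lb, ub)      # project onto the [lb, ub] box

x0 = np.array([0.2, 0.2])
# A gradient of (3, 4) with a full step would give a perturbation of norm 5;
# the projection rescales it onto the ball of radius dmax = 0.5.
x = pgd_step(x0, x0, grad=np.array([3.0, 4.0]), eta=1.0, dmax=0.5)
```

An L1 projection (as used for sparse feature spaces) would replace the rescaling with a projection onto the L1 simplex, which tends to concentrate the perturbation on few features.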

CAttackEvasionPGDLS

class secml.adv.attacks.evasion.c_attack_evasion_pgd_ls.CAttackEvasionPGDLS(classifier, surrogate_classifier, surrogate_data=None, distance='l1', dmax=0, lb=0, ub=1, discrete=False, y_target=None, attack_classes='all', solver_params=None)[source]

Bases: secml.adv.attacks.evasion.c_attack_evasion.CAttackEvasion

Evasion attacks using Projected Gradient Descent with Line Search.

This class implements the maximum-confidence evasion attacks first described by Biggio et al. in “Evasion attacks against machine learning at test time” (ECML PKDD 2013), extended here to the multi-class setting and implemented with a custom projected-gradient solver that performs a line search at each iteration to save gradient computations and speed up the attack.

It can also be used on sparse, high-dimensional feature spaces, using an L1 constraint on the manipulation of samples to preserve sparsity, as we did for crafting adversarial Android malware.

Parameters
classifierCClassifier

Target classifier.

surrogate_classifierCClassifier

Surrogate classifier, assumed to be already trained.

surrogate_dataCDataset or None, optional

Dataset on which the surrogate classifier has been trained. Only required if the classifier is nonlinear.

distance{‘l1’ or ‘l2’}, optional

Norm to use for computing the distance of the adversarial example from the original sample. Default ‘l1’.

dmaxscalar, optional

Maximum value of the perturbation. Default 0.

lb, ubint or CArray, optional

Lower/Upper bounds. If int, the same bound will be applied to all the features. If CArray, a different bound can be specified for each feature. Default lb = 0, ub = 1.

discretebool, optional

If True, the input space is considered discrete (integer-valued), otherwise continuous. Default False.

y_targetint or None, optional

If None, an error-generic attack will be performed; otherwise, an error-specific attack will be performed to have the samples misclassified as belonging to the y_target class.

attack_classes‘all’ or CArray, optional

Array with the classes that can be manipulated by the attacker, or ‘all’ (default) if all classes can be manipulated.

solver_paramsdict or None, optional

Parameters for the solver. Default None, meaning that default parameters will be used.

Attributes
class_type‘e-pgd-ls’

Defines class type.

Methods

copy(self)

Returns a shallow copy of current class.

create([class_item])

This method creates an instance of a class with given type.

deepcopy(self)

Returns a deep copy of current class.

get_class_from_type(class_type)

Return the class associated with input type.

get_params(self)

Returns the dictionary of class parameters.

get_state(self)

Returns the object state dictionary.

get_subclasses()

Get all the subclasses of the calling class.

is_attack_class(self, y)

Returns True/False if the input class can be attacked.

list_class_types()

This method lists all types of available subclasses of calling one.

load(path)

Loads object from file.

load_state(self, path)

Sets the object state from file.

objective_function(self, x)

Objective function.

run(self, x, y[, ds_init])

Runs evasion on a dataset.

save(self, path)

Save class object to file.

save_state(self, path)

Store the object state to file.

set(self, param_name, param_value[, copy])

Set a parameter of the class.

set_params(self, params_dict[, copy])

Set all parameters passed as a dictionary {key: value}.

set_state(self, state_dict[, copy])

Sets the object state using input dictionary.

timed([msg])

Timer decorator.

property y_target
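The line search that distinguishes PGD-LS from plain PGD can be sketched as a simple backtracking rule: try the largest step, and halve the step size until the objective improves, so that one gradient computation serves many candidate steps. The function below is a hypothetical pure-Python sketch, not secml's solver:

```python
def line_search_step(x, grad, f, eta_max=1.0, eta_min=1e-3):
    """Backtracking line search along the gradient direction (illustrative).

    Halves the step size until the objective f improves, so each iteration
    reuses a single gradient computation across many candidate steps.
    """
    f0 = f(x)
    eta = eta_max
    while eta >= eta_min:
        x_new = [xi + eta * gi for xi, gi in zip(x, grad)]
        if f(x_new) > f0:       # ascent direction: accept first improving step
            return x_new, eta
        eta /= 2.0
    return x, 0.0               # no improving step found

# Maximize f(x) = -(x0 - 1)^2 starting from x = [0.0]; grad f(0) = 2.
f = lambda x: -(x[0] - 1.0) ** 2
x, eta = line_search_step([0.0], grad=[2.0], f=f)
```

In the attack, a projection onto the distance ball and the box constraints would follow each accepted step, as in plain PGD.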

CAttackEvasionCleverhans

class secml.adv.attacks.evasion.cleverhans.c_attack_evasion_cleverhans.CAttackEvasionCleverhans(classifier, surrogate_classifier, surrogate_data=None, y_target=None, clvh_attack_class=cleverhans.attacks.CarliniWagnerL2, store_var_list=None, **kwargs)[source]

Bases: secml.adv.attacks.evasion.c_attack_evasion.CAttackEvasion, secml.adv.attacks.evasion.cleverhans.c_attack_evasion_cleverhans_losses.CAttackEvasionCleverhansLossesMixin

This class is a wrapper of the attacks implemented in the Cleverhans library.

Credits: https://github.com/tensorflow/cleverhans.

Parameters
classifierCClassifier

Target classifier on which the efficacy of the computed attack points is evaluated.

surrogate_classifierCClassifier

Surrogate classifier against which the attack is computed. This is assumed to be already trained on surrogate_data.

surrogate_dataCDataset

Dataset used to train the surrogate classifier.

y_targetint or None, optional

If None, an indiscriminate attack will be performed; otherwise, a targeted attack will be performed to have the samples misclassified as belonging to the y_target class.

clvh_attack_class:

The CleverHans class that implements the attack.

store_var_list: list

List of variables to store from the graph during the attack run. The variables will be stored in a key-value dictionary and can be retrieved through the stored_vars property.

**kwargs

Any other parameter for the cleverhans attack.

Notes

The current TensorFlow default graph will be used.

Attributes
attack_classes
class_type

Defines class type.

classifier

Returns classifier

discrete

Returns True if feature space is discrete, False if continuous.

distance

Norm used to measure the perturbation (e.g., ‘l1’ or ‘l2’).

dmax

Returns dmax

f_eval

Returns the number of function evaluations made during the attack.

f_opt

Returns the value of the objective function evaluated on the optimal point found by the attack.

f_seq

Returns a CArray containing the values of the objective function evaluations made by the attack.

grad_eval

Returns the number of gradient evaluations made during the attack.

issparse
lb

Returns lb

logger

Logger for current object.

n_dim
solver_params
solver_type
stored_vars

Variables extracted from the graph during execution of the attack.

surrogate_classifier

Returns surrogate classifier

surrogate_data

Returns surrogate data

ub

Returns ub

verbose

Verbosity level of logger output.

x_opt

Returns the optimal point found by the attack.

x_seq

Returns a CArray (number of iterations x number of features) containing the values of the attack point path.

y_target

Methods

copy(self)

Returns a shallow copy of current class.

create([class_item])

This method creates an instance of a class with given type.

deepcopy(self)

Returns a deep copy of current class.

get_class_from_type(class_type)

Return the class associated with input type.

get_params(self)

Returns the dictionary of class parameters.

get_state(self)

Returns the object state dictionary.

get_subclasses()

Get all the subclasses of the calling class.

is_attack_class(self, y)

Returns True/False if the input class can be attacked.

list_class_types()

This method lists all types of available subclasses of calling one.

load(path)

Loads object from file.

load_state(self, path)

Sets the object state from file.

objective_function(self, x)

Objective function.

run(self, x, y[, ds_init])

Runs evasion on a dataset.

save(self, path)

Save class object to file.

save_state(self, path)

Store the object state to file.

set(self, param_name, param_value[, copy])

Set a parameter of the class.

set_params(self, params_dict[, copy])

Set all parameters passed as a dictionary {key: value}.

set_state(self, state_dict[, copy])

Sets the object state using input dictionary.

timed([msg])

Timer decorator.

property f_eval

Returns the number of function evaluations made during the attack.

Warning

Due to a known issue, if more than one sample is passed to .run(), this property will only return the data relative to the last optimized one. This behavior will change in a future version.

property grad_eval

Returns the number of gradient evaluations made during the attack.

Warning

Due to a known issue, if more than one sample is passed to .run(), this property will only return the data relative to the last optimized one. This behavior will change in a future version.

run(self, x, y, ds_init=None, *args, **kargs)[source]

Runs evasion on a dataset.

Parameters
xCArray

Data points.

yCArray

True labels.

ds_initCDataset

Dataset for warm starts.

Returns
y_predCArray

Predicted labels for all samples, assigned by the target classifier.

scoresCArray

Scores for all samples, assigned by the target classifier.

adv_dsCDataset

Dataset of manipulated samples.

f_objfloat

Mean value of the objective function computed over the data points.

property stored_vars

Variables extracted from the graph during execution of the attack.