secml.adv.attacks.evasion¶
CAttackEvasion¶
-
class
secml.adv.attacks.evasion.c_attack_evasion.
CAttackEvasion
(classifier, surrogate_classifier, surrogate_data=None, y_target=None)[source]¶ Bases:
secml.adv.attacks.c_attack.CAttack
Interface for Evasion attacks.
- Parameters
- classifierCClassifier
Target classifier.
- surrogate_classifierCClassifier
Surrogate classifier, assumed to be already trained.
- surrogate_dataCDataset or None, optional
Dataset on which the the surrogate classifier has been trained on. Is only required if the classifier is nonlinear.
- y_targetint or None, optional
If None an error-generic attack will be performed, else a error-specific attack to have the samples misclassified as belonging to the y_target class.
- Attributes
- attack_classes
class_type
Defines class type.
classifier
Returns classifier
discrete
Returns True if feature space is discrete, False if continuous.
distance
todo
dmax
Returns dmax
f_eval
Returns the number of function evaluations made during the attack.
f_opt
Returns the value of the objective function evaluated on the optimal point founded by the attack.
f_seq
Returns a CArray containing the values of the objective function evaluations made by the attack.
grad_eval
Returns the number of function evaluations made during the attack.
- issparse
lb
Returns lb
logger
Logger for current object.
- n_dim
- solver_params
- solver_type
surrogate_classifier
Returns surrogate classifier
surrogate_data
Returns surrogate data
ub
Returns ub
verbose
Verbosity level of logger output.
x_opt
Returns the optimal point founded by the attack.
x_seq
Returns a CArray (number of iteration * number of features) containing the values of the attack point path.
- y_target
Methods
copy
(self)Returns a shallow copy of current class.
create
([class_item])This method creates an instance of a class with given type.
deepcopy
(self)Returns a deep copy of current class.
get_class_from_type
(class_type)Return the class associated with input type.
get_params
(self)Returns the dictionary of class parameters.
get_state
(self)Returns the object state dictionary.
get_subclasses
()Get all the subclasses of the calling class.
is_attack_class
(self, y)Returns True/False if the input class can be attacked.
list_class_types
()This method lists all types of available subclasses of calling one.
load
(path)Loads object from file.
load_state
(self, path)Sets the object state from file.
objective_function
(self, x)Objective function.
run
(self, x, y[, ds_init])Runs evasion on a dataset.
save
(self, path)Save class object to file.
save_state
(self, path)Store the object state to file.
set
(self, param_name, param_value[, copy])Set a parameter of the class.
set_params
(self, params_dict[, copy])Set all parameters passed as a dictionary {key: value}.
set_state
(self, state_dict[, copy])Sets the object state using input dictionary.
timed
([msg])Timer decorator.
-
objective_function
(self, x)[source]¶ Objective function.
- Parameters
- xCArray
Array with points on which the objective function should be computed.
- Returns
- CArray
Value of the objective function on each point.
-
run
(self, x, y, ds_init=None, *args, **kargs)[source]¶ Runs evasion on a dataset.
- Parameters
- xCArray
Data points.
- yCArray
True labels.
- ds_initCDataset
Dataset for warm starts.
- Returns
- y_predCArray
Predicted labels for all ds samples by target classifier.
- scoresCArray
Scores for all ds samples by target classifier.
- adv_dsCDataset
Dataset of manipulated samples.
- f_objfloat
Mean value of the objective function computed on each data point.
CAttackEvasionPGD¶
-
class
secml.adv.attacks.evasion.c_attack_evasion_pgd.
CAttackEvasionPGD
(classifier, surrogate_classifier, surrogate_data=None, distance='l1', dmax=0, lb=0, ub=1, discrete=<no value>, y_target=None, attack_classes='all', solver_params=None)[source]¶ Bases:
secml.adv.attacks.evasion.c_attack_evasion_pgd_ls.CAttackEvasionPGDLS
Evasion attacks using Projected Gradient Descent.
This class implements the maximum-confidence evasion attacks proposed in:
https://arxiv.org/abs/1708.06939, ICCV W. ViPAR, 2017.
This is the multi-class extension of our original work in:
https://arxiv.org/abs/1708.06131, ECML 2013, implemented using a standard projected gradient solver.
It can also be used on sparse, high-dimensional feature spaces, using an L1 constraint on the manipulation of samples to preserve sparsity, as we did for crafting adversarial Android malware in:
https://arxiv.org/abs/1704.08996, IEEE TDSC 2017.
For more on evasion attacks, see also:
https://arxiv.org/abs/1809.02861, USENIX Sec. 2019
https://arxiv.org/abs/1712.03141, Patt. Rec. 2018
- Parameters
- classifierCClassifier
Target classifier.
- surrogate_classifierCClassifier
Surrogate classifier, assumed to be already trained.
- surrogate_dataCDataset or None, optional
Dataset on which the the surrogate classifier has been trained on. Is only required if the classifier is nonlinear.
- distance{‘l1’ or ‘l2’}, optional
Norm to use for computing the distance of the adversarial example from the original sample. Default ‘l2’.
- dmaxscalar, optional
Maximum value of the perturbation. Default 1.
- lb, ubint or CArray, optional
Lower/Upper bounds. If int, the same bound will be applied to all the features. If CArray, a different bound can be specified for each feature. Default lb = 0, ub = 1.
- y_targetint or None, optional
If None an error-generic attack will be performed, else a error-specific attack to have the samples misclassified as belonging to the y_target class.
- attack_classes‘all’ or CArray, optional
- Array with the classes that can be manipulated by the attacker or
‘all’ (default) if all classes can be manipulated.
- solver_paramsdict or None, optional
Parameters for the solver. Default None, meaning that default parameters will be used.
- Attributes
class_type
‘e-pgd-ls’Defines class type.
Methods
copy
(self)Returns a shallow copy of current class.
create
([class_item])This method creates an instance of a class with given type.
deepcopy
(self)Returns a deep copy of current class.
get_class_from_type
(class_type)Return the class associated with input type.
get_params
(self)Returns the dictionary of class parameters.
get_state
(self)Returns the object state dictionary.
get_subclasses
()Get all the subclasses of the calling class.
is_attack_class
(self, y)Returns True/False if the input class can be attacked.
list_class_types
()This method lists all types of available subclasses of calling one.
load
(path)Loads object from file.
load_state
(self, path)Sets the object state from file.
objective_function
(self, x)Objective function.
run
(self, x, y[, ds_init])Runs evasion on a dataset.
save
(self, path)Save class object to file.
save_state
(self, path)Store the object state to file.
set
(self, param_name, param_value[, copy])Set a parameter of the class.
set_params
(self, params_dict[, copy])Set all parameters passed as a dictionary {key: value}.
set_state
(self, state_dict[, copy])Sets the object state using input dictionary.
timed
([msg])Timer decorator.
CAttackEvasionPGDLS¶
-
class
secml.adv.attacks.evasion.c_attack_evasion_pgd_ls.
CAttackEvasionPGDLS
(classifier, surrogate_classifier, surrogate_data=None, distance='l1', dmax=0, lb=0, ub=1, discrete=False, y_target=None, attack_classes='all', solver_params=None)[source]¶ Bases:
secml.adv.attacks.evasion.c_attack_evasion.CAttackEvasion
Evasion attacks using Projected Gradient Descent with Line Search.
This class implements the maximum-confidence evasion attacks proposed in:
https://arxiv.org/abs/1708.06939, ICCV W. ViPAR, 2017.
This is the multi-class extension of our original work in:
https://arxiv.org/abs/1708.06131, ECML 2013,
implemented using a custom projected gradient solver that uses line search in each iteration to save gradient computations and speed up the attack.
It can also be used on sparse, high-dimensional feature spaces, using an L1 constraint on the manipulation of samples to preserve sparsity, as we did for crafting adversarial Android malware in:
https://arxiv.org/abs/1704.08996, IEEE TDSC 2017.
For more on evasion attacks, see also:
https://arxiv.org/abs/1809.02861, USENIX Sec. 2019
https://arxiv.org/abs/1712.03141, Patt. Rec. 2018
- Parameters
- classifierCClassifier
Target classifier.
- surrogate_classifierCClassifier
Surrogate classifier, assumed to be already trained.
- surrogate_dataCDataset or None, optional
Dataset on which the the surrogate classifier has been trained on. Is only required if the classifier is nonlinear.
- distance{‘l1’ or ‘l2’}, optional
Norm to use for computing the distance of the adversarial example from the original sample. Default ‘l2’.
- dmaxscalar, optional
Maximum value of the perturbation. Default 1.
- lb, ubint or CArray, optional
Lower/Upper bounds. If int, the same bound will be applied to all the features. If CArray, a different bound can be specified for each feature. Default lb = 0, ub = 1.
- discrete: True/False (default: false).
If True, input space is considered discrete (integer-valued), otherwise continuous.
- y_targetint or None, optional
If None an error-generic attack will be performed, else a error-specific attack to have the samples misclassified as belonging to the y_target class.
- attack_classes‘all’ or CArray, optional
- Array with the classes that can be manipulated by the attacker or
‘all’ (default) if all classes can be manipulated.
- solver_paramsdict or None, optional
Parameters for the solver. Default None, meaning that default parameters will be used.
- Attributes
class_type
‘e-pgd-ls’Defines class type.
Methods
copy
(self)Returns a shallow copy of current class.
create
([class_item])This method creates an instance of a class with given type.
deepcopy
(self)Returns a deep copy of current class.
get_class_from_type
(class_type)Return the class associated with input type.
get_params
(self)Returns the dictionary of class parameters.
get_state
(self)Returns the object state dictionary.
get_subclasses
()Get all the subclasses of the calling class.
is_attack_class
(self, y)Returns True/False if the input class can be attacked.
list_class_types
()This method lists all types of available subclasses of calling one.
load
(path)Loads object from file.
load_state
(self, path)Sets the object state from file.
objective_function
(self, x)Objective function.
run
(self, x, y[, ds_init])Runs evasion on a dataset.
save
(self, path)Save class object to file.
save_state
(self, path)Store the object state to file.
set
(self, param_name, param_value[, copy])Set a parameter of the class.
set_params
(self, params_dict[, copy])Set all parameters passed as a dictionary {key: value}.
set_state
(self, state_dict[, copy])Sets the object state using input dictionary.
timed
([msg])Timer decorator.
-
property
y_target
¶
CAttackEvasionCleverhans¶
-
class
secml.adv.attacks.evasion.cleverhans.c_attack_evasion_cleverhans.
CAttackEvasionCleverhans
(classifier, surrogate_classifier, surrogate_data=None, y_target=None, clvh_attack_class=cleverhans.attacks.CarliniWagnerL2, store_var_list=None, **kwargs)[source]¶ Bases:
secml.adv.attacks.evasion.c_attack_evasion.CAttackEvasion
,secml.adv.attacks.evasion.cleverhans.c_attack_evasion_cleverhans_losses.CAttackEvasionCleverhansLossesMixin
This class is a wrapper of the attacks implemented in the Cleverhans library.
Credits: https://github.com/tensorflow/cleverhans.
- Parameters
- classifierCClassifier
Target classifier on which the efficacy of the computed attack points is evaluates
- surrogate_classifierCClassifier
Surrogate classifier against which the attack is computed. This is assumed to be already trained on surrogate_data.
- surrogate_data: CDataset
Used to train the surrogate classifier.
- y_targetint or None, optional
If None an indiscriminate attack will be performed, else a targeted attack to have the samples misclassified as belonging to the y_target class.
- clvh_attack_class:
The CleverHans class that implement the attack
- store_var_list: list
list of variables to store from the graph during attack run. The variables will be stored as key-value dictionary and can be retrieved through the property stored_vars.
- **kwargs
Any other parameter for the cleverhans attack.
Notes
The current Tensorflow default graph will be used.
- Attributes
- attack_classes
class_type
Defines class type.
classifier
Returns classifier
discrete
Returns True if feature space is discrete, False if continuous.
distance
todo
dmax
Returns dmax
f_eval
Returns the number of function evaluations made during the attack.
f_opt
Returns the value of the objective function evaluated on the optimal point founded by the attack.
f_seq
Returns a CArray containing the values of the objective function evaluations made by the attack.
grad_eval
Returns the number of function evaluations made during the attack.
- issparse
lb
Returns lb
logger
Logger for current object.
- n_dim
- solver_params
- solver_type
stored_vars
Variables extracted from the graph during execution of the attack.
surrogate_classifier
Returns surrogate classifier
surrogate_data
Returns surrogate data
ub
Returns ub
verbose
Verbosity level of logger output.
x_opt
Returns the optimal point founded by the attack.
x_seq
Returns a CArray (number of iteration * number of features) containing the values of the attack point path.
- y_target
Methods
copy
(self)Returns a shallow copy of current class.
create
([class_item])This method creates an instance of a class with given type.
deepcopy
(self)Returns a deep copy of current class.
get_class_from_type
(class_type)Return the class associated with input type.
get_params
(self)Returns the dictionary of class parameters.
get_state
(self)Returns the object state dictionary.
get_subclasses
()Get all the subclasses of the calling class.
is_attack_class
(self, y)Returns True/False if the input class can be attacked.
list_class_types
()This method lists all types of available subclasses of calling one.
load
(path)Loads object from file.
load_state
(self, path)Sets the object state from file.
objective_function
(self, x)Objective function.
run
(self, x, y[, ds_init])Runs evasion on a dataset.
save
(self, path)Save class object to file.
save_state
(self, path)Store the object state to file.
set
(self, param_name, param_value[, copy])Set a parameter of the class.
set_params
(self, params_dict[, copy])Set all parameters passed as a dictionary {key: value}.
set_state
(self, state_dict[, copy])Sets the object state using input dictionary.
timed
([msg])Timer decorator.
-
property
f_eval
¶ Returns the number of function evaluations made during the attack.
Warning
Due to a known issue, if more then one sample is passed to
.run()
, this property will only return the data relative to the last optimized one. This behavior will change in a future version.
-
property
grad_eval
¶ Returns the number of function evaluations made during the attack.
Warning
Due to a known issue, if more then one sample is passed to
.run()
, this property will only return the data relative to the last optimized one. This behavior will change in a future version.
-
run
(self, x, y, ds_init=None, *args, **kargs)[source]¶ Runs evasion on a dataset.
- Parameters
- xCArray
Data points.
- yCArray
True labels.
- ds_initCDataset
Dataset for warm starts.
- Returns
- y_predCArray
Predicted labels for all ds samples by target classifier.
- scoresCArray
Scores for all ds samples by target classifier.
- adv_dsCDataset
Dataset of manipulated samples.
- f_objfloat
Mean value of the objective function computed on each data point.
-
property
stored_vars
¶ Variables extracted from the graph during execution of the attack.