secml.adv.attacks.poisoning

CAttackPoisoning

class secml.adv.attacks.poisoning.c_attack_poisoning.CAttackPoisoning(classifier, training_data, surrogate_classifier, val, surrogate_data=None, distance='l2', dmax=0, lb=0, ub=1, discrete=False, y_target=None, attack_classes='all', solver_type='pgd-ls', solver_params=None, init_type='random', random_seed=None)[source]

Bases: secml.adv.attacks.c_attack.CAttack

Interface for poisoning attacks.

Parameters
classifier : CClassifier

Target classifier.

training_data : CDataset

Dataset on which the classifier has been trained.

surrogate_classifier : CClassifier

Surrogate classifier, assumed to be already trained.

val : CDataset

Validation set.

surrogate_data : CDataset or None, optional

Dataset on which the surrogate classifier has been trained. Only required if the classifier is nonlinear.

distance : {‘l1’ or ‘l2’}, optional

Norm used to compute the distance of the adversarial example from the original sample. Default ‘l2’.

dmax : scalar, optional

Maximum value of the perturbation. Default 1.

lb, ub : int or CArray, optional

Lower/upper bounds. If int, the same bound is applied to all features. If CArray, a different bound can be specified for each feature. Default lb = 0, ub = 1.

y_target : int or None, optional

If None, an error-generic attack is performed; otherwise an error-specific attack is performed to have the samples misclassified as belonging to the y_target class.

attack_classes : ‘all’ or CArray, optional

Array with the classes that can be manipulated by the attacker, or ‘all’ (default) if all classes can be manipulated.

solver_type : str or None, optional

Identifier of the solver to be used. Default ‘pgd-ls’.

solver_params : dict or None, optional

Parameters for the solver. Default None, meaning that default parameters are used.

init_type : {‘random’, ‘loss_based’}, optional

Strategy used to choose the initial random samples. Default ‘random’.

random_seed : int or None, optional

If int, random_seed is the seed used by the random number generator. If None, no fixed seed is set.

Attributes
attack_classes
class_type

Defines class type.

classifier

Returns classifier.

discrete

Returns True if feature space is discrete, False if continuous.

distance

todo

dmax

Returns dmax.

f_eval

Returns the number of function evaluations made during the attack.

f_opt

Returns the value of the objective function evaluated on the optimal point found by the attack.

f_seq

Returns a CArray containing the values of the objective function evaluations made by the attack.

grad_eval

Returns the number of gradient evaluations made during the attack.

issparse
lb

Returns lb.

logger

Logger for current object.

n_dim
n_points

Returns the number of poisoning points.

random_seed

Returns the random seed used by the attack.

solver_params
solver_type
surrogate_classifier

Returns surrogate classifier.

surrogate_data

Returns surrogate data.

training_data

Returns the training set used to learn the targeted classifier.

ub

Returns ub.

val

Returns the attacker’s validation data.

verbose

Verbosity level of logger output.

x_opt

Returns the optimal point found by the attack.

x_seq

Returns a CArray (number of iterations x number of features) containing the values of the attack point path.

y_target

Methods

copy(self)

Returns a shallow copy of current class.

create([class_item])

This method creates an instance of a class with given type.

deepcopy(self)

Returns a deep copy of current class.

get_class_from_type(class_type)

Return the class associated with input type.

get_params(self)

Returns the dictionary of class parameters.

get_state(self)

Returns the object state dictionary.

get_subclasses()

Get all the subclasses of the calling class.

is_attack_class(self, y)

Returns True/False if the input class can be attacked.

list_class_types()

This method lists all types of available subclasses of calling one.

load(path)

Loads object from file.

load_state(self, path)

Sets the object state from file.

run(self, x, y[, ds_init, max_iter])

Runs poisoning on multiple points.

save(self, path)

Save class object to file.

save_state(self, path)

Store the object state to file.

set(self, param_name, param_value[, copy])

Set a parameter of the class.

set_params(self, params_dict[, copy])

Set all parameters passed as a dictionary {key: value}.

set_state(self, state_dict[, copy])

Sets the object state using input dictionary.

timed([msg])

Timer decorator.

add_discrete_perturbation

add_discrete_perturbation(self, xc)[source]

property n_points

Returns the number of poisoning points.

property random_seed

Returns the random seed used by the attack.

run(self, x, y, ds_init=None, max_iter=1)[source]

Runs poisoning on multiple points.

It reads n_points (previously set), initializes xc, yc at random, and then optimizes the poisoning points xc.

Parameters
x : CArray

Validation set for evaluating classifier performance. Note that this is not the validation data used by the attacker, which should be passed instead to the CAttackPoisoning constructor.

y : CArray

Corresponding true labels for samples in x.

ds_init : CDataset or None, optional

Dataset for warm start.

max_iter : int, optional

Number of iterations to re-optimize poisoning data. Default 1.

Returns
y_pred : predicted labels for all val samples by targeted classifier
scores : scores for all val samples by targeted classifier
adv_xc : manipulated poisoning points xc (for subsequent warm starts)
f_opt : final value of the objective function

property training_data

Returns the training set used to learn the targeted classifier.

property val

Returns the attacker’s validation data.

CAttackPoisoningLogisticRegression

class secml.adv.attacks.poisoning.c_attack_poisoning_logistic_regression.CAttackPoisoningLogisticRegression(classifier, training_data, surrogate_classifier, val, surrogate_data=None, distance='l1', dmax=0, lb=0, ub=1, discrete=False, y_target=None, attack_classes='all', solver_type='pgd-ls', solver_params=None, init_type='random', random_seed=None)[source]

Bases: secml.adv.attacks.poisoning.c_attack_poisoning.CAttackPoisoning

Poisoning attacks against logistic regression.

This is an implementation of the attack developed in Sect. 3.3 in https://www.usenix.org/conference/usenixsecurity19/presentation/demontis:

  • A. Demontis, M. Melis, M. Pintor, M. Jagielski, B. Biggio, A. Oprea, C. Nita-Rotaru, and F. Roli. Why do adversarial attacks transfer? Explaining transferability of evasion and poisoning attacks. In 28th USENIX Security Symposium. USENIX Association, 2019.

For more details on poisoning attacks, see also:

Parameters
classifier : CClassifierLogistic

Target classifier.

training_data : CDataset

Dataset on which the classifier has been trained.

surrogate_classifier : CClassifier

Surrogate classifier, assumed to be already trained.

val : CDataset

Validation set.

surrogate_data : CDataset or None, optional

Dataset on which the surrogate classifier has been trained. Only required if the classifier is nonlinear.

distance : {‘l1’ or ‘l2’}, optional

Norm used to compute the distance of the adversarial example from the original sample. Default ‘l2’.

dmax : scalar, optional

Maximum value of the perturbation. Default 1.

lb, ub : int or CArray, optional

Lower/upper bounds. If int, the same bound is applied to all features. If CArray, a different bound can be specified for each feature. Default lb = 0, ub = 1.

y_target : int or None, optional

If None, an error-generic attack is performed; otherwise an error-specific attack is performed to have the samples misclassified as belonging to the y_target class.

attack_classes : ‘all’ or CArray, optional

Array with the classes that can be manipulated by the attacker, or ‘all’ (default) if all classes can be manipulated.

solver_type : str or None, optional

Identifier of the solver to be used. Default ‘pgd-ls’.

solver_params : dict or None, optional

Parameters for the solver. Default None, meaning that default parameters are used.

init_type : {‘random’, ‘loss_based’}, optional

Strategy used to choose the initial random samples. Default ‘random’.

random_seed : int or None, optional

If int, random_seed is the seed used by the random number generator. If None, no fixed seed is set.

Attributes
attack_classes
class_type

Defines class type.

classifier

Returns classifier.

discrete

Returns True if feature space is discrete, False if continuous.

distance

todo

dmax

Returns dmax.

f_eval

Returns the number of function evaluations made during the attack.

f_opt

Returns the value of the objective function evaluated on the optimal point found by the attack.

f_seq

Returns a CArray containing the values of the objective function evaluations made by the attack.

grad_eval

Returns the number of gradient evaluations made during the attack.

issparse
lb

Returns lb.

logger

Logger for current object.

n_dim
n_points

Returns the number of poisoning points.

random_seed

Returns the random seed used by the attack.

solver_params
solver_type
surrogate_classifier

Returns surrogate classifier.

surrogate_data

Returns surrogate data.

training_data

Returns the training set used to learn the targeted classifier.

ub

Returns ub.

val

Returns the attacker’s validation data.

verbose

Verbosity level of logger output.

x_opt

Returns the optimal point found by the attack.

x_seq

Returns a CArray (number of iterations x number of features) containing the values of the attack point path.

y_target

Methods

copy(self)

Returns a shallow copy of current class.

create([class_item])

This method creates an instance of a class with given type.

deepcopy(self)

Returns a deep copy of current class.

get_class_from_type(class_type)

Return the class associated with input type.

get_params(self)

Returns the dictionary of class parameters.

get_state(self)

Returns the object state dictionary.

get_subclasses()

Get all the subclasses of the calling class.

is_attack_class(self, y)

Returns True/False if the input class can be attacked.

list_class_types()

This method lists all types of available subclasses of calling one.

load(path)

Loads object from file.

load_state(self, path)

Sets the object state from file.

run(self, x, y[, ds_init, max_iter])

Runs poisoning on multiple points.

save(self, path)

Save class object to file.

save_state(self, path)

Store the object state to file.

set(self, param_name, param_value[, copy])

Set a parameter of the class.

set_params(self, params_dict[, copy])

Set all parameters passed as a dictionary {key: value}.

set_state(self, state_dict[, copy])

Sets the object state using input dictionary.

timed([msg])

Timer decorator.

add_discrete_perturbation

CAttackPoisoningRidge

class secml.adv.attacks.poisoning.c_attack_poisoning_ridge.CAttackPoisoningRidge(classifier, training_data, surrogate_classifier, val, surrogate_data=None, distance='l2', dmax=0, lb=0, ub=1, discrete=False, y_target=None, attack_classes='all', solver_type='pgd-ls', solver_params=None, init_type=None, random_seed=None)[source]

Bases: secml.adv.attacks.poisoning.c_attack_poisoning.CAttackPoisoning

Poisoning attacks against ridge regression.

This is an implementation of the attack developed in https://arxiv.org/abs/1804.07933:

  • H. Xiao, B. Biggio, G. Brown, G. Fumera, C. Eckert, and F. Roli. Is feature selection secure against training data poisoning? In F. Bach and D. Blei, editors, JMLR W&CP, Proc. 32nd Int’l Conf. Mach. Learning (ICML), volume 37, pp. 1689-1698, 2015.

For more details on poisoning attacks, see also:

Parameters
classifier : CClassifierRidge

Target classifier.

training_data : CDataset

Dataset on which the classifier has been trained.

surrogate_classifier : CClassifier

Surrogate classifier, assumed to be already trained.

val : CDataset

Validation set.

surrogate_data : CDataset or None, optional

Dataset on which the surrogate classifier has been trained. Only required if the classifier is nonlinear.

distance : {‘l1’ or ‘l2’}, optional

Norm used to compute the distance of the adversarial example from the original sample. Default ‘l2’.

dmax : scalar, optional

Maximum value of the perturbation. Default 1.

lb, ub : int or CArray, optional

Lower/upper bounds. If int, the same bound is applied to all features. If CArray, a different bound can be specified for each feature. Default lb = 0, ub = 1.

y_target : int or None, optional

If None, an error-generic attack is performed; otherwise an error-specific attack is performed to have the samples misclassified as belonging to the y_target class.

attack_classes : ‘all’ or CArray, optional

Array with the classes that can be manipulated by the attacker, or ‘all’ (default) if all classes can be manipulated.

solver_type : str or None, optional

Identifier of the solver to be used. Default ‘pgd-ls’.

solver_params : dict or None, optional

Parameters for the solver. Default None, meaning that default parameters are used.

init_type : {‘random’, ‘loss_based’}, optional

Strategy used to choose the initial random samples. Default ‘random’.

random_seed : int or None, optional

If int, random_seed is the seed used by the random number generator. If None, no fixed seed is set.

Attributes
attack_classes
class_type

Defines class type.

classifier

Returns classifier.

discrete

Returns True if feature space is discrete, False if continuous.

distance

todo

dmax

Returns dmax.

f_eval

Returns the number of function evaluations made during the attack.

f_opt

Returns the value of the objective function evaluated on the optimal point found by the attack.

f_seq

Returns a CArray containing the values of the objective function evaluations made by the attack.

grad_eval

Returns the number of gradient evaluations made during the attack.

issparse
lb

Returns lb.

logger

Logger for current object.

n_dim
n_points

Returns the number of poisoning points.

random_seed

Returns the random seed used by the attack.

solver_params
solver_type
surrogate_classifier

Returns surrogate classifier.

surrogate_data

Returns surrogate data.

training_data

Returns the training set used to learn the targeted classifier.

ub

Returns ub.

val

Returns the attacker’s validation data.

verbose

Verbosity level of logger output.

x_opt

Returns the optimal point found by the attack.

x_seq

Returns a CArray (number of iterations x number of features) containing the values of the attack point path.

y_target

Methods

copy(self)

Returns a shallow copy of current class.

create([class_item])

This method creates an instance of a class with given type.

deepcopy(self)

Returns a deep copy of current class.

get_class_from_type(class_type)

Return the class associated with input type.

get_params(self)

Returns the dictionary of class parameters.

get_state(self)

Returns the object state dictionary.

get_subclasses()

Get all the subclasses of the calling class.

is_attack_class(self, y)

Returns True/False if the input class can be attacked.

list_class_types()

This method lists all types of available subclasses of calling one.

load(path)

Loads object from file.

load_state(self, path)

Sets the object state from file.

run(self, x, y[, ds_init, max_iter])

Runs poisoning on multiple points.

save(self, path)

Save class object to file.

save_state(self, path)

Store the object state to file.

set(self, param_name, param_value[, copy])

Set a parameter of the class.

set_params(self, params_dict[, copy])

Set all parameters passed as a dictionary {key: value}.

set_state(self, state_dict[, copy])

Sets the object state using input dictionary.

timed([msg])

Timer decorator.

add_discrete_perturbation

CAttackPoisoningSVM

class secml.adv.attacks.poisoning.c_attack_poisoning_svm.CAttackPoisoningSVM(classifier, training_data, surrogate_classifier, val, surrogate_data=None, distance='l1', dmax=0, lb=0, ub=1, discrete=False, y_target=None, attack_classes='all', solver_type='pgd-ls', solver_params=None, init_type='random', random_seed=None)[source]

Bases: secml.adv.attacks.poisoning.c_attack_poisoning.CAttackPoisoning

Poisoning attacks against Support Vector Machines (SVMs).

This is an implementation of the attack in https://arxiv.org/pdf/1206.6389:

  • B. Biggio, B. Nelson, and P. Laskov. Poisoning attacks against support vector machines. In J. Langford and J. Pineau, editors, 29th Int’l Conf. on Machine Learning, pages 1807-1814. Omnipress, 2012.

where the gradient is computed as described in Eq. (10) in https://www.usenix.org/conference/usenixsecurity19/presentation/demontis:

  • A. Demontis, M. Melis, M. Pintor, M. Jagielski, B. Biggio, A. Oprea, C. Nita-Rotaru, and F. Roli. Why do adversarial attacks transfer? Explaining transferability of evasion and poisoning attacks. In 28th USENIX Security Symposium. USENIX Association, 2019.

For more details on poisoning attacks, see also:

Parameters
classifier : CClassifierSVM

Target classifier. If linear, requires store_dual_vars = True.

training_data : CDataset

Dataset on which the classifier has been trained.

surrogate_classifier : CClassifier

Surrogate classifier, assumed to be already trained.

val : CDataset

Validation set.

surrogate_data : CDataset or None, optional

Dataset on which the surrogate classifier has been trained. Only required if the classifier is nonlinear.

distance : {‘l1’ or ‘l2’}, optional

Norm used to compute the distance of the adversarial example from the original sample. Default ‘l2’.

dmax : scalar, optional

Maximum value of the perturbation. Default 1.

lb, ub : int or CArray, optional

Lower/upper bounds. If int, the same bound is applied to all features. If CArray, a different bound can be specified for each feature. Default lb = 0, ub = 1.

y_target : int or None, optional

If None, an error-generic attack is performed; otherwise an error-specific attack is performed to have the samples misclassified as belonging to the y_target class.

attack_classes : ‘all’ or CArray, optional

Array with the classes that can be manipulated by the attacker, or ‘all’ (default) if all classes can be manipulated.

solver_type : str or None, optional

Identifier of the solver to be used. Default ‘pgd-ls’.

solver_params : dict or None, optional

Parameters for the solver. Default None, meaning that default parameters are used.

init_type : {‘random’, ‘loss_based’}, optional

Strategy used to choose the initial random samples. Default ‘random’.

random_seed : int or None, optional

If int, random_seed is the seed used by the random number generator. If None, no fixed seed is set.

Attributes
attack_classes
class_type

Defines class type.

classifier

Returns classifier.

discrete

Returns True if feature space is discrete, False if continuous.

distance

todo

dmax

Returns dmax.

f_eval

Returns the number of function evaluations made during the attack.

f_opt

Returns the value of the objective function evaluated on the optimal point found by the attack.

f_seq

Returns a CArray containing the values of the objective function evaluations made by the attack.

grad_eval

Returns the number of gradient evaluations made during the attack.

issparse
lb

Returns lb.

logger

Logger for current object.

n_dim
n_points

Returns the number of poisoning points.

random_seed

Returns the random seed used by the attack.

solver_params
solver_type
surrogate_classifier

Returns surrogate classifier.

surrogate_data

Returns surrogate data.

training_data

Returns the training set used to learn the targeted classifier.

ub

Returns ub.

val

Returns the attacker’s validation data.

verbose

Verbosity level of logger output.

x_opt

Returns the optimal point found by the attack.

x_seq

Returns a CArray (number of iterations x number of features) containing the values of the attack point path.

y_target

Methods

alpha_xc(self, xc)

Parameters

copy(self)

Returns a shallow copy of current class.

create([class_item])

This method creates an instance of a class with given type.

deepcopy(self)

Returns a deep copy of current class.

get_class_from_type(class_type)

Return the class associated with input type.

get_params(self)

Returns the dictionary of class parameters.

get_state(self)

Returns the object state dictionary.

get_subclasses()

Get all the subclasses of the calling class.

is_attack_class(self, y)

Returns True/False if the input class can be attacked.

list_class_types()

This method lists all types of available subclasses of calling one.

load(path)

Loads object from file.

load_state(self, path)

Sets the object state from file.

run(self, x, y[, ds_init, max_iter])

Runs poisoning on multiple points.

save(self, path)

Save class object to file.

save_state(self, path)

Store the object state to file.

set(self, param_name, param_value[, copy])

Set a parameter of the class.

set_params(self, params_dict[, copy])

Set all parameters passed as a dictionary {key: value}.

set_state(self, state_dict[, copy])

Sets the object state using input dictionary.

timed([msg])

Timer decorator.

add_discrete_perturbation

alpha_xc(self, xc)[source]

Parameters
xc : poisoning point

Returns
f_obj : values of objective function (average hinge loss) at x