secml.adv.attacks.poisoning
CAttackPoisoning
class secml.adv.attacks.poisoning.c_attack_poisoning.CAttackPoisoning(classifier, training_data, surrogate_classifier, val, surrogate_data=None, distance='l2', dmax=0, lb=0, ub=1, discrete=False, y_target=None, attack_classes='all', solver_type='pgd-ls', solver_params=None, init_type='random', random_seed=None)
Bases: secml.adv.attacks.c_attack.CAttack
Interface for poisoning attacks.
Parameters
    classifier : CClassifier
        Target classifier.
    training_data : CDataset
        Dataset on which the classifier has been trained.
    surrogate_classifier : CClassifier
        Surrogate classifier, assumed to be already trained.
    val : CDataset
        Validation set on which the attacker evaluates the poisoning objective (not the set later passed to run()).
    surrogate_data : CDataset or None, optional
        Dataset on which the surrogate classifier has been trained. Only required if the classifier is nonlinear.
    distance : {‘l1’, ‘l2’}, optional
        Norm used to measure the perturbation of a poisoning point from its initial value. Default ‘l2’.
    dmax : scalar, optional
        Maximum norm of the perturbation. The signature above defaults to 0 (the docstring says 1), so set it explicitly.
    lb, ub : int or CArray, optional
        Lower/upper bounds on feature values. If int, the same bound is applied to all features; if CArray, one bound per feature. Default lb = 0, ub = 1.
    discrete : bool, optional
        True if the feature space is discrete, False if continuous. Default False.
    y_target : int or None, optional
        If None, an error-generic attack is performed; otherwise an error-specific attack that tries to have samples misclassified as the y_target class.
    attack_classes : ‘all’ or CArray, optional
        Array with the classes whose samples the attacker can manipulate, or ‘all’ (default) if all classes can be manipulated.
    solver_type : str or None, optional
        Identifier of the solver to be used. Default ‘pgd-ls’.
    solver_params : dict or None, optional
        Parameters for the solver. Default None, meaning the solver’s defaults are used.
    init_type : {‘random’, ‘loss_based’}, optional
        Strategy used to choose the initial poisoning points. Default ‘random’.
    random_seed : int or None, optional
        If int, the seed used by the random number generator. If None, no fixed seed is set.
Attributes
    attack_classes
    class_type
        Defines class type.
    classifier
        Returns classifier.
    discrete
        Returns True if feature space is discrete, False if continuous.
    distance
        Returns the norm (‘l1’ or ‘l2’) used to bound the perturbation.
    dmax
        Returns dmax.
    f_eval
    f_opt
    f_seq
    grad_eval
    issparse
    lb
        Returns lb.
    logger
        Logger for current object.
    n_dim
    n_points
        Returns the number of poisoning points.
    random_seed
        Returns the random seed used by the random number generator.
    solver_params
    solver_type
    surrogate_classifier
        Returns surrogate classifier.
    surrogate_data
        Returns surrogate data.
    training_data
        Returns the training set used to learn the targeted classifier.
    ub
        Returns ub.
    val
        Returns the attacker’s validation data.
    verbose
        Verbosity level of logger output.
    x_opt
    x_seq
    y_target
Methods
    copy(self): Returns a shallow copy of current class.
    create([class_item]): Creates an instance of a class with given type.
    deepcopy(self): Returns a deep copy of current class.
    get_class_from_type(class_type): Return the class associated with input type.
    get_params(self): Returns the dictionary of class parameters.
    get_subclasses(): Get all the subclasses of the calling class.
    is_attack_class(self, y): Returns True/False if the input class can be attacked.
    list_class_types(): Lists all types of available subclasses of the calling one.
    load(path): Loads class from a pickle file. Unpickling executes code embedded in the file, so load only files you saved yourself.
    run(self, x, y[, ds_init, max_iter]): Runs poisoning on multiple points.
    save(self, path): Save class object using pickle.
    set(self, param_name, param_value[, copy]): Set a parameter that has a specific name to a specific value.
    set_params(self, params_dict[, copy]): Set all parameters passed as a dictionary {key: value}.
    timed([msg]): Timer decorator.
    add_discrete_perturbation
property n_points
    Returns the number of poisoning points.
property random_seed
    Returns the random seed used by the random number generator.
run(self, x, y, ds_init=None, max_iter=1)
    Runs poisoning on multiple points.
    It reads n_points (previously set), initializes the poisoning points xc and their labels yc at random (or from ds_init when a warm start is given), and then optimizes xc.
    Parameters
        x : CArray
            Samples on which the targeted classifier is evaluated after poisoning. Note that this is not the validation data used by the attacker, which must instead be passed as val to the CAttackPoisoning constructor.
        y : CArray
            Corresponding true labels for samples in x.
        ds_init : CDataset or None, optional
            Dataset for warm start (for example the adv_xc returned by a previous call).
        max_iter : int, optional
            Number of times the poisoning points are re-optimized. Default 1.
    Returns
        y_pred : predicted labels for all samples in x by the targeted classifier trained on the poisoned data
        scores : scores for all samples in x by the targeted classifier trained on the poisoned data
        adv_xc : manipulated poisoning points xc (for subsequent warm starts)
        f_opt : final value of the objective function
property training_data
    Returns the training set used to learn the targeted classifier.
property val
    Returns the attacker’s validation data.
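The following is an added illustration, not secml code: a pure-Python toy that mirrors the contract of CAttackPoisoning.run() and its constructor parameters (distance/dmax, lb/ub, y_target, attack_classes, ds_init, max_iter) against a tiny logistic-regression victim. It uses central finite differences through retraining instead of the closed-form gradients of the papers cited below, initialises poisoning points as label-flipped copies of training samples (a toy choice), measures dmax from the starting points, and runs on constructed blob data. The names run_poisoning, attacker_objective, project and clip are this example's own, not secml's.

```python
import math
import random

# Constructed toy data (not from the page): two Gaussian blobs in [0, 1]^2.
_rng = random.Random(7)
def _blob(cx, cy, n, label):
    clamp = lambda v: min(1.0, max(0.0, v))
    return [[clamp(_rng.gauss(cx, 0.08)), clamp(_rng.gauss(cy, 0.08))] for _ in range(n)], [label] * n
X0, Y0 = _blob(0.25, 0.30, 15, 0)
X1, Y1 = _blob(0.75, 0.70, 15, 1)
TR_X, TR_Y = X0[:10] + X1[:10], Y0[:10] + Y1[:10]    # victim's training set
VAL_X, VAL_Y = X0[10:] + X1[10:], Y0[10:] + Y1[10:]  # attacker's validation set

def _sigmoid(z):
    return 1.0 / (1.0 + math.exp(-max(-30.0, min(30.0, z))))

def train_logreg(X, y, lr=1.0, epochs=60):
    """Victim model: logistic regression with a bias term, fitted by gradient descent."""
    d = len(X[0]) + 1
    w = [0.0] * d
    for _ in range(epochs):
        g = [0.0] * d
        for xi, yi in zip(X, y):
            xb = xi + [1.0]
            err = _sigmoid(sum(a * b for a, b in zip(w, xb))) - yi
            for j in range(d):
                g[j] += err * xb[j]
        w = [wj - lr * gj / len(X) for wj, gj in zip(w, g)]
    return w

def predict(w, X):
    scores = [_sigmoid(sum(a * b for a, b in zip(w, xi + [1.0]))) for xi in X]
    return [1 if s > 0.5 else 0 for s in scores], scores

def attacker_objective(tr_X, tr_y, xc, yc, val_X, val_y, y_target=None):
    """Value the attacker maximises after the victim retrains on tr + poison: error-generic
    (y_target=None) is the validation log-loss; error-specific is the mean log p(y_target | x)."""
    _, p = predict(train_logreg(tr_X + xc, tr_y + yc), val_X)
    if y_target is None:
        return -sum(math.log(pi if yi == 1 else 1.0 - pi) for pi, yi in zip(p, val_y)) / len(p)
    return sum(math.log(pi if y_target == 1 else 1.0 - pi) for pi in p) / len(p)

def project(delta, distance, dmax):
    """Project a perturbation onto the l2 or l1 ball of radius dmax (l1: sort-and-threshold)."""
    if distance == 'l2':
        n = math.sqrt(sum(v * v for v in delta))
        return list(delta) if n <= dmax else [v * dmax / n for v in delta]
    if distance != 'l1':
        raise ValueError("distance must be 'l1' or 'l2'")
    if sum(abs(v) for v in delta) <= dmax:
        return list(delta)
    css, theta = 0.0, 0.0
    for k, uk in enumerate(sorted((abs(v) for v in delta), reverse=True), 1):
        css += uk
        if uk - (css - dmax) / k > 0:
            theta = (css - dmax) / k
    return [math.copysign(max(abs(v) - theta, 0.0), v) for v in delta]

def clip(x, lb, ub):
    """Box constraint; lb and ub are scalars or one bound per feature, as in secml."""
    lo = lb if isinstance(lb, list) else [lb] * len(x)
    hi = ub if isinstance(ub, list) else [ub] * len(x)
    return [min(h, max(l, v)) for v, l, h in zip(x, lo, hi)]

def run_poisoning(tr_X, tr_y, val_X, val_y, n_points, distance='l2', dmax=0.3, lb=0.0, ub=1.0,
                  y_target=None, attack_classes='all', ds_init=None, max_iter=1,
                  eta=0.05, n_steps=8, h=1e-3, seed=0):
    """Toy analogue of CAttackPoisoning.run(): returns (y_pred, scores, adv_ds, f_opt).
    Gradients are central finite differences through retraining; a step that does not
    raise the objective is rejected and eta halved (a crude stand-in for 'pgd-ls')."""
    rng = random.Random(seed)
    if ds_init is None:  # random init from the attackable classes, label flipped (toy choice)
        cand = [i for i, yi in enumerate(tr_y) if attack_classes == 'all' or yi in attack_classes]
        idx = rng.sample(cand, n_points)
        xc, yc = [list(tr_X[i]) for i in idx], [1 - tr_y[i] for i in idx]
    else:                # warm start from the adv_ds of a previous call
        xc, yc = [list(p) for p in ds_init[0]], list(ds_init[1])
    x0 = [list(p) for p in xc]  # the dmax ball is centred on the starting points
    def obj(pts):
        return attacker_objective(tr_X, tr_y, pts, yc, val_X, val_y, y_target)
    f_cur, d = obj(xc), len(tr_X[0])
    for _ in range(max_iter):          # re-optimise every point max_iter times
        for k in range(len(xc)):       # one poisoning point at a time, the others fixed
            step = eta
            for _ in range(n_steps):
                grad = []
                for j in range(d):
                    up, dn = [list(p) for p in xc], [list(p) for p in xc]
                    up[k][j], dn[k][j] = up[k][j] + h, dn[k][j] - h
                    grad.append((obj(up) - obj(dn)) / (2 * h))
                moved = [xc[k][j] + step * grad[j] for j in range(d)]
                delta = project([m - o for m, o in zip(moved, x0[k])], distance, dmax)
                trial = [list(p) for p in xc]
                trial[k] = clip([o + dl for o, dl in zip(x0[k], delta)], lb, ub)
                f_new = obj(trial)
                if f_new > f_cur:
                    xc, f_cur = trial, f_new
                else:
                    step *= 0.5
    y_pred, scores = predict(train_logreg(tr_X + xc, tr_y + yc), val_X)
    return y_pred, scores, (xc, yc), f_cur

if __name__ == "__main__":
    y_pred, _, (xc, yc), f_opt = run_poisoning(TR_X, TR_Y, VAL_X, VAL_Y, n_points=2, dmax=0.4)
    print("poisoned validation accuracy %d/%d, f_opt=%.3f"
          % (sum(p == y for p, y in zip(y_pred, VAL_Y)), len(VAL_Y), f_opt))
```

A warm start is the (xc, yc) pair returned as adv_ds fed back in as ds_init; because only steps that raise the objective are kept, f_opt never decreases across max_iter rounds, which is the property to check when judging whether more iterations are worth their retraining cost. The clip after the projection cannot enlarge the perturbation as long as the starting point itself lies inside [lb, ub].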
CAttackPoisoningLogisticRegression
class secml.adv.attacks.poisoning.c_attack_poisoning_logistic_regression.CAttackPoisoningLogisticRegression(classifier, training_data, surrogate_classifier, val, surrogate_data=None, distance='l1', dmax=0, lb=0, ub=1, discrete=False, y_target=None, attack_classes='all', solver_type='pgd-ls', solver_params=None, init_type='random', random_seed=None)
Bases: secml.adv.attacks.poisoning.c_attack_poisoning.CAttackPoisoning
Poisoning attacks against logistic regression.
This is an implementation of the attack developed in Sect. 3.3 of https://www.usenix.org/conference/usenixsecurity19/presentation/demontis:
A. Demontis, M. Melis, M. Pintor, M. Jagielski, B. Biggio, A. Oprea, C. Nita-Rotaru, and F. Roli. Why do adversarial attacks transfer? Explaining transferability of evasion and poisoning attacks. In 28th USENIX Security Symposium. USENIX Association, 2019.
For more details on poisoning attacks, see also:
    https://arxiv.org/abs/1804.00308, IEEE Symp. SP 2018
    https://arxiv.org/abs/1712.03141, Patt. Rec. 2018
    https://arxiv.org/abs/1708.08689, AISec 2017
    https://arxiv.org/abs/1804.07933, ICML 2015
    https://arxiv.org/pdf/1206.6389, ICML 2012
Parameters
    classifier : CClassifierLogistic
        Target classifier.
    training_data : CDataset
        Dataset on which the classifier has been trained.
    surrogate_classifier : CClassifier
        Surrogate classifier, assumed to be already trained.
    val : CDataset
        Validation set on which the attacker evaluates the poisoning objective (not the set later passed to run()).
    surrogate_data : CDataset or None, optional
        Dataset on which the surrogate classifier has been trained. Only required if the classifier is nonlinear.
    distance : {‘l1’, ‘l2’}, optional
        Norm used to measure the perturbation of a poisoning point from its initial value. Default ‘l1’ in the signature above (the inherited description says ‘l2’).
    dmax : scalar, optional
        Maximum norm of the perturbation. The signature above defaults to 0 (the docstring says 1), so set it explicitly.
    lb, ub : int or CArray, optional
        Lower/upper bounds on feature values. If int, the same bound is applied to all features; if CArray, one bound per feature. Default lb = 0, ub = 1.
    discrete : bool, optional
        True if the feature space is discrete, False if continuous. Default False.
    y_target : int or None, optional
        If None, an error-generic attack is performed; otherwise an error-specific attack that tries to have samples misclassified as the y_target class.
    attack_classes : ‘all’ or CArray, optional
        Array with the classes whose samples the attacker can manipulate, or ‘all’ (default) if all classes can be manipulated.
    solver_type : str or None, optional
        Identifier of the solver to be used. Default ‘pgd-ls’.
    solver_params : dict or None, optional
        Parameters for the solver. Default None, meaning the solver’s defaults are used.
    init_type : {‘random’, ‘loss_based’}, optional
        Strategy used to choose the initial poisoning points. Default ‘random’.
    random_seed : int or None, optional
        If int, the seed used by the random number generator. If None, no fixed seed is set.
Attributes
    attack_classes
    class_type
        Defines class type.
    classifier
        Returns classifier.
    discrete
        Returns True if feature space is discrete, False if continuous.
    distance
        Returns the norm (‘l1’ or ‘l2’) used to bound the perturbation.
    dmax
        Returns dmax.
    f_eval
    f_opt
    f_seq
    grad_eval
    issparse
    lb
        Returns lb.
    logger
        Logger for current object.
    n_dim
    n_points
        Returns the number of poisoning points.
    random_seed
        Returns the random seed used by the random number generator.
    solver_params
    solver_type
    surrogate_classifier
        Returns surrogate classifier.
    surrogate_data
        Returns surrogate data.
    training_data
        Returns the training set used to learn the targeted classifier.
    ub
        Returns ub.
    val
        Returns the attacker’s validation data.
    verbose
        Verbosity level of logger output.
    x_opt
    x_seq
    y_target
Methods
    copy(self): Returns a shallow copy of current class.
    create([class_item]): Creates an instance of a class with given type.
    deepcopy(self): Returns a deep copy of current class.
    get_class_from_type(class_type): Return the class associated with input type.
    get_params(self): Returns the dictionary of class parameters.
    get_subclasses(): Get all the subclasses of the calling class.
    is_attack_class(self, y): Returns True/False if the input class can be attacked.
    list_class_types(): Lists all types of available subclasses of the calling one.
    load(path): Loads class from a pickle file. Unpickling executes code embedded in the file, so load only files you saved yourself.
    run(self, x, y[, ds_init, max_iter]): Runs poisoning on multiple points.
    save(self, path): Save class object using pickle.
    set(self, param_name, param_value[, copy]): Set a parameter that has a specific name to a specific value.
    set_params(self, params_dict[, copy]): Set all parameters passed as a dictionary {key: value}.
    timed([msg]): Timer decorator.
    add_discrete_perturbation
CAttackPoisoningRidge
class secml.adv.attacks.poisoning.c_attack_poisoning_ridge.CAttackPoisoningRidge(classifier, training_data, surrogate_classifier, val, surrogate_data=None, distance='l2', dmax=0, lb=0, ub=1, discrete=False, y_target=None, attack_classes='all', solver_type='pgd-ls', solver_params=None, init_type=None, random_seed=None)
Bases: secml.adv.attacks.poisoning.c_attack_poisoning.CAttackPoisoning
Poisoning attacks against ridge regression.
This is an implementation of the attack developed in https://arxiv.org/abs/1804.07933:
H. Xiao, B. Biggio, G. Brown, G. Fumera, C. Eckert, and F. Roli. Is feature selection secure against training data poisoning? In F. Bach and D. Blei, editors, JMLR W&CP, Proc. 32nd Int’l Conf. Mach. Learning (ICML), volume 37, pp. 1689-1698, 2015.
For more details on poisoning attacks, see also:
    https://arxiv.org/abs/1809.02861, USENIX Sec. 2019
    https://arxiv.org/abs/1804.00308, IEEE Symp. SP 2018
    https://arxiv.org/abs/1712.03141, Patt. Rec. 2018
    https://arxiv.org/abs/1708.08689, AISec 2017
    https://arxiv.org/pdf/1206.6389, ICML 2012
Parameters
    classifier : CClassifierRidge
        Target classifier.
    training_data : CDataset
        Dataset on which the classifier has been trained.
    surrogate_classifier : CClassifier
        Surrogate classifier, assumed to be already trained.
    val : CDataset
        Validation set on which the attacker evaluates the poisoning objective (not the set later passed to run()).
    surrogate_data : CDataset or None, optional
        Dataset on which the surrogate classifier has been trained. Only required if the classifier is nonlinear.
    distance : {‘l1’, ‘l2’}, optional
        Norm used to measure the perturbation of a poisoning point from its initial value. Default ‘l2’.
    dmax : scalar, optional
        Maximum norm of the perturbation. The signature above defaults to 0 (the docstring says 1), so set it explicitly.
    lb, ub : int or CArray, optional
        Lower/upper bounds on feature values. If int, the same bound is applied to all features; if CArray, one bound per feature. Default lb = 0, ub = 1.
    discrete : bool, optional
        True if the feature space is discrete, False if continuous. Default False.
    y_target : int or None, optional
        If None, an error-generic attack is performed; otherwise an error-specific attack that tries to have samples misclassified as the y_target class.
    attack_classes : ‘all’ or CArray, optional
        Array with the classes whose samples the attacker can manipulate, or ‘all’ (default) if all classes can be manipulated.
    solver_type : str or None, optional
        Identifier of the solver to be used. Default ‘pgd-ls’.
    solver_params : dict or None, optional
        Parameters for the solver. Default None, meaning the solver’s defaults are used.
    init_type : {‘random’, ‘loss_based’}, optional
        Strategy used to choose the initial poisoning points. The documented default is ‘random’; the signature above passes None.
    random_seed : int or None, optional
        If int, the seed used by the random number generator. If None, no fixed seed is set.
Attributes
    attack_classes
    class_type
        Defines class type.
    classifier
        Returns classifier.
    discrete
        Returns True if feature space is discrete, False if continuous.
    distance
        Returns the norm (‘l1’ or ‘l2’) used to bound the perturbation.
    dmax
        Returns dmax.
    f_eval
    f_opt
    f_seq
    grad_eval
    issparse
    lb
        Returns lb.
    logger
        Logger for current object.
    n_dim
    n_points
        Returns the number of poisoning points.
    random_seed
        Returns the random seed used by the random number generator.
    solver_params
    solver_type
    surrogate_classifier
        Returns surrogate classifier.
    surrogate_data
        Returns surrogate data.
    training_data
        Returns the training set used to learn the targeted classifier.
    ub
        Returns ub.
    val
        Returns the attacker’s validation data.
    verbose
        Verbosity level of logger output.
    x_opt
    x_seq
    y_target
Methods
    copy(self): Returns a shallow copy of current class.
    create([class_item]): Creates an instance of a class with given type.
    deepcopy(self): Returns a deep copy of current class.
    get_class_from_type(class_type): Return the class associated with input type.
    get_params(self): Returns the dictionary of class parameters.
    get_subclasses(): Get all the subclasses of the calling class.
    is_attack_class(self, y): Returns True/False if the input class can be attacked.
    list_class_types(): Lists all types of available subclasses of the calling one.
    load(path): Loads class from a pickle file. Unpickling executes code embedded in the file, so load only files you saved yourself.
    run(self, x, y[, ds_init, max_iter]): Runs poisoning on multiple points.
    save(self, path): Save class object using pickle.
    set(self, param_name, param_value[, copy]): Set a parameter that has a specific name to a specific value.
    set_params(self, params_dict[, copy]): Set all parameters passed as a dictionary {key: value}.
    timed([msg]): Timer decorator.
    add_discrete_perturbation
CAttackPoisoningSVM
class secml.adv.attacks.poisoning.c_attack_poisoning_svm.CAttackPoisoningSVM(classifier, training_data, surrogate_classifier, val, surrogate_data=None, distance='l1', dmax=0, lb=0, ub=1, discrete=False, y_target=None, attack_classes='all', solver_type='pgd-ls', solver_params=None, init_type='random', random_seed=None)
Bases: secml.adv.attacks.poisoning.c_attack_poisoning.CAttackPoisoning
Poisoning attacks against Support Vector Machines (SVMs).
This is an implementation of the attack in https://arxiv.org/pdf/1206.6389:
B. Biggio, B. Nelson, and P. Laskov. Poisoning attacks against support vector machines. In J. Langford and J. Pineau, editors, 29th Int’l Conf. on Machine Learning, pages 1807-1814. Omnipress, 2012.
where the gradient is computed as described in Eq. (10) of https://www.usenix.org/conference/usenixsecurity19/presentation/demontis:
A. Demontis, M. Melis, M. Pintor, M. Jagielski, B. Biggio, A. Oprea, C. Nita-Rotaru, and F. Roli. Why do adversarial attacks transfer? Explaining transferability of evasion and poisoning attacks. In 28th USENIX Security Symposium. USENIX Association, 2019.
For more details on poisoning attacks, see also:
    https://arxiv.org/abs/1804.00308, IEEE Symp. SP 2018
    https://arxiv.org/abs/1712.03141, Patt. Rec. 2018
    https://arxiv.org/abs/1708.08689, AISec 2017
    https://arxiv.org/abs/1804.07933, ICML 2015
Parameters
    classifier : CClassifierSVM
        Target classifier. If linear, requires store_dual_vars = True.
    training_data : CDataset
        Dataset on which the classifier has been trained.
    surrogate_classifier : CClassifier
        Surrogate classifier, assumed to be already trained.
    val : CDataset
        Validation set on which the attacker evaluates the poisoning objective (not the set later passed to run()).
    surrogate_data : CDataset or None, optional
        Dataset on which the surrogate classifier has been trained. Only required if the classifier is nonlinear.
    distance : {‘l1’, ‘l2’}, optional
        Norm used to measure the perturbation of a poisoning point from its initial value. Default ‘l1’ in the signature above (the inherited description says ‘l2’).
    dmax : scalar, optional
        Maximum norm of the perturbation. The signature above defaults to 0 (the docstring says 1), so set it explicitly.
    lb, ub : int or CArray, optional
        Lower/upper bounds on feature values. If int, the same bound is applied to all features; if CArray, one bound per feature. Default lb = 0, ub = 1.
    discrete : bool, optional
        True if the feature space is discrete, False if continuous. Default False.
    y_target : int or None, optional
        If None, an error-generic attack is performed; otherwise an error-specific attack that tries to have samples misclassified as the y_target class.
    attack_classes : ‘all’ or CArray, optional
        Array with the classes whose samples the attacker can manipulate, or ‘all’ (default) if all classes can be manipulated.
    solver_type : str or None, optional
        Identifier of the solver to be used. Default ‘pgd-ls’.
    solver_params : dict or None, optional
        Parameters for the solver. Default None, meaning the solver’s defaults are used.
    init_type : {‘random’, ‘loss_based’}, optional
        Strategy used to choose the initial poisoning points. Default ‘random’.
    random_seed : int or None, optional
        If int, the seed used by the random number generator. If None, no fixed seed is set.
Attributes
    attack_classes
    class_type
        Defines class type.
    classifier
        Returns classifier.
    discrete
        Returns True if feature space is discrete, False if continuous.
    distance
        Returns the norm (‘l1’ or ‘l2’) used to bound the perturbation.
    dmax
        Returns dmax.
    f_eval
    f_opt
    f_seq
    grad_eval
    issparse
    lb
        Returns lb.
    logger
        Logger for current object.
    n_dim
    n_points
        Returns the number of poisoning points.
    random_seed
        Returns the random seed used by the random number generator.
    solver_params
    solver_type
    surrogate_classifier
        Returns surrogate classifier.
    surrogate_data
        Returns surrogate data.
    training_data
        Returns the training set used to learn the targeted classifier.
    ub
        Returns ub.
    val
        Returns the attacker’s validation data.
    verbose
        Verbosity level of logger output.
    x_opt
    x_seq
    y_target
Methods
    alpha_xc(self, xc)
    copy(self): Returns a shallow copy of current class.
    create([class_item]): Creates an instance of a class with given type.
    deepcopy(self): Returns a deep copy of current class.
    get_class_from_type(class_type): Return the class associated with input type.
    get_params(self): Returns the dictionary of class parameters.
    get_subclasses(): Get all the subclasses of the calling class.
    is_attack_class(self, y): Returns True/False if the input class can be attacked.
    list_class_types(): Lists all types of available subclasses of the calling one.
    load(path): Loads class from a pickle file. Unpickling executes code embedded in the file, so load only files you saved yourself.
    run(self, x, y[, ds_init, max_iter]): Runs poisoning on multiple points.
    save(self, path): Save class object using pickle.
    set(self, param_name, param_value[, copy]): Set a parameter that has a specific name to a specific value.
    set_params(self, params_dict[, copy]): Set all parameters passed as a dictionary {key: value}.
    timed([msg]): Timer decorator.
    add_discrete_perturbation
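The save(path) and load(path) methods listed for CAttackPoisoning and each of the three subclasses above serialise the attack object with pickle. Unpickling executes whatever the file instructs, so an attack object loaded from a shared drive, an artifact store or a download is an arbitrary-code-execution path, not just a data read. The block below is an added example, not secml's code: a digest-checked loader wrapped directly around pickle, with a plain dict standing in for the attack object, where the SHA-256 recorded at save time is assumed to be distributed separately from the file (for example in a signed manifest). The same check belongs in front of any call to load() on these classes; it verifies that the file is the one you produced and does nothing to make an untrusted pickle safe.

```python
import hashlib
import hmac
import os
import pickle
import tempfile

def sha256_of(path):
    """Hex SHA-256 of a file, streamed so a large pickle need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def save_with_digest(obj, path):
    """Pickle obj to path and return the digest to hand to the loader out of band."""
    with open(path, "wb") as f:
        pickle.dump(obj, f, protocol=pickle.HIGHEST_PROTOCOL)
    return sha256_of(path)

def load_verified(path, expected_sha256):
    """Unpickle only after the file's digest matches the recorded one.
    pickle.load runs code chosen by whoever wrote the file, so the check must
    happen before it, never after."""
    if not hmac.compare_digest(sha256_of(path), expected_sha256):
        raise ValueError("digest mismatch for %s: refusing to unpickle" % path)
    with open(path, "rb") as f:
        return pickle.load(f)

def demo():
    """Round-trip a constructed stand-in for a saved attack object, then tamper
    with the file on disk. Returns (round_trip_ok, tampered_file_rejected)."""
    state = {"distance": "l2", "dmax": 0.3, "n_points": 5}  # stand-in, not a real attack object
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "attack.pkl")
        digest = save_with_digest(state, path)
        restored = load_verified(path, digest)
        with open(path, "ab") as f:  # simulate modification after the digest was recorded
            f.write(b"\x00")
        try:
            load_verified(path, digest)
            rejected = False
        except ValueError:
            rejected = True
    return restored == state, rejected

if __name__ == "__main__":
    print(demo())
```

hmac.compare_digest is used for the comparison so that a mismatch is not reported early in a way that depends on which byte differs; with hex digests this is cheap and removes one avoidable timing side channel.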