Added DeepDefend main files.

Infinitode · Infinitode · commit 13d3bc98ec1a · 2023-07-27T21:30:55.000+02:00
diff --git a/LICENSE b/LICENSE
@@ -0,0 +1,7 @@
+MIT License (Modified)
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to make derivative works based on the Software, provided that any substantial changes to the Software are clearly distinguished from the original work and are distributed under a different name.
+
+The original copyright notice and disclaimer must be retained in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS," WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES, OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT, OR OTHERWISE, ARISING FROM, OUT OF, OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
diff --git a/deepdefend/__init__.py b/deepdefend/__init__.py
@@ -0,0 +1,3 @@
+import deepdefend
+from .attacks import fgsm, pgd, bim
+from .defenses import adversarial_training, feature_squeezing
diff --git a/deepdefend/attacks.py b/deepdefend/attacks.py
@@ -0,0 +1,103 @@
+"""
+Functions to run adversarial attacks on deep learning models.
+
+Available functions:
+- `fgsm(model, x, y, epsilon=0.01)`: Fast Gradient Sign Method (FGSM) attack.
+- `pgd(model, x, y, epsilon=0.01, alpha=0.01, num_steps=10)`: Projected Gradient Descent (PGD) attack.
+- `bim(model, x, y, epsilon=0.01, alpha=0.01, num_steps=10)`: Basic Iterative Method (BIM) attack.
+
+"""
+
+import numpy as np
+import tensorflow as tf
+
+def fgsm(model, x, y, epsilon=0.01):
+    """
+    Fast Gradient Sign Method (FGSM) attack.
+    
+    Parameters:
+        model (tensorflow.keras.Model): The target model to attack.
+        x (numpy.ndarray): The input example to attack.
+        y (numpy.ndarray): The true labels of the input example.
+        epsilon (float): The magnitude of the perturbation (default: 0.01).
+
+    Returns:
+        adversarial_example (numpy.ndarray): The perturbed input example.
+    """
+    # Determine the loss function based on the number of classes
+    if y.shape[-1] == 1 or len(y.shape) == 1:
+        loss_object = tf.keras.losses.BinaryCrossentropy()
+    else:
+        loss_object = tf.keras.losses.CategoricalCrossentropy()
+
+    with tf.GradientTape() as tape:
+        tape.watch(x)
+        prediction = model(x)
+        loss = loss_object(y, prediction)
+        
+    gradient = tape.gradient(loss, x)
+
+    # Generate adversarial example
+    perturbation = epsilon * tf.sign(gradient)
+    adversarial_example = x + perturbation
+    return adversarial_example.numpy()
+
+def pgd(model, x, y, epsilon=0.01, alpha=0.01, num_steps=10):
+    """
+    Projected Gradient Descent (PGD) attack.
+    
+    Parameters:
+        model (tensorflow.keras.Model): The target model to attack.
+        x (numpy.ndarray): The input example to attack.
+        y (numpy.ndarray): The true labels of the input example.
+        epsilon (float): The maximum magnitude of the perturbation (default: 0.01).
+        alpha (float): The step size for each iteration (default: 0.01).
+        num_steps (int): The number of PGD iterations (default: 10).
+
+    Returns:
+        adversarial_example (numpy.ndarray): The perturbed input example.
+    """
+    adversarial_example = tf.identity(x)
+
+    for _ in range(num_steps):
+        with tf.GradientTape() as tape:
+            tape.watch(adversarial_example)
+            prediction = model(adversarial_example)
+            loss = tf.keras.losses.CategoricalCrossentropy()(y, prediction)
+
+        gradient = tape.gradient(loss, adversarial_example)
+        perturbation = alpha * tf.sign(gradient)
+        adversarial_example = tf.clip_by_value(adversarial_example + perturbation, 0, 1)
+        adversarial_example = tf.clip_by_value(adversarial_example, x - epsilon, x + epsilon)
+
+    return adversarial_example.numpy()
+
+def bim(model, x, y, epsilon=0.01, alpha=0.01, num_steps=10):
+    """
+    Basic Iterative Method (BIM) attack.
+    
+    Parameters:
+        model (tensorflow.keras.Model): The target model to attack.
+        x (numpy.ndarray): The input example to attack.
+        y (numpy.ndarray): The true labels of the input example.
+        epsilon (float): The maximum magnitude of the perturbation (default: 0.01).
+        alpha (float): The step size for each iteration (default: 0.01).
+        num_steps (int): The number of BIM iterations (default: 10).
+
+    Returns:
+        adversarial_example (numpy.ndarray): The perturbed input example.
+    """
+    adversarial_example = tf.identity(x)
+
+    for _ in range(num_steps):
+        with tf.GradientTape() as tape:
+            tape.watch(adversarial_example)
+            prediction = model(adversarial_example)
+            loss = tf.keras.losses.CategoricalCrossentropy()(y, prediction)
+
+        gradient = tape.gradient(loss, adversarial_example)
+        perturbation = alpha * tf.sign(gradient)
+        adversarial_example = tf.clip_by_value(adversarial_example + perturbation, 0, 1)
+        adversarial_example = tf.clip_by_value(adversarial_example, x - epsilon, x + epsilon)
+
+    return adversarial_example.numpy()
diff --git a/deepdefend/defenses.py b/deepdefend/defenses.py
@@ -0,0 +1,71 @@
+"""
+Functions to apply adversarial defense mechanisms to deep learning models.
+
+Available functions:
+- `adversarial_training(model, x, y, epsilon=0.01)`: Adversarial Training defense.
+- `feature_squeezing(model, bit_depth=4)`: Feature Squeezing defense.
+
+"""
+
+import numpy as np
+import tensorflow as tf
+from deepdefend import attacks
+
+def adversarial_training(model, x, y, epsilon=0.01):
+    """
+    Adversarial Training defense.
+
+    Adversarial training is a method where the model is trained on both the original
+    and adversarial examples, aiming to make the model more robust to adversarial attacks.
+
+    Parameters:
+        model (tensorflow.keras.Model): The model to defend.
+        x (numpy.ndarray): The input training examples.
+        y (numpy.ndarray): The true labels of the training examples.
+        epsilon (float): The magnitude of the perturbation (default: 0.01).
+
+    Returns:
+        defended_model (tensorflow.keras.Model): The adversarially trained model.
+    """
+    defended_model = tf.keras.models.clone_model(model)
+    defended_model.set_weights(model.get_weights())
+
+    adversarial_examples = []
+    for i in range(len(x)):
+        adversarial_example = attacks.fgsm(model, x[i:i+1], y[i:i+1], epsilon)
+        adversarial_examples.append(adversarial_example)
+        
+    x_adversarial = np.concatenate(adversarial_examples, axis=0)
+    y_adversarial = np.copy(y)
+    x_train = np.concatenate([x, x_adversarial], axis=0)
+    y_train = np.concatenate([y, y_adversarial], axis=0)
+    
+    defended_model.compile(optimizer='adam', loss='categorical_crossentropy', metrics=['accuracy'])
+    defended_model.fit(x_train, y_train, epochs=10, batch_size=32)
+    
+    return defended_model
+
+def feature_squeezing(model, bit_depth=4):
+    """
+    Feature Squeezing defense.
+
+    Feature squeezing reduces the number of bits used to represent the input features,
+    which can remove certain adversarial perturbations.
+
+    Parameters:
+        model (tensorflow.keras.Model): The model to defend.
+        bit_depth (int): The number of bits per feature (default: 4).
+
+    Returns:
+        defended_model (tensorflow.keras.Model): The model with feature squeezing defense.
+    """
+    defended_model = tf.keras.models.clone_model(model)
+    defended_model.set_weights(model.get_weights())
+
+    for layer in defended_model.layers:
+        if isinstance(layer, tf.keras.layers.Conv2D) or isinstance(layer, tf.keras.layers.Dense):
+            layer_weights = layer.get_weights()
+            squeezed_weights = [np.clip(np.round(w * (2**bit_depth) / np.max(np.abs(w))), -2**(bit_depth - 1), 2**(bit_depth - 1) - 1) / (2**(bit_depth) / np.max(np.abs(w))) for w in layer_weights]
+            layer.set_weights(squeezed_weights)
+    
+    return defended_model
diff --git a/readme.md b/readme.md
@@ -0,0 +1,100 @@
+# DeepDefend 0.1.0
+![Python Version](https://img.shields.io/badge/python-3.11-blue.svg)
+![Code Size](https://img.shields.io/github/languages/code-size/infinitode/deepdefend)
+![Downloads](https://pepy.tech/badge/deepdefend)
+![License Compliance](https://img.shields.io/badge/license-compliance-brightgreen.svg)
+![PyPI Version](https://img.shields.io/pypi/v/deepdefend)
+
+An open-source Python library for adversarial attacks and defenses in deep learning models, enhancing the security and robustness of AI systems.
+
+## Notice
+
+DeepDefend has not yet been fully tested. Please report any issues you may encounter when using DeepDefend.
+
+## Installation
+
+You can install DeepDefend using pip:
+
+```bash
+pip install deepdefend
+```
+
+## Supported Python Versions
+
+DeepDefend supports the following Python versions:
+
+- Python 3.6
+- Python 3.7
+- Python 3.8
+- Python 3.9
+- Python 3.10
+- Python 3.11
+
+Please ensure that you have one of these Python versions installed before using DeepDefend. DeepDefend may not work as expected on lower versions of Python than the supported.
+
+## Features
+
+- Adversarial Attacks: Generate adversarial examples to evaluate model vulnerabilities.
+- Adversarial Defenses: Employ various methods to protect models against adversarial attacks.
+
+## Usage
+
+### Adversarial Attacks
+
+```python
+import tensorflow as tf
+from deepdefend.attacks import fgsm, pgd, bim
+
+# Load a pre-trained TensorFlow model
+model = ...
+
+# Load example input and label data (replace this with your own data loading code)
+x_example = ...  # example input data
+y_example = ...  # true label
+
+# Perform FGSM attack on the example data
+adversarial_example_fgsm = fgsm(model, x_example, y_example, epsilon=0.01)
+
+# Perform PGD attack on the example data
+adversarial_example_pgd = pgd(model, x_example, y_example, epsilon=0.01, alpha=0.01, num_steps=10)
+
+# Perfrom BIM attack on the example data
+adversarial_example_bim = bim(model, x_example, y_example, epsilon=0.01, alpha=0.01, num_steps=10)
+```
+
+### Adversarial Defenses
+
+```python
+import tensorflow as tf
+from deepdefend.defenses import adversarial_training, feature_squeezing
+
+# Load a pre-trained TensorFlow model
+model = ...
+
+# Load training data
+x_train, y_train = ...  # training data and labels
+
+# Adversarial training to defend against attacks
+defended_model = adversarial_training(model, x_train, y_train, epsilon=0.01)
+
+# Feature squeezing defense
+defended_model_squeezed = feature_squeezing(model, bit_depth=4)
+```
+
+## Contributing
+
+Contributions are welcome! If you encounter any issues, have suggestions, or want to contribute to DeepDefend, please open an issue or submit a pull request on [GitHub](https://github.com/infinitode/deepdefend).
+
+## License
+
+DeepDefend is released under the terms of the **MIT License (Modified)**. Please see the [LICENSE](https://github.com/infinitode/deepdefend/blob/main/LICENSE) file for the full text.
+
+**Modified License Clause**
+
+
+
+The modified license clause grants users the permission to make derivative works based on the DeepDefend software. However, it requires any substantial changes to the software to be clearly distinguished from the original work and distributed under a different name.
+
+By enforcing this distinction, it aims to prevent direct publishing of the source code without changes while allowing users to create derivative works that incorporate the code but are not exactly the same.
+
+Please read the full license terms in the [LICENSE](https://github.com/infinitode/deepdefend/blob/main/LICENSE) file for complete details.
diff --git a/setup.py b/setup.py
@@ -0,0 +1,30 @@
+from setuptools import setup, find_packages
+
+setup(
+    name='deepdefend',
+    version='0.1.0',
+    author='Infinitode Pty Ltd',
+    author_email='infinitode.ltd@gmail.com',
+    description='An open-source Python library for adversarial attacks and defenses in deep learning models.',
+    long_description='An open-source Python library for adversarial attacks and defenses in deep learning models, enhancing the security and robustness of AI systems.',
+    long_description_content_type='text/markdown',
+    url='https://github.com/infinitode/deepdefend',
+    packages=find_packages(),
+    install_requires=[
+        'numpy',
+        'tensorflow',
+    ],
+    classifiers=[
+        'Development Status :: 3 - Alpha',
+        'Intended Audience :: Developers',
+        'License :: OSI Approved :: MIT License',
+        'Programming Language :: Python :: 3',
+        'Programming Language :: Python :: 3.6',
+        'Programming Language :: Python :: 3.7',
+        'Programming Language :: Python :: 3.8',
+        'Programming Language :: Python :: 3.9',
+        'Programming Language :: Python :: 3.10',
+        'Programming Language :: Python :: 3.11',
+    ],
+    python_requires='>=3.6',
+)

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+import deepdefend`
	`2`	`+from .attacks import fgsm, pgd, bim`
	`3`	`+from .defenses import adversarial_training, feature_squeezing`