- `fgsm(model, x, y, epsilon=0.01)`: Fast Gradient Sign Method (FGSM) attack.
- `pgd(model, x, y, epsilon=0.01, alpha=0.01, num_steps=10)`: Projected Gradient Descent (PGD) attack.
- `bim(model, x, y, epsilon=0.01, alpha=0.01, num_steps=10)`: Basic Iterative Method (BIM) attack.
- `cw(model, x, y, epsilon=0.01, c=1, kappa=0, num_steps=10, alpha=0.01)`: Carlini & Wagner (C&W) attack.
- `deepfool(model, x, y, num_steps=10)`: DeepFool attack.
- `jsma(model, x, y, theta=0.1, gamma=0.1, num_steps=10)`: Jacobian-based Saliency Map Attack (JSMA).
"""
1012
1113import numpy as np
@@ -100,4 +102,122 @@ def bim(model, x, y, epsilon=0.01, alpha=0.01, num_steps=10):
100102 adversarial_example = tf .clip_by_value (adversarial_example + perturbation , 0 , 1 )
101103 adversarial_example = tf .clip_by_value (adversarial_example , x - epsilon , x + epsilon )
102104
105+ return adversarial_example .numpy ()
106+
def cw(model, x, y, epsilon=0.01, c=1, kappa=0, num_steps=10, alpha=0.01):
    """
    Carlini & Wagner (C&W)-style attack.

    Minimizes cross-entropy plus a weighted L2 penalty on the perturbation,
    taking signed-gradient steps clipped to the epsilon-ball around ``x``.

    Parameters:
        model (tensorflow.keras.Model): The target model to attack.
        x (numpy.ndarray): The input example to attack.
        y (numpy.ndarray): The true labels of the input example.
        epsilon (float): The maximum magnitude of the perturbation (default: 0.01).
        c (float): The weight of the L2 norm of the perturbation (default: 1).
        kappa (float): The confidence parameter (default: 0).
        num_steps (int): The number of C&W iterations (default: 10).
        alpha (float): The step size for each iteration (default: 0.01).

    Returns:
        adversarial_example (numpy.ndarray): The perturbed input example.
    """
    # Keep a tensor copy of the clean input so the penalty term below can
    # measure the actual perturbation size.
    original = tf.identity(x)

    def loss_function(adv, labels):
        prediction = model(adv)
        ce = tf.keras.losses.CategoricalCrossentropy()(labels, prediction)
        # Penalize the L2 distance between the adversarial example and the
        # ORIGINAL input.  The previous code used ||adv - clip(adv, 0, 1)||^2
        # on the adversarial example itself, which is identically zero for any
        # in-range input, so `c` had no effect at all.
        l2_penalty = tf.norm(adv - original) ** 2
        # NOTE: `- kappa` is a constant offset with zero gradient; it is kept
        # only so the returned loss value matches the documented formula.
        return ce + c * l2_penalty - kappa

    # Initialize the adversarial example from the clean input.
    adversarial_example = tf.identity(x)

    # Perform the C&W attack.
    for _ in range(num_steps):
        with tf.GradientTape() as tape:
            tape.watch(adversarial_example)
            loss = loss_function(adversarial_example, y)

        gradient = tape.gradient(loss, adversarial_example)
        perturbation = alpha * tf.sign(gradient)
        # Stay inside the valid [0, 1] pixel range and the epsilon-ball
        # around the original input.
        adversarial_example = tf.clip_by_value(adversarial_example + perturbation, 0, 1)
        adversarial_example = tf.clip_by_value(adversarial_example, x - epsilon, x + epsilon)

    return adversarial_example.numpy()
145+
def deepfool(model, x, y, num_steps=10):
    """
    DeepFool-style attack: iteratively pushes the input along the
    L2-normalized gradient of the loss.

    Parameters:
        model (tensorflow.keras.Model): The target model to attack.
        x (numpy.ndarray): The input example to attack.
        y (numpy.ndarray): The true labels of the input example.
        num_steps (int): The number of DeepFool iterations (default: 10).

    Returns:
        adversarial_example (numpy.ndarray): The perturbed input example.
    """
    # Initialize the adversarial example from the clean input.
    adversarial_example = tf.identity(x)

    # Perform the DeepFool attack.
    for _ in range(num_steps):
        with tf.GradientTape() as tape:
            tape.watch(adversarial_example)
            prediction = model(adversarial_example)
            loss = tf.keras.losses.CategoricalCrossentropy()(y, prediction)

        gradient = tape.gradient(loss, adversarial_example)
        # Guard against a vanishing gradient: dividing by a zero norm would
        # turn the whole example into NaNs.
        norm = tf.maximum(tf.norm(gradient), 1e-12)
        adversarial_example = adversarial_example + gradient / norm

    return adversarial_example.numpy()
174+
def jsma(model, x, y, theta=0.1, gamma=0.1, num_steps=10):
    """
    Jacobian-based Saliency Map Attack (JSMA).

    Computes a saliency map from the loss gradient and nudges every pixel
    whose saliency exceeds ``theta`` by ``gamma`` (up while below 1,
    down otherwise).

    Parameters:
        model (tensorflow.keras.Model): The target model to attack.
        x (numpy.ndarray): The input example to attack.
        y (numpy.ndarray): The true labels of the input example.
        theta (float): The threshold for selecting pixels (default: 0.1).
        gamma (float): The step size for each iteration (default: 0.1).
        num_steps (int): The number of JSMA iterations (default: 10).

    Returns:
        adversarial_example (numpy.ndarray): The perturbed input example.
    """
    # Work on a float numpy copy: TensorFlow EagerTensors do not support
    # in-place item assignment, so the previous tensor-based version raised
    # a TypeError on the first pixel update.
    adversarial_example = np.array(x, dtype=np.float32, copy=True)

    # Perform the JSMA attack.
    for _ in range(num_steps):
        adv_tensor = tf.convert_to_tensor(adversarial_example)
        with tf.GradientTape() as tape:
            tape.watch(adv_tensor)
            prediction = model(adv_tensor)
            loss = tf.keras.losses.CategoricalCrossentropy()(y, prediction)

        # The loss is a scalar, so its Jacobian w.r.t. the input is simply
        # the gradient and already has the input's shape.  (The previous code
        # indexed a non-existent extra class axis of `tape.jacobian`.)
        saliency_map = tape.gradient(loss, adv_tensor).numpy()

        # Vectorized replacement of the per-pixel triple loop: perturb every
        # pixel whose saliency exceeds theta — up while below 1, down at 1.
        mask = saliency_map > theta
        step = np.where(adversarial_example < 1, gamma, -gamma)
        adversarial_example = np.where(mask, adversarial_example + step,
                                       adversarial_example)
        # Keep the example in the valid [0, 1] range, consistent with the
        # other attacks in this module.
        adversarial_example = np.clip(adversarial_example, 0.0, 1.0)

    return adversarial_example
0 commit comments