### Install DeepDefend using pip

Source: https://github.com/infinitode/deepdefend/blob/master/readme.md

This command installs the DeepDefend library using pip, making its functionalities available for use in Python projects. Ensure you have Python 3.6 or later installed.

```bash
pip install deepdefend
```

--------------------------------

### Perform Adversarial Attacks with DeepDefend (Python)

Source: https://github.com/infinitode/deepdefend/blob/master/readme.md

Demonstrates how to use various adversarial attack functions from the DeepDefend library. It requires a pre-trained TensorFlow model and example data. The functions generate adversarial examples by applying different attack algorithms like FGSM, PGD, BIM, CW, Deepfool, JSMA, and SPSA.

```python
import tensorflow as tf
from deepdefend.attacks import fgsm, pgd, bim, cw, deepfool, jsma, spsa

# Load a pre-trained TensorFlow model
model = ...

# Load example input and label data (replace this with your own data loading code)
x_example = ...  # example input data
y_example = ...  # true label

# Perform FGSM attack on the example data
adversarial_example_fgsm = fgsm(model, x_example, y_example, epsilon=0.01)

# Perform PGD attack on the example data
adversarial_example_pgd = pgd(model, x_example, y_example, epsilon=0.01, alpha=0.01, num_steps=10)

# Perform BIM attack on the example data
adversarial_example_bim = bim(model, x_example, y_example, epsilon=0.01, alpha=0.01, num_steps=10)

# Perform CW attack on the example data
adversarial_example_cw = cw(model, x_example, y_example, epsilon=0.01, c=1, kappa=0, num_steps=10, alpha=0.01)

# Perform Deepfool attack on the example data
adversarial_example_deepfool = deepfool(model, x_example, y_example, num_steps=10)

# Perform JSMA attack on the example data
adversarial_example_jsma = jsma(model, x_example, y_example, theta=0.1, gamma=0.1, num_steps=10)

# Perform SPSA attack on the example data
adversarial_example_spsa = spsa(model, x_example, y_example, epsilon=0.01, num_steps=10)
```

--------------------------------

### Execute FGSM Attack

Source: https://context7.com/infinitode/deepdefend/llms.txt

Demonstrates the Fast Gradient Sign Method (FGSM) to generate adversarial examples by perturbing input data in the direction of the loss function gradient.
```python
import tensorflow as tf
import numpy as np
from deepdefend.attacks import fgsm

model = tf.keras.applications.MobileNetV2(weights='imagenet', input_shape=(224, 224, 3))

x_example = np.random.rand(1, 224, 224, 3).astype(np.float32)
y_example = np.zeros((1, 1000), dtype=np.float32)
y_example[0, 0] = 1.0

adversarial_example = fgsm(model, x_example, y_example, epsilon=0.01)

original_pred = np.argmax(model.predict(x_example))
adversarial_pred = np.argmax(model.predict(adversarial_example))
print(f"Original prediction: {original_pred}")
print(f"Adversarial prediction: {adversarial_pred}")
```

--------------------------------

### Implement Adversarial Logit Pairing (ALP)

Source: https://context7.com/infinitode/deepdefend/llms.txt

ALP improves model robustness by training the model to produce consistent logits for both clean and adversarial examples. This requires a main model and a paired model for comparison.

```python
import tensorflow as tf
import numpy as np
from deepdefend.defenses import adversarial_logit_pairing

model = tf.keras.Sequential([
    tf.keras.layers.Flatten(input_shape=(28, 28, 1)),
    tf.keras.layers.Dense(128, activation='relu'),
    tf.keras.layers.Dense(10, activation='softmax')
])

paired_model = tf.keras.Sequential([
    tf.keras.layers.Flatten(input_shape=(28, 28, 1)),
    tf.keras.layers.Dense(128, activation='relu'),
    tf.keras.layers.Dense(10, activation='softmax')
])

defended_model = adversarial_logit_pairing(model, paired_model)
print("Adversarial Logit Pairing applied. Model encourages similar logits for clean/adversarial pairs.")
```

--------------------------------

### Adversarial Training Defense (Python)

Source: https://context7.com/infinitode/deepdefend/llms.txt

Implements adversarial training by augmenting training data with adversarial examples (e.g., FGSM). This defense enhances model robustness by training it to correctly classify both clean and perturbed inputs. It requires a model, training data, and a perturbation magnitude.
```python
import tensorflow as tf
import numpy as np
from deepdefend.defenses import adversarial_training

# Create a simple CNN model
model = tf.keras.Sequential([
    tf.keras.layers.Conv2D(32, (3, 3), activation='relu', input_shape=(28, 28, 1)),
    tf.keras.layers.MaxPooling2D((2, 2)),
    tf.keras.layers.Flatten(),
    tf.keras.layers.Dense(10, activation='softmax')
])
model.compile(optimizer='adam', loss='categorical_crossentropy', metrics=['accuracy'])

# Generate training data
x_train = np.random.rand(100, 28, 28, 1).astype(np.float32)
y_train = tf.keras.utils.to_categorical(np.random.randint(0, 10, 100), 10)

# Apply adversarial training defense
# This generates FGSM adversarial examples and trains on both clean and adversarial data
defended_model = adversarial_training(
    model,
    x_train,
    y_train,
    epsilon=0.01  # FGSM perturbation magnitude
)

# The defended model is now more robust to FGSM attacks
print("Adversarial training complete. Model trained on augmented dataset.")
```

--------------------------------

### C&W Attack with L2 Optimization (Python)

Source: https://context7.com/infinitode/deepdefend/llms.txt

Performs the Carlini & Wagner (C&W) attack with L2 optimization to find minimal adversarial perturbations. It requires a model, input example, and target label, with parameters controlling the optimization process.

```python
import numpy as np
from deepdefend.attacks import cw

# model, x_example and y_example are prepared as in the attack snippets above
adversarial_example = cw(
    model,
    x_example,
    y_example,
    epsilon=0.01,  # Max perturbation bound
    c=1,           # Weight of L2 norm penalty
    kappa=0,       # Confidence parameter
    num_steps=10,  # Optimization iterations
    alpha=0.01     # Step size
)

print(f"L2 perturbation: {np.linalg.norm(adversarial_example - x_example)}")
```

--------------------------------

### DeepFool Attack (Python)

Source: https://context7.com/infinitode/deepdefend/llms.txt

Implements the DeepFool attack to find the minimal perturbation needed to cross the decision boundary. It takes a model, input, and target, and returns the adversarial example.
This method produces smaller perturbations than gradient sign methods.

```python
import tensorflow as tf
import numpy as np
from deepdefend.attacks import deepfool

# Load model
model = tf.keras.applications.MobileNetV2(weights='imagenet', input_shape=(224, 224, 3))

# Prepare input
x_example = np.random.rand(1, 224, 224, 3).astype(np.float32)
y_example = np.zeros((1, 1000), dtype=np.float32)
y_example[0, 0] = 1.0

# DeepFool attack - finds minimal perturbation
adversarial_example = deepfool(
    model,
    x_example,
    y_example,
    num_steps=10
)

perturbation = adversarial_example - x_example
print(f"DeepFool perturbation L2 norm: {np.linalg.norm(perturbation)}")
```

--------------------------------

### Execute BIM Attack

Source: https://context7.com/infinitode/deepdefend/llms.txt

Demonstrates the Basic Iterative Method (BIM), which applies FGSM multiple times with smaller steps to achieve stronger adversarial perturbations.

```python
import tensorflow as tf
import numpy as np
from deepdefend.attacks import bim

model = tf.keras.applications.MobileNetV2(weights='imagenet', input_shape=(224, 224, 3))

x_example = np.random.rand(1, 224, 224, 3).astype(np.float32)
y_example = np.zeros((1, 1000), dtype=np.float32)
y_example[0, 0] = 1.0

adversarial_example = bim(model, x_example, y_example, epsilon=0.01, alpha=0.01, num_steps=10)
print(f"Min value: {adversarial_example.min()}, Max value: {adversarial_example.max()}")
```

--------------------------------

### Implement Adversarial Defenses with DeepDefend (Python)

Source: https://github.com/infinitode/deepdefend/blob/master/readme.md

Illustrates how to apply various defense mechanisms to protect deep learning models against adversarial attacks using the DeepDefend library. This requires a TensorFlow model, training data, and potentially a teacher model for distillation. Supported defenses include adversarial training, feature squeezing, gradient masking, input transformation, defensive distillation, and JPEG compression.
```python
import tensorflow as tf
from deepdefend.defenses import adversarial_training, feature_squeezing, gradient_masking, input_transformation, defensive_distillation, jpeg_compression

# Load a pre-trained TensorFlow model
model = ...

# Teacher model for distillation
teacher_model = ...

# Load training data
x_train, y_train = ...  # training data and labels

# Adversarial training to defend against attacks
defended_model = adversarial_training(model, x_train, y_train, epsilon=0.01)

# Feature squeezing defense
defended_model_squeezed = feature_squeezing(model, bit_depth=4)

# Gradient masking defense
defended_model_masking = gradient_masking(model, mask_threshold=0.1)

# Input transformation defense
defended_model_transformation = input_transformation(model, transformation_function=None)

# Defensive distillation defense
defended_model_distillation = defensive_distillation(model, teacher_model, temperature=2)

# JPEG compression defense
defended_model_jpeg = jpeg_compression(model, quality=75)
```

--------------------------------

### Defensive Distillation: Train with Soft Labels

Source: https://context7.com/infinitode/deepdefend/llms.txt

Defensive distillation trains a student model using soft labels from a teacher model, producing smoother decision boundaries that are harder to attack. It requires both a student and a teacher model, along with a temperature parameter to control the softness of the probability distribution.
```python
import tensorflow as tf
import numpy as np
from deepdefend.defenses import defensive_distillation

# Create teacher model (pre-trained)
teacher_model = tf.keras.Sequential([
    tf.keras.layers.Flatten(input_shape=(28, 28, 1)),
    tf.keras.layers.Dense(128, activation='relu'),
    tf.keras.layers.Dense(10, activation='softmax')
])
teacher_model.compile(optimizer='adam', loss='categorical_crossentropy')

# Create student model (same architecture)
student_model = tf.keras.Sequential([
    tf.keras.layers.Flatten(input_shape=(28, 28, 1)),
    tf.keras.layers.Dense(128, activation='relu'),
    tf.keras.layers.Dense(10, activation='softmax')
])

# Apply defensive distillation
defended_model = defensive_distillation(
    student_model,
    teacher_model,
    temperature=2  # Higher temperature = softer probability distribution
)

print("Defensive distillation applied. Student model uses teacher's soft labels.")
```

--------------------------------

### Execute PGD Attack

Source: https://context7.com/infinitode/deepdefend/llms.txt

Demonstrates the Projected Gradient Descent (PGD) attack, which uses iterative perturbations projected onto an epsilon-ball for higher attack efficacy.

```python
import tensorflow as tf
import numpy as np
from deepdefend.attacks import pgd

model = tf.keras.applications.MobileNetV2(weights='imagenet', input_shape=(224, 224, 3))

x_example = np.random.rand(1, 224, 224, 3).astype(np.float32)
y_example = np.zeros((1, 1000), dtype=np.float32)
y_example[0, 0] = 1.0

adversarial_example = pgd(model, x_example, y_example, epsilon=0.01, alpha=0.01, num_steps=10)
print(f"Perturbation L-inf norm: {np.max(np.abs(adversarial_example - x_example))}")
```

--------------------------------

### Apply JPEG Compression Defense

Source: https://context7.com/infinitode/deepdefend/llms.txt

JPEG compression acts as a defense by applying lossy compression to input images, which often eliminates adversarial perturbations. The quality parameter controls the compression level.
```python
import tensorflow as tf
import numpy as np
from deepdefend.defenses import jpeg_compression

model = tf.keras.Sequential([
    tf.keras.layers.Conv2D(32, (3, 3), activation='relu', input_shape=(224, 224, 3)),
    tf.keras.layers.GlobalAveragePooling2D(),
    tf.keras.layers.Dense(10, activation='softmax')
])

defended_model = jpeg_compression(model, quality=75)

x_test = np.random.rand(1, 224, 224, 3).astype(np.float32)
prediction = defended_model.predict(x_test)
print(f"Prediction with JPEG compression defense: {np.argmax(prediction)}")
```

--------------------------------

### Execute Carlini & Wagner (C&W) Attack

Source: https://context7.com/infinitode/deepdefend/llms.txt

Demonstrates the optimization-based Carlini & Wagner attack, designed to find minimal perturbations for effective model misclassification.

```python
import tensorflow as tf
import numpy as np
from deepdefend.attacks import cw

model = tf.keras.applications.MobileNetV2(weights='imagenet', input_shape=(224, 224, 3))

x_example = np.random.rand(1, 224, 224, 3).astype(np.float32)
y_example = np.zeros((1, 1000), dtype=np.float32)
y_example[0, 0] = 1.0

# Run the C&W attack with the same parameters used in the other cw snippets
adversarial_example = cw(model, x_example, y_example, epsilon=0.01, c=1, kappa=0, num_steps=10, alpha=0.01)
print(f"L2 perturbation: {np.linalg.norm(adversarial_example - x_example)}")
```

--------------------------------

### Input Transformation: Apply Custom Preprocessing

Source: https://context7.com/infinitode/deepdefend/llms.txt

Input transformation applies a custom preprocessing function to inputs, potentially removing adversarial perturbations before classification. It takes a model and a transformation function as input. The transformation function is applied to each input before it is fed to the model.
```python
import tensorflow as tf
import numpy as np
from deepdefend.defenses import input_transformation

# Create model
model = tf.keras.Sequential([
    tf.keras.layers.Flatten(input_shape=(28, 28, 1)),
    tf.keras.layers.Dense(128, activation='relu'),
    tf.keras.layers.Dense(10, activation='softmax')
])

# Define custom transformation (e.g., Gaussian blur)
def blur_transform(x):
    kernel = tf.constant([[1, 2, 1], [2, 4, 2], [1, 2, 1]], dtype=tf.float32) / 16.0
    kernel = tf.reshape(kernel, [3, 3, 1, 1])
    return tf.nn.conv2d(x, kernel, strides=[1, 1, 1, 1], padding='SAME')

# Apply input transformation defense
defended_model = input_transformation(
    model,
    transformation_function=blur_transform
)

# Test with sample input
x_test = np.random.rand(1, 28, 28, 1).astype(np.float32)
prediction = defended_model.predict(x_test)
print(f"Prediction shape: {prediction.shape}")
```

--------------------------------

### Feature Squeezing Defense (Python)

Source: https://context7.com/infinitode/deepdefend/llms.txt

Applies the feature squeezing defense by reducing the color depth of input features. This technique aims to remove small adversarial perturbations that rely on precise pixel values, thereby increasing model robustness.

```python
import tensorflow as tf
import numpy as np
from deepdefend.defenses import feature_squeezing

# Create model
model = tf.keras.Sequential([
    tf.keras.layers.Conv2D(32, (3, 3), activation='relu', input_shape=(28, 28, 1)),
    tf.keras.layers.Flatten(),
    tf.keras.layers.Dense(10, activation='softmax')
])

# Apply feature squeezing defense (bit_depth=4 as in the other feature_squeezing snippets)
defended_model = feature_squeezing(model, bit_depth=4)

# Test with sample input
x_test = np.random.rand(1, 28, 28, 1).astype(np.float32)
prediction = defended_model.predict(x_test)
print(f"Prediction with feature squeezing: {np.argmax(prediction)}")
```

--------------------------------

### SPSA Attack (Simultaneous Perturbation Stochastic Approximation) (Python)

Source: https://context7.com/infinitode/deepdefend/llms.txt

Utilizes the SPSA attack, a gradient-free method that estimates gradients via random perturbations. This is useful when gradients are unavailable.
It requires specific input formatting (batch_size of 1) and has parameters for perturbation, learning rate, and sample size.

```python
import tensorflow as tf
import numpy as np
from deepdefend.attacks import spsa

# Load model
model = tf.keras.applications.MobileNetV2(weights='imagenet', input_shape=(224, 224, 3))

# Prepare input - SPSA requires batch_size of 1
x_example = np.random.rand(1, 224, 224, 3).astype(np.float32)
y_example = np.array([0])  # Sparse label format for SPSA

# SPSA attack - gradient-free optimization
adversarial_example = spsa(
    model,
    x_example,
    y_example,
    epsilon=0.01,        # Perturbation bound
    num_steps=10,        # Optimization iterations
    learning_rate=0.01,  # ADAM learning rate
    delta=0.01,          # SPSA perturbation size
    spsa_samples=128     # Number of random samples for gradient estimation
)

print(f"SPSA adversarial example shape: {adversarial_example.shape}")
```

--------------------------------

### Thermometer Encoding: Discretize Input Features

Source: https://context7.com/infinitode/deepdefend/llms.txt

Thermometer encoding discretizes input features into bins, making the model less sensitive to small continuous perturbations. It takes a model and the number of bins for discretization as input. This process transforms continuous feature values into a binary representation.

```python
import tensorflow as tf
import numpy as np
from deepdefend.defenses import thermometer_encoding

# Create model
model = tf.keras.Sequential([
    tf.keras.layers.Flatten(input_shape=(28, 28, 1)),
    tf.keras.layers.Dense(128, activation='relu'),
    tf.keras.layers.Dense(10, activation='softmax')
])

# Apply thermometer encoding defense
defended_model = thermometer_encoding(
    model,
    num_bins=10  # Number of discretization bins
)
```

--------------------------------

### JSMA Attack (Jacobian-based Saliency Map Attack) (Python)

Source: https://context7.com/infinitode/deepdefend/llms.txt

Applies the JSMA attack, which selectively perturbs influential pixels based on the Jacobian matrix.
It generates sparse perturbations by modifying only a few input features. Parameters include a saliency threshold and perturbation step size.

```python
import tensorflow as tf
import numpy as np
from deepdefend.attacks import jsma

# Load model
model = tf.keras.applications.MobileNetV2(weights='imagenet', input_shape=(224, 224, 3))

# Prepare input (must be 4D: batch, height, width, channels)
x_example = np.random.rand(1, 224, 224, 3).astype(np.float32)
y_example = np.zeros((1, 1000), dtype=np.float32)
y_example[0, 0] = 1.0

# JSMA attack - perturbs most salient pixels
adversarial_example = jsma(
    model,
    x_example,
    y_example,
    theta=0.1,    # Saliency threshold for pixel selection
    gamma=0.1,    # Perturbation step size
    num_steps=10  # Number of iterations
)

# Count perturbed pixels
num_perturbed = np.sum(np.abs(adversarial_example - x_example) > 1e-6)
print(f"Number of perturbed pixels: {num_perturbed}")
```

--------------------------------

### Randomized Smoothing: Add Gaussian Noise

Source: https://context7.com/infinitode/deepdefend/llms.txt

Randomized smoothing adds Gaussian noise to inputs, providing provable robustness guarantees against adversarial perturbations. It takes a model and a noise level (standard deviation) as input. Each prediction involves adding random noise to the input and aggregating results.
```python
import tensorflow as tf
import numpy as np
from deepdefend.defenses import randomized_smoothing

# Create model
model = tf.keras.Sequential([
    tf.keras.layers.Flatten(input_shape=(28, 28, 1)),
    tf.keras.layers.Dense(128, activation='relu'),
    tf.keras.layers.Dense(10, activation='softmax')
])

# Apply randomized smoothing defense
defended_model = randomized_smoothing(
    model,
    noise_level=0.1  # Standard deviation of Gaussian noise
)

# Each prediction will have random noise added to the input
x_test = np.random.rand(1, 28, 28, 1).astype(np.float32)
predictions = [defended_model.predict(x_test) for _ in range(10)]

# Aggregate predictions for certified robustness
mean_prediction = np.mean(predictions, axis=0)
print(f"Mean prediction across 10 noisy samples: {np.argmax(mean_prediction)}")
```

--------------------------------

### Gradient Masking: Mask Small Gradients

Source: https://context7.com/infinitode/deepdefend/llms.txt

Gradient masking modifies the training loss to mask small gradients, making it harder for attackers to compute useful gradient information. It takes a model and a mask threshold as input, setting gradients below the threshold to zero during backpropagation.

```python
import tensorflow as tf
import numpy as np
from deepdefend.defenses import gradient_masking

# Create model
model = tf.keras.Sequential([
    tf.keras.layers.Dense(64, activation='relu', input_shape=(784,)),
    tf.keras.layers.Dense(10, activation='softmax')
])

# Apply gradient masking defense
# Gradients below threshold are set to zero during backpropagation
defended_model = gradient_masking(
    model,
    mask_threshold=0.1  # Mask gradients with magnitude < 0.1
)

print("Gradient masking applied. Small gradients will be masked during training.")
```

--------------------------------

### Feature Squeezing: Reduce Bit Depth

Source: https://context7.com/infinitode/deepdefend/llms.txt

Feature squeezing reduces the bit depth of model weights to remove sensitivity to small perturbations.
This technique quantizes weights to a lower precision, making the model less susceptible to finely tuned adversarial inputs. It takes a model and a desired bit depth as input.

```python
from deepdefend.defenses import feature_squeezing

# model is a compiled Keras model as built in the other defense snippets
defended_model = feature_squeezing(
    model,
    bit_depth=4  # Reduce to 4-bit precision
)

# Model weights are now quantized
print("Feature squeezing applied. Weights quantized to 4-bit precision.")
```

--------------------------------

### Apply Spatial Smoothing Defense

Source: https://context7.com/infinitode/deepdefend/llms.txt

Spatial smoothing uses average pooling to remove high-frequency adversarial noise. This snippet demonstrates wrapping a Keras model with the spatial_smoothing function using a 3x3 kernel.

```python
import tensorflow as tf
import numpy as np
from deepdefend.defenses import spatial_smoothing

model = tf.keras.Sequential([
    tf.keras.layers.Conv2D(32, (3, 3), activation='relu', input_shape=(28, 28, 1)),
    tf.keras.layers.Flatten(),
    tf.keras.layers.Dense(10, activation='softmax')
])

defended_model = spatial_smoothing(model, kernel_size=3)

x_test = np.random.rand(1, 28, 28, 1).astype(np.float32)
prediction = defended_model.predict(x_test)
print(f"Prediction with spatial smoothing: {np.argmax(prediction)}")
```
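The two input-discretization defenses above (feature squeezing by bit-depth reduction, and thermometer encoding) both work by collapsing nearby pixel values onto the same code, so a defender wants to know how often an epsilon-bounded perturbation still changes that code. The pure-Python sketch below is added here and is not DeepDefend code; the sample pixels, the sign pattern standing in for an FGSM step, and the encoding conventions (rounding to 2**bit_depth levels, bins indexed by floor(v * num_bins)) are assumptions.

```python
from typing import Callable, List


def squeeze_bit_depth(pixels: List[float], bit_depth: int) -> List[float]:
    # Assumed convention: map each value in [0, 1] onto 2**bit_depth evenly spaced
    # levels (bit_depth=4 gives 16 levels) and return the re-scaled value.
    levels = (1 << bit_depth) - 1
    return [round(min(max(p, 0.0), 1.0) * levels) / levels for p in pixels]


def thermometer_encode(pixels: List[float], num_bins: int) -> List[List[int]]:
    # Assumed convention: value v falls in bin floor(v * num_bins); its code has
    # flag i set for every bin i at or below that bin (the "thermometer" fill).
    codes = []
    for p in pixels:
        b = min(int(min(max(p, 0.0), 1.0) * num_bins), num_bins - 1)
        codes.append([1 if i <= b else 0 for i in range(num_bins)])
    return codes


def sign_perturb(pixels: List[float], signs: List[int], epsilon: float) -> List[float]:
    # Constructed stand-in for one FGSM-style step: shift every value by +/- epsilon
    # and clip back into the valid [0, 1] pixel range.
    return [min(max(p + s * epsilon, 0.0), 1.0) for p, s in zip(pixels, signs)]


def surviving_fraction(clean: List[float], adv: List[float],
                       defense: Callable[[List[float]], list]) -> float:
    # Fraction of coordinates whose defended representation still differs between
    # the clean and the perturbed input, i.e. where the perturbation survived.
    d_clean, d_adv = defense(clean), defense(adv)
    changed = sum(1 for a, b in zip(d_clean, d_adv) if a != b)
    return changed / len(clean)


# Constructed 8-pixel input; some values sit close to a level or bin edge and some
# far from one, so both outcomes appear. epsilon=0.01 matches the fgsm/bim snippets.
CLEAN = [0.12, 0.298, 0.45, 0.505, 0.36, 0.698, 0.83, 0.995]
SIGNS = [+1, +1, -1, -1, +1, +1, -1, +1]
ADV = sign_perturb(CLEAN, SIGNS, 0.01)


def run_check() -> dict:
    # Compare how much of the perturbation each discretization lets through.
    return {
        "squeeze_4bit": surviving_fraction(CLEAN, ADV, lambda p: squeeze_bit_depth(p, 4)),
        "thermometer_10": surviving_fraction(CLEAN, ADV, lambda p: thermometer_encode(p, 10)),
    }


if __name__ == "__main__":
    for name, frac in run_check().items():
        print(f"{name}: {frac:.3f} of coordinates still differ after discretization")
```

Coordinates that do not differ had the perturbation absorbed entirely; the ones that do are the values the constructed input placed within epsilon of a level or bin edge, which is the residual an attacker can still exploit and the reason these defenses are usually combined with others on this page.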