Adversarial-Machine-Learning-Clinic/Filter_Analysis/fgsm.py

import torch
import torch.nn as nn
import torch.nn.functional as F
import torch.optim as optim
from torchvision import datasets, transforms
import numpy as np
from scipy import stats
import matplotlib.pyplot as plt
import cv2
from mnist import Net
from pykuwahara import kuwahara

epsilons = np.arange(0.0,0.35,0.05)
pretrained_model = "mnist_cnn_unfiltered.pt"
use_cuda=False

torch.manual_seed(69)


test_loader = torch.utils.data.DataLoader(
        datasets.MNIST('data/', train=False, download=True, transform=transforms.Compose([
            transforms.ToTensor(),
            transforms.Normalize((0.1307,), (0.3081,)),
            ])),
        batch_size=1, shuffle=True)

print("CUDA Available: ", torch.cuda.is_available())
device = torch.device("cuda" if use_cuda and torch.cuda.is_available() else "cpu")

model = Net().to(device)
print(type(model))

model.load_state_dict(torch.load(pretrained_model, map_location=device))

model.eval()

def fgsm_attack(image, epsilon, data_grad):
    # Collect the element-wise sign of the data gradient
    sign_data_grad = data_grad.sign()
    
    # Create the perturbed image by adjusting each pixel of the input image
    perturbed_image = image + epsilon*sign_data_grad

    # Adding clipping to maintain [0, 1] range
    perturbed_image = torch.clamp(perturbed_image, 0, 1)
    
    return perturbed_image

def denorm(batch, mean=[0.1307], std=[0.3081]):
    """
    Convert a batch of tensors to their original scale.

    Args:
        batch (torch.Tensor): Batch of normalized tensors.
        mean (torch.Tensor or list): Man used for normalization.
        std (torch.Tensor or list): Standard deviation used for normalization.

    Returns:
        torch.Tensor: batch of tensors without normalization applied to them.
    """

    if isinstance(mean, list):
        mean = torch.tensor(mean).to(device)
    if isinstance(std, list):
        std = torch.tensor(std).to(device)

    return batch * std.view(1, -1, 1, 1) + mean.view(1, -1, 1, 1)

def test(model, device, test_loader, epsilon):
    # Original dataset correct classifications
    orig_correct = 0
    # Attacked dataset correct classifications
    unfiltered_correct = 0
    kuwahara_correct = 0
    bilateral_correct = 0
    gaussian_blur_correct = 0
    random_noise_correct = 0
    snap_color_correct = 0
    one_bit_correct = 0
    plurality_correct = 0

    adv_examples = []

    for data, target in test_loader:
        data, target = data.to(device), target.to(device)
        data.requires_grad = True

        output_orig = model(data)
        orig_pred = output_orig.max(1, keepdim=True)[1]

        # Calculate the loss
        loss = F.nll_loss(output_orig, target)

        # Zero all existing gradients
        model.zero_grad()

        # Calculate gradients of model in backward pass
        loss.backward()

        # Collect ''datagrad''
        data_grad = data.grad.data

        # Restore the data to its original scale
        data_denorm = denorm(data)

        # Apply the FGSM attack
        perturbed_data = fgsm_attack(data_denorm, epsilon, data_grad)

        # Reapply normalization
        perturbed_data_normalized = transforms.Normalize((0.1307,), (0.3081,))(perturbed_data)

        # Filter the attacked image
        kuwahara_data = filtered(perturbed_data_normalized, len(perturbed_data_normalized), filter="kuwahara")
        bilateral_data = filtered(perturbed_data_normalized, len(perturbed_data_normalized), filter="bilateral")
        gaussian_blur_data = filtered(perturbed_data_normalized, len(perturbed_data_normalized), filter="gaussian_blur")
        random_noise_data = filtered(perturbed_data_normalized, len(perturbed_data_normalized), filter="noise")
        snap_color_data = filtered(perturbed_data_normalized, len(perturbed_data_normalized), filter="snap_color")
        one_bit_data = filtered(perturbed_data_normalized, len(perturbed_data_normalized), filter="1-bit")

        # evaluate the model on the attacked and filtered images
        output_unfiltered = model(perturbed_data_normalized)
        output_kuwahara = model(kuwahara_data)
        output_bilateral = model(bilateral_data)
        output_gaussian_blur = model(gaussian_blur_data)
        output_random_noise = model(random_noise_data)
        output_snap_color = model(snap_color_data)
        output_one_bit = model(one_bit_data)

        # Get the predicted class from the model for each case
        unfiltered_pred = output_unfiltered.max(1, keepdim=True)[1]
        kuwahara_pred = output_kuwahara.max(1, keepdim=True)[1]
        bilateral_pred = output_bilateral.max(1, keepdim=True)[1]
        gaussian_blur_pred = output_gaussian_blur.max(1, keepdim=True)[1]
        random_noise_pred = output_random_noise.max(1, keepdim=True)[1]
        snap_color_pred = output_snap_color.max(1, keepdim=True)[1]
        one_bit_pred = output_one_bit.max(1, keepdim=True)[1]
        predictions = [unfiltered_pred.item(), kuwahara_pred.item(), bilateral_pred.item(), gaussian_blur_pred.item(), random_noise_pred.item(), snap_color_pred.item(), one_bit_pred.item()]
        plurality_pred = stats.mode(predictions)[0]

        # Count up correct classifications for each case
        if orig_pred.item() == target.item():
            orig_correct += 1

        if unfiltered_pred.item() == target.item():
            unfiltered_correct += 1
        
        if kuwahara_pred.item() == target.item():
            kuwahara_correct += 1

        if bilateral_pred.item() == target.item():
            bilateral_correct += 1
            
        if gaussian_blur_pred.item() == target.item():
            gaussian_blur_correct += 1

        if random_noise_pred.item() == target.item():
            random_noise_correct += 1

        if snap_color_pred.item() == target.item():
            snap_color_correct += 1

        if one_bit_pred.item() == target.item():
            one_bit_correct += 1

        if plurality_pred == target.item():
            plurality_correct += 1

    # Calculate the overall accuracy of each case
    orig_acc = orig_correct/float(len(test_loader))
    unfiltered_acc = unfiltered_correct/float(len(test_loader))
    kuwahara_acc = kuwahara_correct/float(len(test_loader))
    bilateral_acc = bilateral_correct/float(len(test_loader))
    gaussian_blur_acc = gaussian_blur_correct/float(len(test_loader))
    random_noise_acc = random_noise_correct/float(len(test_loader))
    snap_color_acc = snap_color_correct/float(len(test_loader))
    one_bit_acc = one_bit_correct/float(len(test_loader))
    plurality_acc = plurality_correct/float(len(test_loader))

    print(f"====== EPSILON: {epsilon} ======")
    print(f"Clean (No Filter) Accuracy = {orig_correct} / {len(test_loader)} = {orig_acc}")
    print(f"Unfiltered Accuracy = {unfiltered_correct} / {len(test_loader)} = {unfiltered_acc}")
    print(f"Kuwahara Filter Accuracy = {kuwahara_correct} / {len(test_loader)} = {kuwahara_acc}")
    print(f"Bilateral Filter Accuracy = {bilateral_correct} / {len(test_loader)} = {bilateral_acc}")
    print(f"Gaussian Blur Accuracy = {gaussian_blur_correct} / {len(test_loader)} = {gaussian_blur_acc}")
    print(f"Random Noise Accuracy = {random_noise_correct} / {len(test_loader)} = {random_noise_acc}")
    print(f"Snapped Color Accuracy = {snap_color_correct} / {len(test_loader)} = {snap_color_acc}")
    print(f"1 Bit Accuracy = {one_bit_correct} / {len(test_loader)} = {one_bit_acc}")
    print(f"Plurality Vote Accuracy = {plurality_correct} / {len(test_loader)} = {plurality_acc}")

    return unfiltered_acc, kuwahara_acc, bilateral_acc, gaussian_blur_acc, random_noise_acc, snap_color_acc, one_bit_acc, plurality_acc


def filtered(data, batch_size=64, filter="kuwahara"):
    # Turn the tensor into an image
    images = None
    try:
        images = data.numpy().transpose(0,2,3,1)
    except RuntimeError:
        images = data.detach().numpy().transpose(0,2,3,1)
    

    # Apply the Kuwahara filter
    filtered_images = np.ndarray((batch_size,28,28,1))

    if filter == "kuwahara":
        for i in range(batch_size):
            filtered_images[i] = kuwahara(images[i], method='gaussian', radius=5, image_2d=images[i])
    elif filter == "aniso_diff":
        for i in range(batch_size):
            img_3ch = np.zeros((np.array(images[i]), np.array(images[i]).shape[1], 3))
            img_3ch[:,:,0] = images[i]
            img_3ch[:,:,1] = images[i]
            img_3ch[:,:,2] = images[i]
            img_3ch_filtered = cv2.ximgproc.anisotropicDiffusion(img2, alpha=0.2, K=0.5, niters=5)
            filtered_images[i] = cv2.cvtColor(img_3ch_filtered, cv2.COLOR_RGB2GRAY)
            plt.imshow(filtered_images[i])
            plt.show()
    elif filter == "noise":
        for i in range(batch_size):
            mean = 0
            stddev = 180
            noise = np.zeros(images[i].shape, images[i].dtype)
            cv2.randn(noise, mean, stddev)
            filtered_images[i] = cv2.addWeighted(images[i], 1.0, noise, 0.001, 0.0).reshape(filtered_images[i].shape)
    elif filter == "gaussian_blur":
        for i in range(batch_size):
            filtered_images[i] = cv2.GaussianBlur(images[i], ksize=(5,5), sigmaX=0).reshape(filtered_images[i].shape)
    elif filter == "bilateral":
        for i in range(batch_size):
            filtered_images[i] = cv2.bilateralFilter(images[i], 5, 50, 50).reshape(filtered_images[i].shape)
    elif filter == "1-bit":
        num_colors = 2
        for i in range(batch_size):
            # If the channel contains any negative values, define the lowest negative value as black
            min_value = np.min(images[i])
            if (min_value < 0):
                filtered_images[i] = images[i] + min_value

            # If the color space extends beyond [0,1], re-scale all of the colors to that range
            max_value = np.max(filtered_images[i])
            if (max_value > 1):
                filtered_images[i] *= (num_colors/max_value)
                filtered_images[i] = filtered_images[i].astype(int).astype(float)*(max_value/num_colors)
            else:
                filtered_images[i] *= num_colors
                filtered_images[i] = filtered_images[i].astype(int).astype(float)/num_colors
            if (min_value < 0):
                filtered_images[i] -= min_value
    elif filter == "snap_color":
        for i in range(batch_size):
            filtered_images[i] = (images[i]*4).astype(int).astype(float) / 4

    # Modify the data with the filtered image
    filtered_images = filtered_images.transpose(0,3,1,2)
    return torch.tensor(filtered_images).float()

unfiltered_accuracies = []
kuwahara_accuracies = []
bilateral_accuracies = []
gaussian_blur_accuracies = []
random_noise_accuracies = []
snap_color_accuracies = []
one_bit_accuracies = []
pluality_vote_accuracies = []

print(f"Model: {pretrained_model}")

for eps in epsilons:
    unfiltered_acc, kuwahara_acc, bilateral_acc, gaussian_blur_acc, random_noise_acc, snap_color_acc, one_bit_acc, plurality_acc = test(model, device, test_loader, eps)
    unfiltered_accuracies.append(unfiltered_acc)
    kuwahara_accuracies.append(kuwahara_acc)
    bilateral_accuracies.append(bilateral_acc)
    gaussian_blur_accuracies.append(gaussian_blur_acc)
    random_noise_accuracies.append(random_noise_acc)
    snap_color_accuracies.append(snap_color_acc)
    one_bit_accuracies.append(one_bit_acc)
    pluality_vote_accuracies.append(plurality_acc)

# Plot the results
plt.plot(epsilons, unfiltered_accuracies, label="Attacked Accuracy")
plt.plot(epsilons, kuwahara_accuracies, label="Kuwahara Accuracy")
plt.plot(epsilons, bilateral_accuracies, label="Bilateral Accuracy")
plt.plot(epsilons, gaussian_blur_accuracies, label="Gaussian Blur Accuracy")
plt.plot(epsilons, random_noise_accuracies, label="Random Noise Accuracy")
plt.plot(epsilons, snap_color_accuracies, label="Snapped Color Accuracy")
plt.plot(epsilons, one_bit_accuracies, label="1-Bit Accuracy")
plt.plot(epsilons, pluality_vote_accuracies, label="Plurality Vote Accuracy")
plt.legend()

plt.show()