{
"cells": [
{
"cell_type": "markdown",
"id": "91ad7f83-a8ec-482b-b766-aa9cd2eca117",
"metadata": {
"tags": []
},
"source": [
"# Notebook 5: Adversarial Examples\n",
"\n",
"In this notebook we'll explore __adversarial examples__, an interesting phenomenon in which neural networks can be \"fooled\" with small changes to their inputs. We'll learn how to craft adversarial examples to fool both image-domain and audio-domain models, and explore ways in which models can be made more robust against these types of attacks.\n",
"\n",
"The notebook is broken up as follows:\n",
"\n",
" 1. [Setup](#setup) \n",
" 2. [What Are Adversarial Examples?](#intro) \n",
" 2.1 [A Simple MNIST Classifier](#mnist) \n",
" 2.2 [Crafting an Adversarial Example](#craft) \n",
" 3. [Audio-Domain Attacks](#audio) \n",
" 3.1 [A Simple AudioMNIST Classifier](#audiomnist) \n",
" 3.2 [Crafting an Audio Adversarial Example](#craft-audio) \n",
" 4. [Building Robust Models](#robust) "
]
},
{
"cell_type": "markdown",
"id": "410246cc-3cb0-47a0-8578-d4f808c11611",
"metadata": {
"id": "9857219d-d2b1-4c38-8c7d-66b5bcfdd6a9",
"tags": []
},
"source": [
"## __1.__ Setup\n"
]
},
{
"cell_type": "markdown",
"id": "8fd3440e-b8f0-45cc-8dec-368a72e7cf68",
"metadata": {
"id": "lAHCqJevuxAO"
},
"source": [
"Make sure the needed packages are installed and utility code is in the right place."
]
},
{
"cell_type": "code",
"execution_count": 16,
"id": "f230ca74-ad0f-4adc-aa97-f049223ce54a",
"metadata": {
"colab": {
"base_uri": "https://localhost:8080/"
},
"id": "B06RFVzMuw1S",
"outputId": "9348bd86-e439-48de-e0a3-f9935787cf8e"
},
"outputs": [],
"source": [
"# helper code from the course repository\n",
"!git clone https://github.com/interactiveaudiolab/course-deep-learning.git\n",
"# install common packages used for deep learning\n",
"!cd course-deep-learning/ && pip install -r requirements.txt"
]
},
{
"cell_type": "code",
"execution_count": 1,
"id": "28a6a47c-2280-46a4-95c5-df7496acbb67",
"metadata": {
"colab": {
"base_uri": "https://localhost:8080/"
},
"id": "B06RFVzMuw1S",
"outputId": "9348bd86-e439-48de-e0a3-f9935787cf8e"
},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"[Errno 2] No such file or directory: 'course-deep-learning/'\n",
"/home/pmo183/course-deep-learning\n"
]
}
],
"source": [
"%matplotlib inline\n",
"%cd course-deep-learning/\n",
"\n",
"import gdown\n",
"import time\n",
"import torch\n",
"import torchvision\n",
"import torchvision.datasets as datasets\n",
"import matplotlib.pyplot as plt\n",
"import numpy as np\n",
"import seaborn as sns\n",
"from torchsummary import summary\n",
"from tqdm import tqdm\n",
"\n",
"from utils.adversarial_examples import *"
]
},
{
"cell_type": "code",
"execution_count": null,
"id": "c508d427-eb72-472d-b5c0-475a29b38914",
"metadata": {
"colab": {
"base_uri": "https://localhost:8080/"
},
"id": "B06RFVzMuw1S",
"outputId": "9348bd86-e439-48de-e0a3-f9935787cf8e"
},
"outputs": [],
"source": [
"# download AudioMNIST dataset in tensor format (this will save time)\n",
"# create the target directory; -p keeps this cell from failing when it is re-run\n",
"!mkdir -p ./data/AudioMNIST\n",
"\n",
"url_x = 'https://drive.google.com/uc?id=1FdLxBSTaH6TuMvBA-wAs-4_kjbEfRSuj'\n",
"url_y = 'https://drive.google.com/uc?id=1iMkck7iULEll1HUp_iaYX6rm4LV9mkp6'\n",
"out_x = './data/AudioMNIST/audiomnist_tx.pt'\n",
"out_y = './data/AudioMNIST/audiomnist_ty.pt'\n",
"\n",
"gdown.download(url_x, out_x, quiet=False)\n",
"gdown.download(url_y, out_y, quiet=False)\n",
"\n",
"# AudioMNIST dataset raw download - only do this if gdown fails, as it is SLOW\n",
"#%cd ../data\n",
"#!git clone https://github.com/soerenab/AudioMNIST.git\n",
"#%cd ../code"
]
},
{
"cell_type": "markdown",
"id": "eca343cd-c8ed-4e9f-b22b-58ad287e6a42",
"metadata": {
"colab": {
"base_uri": "https://localhost:8080/"
},
"id": "B06RFVzMuw1S",
"outputId": "9348bd86-e439-48de-e0a3-f9935787cf8e",
"tags": []
},
"source": [
"## __2.__ What Are Adversarial Examples?\n",
"\n",
"__Adversarial examples__ are inputs to a machine-learning model that have been __perturbed__ (modified), often imperceptibly, so that the model makes an incorrect prediction. The image below, from [Goodfellow et al. (2015)](https://arxiv.org/pdf/1412.6572.pdf), illustrates how an __adversarial perturbation__ can be added to a picture of a panda to fool a vision classifier.\n",
"\n",
"
\n",
"