Preprocessing as a step to attacks


Oct 25, 2018, 1:25:18 PM
to cleverhans dev

I was wondering if we can have hooks that will allow us to preprocess the adversarial patterns generated before running the inference. I do know that blur filtering helps in defending against FGSM, though it fails against C&W attacks, and I was wondering if we can actually take advantage of a myriad of image processing/de-noising procedures. If we don't have something like that, I'd be happy to contribute to that.

Thank you.

Akash G

Ian Goodfellow

Oct 25, 2018, 6:52:10 PM
The easiest way to do this is to just put it in Model.fprop.

You can write Models that wrap other Models and add preprocessing.

Here's an example that does test-time data augmentation with multiple crops and flips:

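import tensorflow as tf
from six.moves import xrange
from cleverhans.model import Model


class Augmentor(Model):
  """Wraps another Model and averages its logits over shifted crops of the input."""

  def __init__(self, raw):
    self.raw = raw

  def get_params(self):
    # Expose the wrapped model's parameters.
    return self.raw.get_params()

  def fprop(self, x):
    mode = "REFLECT"
    assert mode in 'REFLECT SYMMETRIC CONSTANT'.split()
    pad = [2, 2]

    def _pad(img):
      # Pad height and width of a single image; channels are left alone.
      return tf.pad(img, [[pad[0], pad[0]], [pad[1], pad[1]], [0, 0]], mode)
    xp = tf.map_fn(_pad, x)
    xs = []
    # One crop of the original size at each (i, j) offset into the padded batch.
    for i in xrange(pad[0] * 2):
      for j in xrange(pad[1] * 2):
        xs.append(tf.slice(xp, [0, i, j, 0], tf.shape(x)))
    with tf.device("/CPU:0"):
      pass  # body of this block is missing from the message as posted

    def f(xarg):
      return self.raw.get_logits(xarg)

    # Average the wrapped model's logits over all crops.
    logits = [f(e) for e in xs]
    logits = tf.add_n(logits) / len(logits)
    return {'logits': logits}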

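The wrapper pattern from the reply above, as an added example that is not part of the thread and is not cleverhans code: a framework-free Python sketch in which the preprocessing lives inside fprop, so anything that queries the wrapped model goes through the filter. ToyLinearModel, BlurWrapper, box_blur and the 6x6 sample data are constructed for illustration; only the fprop/get_logits naming follows the post.

```python
# Added example: framework-free sketch of a preprocessing wrapper (all names constructed).

def box_blur(img, k=3):
    """k x k mean filter with edge replication; img is a 2-D list of floats."""
    h, w, r = len(img), len(img[0]), k // 2
    offsets = range(-r, r + 1)
    return [[sum(img[min(max(i + di, 0), h - 1)][min(max(j + dj, 0), w - 1)]
                 for di in offsets for dj in offsets) / (k * k)
             for j in range(w)] for i in range(h)]

class ToyLinearModel:
    """Stand-in for the raw model: one logit per image, logit = <weights, image>."""
    def __init__(self, weights):
        self.weights = weights

    def get_logits(self, x):
        return [sum(wv * xv for wr, xr in zip(self.weights, img)
                    for wv, xv in zip(wr, xr)) for img in x]

class BlurWrapper:
    """Wraps another model and preprocesses the batch inside fprop."""
    def __init__(self, raw, preprocess=box_blur):
        self.raw, self.preprocess = raw, preprocess

    def fprop(self, x):
        return {'logits': self.raw.get_logits([self.preprocess(img) for img in x])}

    def get_logits(self, x):
        return self.fprop(x)['logits']

def logit_shift(model, image, delta):
    """Absolute logit change when delta is added to one image."""
    perturbed = [[a + d for a, d in zip(ar, dr)] for ar, dr in zip(image, delta)]
    clean, moved = model.get_logits([image, perturbed])
    return abs(moved - clean)

def compare(n=6, eps=0.1):
    """Logit shift from an eps * sign(weights) perturbation, as (raw, wrapped)."""
    image = [[0.5] * n for _ in range(n)]  # constructed sample input
    cases = {"checkerboard": [[(-1.0) ** (i + j) for j in range(n)] for i in range(n)],
             "flat": [[1.0] * n for _ in range(n)]}
    out = {}
    for name, weights in cases.items():
        raw = ToyLinearModel(weights)
        delta = [[eps * (1 if v > 0 else -1) for v in row] for row in weights]
        out[name] = (logit_shift(raw, image, delta), logit_shift(BlurWrapper(raw), image, delta))
    return out

if __name__ == "__main__":
    print(compare())
```

compare() returns about (3.6, 0.044) for the checkerboard weights and (3.6, 3.6) for the flat ones: the blur removes the high-frequency sign pattern but passes a smooth one unchanged, so a filter has to be evaluated as part of the model rather than assumed to help.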