Basic Use
After starting Counterfit you will be greeted with a simple interface,
                           __            _____ __
  _________   __  ______  / /____  _____/ __(_) /_
 / ___/ __ \/ / / / __ \/ __/ _ \/ ___/ /_/ / __/
/ /__/ /_/ / /_/ / / / / /_/  __/ /  / __/ / /
\___/\____/\__,_/_/ /_/\__/\___/_/  /_/ /_/\__/
Version: 1.1.0
counterfit>
To view the available targets, execute the list targets command. Targets are user-created classes that represent a prediction endpoint. Learn more about Targets.
counterfit> list targets
┏━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━┳━━━━━━━━━━━┳━━━━━━━━━━━━━━━┳━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Name                ┃ Model Type ┃ Data Type ┃ Input Shape   ┃ # Samples ┃ Endpoint                                             ┃
┡━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━╇━━━━━━━━━━━╇━━━━━━━━━━━━━━━╇━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ cart_pole           │ closed-box │ tabular   │ (1080000,)    │ 0         │ cartpole_dqn_10000.pt.gz                             │
│ cart_pole_initstate │ closed-box │ tabular   │ (4,)          │ 0         │ cartpole_dqn_10000.pt.gz                             │
│ creditfraud         │ closed-box │ tabular   │ (30,)         │ 0         │ creditfraud/creditfraud_sklearn_pipeline.pkl         │
│ digits_keras        │ closed-box │ image     │ (28, 28, 1)   │ 0         │ digits_keras/mnist_model.h5                          │
│ digits_mlp          │ closed-box │ image     │ (1, 28, 28)   │ 0         │ digits_mlp/mnist_sklearn_pipeline.pkl                │
│ movie_reviews       │ closed-box │ text      │ (1,)          │ 0         │ movie_reviews/movie_reviews_sentiment_analysis.pt    │
│ satellite           │ closed-box │ image     │ (3, 256, 256) │ 0         │ satellite/satellite-image-params-airplane-stadium.h5 │
└─────────────────────┴────────────┴───────────┴───────────────┴───────────┴──────────────────────────────────────────────────────┘
counterfit>
To view the available attacks execute the list attacks command. Internally, Counterfit will load the framework automatically. Learn more about Frameworks.
counterfit> list attacks
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━┓
┃ Name                               ┃ Category          ┃ Type       ┃ Tags           ┃ Framework  ┃
┡━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━┩
│ black_box_rule_based               │ inference         │ closed-box │                │ art        │
│ boundary                           │ evasion           │ closed-box │ image, tabular │ art        │
│ carlini                            │ evasion           │ open-box   │ image, tabular │ art        │
│ copycat_cnn                        │ inversion         │ closed-box │ image          │ art        │
│ deepfool                           │ evasion           │ open-box   │ image, tabular │ art        │
│ elastic_net                        │ evasion           │ open-box   │ image, tabular │ art        │
│ functionally_equivalent_extraction │ inversion         │ closed-box │ image, tabular │ art        │
│ hop_skip_jump                      │ evasion           │ closed-box │ image, tabular │ art        │
│ knockoff_nets                      │ inversion         │ closed-box │ image, tabular │ art        │
│ label_only_boundary_distance       │ inference         │ open-box   │ image, tabular │ art        │
│ mi_face                            │ inference         │ open-box   │ image, tabular │ art        │
│ newtonfool                         │ evasion           │ open-box   │ image, tabular │ art        │
│ pixel_threshold                    │ evasion           │ unknown    │ image          │ art        │
│ projected_gradient_descent_numpy   │ evasion           │ open-box   │ image, tabular │ art        │
│ saliency_map                       │ evasion           │ open-box   │ image, tabular │ art        │
│ simba                              │ evasion           │ open-box   │ image          │ art        │
│ spatial_transformation             │ evasion           │ open-box   │ image, tabular │ art        │
│ universal_perturbation             │ evasion           │ open-box   │ image          │ art        │
│ virtual_adversarial                │ evasion           │ open-box   │ image          │ art        │
│ wasserstein                        │ evasion           │ open-box   │ image          │ art        │
│ white_box_decision_tree            │ inference         │ unknown    │                │ art        │
│ ApplyLambda                        │ common-corruption │ closed-box │ image          │ augly      │
│ Blur                               │ common-corruption │ closed-box │ image          │ augly      │
│ Brightness                         │ common-corruption │ closed-box │ image          │ augly      │
│ ChangeAspectRatio                  │ common-corruption │ closed-box │ image          │ augly      │
│ ClipImageSize                      │ common-corruption │ closed-box │ image          │ augly      │
│ ColorJitter                        │ common-corruption │ closed-box │ image          │ augly      │
│ Contrast                           │ common-corruption │ closed-box │ image          │ augly      │
│ ConvertColor                       │ common-corruption │ closed-box │ image          │ augly      │
│ Crop                               │ common-corruption │ closed-box │ image          │ augly      │
│ EncodingQuality                    │ common-corruption │ closed-box │ image          │ augly      │
│ Grayscale                          │ common-corruption │ closed-box │ image          │ augly      │
│ HFlip                              │ common-corruption │ closed-box │ image          │ augly      │
│ MemeFormat                         │ common-corruption │ closed-box │ image          │ augly      │
│ Opacity                            │ common-corruption │ closed-box │ image          │ augly      │
│ OverlayEmoji                       │ common-corruption │ closed-box │ image          │ augly      │
│ OverlayOntoScreenshot              │ common-corruption │ closed-box │ image          │ augly      │
│ OverlayStripes                     │ common-corruption │ closed-box │ image          │ augly      │
│ OverlayText                        │ common-corruption │ closed-box │ image          │ augly      │
│ Pad                                │ common-corruption │ closed-box │ image          │ augly      │
│ PadSquare                          │ common-corruption │ closed-box │ image          │ augly      │
│ PerspectiveTransform               │ common-corruption │ closed-box │ image          │ augly      │
│ Pixelization                       │ common-corruption │ closed-box │ image          │ augly      │
│ RandomEmojiOverlay                 │ common-corruption │ closed-box │ image          │ augly      │
│ RandomNoise                        │ common-corruption │ closed-box │ image          │ augly      │
│ Resize                             │ common-corruption │ closed-box │ image          │ augly      │
│ Rotate                             │ common-corruption │ closed-box │ image          │ augly      │
│ Saturation                         │ common-corruption │ closed-box │ image          │ augly      │
│ Scale                              │ common-corruption │ closed-box │ image          │ augly      │
│ Sharpen                            │ common-corruption │ closed-box │ image          │ augly      │
│ ShufflePixels                      │ common-corruption │ closed-box │ image          │ augly      │
│ VFlip                              │ common-corruption │ closed-box │ image          │ augly      │
│ a2t_yoo_2021                       │ evasion           │ closed-box │ text           │ textattack │
│ bae_garg_2019                      │ evasion           │ closed-box │ text           │ textattack │
│ bert_attack_li_2020                │ evasion           │ closed-box │ text           │ textattack │
│ checklist_ribeiro_2020             │ evasion           │ closed-box │ text           │ textattack │
│ clare_li_2020                      │ evasion           │ closed-box │ text           │ textattack │
│ deepwordbug_gao_2018               │ evasion           │ closed-box │ text           │ textattack │
│ faster_genetic_algorithm_jia_2019  │ evasion           │ closed-box │ text           │ textattack │
│ genetic_algorithm_alzantot_2018    │ evasion           │ closed-box │ text           │ textattack │
│ hotflip_ebrahimi_2017              │ evasion           │ closed-box │ text           │ textattack │
│ iga_wang_2019                      │ evasion           │ closed-box │ text           │ textattack │
│ input_reduction_feng_2018          │ evasion           │ closed-box │ text           │ textattack │
│ kuleshov_2017                      │ evasion           │ closed-box │ text           │ textattack │
│ morpheus_tan_2020                  │ evasion           │ closed-box │ text           │ textattack │
│ pruthi_2019                        │ evasion           │ closed-box │ text           │ textattack │
│ pso_zang_2020                      │ evasion           │ closed-box │ text           │ textattack │
│ pwws_ren_2019                      │ evasion           │ closed-box │ text           │ textattack │
│ seq2sick_cheng_2018_blackbox       │ evasion           │ closed-box │ text           │ textattack │
│ textbugger_li_2018                 │ evasion           │ closed-box │ text           │ textattack │
│ textfooler_jin_2019                │ evasion           │ closed-box │ text           │ textattack │
└────────────────────────────────────┴───────────────────┴────────────┴────────────────┴────────────┘
Note: Counterfit is designed for black-box testing. Most frameworks have white-box attacks available, but they are not included. The Counterfit scenario for including white-box attacks would be running them against a stolen model obtained through a model extraction attack.
To interact with a target, execute set_target with the target name as an argument. The terminal prompt will change to reflect the active target. Get information about the active target or attack by executing the show info command.
counterfit> set_target creditfraud
creditfraud>
From an active target there are two ways to run an attack: the scan command or the run command. There are some key differences to be aware of. scan is for automation; it has various arguments that control how many iterations of which attacks to execute against a target, and by default it uses random samples and random parameters. The scan function is useful for baselining and testing a target model. After completing all attacks, a scan summary is printed. For example, when interacting with a target, execute the following command: scan --iterations 10 --attack hop_skip_jump
creditfraud> scan --num_iters 10 --attack hop_skip_jump
[+] success: Scanning Target: creditfraud (76d996d1)
HopSkipJump: 100%|████████████████████████████████████████| 1/1 [00:00<00:00, 1.73it/s]
[+] success: Attack completed a54d393a
===============
<SCAN SUMMARY>
===============
┏━━━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━━━━━━━━━┓
┃          ┃          ┃          ┃ Best     ┃                 ┃
┃ Attack   ┃ Total    ┃ Success… ┃ Score    ┃                 ┃
┃ Name     ┃ Runs     ┃ (%)      ┃ (attack… ┃ Best Parameters ┃
┡━━━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━━━━━━━━━┩
│ art.att… │ 1        │ 1        │ N/A      │ null            │
│          │          │ (100.0%) │          │                 │
└──────────┴──────────┴──────────┴──────────┴─────────────────┘
[+] Time (min/avg/max) 0.6/ 0.6/ 0.6
[+] Queries (min/avg/max) 24552/24552/24552
creditfraud>
run, on the other hand, requires that you first add an attack via use. After successfully executing the use command, the terminal prompt will change to reflect the active attack. With run you get control over each parameter and can set them individually.
To view the parameters that can be changed, execute the show options command. To change one or more parameters, execute the set_params command with the parameter you want to change as the argument, followed by the value. For example, set max_eval=200. The terminal will print the updated parameters alongside the default parameters. During manual testing it can be helpful to know where a particular value started.
creditfraud> set_attack hop_skip_jump
[+] success: Using 11d5bc52
creditfraud>HopSkipJump:11d5bc52> show options
┏━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━┳━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Attack Options (type) ┃ Default    ┃ Current    ┃ Docs                                                                     ┃
┡━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━╇━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ Algo Parameters       │            │            │                                                                          │
│ --------------------  │ --         │ --         │ --                                                                       │
│ batch_size (int)      │ 64         │ 64         │ The size of the batch used by the estimator during inference.            │
│ clip_values (list)    │ [0.0, 1.0] │ [0.0, 1.0] │ Refer to attack file.                                                    │
│ curr_iter (int)       │ 0          │ 0          │ Refer to attack file.                                                    │
│ init_eval (int)       │ 100        │ 100        │ Initial number of evaluations for estimating gradient.                   │
│ init_size (int)       │ 100        │ 100        │ Maximum number of trials for initial generation of adversarial examples. │
│ max_eval (int)        │ 1000       │ 1000       │ Maximum number of evaluations for estimating gradient.                   │
│ max_iter (int)        │ 50         │ 50         │ Maximum number of iterations.                                            │
│ norm (int)            │ 2          │ 2          │ Order of the norm. Possible values: "inf", np.inf or 2.                  │
│ targeted (bool)       │ False      │ False      │ Should the attack target one specific class.                             │
│ verbose (bool)        │ True       │ True       │ Show progress bars.                                                      │
│ target_labels (int)   │ 0          │ 0          │ target labels for a targeted attack                                      │
│                       │            │            │                                                                          │
│ CFAttack Options      │            │            │                                                                          │
│ --------------------  │ --         │ --         │ --                                                                       │
│ sample_index (int)    │ 0          │ 0          │ Sample index to attack                                                   │
│ optimize (bool)       │ False      │ False      │ Use Optuna to optimize attack parameters                                 │
│ logger (str)          │ basic      │ basic      │ Logger to log queries with                                               │
└───────────────────────┴────────────┴────────────┴──────────────────────────────────────────────────────────────────────────┘
creditfraud>HopSkipJump:11d5bc52> set_params --max_eval=200
┏━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━┳━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Parameter (type)     ┃ Default    ┃ Current    ┃ New                                                                      ┃
┡━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━╇━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ Algo Parameters      │            │            │                                                                          │
│ -------------------- │ --         │ --         │ --                                                                       │
│ batch_size (int)     │ 64         │ 64         │ The size of the batch used by the estimator during inference.            │
│ clip_values (list)   │ [0.0, 1.0] │ (0.0, 1.0) │ Refer to attack file.                                                    │
│ curr_iter (int)      │ 0          │ 0          │ Refer to attack file.                                                    │
│ init_eval (int)      │ 100        │ 100        │ Initial number of evaluations for estimating gradient.                   │
│ init_size (int)      │ 100        │ 100        │ Maximum number of trials for initial generation of adversarial examples. │
│ max_eval (int)       │ 1000       │ 200        │ Maximum number of evaluations for estimating gradient.                   │
│ max_iter (int)       │ 50         │ 50         │ Maximum number of iterations.                                            │
│ norm (int)           │ 2          │ 2          │ Order of the norm. Possible values: "inf", np.inf or 2.                  │
│ targeted (bool)      │ False      │ False      │ Should the attack target one specific class.                             │
│ verbose (bool)       │ True       │ True       │ Show progress bars.                                                      │
│ target_labels (int)  │ 0          │ 0          │ target labels for a targeted attack                                      │
│                      │            │            │                                                                          │
│ CFAttack Options     │            │            │                                                                          │
│ -------------------- │ --         │ --         │ --                                                                       │
│ sample_index (int)   │ 0          │ 0          │ Sample index to attack                                                   │
│ optimize (bool)      │ False      │ False      │ Use Optuna to optimize attack parameters                                 │
│ logger (str)         │ basic      │ basic      │ Logger to log queries with                                               │
└──────────────────────┴────────────┴────────────┴──────────────────────────────────────────────────────────────────────────┘
creditfraud>HopSkipJump:11d5bc52>
After setting parameters, execute the run command to start the attack. An attack summary is printed on completion.
creditfraud>HopSkipJump:11d5bc52> run
HopSkipJump: 100%|████████████████████████████████████████| 1/1 [00:00<00:00, 2.47it/s]
[+] success: Attack completed 11d5bc52
For both scan and run, query logging is turned off by default. To enable logging execute run --log. Every query sent to the target will be logged and can be saved to disk. Logs are stored with the target in the attacks property, and they are saved to disk with the save command.
creditfraud>HopSkipJump:11d5bc52> save --results
[+] success: Successfully wrote counterfit/targets/results/11d5bc52/run_summary.json
There are a number of reasons why logging every query is useful (a functional extraction attack, for example), but logging increases the file size considerably. Learn more about the available commands.
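The scan above needed 24552 queries to flip a single creditfraud prediction, and run --log records each of those queries. As an added example, not part of Counterfit or this page, the standalone Python below shows how the defender on the other side of the endpoint could spot that kind of closed-box probing in their own query log: the JSON-lines log format, the field names and the client ids are constructed for this example.

```python
import json
import math
from collections import defaultdict

# Constructed sample query log (JSON lines), not Counterfit output: one record per
# query to a tabular model, as an API gateway in front of the model might write it.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    # A normal client: a handful of distinct inputs.
    {"client": "app-7", "x": [0.10, 0.90, 0.30], "label": 0},
    {"client": "app-7", "x": [0.80, 0.20, 0.55], "label": 1},
    {"client": "app-7", "x": [0.35, 0.60, 0.75], "label": 0},
] + [
    # A probing client: many near-duplicate inputs whose labels keep flipping,
    # the signature of a decision-based search that walks along the class boundary.
    {"client": "lab-vm", "x": [0.50 + 0.001 * (i % 5), 0.50, 0.50], "label": i % 2}
    for i in range(40)
])


def parse_log(text):
    """Group (input, label) query records by client id."""
    per_client = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            per_client[rec["client"]].append((rec["x"], rec["label"]))
    return per_client


def client_stats(queries):
    """Query count, mean L2 step between consecutive inputs, and label flip rate."""
    n = len(queries)
    dists, flips = [], 0
    for (xa, la), (xb, lb) in zip(queries, queries[1:]):
        dists.append(math.dist(xa, xb))
        flips += la != lb
    mean_dist = sum(dists) / len(dists) if dists else 0.0
    flip_rate = flips / (n - 1) if n > 1 else 0.0
    return {"queries": n, "mean_dist": mean_dist, "flip_rate": flip_rate}


def flag_probing_clients(text, min_queries=20, max_mean_dist=0.05, min_flip_rate=0.5):
    """Return clients whose traffic looks like a boundary search: high volume,
    tiny steps between inputs, and a label that flips on most of those steps."""
    flagged = {}
    for client, queries in parse_log(text).items():
        stats = client_stats(queries)
        if (stats["queries"] >= min_queries and stats["mean_dist"] <= max_mean_dist
                and stats["flip_rate"] >= min_flip_rate):
            flagged[client] = stats
    return flagged
```

The thresholds are illustrative; in practice they are tuned against the endpoint's normal per-client query volume, and the query counts Counterfit reports for a scan give a realistic idea of the volume a closed-box attack generates.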