def train_substitute(sess, x, y, bbox_preds, X_sub, Y_sub):
"""
This function creates the substitute by alternatively
augmenting the training data and training the substitute.
:param sess: TF session
:param x: input TF placeholder
:param y: output TF placeholder
:param bbox_preds: output of black-box model predictions
:param X_sub: initial substitute training data
:param Y_sub: initial substitute training labels
:return:
"""
# Define TF model graph (for the black-box model)
model_sub = substitute_model()
preds_sub = model_sub(x)
# Define the Jacobian symbolically using TensorFlow
grads = jacobian_graph(preds_sub, x, FLAGS.nb_classes)
# Train the substitute and augment dataset alternatively
for rho in range(FLAGS.data_aug):
print("Epoch #" + str(rho))
train_params = {
'nb_epochs': FLAGS.nb_epochs_s,
'batch_size': FLAGS.batch_size,
'learning_rate': FLAGS.learning_rate
}
model_train(sess, x, y, preds_sub, X_sub, to_categorical(Y_sub),
init_all=False, verbose=False, args=train_params)
# If we are not at last substitute training iteration, augment dataset
if rho < FLAGS.data_aug - 1:
# Perform the Jacobian augmentation
X_sub = jacobian_augmentation(sess, x, X_sub, Y_sub, grads,
FLAGS.lmbda)
# Label the newly generated synthetic points using the black-box
Y_sub = np.hstack([Y_sub, Y_sub])
X_sub_prev = X_sub[int(len(X_sub)/2):]
# First feed forward a denoising autoencoder.
if args.ae:
print("Denoising...")
num_data = X_sub_prev.shape[0]
autoencoder.visualize(sess, X_sub_prev.reshape(num_data, -1), "sub{}".format(rho))
filtered_data = autoencoder.run(sess, X_sub_prev.reshape(num_data, -1))
X_sub_prev = filtered_data.reshape(num_data, 28, 28, 1)
if args.alg == "cnn":
eval_params = {'batch_size': FLAGS.batch_size}
bbox_val = batch_eval(sess, [x], [bbox_preds], [X_sub_prev],
args=eval_params)[0]
# Note here that we take the argmax because the adversary
# only has access to the label (not the probabilities) output
# by the black-box model
Y_sub_prev = np.argmax(bbox_val, axis=1)
elif is_not_nn():
x_sub_prev = X_sub_prev.reshape(X_sub_prev.shape[0], -1)
Y_sub_prev = bbox_preds.predict(x_sub_prev)
Y_sub[int(len(X_sub)/2):] = Y_sub_prev
return model_sub, preds_sub
def train_sub(sess, x, y, bbox_preds, X_sub, Y_sub, nb_classes,
nb_epochs_s, batch_size, learning_rate, data_aug, lmbda,
rng):
"""
This function creates the substitute by alternatively
augmenting the training data and training the substitute.
:param sess: TF session
:param x: input TF placeholder
:param y: output TF placeholder
:param bbox_preds: output of black-box model predictions
:param X_sub: initial substitute training data
:param Y_sub: initial substitute training labels
:param nb_classes: number of output classes
:param nb_epochs_s: number of epochs to train substitute model
:param batch_size: size of training batches
:param learning_rate: learning rate for training
:param data_aug: number of times substitute training data is augmented
:param lmbda: lambda from arxiv.org/abs/1602.02697
:param rng: numpy.random.RandomState instance
:return:
"""
# Define TF model graph (for the black-box model)
model_sub = substitute_model()
preds_sub = model_sub(x)
log_raw.info("Defined TensorFlow model graph for the substitute.")
# Define the Jacobian symbolically using TensorFlow
grads = jacobian_graph(preds_sub, x, nb_classes)
# Train the substitute and augment dataset alternatively
for rho in xrange(data_aug):
log_raw.info("Substitute training epoch #" + str(rho))
train_params = {
'nb_epochs': nb_epochs_s,
'batch_size': batch_size,
'learning_rate': learning_rate
}
model_train(sess, x, y, preds_sub, X_sub, to_categorical(Y_sub),
init_all=False, verbose=False, args=train_params,
rng=rng)
# If we are not at last substitute training iteration, augment dataset
if rho < data_aug - 1:
log_raw.info("Augmenting substitute training data.")
# Perform the Jacobian augmentation
X_sub = jacobian_augmentation(sess, x, X_sub, Y_sub, grads, lmbda)
log_raw.info("Labeling substitute training data.")
# Label the newly generated synthetic points using the black-box
Y_sub = np.hstack([Y_sub, Y_sub])
X_sub_prev = X_sub[int(len(X_sub)/2):]
eval_params = {'batch_size': batch_size}
bbox_val = batch_eval(sess, [x], [bbox_preds], [X_sub_prev],
args=eval_params)[0]
# Note here that we take the argmax because the adversary
# only has access to the label (not the probabilities) output
# by the black-box model
Y_sub[int(len(X_sub)/2):] = np.argmax(bbox_val, axis=1)
return model_sub, preds_sub
def train_sub(sess, x, y, bbox_preds, X_sub, Y_sub):
"""
This function creates the substitute by alternatively
augmenting the training data and training the substitute.
:param sess: TF session
:param x: input TF placeholder
:param y: output TF placeholder
:param bbox_preds: output of black-box model predictions
:param X_sub: initial substitute training data
:param Y_sub: initial substitute training labels
:return:
"""
# Define TF model graph (for the black-box model)
model_sub = substitute_model()
preds_sub = model_sub(x)
print("Defined TensorFlow model graph for the substitute.")
# Define the Jacobian symbolically using TensorFlow
grads = jacobian_graph(preds_sub, x, FLAGS.nb_classes)
# Train the substitute and augment dataset alternatively
for rho in xrange(FLAGS.data_aug):
print("Substitute training epoch #" + str(rho))
train_params = {
'nb_epochs': FLAGS.nb_epochs_s,
'batch_size': FLAGS.batch_size,
'learning_rate': FLAGS.learning_rate
}
model_train(sess,
x,
y,
preds_sub,
X_sub,
to_categorical(Y_sub),
init_all=False,
verbose=False,
args=train_params)
# If we are not at last substitute training iteration, augment dataset
if rho < FLAGS.data_aug - 1:
print("Augmenting substitute training data.")
# Perform the Jacobian augmentation
X_sub = jacobian_augmentation(sess, x, X_sub, Y_sub, grads,
FLAGS.lmbda)
print("Labeling substitute training data.")
# Label the newly generated synthetic points using the black-box
Y_sub = np.hstack([Y_sub, Y_sub])
X_sub_prev = X_sub[int(len(X_sub) / 2):]
eval_params = {'batch_size': FLAGS.batch_size}
bbox_val = batch_eval(sess, [x], [bbox_preds], [X_sub_prev],
args=eval_params)[0]
# Note here that we take the argmax because the adversary
# only has access to the label (not the probabilities) output
# by the black-box model
Y_sub[int(len(X_sub) / 2):] = np.argmax(bbox_val, axis=1)
return model_sub, preds_sub
def train_sub(sess, x, y, bb_model, X_sub, Y_sub, nb_classes,
nb_epochs_s, batch_size, learning_rate, data_aug, lmbda,
rng):
"""
This function creates the substitute by alternatively
augmenting the training data and training the substitute.
:param sess: TF session
:param x: input TF placeholder
:param y: output TF placeholder
:param bbox_preds: output of black-box model predictions
:param X_sub: initial substitute training data
:param Y_sub: initial substitute training labels
:param nb_classes: number of output classes
:param nb_epochs_s: number of epochs to train substitute model
:param batch_size: size of training batches
:param learning_rate: learning rate for training
:param data_aug: number of times substitute training data is augmented
:param lmbda: lambda from arxiv.org/abs/1602.02697
:param rng: numpy.random.RandomState instance
:return:
"""
# Define TF model graph (for the black-box model)
model_sub = substitute_model(img_cols=X_sub.shape[1])
preds_sub = model_sub(x)
print("Defined TensorFlow model graph for the substitute.")
# Define the Jacobian symbolically using TensorFlow
grads = jacobian_graph(preds_sub, x, nb_classes)
# Train the substitute and augment dataset alternatively
for rho in xrange(data_aug):
print("Substitute training epoch #" + str(rho))
train_params = {
'nb_epochs': nb_epochs_s,
'batch_size': batch_size,
'learning_rate': learning_rate
}
with TemporaryLogLevel(logging.WARNING, "cleverhans.utils.tf"):
model_train(sess, x, y, preds_sub, X_sub,
to_categorical(Y_sub, nb_classes),
init_all=False, args=train_params, rng=rng)
# If we are not at last substitute training iteration, augment dataset
if rho < data_aug - 1:
print("Augmenting substitute training data.")
# Perform the Jacobian augmentation
lmbda_coef = 2 * int(int(rho / 3) != 0) - 1
X_sub = jacobian_augmentation(sess, x, X_sub, Y_sub, grads,
lmbda_coef * lmbda)
print("Labeling substitute training data.")
# Label the newly generated synthetic points using the black-box
Y_sub = numpy.hstack([Y_sub, Y_sub])
X_sub_prev = X_sub[int(len(X_sub)/2):] #on a double le dataset donc prev = ce qu'il y a de nouveau = la moitie
eval_params = {'batch_size': batch_size}
bbox_val = bb_model.predict(X_sub_prev)
Y_sub[int(len(X_sub)/2):] = numpy.argmax(bbox_val, axis=1)
return model_sub, preds_sub
def train_sub(sess, x, y, bbox, X_sub, Y_sub):
"""
This function creates the substitute by alternatively
augmenting the training data and training the substitute.
:param sess: TF session
:param x: input TF placeholder
:param y: output TF placeholder
:param bbox: black-box model
:param X_sub: initial substitute training data
:param Y_sub: initial substitute training labels
:return:
"""
# Define TF model graph (for the black-box model)
model_sub = substitute_model()
preds_sub = model_sub(x)
print("Defined TensorFlow model graph for the substitute.")
# Define the Jacobian symbolically using TensorFlow
grads = jacobian_graph(preds_sub, x, FLAGS.nb_classes)
# Train the substitute and augment dataset alternatively
for rho in range(FLAGS.data_aug):
print("Substitute training epoch #" + str(rho))
train_params = {
'nb_epochs': FLAGS.nb_epochs_s,
'batch_size': FLAGS.batch_size,
'learning_rate': FLAGS.learning_rate
}
model_train(sess,
x,
y,
preds_sub,
X_sub,
to_categorical(Y_sub),
init_all=False,
verbose=False,
args=train_params)
# If we are not at last substitute training iteration, augment dataset
if rho < FLAGS.data_aug - 1:
print("Augmenting substitute training data.")
# Perform the Jacobian augmentation
X_sub = jacobian_augmentation(sess, x, X_sub, Y_sub, grads,
FLAGS.lmbda)
print("Labeling substitute training data.")
# Label the newly generated synthetic points using the black-box
Y_sub = np.hstack([Y_sub, Y_sub])
X_sub_prev = X_sub[int(len(X_sub) / 2):]
eval_params = {'batch_size': FLAGS.batch_size}
x_sub_prev = X_sub_prev.reshape(X_sub_prev.shape[0], -1)
xg_sub = xgb.DMatrix(x_sub_prev)
Y_sub_prev = bbox.predict(xg_sub)
Y_sub[int(len(X_sub) / 2):] = Y_sub_prev
return model_sub, preds_sub
def train_sub(data_aug, sess,
x_sub, lmbda, target_model, aug_batch_size=AUG_BATCH_SIZE):
placeholder_sub = tf.placeholder(tf.float32, shape=(None, SUB_IMAGE_SIZE, SUB_IMAGE_SIZE, NUM_OF_CHANNELS))
placeholder_bbox = tf.placeholder(tf.float32, shape=(None, BBOX_IMAGE_SIZE, BBOX_IMAGE_SIZE, NUM_OF_CHANNELS))
print("Loading substitute model...")
model = get_model_category_by_id(SUBSTITUTE_MODEL_ID, NB_SUB_CLASSES, metric='accuracy')
# simple vanilla cnn
if SUBSTITUTE_MODEL_ID == '-1':
model = get_simple_model(NB_SUB_CLASSES, SUB_IMAGE_SIZE)
model.compile(optimizer=Adam(lr=0.1, decay=1e-6), loss="categorical_crossentropy", metrics=['accuracy'])
model_sub = KerasModelWrapper(model)
preds_sub = model_sub.get_logits(placeholder_sub)
print("Subsitute model loaded.")
# Define the Jacobian symbolically using TensorFlow
print("Defining jacobian graph...")
grads = jacobian_graph(preds_sub, placeholder_sub, NB_SUB_CLASSES)
print("Jacobian graph defined.")
y_sub = bbox_predict(target_model, x_sub, sess, placeholder_bbox, batch_size=1)
train_gen = TransferGenerator(x_sub, labels=y_sub, num_classes=NB_SUB_CLASSES, batch_size=BATCH_SIZE, image_size=SUB_IMAGE_SIZE)
for rho in xrange(data_aug):
print("Substitute training epoch #" + str(rho))
train_gen.reinitialize(x_sub, y_sub, BATCH_SIZE, SUB_IMAGE_SIZE)
print("Fitting the generator with the labels: ")
print(train_gen.labels)
model_sub.model.fit_generator(generator=train_gen, epochs=NUM_EPOCHS)
# print("Saving substitute model that is trained so far")
# path = Path(__file__).resolve().parent.parent.joinpath("resources/models")
# save_model(str(path) + "sub_model_after_epoch" + str(rho) + ".h5", model_sub.model)
# input_sample = np.empty(shape=(1, IMAGE_SIZE_SUB, IMAGE_SIZE_SUB, NUM_OF_CHANNELS), dtype=np.float32)
if rho < data_aug - 1:
print("Augmenting substitute training data...")
# Perform the Jacobian augmentation
lmbda_coef = 2 * int(int(rho / 3) != 0) - 1
x_sub = jacobian_augmentation(sess, placeholder_sub, x_sub, y_sub, grads,
lmbda_coef * lmbda, aug_batch_size)
print("Substitute training data augmented.")
print("Labeling substitute training data using bbox...")
y_sub = np.hstack([y_sub, y_sub])
x_sub_new = x_sub[int(len(x_sub) / 2):]
y_sub[int(len(x_sub)/2):] = bbox_predict(target_model, x_sub_new, sess, placeholder_bbox)
return model_sub
def train_sub(sess, model, x, y, denoise_model, X_sub, Y_sub):
# model_sub = substitute_model()
model_sub = substitute_model_D_on_paper()
preds_sub = model_sub(x)
print("Train substitute model")
# Define the Jacobian symbolically using TensorFlow
grads = jacobian_graph(preds_sub, x, FLAGS.nb_classes)
# Train the substitute and augment dataset alternatively
for rho in range(FLAGS.data_aug):
print("Substitute training epoch #" + str(rho))
train_params = {
'nb_epochs': FLAGS.nb_epochs_s,
'batch_size': FLAGS.batch_size,
'learning_rate': FLAGS.learning_rate
}
model_train(sess,
x,
y,
preds_sub,
X_sub,
to_categorical(Y_sub, num_classes=FLAGS.nb_classes),
init_all=False,
verbose=False,
args=train_params)
# If we are not at last substitute training iteration, augment dataset
if rho < FLAGS.data_aug - 1:
print("Augmenting substitute training data.")
# Perform the Jacobian augmentation
X_sub = jacobian_augmentation(sess, x, X_sub, Y_sub, grads,
FLAGS.lmbda)
print("Labeling substitute training data.")
# Label the newly generated synthetic points using the black-box
Y_sub = np.hstack([Y_sub, Y_sub])
X_sub_prev = X_sub[int(len(X_sub) / 2):]
if DENOISE:
X_sub_prev = denoise_model.predict(X_sub_prev,
verbose=1,
batch_size=FLAGS.batch_size)
bbox_val = model.predict(X_sub_prev)
Y_sub[int(len(X_sub) / 2):] = np.argmax(bbox_val, axis=1)
return model_sub, preds_sub
def augmentSubstituteData(self,
X,
Y,
dqn,
batchSize,
lmbdas,
verbose=False):
grads = jacobian_graph(self.logits, self.inputs,
self.env.action_space.n)
epNum = len(lmbdas)
Xa = X
Ya = Y
for ep in range(epNum):
mbInds = utils.getMinibatchInds(batchSize, np.arange(X.shape[0]))
lmbda = lmbdas[ep]
for i, mbi in enumerate(mbInds):
mbX = X[mbi]
mbY = Y[mbi]
mbXa = jacobian_augmentation(self.sess, self.inputs, mbX, mbY,
grads, lmbda)
mbXa = mbXa[mbX.shape[0]:]
mbYa = dqn.run(mbXa)
mbYa = np.argmax(mbYa, axis=1)
Xa = np.vstack([Xa, mbXa])
Ya = np.hstack([Ya, mbYa])
del mbXa
del mbYa
if verbose:
print("Finished minibatch " + str(i) + " / " +
str(len(mbInds)) + " in epoch " + str(ep) +
". Num examples = " + str(Xa.shape[0]))
if verbose:
print("Finished epoch " + str(ep))
return Xa, Ya
def train_sub(data_aug,
sess,
x_sub,
y_sub,
lmbda,
target_model,
aug_batch_size=1):
x = tf.placeholder(tf.float32,
shape=(None, IMAGE_SIZE, IMAGE_SIZE, NUM_OF_CHANNELS))
print("Loading substitute model...")
model = get_model("InceptionResNetV2")
# model = get_simple_model(num_classes=NB_CLASSES, image_size=IMAGE_SIZE)
model.compile(optimizer=Adam(),
loss="categorical_crossentropy",
metrics=[age_mae])
model_sub = KerasModelWrapper(model)
preds_sub = model_sub.get_logits(x)
print("Subsitute model loaded.")
# Define the Jacobian symbolically using TensorFlow
print("Defining jacobian graph...")
grads = jacobian_graph(preds_sub, x, NB_CLASSES)
print("Jacobian graph defined.")
train_gen = TransferGenerator(x_sub,
y_sub,
num_classes=101,
batch_size=BATCH_SIZE,
image_size=IMAGE_SIZE)
for rho in xrange(data_aug):
print("Substitute training epoch #" + str(rho))
train_gen.reinitialize(data=x_sub,
labels=y_sub,
batch_size=BATCH_SIZE,
image_size=IMAGE_SIZE)
model_sub.model.fit_generator(generator=train_gen, epochs=1)
input_sample = np.empty(shape=(1, IMAGE_SIZE, IMAGE_SIZE,
NUM_OF_CHANNELS),
dtype=np.float32)
if rho < data_aug - 1:
print("Augmenting substitute training data...")
# Perform the Jacobian augmentation
lmbda_coef = 2 * int(int(rho / 3) != 0) - 1
x_sub_tmp = np.vstack([x_sub, x_sub])
for i in range(0, len(y_sub)):
input_sample[0, :, :, :] = x_sub[i]
adv = jacobian_augmentation(sess=sess,
x=x,
X_sub_prev=input_sample,
Y_sub=[y_sub[i]],
grads=grads,
lmbda=lmbda_coef * lmbda,
aug_batch_size=aug_batch_size)
x_sub_tmp[2 * i] = adv[0, :, :, :]
x_sub_tmp[2 * i + 1] = adv[1, :, :, :]
x_sub = x_sub_tmp
print("Substitute training data augmented.")
print("Labeling substitute training data using bbox...")
y_sub = np.hstack([y_sub, y_sub])
x_sub_prev = x_sub[int(len(x_sub) / 2):]
predictions = bbox_predict(target_model, x_sub_prev, sess, x)
y_sub[int(len(x_sub) / 2):] = predictions
return model_sub
def train_sub(sess, x, y, bbox_preds, x_sub, y_sub, nb_classes,
nb_epochs_s, batch_size, learning_rate, data_aug, lmbda,
aug_batch_size, rng, img_rows=48, img_cols=48,
nchannels=3):
"""
This function creates the substitute by alternatively
augmenting the training data and training the substitute.
:param sess: TF session
:param x: input TF placeholder
:param y: output TF placeholder
:param bbox_preds: output of black-box model predictions
:param x_sub: initial substitute training data
:param y_sub: initial substitute training labels
:param nb_classes: number of output classes
:param nb_epochs_s: number of epochs to train substitute model
:param batch_size: size of training batches
:param learning_rate: learning rate for training
:param data_aug: number of times substitute training data is augmented
:param lmbda: lambda from arxiv.org/abs/1602.02697
:param rng: numpy.random.RandomState instance
:return:
"""
assert(y_sub.shape[1]>1)
try:
saver.restore(sess, "./model.ckpt")
model_sub = tf.get_variable("logits", shape=[1])
preds_sub = tf.get_variable("probs", shape=[1])
return model_sub, preds_sub
except:
print("Model ckpt is not found. Retrain substitute starts.")
# Define TF model graph (for the black-box model)
model_sub = ModelSubstitute('model_s',nb_classes, session=sess, istrain=True)
logits = model_sub.get_logits(x)
loss = tf.reduce_mean(tf.nn.softmax_cross_entropy_with_logits_v2(logits=logits, labels=y))
optimiser = tf.train.AdamOptimizer().minimize(loss)
preds_sub = tf.nn.softmax(logits=logits)
saver = tf.train.Saver()
print("Defined TensorFlow model graph for the substitute.")
# Define the Jacobian symbolically using TensorFlow
grads = jacobian_graph(preds_sub, x, nb_classes)
sess.run(tf.global_variables_initializer())
def evaluate():
acc = model_eval(sess, x, y, preds_sub, x_sub, y_sub, args=eval_params)
print('Test accuracy on test examples: %0.4f' % (acc))
# Train the substitute and augment dataset alternatively
for rho in xrange(data_aug):
print("Substitute training epoch #" + str(rho))
for s in range(batch_size):
batch_xs = x_sub[s*batch_size: (s+1)*batch_size]
batch_ys = y_sub[s*batch_size: (s+1)*batch_size]
feed_dict = {x:batch_xs, y:batch_ys}
op, lval,pre = sess.run([optimiser, loss, preds_sub], feed_dict=feed_dict)
print("rho = {0}. loss : {1}".format(rho, sess.run(loss, feed_dict={x:batch_xs, y:batch_ys})))
# If we are not at last substitute training iteration, augment dataset
if 0: # rho < data_aug - 1:
print("Augmenting substitute training data.")
# Perform the Jacobian augmentation
lmbda_coef = 2 * int(int(rho / 3) != 0) - 1
y_sub_labels = np.argmax(y_sub, axis=1).reshape(-1,1)
x_sub = jacobian_augmentation(sess, x, x_sub, y_sub_labels, grads,
lmbda_coef * lmbda, aug_batch_size)
# Label the newly generated synthetic points using the black-box
new_y_sub_labels = np.vstack((y_sub_labels, y_sub_labels))
x_sub_prev = x_sub[int(len(x_sub)/2):]
eval_params = {'batch_size': batch_size}
tmp = batch_eval(sess,[x],[bbox_preds],[x_sub_prev],batch_size=batch_size)
bbox_val = tmp[0]
# Note here that we take the argmax because the adversary
# only has access to the label (not the probabilities) output
# by the black-box model
tmp1 = np.argmax(bbox_val, axis=1)
tmp2 = y_sub_labels[int(len(x_sub)/2):]
new_y_sub_labels[int(len(x_sub)/2):] = np.argmax(bbox_val, axis=1).reshape(-1,1)
y_sub = to_categorical(new_y_sub_labels, nb_classes)
save_path = saver.save(sess, "./model.ckpt")
print("Model saved in path: %s" % save_path)
print(preds_sub.shape)
print(model_sub.shape)
return model_sub, preds_sub
def train_sub(sess,
x,
y,
bbox_preds,
X_sub,
Y_sub,
nb_classes,
nb_epochs_s,
batch_size,
learning_rate,
data_aug,
lmbda,
rng,
substitute_model=None):
"""This function trains the substitute model as described in
arxiv.org/abs/1602.02697
Args:
sess: TF session
x: input TF placeholder
y: output TF placeholder
bbox_preds: output of black-box model predictions
X_sub: initial substitute training data
Y_sub: initial substitute training labels
nb_classes: number of output classes
nb_epochs_s: number of epochs to train substitute model
batch_size: size of training batches
learning_rate: learning rate for training
data_aug: number of times substitute training data is augmented
lmbda: lambda from arxiv.org/abs/1602.02697
rng: numpy.random.RandomState instance
Returns:
model_sub: The substitute model function.
preds_sub: The substitute prediction tensor.
"""
# Define TF model graph (for the black-box model).
model_sub = substitute_model
preds_sub = model_sub(x)
print("Defined TensorFlow model graph for the substitute.")
# Define the Jacobian symbolically using TensorFlow.
grads = jacobian_graph(preds_sub, x, nb_classes)
# Train the substitute and augment dataset alternatively.
for rho in xrange(data_aug):
print("Substitute training epoch #" + str(rho))
train_params = {
'nb_epochs': nb_epochs_s,
'batch_size': batch_size,
'learning_rate': learning_rate
}
model_train(sess,
x,
y,
preds_sub,
X_sub,
to_categorical(Y_sub),
init_all=False,
args=train_params,
rng=rng,
feed={K.learning_phase(): 1})
# If we are not at last substitute training iteration, augment dataset.
if rho < data_aug - 1:
print("Augmenting substitute training data.")
# Perform the Jacobian augmentation.
X_sub = jacobian_augmentation(sess,
x,
X_sub,
Y_sub,
grads,
lmbda,
feed={K.learning_phase(): 0})
print("Labeling substitute training data.")
# Label the newly generated synthetic points using the black-box.
Y_sub = np.hstack([Y_sub, Y_sub])
X_sub_prev = X_sub[int(len(X_sub) / 2):]
eval_params = {'batch_size': batch_size}
# To initialize the local variables of Defense-GAN.
sess.run(tf.local_variables_initializer())
bbox_val = batch_eval(sess, [x], [bbox_preds], [X_sub_prev],
args=eval_params,
feed={K.learning_phase(): 0})[0]
# Note here that we take the argmax because the adversary
# only has access to the label (not the probabilities) output
# by the black-box model.
Y_sub[int(len(X_sub) / 2):] = np.argmax(bbox_val, axis=1)
return model_sub, preds_sub
def train_sub(sess,
logits_scalar,
x,
y,
bbox_preds,
X_sub,
Y_sub,
nb_classes,
nb_epochs_s,
batch_size,
learning_rate,
data_aug,
lmbda,
rng,
binary=False,
phase=None,
model_path=None):
"""
This function creates the substitute by alternatively
augmenting the training data and training the substitute.
:param sess: TF session
:param x: input TF placeholder
:param y: output TF placeholder
:param bbox_preds: output of black-box model predictions
:param X_sub: initial substitute training data
:param Y_sub: initial substitute training labels
:param nb_classes: number of output classes
:param nb_epochs_s: number of epochs to train substitute model
:param batch_size: size of training batches
:param learning_rate: learning rate for training
:param data_aug: number of times substitute training data is augmented
:param lmbda: lambda from arxiv.org/abs/1602.02697
:param rng: numpy.random.RandomState instance
:param phase: placeholder for batch_norm phase (training or testing)
:param phase_val: True if training, False if testing
:return:
"""
# Define TF model graph (for the black-box model)
model_sub = substitute_model()
preds_sub = model_sub(x)
print("Defined TensorFlow model graph for the substitute.")
# Define the Jacobian symbolically using TensorFlow
grads = jacobian_graph(preds_sub, x, nb_classes)
train_params = {
'binary': False,
'nb_epochs': nb_epochs_s,
'batch_size': batch_size,
'learning_rate': learning_rate,
'filename': 'sub_model',
'train_scope': 'sub_model',
'reuse_global_step': False,
'is_training': True
}
# Train the substitute and augment dataset alternatively
for rho in xrange(data_aug):
print("Substitute training epoch #" + str(rho))
if rho > 0:
train_params.update({'reuse_global_step': True})
if model_path is not None:
train_params.update({'log_dir': model_path})
model_train(sess,
x,
y,
preds_sub,
X_sub,
to_categorical(Y_sub),
phase=phase,
save=True,
init_all=False,
args=train_params,
rng=rng)
else:
model_train(sess,
x,
y,
preds_sub,
X_sub,
to_categorical(Y_sub),
phase=phase,
init_all=False,
args=train_params,
rng=rng)
# If we are not at last substitute training iteration, augment dataset
if rho < data_aug - 1:
print("Augmenting substitute training data.")
# Perform the Jacobian augmentation
X_sub = jacobian_augmentation(sess, x, X_sub, Y_sub, grads, lmbda)
print("Labeling substitute training data.")
# Label the newly generated synthetic points using the black-box
Y_sub = np.hstack([Y_sub, Y_sub])
X_sub_prev = X_sub[int(len(X_sub) / 2):]
eval_params = {'batch_size': batch_size}
bbox_val = batch_eval(sess, [x], [bbox_preds], [X_sub_prev],
feed={phase: False},
args=eval_params)[0]
# Note here that we take the argmax because the adversary
# only has access to the label (not the probabilities) output
# by the black-box model
Y_sub[int(len(X_sub) / 2):] = np.argmax(bbox_val, axis=1)
return model_sub, preds_sub
def train_sub(sess, x, y, bbox_preds, X_sub, Y_sub, nb_classes,
nb_epochs_s, batch_size, learning_rate, data_aug, lmbda,
aug_batch_size, rng, img_rows=28, img_cols=28,
nchannels=1):
"""
This function creates the substitute by alternatively
augmenting the training data and training the substitute.
:param sess: TF session
:param x: input TF placeholder
:param y: output TF placeholder
:param bbox_preds: output of black-box model predictions
:param X_sub: initial substitute training data
:param Y_sub: initial substitute training labels
:param nb_classes: number of output classes
:param nb_epochs_s: number of epochs to train substitute model
:param batch_size: size of training batches
:param learning_rate: learning rate for training
:param data_aug: number of times substitute training data is augmented
:param lmbda: lambda from arxiv.org/abs/1602.02697
:param rng: numpy.random.RandomState instance
:return:
"""
# Define TF model graph (for the black-box model)
model_sub = ModelSubstitute('model_s', nb_classes)
preds_sub = model_sub.get_logits(x)
loss_sub = LossCrossEntropy(model_sub, smoothing=0)
print("Defined TensorFlow model graph for the substitute.")
# Define the Jacobian symbolically using TensorFlow
grads = jacobian_graph(preds_sub, x, nb_classes)
# Train the substitute and augment dataset alternatively
for rho in xrange(data_aug):
print("Substitute training epoch #" + str(rho))
train_params = {
'nb_epochs': nb_epochs_s,
'batch_size': batch_size,
'learning_rate': learning_rate
}
with TemporaryLogLevel(logging.WARNING, "cleverhans.utils.tf"):
train(sess, loss_sub, x, y, X_sub,
to_categorical(Y_sub, nb_classes),
init_all=False, args=train_params, rng=rng,
var_list=model_sub.get_params())
# If we are not at last substitute training iteration, augment dataset
if rho < data_aug - 1:
print("Augmenting substitute training data.")
# Perform the Jacobian augmentation
lmbda_coef = 2 * int(int(rho / 3) != 0) - 1
X_sub = jacobian_augmentation(sess, x, X_sub, Y_sub, grads,
lmbda_coef * lmbda, aug_batch_size)
print("Labeling substitute training data.")
# Label the newly generated synthetic points using the black-box
Y_sub = np.hstack([Y_sub, Y_sub])
X_sub_prev = X_sub[int(len(X_sub)/2):]
eval_params = {'batch_size': batch_size}
bbox_val = batch_eval(sess, [x], [bbox_preds], [X_sub_prev],
args=eval_params)[0]
# Note here that we take the argmax because the adversary
# only has access to the label (not the probabilities) output
# by the black-box model
Y_sub[int(len(X_sub)/2):] = np.argmax(bbox_val, axis=1)
return model_sub, preds_sub
def train_sub(sess, x, y, bbox_preds, X_sub, Y_sub, nb_classes=10,
nb_epochs_s=250, batch_size=128, learning_rate=0.001, data_aug=6, lmbda=0.1,
rng=None):
"""
This function creates the substitute by alternatively
augmenting the training data and training the substitute.
:param sess: TF session
:param x: input TF placeholder
:param y: output TF placeholder
:param bbox_preds: output of black-box model predictions
:param X_sub: initial substitute training data
:param Y_sub: initial substitute training labels
:param nb_classes: number of output classes
:param nb_epochs_s: number of epochs to train substitute model
:param batch_size: size of training batches
:param learning_rate: learning rate for training
:param data_aug: number of times substitute training data is augmented
:param lmbda: lambda from arxiv.org/abs/1602.02697
:param rng: numpy.random.RandomState instance
:return:
"""
# Define TF model graph (for the black-box model)
model_wrapper = cifar10vgg(empty_model=True)
model_sub = model_wrapper.model
preds_sub = model_sub(x)
print("Defined TensorFlow model graph for the substitute.")
# Define the Jacobian symbolically using TensorFlow
grads = jacobian_graph(preds_sub, x, nb_classes)
# Train the substitute and augment dataset alternatively
for rho in range(data_aug):
print("Substitute training epoch #" + str(rho))
train_params = {
'nb_epochs': nb_epochs_s,
'batch_size': batch_size,
'learning_rate': learning_rate
}
with TemporaryLogLevel(tf.logging.WARNING, "cleverhans.utils.tf"):
model_train(sess, x, y, preds_sub, X_sub, Y_sub,
init_all=False, args=train_params)
# If we are not at last substitute training iteration, augment dataset
if rho < data_aug - 1:
print("Augmenting substitute training data.")
# Perform the Jacobian augmentation
lmbda_coef = 2 * int(int(rho / 3) != 0) - 1
X_sub = jacobian_augmentation(sess, x, X_sub, Y_sub, grads,
lmbda_coef * lmbda)
print("Labeling substitute training data.")
# Label the newly generated synthetic points using the black-box
Y_sub = np.hstack([Y_sub, Y_sub])
X_sub_prev = X_sub[int(len(X_sub)/2):]
eval_params = {'batch_size': batch_size}
bbox_val = batch_eval(sess, [x], [bbox_preds], [X_sub_prev], args=eval_params)[0]
# Note here that we take the argmax because the adversary
# only has access to the label (not the probabilities) output
# by the black-box model
Y_sub[int(len(X_sub)/2):] = np.argmax(bbox_val, axis=1)
return model_sub, preds_sub
def train_sub(sess, x, y, bbox_preds, X_sub, Y_sub, nb_classes,
nb_epochs_s, batch_size, learning_rate, data_aug, lmbda,
rng, substitute_model=None, dataset_name=None):
"""This function trains the substitute model as described in
arxiv.org/abs/1602.02697
Args:
sess: TF session
x: input TF placeholder
y: output TF placeholder
bbox_preds: output of black-box model predictions
X_sub: initial substitute training data
Y_sub: initial substitute training labels
nb_classes: number of output classes
nb_epochs_s: number of epochs to train substitute model
batch_size: size of training batches
learning_rate: learning rate for training
data_aug: number of times substitute training data is augmented
lmbda: lambda from arxiv.org/abs/1602.02697
rng: numpy.random.RandomState instance
Returns:
model_sub: The substitute model function.
preds_sub: The substitute prediction tensor.
"""
model_sub = substitute_model
used_vars = model_sub.get_params()
if FLAGS.load_sub_model:
try:
path = tf.train.latest_checkpoint('classifiers/sub_model/{}'.format(dataset_name))
saver = tf.train.Saver(var_list=used_vars)
saver.restore(sess, path)
print('[+] Sub model loaded successfully ...')
pred_eval = model_sub.get_logits(x)
return model_sub, pred_eval
except:
pass
pred_train = model_sub.get_logits(x, dropout=True)
pred_eval = model_sub.get_logits(x)
print("Defined TensorFlow model graph for the substitute.")
# Define the Jacobian symbolically using TensorFlow.
grads = jacobian_graph(pred_eval, x, nb_classes)
train_params = {
'nb_epochs': nb_epochs_s,
'batch_size': batch_size,
'learning_rate': learning_rate,
'train_dir': 'classifiers/sub_model/{}'.format(dataset_name),
'filename': 'model_{}'.format(FLAGS.sub_model)
}
# Train the substitute and augment dataset alternatively.
for rho in xrange(data_aug):
print("Substitute training epoch #" + str(rho))
model_train(sess, x, y, pred_train, X_sub, convert_to_onehot(Y_sub),
init_all=False, args=train_params,
rng=rng, save=True)
# If we are not at last substitute training iteration, augment dataset.
if rho < data_aug - 1:
print("Augmenting substitute training data.")
# Perform the Jacobian augmentation.
X_sub = jacobian_augmentation(sess, x, X_sub, Y_sub, grads, lmbda)
print("Labeling substitute training data.")
# Label the newly generated synthetic points using the black-box.
Y_sub = np.hstack([Y_sub, Y_sub])
X_sub_prev = X_sub[int(len(X_sub) / 2):]
eval_params = {'batch_size': batch_size}
# To initialize the local variables of Defense-GAN.
sess.run(tf.local_variables_initializer())
bbox_val = batch_eval(sess, [x], [bbox_preds], [X_sub_prev],
args=eval_params)[0]
# Note here that we take the argmax because the adversary
# only has access to the label (not the probabilities) output
# by the black-box model.
Y_sub[int(len(X_sub) / 2):] = np.argmax(bbox_val, axis=1)
return model_sub, pred_eval
def train_sub(sess, x, y, bbox_preds, X_sub, Y_sub, nb_classes, nb_epochs_s,
batch_size, learning_rate, data_aug, lmbda, rng, model_arch_sub,
merged, opt_type, blocking_option):
"""
This function creates the substitute by alternatively
augmenting the training data and training the substitute.
"""
# Define TF model graph (for the black-box model)
model_sub = substitute_model(model_arch_sub=model_arch_sub,
blocking_option=blocking_option)
preds_sub = model_sub(x)
#return model_sub, preds_sub
print("Defined TensorFlow model graph for the substitute.")
# Define the Jacobian symbolically using TensorFlow
grads = jacobian_graph(preds_sub, x, nb_classes)
# Train the substitute and augment dataset alternatively
for rho in xrange(data_aug):
print("Substitute training epoch #" + str(rho))
train_params = {
'nb_epochs': nb_epochs_s,
'batch_size': batch_size,
'learning_rate': learning_rate
}
model_train(
sess,
x,
y,
preds_sub,
X_sub,
to_categorical(Y_sub),
init_all=False,
args=train_params,
rng=rng,
opt_type=opt_type,
#summary=merged
)
# If we are not at last substitute training iteration, augment dataset
if rho < data_aug - 1:
print("Augmenting substitute training data.")
# Perform the Jacobian augmentation
lmbda_coef = 2 * int(int(rho / 3) != 0) - 1
X_sub = jacobian_augmentation(sess, x, X_sub, Y_sub, grads,
lmbda_coef * lmbda)
print("Labeling substitute training data.")
# Label the newly generated synthetic points using the black-box
Y_sub = np.hstack([Y_sub, Y_sub])
X_sub_prev = X_sub[int(len(X_sub) / 2):]
eval_params = {'batch_size': batch_size}
bbox_val = batch_eval(sess, [x], [bbox_preds], [X_sub_prev],
args=eval_params)[0]
# Note here that we take the argmax because the adversary
# only has access to the label (not the probabilities) output
# by the black-box model
Y_sub[int(len(X_sub) / 2):] = np.argmax(bbox_val, axis=1)
return model_sub, preds_sub
def train_sub(sess,
x,
y,
bbox_preds,
x_sub,
y_sub,
nb_classes,
nb_epochs_s,
batch_size,
learning_rate,
data_aug,
lmbda,
aug_batch_size,
rng,
img_rows=28,
img_cols=28,
nchannels=1):
"""
This function creates the substitute by alternatively
augmenting the training data and training the substitute.
:param sess: TF session
:param x: input TF placeholder
:param y: output TF placeholder
:param bbox_preds: output of black-box model predictions
:param x_sub: initial substitute training data
:param y_sub: initial substitute training labels
:param nb_classes: number of output classes
:param nb_epochs_s: number of epochs to train substitute model
:param batch_size: size of training batches
:param learning_rate: learning rate for training
:param data_aug: number of times substitute training data is augmented
:param lmbda: lambda from arxiv.org/abs/1602.02697
:param rng: numpy.random.RandomState instance
:return:
"""
# Define TF model graph (for the black-box model)
model_sub = ModelSubstitute('model_s', nb_classes)
preds_sub = model_sub.get_logits(x)
loss_sub = CrossEntropy(model_sub, smoothing=0)
print("Defined TensorFlow model graph for the substitute.")
# Define the Jacobian symbolically using TensorFlow
grads = jacobian_graph(preds_sub, x, nb_classes)
# Train the substitute and augment dataset alternatively
for rho in xrange(data_aug):
print("Substitute training epoch #" + str(rho))
train_params = {
'nb_epochs': nb_epochs_s,
'batch_size': batch_size,
'learning_rate': learning_rate
}
with TemporaryLogLevel(logging.WARNING, "cleverhans.utils.tf"):
train(sess,
loss_sub,
x,
y,
x_sub,
to_categorical(y_sub, nb_classes),
init_all=False,
args=train_params,
rng=rng,
var_list=model_sub.get_params())
# If we are not at last substitute training iteration, augment dataset
if rho < data_aug - 1:
print("Augmenting substitute training data.")
# Perform the Jacobian augmentation
lmbda_coef = 2 * int(int(rho / 3) != 0) - 1
x_sub = jacobian_augmentation(sess, x, x_sub, y_sub, grads,
lmbda_coef * lmbda, aug_batch_size)
print("Labeling substitute training data.")
# Label the newly generated synthetic points using the black-box
y_sub = np.hstack([y_sub, y_sub])
x_sub_prev = x_sub[int(len(x_sub) / 2):]
eval_params = {'batch_size': batch_size}
bbox_val = batch_eval(sess, [x], [bbox_preds], [x_sub_prev],
args=eval_params)[0]
# Note here that we take the argmax because the adversary
# only has access to the label (not the probabilities) output
# by the black-box model
y_sub[int(len(x_sub) / 2):] = np.argmax(bbox_val, axis=1)
return model_sub, preds_sub
def train_substitute(modelname='testmodel',
lmbda=0.1,
tau=2,
n_jac_iteration=5,
modeltype='cnn_model',
n_per_class=1,
batch_size=64,
descent_only=False):
print("initializing training")
if not modeltype in MODEL_TYPES:
raise RuntimeError("Unknown model type: " + str(modeltype))
modeltype = MODEL_TYPES[modeltype]
modeldir = init_modeldir()
modelpath = os.path.join(modeldir, modelname + '.h5')
set_log_level(logging.DEBUG)
gpu_options = tf.GPUOptions(per_process_gpu_memory_fraction=0.95)
sess_kwargs = dict(gpu_options=gpu_options)
gtsrb = GTSRB(random_seed=42)
n_classes = int(len(remote_map) / 2)
# (0) init constants
LMBDA = 0.1
TAU = 2
N_JAC_ITERATION = 4
cache = {}
# (1) select initial training set
if descent_only:
# we select only a few images per class but these should be classified
# with high confidence by the remote model
X, _ = get_initial_set(gtsrb,
hot_encoded=False,
n_per_class=n_per_class,
confidence_threshold=0.95)
else:
X, _ = get_initial_set(gtsrb,
hot_encoded=False,
n_per_class=n_per_class,
confidence_threshold=0)
def lr_schedule(epoch):
return 0.01 * (0.1**int(epoch / 25))
for rho in range(N_JAC_ITERATION):
print("=" * 5, "jacobian iteration: ", rho, "training set size: ",
len(X))
# for memory reasons, we must reinitialize the session in each iteration
sess = tf.Session(config=tf.ConfigProto(**sess_kwargs))
K.set_session(sess)
wrap = KerasModelWrapper(modeltype(gtsrb.img_size, n_classes))
op = SGD(lr=1e-2, decay=1e-6, momentum=0.9, nesterov=True)
wrap.model.compile(loss='categorical_crossentropy',
optimizer=op,
metrics=['accuracy'])
# (2) specify architecture (already specified)
x = tf.placeholder(tf.float32, shape=(None, *X.shape[1:]))
initial_weights = wrap.model.get_weights()
if descent_only:
# own approach
lmbda_coef = -1
else:
# lambda as described in the paper
lmbda_coef = (-1)**(rho % TAU)
# (3) label data
Y = np.zeros(shape=(len(X), n_classes))
for i in range(len(X)):
# take known labels from cache
if i in cache:
Y[i] = cache[i]
else:
pred = fetch_single_prediction(X[i],
remote_map,
n_classes,
delay=1)
cache[i] = pred
Y[i] = pred
# (4) fit model on current set
wrap.model.set_weights(initial_weights)
wrap.model.fit(X,
Y,
batch_size=64,
epochs=(rho + 1) * 20,
validation_split=0.2 if len(X) > 64 * 5 else 0,
verbose=2,
callbacks=[
LearningRateScheduler(lr_schedule),
ModelCheckpoint(modelpath, save_best_only=True)
])
# (5) augment data
logits = wrap.get_logits(x)
jacobian = jacobian_graph(logits, x, n_classes)
Y_sub = np.array([np.argmax(row) for row in Y])
X = jacobian_augmentation(sess,
x,
X,
Y_sub,
jacobian,
lmbda=(LMBDA * lmbda_coef))
if os.path.exists(modelpath):
os.remove(modelpath)
wrap.model.save(modelpath)
K.clear_session()
del sess
# free as much memory as we can
gc.collect()
