def __init__(self,
model,
config,
method=None,
worstofk=None,
attack_limits=None,
fo_epsilon=2.0,
fo_step_size=2.,
fo_num_steps=5):
self.model = model
self.grid_store = []
self.simple_train = config.simple_train
if config.use_linf:
self.linf_attack = LinfPGDAttack(model, config, fo_epsilon,
fo_step_size, fo_num_steps)
else:
self.linf_attack = None
self.use_spatial = config.use_spatial
if config.use_spatial:
# Attack method
if method == None:
self.method = config.spatial_method
else:
self.method = method
# Attack parameters
if attack_limits == None:
self.limits = config.spatial_limits
else:
self.limits = attack_limits
if config.only_rotation:
self.limits = [0, 0, self.limits[2]]
if config.only_translation:
self.limits = [self.limits[0], self.limits[1], 0]
# Attack method parameters
if self.method == 'grid':
self.granularity = config.grid_granularity
elif self.method == 'random':
if worstofk == None:
self.random_tries = config.random_tries
else:
self.random_tries = worstofk
elif self.method == 'fo':
self.fo_attack = SpatialPGDAttack(model, config, fo_epsilon,
fo_step_size, fo_num_steps)
else:
raise NotImplementedError
def __init__(self, model, config):
self.model = model
self.grid_store = []
if config.use_linf:
self.linf_attack = LinfPGDAttack(model, config)
else:
self.linf_attack = None
self.use_spatial = config.use_spatial
if config.use_spatial:
self.method = config.spatial_method
self.limits = config.spatial_limits
if self.method == 'grid':
self.granularity = config.grid_granularity
elif self.method == 'random':
self.random_tries = config.random_tries
class SpatialAttack:
def __init__(self, model, config):
self.model = model
self.grid_store = []
if config.use_linf:
self.linf_attack = LinfPGDAttack(model, config)
else:
self.linf_attack = None
self.use_spatial = config.use_spatial
self.attack_method = config.attack_method
if config.use_spatial:
self.method = config.spatial_method
self.limits = config.spatial_limits
if self.method == 'grid':
self.granularity = config.grid_granularity
elif self.method == 'random':
self.random_tries = config.random_tries
elif self.method == 'max':
self.random_tries = config.random_tries
def perturb(self, x_nat, y, sess):
if not self.use_spatial:
t = np.zeros([len(x_nat), 3])
if self.linf_attack:
x = self.linf_attack.perturb(x_nat, y, sess, trans=t)
else:
x = x_nat
return x, t
if self.method == 'grid':
return self.perturb_grid(x_nat, y, sess, -1)
else: # random
return self.perturb_grid(x_nat, y, sess, self.random_tries)
def perturb_grid(self, x_nat, y, sess, random_tries=-1):
n = len(x_nat)
if random_tries > 0:
# subsampling this list from the grid is a bad idea, instead we
# will randomize each example from the full continuous range
grid = [(42, 42, 42) for _ in range(random_tries)] # dummy list
else: # exhaustive grid
grid = product(*list(np.linspace(-l, l, num=g)
for l, g in zip(self.limits, self.granularity)))
worst_x = np.copy(x_nat)
worst_t = np.zeros([n, 3])
max_xent = np.zeros(n)
all_correct = np.ones(n).astype(bool)
for tx, ty, r in grid:
if random_tries > 0:
if self.method == 'max':
#In config, specify limits as [0 0 90] for 0 translation,
#but 90 rotation (either 0 or 90 is selected, nothing in between)
t = np.stack((np.random.randint(0, 1+1, n)*l for l in self.limits),
axis=1)
else:
# Allows to set spatial limits in different ways like:
# limits = [3,3,30] - original [low, high) for each element
# limits = [[-3,3],[0,3],[20,30]] - within range
# limits = [3,[3],[20,30]] - mix, if list_len == 1 do original
temp = []
for l in self.limits:
if isinstance(l, list):
if len(l) == 2:
temp.append(np.random.uniform(l[0], l[1], n))
elif len(l) == 1:
temp.append(np.random.uniform(-l[0], l[0], n))
else:
raise ValueError
else:
temp.append(np.random.uniform(-l, l, n))
t = np.stack(temp, axis=1)
else:
t = np.stack(repeat([tx, ty, r], n))
if self.linf_attack:
x = self.linf_attack.perturb(x_nat, y, sess, trans=t)
else:
if self.attack_method == 'invert':
# IPython.embed()
x = v_invert_image(x_nat)
elif self.attack_method == 'edge':
x = canny_image(x_nat)
else:
x = x_nat
curr_dict = {self.model.x_input: x,
self.model.y_input: y,
self.model.is_training: False,
self.model.transform: t}
cur_xent, cur_correct = sess.run([self.model.y_xent,
self.model.correct_prediction],
feed_dict = curr_dict) # shape (bsize,)
cur_xent = np.asarray(cur_xent)
cur_correct = np.asarray(cur_correct)
# Select indices to update: we choose the misclassified transformation
# of maximum xent (or just highest xent if everything else if correct).
idx = (cur_xent > max_xent) & (cur_correct == all_correct)
idx = idx | (cur_correct < all_correct)
max_xent = np.maximum(cur_xent, max_xent)
all_correct = cur_correct & all_correct
idx = np.expand_dims(idx, axis=-1) # shape (bsize, 1)
worst_t = np.where(idx, t, worst_t) # shape (bsize, 3)
idx = np.expand_dims(idx, axis=-1)
idx = np.expand_dims(idx, axis=-1) # shape (bsize, 1, 1, 1)
worst_x = np.where(idx, x, worst_x,) # shape (bsize, 32, 32, 3)
return worst_x, worst_t
var_list=var_main_encoder)
train_step_m_encoder = encoder_opt.apply_gradients(grads1)
new_global_step = tf.add(global_step, 1, name='global_step/add')
increment_global_step_op = tf.assign(global_step,
new_global_step,
name='global_step/assign')
from pgd_attack_GPU import LinfPGDAttackGPUImg
model_VarList = x_Aadv, x_Aadv_attack, y_Ainput, is_training
attack_gpu = LinfPGDAttackGPUImg(model_VarList, model, config['epsilon'],
config['num_steps'], config['step_size'],
config['random_start'], dataset_type, config)
attack_mild = LinfPGDAttack(model_var_attack, config['epsilon'],
config['num_steps'], config['step_size'],
config['random_start'], config['loss_func'],
dataset_type) # TODO: without momentum
attack_strong = LinfPGDAttack(model_var_attack, config['epsilon'],
strong_attack_config[0], strong_attack_config[1],
config['random_start'], 'xent',
dataset_type) # TODO: without momentum
#
FGSM = LinfPGDAttack(model_var_attack, config['epsilon'], 1, config['epsilon'],
config['random_start'], 'xent',
dataset_type) # TODO: without momentum
if Use_B_Bp_A:
targeted_gen = TargetedGen(model_var_B_Bp_A, config['random_start'],
gen_loss_type, dataset_type)
tf.summary.scalar('pred gen accuracy', a_Baccuracy)
parser.add_argument('--gpu_id',
type=str,
nargs='?',
default='0',
help="device id to run")
parser.add_argument('--eps', default=8 / 255, type=float, help='eps')
args = parser.parse_args()
os.environ["CUDA_VISIBLE_DEVICES"] = args.gpu_id
attacker = LinfPGDAttack(model,
eps=args.eps,
nb_iter=100,
eps_iter=0.01,
rand_init=True,
clip_min=0.,
clip_max=1.,
targeted=False,
num_classes=10,
elementwise_best=True)
adv_data_save_path = os.path.join('dataset', 'adv_mnistm')
os.makedirs(adv_data_save_path, exist_ok=True)
########### generating train
train_adv_data, train_adv_labels = train()
np.save(adv_data_save_path + '/train_eps' + str(args.eps),
[train_adv_data, train_adv_labels])
########### generating test
num_summary_steps = config['num_summary_steps']
num_checkpoint_steps = config['num_checkpoint_steps']
fea_dim = config['fea_dim']
batch_size = config['training_batch_size']
# Setting up the data and the model
mnist = input_data.read_data_sets('MNIST_data', one_hot=False)
global_step = tf.contrib.framework.get_or_create_global_step()
model = Model(fea_dim)
# Setting up the optimizer
train_step = tf.train.AdamOptimizer(1e-4).minimize(model.xent,
global_step=global_step)
# Set up adversary
attack = LinfPGDAttack(model, config['epsilon'], config['k'], config['a'],
config['random_start'], config['loss_func'])
fea_matching = FEA_MATCHING(model.x_input, model.fea, model.fea_variables)
# Setting up the Tensorboard and checkpoint outputs
model_dir = config['model_dir']
if not os.path.exists(model_dir):
os.makedirs(model_dir)
# We add accuracy and xent twice so we can easily make three types of
# comparisons in Tensorboard:
# - train vs eval (for a single run)
# - train of different runs
# - eval of different runs
saver = tf.train.Saver(max_to_keep=3)
tf.summary.scalar('accuracy adv train', model.accuracy)
config = json.load(config_file)
eval_batch_size = config['eval_batch_size']
eval_on_cpu = config['eval_on_cpu']
data_path = config['data_path']
model_dir = config['model_dir']
# Set upd the data, hyperparameters, and the model
cifar = cifar10_input.CIFAR10Data(data_path)
model = Model(config, mode='eval')
from pgd_attack import LinfPGDAttack
attack = LinfPGDAttack(model,
epsilon=8 / 255.,
num_steps=7,
step_size=2 / 255.,
random_start=True,
loss_func='xent')
global_step = tf.contrib.framework.get_or_create_global_step()
# Setting up the Tensorboard and checkpoint outputs
if not os.path.exists(model_dir):
os.makedirs(model_dir)
eval_dir = os.path.join(model_dir, 'eval')
if not os.path.exists(eval_dir):
os.makedirs(eval_dir)
last_checkpoint_filename = ''
already_seen_state = False
print("acc_5", np.mean(np_acc_5_arr))
print("acc_1", np.mean(np_acc_arr))
print("adv_acc_5", np.mean(np_acc_attack_5_arr))
print("adv_acc", np.mean(np_acc_attack_arr))
print("decode_acc_5", np.mean(np_decode_acc_5_arr))
print("decode_acc", np.mean(np_decode_acc_arr))
print("linf acc", np.mean(l_inf_acc))
print("linf acc5", np.mean(l_inf_acc_5))
elif tid == 1:
for attack_method in ["linf", "l2"]:
if attack_method == "linf":
pgd_attack = LinfPGDAttack(normal_loss,
content,
label,
epsilon=8.0,
num_steps=50,
step_size=2.0,
random_start=True)
atk_func = pgd_attack.perturb
suffix = "_pgd_linf"
elif attack_method == "l2":
pgd_attack = LinfPGDAttack(normal_loss,
content,
label,
epsilon=7.0 * 255,
num_steps=50,
step_size=64,
random_start=True) # 255 normally
atk_func = pgd_attack.perturb_l2
suffix = "_pgd_l2"
def main():
os.environ['CUDA_VISIBLE_DEVICES'] = args.gpu
use_cuda = torch.cuda.is_available()
torch.manual_seed(1)
np.random.seed(1)
# Load datasets
# train_transform = transforms.Compose(
# [transforms.RandomHorizontalFlip(),
# transforms.RandomCrop(32, padding=4)])
train_transform = transforms.Compose([
transforms.RandomHorizontalFlip(),
transforms.RandomCrop(32, padding=4),
transforms.ToTensor(),
transforms.Normalize([0.5] * 3, [0.5] * 3)
])
preprocess = transforms.Compose(
[transforms.ToTensor(),
transforms.Normalize([0.5] * 3, [0.5] * 3)])
test_transform = preprocess
# rescale perturbation size according to normalization
args.a = args.a / 0.5
args.epsilon = args.epsilon / 0.5
if args.dataset == 'cifar10':
train_data = datasets.CIFAR10('/nvdatasets/cifar10',
train=True,
transform=train_transform,
download=True)
test_data = datasets.CIFAR10('/nvdatasets/cifar10',
train=False,
transform=test_transform,
download=True)
# base_c_path = './data/cifar/CIFAR-10-C/'
base_c_path = '/cnnfworkspace/Sophie'
num_classes = 10
else:
train_data = datasets.CIFAR100('./data/cifar',
train=True,
transform=train_transform,
download=True)
test_data = datasets.CIFAR100('./data/cifar',
train=False,
transform=test_transform,
download=True)
base_c_path = './data/cifar/CIFAR-100-C/'
num_classes = 100
# train_data = AugMixDataset(train_data, preprocess, args.no_jsd)
train_loader = torch.utils.data.DataLoader(train_data,
batch_size=args.batch_size,
shuffle=True,
num_workers=args.num_workers,
pin_memory=True)
test_loader = torch.utils.data.DataLoader(test_data,
batch_size=args.eval_batch_size,
shuffle=False,
num_workers=args.num_workers,
pin_memory=True)
# Create model
if args.model == 'densenet':
net = densenet(num_classes=num_classes)
elif args.model == 'wrn':
net = WideResNet(args.layers, num_classes, args.widen_factor,
args.droprate)
elif args.model == 'allconv':
net = AllConvNet(num_classes)
elif args.model == 'resnext':
net = resnext29(num_classes=num_classes)
optimizer = torch.optim.SGD(net.parameters(),
args.learning_rate,
momentum=args.momentum,
weight_decay=args.decay,
nesterov=True)
# Distribute model across all visible GPUs
net = torch.nn.DataParallel(net).cuda()
cudnn.benchmark = True
start_epoch = 0
if args.resume:
if os.path.isfile(args.resume):
checkpoint = torch.load(args.resume)
start_epoch = checkpoint['epoch'] + 1
best_acc = checkpoint['best_acc']
net.load_state_dict(checkpoint['state_dict'])
optimizer.load_state_dict(checkpoint['optimizer'])
print('Model restored from epoch:', start_epoch)
if args.adversarial:
adversary = LinfPGDAttack(net, args.epsilon, args.k, args.a,
args.random_start, args.adv_loss)
if args.evaluate:
# Evaluate clean accuracy first because test_c mutates underlying data
test_loss, test_acc = test(net, test_loader)
print('Clean\n\tTest Loss {:.3f} | Test Error {:.2f}'.format(
test_loss, 100 - 100. * test_acc))
test_c_acc = test_c(net, test_data, base_c_path)
print('Mean Corruption Error: {:.3f}'.format(100 - 100. * test_c_acc))
return
scheduler = torch.optim.lr_scheduler.LambdaLR(
optimizer,
lr_lambda=lambda step: get_lr( # pylint: disable=g-long-lambda
step,
args.epochs * len(train_loader),
1, # lr_lambda computes multiplicative factor
1e-6 / args.learning_rate))
if not os.path.exists(args.save):
os.makedirs(args.save)
if not os.path.isdir(args.save):
raise Exception('%s is not a dir' % args.save)
log_path = os.path.join(
args.save, args.dataset + '_' + args.model + '_training_log.csv')
with open(log_path, 'w') as f:
f.write('epoch,time(s),train_loss,test_loss,test_error(%)\n')
best_acc = 0
print('Beginning training from epoch:', start_epoch + 1)
for epoch in range(start_epoch, args.epochs):
begin_time = time.time()
if args.adversarial:
train_loss_ema, train_acc = train(net, train_loader, optimizer,
scheduler, adversary)
else:
train_loss_ema, train_acc = train(net, train_loader, optimizer,
scheduler)
test_loss, test_acc = test(net, test_loader)
is_best = test_acc > best_acc
best_acc = max(test_acc, best_acc)
checkpoint = {
'epoch': epoch,
'dataset': args.dataset,
'model': args.model,
'state_dict': net.state_dict(),
'best_acc': best_acc,
'optimizer': optimizer.state_dict(),
}
save_path = os.path.join(args.save, 'checkpoint.pth.tar')
torch.save(checkpoint, save_path)
if is_best:
shutil.copyfile(save_path,
os.path.join(args.save, 'model_best.pth.tar'))
with open(log_path, 'a') as f:
f.write('%03d,%05d,%0.6f,%0.5f,%0.2f\n' % (
(epoch + 1),
time.time() - begin_time,
train_loss_ema,
test_loss,
100 - 100. * test_acc,
))
print(
'Epoch {0:3d} | Time {1:5d} | Train Loss {2:.4f} {2:.4f} | Test Loss {3:.3f} |'
' Test Error {4:.2f}'.format((epoch + 1),
int(time.time() - begin_time),
train_loss_ema, test_loss,
100 - 100. * test_acc))
test_c_acc = test_c(net, test_data, base_c_path)
print('Mean Corruption Error: {:.3f}'.format(100 - 100. * test_c_acc))
with open(log_path, 'a') as f:
f.write('%03d,%05d,%0.6f,%0.5f,%0.2f\n' %
(args.epochs + 1, 0, 0, 0, 100 - 100 * test_c_acc))
def advs_train(dataset='cifar-10',
loss_name='ce',
epochs=120,
dynamic_epoch=100,
batch_size=128,
fosc_max=0.5,
epsilon=0.031):
"""
Adversarial training with PGD attack.
"""
print(
'DynamicAdvsTrain - Data set: %s, loss: %s, epochs: %s, dynamic_epoch: %s, batch: %s, epsilon: %s'
% (dataset, loss_name, epochs, dynamic_epoch, batch_size, epsilon))
X_train, Y_train, X_test, Y_test = get_data(dataset,
clip_min=0.,
clip_max=1.,
onehot=True)
n_images = X_train.shape[0]
image_shape = X_train.shape[1:]
n_class = Y_train.shape[1]
print("n_images:", n_images, "n_class:", n_class, "image_shape:",
image_shape)
model = get_model(dataset,
input_shape=image_shape,
n_class=n_class,
softmax=True)
# model.summary()
# create loss
if loss_name == 'ce':
loss = cross_entropy
else:
print("New loss function should be defined first.")
return
optimizer = SGD(lr=0.01, decay=1e-4, momentum=0.9)
model.compile(loss=loss, optimizer=optimizer, metrics=['accuracy'])
# data augmentation
if dataset in ['mnist']:
datagen = ImageDataGenerator()
elif dataset in ['cifar-10']:
datagen = ImageDataGenerator(rotation_range=10,
width_shift_range=0.2,
height_shift_range=0.2,
horizontal_flip=True)
else:
datagen = ImageDataGenerator(width_shift_range=0.2,
height_shift_range=0.2,
horizontal_flip=True)
datagen.fit(X_train)
# pgd attack for training
attack = LinfPGDAttack(model,
epsilon=epsilon,
eps_iter=epsilon / 4,
nb_iter=10,
random_start=True,
loss_func='xent',
clip_min=np.min(X_train),
clip_max=np.max(X_train))
# initialize logger
mylogger = Logger(K.get_session(),
model,
X_train,
Y_train,
X_test,
Y_test,
dataset,
loss_name,
epochs,
suffix='%s' % epsilon)
batch_iterator = datagen.flow(X_train, Y_train, batch_size=batch_size)
start_time = time.time()
for ep in range(epochs):
# learning rate decay
if (ep + 1) == 60:
lr = float(K.get_value(model.optimizer.lr))
K.set_value(model.optimizer.lr, lr / 10.0)
if (ep + 1) == 100:
lr = float(K.get_value(model.optimizer.lr))
K.set_value(model.optimizer.lr, lr / 10.0)
lr = float(K.get_value(model.optimizer.lr))
# a simple linear decreasing of fosc
fosc = fosc_max - fosc_max * (ep * 1.0 / dynamic_epoch)
fosc = np.max([fosc, 0.0])
steps_per_epoch = int(X_train.shape[0] / batch_size)
pbar = tqdm(range(steps_per_epoch))
for it in pbar:
batch_x, batch_y = batch_iterator.next()
batch_advs, fosc_batch = attack.perturb(K.get_session(), batch_x,
batch_y, batch_size, ep,
fosc)
probs = model.predict(batch_advs)
loss_weight = np.max(-batch_y * np.log(probs + 1e-12), axis=1)
if it == 0:
fosc_all = fosc_batch
else:
fosc_all = np.concatenate((fosc_all, fosc_batch), axis=0)
if ep == 0:
loss, acc = model.train_on_batch(batch_advs, batch_y)
else:
loss, acc = model.train_on_batch(batch_advs,
batch_y,
sample_weight=loss_weight)
pbar.set_postfix(acc='%.4f' % acc, loss='%.4f' % loss)
print('All time:', time.time() - start_time)
log_path = './log'
file_name = os.path.join(
log_path, 'BatchSize_{}_Epoch_{}_fosc.npy'.format(batch_size, ep))
np.save(file_name, fosc_all)
val_loss, val_acc = model.evaluate(X_test,
Y_test,
batch_size=batch_size,
verbose=0)
logs = {
'acc': acc,
'loss': loss,
'val_acc': val_acc,
'val_loss': val_loss
}
print(
"Epoch %s - loss: %.4f - acc: %.4f - val_loss: %.4f - val_acc: %.4f"
% (ep, loss, acc, val_loss, val_acc))
# save the log and model every epoch
mylogger.on_epoch_end(epoch=ep, logs=logs)
model.save_weights("model/advs_%s_%s_%s_%s.hdf5" %
(dataset, loss_name, epsilon, ep))
raw_train_y = np.array(train_Y).astype(int)
#将训练集label转换成one hot 形式
train_Y = np.zeros((len(raw_train_y), 2))
train_Y[np.arange(len(raw_train_y)), raw_train_y] = 1
#打散训练数据的顺序
shuffle_indices = np.random.permutation(np.arange(len(train_X)))
train_X = train_X[shuffle_indices]
train_Y = train_Y[shuffle_indices]
batch_size = 16 #每次训练时样本批次大小
model_path = '/home/zrs/Desktop/adversarial_attacks/cnn_model_defence/model' #模型保存地址
epoch = int(len(train_X) / batch_size) #总的训练次数
print(epoch)
model = Model()
attack = LinfPGDAttack(model, config['epsilon'], config['k'], config['a'],
config['random_start'], config['loss_func'])
#模型训练
saver = tf.train.Saver(max_to_keep=10)
sess = tf.InteractiveSession()
tf.summary.scalar('adv loss', model.total_loss)
merged_summaries = tf.summary.merge_all()
loss_path = '/home/zrs/Desktop/adversarial_attacks/loss_sum'
summary_writer = tf.summary.FileWriter(loss_path, sess.graph)
retrain = False
if retrain:
sess.run(tf.global_variables_initializer())
else:
sess.run(tf.global_variables_initializer())
# 讀取經過對抗訓練的神經網絡
grads1 = encoder_opt.compute_gradients(total_loss,
var_list=var_main_encoder)
train_step_m_encoder = encoder_opt.apply_gradients(grads1)
new_global_step = tf.add(global_step, 1, name='global_step/add')
increment_global_step_op = tf.assign(global_step,
new_global_step,
name='global_step/assign')
attack = LinfPGDAttack(model_var_attack,
config['epsilon'],
config['num_steps'],
config['step_size'],
config['random_start'],
config['loss_func'],
dataset_type,
attack_suc_ratio=config['attack_suc_ratio'],
max_multi=config['max_multi'])
attack_test = LinfPGDAttack(
model_var_attack,
config['epsilon'],
strong_attack_config[0], #num steps
strong_attack_config[1], #step size
config['random_start'],
config['loss_func'],
dataset_type,
attack_suc_ratio=config['attack_suc_ratio'],
max_multi=config['max_multi'])
trainloader = torch.utils.data.DataLoader(traindata, batch_size=batch_size, shuffle=True)
testdata = torchvision.datasets.MNIST(root="./mnist", train=False, download=True, transform=transform)
testloader = torch.utils.data.DataLoader(testdata, batch_size=batch_size, shuffle=False)
net = CNN(10)
natural_net = CNN(10)
# Setting up the optimizer
optimizer = optim.Adam(net.parameters(), lr=1e-4)
natural_optimizer = optim.Adam(natural_net.parameters(), lr=1e-4)
criterion = nn.CrossEntropyLoss()
# Set up adversary
attack = LinfPGDAttack(net,
config['epsilon'],
config['k'],
config['a'],
config['random_start'])
fgsattack = FGSAttack(net, config['epsilon'])
model_dir = config['model_dir']
if not os.path.exists(model_dir):
os.makedirs(model_dir)
shutil.copy('config.json', model_dir)
training_time = 0.0
for epoch in range(max_num_training_steps):
print("Epoch: {}".format(epoch))
running_loss = 0.0
for data in tqdm(trainloader):
model = Model()
optimizer = torch.optim.Adam(model.parameters(),
lr=cfg.lr,
weight_decay=0.0005,
amsgrad=False)
is_cuda = False
if torch.cuda.device_count() > 1:
model = nn.DataParallel(model)
if torch.cuda.is_available():
model = model.cuda()
is_cuda = True
attack = LinfPGDAttack(model=model,
epsilon=cfg.epsilon,
k=cfg.k,
alpha=cfg.alpha,
random_start=cfg.random_start)
trainer = Trainer(model=model,
attack=attack,
optimizer=optimizer,
summary_writer=summary_writer,
is_cuda=True,
output_freq=cfg.output_freq,
print_freq=cfg.print_freq)
trainer.reset()
for epoch in range(cfg.max_epoch):
trainer.train(epoch, train_loader)
if cfg.save_freq < 1:
save_current = False
def main(cfg):
img_size = cfg['img_size']
batch_size = cfg['batch_size']
num_glimpse = cfg['num_glimpse']
glimpse_size = cfg['glimpse_size']
lr = cfg['lr']
input_images = tf.placeholder(tf.float32,
shape=(batch_size, img_size, img_size, 1))
input_label = tf.placeholder(tf.int64, shape=(batch_size))
# build classifier
#model = Model_att(input_images, input_label, glimpse_size, num_glimpse)
# model = Model_madry(input_images, input_label)
model = Model_crop(input_images, input_label)
# setup attacker
attack = LinfPGDAttack(model,
epsilon=0.3,
k=40,
a=0.01,
random_start=True,
loss_func='xent')
## OPTIMIZER ##
learning_rate = tf.Variable(lr) # learning rate for optimizer
optimizer = tf.train.AdamOptimizer(learning_rate, beta1=0.5)
grads = optimizer.compute_gradients(model.xent)
train_op = optimizer.apply_gradients(grads)
saver = tf.train.Saver()
## training starts ###
FLAGS = tf.app.flags.FLAGS
tfconfig = tf.ConfigProto(
allow_soft_placement=True,
log_device_placement=True,
)
tfconfig.gpu_options.allow_growth = True
sess = tf.Session(config=tfconfig)
init = tf.global_variables_initializer()
sess.run(init)
mnist = input_data.read_data_sets('MNIST_data', one_hot=False)
hist = {
'train_acc': [],
'train_adv_acc': [],
'test_acc': [],
'test_adv_acc': [],
'train_loss': [],
'test_loss': [],
'train_adv_loss': [],
'test_adv_loss': []
}
train_iters = 500000
for itr in tqdm(range(train_iters)):
x_batch_train, y_batch_train = mnist.train.next_batch(batch_size)
if 1: # adv train
x_batch_train_adv = attack.perturb(
x_batch_train.reshape(batch_size, img_size, img_size, 1),
y_batch_train, sess)
adv_dict_train = {
input_images:
x_batch_train_adv.reshape(batch_size, img_size, img_size, 1),
input_label:
y_batch_train
}
nat_dict_train = {
input_images:
x_batch_train.reshape(batch_size, img_size, img_size, 1),
input_label:
y_batch_train
}
sess.run(train_op, feed_dict=adv_dict_train)
else: # nat train
nat_dict_train = {
input_images:
x_batch_train.reshape(batch_size, img_size, img_size, 1),
input_label:
y_batch_train
}
sess.run(train_op, feed_dict=nat_dict_train)
if itr % 100 == 0:
y_pred, train_loss_i = sess.run([model.y_pred, model.xent],
feed_dict=nat_dict_train)
counts = np.asarray([
np.argmax(np.bincount(y_pred[:, i])) for i in range(batch_size)
])
train_acc_i = np.mean(counts == nat_dict_train[input_label])
x_batch_test, y_batch_test = mnist.test.next_batch(batch_size)
nat_dict_test = {
input_images:
x_batch_test.reshape(batch_size, img_size, img_size, 1),
input_label:
y_batch_test
}
y_pred, test_loss_i = sess.run([model.y_pred, model.xent],
feed_dict=nat_dict_test)
counts = np.asarray([
np.argmax(np.bincount(y_pred[:, i])) for i in range(batch_size)
])
test_acc_i = np.mean(counts == nat_dict_test[input_label])
print(
"iter: {}, train_acc:{} test_acc:{} train_loss:{} test_loss:{} "
.format(itr, train_acc_i, test_acc_i, train_loss_i,
test_loss_i))
x_batch_train_adv = attack.perturb(
x_batch_train.reshape(batch_size, img_size, img_size, 1),
y_batch_train, sess)
adv_dict_train = {
input_images:
x_batch_train_adv.reshape(batch_size, img_size, img_size, 1),
input_label:
y_batch_train
}
y_pred, train_adv_loss_i = sess.run([model.y_pred, model.xent],
feed_dict=adv_dict_train)
counts = np.asarray([
np.argmax(np.bincount(y_pred[:, i])) for i in range(batch_size)
])
train_adv_acc_i = np.mean(counts == adv_dict_train[input_label])
x_batch_test_adv = attack.perturb(
x_batch_test.reshape(batch_size, img_size, img_size, 1),
y_batch_test, sess)
adv_dict_test = {
input_images:
x_batch_test_adv.reshape(batch_size, img_size, img_size, 1),
input_label:
y_batch_test
}
y_pred, test_adv_loss_i = sess.run([model.y_pred, model.xent],
feed_dict=adv_dict_test)
counts = np.asarray([
np.argmax(np.bincount(y_pred[:, i])) for i in range(batch_size)
])
test_adv_acc_i = np.mean(counts == adv_dict_test[input_label])
print(
"iter: {}, train_adv_acc:{} test_adv_acc:{} train_adv_loss:{} test_adv_loss:{} "
.format(itr, train_adv_acc_i, test_adv_acc_i, train_adv_loss_i,
test_adv_loss_i))
hist['train_acc'] += [train_acc_i]
hist['train_adv_acc'] += [train_adv_acc_i]
hist['test_acc'] += [test_acc_i]
hist['test_adv_acc'] += [test_adv_acc_i]
hist['train_loss'] += [train_loss_i]
hist['test_loss'] += [test_loss_i]
hist['train_adv_loss'] += [train_adv_loss_i]
hist['test_adv_loss'] += [test_adv_loss_i]
np.save('hist', hist)
saver.save(sess, 'crop_ckpt')
print('done')
class SpatialAttack:
def __init__(self, model, config, method=None, worstofk=None,
attack_limits=None, fo_epsilon=2.0, fo_step_size=2.,
fo_num_steps=5):
self.model = model
self.grid_store = []
if config.use_linf:
self.linf_attack = LinfPGDAttack(
model, config, fo_epsilon, fo_step_size, fo_num_steps)
else:
self.linf_attack = None
self.use_spatial = config.use_spatial
if config.use_spatial:
# Attack method
if method == None:
self.method = config.spatial_method
else:
self.method = method
# Attack parameters
if attack_limits == None:
self.limits = config.spatial_limits
else:
self.limits = attack_limits
if config.only_rotation:
self.limits = [0,0,self.limits[2]]
if config.only_translation:
self.limits = [self.limits[0],self.limits[1],0]
# Attack method parameters
if self.method == 'grid':
self.granularity = config.grid_granularity
elif self.method == 'random':
if worstofk == None:
self.random_tries = config.random_tries
else:
self.random_tries = worstofk
elif self.method == 'fo':
self.fo_attack = SpatialPGDAttack(
model, config, fo_epsilon, fo_step_size, fo_num_steps)
else:
raise NotImplementedError
def perturb(self, x_nat, y, sess):
if not self.use_spatial:
t = np.zeros([len(x_nat), 3])
if self.linf_attack:
x = self.linf_attack.perturb(x_nat, y, sess, trans=t)
else:
x = x_nat
return x, t
if self.method == 'grid':
return self.perturb_grid(x_nat, y, sess, -1)
elif self.method == 'fo':
return self.fo_attack.perturb(x_nat, y, sess)
else: # random
return self.perturb_grid(x_nat, y, sess, self.random_tries)
def perturb_grid(self, x_nat, y, sess, random_tries=-1):
n = len(x_nat)
if random_tries > 0:
# subsampling this list from the grid is a bad idea, instead we
# will randomize each example from the full continuous range
grid = [(42, 42, 42) for _ in range(random_tries)] # dummy list
else: # exhaustive grid
grid = product(*list(np.linspace(-l, l, num=g)
for l, g in zip(self.limits, self.granularity)))
worst_x = np.copy(x_nat)
worst_t = np.zeros([n, 3])
max_xent = np.zeros(n)
all_correct = np.ones(n).astype(bool)
for tx, ty, r in grid:
if random_tries > 0:
# randomize each example separately
t = np.stack((np.random.uniform(-l, l, n) for l in self.limits),
axis=1)
else:
t = np.stack(repeat([tx, ty, r], n))
if self.linf_attack:
x = self.linf_attack.perturb(x_nat, y, sess, trans=t)
else:
x = x_nat
curr_dict = {self.model.x_input: x,
self.model.y_input: y,
self.model.is_training: False,
self.model.transform: t}
cur_xent, cur_correct = sess.run([self.model.y_xent,
self.model.correct_prediction],
feed_dict = curr_dict) # shape (bsize,)
cur_xent = np.asarray(cur_xent)
cur_correct = np.asarray(cur_correct)
# Select indices to update: we choose the misclassified transformation
# of maximum xent (or just highest xent if everything else if correct).
idx = (cur_xent > max_xent) & (cur_correct == all_correct)
idx = idx | (cur_correct < all_correct)
max_xent = np.maximum(cur_xent, max_xent)
all_correct = cur_correct & all_correct
idx = np.expand_dims(idx, axis=-1) # shape (bsize, 1)
worst_t = np.where(idx, t, worst_t) # shape (bsize, 3)
idx = np.expand_dims(idx, axis=-1)
idx = np.expand_dims(idx, axis=-1) # shape (bsize, 1, 1, 1)
worst_x = np.where(idx, x, worst_x,) # shape (bsize, 32, 32, 3)
return worst_x, worst_t
# Setting up training parameters
model_dir = args.model_dir
data_path = config['data_path']
num_eval_examples = config['num_eval_examples']
eval_batch_size = config['eval_batch_size']
# Setting up the data and the model
raw_cifar = cifar10_input.CIFAR10Data(data_path)
global_step = tf.contrib.framework.get_or_create_global_step()
model = Model(num_classes=num_classes, n=args.n)
# Set up adversary
attack_xent = LinfPGDAttack(model,
config['epsilon'],
args.steps,
config['step_size'],
config['random_start'],
'xent')
attack_cw = LinfPGDAttack(model,
config['epsilon'],
args.steps,
config['step_size'],
config['random_start'],
'cw')
saver = tf.train.Saver()
import tqdm
def evaluate(sess):
parser.add_argument('--num_step_ODI',
default=2,type=int,
help='number of ODI step')
args = parser.parse_args()
cifar = cifar10_input.CIFAR10Data(args.data_path)
model = Model(mode='eval')
var_all = tf.get_collection(tf.GraphKeys.VARIABLES)
saver = tf.train.Saver(var_all)
if args.num_step_ODI > 0:
init_ODI = LinfPGDAttack(model,
args.eps,
args.num_step_ODI,
args.step_size_ODI,
args.rand_start,
'margin',
args.eval_batch_size,
use_ODI=True)
attack_PGD = LinfPGDAttack(model,
args.eps,
args.num_step,
args.step_size,
False,
'margin',
args.eval_batch_size)
def evaluate_checkpoint(sess):
# Iterate over the samples batch-by-batch
num_batches = int(math.ceil(args.evalSize / args.eval_batch_size))
n=args.n)
# Setting up the optimizer
boundaries = [int(sss[0]) for sss in step_size_schedule]
boundaries = boundaries[1:]
values = [sss[1] for sss in step_size_schedule]
learning_rate = tf.train.piecewise_constant(tf.cast(global_step, tf.int32),
boundaries, values)
total_loss = model.mean_xent_merge + weight_decay * model.weight_decay_loss
update_ops = tf.get_collection(tf.GraphKeys.UPDATE_OPS)
with tf.control_dependencies(update_ops):
train_step = tf.train.MomentumOptimizer(learning_rate, momentum).minimize(
total_loss, global_step=global_step)
# Set up adversary
attack = LinfPGDAttack(model, config['epsilon'], config['num_steps'],
config['step_size'], config['random_start'], 'merge')
attack_eval = LinfPGDAttack(model, config['epsilon'], config['num_steps'],
config['step_size'], config['random_start'],
config['loss_func'])
saver = tf.train.Saver(max_to_keep=5)
tf.summary.scalar('primary_accuracy_adv_train', model.accuracy)
tf.summary.scalar('auxiliary_accuracy_adv_train', model.accuracy_aux)
tf.summary.scalar('primary_xent_adv_train', model.xent_pri)
tf.summary.scalar('auxiliary_xent_adv_train', model.xent_aux)
#tf.summary.image('images adv train', model.x_input, max_outputs=128)
merged_summaries = tf.summary.merge_all()
# keep the configuration file with the model for reproducibility
shutil.copy(conf, model_dir)
_, _, _, mean_kl = model.get_trades_values(adv_logits, nat_logits)
grad_reg_loss = model.get_grad_reg_values(x_adv_input, y_input)
if args.trades:
total_loss = nat_mean_xent + mean_kl * beta
elif args.grad_reg:
total_loss = nat_mean_xent + grad_reg_loss * alpha
else:
total_loss = adv_mean_xent
# Setting up the optimizer
train_step = tf.train.AdamOptimizer(1e-4).minimize(total_loss,
global_step=global_step)
# Set up adversary
attack = LinfPGDAttack(model, args.epsilon, args.num_steps, args.step_size,
True, args.loss_func)
# Setting up the Tensorboard and checkpoint outputs
model_dir = 'models/' + args.model_dir
if not os.path.exists(model_dir):
os.makedirs(model_dir)
# We add accuracy and xent twice so we can easily make three types of
# comparisons in Tensorboard:
# - train vs eval (for a single run)
# - train of different runs
# - eval of different runs
saver = tf.train.Saver(max_to_keep=3)
tf.summary.scalar('accuracy adv train', adv_acc)
tf.summary.scalar('accuracy adv', adv_acc)
# Setting up the Tensorboard and checkpoint outputs
if not os.path.exists(model_dir):
os.makedirs(model_dir)
eval_dir = os.path.join(model_dir, 'eval')
if not os.path.exists(eval_dir):
os.makedirs(eval_dir)
saver = tf.train.Saver()
summary_writer = tf.summary.FileWriter(eval_dir)
if __name__ == "__main__":
checkpoint = tf.train.latest_checkpoint(model_dir)
with tf.Session() as sess:
attack = LinfPGDAttack(sess, model, config['epsilon'],
config['num_steps'], config['step_size'],
config['random_start'], config['loss_func'])
# Restore the checkpoint
saver.restore(sess, checkpoint)
# Iterate over the samples batch-by-batch
num_batches = int(math.ceil(num_eval_examples / eval_batch_size))
total_xent_nat = 0.
total_xent_adv = 0.
total_corr_nat = 0
total_corr_adv = 0
for ibatch in range(num_batches):
bstart = ibatch * eval_batch_size
bend = min(bstart + eval_batch_size, num_eval_examples)
num_checkpoint_steps = config['num_checkpoint_steps']
fea_dim = config['fea_dim']
batch_size = config['training_batch_size']
# Setting up the data and the model
mnist = input_data.read_data_sets('MNIST_data', one_hot=False)
global_step = tf.contrib.framework.get_or_create_global_step()
with tf.name_scope('model_fix') as scope:
model_fix = Model(fea_dim)
# Setting up the optimizer
train_step = tf.train.AdamOptimizer(1e-4).minimize(model_fix.xent,
global_step=global_step)
# Set up adversary
attack = LinfPGDAttack(model_fix, config['epsilon'], config['k'], config['a'],
config['random_start'], config['loss_func'])
# Setting up the Tensorboard and checkpoint outputs
model_dir = config['model_dir']
if not os.path.exists(model_dir):
os.makedirs(model_dir)
os.system("cp *.py {}".format(model_dir))
os.system("cp *.json {}".format(model_dir))
# We add accuracy and xent twice so we can easily make three types of
# comparisons in Tensorboard:
# - train vs eval (for a single run)
# - train of different runs
# - eval of different runs
#tf.summary.scalar('accuracy adv train', model.accuracy)
#tf.summary.scalar('accuracy adv', model.accuracy)
if discretize:
codes = np.load(codes_path)
if __name__=='__main__':
mnist = input_data.read_data_sets('data/fashion', source_url='http://fashion-mnist.s3-website.eu-central-1.amazonaws.com/', one_hot=False)
with tf.Session() as sess:
model = Model()
saver = tf.train.Saver()
checkpoint = tf.train.latest_checkpoint(model_dir)
saver.restore(sess, checkpoint)
if discretize:
attack = CWAttack(model, attack_steps, step_size, epsilon, codes, eval_batch_size, alpha)
else:
attack = LinfPGDAttack(model, epsilon, attack_steps, step_size, random_start, loss_func)
# Iterate over the samples batch-by-batch
num_batches = int(math.ceil(num_eval_examples / eval_batch_size))
total_corr_nat = 0
total_corr_adv = 0
rate = []
for ibatch in range(num_batches):
bstart = ibatch * eval_batch_size
bend = min(bstart + eval_batch_size, num_eval_examples)
x_batch = mnist.test.images[bstart:bend, :]
y_batch = mnist.test.labels[bstart:bend]
x_batch_adv = attack.perturb(x_batch, y_batch, sess)
def test_model(model_dir,
model_var_attack,
n_Anum_correct,
var_main_encoder,
attack_steps,
attack_step_size,
config,
dataset_type,
dataset,
n_mask,
x4,
pre_softmax,
loss_func='xent',
rand_start=1,
use_rand=True,
momentum=0.0,
save_filename=None):
num_eval_examples = config['num_eval_examples'] #TODO: for cifar!
eval_batch_size = config['eval_batch_size']
num_batches = int(math.ceil(num_eval_examples / eval_batch_size))
x_Anat, n_Axent, y_Ainput, is_training, n_Aaccuracy = model_var_attack
num_of_classes = 10
if dataset_type == 'imagenet_01':
saver = tf.train.Saver()
num_of_classes = 200
else:
var_main_encoder_var = tf.get_collection(tf.GraphKeys.MODEL_VARIABLES,
scope='main_encoder')
restore_var_list = remove_duplicate_node_from_list(
var_main_encoder, var_main_encoder_var)
saver_restore = tf.train.Saver(restore_var_list)
if dataset_type == 'imagenet':
num_of_classes = 200
print('epsilon', config['epsilon'], 'step size', attack_step_size)
attack = LinfPGDAttack(model_var_attack,
config['epsilon'],
attack_steps,
attack_step_size,
use_rand,
loss_func,
dataset_type,
pre_softmax=pre_softmax,
num_of_classes=num_of_classes,
momentum=momentum) # TODO: without momentum
def compute_pred_rep(dataset_part, save_emb, num_batches):
total_corr_adv = 0
total_xent_adv = 0.
ibatch = 0
save_flag = False
if save_emb != None:
perturbed_img = []
gt_label = []
save_flag = True
with tf.Session(config=tf.ConfigProto(
gpu_options=gpu_options)) as sess:
if dataset_type == 'imagenet_01':
saver.restore(sess, get_latest_checkpoint(model_dir))
else:
model_dir_load = tf.train.latest_checkpoint(model_dir)
print('model_dir_load', model_dir_load)
saver_restore.restore(sess, model_dir_load)
for ibatch in range(num_batches):
bstart = ibatch * eval_batch_size
bend = min(bstart + eval_batch_size, num_eval_examples)
x_batch = dataset_part.xs[bstart:bend, :]
if dataset_type == 'imagenet_01':
x_batch = x_batch.astype(np.float32) / 255.0
y_batch = dataset_part.ys[bstart:bend]
if attack_steps > 0:
if rand_start > 1:
for ii in range(rand_start):
x_batch_adv = attack.perturb(
x_batch, y_batch, False, sess)
if ii == 0:
x_adv_final = np.copy(x_batch_adv)
test_dict_temp = {
x_Anat: x_batch_adv.astype(np.float32),
y_Ainput: y_batch,
is_training: False
}
n_mask_val = sess.run(n_mask,
feed_dict=test_dict_temp)
for ind in range(n_mask_val.shape[0]):
if n_mask_val[ind] < 1e-4:
x_adv_final[ind] = x_batch_adv[ind]
x_batch_adv = x_adv_final
else:
x_batch_adv = attack.perturb(x_batch, y_batch, False,
sess)
else:
x_batch_adv = x_batch
if save_flag:
perturbed_img.append(x_batch_adv)
gt_label.append(y_batch)
# print('range', np.max(x_batch_adv), np.min(x_batch_adv))
test_dict = {
x_Anat: x_batch_adv.astype(np.float32),
y_Ainput: y_batch,
is_training: False
}
cur_corr_adv, cur_xent_adv = sess.run(
[n_Anum_correct, n_Axent], feed_dict=test_dict)
# from utils import visualize_imgs
# # print(x_batch)
# # print(x_batch_adv)
# print(np.max(x_batch_adv), np.min(x_batch_adv), np.sum(np.abs(x_batch_adv-x_batch)))
# visualize_imgs('/home/mcz/AdvPlot/', [x_batch, x_batch_adv, x_batch_adv-x_batch + 0.5], img_ind=ibatch)
total_xent_adv += cur_xent_adv
total_corr_adv += cur_corr_adv
if ibatch % (num_batches // 10) == 0:
print(ibatch, 'finished')
if save_flag:
perturbed_img_all = np.concatenate(perturbed_img, axis=0)
gt_label_all = np.concatenate(gt_label, axis=0)
save_dict = dict()
save_dict['img'] = perturbed_img_all
save_dict['label'] = gt_label_all
np.save(save_emb, save_dict)
print('save successfully')
num_batches = (ibatch + 1)
avg_xent_adv = total_xent_adv / num_eval_examples
acc_adv = total_corr_adv / num_eval_examples
print('***TEST**step={} step_size={} **'.format(
attack_steps, attack_step_size))
print('Accuracy: {:.2f}%'.format(100 * acc_adv))
print('loss: {:.4f}'.format(avg_xent_adv))
print("*****")
compute_pred_rep(dataset.eval_data, save_filename, num_batches)
with open('config.json') as config_file:
config = json.load(config_file)
num_eval_examples = config['num_eval_examples']
eval_batch_size = config['eval_batch_size']
eval_on_cpu = config['eval_on_cpu']
model_dir = config['model_dir']
# Set upd the data, hyperparameters, and the model
mnist = input_data.read_data_sets('MNIST_data', one_hot=False)
if eval_on_cpu:
with tf.device("/cpu:0"):
model = Model()
attack = LinfPGDAttack(model, config['epsilon'], config['k'],
config['a'], config['random_start'],
config['loss_func'])
else:
model = Model()
attack = LinfPGDAttack(model, config['epsilon'], config['k'], config['a'],
config['random_start'], config['loss_func'])
global_step = tf.contrib.framework.get_or_create_global_step()
# Setting up the Tensorboard and checkpoint outputs
if not os.path.exists(model_dir):
os.makedirs(model_dir)
eval_dir = os.path.join(model_dir, 'eval')
if not os.path.exists(eval_dir):
os.makedirs(eval_dir)
#######################################################################################
##########################################################################################
with tf.Session() as sess:
# Initialize the summary writer, global variables, and our time counter.
summary_writer = tf.summary.FileWriter(model_dir, sess.graph)
sess.run(tf.global_variables_initializer())
training_time = 0.0
# Main training loop
for ii in range(max_num_training_steps):
###########################################################################
if ii < config['num_schedule_steps']:
current_eps = eps_step[ii]
attack = LinfPGDAttack(model, current_eps, config['k'],
current_eps * 2.0 / config['k'],
config['random_start'], config['loss_func'])
#else:
# current_eps = config['epsilon']
#print(current_eps)
############################################################################
x_batch, y_batch = YALE_TRAIN.get_next_batch(batch_size)
# Compute Adversarial Perturbations
start = timer()
x_batch_adv = attack.perturb(x_batch, y_batch, sess)
end = timer()
training_time += end - start
nat_dict = {model.x_input: x_batch, model.y_input: y_batch}
# Setting up the data and the model
mnist = input_data.read_data_sets('MNIST_data', one_hot=False)
global_step = tf.contrib.framework.get_or_create_global_step()
#sp_model = md.CompactGSOPwhModel()
#model = md.Model()
sp_model = md.GSOPcModel()
model = md.GSOPwhModel()
# Setting up the optimizer
train_step = tf.train.AdamOptimizer(1e-4).minimize(model.xent,
global_step=global_step)
sp_train_step = tf.train.AdamOptimizer(1e-4).minimize(sp_model.xent,
global_step=global_step)
# Set up adversary
attack = LinfPGDAttack(model, config['epsilon'], config['k'], config['a'],
config['random_start'], config['loss_func'])
sp_attack = LinfPGDAttack(sp_model, config['epsilon'], config['k'],
config['a'], config['random_start'],
config['loss_func'])
# Setting up the Tensorboard and checkpoint outputs
model_dir = config['model_dir']
if not os.path.exists(model_dir):
os.makedirs(model_dir)
# We add accuracy and xent twice so we can easily make three types of
# comparisons in Tensorboard:
# - train vs eval (for a single run)
# - train of different runs
# - eval of different runs
boundaries = [int(sss[0]) for sss in step_size_schedule]
boundaries = boundaries[1:]
values = [sss[1] for sss in step_size_schedule]
learning_rate = tf.train.piecewise_constant(tf.cast(global_step, tf.int32),
boundaries, values)
total_loss = tf.add_n(
[model.mean_xent,
tf.multiply(weight_decay, model.weight_decay_loss)])
update_ops = tf.get_collection(tf.GraphKeys.UPDATE_OPS)
with tf.control_dependencies(update_ops):
train_step = tf.train.MomentumOptimizer(learning_rate, momentum).minimize(
total_loss, global_step=global_step)
# Set up adversary
attack = LinfPGDAttack(model, config['epsilon'], config['num_steps'],
config['step_size'], config['random_start'],
config['loss_func'])
# Setting up the Tensorboard and checkpoint outputs
model_dir = config['model_dir']
if not os.path.exists(model_dir):
os.makedirs(model_dir)
# We add accuracy and xent twice so we can easily make three types of
# comparisons in Tensorboard:
# - train vs eval (for a single run)
# - train of different runs
# - eval of different runs
saver = tf.train.Saver(max_to_keep=3)
tf.summary.scalar('accuracy adv train', model.accuracy)
config = json.load(config_file)
num_eval_examples = int(config['num_eval_examples'])
eval_batch_size = config['eval_batch_size']
eval_on_cpu = config['eval_on_cpu']
data_path = config['data_path']
model_dir = config['new_model_dir']
# Set upd the data, hyperparameters, and the model
cifar = cifar10_input.CIFAR10Data(data_path)
if eval_on_cpu:
with tf.device("/cpu:0"):
model = Model(mode='eval')
attack = LinfPGDAttack(model, config['epsilon'], config['num_steps'],
config['step_size'], config['random_start'],
config['loss_func'])
else:
model = Model(mode='eval')
attack = LinfPGDAttack(model, config['epsilon'], config['num_steps'],
config['step_size'], config['random_start'],
config['loss_func'])
# global_step = tf.contrib.framework.get_or_create_global_step()
# Setting up the Tensorboard and checkpoint outputs
if not os.path.exists(model_dir):
os.makedirs(model_dir)
eval_dir = os.path.join(model_dir, 'eval')
if not os.path.exists(eval_dir):
os.makedirs(eval_dir)
model = models.MNIST_improved_ia.Model(config)
elif config["estimation_method"] == 'naive_ia':
model = models.MNIST_naive_ia.Model(config)
else:
print("Defaulting to Naive IA for ReLU bound estimation")
model = models.MNIST_naive_ia.Model(config)
# Setting up the optimizer
train_step = tf.train.AdamOptimizer(1e-4).minimize(model.xent + \
w_l1 * model.l1_loss + \
w_rsloss * model.rsloss,
global_step=global_step)
# Set up adversary
attack = LinfPGDAttack(model, config['epsilon'], config['k'], config['a'],
config['random_start'], config['loss_func'],
config['incremental'])
# Set up eval adversary in the case of an incremental training schedule
eval_attack = LinfPGDAttack(model, config['eval_epsilon'], 40,
config['eval_epsilon'] / 10.0,
config['random_start'], config['loss_func'])
# Setting up the Tensorboard and checkpoint outputs
if not os.path.exists(model_dir):
os.makedirs(model_dir)
eval_dir = os.path.join(model_dir, 'eval')
if eval_during_training and not os.path.exists(eval_dir):
os.makedirs(eval_dir)
# Keep track of accuracies in Tensorboard