def main(_):
  """Runs dual-formulation certification for each requested adversarial class."""
  # Restore the trained network and wrap it in the parameter container.
  net_weights, net_biases, net_layer_types = read_weights.read_weights(
      FLAGS.checkpoint, FLAGS.model_json)
  nn_params = neural_net_params.NeuralNetParams(net_weights, net_biases,
                                                net_layer_types)
  print(nn_params.sizes)

  # Dual variables are initialized once and shared across adversarial classes.
  dual_var = utils.initialize_dual(
      nn_params, FLAGS.init_dual_file, init_nu=FLAGS.init_nu)

  # Load the test point and flatten it into a column vector.
  with tf.gfile.Open(FLAGS.test_input) as f:
    test_input = np.load(f)
  test_input = np.reshape(test_input, [np.size(test_input), 1])

  # adv_class == -1 means "sweep every class"; otherwise certify just one.
  if FLAGS.adv_class == -1:
    start_class, end_class = 0, FLAGS.num_classes
  else:
    start_class, end_class = FLAGS.adv_class, FLAGS.adv_class + 1

  # Optimizer hyper-parameters, read straight from the flags of the same name.
  flag_names = [
      'init_penalty', 'large_eig_num_steps', 'small_eig_num_steps',
      'inner_num_steps', 'outer_num_steps', 'beta', 'smoothness_parameter',
      'eig_learning_rate', 'optimizer', 'init_learning_rate',
      'learning_rate_decay', 'momentum_parameter', 'print_stats_steps',
      'stats_folder', 'projection_steps'
  ]

  for adv_class in range(start_class, end_class):
    print('Adv class', adv_class)
    if adv_class == FLAGS.true_class:
      # The true class cannot be its own adversarial target.
      continue
    dual = dual_formulation.DualFormulation(dual_var, nn_params, test_input,
                                            FLAGS.true_class, adv_class,
                                            FLAGS.input_minval,
                                            FLAGS.input_maxval, FLAGS.epsilon)
    dual.set_differentiable_objective()
    dual.get_full_psd_matrix()
    optimization_params = {name: getattr(FLAGS, name) for name in flag_names}
    with tf.Session() as sess:
      sess.run(tf.global_variables_initializer())
      optimization_object = optimization.Optimization(dual, sess,
                                                      optimization_params)
      optimization_object.prepare_one_step()
      is_cert_found = optimization_object.run_optimization()
      if not is_cert_found:
        print('Current example could not be verified')
        exit()
      print('Example successfully verified')
def test_get_psd_product(self):
  """Checks the implicit PSD matrix-vector product against an explicit matmul."""
  # Tiny two-layer network: 2 -> 3 (relu) -> 2 (linear).
  net_weights = [[[2, 2], [3, 3], [4, 4]], [[1, 1, 1], [-1, -1, -1]]]
  net_biases = [
      np.transpose(np.matrix([0, 0, 0])),
      np.transpose(np.matrix([0, 0])),
  ]
  net_layer_types = ["ff_relu", "ff"]
  nn_params1 = nn.NeuralNetwork(net_weights, net_biases, net_layer_types)

  test_input = np.transpose(np.matrix([0, 0]))
  true_class = 0
  adv_class = 1
  input_minval = 0
  input_maxval = 0
  epsilon = 0.1

  # One random dual vector per layer; all four dual variables alias the same
  # list, which is fine for a numerical-consistency test.
  per_layer_duals = [
      tf.random_uniform(shape=(3, 1), dtype=tf.float32),
      tf.random_uniform(shape=(2, 1), dtype=tf.float32),
  ]
  per_layer_duals = [per_layer_duals[1], per_layer_duals[0]]
  dual_var = {
      "lambda_pos": per_layer_duals,
      "lambda_neg": per_layer_duals,
      "lambda_quad": per_layer_duals,
      "lambda_lu": per_layer_duals,
      "nu": tf.random_uniform(shape=(1, 1), dtype=tf.float32),
  }
  with tf.Session() as sess:
    dual_formulation_object = dual_formulation.DualFormulation(
        sess, dual_var, nn_params1, test_input, true_class, adv_class,
        input_minval, input_maxval, epsilon)
    _, matrix_m = dual_formulation_object.get_full_psd_matrix()

    # Compare M @ v computed implicitly and explicitly on a random vector.
    probe_vector = tf.random_uniform(shape=(6, 1), dtype=tf.float32)
    implicit_product = dual_formulation_object.get_psd_product(probe_vector)
    explicit_product = tf.matmul(matrix_m, probe_vector)
    implicit_value, explicit_value = sess.run(
        [implicit_product, explicit_product])
    self.assertEqual(np.shape(implicit_value), np.shape(explicit_value))
    self.assertLess(np.max(np.abs(implicit_value - explicit_value)), 1e-5)
def prepare_dual_object(self):
  """Builds a session plus a DualFormulation with trainable dual variables."""
  # Tiny two-layer network: 2 -> 3 (relu) -> 2 (linear).
  net_weights = [[[2, 2], [3, 3], [4, 4]], [[1, 1, 1], [-1, -1, -1]]]
  net_biases = [
      np.transpose(np.matrix([0, 0, 0])),
      np.transpose(np.matrix([0, 0]))
  ]
  net_layer_types = ['ff_relu', 'ff']
  nn_params1 = nn.NeuralNetwork(net_weights, net_biases, net_layer_types)

  test_input = np.transpose(np.matrix([0, 0]))
  true_class = 0
  adv_class = 1
  input_minval = 0
  input_maxval = 0
  epsilon = 0.1

  # Each dual variable is a per-layer list of small random tf.Variables.
  # Generated names match the originals: e.g. 'lambda_pos' + '0'.
  def _random_dual_list(name):
    return [
        tf.get_variable(
            name + str(index),
            initializer=np.random.uniform(
                0, 0.1, size=shape).astype(np.float32))
        for index, shape in enumerate([(2, 1), (3, 1)])
    ]

  dual_var = {
      'lambda_pos': _random_dual_list('lambda_pos'),
      'lambda_neg': _random_dual_list('lambda_neg'),
      'lambda_quad': _random_dual_list('lambda_quad'),
      'lambda_lu': _random_dual_list('lambda_lu'),
      # nu starts large (200) and is reshaped to a (1, 1) matrix.
      'nu': tf.reshape(
          tf.get_variable('nu', initializer=200.0, dtype=tf.float32),
          shape=(1, 1))
  }
  sess = tf.Session()
  dual_formulation_object = dual_formulation.DualFormulation(
      sess, dual_var, nn_params1, test_input, true_class, adv_class,
      input_minval, input_maxval, epsilon)
  return sess, dual_formulation_object
def test_set_differentiable_objective(self):
  """Checks shapes of the tensors built by set_differentiable_objective."""
  # Tiny two-layer network: 2 -> 3 (relu) -> 2 (linear).
  net_weights = [[[2, 2], [3, 3], [4, 4]], [[1, 1, 1], [-1, -1, -1]]]
  net_biases = [
      np.transpose(np.matrix([0, 0, 0])),
      np.transpose(np.matrix([0, 0])),
  ]
  net_layer_types = ["ff_relu", "ff"]
  nn_params1 = nn.NeuralNetwork(net_weights, net_biases, net_layer_types)

  test_input = np.transpose(np.matrix([0, 0]))
  true_class = 0
  adv_class = 1
  input_minval = 0
  input_maxval = 0
  epsilon = 0.1

  # One random dual vector per layer; all four dual variables alias the same
  # list, which is fine for a shape-only test.
  per_layer_duals = [
      tf.random_uniform(shape=(2, 1), dtype=tf.float32),
      tf.random_uniform(shape=(3, 1), dtype=tf.float32),
  ]
  dual_var = {
      "lambda_pos": per_layer_duals,
      "lambda_neg": per_layer_duals,
      "lambda_quad": per_layer_duals,
      "lambda_lu": per_layer_duals,
      "nu": tf.random_uniform(shape=(1, 1), dtype=tf.float32),
  }
  with tf.Session() as sess:
    dual_formulation_object = dual_formulation.DualFormulation(
        sess, dual_var, nn_params1, test_input, true_class, adv_class,
        input_minval, input_maxval, epsilon)
    dual_formulation_object.set_differentiable_objective()
    # Static shapes of the objective pieces: scalar f, the (1, 1) objective,
    # and the length-5 constraint vector g.
    self.assertEqual(dual_formulation_object.scalar_f.shape.as_list(), [1])
    self.assertEqual(
        dual_formulation_object.unconstrained_objective.shape.as_list(),
        [1, 1])
    self.assertEqual(dual_formulation_object.vector_g.shape.as_list(), [5, 1])
def test_get_full_psd_matrix(self):
  """Checks the static shapes of the explicit H and M matrices."""
  # Tiny two-layer network: 2 -> 3 (relu) -> 2 (linear).
  net_weights = [[[2, 2], [3, 3], [4, 4]], [[1, 1, 1], [-1, -1, -1]]]
  net_biases = [
      np.transpose(np.matrix([0, 0, 0])),
      np.transpose(np.matrix([0, 0])),
  ]
  net_layer_types = ["ff_relu", "ff"]
  nn_params1 = nn.NeuralNetwork(net_weights, net_biases, net_layer_types)

  test_input = np.transpose(np.matrix([0, 0]))
  true_class = 0
  adv_class = 1
  input_minval = 0
  input_maxval = 0
  epsilon = 0.1

  # One random dual vector per layer; all four dual variables alias the same
  # list, which is fine for a shape-only test.
  per_layer_duals = [
      tf.random_uniform(shape=(2, 1), dtype=tf.float32),
      tf.random_uniform(shape=(3, 1), dtype=tf.float32),
  ]
  dual_var = {
      "lambda_pos": per_layer_duals,
      "lambda_neg": per_layer_duals,
      "lambda_quad": per_layer_duals,
      "lambda_lu": per_layer_duals,
      "nu": tf.random_uniform(shape=(1, 1), dtype=tf.float32),
  }
  with tf.Session() as sess:
    dual_formulation_object = dual_formulation.DualFormulation(
        sess, dual_var, nn_params1, test_input, true_class, adv_class,
        input_minval, input_maxval, epsilon)
    matrix_h, matrix_m = dual_formulation_object.get_full_psd_matrix()
    # H is 5x5 (hidden dims) and M extends it by one row/column to 6x6.
    self.assertEqual(matrix_h.shape.as_list(), [5, 5])
    self.assertEqual(matrix_m.shape.as_list(), [6, 6])
def test_init(self):
  """Smoke test: DualFormulation can be constructed with valid arguments."""
  # Tiny two-layer network: 2 -> 3 (relu) -> 2 (linear).
  net_weights = [[[2, 2], [3, 3], [4, 4]], [[1, 1, 1], [-1, -1, -1]]]
  net_biases = [
      np.transpose(np.matrix([0, 0, 0])),
      np.transpose(np.matrix([0, 0])),
  ]
  net_layer_types = ["ff_relu", "ff"]
  nn_params1 = nn.NeuralNetwork(net_weights, net_biases, net_layer_types)

  test_input = np.transpose(np.matrix([0, 0]))
  true_class = 0
  adv_class = 1
  input_minval = 0
  input_maxval = 0
  epsilon = 0.1

  # One random dual vector per layer; all four dual variables alias the same
  # list, which is fine for a constructor smoke test.
  per_layer_duals = [
      tf.random_uniform(shape=(2, 1), dtype=tf.float32),
      tf.random_uniform(shape=(3, 1), dtype=tf.float32),
  ]
  dual_var = {
      "lambda_pos": per_layer_duals,
      "lambda_neg": per_layer_duals,
      "lambda_quad": per_layer_duals,
      "lambda_lu": per_layer_duals,
      "nu": tf.random_uniform(shape=(1, 1), dtype=tf.float32),
  }
  with tf.Session() as sess:
    dual_formulation_object = dual_formulation.DualFormulation(
        sess, dual_var, nn_params1, test_input, true_class, adv_class,
        input_minval, input_maxval, epsilon)
    self.assertIsNotNone(dual_formulation_object)
def test_init(self):
  """Smoke test: DualFormulation can be constructed with valid arguments."""
  # Tiny two-layer network: 2 -> 3 (relu) -> 2 (linear).
  net_weights = [[[2, 2], [3, 3], [4, 4]], [[1, 1, 1], [-1, -1, -1]]]
  net_biases = [
      np.transpose(np.matrix([0, 0, 0])),
      np.transpose(np.matrix([0, 0]))
  ]
  net_layer_types = ['ff_relu', 'ff']
  nn_params1 = neural_net_params.NeuralNetParams(net_weights, net_biases,
                                                 net_layer_types)

  test_input = np.transpose(np.matrix([0, 0]))
  true_class = 0
  adv_class = 1
  input_minval = 0
  input_maxval = 0
  epsilon = 0.1

  # One random dual vector per layer; all four dual variables alias the same
  # list, which is fine for a constructor smoke test.
  per_layer_duals = [
      tf.random_uniform(shape=(2, 1), dtype=tf.float32),
      tf.random_uniform(shape=(3, 1), dtype=tf.float32),
  ]
  dual_var = {
      'lambda_pos': per_layer_duals,
      'lambda_neg': per_layer_duals,
      'lambda_quad': per_layer_duals,
      'lambda_lu': per_layer_duals,
      'nu': tf.random_uniform(shape=(1, 1), dtype=tf.float32)
  }
  dual_formulation_object = dual_formulation.DualFormulation(
      dual_var, nn_params1, test_input, true_class, adv_class, input_minval,
      input_maxval, epsilon)
  self.assertIsNotNone(dual_formulation_object)
def project_dual(self):
  """Function to create variables for the projected dual object.

  Function that projects the input dual variables onto the feasible set.

  Returns:
    projected_dual: Feasible dual solution corresponding to current dual
  """
  # Copy every dual variable (tf.identity makes independent graph tensors);
  # only lambda_lu entries are adjusted below, the rest pass through.
  # TODO: consider whether we can use shallow copy of the lists without
  # using tf.identity
  projected_lambda_pos = [
      tf.identity(x) for x in self.dual_object.lambda_pos
  ]
  projected_lambda_neg = [
      tf.identity(x) for x in self.dual_object.lambda_neg
  ]
  projected_lambda_quad = [
      tf.identity(x) for x in self.dual_object.lambda_quad
  ]
  projected_lambda_lu = [
      tf.identity(x) for x in self.dual_object.lambda_lu
  ]
  projected_nu = tf.identity(self.dual_object.nu)

  # TODO: get rid of the special case for one hidden layer
  # Different projection for 1 hidden layer
  if self.dual_object.nn_params.num_hidden_layers == 1:
    # Creating equivalent PSD matrix for H by Schur complements
    diag_entries = 0.5 * tf.divide(
        tf.square(self.dual_object.lambda_quad[
            self.dual_object.nn_params.num_hidden_layers]),
        (self.dual_object.lambda_quad[
            self.dual_object.nn_params.num_hidden_layers] +
         self.dual_object.lambda_lu[
             self.dual_object.nn_params.num_hidden_layers]))
    # If lambda_quad[i], lambda_lu[i] are 0, entry is NaN currently,
    # but we want to set that to 0
    diag_entries = tf.where(tf.is_nan(diag_entries),
                            tf.zeros_like(diag_entries), diag_entries)
    last_layer_weights = self.dual_object.nn_params.weights[
        self.dual_object.nn_params.num_hidden_layers - 1]
    # matrix = W^T diag(entries) W  (Schur-complement correction term)
    matrix = tf.matmul(
        tf.matmul(tf.transpose(last_layer_weights),
                  utils.diag(diag_entries)),
        last_layer_weights)
    new_matrix = utils.diag(
        2 * self.dual_object.lambda_lu[
            self.dual_object.nn_params.num_hidden_layers - 1]) - matrix
    # Making symmetric
    new_matrix = 0.5 * (new_matrix + tf.transpose(new_matrix))
    eig_vals = tf.self_adjoint_eigvals(new_matrix)
    min_eig = tf.reduce_min(eig_vals)
    # If min_eig is positive, already feasible, so don't add
    # Otherwise add to make PSD [1E-6 is for ensuring strictly PSD (useful
    # while inverting)]
    projected_lambda_lu[0] = (projected_lambda_lu[0] +
                              0.5 * tf.maximum(-min_eig, 0) + 1E-6)
  else:
    # Minimum eigen value of H
    # TODO: Write this in terms of matrix multiply
    # matrix H is a submatrix of M, thus we just need to extend existing code
    # for computing matrix-vector product (see get_psd_product function).
    # Then use the same trick to compute smallest eigenvalue.
    eig_vals = tf.self_adjoint_eigvals(self.dual_object.matrix_h)
    min_eig = tf.reduce_min(eig_vals)

    for i in range(self.dual_object.nn_params.num_hidden_layers + 1):
      # Since lambda_lu appears only in diagonal terms, can subtract to
      # make PSD and feasible
      projected_lambda_lu[i] = (projected_lambda_lu[i] +
                                0.5 * tf.maximum(-min_eig, 0) + 1E-6)
      # Adjusting lambda_neg wherever possible so that lambda_neg + lambda_lu
      # remains close to unchanged
      # projected_lambda_neg[i] = tf.maximum(0.0, projected_lambda_neg[i] +
      #                                      (0.5*min_eig - 1E-6)*
      #                                      (self.lower[i] + self.upper[i]))

  # Package the projected variables into a fresh (feasible) dual object that
  # mirrors the current problem instance.
  projected_dual_var = {
      'lambda_pos': projected_lambda_pos,
      'lambda_neg': projected_lambda_neg,
      'lambda_lu': projected_lambda_lu,
      'lambda_quad': projected_lambda_quad,
      'nu': projected_nu
  }
  projected_dual_object = dual_formulation.DualFormulation(
      projected_dual_var, self.dual_object.nn_params,
      self.dual_object.test_input, self.dual_object.true_class,
      self.dual_object.adv_class, self.dual_object.input_minval,
      self.dual_object.input_maxval, self.dual_object.epsilon)
  return projected_dual_object
def main(_):  # pylint: disable=missing-docstring
  tf.logging.set_verbosity(FLAGS.verbosity)

  start_time = time.time()

  # Restore the trained network from its checkpoint and architecture file.
  input_shape = [FLAGS.num_rows, FLAGS.num_columns, FLAGS.num_channels]
  nn_params = nn.load_network_from_checkpoint(FLAGS.checkpoint,
                                              FLAGS.model_json, input_shape)
  tf.logging.info('Loaded neural network with size of layers: %s',
                  nn_params.sizes)
  tf.logging.info('Loaded neural network with input shapes: %s',
                  nn_params.input_shapes)
  tf.logging.info('Loaded neural network with output shapes: %s',
                  nn_params.output_shapes)

  # Dual variables are initialized once and shared across adversarial classes.
  dual_var = utils.initialize_dual(nn_params, FLAGS.init_dual_file,
                                   init_nu=FLAGS.init_nu)

  # Load the test point and flatten it into a column vector.
  with tf.gfile.Open(FLAGS.test_input) as f:
    test_input = np.load(f)
  test_input = np.reshape(test_input, [np.size(test_input), 1])

  # adv_class == -1 means "sweep every class"; otherwise certify just one.
  if FLAGS.adv_class == -1:
    start_class, end_class = 0, FLAGS.num_classes
  else:
    start_class, end_class = FLAGS.adv_class, FLAGS.adv_class + 1

  # Optimizer hyper-parameters, read straight from the flags of the same name.
  flag_names = [
      'init_penalty', 'large_eig_num_steps', 'small_eig_num_steps',
      'inner_num_steps', 'outer_num_steps', 'beta', 'smoothness_parameter',
      'eig_learning_rate', 'optimizer', 'init_learning_rate',
      'learning_rate_decay', 'momentum_parameter', 'print_stats_steps',
      'stats_folder', 'projection_steps', 'eig_type', 'lanczos_steps'
  ]

  for adv_class in range(start_class, end_class):
    tf.logging.info('Running certification for adversarial class %d',
                    adv_class)
    if adv_class == FLAGS.true_class:
      # The true class cannot be its own adversarial target.
      continue

    optimization_params = {name: getattr(FLAGS, name) for name in flag_names}
    optimization_params['has_conv'] = nn_params.has_conv
    lzs_params = {
        'min_iter': MIN_LANCZOS_ITER,
        'max_iter': FLAGS.lanczos_steps
    }
    with tf.Session() as sess:
      dual = dual_formulation.DualFormulation(sess, dual_var, nn_params,
                                              test_input, FLAGS.true_class,
                                              adv_class, FLAGS.input_minval,
                                              FLAGS.input_maxval,
                                              FLAGS.epsilon, lzs_params)
      optimization_object = optimization.Optimization(dual, sess,
                                                      optimization_params)
      is_cert_found = optimization_object.run_optimization()
      if not is_cert_found:
        print('Example could not be verified')
        exit()
  print('Example successfully verified')
  print('Elapsed time: ' + str(time.time() - start_time))