def get_data_params(X, Y, percentile): num_classes = len(set(Y)) num_features = X.shape[1] centroids = np.zeros((num_classes, num_features)) class_map = get_class_map() centroids = get_centroids(X, Y, class_map) # Get radii for sphere sphere_radii = np.zeros(2) dists = defenses.compute_dists_under_Q(X, Y, Q=None, centroids=centroids, class_map=class_map, norm=2) for y in set(Y): sphere_radii[class_map[y]] = np.percentile(dists[Y == y], percentile) # Get vector between centroids centroid_vec = get_centroid_vec(centroids) # Get radii for slab slab_radii = np.zeros(2) for y in set(Y): dists = np.abs((X[Y == y, :].dot(centroid_vec.T) - centroids[class_map[y], :].dot(centroid_vec.T))) slab_radii[class_map[y]] = np.percentile(dists, percentile) return class_map, centroids, centroid_vec, sphere_radii, slab_radii
def get_feasible_flipped_mask(X_train, Y_train, centroids, centroid_vec, sphere_radii, slab_radii, class_map, use_slab=False): sphere_dists_flip = defenses.compute_dists_under_Q(X_train, -Y_train, Q=None, subtract_from_l2=False, centroids=centroids, class_map=class_map, norm=2) if use_slab: slab_dists_flip = defenses.compute_dists_under_Q( X_train, -Y_train, Q=centroid_vec, subtract_from_l2=False, centroids=centroids, class_map=class_map, norm=2) feasible_flipped_mask = np.zeros(X_train.shape[0], dtype=bool) for y in set(Y_train): class_idx_flip = class_map[-y] sphere_radius_flip = sphere_radii[class_idx_flip] feasible_flipped_mask[Y_train == y] = (sphere_dists_flip[Y_train == y] <= sphere_radius_flip) if use_slab: slab_radius_flip = slab_radii[class_idx_flip] feasible_flipped_mask[Y_train == y] = ( feasible_flipped_mask[Y_train == y] & (slab_dists_flip[Y_train == y] <= slab_radius_flip)) return feasible_flipped_mask
def filter_points_outside_feasible_set(X, Y, centroids, centroid_vec, sphere_radii, slab_radii, class_map): sphere_dists = defenses.compute_dists_under_Q(X, Y, Q=None, centroids=centroids, class_map=class_map) slab_dists = defenses.compute_dists_under_Q(X, Y, Q=centroid_vec, centroids=centroids, class_map=class_map) idx_to_keep = np.array([True] * X.shape[0]) for y in set(Y): idx_to_keep[np.where(Y == y)[0][ sphere_dists[Y == y] > sphere_radii[class_map[y]]]] = False idx_to_keep[np.where( Y == y)[0][slab_dists[Y == y] > slab_radii[class_map[y]]]] = False print(np.sum(idx_to_keep)) return X[idx_to_keep, :], Y[idx_to_keep]
frac_increment=frac_increment, num_folds=num_folds, dists=dists) results['num_neighbors'] = num_neighbors ## l2 grad defense defense_label = 'grad-l2-ball' if ((defense_to_test is None) or (defense_to_test == defense_label)): print(' Computing L2 norm of gradients...') losses = datadef.get_losses(params_modified, bias_modified) sv_indices = losses > 0 sv_centroids = data.get_centroids(X_modified[sv_indices, :], Y_modified[sv_indices], class_map) dists = defenses.compute_dists_under_Q(X_modified, Y_modified, Q=None, subtract_from_l2=None, centroids=sv_centroids, class_map=class_map) dists[~sv_indices] = 0 dists = dists.reshape(-1, 1) all_dists, results = defense_testers.process_defense( datadef, Q=None, all_dists=all_dists, model=svm_model, weight_decay=best_weight_decay_modified, results=results, use_emp=None, use_emp_label=None, defense_label=defense_label, max_frac_to_remove=max_frac_to_remove,
assert dataset_name in ['imdb', 'enron', 'dogfish', 'mnist_17'] print('=== Dataset: %s ===' % dataset_name) epsilons = datasets.DATASET_EPSILONS[dataset_name] X_train, Y_train, X_test, Y_test = datasets.load_dataset(dataset_name) random_seed = 1 class_map, centroids, centroid_vec, sphere_radii, slab_radii = data.get_data_params( X_train, Y_train, percentile=70) sphere_dists_flip = defenses.compute_dists_under_Q(X_train, -Y_train, Q=None, subtract_from_l2=False, centroids=centroids, class_map=class_map, norm=2) slab_dists_flip = defenses.compute_dists_under_Q(X_train, -Y_train, Q=centroid_vec, subtract_from_l2=False, centroids=centroids, class_map=class_map, norm=2) feasible_flipped_mask = np.zeros(X_train.shape[0], dtype=bool) for y in set(Y_train):