class BIMAttack(AdversarialAttack): def __init__(self, model, step_size_iter=0.05, max_perturbation=0.3, n_iterations=10, targeted=False, norm_order=np.inf, rand_init=None, rand_minmax=0.3, clip_min=None, clip_max=None, sanity_checks=True): super().__init__(model=model, clip_min=clip_min, clip_max=clip_max) self._targeted = targeted self._step_size_iter = step_size_iter self._max_perturbation = max_perturbation self._n_iterations = n_iterations self._norm_order = norm_order self._rand_init = rand_init self._rand_minmax = rand_minmax self._sanity_checks = sanity_checks with self.graph.as_default(): self._method = BasicIterativeMethod( self._model, sess=self.session, eps=self._max_perturbation, eps_iter=self._step_size_iter, nb_iter=self._n_iterations, ord=self._norm_order, clip_min=self._clip_min, clip_max=self._clip_max, rand_init=self._rand_init, sanity_checks=self._sanity_checks) def attack_method(self, labels): if labels is not None: if self._targeted: return self._method.generate(x=self._x_clean, y_target=labels, rand_minmax=self._rand_minmax) else: return self._method.generate(x=self._x_clean, y=labels, rand_minmax=self._rand_minmax) return self._method.generate(x=self._x_clean, rand_minmax=self._rand_minmax)
def backtracking(sess, x, y, model, x_test, y_test, params, batch_size=128): tf.set_random_seed(1822) set_log_level(logging.DEBUG) from cleverhans.attacks import BasicIterativeMethod method = BasicIterativeMethod(model, sess=sess) adv_x = method.generate(x, **params) num_batch = x_test.shape[0] // batch_size adv_imgs = [] for i in range(num_batch): if (i + 1) * batch_size >= x_test.shape[0]: adv_imgs.append( sess.run(adv_x, feed_dict={ x: x_test[i * batch_size:], y: y_test[i * batch_size:] })) else: adv_imgs.append( sess.run(adv_x, feed_dict={ x: x_test[i * batch_size:(i + 1) * batch_size], y: y_test[i * batch_size:(i + 1) * batch_size] })) adv_imgs = np.concatenate(adv_imgs, axis=0) return adv_imgs
def main(_): # Images for inception classifier are normalized to be in [-1, 1] interval, # eps is a difference between pixels so it should be in [0, 2] interval. # Renormalizing epsilon from [0, 255] to [0, 2]. eps = 2.0 * FLAGS.max_epsilon / 255.0 batch_shape = [FLAGS.batch_size, FLAGS.image_height, FLAGS.image_width, 3] num_classes = 1001 tf.logging.set_verbosity(tf.logging.INFO) with tf.Graph().as_default(): # Prepare graph x_input = tf.placeholder(tf.float32, shape=batch_shape) model = InceptionModel(num_classes) fgsm = BasicIterativeMethod(model) x_adv = fgsm.generate(x_input, eps=eps, clip_min=-1., clip_max=1.) # Run computation saver = tf.train.Saver(slim.get_model_variables()) session_creator = tf.train.ChiefSessionCreator( scaffold=tf.train.Scaffold(saver=saver), checkpoint_filename_with_path=FLAGS.checkpoint_path, master=FLAGS.master) with tf.train.MonitoredSession( session_creator=session_creator) as sess: for filenames, images in load_images(FLAGS.input_dir, batch_shape): adv_images = sess.run(x_adv, feed_dict={x_input: images}) save_images(adv_images, filenames, FLAGS.output_dir)
def fgsm_combo(): acc = model_eval(sess, x, y, preds, X_test, Y_test, args=eval_par) print('Test accuracy on legitimate examples: %0.4f\n' % acc) fgsm = FastGradientMethod(model, sess=sess) #initialize_uninitialized_global_variables(sess) adv_x = fgsm.generate(x, **fgsm_params) preds_adv = model.get_probs(adv_x) acc = model_eval(sess, x, y, preds_adv, X_test, Y_test, args=eval_par) print( 'Test accuracy on adversarial examples generated by fgsm: %0.4f\n' % acc) bim = BasicIterativeMethod(model, sess=sess) adv_x = bim.generate(x) preds_adv = model.get_probs(adv_x) acc = model_eval(sess, x, y, preds_adv, X_test, Y_test, args=eval_par) print( 'Test accuracy on adversarial examples generated by IterativeMethod: %0.4f\n' % acc)
def main(argv): checkpoint = tf.train.latest_checkpoint(FLAGS.checkpoint_dir) if checkpoint is None: raise ValueError("Couldn't find latest checkpoint in " + FLAGS.checkpoint_dir) train_start = 0 train_end = 60000 test_start = 0 test_end = 10000 X_train, Y_train, X_test, Y_test = data_mnist(train_start=train_start, train_end=train_end, test_start=test_start, test_end=test_end) assert Y_train.shape[1] == 10 # NOTE: for compatibility with Madry Lab downloadable checkpoints, # we cannot enclose this in a scope or do anything else that would # change the automatic naming of the variables. model = MadryMNIST() x_input = tf.placeholder(tf.float32, shape=[None, 784]) x_image = tf.placeholder(tf.float32, shape=[None, 28, 28, 1]) y = tf.placeholder(tf.float32, shape=[None, 10]) if FLAGS.attack_type == 'fgsm': fgsm = FastGradientMethod(model) fgsm_params = {'eps': 0.3, 'clip_min': 0., 'clip_max': 1.} adv_x = fgsm.generate(x_image, **fgsm_params) elif FLAGS.attack_type == 'bim': bim = BasicIterativeMethod(model) bim_params = {'eps': 0.3, 'clip_min': 0., 'clip_max': 1., 'nb_iter': 50, 'eps_iter': .01} adv_x = bim.generate(x_image, **bim_params) else: raise ValueError(FLAGS.attack_type) preds_adv = model.get_probs(adv_x) saver = tf.train.Saver() with tf.Session() as sess: # Restore the checkpoint saver.restore(sess, checkpoint) # Evaluate the accuracy of the MNIST model on adversarial examples eval_par = {'batch_size': FLAGS.batch_size} t1 = time.time() acc = model_eval( sess, x_image, y, preds_adv, X_test, Y_test, args=eval_par) t2 = time.time() print("Took", t2 - t1, "seconds") print('Test accuracy on adversarial examples: %0.4f\n' % acc)
def main(argv): checkpoint = tf.train.latest_checkpoint(FLAGS.checkpoint_dir) if checkpoint is None: raise ValueError("Couldn't load checkpoint") train_start = 0 train_end = 60000 test_start = 0 test_end = 10000 X_train, Y_train, X_test, Y_test = data_mnist(train_start=train_start, train_end=train_end, test_start=test_start, test_end=test_end) assert Y_train.shape[1] == 10 # NOTE: for compatibility with Madry Lab downloadable checkpoints, # we cannot enclose this in a scope or do anything else that would # change the automatic naming of the variables. model = MadryMNIST() x_input = tf.placeholder(tf.float32, shape=[None, 784]) x_image = tf.placeholder(tf.float32, shape=[None, 28, 28, 1]) y = tf.placeholder(tf.float32, shape=[None, 10]) if FLAGS.attack_type == 'fgsm': fgsm = FastGradientMethod(model) fgsm_params = {'eps': 0.3, 'clip_min': 0., 'clip_max': 1.} adv_x = fgsm.generate(x_image, **fgsm_params) elif FLAGS.attack_type == 'bim': bim = BasicIterativeMethod(model) bim_params = {'eps': 0.3, 'clip_min': 0., 'clip_max': 1., 'nb_iter': 50, 'eps_iter': .01} adv_x = bim.generate(x_image, **bim_params) else: raise ValueError(FLAGS.attack_type) preds_adv = model.get_probs(adv_x) saver = tf.train.Saver() with tf.Session() as sess: # Restore the checkpoint saver.restore(sess, checkpoint) # Evaluate the accuracy of the MNIST model on adversarial examples eval_par = {'batch_size': FLAGS.batch_size} t1 = time.time() acc = model_eval( sess, x_image, y, preds_adv, X_test, Y_test, args=eval_par) t2 = time.time() print("Took", t2 - t1, "seconds") print('Test accuracy on adversarial examples: %0.4f\n' % acc)
def _BIM(self): bim_attack = BasicIterativeMethod(self.wrapped_model, sess=self.sess) eps = 0 if self.dataset == 'MNIST': for _ in range(5): eps = eps + 0.1 params = { 'eps': eps, 'eps_iter': eps / 10, 'nb_iter': 10, 'y': self.y, 'clip_min': 0., 'clip_max': 1. } adv_x = bim_attack.generate(self.x, **params) adv_x = tf.stop_gradient(adv_x) print(f'Epsilon: {eps}') self.out_file.write(f'Epsilon: {eps}\n') self.save_images(adv_x, self.save_loc + f'_e{eps}') if self.dataset == 'CIFAR10': for _ in range(10): eps = eps + 1 params = { 'eps': eps / 255, 'eps_iter': eps / 255 / 10, 'nb_iter': 10, 'y': self.y, 'clip_min': 0., 'clip_max': 1. } adv_x = bim_attack.generate(self.x, **params) adv_x = tf.stop_gradient(adv_x) print(f'Epsilon: {eps}') self.out_file.write(f'Epsilon: {eps}\n') self.save_images(adv_x, self.save_loc + f'_e{eps}')
def backtracking(sess, x, model, x_test, params, batch_size=128): from cleverhans.attacks import BasicIterativeMethod method = BasicIterativeMethod(model, sess=sess) adv_x = method.generate(x, **params) num_batch = x_test.shape[0] // batch_size adv_imgs = [] for i in range(num_batch): if i + 1 == num_batch: x_feed = x_test[i*batch_size:] else: x_feed = x_test[i*batch_size:(i+1)*batch_size] adv_img = sess.run(adv_x, feed_dict={x: x_feed}) adv_imgs.append(adv_img) adv_imgs = np.concatenate(adv_imgs, axis=0) return adv_imgs
def evaluate_checkpoint(filename): if attack_method == 'BIM': bim = BasicIterativeMethod(model) bim_params = { 'eps': 0.3, 'clip_min': 0., 'clip_max': 1., 'nb_iter': 50, 'eps_iter': .01 } adv_x = bim.generate(x_image, **bim_params) elif attack_method == 'FGM': FGM_attack = FastGradientMethod(model) FGM_params = {'eps': 0.3, 'clip_min': 0., 'clip_max': 1.} adv_x = FGM_attack.generate(x_image, **FGM_params) elif attack_method == 'PGD': pgd = ProjectedGradientDescent(model) pgd_params = { 'eps': 0.09, 'clip_min': 0., 'clip_max': 1., 'nb_iter': 40, 'eps_iter': .01 } adv_x = pgd.generate(x_image, **pgd_params) preds_adv = model.get_probs(adv_x) with tf.Session() as sess: # Restore the checkpoint saver = tf.train.Saver(var_list=model.all_variables) saver.restore(sess, filename) eval_par = {'batch_size': batch_size} t1 = time.time() acc = model_eval(sess, x_image, y, preds_adv, X_test, Y_test, args=eval_par) t2 = time.time() print("Took", t2 - t1, "seconds") print('Test accuracy on adversarial examples: %0.4f\n' % acc)
def adversarial_training(epsilon=0.3, eps_iter=0.05, nb_iter=10, order=np.inf): bim2 = BasicIterativeMethod(wrap_2, sess=sess) preds_2_adv = model_2(bim2.generate(x, **fgsm_params)) def evaluate_2(): # Accuracy of adversarially trained model on legitimate test inputs eval_params = {'batch_size': batch_size} accuracy = model_eval(sess, x, y, preds_2, X_test, Y_test, args=eval_params) print('Test accuracy on legitimate examples: %0.4f' % accuracy) report.adv_train_clean_eval = accuracy # Accuracy of the adversarially trained model on adversarial examples accuracy = model_eval(sess, x, y, preds_2_adv, X_test, Y_test, args=eval_params) print('Test accuracy on adversarial examples: %0.4f' % accuracy) report.adv_train_adv_eval = accuracy # Perform and evaluate adversarial training model_train(sess, x, y, preds_2, X_train, Y_train, predictions_adv=preds_2_adv, evaluate=evaluate_2, args=train_params, save=False, rng=rng)
def test(): """ """ tf.reset_default_graph() g = tf.get_default_graph() with g.as_default(): # Placeholder nodes. images_holder = tf.placeholder( tf.float32, [None, FLAGS.IMAGE_ROWS, FLAGS.IMAGE_COLS, FLAGS.NUM_CHANNELS]) label_holder = tf.placeholder(tf.float32, [None, FLAGS.NUM_CLASSES]) is_training = tf.placeholder(tf.bool, ()) # model model = model_cifar100.RDPCNN(images_holder, label_holder, FLAGS.INPUT_SIGMA, is_training) # for adv examples model_loss = model.loss() model_acc = model.cnn_accuracy # robust def inference(x): logits, _ = model.cnn.prediction(x) return logits def inference_prob(x): _, probs = model.cnn.prediction(x) return probs graph_dict = {} graph_dict["images_holder"] = images_holder graph_dict["label_holder"] = label_holder graph_dict["is_training"] = is_training config = tf.ConfigProto() config.gpu_options.allow_growth = True with tf.Session(config=config, graph=g) as sess: sess.run(tf.global_variables_initializer()) # load model model.tf_load(sess, name=FLAGS.CNN_CKPT_RESTORE_NAME) # adv test #################################################################################################### x_advs = {} ch_model_logits = CallableModelWrapper(callable_fn=inference, output_layer='logits') ch_model_probs = CallableModelWrapper(callable_fn=inference_prob, output_layer='probs') # FastGradientMethod fgsm_obj = FastGradientMethod(model=ch_model_probs, sess=sess) x_advs["fgsm"] = fgsm_obj.generate(x=images_holder, eps=FLAGS.ATTACK_SIZE, clip_min=0.0, clip_max=1.0) # testing now # Iterative FGSM (BasicIterativeMethod/ProjectedGradientMethod with no random init) # default: eps_iter=0.05, nb_iter=10 ifgsm_obj = BasicIterativeMethod(model=ch_model_probs, sess=sess) x_advs["ifgsm"] = ifgsm_obj.generate(x=images_holder, eps=FLAGS.ATTACK_SIZE, eps_iter=FLAGS.ATTACK_SIZE / 10, nb_iter=10, clip_min=0.0, clip_max=1.0) # MomentumIterativeMethod # default: eps_iter=0.06, nb_iter=10 mim_obj = MomentumIterativeMethod(model=ch_model_probs, sess=sess) x_advs["mim"] = mim_obj.generate(x=images_holder, eps=FLAGS.ATTACK_SIZE, eps_iter=FLAGS.ATTACK_SIZE / 10, nb_iter=10, decay_factor=1.0, clip_min=0.0, clip_max=1.0) # MadryEtAl (Projected Grdient with random init, same as rand+fgsm) # default: eps_iter=0.01, nb_iter=40 madry_obj = MadryEtAl(model=ch_model_probs, sess=sess) x_advs["madry"] = madry_obj.generate(x=images_holder, eps=FLAGS.ATTACK_SIZE, eps_iter=FLAGS.ATTACK_SIZE / 10, nb_iter=10, clip_min=0.0, clip_max=1.0) graph_dict["x_advs"] = x_advs #################################################################################################### # tensorboard writer #test_writer = model_utils.init_writer(FLAGS.TEST_LOG_PATH, g) print("\nTest") if FLAGS.local: total_test_batch = 2 else: total_test_batch = None dp_info = np.load(FLAGS.DP_INFO_NPY, allow_pickle=True).item() test_info(sess, model, True, graph_dict, dp_info, FLAGS.TEST_LOG_FILENAME, total_batch=total_test_batch) robust_info(sess, model, graph_dict, FLAGS.ROBUST_LOG_FILENAME)
def b_dcgan(dataset, args): z_dim = args.z_dim x_dim = dataset.x_dim batch_size = args.batch_size dataset_size = dataset.dataset_size session = get_session() test_x = tf.placeholder(tf.float32, shape=(batch_size, 28, 28, 1)) x = tf.placeholder(tf.float32, shape=(batch_size, 28, 28, 1)) y = tf.placeholder(tf.float32, shape=(batch_size, 10)) unlabeled_batch_ph = tf.placeholder(tf.float32, shape=(batch_size, 28, 28, 1)) labeled_image_ph = tf.placeholder(tf.float32, shape=(batch_size, 28, 28, 1)) if args.random_seed is not None: tf.set_random_seed(args.random_seed) # due to how much the TF code sucks all functions take fixed batch_size at all times dcgan = BDCGAN( x_dim, z_dim, dataset_size, batch_size=batch_size, J=args.J, M=args.M, lr=args.lr, optimizer=args.optimizer, gen_observed=args.gen_observed, adv_train=args.adv_train, num_classes=dataset.num_classes if args.semi_supervised else 1) if args.adv_test and args.semi_supervised: if args.basic_iterative: fgsm = BasicIterativeMethod(dcgan, sess=session) dcgan.adv_constructor = fgsm fgsm_params = { 'eps': args.eps, 'eps_iter': float(args.eps / 4), 'nb_iter': 4, 'ord': np.inf, 'clip_min': 0., 'clip_max': 1. } #,'y_target': None} else: fgsm = FastGradientMethod(dcgan, sess=session) dcgan.adv_constructor = fgsm eval_params = {'batch_size': batch_size} fgsm_params = {'eps': args.eps, 'clip_min': 0., 'clip_max': 1.} adv_x = fgsm.generate(x, **fgsm_params) adv_test_x = fgsm.generate(test_x, **fgsm_params) preds = dcgan.get_probs(adv_x) if args.adv_train: unlabeled_targets = np.zeros([batch_size, dcgan.K + 1]) unlabeled_targets[:, 0] = 1 fgsm_targeted_params = { 'eps': args.eps, 'clip_min': 0., 'clip_max': 1., 'y_target': unlabeled_targets } saver = tf.train.Saver() print("Starting session") session.run(tf.global_variables_initializer()) prev_iters = 0 if args.load_chkpt: saver.restore(session, args.chkpt) # Assume checkpoint is of the form "model_300" prev_iters = int(args.chkpt.split('/')[-1].split('_')[1]) print("Model restored from iteration:", prev_iters) print("Starting training loop") num_train_iter = args.train_iter if hasattr(dataset, "supervised_batches"): # implement own data feeder if data doesnt fit in memory supervised_batches = dataset.supervised_batches(args.N, batch_size) else: supervised_batches = get_supervised_batches( dataset, args.N, batch_size, list(range(dataset.num_classes))) if args.semi_supervised: test_image_batches, test_label_batches = get_test_batches( dataset, batch_size) optimizer_dict = { "semi_d": dcgan.d_optim_semi_adam, "sup_d": dcgan.s_optim_adam, "adv_d": dcgan.d_optim_adam, "gen": dcgan.g_optims_adam } else: optimizer_dict = { "adv_d": dcgan.d_optim_adam, "gen": dcgan.g_optims_adam } base_learning_rate = args.lr # for now we use same learning rate for Ds and Gs lr_decay_rate = args.lr_decay for train_iter in range(1 + prev_iters, 1 + num_train_iter): if train_iter == 5000: print("Switching to user-specified optimizer") if args.semi_supervised: optimizer_dict = { "semi_d": dcgan.d_optim_semi, "sup_d": dcgan.s_optim, "adv_d": dcgan.d_optim, "gen": dcgan.g_optims } else: optimizer_dict = { "adv_d": dcgan.d_optim, "gen": dcgan.g_optims } learning_rate = base_learning_rate * np.exp(-lr_decay_rate * min( 1.0, (train_iter * batch_size) / float(dataset_size))) batch_z = np.random.uniform(-1, 1, [batch_size, z_dim]) image_batch, batch_label = dataset.next_batch(batch_size, class_id=None) batch_targets = np.zeros([batch_size, 11]) batch_targets[:, 0] = 1 if args.semi_supervised: labeled_image_batch, labels = next(supervised_batches) if args.adv_train: adv_labeled = session.run( fgsm.generate(labeled_image_ph, **fgsm_targeted_params), feed_dict={labeled_image_ph: labeled_image_batch}) adv_unlabeled = session.run( fgsm.generate(unlabeled_batch_ph, **fgsm_params), feed_dict={unlabeled_batch_ph: image_batch}) _, d_loss = session.run( [optimizer_dict["semi_d"], dcgan.d_loss_semi], feed_dict={ dcgan.labeled_inputs: labeled_image_batch, dcgan.labels: get_gan_labels(labels), dcgan.inputs: image_batch, dcgan.z: batch_z, dcgan.d_semi_learning_rate: learning_rate, dcgan.adv_unlab: adv_unlabeled, dcgan.adv_labeled: adv_labeled }) else: _, d_loss = session.run( [optimizer_dict["semi_d"], dcgan.d_loss_semi], feed_dict={ dcgan.labeled_inputs: labeled_image_batch, dcgan.labels: get_gan_labels(labels), dcgan.inputs: image_batch, dcgan.z: batch_z, dcgan.d_semi_learning_rate: learning_rate }) _, s_loss = session.run([optimizer_dict["sup_d"], dcgan.s_loss], feed_dict={ dcgan.inputs: labeled_image_batch, dcgan.lbls: labels }) else: # regular GAN _, d_loss = session.run( [optimizer_dict["adv_d"], dcgan.d_loss], feed_dict={ dcgan.inputs: image_batch, dcgan.z: batch_z, dcgan.d_learning_rate: learning_rate }) if args.wasserstein: session.run(dcgan.clip_d, feed_dict={}) g_losses = [] for gi in range(dcgan.num_gen): # compute g_sample loss batch_z = np.random.uniform(-1, 1, [batch_size, z_dim]) for m in range(dcgan.num_mcmc): _, g_loss = session.run([ optimizer_dict["gen"][gi * dcgan.num_mcmc + m], dcgan.generation["g_losses"][gi * dcgan.num_mcmc + m] ], feed_dict={ dcgan.z: batch_z, dcgan.g_learning_rate: learning_rate }) g_losses.append(g_loss) # if args.adv_test: # probs, logits = dcgan.discriminator(adv_x,dcgan.K+1,reuse = True) # labels = tf.placeholder(tf.float32, # [args.batch_size, dcgan.K+1], name='real_targets') # compare_labels = tf.convert_to_tensor(np.array([np.append(0,i) for i in batch_label])) # print(session.run(model_loss(compare_labels,probs), feed_dict = {x:image_batch})) # if args.adv_test: # #preds = dcgan.get_probs(adv_x) # #eval_preds = session.run(preds, feed_dict = {x:image_batch}) # #print(eval_preds[0]) # #adv_exs = session.run(adv_test_x, feed_dict = {x:test_image_batches}) # # adv_acc = model_eval( # # session, x, y, preds, image_batch, batch_label, args=eval_params) # # #print(session.run(model_loss(compare_labels,probs), feed_dict = {x:image_batch})) # # print("Adversarial loss = %2.f" % (1-adv_acc)) # print(get_test_accuracy(session,dcgan,adv_set,test_label_batches)) if train_iter > 0 and train_iter % args.n_save == 0: print("Iter %i" % train_iter) # collect samples if args.save_samples: # saving samples all_sampled_imgs = [] for gi in range(dcgan.num_gen): _imgs, _ps = [], [] for _ in range(10): sample_z = np.random.uniform(-1, 1, size=(batch_size, z_dim)) sampled_imgs, sampled_probs = session.run([ dcgan.generation["gen_samplers"][gi * dcgan.num_mcmc], dcgan.generation["d_probs"][gi * dcgan.num_mcmc] ], feed_dict={ dcgan.z: sample_z }) _imgs.append(sampled_imgs) _ps.append(sampled_probs) sampled_imgs = np.concatenate(_imgs) sampled_probs = np.concatenate(_ps) all_sampled_imgs.append( [sampled_imgs, sampled_probs[:, 1:].sum(1)]) print("Disc loss = %.2f, Gen loss = %s" % (d_loss, ", ".join(["%.2f" % gl for gl in g_losses]))) #if args.adv_test: #preds = dcgan.get_probs(adv_x) #eval_preds = session.run(preds, feed_dict = {x:image_batch}) #print(eval_preds[0]) #adv_exs = session.run(adv_test_x, feed_dict = {x:test_image_batches}) # adv_acc = model_eval( # session, x, y, preds, image_batch, batch_label, args=eval_params) # #print(session.run(model_loss(compare_labels,probs), feed_dict = {x:image_batch})) # print("Adversarial loss = %2.f" % (1-adv_acc)) #print(get_test_accuracy(session,dcgan,adv_set,test_label_batches)) # adv_x = fgsm.generate(x,**fgsm_params) # preds = dcgan.get_probs(adv_x) # acc = model_eval( # session, x, y, preds, image_batch, batch_label, args=eval_params) # print("Adversarial loss = %2.f" % (1-acc)) if args.semi_supervised: # get test set performance on real labels only for both GAN-based classifier and standard one s_acc, ss_acc, non_adv_acc, ex_prob = get_test_accuracy( session, dcgan, test_image_batches, test_label_batches) if args.adv_test: adv_set = [] for test_images in test_image_batches: adv_set.append( session.run(adv_x, feed_dict={x: test_images})) adv_sup_acc, adv_ss_acc, correct_uncertainty, incorrect_uncertainty, adv_acc, adv_ex_prob = get_adv_test_accuracy( session, dcgan, adv_set, test_label_batches) print("Adversarial semi-sup accuracy with filter: %.2f" % adv_sup_acc) print("Adverarial semi-sup accuracy: %.2f" % adv_ss_acc) print("Uncertainty for correct predictions: %.2f" % correct_uncertainty) print("Uncertainty for incorrect predictions: %.2f" % incorrect_uncertainty) print("non_adversarial_classification_accuracy: %.2f" % non_adv_acc) print("adversarial_classification_accuracy: %.2f" % adv_acc) if args.save_samples: print("saving adversarial test images and test images") i = 0 for x, y in zip(adv_set[-1], test_image_batches[-1]): np.save( args.out_dir + '/adv_test' + str(train_iter) + '_' + str(i), x) np.save( args.out_dir + '/test' + str(train_iter) + '_' + str(i), y) i = i + 1 if i == 5: #save 5 adversarial images break print("Supervised acc: %.2f" % (s_acc)) print("Semi-sup acc: %.2f" % (ss_acc)) print("saving results and samples") results = { "disc_loss": float(d_loss), "gen_losses": list(map(float, g_losses)) } if args.semi_supervised: #results["example_non_adversarial_probs"] = list(ex_prob.flatten()) #results["example_adversarial_probs"] = list(adv_ex_prob.flatten()) results["non_adversarial_classification_accuracy"] = float( non_adv_acc) results["adversarial_classification_accuracy"] = float(adv_acc) results["adversarial_uncertainty_correct"] = float( correct_uncertainty) results["adversarial_uncertainty_incorrect"] = float( incorrect_uncertainty) results["supervised_acc"] = float(s_acc) results['adversarial_filtered_semi_supervised_acc'] = float( adv_sup_acc) results["adversarial_unfilted_semi_supervised_acc"] = float( adv_ss_acc) results["semi_supervised_acc"] = float(ss_acc) results["timestamp"] = time.time() results["previous_chkpt"] = args.chkpt with open( os.path.join(args.out_dir, 'results_%i.json' % train_iter), 'w') as fp: json.dump(results, fp) if args.save_samples: for gi in range(dcgan.num_gen): print_images(all_sampled_imgs[gi], "B_DCGAN_%i_%.2f" % (gi, g_losses[gi * dcgan.num_mcmc]), train_iter, directory=args.out_dir) print_images(image_batch, "RAW", train_iter, directory=args.out_dir) if args.save_weights: var_dict = {} for var in tf.trainable_variables(): var_dict[var.name] = session.run(var.name) np.savez_compressed( os.path.join(args.out_dir, "weights_%i.npz" % train_iter), **var_dict) print("Done saving weights") if train_iter > 0 and train_iter % args.save_chkpt == 0: save_path = saver.save( session, os.path.join(args.out_dir, "model_%i" % train_iter)) print("Model checkpointed in file: %s" % save_path) session.close()
def main(_): # Images for inception classifier are normalized to be in [-1, 1] interval, # eps is a difference between pixels so it should be in [0, 2] interval. # Renormalizing epsilon from [0, 255] to [0, 2]. print('this line #1') eps = 2.0 * FLAGS.max_epsilon / 255.0 slim_model = False # For AlexNet and SqueezeNet: False, For Inception and MobileNet: True batch_shape = [FLAGS.batch_size, FLAGS.image_height, FLAGS.image_width, 3] num_classes = 1001 tf.logging.set_verbosity(tf.logging.INFO) print('this line #2') with tf.Graph().as_default(): # Prepare graph x_input = tf.placeholder(tf.float32, shape=batch_shape) # model = InceptionModel(num_classes) # model = MobileNetModel(num_classes) model = KaffeModel(num_classes, 'AlexNet') # Use AlexNet model for DeepCompression, INQ, and Proposed # model = KaffeModel(num_classes, 'Squeezenet') print('this line #3') # # FGSM # fgsm = FastGradientMethod(model) # x_adv = fgsm.generate(x_input, eps=eps, clip_min=-1., clip_max=1.) # # BIM bim = BasicIterativeMethod(model) x_adv = bim.generate(x_input, eps=eps, clip_min=-1., clip_max=1.) # # VAT # vat = VirtualAdversarialMethod(model) # x_adv = vat.generate(x_input, eps=eps, clip_min=-1., clip_max=1.) # # PGD # pgd = MadryEtAl(model) # pgd_params = {'clip_min':-1., 'clip_max':1.} # x_adv = pgd.generate(x_input, clip_min=-1., clip_max=1.)#, **pgd_params) # # JSMA # sess = tf.Session() # jsma = SaliencyMapMethod(model) # # target = np.zeros((1,1000),dtype=np.float32) # # target[0,50] = 1 #here, we suppose that the target label is 50 # # jsma_params = {'theta': 1., 'gamma': 0.1, 'clip_min': 0., 'clip_max': 1., 'y_target': target} # jsma_params = {'theta': 1., 'gamma': 0.1, 'clip_min': 0., 'clip_max': 1.} # x_adv = jsma.generate(x_input,**jsma_params) # sess = tf.Session() # sess.run(tf.global_variables_initializer()) # jsma = SaliencyMapMethod(model, back='tf', sess=sess) # jsma_params = {'theta': 1., 'gamma': 0.1, 'clip_min': 0., 'clip_max': 1.} # x_adv = jsma.generate(x_input,**jsma_params) # # DeepFool # deepfool = DeepFool(model, back='tf', sess=sess) # # # deepfool_params = {'over_shoot', 'max_iter':1000, 'clip_max':1., 'clip_min':0., 'nb_candidate} # deepfool_params = {'max_iter':1000, 'clip_max':1., 'clip_min':0.} # x_adv = deepfool.generate(x_input,**deepfool_params) # # sess = tf.Session() # # with tf.Session() as sess: # # # # # CarliniWagner L2 # # # # sess = tf.train.MonitoredSession() # # # sess = tf.Session() # cwl2 = CarliniWagnerL2(model, back='tf', sess=sess) # # cwl2 = CarliniWagnerL2(model, back='tf') # # # cwl2_params = {'batch_size':9, 'confidence':0, 'max_iterations':1000, 'clip_min':0., 'clip_max':1.} # cwl2_params = {'clip_min':-1.0, 'clip_max':1.0} # # cwl2_params = {'batch_size':9, 'confidence':0,'learning_rate':1e-2,'binary_search_steps':9, 'max_iterations':1000,'abort_early':True, 'initial_const': 1e-3,'clip_min': 0.0, 'clip_max': 1.0} # x_adv = cwl2.generate(x_input,**cwl2_params) # with tf.Session() as sess: # cwl2 = CarliniWagnerL2(sess, model, batch_size=1, confidence=0, targeted=True, learning_rate=5e-3, binary_search_steps=5, max_iterations=1000, abort_early=True, initial_const=1e-2, clip_min=0, clip_max=1, num_labels=3, shape=x_input.get_shape().as_list()[1:]) # # x_adv = cwl2. # def cw_wrap(x_val, y_val): # return np.array(cwl2.attack(x_val, y_val), dtype=np.float32) # x_adv = tf.py_func(cw_wrap, [x, labels], tf.float32) # (self, sess, model, batch_size, confidence, # targeted, learning_rate, # binary_search_steps, max_iterations, # abort_early, initial_const, # clip_min, clip_max, num_labels, shape) # attack = CWL2(self.sess, self.model, self.batch_size, # self.confidence, 'y_target' in kwargs, # self.learning_rate, self.binary_search_steps, # self.max_iterations, self.abort_early, # self.initial_const, self.clip_min, self.clip_max, # nb_classes, x_input.get_shape().as_list()[1:]) # sess = tf.Session() # cw = CarliniWagnerL2(model, back='tf', sess=sess) # cw_params = {'binary_search_steps': 1, 'y': None, 'max_iterations': 1000, 'learning_rate': 5e-3, 'batch_size': 1, 'initial_const': 1e-2} # # x_adv = cw.generate_np(x_input,**cw_params) # x_adv = cw.generate(x_input,**cw_params) # (self, model, back='tf', sess=None) print('this line #4') # Run computation if slim_model: saver = tf.train.Saver(slim.get_model_variables()) session_creator = tf.train.ChiefSessionCreator( scaffold=tf.train.Scaffold(saver=saver), checkpoint_filename_with_path=FLAGS.checkpoint_path, master=FLAGS.master) with tf.train.MonitoredSession(session_creator=session_creator) as sess: for filenames, images in load_images(FLAGS.input_dir, batch_shape): adv_images = sess.run(x_adv, feed_dict={x_input: images}) save_images(adv_images, filenames, FLAGS.output_dir) else: with tf.Session() as sess: model.load_model(model_path=FLAGS.checkpoint_path, session=sess) for filenames, images in load_images(FLAGS.input_dir, batch_shape): adv_images = sess.run(x_adv, feed_dict={x_input: images}) save_images(adv_images, filenames, FLAGS.output_dir)
output_dir = './fgsm_images_{}'.format(epsilon) os.mkdir(output_dir) except: pass if IFGSM: ifgsm = BasicIterativeMethod(model) ifgsm_params = {'eps': epsilon, 'eps_iter': epsilon / 5, 'nb_iter': 5, 'clip_min': -1., 'clip_max': 1., } x_adv = ifgsm.generate(x_input, **ifgsm_params) try: output_dir = './ifgsm_images_{}'.format(epsilon) os.mkdir(output_dir) except: pass saver = tf.train.Saver(tf.contrib.slim.get_model_variables()) session_creator = tf.train.ChiefSessionCreator( scaffold=tf.train.Scaffold(saver=saver), checkpoint_filename_with_path=checkpoint_path, master="") print('Attacking with epsilon {}'.format(epsilon)) with tf.train.MonitoredSession(session_creator=session_creator) as sess: for filenames, images in load_imagefiles('./images', batch_shape): nontargeted_images = sess.run(x_adv, feed_dict={x_input: images}) for filename, nontargeted_image in zip(filenames, nontargeted_images):
def train(cifar10_data, logfile): """Train CIFAR-10 for a number of steps.""" logfile.write("fgsm_eps \t %g, epsilon \t %d \n" % (fgsm_eps, target_eps[0])) with tf.Graph().as_default(): global_step = tf.Variable(0, trainable=False) # Parameters Declarification #with tf.variable_scope('conv1') as scope: kernel1 = _variable_with_weight_decay( 'kernel1', shape=[3, 3, 3, 128], stddev=np.sqrt(2.0 / (5 * 5 * 256)) / math.ceil(5 / 2), wd=0.0) biases1 = cifar10._variable_on_cpu('biases1', [128], tf.constant_initializer(0.0)) #with tf.variable_scope('conv2') as scope: kernel2 = _variable_with_weight_decay( 'kernel2', shape=[5, 5, 128, 128], stddev=np.sqrt(2.0 / (5 * 5 * 256)) / math.ceil(5 / 2), wd=0.0) biases2 = cifar10._variable_on_cpu('biases2', [128], tf.constant_initializer(0.1)) #with tf.variable_scope('conv3') as scope: kernel3 = _variable_with_weight_decay( 'kernel3', shape=[5, 5, 256, 256], stddev=np.sqrt(2.0 / (5 * 5 * 256)) / math.ceil(5 / 2), wd=0.0) biases3 = cifar10._variable_on_cpu('biases3', [256], tf.constant_initializer(0.1)) #with tf.variable_scope('local4') as scope: kernel4 = cifar10._variable_with_weight_decay( 'kernel4', shape=[int(image_size / 4)**2 * 256, hk], stddev=0.04, wd=0.004) biases4 = cifar10._variable_on_cpu('biases4', [hk], tf.constant_initializer(0.1)) #with tf.variable_scope('local5') as scope: kernel5 = cifar10._variable_with_weight_decay( 'kernel5', [hk, 10], stddev=np.sqrt(2.0 / (int(image_size / 4)**2 * 256)) / math.ceil(5 / 2), wd=0.0) biases5 = cifar10._variable_on_cpu('biases5', [10], tf.constant_initializer(0.1)) scale2 = tf.Variable(tf.ones([hk])) beta2 = tf.Variable(tf.zeros([hk])) params = [ kernel1, biases1, kernel2, biases2, kernel3, biases3, kernel4, biases4, kernel5, biases5, scale2, beta2 ] ######## # Build a Graph that computes the logits predictions from the # inference model. shape = kernel1.get_shape().as_list() w_t = tf.reshape(kernel1, [-1, shape[-1]]) w = tf.transpose(w_t) sing_vals = tf.svd(w, compute_uv=False) sensitivityW = tf.reduce_max(sing_vals) dp_delta = 0.05 #dp_mult = attack_norm_bound * math.sqrt(2 * math.log(1.25 / dp_delta)) / dp_epsilon noise = tf.placeholder(tf.float32, [None, 28, 28, 32]) dp_mult = attack_norm_bound * math.sqrt( 2 * math.log(1.25 / dp_delta)) / dp_epsilon noise = tf.placeholder(tf.float32, [None, 14, 14, 128]) sigma = tf.placeholder(tf.float32) x = tf.placeholder(tf.float32, [None, image_size, image_size, 3]) #y_conv, h_conv1 = inference(x, params, dp_mult**2 * noise); y_conv, h_conv1 = inference(x, params, attack_norm_bound * noise) softmax_y_conv = tf.nn.softmax(y_conv) y_ = tf.placeholder(tf.float32, [None, 10]) #logits = inference(images) # Calculate loss. Apply Taylor Expansion for the output layer loss = cifar10.lossDPSGD(y_conv, y_) # noise redistribution # grad, = tf.gradients(loss, h_conv1) normalized_grad = tf.sign(grad) normalized_grad = tf.stop_gradient(normalized_grad) normalized_grad_r = tf.abs(tf.reduce_mean(normalized_grad, axis=(0)))**2 sum_r = tf.reduce_sum(normalized_grad_r, axis=(0, 1, 2), keepdims=False) normalized_grad_r = 14 * 14 * 128 * normalized_grad_r / sum_r print(normalized_grad_r) shape_grad = normalized_grad_r.get_shape().as_list() grad_t = tf.reshape(normalized_grad_r, [-1, shape_grad[-1]]) g = tf.transpose(grad_t) sing_g_vals = tf.svd(g, compute_uv=False) sensitivity_2 = tf.reduce_max(sing_g_vals) ######################## opt = tf.train.GradientDescentOptimizer(lr) gw_K1 = tf.gradients(loss, kernel1)[0] gb1 = tf.gradients(loss, biases1)[0] gw_K2 = tf.gradients(loss, kernel2)[0] gb2 = tf.gradients(loss, biases2)[0] gw_K3 = tf.gradients(loss, kernel3)[0] gb3 = tf.gradients(loss, biases3)[0] gw_K4 = tf.gradients(loss, kernel4)[0] gb4 = tf.gradients(loss, biases4)[0] gw_K5 = tf.gradients(loss, kernel5)[0] gb5 = tf.gradients(loss, biases5)[0] #clip gradient gw_K1 = tf.clip_by_norm(gw_K1, clip_bound) gw_K2 = tf.clip_by_norm(gw_K2, clip_bound) gw_K3 = tf.clip_by_norm(gw_K3, clip_bound) gw_K4 = tf.clip_by_norm(gw_K4, clip_bound) gw_K5 = tf.clip_by_norm(gw_K5, clip_bound) #perturb gw_K1 += tf.random_normal(shape=tf.shape(gw_K1), mean=0.0, stddev=(sigma * sensitivity), dtype=tf.float32) / batch_size gw_K2 += tf.random_normal(shape=tf.shape(gw_K2), mean=0.0, stddev=(sigma * sensitivity), dtype=tf.float32) / batch_size gw_K3 += tf.random_normal(shape=tf.shape(gw_K3), mean=0.0, stddev=(sigma * sensitivity), dtype=tf.float32) / batch_size gw_K4 += tf.random_normal(shape=tf.shape(gw_K4), mean=0.0, stddev=(sigma * sensitivity), dtype=tf.float32) / batch_size gw_K5 += tf.random_normal(shape=tf.shape(gw_K5), mean=0.0, stddev=(sigma * sensitivity), dtype=tf.float32) / batch_size gb1 += tf.random_normal(shape=tf.shape(gb1), mean=0.0, stddev=(sigma * sensitivity), dtype=tf.float32) / batch_size gb2 += tf.random_normal(shape=tf.shape(gb2), mean=0.0, stddev=(sigma * sensitivity), dtype=tf.float32) / batch_size gb3 += tf.random_normal(shape=tf.shape(gb3), mean=0.0, stddev=(sigma * sensitivity), dtype=tf.float32) / batch_size gb4 += tf.random_normal(shape=tf.shape(gb4), mean=0.0, stddev=(sigma * sensitivity), dtype=tf.float32) / batch_size gb5 += tf.random_normal(shape=tf.shape(gb5), mean=0.0, stddev=(sigma * sensitivity), dtype=tf.float32) / batch_size # apply gradients and keep tracking moving average of the parameters apply_gradient_op = opt.apply_gradients([(gw_K1, kernel1), (gb1, biases1), (gw_K2, kernel2), (gb2, biases2), (gw_K3, kernel3), (gb3, biases3), (gw_K4, kernel4), (gb4, biases4), (gw_K5, kernel5), (gb5, biases5)], global_step=global_step) variable_averages = tf.train.ExponentialMovingAverage( MOVING_AVERAGE_DECAY, global_step) variables_averages_op = variable_averages.apply( tf.trainable_variables()) with tf.control_dependencies( [apply_gradient_op, variables_averages_op]): train_op = tf.no_op(name='train') # Build a Graph that trains the model with one batch of examples and # updates the model parameters. #train_op = cifar10.trainDPSGD(loss, global_step, clip_bound, sigma, sensitivity) sess = tf.Session(config=tf.ConfigProto(log_device_placement=False)) attack_switch = { 'fgsm': True, 'ifgsm': True, 'deepfool': False, 'mim': True, 'spsa': False, 'cwl2': False, 'madry': True, 'stm': False } ch_model_probs = CustomCallableModelWrapper( callable_fn=inference_test_input_probs, output_layer='probs', params=params, image_size=image_size) # define each attack method's tensor attack_tensor_dict = {} # FastGradientMethod if attack_switch['fgsm']: print('creating attack tensor of FastGradientMethod') fgsm_obj = FastGradientMethod(model=ch_model_probs, sess=sess) #x_adv_test_fgsm = fgsm_obj.generate(x=x, eps=fgsm_eps, clip_min=-1.0, clip_max=1.0, ord=2) # testing now x_adv_test_fgsm = fgsm_obj.generate(x=x, eps=fgsm_eps, clip_min=-1.0, clip_max=1.0) # testing now attack_tensor_dict['fgsm'] = x_adv_test_fgsm # Iterative FGSM (BasicIterativeMethod/ProjectedGradientMethod with no random init) # default: eps_iter=0.05, nb_iter=10 if attack_switch['ifgsm']: print('creating attack tensor of BasicIterativeMethod') ifgsm_obj = BasicIterativeMethod(model=ch_model_probs, sess=sess) #x_adv_test_ifgsm = ifgsm_obj.generate(x=x, eps=fgsm_eps, eps_iter=fgsm_eps/10, nb_iter=10, clip_min=-1.0, clip_max=1.0, ord=2) x_adv_test_ifgsm = ifgsm_obj.generate(x=x, eps=fgsm_eps, eps_iter=fgsm_eps / 3, nb_iter=3, clip_min=-1.0, clip_max=1.0) attack_tensor_dict['ifgsm'] = x_adv_test_ifgsm # MomentumIterativeMethod # default: eps_iter=0.06, nb_iter=10 if attack_switch['mim']: print('creating attack tensor of MomentumIterativeMethod') mim_obj = MomentumIterativeMethod(model=ch_model_probs, sess=sess) #x_adv_test_mim = mim_obj.generate(x=x, eps=fgsm_eps, eps_iter=fgsm_eps/10, nb_iter=10, decay_factor=1.0, clip_min=-1.0, clip_max=1.0, ord=2) x_adv_test_mim = mim_obj.generate(x=x, eps=fgsm_eps, eps_iter=fgsm_eps / 3, nb_iter=3, decay_factor=1.0, clip_min=-1.0, clip_max=1.0) attack_tensor_dict['mim'] = x_adv_test_mim # MadryEtAl (Projected Grdient with random init, same as rand+fgsm) # default: eps_iter=0.01, nb_iter=40 if attack_switch['madry']: print('creating attack tensor of MadryEtAl') madry_obj = MadryEtAl(model=ch_model_probs, sess=sess) #x_adv_test_madry = madry_obj.generate(x=x, eps=fgsm_eps, eps_iter=fgsm_eps/10, nb_iter=10, clip_min=-1.0, clip_max=1.0, ord=2) x_adv_test_madry = madry_obj.generate(x=x, eps=fgsm_eps, eps_iter=fgsm_eps / 3, nb_iter=3, clip_min=-1.0, clip_max=1.0) attack_tensor_dict['madry'] = x_adv_test_madry #====================== attack ========================= correct_prediction = tf.equal(tf.argmax(y_conv, 1), tf.argmax(y_, 1)) accuracy = tf.reduce_mean(tf.cast(correct_prediction, tf.float32)) # Create a saver. saver = tf.train.Saver(tf.all_variables()) # Privacy accountant priv_accountant = accountant.GaussianMomentsAccountant(D) privacy_accum_op = priv_accountant.accumulate_privacy_spending( [None, None], sigma, batch_size) # Build the summary operation based on the TF collection of Summaries. #summary_op = tf.summary.merge_all() # Build an initialization operation to run below. init = tf.initialize_all_variables() # Start running operations on the Graph. sess.run(init) # Start the queue runners. tf.train.start_queue_runners(sess=sess) summary_writer = tf.summary.FileWriter(os.getcwd() + path, sess.graph) # load the most recent models _global_step = 0 ckpt = tf.train.get_checkpoint_state(FLAGS.checkpoint_dir) if ckpt and ckpt.model_checkpoint_path: print(ckpt.model_checkpoint_path) saver.restore(sess, ckpt.model_checkpoint_path) _global_step = int( ckpt.model_checkpoint_path.split('/')[-1].split('-')[-1]) else: print('No checkpoint file found') T = int(int(math.ceil(D / batch_size)) * epochs + 1) # number of steps step_for_epoch = int(math.ceil(D / batch_size)) #number of steps for one epoch s = math.log(sqrt(2.0 / math.pi) * 1e+5) sigmaEGM = sqrt(2.0) * 1.0 * (sqrt(s) + sqrt(s + dp_epsilon)) / ( 2.0 * dp_epsilon) #print(sigmaEGM) __noiseE = np.random.normal(0.0, sigmaEGM, 14 * 14 * 128).astype(np.float32) __noiseE = np.reshape(__noiseE, [-1, 14, 14, 128]) print("Compute The Noise Redistribution Vector") for step in xrange(_global_step, 100 * step_for_epoch): batch = cifar10_data.train.next_batch(batch_size) #Get a random batch. _, loss_value = sess.run( [train_op, loss], feed_dict={ x: batch[0], y_: batch[1], noise: __noiseE * 0, sigma: sigma_value * 0 }) if step % (5 * step_for_epoch) == 0: print(loss_value) batch = cifar10_data.train.next_batch(40 * batch_size) grad_redis = sess.run([normalized_grad_r], feed_dict={ x: batch[0], y_: batch[1], noise: __noiseE * 0 }) _sensitivity_2 = sess.run([sensitivity_2], feed_dict={ x: batch[0], y_: batch[1], noise: __noiseE * 0 }) #print(_sensitivity_2) _sensitivityW = sess.run(sensitivityW) #print(_sensitivityW) Delta_redis = _sensitivityW / sqrt(_sensitivity_2[0]) #print(Delta_redis) sigmaHGM = sqrt(2.0) * Delta_redis * ( sqrt(s) + sqrt(s + dp_epsilon)) / (2.0 * dp_epsilon) #print(sigmaHGM) __noiseH = np.random.normal(0.0, sigmaHGM, 14 * 14 * 128).astype(np.float32) __noiseH = np.reshape(__noiseH, [-1, 14, 14, 128]) * grad_redis sess.run(init) print("Training") for step in xrange(_global_step, _global_step + T): start_time = time.time() batch = cifar10_data.train.next_batch(batch_size) #Get a random batch. #grad_redis = sess.run([normalized_grad_r], feed_dict = {x: batch[0], y_: batch[1], noise: (__noise + grad_redis)/2}) _, loss_value = sess.run( [train_op, loss], feed_dict={ x: batch[0], y_: batch[1], noise: (__noiseE + __noiseH) / 2, sigma: sigma_value }) duration = time.time() - start_time assert not np.isnan(loss_value), 'Model diverged with loss = NaN' sess.run([privacy_accum_op]) spent_eps_deltas = priv_accountant.get_privacy_spent( sess, target_eps=target_eps) if step % (5 * step_for_epoch) == 0: print(loss_value) print(spent_eps_deltas) _break = False for _eps, _delta in spent_eps_deltas: if _delta >= delta: _break = True break if _break == True: break ## Robustness print("Testing") adv_acc_dict = {} robust_adv_acc_dict = {} robust_adv_utility_dict = {} test_bach_size = 5000 for atk in attack_switch.keys(): if atk not in adv_acc_dict: adv_acc_dict[atk] = -1 robust_adv_acc_dict[atk] = -1 robust_adv_utility_dict[atk] = -1 if attack_switch[atk]: test_bach = cifar10_data.test.next_batch(test_bach_size) adv_images_dict = sess.run(attack_tensor_dict[atk], feed_dict={x: test_bach[0]}) ### PixelDP Robustness ### predictions_form_argmax = np.zeros([test_bach_size, 10]) softmax_predictions = sess.run(softmax_y_conv, feed_dict={ x: adv_images_dict, noise: (__noiseE + __noiseH) / 2 }) argmax_predictions = np.argmax(softmax_predictions, axis=1) for n_draws in range(0, 1000): _noiseE = np.random.normal(0.0, sigmaEGM, 14 * 14 * 128).astype(np.float32) _noiseE = np.reshape(_noiseE, [-1, 14, 14, 128]) _noise = np.random.normal(0.0, sigmaHGM, 14 * 14 * 128).astype(np.float32) _noise = np.reshape(_noise, [-1, 14, 14, 128]) * grad_redis for j in range(test_bach_size): pred = argmax_predictions[j] predictions_form_argmax[j, pred] += 1 softmax_predictions = sess.run( softmax_y_conv, feed_dict={ x: adv_images_dict, noise: (__noiseE + __noiseH) / 2 + (_noiseE + _noise) / 4 }) argmax_predictions = np.argmax(softmax_predictions, axis=1) final_predictions = predictions_form_argmax is_correct = [] is_robust = [] for j in range(test_bach_size): is_correct.append( np.argmax(test_bach[1][j]) == np.argmax( final_predictions[j])) robustness_from_argmax = robustnessGGaussian.robustness_size_argmax( counts=predictions_form_argmax[j], eta=0.05, dp_attack_size=fgsm_eps, dp_epsilon=dp_epsilon, dp_delta=0.05, dp_mechanism='gaussian') / dp_mult is_robust.append(robustness_from_argmax >= fgsm_eps) adv_acc_dict[atk] = np.sum(is_correct) * 1.0 / test_bach_size robust_adv_acc_dict[atk] = np.sum([ a and b for a, b in zip(is_robust, is_correct) ]) * 1.0 / np.sum(is_robust) robust_adv_utility_dict[atk] = np.sum( is_robust) * 1.0 / test_bach_size ############################## log_str = "" for atk in attack_switch.keys(): if attack_switch[atk]: # added robust prediction log_str += " {}: {:.4f} {:.4f} {:.4f} {:.4f}".format( atk, adv_acc_dict[atk], robust_adv_acc_dict[atk], robust_adv_utility_dict[atk], robust_adv_acc_dict[atk] * robust_adv_utility_dict[atk]) print(log_str) logfile.write(log_str + '\n')
def main(_): tf.logging.set_verbosity(tf.logging.DEBUG) # Images for inception classifier are normalized to be in [-1, 1] interval, num_classes = 1001 batch_shape = [FLAGS.batch_size, FLAGS.image_height, FLAGS.image_width, 3] # Load ImageNet Class Labels with open('labels.json') as f: labels = json.load(f) # Prepare Graph with tf.Graph().as_default(): # Build Model if FLAGS.model_arch.lower() == 'resnet_v2_101': model = models.Resnet_V2_101_Model(num_classes) exceptions = [] elif FLAGS.model_arch.lower() == 'inception_v3': model = models.Inception_V3_Model(num_classes) exceptions = ['InceptionV3/AuxLogits.*'] else: raise ValueError('Invalid model architecture specified: {}'.format( FLAGS.model_arch)) # Define Model Variables x_input = tf.placeholder(tf.float32, shape=batch_shape) FastGradientMethod(model).generate(x_input) model_variables = tf.contrib.framework.filter_variables( slim.get_model_variables(), exclude_patterns=exceptions) # Load Session saver = tf.train.Saver(model_variables) with tf.train.SessionManager().prepare_session( master=FLAGS.master, checkpoint_filename_with_path=FLAGS.checkpoint_path, saver=saver) as sess: # For Targeted Attacks target_idx = 0 # This will vary target = tf.constant(0, shape=[FLAGS.batch_size, num_classes]) # target = np.zeros((FLAGS.batch_size, num_classes), dtype=np.uint32) # target[:, target] = 1 # Build Attack if FLAGS.attack_type.lower() == 'fgsm': fgsm_opts = { 'eps': 0.3, 'clip_min': 0, 'clip_max': 1., 'y_target': None } fgsm = FastGradientMethod(model) x_adv = fgsm.generate(x_input, **fgsm_opts) elif FLAGS.attack_type.lower() == 'bim': bim_opts = { 'eps': 0.3, 'clip_min': 0., 'clip_max': 1., 'y_target': None } bim = BasicIterativeMethod(model) x_adv = bim.generate(x_input, **bim_opts) elif FLAGS.attack_type.lower() == 'mim': mim_opts = {'eps': 0.3, 'clip_min': 0, 'clip_max': 1.} mim = MomentumIterativeMethod(model) x_adv = mim.generate(x_input, **mim_opts) elif FLAGS.attack_type.lower() == 'pgd': pgd_opts = {'eps': 0.3, 'clip_min': 0, 'clip_max': 1.} pgd = MadryEtAl(model) x_adv = pgd.generate(x_input, **pgd_opts) # Broken elif FLAGS.attack_type.lower() == 'jsma': jsma_opts = { 'theta': 1., 'gamma': 0.1, 'clip-min': 0., 'clip-max': 1., 'y_target': None } jsma = SaliencyMapMethod(model) x_adv = jsma.generate(x_input, **jsma_opts) elif FLAGS.attack_type.lower() == 'lbfgs': lbfgs_opts = {'y_target': target} lbfgs = LBFGS(model) x_adv = lbfgs.generate(x_input, **lbfgs_opts) else: raise ValueError('Invalid attack type specified: {}'.format( FLAGS.attack_type)) start_time, batch_time, num_processed = time.time(), time.time(), 0 for filenames, images in load_images(FLAGS.input_dir, batch_shape): adv_images = sess.run(x_adv, feed_dict={x_input: images}) save_images(adv_images, filenames, FLAGS.output_dir) if FLAGS.show_predictions: preds = sess.run(model(np.float32(images))) probs = np.amax(preds, axis=1) classes = np.argmax(preds, axis=1) adv_preds = sess.run(model(adv_images)) adv_probs = np.amax(adv_preds, axis=1) adv_classes = np.argmax(adv_preds, axis=1) for i, _ in enumerate(filenames): print('\nOriginal: {:.2f}% ({})\nAdversarial: {:.2f}% ({})'.format( \ probs[i]*100, labels[str(classes[i])], adv_probs[i]*100, labels[str(adv_classes[i])])) time_delta = time.time() - batch_time batch_time = time.time() num_processed += len(filenames) print('[SPEED ESTIMATION] BatchRate={:.4f} Hz; AverageRate={:.4f} Hz'.format( \ (len(filenames) / time_delta * 1.0), ((num_processed * 1.0) / (batch_time - start_time))))
def train(cifar10_data, epochs, L, learning_rate, scale3, Delta2, epsilon2, eps2_ratio, alpha, perturbFM, fgsm_eps, total_eps, logfile, parameter_dict): logfile.write("fgsm_eps \t %g, LR \t %g, alpha \t %d , epsilon \t %d \n" % (fgsm_eps, learning_rate, alpha, total_eps)) """Train CIFAR-10 for a number of steps.""" # make sure variables are placed on cpu # TODO: for AWS version, check if put variables on GPU will be better with tf.Graph().as_default(), tf.device('/cpu:0'): global_step = tf.Variable(0, trainable=False) attacks = ['ifgsm', 'mim', 'madry'] # manually create all scopes with tf.variable_scope('conv1', reuse=tf.AUTO_REUSE) as scope: scope_conv1 = scope with tf.variable_scope('conv2', reuse=tf.AUTO_REUSE) as scope: scope_conv2 = scope with tf.variable_scope('conv3', reuse=tf.AUTO_REUSE) as scope: scope_conv3 = scope with tf.variable_scope('local4', reuse=tf.AUTO_REUSE) as scope: scope_local4 = scope with tf.variable_scope('local5', reuse=tf.AUTO_REUSE) as scope: scope_local5 = scope # Parameters Declarification #with tf.variable_scope('conv1') as scope: # with tf.device('/gpu:{}'.format(AUX_GPU_IDX[0])): with tf.variable_scope(scope_conv1) as scope: kernel1 = _variable_with_weight_decay( 'kernel1', shape=[4, 4, 3, 128], stddev=np.sqrt(2.0 / (5 * 5 * 256)) / math.ceil(5 / 2), wd=0.0, collect=[AECODER_VARIABLES]) biases1 = _bias_on_cpu('biases1', [128], tf.constant_initializer(0.0), collect=[AECODER_VARIABLES]) # shape = kernel1.get_shape().as_list() w_t = tf.reshape(kernel1, [-1, shape[-1]]) w = tf.transpose(w_t) sing_vals = tf.svd(w, compute_uv=False) sensitivity = tf.reduce_max(sing_vals) gamma = 2 * Delta2 / (L * sensitivity) with tf.variable_scope(scope_conv2) as scope: kernel2 = _variable_with_weight_decay( 'kernel2', shape=[5, 5, 128, 128], stddev=np.sqrt(2.0 / (5 * 5 * 256)) / math.ceil(5 / 2), wd=0.0, collect=[CONV_VARIABLES]) biases2 = _bias_on_cpu('biases2', [128], tf.constant_initializer(0.1), collect=[CONV_VARIABLES]) with tf.variable_scope(scope_conv3) as scope: kernel3 = _variable_with_weight_decay( 'kernel3', shape=[5, 5, 256, 256], stddev=np.sqrt(2.0 / (5 * 5 * 256)) / math.ceil(5 / 2), wd=0.0, collect=[CONV_VARIABLES]) biases3 = _bias_on_cpu('biases3', [256], tf.constant_initializer(0.1), collect=[CONV_VARIABLES]) with tf.variable_scope(scope_local4) as scope: kernel4 = _variable_with_weight_decay( 'kernel4', shape=[int(image_size / 4)**2 * 256, hk], stddev=0.04, wd=0.004, collect=[CONV_VARIABLES]) biases4 = _bias_on_cpu('biases4', [hk], tf.constant_initializer(0.1), collect=[CONV_VARIABLES]) with tf.variable_scope(scope_local5) as scope: kernel5 = _variable_with_weight_decay( 'kernel5', [hk, 10], stddev=np.sqrt(2.0 / (int(image_size / 4)**2 * 256)) / math.ceil(5 / 2), wd=0.0, collect=[CONV_VARIABLES]) biases5 = _bias_on_cpu('biases5', [10], tf.constant_initializer(0.1), collect=[CONV_VARIABLES]) # group these for use as parameters params = [ kernel1, biases1, kernel2, biases2, kernel3, biases3, kernel4, biases4, kernel5, biases5 ] scopes = [ scope_conv1, scope_conv2, scope_conv3, scope_local4, scope_local5 ] # placeholders for input values FM_h = tf.placeholder(tf.float32, [None, 14, 14, 128]) # one time noise = tf.placeholder(tf.float32, [None, image_size, image_size, 3]) # one time adv_noise = tf.placeholder( tf.float32, [None, image_size, image_size, 3]) # one time x_sb = tf.placeholder(tf.float32, [None, image_size, image_size, 3 ]) # input is the bunch of n_batchs x_list = tf.split(x_sb, N_GPUS, axis=0) # split it into each batch adv_x_sb = tf.placeholder(tf.float32, [None, image_size, image_size, 3]) adv_x_list = tf.split(adv_x_sb, N_GPUS, axis=0) x_test = tf.placeholder(tf.float32, [None, image_size, image_size, 3]) y_sb = tf.placeholder(tf.float32, [None, 10]) # input is the bunch of n_batchs y_list = tf.split(y_sb, N_GPUS, axis=0) # split it into each batch adv_y_sb = tf.placeholder(tf.float32, [None, 10]) # input is the bunch of n_batchs # adv_y_list = tf.split(adv_y_sb, N_GPUS, axis=0) # split it into each batch y_test = tf.placeholder(tf.float32, [None, 10]) # re-arrange the input samples _split_adv_y_sb = tf.split(adv_y_sb, N_AUX_GPUS, axis=0) reorder_adv_y_sb = [] for i in range(N_GPUS): reorder_adv_y_sb.append( tf.concat([ _split_adv_y_sb[i + N_GPUS * atk_index] for atk_index in range(len(attacks)) ], axis=0)) tower_pretrain_grads = [] tower_train_grads = [] all_train_loss = [] pretrain_opt = tf.train.AdamOptimizer(learning_rate) train_opt = tf.train.GradientDescentOptimizer(learning_rate) # batch index bi = 0 for gpu in GPU_IDX: # putting ops on each tower (GPU) with tf.device('/gpu:{}'.format(gpu)): print('Train inference GPU placement') print('/gpu:{}'.format(gpu)) # Auto-Encoder # # pretrain_adv and pretrain_benign are cost tensor of the encoding layer with tf.variable_scope(scope_conv1) as scope: Enc_Layer2 = EncLayer(inpt=adv_x_list[bi], n_filter_in=3, n_filter_out=128, filter_size=3, W=kernel1, b=biases1, activation=tf.nn.relu) pretrain_adv = Enc_Layer2.get_train_ops2( xShape=tf.shape(adv_x_list[bi])[0], Delta=Delta2, epsilon=epsilon2, batch_size=L, learning_rate=learning_rate, W=kernel1, b=biases1, perturbFMx=adv_noise, perturbFM_h=FM_h, bn_index=bi) Enc_Layer3 = EncLayer(inpt=x_list[bi], n_filter_in=3, n_filter_out=128, filter_size=3, W=kernel1, b=biases1, activation=tf.nn.relu) pretrain_benign = Enc_Layer3.get_train_ops2( xShape=tf.shape(x_list[bi])[0], Delta=Delta2, epsilon=epsilon2, batch_size=L, learning_rate=learning_rate, W=kernel1, b=biases1, perturbFMx=noise, perturbFM_h=FM_h, bn_index=bi) pretrain_cost = pretrain_adv + pretrain_benign # this cost is not used # cost = tf.reduce_sum((Enc_Layer2.cost + Enc_Layer3.cost)/2.0); # benign conv output x_image = x_list[bi] + noise y_conv = inference(x_image, FM_h, params, scopes, training=True, bn_index=bi) # softmax_y_conv = tf.nn.softmax(y_conv) # adv conv output adv_x_image = adv_x_list[bi] + adv_noise y_adv_conv = inference(adv_x_image, FM_h, params, scopes, training=True, bn_index=bi) # Calculate loss. Apply Taylor Expansion for the output layer perturbW = perturbFM * params[8] train_loss = cifar10.TaylorExp(y_conv, y_list[bi], y_adv_conv, reorder_adv_y_sb[bi], L, alpha, perturbW) all_train_loss.append(train_loss) # list of variables to train pretrain_var_list = tf.get_collection(AECODER_VARIABLES) train_var_list = tf.get_collection(CONV_VARIABLES) # compute tower gradients pretrain_grads = pretrain_opt.compute_gradients( pretrain_cost, var_list=pretrain_var_list) train_grads = train_opt.compute_gradients( train_loss, var_list=train_var_list) # get_pretrain_grads(pretrain_cost, global_step, learning_rate, pretrain_var_list) # train_grads = get_train_grads(train_loss, global_step, learning_rate, train_var_list) # note this list contains grads and variables tower_pretrain_grads.append(pretrain_grads) tower_train_grads.append(train_grads) # batch index bi += 1 # average the gradient from each tower pretrain_var_dict = {} all_pretrain_grads = {} avg_pretrain_grads = [] for var in tf.get_collection(AECODER_VARIABLES): if var.name not in all_pretrain_grads: all_pretrain_grads[var.name] = [] pretrain_var_dict[var.name] = var for tower in tower_pretrain_grads: for var_grad in tower: all_pretrain_grads[var_grad[1].name].append(var_grad[0]) for var_name in all_pretrain_grads: # expand dim 0, then concat on dim 0, then reduce mean on dim 0 expand_pretrain_grads = [ tf.expand_dims(g, 0) for g in all_pretrain_grads[var_name] ] concat_pretrain_grads = tf.concat(expand_pretrain_grads, axis=0) reduce_pretrain_grads = tf.reduce_mean(concat_pretrain_grads, 0) # rebuild (grad, var) list avg_pretrain_grads.append( (reduce_pretrain_grads, pretrain_var_dict[var_name])) print('*****************************') print("avg_pretrain_grads:") for avg_pretrain_grad in avg_pretrain_grads: print('grads') print((avg_pretrain_grad[0].name, avg_pretrain_grad[0].shape)) print('var') print((avg_pretrain_grad[1].name, avg_pretrain_grad[1].shape)) print('------') train_var_dict = {} all_train_grads = {} avg_train_grads = [] for var in tf.get_collection(CONV_VARIABLES): if var.name not in all_train_grads: all_train_grads[var.name] = [] train_var_dict[var.name] = var for tower in tower_train_grads: for var_grad in tower: all_train_grads[var_grad[1].name].append(var_grad[0]) for var_name in all_train_grads: # expand dim 0, then concat on dim 0, then reduce mean on dim 0 expand_train_grads = [ tf.expand_dims(g, 0) for g in all_train_grads[var_name] ] concat_train_grads = tf.concat(expand_train_grads, axis=0) reduce_train_grads = tf.reduce_mean(concat_train_grads, 0) # rebuild (grad, var) list avg_train_grads.append( (reduce_train_grads, train_var_dict[var_name])) print('*****************************') print("avg_train_grads:") for avg_train_grad in avg_train_grads: print('grads') print((avg_train_grad[0].name, avg_train_grad[0].shape)) print('var') print((avg_train_grad[1].name, avg_train_grad[1].shape)) print('------') print('*****************************') # get averaged loss tensor avg_loss = tf.reduce_mean(tf.stack(all_train_loss), axis=0) # TODO: take the average of the bn variables from each tower/training GPU # currently, testing is using the bn variables on bn_index 0 (tower/training GPU 0) # build train op (apply average gradient to variables) # according to 1.13 doc, updates need to be manually applied _update_ops = tf.get_collection(tf.GraphKeys.UPDATE_OPS) print('update ops:') print(_update_ops) with tf.control_dependencies(_update_ops): pretrain_op = pretrain_opt.apply_gradients(avg_pretrain_grads, global_step=global_step) train_op = train_opt.apply_gradients(avg_train_grads, global_step=global_step) # start a session with memory growth config = tf.ConfigProto(log_device_placement=False) config.gpu_options.allow_growth = True sess = tf.Session(config=config) print("session created") # init kernel 1 and get some values from it sess.run(kernel1.initializer) dp_epsilon = 0.005 parameter_dict['dp_epsilon'] = dp_epsilon _gamma = sess.run(gamma) _gamma_x = Delta2 / L epsilon2_update = epsilon2 / (1.0 + 1.0 / _gamma + 1 / _gamma_x) parameter_dict['epsilon2_update'] = epsilon2_update print(epsilon2_update / _gamma + epsilon2_update / _gamma_x) print(epsilon2_update) # NOTE: these values needs to be calculated in testing delta_r = fgsm_eps * (image_size**2) parameter_dict['delta_r'] = delta_r _sensitivityW = sess.run(sensitivity) parameter_dict['_sensitivityW'] = _sensitivityW delta_h = _sensitivityW * (14**2) parameter_dict['delta_h'] = delta_h #dp_mult = (Delta2/(L*epsilon2_update))/(delta_r / dp_epsilon) + (2*Delta2/(L*epsilon2_update))/(delta_h / dp_epsilon) dp_mult = (Delta2) / (L * epsilon2_update * (delta_h / 2 + delta_r)) parameter_dict['dp_mult'] = dp_mult # place test-time inference into CPU with tf.device('/cpu:0'): # testing pipeline test_x_image = x_test + noise test_y_conv = inference(test_x_image, FM_h, params, scopes, training=True, bn_index=0) test_softmax_y_conv = tf.nn.softmax(test_y_conv) # ============== attacks ================ iter_step_training = 3 parameter_dict['iter_step_training'] = iter_step_training # iter_step_testing = 1000 aux_dup_count = N_GPUS # split input x_super_batch into N_AUX_GPUS parts x_attacks = tf.split(x_sb, N_AUX_GPUS, axis=0) # split input x_test into aux_dup_count parts x_test_split = tf.split(x_test, aux_dup_count, axis=0) # setup all attacks # attack_switch = {'fgsm':False, 'ifgsm':True, 'deepfool':False, 'mim':True, 'spsa':False, 'cwl2':False, 'madry':True, 'stm':False} ch_model_probs = CustomCallableModelWrapper( callable_fn=inference_test_input_probs, output_layer='probs', params=params, scopes=scopes, image_size=image_size, adv_noise=adv_noise) attack_tensor_training_dict = {} attack_tensor_testing_dict = {} # define each attack method's tensor mu_alpha = tf.placeholder(tf.float32, [1]) # build each attack for atk_idx in range(len(attacks)): atk = attacks[atk_idx] print('building attack {} tensors'.format(atk)) # for each gpu assign to each attack attack_tensor_training_dict[atk] = [] attack_tensor_testing_dict[atk] = [] for i in range(aux_dup_count): if atk == 'ifgsm': with tf.device('/gpu:{}'.format(AUX_GPU_IDX[i])): print('ifgsm GPU placement: /gpu:{}'.format( AUX_GPU_IDX[i])) # ifgsm tensors for training ifgsm_obj = BasicIterativeMethod(model=ch_model_probs, sess=sess) attack_tensor_training_dict[atk].append( ifgsm_obj.generate(x=x_attacks[i], eps=mu_alpha, eps_iter=mu_alpha / iter_step_training, nb_iter=iter_step_training, clip_min=-1.0, clip_max=1.0)) elif atk == 'mim': with tf.device('/gpu:{}'.format( AUX_GPU_IDX[i + 1 * aux_dup_count])): print('mim GPU placement: /gpu:{}'.format( AUX_GPU_IDX[i + 1 * aux_dup_count])) # mim tensors for training mim_obj = MomentumIterativeMethod(model=ch_model_probs, sess=sess) attack_tensor_training_dict[atk].append( mim_obj.generate( x=x_attacks[i + 1 * aux_dup_count], eps=mu_alpha, eps_iter=mu_alpha / iter_step_training, nb_iter=iter_step_training, decay_factor=1.0, clip_min=-1.0, clip_max=1.0)) elif atk == 'madry': with tf.device('/gpu:{}'.format( AUX_GPU_IDX[i + 2 * aux_dup_count])): print('madry GPU placement: /gpu:{}'.format( AUX_GPU_IDX[i + 2 * aux_dup_count])) # madry tensors for training madry_obj = MadryEtAl(model=ch_model_probs, sess=sess) attack_tensor_training_dict[atk].append( madry_obj.generate( x=x_attacks[i + 2 * aux_dup_count], eps=mu_alpha, eps_iter=mu_alpha / iter_step_training, nb_iter=iter_step_training, clip_min=-1.0, clip_max=1.0)) # combine all attack tensors adv_concat_list = [] for i in range(aux_dup_count): adv_concat_list.append( tf.concat( [attack_tensor_training_dict[atk][i] for atk in attacks], axis=0)) # the tensor that contains each batch of adv samples for training # has same sample order as the labels adv_super_batch_tensor = tf.concat(adv_concat_list, axis=0) #====================== attack ========================= #adv_logits, _ = inference(c_x_adv + W_conv1Noise, perturbFM, params) print('******************** debug info **********************') # list of variables to train pretrain_var_list = tf.get_collection(AECODER_VARIABLES) print('pretrain var list') for v in pretrain_var_list: print((v.name, v.shape)) print('**********************************') train_var_list = tf.get_collection(CONV_VARIABLES) print('train var list') for v in train_var_list: print((v.name, v.shape)) print('**********************************') # all variables print('all variables') vl = tf.global_variables() for v in vl: print((v.name, v.shape)) print('**********************************') # all ops ops = [n.name for n in tf.get_default_graph().as_graph_def().node] print('total number of ops') print(len(ops)) # for op in ops: # print(op) print('******************** debug info **********************') # exit() # Create a saver. saver = tf.train.Saver(var_list=tf.all_variables(), max_to_keep=1000) # Build an initialization operation to run below. init = tf.initialize_all_variables() sess.run(init) # load the most recent models _global_step = 0 ckpt = tf.train.get_checkpoint_state(FLAGS.checkpoint_dir) if ckpt and ckpt.model_checkpoint_path: print(ckpt.model_checkpoint_path) saver.restore(sess, ckpt.model_checkpoint_path) _global_step = int( ckpt.model_checkpoint_path.split('/')[-1].split('-')[-1]) else: print('No checkpoint file found') T = int(int(math.ceil(D / L)) * epochs + 1) # number of steps print('total number of steps: {}'.format(T)) step_for_epoch = int(math.ceil(D / L)) #number of steps for one epoch parameter_dict['step_for_epoch'] = step_for_epoch print('step_for_epoch: {}'.format(step_for_epoch)) # generate some fixed noise perturbH_test = np.random.laplace(0.0, 0, 14 * 14 * 128) # one time perturbH_test = np.reshape(perturbH_test, [-1, 14, 14, 128]) # one time parameter_dict['perturbH_test'] = perturbH_test print('perturbH_test') print(perturbH_test.shape) perturbFM_h = np.random.laplace(0.0, 2 * Delta2 / (epsilon2_update * L), 14 * 14 * 128) # one time perturbFM_h = np.reshape(perturbFM_h, [-1, 14, 14, 128]) # one time parameter_dict['perturbFM_h'] = perturbFM_h print('perturbFM_h') print(perturbFM_h.shape) Noise = generateIdLMNoise(image_size, Delta2, epsilon2_update, L) # one time parameter_dict['Noise'] = Noise Noise_test = generateIdLMNoise(image_size, 0, epsilon2_update, L) # one time parameter_dict['Noise_test'] = Noise_test print('Noise and Noise_test') print(Noise.shape) print(Noise_test.shape) # exit() # some timing variables adv_duration_total = 0.0 adv_duration_count = 0 train_duration_total = 0.0 train_duration_count = 0 # some debug flag adv_batch_flag = True batch_flag = True L_flag = True parameter_flag = True _global_step = 0 for step in xrange(_global_step, _global_step + T): start_time = time.time() # TODO: fix this d_eps = random.random() * 0.5 # d_eps = 0.25 print('d_eps: {}'.format(d_eps)) # version with 3 AUX GPU # get two super batchs, one for benign training, one for adv training super_batch_images, super_batch_labels = cifar10_data.train.next_super_batch( N_GPUS, random=True) super_batch_images_for_adv, super_batch_adv_labels = cifar10_data.train.next_super_batch_premix_ensemble( N_GPUS, random=True) # TODO: re-arrange the adv labels to match the adv samples # run adv_tensors_batch_concat to generate adv samples super_batch_adv_images = sess.run(adv_super_batch_tensor, feed_dict={ x_sb: super_batch_images_for_adv, adv_noise: Noise, mu_alpha: [d_eps] }) adv_finish_time = time.time() adv_duration = adv_finish_time - start_time adv_duration_total += adv_duration adv_duration_count += 1 if adv_batch_flag: print(super_batch_images.shape) print(super_batch_labels.shape) print(super_batch_adv_images.shape) print(super_batch_adv_labels.shape) adv_batch_flag = False if batch_flag: print(super_batch_images.shape) print(super_batch_labels.shape) batch_flag = False if L_flag: print("L: {}".format(L)) L_flag = False if parameter_flag: print('*=*=*=*=*') print(parameter_dict) print('*=*=*=*=*', flush=True) logfile.write('*=*=*=*=*\n') logfile.write(str(parameter_dict)) logfile.write('*=*=*=*=*\n') parameter_flag = False _, _, avg_loss_value = sess.run( [pretrain_op, train_op, avg_loss], feed_dict={ x_sb: super_batch_images, y_sb: super_batch_labels, adv_x_sb: super_batch_adv_images, adv_y_sb: super_batch_adv_labels, noise: Noise, adv_noise: Noise_test, FM_h: perturbFM_h }) assert not np.isnan( avg_loss_value), 'Model diverged with loss = NaN' train_finish_time = time.time() train_duration = train_finish_time - adv_finish_time train_duration_total += train_duration train_duration_count += 1 # save model every 50 epochs if step % (50 * step_for_epoch) == 0 and (step >= 50 * step_for_epoch): print('saving model') checkpoint_path = os.path.join(os.getcwd() + dirCheckpoint, 'model.ckpt') saver.save(sess, checkpoint_path, global_step=step) # Save the model checkpoint periodically. # if step % (10*step_for_epoch) == 0 and (step > _global_step): if step % 10 == 0 and (step > _global_step): # print n steps and time print("current epoch: {:.2f}".format(step / step_for_epoch)) num_examples_per_step = L * N_GPUS * 2 avg_adv_duration = adv_duration_total / adv_duration_count avg_train_duration = train_duration_total / train_duration_count avg_total_duration = avg_adv_duration + avg_train_duration examples_per_sec = num_examples_per_step / avg_total_duration sec_per_step = avg_total_duration # sec_per_batch = sec_per_step / (N_GPUS * 2) format_str = ( '%s: step %d, loss = %.2f (%.1f examples/sec; %.2f ' 'sec/step; %.2f sec/adv_gen_op; %.2f sec/train_op)') actual_str = format_str % ( datetime.now(), step, avg_loss_value, examples_per_sec, sec_per_step, avg_adv_duration, avg_train_duration) print(actual_str, flush=True) logfile.write(actual_str + '\n')
def ml_dcgan(dataset, args): z_dim = args.z_dim x_dim = dataset.x_dim batch_size = args.batch_size base_learning_rate = args.lr # for now we use same learning rate for Ds and Gs lr_decay_rate = args.lr_decay dataset_size = dataset.dataset_size print("Starting session") session = get_session() dcgan = BDCGAN(x_dim, z_dim, dataset_size=dataset_size, batch_size=batch_size, J=1, ml=True, num_classes=dataset.num_classes) tf.global_variables_initializer().run() print("Starting training loop") test_image_batches, test_label_batches = get_test_batches( dataset, batch_size) supervised_batches = get_supervised_batches( dataset, args.N, batch_size, list(range(dataset.num_classes))) if args.adv_test: x = tf.placeholder(tf.float32, shape=(batch_size, 28, 28, 1)) # Hardcoded for MNIST if args.basic_iterative: fgsm = BasicIterativeMethod(dcgan, sess=session) dcgan.adv_constructor = fgsm fgsm_params = { 'eps': args.eps, 'eps_iter': float(args.eps / 4), 'nb_iter': 4, 'ord': np.inf, 'clip_min': 0., 'clip_max': 1. } #,'y_target': None} else: fgsm = FastGradientMethod(dcgan, sess=session) dcgan.adv_constructor = fgsm eval_params = {'batch_size': batch_size} fgsm_params = {'eps': args.eps, 'clip_min': 0., 'clip_max': 1.} adv_x = fgsm.generate(x, **fgsm_params) preds = dcgan.get_probs(adv_x) for train_iter in range(args.train_iter): batch_z = np.random.uniform(-1, 1, [batch_size, z_dim]) image_batch, _ = dataset.next_batch(batch_size, class_id=None) labeled_image_batches, label_batches = next(supervised_batches) learning_rate = base_learning_rate * np.exp(-lr_decay_rate * min( 1.0, (train_iter * batch_size) / float(dataset_size))) if args.adv_train: adv_labeled = session.run( fgsm.generate(labeled_image_ph, **fgsm_targeted_params), feed_dict={labeled_image_ph: labeled_image_batch}) adv_unlabeled = session.run( fgsm.generate(unlabeled_batch_ph, **fgsm_params), feed_dict={unlabeled_batch_ph: image_batch}) _, d_loss = session.run( [dcgan.d_optim_semi, dcgan.d_loss_semi], feed_dict={ dcgan.labeled_inputs: labeled_image_batch, dcgan.labels: get_gan_labels(labels), dcgan.inputs: image_batch, dcgan.z: batch_z, dcgan.d_semi_learning_rate: learning_rate, dcgan.adv_unlab: adv_unlabeled, dcgan.adv_labeled: adv_labeled }) else: _, d_loss = session.run( [dcgan.d_optim_semi, dcgan.d_loss_semi], feed_dict={ dcgan.labeled_inputs: labeled_image_batches, dcgan.labels: get_gan_labels(label_batches), dcgan.inputs: image_batch, dcgan.z: batch_z, dcgan.d_semi_learning_rate: learning_rate, }) _, s_loss = session.run([dcgan.s_optim, dcgan.s_loss], feed_dict={ dcgan.inputs: labeled_image_batches, dcgan.lbls: label_batches }) # compute g_sample loss batch_z = np.random.uniform(-1, 1, [batch_size, z_dim]) _, g_loss = session.run( [dcgan.g_optims[0], dcgan.generation["g_losses"][0]], feed_dict={ dcgan.z: batch_z, dcgan.g_learning_rate: learning_rate }) if train_iter % args.n_save == 0: # get test set performance on real labels only for both GAN-based classifier and standard one d_logits, s_logits, lbls = get_test_stats(session, dcgan, test_image_batches, test_label_batches) if args.adv_test: adv_set = [] for test_images in test_image_batches: adv_set.append( session.run(adv_x, feed_dict={x: test_images})) adv_sup_acc, adv_ss_acc, correct_uncertainty, incorrect_uncertainty, adv_acc, adv_ex_prob = get_adv_test_accuracy( session, dcgan, adv_set, test_label_batches) print("saving results") np.savez_compressed(os.path.join(args.out_dir, 'results_%i.npz' % train_iter), d_logits=d_logits, s_logits=s_logits, lbls=lbls, adv_sup_acc=adv_sup_acc, adv_sup_acc_unf=adv_ss_acc, correct_uncertainty=correct_uncertainty, incorrect_uncertainty=incorrect_uncertainty, adv_acc=adv_acc) var_dict = {} for var in tf.trainable_variables(): var_dict[var.name] = session.run(var.name) np.savez_compressed( os.path.join(args.out_dir, "weights_%i.npz" % train_iter), **var_dict) print("done") print("closing session") session.close() tf.reset_default_graph()
def train_zero_knowledge_gandef_model(train_start=0, train_end=60000, test_start=0, test_end=10000, smoke_test=True, save=False, testing=False, backprop_through_attack=False, num_threads=None): """ MNIST cleverhans tutorial :param train_start: index of first training set example :param train_end: index of last training set example :param test_start: index of first test set example :param test_end: index of last test set example :param nb_epochs: number of epochs to train model :param train_batch_size: size of training batches :param test_batch_size: size of testing batches :param learning_rate: learning rate for training :param save: if true, the final model will be saved :param testing: if true, complete an AccuracyReport for unit tests to verify that performance is adequate :param backprop_through_attack: If True, backprop through adversarial example construction process during adversarial training. :return: an AccuracyReport object """ # Object used to keep track of (and return) key accuracies report = AccuracyReport() # Set TF random seed to improve reproducibility tf.set_random_seed(1234) # Set logging level to see debug information set_log_level(logging.DEBUG) # Create TF session if num_threads: config_args = dict(intra_op_parallelism_threads=1) else: config_args = {} sess = tf.Session(config=tf.ConfigProto(**config_args)) # Get MNIST test data X_train, Y_train, X_test, Y_test = data_fashion_mnist() if smoke_test: X_train, Y_train, X_test, Y_test = X_train[: 256], Y_train[: 256], X_test[: 256], Y_test[: 256] # Define input TF placeholder x = tf.placeholder(tf.float32, shape=(None, 28, 28, 1)) y_soft = tf.placeholder(tf.float32, shape=(None, 10)) # Prepare optimizer learning_rate = 1e-4 clf_opt = tf.train.AdamOptimizer(learning_rate) dic_opt = tf.train.AdamOptimizer(learning_rate * 10) # Train an MNIST model train_params = { 'nb_epochs': 80, 'batch_size': 128, 'trade_off': 2, 'inner_epochs': 1 } rng = np.random.RandomState([2017, 8, 30]) # Adversarial training print("Start adversarial training") zero_knowledge_gandef_model = make_zero_knowledge_gandef_model( name="model_zero_knowledge_gandef") aug_x = gaussian_augment(x, std=1) preds_clean = zero_knowledge_gandef_model(x) preds_aug = zero_knowledge_gandef_model(aug_x) def cross_entropy(truth, preds, mean=True): # Get the logits operator op = preds.op if op.type == "Softmax": logits, = op.inputs else: logits = preds # Calculate cross entropy loss out = tf.nn.softmax_cross_entropy_with_logits(logits=logits, labels=truth) # Take average loss and return if mean: out = tf.reduce_mean(out) return out def sigmoid_entropy(truth, preds, mean=True): # Get the logits operator op = preds.op if op.type == "Softmax": logits, = op.inputs else: logits = preds # Calculate cross entropy loss out = tf.nn.sigmoid_cross_entropy_with_logits(logits=logits, labels=truth) # Take average loss and return if mean: out = tf.reduce_mean(out) return out # Perform and evaluate adversarial training gan_train_v2(sess, x, y_soft, preds_clean, X_train, Y_train, loss_func=[cross_entropy, sigmoid_entropy], optimizer=[clf_opt, dic_opt], predictions_adv=preds_aug, evaluate=None, args=train_params, rng=rng, var_list=zero_knowledge_gandef_model.get_gan_params()) # Evaluate the accuracy of the MNIST model on Clean examples preds_clean = zero_knowledge_gandef_model(x) eval_params = { 'batch_size': 128, 'use_dic': False, 'is_clean': True, 'reject_threshold': 0.5 } clean_acc = confident_model_eval(sess, x, y_soft, preds_clean, X_test, Y_test, args=eval_params) print('Test accuracy on Clean test examples: %0.4f\n' % clean_acc) report.adv_train_clean_eval = clean_acc # Evaluate the accuracy of the MNIST model on FGSM examples fgsm_params = {'eps': 0.6, 'clip_min': -1., 'clip_max': 1.} fgsm_att = FastGradientMethod(zero_knowledge_gandef_model, sess=sess) fgsm_adv = fgsm_att.generate(x, **fgsm_params) preds_fgsm_adv = zero_knowledge_gandef_model(fgsm_adv) eval_params = { 'batch_size': 128, 'use_dic': False, 'is_clean': False, 'reject_threshold': 0.5 } fgsm_acc = confident_model_eval(sess, x, y_soft, preds_fgsm_adv, X_test, Y_test, args=eval_params) print('Test accuracy on FGSM test examples: %0.4f\n' % fgsm_acc) report.adv_train_adv_eval = fgsm_acc # Evaluate the accuracy of the MNIST model on BIM examples bim_params = {'eps': 0.6, 'eps_iter': 0.1, 'clip_min': -1., 'clip_max': 1.} bim_att = BasicIterativeMethod(zero_knowledge_gandef_model, sess=sess) bim_adv = bim_att.generate(x, **bim_params) preds_bim_adv = zero_knowledge_gandef_model(bim_adv) eval_params = { 'batch_size': 128, 'use_dic': False, 'is_clean': False, 'reject_threshold': 0.5 } bim_acc = confident_model_eval(sess, x, y_soft, preds_bim_adv, X_test, Y_test, args=eval_params) print('Test accuracy on BIM test examples: %0.4f\n' % bim_acc) report.adv_train_adv_eval = bim_acc # Evaluate the accuracy of the MNIST model on PGD examples pgd_params = { 'eps': 0.6, 'eps_iter': 0.02, 'nb_iter': 40, 'clip_min': -1., 'clip_max': 1., 'rand_init': True } pgd_att = MadryEtAl(zero_knowledge_gandef_model, sess=sess) pgd_adv = pgd_att.generate(x, **bim_params) preds_pgd_adv = zero_knowledge_gandef_model(pgd_adv) eval_params = { 'batch_size': 128, 'use_dic': False, 'is_clean': False, 'reject_threshold': 0.5 } pgd_acc = confident_model_eval(sess, x, y_soft, preds_pgd_adv, X_test, Y_test, args=eval_params) print('Test accuracy on PGD test examples: %0.4f\n' % pgd_acc) report.adv_train_adv_eval = pgd_acc # Save model if save: model_path = "models/zero_knowledge_gandef" vars_to_save = tf.get_collection(tf.GraphKeys.GLOBAL_VARIABLES, scope='model_zero_knowledge_gandef*') assert len(vars_to_save) > 0 saver = tf.train.Saver(var_list=vars_to_save) saver.save(sess, model_path) print('Model saved\n') else: print('Model not saved\n')
def main(argv): report = AccuracyReport() print("Start Main") tf.logging.set_verbosity(tf.logging.INFO) input_shape = (32, 32, 3) num_classes = 10 x_train = np.load( '/work/cse496dl/shared/hackathon/05/cifar10_train_data.npy') y_train = np.load( '/work/cse496dl/shared/hackathon/05/cifar10_train_labels.npy') x_test = np.load( '/work/cse496dl/shared/hackathon/05/cifar10_test_data.npy') y_test = np.load( '/work/cse496dl/shared/hackathon/05/cifar10_test_labels.npy') train_data = imgs #original_train_data = imgs_large/255. test_data = test_data / 255. #input_shape = train_data.shape[0] input_shape = (64, 64, 3) num_classes = 201 print("image load complete") def model_arch(): model = Sequential() model.add(Conv2D(32, (3, 3), padding='same', input_shape=input_shape)) model.add(Activation('relu')) model.add(Conv2D(32, (3, 3))) model.add(Activation('relu')) model.add(MaxPooling2D(pool_size=(2, 2))) model.add(Dropout(0.25)) model.add(Conv2D(64, (3, 3), padding='same')) model.add(Activation('relu')) model.add(Conv2D(64, (3, 3))) model.add(Activation('relu')) model.add(MaxPooling2D(pool_size=(2, 2))) model.add(Dropout(0.25)) model.add(Flatten()) model.add(Dense(512)) model.add(Activation('relu')) model.add(Dropout(0.5)) model.add(Dense(10)) model.add(Activation('softmax')) model.compile(loss=keras.losses.categorical_crossentropy, optimizer=keras.optimizers.Adadelta(), metrics=['accuracy']) return model sess = tf.Session() keras.backend.set_session(sess) model_2 = model_arch() X_train = train_data Y_train = labels X_test = test_data Y_test = test_labels Y_train = keras.utils.to_categorical(Y_train, 10) Y_test = keras.utils.to_categorical(Y_test, 10) x = tf.placeholder(tf.float32, shape=(None, 32, 32, 3)) y = tf.placeholder(tf.float32, shape=(None, 10)) preds_2 = model_2(x) bim_params = { 'eps_iter': 0.03, 'nb_iter': 8, 'clip_min': 0., 'clip_max': 1. } fgsm_params = {'eps': 0.3, 'clip_min': 0., 'clip_max': 1.} fgsm2 = BasicIterativeMethod(model_2, sess=sess) adv_x_2 = fgsm2.generate(x, **bim_params) if not backprop_through_attack: # For the fgsm attack used in this tutorial, the attack has zero # gradient so enabling this flag does not change the gradient. # For some other attacks, enabling this flag increases the cost of # training, but gives the defender the ability to anticipate how # the atacker will change their strategy in response to updates to # the defender's parameters. adv_x_2 = tf.stop_gradient(adv_x_2) preds_2_adv = model_2(adv_x_2) print("model and fgsm created successfully") def evaluate_2(): # Accuracy of adversarially trained model on legitimate test inputs eval_params = {'batch_size': 128} accuracy = model_eval(sess, x, y, preds_2, X_test, Y_test, args=eval_params) print('Test accuracy on legitimate examples: %0.4f' % accuracy) report.adv_train_clean_eval = accuracy # Accuracy of the adversarially trained model on adversarial examples accuracy = model_eval(sess, x, y, preds_2_adv, X_test, Y_test, args=eval_params) print('Test accuracy on adversarial examples: %0.4f' % accuracy) report.adv_train_adv_eval = accuracy train_params = {'nb_epochs': 30, 'batch_size': 20, 'learning_rate': 0.01} print("train start") rng = np.random.RandomState([2017, 8, 30]) # Perform and evaluate adversarial training model_train(sess, x, y, preds_2, X_train / 255., Y_train, predictions_adv=preds_2_adv, evaluate=evaluate_2, args=train_params, rng=rng) model_2.save('bim_retrained_cifar.h5') print("train_end")
def SSGD_resnet_testing(TIN_data, resnet_params, train_params, test_params, all_params): # dict for encoding layer variables and output layer variables pre_define_vars = {} # list of variables to train train_vars = [] with tf.Graph().as_default(), tf.device('/cpu:0'): global_step = tf.Variable(0, trainable=False) # Parameters Declarification ###################################### # encoding (pretrain) layer variables with tf.variable_scope('enc_layer', reuse=tf.AUTO_REUSE) as scope: kernel1 = tf.get_variable( 'kernel1', shape=[ train_params.enc_kernel_size, train_params.enc_kernel_size, 3, train_params.enc_filters ], dtype=tf.float32, initializer=tf.contrib.layers.xavier_initializer_conv2d()) biases1 = tf.get_variable('biases1', shape=[train_params.enc_filters], dtype=tf.float32, initializer=tf.constant_initializer(0.0)) pre_define_vars['kernel1'] = kernel1 pre_define_vars['biases1'] = biases1 train_vars.append(kernel1) train_vars.append(biases1) dp_mult = all_params['dp_mult'] # output layer variables with tf.variable_scope('fc2', reuse=tf.AUTO_REUSE) as scope: stdv = 1.0 / math.sqrt(train_params.hk) final_w = tf.get_variable( 'kernel', shape=[train_params.hk, train_params.num_classes], dtype=tf.float32, initializer=tf.random_uniform_initializer(-stdv, stdv)) final_b = tf.get_variable('bias', shape=[train_params.num_classes], dtype=tf.float32, initializer=tf.constant_initializer(0.0)) pre_define_vars['final_w'] = final_w pre_define_vars['final_b'] = final_b train_vars.append(final_w) train_vars.append(final_b) ###################################### # Build a Graph that computes the logits predictions from the inputs ###################################### # input placeholders x_sb = tf.placeholder( tf.float32, [None, train_params.image_size, train_params.image_size, 3], name='x_sb') # input is the bunch of n_batchs x_test = tf.placeholder( tf.float32, [None, train_params.image_size, train_params.image_size, 3], name='x_test') y_sb = tf.placeholder( tf.float32, [None, train_params.num_classes], name='y_sb') # input is the bunch of n_batchs (super batch) y_test = tf.placeholder(tf.float32, [None, train_params.num_classes], name='y_test') noise = tf.placeholder(tf.float32, [ None, train_params.enc_h_size, train_params.enc_h_size, train_params.enc_filters ], name='noise') # one time keep_prob = tf.placeholder(tf.float32, shape=(), name='keep_prob') with tf.device('/gpu:0'): # the model for testing y_logits_test, _ = test_inference( x_sb, train_params.attack_norm_bound * noise, keep_prob, pre_define_vars, resnet_params, train_params) y_softmax_test = tf.nn.softmax(y_logits_test) correct_prediction = tf.equal(tf.argmax(y_logits_test, 1), tf.argmax(y_sb, 1)) accuracy = tf.reduce_mean(tf.cast(correct_prediction, tf.float32)) # print all variables print('$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$') all_vars = tf.global_variables() print_var_list('all vars', all_vars) print('$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$') # add selected vars into list # ('res4' in var.name and ('gamma' in var.name or 'beta' in var.name)) or for var in tf.global_variables(): if 'resnet_model' in var.name and \ ('conv0' in var.name or 'fc' in var.name or 'res3' in var.name or 'res4' in var.name or 'res1' in var.name or 'res2' in var.name) and \ ('gamma' in var.name or 'beta' in var.name or 'kernel' in var.name or 'bias' in var.name): if var not in train_vars: train_vars.append(var) elif 'enc_layer' in var.name and \ ('kernel' in var.name or 'bias' in var.name or 'gamma' in var.name or 'beta' in var.name): if var not in train_vars: train_vars.append(var) print('$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$') print_var_list('train_vars', train_vars) print('$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$') ###################################### # Create a saver. saver = tf.train.Saver(var_list=tf.all_variables(), max_to_keep=1000) # start a session with memory growth config = tf.ConfigProto(log_device_placement=False) config.gpu_options.allow_growth = True sess = tf.Session(config=config) print("session created") # list all checkpoints in ckpt_path checkpoint_path_read = os.path.join(os.getcwd() + test_params.check_point_dir) ckpts = tf.train.get_checkpoint_state(checkpoint_path_read) print(ckpts) # find the ckpt we need to load and load it for ckpt in ckpts.all_model_checkpoint_paths: # print(ckpt) ckpt_step = int(ckpt.split('-')[-1]) if ckpt_step == test_params.step_to_load: saver.restore(sess, ckpt) print('model loaded from {}'.format(ckpt)) # ####################################### # # setup all attacks attack_switch = { 'fgsm': False, 'ifgsm': True, 'deepfool': False, 'mim': True, 'spsa': False, 'cwl2': False, 'madry': True, 'stm': False } ch_model_probs = CustomCallableModelWrapper( callable_fn=inference_test_output_probs, output_layer='probs', keep_prob=keep_prob, pre_define_vars=pre_define_vars, resnet_params=resnet_params, train_params=train_params) attack_tensor_testing_dict = {} # define each attack method's tensor mu_alpha = tf.placeholder(tf.float32, [1]) # Iterative FGSM (BasicIterativeMethod/ProjectedGradientMethod with no random init) with tf.device('/gpu:0'): if attack_switch['ifgsm']: print('creating attack tensor of BasicIterativeMethod') ifgsm_obj = BasicIterativeMethod(model=ch_model_probs, sess=sess) attack_tensor_testing_dict['ifgsm'] = ifgsm_obj.generate( x=x_sb, eps=mu_alpha, eps_iter=mu_alpha / train_params.iter_step_testing, nb_iter=train_params.iter_step_testing, clip_min=-1.0, clip_max=1.0) # MomentumIterativeMethod with tf.device('/gpu:0'): if attack_switch['mim']: print('creating attack tensor of MomentumIterativeMethod') mim_obj = MomentumIterativeMethod(model=ch_model_probs, sess=sess) attack_tensor_testing_dict['mim'] = mim_obj.generate( x=x_sb, eps=mu_alpha, eps_iter=mu_alpha / train_params.iter_step_testing, nb_iter=train_params.iter_step_testing, decay_factor=1.0, clip_min=-1.0, clip_max=1.0) # MadryEtAl (Projected Grdient with random init, same as rand+fgsm) with tf.device('/gpu:0'): if attack_switch['madry']: print('creating attack tensor of MadryEtAl') madry_obj = MadryEtAl(model=ch_model_probs, sess=sess) attack_tensor_testing_dict['madry'] = madry_obj.generate( x=x_sb, eps=mu_alpha, eps_iter=mu_alpha / train_params.iter_step_testing, nb_iter=train_params.iter_step_testing, clip_min=-1.0, clip_max=1.0) # ####################################### sigmaEGM = all_params['sigmaEGM'] __noiseE = all_params['__noiseE'] grad_redis = all_params['grad_redis'] _sensitivity_2 = all_params['_sensitivity_2'] _sensitivityW = all_params['_sensitivityW'] Delta_redis = all_params['Delta_redis'] sigmaHGM = all_params['sigmaHGM'] __noiseH = all_params['__noiseH'] __noise_zero = all_params['__noise_zero'] #################################### #################################### print('start testing') start_time = time.time() log_file_path = os.getcwd() + test_params.log_file_path log_file = open(log_file_path, 'a', encoding='utf-8') attacks_and_benign = test_params.attacks + ['benign'] #===================adv samples===================== # for each eps setting for fgsm_eps in test_params.fgsm_eps_list: adv_acc_dict = {} robust_adv_acc_dict = {} robust_adv_utility_dict = {} log_str = '' eps_start_time = time.time() # cover all test data for i in range(test_params.test_epochs): test_batch = TIN_data.test.next_batch( test_params.test_batch_size) adv_images_dict = {} # test for each attack for atk in attacks_and_benign: start_time = time.time() if atk not in adv_acc_dict: adv_acc_dict[atk] = 0.0 robust_adv_acc_dict[atk] = 0.0 robust_adv_utility_dict[atk] = 0.0 if atk == 'benign': testing_img = test_batch[0] elif attack_switch[atk]: # if only one gpu available, generate adv samples in-place if atk not in adv_images_dict: adv_images_dict[atk] = sess.run( attack_tensor_testing_dict[atk], feed_dict={ x_sb: test_batch[0], mu_alpha: [fgsm_eps], keep_prob: 1.0 }) testing_img = adv_images_dict[atk] else: continue print('adv gen time: {}s'.format(time.time() - start_time)) start_time = time.time() ### PixelDP Robustness ### predictions_form_argmax = np.zeros([ test_params.test_batch_size, train_params.num_classes ]) softmax_predictions = sess.run( y_softmax_test, feed_dict={ x_sb: testing_img, noise: (__noiseE + __noiseH) / 2, keep_prob: 1.0 }) argmax_predictions = np.argmax(softmax_predictions, axis=1) for n_draws in range(1, test_params.num_samples + 1): if n_draws % 100 == 0: print( 'current draws: {}, avg draw time: {}s'.format( n_draws, (time.time() - start_time) / n_draws)) _noiseE = np.random.normal( 0.0, sigmaEGM**2, train_params.enc_h_size * train_params.enc_h_size * train_params.enc_filters).astype(np.float32) _noiseE = np.reshape(_noiseE, [ -1, train_params.enc_h_size, train_params.enc_h_size, train_params.enc_filters ]) _noise = np.random.normal( 0.0, sigmaHGM**2, train_params.enc_h_size * train_params.enc_h_size * train_params.enc_filters).astype(np.float32) _noise = np.reshape(_noise, [ -1, train_params.enc_h_size, train_params.enc_h_size, train_params.enc_filters ]) * grad_redis for j in range(test_params.test_batch_size): pred = argmax_predictions[j] predictions_form_argmax[j, pred] += 1 softmax_predictions = sess.run( y_softmax_test, feed_dict={ x_sb: testing_img, noise: (__noiseE + __noiseH) / 2 + (_noiseE + _noise) / 4, keep_prob: 1.0 }) argmax_predictions = np.argmax(softmax_predictions, axis=1) final_predictions = predictions_form_argmax is_correct = [] is_robust = [] for j in range(test_params.test_batch_size): is_correct.append( np.argmax(test_batch[1][j]) == np.argmax( final_predictions[j])) robustness_from_argmax = robustnessGGaussian.robustness_size_argmax( counts=predictions_form_argmax[j], eta=0.05, dp_attack_size=fgsm_eps, dp_epsilon=train_params.dp_epsilon, dp_delta=0.05, dp_mechanism='gaussian') / dp_mult is_robust.append(robustness_from_argmax >= fgsm_eps) adv_acc_dict[atk] += np.sum( is_correct) * 1.0 / test_params.test_batch_size robust_adv_acc_dict[atk] += np.sum([ a and b for a, b in zip(is_robust, is_correct) ]) * 1.0 / np.sum(is_robust) robust_adv_utility_dict[atk] += np.sum( is_robust) * 1.0 / test_params.test_batch_size dt = time.time() - start_time print('atk test time: {}s'.format(dt), flush=True) ############################## # average all acc for whole test data log_str += datetime.now().strftime("%Y-%m-%d_%H:%M:%S\n") log_str += 'model trained epoch: {}\n'.format( test_params.epoch_to_test) log_str += 'fgsm_eps: {}\n'.format(fgsm_eps) log_str += 'iter_step_testing: {}\n'.format( test_params.iter_step_testing) log_str += 'num_samples: {}\n'.format(test_params.num_samples) for atk in attacks_and_benign: adv_acc_dict[atk] = adv_acc_dict[atk] / test_params.test_epochs robust_adv_acc_dict[ atk] = robust_adv_acc_dict[atk] / test_params.test_epochs robust_adv_utility_dict[atk] = robust_adv_utility_dict[ atk] / test_params.test_epochs # added robust prediction log_str += " {}: {:.6f} {:.6f} {:.6f} {:.6f}\n".format( atk, adv_acc_dict[atk], robust_adv_acc_dict[atk], robust_adv_utility_dict[atk], robust_adv_acc_dict[atk] * robust_adv_utility_dict[atk]) dt = time.time() - eps_start_time print('total test time: {}s'.format(dt), flush=True) print(log_str, flush=True) print('*******************') log_file.write(log_str) log_file.write('*******************\n') log_file.flush() dt = time.time() - start_time log_file.close()
def PDP_resnet_with_pretrain_adv(TIN_data, resnet_params, train_params, params_to_save): # dict for encoding layer variables and output layer variables pre_define_vars = {} # list of variables to train train_vars = [] pretrain_vars = [] with tf.Graph().as_default(), tf.device('/cpu:0'): global_step = tf.Variable(0, trainable=False) # Parameters Declarification ###################################### # encoding (pretrain) layer variables with tf.variable_scope('enc_layer', reuse=tf.AUTO_REUSE) as scope: kernel1 = tf.get_variable('kernel1', shape=[train_params.enc_kernel_size, train_params.enc_kernel_size, 3, train_params.enc_filters], dtype=tf.float32, initializer=tf.contrib.layers.xavier_initializer_conv2d()) biases1 = tf.get_variable('biases1', shape=[train_params.enc_filters], dtype=tf.float32, initializer=tf.constant_initializer(0.0)) pre_define_vars['kernel1'] = kernel1 pre_define_vars['biases1'] = biases1 train_vars.append(kernel1) train_vars.append(biases1) pretrain_vars.append(kernel1) pretrain_vars.append(biases1) shape = kernel1.get_shape().as_list() w_t = tf.reshape(kernel1, [-1, shape[-1]]) w = tf.transpose(w_t) sing_vals = tf.svd(w, compute_uv=False) sensitivity = tf.reduce_max(sing_vals) gamma = 2*train_params.Delta2/(train_params.effective_batch_size * sensitivity) print('gamma: {}'.format(gamma)) # output layer variables with tf.variable_scope('fc2', reuse=tf.AUTO_REUSE) as scope: stdv = 1.0 / math.sqrt(train_params.hk) final_w = tf.get_variable('kernel', shape=[train_params.hk, train_params.num_classes], dtype=tf.float32, initializer=tf.random_uniform_initializer(-stdv, stdv)) final_b = tf.get_variable('bias', shape=[train_params.num_classes], dtype=tf.float32, initializer=tf.constant_initializer(0.0)) pre_define_vars['final_w'] = final_w pre_define_vars['final_b'] = final_b train_vars.append(final_w) train_vars.append(final_b) ###################################### # Build a Graph that computes the logits predictions from the inputs ###################################### # input placeholders x_sb = tf.placeholder(tf.float32, [None,train_params.image_size,train_params.image_size,3], name='x_sb') # input is the bunch of n_batchs x_sb_adv = tf.placeholder(tf.float32, [None,train_params.image_size,train_params.image_size,3], name='x_sb_adv') x_test = tf.placeholder(tf.float32, [None,train_params.image_size,train_params.image_size,3], name='x_test') y_sb = tf.placeholder(tf.float32, [None, train_params.num_classes], name='y_sb') # input is the bunch of n_batchs (super batch) y_sb_adv = tf.placeholder(tf.float32, [None, train_params.num_classes], name='y_sb_adv') y_test = tf.placeholder(tf.float32, [None, train_params.num_classes], name='y_test') FM_h = tf.placeholder(tf.float32, [None, train_params.enc_h_size, train_params.enc_h_size, train_params.enc_filters], name='FM_h') # one time noise = tf.placeholder(tf.float32, [None, train_params.image_size, train_params.image_size, 3], name='noise') # one time adv_noise = tf.placeholder(tf.float32, [None, train_params.image_size, train_params.image_size, 3], name='adv_noise') # one time learning_rate = tf.placeholder(tf.float32, shape=(), name='learning_rate') keep_prob = tf.placeholder(tf.float32, shape=(), name='keep_prob') # list of grads for each GPU tower_pretrain_grads = [] tower_train_grads = [] all_train_loss = [] # optimizers pretrain_opt = tf.train.AdamOptimizer(learning_rate) train_opt = tf.train.AdamOptimizer(learning_rate) # model and loss on one GPU with tf.device('/gpu:{}'.format(GPU_IDX[0])): # setup encoding layer training with tf.variable_scope('enc_layer', reuse=tf.AUTO_REUSE) as scope: Enc_Layer2 = EncLayer(inpt=x_sb, n_filter_in=None, n_filter_out=None, filter_size=None, W=kernel1, b=biases1, activation=tf.nn.relu) pretrain_adv = Enc_Layer2.get_train_ops2(xShape=tf.shape(x_sb_adv)[0], Delta=train_params.Delta2, epsilon=train_params.epsilon2, batch_size=None, learning_rate=None, W=kernel1, b=biases1, perturbFMx=adv_noise, perturbFM_h=FM_h) Enc_Layer3 = EncLayer(inpt=x_sb, n_filter_in=None, n_filter_out=None, filter_size=None, W=kernel1, b=biases1, activation=tf.nn.relu) pretrain_benign = Enc_Layer3.get_train_ops2(xShape=tf.shape(x_sb)[0], Delta=train_params.Delta2, epsilon=train_params.epsilon2, batch_size=None, learning_rate=None, W=kernel1, b=biases1, perturbFMx=noise, perturbFM_h=FM_h) pretrain_cost = tf.reduce_mean(pretrain_adv + pretrain_benign) print_var('pretrain_cost', pretrain_cost) # use standard loss first y_logits = inference(x_sb + noise, FM_h, keep_prob, pre_define_vars, resnet_params, train_params) y_softmax = tf.nn.softmax(y_logits) y_logits_adv = inference(x_sb_adv + adv_noise, FM_h, keep_prob, pre_define_vars, resnet_params, train_params) y_softmax_adv = tf.nn.softmax(y_logits_adv) # taylor exp # TODO: use noise here perturbW = train_params.perturbFM * final_w # train_loss = TaylorExp_no_noise(y_softmax, y_sb, y_softmax_adv, y_sb_adv, # train_params.effective_batch_size, train_params.alpha) train_loss = TaylorExp(y_softmax, y_sb, y_softmax_adv, y_sb_adv, train_params.effective_batch_size, train_params.alpha, perturbW) print_var('train_loss', train_loss) all_train_loss.append(train_loss) # split testing in each gpu x_sb_tests = tf.split(x_sb, N_ALL_GPUS, axis=0) y_softmax_test_list = [] for gpu in range(N_ALL_GPUS): with tf.device('/gpu:{}'.format(gpu)): # testing graph now in each gpu y_logits_test = test_inference(x_sb_tests[gpu] + noise, FM_h, keep_prob, pre_define_vars, resnet_params, train_params) y_softmax_test_list.append(tf.nn.softmax(y_logits_test)) y_softmax_test_concat = tf.concat(y_softmax_test_list, axis=0) print('$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$') all_vars = tf.global_variables() print_var_list('all vars', all_vars) print('$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$') # add selected vars into trainable variable list # ('res4' in var.name and ('gamma' in var.name or 'beta' in var.name)) or for var in tf.global_variables(): if 'resnet_model' in var.name and \ ('conv0' in var.name or 'fc' in var.name or 'res3' in var.name or 'res4' in var.name or 'res1' in var.name or 'res2' in var.name) and \ ('gamma' in var.name or 'beta' in var.name or 'kernel' in var.name or 'bias' in var.name): if var not in train_vars: train_vars.append(var) elif 'enc_layer' in var.name and \ ('kernel' in var.name or 'bias' in var.name): if var not in pretrain_vars: pretrain_vars.append(var) if var not in train_vars: train_vars.append(var) elif 'enc_layer' in var.name and \ ('gamma' in var.name or 'beta' in var.name): if var not in pretrain_vars: pretrain_vars.append(var) print('$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$') print_var_list('train_vars', train_vars) print_var_list('pretrain_vars', pretrain_vars) print('$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$') # op for compute grads on one gpu with tf.device('/gpu:{}'.format(GPU_IDX[0])): # get all update_ops (updates of moving averageand std) for batch normalizations update_ops = tf.get_collection(tf.GraphKeys.UPDATE_OPS) print_op_list('update ops', update_ops) enc_update_ops = [op for op in update_ops if 'enc_layer' in op.name] print_op_list('enc layer update ops', enc_update_ops) # when the gradients are computed, update the batch_norm with tf.control_dependencies(enc_update_ops): pretrain_grads = pretrain_opt.compute_gradients(pretrain_cost, var_list=pretrain_vars) print('*********** pretrain_grads ***********') for x in pretrain_grads: print(x) print('**********************') with tf.control_dependencies(update_ops): train_grads = train_opt.compute_gradients(train_loss, var_list=train_vars) print('*********** train_grads ***********') for x in train_grads: print(x) print('**********************') avg_pretrain_grads = pretrain_grads avg_train_grads = train_grads # get averaged loss tensor for pretrain and train ops total_loss = tf.reduce_sum(tf.stack(all_train_loss)) total_pretrain_loss = tf.reduce_mean(pretrain_cost) # prepare to save gradients for large batch pretrain_grads_save = [g for g,v in pretrain_grads] # print('*********** pretrain_grads_save ***********' + str(pretrain_grads_save) + '**********************') train_grads_save = [g for g,v in train_grads] # print('*********** train_grads_save ***********' + str(train_grads_save) + '**********************') pretrain_grads_shapes = [g.shape.as_list() for g in pretrain_grads_save] train_grads_shapes = [g.shape.as_list() for g in train_grads_save] # placeholders for importing saved gradients pretrain_grads_placeholders = [] for g,v in pretrain_grads: pretrain_grads_placeholders.append(tf.placeholder(tf.float32, v.shape)) train_grads_placeholders = [] for g,v in train_grads: train_grads_placeholders.append(tf.placeholder(tf.float32, v.shape)) # construct the (grad, var) list assemble_pretrain_grads = [] for i in range(len(pretrain_vars)): assemble_pretrain_grads.append((pretrain_grads_placeholders[i], pretrain_vars[i])) assemble_train_grads = [] for i in range(len(train_grads)): assemble_train_grads.append((train_grads_placeholders[i], train_vars[i])) # apply the saved gradients pretrain_op = pretrain_opt.apply_gradients(assemble_pretrain_grads, global_step=global_step) train_op = train_opt.apply_gradients(assemble_train_grads, global_step=global_step) ###################################### # Create a saver. saver = tf.train.Saver(var_list=tf.all_variables(), max_to_keep=1000) # start a session with memory growth config = tf.ConfigProto(log_device_placement=False) config.gpu_options.allow_growth=True sess = tf.Session(config=config) print("session created") # get some initial values sess.run(kernel1.initializer) _gamma = sess.run(gamma) _gamma_x = train_params.Delta2 / train_params.effective_batch_size epsilon2_update = train_params.epsilon2/(1.0 + 1.0/_gamma + 1/_gamma_x) delta_r = train_params.fgsm_eps * (train_params.image_size ** 2) _sensitivityW = sess.run(sensitivity) delta_h = _sensitivityW*(train_params.enc_h_size ** 2) #dp_mult = (train_params.Delta2 / (train_params.effective_batch_size * epsilon2_update)) / (delta_r / train_params.dp_epsilon) + \ # (2 * train_params.Delta2 / (train_params.effective_batch_size * epsilon2_update))/(delta_h / train_params.dp_epsilon) dp_mult = (train_params.Delta2*train_params.dp_epsilon) / (train_params.effective_batch_size*epsilon2_update * (delta_h / 2 + delta_r)) # save some valus for testing params_to_save['epsilon2_update'] = epsilon2_update params_to_save['dp_mult'] = dp_mult ####################################### # ADV attacks ####################################### # split input for attacks x_attacks = tf.split(x_sb, 3, axis=0) # split it into each batch # currently only ifgsm, mim, and madry attacks are available attack_switch = {'fgsm':False, 'ifgsm':True, 'deepfool':False, 'mim':True, 'spsa':False, 'cwl2':False, 'madry':True, 'stm':False} # wrap the inference ch_model_probs = CustomCallableModelWrapper(callable_fn=inference_test_output_probs, output_layer='probs', adv_noise=adv_noise, keep_prob=keep_prob, pre_define_vars=pre_define_vars, resnet_params=resnet_params, train_params=train_params) # to save the reference to the attack tensors attack_tensor_training_dict = {} attack_tensor_testing_dict = {} # placeholder for eps parameter mu_alpha = tf.placeholder(tf.float32, [1]) # Iterative FGSM (BasicIterativeMethod/ProjectedGradientMethod with no random init) # place on specific GPU with tf.device('/gpu:{}'.format(AUX_GPU_IDX[0])): print('ifgsm GPU placement') print('/gpu:{}'.format(AUX_GPU_IDX[0])) if attack_switch['ifgsm']: print('creating attack tensor of BasicIterativeMethod') ifgsm_obj = BasicIterativeMethod(model=ch_model_probs, sess=sess) attack_tensor_training_dict['ifgsm'] = ifgsm_obj.generate(x=x_attacks[0], eps=mu_alpha, eps_iter=mu_alpha/train_params.iter_step_training, nb_iter=train_params.iter_step_training, clip_min=-1.0, clip_max=1.0) attack_tensor_testing_dict['ifgsm'] = ifgsm_obj.generate(x=x_sb, eps=mu_alpha, eps_iter=mu_alpha/train_params.iter_step_testing, nb_iter=train_params.iter_step_testing, clip_min=-1.0, clip_max=1.0) # MomentumIterativeMethod # place on specific GPU with tf.device('/gpu:{}'.format(AUX_GPU_IDX[1])): print('mim GPU placement') print('/gpu:{}'.format(AUX_GPU_IDX[1])) if attack_switch['mim']: print('creating attack tensor of MomentumIterativeMethod') mim_obj = MomentumIterativeMethod(model=ch_model_probs, sess=sess) attack_tensor_training_dict['mim'] = mim_obj.generate(x=x_attacks[1], eps=mu_alpha, eps_iter=mu_alpha/train_params.iter_step_training, nb_iter=train_params.iter_step_training, decay_factor=1.0, clip_min=-1.0, clip_max=1.0) attack_tensor_testing_dict['mim'] = mim_obj.generate(x=x_sb, eps=mu_alpha, eps_iter=mu_alpha/train_params.iter_step_testing, nb_iter=train_params.iter_step_testing, decay_factor=1.0, clip_min=-1.0, clip_max=1.0) # MadryEtAl (Projected Grdient with random init, same as rand+fgsm) # place on specific GPU with tf.device('/gpu:{}'.format(AUX_GPU_IDX[2])): print('madry GPU placement') print('/gpu:{}'.format(AUX_GPU_IDX[2])) if attack_switch['madry']: print('creating attack tensor of MadryEtAl') madry_obj = MadryEtAl(model=ch_model_probs, sess=sess) attack_tensor_training_dict['madry'] = madry_obj.generate(x=x_attacks[2], eps=mu_alpha, eps_iter=mu_alpha/train_params.iter_step_training, nb_iter=train_params.iter_step_training, clip_min=-1.0, clip_max=1.0) attack_tensor_testing_dict['madry'] = madry_obj.generate(x=x_sb, eps=mu_alpha, eps_iter=mu_alpha/train_params.iter_step_testing, nb_iter=train_params.iter_step_testing, clip_min=-1.0, clip_max=1.0) # combine the tensors adv_tensors_concat = tf.concat([attack_tensor_training_dict[x] for x in train_params.attacks], axis=0) ####################################### # init op print('initialize_all_variables') init = tf.initialize_all_variables() sess.run(init) # load pretrained variables of RESNET if train_params.load_weights: # first we need to load variable name convert table tgt_var_name_dict = {} with open(train_params.weight_table_path, 'r', encoding='utf-8') as inf: lines = inf.readlines() for line in lines: var_names = line.strip().split(' ') if var_names[1] == 'NONE': continue else: tgt_var_name_dict[var_names[0]] = var_names[1] # load variables dict from checkpoint pretrained_var_dict = load_pretrained_vars() # load pre-trained vars using name convert table for var in tf.global_variables(): if var.name in tgt_var_name_dict: # print('var \"{}\" found'.format(var.name)) try: var.load(pretrained_var_dict[tgt_var_name_dict[var.name]], session=sess) print('{} loaded'.format(var.name)) except: print('var {} not loaded since shape changed'.format(var.name)) else: if 'Adam' not in var.name: print('var \"{}\" NOT FOUND'.format(var.name)) else: print('Training model from scratch') ##################################### # init noise and save for testing perturbH_test = np.random.laplace(0.0, 0, train_params.enc_h_size*train_params.enc_h_size*train_params.enc_filters) perturbH_test = np.reshape(perturbH_test, [-1, train_params.enc_h_size, train_params.enc_h_size, train_params.enc_filters]) params_to_save['perturbH_test'] = perturbH_test perturbFM_h = np.random.laplace(0.0, 2*train_params.Delta2/(epsilon2_update*train_params.effective_batch_size), train_params.enc_h_size*train_params.enc_h_size*train_params.enc_filters) perturbFM_h = np.reshape(perturbFM_h, [-1, train_params.enc_h_size, train_params.enc_h_size, train_params.enc_filters]) params_to_save['perturbFM_h'] = perturbFM_h Noise = generateIdLMNoise(train_params.image_size, train_params.Delta2, epsilon2_update, train_params.effective_batch_size) params_to_save['Noise'] = Noise Noise_test = generateIdLMNoise(train_params.image_size, 0, epsilon2_update, train_params.effective_batch_size) params_to_save['Noise_test'] = Noise_test # save params for testing with open(os.getcwd() + train_params.params_save_path, 'wb') as outf: pickle.dump(params_to_save, outf) print('params saved') #################################### print('start pretrain') start_time = time.time() lr_schedule_list = sorted(train_params.lr_schedule_pretrain.keys()) attacks_and_benign = train_params.attacks + ['benign'] # build zeros numpy arrays for accumulate grads accumu_pretrain_grads = [np.zeros(g_shape, dtype=np.float32) for g_shape in pretrain_grads_shapes] total_pretrain_loss_value = 0.0 step = 0 # pretrain loop while True: # if enough steps, break if step > train_params.pretrain_steps: break # add steps here so not forgot else: step += 1 # manual schedule learning rate current_epoch = step // (train_params.epoch_steps) current_lr = train_params.lr_schedule_pretrain[get_lr(current_epoch, lr_schedule_list)] # benign and adv batch super_batch = TIN_data.train.next_super_batch(N_GPUS, ensemble=False, random=True) adv_super_batch = TIN_data.train.next_super_batch(N_GPUS, ensemble=False, random=True) # get pretrain grads pretrain_grads_save_np, _pretain_loss_value = sess.run([pretrain_grads_save, total_pretrain_loss], feed_dict={x_sb: super_batch[0], x_sb_adv: adv_super_batch[0], learning_rate: current_lr, adv_noise: Noise_test, noise: Noise, FM_h: perturbFM_h}) # accumulate grads for i in range(len(accumu_pretrain_grads)): accumu_pretrain_grads[i] = accumu_pretrain_grads[i] + pretrain_grads_save_np[i] # accumulate loss values total_pretrain_loss_value = total_pretrain_loss_value + _pretain_loss_value # use accumulated gradients to update variables if step % train_params.batch_multi == 0 and step > 0: # print('effective batch reached at step: {}, epoch: {}'.format(step, step / train_params.epoch_steps)) # compute the average grads and build the feed dict pretrain_feed_dict = {} for i in range(len(accumu_pretrain_grads)): pretrain_feed_dict[pretrain_grads_placeholders[i]] = accumu_pretrain_grads[i] / train_params.batch_multi pretrain_feed_dict[learning_rate] = current_lr # run train ops by feeding the gradients sess.run(pretrain_op, feed_dict=pretrain_feed_dict) # get loss value avg_pretrain_loss_value = total_pretrain_loss_value / train_params.batch_multi # reset the average grads accumu_pretrain_grads = [np.zeros(g_shape, dtype=np.float32) for g_shape in pretrain_grads_shapes] total_pretrain_loss_value = 0.0 # print loss if step % (1*train_params.epoch_steps) == 0 and step >= (1*train_params.epoch_steps): print('pretrain report at step: {}, epoch: {}'.format(step, step / train_params.epoch_steps)) dt = time.time() - start_time avg_epoch_time = dt / (step / train_params.epoch_steps) print('epoch: {:.4f}, avg epoch time: {:.4f}, current_lr: {}'.format(step/train_params.epoch_steps, avg_epoch_time, current_lr), flush=True) print('pretrain_loss: {:.6f}'.format(avg_pretrain_loss_value)) #################################### print('start train') start_time = time.time() lr_schedule_list = sorted(train_params.lr_schedule.keys()) # train whole model # build zeros numpy arrays for accumulate grads accumu_pretrain_grads = [np.zeros(g_shape, dtype=np.float32) for g_shape in pretrain_grads_shapes] accumu_train_grads = [np.zeros(g_shape, dtype=np.float32) for g_shape in train_grads_shapes] total_pretrain_loss_value = 0.0 total_train_loss_value = 0.0 step = 0 # train loop while True: # if enough steps, break if step > train_params.train_steps: break # add steps here so not forgot else: step += 1 # compute the grads every step # random eps value for trianing d_eps = random.random()*train_params.random_eps_range # manual schedule learning rate current_epoch = step // (train_params.epoch_steps) current_lr = train_params.lr_schedule[get_lr(current_epoch, lr_schedule_list)] # benign and adv batch super_batch = TIN_data.train.next_super_batch(N_GPUS, ensemble=False, random=True) adv_super_batch = TIN_data.train.next_super_batch(N_GPUS, ensemble=False, random=True) # create adv samples super_batch_adv_images = sess.run(adv_tensors_concat, feed_dict={x_sb:adv_super_batch[0], keep_prob:1.0, adv_noise: Noise, mu_alpha:[d_eps]}) # get pretrain and train grads pretrain_grads_save_np, _pretain_loss_value = sess.run([pretrain_grads_save, total_pretrain_loss], feed_dict={x_sb: super_batch[0], x_sb_adv: super_batch_adv_images, learning_rate: current_lr, adv_noise: Noise_test, noise: Noise, FM_h: perturbFM_h}) train_grads_save_np, _train_loss_value = sess.run([train_grads_save, total_loss], feed_dict = {x_sb: super_batch[0], y_sb: super_batch[1], x_sb_adv: super_batch_adv_images, y_sb_adv: adv_super_batch[1], keep_prob: train_params.keep_prob, learning_rate: current_lr, noise: Noise, adv_noise: Noise_test, FM_h: perturbFM_h}) # accumulate grads for i in range(len(accumu_pretrain_grads)): accumu_pretrain_grads[i] = accumu_pretrain_grads[i] + pretrain_grads_save_np[i] for i in range(len(accumu_train_grads)): accumu_train_grads[i] = accumu_train_grads[i] + train_grads_save_np[i] # accumulate loss values total_pretrain_loss_value = total_pretrain_loss_value + _pretain_loss_value total_train_loss_value = total_train_loss_value + _train_loss_value # use accumulated gradients to update variables if step % train_params.batch_multi == 0 and step > 0: # compute the average grads and build the feed dict pretrain_feed_dict = {} for i in range(len(accumu_pretrain_grads)): pretrain_feed_dict[pretrain_grads_placeholders[i]] = accumu_pretrain_grads[i] / train_params.batch_multi pretrain_feed_dict[learning_rate] = current_lr # pretrain_feed_dict[keep_prob] = 0.5 train_feed_dict = {} for i in range(len(accumu_train_grads)): train_feed_dict[train_grads_placeholders[i]] = accumu_train_grads[i] / train_params.batch_multi train_feed_dict[learning_rate] = current_lr # train_feed_dict[keep_prob] = 0.5 # run train ops sess.run(pretrain_op, feed_dict=pretrain_feed_dict) sess.run(train_op, feed_dict=train_feed_dict) # get loss value avg_pretrain_loss_value = total_pretrain_loss_value / train_params.batch_multi avg_train_loss_value = total_train_loss_value / train_params.batch_multi # reset the average grads accumu_pretrain_grads = [np.zeros(g_shape, dtype=np.float32) for g_shape in pretrain_grads_shapes] accumu_train_grads = [np.zeros(g_shape, dtype=np.float32) for g_shape in train_grads_shapes] total_pretrain_loss_value = 0.0 total_train_loss_value = 0.0 # print status every epoch if step % int(train_params.epoch_steps) == 0: dt = time.time() - start_time avg_epoch_time = dt / (step / train_params.epoch_steps) print('epoch: {:.4f}, avg epoch time: {:.4f}s, current_lr: {}'.format(step/train_params.epoch_steps, avg_epoch_time, current_lr), flush=True) # save model if step % int(train_params.epoch_steps) == 0 and int(step / train_params.epoch_steps) in train_params.epochs_to_save: print('saving model at epoch {}'.format(step / train_params.epoch_steps)) checkpoint_path = os.path.join(os.getcwd() + train_params.check_point_dir, 'model.ckpt') saver.save(sess, checkpoint_path, global_step=step) # testing during training if step % int(train_params.epoch_steps) == 0 and int(step / train_params.epoch_steps) in train_params.epochs_to_test: test_start = time.time() print('train test reported at step: {}, epoch: {}'.format(step, step / train_params.epoch_steps)) dt = time.time() - start_time avg_epoch_time = dt / (step / train_params.epoch_steps) print('epoch: {:.4f}, avg epoch time: {:.4f}s, current_lr: {}'.format(step/train_params.epoch_steps, avg_epoch_time, current_lr), flush=True) print('pretrain_loss: {:.6f}, train_loss: {:.6f}'.format(avg_pretrain_loss_value, avg_train_loss_value)) # print('output layer: \n\t{}'.format(output_layer_value)) #===================adv samples===================== adv_acc_dict = {} robust_adv_acc_dict = {} robust_adv_utility_dict = {} log_str = '' # cover all test data for i in range(train_params.test_epochs): test_batch = TIN_data.test.next_batch(train_params.test_batch_size) # if more GPUs available, generate testing adv samples at once if N_AUX_GPUS > 1: adv_images_dict = sess.run(attack_tensor_testing_dict, feed_dict ={x_sb: test_batch[0], adv_noise: Noise_test, mu_alpha: [train_params.fgsm_eps], keep_prob: 1.0}) else: adv_images_dict = {} # test for each attack for atk in attacks_and_benign: if atk not in adv_acc_dict: adv_acc_dict[atk] = 0.0 robust_adv_acc_dict[atk] = 0.0 robust_adv_utility_dict[atk] = 0.0 if atk == 'benign': testing_img = test_batch[0] elif attack_switch[atk]: # if only one gpu available, generate adv samples in-place if atk not in adv_images_dict: adv_images_dict[atk] = sess.run(attack_tensor_testing_dict[atk], feed_dict ={x_sb:test_batch[0], adv_noise: Noise_test, mu_alpha:[train_params.fgsm_eps], keep_prob: 1.0}) testing_img = adv_images_dict[atk] else: continue ### PixelDP Robustness ### predictions_form_argmax = np.zeros([train_params.test_batch_size, train_params.num_classes]) softmax_predictions = sess.run(y_softmax_test_concat, feed_dict={x_sb: testing_img, noise: Noise, FM_h: perturbFM_h, keep_prob: 1.0}) argmax_predictions = np.argmax(softmax_predictions, axis=1) for n_draws in range(0, train_params.num_samples): _BenignLNoise = generateIdLMNoise(train_params.image_size, train_params.Delta2, epsilon2_update, train_params.effective_batch_size) _perturbFM_h = np.random.laplace(0.0, 2*train_params.Delta2/(epsilon2_update*train_params.effective_batch_size), train_params.enc_h_size*train_params.enc_h_size*train_params.enc_filters) _perturbFM_h = np.reshape(_perturbFM_h, [-1, train_params.enc_h_size, train_params.enc_h_size, train_params.enc_filters]) for j in range(train_params.test_batch_size): pred = argmax_predictions[j] predictions_form_argmax[j, pred] += 1 softmax_predictions = sess.run(y_softmax_test_concat, feed_dict={x_sb: testing_img, noise: (_BenignLNoise/10 + Noise), FM_h: perturbFM_h, keep_prob: 1.0}) * \ sess.run(y_softmax_test_concat, feed_dict={x_sb: testing_img, noise: Noise, FM_h: (_perturbFM_h/10 + perturbFM_h), keep_prob: 1.0}) argmax_predictions = np.argmax(softmax_predictions, axis=1) final_predictions = predictions_form_argmax is_correct = [] is_robust = [] for j in range(train_params.test_batch_size): is_correct.append(np.argmax(test_batch[1][j]) == np.argmax(final_predictions[j])) robustness_from_argmax = robustness.robustness_size_argmax(counts=predictions_form_argmax[j], eta=0.05, dp_attack_size=train_params.fgsm_eps, dp_epsilon=train_params.dp_epsilon, dp_delta=0.05, dp_mechanism='laplace') / dp_mult is_robust.append(robustness_from_argmax >= train_params.fgsm_eps) adv_acc_dict[atk] += np.sum(is_correct)*1.0/train_params.test_batch_size robust_adv_acc_dict[atk] += np.sum([a and b for a,b in zip(is_robust, is_correct)])*1.0/np.sum(is_robust) robust_adv_utility_dict[atk] += np.sum(is_robust)*1.0/train_params.test_batch_size ############################## # average all acc for whole test data for atk in attacks_and_benign: adv_acc_dict[atk] = adv_acc_dict[atk] / train_params.test_epochs robust_adv_acc_dict[atk] = robust_adv_acc_dict[atk] / train_params.test_epochs robust_adv_utility_dict[atk] = robust_adv_utility_dict[atk] / train_params.test_epochs # added robust prediction log_str += " {}: {:.6f} {:.6f} {:.6f} {:.6f}\n".format(atk, adv_acc_dict[atk], robust_adv_acc_dict[atk], robust_adv_utility_dict[atk], robust_adv_acc_dict[atk] * robust_adv_utility_dict[atk]) dt = time.time() - test_start print('testing time: {}'.format(dt)) print(log_str, flush=True) print('*******************')
def mnist_tutorial(train_start=0, train_end=60000, test_start=0, test_end=10000, nb_epochs=NB_EPOCHS, batch_size=BATCH_SIZE, learning_rate=LEARNING_RATE, train_dir=TRAIN_DIR, filename=FILENAME, load_model=LOAD_MODEL, testing=True, label_smoothing=0.1): """ MNIST CleverHans tutorial :param train_start: index of first training set example :param train_end: index of last training set example :param test_start: index of first test set example :param test_end: index of last test set example :param nb_epochs: number of epochs to train model :param batch_size: size of training batches :param learning_rate: learning rate for training :param train_dir: Directory storing the saved model :param filename: Filename to save model under :param load_model: True for load, False for not load :param testing: if true, test error is calculated :param label_smoothing: float, amount of label smoothing for cross entropy :return: an AccuracyReport object """ tf.keras.backend.set_learning_phase(0) # Object used to keep track of (and return) key accuracies report = AccuracyReport() # Set TF random seed to improve reproducibility tf.set_random_seed(1234) if keras.backend.image_data_format() != 'channels_last': raise NotImplementedError( "this tutorial requires keras to be configured to channels_last format" ) # Create TF session and set as Keras backend session sess = tf.Session() keras.backend.set_session(sess) # Get MNIST test data mnist = MNIST(train_start=train_start, train_end=train_end, test_start=test_start, test_end=test_end) x_train, y_train = mnist.get_set('train') x_test, y_test = mnist.get_set('test') # Obtain Image Parameters img_rows, img_cols, nchannels = x_train.shape[1:4] nb_classes = y_train.shape[1] # Define input TF placeholder x = tf.placeholder(tf.float32, shape=(None, img_rows, img_cols, nchannels)) y = tf.placeholder(tf.float32, shape=(None, nb_classes)) # Define TF model graph model = cnn_model(img_rows=img_rows, img_cols=img_cols, channels=nchannels, nb_filters=64, nb_classes=nb_classes) preds = model(x) print("Defined TensorFlow model graph.") def evaluate(): # Evaluate the accuracy of the MNIST model on legitimate test examples eval_params = {'batch_size': batch_size} acc = model_eval(sess, x, y, preds, x_test, y_test, args=eval_params) report.clean_train_clean_eval = acc print('Test accuracy on legitimate examples: %0.4f' % acc) # Train an MNIST model train_params = { 'nb_epochs': nb_epochs, 'batch_size': batch_size, 'learning_rate': learning_rate, 'train_dir': train_dir, 'filename': filename } rng = np.random.RandomState([2017, 8, 30]) if not os.path.exists(train_dir): os.mkdir(train_dir) ckpt = tf.train.get_checkpoint_state(train_dir) print(train_dir, ckpt) ckpt_path = False if ckpt is None else ckpt.model_checkpoint_path wrap = KerasModelWrapper(model) if load_model and ckpt_path: saver = tf.train.Saver() print(ckpt_path) saver.restore(sess, ckpt_path) print("Model loaded from: {}".format(ckpt_path)) evaluate() else: print("Model was not loaded, training from scratch.") loss = CrossEntropy(wrap, smoothing=label_smoothing) train(sess, loss, x_train, y_train, evaluate=evaluate, args=train_params, rng=rng) # Calculate training error if testing: eval_params = {'batch_size': batch_size} acc = model_eval(sess, x, y, preds, x_train, y_train, args=eval_params) report.train_clean_train_clean_eval = acc bim = BasicIterativeMethod(wrap, sess=sess) bim_params = { 'eps': 0.3, 'clip_min': 0., 'clip_max': 1., 'nb_iter': 50, 'eps_iter': .01 } adv_x = bim.generate(x, **bim_params) x_adv_test = sess.run(adv_x, feed_dict={x: x_test}) x_adv_train = sess.run(adv_x, feed_dict={x: x_train}) def evaluate_adv(): # Evaluate the accuracy of the MNIST model on legitimate test examples eval_params = {'batch_size': batch_size} acc = model_eval(sess, x, y, preds, x_adv_test, y_test, args=eval_params) report.clean_train_clean_eval = acc print('Test accuracy on legitimate examples: %0.4f' % acc) evaluate_adv() save_list = [x_adv_train, x_adv_test] print(x_adv_train.shape) print(x_adv_test.shape) pickle.dump(save_list, open("./bim.pkl", 'wb'))
def train(cifar10_data, epochs, L, learning_rate, scale3, Delta2, epsilon2, eps2_ratio, alpha, perturbFM, fgsm_eps, total_eps, logfile): logfile.write("fgsm_eps \t %g, LR \t %g, alpha \t %d , epsilon \t %d \n" % (fgsm_eps, learning_rate, alpha, total_eps)) """Train CIFAR-10 for a number of steps.""" with tf.Graph().as_default(): global_step = tf.Variable(0, trainable=False) eps_benign = 1 / (1 + eps2_ratio) * (epsilon2) eps_adv = eps2_ratio / (1 + eps2_ratio) * (epsilon2) # Parameters Declarification #with tf.variable_scope('conv1') as scope: kernel1 = _variable_with_weight_decay( 'kernel1', shape=[4, 4, 3, 128], stddev=np.sqrt(2.0 / (5 * 5 * 256)) / math.ceil(5 / 2), wd=0.0, collect=[AECODER_VARIABLES]) biases1 = _bias_on_cpu('biases1', [128], tf.constant_initializer(0.0), collect=[AECODER_VARIABLES]) shape = kernel1.get_shape().as_list() w_t = tf.reshape(kernel1, [-1, shape[-1]]) w = tf.transpose(w_t) sing_vals = tf.svd(w, compute_uv=False) sensitivity = tf.reduce_max(sing_vals) gamma = 2 * Delta2 / (L * sensitivity ) #2*3*(14*14 + 2)*16/(L*sensitivity) #with tf.variable_scope('conv2') as scope: kernel2 = _variable_with_weight_decay( 'kernel2', shape=[5, 5, 128, 128], stddev=np.sqrt(2.0 / (5 * 5 * 256)) / math.ceil(5 / 2), wd=0.0, collect=[CONV_VARIABLES]) biases2 = _bias_on_cpu('biases2', [128], tf.constant_initializer(0.1), collect=[CONV_VARIABLES]) #with tf.variable_scope('conv3') as scope: kernel3 = _variable_with_weight_decay( 'kernel3', shape=[5, 5, 256, 256], stddev=np.sqrt(2.0 / (5 * 5 * 256)) / math.ceil(5 / 2), wd=0.0, collect=[CONV_VARIABLES]) biases3 = _bias_on_cpu('biases3', [256], tf.constant_initializer(0.1), collect=[CONV_VARIABLES]) #with tf.variable_scope('local4') as scope: kernel4 = _variable_with_weight_decay( 'kernel4', shape=[int(image_size / 4)**2 * 256, hk], stddev=0.04, wd=0.004, collect=[CONV_VARIABLES]) biases4 = _bias_on_cpu('biases4', [hk], tf.constant_initializer(0.1), collect=[CONV_VARIABLES]) #with tf.variable_scope('local5') as scope: kernel5 = _variable_with_weight_decay( 'kernel5', [hk, 10], stddev=np.sqrt(2.0 / (int(image_size / 4)**2 * 256)) / math.ceil(5 / 2), wd=0.0, collect=[CONV_VARIABLES]) biases5 = _bias_on_cpu('biases5', [10], tf.constant_initializer(0.1), collect=[CONV_VARIABLES]) #scale2 = tf.Variable(tf.ones([hk])) #beta2 = tf.Variable(tf.zeros([hk])) params = [ kernel1, biases1, kernel2, biases2, kernel3, biases3, kernel4, biases4, kernel5, biases5 ] ######## # Build a Graph that computes the logits predictions from the # inference model. FM_h = tf.placeholder(tf.float32, [None, 14, 14, 128]) noise = tf.placeholder(tf.float32, [None, image_size, image_size, 3]) adv_noise = tf.placeholder(tf.float32, [None, image_size, image_size, 3]) x = tf.placeholder(tf.float32, [None, image_size, image_size, 3]) adv_x = tf.placeholder(tf.float32, [None, image_size, image_size, 3]) # Auto-Encoder # Enc_Layer2 = EncLayer(inpt=adv_x, n_filter_in=3, n_filter_out=128, filter_size=3, W=kernel1, b=biases1, activation=tf.nn.relu) pretrain_adv = Enc_Layer2.get_train_ops2(xShape=tf.shape(adv_x)[0], Delta=Delta2, epsilon=epsilon2, batch_size=L, learning_rate=learning_rate, W=kernel1, b=biases1, perturbFMx=adv_noise, perturbFM_h=FM_h) Enc_Layer3 = EncLayer(inpt=x, n_filter_in=3, n_filter_out=128, filter_size=3, W=kernel1, b=biases1, activation=tf.nn.relu) pretrain_benign = Enc_Layer3.get_train_ops2( xShape=tf.shape(x)[0], Delta=Delta2, epsilon=epsilon2, batch_size=L, learning_rate=learning_rate, W=kernel1, b=biases1, perturbFMx=noise, perturbFM_h=FM_h) cost = tf.reduce_sum((Enc_Layer2.cost + Enc_Layer3.cost) / 2.0) ### x_image = x + noise y_conv = inference(x_image, FM_h, params) softmax_y_conv = tf.nn.softmax(y_conv) y_ = tf.placeholder(tf.float32, [None, 10]) adv_x += adv_noise y_adv_conv = inference(adv_x, FM_h, params) adv_y_ = tf.placeholder(tf.float32, [None, 10]) # Calculate loss. Apply Taylor Expansion for the output layer perturbW = perturbFM * params[8] loss = cifar10.TaylorExp(y_conv, y_, y_adv_conv, adv_y_, L, alpha, perturbW) # Build a Graph that trains the model with one batch of examples and # updates the model parameters. #pretrain_step = tf.train.AdamOptimizer(1e-4).minimize(pretrain_adv, global_step=global_step, var_list=[kernel1, biases1]); pretrain_var_list = tf.get_collection(AECODER_VARIABLES) train_var_list = tf.get_collection(CONV_VARIABLES) #print(pretrain_var_list) #print(train_var_list) update_ops = tf.get_collection(tf.GraphKeys.UPDATE_OPS) with tf.control_dependencies(update_ops): pretrain_step = tf.train.AdamOptimizer(learning_rate).minimize( pretrain_adv + pretrain_benign, global_step=global_step, var_list=pretrain_var_list) train_op = cifar10.train(loss, global_step, learning_rate, _var_list=train_var_list) sess = tf.Session(config=tf.ConfigProto(log_device_placement=False)) sess.run(kernel1.initializer) dp_epsilon = 1.0 _gamma = sess.run(gamma) _gamma_x = Delta2 / L epsilon2_update = epsilon2 / (1.0 + 1.0 / _gamma + 1 / _gamma_x) print(epsilon2_update / _gamma + epsilon2_update / _gamma_x) print(epsilon2_update) delta_r = fgsm_eps * (image_size**2) _sensitivityW = sess.run(sensitivity) delta_h = _sensitivityW * (14**2) #delta_h = 1.0 * delta_r; #sensitivity*(14**2) = sensitivity*(\beta**2) can also be used #dp_mult = (Delta2/(L*epsilon2))/(delta_r / dp_epsilon) + (2*Delta2/(L*epsilon2))/(delta_h / dp_epsilon) dp_mult = (Delta2 / (L * epsilon2_update)) / (delta_r / dp_epsilon) + ( 2 * Delta2 / (L * epsilon2_update)) / (delta_h / dp_epsilon) dynamic_eps = tf.placeholder(tf.float32) """y_test = inference(x, FM_h, params) softmax_y = tf.nn.softmax(y_test); c_x_adv = fgsm(x, softmax_y, eps=dynamic_eps/3, clip_min=-1.0, clip_max=1.0) x_adv = tf.reshape(c_x_adv, [L, image_size, image_size, 3])""" attack_switch = { 'fgsm': True, 'ifgsm': True, 'deepfool': False, 'mim': True, 'spsa': False, 'cwl2': False, 'madry': True, 'stm': False } ch_model_probs = CustomCallableModelWrapper( callable_fn=inference_test_input_probs, output_layer='probs', params=params, image_size=image_size, adv_noise=adv_noise) # define each attack method's tensor mu_alpha = tf.placeholder(tf.float32, [1]) attack_tensor_dict = {} # FastGradientMethod if attack_switch['fgsm']: print('creating attack tensor of FastGradientMethod') fgsm_obj = FastGradientMethod(model=ch_model_probs, sess=sess) #x_adv_test_fgsm = fgsm_obj.generate(x=x, eps=fgsm_eps, clip_min=-1.0, clip_max=1.0, ord=2) # testing now x_adv_test_fgsm = fgsm_obj.generate(x=x, eps=mu_alpha, clip_min=-1.0, clip_max=1.0) # testing now attack_tensor_dict['fgsm'] = x_adv_test_fgsm # Iterative FGSM (BasicIterativeMethod/ProjectedGradientMethod with no random init) # default: eps_iter=0.05, nb_iter=10 if attack_switch['ifgsm']: print('creating attack tensor of BasicIterativeMethod') ifgsm_obj = BasicIterativeMethod(model=ch_model_probs, sess=sess) #x_adv_test_ifgsm = ifgsm_obj.generate(x=x, eps=fgsm_eps, eps_iter=fgsm_eps/10, nb_iter=10, clip_min=-1.0, clip_max=1.0, ord=2) x_adv_test_ifgsm = ifgsm_obj.generate(x=x, eps=mu_alpha, eps_iter=fgsm_eps / 3, nb_iter=3, clip_min=-1.0, clip_max=1.0) attack_tensor_dict['ifgsm'] = x_adv_test_ifgsm # MomentumIterativeMethod # default: eps_iter=0.06, nb_iter=10 if attack_switch['mim']: print('creating attack tensor of MomentumIterativeMethod') mim_obj = MomentumIterativeMethod(model=ch_model_probs, sess=sess) #x_adv_test_mim = mim_obj.generate(x=x, eps=fgsm_eps, eps_iter=fgsm_eps/10, nb_iter=10, decay_factor=1.0, clip_min=-1.0, clip_max=1.0, ord=2) x_adv_test_mim = mim_obj.generate(x=x, eps=mu_alpha, eps_iter=fgsm_eps / 3, nb_iter=3, decay_factor=1.0, clip_min=-1.0, clip_max=1.0) attack_tensor_dict['mim'] = x_adv_test_mim # MadryEtAl (Projected Grdient with random init, same as rand+fgsm) # default: eps_iter=0.01, nb_iter=40 if attack_switch['madry']: print('creating attack tensor of MadryEtAl') madry_obj = MadryEtAl(model=ch_model_probs, sess=sess) #x_adv_test_madry = madry_obj.generate(x=x, eps=fgsm_eps, eps_iter=fgsm_eps/10, nb_iter=10, clip_min=-1.0, clip_max=1.0, ord=2) x_adv_test_madry = madry_obj.generate(x=x, eps=mu_alpha, eps_iter=fgsm_eps / 3, nb_iter=3, clip_min=-1.0, clip_max=1.0) attack_tensor_dict['madry'] = x_adv_test_madry #====================== attack ========================= #adv_logits, _ = inference(c_x_adv + W_conv1Noise, perturbFM, params) # Create a saver. saver = tf.train.Saver(tf.all_variables()) # Build an initialization operation to run below. init = tf.initialize_all_variables() sess.run(init) # Start the queue runners. #tf.train.start_queue_runners(sess=sess) summary_writer = tf.summary.FileWriter(os.getcwd() + dirCheckpoint, sess.graph) # load the most recent models _global_step = 0 ckpt = tf.train.get_checkpoint_state(FLAGS.checkpoint_dir) if ckpt and ckpt.model_checkpoint_path: print(ckpt.model_checkpoint_path) saver.restore(sess, ckpt.model_checkpoint_path) _global_step = int( ckpt.model_checkpoint_path.split('/')[-1].split('-')[-1]) else: print('No checkpoint file found') T = int(int(math.ceil(D / L)) * epochs + 1) # number of steps step_for_epoch = int(math.ceil(D / L)) #number of steps for one epoch perturbH_test = np.random.laplace(0.0, 0, 14 * 14 * 128) perturbH_test = np.reshape(perturbH_test, [-1, 14, 14, 128]) #W_conv1Noise = np.random.laplace(0.0, Delta2/(L*epsilon2), 32 * 32 * 3).astype(np.float32) #W_conv1Noise = np.reshape(_W_conv1Noise, [32, 32, 3]) perturbFM_h = np.random.laplace(0.0, 2 * Delta2 / (epsilon2_update * L), 14 * 14 * 128) perturbFM_h = np.reshape(perturbFM_h, [-1, 14, 14, 128]) #_W_adv = np.random.laplace(0.0, 0, 32 * 32 * 3).astype(np.float32) #_W_adv = np.reshape(_W_adv, [32, 32, 3]) #_perturbFM_h_adv = np.random.laplace(0.0, 0, 10*10*128) #_perturbFM_h_adv = np.reshape(_perturbFM_h_adv, [10, 10, 128]); test_size = len(cifar10_data.test.images) #beta = redistributeNoise(os.getcwd() + '/LRP_0_25_v12.txt') #BenignLNoise = generateIdLMNoise(image_size, Delta2, eps_benign, L) #generateNoise(image_size, Delta2, eps_benign, L, beta); #AdvLnoise = generateIdLMNoise(image_size, Delta2, eps_adv, L) Noise = generateIdLMNoise(image_size, Delta2, epsilon2_update, L) #generateNoise(image_size, Delta2, eps_adv, L, beta); Noise_test = generateIdLMNoise( image_size, 0, epsilon2_update, L) #generateNoise(image_size, 0, 2*epsilon2, test_size, beta); emsemble_L = int(L / 3) preT_epochs = 100 pre_T = int(int(math.ceil(D / L)) * preT_epochs + 1) """logfile.write("pretrain: \n") for step in range(_global_step, _global_step + pre_T): d_eps = random.random()*0.5; batch = cifar10_data.train.next_batch(L); #Get a random batch. adv_images = sess.run(x_adv, feed_dict = {x: batch[0], dynamic_eps: d_eps, FM_h: perturbH_test}) for iter in range(0, 2): adv_images = sess.run(x_adv, feed_dict = {x: adv_images, dynamic_eps: d_eps, FM_h: perturbH_test}) #sess.run(pretrain_step, feed_dict = {x: batch[0], noise: AdvLnoise, FM_h: perturbFM_h}); batch = cifar10_data.train.next_batch(L); sess.run(pretrain_step, feed_dict = {x: np.append(batch[0], adv_images, axis = 0), noise: Noise, FM_h: perturbFM_h}); if step % int(25*step_for_epoch) == 0: cost_value = sess.run(cost, feed_dict={x: cifar10_data.test.images, noise: Noise_test, FM_h: perturbH_test})/(test_size*128) logfile.write("step \t %d \t %g \n"%(step, cost_value)) print(cost_value) print('pre_train finished')""" _global_step = 0 for step in xrange(_global_step, _global_step + T): start_time = time.time() d_eps = random.random() * 0.5 batch = cifar10_data.train.next_batch(emsemble_L) #Get a random batch. y_adv_batch = batch[1] """adv_images = sess.run(x_adv, feed_dict = {x: batch[0], dynamic_eps: d_eps, FM_h: perturbH_test}) for iter in range(0, 2): adv_images = sess.run(x_adv, feed_dict = {x: adv_images, dynamic_eps: d_eps, FM_h: perturbH_test})""" adv_images_ifgsm = sess.run(attack_tensor_dict['ifgsm'], feed_dict={ x: batch[0], adv_noise: Noise, mu_alpha: [d_eps] }) batch = cifar10_data.train.next_batch(emsemble_L) y_adv_batch = np.append(y_adv_batch, batch[1], axis=0) adv_images_mim = sess.run(attack_tensor_dict['mim'], feed_dict={ x: batch[0], adv_noise: Noise, mu_alpha: [d_eps] }) batch = cifar10_data.train.next_batch(emsemble_L) y_adv_batch = np.append(y_adv_batch, batch[1], axis=0) adv_images_madry = sess.run(attack_tensor_dict['madry'], feed_dict={ x: batch[0], adv_noise: Noise, mu_alpha: [d_eps] }) adv_images = np.append(np.append(adv_images_ifgsm, adv_images_mim, axis=0), adv_images_madry, axis=0) batch = cifar10_data.train.next_batch(L) #Get a random batch. sess.run(pretrain_step, feed_dict={ x: batch[0], adv_x: adv_images, adv_noise: Noise_test, noise: Noise, FM_h: perturbFM_h }) _, loss_value = sess.run( [train_op, loss], feed_dict={ x: batch[0], y_: batch[1], adv_x: adv_images, adv_y_: y_adv_batch, noise: Noise, adv_noise: Noise_test, FM_h: perturbFM_h }) duration = time.time() - start_time assert not np.isnan(loss_value), 'Model diverged with loss = NaN' # report the result periodically if step % (50 * step_for_epoch) == 0 and step >= (300 * step_for_epoch): '''predictions_form_argmax = np.zeros([test_size, 10]) softmax_predictions = sess.run(softmax_y_conv, feed_dict={x: cifar10_data.test.images, noise: Noise_test, FM_h: perturbH_test}) argmax_predictions = np.argmax(softmax_predictions, axis=1) """for n_draws in range(0, 2000): _BenignLNoise = generateIdLMNoise(image_size, Delta2, epsilon2, L) _perturbFM_h = np.random.laplace(0.0, 2*Delta2/(epsilon2*L), 14*14*128) _perturbFM_h = np.reshape(_perturbFM_h, [-1, 14, 14, 128]);""" for j in range(test_size): pred = argmax_predictions[j] predictions_form_argmax[j, pred] += 2000; """softmax_predictions = sess.run(softmax_y_conv, feed_dict={x: cifar10_data.test.images, noise: _BenignLNoise, FM_h: _perturbFM_h}) argmax_predictions = np.argmax(softmax_predictions, axis=1)""" final_predictions = predictions_form_argmax; is_correct = [] is_robust = [] for j in range(test_size): is_correct.append(np.argmax(cifar10_data.test.labels[j]) == np.argmax(final_predictions[j])) robustness_from_argmax = robustness.robustness_size_argmax(counts=predictions_form_argmax[j],eta=0.05,dp_attack_size=fgsm_eps, dp_epsilon=1.0, dp_delta=0.05, dp_mechanism='laplace') / dp_mult is_robust.append(robustness_from_argmax >= fgsm_eps) acc = np.sum(is_correct)*1.0/test_size robust_acc = np.sum([a and b for a,b in zip(is_robust, is_correct)])*1.0/np.sum(is_robust) robust_utility = np.sum(is_robust)*1.0/test_size log_str = "step: {:.1f}\t epsilon: {:.1f}\t benign: {:.4f} \t {:.4f} \t {:.4f} \t {:.4f} \t".format(step, total_eps, acc, robust_acc, robust_utility, robust_acc*robust_utility)''' #===================adv samples===================== log_str = "step: {:.1f}\t epsilon: {:.1f}\t".format( step, total_eps) """adv_images_dict = {} for atk in attack_switch.keys(): if attack_switch[atk]: adv_images_dict[atk] = sess.run(attack_tensor_dict[atk], feed_dict ={x:cifar10_data.test.images}) print("Done with the generating of Adversarial samples")""" #===================adv samples===================== adv_acc_dict = {} robust_adv_acc_dict = {} robust_adv_utility_dict = {} test_bach_size = 5000 for atk in attack_switch.keys(): print(atk) if atk not in adv_acc_dict: adv_acc_dict[atk] = -1 robust_adv_acc_dict[atk] = -1 robust_adv_utility_dict[atk] = -1 if attack_switch[atk]: test_bach = cifar10_data.test.next_batch( test_bach_size) adv_images_dict = sess.run(attack_tensor_dict[atk], feed_dict={ x: test_bach[0], adv_noise: Noise_test, mu_alpha: [fgsm_eps] }) print("Done adversarial examples") ### PixelDP Robustness ### predictions_form_argmax = np.zeros( [test_bach_size, 10]) softmax_predictions = sess.run(softmax_y_conv, feed_dict={ x: adv_images_dict, noise: Noise, FM_h: perturbFM_h }) argmax_predictions = np.argmax(softmax_predictions, axis=1) for n_draws in range(0, 1000): _BenignLNoise = generateIdLMNoise( image_size, Delta2, epsilon2_update, L) _perturbFM_h = np.random.laplace( 0.0, 2 * Delta2 / (epsilon2_update * L), 14 * 14 * 128) _perturbFM_h = np.reshape(_perturbFM_h, [-1, 14, 14, 128]) if n_draws == 500: print("n_draws = 500") for j in range(test_bach_size): pred = argmax_predictions[j] predictions_form_argmax[j, pred] += 1 softmax_predictions = sess.run( softmax_y_conv, feed_dict={ x: adv_images_dict, noise: (_BenignLNoise / 10 + Noise), FM_h: perturbFM_h }) * sess.run( softmax_y_conv, feed_dict={ x: adv_images_dict, noise: Noise, FM_h: (_perturbFM_h / 10 + perturbFM_h) }) #softmax_predictions = sess.run(softmax_y_conv, feed_dict={x: adv_images_dict, noise: (_BenignLNoise), FM_h: perturbFM_h}) * sess.run(softmax_y_conv, feed_dict={x: adv_images_dict, noise: Noise, FM_h: (_perturbFM_h)}) argmax_predictions = np.argmax(softmax_predictions, axis=1) final_predictions = predictions_form_argmax is_correct = [] is_robust = [] for j in range(test_bach_size): is_correct.append( np.argmax(test_bach[1][j]) == np.argmax( final_predictions[j])) robustness_from_argmax = robustness.robustness_size_argmax( counts=predictions_form_argmax[j], eta=0.05, dp_attack_size=fgsm_eps, dp_epsilon=dp_epsilon, dp_delta=0.05, dp_mechanism='laplace') / dp_mult is_robust.append( robustness_from_argmax >= fgsm_eps) adv_acc_dict[atk] = np.sum( is_correct) * 1.0 / test_bach_size robust_adv_acc_dict[atk] = np.sum([ a and b for a, b in zip(is_robust, is_correct) ]) * 1.0 / np.sum(is_robust) robust_adv_utility_dict[atk] = np.sum( is_robust) * 1.0 / test_bach_size ############################## for atk in attack_switch.keys(): if attack_switch[atk]: # added robust prediction log_str += " {}: {:.4f} {:.4f} {:.4f} {:.4f}".format( atk, adv_acc_dict[atk], robust_adv_acc_dict[atk], robust_adv_utility_dict[atk], robust_adv_acc_dict[atk] * robust_adv_utility_dict[atk]) print(log_str) logfile.write(log_str + '\n') # Save the model checkpoint periodically. if step % (10 * step_for_epoch) == 0 and (step > _global_step): num_examples_per_step = L examples_per_sec = num_examples_per_step / duration sec_per_batch = float(duration) format_str = ( '%s: step %d, loss = %.2f (%.1f examples/sec; %.3f ' 'sec/batch)') print(format_str % (datetime.now(), step, loss_value, examples_per_sec, sec_per_batch)) """if step % (50*step_for_epoch) == 0 and (step >= 900*step_for_epoch):
def mnist_tutorial(train_start=0, train_end=60000, test_start=0, test_end=10000, nb_epochs=6, batch_size=128, epsilon=0.3, learning_rate=0.001, train_dir="/tmp", filename="mnist.ckpt", load_model=False, testing=False): """ MNIST CleverHans tutorial :param train_start: index of first training set example :param train_end: index of last training set example :param test_start: index of first test set example :param test_end: index of last test set example :param nb_epochs: number of epochs to train model :param batch_size: size of training batches :param learning_rate: learning rate for training :param train_dir: Directory storing the saved model :param filename: Filename to save model under :param load_model: True for load, False for not load :param testing: if true, test error is calculated :return: an AccuracyReport object """ keras.layers.core.K.set_learning_phase(0) # Object used to keep track of (and return) key accuracies report = AccuracyReport() # Set TF random seed to improve reproducibility tf.set_random_seed(1234) if not hasattr(backend, "tf"): raise RuntimeError("This tutorial requires keras to be configured" " to use the TensorFlow backend.") if keras.backend.image_dim_ordering() != 'tf': keras.backend.set_image_dim_ordering('tf') print("INFO: '~/.keras/keras.json' sets 'image_dim_ordering' to " "'th', temporarily setting to 'tf'") # Create TF session and set as Keras backend session sess = tf.Session() keras.backend.set_session(sess) # Get MNIST test data X_train, Y_train, X_test, Y_test = data_mnist(train_start=train_start, train_end=train_end, test_start=test_start, test_end=test_end) # Use label smoothing assert Y_train.shape[1] == 10 label_smooth = .1 Y_train = Y_train.clip(label_smooth / 9., 1. - label_smooth) # Define input TF placeholder x = tf.placeholder(tf.float32, shape=(None, 28, 28, 1)) y = tf.placeholder(tf.float32, shape=(None, 10)) # Define TF model graph model = cnn_model_BIM() preds = model(x) print("Defined TensorFlow model graph.") def evaluate(): # Evaluate the accuracy of the MNIST model on legitimate test examples eval_params = {'batch_size': batch_size} acc = model_eval(sess, x, y, preds, X_test, Y_test, args=eval_params) report.clean_train_clean_eval = acc assert X_test.shape[0] == test_end - test_start, X_test.shape print('Test accuracy on legitimate examples: %0.4f' % acc) # Train an MNIST model train_params = { 'nb_epochs': nb_epochs, 'batch_size': batch_size, 'learning_rate': learning_rate, 'train_dir': train_dir, 'filename': filename } ckpt = tf.train.get_checkpoint_state(train_dir) ckpt_path = False if ckpt is None else ckpt.model_checkpoint_path rng = np.random.RandomState([2017, 8, 30]) if load_model and ckpt_path: saver = tf.train.Saver() saver.restore(sess, ckpt_path) print("Model loaded from: {}".format(ckpt_path)) evaluate() else: print("Model was not loaded, training from scratch.") model_train(sess, x, y, preds, X_train, Y_train, evaluate=evaluate, args=train_params, save=False, rng=rng) # Calculate training error if testing: eval_params = {'batch_size': batch_size} acc = model_eval(sess, x, y, preds, X_train, Y_train, args=eval_params) report.train_clean_train_clean_eval = acc # Initialize the Fast Gradient Sign Method (FGSM) attack object and graph wrap = KerasModelWrapper(model) print("FastGradientMethod") fgsm1 = FastGradientMethod(wrap, sess=sess) for epsilon in [0.005, 0.01, 0.05, 0.1, 0.5, 1.0]: print("Epsilon =", epsilon), fgsm_params = {'eps': epsilon, 'clip_min': None, 'clip_max': None} adv_x = fgsm1.generate(x, **fgsm_params) # Consider the attack to be constant adv_x = tf.stop_gradient(adv_x) preds_adv = model(adv_x) # Evaluate the accuracy of the MNIST model on adversarial examples eval_par = {'batch_size': batch_size} acc = model_eval(sess, x, y, preds_adv, X_test, Y_test, args=eval_par) print('Test accuracy on adversarial examples: %0.4f\n' % acc) report.clean_train_adv_eval = acc print("BasicIterativeMethod") bim = BasicIterativeMethod(wrap, sess=sess) for epsilon, order in zip( [0.005, 0.01, 0.05, 0.1, 0.5, 1.0, 0.5, 1.0], [np.inf, np.inf, np.inf, np.inf, np.inf, np.inf, 2, 2]): print("Epsilon =", epsilon), fgsm_params = { 'eps': epsilon, 'clip_min': 0., 'clip_max': 1., 'ord': order } adv_x = bim.generate(x, **fgsm_params) # Consider the attack to be constant adv_x = tf.stop_gradient(adv_x) preds_adv = model(adv_x) # Evaluate the accuracy of the MNIST model on adversarial examples eval_par = {'batch_size': batch_size} acc = model_eval(sess, x, y, preds_adv, X_test, Y_test, args=eval_par) print('Test accuracy on adversarial examples: %0.4f\n' % acc) report.clean_train_adv_eval = acc # Calculating train error if testing: eval_par = {'batch_size': batch_size} acc = model_eval(sess, x, y, preds_adv, X_train, Y_train, args=eval_par) report.train_clean_train_adv_eval = acc return print("Repeating the process, using adversarial training") # Redefine TF model graph model_2 = cnn_model() preds_2 = model_2(x) wrap_2 = KerasModelWrapper(model_2) #fgsm2 = FastGradientMethod(wrap_2, sess=sess) bim2 = BasicIterativeMethod(wrap_2, sess=sess) preds_2_adv = model_2(bim2.generate(x, **fgsm_params)) def evaluate_2(): # Accuracy of adversarially trained model on legitimate test inputs eval_params = {'batch_size': batch_size} accuracy = model_eval(sess, x, y, preds_2, X_test, Y_test, args=eval_params) print('Test accuracy on legitimate examples: %0.4f' % accuracy) report.adv_train_clean_eval = accuracy # Accuracy of the adversarially trained model on adversarial examples accuracy = model_eval(sess, x, y, preds_2_adv, X_test, Y_test, args=eval_params) print('Test accuracy on adversarial examples: %0.4f' % accuracy) report.adv_train_adv_eval = accuracy # Perform and evaluate adversarial training model_train(sess, x, y, preds_2, X_train, Y_train, predictions_adv=preds_2_adv, evaluate=evaluate_2, args=train_params, save=False, rng=rng) # Calculate training errors if testing: eval_params = {'batch_size': batch_size} accuracy = model_eval(sess, x, y, preds_2, X_train, Y_train, args=eval_params) report.train_adv_train_clean_eval = accuracy accuracy = model_eval(sess, x, y, preds_2_adv, X_train, Y_train, args=eval_params) report.train_adv_train_adv_eval = accuracy return report
x: x_iterloclin_proj, y: y_test }) print('\nAccuracy: {:.2f}'.format(acc['iterloclin_proj'])) # Iterative FGSM attack if attack_params['fgsm_iter']['run'] is True: fgsm_iter_params = attack_params['fgsm_iter']['params'] batch_size = attack_params['fgsm_iter']['batch_size'] print( '\nStarting iterative FGSM with eps = {:.2f}, delta = {:.2f}, niter = {}' .format(fgsm_iter_params['eps'], fgsm_iter_params['eps_iter'], fgsm_iter_params['nb_iter'])) fgsm_iter = BasicIterativeMethod(model, sess=sess) adv_fgsm_iter = fgsm_iter.generate(x, y=y, **fgsm_iter_params) x_fgsm_iter = np.zeros(x_test.shape) for i in trange(num_images // batch_size): batch = slice(i * batch_size, (i + 1) * batch_size) x_fgsm_iter[batch] = sess.run(adv_fgsm_iter, feed_dict={ x: x_test[batch], y: y_test[batch] }) acc['fgsm_iter'] = sess.run(accuracy, feed_dict={ x: x_fgsm_iter, y: y_test }) print('\nAccuracy: {:.2f}'.format(acc['fgsm_iter']))
def train(fgsm_eps, _dp_epsilon, _attack_norm_bound, log_filename, ratio): FLAGS = None #ratio = 16 #target_eps = [0.125,0.25,0.5,1,2,4,8] #target_eps = [0.25 + 0.25*ratio] target_eps = [0.2 + 0.2 * ratio] #print(target_eps[0]) #fgsm_eps = 0.1 dp_epsilon = _dp_epsilon image_size = 28 _log_filename = log_filename + str(target_eps[0]) + '_fgsm_' + str( fgsm_eps) + '_dpeps_' + str(dp_epsilon) + '_attack_norm_bound_' + str( _attack_norm_bound) + '.txt' clip_bound = 0.001 # 'the clip bound of the gradients' clip_bound_2 = 1 / 1.5 # 'the clip bound for r_kM' small_num = 1e-5 # 'a small number' large_num = 1e5 # a large number' num_images = 50000 # 'number of images N' batch_size = 125 # 'batch_size L' sample_rate = batch_size / 50000 # 'sample rate q = L / N' # 900 epochs num_steps = 1800000 # 'number of steps T = E * N / L = E / q' num_epoch = 24 # 'number of epoches E' sigma = 5 # 'sigma' delta = 1e-5 # 'delta' lambd = 1e3 # 'exponential distribution parameter' iterative_clip_step = 2 # 'iterative_clip_step' clip = 1 # 'whether to clip the gradient' noise = 0 # 'whether to add noise' redistribute = 0 # 'whether to redistribute the noise' D = 50000 sess = tf.InteractiveSession() # Create the model x = tf.placeholder(tf.float32, [None, 784]) y_ = tf.placeholder(tf.float32, [None, 10]) keep_prob = tf.placeholder(tf.float32) W_conv1 = weight_variable([5, 5, 1, 32]) b_conv1 = bias_variable([32]) W_conv2 = weight_variable([5, 5, 32, 64]) b_conv2 = bias_variable([64]) W_fc1 = weight_variable([7 * 7 * 64, 25]) b_fc1 = bias_variable([25]) W_fc2 = weight_variable([25, 10]) b_fc2 = bias_variable([10]) def inference(x, dp_mult): x_image = tf.reshape(x, [-1, 28, 28, 1]) h_conv1 = tf.nn.relu((conv2d(x_image, W_conv1) + b_conv1) + dp_mult) h_pool1 = max_pool_2x2(h_conv1) h_conv2 = tf.nn.relu(conv2d(h_pool1, W_conv2) + b_conv2) h_pool2 = max_pool_2x2(h_conv2) h_pool2_flat = tf.reshape(h_pool2, [-1, 7 * 7 * 64]) h_fc1 = tf.nn.relu(tf.matmul(h_pool2_flat, W_fc1) + b_fc1) h_fc1_drop = tf.nn.dropout(h_fc1, keep_prob) y_conv = tf.matmul(h_fc1_drop, W_fc2) + b_fc2 return y_conv, h_conv1 def inference_prob(x): logits, _ = inference(x, 0) y_prob = tf.nn.softmax(logits) return y_prob shape = W_conv1.get_shape().as_list() w_t = tf.reshape(W_conv1, [-1, shape[-1]]) w = tf.transpose(w_t) sing_vals = tf.svd(w, compute_uv=False) sensitivityW = tf.reduce_max(sing_vals) dp_delta = 0.05 attack_norm_bound = _attack_norm_bound dp_mult = attack_norm_bound * math.sqrt( 2 * math.log(1.25 / dp_delta)) / dp_epsilon noise = tf.placeholder(tf.float32, [None, 28, 28, 32]) #y_conv, h_conv1 = inference(x, dp_mult * noise) y_conv, h_conv1 = inference(x, attack_norm_bound * noise) softmax_y = tf.nn.softmax(y_conv) # Define loss and optimizer priv_accountant = accountant.GaussianMomentsAccountant(D) privacy_accum_op = priv_accountant.accumulate_privacy_spending( [None, None], sigma, batch_size) # sess.run(tf.initialize_all_variables()) sess.run(tf.global_variables_initializer()) cross_entropy = tf.reduce_mean( tf.nn.softmax_cross_entropy_with_logits(labels=y_, logits=y_conv)) #train_step = tf.train.AdamOptimizer(1e-5).minimize(cross_entropy); #train_step = tf.train.AdamOptimizer(1e-5).minimize(cross_entropy) # noise redistribution # grad, = tf.gradients(cross_entropy, h_conv1) normalized_grad = tf.sign(grad) normalized_grad = tf.stop_gradient(normalized_grad) normalized_grad_r = tf.abs(tf.reduce_mean(normalized_grad, axis=(0))) #print(normalized_grad_r) sum_r = tf.reduce_sum(normalized_grad_r, axis=(0, 1, 2), keepdims=False) #print(sum_r) normalized_grad_r = 256 * 32 * normalized_grad_r / sum_r print(normalized_grad_r) shape_grad = normalized_grad_r.get_shape().as_list() grad_t = tf.reshape(normalized_grad_r, [-1, shape_grad[-1]]) g = tf.transpose(grad_t) sing_g_vals = tf.svd(g, compute_uv=False) sensitivity_2 = tf.reduce_max(sing_g_vals) ######################## opt = GradientDescentOptimizer(learning_rate=1e-1) # compute gradient gw_W1 = tf.gradients(cross_entropy, W_conv1)[0] # gradient of W1 gb1 = tf.gradients(cross_entropy, b_conv1)[0] # gradient of b1 gw_W2 = tf.gradients(cross_entropy, W_conv2)[0] # gradient of W2 gb2 = tf.gradients(cross_entropy, b_conv2)[0] # gradient of b2 gw_Wf1 = tf.gradients(cross_entropy, W_fc1)[0] # gradient of W_fc1 gbf1 = tf.gradients(cross_entropy, b_fc1)[0] # gradient of b_fc1 gw_Wf2 = tf.gradients(cross_entropy, W_fc2)[0] # gradient of W_fc2 gbf2 = tf.gradients(cross_entropy, b_fc2)[0] # gradient of b_fc2 # clip gradient gw_W1 = tf.clip_by_norm(gw_W1, clip_bound) gw_W2 = tf.clip_by_norm(gw_W2, clip_bound) gw_Wf1 = tf.clip_by_norm(gw_Wf1, clip_bound) gw_Wf2 = tf.clip_by_norm(gw_Wf2, clip_bound) # sigma = FLAGS.sigma # when comp_eps(lmbda,q,sigma,T,delta)==epsilon # sensitivity = 2 * FLAGS.clip_bound #adjacency matrix with one tuple different sensitivity = clip_bound # adjacency matrix with one more tuple gw_W1 += tf.random_normal(shape=tf.shape(gw_W1), mean=0.0, stddev=(sigma * sensitivity)**2, dtype=tf.float32) gb1 += tf.random_normal(shape=tf.shape(gb1), mean=0.0, stddev=(sigma * sensitivity)**2, dtype=tf.float32) gw_W2 += tf.random_normal(shape=tf.shape(gw_W2), mean=0.0, stddev=(sigma * sensitivity)**2, dtype=tf.float32) gb2 += tf.random_normal(shape=tf.shape(gb2), mean=0.0, stddev=(sigma * sensitivity)**2, dtype=tf.float32) gw_Wf1 += tf.random_normal(shape=tf.shape(gw_Wf1), mean=0.0, stddev=(sigma * sensitivity)**2, dtype=tf.float32) gbf1 += tf.random_normal(shape=tf.shape(gbf1), mean=0.0, stddev=(sigma * sensitivity)**2, dtype=tf.float32) gw_Wf2 += tf.random_normal(shape=tf.shape(gw_Wf2), mean=0.0, stddev=(sigma * sensitivity)**2, dtype=tf.float32) gbf2 += tf.random_normal(shape=tf.shape(gbf2), mean=0.0, stddev=(sigma * sensitivity)**2, dtype=tf.float32) train_step = opt.apply_gradients([(gw_W1, W_conv1), (gb1, b_conv1), (gw_W2, W_conv2), (gb2, b_conv2), (gw_Wf1, W_fc1), (gbf1, b_fc1), (gw_Wf2, W_fc2), (gbf2, b_fc2)]) # craft adversarial samples from x for testing #softmax_y_test = tf.nn.softmax(y_conv) #====================== attack ========================= attack_switch = { 'fgsm': True, 'ifgsm': True, 'deepfool': False, 'mim': True, 'spsa': False, 'cwl2': False, 'madry': True, 'stm': False } # define cleverhans abstract models for using cleverhans attacks ch_model_logits = CallableModelWrapper(callable_fn=inference, output_layer='logits') ch_model_probs = CallableModelWrapper(callable_fn=inference_prob, output_layer='probs') # define each attack method's tensor attack_tensor_dict = {} # FastGradientMethod if attack_switch['fgsm']: print('creating attack tensor of FastGradientMethod') fgsm_obj = FastGradientMethod(model=ch_model_probs, sess=sess) x_adv_test_fgsm = fgsm_obj.generate(x=x, eps=fgsm_eps, clip_min=0.0, clip_max=1.0) # testing now attack_tensor_dict['fgsm'] = x_adv_test_fgsm # Iterative FGSM (BasicIterativeMethod/ProjectedGradientMethod with no random init) # default: eps_iter=0.05, nb_iter=10 if attack_switch['ifgsm']: print('creating attack tensor of BasicIterativeMethod') ifgsm_obj = BasicIterativeMethod(model=ch_model_probs, sess=sess) x_adv_test_ifgsm = ifgsm_obj.generate(x=x, eps=fgsm_eps, eps_iter=fgsm_eps / 10, nb_iter=10, clip_min=0.0, clip_max=1.0) attack_tensor_dict['ifgsm'] = x_adv_test_ifgsm # MomentumIterativeMethod # default: eps_iter=0.06, nb_iter=10 if attack_switch['mim']: print('creating attack tensor of MomentumIterativeMethod') mim_obj = MomentumIterativeMethod(model=ch_model_probs, sess=sess) x_adv_test_mim = mim_obj.generate(x=x, eps=fgsm_eps, eps_iter=fgsm_eps / 10, nb_iter=10, decay_factor=1.0, clip_min=0.0, clip_max=1.0) attack_tensor_dict['mim'] = x_adv_test_mim # MadryEtAl (Projected Grdient with random init, same as rand+fgsm) # default: eps_iter=0.01, nb_iter=40 if attack_switch['madry']: print('creating attack tensor of MadryEtAl') madry_obj = MadryEtAl(model=ch_model_probs, sess=sess) x_adv_test_madry = madry_obj.generate(x=x, eps=fgsm_eps, eps_iter=fgsm_eps / 10, nb_iter=10, clip_min=0.0, clip_max=1.0) attack_tensor_dict['madry'] = x_adv_test_madry #====================== attack ========================= #Define the correct prediction and accuracy# correct_prediction_x = tf.equal(tf.argmax(y_conv, 1), tf.argmax(y_, 1)) accuracy_x = tf.reduce_mean(tf.cast(correct_prediction_x, tf.float32)) correct_prediction = tf.equal(tf.argmax(y_conv, 1), tf.argmax(y_, 1)) accuracy = tf.reduce_mean(tf.cast(correct_prediction, tf.float32)) s = math.log(sqrt(2.0 / math.pi) * 1e+5) sigmaEGM = sqrt(2.0) * 1.0 * (sqrt(s) + sqrt(s + dp_epsilon)) / (2.0 * dp_epsilon) print(sigmaEGM) __noiseE = np.random.normal(0.0, sigmaEGM**2, 28 * 28 * 32).astype(np.float32) __noiseE = np.reshape(__noiseE, [-1, 28, 28, 32]) start_time = time.time() logfile = open(_log_filename, 'w') last_eval_time = -1 accum_time = 0 accum_epoch = 0 max_benign_acc = -1 max_adv_acc_dict = {} test_size = len(mnist.test.images) print("Computing The Noise Redistribution Vector") for i in range(4000): batch = mnist.train.next_batch(batch_size) sess.run([train_step], feed_dict={ x: batch[0], y_: batch[1], keep_prob: 0.5, noise: __noiseE * 0 }) batch = mnist.train.next_batch(batch_size * 10) grad_redis = sess.run([normalized_grad_r], feed_dict={ x: batch[0], y_: batch[1], keep_prob: 1.0, noise: __noiseE * 0 }) #print(grad_redis) _sensitivity_2 = sess.run([sensitivity_2], feed_dict={ x: batch[0], y_: batch[1], keep_prob: 1.0, noise: __noiseE * 0 }) #print(_sensitivity_2) _sensitivityW = sess.run(sensitivityW) #print(_sensitivityW) Delta_redis = _sensitivityW / sqrt(_sensitivity_2[0]) #print(Delta_redis) sigmaHGM = sqrt(2.0) * Delta_redis * (sqrt(s) + sqrt(s + dp_epsilon)) / ( 2.0 * dp_epsilon) #print(sigmaHGM) __noiseH = np.random.normal(0.0, sigmaHGM**2, 28 * 28 * 32).astype(np.float32) __noiseH = np.reshape(__noiseH, [-1, 28, 28, 32]) * grad_redis sess.run(tf.global_variables_initializer()) print("Training") for i in range(num_steps): batch = mnist.train.next_batch(batch_size) sess.run( [train_step], feed_dict={ x: batch[0], y_: batch[1], keep_prob: 0.5, noise: (__noiseE + __noiseH) / 2 }) sess.run([privacy_accum_op]) spent_eps_deltas = priv_accountant.get_privacy_spent( sess, target_eps=target_eps) if i % 1000 == 0: print(i, spent_eps_deltas) _break = False for _eps, _delta in spent_eps_deltas: if _delta >= delta: _break = True break if _break == True: break print("Testing") benign_acc = accuracy_x.eval( feed_dict={ x: mnist.test.images, y_: mnist.test.labels, keep_prob: 1.0, noise: (__noiseE + __noiseH) / 2 }) ### PixelDP Robustness ### adv_acc_dict = {} robust_adv_acc_dict = {} robust_adv_utility_dict = {} for atk in attack_switch.keys(): if atk not in adv_acc_dict: adv_acc_dict[atk] = -1 robust_adv_acc_dict[atk] = -1 robust_adv_utility_dict[atk] = -1 if attack_switch[atk]: adv_images_dict = sess.run(attack_tensor_dict[atk], feed_dict={ x: mnist.test.images, y_: mnist.test.labels, keep_prob: 1.0 }) #grad_redis = sess.run([normalized_grad_r], feed_dict={x: adv_images_dict, y_: mnist.test.labels, keep_prob: 1.0, noise:__noise}) ### Robustness ### predictions_form_argmax = np.zeros([test_size, 10]) softmax_predictions = softmax_y.eval( feed_dict={ x: adv_images_dict, keep_prob: 1.0, noise: (__noiseE + __noiseH) / 2 }) argmax_predictions = np.argmax(softmax_predictions, axis=1) for n_draws in range(0, 2000): if n_draws % 1000 == 0: print(n_draws) _noiseE = np.random.normal(0.0, sigmaEGM**2, 28 * 28 * 32).astype(np.float32) _noiseE = np.reshape(_noiseE, [-1, 28, 28, 32]) _noise = np.random.normal(0.0, sigmaHGM**2, 28 * 28 * 32).astype(np.float32) _noise = np.reshape(_noise, [-1, 28, 28, 32]) * grad_redis for j in range(test_size): pred = argmax_predictions[j] predictions_form_argmax[j, pred] += 1 softmax_predictions = softmax_y.eval( feed_dict={ x: adv_images_dict, keep_prob: 1.0, noise: (__noiseE + __noiseH) / 2 + (_noiseE + _noise) / 4 }) argmax_predictions = np.argmax(softmax_predictions, axis=1) final_predictions = predictions_form_argmax is_correct = [] is_robust = [] for j in range(test_size): is_correct.append( np.argmax(mnist.test.labels[j]) == np.argmax( final_predictions[j])) robustness_from_argmax = robustnessGGaussian.robustness_size_argmax( counts=predictions_form_argmax[j], eta=0.05, dp_attack_size=fgsm_eps, dp_epsilon=dp_epsilon, dp_delta=1e-5, dp_mechanism='gaussian') / dp_mult is_robust.append(robustness_from_argmax >= fgsm_eps) adv_acc_dict[atk] = np.sum(is_correct) * 1.0 / test_size robust_adv_acc_dict[atk] = np.sum([ a and b for a, b in zip(is_robust, is_correct) ]) * 1.0 / np.sum(is_robust) robust_adv_utility_dict[atk] = np.sum(is_robust) * 1.0 / test_size print(" {}: {:.4f} {:.4f} {:.4f} {:.4f}".format( atk, adv_acc_dict[atk], robust_adv_acc_dict[atk], robust_adv_utility_dict[atk], robust_adv_acc_dict[atk] * robust_adv_utility_dict[atk])) ############################## log_str = "step: {}\t target_epsilon: {}\t dp_epsilon: {:.1f}\t attack_norm_bound: {:.1f}\t benign_acc: {:.4f}\t".format( i, target_eps, dp_epsilon, attack_norm_bound, benign_acc) for atk in attack_switch.keys(): if attack_switch[atk]: log_str += " {}: {:.4f} {:.4f} {:.4f} {:.4f}".format( atk, adv_acc_dict[atk], robust_adv_acc_dict[atk], robust_adv_utility_dict[atk], robust_adv_acc_dict[atk] * robust_adv_utility_dict[atk]) print(log_str) logfile.write(log_str + '\n') ############################## duration = time.time() - start_time logfile.write(str(duration) + '\n') logfile.flush() logfile.close()
def JSMA_FGSM_BIM(train_start=0, train_end=60000, test_start=0, test_end=10000, nb_epochs=6, batch_size=128, learning_rate=0.001, clean_train=True, testing=False, backprop_through_attack=False, nb_filters=64): """ MNIST cleverhans tutorial :param train_start: index of first training set example :param train_end: index of last training set example :param test_start: index of first test set example :param test_end: index of last test set example :param nb_epochs: number of epochs to train model :param batch_size: size of training batches :param learning_rate: learning rate for training :param clean_train: perform normal training on clean examples only before performing adversarial training. :param testing: if true, complete an AccuracyReport for unit tests to verify that performance is adequate :param backprop_through_attack: If True, backprop through adversarial example construction process during adversarial training. :param clean_train: if true, train on clean examples :return: an AccuracyReport object """ # Object used to keep track of (and return) key accuracies report = AccuracyReport() # Set TF random seed to improve reproducibility tf.set_random_seed(1234) # Set logging level to see debug information set_log_level(logging.DEBUG) # Create TF session sess = tf.Session() # Get MNIST test data X_train, Y_train, X_test, Y_test = data_mnist(train_start=train_start, train_end=train_end, test_start=test_start, test_end=test_end) source_samples = batch_size # Use label smoothing # Hopefully this doesn't screw up JSMA... assert Y_train.shape[1] == 10 label_smooth = .1 Y_train = Y_train.clip(label_smooth / 9., 1. - label_smooth) # Define input TF placeholder x = tf.placeholder(tf.float32, shape=(None, 28, 28, 1)) y = tf.placeholder(tf.float32, shape=(None, 10)) model_path = "models/mnist" # Train an MNIST model train_params = { 'nb_epochs': nb_epochs, 'batch_size': batch_size, 'learning_rate': learning_rate } eval_par = {'batch_size': batch_size} rng = np.random.RandomState([2017, 8, 30]) if clean_train: model = make_basic_cnn(nb_filters=nb_filters) preds = model.get_probs(x) def evaluate(): # Evaluate the accuracy of the MNIST model on legitimate test # examples eval_params = {'batch_size': batch_size} acc = model_eval(sess, x, y, preds, X_test, Y_test, args=eval_params) report.clean_train_clean_eval = acc assert X_test.shape[0] == test_end - test_start, X_test.shape print('Test accuracy on legitimate examples: %0.4f' % acc) model_train(sess, x, y, preds, X_train, Y_train, evaluate=evaluate, args=train_params, rng=rng) print("#####Starting attacks on clean model#####") ################################################################# #Clean test against JSMA jsma_params = { 'theta': 1., 'gamma': 0.1, 'clip_min': 0., 'clip_max': 1., 'y_target': None } jsma = SaliencyMapMethod(model, back='tf', sess=sess) adv_x = jsma.generate(x, **jsma_params) preds_adv = model.get_probs(adv_x) # Evaluate the accuracy of the MNIST model on FGSM adversarial examples acc = model_eval(sess, x, y, preds_adv, X_test, Y_test, args=eval_par) print('Clean test accuracy on JSMA adversarial examples: %0.4f' % acc) ################################################################ #Clean test against FGSM fgsm_params = {'eps': 0.3, 'clip_min': 0., 'clip_max': 1.} fgsm = FastGradientMethod(model, sess=sess) adv_x = fgsm.generate(x, **fgsm_params) preds_adv = model.get_probs(adv_x) # Evaluate the accuracy of the MNIST model on FGSM adversarial examples acc = model_eval(sess, x, y, preds_adv, X_test, Y_test, args=eval_par) print('Clean test accuracy on FGSM adversarial examples: %0.4f' % acc) ################################################################ #Clean test against BIM bim_params = { 'eps': 0.3, 'eps_iter': 0.01, 'nb_iter': 100, 'clip_min': 0., 'clip_max': 1. } bim = BasicIterativeMethod(model, sess=sess) adv_x = bim.generate(x, **bim_params) preds_adv = model.get_probs(adv_x) # Evaluate the accuracy of the MNIST model on FGSM adversarial examples acc = model_eval(sess, x, y, preds_adv, X_test, Y_test, args=eval_par) print('Clean test accuracy on BIM adversarial examples: %0.4f' % acc) ################################################################ #Clean test against EN en_params = { 'binary_search_steps': 1, #'y': None, 'max_iterations': 100, 'learning_rate': 0.1, 'batch_size': source_samples, 'initial_const': 10 } en = ElasticNetMethod(model, back='tf', sess=sess) adv_x = en.generate(x, **en_params) preds_adv = model.get_probs(adv_x) # Evaluate the accuracy of the MNIST model on FGSM adversarial examples acc = model_eval(sess, x, y, preds_adv, X_test, Y_test, args=eval_par) print('Clean test accuracy on EN adversarial examples: %0.4f' % acc) ################################################################ #Clean test against DF deepfool_params = { 'nb_candidate': 10, 'overshoot': 0.02, 'max_iter': 50, 'clip_min': 0., 'clip_max': 1. } deepfool = DeepFool(model, sess=sess) adv_x = deepfool.generate(x, **deepfool_params) preds_adv = model.get_probs(adv_x) # Evaluate the accuracy of the MNIST model on FGSM adversarial examples acc = model_eval(sess, x, y, preds_adv, X_test, Y_test, args=eval_par) print('Clean test accuracy on DF adversarial examples: %0.4f' % acc) ################################################################ #Clean test against VAT vat_params = { 'eps': 2.0, 'num_iterations': 1, 'xi': 1e-6, 'clip_min': 0., 'clip_max': 1. } vat = VirtualAdversarialMethod(model, sess=sess) adv_x = vat.generate(x, **vat_params) preds_adv = model.get_probs(adv_x) # Evaluate the accuracy of the MNIST model on FGSM adversarial examples acc = model_eval(sess, x, y, preds_adv, X_test, Y_test, args=eval_par) print('Clean test accuracy on VAT adversarial examples: %0.4f\n' % acc) ################################################################ print("Repeating the process, using adversarial training\n") # Redefine TF model graph model_2 = make_basic_cnn(nb_filters=nb_filters) preds_2 = model_2(x) ################################################################# #Adversarial test against JSMA jsma_params = { 'theta': 1., 'gamma': 0.1, 'clip_min': 0., 'clip_max': 1., 'y_target': None } jsma = SaliencyMapMethod(model, back='tf', sess=sess) adv_x = jsma.generate(x, **jsma_params) preds_adv_jsma = model.get_probs(adv_x) ################################################################ #Adversarial test against FGSM fgsm_params = {'eps': 0.3, 'clip_min': 0., 'clip_max': 1.} fgsm = FastGradientMethod(model, sess=sess) adv_x = fgsm.generate(x, **fgsm_params) preds_adv_fgsm = model.get_probs(adv_x) ################################################################ #Adversarial test against BIM bim_params = { 'eps': 0.3, 'eps_iter': 0.01, 'nb_iter': 100, 'clip_min': 0., 'clip_max': 1. } bim = BasicIterativeMethod(model, sess=sess) adv_x = bim.generate(x, **bim_params) preds_adv_bim = model.get_probs(adv_x) ################################################################ #Adversarial test against EN en_params = { 'binary_search_steps': 5, #'y': None, 'max_iterations': 100, 'learning_rate': 0.1, 'batch_size': source_samples, 'initial_const': 10 } en = ElasticNetMethod(model, back='tf', sess=sess) adv_x = en.generate(x, **en_params) preds_adv_en = model.get_probs(adv_x) ################################################################ #Adversarial test against DF deepfool_params = { 'nb_candidate': 10, 'overshoot': 0.02, 'max_iter': 200, 'clip_min': 0., 'clip_max': 1. } deepfool = DeepFool(model, sess=sess) adv_x = deepfool.generate(x, **deepfool_params) preds_adv_df = model.get_probs(adv_x) ################################################################ #Adversarial test against VAT vat_params = { 'eps': 2.0, 'num_iterations': 1, 'xi': 1e-6, 'clip_min': 0., 'clip_max': 1. } vat = VirtualAdversarialMethod(model, sess=sess) adv_x = vat.generate(x, **vat_params) preds_adv_vat = model.get_probs(adv_x) ################################################################ print("#####Evaluate trained model#####") def evaluate_2(): # Evaluate the accuracy of the MNIST model on JSMA adversarial examples acc = model_eval(sess, x, y, preds_adv_jsma, X_test, Y_test, args=eval_par) print('Test accuracy on JSMA adversarial examples: %0.4f' % acc) # Evaluate the accuracy of the MNIST model on FGSM adversarial examples acc = model_eval(sess, x, y, preds_adv_fgsm, X_test, Y_test, args=eval_par) print('Test accuracy on FGSM adversarial examples: %0.4f' % acc) # Evaluate the accuracy of the MNIST model on BIM adversarial examples acc = model_eval(sess, x, y, preds_adv_bim, X_test, Y_test, args=eval_par) print('Test accuracy on BIM adversarial examples: %0.4f' % acc) # Evaluate the accuracy of the MNIST model on EN adversarial examples acc = model_eval(sess, x, y, preds_adv_en, X_test, Y_test, args=eval_par) print('Test accuracy on EN adversarial examples: %0.4f' % acc) # Evaluate the accuracy of the MNIST model on DF adversarial examples acc = model_eval(sess, x, y, preds_adv_df, X_test, Y_test, args=eval_par) print('Test accuracy on DF adversarial examples: %0.4f' % acc) # Evaluate the accuracy of the MNIST model on VAT adversarial examples acc = model_eval(sess, x, y, preds_adv_vat, X_test, Y_test, args=eval_par) print('Test accuracy on VAT adversarial examples: %0.4f\n' % acc) preds_2_adv = [ preds_adv_jsma, preds_adv_fgsm, preds_adv_bim # ,preds_adv_en # ,preds_adv_df ] model_train(sess, x, y, preds_2, X_train, Y_train, predictions_adv=preds_2_adv, evaluate=evaluate_2, args=train_params, rng=rng)
def mnist_tutorial(train_start=0, train_end=60000, test_start=0, test_end=10000, nb_epochs=6, batch_size=128, learning_rate=0.001, clean_train=True, testing=False, backprop_through_attack=False, nb_filters=64): """ MNIST cleverhans tutorial :param train_start: index of first training set example :param train_end: index of last training set example :param test_start: index of first test set example :param test_end: index of last test set example :param nb_epochs: number of epochs to train model :param batch_size: size of training batches :param learning_rate: learning rate for training :param clean_train: perform normal training on clean examples only before performing adversarial training. :param testing: if true, complete an AccuracyReport for unit tests to verify that performance is adequate :param backprop_through_attack: If True, backprop through adversarial example construction process during adversarial training. :param clean_train: if true, train on clean examples :return: an AccuracyReport object """ # Object used to keep track of (and return) key accuracies report = AccuracyReport() # Set TF random seed to improve reproducibility tf.set_random_seed(1234) # Set logging level to see debug information set_log_level(logging.DEBUG) # Create TF session sess = tf.Session() # Get MNIST test data X_train, Y_train, X_test, Y_test = data_mnist(train_start=train_start, train_end=train_end, test_start=test_start, test_end=test_end) # Use label smoothing assert Y_train.shape[1] == 10 label_smooth = .1 Y_train = Y_train.clip(label_smooth / 9., 1. - label_smooth) # Define input TF placeholder x = tf.placeholder(tf.float32, shape=(None, 28, 28, 1)) y = tf.placeholder(tf.float32, shape=(None, 10)) model_path = "models/mnist" # Train an MNIST model train_params = { 'nb_epochs': nb_epochs, 'batch_size': batch_size, 'learning_rate': learning_rate } fgsm_params = {'eps': 0.3, 'clip_min': 0., 'clip_max': 1.} bim_params = { 'eps': 0.3, 'eps_iter': 0.01, 'nb_iter': 100, 'clip_min': 0., 'clip_max': 1. } rng = np.random.RandomState([2017, 8, 30]) if clean_train: model = make_basic_cnn(nb_filters=nb_filters) preds = model.get_probs(x) def evaluate(): # Evaluate the accuracy of the MNIST model on legitimate test # examples eval_params = {'batch_size': batch_size} acc = model_eval(sess, x, y, preds, X_test, Y_test, args=eval_params) report.clean_train_clean_eval = acc assert X_test.shape[0] == test_end - test_start, X_test.shape print('Test accuracy on legitimate examples: %0.4f' % acc) model_train(sess, x, y, preds, X_train, Y_train, evaluate=evaluate, args=train_params, rng=rng) # Calculate training error if testing: eval_params = {'batch_size': batch_size} acc = model_eval(sess, x, y, preds, X_train, Y_train, args=eval_params) report.train_clean_train_clean_eval = acc # Initialize the Fast Gradient Sign Method (FGSM) attack object and # graph fgsm = FastGradientMethod(model, sess=sess) adv_x = fgsm.generate(x, **fgsm_params) preds_adv = model.get_probs(adv_x) # Evaluate the accuracy of the MNIST model on FGSM adversarial examples eval_par = {'batch_size': batch_size} acc = model_eval(sess, x, y, preds_adv, X_test, Y_test, args=eval_par) print('Test accuracy on FGSM adversarial examples: %0.4f\n' % acc) # Calculate training error if testing: eval_par = {'batch_size': batch_size} acc = model_eval(sess, x, y, preds_adv, X_train, Y_train, args=eval_par) report.train_clean_train_adv_eval = acc # Init the Basic Iterative Method attack object and graph bim = BasicIterativeMethod(model, sess=sess) adv_x_2 = bim.generate(x, **bim_params) preds_adv_2 = model.get_probs(adv_x_2) # Evaluate the accuracy of the MNIST model on Basic Iterative Method adversarial examples acc = model_eval(sess, x, y, preds_adv_2, X_test, Y_test, args=eval_par) print( 'Test accuracy on Basic Iterative Method adversarial examples: %0.4f\n' % acc) # Calculate training error if testing: eval_par = {'batch_size': batch_size} acc = model_eval(sess, x, y, preds_adv, X_train, Y_train, args=eval_par) report.train_clean_train_adv_eval = acc print("Repeating the process, using adversarial training") # Redefine TF model graph model_2 = make_basic_cnn(nb_filters=nb_filters) preds_2 = model_2(x) fgsm2 = FastGradientMethod(model_2, sess=sess) adv_x_fgsm = fgsm2.generate(x, **fgsm_params) if not backprop_through_attack: # For the fgsm attack used in this tutorial, the attack has zero # gradient so enabling this flag does not change the gradient. # For some other attacks, enabling this flag increases the cost of # training, but gives the defender the ability to anticipate how # the atacker will change their strategy in response to updates to # the defender's parameters. adv_x_fgsm = tf.stop_gradient(adv_x_fgsm) preds_2_adv_fgsm = model_2(adv_x_fgsm) bim2 = BasicIterativeMethod(model_2, sess=sess) adv_x_bim = bim2.generate(x, **bim_params) preds_2_adv_bim = model_2(adv_x_bim) # X_train_rep = np.tile(X_train, [2, 1, 1, 1]) # Y_train_rep = np.tile(Y_train, [2, 1]) # preds_2_rep = tf.tile(preds_2, [2, 1]) # preds_2_adv = model_2(tf.concat([adv_x_fgsm, adv_x_bim], 0)) # # # Perform and evaluate adversarial training # model_train(sess, x, y, preds_2_rep, X_train_rep, Y_train_rep, # predictions_adv=preds_2_adv, # args=train_params, rng=rng) def evaluate_2(): # evaluate the final result of the model eval_params = {'batch_size': batch_size} accuracy = model_eval(sess, x, y, preds_2, X_test, Y_test, args=eval_params) print('Test accuracy on legitimate examples: %0.4f' % accuracy) # Accuracy of the adversarially trained model on FGSM adversarial examples accuracy = model_eval(sess, x, y, preds_2_adv_fgsm, X_test, Y_test, args=eval_params) print('Test accuracy on FGSM adversarial examples: %0.4f' % accuracy) # Accuracy of the adversarially trained model on Basic Iterative Method adversarial examples accuracy = model_eval(sess, x, y, preds_2_adv_bim, X_test, Y_test, args=eval_params) print('Test accuracy on BIM adversarial examples: %0.4f' % accuracy) preds_2_adv = [preds_2_adv_fgsm, preds_2_adv_bim] model_train(sess, x, y, preds_2, X_train, Y_train, predictions_adv=preds_2_adv, evaluate=evaluate_2, args=train_params, rng=rng) return report
def mnist_tutorial_jsma(train_start=0, train_end=5500, test_start=0, test_end=1000, nb_epochs=8, batch_size=100, nb_classes=10, nb_filters=64, learning_rate=0.001): """ MNIST tutorial for the Jacobian-based saliency map approach (JSMA) :param train_start: index of first training set example :param train_end: index of last training set example :param test_start: index of first test set example :param test_end: index of last test set example :param nb_epochs: number of epochs to train model :param batch_size: size of training batches :param nb_classes: number of output classes :param learning_rate: learning rate for training :return: an AccuracyReport object """ # Object used to keep track of (and return) key accuracies report = AccuracyReport() # Set TF random seed to improve reproducibility tf.set_random_seed(1234) # Create TF session and set as Keras backend session sess = tf.Session() print("Created TensorFlow session.") set_log_level(logging.DEBUG) # Get MNIST test data X_train, Y_train, X_test, Y_test = data_mnist(train_start=train_start, train_end=train_end, test_start=test_start, test_end=test_end) label_smooth = .1 Y_train = Y_train.clip(label_smooth / 9., 1. - label_smooth) # Define input TF placeholder x = tf.placeholder(tf.float32, shape=(None, 28, 28, 1)) y = tf.placeholder(tf.float32, shape=(None, 10)) # Define TF model graph model = make_basic_cnn() preds = model(x) print("Defined TensorFlow model graph.") ########################################################################### # Training the model using TensorFlow ########################################################################### # Train an MNIST model train_params = { 'nb_epochs': nb_epochs, 'batch_size': batch_size, 'learning_rate': learning_rate } # sess.run(tf.global_variables_initializer()) rng = np.random.RandomState([2017, 8, 30]) print("x_train shape: ", X_train.shape) print("y_train shape: ", Y_train.shape) # do not log model_train(sess, x, y, preds, X_train, Y_train, args=train_params,verbose=False, rng=rng) f_out_clean = open("Clean_jsma_elastic_against5.log", "w") # Evaluate the accuracy of the MNIST model on legitimate test examples eval_params = {'batch_size': batch_size} accuracy = model_eval(sess, x, y, preds, X_test, Y_test, args=eval_params) assert X_test.shape[0] == test_end - test_start, X_test.shape print('Test accuracy on legitimate test examples: {0}'.format(accuracy)) f_out_clean.write('Test accuracy on legitimate test examples: ' + str(accuracy) + '\n') # Clean test against JSMA jsma_params = {'theta': 1., 'gamma': 0.1, 'clip_min': 0., 'clip_max': 1., 'y_target': None} jsma = SaliencyMapMethod(model, back='tf', sess=sess) adv_x_jsma = jsma.generate(x, **jsma_params) preds_adv_jsma = model.get_probs(adv_x_jsma) # Evaluate the accuracy of the MNIST model on FGSM adversarial examples acc = model_eval(sess, x, y, preds_adv_jsma, X_test, Y_test, args=eval_params) print('Clean test accuracy on JSMA adversarial examples: %0.4f' % acc) f_out_clean.write('Clean test accuracy on JSMA adversarial examples: ' + str(acc) + '\n') ################################################################ # Clean test against FGSM fgsm_params = {'eps': 0.3, 'clip_min': 0., 'clip_max': 1.} fgsm = FastGradientMethod(model, sess=sess) adv_x_fgsm = fgsm.generate(x, **fgsm_params) preds_adv_fgsm = model.get_probs(adv_x_fgsm) # Evaluate the accuracy of the MNIST model on FGSM adversarial examples acc = model_eval(sess, x, y, preds_adv_fgsm, X_test, Y_test, args=eval_params) print('Clean test accuracy on FGSM adversarial examples: %0.4f' % acc) f_out_clean.write('Clean test accuracy on FGSM adversarial examples: ' + str(acc) + '\n') ################################################################ # Clean test against BIM bim_params = {'eps': 0.3, 'eps_iter': 0.01, 'nb_iter': 100, 'clip_min': 0., 'clip_max': 1.} bim = BasicIterativeMethod(model, sess=sess) adv_x_bim = bim.generate(x, **bim_params) preds_adv_bim = model.get_probs(adv_x_bim) # Evaluate the accuracy of the MNIST model on FGSM adversarial examples acc = model_eval(sess, x, y, preds_adv_bim, X_test, Y_test, args=eval_params) print('Clean test accuracy on BIM adversarial examples: %0.4f' % acc) f_out_clean.write('Clean test accuracy on BIM adversarial examples: ' + str(acc) + '\n') ################################################################ # Clean test against EN en_params = {'binary_search_steps': 1, # 'y': None, 'max_iterations': 100, 'learning_rate': 0.1, 'batch_size': batch_size, 'initial_const': 10} en = ElasticNetMethod(model, back='tf', sess=sess) adv_x_en = en.generate(x, **en_params) preds_adv_en = model.get_probs(adv_x_en) # Evaluate the accuracy of the MNIST model on FGSM adversarial examples acc = model_eval(sess, x, y, preds_adv_en, X_test, Y_test, args=eval_params) print('Clean test accuracy on EN adversarial examples: %0.4f' % acc) f_out_clean.write('Clean test accuracy on EN adversarial examples: ' + str(acc) + '\n') ################################################################ # Clean test against DF deepfool_params = {'nb_candidate': 10, 'overshoot': 0.02, 'max_iter': 50, 'clip_min': 0., 'clip_max': 1.} deepfool = DeepFool(model, sess=sess) adv_x_df = deepfool.generate(x, **deepfool_params) preds_adv_df = model.get_probs(adv_x_df) # Evaluate the accuracy of the MNIST model on FGSM adversarial examples acc = model_eval(sess, x, y, preds_adv_df, X_test, Y_test, args=eval_params) print('Clean test accuracy on DF adversarial examples: %0.4f' % acc) f_out_clean.write('Clean test accuracy on DF adversarial examples: ' + str(acc) + '\n') ################################################################ # Clean test against VAT vat_params = {'eps': 2.0, 'num_iterations': 1, 'xi': 1e-6, 'clip_min': 0., 'clip_max': 1.} vat = VirtualAdversarialMethod(model, sess=sess) adv_x_vat = vat.generate(x, **vat_params) preds_adv_vat = model.get_probs(adv_x_vat) # Evaluate the accuracy of the MNIST model on FGSM adversarial examples acc = model_eval(sess, x, y, preds_adv_vat, X_test, Y_test, args=eval_params) print('Clean test accuracy on VAT adversarial examples: %0.4f\n' % acc) f_out_clean.write('Clean test accuracy on VAT adversarial examples: ' + str(acc) + '\n') f_out_clean.close() ########################################################################### # Craft adversarial examples using the Jacobian-based saliency map approach ########################################################################### print('Crafting ' + str(X_train.shape[0]) + ' * ' + str(nb_classes-1) + ' adversarial examples') model_2 = make_basic_cnn() preds_2 = model(x) # need this for constructing the array sess.run(tf.global_variables_initializer()) # run this again # sess.run(tf.global_variables_initializer()) # 1. Instantiate a SaliencyMapMethod attack object jsma = SaliencyMapMethod(model_2, back='tf', sess=sess) jsma_params = {'theta': 1., 'gamma': 0.1, 'clip_min': 0., 'clip_max': 1., 'y_target': None} adv_random = jsma.generate(x, **jsma_params) preds_adv_random = model_2.get_probs(adv_random) # 2. Instantiate FGSM attack fgsm_params = {'eps': 0.3, 'clip_min': 0., 'clip_max': 1.} fgsm = FastGradientMethod(model_2, sess=sess) adv_x_fgsm = fgsm.generate(x, **fgsm_params) preds_adv_fgsm = model_2.get_probs(adv_x_fgsm) # 3. Instantiate Elastic net attack en_params = {'binary_search_steps': 5, #'y': None, 'max_iterations': 100, 'learning_rate': 0.1, 'batch_size': batch_size, 'initial_const': 10} enet = ElasticNetMethod(model_2, sess=sess) adv_x_en = enet.generate(x, **en_params) preds_adv_elastic_net = model_2.get_probs(adv_x_en) # 4. Deepfool deepfool_params = {'nb_candidate':10, 'overshoot':0.02, 'max_iter': 50, 'clip_min': 0., 'clip_max': 1.} deepfool = DeepFool(model_2, sess=sess) adv_x_df = deepfool.generate(x, **deepfool_params) preds_adv_deepfool = model_2.get_probs(adv_x_df) # 5. Base Iterative bim_params = {'eps': 0.3, 'eps_iter': 0.01, 'nb_iter': 100, 'clip_min': 0., 'clip_max': 1.} base_iter = BasicIterativeMethod(model_2, sess=sess) adv_x_bi = base_iter.generate(x, **bim_params) preds_adv_base_iter = model_2.get_probs(adv_x_bi) # 6. C & W Attack cw = CarliniWagnerL2(model_2, back='tf', sess=sess) cw_params = {'binary_search_steps': 1, # 'y': None, 'max_iterations': 100, 'learning_rate': 0.1, 'batch_size': batch_size, 'initial_const': 10} adv_x_cw = cw.generate(x, **cw_params) preds_adv_cw = model_2.get_probs(adv_x_cw) #7 vat_params = {'eps': 2.0, 'num_iterations': 1, 'xi': 1e-6, 'clip_min': 0., 'clip_max': 1.} vat = VirtualAdversarialMethod(model_2, sess=sess) adv_x = vat.generate(x, **vat_params) preds_adv_vat = model_2.get_probs(adv_x) # ==> generate 10 targeted classes for every train data regardless # This call runs the Jacobian-based saliency map approach # Loop over the samples we want to perturb into adversarial examples X_train_adv_set = [] Y_train_adv_set = [] for index in range(X_train.shape[0]): print('--------------------------------------') x_val = X_train[index:(index+1)] y_val = Y_train[index] # add normal sample in!!!! X_train_adv_set.append(x_val) Y_train_adv_set.append(y_val) # We want to find an adversarial example for each possible target class # (i.e. all classes that differ from the label given in the dataset) current_class = int(np.argmax(y_val)) target_classes = other_classes(nb_classes, current_class) # Loop over all target classes for target in target_classes: # print('Generating adv. example for target class %i' % target) # This call runs the Jacobian-based saliency map approach one_hot_target = np.zeros((1, nb_classes), dtype=np.float32) one_hot_target[0, target] = 1 jsma_params['y_target'] = one_hot_target adv_x = jsma.generate_np(x_val, **jsma_params) # append to X_train_adv_set and Y_train_adv_set X_train_adv_set.append(adv_x) Y_train_adv_set.append(y_val) # shape is: (1, 28, 28, 1) # print("adv_x shape is: ", adv_x.shape) # check for success rate # res = int(model_argmax(sess, x, preds, adv_x) == target) print('-------------Finished Generating Np Adversarial Data-------------------------') X_train_data = np.concatenate(X_train_adv_set, axis=0) Y_train_data = np.stack(Y_train_adv_set, axis=0) print("X_train_data shape is: ", X_train_data.shape) print("Y_train_data shape is: ", Y_train_data.shape) # saves the output so later no need to re-fun file np.savez("jsma_training_data.npz", x_train=X_train_data , y_train=Y_train_data) # >>> data = np.load('/tmp/123.npz') # >>> data['a'] f_out = open("Adversarial_jsma_elastic_against5.log", "w") # evaluate the function against 5 attacks # fgsm, base iterative, jsma, elastic net, and deepfool def evaluate_against_all(): # 1 Clean Data eval_params = {'batch_size': batch_size} accuracy = model_eval(sess, x, y, preds, X_test, Y_test, args=eval_params) print('Legitimate accuracy: %0.4f' % accuracy) tmp = 'Legitimate accuracy: '+ str(accuracy) + "\n" f_out.write(tmp) # 2 JSMA accuracy = model_eval(sess, x, y, preds_adv_random, X_test, Y_test, args=eval_params) print('JSMA accuracy: %0.4f' % accuracy) tmp = 'JSMA accuracy:'+ str(accuracy) + "\n" f_out.write(tmp) # 3 FGSM accuracy = model_eval(sess, x, y, preds_adv_fgsm, X_test, Y_test, args=eval_params) print('FGSM accuracy: %0.4f' % accuracy) tmp = 'FGSM accuracy:' + str(accuracy) + "\n" f_out.write(tmp) # 4 Base Iterative accuracy = model_eval(sess, x, y, preds_adv_base_iter, X_test, Y_test, args=eval_params) print('Base Iterative accuracy: %0.4f' % accuracy) tmp = 'Base Iterative accuracy:' + str(accuracy) + "\n" f_out.write(tmp) # 5 Elastic Net accuracy = model_eval(sess, x, y, preds_adv_elastic_net, X_test, Y_test, args=eval_params) print('Elastic Net accuracy: %0.4f' % accuracy) tmp = 'Elastic Net accuracy:' + str(accuracy) + "\n" f_out.write(tmp) # 6 DeepFool accuracy = model_eval(sess, x, y, preds_adv_deepfool, X_test, Y_test, args=eval_params) print('DeepFool accuracy: %0.4f' % accuracy) tmp = 'DeepFool accuracy:' + str(accuracy) + "\n" f_out.write(tmp) # 7 C & W Attack accuracy = model_eval(sess, x, y, preds_adv_cw, X_test, Y_test, args=eval_params) print('C & W accuracy: %0.4f' % accuracy) tmp = 'C & W accuracy:' + str(accuracy) + "\n" f_out.write(tmp) f_out.write("*******End of Epoch***********\n\n") # 8 Virtual Adversarial accuracy = model_eval(sess, x, y, preds_adv_vat, X_test, Y_test, args=eval_params) print('VAT accuracy: %0.4f' % accuracy) tmp = 'VAT accuracy:' + str(accuracy) + "\n" f_out.write(tmp) f_out.write("*******End of Epoch***********\n\n") print("*******End of Epoch***********\n\n") # report.adv_train_adv_eval = accuracy print("Now Adversarial Training with Elastic Net + modified X_train and Y_train") # trained_model.out train_params = { 'nb_epochs': nb_epochs, 'batch_size': batch_size, 'learning_rate': learning_rate, 'train_dir': '/home/stephen/PycharmProjects/jsma-runall-mac/', 'filename': 'trained_model.out' } model_train(sess, x, y, preds_2, X_train_data, Y_train_data, predictions_adv=preds_adv_elastic_net, evaluate=evaluate_against_all, verbose=False, args=train_params, rng=rng) # Close TF session sess.close() return report
def cifar10_tutorial(train_start=0, train_end=60000, test_start=0, test_end=10000, nb_epochs=NB_EPOCHS, batch_size=BATCH_SIZE, learning_rate=LEARNING_RATE, clean_train=CLEAN_TRAIN, testing=False, backprop_through_attack=BACKPROP_THROUGH_ATTACK, nb_filters=NB_FILTERS, num_threads=None, label_smoothing=0.1, adversarial_training=ADVERSARIAL_TRAINING): """ CIFAR10 cleverhans tutorial :param train_start: index of first training set example :param train_end: index of last training set example :param test_start: index of first test set example :param test_end: index of last test set example :param nb_epochs: number of epochs to train model :param batch_size: size of training batches :param learning_rate: learning rate for training :param clean_train: perform normal training on clean examples only before performing adversarial training. :param testing: if true, complete an AccuracyReport for unit tests to verify that performance is adequate :param backprop_through_attack: If True, backprop through adversarial example construction process during adversarial training. :param label_smoothing: float, amount of label smoothing for cross entropy :param adversarial_training: True means using adversarial training :return: an AccuracyReport object """ # Object used to keep track of (and return) key accuracies report = AccuracyReport() # Set TF random seed to improve reproducibility tf.set_random_seed(1234) # Set logging level to see debug information set_log_level(logging.DEBUG) # Create TF session if num_threads: config_args = dict(intra_op_parallelism_threads=1) else: # put data on cpu and gpu both config_args = dict(allow_soft_placement=True) sess = tf.Session(config=tf.ConfigProto(**config_args)) # Get CIFAR10 data data = CIFAR10(train_start=train_start, train_end=train_end, test_start=test_start, test_end=test_end) dataset_size = data.x_train.shape[0] dataset_train = data.to_tensorflow()[0] dataset_train = dataset_train.map( lambda x, y: (random_shift(random_horizontal_flip(x)), y), 4) dataset_train = dataset_train.batch(batch_size) dataset_train = dataset_train.prefetch(16) x_train, y_train = data.get_set('train') x_test, y_test = data.get_set('test') # Use Image Parameters img_rows, img_cols, nchannels = x_test.shape[1:4] nb_classes = y_test.shape[1] # Define input TF placeholder x = tf.placeholder(tf.float32, shape=(None, img_rows, img_cols, nchannels)) y = tf.placeholder(tf.float32, shape=(None, nb_classes)) # Train an MNIST model train_params = { 'nb_epochs': nb_epochs, 'batch_size': batch_size, 'learning_rate': learning_rate } eval_params = {'batch_size': batch_size} bim_params = { 'eps': 0.5, 'clip_min': 0., 'eps_iter': 0.002, 'nb_iter': 10, 'clip_max': 1., 'ord': np.inf } rng = np.random.RandomState([2017, 8, 30]) def do_eval(preds, x_set, y_set, report_key, is_adv=None): acc = model_eval(sess, x, y, preds, x_set, y_set, args=eval_params) setattr(report, report_key, acc) if is_adv is None: report_text = None elif is_adv: report_text = 'adversarial' else: report_text = 'legitimate' if report_text: print('Test accuracy on %s examples: %0.4f' % (report_text, acc)) if clean_train: model = ModelAllConvolutional('model1', nb_classes, nb_filters, input_shape=[32, 32, 3]) preds = model.get_logits(x) loss = CrossEntropy(model, smoothing=label_smoothing) def evaluate(): do_eval(preds, x_test, y_test, 'clean_train_clean_eval', False) """ when training, evaluating can be happened """ train(sess, loss, None, None, dataset_train=dataset_train, dataset_size=dataset_size, evaluate=evaluate, args=train_params, rng=rng, var_list=model.get_params()) # save model # Calculate training error if testing: do_eval(preds, x_train, y_train, 'train_clean_train_clean_eval') # Initialize the Basic Iterative Method (BIM) attack object and # graph for i in range(20): bim = BasicIterativeMethod(model, sess=sess) adv_x = bim.generate(x, **bim_params) preds_adv = model.get_logits(adv_x) # Evaluate the accuracy of the MNIST model on adversarial examples print("eps:%0.2f" % (bim_params["eps_iter"] * bim_params['nb_iter'])) do_eval(preds_adv, x_test, y_test, 'clean_train_adv_eval', True) bim_params["eps_iter"] = bim_params["eps_iter"] + 0.002 # Calculate training error if testing: do_eval(preds_adv, x_train, y_train, 'train_clean_train_adv_eval') if not adversarial_training: return report print('Repeating the process, using adversarial training') # Create a new model and train it to be robust to BasicIterativeMethod model2 = ModelAllConvolutional('model2', nb_classes, nb_filters, input_shape=[32, 32, 3]) bim2 = BasicIterativeMethod(model2, sess=sess) def attack(x): return bim2.generate(x, **bim_params) # add attack to loss loss2 = CrossEntropy(model2, smoothing=label_smoothing, attack=attack) preds2 = model2.get_logits(x) adv_x2 = attack(x) if not backprop_through_attack: # For the fgsm attack used in this tutorial, the attack has zero # gradient so enabling this flag does not change the gradient. # For some other attacks, enabling this flag increases the cost of # training, but gives the defender the ability to anticipate how # the attacker will change their strategy in response to updates to # the defender's parameters. adv_x2 = tf.stop_gradient(adv_x2) preds2_adv = model2.get_logits(adv_x2) def evaluate2(): # Accuracy of adversarially trained model on legitimate test inputs do_eval(preds2, x_test, y_test, 'adv_train_clean_eval', False) # Accuracy of the adversarially trained model on adversarial examples do_eval(preds2_adv, x_test, y_test, 'adv_train_adv_eval', True) # Perform and evaluate adversarial training train(sess, loss2, None, None, dataset_train=dataset_train, dataset_size=dataset_size, evaluate=evaluate2, args=train_params, rng=rng, var_list=model2.get_params()) # Calculate training errors if testing: do_eval(preds2, x_train, y_train, 'train_adv_train_clean_eval') do_eval(preds2_adv, x_train, y_train, 'train_adv_train_adv_eval') return report