def train_substitute(sess, x, y, bbox_preds, X_sub, Y_sub): """ This function creates the substitute by alternatively augmenting the training data and training the substitute. :param sess: TF session :param x: input TF placeholder :param y: output TF placeholder :param bbox_preds: output of black-box model predictions :param X_sub: initial substitute training data :param Y_sub: initial substitute training labels :return: """ # Define TF model graph (for the black-box model) model_sub = substitute_model() preds_sub = model_sub(x) # Define the Jacobian symbolically using TensorFlow grads = jacobian_graph(preds_sub, x, FLAGS.nb_classes) # Train the substitute and augment dataset alternatively for rho in range(FLAGS.data_aug): print("Epoch #" + str(rho)) train_params = { 'nb_epochs': FLAGS.nb_epochs_s, 'batch_size': FLAGS.batch_size, 'learning_rate': FLAGS.learning_rate } model_train(sess, x, y, preds_sub, X_sub, to_categorical(Y_sub), init_all=False, verbose=False, args=train_params) # If we are not at last substitute training iteration, augment dataset if rho < FLAGS.data_aug - 1: # Perform the Jacobian augmentation X_sub = jacobian_augmentation(sess, x, X_sub, Y_sub, grads, FLAGS.lmbda) # Label the newly generated synthetic points using the black-box Y_sub = np.hstack([Y_sub, Y_sub]) X_sub_prev = X_sub[int(len(X_sub)/2):] # First feed forward a denoising autoencoder. if args.ae: print("Denoising...") num_data = X_sub_prev.shape[0] autoencoder.visualize(sess, X_sub_prev.reshape(num_data, -1), "sub{}".format(rho)) filtered_data = autoencoder.run(sess, X_sub_prev.reshape(num_data, -1)) X_sub_prev = filtered_data.reshape(num_data, 28, 28, 1) if args.alg == "cnn": eval_params = {'batch_size': FLAGS.batch_size} bbox_val = batch_eval(sess, [x], [bbox_preds], [X_sub_prev], args=eval_params)[0] # Note here that we take the argmax because the adversary # only has access to the label (not the probabilities) output # by the black-box model Y_sub_prev = np.argmax(bbox_val, axis=1) elif is_not_nn(): x_sub_prev = X_sub_prev.reshape(X_sub_prev.shape[0], -1) Y_sub_prev = bbox_preds.predict(x_sub_prev) Y_sub[int(len(X_sub)/2):] = Y_sub_prev return model_sub, preds_sub
def train_sub(sess, x, y, bbox_preds, X_sub, Y_sub, nb_classes, nb_epochs_s, batch_size, learning_rate, data_aug, lmbda, rng): """ This function creates the substitute by alternatively augmenting the training data and training the substitute. :param sess: TF session :param x: input TF placeholder :param y: output TF placeholder :param bbox_preds: output of black-box model predictions :param X_sub: initial substitute training data :param Y_sub: initial substitute training labels :param nb_classes: number of output classes :param nb_epochs_s: number of epochs to train substitute model :param batch_size: size of training batches :param learning_rate: learning rate for training :param data_aug: number of times substitute training data is augmented :param lmbda: lambda from arxiv.org/abs/1602.02697 :param rng: numpy.random.RandomState instance :return: """ # Define TF model graph (for the black-box model) model_sub = substitute_model() preds_sub = model_sub(x) log_raw.info("Defined TensorFlow model graph for the substitute.") # Define the Jacobian symbolically using TensorFlow grads = jacobian_graph(preds_sub, x, nb_classes) # Train the substitute and augment dataset alternatively for rho in xrange(data_aug): log_raw.info("Substitute training epoch #" + str(rho)) train_params = { 'nb_epochs': nb_epochs_s, 'batch_size': batch_size, 'learning_rate': learning_rate } model_train(sess, x, y, preds_sub, X_sub, to_categorical(Y_sub), init_all=False, verbose=False, args=train_params, rng=rng) # If we are not at last substitute training iteration, augment dataset if rho < data_aug - 1: log_raw.info("Augmenting substitute training data.") # Perform the Jacobian augmentation X_sub = jacobian_augmentation(sess, x, X_sub, Y_sub, grads, lmbda) log_raw.info("Labeling substitute training data.") # Label the newly generated synthetic points using the black-box Y_sub = np.hstack([Y_sub, Y_sub]) X_sub_prev = X_sub[int(len(X_sub)/2):] eval_params = {'batch_size': batch_size} bbox_val = batch_eval(sess, [x], [bbox_preds], [X_sub_prev], args=eval_params)[0] # Note here that we take the argmax because the adversary # only has access to the label (not the probabilities) output # by the black-box model Y_sub[int(len(X_sub)/2):] = np.argmax(bbox_val, axis=1) return model_sub, preds_sub
def train_sub(sess, x, y, bbox_preds, X_sub, Y_sub): """ This function creates the substitute by alternatively augmenting the training data and training the substitute. :param sess: TF session :param x: input TF placeholder :param y: output TF placeholder :param bbox_preds: output of black-box model predictions :param X_sub: initial substitute training data :param Y_sub: initial substitute training labels :return: """ # Define TF model graph (for the black-box model) model_sub = substitute_model() preds_sub = model_sub(x) print("Defined TensorFlow model graph for the substitute.") # Define the Jacobian symbolically using TensorFlow grads = jacobian_graph(preds_sub, x, FLAGS.nb_classes) # Train the substitute and augment dataset alternatively for rho in xrange(FLAGS.data_aug): print("Substitute training epoch #" + str(rho)) train_params = { 'nb_epochs': FLAGS.nb_epochs_s, 'batch_size': FLAGS.batch_size, 'learning_rate': FLAGS.learning_rate } model_train(sess, x, y, preds_sub, X_sub, to_categorical(Y_sub), init_all=False, verbose=False, args=train_params) # If we are not at last substitute training iteration, augment dataset if rho < FLAGS.data_aug - 1: print("Augmenting substitute training data.") # Perform the Jacobian augmentation X_sub = jacobian_augmentation(sess, x, X_sub, Y_sub, grads, FLAGS.lmbda) print("Labeling substitute training data.") # Label the newly generated synthetic points using the black-box Y_sub = np.hstack([Y_sub, Y_sub]) X_sub_prev = X_sub[int(len(X_sub) / 2):] eval_params = {'batch_size': FLAGS.batch_size} bbox_val = batch_eval(sess, [x], [bbox_preds], [X_sub_prev], args=eval_params)[0] # Note here that we take the argmax because the adversary # only has access to the label (not the probabilities) output # by the black-box model Y_sub[int(len(X_sub) / 2):] = np.argmax(bbox_val, axis=1) return model_sub, preds_sub
def train_sub(sess, x, y, bb_model, X_sub, Y_sub, nb_classes, nb_epochs_s, batch_size, learning_rate, data_aug, lmbda, rng): """ This function creates the substitute by alternatively augmenting the training data and training the substitute. :param sess: TF session :param x: input TF placeholder :param y: output TF placeholder :param bbox_preds: output of black-box model predictions :param X_sub: initial substitute training data :param Y_sub: initial substitute training labels :param nb_classes: number of output classes :param nb_epochs_s: number of epochs to train substitute model :param batch_size: size of training batches :param learning_rate: learning rate for training :param data_aug: number of times substitute training data is augmented :param lmbda: lambda from arxiv.org/abs/1602.02697 :param rng: numpy.random.RandomState instance :return: """ # Define TF model graph (for the black-box model) model_sub = substitute_model(img_cols=X_sub.shape[1]) preds_sub = model_sub(x) print("Defined TensorFlow model graph for the substitute.") # Define the Jacobian symbolically using TensorFlow grads = jacobian_graph(preds_sub, x, nb_classes) # Train the substitute and augment dataset alternatively for rho in xrange(data_aug): print("Substitute training epoch #" + str(rho)) train_params = { 'nb_epochs': nb_epochs_s, 'batch_size': batch_size, 'learning_rate': learning_rate } with TemporaryLogLevel(logging.WARNING, "cleverhans.utils.tf"): model_train(sess, x, y, preds_sub, X_sub, to_categorical(Y_sub, nb_classes), init_all=False, args=train_params, rng=rng) # If we are not at last substitute training iteration, augment dataset if rho < data_aug - 1: print("Augmenting substitute training data.") # Perform the Jacobian augmentation lmbda_coef = 2 * int(int(rho / 3) != 0) - 1 X_sub = jacobian_augmentation(sess, x, X_sub, Y_sub, grads, lmbda_coef * lmbda) print("Labeling substitute training data.") # Label the newly generated synthetic points using the black-box Y_sub = numpy.hstack([Y_sub, Y_sub]) X_sub_prev = X_sub[int(len(X_sub)/2):] #on a double le dataset donc prev = ce qu'il y a de nouveau = la moitie eval_params = {'batch_size': batch_size} bbox_val = bb_model.predict(X_sub_prev) Y_sub[int(len(X_sub)/2):] = numpy.argmax(bbox_val, axis=1) return model_sub, preds_sub
def train_sub(sess, x, y, bbox, X_sub, Y_sub): """ This function creates the substitute by alternatively augmenting the training data and training the substitute. :param sess: TF session :param x: input TF placeholder :param y: output TF placeholder :param bbox: black-box model :param X_sub: initial substitute training data :param Y_sub: initial substitute training labels :return: """ # Define TF model graph (for the black-box model) model_sub = substitute_model() preds_sub = model_sub(x) print("Defined TensorFlow model graph for the substitute.") # Define the Jacobian symbolically using TensorFlow grads = jacobian_graph(preds_sub, x, FLAGS.nb_classes) # Train the substitute and augment dataset alternatively for rho in range(FLAGS.data_aug): print("Substitute training epoch #" + str(rho)) train_params = { 'nb_epochs': FLAGS.nb_epochs_s, 'batch_size': FLAGS.batch_size, 'learning_rate': FLAGS.learning_rate } model_train(sess, x, y, preds_sub, X_sub, to_categorical(Y_sub), init_all=False, verbose=False, args=train_params) # If we are not at last substitute training iteration, augment dataset if rho < FLAGS.data_aug - 1: print("Augmenting substitute training data.") # Perform the Jacobian augmentation X_sub = jacobian_augmentation(sess, x, X_sub, Y_sub, grads, FLAGS.lmbda) print("Labeling substitute training data.") # Label the newly generated synthetic points using the black-box Y_sub = np.hstack([Y_sub, Y_sub]) X_sub_prev = X_sub[int(len(X_sub) / 2):] eval_params = {'batch_size': FLAGS.batch_size} x_sub_prev = X_sub_prev.reshape(X_sub_prev.shape[0], -1) xg_sub = xgb.DMatrix(x_sub_prev) Y_sub_prev = bbox.predict(xg_sub) Y_sub[int(len(X_sub) / 2):] = Y_sub_prev return model_sub, preds_sub
def train_sub(data_aug, sess, x_sub, lmbda, target_model, aug_batch_size=AUG_BATCH_SIZE): placeholder_sub = tf.placeholder(tf.float32, shape=(None, SUB_IMAGE_SIZE, SUB_IMAGE_SIZE, NUM_OF_CHANNELS)) placeholder_bbox = tf.placeholder(tf.float32, shape=(None, BBOX_IMAGE_SIZE, BBOX_IMAGE_SIZE, NUM_OF_CHANNELS)) print("Loading substitute model...") model = get_model_category_by_id(SUBSTITUTE_MODEL_ID, NB_SUB_CLASSES, metric='accuracy') # simple vanilla cnn if SUBSTITUTE_MODEL_ID == '-1': model = get_simple_model(NB_SUB_CLASSES, SUB_IMAGE_SIZE) model.compile(optimizer=Adam(lr=0.1, decay=1e-6), loss="categorical_crossentropy", metrics=['accuracy']) model_sub = KerasModelWrapper(model) preds_sub = model_sub.get_logits(placeholder_sub) print("Subsitute model loaded.") # Define the Jacobian symbolically using TensorFlow print("Defining jacobian graph...") grads = jacobian_graph(preds_sub, placeholder_sub, NB_SUB_CLASSES) print("Jacobian graph defined.") y_sub = bbox_predict(target_model, x_sub, sess, placeholder_bbox, batch_size=1) train_gen = TransferGenerator(x_sub, labels=y_sub, num_classes=NB_SUB_CLASSES, batch_size=BATCH_SIZE, image_size=SUB_IMAGE_SIZE) for rho in xrange(data_aug): print("Substitute training epoch #" + str(rho)) train_gen.reinitialize(x_sub, y_sub, BATCH_SIZE, SUB_IMAGE_SIZE) print("Fitting the generator with the labels: ") print(train_gen.labels) model_sub.model.fit_generator(generator=train_gen, epochs=NUM_EPOCHS) # print("Saving substitute model that is trained so far") # path = Path(__file__).resolve().parent.parent.joinpath("resources/models") # save_model(str(path) + "sub_model_after_epoch" + str(rho) + ".h5", model_sub.model) # input_sample = np.empty(shape=(1, IMAGE_SIZE_SUB, IMAGE_SIZE_SUB, NUM_OF_CHANNELS), dtype=np.float32) if rho < data_aug - 1: print("Augmenting substitute training data...") # Perform the Jacobian augmentation lmbda_coef = 2 * int(int(rho / 3) != 0) - 1 x_sub = jacobian_augmentation(sess, placeholder_sub, x_sub, y_sub, grads, lmbda_coef * lmbda, aug_batch_size) print("Substitute training data augmented.") print("Labeling substitute training data using bbox...") y_sub = np.hstack([y_sub, y_sub]) x_sub_new = x_sub[int(len(x_sub) / 2):] y_sub[int(len(x_sub)/2):] = bbox_predict(target_model, x_sub_new, sess, placeholder_bbox) return model_sub
def train_sub(sess, model, x, y, denoise_model, X_sub, Y_sub): # model_sub = substitute_model() model_sub = substitute_model_D_on_paper() preds_sub = model_sub(x) print("Train substitute model") # Define the Jacobian symbolically using TensorFlow grads = jacobian_graph(preds_sub, x, FLAGS.nb_classes) # Train the substitute and augment dataset alternatively for rho in range(FLAGS.data_aug): print("Substitute training epoch #" + str(rho)) train_params = { 'nb_epochs': FLAGS.nb_epochs_s, 'batch_size': FLAGS.batch_size, 'learning_rate': FLAGS.learning_rate } model_train(sess, x, y, preds_sub, X_sub, to_categorical(Y_sub, num_classes=FLAGS.nb_classes), init_all=False, verbose=False, args=train_params) # If we are not at last substitute training iteration, augment dataset if rho < FLAGS.data_aug - 1: print("Augmenting substitute training data.") # Perform the Jacobian augmentation X_sub = jacobian_augmentation(sess, x, X_sub, Y_sub, grads, FLAGS.lmbda) print("Labeling substitute training data.") # Label the newly generated synthetic points using the black-box Y_sub = np.hstack([Y_sub, Y_sub]) X_sub_prev = X_sub[int(len(X_sub) / 2):] if DENOISE: X_sub_prev = denoise_model.predict(X_sub_prev, verbose=1, batch_size=FLAGS.batch_size) bbox_val = model.predict(X_sub_prev) Y_sub[int(len(X_sub) / 2):] = np.argmax(bbox_val, axis=1) return model_sub, preds_sub
def augmentSubstituteData(self, X, Y, dqn, batchSize, lmbdas, verbose=False): grads = jacobian_graph(self.logits, self.inputs, self.env.action_space.n) epNum = len(lmbdas) Xa = X Ya = Y for ep in range(epNum): mbInds = utils.getMinibatchInds(batchSize, np.arange(X.shape[0])) lmbda = lmbdas[ep] for i, mbi in enumerate(mbInds): mbX = X[mbi] mbY = Y[mbi] mbXa = jacobian_augmentation(self.sess, self.inputs, mbX, mbY, grads, lmbda) mbXa = mbXa[mbX.shape[0]:] mbYa = dqn.run(mbXa) mbYa = np.argmax(mbYa, axis=1) Xa = np.vstack([Xa, mbXa]) Ya = np.hstack([Ya, mbYa]) del mbXa del mbYa if verbose: print("Finished minibatch " + str(i) + " / " + str(len(mbInds)) + " in epoch " + str(ep) + ". Num examples = " + str(Xa.shape[0])) if verbose: print("Finished epoch " + str(ep)) return Xa, Ya
def train_sub(data_aug, sess, x_sub, y_sub, lmbda, target_model, aug_batch_size=1): x = tf.placeholder(tf.float32, shape=(None, IMAGE_SIZE, IMAGE_SIZE, NUM_OF_CHANNELS)) print("Loading substitute model...") model = get_model("InceptionResNetV2") # model = get_simple_model(num_classes=NB_CLASSES, image_size=IMAGE_SIZE) model.compile(optimizer=Adam(), loss="categorical_crossentropy", metrics=[age_mae]) model_sub = KerasModelWrapper(model) preds_sub = model_sub.get_logits(x) print("Subsitute model loaded.") # Define the Jacobian symbolically using TensorFlow print("Defining jacobian graph...") grads = jacobian_graph(preds_sub, x, NB_CLASSES) print("Jacobian graph defined.") train_gen = TransferGenerator(x_sub, y_sub, num_classes=101, batch_size=BATCH_SIZE, image_size=IMAGE_SIZE) for rho in xrange(data_aug): print("Substitute training epoch #" + str(rho)) train_gen.reinitialize(data=x_sub, labels=y_sub, batch_size=BATCH_SIZE, image_size=IMAGE_SIZE) model_sub.model.fit_generator(generator=train_gen, epochs=1) input_sample = np.empty(shape=(1, IMAGE_SIZE, IMAGE_SIZE, NUM_OF_CHANNELS), dtype=np.float32) if rho < data_aug - 1: print("Augmenting substitute training data...") # Perform the Jacobian augmentation lmbda_coef = 2 * int(int(rho / 3) != 0) - 1 x_sub_tmp = np.vstack([x_sub, x_sub]) for i in range(0, len(y_sub)): input_sample[0, :, :, :] = x_sub[i] adv = jacobian_augmentation(sess=sess, x=x, X_sub_prev=input_sample, Y_sub=[y_sub[i]], grads=grads, lmbda=lmbda_coef * lmbda, aug_batch_size=aug_batch_size) x_sub_tmp[2 * i] = adv[0, :, :, :] x_sub_tmp[2 * i + 1] = adv[1, :, :, :] x_sub = x_sub_tmp print("Substitute training data augmented.") print("Labeling substitute training data using bbox...") y_sub = np.hstack([y_sub, y_sub]) x_sub_prev = x_sub[int(len(x_sub) / 2):] predictions = bbox_predict(target_model, x_sub_prev, sess, x) y_sub[int(len(x_sub) / 2):] = predictions return model_sub
def train_sub(sess, x, y, bbox_preds, x_sub, y_sub, nb_classes, nb_epochs_s, batch_size, learning_rate, data_aug, lmbda, aug_batch_size, rng, img_rows=48, img_cols=48, nchannels=3): """ This function creates the substitute by alternatively augmenting the training data and training the substitute. :param sess: TF session :param x: input TF placeholder :param y: output TF placeholder :param bbox_preds: output of black-box model predictions :param x_sub: initial substitute training data :param y_sub: initial substitute training labels :param nb_classes: number of output classes :param nb_epochs_s: number of epochs to train substitute model :param batch_size: size of training batches :param learning_rate: learning rate for training :param data_aug: number of times substitute training data is augmented :param lmbda: lambda from arxiv.org/abs/1602.02697 :param rng: numpy.random.RandomState instance :return: """ assert(y_sub.shape[1]>1) try: saver.restore(sess, "./model.ckpt") model_sub = tf.get_variable("logits", shape=[1]) preds_sub = tf.get_variable("probs", shape=[1]) return model_sub, preds_sub except: print("Model ckpt is not found. Retrain substitute starts.") # Define TF model graph (for the black-box model) model_sub = ModelSubstitute('model_s',nb_classes, session=sess, istrain=True) logits = model_sub.get_logits(x) loss = tf.reduce_mean(tf.nn.softmax_cross_entropy_with_logits_v2(logits=logits, labels=y)) optimiser = tf.train.AdamOptimizer().minimize(loss) preds_sub = tf.nn.softmax(logits=logits) saver = tf.train.Saver() print("Defined TensorFlow model graph for the substitute.") # Define the Jacobian symbolically using TensorFlow grads = jacobian_graph(preds_sub, x, nb_classes) sess.run(tf.global_variables_initializer()) def evaluate(): acc = model_eval(sess, x, y, preds_sub, x_sub, y_sub, args=eval_params) print('Test accuracy on test examples: %0.4f' % (acc)) # Train the substitute and augment dataset alternatively for rho in xrange(data_aug): print("Substitute training epoch #" + str(rho)) for s in range(batch_size): batch_xs = x_sub[s*batch_size: (s+1)*batch_size] batch_ys = y_sub[s*batch_size: (s+1)*batch_size] feed_dict = {x:batch_xs, y:batch_ys} op, lval,pre = sess.run([optimiser, loss, preds_sub], feed_dict=feed_dict) print("rho = {0}. loss : {1}".format(rho, sess.run(loss, feed_dict={x:batch_xs, y:batch_ys}))) # If we are not at last substitute training iteration, augment dataset if 0: # rho < data_aug - 1: print("Augmenting substitute training data.") # Perform the Jacobian augmentation lmbda_coef = 2 * int(int(rho / 3) != 0) - 1 y_sub_labels = np.argmax(y_sub, axis=1).reshape(-1,1) x_sub = jacobian_augmentation(sess, x, x_sub, y_sub_labels, grads, lmbda_coef * lmbda, aug_batch_size) # Label the newly generated synthetic points using the black-box new_y_sub_labels = np.vstack((y_sub_labels, y_sub_labels)) x_sub_prev = x_sub[int(len(x_sub)/2):] eval_params = {'batch_size': batch_size} tmp = batch_eval(sess,[x],[bbox_preds],[x_sub_prev],batch_size=batch_size) bbox_val = tmp[0] # Note here that we take the argmax because the adversary # only has access to the label (not the probabilities) output # by the black-box model tmp1 = np.argmax(bbox_val, axis=1) tmp2 = y_sub_labels[int(len(x_sub)/2):] new_y_sub_labels[int(len(x_sub)/2):] = np.argmax(bbox_val, axis=1).reshape(-1,1) y_sub = to_categorical(new_y_sub_labels, nb_classes) save_path = saver.save(sess, "./model.ckpt") print("Model saved in path: %s" % save_path) print(preds_sub.shape) print(model_sub.shape) return model_sub, preds_sub
def train_sub(sess, x, y, bbox_preds, X_sub, Y_sub, nb_classes, nb_epochs_s, batch_size, learning_rate, data_aug, lmbda, rng, substitute_model=None): """This function trains the substitute model as described in arxiv.org/abs/1602.02697 Args: sess: TF session x: input TF placeholder y: output TF placeholder bbox_preds: output of black-box model predictions X_sub: initial substitute training data Y_sub: initial substitute training labels nb_classes: number of output classes nb_epochs_s: number of epochs to train substitute model batch_size: size of training batches learning_rate: learning rate for training data_aug: number of times substitute training data is augmented lmbda: lambda from arxiv.org/abs/1602.02697 rng: numpy.random.RandomState instance Returns: model_sub: The substitute model function. preds_sub: The substitute prediction tensor. """ # Define TF model graph (for the black-box model). model_sub = substitute_model preds_sub = model_sub(x) print("Defined TensorFlow model graph for the substitute.") # Define the Jacobian symbolically using TensorFlow. grads = jacobian_graph(preds_sub, x, nb_classes) # Train the substitute and augment dataset alternatively. for rho in xrange(data_aug): print("Substitute training epoch #" + str(rho)) train_params = { 'nb_epochs': nb_epochs_s, 'batch_size': batch_size, 'learning_rate': learning_rate } model_train(sess, x, y, preds_sub, X_sub, to_categorical(Y_sub), init_all=False, args=train_params, rng=rng, feed={K.learning_phase(): 1}) # If we are not at last substitute training iteration, augment dataset. if rho < data_aug - 1: print("Augmenting substitute training data.") # Perform the Jacobian augmentation. X_sub = jacobian_augmentation(sess, x, X_sub, Y_sub, grads, lmbda, feed={K.learning_phase(): 0}) print("Labeling substitute training data.") # Label the newly generated synthetic points using the black-box. Y_sub = np.hstack([Y_sub, Y_sub]) X_sub_prev = X_sub[int(len(X_sub) / 2):] eval_params = {'batch_size': batch_size} # To initialize the local variables of Defense-GAN. sess.run(tf.local_variables_initializer()) bbox_val = batch_eval(sess, [x], [bbox_preds], [X_sub_prev], args=eval_params, feed={K.learning_phase(): 0})[0] # Note here that we take the argmax because the adversary # only has access to the label (not the probabilities) output # by the black-box model. Y_sub[int(len(X_sub) / 2):] = np.argmax(bbox_val, axis=1) return model_sub, preds_sub
def train_sub(sess, logits_scalar, x, y, bbox_preds, X_sub, Y_sub, nb_classes, nb_epochs_s, batch_size, learning_rate, data_aug, lmbda, rng, binary=False, phase=None, model_path=None): """ This function creates the substitute by alternatively augmenting the training data and training the substitute. :param sess: TF session :param x: input TF placeholder :param y: output TF placeholder :param bbox_preds: output of black-box model predictions :param X_sub: initial substitute training data :param Y_sub: initial substitute training labels :param nb_classes: number of output classes :param nb_epochs_s: number of epochs to train substitute model :param batch_size: size of training batches :param learning_rate: learning rate for training :param data_aug: number of times substitute training data is augmented :param lmbda: lambda from arxiv.org/abs/1602.02697 :param rng: numpy.random.RandomState instance :param phase: placeholder for batch_norm phase (training or testing) :param phase_val: True if training, False if testing :return: """ # Define TF model graph (for the black-box model) model_sub = substitute_model() preds_sub = model_sub(x) print("Defined TensorFlow model graph for the substitute.") # Define the Jacobian symbolically using TensorFlow grads = jacobian_graph(preds_sub, x, nb_classes) train_params = { 'binary': False, 'nb_epochs': nb_epochs_s, 'batch_size': batch_size, 'learning_rate': learning_rate, 'filename': 'sub_model', 'train_scope': 'sub_model', 'reuse_global_step': False, 'is_training': True } # Train the substitute and augment dataset alternatively for rho in xrange(data_aug): print("Substitute training epoch #" + str(rho)) if rho > 0: train_params.update({'reuse_global_step': True}) if model_path is not None: train_params.update({'log_dir': model_path}) model_train(sess, x, y, preds_sub, X_sub, to_categorical(Y_sub), phase=phase, save=True, init_all=False, args=train_params, rng=rng) else: model_train(sess, x, y, preds_sub, X_sub, to_categorical(Y_sub), phase=phase, init_all=False, args=train_params, rng=rng) # If we are not at last substitute training iteration, augment dataset if rho < data_aug - 1: print("Augmenting substitute training data.") # Perform the Jacobian augmentation X_sub = jacobian_augmentation(sess, x, X_sub, Y_sub, grads, lmbda) print("Labeling substitute training data.") # Label the newly generated synthetic points using the black-box Y_sub = np.hstack([Y_sub, Y_sub]) X_sub_prev = X_sub[int(len(X_sub) / 2):] eval_params = {'batch_size': batch_size} bbox_val = batch_eval(sess, [x], [bbox_preds], [X_sub_prev], feed={phase: False}, args=eval_params)[0] # Note here that we take the argmax because the adversary # only has access to the label (not the probabilities) output # by the black-box model Y_sub[int(len(X_sub) / 2):] = np.argmax(bbox_val, axis=1) return model_sub, preds_sub
def train_sub(sess, x, y, bbox_preds, X_sub, Y_sub, nb_classes, nb_epochs_s, batch_size, learning_rate, data_aug, lmbda, aug_batch_size, rng, img_rows=28, img_cols=28, nchannels=1): """ This function creates the substitute by alternatively augmenting the training data and training the substitute. :param sess: TF session :param x: input TF placeholder :param y: output TF placeholder :param bbox_preds: output of black-box model predictions :param X_sub: initial substitute training data :param Y_sub: initial substitute training labels :param nb_classes: number of output classes :param nb_epochs_s: number of epochs to train substitute model :param batch_size: size of training batches :param learning_rate: learning rate for training :param data_aug: number of times substitute training data is augmented :param lmbda: lambda from arxiv.org/abs/1602.02697 :param rng: numpy.random.RandomState instance :return: """ # Define TF model graph (for the black-box model) model_sub = ModelSubstitute('model_s', nb_classes) preds_sub = model_sub.get_logits(x) loss_sub = LossCrossEntropy(model_sub, smoothing=0) print("Defined TensorFlow model graph for the substitute.") # Define the Jacobian symbolically using TensorFlow grads = jacobian_graph(preds_sub, x, nb_classes) # Train the substitute and augment dataset alternatively for rho in xrange(data_aug): print("Substitute training epoch #" + str(rho)) train_params = { 'nb_epochs': nb_epochs_s, 'batch_size': batch_size, 'learning_rate': learning_rate } with TemporaryLogLevel(logging.WARNING, "cleverhans.utils.tf"): train(sess, loss_sub, x, y, X_sub, to_categorical(Y_sub, nb_classes), init_all=False, args=train_params, rng=rng, var_list=model_sub.get_params()) # If we are not at last substitute training iteration, augment dataset if rho < data_aug - 1: print("Augmenting substitute training data.") # Perform the Jacobian augmentation lmbda_coef = 2 * int(int(rho / 3) != 0) - 1 X_sub = jacobian_augmentation(sess, x, X_sub, Y_sub, grads, lmbda_coef * lmbda, aug_batch_size) print("Labeling substitute training data.") # Label the newly generated synthetic points using the black-box Y_sub = np.hstack([Y_sub, Y_sub]) X_sub_prev = X_sub[int(len(X_sub)/2):] eval_params = {'batch_size': batch_size} bbox_val = batch_eval(sess, [x], [bbox_preds], [X_sub_prev], args=eval_params)[0] # Note here that we take the argmax because the adversary # only has access to the label (not the probabilities) output # by the black-box model Y_sub[int(len(X_sub)/2):] = np.argmax(bbox_val, axis=1) return model_sub, preds_sub
def train_sub(sess, x, y, bbox_preds, X_sub, Y_sub, nb_classes=10, nb_epochs_s=250, batch_size=128, learning_rate=0.001, data_aug=6, lmbda=0.1, rng=None): """ This function creates the substitute by alternatively augmenting the training data and training the substitute. :param sess: TF session :param x: input TF placeholder :param y: output TF placeholder :param bbox_preds: output of black-box model predictions :param X_sub: initial substitute training data :param Y_sub: initial substitute training labels :param nb_classes: number of output classes :param nb_epochs_s: number of epochs to train substitute model :param batch_size: size of training batches :param learning_rate: learning rate for training :param data_aug: number of times substitute training data is augmented :param lmbda: lambda from arxiv.org/abs/1602.02697 :param rng: numpy.random.RandomState instance :return: """ # Define TF model graph (for the black-box model) model_wrapper = cifar10vgg(empty_model=True) model_sub = model_wrapper.model preds_sub = model_sub(x) print("Defined TensorFlow model graph for the substitute.") # Define the Jacobian symbolically using TensorFlow grads = jacobian_graph(preds_sub, x, nb_classes) # Train the substitute and augment dataset alternatively for rho in range(data_aug): print("Substitute training epoch #" + str(rho)) train_params = { 'nb_epochs': nb_epochs_s, 'batch_size': batch_size, 'learning_rate': learning_rate } with TemporaryLogLevel(tf.logging.WARNING, "cleverhans.utils.tf"): model_train(sess, x, y, preds_sub, X_sub, Y_sub, init_all=False, args=train_params) # If we are not at last substitute training iteration, augment dataset if rho < data_aug - 1: print("Augmenting substitute training data.") # Perform the Jacobian augmentation lmbda_coef = 2 * int(int(rho / 3) != 0) - 1 X_sub = jacobian_augmentation(sess, x, X_sub, Y_sub, grads, lmbda_coef * lmbda) print("Labeling substitute training data.") # Label the newly generated synthetic points using the black-box Y_sub = np.hstack([Y_sub, Y_sub]) X_sub_prev = X_sub[int(len(X_sub)/2):] eval_params = {'batch_size': batch_size} bbox_val = batch_eval(sess, [x], [bbox_preds], [X_sub_prev], args=eval_params)[0] # Note here that we take the argmax because the adversary # only has access to the label (not the probabilities) output # by the black-box model Y_sub[int(len(X_sub)/2):] = np.argmax(bbox_val, axis=1) return model_sub, preds_sub
def train_sub(sess, x, y, bbox_preds, X_sub, Y_sub, nb_classes, nb_epochs_s, batch_size, learning_rate, data_aug, lmbda, rng, substitute_model=None, dataset_name=None): """This function trains the substitute model as described in arxiv.org/abs/1602.02697 Args: sess: TF session x: input TF placeholder y: output TF placeholder bbox_preds: output of black-box model predictions X_sub: initial substitute training data Y_sub: initial substitute training labels nb_classes: number of output classes nb_epochs_s: number of epochs to train substitute model batch_size: size of training batches learning_rate: learning rate for training data_aug: number of times substitute training data is augmented lmbda: lambda from arxiv.org/abs/1602.02697 rng: numpy.random.RandomState instance Returns: model_sub: The substitute model function. preds_sub: The substitute prediction tensor. """ model_sub = substitute_model used_vars = model_sub.get_params() if FLAGS.load_sub_model: try: path = tf.train.latest_checkpoint('classifiers/sub_model/{}'.format(dataset_name)) saver = tf.train.Saver(var_list=used_vars) saver.restore(sess, path) print('[+] Sub model loaded successfully ...') pred_eval = model_sub.get_logits(x) return model_sub, pred_eval except: pass pred_train = model_sub.get_logits(x, dropout=True) pred_eval = model_sub.get_logits(x) print("Defined TensorFlow model graph for the substitute.") # Define the Jacobian symbolically using TensorFlow. grads = jacobian_graph(pred_eval, x, nb_classes) train_params = { 'nb_epochs': nb_epochs_s, 'batch_size': batch_size, 'learning_rate': learning_rate, 'train_dir': 'classifiers/sub_model/{}'.format(dataset_name), 'filename': 'model_{}'.format(FLAGS.sub_model) } # Train the substitute and augment dataset alternatively. for rho in xrange(data_aug): print("Substitute training epoch #" + str(rho)) model_train(sess, x, y, pred_train, X_sub, convert_to_onehot(Y_sub), init_all=False, args=train_params, rng=rng, save=True) # If we are not at last substitute training iteration, augment dataset. if rho < data_aug - 1: print("Augmenting substitute training data.") # Perform the Jacobian augmentation. X_sub = jacobian_augmentation(sess, x, X_sub, Y_sub, grads, lmbda) print("Labeling substitute training data.") # Label the newly generated synthetic points using the black-box. Y_sub = np.hstack([Y_sub, Y_sub]) X_sub_prev = X_sub[int(len(X_sub) / 2):] eval_params = {'batch_size': batch_size} # To initialize the local variables of Defense-GAN. sess.run(tf.local_variables_initializer()) bbox_val = batch_eval(sess, [x], [bbox_preds], [X_sub_prev], args=eval_params)[0] # Note here that we take the argmax because the adversary # only has access to the label (not the probabilities) output # by the black-box model. Y_sub[int(len(X_sub) / 2):] = np.argmax(bbox_val, axis=1) return model_sub, pred_eval
def train_sub(sess, x, y, bbox_preds, X_sub, Y_sub, nb_classes, nb_epochs_s, batch_size, learning_rate, data_aug, lmbda, rng, model_arch_sub, merged, opt_type, blocking_option): """ This function creates the substitute by alternatively augmenting the training data and training the substitute. """ # Define TF model graph (for the black-box model) model_sub = substitute_model(model_arch_sub=model_arch_sub, blocking_option=blocking_option) preds_sub = model_sub(x) #return model_sub, preds_sub print("Defined TensorFlow model graph for the substitute.") # Define the Jacobian symbolically using TensorFlow grads = jacobian_graph(preds_sub, x, nb_classes) # Train the substitute and augment dataset alternatively for rho in xrange(data_aug): print("Substitute training epoch #" + str(rho)) train_params = { 'nb_epochs': nb_epochs_s, 'batch_size': batch_size, 'learning_rate': learning_rate } model_train( sess, x, y, preds_sub, X_sub, to_categorical(Y_sub), init_all=False, args=train_params, rng=rng, opt_type=opt_type, #summary=merged ) # If we are not at last substitute training iteration, augment dataset if rho < data_aug - 1: print("Augmenting substitute training data.") # Perform the Jacobian augmentation lmbda_coef = 2 * int(int(rho / 3) != 0) - 1 X_sub = jacobian_augmentation(sess, x, X_sub, Y_sub, grads, lmbda_coef * lmbda) print("Labeling substitute training data.") # Label the newly generated synthetic points using the black-box Y_sub = np.hstack([Y_sub, Y_sub]) X_sub_prev = X_sub[int(len(X_sub) / 2):] eval_params = {'batch_size': batch_size} bbox_val = batch_eval(sess, [x], [bbox_preds], [X_sub_prev], args=eval_params)[0] # Note here that we take the argmax because the adversary # only has access to the label (not the probabilities) output # by the black-box model Y_sub[int(len(X_sub) / 2):] = np.argmax(bbox_val, axis=1) return model_sub, preds_sub
def train_sub(sess, x, y, bbox_preds, x_sub, y_sub, nb_classes, nb_epochs_s, batch_size, learning_rate, data_aug, lmbda, aug_batch_size, rng, img_rows=28, img_cols=28, nchannels=1): """ This function creates the substitute by alternatively augmenting the training data and training the substitute. :param sess: TF session :param x: input TF placeholder :param y: output TF placeholder :param bbox_preds: output of black-box model predictions :param x_sub: initial substitute training data :param y_sub: initial substitute training labels :param nb_classes: number of output classes :param nb_epochs_s: number of epochs to train substitute model :param batch_size: size of training batches :param learning_rate: learning rate for training :param data_aug: number of times substitute training data is augmented :param lmbda: lambda from arxiv.org/abs/1602.02697 :param rng: numpy.random.RandomState instance :return: """ # Define TF model graph (for the black-box model) model_sub = ModelSubstitute('model_s', nb_classes) preds_sub = model_sub.get_logits(x) loss_sub = CrossEntropy(model_sub, smoothing=0) print("Defined TensorFlow model graph for the substitute.") # Define the Jacobian symbolically using TensorFlow grads = jacobian_graph(preds_sub, x, nb_classes) # Train the substitute and augment dataset alternatively for rho in xrange(data_aug): print("Substitute training epoch #" + str(rho)) train_params = { 'nb_epochs': nb_epochs_s, 'batch_size': batch_size, 'learning_rate': learning_rate } with TemporaryLogLevel(logging.WARNING, "cleverhans.utils.tf"): train(sess, loss_sub, x, y, x_sub, to_categorical(y_sub, nb_classes), init_all=False, args=train_params, rng=rng, var_list=model_sub.get_params()) # If we are not at last substitute training iteration, augment dataset if rho < data_aug - 1: print("Augmenting substitute training data.") # Perform the Jacobian augmentation lmbda_coef = 2 * int(int(rho / 3) != 0) - 1 x_sub = jacobian_augmentation(sess, x, x_sub, y_sub, grads, lmbda_coef * lmbda, aug_batch_size) print("Labeling substitute training data.") # Label the newly generated synthetic points using the black-box y_sub = np.hstack([y_sub, y_sub]) x_sub_prev = x_sub[int(len(x_sub) / 2):] eval_params = {'batch_size': batch_size} bbox_val = batch_eval(sess, [x], [bbox_preds], [x_sub_prev], args=eval_params)[0] # Note here that we take the argmax because the adversary # only has access to the label (not the probabilities) output # by the black-box model y_sub[int(len(x_sub) / 2):] = np.argmax(bbox_val, axis=1) return model_sub, preds_sub
def train_substitute(modelname='testmodel', lmbda=0.1, tau=2, n_jac_iteration=5, modeltype='cnn_model', n_per_class=1, batch_size=64, descent_only=False): print("initializing training") if not modeltype in MODEL_TYPES: raise RuntimeError("Unknown model type: " + str(modeltype)) modeltype = MODEL_TYPES[modeltype] modeldir = init_modeldir() modelpath = os.path.join(modeldir, modelname + '.h5') set_log_level(logging.DEBUG) gpu_options = tf.GPUOptions(per_process_gpu_memory_fraction=0.95) sess_kwargs = dict(gpu_options=gpu_options) gtsrb = GTSRB(random_seed=42) n_classes = int(len(remote_map) / 2) # (0) init constants LMBDA = 0.1 TAU = 2 N_JAC_ITERATION = 4 cache = {} # (1) select initial training set if descent_only: # we select only a few images per class but these should be classified # with high confidence by the remote model X, _ = get_initial_set(gtsrb, hot_encoded=False, n_per_class=n_per_class, confidence_threshold=0.95) else: X, _ = get_initial_set(gtsrb, hot_encoded=False, n_per_class=n_per_class, confidence_threshold=0) def lr_schedule(epoch): return 0.01 * (0.1**int(epoch / 25)) for rho in range(N_JAC_ITERATION): print("=" * 5, "jacobian iteration: ", rho, "training set size: ", len(X)) # for memory reasons, we must reinitialize the session in each iteration sess = tf.Session(config=tf.ConfigProto(**sess_kwargs)) K.set_session(sess) wrap = KerasModelWrapper(modeltype(gtsrb.img_size, n_classes)) op = SGD(lr=1e-2, decay=1e-6, momentum=0.9, nesterov=True) wrap.model.compile(loss='categorical_crossentropy', optimizer=op, metrics=['accuracy']) # (2) specify architecture (already specified) x = tf.placeholder(tf.float32, shape=(None, *X.shape[1:])) initial_weights = wrap.model.get_weights() if descent_only: # own approach lmbda_coef = -1 else: # lambda as described in the paper lmbda_coef = (-1)**(rho % TAU) # (3) label data Y = np.zeros(shape=(len(X), n_classes)) for i in range(len(X)): # take known labels from cache if i in cache: Y[i] = cache[i] else: pred = fetch_single_prediction(X[i], remote_map, n_classes, delay=1) cache[i] = pred Y[i] = pred # (4) fit model on current set wrap.model.set_weights(initial_weights) wrap.model.fit(X, Y, batch_size=64, epochs=(rho + 1) * 20, validation_split=0.2 if len(X) > 64 * 5 else 0, verbose=2, callbacks=[ LearningRateScheduler(lr_schedule), ModelCheckpoint(modelpath, save_best_only=True) ]) # (5) augment data logits = wrap.get_logits(x) jacobian = jacobian_graph(logits, x, n_classes) Y_sub = np.array([np.argmax(row) for row in Y]) X = jacobian_augmentation(sess, x, X, Y_sub, jacobian, lmbda=(LMBDA * lmbda_coef)) if os.path.exists(modelpath): os.remove(modelpath) wrap.model.save(modelpath) K.clear_session() del sess # free as much memory as we can gc.collect()