def RMSProp(loss, parameter_list):
    """One RMSProp-style training op built on plain gradient descent.

    Keeps a decayed moving average of the squared gradients in the
    module-level list ``last_n2`` and rescales each raw gradient by
    ``1 / (sqrt(n) + 0.001)`` before applying it.

    Args:
        loss: Scalar loss tensor to differentiate.
        parameter_list: Variables to compute gradients for.

    Returns:
        The op returned by ``opt.apply_gradients`` for the rescaled
        gradients.
    """
    opt = GradientDescentOptimizer(1e-3)
    grads_and_vars = opt.compute_gradients(loss, parameter_list)
    capped_grads_and_vars = []
    middle = []  # new squared-gradient averages, kept separate from the updates
    for i, (gradient, variable) in enumerate(grads_and_vars):
        if len(last_n2) != 0:
            # Decayed moving average of the squared gradient.
            n = 0.8 * tf.multiply(gradient, gradient) + 0.2 * last_n2[i]
        else:
            # First call: no history yet.
            n = tf.multiply(gradient, gradient)
        middle.append(n)
        # 0.001 guards against division by zero.
        momentum = gradient / (tf.sqrt(n) + 0.001)
        capped_grads_and_vars.append((momentum, variable))
    # BUG FIX: persist the squared-gradient average n (previously the
    # rescaled update itself was stored, corrupting the history); this
    # matches the bookkeeping in RMSProp_BB2.
    if len(last_n2) != 0:
        for i in range(len(grads_and_vars)):
            last_n2[i] = middle[i]
    else:
        for i in range(len(grads_and_vars)):
            last_n2.append(middle[i])
    # BUG FIX: apply the rescaled gradients; the original applied the raw
    # grads_and_vars, discarding all the work above.
    return opt.apply_gradients(capped_grads_and_vars)
def testTraining(self):
    """Tests a gradient descent step for a simple model."""
    with self.session() as session:
        with self.test_scope():
            with variable_scope.variable_scope("ascope", use_resource=True):
                # Linear model y = x @ w + b with known initial values.
                w = variable_scope.get_variable(
                    "w",
                    shape=[4, 2],
                    dtype=dtypes.float32,
                    initializer=init_ops.constant_initializer(
                        np.array([[1, 2], [3, 4], [5, 6], [7, 8]],
                                 dtype=np.float32)))
                b = variable_scope.get_variable(
                    "b",
                    shape=[2],
                    dtype=dtypes.float32,
                    initializer=init_ops.constant_initializer(
                        np.array([2, 3], dtype=np.float32)))
                x = array_ops.placeholder(dtypes.float32, shape=[1, 4])
                y = math_ops.matmul(x, w) + b
                # Scalar loss; d(loss)/dw = x^T broadcast over both output
                # columns, d(loss)/db = 1 per output.
                loss = math_ops.reduce_sum(y)
                optimizer = GradientDescentOptimizer(0.1)
                train = optimizer.minimize(loss)
                session.run(variables.global_variables_initializer())
                # Single SGD step (lr = 0.1) on one example.
                session.run(train,
                            {x: np.array([[7, 3, 5, 9]], dtype=np.float32)})
                vw, vb = session.run([w, b])
                # E.g. w[0,0]: 1 - 0.1 * 7 = 0.3; b: 2 - 0.1 = 1.9.
                self.assertAllClose(
                    np.array(
                        [[0.3, 1.3], [2.7, 3.7], [4.5, 5.5], [6.1, 7.1]],
                        dtype=np.float32),
                    vw,
                    rtol=1e-4)
                self.assertAllClose(np.array([1.9, 2.9], dtype=np.float32),
                                    vb,
                                    rtol=1e-4)
def testTraining(self):
    """Tests a gradient descent step for a simple model."""
    with self.test_session() as session:
        with self.test_scope():
            with variable_scope.variable_scope("ascope", use_resource=True):
                # Linear model y = x @ w + b with known initial values.
                w = variable_scope.get_variable(
                    "w",
                    shape=[4, 2],
                    dtype=dtypes.float32,
                    initializer=init_ops.constant_initializer(
                        np.array([[1, 2], [3, 4], [5, 6], [7, 8]],
                                 dtype=np.float32)))
                b = variable_scope.get_variable(
                    "b",
                    shape=[2],
                    dtype=dtypes.float32,
                    initializer=init_ops.constant_initializer(
                        np.array([2, 3], dtype=np.float32)))
                x = array_ops.placeholder(dtypes.float32, shape=[1, 4])
                y = math_ops.matmul(x, w) + b
                # Scalar loss; d(loss)/dw = x^T broadcast over both output
                # columns, d(loss)/db = 1 per output.
                loss = math_ops.reduce_sum(y)
                optimizer = GradientDescentOptimizer(0.1)
                train = optimizer.minimize(loss)
                session.run(variables.global_variables_initializer())
                # Single SGD step (lr = 0.1) on one example.
                session.run(train,
                            {x: np.array([[7, 3, 5, 9]], dtype=np.float32)})
                vw, vb = session.run([w, b])
                # E.g. w[0,0]: 1 - 0.1 * 7 = 0.3; b: 2 - 0.1 = 1.9.
                self.assertAllClose(
                    np.array(
                        [[0.3, 1.3], [2.7, 3.7], [4.5, 5.5], [6.1, 7.1]],
                        dtype=np.float32),
                    vw,
                    rtol=1e-4)
                self.assertAllClose(np.array([1.9, 2.9], dtype=np.float32),
                                    vb,
                                    rtol=1e-4)
def Ada_Mom(loss, parameter_list):
    """One AdaGrad-with-momentum training op built on gradient descent.

    Accumulates squared gradients (no decay, AdaGrad style) in the
    module-level list ``last_n1`` and keeps a momentum buffer in the
    module-level list ``last_momentum1``.

    Args:
        loss: Scalar loss tensor to differentiate.
        parameter_list: Variables to compute gradients for.

    Returns:
        The op returned by ``opt.apply_gradients`` for the adjusted
        gradients.
    """
    mu = 0.9  # the parameter of the momentum, always be 0.9
    opt = GradientDescentOptimizer(1e-3)
    grads_and_vars = opt.compute_gradients(loss, parameter_list)
    capped_grads_and_vars = []
    middle = []  # the new squared-gradient accumulators
    for i, (gradient, variable) in enumerate(grads_and_vars):
        if len(last_n1) != 0:
            # AdaGrad accumulator: running sum of squared gradients.
            n = tf.multiply(gradient, gradient) + last_n1[i]
            # Momentum on top of the adaptively scaled gradient; use the
            # declared mu instead of a duplicated magic constant.
            momentum = mu * last_momentum1[i] + gradient / (tf.sqrt(n) + 0.001)
        else:
            # First call: no history yet.
            n = tf.multiply(gradient, gradient)
            momentum = gradient / (tf.sqrt(n) + 0.001)
        middle.append(n)
        capped_grads_and_vars.append((momentum, variable))
    if len(last_momentum1) != 0:
        for i in range(len(grads_and_vars)):
            last_momentum1[i] = capped_grads_and_vars[i][0]
    else:
        for i in range(len(grads_and_vars)):
            last_momentum1.append(capped_grads_and_vars[i][0])
    # BUG FIX: persist the accumulator n into last_n1 (previously the
    # momentum update was stored there, so the accumulator never held
    # a sum of squared gradients).
    if len(last_n1) != 0:
        for i in range(len(grads_and_vars)):
            last_n1[i] = middle[i]
    else:
        for i in range(len(grads_and_vars)):
            last_n1.append(middle[i])
    # BUG FIX: apply the adjusted gradients; the original applied the raw
    # grads_and_vars, discarding the AdaGrad/momentum computation.
    return opt.apply_gradients(capped_grads_and_vars)
def RMSProp_BB2(loss, parameter_list, learning_rate2):
    """One RMSProp training op with a caller-supplied (BB) learning rate.

    Keeps a decayed moving average of the squared gradients in the
    module-level list ``last_n4`` and rescales each gradient by
    ``1 / (sqrt(n) + 0.001)``.

    Args:
        loss: Scalar loss tensor to differentiate.
        parameter_list: Variables to compute gradients for.
        learning_rate2: Learning rate for the underlying optimizer.

    Returns:
        The op returned by ``opt.apply_gradients`` for the rescaled
        gradients.
    """
    opt = GradientDescentOptimizer(learning_rate2)
    grads_and_vars = opt.compute_gradients(loss, parameter_list)
    capped_grads_and_vars = []
    middle = []  # new squared-gradient averages for this step
    for i, (gradient, variable) in enumerate(grads_and_vars):
        if len(last_n4) != 0:
            # BUG FIX: index with i, not i - 1. The old code paired each
            # variable with the PREVIOUS variable's history (and, for
            # i == 0, wrapped around to the last entry).
            n = 0.8 * tf.multiply(gradient, gradient) + 0.2 * last_n4[i]
        else:
            # First call: no history yet.
            n = tf.multiply(gradient, gradient)
        middle.append(n)
        # 0.001 guards against division by zero.
        momentum = gradient / (tf.sqrt(n) + 0.001)
        capped_grads_and_vars.append((momentum, variable))
    # Persist the squared-gradient averages for the next call.
    if len(last_n4) != 0:
        for i in range(len(capped_grads_and_vars)):
            last_n4[i] = middle[i]
    else:
        for i in range(len(capped_grads_and_vars)):
            last_n4.append(middle[i])
    return opt.apply_gradients(capped_grads_and_vars)
def test_TF_LearningRateScheduler_GradientDescent(self):
    """Checks LearningRateScheduler against a wrapped TF optimizer."""
    with self.test_session():
        with context.eager_mode():
            np.random.seed(1337)
            # Small synthetic classification problem.
            (x_train, y_train), (x_test, y_test) = testing_utils.get_test_data(
                train_samples=TRAIN_SAMPLES,
                test_samples=TEST_SAMPLES,
                input_shape=(INPUT_DIM,),
                num_classes=NUM_CLASSES)
            y_test = keras.utils.to_categorical(y_test)
            y_train = keras.utils.to_categorical(y_train)
            # One hidden layer MLP with a softmax head.
            model = keras.models.Sequential()
            model.add(
                keras.layers.Dense(
                    NUM_HIDDEN, input_dim=INPUT_DIM, activation='relu'))
            model.add(keras.layers.Dense(NUM_CLASSES, activation='softmax'))
            model.compile(
                loss='categorical_crossentropy',
                optimizer=GradientDescentOptimizer(1e-3),
                metrics=['accuracy'])
            # Scheduler sets lr = 1 / (1 + epoch) at each epoch start.
            cbks = [keras.callbacks.LearningRateScheduler(lambda x: 1. / (1. + x))]
            model.fit(
                x_train,
                y_train,
                batch_size=BATCH_SIZE,
                validation_data=(x_test, y_test),
                callbacks=cbks,
                epochs=5,
                verbose=0)
            # After 5 epochs the last scheduled lr is 1 / (1 + 4) = 0.2;
            # read it back from the wrapped optimizer's internal attribute.
            opt_lr = model.optimizer.optimizer._learning_rate
            self.assertLess(
                float(keras.backend.get_value(
                    Variable(opt_lr))) - 0.2,
                keras.backend.epsilon())
def __init__(self, params, learner, dataset):
    """Set up the npSGD federated-prox server.

    Creates the inner gradient-descent optimizer from the configured
    learning rate, defers the rest of the setup to the base class, and,
    when a sampling rate is configured, derives how many dimensions the
    top-k selection keeps.
    """
    print('Using Federated prox to Train (npSGD)')
    self.inner_opt = GradientDescentOptimizer(
        learning_rate=params['learning_rate'])
    super(Server, self).__init__(params, learner, dataset)
    if self.rate > 1:
        # Keep a 1/rate fraction of the flattened model + label dims.
        total_dims = self.dim_model + self.dim_y
        self.topk = int(total_dims / self.rate)
        print("Topk selecting {} dimensions".format(self.topk))
def __init__(self, params, learner, dataset):
    """Set up the dpSGD federated-prox server.

    Creates the inner gradient-descent optimizer, runs the base-class
    setup, then derives the Gaussian-mechanism noise scale sigma from
    the clipping norm, epsilon and delta.
    """
    print('Using Federated prox to Train (dpSGD)')
    self.inner_opt = GradientDescentOptimizer(
        learning_rate=params['learning_rate'])
    super(Server, self).__init__(params, learner, dataset)
    # sigma = (2 * norm / eps) * sqrt(2 * ln(1.25 / delta))
    gaussian_factor = math.sqrt(2 * math.log(1.25 / self.delta))
    self.sigma = (2 * self.norm / self.epsilon) * gaussian_factor
    print("global sigma for gaussian is {}".format(self.sigma))
def __init__(self, params, learner, dataset):
    """Set up the LDP-FL federated-prox server.

    Creates the inner gradient-descent optimizer, runs the base-class
    setup, then derives the clipping constant, the number of sampled
    dimensions, and the per-dimension privacy budget.
    """
    print('Using Federated prox to Train (LDP-FL)')
    self.inner_opt = GradientDescentOptimizer(
        learning_rate=params['learning_rate'])
    super(Server, self).__init__(params, learner, dataset)
    self.clip_C = self.norm
    # Sample a 1/rate fraction of the flattened model + label dims;
    # split the total epsilon evenly across the sampled dimensions.
    total_dims = self.dim_model + self.dim_y
    self.sample = int(total_dims / self.rate)
    self.eps_ld = self.epsilon / self.sample
def __init__(self, params, learner, dataset):
    """Set up the SS-Double federated-prox server.

    Creates the inner gradient-descent optimizer, runs the base-class
    setup, then derives the clipping constant, padding size, expected
    sample counts and the per-round dimension sample size.
    """
    print('Using Federated prox to Train (SS-Double)')
    self.inner_opt = GradientDescentOptimizer(
        learning_rate=params['learning_rate'])
    super(Server, self).__init__(params, learner, dataset)
    self.clip_C = self.norm
    self.m_p = self.clients_per_round / self.mp_rate
    print("Setting the padding size for each dimension with ", self.m_p)
    self.em_s = self.clients_per_round / self.rate
    # Sample a 1/rate fraction of the flattened model + label dims.
    total_dims = self.dim_model + self.dim_y
    self.sample = int(total_dims / self.rate)
    print("Randomly sampling {} dimensions".format(self.sample))
    self.choice_list = []
def RMSProp_Mom(loss, parameter_list):
    """One RMSProp-with-momentum training op built on gradient descent.

    Keeps a decayed moving average of the squared gradients in the
    module-level list ``last_n2`` and a momentum buffer in the
    module-level list ``last_momentum2``.

    Args:
        loss: Scalar loss tensor to differentiate.
        parameter_list: Variables to compute gradients for.

    Returns:
        The op returned by ``opt.apply_gradients`` for the adjusted
        gradients.
    """
    mu = 0.9  # the parameter of the momentum, always be 0.9
    opt = GradientDescentOptimizer(1e-3)
    grads_and_vars = opt.compute_gradients(loss, parameter_list)
    capped_grads_and_vars = []
    middle = []  # new squared-gradient averages for this step
    for i, (gradient, variable) in enumerate(grads_and_vars):
        if len(last_n2) != 0:
            # BUG FIX: index with i, not i - 1. The old code paired each
            # variable with the PREVIOUS variable's history (and, for
            # i == 0, wrapped around to the last entry).
            n = 0.8 * tf.multiply(gradient, gradient) + 0.2 * last_n2[i]
            middle.append(n)
            # Momentum on the RMS-scaled gradient; use the declared mu
            # instead of a duplicated magic constant.
            momentum = mu * last_momentum2[i] + gradient / (tf.sqrt(n) + 0.001)
            capped_grads_and_vars.append((momentum, variable))
        else:
            # First call: no history yet.
            n = tf.multiply(gradient, gradient)
            middle.append(n)
            momentum = gradient / (tf.sqrt(n) + 0.001)
            capped_grads_and_vars.append((momentum, variable))
    # Persist the momentum buffer and the squared-gradient averages.
    if len(last_momentum2) != 0:
        for i in range(len(capped_grads_and_vars)):
            last_momentum2[i] = capped_grads_and_vars[i][0]
    else:
        for i in range(len(capped_grads_and_vars)):
            last_momentum2.append(capped_grads_and_vars[i][0])
    if len(last_n2) != 0:
        for i in range(len(capped_grads_and_vars)):
            last_n2[i] = middle[i]
    else:
        for i in range(len(capped_grads_and_vars)):
            last_n2.append(middle[i])
    return opt.apply_gradients(capped_grads_and_vars)
def add_training_op(self, loss):
    """Sets up the training Ops.

    Creates a gradient-descent optimizer with the configured learning
    rate and applies it to all trainable variables. The Op returned by
    this function is what must be passed to the `sess.run()` call to
    cause the model to train. See
    https://www.tensorflow.org/versions/r0.7/api_docs/python/train.html#Optimizer
    for more information.

    Args:
        loss: Loss tensor, from cross_entropy_loss.
    Returns:
        train_op: The Op for training.
    """
    ### YOUR CODE HERE
    optimizer = GradientDescentOptimizer(self.config.lr)
    minimize_op = optimizer.minimize(loss)
    ### END YOUR CODE
    return minimize_op
def carlini_wagner(classifier,
                   data_sample,
                   target_class,
                   optimizer=None,
                   optimization_iter=10000,
                   binary_iter=20,
                   c_high=1000.0,
                   c_low=0.0,
                   kappa=0.0):
    """Runs the Carlini-Wagner targeted attack against a classifier.

    Args:
        classifier: A classifier model that we want to attack
        data_sample: A tuple of tensors of structure
            (image_tensor, label_tensor) against which attack is run
        target_class: One hot encoded target class for the attack
        optimizer: Optimizer used in algorithm; defaults to a fresh
            GradientDescentOptimizer(1e-2) per call
        optimization_iter: Number of steps taken in optimization for a
            given parameter
        binary_iter: Number of steps taken in binary search for parameter C
        c_high: Upper limit of range used in binary search for parameter C
        c_low: Lower limit of range used in binary search for parameter C
        kappa: Confidence margin used by the C&W objective

    Returns:
        A tuple of structure
        (adversarial_example, classifier output for examples, parameters)
    """
    # BUG FIX: the old default `optimizer=GradientDescentOptimizer(1e-2)`
    # was evaluated once at import time, so every call shared one optimizer
    # instance (and any state it accumulates). Build a fresh one per call.
    if optimizer is None:
        optimizer = GradientDescentOptimizer(1e-2)
    image, label = data_sample
    # Random starting perturbation in [0, 1), same shape as the image.
    perturbation = tf.Variable(np.random.uniform(0.0, 1.0, tf.shape(image)),
                               dtype=tf.float32)
    # Compile the optimization loop into a tf.function for speed.
    cw = tf.function(_c_and_w)
    return_image = cw(image, classifier, target_class, perturbation,
                      optimizer, optimization_iter, binary_iter, c_high,
                      c_low, kappa)
    parameters = {
        OPTIMIZATION_ITER: optimization_iter,
        BINARY_ITER: binary_iter,
        C_HIGH: c_high,
        C_LOW: c_low,
        KAPPA: kappa
    }
    return (return_image, classifier(return_image), parameters)
# Graph for jointly defined classifier / conditional-generator training.
x = tf.placeholder(tf.float32, [None, 784])  # real input images (flattened)
y = classifier(x)
label = tf.placeholder(tf.float32, [None, 10])  # true label
noise = tf.placeholder(tf.float32, [None, 100])  # noise vector
x_fake = generator(noise, label)  # generator output conditioned on label
y_fake = classifier(x_fake)  # classifier's prediction on generated images
loss_cls = softmax_cross_entropy(label, y)
loss_gan = softmax_cross_entropy(label, y_fake)
# Split trainable variables by name so each loss only updates its own net.
all_vars = tf.trainable_variables()
c_vars = [var for var in all_vars if 'classifier' in var.name]
g_vars = [var for var in all_vars if 'generator' in var.name]
train_op_cls = GradientDescentOptimizer(learning_rate = lr) \
    .minimize(loss_cls, var_list = c_vars, global_step = global_step)
train_op_gan = GradientDescentOptimizer(learning_rate = lr) \
    .minimize(loss_gan, var_list = g_vars, global_step = global_step)


def main():
    # Trains the classifier on MNIST; relies on module-level sess,
    # epochs and batch_size (defined elsewhere in this file).
    mnist = input_data.read_data_sets('MNIST_data', one_hot=True)
    sess.run(tf.global_variables_initializer())
    with sess.as_default():
        print('train classifier')
        # 550 = 55000 training images / batch size 100 presumably;
        # TODO confirm against the module-level batch_size.
        for t in range(1, epochs * 550 + 1):
            batch = mnist.train.next_batch(batch_size)
            f_dict = {x: batch[0], label: batch[1]}
            sess.run(train_op_cls, feed_dict=f_dict)
def model_train(para):
    """Trains a noise-injected MLP on MNIST and evaluates robustness.

    Builds two parallel graphs over shared weights: a noisy forward pass
    (Gaussian noise with per-layer std-devs from ``para['std']`` added to
    the input and each pre-activation) used for training, and a clean
    forward pass used for evaluation and FGSM attack generation. Reports
    accuracy on clean, freshly generated FGSM, and precomputed
    adversarial test inputs.

    Args:
        para: dict with key 'std' holding per-layer noise std-devs
            (one per entry of the module-level ``layers``).
    """
    sess = tf.Session()
    tf.set_random_seed(random_seed)
    n = len(layers)
    x = tf.placeholder(tf.float32, [None, 784])  # input
    label = tf.placeholder(tf.float32, [None, 10])  # true label
    std = para['std']
    # Per-layer weights/biases; index 0 is unused (input layer).
    w, b = [0 for i in range(n)], [0 for i in range(n)]
    for i in range(1, n):
        w[i] = weight_variable([layers[i - 1], layers[i]])
        b[i] = bias_variable([layers[i]])
    # model with noise
    z, h = [0 for i in range(n)], [0 for i in range(n)]
    for i in range(n):
        if i == 0:
            # Input layer: add noise directly to the image, keep in [0, 1].
            z[i] = x
            z[i] += tf.random_normal(shape=tf.shape(z[i]),
                                     mean=0.0,
                                     stddev=std[i],
                                     dtype=tf.float32)
            z[i] = tf.clip_by_value(z[i], 0, 1)
            h[i] = z[i]
        if i > 0 and i < n - 1:
            # Hidden layers: noise on the pre-activation, then ReLU.
            z[i] = tf.matmul(h[i - 1], w[i]) + b[i]
            #z[i] = tf.clip_by_norm(z[i], 1, axes = 1)
            z[i] += tf.random_normal(shape=tf.shape(z[i]),
                                     mean=0.0,
                                     stddev=std[i],
                                     dtype=tf.float32)
            h[i] = tf.nn.relu(z[i])
        if i == n - 1:
            # Output layer: noisy logits, no activation.
            z[i] = tf.matmul(h[i - 1], w[i]) + b[i]
            #z[i] = tf.clip_by_norm(z[i], 1000, axes = 1)
            z[i] += tf.random_normal(shape=tf.shape(z[i]),
                                     mean=0.0,
                                     stddev=std[i],
                                     dtype=tf.float32)
            h[i] = z[i]
    y = h[n - 1]
    # NOTE(review): w_sum (sum of squared weights) is computed but never
    # used below — presumably a leftover L2-regularization term.
    w_sum = tf.constant(0, dtype='float32')
    for i in range(1, n):
        w_sum += tf.reduce_sum(tf.square(w[i]))
    # gradient descent
    loss = tf.reduce_mean(
        tf.nn.softmax_cross_entropy_with_logits(labels=label, logits=y))
    # Explicit per-parameter gradients applied via apply_gradients.
    gw, gb = [0 for i in range(n)], [0 for i in range(n)]
    for i in range(1, n):
        gw[i] = tf.gradients(loss, w[i])[0]
        gb[i] = tf.gradients(loss, b[i])[0]
    opt = GradientDescentOptimizer(learning_rate=learning_rate)
    gradients = []
    for i in range(1, n):
        gradients.append((gw[i], w[i]))
        gradients.append((gb[i], b[i]))
    train_step = opt.apply_gradients(gradients)
    # model without noise (same weights, clean forward pass for eval).
    z2, h2 = [0 for i in range(n)], [0 for i in range(n)]
    for i in range(n):
        if i == 0:
            z2[i] = x
            h2[i] = z2[i]
        if i > 0 and i < n - 1:
            z2[i] = tf.matmul(h2[i - 1], w[i]) + b[i]
            h2[i] = tf.nn.relu(z2[i])
        if i == n - 1:
            z2[i] = tf.matmul(h2[i - 1], w[i]) + b[i]
            h2[i] = z2[i]
    y2 = h2[n - 1]
    # attack: FGSM on the clean model's logits.
    x_adv = attack.fgsm(x, y2, eps=0.3, clip_min=0, clip_max=1)
    #evaluation
    acc = tf.reduce_mean(
        tf.cast(tf.equal(tf.argmax(y2, 1), tf.argmax(label, 1)), tf.float32))
    # data
    mnist = input_data.read_data_sets('MNIST_data', one_hot=True)
    # Precomputed adversarial test set generated elsewhere.
    x_adv_mnist_fsgm = np.load(os.path.join('data', 'x_adv_mnist_fsgm.npy'))
    sess.run(tf.global_variables_initializer())
    with sess.as_default():
        for t in range(1, steps + 1):
            batch = mnist.train.next_batch(batch_size)
            sess.run(train_step, feed_dict={x: batch[0], label: batch[1]})
            # Evaluate once per "epoch" (every 1/sample_rate steps).
            if t % int(1 / sample_rate) == 0:
                epoch = int(t / int(1 / sample_rate))
                x_adv_sample = sess.run(x_adv,
                                        feed_dict={
                                            x: mnist.test.images,
                                            label: mnist.test.labels
                                        })
                acc_benign = sess.run(acc,
                                      feed_dict={
                                          x: mnist.test.images,
                                          label: mnist.test.labels
                                      })
                acc_adv = sess.run(acc,
                                   feed_dict={
                                       x: x_adv_sample,
                                       label: mnist.test.labels
                                   })
                acc_pre_adv = sess.run(acc,
                                       feed_dict={
                                           x: x_adv_mnist_fsgm,
                                           label: mnist.test.labels
                                       })
                print(epoch, acc_benign, acc_adv, acc_pre_adv)
        # Mean L2 norm of the clean logits on the test set (diagnostic).
        check = tf.reduce_mean(tf.norm(y2, axis=1))
        print(
            sess.run([check],
                     feed_dict={
                         x: mnist.test.images,
                         label: mnist.test.labels
                     }))
def main():
    """Trains a conditional GAN on MNIST and saves sample image grids."""
    train_size, test_size = 55000, 10000
    batch_size = 100
    learning_rate = 0.05
    epochs = 40
    steps = epochs * int(train_size / batch_size)
    global_step = tf.Variable(0, name='global_step', trainable=False)
    x = tf.placeholder(tf.float32, [None, 784])  # input for real images
    noise = tf.placeholder(tf.float32, [None, 100])
    y = tf.placeholder(tf.float32, [None, 10])
    # NOTE(review): d_label_real / d_label_fake are built but not used
    # below — the losses use -log(D) directly instead.
    d_label_real = tf.ones(
        shape=[tf.shape(x)[0],
               1])  # groundtruth discriminator label for real images
    d_label_fake = tf.zeros(
        shape=[tf.shape(x)[0],
               1])  # groundtruth discriminator label for fake images
    x_fake = generator(noise, y)
    d_real = discriminator(x, y)
    d_fake = discriminator(x_fake, y)
    d_real_mean = tf.reduce_mean(d_real)
    d_fake_mean = tf.reduce_mean(d_fake)
    # Standard minimax GAN losses (non-saturating generator form).
    loss = {}
    loss['discriminator'] = -tf.reduce_mean(
        tf.log(d_real) + tf.log(1. - d_fake))
    loss['generator'] = -tf.reduce_mean(tf.log(d_fake))
    # Split trainable variables by name so each loss updates its own net.
    t_vars = tf.trainable_variables()
    g_vars = [var for var in t_vars if 'generator' in var.name]
    d_vars = [var for var in t_vars if 'discriminator' in var.name]
    train_op = {}
    train_op['generator'] = GradientDescentOptimizer(learning_rate = learning_rate) \
        .minimize(loss['generator'], var_list = g_vars, global_step = global_step)
    train_op['discriminator'] = GradientDescentOptimizer(learning_rate = learning_rate) \
        .minimize(loss['discriminator'], var_list = d_vars, global_step = global_step)
    mnist = input_data.read_data_sets('MNIST_data', one_hot=True)
    tf.set_random_seed(1024)
    sess = tf.Session()
    sess.run(tf.global_variables_initializer())
    with sess.as_default():
        for t in range(1, steps + 1):
            batch = mnist.train.next_batch(batch_size)
            # One discriminator step, then five generator steps.
            sess.run(train_op['discriminator'],
                     feed_dict={
                         x: batch[0],
                         y: batch[1],
                         noise: sample_Z(batch_size, 100)
                     })
            for j in range(5):
                sess.run(train_op['generator'],
                         feed_dict={
                             x: batch[0],
                             y: batch[1],
                             noise: sample_Z(batch_size, 100)
                         })
            # Log mean D outputs once per epoch.
            if t % int(train_size / batch_size) == 0:
                epoch = int(t / int(train_size / batch_size))
                var_list = [d_real_mean, d_fake_mean]
                res = sess.run(var_list,
                               feed_dict={
                                   x: batch[0],
                                   y: batch[1],
                                   noise: sample_Z(batch_size, 100)
                               })
                print(epoch)
                for r in res:
                    print(r)
                # After the final epoch, save 10x10 grids of real and
                # generated digits.
                if epoch == epochs:
                    img_real = batch[0].reshape([batch_size, 28, 28])
                    save_images(img_real, [10, 10],
                                os.path.join('img', 'real.png'))
                    img_fake = sess.run(x_fake,
                                        feed_dict={
                                            x: batch[0],
                                            y: batch[1],
                                            noise: sample_Z(batch_size, 100)
                                        })
                    img_fake = img_fake.reshape([batch_size, 28, 28])
                    save_images(img_fake, [10, 10],
                                os.path.join('img', 'fake.png'))
def main():
    """Trains three MNIST models and generates FGSM-family adversarial sets.

    Produces and saves four attack variants per model: plain FGSM,
    FGSM from randomly perturbed inputs ("rd"), iterative FGSM ("it"),
    and targeted FGSM toward class 0 ("tg"), printing the accuracy of
    each model on each adversarial set.
    """
    sess = tf.Session()
    global_step = tf.Variable(0, name='global_step', trainable=False)
    tf.set_random_seed(random_seed)
    # NOTE(review): saver is created but never used below.
    saver = tf.train.Saver()
    x = tf.placeholder(tf.float32, [None, 784])  # input
    label = tf.placeholder(tf.float32, [None, 10])  # true label
    # NOTE(review): this placeholder is shadowed by a numpy array of the
    # same name further down and is never fed; x1/x2 are also unused.
    y_target = tf.placeholder(tf.float32, [None, 10])  # noise vector
    x1 = tf.placeholder(tf.float32, [None, 784])
    x2 = tf.placeholder(tf.float32, [None, 784])
    y_1 = model_1(x)
    y_2 = model_2(x)
    y_3 = model_3(x)
    loss_1 = softmax_loss(label, y_1)
    loss_2 = softmax_loss(label, y_2)
    loss_3 = softmax_loss(label, y_3)
    # Split variables by model name so each optimizer trains one model.
    all_vars = tf.trainable_variables()
    model_1_vars = [var for var in all_vars if 'model_1' in var.name]
    model_2_vars = [var for var in all_vars if 'model_2' in var.name]
    model_3_vars = [var for var in all_vars if 'model_3' in var.name]
    train_op_1 = GradientDescentOptimizer(
        learning_rate=learning_rate).minimize(loss_1,
                                              var_list=model_1_vars,
                                              global_step=global_step)
    train_op_2 = GradientDescentOptimizer(
        learning_rate=learning_rate).minimize(loss_2,
                                              var_list=model_2_vars,
                                              global_step=global_step)
    train_op_3 = GradientDescentOptimizer(
        learning_rate=learning_rate).minimize(loss_3,
                                              var_list=model_3_vars,
                                              global_step=global_step)
    # One-shot FGSM ops per model.
    x_fgsm_1 = attack.fgsm(x, y_1, eps=0.3, clip_min=0, clip_max=1)
    x_fgsm_2 = attack.fgsm(x, y_2, eps=0.3, clip_min=0, clip_max=1)
    x_fgsm_3 = attack.fgsm(x, y_3, eps=0.3, clip_min=0, clip_max=1)
    mnist = input_data.read_data_sets('MNIST_data', one_hot=True)
    # Target labels for the targeted attack: all class 0 (rebinds the
    # y_target placeholder name to a numpy array — see NOTE above).
    y_target = np.zeros((10000, 10), dtype=np.float32)
    y_target[:, 0] = 1.0
    sess.run(tf.global_variables_initializer())
    with sess.as_default():
        print('train models')
        for t in range(1, steps + 1):
            batch = mnist.train.next_batch(batch_size)
            sess.run(train_op_1, feed_dict={x: batch[0], label: batch[1]})
            sess.run(train_op_2, feed_dict={x: batch[0], label: batch[1]})
            sess.run(train_op_3, feed_dict={x: batch[0], label: batch[1]})
            # Print test accuracy of all three models once per epoch
            # (550 steps presumably = 55000 images / batch size).
            if t % 550 == 0:
                epoch = int(t / 550)
                acc_1 = sess.run(accuracy(label, y_1),
                                 feed_dict={
                                     x: mnist.test.images,
                                     label: mnist.test.labels
                                 })
                acc_2 = sess.run(accuracy(label, y_2),
                                 feed_dict={
                                     x: mnist.test.images,
                                     label: mnist.test.labels
                                 })
                acc_3 = sess.run(accuracy(label, y_3),
                                 feed_dict={
                                     x: mnist.test.images,
                                     label: mnist.test.labels
                                 })
                print(epoch, acc_1, acc_2, acc_3)
        print('generate adv samples')
        # fgsm: plain one-shot attack from clean test images.
        x_fgsm_1_data = sess.run(x_fgsm_1,
                                 feed_dict={
                                     x: mnist.test.images,
                                     label: mnist.test.labels
                                 })
        np.save(os.path.join('data', 'mnist', 'x_fgsm_1_data.npy'),
                x_fgsm_1_data)
        acc_fgsm_1 = sess.run(accuracy(label, y_1),
                              feed_dict={
                                  x: x_fgsm_1_data,
                                  label: mnist.test.labels
                              })
        x_fgsm_2_data = sess.run(x_fgsm_2,
                                 feed_dict={
                                     x: mnist.test.images,
                                     label: mnist.test.labels
                                 })
        np.save(os.path.join('data', 'mnist', 'x_fgsm_2_data.npy'),
                x_fgsm_2_data)
        acc_fgsm_2 = sess.run(accuracy(label, y_2),
                              feed_dict={
                                  x: x_fgsm_2_data,
                                  label: mnist.test.labels
                              })
        x_fgsm_3_data = sess.run(x_fgsm_3,
                                 feed_dict={
                                     x: mnist.test.images,
                                     label: mnist.test.labels
                                 })
        np.save(os.path.join('data', 'mnist', 'x_fgsm_3_data.npy'),
                x_fgsm_3_data)
        acc_fgsm_3 = sess.run(accuracy(label, y_3),
                              feed_dict={
                                  x: x_fgsm_3_data,
                                  label: mnist.test.labels
                              })
        # rd: FGSM launched from randomly perturbed (Gaussian, clipped)
        # copies of the test images.
        x_data = mnist.test.images
        x_perturb_data = x_data + np.random.normal(
            loc=0.0, scale=0.1, size=[10000, 784])
        x_perturb_data = np.clip(x_perturb_data, 0, 1)
        x_fgsm_rd_1_data = sess.run(x_fgsm_1,
                                    feed_dict={
                                        x: x_perturb_data,
                                        label: mnist.test.labels
                                    })
        np.save(os.path.join('data', 'mnist', 'x_fgsm_rd_1_data.npy'),
                x_fgsm_rd_1_data)
        acc_fgsm_rd_1 = sess.run(accuracy(label, y_1),
                                 feed_dict={
                                     x: x_fgsm_rd_1_data,
                                     label: mnist.test.labels
                                 })
        x_fgsm_rd_2_data = sess.run(x_fgsm_2,
                                    feed_dict={
                                        x: x_perturb_data,
                                        label: mnist.test.labels
                                    })
        np.save(os.path.join('data', 'mnist', 'x_fgsm_rd_2_data.npy'),
                x_fgsm_rd_2_data)
        acc_fgsm_rd_2 = sess.run(accuracy(label, y_2),
                                 feed_dict={
                                     x: x_fgsm_rd_2_data,
                                     label: mnist.test.labels
                                 })
        x_fgsm_rd_3_data = sess.run(x_fgsm_3,
                                    feed_dict={
                                        x: x_perturb_data,
                                        label: mnist.test.labels
                                    })
        np.save(os.path.join('data', 'mnist', 'x_fgsm_rd_3_data.npy'),
                x_fgsm_rd_3_data)
        acc_fgsm_rd_3 = sess.run(accuracy(label, y_3),
                                 feed_dict={
                                     x: x_fgsm_rd_3_data,
                                     label: mnist.test.labels
                                 })
        # it: iterative FGSM — 10 gradient-sign steps of size 0.01, with
        # clipping to [0, 1] after each step.
        x_fgsm_it_1_data = np.copy(mnist.test.images)
        x_fgsm_it_2_data = np.copy(mnist.test.images)
        x_fgsm_it_3_data = np.copy(mnist.test.images)
        for _ in range(10):
            grad_1 = sess.run(tf.gradients(loss_1, x)[0],
                              feed_dict={
                                  x: x_fgsm_it_1_data,
                                  label: mnist.test.labels
                              })
            x_fgsm_it_1_data += np.sign(grad_1) * 0.01
            x_fgsm_it_1_data = np.clip(x_fgsm_it_1_data, 0, 1)
            grad_2 = sess.run(tf.gradients(loss_2, x)[0],
                              feed_dict={
                                  x: x_fgsm_it_2_data,
                                  label: mnist.test.labels
                              })
            x_fgsm_it_2_data += np.sign(grad_2) * 0.01
            x_fgsm_it_2_data = np.clip(x_fgsm_it_2_data, 0, 1)
            grad_3 = sess.run(tf.gradients(loss_3, x)[0],
                              feed_dict={
                                  x: x_fgsm_it_3_data,
                                  label: mnist.test.labels
                              })
            x_fgsm_it_3_data += np.sign(grad_3) * 0.01
            x_fgsm_it_3_data = np.clip(x_fgsm_it_3_data, 0, 1)
        np.save(os.path.join('data', 'mnist', 'x_fgsm_it_1_data.npy'),
                x_fgsm_it_1_data)
        acc_fgsm_it_1 = sess.run(accuracy(label, y_1),
                                 feed_dict={
                                     x: x_fgsm_it_1_data,
                                     label: mnist.test.labels
                                 })
        np.save(os.path.join('data', 'mnist', 'x_fgsm_it_2_data.npy'),
                x_fgsm_it_2_data)
        acc_fgsm_it_2 = sess.run(accuracy(label, y_2),
                                 feed_dict={
                                     x: x_fgsm_it_2_data,
                                     label: mnist.test.labels
                                 })
        np.save(os.path.join('data', 'mnist', 'x_fgsm_it_3_data.npy'),
                x_fgsm_it_3_data)
        acc_fgsm_it_3 = sess.run(accuracy(label, y_3),
                                 feed_dict={
                                     x: x_fgsm_it_3_data,
                                     label: mnist.test.labels
                                 })
        # tg: targeted FGSM — step AGAINST the gradient of the loss w.r.t.
        # the all-class-0 target labels to move toward class 0.
        grad_tg_1 = sess.run(tf.gradients(loss_1, x)[0],
                             feed_dict={
                                 x: mnist.test.images,
                                 label: y_target
                             })
        x_fgsm_tg_1_data = mnist.test.images - np.sign(grad_tg_1) * 0.3
        x_fgsm_tg_1_data = np.clip(x_fgsm_tg_1_data, 0, 1)
        grad_tg_2 = sess.run(tf.gradients(loss_2, x)[0],
                             feed_dict={
                                 x: mnist.test.images,
                                 label: y_target
                             })
        x_fgsm_tg_2_data = mnist.test.images - np.sign(grad_tg_2) * 0.3
        x_fgsm_tg_2_data = np.clip(x_fgsm_tg_2_data, 0, 1)
        grad_tg_3 = sess.run(tf.gradients(loss_3, x)[0],
                             feed_dict={
                                 x: mnist.test.images,
                                 label: y_target
                             })
        x_fgsm_tg_3_data = mnist.test.images - np.sign(grad_tg_3) * 0.3
        x_fgsm_tg_3_data = np.clip(x_fgsm_tg_3_data, 0, 1)
        np.save(os.path.join('data', 'mnist', 'x_fgsm_tg_1_data.npy'),
                x_fgsm_tg_1_data)
        acc_fgsm_tg_1 = sess.run(accuracy(label, y_1),
                                 feed_dict={
                                     x: x_fgsm_tg_1_data,
                                     label: mnist.test.labels
                                 })
        np.save(os.path.join('data', 'mnist', 'x_fgsm_tg_2_data.npy'),
                x_fgsm_tg_2_data)
        acc_fgsm_tg_2 = sess.run(accuracy(label, y_2),
                                 feed_dict={
                                     x: x_fgsm_tg_2_data,
                                     label: mnist.test.labels
                                 })
        np.save(os.path.join('data', 'mnist', 'x_fgsm_tg_3_data.npy'),
                x_fgsm_tg_3_data)
        acc_fgsm_tg_3 = sess.run(accuracy(label, y_3),
                                 feed_dict={
                                     x: x_fgsm_tg_3_data,
                                     label: mnist.test.labels
                                 })
        print('Accuracy fgsm bl: {:.4f}, {:.4f}, {:.4f}'.format(
            acc_fgsm_1, acc_fgsm_2, acc_fgsm_3))
        print('Accuracy fgsm rd: {:.4f}, {:.4f}, {:.4f}'.format(
            acc_fgsm_rd_1, acc_fgsm_rd_2, acc_fgsm_rd_3))
        print('Accuracy fgsm it: {:.4f}, {:.4f}, {:.4f}'.format(
            acc_fgsm_it_1, acc_fgsm_it_2, acc_fgsm_it_3))
        print('Accuracy fgsm tg: {:.4f}, {:.4f}, {:.4f}'.format(
            acc_fgsm_tg_1, acc_fgsm_tg_2, acc_fgsm_tg_3))
    return
def main(_):
    """Trains a DP-SGD CNN on MNIST with a Gaussian moments accountant.

    Gradients are clipped per tensor, perturbed with Gaussian noise, and
    applied with plain gradient descent; training stops early once the
    accountant's spent delta crosses the target delta.
    """
    clip_bound = 0.01  # 'the clip bound of the gradients'
    clip_bound_2 = 1 / 1.5  #'the clip bound for r_kM'
    small_num = 1e-5  # 'a small number'
    large_num = 1e5  # a large number'
    num_images = 60000  # 'number of images N'
    batch_size = 600  # 'batch_size L'
    sample_rate = 600 / 60000  # 'sample rate q = L / N'
    num_steps = 160000  # 'number of steps T = E * N / L = E / q'
    num_epoch = 24  # 'number of epoches E'
    sigma = 5  # 'sigma'
    delta = 1e-5  # 'delta'
    lambd = 1e3  # 'exponential distribution parameter'
    iterative_clip_step = 2  # 'iterative_clip_step'
    # NOTE(review): the clip / noise / redistribute flags are defined but
    # never consulted below — clipping and noising happen unconditionally.
    clip = 1  # 'whether to clip the gradient'
    noise = 0  # 'whether to add noise'
    redistribute = 0  # 'whether to redistribute the noise'
    D = 60000
    '''from tensorflow.examples.tutorials.mnist import input_data; mnist = input_data.read_data_sets(FLAGS.data_dir, one_hot=True);'''
    sess = tf.InteractiveSession()
    # Create the model: conv -> pool -> conv -> pool -> fc(25) -> fc(10).
    x = tf.placeholder(tf.float32, [None, 784])
    x_image = tf.reshape(x, [-1, 28, 28, 1])
    W_conv1 = weight_variable([5, 5, 1, 32])
    b_conv1 = bias_variable([32])
    h_conv1 = tf.nn.relu(conv2d(x_image, W_conv1) + b_conv1)
    h_pool1 = max_pool_2x2(h_conv1)
    W_conv2 = weight_variable([5, 5, 32, 64])
    b_conv2 = bias_variable([64])
    h_conv2 = tf.nn.relu(conv2d(h_pool1, W_conv2) + b_conv2)
    h_pool2 = max_pool_2x2(h_conv2)
    W_fc1 = weight_variable([7 * 7 * 64, 25])
    b_fc1 = bias_variable([25])
    h_pool2_flat = tf.reshape(h_pool2, [-1, 7 * 7 * 64])
    h_fc1 = tf.nn.relu(tf.matmul(h_pool2_flat, W_fc1) + b_fc1)
    keep_prob = tf.placeholder(tf.float32)
    h_fc1_drop = tf.nn.dropout(h_fc1, keep_prob)
    W_fc2 = weight_variable([25, 10])
    b_fc2 = bias_variable([10])
    y_conv = tf.matmul(h_fc1_drop, W_fc2) + b_fc2
    # Define loss and optimizer
    y_ = tf.placeholder(tf.float32, [None, 10])
    # Total weight-parameter count (biases excluded).
    d = 25 * 10 + 25 * 7 * 7 * 64 + 5 * 5 * 32 * 64 + 5 * 5 * 32  # number of parameters
    M = d
    # Moments accountant tracks cumulative (eps, delta) spending.
    priv_accountant = accountant.GaussianMomentsAccountant(D)
    privacy_accum_op = priv_accountant.accumulate_privacy_spending(
        [None, None], sigma, batch_size)
    #sess.run(tf.initialize_all_variables())
    sess.run(tf.global_variables_initializer())
    cross_entropy = tf.reduce_mean(
        tf.nn.softmax_cross_entropy_with_logits(labels=y_, logits=y_conv))
    #train_step = tf.train.AdamOptimizer(1e-5).minimize(cross_entropy);
    #train_step = tf.train.AdamOptimizer(1e-5).minimize(cross_entropy)
    opt = GradientDescentOptimizer(learning_rate=1e-2)
    #compute gradient
    gw_W1 = tf.gradients(cross_entropy, W_conv1)[0]  # gradient of W1
    gb1 = tf.gradients(cross_entropy, b_conv1)[0]  # gradient of b1
    gw_W2 = tf.gradients(cross_entropy, W_conv2)[0]  # gradient of W2
    gb2 = tf.gradients(cross_entropy, b_conv2)[0]  # gradient of b2
    gw_Wf1 = tf.gradients(cross_entropy, W_fc1)[0]  # gradient of W_fc1
    gbf1 = tf.gradients(cross_entropy, b_fc1)[0]  # gradient of b_fc1
    gw_Wf2 = tf.gradients(cross_entropy, W_fc2)[0]  # gradient of W_fc2
    gbf2 = tf.gradients(cross_entropy, b_fc2)[0]  # gradient of b_fc2
    #clip gradient (weights only; bias gradients are left unclipped)
    gw_W1 = tf.clip_by_norm(gw_W1, clip_bound)
    gw_W2 = tf.clip_by_norm(gw_W2, clip_bound)
    gw_Wf1 = tf.clip_by_norm(gw_Wf1, clip_bound)
    gw_Wf2 = tf.clip_by_norm(gw_Wf2, clip_bound)
    #sigma = FLAGS.sigma # when comp_eps(lmbda,q,sigma,T,delta)==epsilon
    #sensitivity = 2 * FLAGS.clip_bound #adjacency matrix with one tuple different
    sensitivity = clip_bound  #adjacency matrix with one more tuple
    # NOTE(review): stddev=(sigma * sensitivity)**2 squares the scale —
    # the Gaussian mechanism normally uses stddev = sigma * sensitivity
    # (i.e. the square is the variance). Verify which was intended.
    gw_W1 += tf.random_normal(shape=tf.shape(gw_W1),
                              mean=0.0,
                              stddev=(sigma * sensitivity)**2,
                              dtype=tf.float32)
    gb1 += tf.random_normal(shape=tf.shape(gb1),
                            mean=0.0,
                            stddev=(sigma * sensitivity)**2,
                            dtype=tf.float32)
    gw_W2 += tf.random_normal(shape=tf.shape(gw_W2),
                              mean=0.0,
                              stddev=(sigma * sensitivity)**2,
                              dtype=tf.float32)
    gb2 += tf.random_normal(shape=tf.shape(gb2),
                            mean=0.0,
                            stddev=(sigma * sensitivity)**2,
                            dtype=tf.float32)
    gw_Wf1 += tf.random_normal(shape=tf.shape(gw_Wf1),
                               mean=0.0,
                               stddev=(sigma * sensitivity)**2,
                               dtype=tf.float32)
    gbf1 += tf.random_normal(shape=tf.shape(gbf1),
                             mean=0.0,
                             stddev=(sigma * sensitivity)**2,
                             dtype=tf.float32)
    gw_Wf2 += tf.random_normal(shape=tf.shape(gw_Wf2),
                               mean=0.0,
                               stddev=(sigma * sensitivity)**2,
                               dtype=tf.float32)
    gbf2 += tf.random_normal(shape=tf.shape(gbf2),
                             mean=0.0,
                             stddev=(sigma * sensitivity)**2,
                             dtype=tf.float32)
    # Apply the clipped + noised gradients.
    train_step = opt.apply_gradients([(gw_W1, W_conv1), (gb1, b_conv1),
                                      (gw_W2, W_conv2), (gb2, b_conv2),
                                      (gw_Wf1, W_fc1), (gbf1, b_fc1),
                                      (gw_Wf2, W_fc2), (gbf2, b_fc2)])
    correct_prediction = tf.equal(tf.argmax(y_conv, 1), tf.argmax(y_, 1))
    accuracy = tf.reduce_mean(tf.cast(correct_prediction, tf.float32))
    start_time = time.time()
    # NOTE(review): mnist and target_eps are not defined in this function —
    # presumably module-level globals (the mnist import is commented out
    # above); confirm they exist at call time.
    for i in range(num_steps):
        batch = mnist.train.next_batch(batch_size)
        train_step.run(feed_dict={
            x: batch[0],
            y_: batch[1],
            keep_prob: 0.5
        })
        # Every 100 steps: report test accuracy and accumulate privacy
        # spending; stop once spent delta reaches the target delta.
        if i % 100 == 0:
            #train_accuracy = accuracy.eval(feed_dict={x:batch[0], y_: batch[1], keep_prob: 1.0});
            #print("step \t %d \t training accuracy \t %g"%(i, train_accuracy));
            print("step \t %d \t test accuracy \t %g" %
                  (i,
                   accuracy.eval(feed_dict={
                       x: mnist.test.images,
                       y_: mnist.test.labels,
                       keep_prob: 1.0
                   })))
            #epsilon = comp_eps(32, sample_rate, sigma, i, delta)
            #print("epsilon: {}".format(epsilon))
            sess.run([privacy_accum_op])
            spent_eps_deltas = priv_accountant.get_privacy_spent(
                sess, target_eps=target_eps)
            #print(i, spent_eps_deltas)
            _break = False
            for _eps, _delta in spent_eps_deltas:
                if _delta >= delta:
                    _break = True
                    break
            if _break == True:
                break
    duration = time.time() - start_time
    print("test accuracy %g" % accuracy.eval(feed_dict={
        x: mnist.test.images,
        y_: mnist.test.labels,
        keep_prob: 1.0
    }))
    print(float(duration))
def train(fgsm_eps, _dp_epsilon, _attack_norm_bound, log_filename, ratio):
    """Train a DP CNN on MNIST with injected Gaussian noise and evaluate it
    against several CleverHans attacks, logging accuracy/robustness metrics.

    Args:
        fgsm_eps: attack budget; passed as `eps` to every CleverHans attack
            and used as the robustness threshold.
        _dp_epsilon: DP epsilon used to size the injected noise (sigmaEGM /
            sigmaHGM) and in the robustness certificate.
        _attack_norm_bound: multiplier on the input-layer noise placeholder.
        log_filename: prefix of the text file the final metrics are written to.
        ratio: scales the target privacy budget: target_eps = [0.2 + 0.2*ratio].
    """
    FLAGS = None
    #ratio = 16
    #target_eps = [0.125,0.25,0.5,1,2,4,8]
    #target_eps = [0.25 + 0.25*ratio]
    target_eps = [0.2 + 0.2 * ratio]
    #print(target_eps[0])
    #fgsm_eps = 0.1
    dp_epsilon = _dp_epsilon
    image_size = 28
    # One log file per (target_eps, fgsm_eps, dp_epsilon, attack_norm_bound) combination.
    _log_filename = log_filename + str(target_eps[0]) + '_fgsm_' + str(
        fgsm_eps) + '_dpeps_' + str(dp_epsilon) + '_attack_norm_bound_' + str(
            _attack_norm_bound) + '.txt'

    # Hyper-parameters (several below are defined but never read, e.g.
    # image_size, clip_bound_2, small_num, large_num, num_images, num_epoch,
    # lambd, iterative_clip_step, clip, redistribute).
    clip_bound = 0.001  # the clip bound of the gradients
    clip_bound_2 = 1 / 1.5  # the clip bound for r_kM
    small_num = 1e-5  # a small number
    large_num = 1e5  # a large number
    num_images = 50000  # number of images N
    batch_size = 125  # batch_size L
    sample_rate = batch_size / 50000  # sample rate q = L / N
    # 900 epochs
    num_steps = 1800000  # number of steps T = E * N / L = E / q
    num_epoch = 24  # number of epochs E
    sigma = 5  # noise multiplier sigma
    delta = 1e-5  # DP delta; training stops once the accountant exceeds it
    lambd = 1e3  # exponential distribution parameter
    iterative_clip_step = 2  # iterative_clip_step
    clip = 1  # whether to clip the gradient
    noise = 0  # whether to add noise (rebound below as a placeholder)
    redistribute = 0  # whether to redistribute the noise
    D = 50000  # dataset size given to the moments accountant

    sess = tf.InteractiveSession()

    # Create the model: placeholders plus the conv/fc parameters shared by
    # every call to inference().
    x = tf.placeholder(tf.float32, [None, 784])
    y_ = tf.placeholder(tf.float32, [None, 10])
    keep_prob = tf.placeholder(tf.float32)

    W_conv1 = weight_variable([5, 5, 1, 32])
    b_conv1 = bias_variable([32])
    W_conv2 = weight_variable([5, 5, 32, 64])
    b_conv2 = bias_variable([64])
    W_fc1 = weight_variable([7 * 7 * 64, 25])
    b_fc1 = bias_variable([25])
    W_fc2 = weight_variable([25, 10])
    b_fc2 = bias_variable([10])

    def inference(x, dp_mult):
        """Two-conv + two-fc CNN; `dp_mult` is added to the first conv's
        pre-pooling activation (this is where the DP noise enters).
        Returns (logits, first conv activation)."""
        x_image = tf.reshape(x, [-1, 28, 28, 1])
        h_conv1 = tf.nn.relu((conv2d(x_image, W_conv1) + b_conv1) + dp_mult)
        h_pool1 = max_pool_2x2(h_conv1)
        h_conv2 = tf.nn.relu(conv2d(h_pool1, W_conv2) + b_conv2)
        h_pool2 = max_pool_2x2(h_conv2)
        h_pool2_flat = tf.reshape(h_pool2, [-1, 7 * 7 * 64])
        h_fc1 = tf.nn.relu(tf.matmul(h_pool2_flat, W_fc1) + b_fc1)
        h_fc1_drop = tf.nn.dropout(h_fc1, keep_prob)
        y_conv = tf.matmul(h_fc1_drop, W_fc2) + b_fc2
        return y_conv, h_conv1

    def inference_prob(x):
        """Softmax probabilities of a noise-free forward pass (dp_mult=0);
        used as the model the attacks are run against."""
        logits, _ = inference(x, 0)
        y_prob = tf.nn.softmax(logits)
        return y_prob

    # Sensitivity of the first conv layer = largest singular value of W_conv1
    # (reshaped so each column is one filter).
    shape = W_conv1.get_shape().as_list()
    w_t = tf.reshape(W_conv1, [-1, shape[-1]])
    w = tf.transpose(w_t)
    sing_vals = tf.svd(w, compute_uv=False)
    sensitivityW = tf.reduce_max(sing_vals)
    dp_delta = 0.05
    attack_norm_bound = _attack_norm_bound
    # Gaussian-mechanism multiplier sqrt(2 ln(1.25/delta))/epsilon.
    dp_mult = attack_norm_bound * math.sqrt(
        2 * math.log(1.25 / dp_delta)) / dp_epsilon

    # `noise` is rebound from the int flag above to the noise-input placeholder.
    noise = tf.placeholder(tf.float32, [None, 28, 28, 32])
    #y_conv, h_conv1 = inference(x, dp_mult * noise)
    y_conv, h_conv1 = inference(x, attack_norm_bound * noise)
    softmax_y = tf.nn.softmax(y_conv)
    # Define loss and optimizer
    priv_accountant = accountant.GaussianMomentsAccountant(D)
    privacy_accum_op = priv_accountant.accumulate_privacy_spending(
        [None, None], sigma, batch_size)

    # sess.run(tf.initialize_all_variables())
    sess.run(tf.global_variables_initializer())

    cross_entropy = tf.reduce_mean(
        tf.nn.softmax_cross_entropy_with_logits(labels=y_, logits=y_conv))
    #train_step = tf.train.AdamOptimizer(1e-5).minimize(cross_entropy);
    #train_step = tf.train.AdamOptimizer(1e-5).minimize(cross_entropy)

    # noise redistribution #
    # Per-unit importance of h_conv1 derived from the sign of the loss
    # gradient, normalised so the weights sum to 256*32.
    grad, = tf.gradients(cross_entropy, h_conv1)
    normalized_grad = tf.sign(grad)
    normalized_grad = tf.stop_gradient(normalized_grad)
    normalized_grad_r = tf.abs(tf.reduce_mean(normalized_grad, axis=(0)))
    #print(normalized_grad_r)
    sum_r = tf.reduce_sum(normalized_grad_r, axis=(0, 1, 2), keepdims=False)
    #print(sum_r)
    normalized_grad_r = 256 * 32 * normalized_grad_r / sum_r
    print(normalized_grad_r)

    # Sensitivity of the redistribution vector (largest singular value).
    shape_grad = normalized_grad_r.get_shape().as_list()
    grad_t = tf.reshape(normalized_grad_r, [-1, shape_grad[-1]])
    g = tf.transpose(grad_t)
    sing_g_vals = tf.svd(g, compute_uv=False)
    sensitivity_2 = tf.reduce_max(sing_g_vals)
    ########################

    opt = GradientDescentOptimizer(learning_rate=1e-1)

    # compute gradient
    gw_W1 = tf.gradients(cross_entropy, W_conv1)[0]  # gradient of W1
    gb1 = tf.gradients(cross_entropy, b_conv1)[0]  # gradient of b1
    gw_W2 = tf.gradients(cross_entropy, W_conv2)[0]  # gradient of W2
    gb2 = tf.gradients(cross_entropy, b_conv2)[0]  # gradient of b2
    gw_Wf1 = tf.gradients(cross_entropy, W_fc1)[0]  # gradient of W_fc1
    gbf1 = tf.gradients(cross_entropy, b_fc1)[0]  # gradient of b_fc1
    gw_Wf2 = tf.gradients(cross_entropy, W_fc2)[0]  # gradient of W_fc2
    gbf2 = tf.gradients(cross_entropy, b_fc2)[0]  # gradient of b_fc2

    # clip gradient
    # NOTE(review): only the weight gradients are clipped; the bias gradients
    # (gb1, gb2, gbf1, gbf2) get noise below without clipping — confirm intended.
    gw_W1 = tf.clip_by_norm(gw_W1, clip_bound)
    gw_W2 = tf.clip_by_norm(gw_W2, clip_bound)
    gw_Wf1 = tf.clip_by_norm(gw_Wf1, clip_bound)
    gw_Wf2 = tf.clip_by_norm(gw_Wf2, clip_bound)

    # sigma = FLAGS.sigma  # when comp_eps(lmbda,q,sigma,T,delta)==epsilon
    # sensitivity = 2 * FLAGS.clip_bound  # adjacency matrix with one tuple different
    sensitivity = clip_bound  # adjacency matrix with one more tuple

    # Add Gaussian noise to each gradient.
    # NOTE(review): (sigma * sensitivity)**2 is passed as `stddev`, i.e. the
    # variance is being used where a standard deviation is expected — confirm.
    gw_W1 += tf.random_normal(shape=tf.shape(gw_W1),
                              mean=0.0,
                              stddev=(sigma * sensitivity)**2,
                              dtype=tf.float32)
    gb1 += tf.random_normal(shape=tf.shape(gb1),
                            mean=0.0,
                            stddev=(sigma * sensitivity)**2,
                            dtype=tf.float32)
    gw_W2 += tf.random_normal(shape=tf.shape(gw_W2),
                              mean=0.0,
                              stddev=(sigma * sensitivity)**2,
                              dtype=tf.float32)
    gb2 += tf.random_normal(shape=tf.shape(gb2),
                            mean=0.0,
                            stddev=(sigma * sensitivity)**2,
                            dtype=tf.float32)
    gw_Wf1 += tf.random_normal(shape=tf.shape(gw_Wf1),
                               mean=0.0,
                               stddev=(sigma * sensitivity)**2,
                               dtype=tf.float32)
    gbf1 += tf.random_normal(shape=tf.shape(gbf1),
                             mean=0.0,
                             stddev=(sigma * sensitivity)**2,
                             dtype=tf.float32)
    gw_Wf2 += tf.random_normal(shape=tf.shape(gw_Wf2),
                               mean=0.0,
                               stddev=(sigma * sensitivity)**2,
                               dtype=tf.float32)
    gbf2 += tf.random_normal(shape=tf.shape(gbf2),
                             mean=0.0,
                             stddev=(sigma * sensitivity)**2,
                             dtype=tf.float32)

    train_step = opt.apply_gradients([(gw_W1, W_conv1), (gb1, b_conv1),
                                      (gw_W2, W_conv2), (gb2, b_conv2),
                                      (gw_Wf1, W_fc1), (gbf1, b_fc1),
                                      (gw_Wf2, W_fc2), (gbf2, b_fc2)])

    # craft adversarial samples from x for testing
    #softmax_y_test = tf.nn.softmax(y_conv)

    #====================== attack =========================
    attack_switch = {
        'fgsm': True,
        'ifgsm': True,
        'deepfool': False,
        'mim': True,
        'spsa': False,
        'cwl2': False,
        'madry': True,
        'stm': False
    }
    # define cleverhans abstract models for using cleverhans attacks
    ch_model_logits = CallableModelWrapper(callable_fn=inference,
                                           output_layer='logits')
    ch_model_probs = CallableModelWrapper(callable_fn=inference_prob,
                                          output_layer='probs')

    # define each attack method's tensor
    attack_tensor_dict = {}
    # FastGradientMethod
    if attack_switch['fgsm']:
        print('creating attack tensor of FastGradientMethod')
        fgsm_obj = FastGradientMethod(model=ch_model_probs, sess=sess)
        x_adv_test_fgsm = fgsm_obj.generate(x=x,
                                            eps=fgsm_eps,
                                            clip_min=0.0,
                                            clip_max=1.0)  # testing now
        attack_tensor_dict['fgsm'] = x_adv_test_fgsm

    # Iterative FGSM (BasicIterativeMethod/ProjectedGradientMethod with no random init)
    # default: eps_iter=0.05, nb_iter=10
    if attack_switch['ifgsm']:
        print('creating attack tensor of BasicIterativeMethod')
        ifgsm_obj = BasicIterativeMethod(model=ch_model_probs, sess=sess)
        x_adv_test_ifgsm = ifgsm_obj.generate(x=x,
                                              eps=fgsm_eps,
                                              eps_iter=fgsm_eps / 10,
                                              nb_iter=10,
                                              clip_min=0.0,
                                              clip_max=1.0)
        attack_tensor_dict['ifgsm'] = x_adv_test_ifgsm

    # MomentumIterativeMethod
    # default: eps_iter=0.06, nb_iter=10
    if attack_switch['mim']:
        print('creating attack tensor of MomentumIterativeMethod')
        mim_obj = MomentumIterativeMethod(model=ch_model_probs, sess=sess)
        x_adv_test_mim = mim_obj.generate(x=x,
                                          eps=fgsm_eps,
                                          eps_iter=fgsm_eps / 10,
                                          nb_iter=10,
                                          decay_factor=1.0,
                                          clip_min=0.0,
                                          clip_max=1.0)
        attack_tensor_dict['mim'] = x_adv_test_mim

    # MadryEtAl (Projected Gradient with random init, same as rand+fgsm)
    # default: eps_iter=0.01, nb_iter=40
    if attack_switch['madry']:
        print('creating attack tensor of MadryEtAl')
        madry_obj = MadryEtAl(model=ch_model_probs, sess=sess)
        x_adv_test_madry = madry_obj.generate(x=x,
                                              eps=fgsm_eps,
                                              eps_iter=fgsm_eps / 10,
                                              nb_iter=10,
                                              clip_min=0.0,
                                              clip_max=1.0)
        attack_tensor_dict['madry'] = x_adv_test_madry
    #====================== attack =========================

    #Define the correct prediction and accuracy#
    correct_prediction_x = tf.equal(tf.argmax(y_conv, 1), tf.argmax(y_, 1))
    accuracy_x = tf.reduce_mean(tf.cast(correct_prediction_x, tf.float32))
    correct_prediction = tf.equal(tf.argmax(y_conv, 1), tf.argmax(y_, 1))
    accuracy = tf.reduce_mean(tf.cast(correct_prediction, tf.float32))

    # Extended-Gaussian-mechanism noise scale for the input-layer noise.
    s = math.log(sqrt(2.0 / math.pi) * 1e+5)
    sigmaEGM = sqrt(2.0) * 1.0 * (sqrt(s) +
                                  sqrt(s + dp_epsilon)) / (2.0 * dp_epsilon)
    print(sigmaEGM)
    # NOTE(review): sigmaEGM**2 is passed as the scale (stddev) argument of
    # np.random.normal — variance used as stddev, same pattern as above.
    __noiseE = np.random.normal(0.0, sigmaEGM**2,
                                28 * 28 * 32).astype(np.float32)
    __noiseE = np.reshape(__noiseE, [-1, 28, 28, 32])

    start_time = time.time()
    logfile = open(_log_filename, 'w')
    last_eval_time = -1
    accum_time = 0
    accum_epoch = 0
    max_benign_acc = -1
    max_adv_acc_dict = {}
    test_size = len(mnist.test.images)

    # Warm-up phase: train briefly (noise placeholder fed with zeros) so the
    # gradient-based redistribution vector can be estimated.
    print("Computing The Noise Redistribution Vector")
    for i in range(4000):
        batch = mnist.train.next_batch(batch_size)
        sess.run([train_step],
                 feed_dict={
                     x: batch[0],
                     y_: batch[1],
                     keep_prob: 0.5,
                     noise: __noiseE * 0
                 })
    batch = mnist.train.next_batch(batch_size * 10)
    grad_redis = sess.run([normalized_grad_r],
                          feed_dict={
                              x: batch[0],
                              y_: batch[1],
                              keep_prob: 1.0,
                              noise: __noiseE * 0
                          })
    #print(grad_redis)
    _sensitivity_2 = sess.run([sensitivity_2],
                              feed_dict={
                                  x: batch[0],
                                  y_: batch[1],
                                  keep_prob: 1.0,
                                  noise: __noiseE * 0
                              })
    #print(_sensitivity_2)
    _sensitivityW = sess.run(sensitivityW)
    #print(_sensitivityW)
    Delta_redis = _sensitivityW / sqrt(_sensitivity_2[0])
    #print(Delta_redis)
    sigmaHGM = sqrt(2.0) * Delta_redis * (sqrt(s) + sqrt(s + dp_epsilon)) / (
        2.0 * dp_epsilon)
    #print(sigmaHGM)
    # Heterogeneous noise: Gaussian draw scaled per-unit by the
    # redistribution vector estimated above.
    __noiseH = np.random.normal(0.0, sigmaHGM**2,
                                28 * 28 * 32).astype(np.float32)
    __noiseH = np.reshape(__noiseH, [-1, 28, 28, 32]) * grad_redis

    # Re-initialise and train from scratch with the fixed (E+H)/2 noise.
    sess.run(tf.global_variables_initializer())

    print("Training")
    for i in range(num_steps):
        batch = mnist.train.next_batch(batch_size)
        sess.run([train_step],
                 feed_dict={
                     x: batch[0],
                     y_: batch[1],
                     keep_prob: 0.5,
                     noise: (__noiseE + __noiseH) / 2
                 })
        sess.run([privacy_accum_op])
        spent_eps_deltas = priv_accountant.get_privacy_spent(
            sess, target_eps=target_eps)
        if i % 1000 == 0:
            print(i, spent_eps_deltas)
        # Stop as soon as the accountant reports delta spent >= the budget.
        _break = False
        for _eps, _delta in spent_eps_deltas:
            if _delta >= delta:
                _break = True
                break
        if _break == True:
            break

    print("Testing")
    benign_acc = accuracy_x.eval(
        feed_dict={
            x: mnist.test.images,
            y_: mnist.test.labels,
            keep_prob: 1.0,
            noise: (__noiseE + __noiseH) / 2
        })

    ### PixelDP Robustness ###
    adv_acc_dict = {}
    robust_adv_acc_dict = {}
    robust_adv_utility_dict = {}
    for atk in attack_switch.keys():
        if atk not in adv_acc_dict:
            adv_acc_dict[atk] = -1
            robust_adv_acc_dict[atk] = -1
            robust_adv_utility_dict[atk] = -1
        if attack_switch[atk]:
            # Craft adversarial versions of the whole test set for this attack.
            adv_images_dict = sess.run(attack_tensor_dict[atk],
                                       feed_dict={
                                           x: mnist.test.images,
                                           y_: mnist.test.labels,
                                           keep_prob: 1.0
                                       })
            #grad_redis = sess.run([normalized_grad_r], feed_dict={x: adv_images_dict, y_: mnist.test.labels, keep_prob: 1.0, noise:__noise})
            ### Robustness ###
            # Monte-Carlo vote: 2000 noisy forward passes; per-image argmax
            # counts feed the PixelDP robustness-size certificate.
            predictions_form_argmax = np.zeros([test_size, 10])
            softmax_predictions = softmax_y.eval(
                feed_dict={
                    x: adv_images_dict,
                    keep_prob: 1.0,
                    noise: (__noiseE + __noiseH) / 2
                })
            argmax_predictions = np.argmax(softmax_predictions, axis=1)
            for n_draws in range(0, 2000):
                if n_draws % 1000 == 0:
                    print(n_draws)
                _noiseE = np.random.normal(0.0, sigmaEGM**2,
                                           28 * 28 * 32).astype(np.float32)
                _noiseE = np.reshape(_noiseE, [-1, 28, 28, 32])
                _noise = np.random.normal(0.0, sigmaHGM**2,
                                          28 * 28 * 32).astype(np.float32)
                _noise = np.reshape(_noise, [-1, 28, 28, 32]) * grad_redis
                for j in range(test_size):
                    pred = argmax_predictions[j]
                    predictions_form_argmax[j, pred] += 1
                softmax_predictions = softmax_y.eval(
                    feed_dict={
                        x: adv_images_dict,
                        keep_prob: 1.0,
                        noise:
                        (__noiseE + __noiseH) / 2 + (_noiseE + _noise) / 4
                    })
                argmax_predictions = np.argmax(softmax_predictions, axis=1)
            final_predictions = predictions_form_argmax
            is_correct = []
            is_robust = []
            for j in range(test_size):
                is_correct.append(
                    np.argmax(mnist.test.labels[j]) == np.argmax(
                        final_predictions[j]))
                robustness_from_argmax = robustnessGGaussian.robustness_size_argmax(
                    counts=predictions_form_argmax[j],
                    eta=0.05,
                    dp_attack_size=fgsm_eps,
                    dp_epsilon=dp_epsilon,
                    dp_delta=1e-5,
                    dp_mechanism='gaussian') / dp_mult
                is_robust.append(robustness_from_argmax >= fgsm_eps)
            # Accuracy on adversarial inputs, conditional accuracy on
            # certified-robust inputs, and fraction certified robust.
            adv_acc_dict[atk] = np.sum(is_correct) * 1.0 / test_size
            robust_adv_acc_dict[atk] = np.sum([
                a and b for a, b in zip(is_robust, is_correct)
            ]) * 1.0 / np.sum(is_robust)
            robust_adv_utility_dict[atk] = np.sum(is_robust) * 1.0 / test_size
            print(" {}: {:.4f} {:.4f} {:.4f} {:.4f}".format(
                atk, adv_acc_dict[atk], robust_adv_acc_dict[atk],
                robust_adv_utility_dict[atk],
                robust_adv_acc_dict[atk] * robust_adv_utility_dict[atk]))

    ##############################
    # `i` here is the last training step reached before the privacy budget ran out.
    log_str = "step: {}\t target_epsilon: {}\t dp_epsilon: {:.1f}\t attack_norm_bound: {:.1f}\t benign_acc: {:.4f}\t".format(
        i, target_eps, dp_epsilon, attack_norm_bound, benign_acc)
    for atk in attack_switch.keys():
        if attack_switch[atk]:
            log_str += " {}: {:.4f} {:.4f} {:.4f} {:.4f}".format(
                atk, adv_acc_dict[atk], robust_adv_acc_dict[atk],
                robust_adv_utility_dict[atk],
                robust_adv_acc_dict[atk] * robust_adv_utility_dict[atk])
    print(log_str)
    logfile.write(log_str + '\n')
    ##############################
    duration = time.time() - start_time
    logfile.write(str(duration) + '\n')
    logfile.flush()
    logfile.close()
def main():
    """Train an MNIST classifier and a GAN-style perturbation generator,
    craft FGSM/JSMA/GAN adversarial samples for the test set, save them to
    `data/` and `img/`, and print perturbation sizes and accuracies.

    Relies on module-level helpers: classifier, generator, softmax_loss,
    attack.fgsm, SaliencyMapMethod, get_acc, diff, sample_Z, save_images.
    """
    random_seed = 1024
    train_size, test_size = 55000, 10000
    batch_size = 100
    learning_rate = 0.05
    epochs = 20
    steps = epochs * 550  # 550 batches of 100 per epoch
    sess = tf.Session()
    global_step = tf.Variable(0, name = 'global_step', trainable = False)
    tf.set_random_seed(random_seed)
    saver = tf.train.Saver()
    x = tf.placeholder(tf.float32, [None, 784])  # input
    label = tf.placeholder(tf.float32, [None, 10])  # true label
    noise = tf.placeholder(tf.float32, [None, 100])  # noise vector
    y_target = tf.placeholder(tf.float32, [None, 10])  # target label
    # x1/x2 feed the pairwise perturbation-size op diff(x1, x2).
    x1 = tf.placeholder(tf.float32, [None, 784])
    x2 = tf.placeholder(tf.float32, [None, 784])
    y = classifier(x)
    # gan
    x_gan = generator(x, noise, 4)
    y_gan = classifier(x_gan)
    loss = softmax_loss(label, y)
    # Generator is trained to *maximise* the classifier loss on its output.
    loss_gan = - softmax_loss(label, y_gan)
    all_vars = tf.trainable_variables()
    c_vars = [var for var in all_vars if 'classifier' in var.name]
    g_vars = [var for var in all_vars if 'generator' in var.name]
    train_op_classifier = GradientDescentOptimizer(learning_rate = learning_rate) \
        .minimize(loss, var_list = c_vars, global_step = global_step)
    train_op_generator = GradientDescentOptimizer(learning_rate = 0.05) \
        .minimize(loss_gan, var_list = g_vars, global_step = global_step)
    #fgsm
    x_fgsm = attack.fgsm(x, y, eps = 0.2, clip_min=0, clip_max=1)
    y_fgsm = classifier(x_fgsm)
    # jsma
    jsma = SaliencyMapMethod(classifier, back='tf', sess=sess)
    # train
    mnist = input_data.read_data_sets('MNIST_data', one_hot=True)
    # Targeted labels: class 0 for every sample (batch-sized and test-sized).
    y_target_batch = np.zeros((100, 10), dtype=np.float32)
    y_target_batch[:, 0] = 1.0
    y_target_test = np.zeros((10000, 10), dtype=np.float32)
    y_target_test[:, 0] = 1.0
    sess.run(tf.global_variables_initializer())
    with sess.as_default():
        print('train classifier')
        for t in range(1, steps + 1):
            batch = mnist.train.next_batch(batch_size)
            sess.run(train_op_classifier, feed_dict={x: batch[0], label: batch[1]})
            if t % 550 == 0:  # end of an epoch
                epoch = int(t / 550)
                acc_benign = sess.run(get_acc(x, label), feed_dict={x: mnist.test.images, label: mnist.test.labels})
                print(epoch, acc_benign)
        print('train gan')
        for t in range(1, 550 * 5 + 1):  # 5 epochs for the generator
            batch = mnist.train.next_batch(batch_size)
            f_dict = {x: batch[0], label: batch[1], noise: sample_Z(batch_size, 100), y_target: y_target_batch}
            sess.run(train_op_generator, feed_dict=f_dict)
            if t % 550 == 0:
                epoch = int(t / 550)
                f_dict = {x: mnist.test.images, label: mnist.test.labels, noise: sample_Z(10000, 100), y_target: y_target_batch}
                x_gan_d = sess.run(x_gan, feed_dict=f_dict)
                f_dict = {x: x_gan_d, label: mnist.test.labels}
                acc_gan = sess.run(get_acc(x, label), feed_dict=f_dict)
                print(epoch, acc_gan)
        checkpoint_path = os.path.join('model', 'basic_model.ckpt')
        #saver.save(sess, checkpoint_path, global_step = 1)
        print('generate adv samples for the first batch of the testing set')
        # real
        x_real_mnist_1 = mnist.test.images[0:100,]
        np.save(os.path.join('data','x_real_mnist_1.npy'), x_real_mnist_1)
        x_real_mnist_1_r = x_real_mnist_1.reshape([100, 28, 28])
        save_images(x_real_mnist_1_r, [10, 10], os.path.join('img', 'x_real_mnist_1.png'))
        # fgsm
        x_fgsm_mnist_1 = sess.run(x_fgsm, feed_dict = {x: mnist.test.images[0:100,], label: mnist.test.labels[0:100,]})
        np.save(os.path.join('data','x_fgsm_mnist_1.npy'), x_fgsm_mnist_1)
        x_fgsm_mnist_1_r = x_fgsm_mnist_1.reshape([100, 28, 28])
        save_images(x_fgsm_mnist_1_r, [10, 10], os.path.join('img', 'x_fgsm_mnist_1.png'))
        #jsma
        jsma_params = {'theta': 1., 'gamma': 0.1,'nb_classes': 10, 'clip_min': 0.,'clip_max': 1., 'targets': y,\
            'y_val': y_target_batch}
        x_jsma_mnist_1 = jsma.generate_np(mnist.test.images[0:100,], **jsma_params)
        np.save(os.path.join('data','x_jsma_mnist_1.npy'), x_jsma_mnist_1)
        acc_jsma_1 = sess.run(get_acc(x, label), feed_dict={x: x_jsma_mnist_1, label: mnist.test.labels[0:100,]})
        x_jsma_mnist_1_r = x_jsma_mnist_1.reshape([100, 28, 28])
        save_images(x_jsma_mnist_1_r, [10, 10], os.path.join('img', 'x_jsma_mnist_1.png'))
        # gan
        x_gan_mnist_1 = sess.run(x_gan, feed_dict={x: mnist.test.images[0:100,] ,label: mnist.test.labels[0:100,]\
            , noise: sample_Z(batch_size, 100), y_target: y_target_batch})
        np.save(os.path.join('data','x_gan_mnist_1.npy'), x_gan_mnist_1)
        x_gan_mnist_1_r = x_gan_mnist_1.reshape([100, 28, 28])
        save_images(x_gan_mnist_1_r, [10, 10], os.path.join('img', 'x_gan_mnist_1.png'))
        # Average perturbation size of each attack on the first 100 test images.
        diff_fgsm = sess.run(diff(x1, x2), feed_dict={x1: x_real_mnist_1, x2: x_fgsm_mnist_1})
        diff_jsma = sess.run(diff(x1, x2), feed_dict={x1: x_real_mnist_1, x2: x_jsma_mnist_1})
        diff_gan = sess.run(diff(x1, x2), feed_dict={x1: x_real_mnist_1, x2: x_gan_mnist_1})
        print('perturb: fgsm: {:.3f}, jsma: {:.3f}, gan: {:.3f}'.format(diff_fgsm, diff_jsma, diff_gan))
        acc_benign = sess.run(get_acc(x, label), feed_dict={x: mnist.test.images, label: mnist.test.labels})
        print('generate adv samples for the entire testing set')
        # fgsm
        x_fgsm_mnist = sess.run(x_fgsm, feed_dict = {x: mnist.test.images, label: mnist.test.labels})
        np.save(os.path.join('data','x_fgsm_mnist.npy'), x_fgsm_mnist)
        acc_fgsm = sess.run(get_acc(x, label), feed_dict={x: x_fgsm_mnist, label: mnist.test.labels})
        # gan
        x_gan_mnist = sess.run(x_gan, feed_dict={x: mnist.test.images ,label: mnist.test.labels\
            , noise: sample_Z(10000, 100), y_target: y_target_test})
        np.save(os.path.join('data','x_gan_mnist.npy'), x_gan_mnist)
        acc_gan = sess.run(get_acc(x, label), feed_dict={x: x_gan_mnist ,label: mnist.test.labels\
            , noise: sample_Z(10000, 100), y_target: y_target_test})
        # NOTE(review): acc_jsma_1 below was measured on only the first 100
        # test images, while the other accuracies cover the full test set.
        print('accuracy: benign: {:.3f}, fgsm: {:.3f}, jsma: {:.3f}, gan: {:.3f}'.format(acc_benign, acc_fgsm, acc_jsma_1, acc_gan))
        '''
        x_fgsm_mnist = np.load(os.path.join('data','x_fgsm_mnist.npy'))
        x_gan_mnist = np.load(os.path.join('data','x_gan_mnist.npy'))
        x_jsma_mnist_1 = np.load(os.path.join('data','x_jsma_mnist_1.npy'))
        sess.run(tf.global_variables_initializer())
        print('train classifier')
        for t in range(1, steps + 1):
            batch = mnist.train.next_batch(batch_size)
            sess.run(train_op_classifier, feed_dict={x: batch[0], label: batch[1]})
            if t % 550 == 0:
                epoch = int(t / 550)
                acc = {}
                acc['benign'] = sess.run(get_acc(x, label), feed_dict = {x: mnist.test.images, label: mnist.test.labels})
                acc['pre fgsm'] = sess.run(get_acc(x, label), feed_dict={x: x_fgsm_mnist, label: mnist.test.labels})
                acc['pre gan'] = sess.run(get_acc(x, label), feed_dict={x: x_gan_mnist, label: mnist.test.labels})
                acc['pre jsma 1'] = sess.run(get_acc(x, label), feed_dict={x: x_jsma_mnist_1, label: mnist.test.labels[0:100,]})
                print(epoch, acc)
        '''
        sess.close()
        return
        # NOTE(review): everything below the `return` above is unreachable —
        # apparently kept from an earlier (full-test-set JSMA) experiment.
        # jsma
        jsma_params = {'theta': 1., 'gamma': 0.1,'nb_classes': 10, 'clip_min': 0.,'clip_max': 1., 'targets': y,\
            'y_val': y_target_test}
        x_jsma_mnist = jsma.generate_np(mnist.test.images, **jsma_params)
        np.save(os.path.join('data','x_jsma_mnist.npy'), x_jsma_mnist)
def training_embedding(reverse_dictionary, with_dp=False):
    """Train word2vec-style embeddings, optionally with differential privacy.

    Clips the embedding/softmax gradients, adds Gaussian noise when
    FLAGS.with_dp is set, tracks the privacy budget with a moments
    accountant, and periodically prints nearest neighbours of a fixed
    validation word set. Checkpoints at the steps listed in the
    module-level `saving_pointers` and early-stops on non-decreasing loss.

    :param reverse_dictionary: maps word id -> word; used to print the
        nearest-neighbour diagnostics.
    :param with_dp: NOTE(review): this parameter is never read — noise
        injection is controlled by FLAGS.with_dp instead. Confirm intended.
    :return: None
    """
    batch_size = 128
    embedding_size = 300  # Dimension of the embedding vector.
    skip_window = 1  # How many words to consider left and right.
    num_skips = 2  # How many times to reuse an input to generate a label.
    # We pick a random validation set to sample nearest neighbors. here we limit the
    # validation samples to the words that have a low numeric ID, which by
    # construction are also the most frequent.
    valid_size = 16  # Random set of words to evaluate similarity on.
    valid_window = 100  # Only pick dev samples in the head of the distribution.
    valid_examples = np.array(random.sample(range(valid_window), valid_size))
    num_sampled = 64  # Number of negative examples to sample.
    learning_rate = 1

    # DP parameters
    clip_bound = 0.01  # the clip bound of the gradients
    # num_steps = 160000  # number of steps T = E * N / L = E / q
    sigma = 5  # sigma
    delta = 1e-5  # delta

    sess = tf.InteractiveSession()
    graph = tf.Graph()  # NOTE(review): created but never used; ops go to the default graph
    avg_loss_arr = []
    loss_arr = []
    # with graph.as_default(), tf.device('/cpu:0'):
    # Input data.
    with tf.device('/gpu:0'):
        train_dataset = tf.placeholder(tf.int32, shape=[batch_size])
        train_labels = tf.placeholder(tf.int32, shape=[batch_size, 1])
        valid_dataset = tf.constant(valid_examples, dtype=tf.int32)
        # Variables.
        embeddings = tf.Variable(
            tf.random_uniform([vocabulary_size, embedding_size], -1.0, 1.0))
        # Model.
        # Look up embeddings for inputs.
        embed = tf.nn.embedding_lookup(embeddings, train_dataset)

    if FLAGS.with_nce_loss:
        nce_weights = tf.Variable(
            tf.truncated_normal([vocabulary_size, embedding_size],
                                stddev=1.0 / math.sqrt(embedding_size)))
        nce_biases = tf.Variable(tf.zeros([vocabulary_size]))
        cross_entropy = tf.reduce_mean(
            tf.nn.nce_loss(weights=nce_weights,
                           biases=nce_biases,
                           labels=train_labels,
                           inputs=embed,
                           num_sampled=num_sampled,
                           num_classes=vocabulary_size))
    else:
        with tf.device('/gpu:0'):
            softmax_weights = tf.Variable(
                tf.truncated_normal([vocabulary_size, embedding_size],
                                    stddev=1.0 / math.sqrt(embedding_size)))
            softmax_biases = tf.Variable(tf.zeros([vocabulary_size]))
            # Compute the softmax loss, using a sample of the negative labels each time.
            # Read more: https://stackoverflow.com/questions/37671974/tensorflow-negative-sampling
            # When we want to compute the softmax probability for your true label,
            # we compute: logits[true_label] / sum(logits[negative_sampled_labels]
            # Other candidate sampling: https://www.tensorflow.org/extras/candidate_sampling.pdf
            cross_entropy = tf.reduce_mean(
                tf.nn.sampled_softmax_loss(weights=softmax_weights,
                                           biases=softmax_biases,
                                           inputs=embed,
                                           labels=train_labels,
                                           num_sampled=num_sampled,
                                           num_classes=vocabulary_size))

    priv_accountant = accountant.GaussianMomentsAccountant(vocabulary_size)
    privacy_accum_op = priv_accountant.accumulate_privacy_spending(
        [None, None], sigma, batch_size)

    # Optimizer.
    # Note: The optimizer will optimize the softmax_weights AND the embeddings.
    # This is because the embeddings are defined as a variable quantity and the
    # optimizer's `minimize` method will by default modify all variable quantities
    # that contribute to the tensor it is passed.
    # See docs on `tf.train.Optimizer.minimize()` for more details.
    # optimizer = tf.train.AdagradOptimizer(learning_rate).minimize(loss)
    # optimizer = tf.train.GradientDescentOptimizer(learning_rate).minimize(cross_entropy)
    optimizer = GradientDescentOptimizer(learning_rate)
    if FLAGS.optimizer == "adam":
        # cannot use adam so far. Tested and the model couldn't converge.
        optimizer = AdamOptimizer(learning_rate)
        print("##INFO: Using adam optimizer")
    if FLAGS.optimizer == "adagrad":
        # cannot use adam so far. Tested and the model couldn't converge.
        optimizer = AdagradOptimizer(learning_rate)
        print("##INFO: Using adagrad optimizer")

    log_dir = os.path.join(FLAGS.trained_models, "logs")

    # compute gradient
    if FLAGS.with_nce_loss:
        gw_Embeddings = tf.gradients(cross_entropy,
                                     embeddings)[0]  # gradient of embeddings
        gw_softmax_weights = tf.gradients(
            cross_entropy, nce_weights)[0]  # gradient of nce_weights
        gb_softmax_biases = tf.gradients(
            cross_entropy, nce_biases)[0]  # gradient of nce_biases
    else:
        with tf.device('/gpu:0'):
            gw_Embeddings = tf.gradients(
                cross_entropy, embeddings)[0]  # gradient of embeddings
            gw_softmax_weights = tf.gradients(
                cross_entropy,
                softmax_weights)[0]  # gradient of softmax_weights
            gb_softmax_biases = tf.gradients(
                cross_entropy, softmax_biases)[0]  # gradient of softmax_biases

    # clip gradient
    if FLAGS.clip_by_norm:
        # faster but takes more epochs to train
        with tf.device('/gpu:0'):
            gw_Embeddings = tf.clip_by_norm(gw_Embeddings, clip_bound)
            gw_softmax_weights = tf.clip_by_norm(gw_softmax_weights, clip_bound)
            gb_softmax_biases = tf.clip_by_norm(gb_softmax_biases, clip_bound)
    else:
        # dp-sgd: slow and require more memory but converge faster, take less epochs.
        gw_Embeddings = utils.BatchClipByL2norm(gw_Embeddings, clip_bound)
        gw_softmax_weights = utils.BatchClipByL2norm(gw_softmax_weights, clip_bound)
        gb_softmax_biases = utils.BatchClipByL2norm(gb_softmax_biases, clip_bound)

    sensitivity = clip_bound  # adjacency matrix with one more tuple

    # Add noise
    if FLAGS.with_dp:
        # NOTE(review): sigma * sensitivity**2 is passed as `stddev`
        # (not sigma * sensitivity) — confirm the intended noise scale.
        gw_Embeddings += tf.random_normal(shape=tf.shape(gw_Embeddings),
                                          mean=0.0,
                                          stddev=sigma * (sensitivity**2),
                                          dtype=tf.float32)
        gw_softmax_weights += tf.random_normal(
            shape=tf.shape(gw_softmax_weights),
            mean=0.0,
            stddev=sigma * (sensitivity**2),
            dtype=tf.float32)
        gb_softmax_biases += tf.random_normal(
            shape=tf.shape(gb_softmax_biases),
            mean=0.0,
            stddev=sigma * (sensitivity**2),
            dtype=tf.float32)

    if FLAGS.with_nce_loss:
        train_step = optimizer.apply_gradients([
            (gw_Embeddings, embeddings), (gw_softmax_weights, nce_weights),
            (gb_softmax_biases, nce_biases)
        ])
    else:
        train_step = optimizer.apply_gradients([
            (gw_Embeddings, embeddings), (gw_softmax_weights, softmax_weights),
            (gb_softmax_biases, softmax_biases)
        ])

    # Compute the similarity between minibatch examples and all embeddings.
    # We use the cosine distance:
    with tf.device('/gpu:0'):
        norm = tf.sqrt(tf.reduce_sum(tf.square(embeddings), 1, keep_dims=True))
        normalized_embeddings = embeddings / norm
        valid_embeddings = tf.nn.embedding_lookup(normalized_embeddings,
                                                  valid_dataset)
        similarity = tf.matmul(valid_embeddings,
                               tf.transpose(normalized_embeddings))

    min_loss = 10**4
    per_dec_count = 0
    print('Initialized')
    average_loss = 0
    running = True
    step = 0
    average_loss_arr = []
    saving_pointer_idx = 0

    # put it here because Adam has its own variables.
    sess.run(tf.global_variables_initializer())
    # saver must be used after global_variables_initializer
    saver = tf.train.Saver()

    # Save the variables to disk.
    save_path = os.path.join(FLAGS.trained_models, "initialized_model.ckpt")
    # Sonvx: we need to make sure initialized variables are all the same for different tests.
    print("Checking on path: ", save_path)
    if not os.path.isfile(save_path + ".index"):
        saved_info = saver.save(sess, save_path)
        print("Global initialized model saved in file: %s" % saved_info)
    else:
        saver.restore(sess, save_path)
        print("Restored the global initialized model.")
        if FLAGS.DEBUG:
            input(
                "Double check whether or not the initialized model got restored then <Press enter>"
            )
    print('###INFO: Initialized in run(graph)')

    if FLAGS.RESTORE_LAST_CHECK_POINT:
        checkpoint_path = os.path.join(log_dir, "model.ckpt")
        if os.path.isfile(checkpoint_path + ".index"):
            saver.restore(sess, checkpoint_path)
            print("Restored the latest checkpoint at %s." % (checkpoint_path))

    while running:
        # for step in range(num_steps):
        batch_data, batch_labels = generate_batch(batch_size, num_skips,
                                                  skip_window)
        print("Global data_index = ", data_index)
        # feed_dict = {train_dataset: batch_data, train_labels: batch_labels}
        # old: sess.run([optimizer, cross_entropy], feed_dict=feed_dict)
        # template: train_step.run(feed_dict={x: batch[0], y_: batch[1], keep_prob: 0.5});
        train_step.run(feed_dict={
            train_dataset: batch_data,
            train_labels: batch_labels
        })
        loss = cross_entropy.eval(feed_dict={
            train_dataset: batch_data,
            train_labels: batch_labels
        })
        # loss_arr.append(l)
        # average_loss += l
        # current_avg_loss = average_loss/step
        # avg_loss_arr.append(current_avg_loss)
        sess.run([privacy_accum_op])
        # print(step, spent_eps_deltas)
        average_loss += loss
        # Avoid division by zero on the first step.
        if step == 0:
            step_dev = 0.1 * 5
        else:
            step_dev = step
        # NOTE(review): average_loss is a scalar here, so np.mean is a no-op.
        current_avg_loss = np.mean(average_loss) / step_dev
        average_loss_arr.append(current_avg_loss)
        if step % 200 == 0:
            # if step > 0:
            # average_loss = average_loss / 2000
            # The average loss is an estimate of the loss over the last 2000 batches.
            print('Average loss at step %d: %f' % (step, current_avg_loss))
            # TODO: turns this back on if not sure how average_loss influences training process
            print("Embedding: ")
            em_val = tf.reduce_mean(tf.abs(embeddings))
            print(sess.run(em_val))
            # average_loss = 0
        # note that this is expensive (~20% slowdown if computed every 500 steps)
        # NOTE(review): check_step is a float (NUM_STEPS * 0.2); `step % check_step`
        # is float modulo — confirm the intended evaluation schedule.
        check_step = (FLAGS.NUM_STEPS * 0.2)
        if step % check_step == 0:
            # gw_emb = tf.reduce_mean(tf.abs(gw_Embeddings))
            # print("Embedding gradients: ")
            # print(sess.run(gw_emb))
            sim = similarity.eval()
            for i in range(valid_size):
                valid_word = reverse_dictionary[valid_examples[i]]
                top_k = 8  # number of nearest neighbors
                nearest = (-sim[i, :]).argsort()[1:top_k + 1]
                log = 'Nearest to %s:' % valid_word
                for k in range(top_k):
                    close_word = reverse_dictionary[nearest[k]]
                    log = '%s %s,' % (log, close_word)
                print(log)
        current_saving_dir = os.path.join(
            FLAGS.trained_models,
            "_%sepoch" % (saving_pointers[saving_pointer_idx]))
        # EARLY STOPPING
        if min_loss >= current_avg_loss:
            min_loss = current_avg_loss
            per_dec_count = 0
            if FLAGS.save_best_model_alltime:
                best_of_saving_point_dir = os.path.join(
                    current_saving_dir, "_best_one")
                if not os.path.exists(best_of_saving_point_dir):
                    os.makedirs(best_of_saving_point_dir)
                temp_embeddings = normalized_embeddings.eval()
                spent_eps_deltas = priv_accountant.get_privacy_spent(
                    sess, target_eps=target_eps)
                saving_state(best_of_saving_point_dir, spent_eps_deltas,
                             temp_embeddings, saver, sess)
                msg = ("Got best model so far at step %s , avg loss = %s" %
                       (step, current_avg_loss))
                logging.info(msg)
                print(msg)
        else:
            per_dec_count += 1
        step += 1
        if per_dec_count == max_early_stopping or step == num_steps:
            running = False
        if (step + 1) in saving_pointers:
            spent_eps_deltas = priv_accountant.get_privacy_spent(
                sess, target_eps=target_eps)
            folder_path = os.path.join(FLAGS.trained_models,
                                       "_%sepoch" % (step + 1))
            temp_embeddings = normalized_embeddings.eval()
            saving_state(folder_path, spent_eps_deltas, temp_embeddings, saver,
                         sess)
            # Make sure we don't increase saving_pointer_idx larger than what the total number of pointers we set.
            if saving_pointer_idx < len(saving_pointers) - 1:
                saving_pointer_idx += 1
        msg = "##INFO: STEP %s: avg_loss history: avg_loss_arr = %s" % (
            step, average_loss_arr)
        logging.info(msg)
        # NOTE(review): spent_eps_deltas may be unbound here if neither
        # saving branch above has executed yet — confirm.
        if step % (num_steps - 1) == 0:
            print("Final privacy spent: ", step, spent_eps_deltas)
    print("Stopped at %s, \nFinal avg_loss = %s" % (step, avg_loss_arr))
    print("loss = %s" % (loss_arr))
    # final_embeddings = normalized_embeddings.eval()
    sess.close()
def optimizer_function(lr, loss):
    """Build the pipelining optimizer stage for the given loss.

    Args:
        lr: learning rate handed to the gradient-descent optimizer.
        loss: loss tensor to be minimized.

    Returns:
        A `pipelining_ops.OptimizerFunctionOutput` pairing a
        `GradientDescentOptimizer(lr)` with `loss`.
    """
    return pipelining_ops.OptimizerFunctionOutput(
        GradientDescentOptimizer(lr), loss)
def main():
    """MNIST adversarial-training experiment with four networks.

    Builds a classifier, a transformer T(x, noise), a generator
    G(noise, y) and a conditional discriminator D(., y), then per batch
    runs one classifier step, one discriminator step and five
    transformer steps (generator updates are commented out below).
    Once per epoch it saves real/transformed/fake sample images and
    prints accuracy, perturbation norms and mean discriminator outputs
    on the test set.

    NOTE(review): relies on module-level helpers (transformer, generator,
    classifier, discriminator, sample_Z, save_images,
    GradientDescentOptimizer, input_data); their exact contracts are not
    visible here.  Several `main` functions exist in this file — only
    the last definition survives at import time.
    """
    train_size, test_size = 55000, 10000
    batch_size = 100
    # Per-network learning rates: c=classifier, d=discriminator,
    # g=generator, t=transformer.
    lr = {}
    lr['c'] = 0.05
    lr['d'] = 0.05
    lr['g'] = 0.05
    lr['t'] = 0.05
    epochs = 30
    steps = epochs * int(train_size / batch_size)
    global_step = tf.Variable(0, name='global_step', trainable=False)
    x = tf.placeholder(tf.float32, [None, 784])  # input for real images
    y_ = tf.placeholder(tf.float32, [None, 10])  # groundtruth class label
    y_target = tf.placeholder(tf.float32, [None, 10])  # attack target label
    noise = tf.placeholder(tf.float32, [None, 100])
    # Image streams and classifier logits for each stream.
    tx = transformer(x, noise)
    gx = generator(noise, y_)
    yx = classifier(x)
    ytx = classifier(tx)
    ygx = classifier(gx)
    # Discriminator scores for real / transformed / generated images.
    dx = discriminator(x, y_)
    dtx = discriminator(tx, y_)
    dgx = discriminator(gx, y_)
    d_mean = {}
    d_mean['x'] = tf.reduce_mean(dx)
    d_mean['tx'] = tf.reduce_mean(dtx)
    d_mean['gx'] = tf.reduce_mean(dgx)
    #x_fgsm = attack.fgsm(x, y_real, eps = 0.1, clip_min = 0, clip_max = 1)
    #c_x_fgsm = classifier(x_fgsm)
    #d_fg = discriminator(x_fg)
    # Mean per-example L2 distance between perturbed and original images.
    perturb = {}
    perturb['tx'] = tf.reduce_mean(tf.norm(tx - x, axis=1))
    perturb['gx'] = tf.reduce_mean(tf.norm(gx - x, axis=1))
    #perturb['fg'] = tf.reduce_mean(tf.norm(x_fg - x, axis = 1))
    loss = {}
    # Cross-entropy vs. true label for each image stream.
    loss['cx'] = tf.reduce_mean(
        tf.nn.softmax_cross_entropy_with_logits(labels=y_, logits=yx))
    loss['ctx'] = tf.reduce_mean(
        tf.nn.softmax_cross_entropy_with_logits(labels=y_, logits=ytx))
    loss['cgx'] = tf.reduce_mean(
        tf.nn.softmax_cross_entropy_with_logits(labels=y_, logits=ygx))
    # Cross-entropy vs. the *target* label (targeted-attack objectives).
    loss['ctgx'] = tf.reduce_mean(
        tf.nn.softmax_cross_entropy_with_logits(labels=y_target, logits=ygx))
    loss['cttx'] = tf.reduce_mean(
        tf.nn.softmax_cross_entropy_with_logits(labels=y_target, logits=ytx))
    #loss['classifier_fgsm'] = tf.reduce_mean(tf.nn.softmax_cross_entropy_with_logits(labels=label, logits=y_fg))
    # Non-saturating GAN losses for the discriminator and its opponents.
    loss['dx'] = tf.reduce_mean(-tf.log(dx))
    loss['dtx'] = tf.reduce_mean(-tf.log(1. - dtx))
    loss['dgx'] = tf.reduce_mean(-tf.log(1. - dgx))
    loss['t'] = tf.reduce_mean(-tf.log(dtx))
    loss['g'] = tf.reduce_mean(-tf.log(dgx))
    # Composite per-network objectives.  NOTE(review): the discriminator
    # loss omits loss['dgx'] — consistent with generator training being
    # disabled below, but worth confirming it is intentional.
    loss['classifier'] = loss['cx']
    loss['transformer'] = loss['t'] + loss['cttx']
    loss['generator'] = loss['g']
    loss['discriminator'] = loss['dx'] + loss['dtx']
    # Partition trainable variables by network-name substring.
    all_vars = tf.trainable_variables()
    c_vars = [var for var in all_vars if 'classifier' in var.name]
    g_vars = [var for var in all_vars if 'generator' in var.name]
    d_vars = [var for var in all_vars if 'discriminator' in var.name]
    t_vars = [var for var in all_vars if 'transformer' in var.name]
    train_op = {}
    train_op['classifier'] = GradientDescentOptimizer(learning_rate = lr['c']) \
        .minimize(loss['classifier'], var_list = c_vars, global_step = global_step)
    train_op['generator'] = GradientDescentOptimizer(learning_rate = lr['g']) \
        .minimize(loss['generator'], var_list = g_vars, global_step = global_step)
    train_op['discriminator'] = GradientDescentOptimizer(learning_rate = lr['d']) \
        .minimize(loss['discriminator'], var_list = d_vars, global_step = global_step)
    train_op['transformer'] = GradientDescentOptimizer(learning_rate = lr['t']) \
        .minimize(loss['transformer'], var_list = t_vars, global_step = global_step)
    # Accuracy of the classifier on each image stream.
    acc = {}
    acc['x'] = tf.reduce_mean(
        tf.cast(tf.equal(tf.argmax(yx, 1), tf.argmax(y_, 1)), tf.float32))
    acc['tx'] = tf.reduce_mean(
        tf.cast(tf.equal(tf.argmax(ytx, 1), tf.argmax(y_, 1)), tf.float32))
    acc['gx'] = tf.reduce_mean(
        tf.cast(tf.equal(tf.argmax(ygx, 1), tf.argmax(y_, 1)), tf.float32))
    #acc['classifier_fgsm'] = tf.reduce_mean(tf.cast(tf.equal(tf.argmax(y_fg, 1), tf.argmax(label, 1)),tf.float32))
    mnist = input_data.read_data_sets('MNIST_data', one_hot=True)
    tf.set_random_seed(1024)
    sess = tf.Session()
    sess.run(tf.global_variables_initializer())
    with sess.as_default():
        for t in range(1, steps + 1):
            batch = mnist.train.next_batch(batch_size)
            # Targeted label: class 0 for every example in the batch.
            y_tar = [[1, 0, 0, 0, 0, 0, 0, 0, 0, 0] for i in range(batch_size)]
            y_tar = np.array(y_tar, dtype='float32')
            noise_sample = sample_Z(batch_size, 100)
            sess.run(train_op['classifier'],
                     feed_dict={
                         x: batch[0],
                         y_: batch[1],
                         noise: noise_sample,
                         y_target: y_tar
                     })
            sess.run(train_op['discriminator'],
                     feed_dict={
                         x: batch[0],
                         y_: batch[1],
                         noise: noise_sample,
                         y_target: y_tar
                     })
            # Transformer gets 5 updates per batch.
            for j in range(5):
                sess.run(train_op['transformer'],
                         feed_dict={
                             x: batch[0],
                             y_: batch[1],
                             noise: noise_sample,
                             y_target: y_tar
                         })
            #for j in range(5):
            #sess.run(train_op['generator'], feed_dict={x: batch[0], y_: batch[1], noise : sample_Z(batch_size, 100), y_target: y_tar})
            # End-of-epoch: dump sample images and evaluate on the test set.
            if t % int(train_size / batch_size) == 0:
                epoch = int(t / int(train_size / batch_size))
                noise_sample3 = sample_Z(batch_size, 100)
                batch = mnist.test.next_batch(100)
                img_real = batch[0].reshape([100, 28, 28])
                save_images(img_real, [10, 10],
                            os.path.join('img', 'real' + str(epoch) + '.png'))
                img_trans = sess.run(tx,
                                     feed_dict={
                                         x: batch[0],
                                         y_: batch[1],
                                         noise: noise_sample3,
                                         y_target: y_tar
                                     })
                img_trans = img_trans.reshape([100, 28, 28])
                save_images(img_trans, [10, 10],
                            os.path.join('img', 'trans' + str(epoch) + '.png'))
                img_fake = sess.run(gx,
                                    feed_dict={
                                        x: batch[0],
                                        y_: batch[1],
                                        noise: noise_sample3,
                                        y_target: y_tar
                                    })
                img_fake = img_fake.reshape([100, 28, 28])
                save_images(img_fake, [10, 10],
                            os.path.join('img', 'fake' + str(epoch) + '.png'))
                noise_sample2 = sample_Z(10000, 100)
                var_list = [acc, perturb, d_mean]
                res = sess.run(var_list,
                               feed_dict={
                                   x: mnist.test.images,
                                   y_: mnist.test.labels,
                                   noise: noise_sample2,
                                   y_target: y_tar
                               })
                print(epoch)
                for r in res:
                    print(r)
def model_train(para):
    """Train an MLP whose *input* is perturbed with Gaussian noise
    (differential-privacy mechanism) and periodically report clean and
    FGSM-adversarial test accuracy.

    Args:
        para: dict with keys 'eps' and 'delta' (privacy budget, fed to
            compute_sigma) and 'sens' (sensitivity); the noise std is
            sigma * sens.

    NOTE(review): depends on module-level globals (layers, random_seed,
    learning_rate, batch_size, steps, epochs, sample_rate,
    weight_variable, bias_variable, attack, compute_sigma,
    GradientDescentOptimizer, input_data) whose definitions are outside
    this view.
    """
    sigma = compute_sigma(para['eps'], para['delta'])
    std = sigma * para['sens']
    sess = tf.Session()
    tf.set_random_seed(random_seed)
    n = len(layers)
    x = tf.placeholder(tf.float32, [None, 784])  # input
    label = tf.placeholder(tf.float32, [None, 10])  # true label
    # Weights/biases for layers 1..n-1; index 0 is an unused placeholder.
    w, b = [0 for i in range(n)], [0 for i in range(n)]
    for i in range(1, n):
        w[i] = weight_variable([layers[i - 1], layers[i]])
        b[i] = bias_variable([layers[i]])
    # noisy model: Gaussian noise is added to the input layer only.
    z, h = [0 for i in range(n)], [0 for i in range(n)]
    h[0] = x
    h[0] = h[0] + tf.random_normal(
        shape=tf.shape(h[0]), mean=0.0, stddev=std, dtype=tf.float32)
    for i in range(1, n):
        z[i] = tf.matmul(h[i - 1], w[i]) + b[i]
        if i < n - 1:
            h[i] = tf.nn.relu(z[i])  # hidden layers use ReLU
        else:
            h[i] = z[i]  # output layer stays linear (logits)
    y = h[n - 1]
    loss = tf.reduce_mean(
        tf.nn.softmax_cross_entropy_with_logits(labels=label, logits=y))
    # noiseless model: same weights, clean forward pass (built but the
    # training objective below uses the noisy logits).
    z2, h2 = [0 for i in range(n)], [0 for i in range(n)]
    h2[0] = x
    for i in range(1, n):
        z2[i] = tf.matmul(h2[i - 1], w[i]) + b[i]
        if i < n - 1:
            h2[i] = tf.nn.relu(z2[i])
        else:
            h2[i] = z2[i]
    y2 = h2[n - 1]
    # NOTE(review): FGSM is built against the *noisy* logits y, not the
    # clean logits y2 — confirm this is intended.
    x_adv = attack.fgsm(x, y, eps=0.3, clip_min=0, clip_max=1)
    # gradient descent: explicit per-variable gradients of the noisy loss,
    # applied via apply_gradients.
    gw, gb = [0 for i in range(n)], [0 for i in range(n)]
    for i in range(1, n):
        gw[i] = tf.gradients(loss, w[i])[0]
        gb[i] = tf.gradients(loss, b[i])[0]
    opt = GradientDescentOptimizer(learning_rate=learning_rate)
    gradients = []
    for i in range(1, n):
        gradients.append((gw[i], w[i]))
        gradients.append((gb[i], b[i]))
    train_step = opt.apply_gradients(gradients)
    #evaluation
    acc = tf.reduce_mean(
        tf.cast(tf.equal(tf.argmax(y, 1), tf.argmax(label, 1)), tf.float32))
    # data
    mnist = input_data.read_data_sets('MNIST_data', one_hot=True)
    # Pre-computed FGSM adversarial test set.
    x_adv_mnist_fsgm = np.load(os.path.join('data', 'x_adv_mnist_fsgm.npy'))
    print('sigma: {:.3f}, std: {:.3f}'.format(sigma, std))
    sess.run(tf.global_variables_initializer())
    with sess.as_default():
        for t in range(steps):
            batch = mnist.train.next_batch(batch_size)
            sess.run(train_step, feed_dict={x: batch[0], label: batch[1]})
            # Evaluate every int(1/sample_rate) steps and at the last step.
            if t % int(1 / sample_rate) == 0 or t == steps - 1:
                if t < steps - 1:
                    epoch = int(t / int(1 / sample_rate))
                else:
                    epoch = epochs
                x_adv_sample = sess.run(x_adv,
                                        feed_dict={
                                            x: mnist.test.images,
                                            label: mnist.test.labels
                                        })
                acc_benign = sess.run(acc,
                                      feed_dict={
                                          x: mnist.test.images,
                                          label: mnist.test.labels
                                      })
                acc_adv = sess.run(acc,
                                   feed_dict={
                                       x: x_adv_sample,
                                       label: mnist.test.labels
                                   })
                acc_pre_adv = sess.run(acc,
                                       feed_dict={
                                           x: x_adv_mnist_fsgm,
                                           label: mnist.test.labels
                                       })
                print(epoch, acc_benign, acc_adv, acc_pre_adv)
def main():
    """Train an MNIST classifier on noisy logits and evaluate robustness.

    Builds a classifier (plus a noisy variant classifier_n used for the
    training loss and a GAN-style generator whose updates are disabled),
    trains with SGD, and once per epoch reports accuracy on the clean
    test set, three pre-computed adversarial sets (FGSM / GAN / JSMA),
    and freshly generated FGSM and randomized-FGSM examples.  After
    training it runs a targeted JSMA attack on the first 100 test images.

    NOTE(review): depends on module-level helpers (classifier,
    classifier_n, generator, softmax_loss, get_acc, sample_Z, attack,
    SaliencyMapMethod, GradientDescentOptimizer, input_data).
    NOTE(review): get_acc(x, label) is called inside the loop, adding new
    ops to the graph at every evaluation — consider hoisting it.
    """
    random_seed = 1024
    train_size, test_size = 55000, 10000
    batch_size = 100
    learning_rate = 0.05
    epochs = 5
    steps = epochs * 550
    config = tf.ConfigProto()
    config.gpu_options.per_process_gpu_memory_fraction = 1
    sess = tf.InteractiveSession(config=config)
    global_step = tf.Variable(0, name='global_step', trainable=False)
    tf.set_random_seed(random_seed)
    x = tf.placeholder(tf.float32, [None, 784])  # input
    label = tf.placeholder(tf.float32, [None, 10])  # true label
    noise = tf.placeholder(tf.float32, [None, 100])  # noise vector
    y_target = tf.placeholder(tf.float32, [None, 10])  # target label
    # Gaussian-perturbed input, clipped back into pixel range.
    x_perturb = x + tf.random_normal(
        shape=tf.shape(x), mean=0.0, stddev=0.5, dtype=tf.float32)
    x_perturb = tf.clip_by_value(x_perturb, 0, 1)
    x1 = tf.placeholder(tf.float32, [None, 784])
    x2 = tf.placeholder(tf.float32, [None, 784])
    y_n = classifier_n(x)
    y = classifier(x)
    y_perturb = classifier(x_perturb)
    # gan
    x_gan = generator(x, noise)
    y_gan = classifier(x_gan)
    # Classifier trains on the noisy-classifier logits; generator loss is
    # the negated classification loss (fooling objective).
    loss_cls = softmax_loss(label, y_n)  #+ softmax_loss(label, y_gan)
    loss_gan = -softmax_loss(label, y_gan)
    all_vars = tf.trainable_variables()
    c_vars = [var for var in all_vars if 'classifier' in var.name]
    g_vars = [var for var in all_vars if 'generator' in var.name]
    train_op_classifier = GradientDescentOptimizer(learning_rate = learning_rate) \
        .minimize(loss_cls, var_list = c_vars, global_step = global_step)
    train_op_generator = GradientDescentOptimizer(learning_rate = 0.05) \
        .minimize(loss_gan, var_list = g_vars, global_step = global_step)
    #fgsm
    x_fgsm = attack.fgsm(x, y, eps=0.2, clip_min=0, clip_max=1)
    y_fgsm = classifier(x_fgsm)
    # random fgsm: FGSM computed from the randomly perturbed input.
    x_fgsm_rd = attack.fgsm(x_perturb,
                            y_perturb,
                            eps=0.2,
                            clip_min=0,
                            clip_max=1)
    y_fgsm_rd = classifier(x_fgsm_rd)
    # jsma
    jsma = SaliencyMapMethod(classifier, back='tf', sess=sess)
    # train
    saver = tf.train.Saver()
    mnist = input_data.read_data_sets('MNIST_data', one_hot=True)
    # Pre-computed adversarial test sets.
    x_fgsm_mnist = np.load(os.path.join('data', 'x_fgsm_mnist.npy'))
    x_gan_mnist = np.load(os.path.join('data', 'x_gan_mnist.npy'))
    x_jsma_mnist_1 = np.load(os.path.join('data', 'x_jsma_mnist_1.npy'))
    # Targeted label: class 0 for every example.
    y_target_batch = np.zeros((100, 10), dtype=np.float32)
    y_target_batch[:, 0] = 1.0
    y_target_test = np.zeros((10000, 10), dtype=np.float32)
    y_target_test[:, 0] = 1.0
    sess.run(tf.global_variables_initializer())
    with sess.as_default():
        acc = {}
        print('train classifier')
        for t in range(1, steps + 1):
            batch = mnist.train.next_batch(batch_size)
            noise_d = sample_Z(batch_size, 100)
            f_dict = {
                x: batch[0],
                label: batch[1],
                noise: noise_d,
                y_target: y_target_batch
            }
            sess.run(train_op_classifier, feed_dict=f_dict)
            #for j in range(1):
            #sess.run(train_op_generator, feed_dict=f_dict)
            # End-of-epoch evaluation (550 batches per epoch).
            if t % 550 == 0:
                epoch = int(t / 550)
                acc['benign'] = sess.run(get_acc(x, label),
                                         feed_dict={
                                             x: mnist.test.images,
                                             label: mnist.test.labels
                                         })
                acc['pre fgsm'] = sess.run(get_acc(x, label),
                                           feed_dict={
                                               x: x_fgsm_mnist,
                                               label: mnist.test.labels
                                           })
                acc['pre gan'] = sess.run(get_acc(x, label),
                                          feed_dict={
                                              x: x_gan_mnist,
                                              label: mnist.test.labels
                                          })
                # JSMA set only covers the first 100 test examples.
                acc['pre jsma 1'] = sess.run(get_acc(x, label),
                                             feed_dict={
                                                 x: x_jsma_mnist_1,
                                                 label: mnist.test.labels[0:100, ]
                                             })
                x_fgsm_d = sess.run(x_fgsm,
                                    feed_dict={
                                        x: mnist.test.images,
                                        label: mnist.test.labels
                                    })
                acc['fgsm'] = sess.run(get_acc(x, label),
                                       feed_dict={
                                           x: x_fgsm_d,
                                           label: mnist.test.labels
                                       })
                x_fgsm_rd_d = sess.run(x_fgsm_rd,
                                       feed_dict={
                                           x: mnist.test.images,
                                           label: mnist.test.labels
                                       })
                acc['fgsm_rd'] = sess.run(get_acc(x, label),
                                          feed_dict={
                                              x: x_fgsm_rd_d,
                                              label: mnist.test.labels
                                          })
                print(epoch, acc)
        # Disabled GAN-training / evaluation block kept for reference.
        '''
        print('train gan')
        for t in range(1, 550 * 10 + 1):
            batch = mnist.train.next_batch(batch_size)
            f_dict = {x: batch[0], label: batch[1], noise: sample_Z(batch_size, 100), y_target: y_target_batch}
            sess.run(train_op_generator, feed_dict=f_dict)
            if t % 550 == 0:
                epoch = int(t / 550)
                batch = mnist.test.next_batch(batch_size)
                f_dict = {x: batch[0], label: batch[1], noise: sample_Z(batch_size, 100), y_target: y_target_batch}
                x_gan_data = sess.run(x_gan, feed_dict=f_dict)
                acc_gan = sess.run(get_acc(x, label), feed_dict={x: x_gan_data, label: batch[1]})
                print(epoch, acc_gan)
        x_fgsm_d = sess.run(x_fgsm, feed_dict = {x: mnist.test.images, label: mnist.test.labels})
        acc['fgsm'] = sess.run(get_acc(x, label), feed_dict={x: x_fgsm_d, label: mnist.test.labels})
        x_gan_d = sess.run(x_gan, feed_dict={x: mnist.test.images ,label: mnist.test.labels\
            , noise: sample_Z(10000, 100), y_target: y_target_test})
        acc['gan'] = sess.run(get_acc(x, label), feed_dict={x: x_gan_d ,label: mnist.test.labels\
            , noise: sample_Z(10000, 100), y_target: y_target_test})
        '''
        # Targeted JSMA attack on the first 100 test images.
        jsma_params = {'theta': 1., 'gamma': 0.1,'nb_classes': 10, 'clip_min': 0.,'clip_max': 1., 'targets': y,\
            'y_val': y_target_batch}
        x_jsma_1_d = jsma.generate_np(mnist.test.images[0:100, ], **jsma_params)
        acc['jsma 1'] = sess.run(get_acc(x, label),
                                 feed_dict={
                                     x: x_jsma_1_d,
                                     label: mnist.test.labels[0:100, ]
                                 })
        print(acc['jsma 1'])
def main():
    """Train a plain MNIST classifier with SGD and report per-epoch
    accuracy on the clean test set and three pre-computed adversarial
    test sets (FGSM, GAN, JSMA).

    NOTE(review): relies on module-level helpers (classifier,
    softmax_loss, get_acc, GradientDescentOptimizer, input_data) defined
    elsewhere in this file/project.
    """
    random_seed = 1024
    train_size, test_size = 55000, 10000
    batch_size = 100
    learning_rate = 0.05
    epochs = 20
    steps = epochs * 550  # 550 batches of 100 per epoch
    sess = tf.Session()
    global_step = tf.Variable(0, name='global_step', trainable=False)
    tf.set_random_seed(random_seed)
    x = tf.placeholder(tf.float32, [None, 784])  # input
    label = tf.placeholder(tf.float32, [None, 10])  # true label
    y = classifier(x)
    loss_cls = softmax_loss(label, y)
    all_vars = tf.trainable_variables()
    print(all_vars)
    c_vars = [var for var in all_vars if 'classifier' in var.name]
    train_op_classifier = GradientDescentOptimizer(learning_rate = learning_rate) \
        .minimize(loss_cls, var_list = c_vars, global_step = global_step)
    # FIX: build the accuracy op ONCE.  The original called
    # get_acc(x, label) inside the training loop, which silently added a
    # fresh set of ops to the TF1 graph on every evaluation — an
    # unbounded graph-growth leak.  Results are unchanged.
    acc_op = get_acc(x, label)
    # train
    saver = tf.train.Saver()
    mnist = input_data.read_data_sets('MNIST_data', one_hot=True)
    # Pre-computed adversarial test sets.
    x_fgsm_mnist = np.load(os.path.join('data', 'x_fgsm_mnist.npy'))
    x_gan_mnist = np.load(os.path.join('data', 'x_gan_mnist.npy'))
    x_jsma_mnist_1 = np.load(os.path.join('data', 'x_jsma_mnist_1.npy'))
    sess.run(tf.global_variables_initializer())
    with sess.as_default():
        print('train classifier')
        for t in range(1, steps + 1):
            batch = mnist.train.next_batch(batch_size)
            sess.run(train_op_classifier,
                     feed_dict={
                         x: batch[0],
                         label: batch[1]
                     })
            if t % 550 == 0:  # end of an epoch
                epoch = int(t / 550)
                acc = {}
                acc['benign'] = sess.run(acc_op,
                                         feed_dict={
                                             x: mnist.test.images,
                                             label: mnist.test.labels
                                         })
                acc['pre fgsm'] = sess.run(acc_op,
                                           feed_dict={
                                               x: x_fgsm_mnist,
                                               label: mnist.test.labels
                                           })
                acc['pre gan'] = sess.run(acc_op,
                                          feed_dict={
                                              x: x_gan_mnist,
                                              label: mnist.test.labels
                                          })
                # The JSMA set only covers the first 100 test examples.
                acc['pre jsma 1'] = sess.run(acc_op,
                                             feed_dict={
                                                 x: x_jsma_mnist_1,
                                                 label: mnist.test.labels[0:100, ]
                                             })
                print(epoch, acc)
    sess.close()
def main():
    """Adversarially train an MNIST classifier against a transformer.

    The transformer T(x, noise, 3) perturbs inputs; its loss is the
    *negated* classification loss on transformed images, so it learns to
    fool the classifier while the classifier trains on clean images.
    Once per epoch, evaluates accuracy on clean, transformed, FGSM and
    pre-computed adversarial inputs.

    NOTE(review): depends on module-level helpers (transformer,
    classifier, classifier_x, sample_Z, attack, SaliencyMapMethod,
    GradientDescentOptimizer, input_data).  classifier_x appears to
    return (logits, norm-like tensor) — confirm against its definition.
    """
    sess = tf.Session()
    train_size, test_size = 55000, 10000
    batch_size = 100
    lr = 0.05
    epochs = 100
    steps = epochs * int(train_size / batch_size)
    global_step = tf.Variable(0, name='global_step', trainable=False)
    x = tf.placeholder(tf.float32, [None, 784])  # input for real images
    x_adv = tf.placeholder(tf.float32, [None, 784])
    y_ = tf.placeholder(tf.float32, [None, 10])  # groundtruth class label
    y_target = tf.placeholder(tf.float32, [None, 10])  # attack target label
    noise = tf.placeholder(tf.float32, [None, 100])
    tx = transformer(x, noise, 3)
    # Logits (and auxiliary norm output from classifier_x) per stream.
    yx_2, z_norm = classifier_x(x)
    yx = classifier(x)
    ytx = classifier(tx)
    ytx_2, z_norm2 = classifier_x(tx)
    y_x_adv = classifier(x_adv)
    x_fgsm = attack.fgsm(x, yx_2, eps=0.1, clip_min=0, clip_max=1)
    y_x_fgsm = classifier(x_fgsm)
    jsma = SaliencyMapMethod(classifier, back='tf', sess=sess)
    # Targeted label for JSMA: class 1 for every example.
    one_hot_target = np.zeros((100, 10), dtype=np.float32)
    one_hot_target[:, 1] = 1
    jsma_params = {
        'theta': 1.,
        'gamma': 0.1,
        'nb_classes': 10,
        'clip_min': 0.,
        'clip_max': 1.,
        'targets': yx,
        'y_val': one_hot_target
    }
    # Mean per-example L2 perturbation sizes.
    perturb = {}
    perturb['tx'] = tf.reduce_mean(tf.norm(tx - x, axis=1))
    perturb['fgsm'] = tf.reduce_mean(tf.norm(x_fgsm - x, axis=1))
    loss = {}
    loss['cx'] = tf.reduce_mean(
        tf.nn.softmax_cross_entropy_with_logits(labels=y_, logits=yx_2))
    loss['ctx'] = tf.reduce_mean(
        tf.nn.softmax_cross_entropy_with_logits(labels=y_, logits=ytx_2))
    loss['cttx'] = tf.reduce_mean(
        tf.nn.softmax_cross_entropy_with_logits(labels=y_target, logits=ytx))
    loss['classifier'] = loss['cx']  #+ loss['ctx']
    #loss['transformer'] = loss['cttx']
    # Transformer maximizes the classifier's loss on transformed images.
    loss['transformer'] = -loss['ctx']
    all_vars = tf.trainable_variables()
    c_vars = [var for var in all_vars if 'classifier' in var.name]
    t_vars = [var for var in all_vars if 'transformer' in var.name]
    train_op = {}
    train_op['classifier'] = GradientDescentOptimizer(learning_rate = lr) \
        .minimize(loss['classifier'], var_list = c_vars, global_step = global_step)
    train_op['transformer'] = GradientDescentOptimizer(learning_rate = lr) \
        .minimize(loss['transformer'], var_list = t_vars, global_step = global_step)
    # Accuracy of the classifier on each image stream.
    acc = {}
    acc['x'] = tf.reduce_mean(
        tf.cast(tf.equal(tf.argmax(yx, 1), tf.argmax(y_, 1)), tf.float32))
    acc['tx'] = tf.reduce_mean(
        tf.cast(tf.equal(tf.argmax(ytx, 1), tf.argmax(y_, 1)), tf.float32))
    acc['x_fgsm'] = tf.reduce_mean(
        tf.cast(tf.equal(tf.argmax(y_x_fgsm, 1), tf.argmax(y_, 1)),
                tf.float32))
    acc['x_adv'] = tf.reduce_mean(
        tf.cast(tf.equal(tf.argmax(y_x_adv, 1), tf.argmax(y_, 1)),
                tf.float32))
    mnist = input_data.read_data_sets('MNIST_data', one_hot=True)
    # Pre-computed FGSM adversarial test set.
    x_adv_mnist_fsgm = np.load(os.path.join('data', 'x_fgsm_mnist.npy'))
    tf.set_random_seed(1024)
    sess.run(tf.global_variables_initializer())
    with sess.as_default():
        for t in range(1, steps + 1):
            batch = mnist.train.next_batch(batch_size)
            # Targeted label: class 0 for every example in the batch.
            y_tar = [[1, 0, 0, 0, 0, 0, 0, 0, 0, 0] for i in range(batch_size)]
            y_tar = np.array(y_tar, dtype='float32')
            noise_sample = sample_Z(batch_size, 100)
            sess.run(train_op['classifier'],
                     feed_dict={
                         x: batch[0],
                         y_: batch[1],
                         noise: noise_sample,
                         y_target: y_tar
                     })
            sess.run(train_op['transformer'],
                     feed_dict={
                         x: batch[0],
                         y_: batch[1],
                         noise: noise_sample,
                         y_target: y_tar
                     })
            # End-of-epoch evaluation over the full test set.
            if t % int(train_size / batch_size) == 0:
                epoch = int(t / int(train_size / batch_size))
                noise_sample2 = sample_Z(10000, 100)
                test_batch = mnist.test.next_batch(10000)
                print(test_batch[0].shape)
                var_list = [acc, z_norm]
                res = sess.run(var_list, feed_dict = {x: test_batch[0], y_: test_batch[1], noise : noise_sample2, \
                    x_adv: x_adv_mnist_fsgm, y_target: y_tar})
                print(epoch)
                for r in res:
                    print(r)
def __init__(self, params, learner, dataset):
    """Initialize the SS-Simple FedProx server.

    Args:
        params: configuration dict; 'learning_rate' drives the inner
            SGD optimizer.
        learner: model/learner object forwarded to the base class.
        dataset: dataset object forwarded to the base class.
    """
    print('Using Federated prox to Train (SS-Simple)')
    inner_lr = params['learning_rate']
    # Inner optimizer used for the local/proximal updates.
    self.inner_opt = GradientDescentOptimizer(learning_rate=inner_lr)
    # Base-class init runs first so that self.norm exists below.
    super(Server, self).__init__(params, learner, dataset)
    self.clip_C = self.norm
# NOTE(review): this layer-construction fragment references a loop index
# `i` and tensors (x1, h1, z1, w, b, n) defined before this chunk — the
# enclosing loop is not visible here.  Layer 0 passes x1 through; middle
# layers are affine + ReLU; the last layer stays linear.
if i == 0:
    z1[i] = x1
    h1[i] = z1[i]
if i > 0 and i < n - 1:
    z1[i] = tf.matmul(h1[i - 1], w[i]) + b[i]
    h1[i] = tf.nn.relu(z1[i])
if i == n - 1:
    z1[i] = tf.matmul(h1[i - 1], w[i]) + b[i]
    h1[i] = z1[i]
# Graph construction at module level: classifier trained on the noisy
# classifier's loss; JSMA and FGSM attack ops built against it.
y = classifier(x)
yn = classifier_n(x)
loss_cls = softmax_loss(label, yn)
all_vars = tf.trainable_variables()
c_vars = [var for var in all_vars if 'classifier' in var.name]
train_op_classifier = GradientDescentOptimizer(learning_rate = learning_rate) \
    .minimize(loss_cls, var_list = c_vars, global_step = global_step)
jsma = SaliencyMapMethod(classifier, back='tf', sess=sess)
x_fgsm = attack.fgsm(x, y, eps=0.2, clip_min=0, clip_max=1)


def main():
    """Run the classifier training loop over the module-level graph.

    NOTE(review): uses module-level globals (sess, steps, batch_size,
    x, label, train_op_classifier, input_data) built above.
    """
    mnist = input_data.read_data_sets('MNIST_data', one_hot=True)
    sess.run(tf.global_variables_initializer())
    with sess.as_default():
        acc = {}
        print('train classifier')
        for t in range(1, steps + 1):
            batch = mnist.train.next_batch(batch_size)
            f_dict = {x: batch[0], label: batch[1]}
            sess.run(train_op_classifier, feed_dict=f_dict)
def main():
    """Train an MNIST classifier on randomly perturbed inputs with heavy
    logit noise, and evaluate robustness against several FGSM variants.

    Per epoch, reports accuracy and mean L2 distance for: a pre-computed
    FGSM set, fresh FGSM, FGSM from a randomly perturbed start, and
    10-step iterative FGSM with and without a random start.

    NOTE(review): depends on module-level helpers (classifier,
    softmax_loss, get_acc, avg_dist, attack, GradientDescentOptimizer,
    input_data).  Both get_acc/avg_dist calls and tf.gradients inside
    the loop add new ops to the graph on every evaluation — consider
    hoisting them out of the loop.
    """
    random_seed = 1024
    train_size, test_size = 55000, 10000
    batch_size = 100
    learning_rate = 0.05
    epochs = 10
    steps = epochs * 550
    config = tf.ConfigProto()
    config.gpu_options.per_process_gpu_memory_fraction = 0.8
    sess = tf.InteractiveSession(config=config)
    global_step = tf.Variable(0, name='global_step', trainable=False)
    tf.set_random_seed(random_seed)
    x = tf.placeholder(tf.float32, [None, 784])  # input
    label = tf.placeholder(tf.float32, [None, 10])  # true label
    # Input perturbed with strong Gaussian noise, clipped to pixel range.
    x_perturb = x + tf.random_normal(
        shape=tf.shape(x), mean=0.0, stddev=0.5, dtype=tf.float32)
    x_perturb = tf.clip_by_value(x_perturb, 0, 1)
    y = classifier(x)
    y_ = classifier(x_perturb)
    # Logits of the perturbed input plus large additive logit noise —
    # this is the training target below.
    y_perturb = y_ + tf.random_normal(
        shape=tf.shape(y), mean=0.0, stddev=300.0, dtype=tf.float32)
    #fgsm
    x_fgsm = attack.fgsm(x, y, eps=0.2, clip_min=0, clip_max=1)
    y_fgsm = classifier(x_fgsm)
    # FGSM from a mildly perturbed starting point (random-start variant).
    x_perturb2 = x + tf.random_normal(
        shape=tf.shape(x), mean=0.0, stddev=0.2, dtype=tf.float32)
    y_2 = classifier(x_perturb2)
    x_fgsm_rd = attack.fgsm(x_perturb2, y_2, eps=0.2, clip_min=0, clip_max=1)
    y_fgsm_rd = classifier(x_fgsm_rd)
    loss_cls = softmax_loss(label, y_perturb)
    all_vars = tf.trainable_variables()
    c_vars = [var for var in all_vars if 'classifier' in var.name]
    train_op_classifier = GradientDescentOptimizer(learning_rate = learning_rate) \
        .minimize(loss_cls, var_list = c_vars, global_step = global_step)
    # Generic placeholders used by avg_dist for distance measurements.
    x1 = tf.placeholder(tf.float32, [None, 784])
    x2 = tf.placeholder(tf.float32, [None, 784])
    # train
    saver = tf.train.Saver()
    mnist = input_data.read_data_sets('MNIST_data', one_hot=True)
    # Pre-computed FGSM adversarial test set.
    x_pre_fgsm_data = np.load(os.path.join('data', 'x_fgsm_mnist.npy'))
    sess.run(tf.global_variables_initializer())
    with sess.as_default():
        print('train classifier')
        for t in range(1, steps + 1):
            batch = mnist.train.next_batch(batch_size)
            f_dict = {x: batch[0], label: batch[1]}
            sess.run(train_op_classifier, feed_dict=f_dict)
            # End-of-epoch evaluation (550 batches per epoch).
            if t % 550 == 0:
                epoch = int(t / 550)
                acc = {}
                dist = {}
                x_data = mnist.test.images
                label_data = mnist.test.labels
                acc['benign'] = sess.run(get_acc(x, label),
                                         feed_dict={
                                             x: mnist.test.images,
                                             label: mnist.test.labels
                                         })
                acc['pre'] = sess.run(get_acc(x, label),
                                      feed_dict={
                                          x: x_pre_fgsm_data,
                                          label: mnist.test.labels
                                      })
                dist['pre'] = sess.run(avg_dist(x1, x2),
                                       feed_dict={
                                           x1: mnist.test.images,
                                           x2: x_pre_fgsm_data
                                       })
                # Fresh single-step FGSM against the current weights.
                x_fgsm_data = sess.run(x_fgsm,
                                       feed_dict={
                                           x: mnist.test.images,
                                           label: mnist.test.labels
                                       })
                acc['fgsm'] = sess.run(get_acc(x, label),
                                       feed_dict={
                                           x: x_fgsm_data,
                                           label: mnist.test.labels
                                       })
                dist['fgsm'] = sess.run(avg_dist(x1, x2),
                                        feed_dict={
                                            x1: mnist.test.images,
                                            x2: x_fgsm_data
                                        })
                # Random-start FGSM: perturb in numpy, then attack.
                x_perturb_data = x_data + np.random.normal(
                    loc=0.0, scale=0.2, size=[10000, 784])
                x_perturb_data = np.clip(x_perturb_data, 0, 1)
                x_rd_fgsm_data = sess.run(x_fgsm,
                                          feed_dict={
                                              x: x_perturb_data,
                                              label: mnist.test.labels
                                          })
                acc['rd'] = sess.run(get_acc(x, label),
                                     feed_dict={
                                         x: x_rd_fgsm_data,
                                         label: mnist.test.labels
                                     })
                dist['rd'] = sess.run(avg_dist(x1, x2),
                                      feed_dict={
                                          x1: mnist.test.images,
                                          x2: x_rd_fgsm_data
                                      })
                # Iterative FGSM: 10 signed-gradient steps of size 0.01.
                x_it_fgsm_data = np.copy(mnist.test.images)
                for _ in range(10):
                    grad = sess.run(tf.gradients(loss_cls, x)[0],
                                    feed_dict={
                                        x: x_it_fgsm_data,
                                        label: mnist.test.labels
                                    })
                    x_it_fgsm_data += np.sign(grad) * 0.01
                    x_it_fgsm_data = np.clip(x_it_fgsm_data, 0, 1)
                acc['it'] = sess.run(get_acc(x, label),
                                     feed_dict={
                                         x: x_it_fgsm_data,
                                         label: mnist.test.labels
                                     })
                dist['it'] = sess.run(avg_dist(x1, x2),
                                      feed_dict={
                                          x1: mnist.test.images,
                                          x2: x_it_fgsm_data
                                      })
                # Iterative FGSM with a random start.
                x_it_rd_fgsm_data = np.copy(
                    mnist.test.images) + np.random.normal(
                        loc=0.0, scale=0.2, size=[10000, 784])
                x_it_rd_fgsm_data = np.clip(x_it_rd_fgsm_data, 0, 1)
                for _ in range(10):
                    grad = sess.run(tf.gradients(loss_cls, x)[0],
                                    feed_dict={
                                        x: x_it_rd_fgsm_data,
                                        label: mnist.test.labels
                                    })
                    x_it_rd_fgsm_data += np.sign(grad) * 0.01
                    x_it_rd_fgsm_data = np.clip(x_it_rd_fgsm_data, 0, 1)
                acc['it rd'] = sess.run(get_acc(x, label),
                                        feed_dict={
                                            x: x_it_rd_fgsm_data,
                                            label: mnist.test.labels
                                        })
                dist['it rd'] = sess.run(avg_dist(x1, x2),
                                         feed_dict={
                                             x1: mnist.test.images,
                                             x2: x_it_rd_fgsm_data
                                         })
                print(epoch)
                print(acc)
                print(dist)