def main(_):
net_weights, net_biases, net_layer_types = read_weights.read_weights(
FLAGS.checkpoint, FLAGS.model_json)
nn_params = neural_net_params.NeuralNetParams(net_weights, net_biases,
net_layer_types)
print(nn_params.sizes)
dual_var = utils.initialize_dual(nn_params,
FLAGS.init_dual_file,
init_nu=FLAGS.init_nu)
# Reading test input and reshaping
with tf.gfile.Open(FLAGS.test_input) as f:
test_input = np.load(f)
test_input = np.reshape(test_input, [np.size(test_input), 1])
if FLAGS.adv_class == -1:
start_class = 0
end_class = FLAGS.num_classes
else:
start_class = FLAGS.adv_class
end_class = FLAGS.adv_class + 1
for adv_class in range(start_class, end_class):
print('Adv class', adv_class)
if adv_class == FLAGS.true_class:
continue
dual = dual_formulation.DualFormulation(dual_var, nn_params,
test_input, FLAGS.true_class,
adv_class, FLAGS.input_minval,
FLAGS.input_maxval,
FLAGS.epsilon)
dual.set_differentiable_objective()
dual.get_full_psd_matrix()
optimization_params = {
'init_penalty': FLAGS.init_penalty,
'large_eig_num_steps': FLAGS.large_eig_num_steps,
'small_eig_num_steps': FLAGS.small_eig_num_steps,
'inner_num_steps': FLAGS.inner_num_steps,
'outer_num_steps': FLAGS.outer_num_steps,
'beta': FLAGS.beta,
'smoothness_parameter': FLAGS.smoothness_parameter,
'eig_learning_rate': FLAGS.eig_learning_rate,
'optimizer': FLAGS.optimizer,
'init_learning_rate': FLAGS.init_learning_rate,
'learning_rate_decay': FLAGS.learning_rate_decay,
'momentum_parameter': FLAGS.momentum_parameter,
'print_stats_steps': FLAGS.print_stats_steps,
'stats_folder': FLAGS.stats_folder,
'projection_steps': FLAGS.projection_steps
}
with tf.Session() as sess:
sess.run(tf.global_variables_initializer())
optimization_object = optimization.Optimization(
dual, sess, optimization_params)
optimization_object.prepare_one_step()
is_cert_found = optimization_object.run_optimization()
if not is_cert_found:
print('Current example could not be verified')
exit()
print('Example successfully verified')
def test_get_psd_product(self):
# Function to test implicit product with PSD matrix.
net_weights = [[[2, 2], [3, 3], [4, 4]], [[1, 1, 1], [-1, -1, -1]]]
net_biases = [
np.transpose(np.matrix([0, 0, 0])),
np.transpose(np.matrix([0, 0])),
]
net_layer_types = ["ff_relu", "ff"]
nn_params1 = nn.NeuralNetwork(net_weights, net_biases, net_layer_types)
test_input = np.transpose(np.matrix([0, 0]))
true_class = 0
adv_class = 1
input_minval = 0
input_maxval = 0
epsilon = 0.1
three_dim_tensor = tf.random_uniform(shape=(3, 1), dtype=tf.float32)
two_dim_tensor = tf.random_uniform(shape=(2, 1), dtype=tf.float32)
scalar = tf.random_uniform(shape=(1, 1), dtype=tf.float32)
lambda_pos = [two_dim_tensor, three_dim_tensor]
lambda_neg = lambda_pos
lambda_quad = lambda_pos
lambda_lu = lambda_pos
nu = scalar
dual_var = {
"lambda_pos": lambda_pos,
"lambda_neg": lambda_neg,
"lambda_quad": lambda_quad,
"lambda_lu": lambda_lu,
"nu": nu,
}
with tf.Session() as sess:
dual_formulation_object = dual_formulation.DualFormulation(
sess,
dual_var,
nn_params1,
test_input,
true_class,
adv_class,
input_minval,
input_maxval,
epsilon,
)
_, matrix_m = dual_formulation_object.get_full_psd_matrix()
# Testing if the values match
six_dim_tensor = tf.random_uniform(shape=(6, 1), dtype=tf.float32)
implicit_product = dual_formulation_object.get_psd_product(
six_dim_tensor)
explicit_product = tf.matmul(matrix_m, six_dim_tensor)
[implicit_product_value, explicit_product_value
] = sess.run([implicit_product, explicit_product])
self.assertEqual(np.shape(implicit_product_value),
np.shape(explicit_product_value))
self.assertLess(
np.max(np.abs(implicit_product_value -
explicit_product_value)), 1e-5)
def prepare_dual_object(self):
# Function to prepare dual object to be used for testing optimization.
net_weights = [[[2, 2], [3, 3], [4, 4]], [[1, 1, 1], [-1, -1, -1]]]
net_biases = [
np.transpose(np.matrix([0, 0, 0])),
np.transpose(np.matrix([0, 0]))
]
net_layer_types = ['ff_relu', 'ff']
nn_params1 = nn.NeuralNetwork(net_weights, net_biases, net_layer_types)
test_input = np.transpose(np.matrix([0, 0]))
true_class = 0
adv_class = 1
input_minval = 0
input_maxval = 0
epsilon = 0.1
# Creating dual variables to use for optimization
lambda_pos = [tf.get_variable('lambda_pos0',
initializer=np.random.uniform(
0, 0.1, size=(2, 1)).astype(np.float32)),
tf.get_variable('lambda_pos1',
initializer=np.random.uniform(
0, 0.1, size=(3, 1)).astype(np.float32))]
lambda_neg = [tf.get_variable('lambda_neg0',
initializer=np.random.uniform(
0, 0.1, size=(2, 1)).astype(np.float32)),
tf.get_variable('lambda_neg1',
initializer=np.random.uniform(
0, 0.1, size=(3, 1)).astype(np.float32))]
lambda_quad = [tf.get_variable('lambda_quad0',
initializer=np.random.uniform(
0, 0.1, size=(2, 1)).astype(np.float32)),
tf.get_variable('lambda_quad1',
initializer=np.random.uniform(
0, 0.1, size=(3, 1)).astype(np.float32))]
lambda_lu = [tf.get_variable('lambda_lu0',
initializer=np.random.uniform(
0, 0.1, size=(2, 1)).astype(np.float32)),
tf.get_variable('lambda_lu1',
initializer=np.random.uniform(
0, 0.1, size=(3, 1)).astype(np.float32))]
nu = tf.reshape(tf.get_variable('nu', initializer=200.0,
dtype=tf.float32), shape=(1, 1))
dual_var = {'lambda_pos': lambda_pos, 'lambda_neg': lambda_neg,
'lambda_quad': lambda_quad, 'lambda_lu': lambda_lu, 'nu': nu}
sess = tf.Session()
dual_formulation_object = dual_formulation.DualFormulation(sess,
dual_var,
nn_params1,
test_input,
true_class,
adv_class,
input_minval,
input_maxval,
epsilon)
return sess, dual_formulation_object
def test_set_differentiable_objective(self):
# Function to test the function that sets the differentiable objective.
net_weights = [[[2, 2], [3, 3], [4, 4]], [[1, 1, 1], [-1, -1, -1]]]
net_biases = [
np.transpose(np.matrix([0, 0, 0])),
np.transpose(np.matrix([0, 0])),
]
net_layer_types = ["ff_relu", "ff"]
nn_params1 = nn.NeuralNetwork(net_weights, net_biases, net_layer_types)
test_input = np.transpose(np.matrix([0, 0]))
true_class = 0
adv_class = 1
input_minval = 0
input_maxval = 0
epsilon = 0.1
three_dim_tensor = tf.random_uniform(shape=(3, 1), dtype=tf.float32)
two_dim_tensor = tf.random_uniform(shape=(2, 1), dtype=tf.float32)
scalar = tf.random_uniform(shape=(1, 1), dtype=tf.float32)
lambda_pos = [two_dim_tensor, three_dim_tensor]
lambda_neg = lambda_pos
lambda_quad = lambda_pos
lambda_lu = lambda_pos
nu = scalar
dual_var = {
"lambda_pos": lambda_pos,
"lambda_neg": lambda_neg,
"lambda_quad": lambda_quad,
"lambda_lu": lambda_lu,
"nu": nu,
}
with tf.Session() as sess:
dual_formulation_object = dual_formulation.DualFormulation(
sess,
dual_var,
nn_params1,
test_input,
true_class,
adv_class,
input_minval,
input_maxval,
epsilon,
)
dual_formulation_object.set_differentiable_objective()
self.assertEqual(dual_formulation_object.scalar_f.shape.as_list(), [1])
self.assertEqual(
dual_formulation_object.unconstrained_objective.shape.as_list(),
[1, 1])
self.assertEqual(dual_formulation_object.vector_g.shape.as_list(),
[5, 1])
def test_get_full_psd_matrix(self):
# Function to test product with PSD matrix.
net_weights = [[[2, 2], [3, 3], [4, 4]], [[1, 1, 1], [-1, -1, -1]]]
net_biases = [
np.transpose(np.matrix([0, 0, 0])),
np.transpose(np.matrix([0, 0])),
]
net_layer_types = ["ff_relu", "ff"]
nn_params1 = nn.NeuralNetwork(net_weights, net_biases, net_layer_types)
test_input = np.transpose(np.matrix([0, 0]))
true_class = 0
adv_class = 1
input_minval = 0
input_maxval = 0
epsilon = 0.1
three_dim_tensor = tf.random_uniform(shape=(3, 1), dtype=tf.float32)
two_dim_tensor = tf.random_uniform(shape=(2, 1), dtype=tf.float32)
scalar = tf.random_uniform(shape=(1, 1), dtype=tf.float32)
lambda_pos = [two_dim_tensor, three_dim_tensor]
lambda_neg = lambda_pos
lambda_quad = lambda_pos
lambda_lu = lambda_pos
nu = scalar
dual_var = {
"lambda_pos": lambda_pos,
"lambda_neg": lambda_neg,
"lambda_quad": lambda_quad,
"lambda_lu": lambda_lu,
"nu": nu,
}
with tf.Session() as sess:
dual_formulation_object = dual_formulation.DualFormulation(
sess,
dual_var,
nn_params1,
test_input,
true_class,
adv_class,
input_minval,
input_maxval,
epsilon,
)
matrix_h, matrix_m = dual_formulation_object.get_full_psd_matrix()
self.assertEqual(matrix_h.shape.as_list(), [5, 5])
self.assertEqual(matrix_m.shape.as_list(), [6, 6])
def test_init(self):
# Function to test initialization of dual formulation class.
net_weights = [[[2, 2], [3, 3], [4, 4]], [[1, 1, 1], [-1, -1, -1]]]
net_biases = [
np.transpose(np.matrix([0, 0, 0])),
np.transpose(np.matrix([0, 0])),
]
net_layer_types = ["ff_relu", "ff"]
nn_params1 = nn.NeuralNetwork(net_weights, net_biases, net_layer_types)
test_input = np.transpose(np.matrix([0, 0]))
true_class = 0
adv_class = 1
input_minval = 0
input_maxval = 0
epsilon = 0.1
three_dim_tensor = tf.random_uniform(shape=(3, 1), dtype=tf.float32)
two_dim_tensor = tf.random_uniform(shape=(2, 1), dtype=tf.float32)
scalar = tf.random_uniform(shape=(1, 1), dtype=tf.float32)
lambda_pos = [two_dim_tensor, three_dim_tensor]
lambda_neg = lambda_pos
lambda_quad = lambda_pos
lambda_lu = lambda_pos
nu = scalar
dual_var = {
"lambda_pos": lambda_pos,
"lambda_neg": lambda_neg,
"lambda_quad": lambda_quad,
"lambda_lu": lambda_lu,
"nu": nu,
}
with tf.Session() as sess:
dual_formulation_object = dual_formulation.DualFormulation(
sess,
dual_var,
nn_params1,
test_input,
true_class,
adv_class,
input_minval,
input_maxval,
epsilon,
)
self.assertIsNotNone(dual_formulation_object)
def test_init(self):
# Function to test initialization of dual formulation class.
net_weights = [[[2, 2], [3, 3], [4, 4]], [[1, 1, 1], [-1, -1, -1]]]
net_biases = [
np.transpose(np.matrix([0, 0, 0])),
np.transpose(np.matrix([0, 0]))
]
net_layer_types = ['ff_relu', 'ff']
nn_params1 = neural_net_params.NeuralNetParams(net_weights, net_biases,
net_layer_types)
test_input = np.transpose(np.matrix([0, 0]))
true_class = 0
adv_class = 1
input_minval = 0
input_maxval = 0
epsilon = 0.1
three_dim_tensor = tf.random_uniform(shape=(3, 1), dtype=tf.float32)
two_dim_tensor = tf.random_uniform(shape=(2, 1), dtype=tf.float32)
scalar = tf.random_uniform(shape=(1, 1), dtype=tf.float32)
lambda_pos = [two_dim_tensor, three_dim_tensor]
lambda_neg = lambda_pos
lambda_quad = lambda_pos
lambda_lu = lambda_pos
nu = scalar
dual_var = {
'lambda_pos': lambda_pos,
'lambda_neg': lambda_neg,
'lambda_quad': lambda_quad,
'lambda_lu': lambda_lu,
'nu': nu
}
dual_formulation_object = dual_formulation.DualFormulation(
dual_var, nn_params1, test_input, true_class, adv_class,
input_minval, input_maxval, epsilon)
self.assertIsNotNone(dual_formulation_object)
def project_dual(self):
"""Function to create variables for the projected dual object.
Function that projects the input dual variables onto the feasible set.
Returns:
projected_dual: Feasible dual solution corresponding to current dual
"""
# TODO: consider whether we can use shallow copy of the lists without
# using tf.identity
projected_lambda_pos = [
tf.identity(x) for x in self.dual_object.lambda_pos
]
projected_lambda_neg = [
tf.identity(x) for x in self.dual_object.lambda_neg
]
projected_lambda_quad = [
tf.identity(x) for x in self.dual_object.lambda_quad
]
projected_lambda_lu = [
tf.identity(x) for x in self.dual_object.lambda_lu
]
projected_nu = tf.identity(self.dual_object.nu)
# TODO: get rid of the special case for one hidden layer
# Different projection for 1 hidden layer
if self.dual_object.nn_params.num_hidden_layers == 1:
# Creating equivalent PSD matrix for H by Schur complements
diag_entries = 0.5 * tf.divide(
tf.square(self.dual_object.lambda_quad[
self.dual_object.nn_params.num_hidden_layers]),
(self.dual_object.lambda_quad[
self.dual_object.nn_params.num_hidden_layers] +
self.dual_object.lambda_lu[
self.dual_object.nn_params.num_hidden_layers]))
# If lambda_quad[i], lambda_lu[i] are 0, entry is NaN currently,
# but we want to set that to 0
diag_entries = tf.where(tf.is_nan(diag_entries),
tf.zeros_like(diag_entries), diag_entries)
last_layer_weights = self.dual_object.nn_params.weights[
self.dual_object.nn_params.num_hidden_layers - 1]
matrix = tf.matmul(
tf.matmul(tf.transpose(last_layer_weights),
utils.diag(diag_entries)), last_layer_weights)
new_matrix = utils.diag(2 * self.dual_object.lambda_lu[
self.dual_object.nn_params.num_hidden_layers - 1]) - matrix
# Making symmetric
new_matrix = 0.5 * (new_matrix + tf.transpose(new_matrix))
eig_vals = tf.self_adjoint_eigvals(new_matrix)
min_eig = tf.reduce_min(eig_vals)
# If min_eig is positive, already feasible, so don't add
# Otherwise add to make PSD [1E-6 is for ensuring strictly PSD (useful
# while inverting)
projected_lambda_lu[0] = (projected_lambda_lu[0] +
0.5 * tf.maximum(-min_eig, 0) + 1E-6)
else:
# Minimum eigen value of H
# TODO: Write this in terms of matrix multiply
# matrix H is a submatrix of M, thus we just need to extend existing code
# for computing matrix-vector product (see get_psd_product function).
# Then use the same trick to compute smallest eigenvalue.
eig_vals = tf.self_adjoint_eigvals(self.dual_object.matrix_h)
min_eig = tf.reduce_min(eig_vals)
for i in range(self.dual_object.nn_params.num_hidden_layers + 1):
# Since lambda_lu appears only in diagonal terms, can subtract to
# make PSD and feasible
projected_lambda_lu[i] = (projected_lambda_lu[i] +
0.5 * tf.maximum(-min_eig, 0) + 1E-6)
# Adjusting lambda_neg wherever possible so that lambda_neg + lambda_lu
# remains close to unchanged
# projected_lambda_neg[i] = tf.maximum(0.0, projected_lambda_neg[i] +
# (0.5*min_eig - 1E-6)*
# (self.lower[i] + self.upper[i]))
projected_dual_var = {
'lambda_pos': projected_lambda_pos,
'lambda_neg': projected_lambda_neg,
'lambda_lu': projected_lambda_lu,
'lambda_quad': projected_lambda_quad,
'nu': projected_nu
}
projected_dual_object = dual_formulation.DualFormulation(
projected_dual_var, self.dual_object.nn_params,
self.dual_object.test_input, self.dual_object.true_class,
self.dual_object.adv_class, self.dual_object.input_minval,
self.dual_object.input_maxval, self.dual_object.epsilon)
return projected_dual_object
def main(_):
# pylint: disable=missing-docstring
tf.logging.set_verbosity(FLAGS.verbosity)
start_time = time.time()
# Initialize neural network based on config files
input_shape = [FLAGS.num_rows, FLAGS.num_columns, FLAGS.num_channels]
nn_params = nn.load_network_from_checkpoint(FLAGS.checkpoint,
FLAGS.model_json, input_shape)
tf.logging.info('Loaded neural network with size of layers: %s',
nn_params.sizes)
tf.logging.info('Loaded neural network with input shapes: %s',
nn_params.input_shapes)
tf.logging.info('Loaded neural network with output shapes: %s',
nn_params.output_shapes)
dual_var = utils.initialize_dual(nn_params,
FLAGS.init_dual_file,
init_nu=FLAGS.init_nu)
# Reading test input and reshaping
with tf.gfile.Open(FLAGS.test_input) as f:
test_input = np.load(f)
test_input = np.reshape(test_input, [np.size(test_input), 1])
if FLAGS.adv_class == -1:
start_class = 0
end_class = FLAGS.num_classes
else:
start_class = FLAGS.adv_class
end_class = FLAGS.adv_class + 1
for adv_class in range(start_class, end_class):
tf.logging.info('Running certification for adversarial class %d',
adv_class)
if adv_class == FLAGS.true_class:
continue
optimization_params = {
'init_penalty': FLAGS.init_penalty,
'large_eig_num_steps': FLAGS.large_eig_num_steps,
'small_eig_num_steps': FLAGS.small_eig_num_steps,
'inner_num_steps': FLAGS.inner_num_steps,
'outer_num_steps': FLAGS.outer_num_steps,
'beta': FLAGS.beta,
'smoothness_parameter': FLAGS.smoothness_parameter,
'eig_learning_rate': FLAGS.eig_learning_rate,
'optimizer': FLAGS.optimizer,
'init_learning_rate': FLAGS.init_learning_rate,
'learning_rate_decay': FLAGS.learning_rate_decay,
'momentum_parameter': FLAGS.momentum_parameter,
'print_stats_steps': FLAGS.print_stats_steps,
'stats_folder': FLAGS.stats_folder,
'projection_steps': FLAGS.projection_steps,
'eig_type': FLAGS.eig_type,
'has_conv': nn_params.has_conv,
'lanczos_steps': FLAGS.lanczos_steps
}
lzs_params = {
'min_iter': MIN_LANCZOS_ITER,
'max_iter': FLAGS.lanczos_steps
}
with tf.Session() as sess:
dual = dual_formulation.DualFormulation(
sess, dual_var, nn_params, test_input, FLAGS.true_class,
adv_class, FLAGS.input_minval, FLAGS.input_maxval,
FLAGS.epsilon, lzs_params)
optimization_object = optimization.Optimization(
dual, sess, optimization_params)
is_cert_found = optimization_object.run_optimization()
if not is_cert_found:
print('Example could not be verified')
exit()
print('Example successfully verified')
print('Elapsed time: ' + str(time.time() - start_time))
