def get_data_params(X, Y, percentile):
num_classes = len(set(Y))
num_features = X.shape[1]
centroids = np.zeros((num_classes, num_features))
class_map = get_class_map()
centroids = get_centroids(X, Y, class_map)
# Get radii for sphere
sphere_radii = np.zeros(2)
dists = defenses.compute_dists_under_Q(X,
Y,
Q=None,
centroids=centroids,
class_map=class_map,
norm=2)
for y in set(Y):
sphere_radii[class_map[y]] = np.percentile(dists[Y == y], percentile)
# Get vector between centroids
centroid_vec = get_centroid_vec(centroids)
# Get radii for slab
slab_radii = np.zeros(2)
for y in set(Y):
dists = np.abs((X[Y == y, :].dot(centroid_vec.T) -
centroids[class_map[y], :].dot(centroid_vec.T)))
slab_radii[class_map[y]] = np.percentile(dists, percentile)
return class_map, centroids, centroid_vec, sphere_radii, slab_radii
def get_feasible_flipped_mask(X_train,
Y_train,
centroids,
centroid_vec,
sphere_radii,
slab_radii,
class_map,
use_slab=False):
sphere_dists_flip = defenses.compute_dists_under_Q(X_train,
-Y_train,
Q=None,
subtract_from_l2=False,
centroids=centroids,
class_map=class_map,
norm=2)
if use_slab:
slab_dists_flip = defenses.compute_dists_under_Q(
X_train,
-Y_train,
Q=centroid_vec,
subtract_from_l2=False,
centroids=centroids,
class_map=class_map,
norm=2)
feasible_flipped_mask = np.zeros(X_train.shape[0], dtype=bool)
for y in set(Y_train):
class_idx_flip = class_map[-y]
sphere_radius_flip = sphere_radii[class_idx_flip]
feasible_flipped_mask[Y_train == y] = (sphere_dists_flip[Y_train == y]
<= sphere_radius_flip)
if use_slab:
slab_radius_flip = slab_radii[class_idx_flip]
feasible_flipped_mask[Y_train == y] = (
feasible_flipped_mask[Y_train == y] &
(slab_dists_flip[Y_train == y] <= slab_radius_flip))
return feasible_flipped_mask
def filter_points_outside_feasible_set(X, Y, centroids, centroid_vec,
sphere_radii, slab_radii, class_map):
sphere_dists = defenses.compute_dists_under_Q(X,
Y,
Q=None,
centroids=centroids,
class_map=class_map)
slab_dists = defenses.compute_dists_under_Q(X,
Y,
Q=centroid_vec,
centroids=centroids,
class_map=class_map)
idx_to_keep = np.array([True] * X.shape[0])
for y in set(Y):
idx_to_keep[np.where(Y == y)[0][
sphere_dists[Y == y] > sphere_radii[class_map[y]]]] = False
idx_to_keep[np.where(
Y == y)[0][slab_dists[Y == y] > slab_radii[class_map[y]]]] = False
print(np.sum(idx_to_keep))
return X[idx_to_keep, :], Y[idx_to_keep]
frac_increment=frac_increment,
num_folds=num_folds,
dists=dists)
results['num_neighbors'] = num_neighbors
## l2 grad defense
defense_label = 'grad-l2-ball'
if ((defense_to_test is None) or (defense_to_test == defense_label)):
print(' Computing L2 norm of gradients...')
losses = datadef.get_losses(params_modified, bias_modified)
sv_indices = losses > 0
sv_centroids = data.get_centroids(X_modified[sv_indices, :],
Y_modified[sv_indices], class_map)
dists = defenses.compute_dists_under_Q(X_modified,
Y_modified,
Q=None,
subtract_from_l2=None,
centroids=sv_centroids,
class_map=class_map)
dists[~sv_indices] = 0
dists = dists.reshape(-1, 1)
all_dists, results = defense_testers.process_defense(
datadef,
Q=None,
all_dists=all_dists,
model=svm_model,
weight_decay=best_weight_decay_modified,
results=results,
use_emp=None,
use_emp_label=None,
defense_label=defense_label,
max_frac_to_remove=max_frac_to_remove,
assert dataset_name in ['imdb', 'enron', 'dogfish', 'mnist_17']
print('=== Dataset: %s ===' % dataset_name)
epsilons = datasets.DATASET_EPSILONS[dataset_name]
X_train, Y_train, X_test, Y_test = datasets.load_dataset(dataset_name)
random_seed = 1
class_map, centroids, centroid_vec, sphere_radii, slab_radii = data.get_data_params(
X_train, Y_train, percentile=70)
sphere_dists_flip = defenses.compute_dists_under_Q(X_train,
-Y_train,
Q=None,
subtract_from_l2=False,
centroids=centroids,
class_map=class_map,
norm=2)
slab_dists_flip = defenses.compute_dists_under_Q(X_train,
-Y_train,
Q=centroid_vec,
subtract_from_l2=False,
centroids=centroids,
class_map=class_map,
norm=2)
feasible_flipped_mask = np.zeros(X_train.shape[0], dtype=bool)
for y in set(Y_train):