def test_acc(model_indicator, split, dataset):
# get block definitions
blocks_definition = get_split(split, dataset)
# construct model
keras.backend.set_learning_phase(0)
model = construct_hrs_model(dataset=dataset,
model_indicator=model_indicator,
blocks_definition=blocks_definition)
# get data
[X_train, X_test, Y_train, Y_test] = get_data(dataset=dataset,
scale1=True,
one_hot=False,
percentage=0.01)
# note: it is more accurate to feed data points one by one, because of the randomness of the model
# PS: you don't want to get the acc just for a single model realization
score = []
for i in range(X_test.shape[0]):
x = X_test[i:i + 1]
y = Y_test[i]
# pred = keras_model.predict(x)
pred = np.argmax(model.predict(x)[0])
if np.array_equal(y, pred):
score.append(1)
else:
score.append(0)
acc = np.mean(np.array(score))
print('Test Acc. of Model: %s is %.2f' % (model_indicator, acc))
return acc
def load_test(gv):
test_path = filedialog.askopenfilename(initialdir='../ranking_files')
# test_path = filedialog.askopenfilename(initialdir='/home/gabi/PycharmProjects/testhings/viper')
test_name = test_path.strip().split('/')[-1]
dataset = get_dataset(test_name)
gv.test, gv.all_truth = pu.get_data(test_path, dataset, gv.number_of_data, euclidean=True, shuf=True)
print(np.shape(gv.test))
if gv.number_of_data > len(list(np.genfromtxt(test_path, dtype=str))):
gv.max_position = len(list(np.genfromtxt(test_path, dtype=str)))
else:
gv.max_position = gv.number_of_data
gv.loaded_test_text.config(text='Test set loaded: %s' % (test_name))
gv.is_test_loaded = True
set_run_possible(gv)
def defend_adversarial_attack(dataset, split, model_indicator, attack, epsilon, test_samples, num_steps, step_size,
attack_setting, gradient_samples):
# Create TF session and set as Keras backend session
sess = tf.Session()
keras.backend.set_session(sess)
# get block definitions
blocks_definition = get_split(split, dataset)
# construct model
keras.backend.set_learning_phase(0)
model = construct_hrs_model(dataset=dataset, model_indicator=model_indicator, blocks_definition=blocks_definition)
# get data
[X_train, X_test, Y_train, Y_test] = get_data(dataset=dataset, scale1=True, one_hot=False, percentage=0.01)
# make attack object
if attack == 'FGSM':
from attack_utils import FGSM
attack = FGSM(model=model, epsilon=epsilon, dataset=dataset)
elif attack == 'PGD':
from attack_utils import PGD
attack = PGD(model=model, num_steps=num_steps, step_size=step_size, epsilon=epsilon, dataset=dataset)
elif attack == 'CWPGD':
from attack_utils import CW_PGD
attack = CW_PGD(model=model, num_steps=num_steps, step_size=step_size, epsilon=epsilon, dataset=dataset)
else:
raise ValueError('%s is not a valid attack name!' % attack)
# perform attack
result = []
distortion = []
for test_sample_idx in range(test_samples):
print('generating adv sample for test sample ' + str(test_sample_idx))
image = X_test[test_sample_idx:test_sample_idx + 1]
label = Y_test[test_sample_idx:test_sample_idx + 1]
for target in range(10):
if target == label:
continue
target_input = np.array([target])
if attack_setting == 'normal':
adversarial = attack.perturb(image, target_input, sess)
elif attack_setting == 'EOT':
adversarial = attack.perturb_gm(image, target_input, sess, gradient_samples=gradient_samples)
else:
raise ValueError('%s is not a valid attack setting!' % attack_setting)
output = model.predict(adversarial)
adv_pred = np.argmax(list(output)[0])
result.append((adv_pred == target).astype(int))
l_inf = np.amax(adversarial - image)
distortion.append(l_inf)
# compute attack success rate (ASR) and average distortion(L_inf)
succ_rate = np.array(result).mean()
mean_distortion = np.array(distortion).mean()
print('Perform %s attack to model %s' % (attack, model_indicator))
print('Attack succ rate (ASR) = %.4f' % succ_rate)
print('Average distortion = %.2f' % mean_distortion)
def train_dropout_model(dataset,
dropout_rate,
train_epoch,
load_pretrain=None):
[X_train, X_test, Y_train, Y_test] = get_data(dataset=dataset,
scale1=True,
one_hot=True,
percentage=1)
img_rows, img_cols, img_channels = get_dimensions(dataset)
# model
keras.backend.set_learning_phase(1)
if dataset == 'CIFAR':
model = Sequential()
model.add(
Conv2D(64, (3, 3), input_shape=(img_rows, img_cols, img_channels)))
model.add(Activation('relu'))
model.add(Conv2D(64, (3, 3)))
model.add(Activation('relu'))
model.add(MaxPooling2D(pool_size=(2, 2)))
model.add(Conv2D(128, (3, 3)))
model.add(Activation('relu'))
model.add(Conv2D(128, (3, 3)))
model.add(Activation('relu'))
model.add(MaxPooling2D(pool_size=(2, 2)))
model.add(Flatten())
model.add(Dense(256))
model.add(Activation('relu'))
model.add(Dropout(dropout_rate))
model.add(Dense(256))
model.add(Activation('relu'))
model.add(Dense(10))
elif dataset == 'MNIST':
model = Sequential()
model.add(
Conv2D(32, (3, 3), input_shape=(img_rows, img_cols, img_channels)))
model.add(Activation('relu'))
model.add(Conv2D(32, (3, 3)))
model.add(Activation('relu'))
model.add(MaxPooling2D(pool_size=(2, 2)))
model.add(Conv2D(64, (3, 3)))
model.add(Activation('relu'))
model.add(Conv2D(64, (3, 3)))
model.add(Activation('relu'))
model.add(MaxPooling2D(pool_size=(2, 2)))
model.add(Flatten())
model.add(Dense(200))
model.add(Activation('relu'))
model.add(Dropout(dropout_rate))
model.add(Dense(200))
model.add(Activation('relu'))
model.add(Dense(10))
else:
raise ValueError("%s is not a supported dataset!" % dataset)
# load pretrained weights if apply
if load_pretrain:
model.load_weights(load_pretrain)
# train
def fn(correct, predicted):
return tf.nn.softmax_cross_entropy_with_logits(labels=correct,
logits=predicted)
sgd = SGD(lr=0.01, decay=1e-6, momentum=0.9, nesterov=True)
model.compile(loss=fn, optimizer=sgd, metrics=['accuracy'])
model.fit(X_train,
Y_train,
batch_size=128,
validation_data=(X_test, Y_test),
nb_epoch=train_epoch,
shuffle=True)
# save weight
if not os.path.exists('Model/%s_models/' % dataset):
os.makedirs('Model/%s_models/' % dataset)
weight_path = 'Model/%s_models/dropout_%.2f' % (dataset, dropout_rate)
model.save_weights(weight_path)
return weight_path
def defend_adversarial_reprogramming(model_indicator, split, epochs):
save_dir = './Adversarial_Reprogramming/' + args.model_indicator + '/'
try:
os.makedirs(save_dir)
except:
pass
# get MNIST data
[X_train, X_test, Y_train, Y_test] = get_data(dataset='MNIST',
scale1=True,
one_hot=False,
percentage=0.01)
# input transfer model
input_transfer = Sequential()
input_transfer.add(ZeroPadding2D(padding=3, input_shape=(28, 28, 1)))
input_transfer.add(LocallyConnected2D(3, (3, 3), activation='relu'))
input_transfer.add(Activation('tanh'))
# get block definitions
blocks_definition = get_split(split, 'CIFAR')
# target model to reprogram
keras.backend.set_learning_phase(0)
model = construct_hrs_model(dataset='CIFAR',
model_indicator=model_indicator,
blocks_definition=blocks_definition)
# set layer untrainable
for layer in model.layers:
layer.trainable = False
# overall model
output = model(input_transfer.output)
adv_model = Model(input_transfer.input, output)
# optimizer and loss
sgd = SGD(lr=0.01, decay=1e-6, momentum=0.9, nesterov=True)
def fn(correct, predicted):
return tf.nn.softmax_cross_entropy_with_logits(labels=correct,
logits=predicted)
# compile
adv_model.compile(loss=fn, optimizer=sgd, metrics=['accuracy'])
# training the input transfer
hist = adv_model.fit(X_train,
Y_train,
batch_size=128,
validation_data=(X_test, Y_test),
nb_epoch=epochs,
shuffle=True)
# save training history
train_acc = hist.history['acc']
test_acc = hist.history['val_acc']
np.save(save_dir + 'hist.npy', np.array(hist.history))
print('Perform adversarial reprogramming to model %s' % model_indicator)
print('Reprogramming Train Acc. after %d epochs of training is %.4f' %
(epochs, train_acc[-1]))
print('Reprogramming Test Acc. after %d epochs of training is %.4f' %
(epochs, test_acc[-1]))
def test_acc(dataset, train_dropout_rate, test_dropout_rate, pretrain_dir):
[_, X_test, _, Y_test] = get_data(dataset=dataset,
scale1=True,
one_hot=False,
percentage=1)
img_rows, img_cols, img_channels = get_dimensions(dataset)
# model
keras.backend.set_learning_phase(1)
if dataset == 'CIFAR':
model = Sequential()
model.add(
Conv2D(64, (3, 3), input_shape=(img_rows, img_cols, img_channels)))
model.add(Activation('relu'))
model.add(Conv2D(64, (3, 3)))
model.add(Activation('relu'))
model.add(MaxPooling2D(pool_size=(2, 2)))
model.add(Conv2D(128, (3, 3)))
model.add(Activation('relu'))
model.add(Conv2D(128, (3, 3)))
model.add(Activation('relu'))
model.add(MaxPooling2D(pool_size=(2, 2)))
model.add(Flatten())
model.add(Dense(256))
model.add(Activation('relu'))
model.add(Dropout(test_dropout_rate))
model.add(Dense(256))
model.add(Activation('relu'))
model.add(Dense(10))
elif dataset == 'MNIST':
model = Sequential()
model.add(
Conv2D(32, (3, 3), input_shape=(img_rows, img_cols, img_channels)))
model.add(Activation('relu'))
model.add(Conv2D(32, (3, 3)))
model.add(Activation('relu'))
model.add(MaxPooling2D(pool_size=(2, 2)))
model.add(Conv2D(64, (3, 3)))
model.add(Activation('relu'))
model.add(Conv2D(64, (3, 3)))
model.add(Activation('relu'))
model.add(MaxPooling2D(pool_size=(2, 2)))
model.add(Flatten())
model.add(Dense(200))
model.add(Activation('relu'))
model.add(Dropout(test_dropout_rate))
model.add(Dense(200))
model.add(Activation('relu'))
model.add(Dense(10))
else:
raise ValueError("%s is not a supported dataset!" % dataset)
# load pretrained weights of the train_dropout_rate
weight_file = 'dropout_%.2f' % train_dropout_rate
weight_path = pretrain_dir + weight_file
model.load_weights(weight_path)
# test acc
# note: it is more accurate to feed data points one by one, because of the randomness of the model
# PS: you don't want to get the acc just for a single model realization
score = []
for i in range(X_test.shape[0]):
x = X_test[i:i + 1]
y = Y_test[i]
# pred = keras_model.predict(x)
pred = np.argmax(model.predict(x)[0])
if np.array_equal(y, pred):
score.append(1)
else:
score.append(0)
acc = np.mean(np.array(score))
print('Test Acc. of Model[test_dropout=%.2f, train_dropout=%.2f] is %.4f' %
(test_dropout_rate, train_dropout_rate, acc))
return acc
def defend_adversarial_attack(dataset, train_dropout_rate, test_dropout_rate,
pretrain_dir, attack, epsilon, test_samples,
num_steps, step_size):
# Create TF session and set as Keras backend session
sess = tf.Session()
keras.backend.set_session(sess)
# get data and dimensions
img_rows, img_cols, img_channels = get_dimensions(dataset)
[_, X_test, _, Y_test] = get_data(dataset=dataset,
scale1=True,
one_hot=False,
percentage=1)
# model
keras.backend.set_learning_phase(1)
if dataset == 'CIFAR':
model = Sequential()
model.add(
Conv2D(64, (3, 3), input_shape=(img_rows, img_cols, img_channels)))
model.add(Activation('relu'))
model.add(Conv2D(64, (3, 3)))
model.add(Activation('relu'))
model.add(MaxPooling2D(pool_size=(2, 2)))
model.add(Conv2D(128, (3, 3)))
model.add(Activation('relu'))
model.add(Conv2D(128, (3, 3)))
model.add(Activation('relu'))
model.add(MaxPooling2D(pool_size=(2, 2)))
model.add(Flatten())
model.add(Dense(256))
model.add(Activation('relu'))
model.add(Dropout(test_dropout_rate))
model.add(Dense(256))
model.add(Activation('relu'))
model.add(Dense(10))
elif dataset == 'MNIST':
model = Sequential()
model.add(
Conv2D(32, (3, 3), input_shape=(img_rows, img_cols, img_channels)))
model.add(Activation('relu'))
model.add(Conv2D(32, (3, 3)))
model.add(Activation('relu'))
model.add(MaxPooling2D(pool_size=(2, 2)))
model.add(Conv2D(64, (3, 3)))
model.add(Activation('relu'))
model.add(Conv2D(64, (3, 3)))
model.add(Activation('relu'))
model.add(MaxPooling2D(pool_size=(2, 2)))
model.add(Flatten())
model.add(Dense(200))
model.add(Activation('relu'))
model.add(Dropout(test_dropout_rate))
model.add(Dense(200))
model.add(Activation('relu'))
model.add(Dense(10))
else:
raise ValueError("%s is not a supported dataset!" % dataset)
# load pretrained weights of the train_dropout_rate
weight_file = 'dropout_%.2f' % train_dropout_rate
weight_path = pretrain_dir + weight_file
model.load_weights(weight_path)
# make attack object
if attack == 'FGSM':
from attack_utils import FGSM
attack = FGSM(model=model, epsilon=epsilon, dataset=dataset)
elif attack == 'PGD':
from attack_utils import PGD
attack = PGD(model=model,
num_steps=num_steps,
step_size=step_size,
epsilon=epsilon,
dataset=dataset)
elif attack == 'CWPGD':
from attack_utils import CW_PGD
attack = CW_PGD(model=model,
num_steps=num_steps,
step_size=step_size,
epsilon=epsilon,
dataset=dataset)
else:
raise ValueError('%s is not a valid attack name!' % attack)
# perform attack
result = []
distortion = []
for test_sample_idx in range(test_samples):
print('generating adv sample for test sample ' + str(test_sample_idx))
image = X_test[test_sample_idx:test_sample_idx + 1]
label = Y_test[test_sample_idx:test_sample_idx + 1]
for target in range(10):
if target == label:
continue
target_input = np.array([target])
adversarial = attack.perturb(image, target_input, sess)
output = model.predict(adversarial)
adv_pred = np.argmax(list(output)[0])
result.append((adv_pred == target).astype(int))
l_inf = np.amax(adversarial - image)
distortion.append(l_inf)
# compute attack success rate (ASR) and average distortion(L_inf)
succ_rate = np.array(result).mean()
mean_distortion = np.array(distortion).mean()
print(
'Perform %s attack to dropout model[train_dropout=%.2f, test_dropout=%.2f]'
% (attack, train_dropout_rate, test_dropout_rate))
print('Attack succ rate (ASR) = %.4f' % succ_rate)
print('Average distortion = %.2f' % mean_distortion)
def train_hrs(model_indicator,
training_epoch,
split='default',
dataset='CIFAR'):
# get block definitions
blocks_definition = get_split(split, dataset)
# parse structure
structure = [int(ss[:-1]) for ss in model_indicator.split('[')[1:]]
nb_block = len(structure)
# make sure model_indicator, training_epoch and split all have the same number of blocks
assert nb_block == len(training_epoch) == len(blocks_definition), "The number of blocks indicated by " \
"model_indicator, training_epoch and split must " \
"be the same!"
# create weights save dir
save_dir = './Model/%s_models/' % dataset + model_indicator + '/'
try:
os.makedirs('./Model/%s_models/' % dataset + model_indicator + '/')
except:
pass
# dataset and input dimensions
[X_train, X_test, Y_train, Y_test] = get_data(dataset=dataset,
scale1=True,
one_hot=True,
percentage=1)
img_rows, img_cols, img_channels = get_dimensions(dataset)
# loss definition
def fn(correct, predicted):
return tf.nn.softmax_cross_entropy_with_logits(labels=correct,
logits=predicted)
'''
Training HRS
'''
# start the training process
for block_idx in range(nb_block):
print("start training the %d\'s block" % block_idx)
# construct the trained part:
# switching blocks up to the (block_idx - 1)'s block
if block_idx == 0:
model_input = InputLayer(input_shape=(img_rows, img_cols,
img_channels))
# note: for InputLayer the input and output tensors are the same one.
trained_blocks_output = model_input.output
else:
model_input = InputLayer(input_shape=(img_rows, img_cols,
img_channels))
# build switching blocks
block_input = model_input.output
for i in range(block_idx):
weight_dir = save_dir + '%d_' % i + '%d'
block_output = construct_switching_block(
block_input, structure[i], blocks_definition[i],
weight_dir)
block_input = block_output
trained_blocks_output = block_output
# construct the part to train
# normal blocks (with only one channel) from block_idx to the end
for channel_idx in range(structure[block_idx]):
block_input = trained_blocks_output
# the channel to train
channel_to_train = blocks_definition[block_idx]()
block_output = channel_to_train(block_input)
block_input = block_output
# add following blocks in any
for j in range(block_idx + 1, nb_block):
channel = blocks_definition[j]()
block_output = channel(block_input)
block_input = block_output
# construct the model object
model = Model(input=model_input.input, output=block_output)
# optimizer
sgd = SGD(lr=0.01, decay=1e-6, momentum=0.9, nesterov=True)
# training
model.compile(loss=fn, optimizer=sgd, metrics=['accuracy'])
model.fit(X_train,
Y_train,
batch_size=128,
validation_data=(X_test, Y_test),
nb_epoch=training_epoch[block_idx],
shuffle=True)
# save weights of this channel
channel_to_train.save_weights(save_dir + '%d_%d' %
(block_idx, channel_idx))
# after training all channels in this block, reset tf graph
K.clear_session()