def RMSProp(loss,parameter_list):
opt = GradientDescentOptimizer(1e-3)
grads_and_vars = opt.compute_gradients(loss, parameter_list)
capped_grads_and_vars = []
for i in range(len(grads_and_vars)):
gradient = grads_and_vars[i][0]
variable = grads_and_vars[i][1]
if len(last_n2) != 0:
n = 0.8 * tf.multiply(gradient, gradient) + 0.2 * last_n2[i]
momentum = gradient/(tf.sqrt(n) + 0.001)
capped_grads_and_vars.append((momentum, variable))
else:
n = tf.multiply(gradient, gradient)
momentum = gradient / (tf.sqrt(n) + 0.001)
capped_grads_and_vars.append((momentum, variable))
if len(last_n2) != 0:
for i in range(len(grads_and_vars)):
last_n2[i] = capped_grads_and_vars[i][0]
else:
for i in range(len(grads_and_vars)):
last_n2.append(capped_grads_and_vars[i][0])
return opt.apply_gradients(grads_and_vars)
def testTraining(self):
"""Tests a gradient descent step for a simple model."""
with self.session() as session:
with self.test_scope():
with variable_scope.variable_scope("ascope", use_resource=True):
w = variable_scope.get_variable(
"w",
shape=[4, 2],
dtype=dtypes.float32,
initializer=init_ops.constant_initializer(
np.array([[1, 2], [3, 4], [5, 6], [7, 8]], dtype=np.float32)))
b = variable_scope.get_variable(
"b",
shape=[2],
dtype=dtypes.float32,
initializer=init_ops.constant_initializer(
np.array([2, 3], dtype=np.float32)))
x = array_ops.placeholder(dtypes.float32, shape=[1, 4])
y = math_ops.matmul(x, w) + b
loss = math_ops.reduce_sum(y)
optimizer = GradientDescentOptimizer(0.1)
train = optimizer.minimize(loss)
session.run(variables.global_variables_initializer())
session.run(train, {x: np.array([[7, 3, 5, 9]], dtype=np.float32)})
vw, vb = session.run([w, b])
self.assertAllClose(
np.array(
[[0.3, 1.3], [2.7, 3.7], [4.5, 5.5], [6.1, 7.1]],
dtype=np.float32),
vw,
rtol=1e-4)
self.assertAllClose(np.array([1.9, 2.9], dtype=np.float32), vb, rtol=1e-4)
def testTraining(self):
"""Tests a gradient descent step for a simple model."""
with self.test_session() as session:
with self.test_scope():
with variable_scope.variable_scope("ascope", use_resource=True):
w = variable_scope.get_variable(
"w",
shape=[4, 2],
dtype=dtypes.float32,
initializer=init_ops.constant_initializer(
np.array([[1, 2], [3, 4], [5, 6], [7, 8]], dtype=np.float32)))
b = variable_scope.get_variable(
"b",
shape=[2],
dtype=dtypes.float32,
initializer=init_ops.constant_initializer(
np.array([2, 3], dtype=np.float32)))
x = array_ops.placeholder(dtypes.float32, shape=[1, 4])
y = math_ops.matmul(x, w) + b
loss = math_ops.reduce_sum(y)
optimizer = GradientDescentOptimizer(0.1)
train = optimizer.minimize(loss)
session.run(variables.global_variables_initializer())
session.run(train, {x: np.array([[7, 3, 5, 9]], dtype=np.float32)})
vw, vb = session.run([w, b])
self.assertAllClose(
np.array(
[[0.3, 1.3], [2.7, 3.7], [4.5, 5.5], [6.1, 7.1]],
dtype=np.float32),
vw,
rtol=1e-4)
self.assertAllClose(np.array([1.9, 2.9], dtype=np.float32), vb, rtol=1e-4)
def Ada_Mom(loss, parameter_list):
mu = 0.9 # the parameter of the momentum, always be 0.9
opt = GradientDescentOptimizer(1e-3)
grads_and_vars = opt.compute_gradients(loss, parameter_list)
capped_grads_and_vars = []
for i in range(len(grads_and_vars)):
gradient = grads_and_vars[i][0]
variable = grads_and_vars[i][1]
if len(last_n1) != 0:
n = tf.multiply(gradient, gradient) + last_n1[i]
momentum = 0.9 * last_momentum1[i] + gradient/(tf.sqrt(n) + 0.001)
capped_grads_and_vars.append((momentum, variable))
else:
n = tf.multiply(gradient, gradient)
momentum = gradient / (tf.sqrt(n) + 0.001)
capped_grads_and_vars.append((momentum, variable))
if len(last_momentum1) != 0:
for i in range(len(grads_and_vars)):
last_momentum1[i] = capped_grads_and_vars[i][0]
else:
for i in range(len(grads_and_vars)):
last_momentum1.append(capped_grads_and_vars[i][0])
if len(last_n1) != 0:
for i in range(len(grads_and_vars)):
last_n1[i] = capped_grads_and_vars[i][0]
else:
for i in range(len(grads_and_vars)):
last_n1.append(capped_grads_and_vars[i][0])
return opt.apply_gradients(grads_and_vars)
def RMSProp_BB2(loss, parameter_list, learning_rate2):
opt = GradientDescentOptimizer(learning_rate2)
grads_and_vars = opt.compute_gradients(loss, parameter_list)
capped_grads_and_vars = []
middle = []
for i in range(len(grads_and_vars)):
gradient = grads_and_vars[i][0]
variable = grads_and_vars[i][1]
if len(last_n4) != 0:
n = 0.8 * tf.multiply(gradient, gradient) + 0.2 * last_n4[i - 1]
middle.append(n)
momentum = gradient / (tf.sqrt(n) + 0.001)
capped_grads_and_vars.append((momentum, variable))
else:
n = tf.multiply(gradient, gradient)
middle.append(n)
momentum = gradient / (tf.sqrt(n) + 0.001)
capped_grads_and_vars.append((momentum, variable))
if len(last_n4) != 0:
for i in range(len(capped_grads_and_vars)):
last_n4[i] = middle[i]
else:
for i in range(len(capped_grads_and_vars)):
last_n4.append(middle[i])
return opt.apply_gradients(capped_grads_and_vars)
def test_TF_LearningRateScheduler_GradientDescent(self):
with self.test_session():
with context.eager_mode():
np.random.seed(1337)
(x_train, y_train), (x_test, y_test) = testing_utils.get_test_data(
train_samples=TRAIN_SAMPLES,
test_samples=TEST_SAMPLES,
input_shape=(INPUT_DIM,),
num_classes=NUM_CLASSES)
y_test = keras.utils.to_categorical(y_test)
y_train = keras.utils.to_categorical(y_train)
model = keras.models.Sequential()
model.add(
keras.layers.Dense(
NUM_HIDDEN, input_dim=INPUT_DIM, activation='relu'))
model.add(keras.layers.Dense(NUM_CLASSES, activation='softmax'))
model.compile(
loss='categorical_crossentropy',
optimizer=GradientDescentOptimizer(1e-3),
metrics=['accuracy'])
cbks = [keras.callbacks.LearningRateScheduler(lambda x: 1. / (1. + x))]
model.fit(
x_train,
y_train,
batch_size=BATCH_SIZE,
validation_data=(x_test, y_test),
callbacks=cbks,
epochs=5,
verbose=0)
opt_lr = model.optimizer.optimizer._learning_rate
self.assertLess(
float(keras.backend.get_value(
Variable(opt_lr))) - 0.2, keras.backend.epsilon())
def __init__(self, params, learner, dataset):
print('Using Federated prox to Train (npSGD)')
self.inner_opt = GradientDescentOptimizer(
learning_rate=params['learning_rate'])
super(Server, self).__init__(params, learner, dataset)
if self.rate > 1:
self.topk = int((self.dim_model + self.dim_y) / self.rate)
print("Topk selecting {} dimensions".format(self.topk))
def __init__(self, params, learner, dataset):
print('Using Federated prox to Train (dpSGD)')
self.inner_opt = GradientDescentOptimizer(
learning_rate=params['learning_rate'])
super(Server, self).__init__(params, learner, dataset)
self.sigma = (2 * self.norm / self.epsilon) * math.sqrt(
2 * math.log(1.25 / self.delta))
print("global sigma for gaussian is {}".format(self.sigma))
def __init__(self, params, learner, dataset):
print('Using Federated prox to Train (LDP-FL)')
self.inner_opt = GradientDescentOptimizer(
learning_rate=params['learning_rate'])
super(Server, self).__init__(params, learner, dataset)
self.clip_C = self.norm
self.sample = int((self.dim_model + self.dim_y) / self.rate)
self.eps_ld = self.epsilon / self.sample
def __init__(self, params, learner, dataset):
print('Using Federated prox to Train (SS-Double)')
self.inner_opt = GradientDescentOptimizer(
learning_rate=params['learning_rate'])
super(Server, self).__init__(params, learner, dataset)
self.clip_C = self.norm
self.m_p = self.clients_per_round / self.mp_rate
print("Setting the padding size for each dimension with ", self.m_p)
self.em_s = self.clients_per_round / self.rate
self.sample = int((self.dim_model + self.dim_y) / self.rate)
print("Randomly sampling {} dimensions".format(self.sample))
self.choice_list = []
def RMSProp_Mom(loss, parameter_list):
mu = 0.9 # the parameter of the momentum, always be 0.9
opt = GradientDescentOptimizer(1e-3)
grads_and_vars = opt.compute_gradients(loss, parameter_list)
capped_grads_and_vars = []
middle = []
for i in range(len(grads_and_vars)):
gradient = grads_and_vars[i][0]
variable = grads_and_vars[i][1]
if len(last_n2) != 0:
n = 0.8 * tf.multiply(gradient, gradient) + 0.2 * last_n2[i - 1]
middle.append(n)
momentum = 0.9 * last_momentum2[i - 1] + gradient / (tf.sqrt(n) +
0.001)
capped_grads_and_vars.append((momentum, variable))
else:
n = tf.multiply(gradient, gradient)
middle.append(n)
momentum = gradient / (tf.sqrt(n) + 0.001)
capped_grads_and_vars.append((momentum, variable))
if len(last_momentum2) != 0:
for i in range(len(capped_grads_and_vars)):
last_momentum2[i] = capped_grads_and_vars[i][0]
else:
for i in range(len(capped_grads_and_vars)):
last_momentum2.append(capped_grads_and_vars[i][0])
if len(last_n2) != 0:
for i in range(len(capped_grads_and_vars)):
last_n2[i] = middle[i]
else:
for i in range(len(capped_grads_and_vars)):
last_n2.append(middle[i])
return opt.apply_gradients(capped_grads_and_vars)
def add_training_op(self, loss):
"""Sets up the training Ops.
Creates an optimizer and applies the gradients to all trainable variables.
The Op returned by this function is what must be passed to the
`sess.run()` call to cause the model to train. See
https://www.tensorflow.org/versions/r0.7/api_docs/python/train.html#Optimizer
for more information.
Hint: Use tf.train.GradientDescentOptimizer to get an optimizer object.
Calling optimizer.minimize() will return a train_op object.
Args:
loss: Loss tensor, from cross_entropy_loss.
Returns:
train_op: The Op for training.
"""
### YOUR CODE HERE
op = GradientDescentOptimizer(self.config.lr)
train_op = op.minimize(loss)
### END YOUR CODE
return train_op
def carlini_wagner(classifier,
data_sample,
target_class,
optimizer=GradientDescentOptimizer(1e-2),
optimization_iter=10000,
binary_iter=20,
c_high=1000.0,
c_low=0.0,
kappa=0.0):
"""
Args:
classifier: A classifier model that we want to attack
data_sample (): A tuple of tensors of structure (image_tensor, label_tensor) against wich attack is run
target_class: One hot encoded target class for the attack
optimizer: Optimizer used in algorithm
optimization_iter: Number of steps take in optimization for given parameter
binary_iter: Number of steps take in binary search for parameter C
c_high: Upper limit of range used in binary search for parameter C
c_low: lower limit of range used in binary search for parameter C
Returns: A tuple of structure (adversarial_example, classifier output for examples)
"""
image, label = data_sample
perturbation = tf.Variable(np.random.uniform(0.0, 1.0, tf.shape(image)),
dtype=tf.float32)
cw = tf.function(_c_and_w)
# cw = _c_and_w
return_image = cw(image, classifier, target_class, perturbation, optimizer,
optimization_iter, binary_iter, c_high, c_low, kappa)
parameters = {
# OPTIMIZATION_ITER:optimizer.__class__.__name__,
# "learning_rate":optimizer._learning_rate,
OPTIMIZATION_ITER: optimization_iter,
BINARY_ITER: binary_iter,
C_HIGH: c_high,
C_LOW: c_low,
KAPPA: kappa
}
return (return_image, classifier(return_image), parameters)
x = tf.placeholder(tf.float32, [None, 784])
y = classifier(x)
label = tf.placeholder(tf.float32, [None, 10]) # true label
noise = tf.placeholder(tf.float32, [None, 100]) # noise vector
x_fake = generator(noise, label)
y_fake = classifier(x_fake)
loss_cls = softmax_cross_entropy(label, y)
loss_gan = softmax_cross_entropy(label, y_fake)
all_vars = tf.trainable_variables()
c_vars = [var for var in all_vars if 'classifier' in var.name]
g_vars = [var for var in all_vars if 'generator' in var.name]
train_op_cls = GradientDescentOptimizer(learning_rate = lr) \
.minimize(loss_cls, var_list = c_vars, global_step = global_step)
train_op_gan = GradientDescentOptimizer(learning_rate = lr) \
.minimize(loss_gan, var_list = g_vars, global_step = global_step)
def main():
mnist = input_data.read_data_sets('MNIST_data', one_hot=True)
sess.run(tf.global_variables_initializer())
with sess.as_default():
print('train classifier')
for t in range(1, epochs * 550 + 1):
batch = mnist.train.next_batch(batch_size)
f_dict = {x: batch[0], label: batch[1]}
sess.run(train_op_cls, feed_dict=f_dict)
def model_train(para):
sess = tf.Session()
tf.set_random_seed(random_seed)
n = len(layers)
x = tf.placeholder(tf.float32, [None, 784]) # input
label = tf.placeholder(tf.float32, [None, 10]) # true label
std = para['std']
w, b = [0 for i in range(n)], [0 for i in range(n)]
for i in range(1, n):
w[i] = weight_variable([layers[i - 1], layers[i]])
b[i] = bias_variable([layers[i]])
# model with noise
z, h = [0 for i in range(n)], [0 for i in range(n)]
for i in range(n):
if i == 0:
z[i] = x
z[i] += tf.random_normal(shape=tf.shape(z[i]),
mean=0.0,
stddev=std[i],
dtype=tf.float32)
z[i] = tf.clip_by_value(z[i], 0, 1)
h[i] = z[i]
if i > 0 and i < n - 1:
z[i] = tf.matmul(h[i - 1], w[i]) + b[i]
#z[i] = tf.clip_by_norm(z[i], 1, axes = 1)
z[i] += tf.random_normal(shape=tf.shape(z[i]),
mean=0.0,
stddev=std[i],
dtype=tf.float32)
h[i] = tf.nn.relu(z[i])
if i == n - 1:
z[i] = tf.matmul(h[i - 1], w[i]) + b[i]
#z[i] = tf.clip_by_norm(z[i], 1000, axes = 1)
z[i] += tf.random_normal(shape=tf.shape(z[i]),
mean=0.0,
stddev=std[i],
dtype=tf.float32)
h[i] = z[i]
y = h[n - 1]
w_sum = tf.constant(0, dtype='float32')
for i in range(1, n):
w_sum += tf.reduce_sum(tf.square(w[i]))
# gradient descent
loss = tf.reduce_mean(
tf.nn.softmax_cross_entropy_with_logits(labels=label, logits=y))
gw, gb = [0 for i in range(n)], [0 for i in range(n)]
for i in range(1, n):
gw[i] = tf.gradients(loss, w[i])[0]
gb[i] = tf.gradients(loss, b[i])[0]
opt = GradientDescentOptimizer(learning_rate=learning_rate)
gradients = []
for i in range(1, n):
gradients.append((gw[i], w[i]))
gradients.append((gb[i], b[i]))
train_step = opt.apply_gradients(gradients)
# model without noise
z2, h2 = [0 for i in range(n)], [0 for i in range(n)]
for i in range(n):
if i == 0:
z2[i] = x
h2[i] = z2[i]
if i > 0 and i < n - 1:
z2[i] = tf.matmul(h2[i - 1], w[i]) + b[i]
h2[i] = tf.nn.relu(z2[i])
if i == n - 1:
z2[i] = tf.matmul(h2[i - 1], w[i]) + b[i]
h2[i] = z2[i]
y2 = h2[n - 1]
# attack
x_adv = attack.fgsm(x, y2, eps=0.3, clip_min=0, clip_max=1)
#evaluation
acc = tf.reduce_mean(
tf.cast(tf.equal(tf.argmax(y2, 1), tf.argmax(label, 1)), tf.float32))
# data
mnist = input_data.read_data_sets('MNIST_data', one_hot=True)
x_adv_mnist_fsgm = np.load(os.path.join('data', 'x_adv_mnist_fsgm.npy'))
sess.run(tf.global_variables_initializer())
with sess.as_default():
for t in range(1, steps + 1):
batch = mnist.train.next_batch(batch_size)
sess.run(train_step, feed_dict={x: batch[0], label: batch[1]})
if t % int(1 / sample_rate) == 0:
epoch = int(t / int(1 / sample_rate))
x_adv_sample = sess.run(x_adv,
feed_dict={
x: mnist.test.images,
label: mnist.test.labels
})
acc_benign = sess.run(acc,
feed_dict={
x: mnist.test.images,
label: mnist.test.labels
})
acc_adv = sess.run(acc,
feed_dict={
x: x_adv_sample,
label: mnist.test.labels
})
acc_pre_adv = sess.run(acc,
feed_dict={
x: x_adv_mnist_fsgm,
label: mnist.test.labels
})
print(epoch, acc_benign, acc_adv, acc_pre_adv)
check = tf.reduce_mean(tf.norm(y2, axis=1))
print(
sess.run([check],
feed_dict={
x: mnist.test.images,
label: mnist.test.labels
}))
def main():
train_size, test_size = 55000, 10000
batch_size = 100
learning_rate = 0.05
epochs = 40
steps = epochs * int(train_size / batch_size)
global_step = tf.Variable(0, name='global_step', trainable=False)
x = tf.placeholder(tf.float32, [None, 784]) # input for real images
noise = tf.placeholder(tf.float32, [None, 100])
y = tf.placeholder(tf.float32, [None, 10])
d_label_real = tf.ones(
shape=[tf.shape(x)[0],
1]) # groundtruth discriminator label for real images
d_label_fake = tf.zeros(
shape=[tf.shape(x)[0],
1]) # groundtruth discriminator label for fake images
x_fake = generator(noise, y)
d_real = discriminator(x, y)
d_fake = discriminator(x_fake, y)
d_real_mean = tf.reduce_mean(d_real)
d_fake_mean = tf.reduce_mean(d_fake)
loss = {}
loss['discriminator'] = -tf.reduce_mean(
tf.log(d_real) + tf.log(1. - d_fake))
loss['generator'] = -tf.reduce_mean(tf.log(d_fake))
t_vars = tf.trainable_variables()
g_vars = [var for var in t_vars if 'generator' in var.name]
d_vars = [var for var in t_vars if 'discriminator' in var.name]
train_op = {}
train_op['generator'] = GradientDescentOptimizer(learning_rate = learning_rate) \
.minimize(loss['generator'], var_list = g_vars, global_step = global_step)
train_op['discriminator'] = GradientDescentOptimizer(learning_rate = learning_rate) \
.minimize(loss['discriminator'], var_list = d_vars, global_step = global_step)
mnist = input_data.read_data_sets('MNIST_data', one_hot=True)
tf.set_random_seed(1024)
sess = tf.Session()
sess.run(tf.global_variables_initializer())
with sess.as_default():
for t in range(1, steps + 1):
batch = mnist.train.next_batch(batch_size)
sess.run(train_op['discriminator'],
feed_dict={
x: batch[0],
y: batch[1],
noise: sample_Z(batch_size, 100)
})
for j in range(5):
sess.run(train_op['generator'],
feed_dict={
x: batch[0],
y: batch[1],
noise: sample_Z(batch_size, 100)
})
if t % int(train_size / batch_size) == 0:
epoch = int(t / int(train_size / batch_size))
var_list = [d_real_mean, d_fake_mean]
res = sess.run(var_list,
feed_dict={
x: batch[0],
y: batch[1],
noise: sample_Z(batch_size, 100)
})
print(epoch)
for r in res:
print(r)
if epoch == epochs:
img_real = batch[0].reshape([batch_size, 28, 28])
save_images(img_real, [10, 10],
os.path.join('img', 'real.png'))
img_fake = sess.run(x_fake,
feed_dict={
x: batch[0],
y: batch[1],
noise: sample_Z(batch_size, 100)
})
img_fake = img_fake.reshape([batch_size, 28, 28])
save_images(img_fake, [10, 10],
os.path.join('img', 'fake.png'))
def main():
sess = tf.Session()
global_step = tf.Variable(0, name='global_step', trainable=False)
tf.set_random_seed(random_seed)
saver = tf.train.Saver()
x = tf.placeholder(tf.float32, [None, 784]) # input
label = tf.placeholder(tf.float32, [None, 10]) # true label
y_target = tf.placeholder(tf.float32, [None, 10]) # noise vector
x1 = tf.placeholder(tf.float32, [None, 784])
x2 = tf.placeholder(tf.float32, [None, 784])
y_1 = model_1(x)
y_2 = model_2(x)
y_3 = model_3(x)
loss_1 = softmax_loss(label, y_1)
loss_2 = softmax_loss(label, y_2)
loss_3 = softmax_loss(label, y_3)
all_vars = tf.trainable_variables()
model_1_vars = [var for var in all_vars if 'model_1' in var.name]
model_2_vars = [var for var in all_vars if 'model_2' in var.name]
model_3_vars = [var for var in all_vars if 'model_3' in var.name]
train_op_1 = GradientDescentOptimizer(
learning_rate=learning_rate).minimize(loss_1,
var_list=model_1_vars,
global_step=global_step)
train_op_2 = GradientDescentOptimizer(
learning_rate=learning_rate).minimize(loss_2,
var_list=model_2_vars,
global_step=global_step)
train_op_3 = GradientDescentOptimizer(
learning_rate=learning_rate).minimize(loss_3,
var_list=model_3_vars,
global_step=global_step)
x_fgsm_1 = attack.fgsm(x, y_1, eps=0.3, clip_min=0, clip_max=1)
x_fgsm_2 = attack.fgsm(x, y_2, eps=0.3, clip_min=0, clip_max=1)
x_fgsm_3 = attack.fgsm(x, y_3, eps=0.3, clip_min=0, clip_max=1)
mnist = input_data.read_data_sets('MNIST_data', one_hot=True)
y_target = np.zeros((10000, 10), dtype=np.float32)
y_target[:, 0] = 1.0
sess.run(tf.global_variables_initializer())
with sess.as_default():
print('train models')
for t in range(1, steps + 1):
batch = mnist.train.next_batch(batch_size)
sess.run(train_op_1, feed_dict={x: batch[0], label: batch[1]})
sess.run(train_op_2, feed_dict={x: batch[0], label: batch[1]})
sess.run(train_op_3, feed_dict={x: batch[0], label: batch[1]})
if t % 550 == 0:
epoch = int(t / 550)
acc_1 = sess.run(accuracy(label, y_1),
feed_dict={
x: mnist.test.images,
label: mnist.test.labels
})
acc_2 = sess.run(accuracy(label, y_2),
feed_dict={
x: mnist.test.images,
label: mnist.test.labels
})
acc_3 = sess.run(accuracy(label, y_3),
feed_dict={
x: mnist.test.images,
label: mnist.test.labels
})
print(epoch, acc_1, acc_2, acc_3)
print('generate adv samples')
# fgsm
x_fgsm_1_data = sess.run(x_fgsm_1,
feed_dict={
x: mnist.test.images,
label: mnist.test.labels
})
np.save(os.path.join('data', 'mnist', 'x_fgsm_1_data.npy'),
x_fgsm_1_data)
acc_fgsm_1 = sess.run(accuracy(label, y_1),
feed_dict={
x: x_fgsm_1_data,
label: mnist.test.labels
})
x_fgsm_2_data = sess.run(x_fgsm_2,
feed_dict={
x: mnist.test.images,
label: mnist.test.labels
})
np.save(os.path.join('data', 'mnist', 'x_fgsm_2_data.npy'),
x_fgsm_2_data)
acc_fgsm_2 = sess.run(accuracy(label, y_2),
feed_dict={
x: x_fgsm_2_data,
label: mnist.test.labels
})
x_fgsm_3_data = sess.run(x_fgsm_3,
feed_dict={
x: mnist.test.images,
label: mnist.test.labels
})
np.save(os.path.join('data', 'mnist', 'x_fgsm_3_data.npy'),
x_fgsm_3_data)
acc_fgsm_3 = sess.run(accuracy(label, y_3),
feed_dict={
x: x_fgsm_3_data,
label: mnist.test.labels
})
x_data = mnist.test.images
x_perturb_data = x_data + np.random.normal(
loc=0.0, scale=0.1, size=[10000, 784])
x_perturb_data = np.clip(x_perturb_data, 0, 1)
x_fgsm_rd_1_data = sess.run(x_fgsm_1,
feed_dict={
x: x_perturb_data,
label: mnist.test.labels
})
np.save(os.path.join('data', 'mnist', 'x_fgsm_rd_1_data.npy'),
x_fgsm_rd_1_data)
acc_fgsm_rd_1 = sess.run(accuracy(label, y_1),
feed_dict={
x: x_fgsm_rd_1_data,
label: mnist.test.labels
})
x_fgsm_rd_2_data = sess.run(x_fgsm_2,
feed_dict={
x: x_perturb_data,
label: mnist.test.labels
})
np.save(os.path.join('data', 'mnist', 'x_fgsm_rd_2_data.npy'),
x_fgsm_rd_2_data)
acc_fgsm_rd_2 = sess.run(accuracy(label, y_2),
feed_dict={
x: x_fgsm_rd_2_data,
label: mnist.test.labels
})
x_fgsm_rd_3_data = sess.run(x_fgsm_3,
feed_dict={
x: x_perturb_data,
label: mnist.test.labels
})
np.save(os.path.join('data', 'mnist', 'x_fgsm_rd_3_data.npy'),
x_fgsm_rd_3_data)
acc_fgsm_rd_3 = sess.run(accuracy(label, y_3),
feed_dict={
x: x_fgsm_rd_3_data,
label: mnist.test.labels
})
x_fgsm_it_1_data = np.copy(mnist.test.images)
x_fgsm_it_2_data = np.copy(mnist.test.images)
x_fgsm_it_3_data = np.copy(mnist.test.images)
for _ in range(10):
grad_1 = sess.run(tf.gradients(loss_1, x)[0],
feed_dict={
x: x_fgsm_it_1_data,
label: mnist.test.labels
})
x_fgsm_it_1_data += np.sign(grad_1) * 0.01
x_fgsm_it_1_data = np.clip(x_fgsm_it_1_data, 0, 1)
grad_2 = sess.run(tf.gradients(loss_2, x)[0],
feed_dict={
x: x_fgsm_it_2_data,
label: mnist.test.labels
})
x_fgsm_it_2_data += np.sign(grad_2) * 0.01
x_fgsm_it_2_data = np.clip(x_fgsm_it_2_data, 0, 1)
grad_3 = sess.run(tf.gradients(loss_3, x)[0],
feed_dict={
x: x_fgsm_it_3_data,
label: mnist.test.labels
})
x_fgsm_it_3_data += np.sign(grad_3) * 0.01
x_fgsm_it_3_data = np.clip(x_fgsm_it_3_data, 0, 1)
np.save(os.path.join('data', 'mnist', 'x_fgsm_it_1_data.npy'),
x_fgsm_it_1_data)
acc_fgsm_it_1 = sess.run(accuracy(label, y_1),
feed_dict={
x: x_fgsm_it_1_data,
label: mnist.test.labels
})
np.save(os.path.join('data', 'mnist', 'x_fgsm_it_2_data.npy'),
x_fgsm_it_2_data)
acc_fgsm_it_2 = sess.run(accuracy(label, y_2),
feed_dict={
x: x_fgsm_it_2_data,
label: mnist.test.labels
})
np.save(os.path.join('data', 'mnist', 'x_fgsm_it_3_data.npy'),
x_fgsm_it_3_data)
acc_fgsm_it_3 = sess.run(accuracy(label, y_3),
feed_dict={
x: x_fgsm_it_3_data,
label: mnist.test.labels
})
grad_tg_1 = sess.run(tf.gradients(loss_1, x)[0],
feed_dict={
x: mnist.test.images,
label: y_target
})
x_fgsm_tg_1_data = mnist.test.images - np.sign(grad_tg_1) * 0.3
x_fgsm_tg_1_data = np.clip(x_fgsm_tg_1_data, 0, 1)
grad_tg_2 = sess.run(tf.gradients(loss_2, x)[0],
feed_dict={
x: mnist.test.images,
label: y_target
})
x_fgsm_tg_2_data = mnist.test.images - np.sign(grad_tg_2) * 0.3
x_fgsm_tg_2_data = np.clip(x_fgsm_tg_2_data, 0, 1)
grad_tg_3 = sess.run(tf.gradients(loss_3, x)[0],
feed_dict={
x: mnist.test.images,
label: y_target
})
x_fgsm_tg_3_data = mnist.test.images - np.sign(grad_tg_3) * 0.3
x_fgsm_tg_3_data = np.clip(x_fgsm_tg_3_data, 0, 1)
np.save(os.path.join('data', 'mnist', 'x_fgsm_tg_1_data.npy'),
x_fgsm_tg_1_data)
acc_fgsm_tg_1 = sess.run(accuracy(label, y_1),
feed_dict={
x: x_fgsm_tg_1_data,
label: mnist.test.labels
})
np.save(os.path.join('data', 'mnist', 'x_fgsm_tg_2_data.npy'),
x_fgsm_tg_2_data)
acc_fgsm_tg_2 = sess.run(accuracy(label, y_2),
feed_dict={
x: x_fgsm_tg_2_data,
label: mnist.test.labels
})
np.save(os.path.join('data', 'mnist', 'x_fgsm_tg_3_data.npy'),
x_fgsm_tg_3_data)
acc_fgsm_tg_3 = sess.run(accuracy(label, y_3),
feed_dict={
x: x_fgsm_tg_3_data,
label: mnist.test.labels
})
print('Accuracy fgsm bl: {:.4f}, {:.4f}, {:.4f}'.format(
acc_fgsm_1, acc_fgsm_2, acc_fgsm_3))
print('Accuracy fgsm rd: {:.4f}, {:.4f}, {:.4f}'.format(
acc_fgsm_rd_1, acc_fgsm_rd_2, acc_fgsm_rd_3))
print('Accuracy fgsm it: {:.4f}, {:.4f}, {:.4f}'.format(
acc_fgsm_it_1, acc_fgsm_it_2, acc_fgsm_it_3))
print('Accuracy fgsm tg: {:.4f}, {:.4f}, {:.4f}'.format(
acc_fgsm_tg_1, acc_fgsm_tg_2, acc_fgsm_tg_3))
return
def main(_):
clip_bound = 0.01 # 'the clip bound of the gradients'
clip_bound_2 = 1 / 1.5 #'the clip bound for r_kM'
small_num = 1e-5 # 'a small number'
large_num = 1e5 # a large number'
num_images = 60000 # 'number of images N'
batch_size = 600 # 'batch_size L'
sample_rate = 600 / 60000 # 'sample rate q = L / N'
num_steps = 160000 # 'number of steps T = E * N / L = E / q'
num_epoch = 24 # 'number of epoches E'
sigma = 5 # 'sigma'
delta = 1e-5 # 'delta'
lambd = 1e3 # 'exponential distribution parameter'
iterative_clip_step = 2 # 'iterative_clip_step'
clip = 1 # 'whether to clip the gradient'
noise = 0 # 'whether to add noise'
redistribute = 0 # 'whether to redistribute the noise'
D = 60000
'''from tensorflow.examples.tutorials.mnist import input_data;
mnist = input_data.read_data_sets(FLAGS.data_dir, one_hot=True);'''
sess = tf.InteractiveSession()
# Create the model
x = tf.placeholder(tf.float32, [None, 784])
x_image = tf.reshape(x, [-1, 28, 28, 1])
W_conv1 = weight_variable([5, 5, 1, 32])
b_conv1 = bias_variable([32])
h_conv1 = tf.nn.relu(conv2d(x_image, W_conv1) + b_conv1)
h_pool1 = max_pool_2x2(h_conv1)
W_conv2 = weight_variable([5, 5, 32, 64])
b_conv2 = bias_variable([64])
h_conv2 = tf.nn.relu(conv2d(h_pool1, W_conv2) + b_conv2)
h_pool2 = max_pool_2x2(h_conv2)
W_fc1 = weight_variable([7 * 7 * 64, 25])
b_fc1 = bias_variable([25])
h_pool2_flat = tf.reshape(h_pool2, [-1, 7 * 7 * 64])
h_fc1 = tf.nn.relu(tf.matmul(h_pool2_flat, W_fc1) + b_fc1)
keep_prob = tf.placeholder(tf.float32)
h_fc1_drop = tf.nn.dropout(h_fc1, keep_prob)
W_fc2 = weight_variable([25, 10])
b_fc2 = bias_variable([10])
y_conv = tf.matmul(h_fc1_drop, W_fc2) + b_fc2
# Define loss and optimizer
y_ = tf.placeholder(tf.float32, [None, 10])
d = 25 * 10 + 25 * 7 * 7 * 64 + 5 * 5 * 32 * 64 + 5 * 5 * 32
# number of parameters
M = d
priv_accountant = accountant.GaussianMomentsAccountant(D)
privacy_accum_op = priv_accountant.accumulate_privacy_spending(
[None, None], sigma, batch_size)
#sess.run(tf.initialize_all_variables())
sess.run(tf.global_variables_initializer())
cross_entropy = tf.reduce_mean(
tf.nn.softmax_cross_entropy_with_logits(labels=y_, logits=y_conv))
#train_step = tf.train.AdamOptimizer(1e-5).minimize(cross_entropy);
#train_step = tf.train.AdamOptimizer(1e-5).minimize(cross_entropy)
opt = GradientDescentOptimizer(learning_rate=1e-2)
#compute gradient
gw_W1 = tf.gradients(cross_entropy, W_conv1)[0] # gradient of W1
gb1 = tf.gradients(cross_entropy, b_conv1)[0] # gradient of b1
gw_W2 = tf.gradients(cross_entropy, W_conv2)[0] # gradient of W2
gb2 = tf.gradients(cross_entropy, b_conv2)[0] # gradient of b2
gw_Wf1 = tf.gradients(cross_entropy, W_fc1)[0] # gradient of W_fc1
gbf1 = tf.gradients(cross_entropy, b_fc1)[0] # gradient of b_fc1
gw_Wf2 = tf.gradients(cross_entropy, W_fc2)[0] # gradient of W_fc2
gbf2 = tf.gradients(cross_entropy, b_fc2)[0] # gradient of b_fc2
#clip gradient
gw_W1 = tf.clip_by_norm(gw_W1, clip_bound)
gw_W2 = tf.clip_by_norm(gw_W2, clip_bound)
gw_Wf1 = tf.clip_by_norm(gw_Wf1, clip_bound)
gw_Wf2 = tf.clip_by_norm(gw_Wf2, clip_bound)
#sigma = FLAGS.sigma # when comp_eps(lmbda,q,sigma,T,delta)==epsilon
#sensitivity = 2 * FLAGS.clip_bound #adjacency matrix with one tuple different
sensitivity = clip_bound #adjacency matrix with one more tuple
gw_W1 += tf.random_normal(shape=tf.shape(gw_W1),
mean=0.0,
stddev=(sigma * sensitivity)**2,
dtype=tf.float32)
gb1 += tf.random_normal(shape=tf.shape(gb1),
mean=0.0,
stddev=(sigma * sensitivity)**2,
dtype=tf.float32)
gw_W2 += tf.random_normal(shape=tf.shape(gw_W2),
mean=0.0,
stddev=(sigma * sensitivity)**2,
dtype=tf.float32)
gb2 += tf.random_normal(shape=tf.shape(gb2),
mean=0.0,
stddev=(sigma * sensitivity)**2,
dtype=tf.float32)
gw_Wf1 += tf.random_normal(shape=tf.shape(gw_Wf1),
mean=0.0,
stddev=(sigma * sensitivity)**2,
dtype=tf.float32)
gbf1 += tf.random_normal(shape=tf.shape(gbf1),
mean=0.0,
stddev=(sigma * sensitivity)**2,
dtype=tf.float32)
gw_Wf2 += tf.random_normal(shape=tf.shape(gw_Wf2),
mean=0.0,
stddev=(sigma * sensitivity)**2,
dtype=tf.float32)
gbf2 += tf.random_normal(shape=tf.shape(gbf2),
mean=0.0,
stddev=(sigma * sensitivity)**2,
dtype=tf.float32)
train_step = opt.apply_gradients([(gw_W1, W_conv1), (gb1, b_conv1),
(gw_W2, W_conv2), (gb2, b_conv2),
(gw_Wf1, W_fc1), (gbf1, b_fc1),
(gw_Wf2, W_fc2), (gbf2, b_fc2)])
correct_prediction = tf.equal(tf.argmax(y_conv, 1), tf.argmax(y_, 1))
accuracy = tf.reduce_mean(tf.cast(correct_prediction, tf.float32))
start_time = time.time()
for i in range(num_steps):
batch = mnist.train.next_batch(batch_size)
train_step.run(feed_dict={
x: batch[0],
y_: batch[1],
keep_prob: 0.5
})
if i % 100 == 0:
#train_accuracy = accuracy.eval(feed_dict={x:batch[0], y_: batch[1], keep_prob: 1.0});
#print("step \t %d \t training accuracy \t %g"%(i, train_accuracy));
print("step \t %d \t test accuracy \t %g" %
(i,
accuracy.eval(feed_dict={
x: mnist.test.images,
y_: mnist.test.labels,
keep_prob: 1.0
})))
#epsilon = comp_eps(32, sample_rate, sigma, i, delta)
#print("epsilon: {}".format(epsilon))
sess.run([privacy_accum_op])
spent_eps_deltas = priv_accountant.get_privacy_spent(
sess, target_eps=target_eps)
#print(i, spent_eps_deltas)
_break = False
for _eps, _delta in spent_eps_deltas:
if _delta >= delta:
_break = True
break
if _break == True:
break
duration = time.time() - start_time
print("test accuracy %g" % accuracy.eval(feed_dict={
x: mnist.test.images,
y_: mnist.test.labels,
keep_prob: 1.0
}))
print(float(duration))
def train(fgsm_eps, _dp_epsilon, _attack_norm_bound, log_filename, ratio):
FLAGS = None
#ratio = 16
#target_eps = [0.125,0.25,0.5,1,2,4,8]
#target_eps = [0.25 + 0.25*ratio]
target_eps = [0.2 + 0.2 * ratio]
#print(target_eps[0])
#fgsm_eps = 0.1
dp_epsilon = _dp_epsilon
image_size = 28
_log_filename = log_filename + str(target_eps[0]) + '_fgsm_' + str(
fgsm_eps) + '_dpeps_' + str(dp_epsilon) + '_attack_norm_bound_' + str(
_attack_norm_bound) + '.txt'
clip_bound = 0.001 # 'the clip bound of the gradients'
clip_bound_2 = 1 / 1.5 # 'the clip bound for r_kM'
small_num = 1e-5 # 'a small number'
large_num = 1e5 # a large number'
num_images = 50000 # 'number of images N'
batch_size = 125 # 'batch_size L'
sample_rate = batch_size / 50000 # 'sample rate q = L / N'
# 900 epochs
num_steps = 1800000 # 'number of steps T = E * N / L = E / q'
num_epoch = 24 # 'number of epoches E'
sigma = 5 # 'sigma'
delta = 1e-5 # 'delta'
lambd = 1e3 # 'exponential distribution parameter'
iterative_clip_step = 2 # 'iterative_clip_step'
clip = 1 # 'whether to clip the gradient'
noise = 0 # 'whether to add noise'
redistribute = 0 # 'whether to redistribute the noise'
D = 50000
sess = tf.InteractiveSession()
# Create the model
x = tf.placeholder(tf.float32, [None, 784])
y_ = tf.placeholder(tf.float32, [None, 10])
keep_prob = tf.placeholder(tf.float32)
W_conv1 = weight_variable([5, 5, 1, 32])
b_conv1 = bias_variable([32])
W_conv2 = weight_variable([5, 5, 32, 64])
b_conv2 = bias_variable([64])
W_fc1 = weight_variable([7 * 7 * 64, 25])
b_fc1 = bias_variable([25])
W_fc2 = weight_variable([25, 10])
b_fc2 = bias_variable([10])
def inference(x, dp_mult):
x_image = tf.reshape(x, [-1, 28, 28, 1])
h_conv1 = tf.nn.relu((conv2d(x_image, W_conv1) + b_conv1) + dp_mult)
h_pool1 = max_pool_2x2(h_conv1)
h_conv2 = tf.nn.relu(conv2d(h_pool1, W_conv2) + b_conv2)
h_pool2 = max_pool_2x2(h_conv2)
h_pool2_flat = tf.reshape(h_pool2, [-1, 7 * 7 * 64])
h_fc1 = tf.nn.relu(tf.matmul(h_pool2_flat, W_fc1) + b_fc1)
h_fc1_drop = tf.nn.dropout(h_fc1, keep_prob)
y_conv = tf.matmul(h_fc1_drop, W_fc2) + b_fc2
return y_conv, h_conv1
def inference_prob(x):
logits, _ = inference(x, 0)
y_prob = tf.nn.softmax(logits)
return y_prob
shape = W_conv1.get_shape().as_list()
w_t = tf.reshape(W_conv1, [-1, shape[-1]])
w = tf.transpose(w_t)
sing_vals = tf.svd(w, compute_uv=False)
sensitivityW = tf.reduce_max(sing_vals)
dp_delta = 0.05
attack_norm_bound = _attack_norm_bound
dp_mult = attack_norm_bound * math.sqrt(
2 * math.log(1.25 / dp_delta)) / dp_epsilon
noise = tf.placeholder(tf.float32, [None, 28, 28, 32])
#y_conv, h_conv1 = inference(x, dp_mult * noise)
y_conv, h_conv1 = inference(x, attack_norm_bound * noise)
softmax_y = tf.nn.softmax(y_conv)
# Define loss and optimizer
priv_accountant = accountant.GaussianMomentsAccountant(D)
privacy_accum_op = priv_accountant.accumulate_privacy_spending(
[None, None], sigma, batch_size)
# sess.run(tf.initialize_all_variables())
sess.run(tf.global_variables_initializer())
cross_entropy = tf.reduce_mean(
tf.nn.softmax_cross_entropy_with_logits(labels=y_, logits=y_conv))
#train_step = tf.train.AdamOptimizer(1e-5).minimize(cross_entropy);
#train_step = tf.train.AdamOptimizer(1e-5).minimize(cross_entropy)
# noise redistribution #
grad, = tf.gradients(cross_entropy, h_conv1)
normalized_grad = tf.sign(grad)
normalized_grad = tf.stop_gradient(normalized_grad)
normalized_grad_r = tf.abs(tf.reduce_mean(normalized_grad, axis=(0)))
#print(normalized_grad_r)
sum_r = tf.reduce_sum(normalized_grad_r, axis=(0, 1, 2), keepdims=False)
#print(sum_r)
normalized_grad_r = 256 * 32 * normalized_grad_r / sum_r
print(normalized_grad_r)
shape_grad = normalized_grad_r.get_shape().as_list()
grad_t = tf.reshape(normalized_grad_r, [-1, shape_grad[-1]])
g = tf.transpose(grad_t)
sing_g_vals = tf.svd(g, compute_uv=False)
sensitivity_2 = tf.reduce_max(sing_g_vals)
########################
opt = GradientDescentOptimizer(learning_rate=1e-1)
# compute gradient
gw_W1 = tf.gradients(cross_entropy, W_conv1)[0] # gradient of W1
gb1 = tf.gradients(cross_entropy, b_conv1)[0] # gradient of b1
gw_W2 = tf.gradients(cross_entropy, W_conv2)[0] # gradient of W2
gb2 = tf.gradients(cross_entropy, b_conv2)[0] # gradient of b2
gw_Wf1 = tf.gradients(cross_entropy, W_fc1)[0] # gradient of W_fc1
gbf1 = tf.gradients(cross_entropy, b_fc1)[0] # gradient of b_fc1
gw_Wf2 = tf.gradients(cross_entropy, W_fc2)[0] # gradient of W_fc2
gbf2 = tf.gradients(cross_entropy, b_fc2)[0] # gradient of b_fc2
# clip gradient
gw_W1 = tf.clip_by_norm(gw_W1, clip_bound)
gw_W2 = tf.clip_by_norm(gw_W2, clip_bound)
gw_Wf1 = tf.clip_by_norm(gw_Wf1, clip_bound)
gw_Wf2 = tf.clip_by_norm(gw_Wf2, clip_bound)
# sigma = FLAGS.sigma # when comp_eps(lmbda,q,sigma,T,delta)==epsilon
# sensitivity = 2 * FLAGS.clip_bound #adjacency matrix with one tuple different
sensitivity = clip_bound # adjacency matrix with one more tuple
gw_W1 += tf.random_normal(shape=tf.shape(gw_W1),
mean=0.0,
stddev=(sigma * sensitivity)**2,
dtype=tf.float32)
gb1 += tf.random_normal(shape=tf.shape(gb1),
mean=0.0,
stddev=(sigma * sensitivity)**2,
dtype=tf.float32)
gw_W2 += tf.random_normal(shape=tf.shape(gw_W2),
mean=0.0,
stddev=(sigma * sensitivity)**2,
dtype=tf.float32)
gb2 += tf.random_normal(shape=tf.shape(gb2),
mean=0.0,
stddev=(sigma * sensitivity)**2,
dtype=tf.float32)
gw_Wf1 += tf.random_normal(shape=tf.shape(gw_Wf1),
mean=0.0,
stddev=(sigma * sensitivity)**2,
dtype=tf.float32)
gbf1 += tf.random_normal(shape=tf.shape(gbf1),
mean=0.0,
stddev=(sigma * sensitivity)**2,
dtype=tf.float32)
gw_Wf2 += tf.random_normal(shape=tf.shape(gw_Wf2),
mean=0.0,
stddev=(sigma * sensitivity)**2,
dtype=tf.float32)
gbf2 += tf.random_normal(shape=tf.shape(gbf2),
mean=0.0,
stddev=(sigma * sensitivity)**2,
dtype=tf.float32)
train_step = opt.apply_gradients([(gw_W1, W_conv1), (gb1, b_conv1),
(gw_W2, W_conv2), (gb2, b_conv2),
(gw_Wf1, W_fc1), (gbf1, b_fc1),
(gw_Wf2, W_fc2), (gbf2, b_fc2)])
# craft adversarial samples from x for testing
#softmax_y_test = tf.nn.softmax(y_conv)
#====================== attack =========================
attack_switch = {
'fgsm': True,
'ifgsm': True,
'deepfool': False,
'mim': True,
'spsa': False,
'cwl2': False,
'madry': True,
'stm': False
}
# define cleverhans abstract models for using cleverhans attacks
ch_model_logits = CallableModelWrapper(callable_fn=inference,
output_layer='logits')
ch_model_probs = CallableModelWrapper(callable_fn=inference_prob,
output_layer='probs')
# define each attack method's tensor
attack_tensor_dict = {}
# FastGradientMethod
if attack_switch['fgsm']:
print('creating attack tensor of FastGradientMethod')
fgsm_obj = FastGradientMethod(model=ch_model_probs, sess=sess)
x_adv_test_fgsm = fgsm_obj.generate(x=x,
eps=fgsm_eps,
clip_min=0.0,
clip_max=1.0) # testing now
attack_tensor_dict['fgsm'] = x_adv_test_fgsm
# Iterative FGSM (BasicIterativeMethod/ProjectedGradientMethod with no random init)
# default: eps_iter=0.05, nb_iter=10
if attack_switch['ifgsm']:
print('creating attack tensor of BasicIterativeMethod')
ifgsm_obj = BasicIterativeMethod(model=ch_model_probs, sess=sess)
x_adv_test_ifgsm = ifgsm_obj.generate(x=x,
eps=fgsm_eps,
eps_iter=fgsm_eps / 10,
nb_iter=10,
clip_min=0.0,
clip_max=1.0)
attack_tensor_dict['ifgsm'] = x_adv_test_ifgsm
# MomentumIterativeMethod
# default: eps_iter=0.06, nb_iter=10
if attack_switch['mim']:
print('creating attack tensor of MomentumIterativeMethod')
mim_obj = MomentumIterativeMethod(model=ch_model_probs, sess=sess)
x_adv_test_mim = mim_obj.generate(x=x,
eps=fgsm_eps,
eps_iter=fgsm_eps / 10,
nb_iter=10,
decay_factor=1.0,
clip_min=0.0,
clip_max=1.0)
attack_tensor_dict['mim'] = x_adv_test_mim
# MadryEtAl (Projected Grdient with random init, same as rand+fgsm)
# default: eps_iter=0.01, nb_iter=40
if attack_switch['madry']:
print('creating attack tensor of MadryEtAl')
madry_obj = MadryEtAl(model=ch_model_probs, sess=sess)
x_adv_test_madry = madry_obj.generate(x=x,
eps=fgsm_eps,
eps_iter=fgsm_eps / 10,
nb_iter=10,
clip_min=0.0,
clip_max=1.0)
attack_tensor_dict['madry'] = x_adv_test_madry
#====================== attack =========================
#Define the correct prediction and accuracy#
correct_prediction_x = tf.equal(tf.argmax(y_conv, 1), tf.argmax(y_, 1))
accuracy_x = tf.reduce_mean(tf.cast(correct_prediction_x, tf.float32))
correct_prediction = tf.equal(tf.argmax(y_conv, 1), tf.argmax(y_, 1))
accuracy = tf.reduce_mean(tf.cast(correct_prediction, tf.float32))
s = math.log(sqrt(2.0 / math.pi) * 1e+5)
sigmaEGM = sqrt(2.0) * 1.0 * (sqrt(s) +
sqrt(s + dp_epsilon)) / (2.0 * dp_epsilon)
print(sigmaEGM)
__noiseE = np.random.normal(0.0, sigmaEGM**2,
28 * 28 * 32).astype(np.float32)
__noiseE = np.reshape(__noiseE, [-1, 28, 28, 32])
start_time = time.time()
logfile = open(_log_filename, 'w')
last_eval_time = -1
accum_time = 0
accum_epoch = 0
max_benign_acc = -1
max_adv_acc_dict = {}
test_size = len(mnist.test.images)
print("Computing The Noise Redistribution Vector")
for i in range(4000):
batch = mnist.train.next_batch(batch_size)
sess.run([train_step],
feed_dict={
x: batch[0],
y_: batch[1],
keep_prob: 0.5,
noise: __noiseE * 0
})
batch = mnist.train.next_batch(batch_size * 10)
grad_redis = sess.run([normalized_grad_r],
feed_dict={
x: batch[0],
y_: batch[1],
keep_prob: 1.0,
noise: __noiseE * 0
})
#print(grad_redis)
_sensitivity_2 = sess.run([sensitivity_2],
feed_dict={
x: batch[0],
y_: batch[1],
keep_prob: 1.0,
noise: __noiseE * 0
})
#print(_sensitivity_2)
_sensitivityW = sess.run(sensitivityW)
#print(_sensitivityW)
Delta_redis = _sensitivityW / sqrt(_sensitivity_2[0])
#print(Delta_redis)
sigmaHGM = sqrt(2.0) * Delta_redis * (sqrt(s) + sqrt(s + dp_epsilon)) / (
2.0 * dp_epsilon)
#print(sigmaHGM)
__noiseH = np.random.normal(0.0, sigmaHGM**2,
28 * 28 * 32).astype(np.float32)
__noiseH = np.reshape(__noiseH, [-1, 28, 28, 32]) * grad_redis
sess.run(tf.global_variables_initializer())
print("Training")
for i in range(num_steps):
batch = mnist.train.next_batch(batch_size)
sess.run(
[train_step],
feed_dict={
x: batch[0],
y_: batch[1],
keep_prob: 0.5,
noise: (__noiseE + __noiseH) / 2
})
sess.run([privacy_accum_op])
spent_eps_deltas = priv_accountant.get_privacy_spent(
sess, target_eps=target_eps)
if i % 1000 == 0:
print(i, spent_eps_deltas)
_break = False
for _eps, _delta in spent_eps_deltas:
if _delta >= delta:
_break = True
break
if _break == True:
break
print("Testing")
benign_acc = accuracy_x.eval(
feed_dict={
x: mnist.test.images,
y_: mnist.test.labels,
keep_prob: 1.0,
noise: (__noiseE + __noiseH) / 2
})
### PixelDP Robustness ###
adv_acc_dict = {}
robust_adv_acc_dict = {}
robust_adv_utility_dict = {}
for atk in attack_switch.keys():
if atk not in adv_acc_dict:
adv_acc_dict[atk] = -1
robust_adv_acc_dict[atk] = -1
robust_adv_utility_dict[atk] = -1
if attack_switch[atk]:
adv_images_dict = sess.run(attack_tensor_dict[atk],
feed_dict={
x: mnist.test.images,
y_: mnist.test.labels,
keep_prob: 1.0
})
#grad_redis = sess.run([normalized_grad_r], feed_dict={x: adv_images_dict, y_: mnist.test.labels, keep_prob: 1.0, noise:__noise})
### Robustness ###
predictions_form_argmax = np.zeros([test_size, 10])
softmax_predictions = softmax_y.eval(
feed_dict={
x: adv_images_dict,
keep_prob: 1.0,
noise: (__noiseE + __noiseH) / 2
})
argmax_predictions = np.argmax(softmax_predictions, axis=1)
for n_draws in range(0, 2000):
if n_draws % 1000 == 0:
print(n_draws)
_noiseE = np.random.normal(0.0, sigmaEGM**2,
28 * 28 * 32).astype(np.float32)
_noiseE = np.reshape(_noiseE, [-1, 28, 28, 32])
_noise = np.random.normal(0.0, sigmaHGM**2,
28 * 28 * 32).astype(np.float32)
_noise = np.reshape(_noise, [-1, 28, 28, 32]) * grad_redis
for j in range(test_size):
pred = argmax_predictions[j]
predictions_form_argmax[j, pred] += 1
softmax_predictions = softmax_y.eval(
feed_dict={
x: adv_images_dict,
keep_prob: 1.0,
noise: (__noiseE + __noiseH) / 2 +
(_noiseE + _noise) / 4
})
argmax_predictions = np.argmax(softmax_predictions, axis=1)
final_predictions = predictions_form_argmax
is_correct = []
is_robust = []
for j in range(test_size):
is_correct.append(
np.argmax(mnist.test.labels[j]) == np.argmax(
final_predictions[j]))
robustness_from_argmax = robustnessGGaussian.robustness_size_argmax(
counts=predictions_form_argmax[j],
eta=0.05,
dp_attack_size=fgsm_eps,
dp_epsilon=dp_epsilon,
dp_delta=1e-5,
dp_mechanism='gaussian') / dp_mult
is_robust.append(robustness_from_argmax >= fgsm_eps)
adv_acc_dict[atk] = np.sum(is_correct) * 1.0 / test_size
robust_adv_acc_dict[atk] = np.sum([
a and b for a, b in zip(is_robust, is_correct)
]) * 1.0 / np.sum(is_robust)
robust_adv_utility_dict[atk] = np.sum(is_robust) * 1.0 / test_size
print(" {}: {:.4f} {:.4f} {:.4f} {:.4f}".format(
atk, adv_acc_dict[atk], robust_adv_acc_dict[atk],
robust_adv_utility_dict[atk],
robust_adv_acc_dict[atk] * robust_adv_utility_dict[atk]))
##############################
log_str = "step: {}\t target_epsilon: {}\t dp_epsilon: {:.1f}\t attack_norm_bound: {:.1f}\t benign_acc: {:.4f}\t".format(
i, target_eps, dp_epsilon, attack_norm_bound, benign_acc)
for atk in attack_switch.keys():
if attack_switch[atk]:
log_str += " {}: {:.4f} {:.4f} {:.4f} {:.4f}".format(
atk, adv_acc_dict[atk], robust_adv_acc_dict[atk],
robust_adv_utility_dict[atk],
robust_adv_acc_dict[atk] * robust_adv_utility_dict[atk])
print(log_str)
logfile.write(log_str + '\n')
##############################
duration = time.time() - start_time
logfile.write(str(duration) + '\n')
logfile.flush()
logfile.close()
def main():
random_seed = 1024
train_size, test_size = 55000, 10000
batch_size = 100
learning_rate = 0.05
epochs = 20
steps = epochs * 550
sess = tf.Session()
global_step = tf.Variable(0, name = 'global_step', trainable = False)
tf.set_random_seed(random_seed)
saver = tf.train.Saver()
x = tf.placeholder(tf.float32, [None, 784]) # input
label = tf.placeholder(tf.float32, [None, 10]) # true label
noise = tf.placeholder(tf.float32, [None, 100]) # noise vector
y_target = tf.placeholder(tf.float32, [None, 10]) # target label
x1 = tf.placeholder(tf.float32, [None, 784])
x2 = tf.placeholder(tf.float32, [None, 784])
y = classifier(x)
# gan
x_gan = generator(x, noise, 4)
y_gan = classifier(x_gan)
loss = softmax_loss(label, y)
loss_gan = - softmax_loss(label, y_gan)
all_vars = tf.trainable_variables()
c_vars = [var for var in all_vars if 'classifier' in var.name]
g_vars = [var for var in all_vars if 'generator' in var.name]
train_op_classifier = GradientDescentOptimizer(learning_rate = learning_rate) \
.minimize(loss, var_list = c_vars, global_step = global_step)
train_op_generator = GradientDescentOptimizer(learning_rate = 0.05) \
.minimize(loss_gan, var_list = g_vars, global_step = global_step)
#fgsm
x_fgsm = attack.fgsm(x, y, eps = 0.2, clip_min=0, clip_max=1)
y_fgsm = classifier(x_fgsm)
# jsma
jsma = SaliencyMapMethod(classifier, back='tf', sess=sess)
# train
mnist = input_data.read_data_sets('MNIST_data', one_hot=True)
y_target_batch = np.zeros((100, 10), dtype=np.float32)
y_target_batch[:, 0] = 1.0
y_target_test = np.zeros((10000, 10), dtype=np.float32)
y_target_test[:, 0] = 1.0
sess.run(tf.global_variables_initializer())
with sess.as_default():
print('train classifier')
for t in range(1, steps + 1):
batch = mnist.train.next_batch(batch_size)
sess.run(train_op_classifier, feed_dict={x: batch[0], label: batch[1]})
if t % 550 == 0:
epoch = int(t / 550)
acc_benign = sess.run(get_acc(x, label), feed_dict={x: mnist.test.images, label: mnist.test.labels})
print(epoch, acc_benign)
print('train gan')
for t in range(1, 550 * 5 + 1):
batch = mnist.train.next_batch(batch_size)
f_dict = {x: batch[0], label: batch[1], noise: sample_Z(batch_size, 100), y_target: y_target_batch}
sess.run(train_op_generator, feed_dict=f_dict)
if t % 550 == 0:
epoch = int(t / 550)
f_dict = {x: mnist.test.images, label: mnist.test.labels, noise: sample_Z(10000, 100), y_target: y_target_batch}
x_gan_d = sess.run(x_gan, feed_dict=f_dict)
f_dict = {x: x_gan_d, label: mnist.test.labels}
acc_gan = sess.run(get_acc(x, label), feed_dict=f_dict)
print(epoch, acc_gan)
checkpoint_path = os.path.join('model', 'basic_model.ckpt')
#saver.save(sess, checkpoint_path, global_step = 1)
print('generate adv samples for the first batch of the testing set')
# real
x_real_mnist_1 = mnist.test.images[0:100,]
np.save(os.path.join('data','x_real_mnist_1.npy'), x_real_mnist_1)
x_real_mnist_1_r = x_real_mnist_1.reshape([100, 28, 28])
save_images(x_real_mnist_1_r, [10, 10], os.path.join('img', 'x_real_mnist_1.png'))
# fgsm
x_fgsm_mnist_1 = sess.run(x_fgsm, feed_dict = {x: mnist.test.images[0:100,], label: mnist.test.labels[0:100,]})
np.save(os.path.join('data','x_fgsm_mnist_1.npy'), x_fgsm_mnist_1)
x_fgsm_mnist_1_r = x_fgsm_mnist_1.reshape([100, 28, 28])
save_images(x_fgsm_mnist_1_r, [10, 10], os.path.join('img', 'x_fgsm_mnist_1.png'))
#jsma
jsma_params = {'theta': 1., 'gamma': 0.1,'nb_classes': 10, 'clip_min': 0.,'clip_max': 1., 'targets': y,\
'y_val': y_target_batch}
x_jsma_mnist_1 = jsma.generate_np(mnist.test.images[0:100,], **jsma_params)
np.save(os.path.join('data','x_jsma_mnist_1.npy'), x_jsma_mnist_1)
acc_jsma_1 = sess.run(get_acc(x, label), feed_dict={x: x_jsma_mnist_1, label: mnist.test.labels[0:100,]})
x_jsma_mnist_1_r = x_jsma_mnist_1.reshape([100, 28, 28])
save_images(x_jsma_mnist_1_r, [10, 10], os.path.join('img', 'x_jsma_mnist_1.png'))
x_gan_mnist_1 = sess.run(x_gan, feed_dict={x: mnist.test.images[0:100,] ,label: mnist.test.labels[0:100,]\
, noise: sample_Z(batch_size, 100), y_target: y_target_batch})
np.save(os.path.join('data','x_gan_mnist_1.npy'), x_gan_mnist_1)
x_gan_mnist_1_r = x_gan_mnist_1.reshape([100, 28, 28])
save_images(x_gan_mnist_1_r, [10, 10], os.path.join('img', 'x_gan_mnist_1.png'))
diff_fgsm = sess.run(diff(x1, x2), feed_dict={x1: x_real_mnist_1, x2: x_fgsm_mnist_1})
diff_jsma = sess.run(diff(x1, x2), feed_dict={x1: x_real_mnist_1, x2: x_jsma_mnist_1})
diff_gan = sess.run(diff(x1, x2), feed_dict={x1: x_real_mnist_1, x2: x_gan_mnist_1})
print('perturb: fgsm: {:.3f}, jsma: {:.3f}, gan: {:.3f}'.format(diff_fgsm, diff_jsma, diff_gan))
acc_benign = sess.run(get_acc(x, label), feed_dict={x: mnist.test.images, label: mnist.test.labels})
print('generate adv samples for the entire testing set')
# fgsm
x_fgsm_mnist = sess.run(x_fgsm, feed_dict = {x: mnist.test.images, label: mnist.test.labels})
np.save(os.path.join('data','x_fgsm_mnist.npy'), x_fgsm_mnist)
acc_fgsm = sess.run(get_acc(x, label), feed_dict={x: x_fgsm_mnist, label: mnist.test.labels})
# gan
x_gan_mnist = sess.run(x_gan, feed_dict={x: mnist.test.images ,label: mnist.test.labels\
, noise: sample_Z(10000, 100), y_target: y_target_test})
np.save(os.path.join('data','x_gan_mnist.npy'), x_gan_mnist)
acc_gan = sess.run(get_acc(x, label), feed_dict={x: x_gan_mnist ,label: mnist.test.labels\
, noise: sample_Z(10000, 100), y_target: y_target_test})
print('accuracy: benign: {:.3f}, fgsm: {:.3f}, jsma: {:.3f}, gan: {:.3f}'.format(acc_benign, acc_fgsm, acc_jsma_1, acc_gan))
'''
x_fgsm_mnist = np.load(os.path.join('data','x_fgsm_mnist.npy'))
x_gan_mnist = np.load(os.path.join('data','x_gan_mnist.npy'))
x_jsma_mnist_1 = np.load(os.path.join('data','x_jsma_mnist_1.npy'))
sess.run(tf.global_variables_initializer())
print('train classifier')
for t in range(1, steps + 1):
batch = mnist.train.next_batch(batch_size)
sess.run(train_op_classifier, feed_dict={x: batch[0], label: batch[1]})
if t % 550 == 0:
epoch = int(t / 550)
acc = {}
acc['benign'] = sess.run(get_acc(x, label), feed_dict = {x: mnist.test.images, label: mnist.test.labels})
acc['pre fgsm'] = sess.run(get_acc(x, label), feed_dict={x: x_fgsm_mnist, label: mnist.test.labels})
acc['pre gan'] = sess.run(get_acc(x, label), feed_dict={x: x_gan_mnist, label: mnist.test.labels})
acc['pre jsma 1'] = sess.run(get_acc(x, label), feed_dict={x: x_jsma_mnist_1, label: mnist.test.labels[0:100,]})
print(epoch, acc)
'''
sess.close()
return
# jsma
jsma_params = {'theta': 1., 'gamma': 0.1,'nb_classes': 10, 'clip_min': 0.,'clip_max': 1., 'targets': y,\
'y_val': y_target_test}
x_jsma_mnist = jsma.generate_np(mnist.test.images, **jsma_params)
np.save(os.path.join('data','x_jsma_mnist.npy'), x_jsma_mnist)
def training_embedding(reverse_dictionary, with_dp=False):
"""
# training with DP
:param with_dp:
:return:
"""
batch_size = 128
embedding_size = 300 # Dimension of the embedding vector.
skip_window = 1 # How many words to consider left and right.
num_skips = 2 # How many times to reuse an input to generate a label.
# We pick a random validation set to sample nearest neighbors. here we limit the
# validation samples to the words that have a low numeric ID, which by
# construction are also the most frequent.
valid_size = 16 # Random set of words to evaluate similarity on.
valid_window = 100 # Only pick dev samples in the head of the distribution.
valid_examples = np.array(random.sample(range(valid_window), valid_size))
num_sampled = 64 # Number of negative examples to sample.
learning_rate = 1
# DP parameters
clip_bound = 0.01 # 'the clip bound of the gradients'
# num_steps = 160000 # 'number of steps T = E * N / L = E / q'
sigma = 5 # 'sigma'
delta = 1e-5 # 'delta'
sess = tf.InteractiveSession()
graph = tf.Graph()
avg_loss_arr = []
loss_arr = []
# with graph.as_default(), tf.device('/cpu:0'):
# Input data.
with tf.device('/gpu:0'):
train_dataset = tf.placeholder(tf.int32, shape=[batch_size])
train_labels = tf.placeholder(tf.int32, shape=[batch_size, 1])
valid_dataset = tf.constant(valid_examples, dtype=tf.int32)
# Variables.
embeddings = tf.Variable(
tf.random_uniform([vocabulary_size, embedding_size], -1.0, 1.0))
# Model.
# Look up embeddings for inputs.
embed = tf.nn.embedding_lookup(embeddings, train_dataset)
if FLAGS.with_nce_loss:
nce_weights = tf.Variable(
tf.truncated_normal([vocabulary_size, embedding_size],
stddev=1.0 / math.sqrt(embedding_size)))
nce_biases = tf.Variable(tf.zeros([vocabulary_size]))
cross_entropy = tf.reduce_mean(
tf.nn.nce_loss(weights=nce_weights,
biases=nce_biases,
labels=train_labels,
inputs=embed,
num_sampled=num_sampled,
num_classes=vocabulary_size))
else:
with tf.device('/gpu:0'):
softmax_weights = tf.Variable(
tf.truncated_normal([vocabulary_size, embedding_size],
stddev=1.0 / math.sqrt(embedding_size)))
softmax_biases = tf.Variable(tf.zeros([vocabulary_size]))
# Compute the softmax loss, using a sample of the negative labels each time.
# Read more: https://stackoverflow.com/questions/37671974/tensorflow-negative-sampling
# When we want to compute the softmax probability for your true label,
# we compute: logits[true_label] / sum(logits[negative_sampled_labels]
# Other candidate sampling: https://www.tensorflow.org/extras/candidate_sampling.pdf
cross_entropy = tf.reduce_mean(
tf.nn.sampled_softmax_loss(weights=softmax_weights,
biases=softmax_biases,
inputs=embed,
labels=train_labels,
num_sampled=num_sampled,
num_classes=vocabulary_size))
priv_accountant = accountant.GaussianMomentsAccountant(vocabulary_size)
privacy_accum_op = priv_accountant.accumulate_privacy_spending(
[None, None], sigma, batch_size)
# Optimizer.
# Note: The optimizer will optimize the softmax_weights AND the embeddings.
# This is because the embeddings are defined as a variable quantity and the
# optimizer's `minimize` method will by default modify all variable quantities
# that contribute to the tensor it is passed.
# See docs on `tf.train.Optimizer.minimize()` for more details.
# optimizer = tf.train.AdagradOptimizer(learning_rate).minimize(loss)
# optimizer = tf.train.GradientDescentOptimizer(learning_rate).minimize(cross_entropy)
optimizer = GradientDescentOptimizer(learning_rate)
if FLAGS.optimizer == "adam":
# cannot use adam so far. Tested and the model couldn't converge.
optimizer = AdamOptimizer(learning_rate)
print("##INFO: Using adam optimizer")
if FLAGS.optimizer == "adagrad":
# cannot use adam so far. Tested and the model couldn't converge.
optimizer = AdagradOptimizer(learning_rate)
print("##INFO: Using adagrad optimizer")
log_dir = os.path.join(FLAGS.trained_models, "logs")
# compute gradient
if FLAGS.with_nce_loss:
gw_Embeddings = tf.gradients(cross_entropy,
embeddings)[0] # gradient of embeddings
gw_softmax_weights = tf.gradients(
cross_entropy, nce_weights)[0] # gradient of nce_weights
gb_softmax_biases = tf.gradients(
cross_entropy, nce_biases)[0] # gradient of nce_biases
else:
with tf.device('/gpu:0'):
gw_Embeddings = tf.gradients(
cross_entropy, embeddings)[0] # gradient of embeddings
gw_softmax_weights = tf.gradients(
cross_entropy,
softmax_weights)[0] # gradient of softmax_weights
gb_softmax_biases = tf.gradients(
cross_entropy, softmax_biases)[0] # gradient of softmax_biases
# clip gradient
if FLAGS.clip_by_norm:
# faster but takes more epochs to train
with tf.device('/gpu:0'):
gw_Embeddings = tf.clip_by_norm(gw_Embeddings, clip_bound)
gw_softmax_weights = tf.clip_by_norm(gw_softmax_weights,
clip_bound)
gb_softmax_biases = tf.clip_by_norm(gb_softmax_biases, clip_bound)
else:
# dp-sgd: slow and require more memory but converge faster, take less epochs.
gw_Embeddings = utils.BatchClipByL2norm(gw_Embeddings, clip_bound)
gw_softmax_weights = utils.BatchClipByL2norm(gw_softmax_weights,
clip_bound)
gb_softmax_biases = utils.BatchClipByL2norm(gb_softmax_biases,
clip_bound)
sensitivity = clip_bound # adjacency matrix with one more tuple
# Add noise
if FLAGS.with_dp:
gw_Embeddings += tf.random_normal(shape=tf.shape(gw_Embeddings),
mean=0.0,
stddev=sigma * (sensitivity**2),
dtype=tf.float32)
gw_softmax_weights += tf.random_normal(
shape=tf.shape(gw_softmax_weights),
mean=0.0,
stddev=sigma * (sensitivity**2),
dtype=tf.float32)
gb_softmax_biases += tf.random_normal(
shape=tf.shape(gb_softmax_biases),
mean=0.0,
stddev=sigma * (sensitivity**2),
dtype=tf.float32)
if FLAGS.with_nce_loss:
train_step = optimizer.apply_gradients([
(gw_Embeddings, embeddings), (gw_softmax_weights, nce_weights),
(gb_softmax_biases, nce_biases)
])
else:
train_step = optimizer.apply_gradients([
(gw_Embeddings, embeddings), (gw_softmax_weights, softmax_weights),
(gb_softmax_biases, softmax_biases)
])
# Compute the similarity between minibatch examples and all embeddings.
# We use the cosine distance:
with tf.device('/gpu:0'):
norm = tf.sqrt(tf.reduce_sum(tf.square(embeddings), 1, keep_dims=True))
normalized_embeddings = embeddings / norm
valid_embeddings = tf.nn.embedding_lookup(normalized_embeddings,
valid_dataset)
similarity = tf.matmul(valid_embeddings,
tf.transpose(normalized_embeddings))
min_loss = 10**4
per_dec_count = 0
print('Initialized')
average_loss = 0
running = True
step = 0
average_loss_arr = []
saving_pointer_idx = 0
# put it here because Adam has its own variables.
sess.run(tf.global_variables_initializer())
# saver must be used after global_variables_initializer
saver = tf.train.Saver()
# Save the variables to disk.
save_path = os.path.join(FLAGS.trained_models, "initialized_model.ckpt")
# Sonvx: we need to make sure initialized variables are all the same for different tests.
print("Checking on path: ", save_path)
if not os.path.isfile(save_path + ".index"):
saved_info = saver.save(sess, save_path)
print("Global initialized model saved in file: %s" % saved_info)
else:
saver.restore(sess, save_path)
print("Restored the global initialized model.")
if FLAGS.DEBUG:
input(
"Double check whether or not the initialized model got restored then <Press enter>"
)
print('###INFO: Initialized in run(graph)')
if FLAGS.RESTORE_LAST_CHECK_POINT:
checkpoint_path = os.path.join(log_dir, "model.ckpt")
if os.path.isfile(checkpoint_path + ".index"):
saver.restore(sess, checkpoint_path)
print("Restored the latest checkpoint at %s." % (checkpoint_path))
while running:
# for step in range(num_steps):
batch_data, batch_labels = generate_batch(batch_size, num_skips,
skip_window)
print("Global data_index = ", data_index)
# feed_dict = {train_dataset: batch_data, train_labels: batch_labels}
# old: sess.run([optimizer, cross_entropy], feed_dict=feed_dict)
# template: train_step.run(feed_dict={x: batch[0], y_: batch[1], keep_prob: 0.5});
train_step.run(feed_dict={
train_dataset: batch_data,
train_labels: batch_labels
})
loss = cross_entropy.eval(feed_dict={
train_dataset: batch_data,
train_labels: batch_labels
})
# loss_arr.append(l)
# average_loss += l
# current_avg_loss = average_loss/step
# avg_loss_arr.append(current_avg_loss)
sess.run([privacy_accum_op])
# print(step, spent_eps_deltas)
average_loss += loss
if step == 0:
step_dev = 0.1 * 5
else:
step_dev = step
current_avg_loss = np.mean(average_loss) / step_dev
average_loss_arr.append(current_avg_loss)
if step % 200 == 0:
# if step > 0:
# average_loss = average_loss / 2000
# The average loss is an estimate of the loss over the last 2000 batches.
print('Average loss at step %d: %f' % (step, current_avg_loss))
# TODO: turns this back on if not sure how average_loss influences training process
print("Embedding: ")
em_val = tf.reduce_mean(tf.abs(embeddings))
print(sess.run(em_val))
# average_loss = 0
# note that this is expensive (~20% slowdown if computed every 500 steps)
check_step = (FLAGS.NUM_STEPS * 0.2)
if step % check_step == 0:
# gw_emb = tf.reduce_mean(tf.abs(gw_Embeddings))
# print("Embedding gradients: ")
# print(sess.run(gw_emb))
sim = similarity.eval()
for i in range(valid_size):
valid_word = reverse_dictionary[valid_examples[i]]
top_k = 8 # number of nearest neighbors
nearest = (-sim[i, :]).argsort()[1:top_k + 1]
log = 'Nearest to %s:' % valid_word
for k in range(top_k):
close_word = reverse_dictionary[nearest[k]]
log = '%s %s,' % (log, close_word)
print(log)
current_saving_dir = os.path.join(
FLAGS.trained_models,
"_%sepoch" % (saving_pointers[saving_pointer_idx]))
# EARLY STOPPING
if min_loss >= current_avg_loss:
min_loss = current_avg_loss
per_dec_count = 0
if FLAGS.save_best_model_alltime:
best_of_saving_point_dir = os.path.join(
current_saving_dir, "_best_one")
if not os.path.exists(best_of_saving_point_dir):
os.makedirs(best_of_saving_point_dir)
temp_embeddings = normalized_embeddings.eval()
spent_eps_deltas = priv_accountant.get_privacy_spent(
sess, target_eps=target_eps)
saving_state(best_of_saving_point_dir, spent_eps_deltas,
temp_embeddings, saver, sess)
msg = ("Got best model so far at step %s , avg loss = %s" %
(step, current_avg_loss))
logging.info(msg)
print(msg)
else:
per_dec_count += 1
step += 1
if per_dec_count == max_early_stopping or step == num_steps:
running = False
if (step + 1) in saving_pointers:
spent_eps_deltas = priv_accountant.get_privacy_spent(
sess, target_eps=target_eps)
folder_path = os.path.join(FLAGS.trained_models,
"_%sepoch" % (step + 1))
temp_embeddings = normalized_embeddings.eval()
saving_state(folder_path, spent_eps_deltas, temp_embeddings, saver,
sess)
# Make sure we don't increase saving_pointer_idx larger than what the total number of pointers we set.
if saving_pointer_idx < len(saving_pointers) - 1:
saving_pointer_idx += 1
msg = "##INFO: STEP %s: avg_loss history: avg_loss_arr = %s" % (
step, average_loss_arr)
logging.info(msg)
if step % (num_steps - 1) == 0:
print("Final privacy spent: ", step, spent_eps_deltas)
print("Stopped at %s, \nFinal avg_loss = %s" % (step, avg_loss_arr))
print("loss = %s" % (loss_arr))
# final_embeddings = normalized_embeddings.eval()
sess.close()
def optimizer_function(lr, loss):
optimizer = GradientDescentOptimizer(lr)
return pipelining_ops.OptimizerFunctionOutput(optimizer, loss)
def main():
train_size, test_size = 55000, 10000
batch_size = 100
lr = {}
lr['c'] = 0.05
lr['d'] = 0.05
lr['g'] = 0.05
lr['t'] = 0.05
epochs = 30
steps = epochs * int(train_size / batch_size)
global_step = tf.Variable(0, name='global_step', trainable=False)
x = tf.placeholder(tf.float32, [None, 784]) # input for real images
y_ = tf.placeholder(tf.float32, [None, 10]) # groundtruth class label
y_target = tf.placeholder(tf.float32, [None, 10])
noise = tf.placeholder(tf.float32, [None, 100])
tx = transformer(x, noise)
gx = generator(noise, y_)
yx = classifier(x)
ytx = classifier(tx)
ygx = classifier(gx)
dx = discriminator(x, y_)
dtx = discriminator(tx, y_)
dgx = discriminator(gx, y_)
d_mean = {}
d_mean['x'] = tf.reduce_mean(dx)
d_mean['tx'] = tf.reduce_mean(dtx)
d_mean['gx'] = tf.reduce_mean(dgx)
#x_fgsm = attack.fgsm(x, y_real, eps = 0.1, clip_min = 0, clip_max = 1)
#c_x_fgsm = classifier(x_fgsm)
#d_fg = discriminator(x_fg)
perturb = {}
perturb['tx'] = tf.reduce_mean(tf.norm(tx - x, axis=1))
perturb['gx'] = tf.reduce_mean(tf.norm(gx - x, axis=1))
#perturb['fg'] = tf.reduce_mean(tf.norm(x_fg - x, axis = 1))
loss = {}
loss['cx'] = tf.reduce_mean(
tf.nn.softmax_cross_entropy_with_logits(labels=y_, logits=yx))
loss['ctx'] = tf.reduce_mean(
tf.nn.softmax_cross_entropy_with_logits(labels=y_, logits=ytx))
loss['cgx'] = tf.reduce_mean(
tf.nn.softmax_cross_entropy_with_logits(labels=y_, logits=ygx))
loss['ctgx'] = tf.reduce_mean(
tf.nn.softmax_cross_entropy_with_logits(labels=y_target, logits=ygx))
loss['cttx'] = tf.reduce_mean(
tf.nn.softmax_cross_entropy_with_logits(labels=y_target, logits=ytx))
#loss['classifier_fgsm'] = tf.reduce_mean(tf.nn.softmax_cross_entropy_with_logits(labels=label, logits=y_fg))
loss['dx'] = tf.reduce_mean(-tf.log(dx))
loss['dtx'] = tf.reduce_mean(-tf.log(1. - dtx))
loss['dgx'] = tf.reduce_mean(-tf.log(1. - dgx))
loss['t'] = tf.reduce_mean(-tf.log(dtx))
loss['g'] = tf.reduce_mean(-tf.log(dgx))
loss['classifier'] = loss['cx']
loss['transformer'] = loss['t'] + loss['cttx']
loss['generator'] = loss['g']
loss['discriminator'] = loss['dx'] + loss['dtx']
all_vars = tf.trainable_variables()
c_vars = [var for var in all_vars if 'classifier' in var.name]
g_vars = [var for var in all_vars if 'generator' in var.name]
d_vars = [var for var in all_vars if 'discriminator' in var.name]
t_vars = [var for var in all_vars if 'transformer' in var.name]
train_op = {}
train_op['classifier'] = GradientDescentOptimizer(learning_rate = lr['c']) \
.minimize(loss['classifier'], var_list = c_vars, global_step = global_step)
train_op['generator'] = GradientDescentOptimizer(learning_rate = lr['g']) \
.minimize(loss['generator'], var_list = g_vars, global_step = global_step)
train_op['discriminator'] = GradientDescentOptimizer(learning_rate = lr['d']) \
.minimize(loss['discriminator'], var_list = d_vars, global_step = global_step)
train_op['transformer'] = GradientDescentOptimizer(learning_rate = lr['t']) \
.minimize(loss['transformer'], var_list = t_vars, global_step = global_step)
acc = {}
acc['x'] = tf.reduce_mean(
tf.cast(tf.equal(tf.argmax(yx, 1), tf.argmax(y_, 1)), tf.float32))
acc['tx'] = tf.reduce_mean(
tf.cast(tf.equal(tf.argmax(ytx, 1), tf.argmax(y_, 1)), tf.float32))
acc['gx'] = tf.reduce_mean(
tf.cast(tf.equal(tf.argmax(ygx, 1), tf.argmax(y_, 1)), tf.float32))
#acc['classifier_fgsm'] = tf.reduce_mean(tf.cast(tf.equal(tf.argmax(y_fg, 1), tf.argmax(label, 1)),tf.float32))
mnist = input_data.read_data_sets('MNIST_data', one_hot=True)
tf.set_random_seed(1024)
sess = tf.Session()
sess.run(tf.global_variables_initializer())
with sess.as_default():
for t in range(1, steps + 1):
batch = mnist.train.next_batch(batch_size)
y_tar = [[1, 0, 0, 0, 0, 0, 0, 0, 0, 0] for i in range(batch_size)]
y_tar = np.array(y_tar, dtype='float32')
noise_sample = sample_Z(batch_size, 100)
sess.run(train_op['classifier'],
feed_dict={
x: batch[0],
y_: batch[1],
noise: noise_sample,
y_target: y_tar
})
sess.run(train_op['discriminator'],
feed_dict={
x: batch[0],
y_: batch[1],
noise: noise_sample,
y_target: y_tar
})
for j in range(5):
sess.run(train_op['transformer'],
feed_dict={
x: batch[0],
y_: batch[1],
noise: noise_sample,
y_target: y_tar
})
#for j in range(5):
#sess.run(train_op['generator'], feed_dict={x: batch[0], y_: batch[1], noise : sample_Z(batch_size, 100), y_target: y_tar})
if t % int(train_size / batch_size) == 0:
epoch = int(t / int(train_size / batch_size))
noise_sample3 = sample_Z(batch_size, 100)
batch = mnist.test.next_batch(100)
img_real = batch[0].reshape([100, 28, 28])
save_images(img_real, [10, 10],
os.path.join('img', 'real' + str(epoch) + '.png'))
img_trans = sess.run(tx,
feed_dict={
x: batch[0],
y_: batch[1],
noise: noise_sample3,
y_target: y_tar
})
img_trans = img_trans.reshape([100, 28, 28])
save_images(img_trans, [10, 10],
os.path.join('img', 'trans' + str(epoch) + '.png'))
img_fake = sess.run(gx,
feed_dict={
x: batch[0],
y_: batch[1],
noise: noise_sample3,
y_target: y_tar
})
img_fake = img_fake.reshape([100, 28, 28])
save_images(img_fake, [10, 10],
os.path.join('img', 'fake' + str(epoch) + '.png'))
noise_sample2 = sample_Z(10000, 100)
var_list = [acc, perturb, d_mean]
res = sess.run(var_list,
feed_dict={
x: mnist.test.images,
y_: mnist.test.labels,
noise: noise_sample2,
y_target: y_tar
})
print(epoch)
for r in res:
print(r)
def model_train(para):
sigma = compute_sigma(para['eps'], para['delta'])
std = sigma * para['sens']
sess = tf.Session()
tf.set_random_seed(random_seed)
n = len(layers)
x = tf.placeholder(tf.float32, [None, 784]) # input
label = tf.placeholder(tf.float32, [None, 10]) # true label
w, b = [0 for i in range(n)], [0 for i in range(n)]
for i in range(1, n):
w[i] = weight_variable([layers[i - 1], layers[i]])
b[i] = bias_variable([layers[i]])
# noisy model
z, h = [0 for i in range(n)], [0 for i in range(n)]
h[0] = x
h[0] = h[0] + tf.random_normal(
shape=tf.shape(h[0]), mean=0.0, stddev=std, dtype=tf.float32)
for i in range(1, n):
z[i] = tf.matmul(h[i - 1], w[i]) + b[i]
if i < n - 1:
h[i] = tf.nn.relu(z[i])
else:
h[i] = z[i]
y = h[n - 1]
loss = tf.reduce_mean(
tf.nn.softmax_cross_entropy_with_logits(labels=label, logits=y))
# noiseless model
z2, h2 = [0 for i in range(n)], [0 for i in range(n)]
h2[0] = x
for i in range(1, n):
z2[i] = tf.matmul(h2[i - 1], w[i]) + b[i]
if i < n - 1:
h2[i] = tf.nn.relu(z2[i])
else:
h2[i] = z2[i]
y2 = h2[n - 1]
x_adv = attack.fgsm(x, y, eps=0.3, clip_min=0, clip_max=1)
# gradient descent
gw, gb = [0 for i in range(n)], [0 for i in range(n)]
for i in range(1, n):
gw[i] = tf.gradients(loss, w[i])[0]
gb[i] = tf.gradients(loss, b[i])[0]
opt = GradientDescentOptimizer(learning_rate=learning_rate)
gradients = []
for i in range(1, n):
gradients.append((gw[i], w[i]))
gradients.append((gb[i], b[i]))
train_step = opt.apply_gradients(gradients)
#evaluation
acc = tf.reduce_mean(
tf.cast(tf.equal(tf.argmax(y, 1), tf.argmax(label, 1)), tf.float32))
# data
mnist = input_data.read_data_sets('MNIST_data', one_hot=True)
x_adv_mnist_fsgm = np.load(os.path.join('data', 'x_adv_mnist_fsgm.npy'))
print('sigma: {:.3f}, std: {:.3f}'.format(sigma, std))
sess.run(tf.global_variables_initializer())
with sess.as_default():
for t in range(steps):
batch = mnist.train.next_batch(batch_size)
sess.run(train_step, feed_dict={x: batch[0], label: batch[1]})
if t % int(1 / sample_rate) == 0 or t == steps - 1:
if t < steps - 1:
epoch = int(t / int(1 / sample_rate))
else:
epoch = epochs
x_adv_sample = sess.run(x_adv,
feed_dict={
x: mnist.test.images,
label: mnist.test.labels
})
acc_benign = sess.run(acc,
feed_dict={
x: mnist.test.images,
label: mnist.test.labels
})
acc_adv = sess.run(acc,
feed_dict={
x: x_adv_sample,
label: mnist.test.labels
})
acc_pre_adv = sess.run(acc,
feed_dict={
x: x_adv_mnist_fsgm,
label: mnist.test.labels
})
print(epoch, acc_benign, acc_adv, acc_pre_adv)
def main():
random_seed = 1024
train_size, test_size = 55000, 10000
batch_size = 100
learning_rate = 0.05
epochs = 5
steps = epochs * 550
config = tf.ConfigProto()
config.gpu_options.per_process_gpu_memory_fraction = 1
sess = tf.InteractiveSession(config=config)
global_step = tf.Variable(0, name='global_step', trainable=False)
tf.set_random_seed(random_seed)
x = tf.placeholder(tf.float32, [None, 784]) # input
label = tf.placeholder(tf.float32, [None, 10]) # true label
noise = tf.placeholder(tf.float32, [None, 100]) # noise vector
y_target = tf.placeholder(tf.float32, [None, 10]) # target label
x_perturb = x + tf.random_normal(
shape=tf.shape(x), mean=0.0, stddev=0.5, dtype=tf.float32)
x_perturb = tf.clip_by_value(x_perturb, 0, 1)
x1 = tf.placeholder(tf.float32, [None, 784])
x2 = tf.placeholder(tf.float32, [None, 784])
y_n = classifier_n(x)
y = classifier(x)
y_perturb = classifier(x_perturb)
# gan
x_gan = generator(x, noise)
y_gan = classifier(x_gan)
loss_cls = softmax_loss(label, y_n) #+ softmax_loss(label, y_gan)
loss_gan = -softmax_loss(label, y_gan)
all_vars = tf.trainable_variables()
c_vars = [var for var in all_vars if 'classifier' in var.name]
g_vars = [var for var in all_vars if 'generator' in var.name]
train_op_classifier = GradientDescentOptimizer(learning_rate = learning_rate) \
.minimize(loss_cls, var_list = c_vars, global_step = global_step)
train_op_generator = GradientDescentOptimizer(learning_rate = 0.05) \
.minimize(loss_gan, var_list = g_vars, global_step = global_step)
#fgsm
x_fgsm = attack.fgsm(x, y, eps=0.2, clip_min=0, clip_max=1)
y_fgsm = classifier(x_fgsm)
# random fgsm
x_fgsm_rd = attack.fgsm(x_perturb,
y_perturb,
eps=0.2,
clip_min=0,
clip_max=1)
y_fgsm_rd = classifier(x_fgsm_rd)
# jsma
jsma = SaliencyMapMethod(classifier, back='tf', sess=sess)
# train
saver = tf.train.Saver()
mnist = input_data.read_data_sets('MNIST_data', one_hot=True)
x_fgsm_mnist = np.load(os.path.join('data', 'x_fgsm_mnist.npy'))
x_gan_mnist = np.load(os.path.join('data', 'x_gan_mnist.npy'))
x_jsma_mnist_1 = np.load(os.path.join('data', 'x_jsma_mnist_1.npy'))
y_target_batch = np.zeros((100, 10), dtype=np.float32)
y_target_batch[:, 0] = 1.0
y_target_test = np.zeros((10000, 10), dtype=np.float32)
y_target_test[:, 0] = 1.0
sess.run(tf.global_variables_initializer())
with sess.as_default():
acc = {}
print('train classifier')
for t in range(1, steps + 1):
batch = mnist.train.next_batch(batch_size)
noise_d = sample_Z(batch_size, 100)
f_dict = {
x: batch[0],
label: batch[1],
noise: noise_d,
y_target: y_target_batch
}
sess.run(train_op_classifier, feed_dict=f_dict)
#for j in range(1):
#sess.run(train_op_generator, feed_dict=f_dict)
if t % 550 == 0:
epoch = int(t / 550)
acc['benign'] = sess.run(get_acc(x, label),
feed_dict={
x: mnist.test.images,
label: mnist.test.labels
})
acc['pre fgsm'] = sess.run(get_acc(x, label),
feed_dict={
x: x_fgsm_mnist,
label: mnist.test.labels
})
acc['pre gan'] = sess.run(get_acc(x, label),
feed_dict={
x: x_gan_mnist,
label: mnist.test.labels
})
acc['pre jsma 1'] = sess.run(get_acc(x, label),
feed_dict={
x: x_jsma_mnist_1,
label:
mnist.test.labels[0:100, ]
})
x_fgsm_d = sess.run(x_fgsm,
feed_dict={
x: mnist.test.images,
label: mnist.test.labels
})
acc['fgsm'] = sess.run(get_acc(x, label),
feed_dict={
x: x_fgsm_d,
label: mnist.test.labels
})
x_fgsm_rd_d = sess.run(x_fgsm_rd,
feed_dict={
x: mnist.test.images,
label: mnist.test.labels
})
acc['fgsm_rd'] = sess.run(get_acc(x, label),
feed_dict={
x: x_fgsm_rd_d,
label: mnist.test.labels
})
print(epoch, acc)
'''
print('train gan')
for t in range(1, 550 * 10 + 1):
batch = mnist.train.next_batch(batch_size)
f_dict = {x: batch[0], label: batch[1], noise: sample_Z(batch_size, 100), y_target: y_target_batch}
sess.run(train_op_generator, feed_dict=f_dict)
if t % 550 == 0:
epoch = int(t / 550)
batch = mnist.test.next_batch(batch_size)
f_dict = {x: batch[0], label: batch[1], noise: sample_Z(batch_size, 100), y_target: y_target_batch}
x_gan_data = sess.run(x_gan, feed_dict=f_dict)
acc_gan = sess.run(get_acc(x, label), feed_dict={x: x_gan_data, label: batch[1]})
print(epoch, acc_gan)
x_fgsm_d = sess.run(x_fgsm, feed_dict = {x: mnist.test.images, label: mnist.test.labels})
acc['fgsm'] = sess.run(get_acc(x, label), feed_dict={x: x_fgsm_d, label: mnist.test.labels})
x_gan_d = sess.run(x_gan, feed_dict={x: mnist.test.images ,label: mnist.test.labels\
, noise: sample_Z(10000, 100), y_target: y_target_test})
acc['gan'] = sess.run(get_acc(x, label), feed_dict={x: x_gan_d ,label: mnist.test.labels\
, noise: sample_Z(10000, 100), y_target: y_target_test})
'''
jsma_params = {'theta': 1., 'gamma': 0.1,'nb_classes': 10, 'clip_min': 0.,'clip_max': 1., 'targets': y,\
'y_val': y_target_batch}
x_jsma_1_d = jsma.generate_np(mnist.test.images[0:100, ],
**jsma_params)
acc['jsma 1'] = sess.run(get_acc(x, label),
feed_dict={
x: x_jsma_1_d,
label: mnist.test.labels[0:100, ]
})
print(acc['jsma 1'])
def main():
random_seed = 1024
train_size, test_size = 55000, 10000
batch_size = 100
learning_rate = 0.05
epochs = 20
steps = epochs * 550
sess = tf.Session()
global_step = tf.Variable(0, name='global_step', trainable=False)
tf.set_random_seed(random_seed)
x = tf.placeholder(tf.float32, [None, 784]) # input
label = tf.placeholder(tf.float32, [None, 10]) # true label
y = classifier(x)
loss_cls = softmax_loss(label, y)
all_vars = tf.trainable_variables()
print(all_vars)
c_vars = [var for var in all_vars if 'classifier' in var.name]
train_op_classifier = GradientDescentOptimizer(learning_rate = learning_rate) \
.minimize(loss_cls, var_list = c_vars, global_step = global_step)
# train
saver = tf.train.Saver()
mnist = input_data.read_data_sets('MNIST_data', one_hot=True)
x_fgsm_mnist = np.load(os.path.join('data', 'x_fgsm_mnist.npy'))
x_gan_mnist = np.load(os.path.join('data', 'x_gan_mnist.npy'))
x_jsma_mnist_1 = np.load(os.path.join('data', 'x_jsma_mnist_1.npy'))
sess.run(tf.global_variables_initializer())
with sess.as_default():
print('train classifier')
for t in range(1, steps + 1):
batch = mnist.train.next_batch(batch_size)
sess.run(train_op_classifier,
feed_dict={
x: batch[0],
label: batch[1]
})
if t % 550 == 0:
epoch = int(t / 550)
acc = {}
acc['benign'] = sess.run(get_acc(x, label),
feed_dict={
x: mnist.test.images,
label: mnist.test.labels
})
acc['pre fgsm'] = sess.run(get_acc(x, label),
feed_dict={
x: x_fgsm_mnist,
label: mnist.test.labels
})
acc['pre gan'] = sess.run(get_acc(x, label),
feed_dict={
x: x_gan_mnist,
label: mnist.test.labels
})
acc['pre jsma 1'] = sess.run(get_acc(x, label),
feed_dict={
x: x_jsma_mnist_1,
label:
mnist.test.labels[0:100, ]
})
print(epoch, acc)
sess.close()
def main():
sess = tf.Session()
train_size, test_size = 55000, 10000
batch_size = 100
lr = 0.05
epochs = 100
steps = epochs * int(train_size / batch_size)
global_step = tf.Variable(0, name='global_step', trainable=False)
x = tf.placeholder(tf.float32, [None, 784]) # input for real images
x_adv = tf.placeholder(tf.float32, [None, 784])
y_ = tf.placeholder(tf.float32, [None, 10]) # groundtruth class label
y_target = tf.placeholder(tf.float32, [None, 10])
noise = tf.placeholder(tf.float32, [None, 100])
tx = transformer(x, noise, 3)
yx_2, z_norm = classifier_x(x)
yx = classifier(x)
ytx = classifier(tx)
ytx_2, z_norm2 = classifier_x(tx)
y_x_adv = classifier(x_adv)
x_fgsm = attack.fgsm(x, yx_2, eps=0.1, clip_min=0, clip_max=1)
y_x_fgsm = classifier(x_fgsm)
jsma = SaliencyMapMethod(classifier, back='tf', sess=sess)
one_hot_target = np.zeros((100, 10), dtype=np.float32)
one_hot_target[:, 1] = 1
jsma_params = {
'theta': 1.,
'gamma': 0.1,
'nb_classes': 10,
'clip_min': 0.,
'clip_max': 1.,
'targets': yx,
'y_val': one_hot_target
}
perturb = {}
perturb['tx'] = tf.reduce_mean(tf.norm(tx - x, axis=1))
perturb['fgsm'] = tf.reduce_mean(tf.norm(x_fgsm - x, axis=1))
loss = {}
loss['cx'] = tf.reduce_mean(
tf.nn.softmax_cross_entropy_with_logits(labels=y_, logits=yx_2))
loss['ctx'] = tf.reduce_mean(
tf.nn.softmax_cross_entropy_with_logits(labels=y_, logits=ytx_2))
loss['cttx'] = tf.reduce_mean(
tf.nn.softmax_cross_entropy_with_logits(labels=y_target, logits=ytx))
loss['classifier'] = loss['cx'] #+ loss['ctx']
#loss['transformer'] = loss['cttx']
loss['transformer'] = -loss['ctx']
all_vars = tf.trainable_variables()
c_vars = [var for var in all_vars if 'classifier' in var.name]
t_vars = [var for var in all_vars if 'transformer' in var.name]
train_op = {}
train_op['classifier'] = GradientDescentOptimizer(learning_rate = lr) \
.minimize(loss['classifier'], var_list = c_vars, global_step = global_step)
train_op['transformer'] = GradientDescentOptimizer(learning_rate = lr) \
.minimize(loss['transformer'], var_list = t_vars, global_step = global_step)
acc = {}
acc['x'] = tf.reduce_mean(
tf.cast(tf.equal(tf.argmax(yx, 1), tf.argmax(y_, 1)), tf.float32))
acc['tx'] = tf.reduce_mean(
tf.cast(tf.equal(tf.argmax(ytx, 1), tf.argmax(y_, 1)), tf.float32))
acc['x_fgsm'] = tf.reduce_mean(
tf.cast(tf.equal(tf.argmax(y_x_fgsm, 1), tf.argmax(y_, 1)),
tf.float32))
acc['x_adv'] = tf.reduce_mean(
tf.cast(tf.equal(tf.argmax(y_x_adv, 1), tf.argmax(y_, 1)), tf.float32))
mnist = input_data.read_data_sets('MNIST_data', one_hot=True)
x_adv_mnist_fsgm = np.load(os.path.join('data', 'x_fgsm_mnist.npy'))
tf.set_random_seed(1024)
sess.run(tf.global_variables_initializer())
with sess.as_default():
for t in range(1, steps + 1):
batch = mnist.train.next_batch(batch_size)
y_tar = [[1, 0, 0, 0, 0, 0, 0, 0, 0, 0] for i in range(batch_size)]
y_tar = np.array(y_tar, dtype='float32')
noise_sample = sample_Z(batch_size, 100)
sess.run(train_op['classifier'],
feed_dict={
x: batch[0],
y_: batch[1],
noise: noise_sample,
y_target: y_tar
})
sess.run(train_op['transformer'],
feed_dict={
x: batch[0],
y_: batch[1],
noise: noise_sample,
y_target: y_tar
})
if t % int(train_size / batch_size) == 0:
epoch = int(t / int(train_size / batch_size))
noise_sample2 = sample_Z(10000, 100)
test_batch = mnist.test.next_batch(10000)
print(test_batch[0].shape)
var_list = [acc, z_norm]
res = sess.run(var_list, feed_dict = {x: test_batch[0], y_: test_batch[1], noise : noise_sample2, \
x_adv: x_adv_mnist_fsgm, y_target: y_tar})
print(epoch)
for r in res:
print(r)
def __init__(self, params, learner, dataset):
print('Using Federated prox to Train (SS-Simple)')
self.inner_opt = GradientDescentOptimizer(
learning_rate=params['learning_rate'])
super(Server, self).__init__(params, learner, dataset)
self.clip_C = self.norm
if i == 0:
z1[i] = x1
h1[i] = z1[i]
if i > 0 and i < n - 1:
z1[i] = tf.matmul(h1[i - 1], w[i]) + b[i]
h1[i] = tf.nn.relu(z1[i])
if i == n - 1:
z1[i] = tf.matmul(h1[i - 1], w[i]) + b[i]
h1[i] = z1[i]
y = classifier(x)
yn = classifier_n(x)
loss_cls = softmax_loss(label, yn)
all_vars = tf.trainable_variables()
c_vars = [var for var in all_vars if 'classifier' in var.name]
train_op_classifier = GradientDescentOptimizer(learning_rate = learning_rate) \
.minimize(loss_cls, var_list = c_vars, global_step = global_step)
jsma = SaliencyMapMethod(classifier, back='tf', sess=sess)
x_fgsm = attack.fgsm(x, y, eps=0.2, clip_min=0, clip_max=1)
def main():
mnist = input_data.read_data_sets('MNIST_data', one_hot=True)
sess.run(tf.global_variables_initializer())
with sess.as_default():
acc = {}
print('train classifier')
for t in range(1, steps + 1):
batch = mnist.train.next_batch(batch_size)
f_dict = {x: batch[0], label: batch[1]}
sess.run(train_op_classifier, feed_dict=f_dict)
def main():
random_seed = 1024
train_size, test_size = 55000, 10000
batch_size = 100
learning_rate = 0.05
epochs = 10
steps = epochs * 550
config = tf.ConfigProto()
config.gpu_options.per_process_gpu_memory_fraction = 0.8
sess = tf.InteractiveSession(config=config)
global_step = tf.Variable(0, name='global_step', trainable=False)
tf.set_random_seed(random_seed)
x = tf.placeholder(tf.float32, [None, 784]) # input
label = tf.placeholder(tf.float32, [None, 10]) # true label
x_perturb = x + tf.random_normal(
shape=tf.shape(x), mean=0.0, stddev=0.5, dtype=tf.float32)
x_perturb = tf.clip_by_value(x_perturb, 0, 1)
y = classifier(x)
y_ = classifier(x_perturb)
y_perturb = y_ + tf.random_normal(
shape=tf.shape(y), mean=0.0, stddev=300.0, dtype=tf.float32)
#fgsm
x_fgsm = attack.fgsm(x, y, eps=0.2, clip_min=0, clip_max=1)
y_fgsm = classifier(x_fgsm)
x_perturb2 = x + tf.random_normal(
shape=tf.shape(x), mean=0.0, stddev=0.2, dtype=tf.float32)
y_2 = classifier(x_perturb2)
x_fgsm_rd = attack.fgsm(x_perturb2, y_2, eps=0.2, clip_min=0, clip_max=1)
y_fgsm_rd = classifier(x_fgsm_rd)
loss_cls = softmax_loss(label, y_perturb)
all_vars = tf.trainable_variables()
c_vars = [var for var in all_vars if 'classifier' in var.name]
train_op_classifier = GradientDescentOptimizer(learning_rate = learning_rate) \
.minimize(loss_cls, var_list = c_vars, global_step = global_step)
x1 = tf.placeholder(tf.float32, [None, 784])
x2 = tf.placeholder(tf.float32, [None, 784])
# train
saver = tf.train.Saver()
mnist = input_data.read_data_sets('MNIST_data', one_hot=True)
x_pre_fgsm_data = np.load(os.path.join('data', 'x_fgsm_mnist.npy'))
sess.run(tf.global_variables_initializer())
with sess.as_default():
print('train classifier')
for t in range(1, steps + 1):
batch = mnist.train.next_batch(batch_size)
f_dict = {x: batch[0], label: batch[1]}
sess.run(train_op_classifier, feed_dict=f_dict)
if t % 550 == 0:
epoch = int(t / 550)
acc = {}
dist = {}
x_data = mnist.test.images
label_data = mnist.test.labels
acc['benign'] = sess.run(get_acc(x, label),
feed_dict={
x: mnist.test.images,
label: mnist.test.labels
})
acc['pre'] = sess.run(get_acc(x, label),
feed_dict={
x: x_pre_fgsm_data,
label: mnist.test.labels
})
dist['pre'] = sess.run(avg_dist(x1, x2),
feed_dict={
x1: mnist.test.images,
x2: x_pre_fgsm_data
})
x_fgsm_data = sess.run(x_fgsm,
feed_dict={
x: mnist.test.images,
label: mnist.test.labels
})
acc['fgsm'] = sess.run(get_acc(x, label),
feed_dict={
x: x_fgsm_data,
label: mnist.test.labels
})
dist['fgsm'] = sess.run(avg_dist(x1, x2),
feed_dict={
x1: mnist.test.images,
x2: x_fgsm_data
})
x_perturb_data = x_data + np.random.normal(
loc=0.0, scale=0.2, size=[10000, 784])
x_perturb_data = np.clip(x_perturb_data, 0, 1)
x_rd_fgsm_data = sess.run(x_fgsm,
feed_dict={
x: x_perturb_data,
label: mnist.test.labels
})
acc['rd'] = sess.run(get_acc(x, label),
feed_dict={
x: x_rd_fgsm_data,
label: mnist.test.labels
})
dist['rd'] = sess.run(avg_dist(x1, x2),
feed_dict={
x1: mnist.test.images,
x2: x_rd_fgsm_data
})
x_it_fgsm_data = np.copy(mnist.test.images)
for _ in range(10):
grad = sess.run(tf.gradients(loss_cls, x)[0],
feed_dict={
x: x_it_fgsm_data,
label: mnist.test.labels
})
x_it_fgsm_data += np.sign(grad) * 0.01
x_it_fgsm_data = np.clip(x_it_fgsm_data, 0, 1)
acc['it'] = sess.run(get_acc(x, label),
feed_dict={
x: x_it_fgsm_data,
label: mnist.test.labels
})
dist['it'] = sess.run(avg_dist(x1, x2),
feed_dict={
x1: mnist.test.images,
x2: x_it_fgsm_data
})
x_it_rd_fgsm_data = np.copy(
mnist.test.images) + np.random.normal(
loc=0.0, scale=0.2, size=[10000, 784])
x_it_rd_fgsm_data = np.clip(x_it_rd_fgsm_data, 0, 1)
for _ in range(10):
grad = sess.run(tf.gradients(loss_cls, x)[0],
feed_dict={
x: x_it_rd_fgsm_data,
label: mnist.test.labels
})
x_it_rd_fgsm_data += np.sign(grad) * 0.01
x_it_rd_fgsm_data = np.clip(x_it_rd_fgsm_data, 0, 1)
acc['it rd'] = sess.run(get_acc(x, label),
feed_dict={
x: x_it_rd_fgsm_data,
label: mnist.test.labels
})
dist['it rd'] = sess.run(avg_dist(x1, x2),
feed_dict={
x1: mnist.test.images,
x2: x_it_rd_fgsm_data
})
print(epoch)
print(acc)
print(dist)
