# AdvProp
Leveraging adversarial examples.

TODO:
* ~~Create auxillery batchnorm layer~~
* Create function to convert network. Note: Does this make a shallow copy of weights, or do we need a function to transfer weights?
* Create function to update batch index
* 

In [1]:
import torch as t
import torch.nn as nn
import torchvision.datasets as datasets
import matplotlib.pylab as plt
from torchvision.transforms import Compose, Normalize, ToTensor
from math import sqrt, exp
from numpy import linspace
from time import time

from torchvision.transforms.functional import to_pil_image

In [2]:
batch_size = 125

#Choose data set and batch size
means = [0.49139967861519745, 0.4821584083946076, 0.44653091444546616]
stdevs = [0.2470322324632823, 0.24348512800005553, 0.2615878417279641]
transforms = Compose([ToTensor(), Normalize(means, stdevs)])
training_set = datasets.CIFAR10(root='./data/', train=True, download=False, transform=transforms)
testing_set = datasets.CIFAR10(root='./data/', train=False, download=False, transform=transforms)

training_loader = t.utils.data.DataLoader(dataset=training_set, batch_size=batch_size, shuffle=True, pin_memory=True)
testing_loader = t.utils.data.DataLoader(dataset=testing_set, batch_size=batch_size, shuffle=True, pin_memory=True)

#Set image size. This is done for convenience when changing data.
image_shape = (3, 32, 32)
image_size = image_shape[0]*image_shape[1]*image_shape[2]
out_size = 10

In [4]:
def print_progress(intro_dict, progress_dict):
    '''
    Prints information from two dictionaries. The first dictionary is printed verbatim,
    while the second dictionary is rounded to 4 decimals. The values of the second
    dictionary must be floats.
    
    :param intro_dict: (dict) Information about the current time. The {key: value}
        pair can have any value that can be used in a str format.
    :param progress_dict: (dict) Information about current progress. The {key: value}
        pair must have a float for the value.
    '''
    intro_text = '{}: {:4}'
    intros = [intro_text.format(key, value) for key, value in intro_dict.items()]
    update_text = '{}: {:.4f}'
    updates = [update_text.format(key, value) for key, value in progress_dict.items()]
    print(*intros, *updates, sep=' - ')

In [94]:
class MultiBatchNorm(nn.Module):
    def __init__(self, BatchNorm, n_copies=1):
        super(MultiBatchNorm, self).__init__()
        assert type(BatchNorm) in [nn.BatchNorm1d, nn.BatchNorm2d, nn.BatchNorm3d], \
            'Requires BatchNorm to be a torch.nn.BatchNorm object instead of {}'.format(type(BatchNorm))
        
#         self.main_bn = BatchNorm
        self.bn_idx = 0
        self.register_parameter('main_bn', BatchNorm)
        #Get proper layer
        if type(BatchNorm) is nn.BatchNorm1d:
            module = nn.BatchNorm1d
        elif type(BatchNorm) is nn.BatchNorm2d:
            module = nn.BatchNorm2d
        elif type(BatchNorm) is nn.BatchNorm3d:
            module = nn.BatchNorm3d
            
        #Collect parameters
        params = [
            BatchNorm.num_features,
            BatchNorm.eps,
            BatchNorm.momentum,
            BatchNorm.affine,
            BatchNorm.track_running_stats
        ]
        #Create auxillery batch norm layers
        for _ in range(n_copies):
            self.register_parameter('aux_bn', )
        self.aux_bn = nn.ModuleList([module(*params) for _ in range(n_copies)])
        #Store number of auxillery batch norms
        self.n_aux_bn = n_copies
        
    def forward(self, input):
        assert 0 <= self.bn_idx <= self.n_aux_bn, \
            'Batch norm index {0} is out of out of range. Must be between 0 and {1}'.format(bn_idx, self.n_aux_bn)
        #Select which batch norm to use.
        if self.bn_idx == 0: 
            # 0 selects main batch norm.
            return self.main_bn(input)
        else:
            # 1 to n_copies selects auxillery batch norms.
            return self.aux_bn[self.bn_idx-1](input)
        
    def zero_grad(self):
        self.main_bn.zero_grad()
        for aux_bn in self.aux_bn:
            aux_bn.zero_grad()
        
def switch_bn(idx=0):
    '''
    Returns function to switch batch norms. For use with nn.Sequential.
    '''
    def _idx_switcher(module):
        if type(module) is MultiBatchNorm:
            assert 0 <= idx <= module.n_aux_bn, \
            'Index {0} out of range. Expected between 0 and {1}'.format(idx, module.n_aux_bn)
            module.bn_idx = idx
    return _idx_switcher

In [5]:
class ReLU_Block(nn.Module):
    '''
    Creates a RELU block.
    '''
    def __init__(self, in_features, out_features, dropout=True, dropout_prob=.1, batch_norm=True, bias=True):
        super(ReLU_Block, self).__init__()
        self.linear = nn.Linear(in_features, out_features, bias)
        
        if batch_norm:
            self.batch_norm = nn.BatchNorm1d(out_features)
        else:
            self.register_parameter('batch_norm', None)
            
        if dropout:
            self.dropout = nn.Dropout(dropout_prob)
        else:
            self.register_parameter('dropout', None)
        
    def forward(self, input):
        if self.dropout is not None:
            input = self.dropout(input)
        x = self.linear(input)
        if self.batch_norm is not None:
            x = self.batch_norm(x)

        return nn.functional.relu(x)

In [6]:
class classifier(nn.Module):
    def __init__(self, image_size, classes, depth, block_type, block_kws={}, name='default'):
        super(classifier, self).__init__()
        self.classes = classes
        if block_type == 'serlu':
            block = SERLU_Block
        elif block_type == 'selu':
            block = SELU_Block
        else:
            block = ReLU_Block
            
        layer_sizes = linspace(image_size, classes, depth, dtype=int)
        in_sizes, out_sizes = layer_sizes[:-1], layer_sizes[1:]
        
        net = [nn.Flatten()]
        assert depth >= 1, 'Depth must be at least 1. Recieved {0}'.format(depth)
        for in_size, out_size in zip(in_sizes[:-1], out_sizes[:-1]):
            net.append(block(in_size, out_size, **block_kws))
            
        if 'bias' in block_kws:
            bias = block_kws['bias']
        else:
            bias = True
        net.append(nn.Linear(in_sizes[-1], out_sizes[-1], bias))
        self.net = nn.Sequential(*net)
        
        self.name = name

    def forward(self, input):
        return self.net(input)
    
    def classify(self, input):
        _, classes = t.max(self.net(input), 1)
        return classes

In [7]:
def train_classifier(classifier, optimizer, epochs, device, verbose=True):
    history = []
    cum_time = 0.0
    for epoch in range(epochs):
        classifier.train()
        for batch_nb, batch in enumerate(training_loader):
            images, labels = batch[0].to(device), batch[1].to(device)

            start = time()
            #Assign nats
            x = classifier(images)

            #Compute loss
            loss = nn.functional.cross_entropy(x, labels)
            
            #Update network
            loss.backward()
            optimizer.step()
            optimizer.zero_grad()
            
            cum_time += time()-start

        #Validate after training
        score = test_classifier(classifier, device)
        if verbose:
            print_progress({'epoch': epoch}, {'Portion correct': score})
        history.append(score)
    return history, cum_time

def test_classifier(classifier, device):
    correct = 0
    nb_samples = len(testing_set)
    with t.no_grad():
        classifier.eval()
        for batch in testing_loader:
            images, labels = batch[0].to(device), batch[1].to(device)

            #Assign classes
            assigned = classifier.classify(images)

            #Compute correct assigned
            correct += float(t.sum(assigned==labels))

    return correct/nb_samples

def attack_classifier(classifier, device):
    correct = 0
    nb_samples = len(testing_set)
    with t.no_grad():
        classifier.eval()
        for batch in testing_loader:
            images, labels = batch[0].to(device), batch[1].to(device)

            #Assign classes
            assigned = classifier.classify(images)

            #Compute correct assigned
            correct += float(t.sum(assigned==labels))

    return correct/nb_samples

In [8]:
#Choose training device (cpu vs gpu/cuda) based on availability
device = 'cuda' if t.cuda.is_available() else 'cpu'

out_size = 10
epochs = 15
depths = [4, 8, 12]

In [10]:
lr = 1e-4
relu_history = []
for depth in depths:
    name = 'relu-{0}'.format(depth)
    ReLU_net = classifier(image_size, out_size, depth, 'relu', name=name)
    ReLU_optim = t.optim.Adam(ReLU_net.parameters(), lr=lr)
    ReLU_net.to(device)
    history, cum_time = train_classifier(ReLU_net, ReLU_optim, epochs, device, verbose=False)
    relu_history.append(history)
    print('Time to train {0}: {1:.0f} m {2:.1f} s.'.format(name, cum_time//60, cum_time%60))
    print('Final validation accuracy: {0:.1%}'.format(history[-1]))

Time to train relu-4: 0 m 58.8 s.
Final validation accuracy: 57.6%
Time to train relu-8: 2 m 19.2 s.
Final validation accuracy: 57.8%
Time to train relu-12: 3 m 38.3 s.
Final validation accuracy: 57.4%


In [11]:
selu_history = []

for depth in depths:
    name = 'selu-{0}'.format(depth)
    SELU_net = classifier(image_size, out_size, depth, 'selu', {'bias': False}, name=name)
    SELU_optim = t.optim.Adadelta(SELU_net.parameters())
    SELU_net.to(device)
    history, cum_time = train_classifier(SELU_net, SELU_optim, epochs, device, verbose=False)
    selu_history.append(history)
    print('Time to train {0}: {1:.0f} m {2:.1f} s.'.format(name, cum_time//60, cum_time%60))
    print('Final validation accuracy: {0:.1%}'.format(history[-1]))

Time to train selu-4: 0 m 31.1 s.
Time to train selu-8: 1 m 10.1 s.
Time to train selu-12: 1 m 54.7 s.


In [None]:
# SERLU_net = classifier(image_size, out_size, depth, h_size, 'serlu')
# #Move networks to selected device
# SERLU_net.to(device)

# #Set up optimizer
# SERLU_optim = t.optim.Adamax(SERLU_net.parameters(), lr=0.0005)

# #Train
# train_classifier(SERLU_net, SERLU_optim, epochs, device)

In [None]:
def create_adversary(classifier, image, desired_label, iterations, scale=1., lr=5e-2):
    classifier.eval()
    noise = t.zeros_like(image, requires_grad=True)
    optim = t.optim.SGD([noise], lr=lr)
    for _ in range(iterations):
        optim.zero_grad()
        new_image = (image+noise)/t.max(image+noise)
        loss = nn.functional.cross_entropy(classifier(new_image), desired_label)+scale*noise.norm()
        loss.backward()
        optim.step()
    return new_image

In [None]:
def FGSA(image, grad_data, eps):
    noise = grad_data.sign()
    new_image = t.clamp(image+eps*noise, 0, 1)
    return new_image

In [None]:
image = image.to(device)
image.requires_grad = True
predictions = SELU_net(image)
loss = nn.functional.cross_entropy(predictions, t.tensor(label).view(1).to(device))
ReLU_net.zero_grad()
loss.backward()
new_image = FGSA(image, image.grad.data, .05)
print(nn.functional.softmax(ReLU_net(new_image), dim=1).tolist())
print(label)
plt.imshow(to_pil_image(new_image.squeeze().cpu()))

In [None]:
def before_and_after(classifier, old_image, old_label, new_image, new_label, class_names):
    old_p = nn.functional.softmax(ReLU_net(image), 1).flatten().tolist()
    new_p = nn.functional.softmax(ReLU_net(new_image), 1).flatten().tolist()
    def _generate_text(label, p):
        return '{0}: {1:.6f}'.format(class_names[label], p[label])
    old_label = int(old_label)
    new_label = int(new_label)
    text = ['Before']
    text += [_generate_text(old_label, old_p)]
    text += [_generate_text(new_label, old_p)]
    text += ['After']
    text += [_generate_text(old_label, new_p)]
    text += [_generate_text(new_label, new_p)]
    print(*text, sep='\n')

In [None]:
image, label = training_set[1]
plt.imshow(to_pil_image(image))

In [None]:
image = image.to(device)
image = image.reshape((1, *image_shape))
new_label = t.tensor(1, device=device).view(1)
new_image = create_adversary(ReLU_net, image, new_label, 100, scale=1)

p_old = nn.functional.softmax(ReLU_net(image), 1).flatten().tolist()
p_new = nn.functional.softmax(ReLU_net(new_image), 1).flatten().tolist()
before_and_after(ReLU_net, image, label, new_image, new_label, training_set.classes)

new_image = new_image.squeeze()
plt.imshow(to_pil_image(new_image.cpu()))


In [None]:
raw_images = training_set.data/255.
channel_1 = raw_images[:, :, :, 0]
channel_2 = raw_images[:, :, :, 1]
channel_3 = raw_images[:, :, :, 2]

print([channel_1.mean(), channel_2.mean(), channel_3.mean()])
print([channel_1.std(), channel_2.std(), channel_3.std()])

In [95]:
net = nn.Sequential(nn.Linear(30, 30), nn.BatchNorm1d(30), nn.Linear(30, 1), nn.Sigmoid())


In [96]:
new_net = []
for module in net.children():
    if type(module) == nn.BatchNorm1d:
        new_net.append(MultiBatchNorm(module))
    else:
        new_net.append(module)
        
new_net = nn.Sequential(*new_net)

In [102]:
new_net.zero_grad()
new_net.apply(switch_bn(0))
r = t.rand((30, 30))
y = (r.mean(1, keepdim=True)-new_net(r)).pow(2).mean()
y.backward()
print(new_net[1].main_bn.weight.grad)
print(new_net[1].aux_bn[0].weight.grad)

tensor([ 1.3339e-03,  1.9097e-03, -6.0139e-06, -1.2178e-03,  3.2229e-03,
        -9.0382e-04,  3.3276e-03, -3.8931e-04,  1.5262e-03,  8.2239e-04,
         2.3829e-03, -3.2390e-05,  2.8183e-04, -8.9168e-04,  1.8541e-03,
         2.5105e-03, -1.8209e-03,  4.2325e-04, -1.7255e-05, -1.9175e-05,
         4.0801e-03,  3.5153e-03,  3.6646e-03,  1.3210e-03, -1.9340e-04,
        -9.8893e-06,  3.3115e-03,  9.8219e-04,  4.9654e-03, -7.9064e-05])
tensor([-1.2743e-03,  3.1779e-04, -1.5712e-05,  5.7013e-04,  6.6245e-03,
        -4.6573e-04,  4.1493e-03, -2.6825e-04,  3.0782e-03, -8.0361e-04,
         2.6034e-03,  7.3976e-04, -4.7824e-05, -1.1523e-03,  2.6266e-03,
         5.1047e-03, -1.0694e-03,  4.5707e-04, -6.4052e-05, -2.2515e-05,
         3.4765e-03,  2.0829e-03,  3.9389e-03,  3.8660e-03,  4.8316e-04,
         6.2607e-05,  2.4714e-03,  1.1119e-03,  4.3492e-03,  2.1327e-04])


In [105]:
new_net.zero_grad()
new_net.apply(switch_bn(1))
r = t.rand((30, 30))
y = (r.mean(1, keepdim=True)-new_net(r)).pow(2).mean()
y.backward()
print(new_net[1].main_bn.weight.grad)
print(new_net[1].aux_bn[0].weight.grad)

tensor([0., 0., 0., 0., 0., 0., 0., 0., 0., 0., 0., 0., 0., 0., 0., 0., 0., 0., 0., 0., 0., 0., 0., 0.,
        0., 0., 0., 0., 0., 0.])
tensor([ 7.4158e-04,  1.1048e-03, -1.9102e-05,  1.2424e-03,  1.0603e-02,
        -4.4003e-03,  8.0027e-03, -7.2566e-04,  7.7528e-03, -3.4236e-04,
         7.4775e-03,  1.4361e-03,  8.6736e-04, -1.0763e-03,  5.9851e-03,
         8.2362e-03, -1.5673e-03,  7.5439e-04, -9.3011e-07, -3.7179e-05,
         8.4422e-03,  2.6506e-03,  6.6694e-03,  6.2466e-03,  1.0359e-04,
         5.6810e-04,  7.1359e-03,  1.9257e-03,  2.7720e-03, -3.9740e-04])


In [107]:
for parameters in new_net[1].parameters():
    print(parameters)

Parameter containing:
tensor([1., 1., 1., 1., 1., 1., 1., 1., 1., 1., 1., 1., 1., 1., 1., 1., 1., 1.,
        1., 1., 1., 1., 1., 1., 1., 1., 1., 1., 1., 1.], requires_grad=True)
Parameter containing:
tensor([0., 0., 0., 0., 0., 0., 0., 0., 0., 0., 0., 0., 0., 0., 0., 0., 0., 0., 0., 0., 0., 0., 0., 0.,
        0., 0., 0., 0., 0., 0.], requires_grad=True)
