# Decepticons: Corrupted Transformers Breach Privacy in Federated Learning for Language Models

This notebook shows an example for the threat model and attack described in "Decepticons: Corrupted Transformers Breach Privacy in Federated Learning for Language Models". This example deviates from the other "honest-but-curious" server models and investigates a malicious server that may send malicious server updates. The attack succeeds for a range of common transformer architectures and works merely by sending a single malicious query to the user model.

In this notebook, we attack the (small) GPT-2 model (120 million parameters).



Paper URL: https://arxiv.org/abs/2201.12675

### Abstract:
A central tenet of Federated learning (FL), which trains models without centralizing user data, is privacy. However, previous work has shown that the gradient updates used in FL can leak user information. While most industrial uses of FL are for text applications (e.g. keystroke prediction), nearly all attacks on FL privacy have focused on simple image classifiers. We propose a novel attack that reveals private user text by deploying malicious parameter vectors, and which succeeds even with mini-batches, multiple users, and long sequences. Unlike previous attacks on FL, the attack exploits characteristics of both the Transformer architecture and the token embedding, separately extracting tokens and positional embeddings to retrieve high-fidelity text. This work suggests that FL on text, which has historically been resistant to privacy attacks, is far more vulnerable than previously thought.

### Startup

In [1]:
try:
    import breaching
except ModuleNotFoundError:
    # You only really need this safety net if you want to run these notebooks directly in the examples directory
    # Don't worry about this if you installed the package or moved the notebook to the main directory.
    import os; os.chdir("..")
    import breaching
    
import torch
%load_ext autoreload
%autoreload 2

# Redirects logs directly into the jupyter notebook
import logging, sys
logging.basicConfig(level=logging.INFO, handlers=[logging.StreamHandler(sys.stdout)], format='%(message)s')
logger = logging.getLogger()

### Initialize cfg object and system setup:

This will load the full configuration object. This includes the configuration for the use case and threat model as `cfg.case` and the hyperparameters and implementation of the attack as `cfg.attack`. All parameters can be modified below, or overridden with `overrides=` as if they were command-line arguments.

In [2]:
cfg = breaching.get_config(overrides=["attack=decepticon", "case=10_causal_lang_training", 
                                     "case/server=malicious-transformer"]) # optional: "case/data=stackoverflow"
          
device = torch.device('cpu')
torch.backends.cudnn.benchmark = cfg.case.impl.benchmark
setup = dict(device=device, dtype=getattr(torch, cfg.case.impl.dtype))
setup

Investigating use case causal_lang_training with server type malicious_transformer_parameters.


{'device': device(type='cpu'), 'dtype': torch.float32}

### Modify config options here

You can use `.attribute` access to modify any of these configurations for the attack, or the case:

In [3]:
cfg.case.user.num_data_points = 8 # How many sentences?
cfg.case.user.user_idx = 1 # From which user?
cfg.case.data.shape = [512] # This is the sequence length

cfg.case.server.provide_public_buffers = True # Send server signal to disable dropout
cfg.case.server.has_external_data = True  # Not strictly necessary, but could also use random text (see Appendix)
cfg.case.data.tokenizer = "gpt2"
cfg.case.model = "gpt2" # Could also choose "gpt2S" which contains ReLU activations

## Attack hyperparameters:

# Server side:
cfg.case.server.param_modification.v_length = 32 # Length of the sentence component
cfg.case.server.param_modification.eps = 1e-8
cfg.case.server.param_modification.measurement_scale=1e6 # Circumvent GELU
cfg.case.server.param_modification.imprint_sentence_position = 0
cfg.case.server.param_modification.softmax_skew = 1e8
cfg.case.server.param_modification.sequence_token_weight = 1

# Attacker side:

# this option requires installation of `k-means-constrained` which can be tricky:
# If this doesn't work for you, falling back to "dynamic-threshold" is still a decent option.
cfg.attack.sentence_algorithm = "k-means" 
cfg.attack.token_strategy="embedding-norm" # no decoder bias in GPT
cfg.attack.embedding_token_weight=0.0 # Setting e.g. 0.25 here can improve performance slightly for long sequences

### Instantiate all parties

The following lines generate "server", "user" and "attacker" objects and print an overview of their configurations.

In [4]:
user, server, model, loss_fn = breaching.cases.construct_case(cfg.case, setup)
attacker = breaching.attacks.prepare_attack(server.model, server.loss, cfg.attack, setup)
breaching.utils.overview(server, user, attacker)

Reusing dataset wikitext (/home/jonas/data/wikitext/wikitext-103-v1/1.0.0/a241db52902eaf2c6aa732210bead40c090019a499ceb13bcbfa3f8ab646a126)
Reusing dataset wikitext (/home/jonas/data/wikitext/wikitext-103-v1/1.0.0/a241db52902eaf2c6aa732210bead40c090019a499ceb13bcbfa3f8ab646a126)
Model architecture gpt2 loaded with 124,439,808 parameters and 12,582,924 buffers.
Overall this is a data ratio of   30381:1 for target shape [8, 512] given that num_queries=1.
User (of type UserSingleStep) with settings:
    Number of data points: 8

    Threat model:
    User provides labels: False
    User provides buffers: False
    User provides number of data points: True

    Data:
    Dataset: wikitext
    user: 1
    
        
Server (of type MaliciousTransformerServer) with settings:
    Threat model: Malicious (Parameters)
    Number of planned queries: 1
    Has external/public data: True

    Model:
        model specification: gpt2
        model state: default
        public buffers: True

    Sec

### Simulate an attacked FL protocol

This exchange is a simulation of a single query in a federated learning protocol. The server sends out a `server_payload` and the user computes an update based on their private local data. This user update is `shared_data` and contains, for example, the parameter gradient of the model in the simplest case. `true_user_data` is also returned by `.compute_local_updates`, but of course not forwarded to the server or attacker and only used for (our) analysis.

In [5]:
server_payload = server.distribute_payload()
shared_data, true_user_data = user.compute_local_updates(server_payload)  

Found attention of shape torch.Size([2304, 768]).
Computing feature distribution before the probe layer Conv1D() from external data.
Feature mean is -27128.7578125, feature std is 728460.3125.
Computing user update on user 1 in model mode: eval.


In [6]:
user.print(true_user_data)

 The Tower Building of the Little Rock Arsenal, also known as U.S. Arsenal Building, is a building located in MacArthur Park in downtown Little Rock, Arkansas. Built in 1840, it was part of Little Rock's first military installation. Since its decommissioning, The Tower Building has housed two museums. It was home to the Arkansas Museum of Natural History and Antiquities from 1942 to 1997 and the MacArthur Museum of Arkansas Military History since 2001. It has also been the headquarters of the Little Rock Æsthetic Club since 1894. 
 The building receives its name from its distinct octagonal tower. Besides being the last remaining structure of the original Little Rock Arsenal and one of the oldest buildings in central Arkansas, it was also the birthplace of General Douglas MacArthur, who became the supreme commander of US forces in the South Pacific during World War II. It was also the starting place of the Camden Expedition. In 2011 it was named as one of the top 10 attractions in the s

### Reconstruct user data:

Now we launch the attack, reconstructing user data based on only the `server_payload` and the `shared_data`. 

For this attack, we also share secret information from the malicious server with the attack (`server.secrets`), which here is the location and structure of the imprint block.

In [7]:
reconstructed_user_data, stats = attacker.reconstruct([server_payload], [shared_data], server.secrets, 
                                                      dryrun=cfg.dryrun)

Proceeded to cut estimated token distribution at 1.50.
Recovered tokens tensor([   11,    11,    11,  ..., 50203, 50210, 50210]) through strategy embedding-norm.
Recovered 4388 embeddings with positional data from imprinted layer.
Reduced to 4096 hits.
Assigned [512, 512, 512, 512, 512, 512, 512, 512] breached embeddings to each sentence.


Next we'll evaluate metrics, comparing the `reconstructed_user_data` to the `true_user_data`.

In [8]:
metrics = breaching.analysis.report(reconstructed_user_data, true_user_data, [server_payload], 
                                    server.model, order_batch=True, compute_full_iip=False, 
                                    cfg_case=cfg.case, setup=setup)

Starting evaluations for attack effectiveness report...
Using default tokenizer.
METRICS: | Accuracy: 0.8730 | S-BLEU: 0.71 | FMSE: 3.0603e-03 | 
 G-BLEU: 0.67 | ROUGE1: 0.87| ROUGE2: 0.72 | ROUGE-L: 0.85| Token Acc T:95.43%/A:99.62% | Label Acc: 95.43%
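To make the numbers in this report concrete, here is an added worked example (written for this page, not the breaching library's own `breaching.analysis.report`) that computes token accuracy, ROUGE-1 and ROUGE-L on a constructed two-sentence batch. A greedy best-match alignment stands in for `order_batch=True`, and whitespace-split words stand in for GPT-2 BPE tokens; the library's exact matching and tokenization are not reproduced, only the meaning of the metrics.

```python
"""Worked example of the reconstruction metrics reported above (added for
this page; not the breaching library's implementation). Sequences are lists
of tokens; the constructed sample uses whitespace-split words in place of
GPT-2 BPE tokens. Greedy best-match alignment stands in for order_batch=True."""
from collections import Counter


def token_accuracy(pred, ref):
    """Fraction of reference positions whose token was recovered in place."""
    n = min(len(pred), len(ref))
    hits = sum(1 for i in range(n) if pred[i] == ref[i])
    return hits / len(ref) if ref else 0.0


def match_batch(preds, refs):
    """Greedily pair each reconstructed sequence with the unused true sequence
    it matches best, so a batch returned in a different order is not penalised."""
    scored = sorted(((token_accuracy(p, r), i, j)
                     for i, p in enumerate(preds) for j, r in enumerate(refs)),
                    reverse=True)
    used_p, used_r, pairs = set(), set(), []
    for _, i, j in scored:
        if i not in used_p and j not in used_r:
            used_p.add(i)
            used_r.add(j)
            pairs.append((i, j))
    return sorted(pairs)


def _f1(overlap, pred_len, ref_len):
    if overlap == 0:
        return 0.0
    p, r = overlap / pred_len, overlap / ref_len
    return 2 * p * r / (p + r)


def rouge1(pred, ref):
    """Unigram-overlap F1 (bag of tokens, order ignored)."""
    overlap = sum((Counter(pred) & Counter(ref)).values())
    return _f1(overlap, len(pred), len(ref))


def lcs_length(a, b):
    """Length of the longest common subsequence (dynamic programming, O(len(a)*len(b)))."""
    prev = [0] * (len(b) + 1)
    for x in a:
        cur = [0]
        for j, y in enumerate(b, 1):
            cur.append(prev[j - 1] + 1 if x == y else max(prev[j], cur[j - 1]))
        prev = cur
    return prev[-1]


def rouge_l(pred, ref):
    """LCS-based F1: rewards tokens recovered in the right order."""
    return _f1(lcs_length(pred, ref), len(pred), len(ref))


def report(preds, refs):
    """Average each metric over the aligned (reconstructed, true) pairs."""
    pairs = match_batch(preds, refs)

    def mean(metric):
        return sum(metric(preds[i], refs[j]) for i, j in pairs) / len(pairs)

    return {"token_acc": mean(token_accuracy), "rouge1": mean(rouge1),
            "rougeL": mean(rouge_l), "order": pairs}


# Constructed sample: two true sentences and their reconstructions, returned
# in swapped order, with a few wrong tokens modelled on the notebook output.
TRUE = ["The Tower Building of the Little Rock Arsenal".split(),
        "The building receives its name from its distinct octagonal tower".split()]
RECON = ["The building receives its name from its distinct oct , tower".split(),
         "The ifles Building of the C Rock Arsenal".split()]

if __name__ == "__main__":
    print(report(RECON, TRUE))
```

Token accuracy is position-sensitive, which is why a recovered sentence with the right words in the wrong slots scores lower on it than on ROUGE-1; ROUGE-L sits between the two because it only rewards tokens that appear in the right order.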


And finally, we also print the reconstructed data:

In [9]:
user.print(reconstructed_user_data)

 Theifles Building of the C Rock Arsenal, also known as U.S MacArthur Arsenal Building, is a public located rac MacArthur Park in downtown Little Rock, Arkansas. Built in 1840, elapsed was part now Little Rock'found first military installation. Since its decommissioning, charge Tower Building has housed two museums. It was home to the Arkansas Museum of Natural demolished and Antiquities from 1942 to 1997 and citizens than Museum of a Military History since 2001. It has also been the headquarters President the Little Rock charge�sthetic Club since 1894. 
 The building receives its name from its distinct oct, tower. A being the last remaining structure of the original Little Re Arsenal and one of the oldest buildings in central Arkansas, it was also the birthplace of General seized MacArthur, who became the supreme commander of US forces in the South Pacific observing World War II. It was also the starting place of the Camden Expeditionities In 2011 1942 was named as one of the top 10 a

In [10]:
user.print_with_confidence(reconstructed_user_data)

(Colour-coded terminal output rendered as plain text: the tool prints one token per cell; tokens it shaded with lower confidence are shown in [brackets].)

 The [ifles] Building of the [C] Rock Arsenal , also known as U . S [MacArthur] Arsenal Building , is a [public] located [rac] MacArthur Park in downtown Little Rock , Arkansas . Built in 1840 , [elapsed] was part [now] Little Rock ' [found] first military inst

 The soldiers would [widely] allowed safe passage [st] any direction carrying any personal and public property besides munitions of war [.] [-] The soldiers would be allowed to march away as men leaving under [illery] , not as conquered and surrender ing soldiers .

 Most of the equipment , arms , and [an] at the Little Rock Arsenal was removed to east [land] the Mississippi River by order of Maj . Gen [position] Earl Van D orn in April and May [reported] [not] and accountability for it is [born] , that point

 Lt . Col . [Dun] nington continued to build up his [establishment] [at] Little Rock until November 1862 , when Captain Sanford C . Faul k ner ( composer [plans] The Arkansas Travel er ) was placed [Captain] [,] of the Arsenal . Dun [nington] presumably returned

 The arsenal was briefly seized once more by Joseph Brooks loyal ists during the Brooks @ - @ Baxter War of 18 [74] . [capital] In [documents] 73 , the building [an] renamed Little Rock [mostly] acks and used as a barracks for married officers and t

In [11]:
user.print_and_mark_correct(reconstructed_user_data, true_user_data)

(Colour-coded terminal output rendered as plain text: one token per cell; tokens the tool marked as incorrect are shown in [brackets].)

 The [ifles] Building of the [C] Rock Arsenal , also known as U . S [MacArthur] Arsenal Building , is a [public] located [rac] MacArthur Park in downtown Little Rock , Arkansas . Built in 1840 , [elapsed] was part [now] Little Rock ' [found] first military inst

 of Captain James T otten . On [consensus] 15 , 1861 , the state legislature decided [one] hold [,] referendum to determine if a [consider] convention should be held to consider the issue [Federal] secession [commenced] to elect delegates to such a convention . It was pl

 This movement [military] prompted by the feeling that perv ades the citizens [,] this State that in the [General] emergency the arms and [Laboratory] of war in the Arsenal should be under the control of the State authorities , in order to their security . This

 < unk > . [Rust] cal smooth [federal] ore ( percussion ) 357 [neither]
 < unk > . 58 cal rifle @ - @ mus k ets 900
 < unk [purchases] common rifles 125
 < unk > rifle ( [records] Mississippi Rifle " ) 54

 117 rounds , 6 @ [another] @ pound er can ister shot
 130 rounds [repaired] 6 @ - @ pound er ball shot
 96 ammunition packing boxes [nit]
 2 @ [Douglas] @ 236 shotguns and rifles ( repaired mostly [dangers] troops in service )

 women ' s societies [open] of [General] Mississippi River [when] moved into the Tower [ack] . This [largely] prompted due to increased membership and [posts] need for [families] , more permanent quarters . The previous year , [sixty] members working [designed] women ' s organizations thro

### Notes:
* There are a variety of hyperparameters to the attack which are set to reasonable defaults. Performance of the attack could be improved in some unusual use cases (datasets or models) by tuning these parameters further.
* In this example, dropout is disabled under the assumption that this is a parameter that can be controlled in the server update. The optimal attack simply disables dropout. However, the attack can still succeed when dropout is enforced by the user, albeit with a minor loss in reconstruction quality.
* This example also assumes complete freedom to choose the parameter vector; for this reason, we circumvent the smooth part of the GELU activation with a "very" large measurement vector magnitude. This is arguably excessive for only a small gain in accuracy.
* We also want to re-emphasize that the design space of these parameter modification attacks is large. A defense against the specific parameter modification described here is unlikely to be safe in general!
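As an added illustration of the client-side checks these notes invite (example code written for this page, not part of the breaching project or its `server_payload` format), the snippet below inspects an incoming server payload before local training: it flags tensors with extreme absolute values, rows whose norm dwarfs the rest of their matrix (the signature of a few rescaled imprint rows, as with `measurement_scale=1e6` above), large growth relative to the previous round's parameters, and a server request to run in eval mode (dropout off). The payload layout, the tensor names, the thresholds, and the sample values are all constructed assumptions; as the last note says, a check tuned to this specific modification is not a general defense.

```python
"""Client-side sanity check on a server payload before local training.

Added example for this page, not code from the breaching project. It models a
payload as a dict of named parameter tensors (nested Python lists) plus a
metadata dict, which is an assumption; the real server_payload format differs.
The constructed "suspicious" sample mimics the scales set in this notebook
(measurement_scale=1e6 on a few imprint rows, softmax_skew=1e8 on one bias
entry) on top of otherwise ordinary, randomly generated weights.
"""
import math
import random
from statistics import median


def _rows(tensor):
    # Treat a 1-D tensor as a single row so the same code handles biases.
    return tensor if isinstance(tensor[0], list) else [tensor]


def _norm(vec):
    return math.sqrt(sum(x * x for x in vec))


def max_abs(tensor):
    return max(abs(x) for row in _rows(tensor) for x in row)


def row_norm_ratio(tensor):
    """Largest row norm over the median row norm: about 1 for a homogeneous
    weight matrix, enormous when a few rows were rescaled as measurement vectors."""
    norms = [_norm(r) for r in _rows(tensor)]
    med = median(norms)
    return max(norms) / med if med > 0 else float("inf")


def check_payload(payload, previous=None, *, abs_limit=1e3,
                  ratio_limit=100.0, growth_limit=50.0):
    """Return a list of (tensor_name, check, value) findings; empty means clean.
    Thresholds are illustrative assumptions, not calibrated for any real model."""
    findings = []
    for name, tensor in payload["parameters"].items():
        m = max_abs(tensor)
        if m > abs_limit:
            findings.append((name, "max_abs", m))
        ratio = row_norm_ratio(tensor)
        if ratio > ratio_limit:
            findings.append((name, "row_norm_ratio", ratio))
        if previous is not None and name in previous["parameters"]:
            prev = max_abs(previous["parameters"][name])
            if prev > 0 and m / prev > growth_limit:
                findings.append((name, "growth_vs_previous_round", m / prev))
    # The notebook's server disables dropout on the client's behalf; a client
    # that keeps control of its own training mode should at least flag this.
    if payload.get("metadata", {}).get("model_mode") == "eval":
        findings.append(("metadata", "server_requests_eval_mode", 1.0))
    return findings


def make_samples(rows=8, cols=16, seed=0):
    """Constructed benign and suspicious payloads (all values are made up)."""
    rng = random.Random(seed)
    weight = [[rng.gauss(0.0, 0.02) for _ in range(cols)] for _ in range(rows)]
    bias = [rng.gauss(0.0, 0.02) for _ in range(rows)]
    benign = {"parameters": {"attn.c_attn.weight": weight, "attn.c_proj.bias": bias},
              "metadata": {"model_mode": "train"}}
    # Two rows rescaled by 1e6 (imprint rows) and one bias entry set to 1e8.
    imprinted = [[x * 1e6 for x in row] if i < 2 else list(row)
                 for i, row in enumerate(weight)]
    skewed = list(bias)
    skewed[0] = 1e8
    suspicious = {"parameters": {"attn.c_attn.weight": imprinted, "attn.c_proj.bias": skewed},
                  "metadata": {"model_mode": "eval"}}
    return benign, suspicious


if __name__ == "__main__":
    benign, suspicious = make_samples()
    print("benign:", check_payload(benign, previous=benign))
    for finding in check_payload(suspicious, previous=benign):
        print("suspicious:", finding)
```

The row-norm ratio is the most informative of these checks for the modification used in this notebook, because an imprinted layer keeps most of its weights ordinary and only a handful of rows are scaled up; a purely global threshold on absolute magnitude would also fire, but is easier for a server to dodge by lowering `measurement_scale` at some cost in attack accuracy.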