# ***This is a simple implement of basic 1st attack introduced in ML-leak article on CIFAR10***

## ***General setting code***

### ***Install all independency here***

In [None]:
!pip3 install torch==1.10.2+cpu torchvision==0.11.3+cpu torchaudio==0.10.2+cpu -f https://download.pytorch.org/whl/cpu/torch_stable.html
!pip3 install ipywidgets
!jupyter nbextension enable --py widgetsnbextension

### ***Import all dependency here***

In [None]:
# to monitor the progress
from tqdm import tqdm
import time
# basic dependency
import numpy as np
import random
# pytorch related
import torch
from torch.utils.data import Dataset
from torchvision import datasets
from torch import nn
from torch.utils.data import DataLoader
from torch.utils.data import random_split
from torch import optim
import torch.nn.functional as F
import torchvision.transforms as T
# for visulization
import matplotlib.pyplot as plt
from random import shuffle
# sklearn
from sklearn.metrics import precision_score, recall_score, f1_score, accuracy_score
from sklearn.metrics import precision_recall_fscore_support, accuracy_score
# other classifier
import lightgbm as lgb
# for mount from Colab to my drive
from google.colab import drive
drive.mount('/content/drive')
import os
os.chdir('/content/drive/My Drive')

Mounted at /content/drive


## ***Target and shadow model code***

### ***Define a Neural Network class for shadow and target model***

In [None]:
# reuse the NN in badnet
class basicNet(nn.Module):

    def __init__(self,inputchannels,outputclasses):
        super().__init__()
        self.conv1 = nn.Conv2d(inputchannels, 16, 5)
        self.conv2 = nn.Conv2d(16, 32, 5)
        self.pool = nn.AvgPool2d(2)
        if inputchannels == 3:
          inputfeatures = 800
        else:
          inputfeatures = 512
        self.fc1 = nn.Linear(inputfeatures, 512)
        self.fc2 = nn.Linear(512, outputclasses)

    def forward(self, x):
        # conv block1
        x = self.conv1(x)
        x = F.relu(x)
        x = self.pool(x)
        # conv block2
        x = self.conv2(x)
        x = F.relu(x)
        x = self.pool(x)
        # reshape(flat) the feature to be the input of full connect layer
        x = x.view(-1, self.num_features(x))
        # fc block1
        x = self.fc1(x)
        x = F.relu(x)
        # fc block2
        x = self.fc2(x)
        x = F.softmax(x,dim=-1)
        return x

    def num_features(self, x):
        # size of different dimensions
        size_D = x.size()[1:]
        total = 1
        for i in size_D:
            total = total*i
        return total

### ***Functions for training and evaluating(target/shadow model)***

In [None]:
def train(model, dataloader, criterion, opt):
    running_loss = 0
    # switch to model:train
    # no difference here since no dropout and BN
    model.train()
    count = 0
    for i, data in tqdm(enumerate(dataloader)):
        opt.zero_grad()
        imgs, labels = data
        imgs = imgs.to(device)
        labels = labels.to(device)
        predict = model(imgs)
        #print(predict.dtype)
        #print(labels.dtype)
        loss = criterion(predict, labels)
        loss.backward()
        opt.step()
        count = i
        running_loss += loss
    return running_loss / count


def evaluation(model, dataloader, batch_size=64):
    # switch to model:eval
    # no difference here since no dropout and BN    
    model.eval()
    # y_tensorlist is a list consists of some tensors
    y_true_tensorlist = []
    y_predict_tensorlist = []
    for step, (batch_x, batch_y) in enumerate(dataloader):
        batch_x,batch_y = batch_x.to(device),batch_y.to(device)
        output = model(batch_x)
        #print(output.shape)
        batch_y_predict = torch.argmax(output, dim=1)
        
        y_predict_tensorlist.append(batch_y_predict)
        
        y_true_tensorlist.append(batch_y)
        
    # combine the tensors in the list into one
    y_true = torch.cat(y_true_tensorlist,0)
    y_predict = torch.cat(y_predict_tensorlist,0)

    # compute accuracy
    length = len(y_true)
    right_length = torch.sum(y_true == y_predict)
    #print(right_length/length)
    
    return right_length/length

## ***Attack model's dataset code***

### ***Functions used to create attack model's dataset***

In [None]:
def attackdataset_x_1_batch(shadow,batch_x,device):
    shadow.eval()
    # Aim to get features(x)
    # output of model shadow is probabilities
    batch_y = shadow(batch_x.to(device))
    sorted_prob,_ = torch.sort(batch_y,descending=True)
    #print(sorted_prob.shape)

    # choose 3 highest probabilities as feature vector
    # This is a batch's output, not single image.
    # feature: x, x is already a tensor
    feature_vectors = torch.narrow(sorted_prob,dim=1,start=0,length=3)

    return feature_vectors

def get_attackdataset(shadow,train_loader,out_loader,device):
    shadow.eval()
    # 1. get a tensor list of x
    # 2. combine all tensors in tensor list x into a tensor X
    # 3. generate label tensor Y, the length is the same as X
    attack_set=[]

    attack_X_train_list = []
    for i, (batch_x, batch_y) in enumerate(train_loader):
        batch_x = batch_x.to(device)
        batch_y = batch_y.to(device)
        feature_vectors = attackdataset_x_1_batch(shadow,batch_x,device=device)
        attack_X_train_list.append(feature_vectors)
    attack_X_train = torch.cat(attack_X_train_list,0)
    print(len(attack_X_train))
    for i in attack_X_train:
      attack_set.append((i.detach(),torch.ones(1)))

    # train:label = 1
    #attack_Y_train = torch.ones(attack_X_train.shape[0])
    #print('attack Y train shape: ',attack_Y_train.shape)

    attack_X_out_list = []
    for i, (batch_x, batch_y) in enumerate(out_loader):
        feature_vectors = attackdataset_x_1_batch(shadow,batch_x,device=device)
        attack_X_out_list.append(feature_vectors)
    attack_X_out = torch.cat(attack_X_out_list,0)
    print(len(attack_X_out))
    for i in attack_X_out:
      attack_set.append((i.detach(),torch.zeros(1)))
    # out: label = 0
    #attack_Y_out = torch.zeros(attack_X_out.shape[0])
    #print('attack Y out shape: ',attack_Y_out.shape)

    # combine train and out to get the whole dataset's X and Y
    #attack_X = torch.cat([attack_X_train,attack_X_out],0)
    #attack_Y = torch.cat([attack_Y_train,attack_Y_out],0)
    #print('attack X total shape: ',attack_X.shape)
    #return attack_X.detach(),attack_Y
    shuffle(attack_set)
    # check first 10 elements
    print('- - - - - - - - - ')
    print('num of data ')
    print(len(attack_set))
    print('- - - - - - - - - ')
    print('first 10 elements ')
    print(attack_set[0:9])
    return attack_set

### ***Define attack model's dataset class***

In [None]:
class attack_dataset(Dataset):
    # N data points, features include N top 3 probabilities, labels include N labels(1/0)
    # elements in features and labels are already tensor.
    def __init__(self, attack_set, transform = None, device=torch.device("cpu")):
        self.attack_set = attack_set
        self.device = device
        self.transform = transform

    def __getitem__(self, item):
        # extract x,y , x,y are all tensors
        x = self.attack_set[item][0]
        y = self.attack_set[item][1]
        # send x,y to device
        x = x.to(self.device)
        y = y.to(self.device)
        
        return x, y

    def __len__(self):
        return len(self.attack_set)

## ***Main part***

### ***CIFAR10***

#### *Download, split and load data*

In [None]:
# prepare original data
transforms = T.Compose([T.ToTensor(),T.Normalize((0.4914, 0.4822, 0.4465), (0.247, 0.243, 0.261))])
train_data_CIFAR10 = datasets.CIFAR10(root="./data_1/", train=True,transform=transforms, download=True)
test_data_CIFAR10 = datasets.CIFAR10(root="./data_1/",train=False,transform=transforms, download=True)

Downloading https://www.cs.toronto.edu/~kriz/cifar-10-python.tar.gz to ./data_1/cifar-10-python.tar.gz


  0%|          | 0/170498071 [00:00<?, ?it/s]

Extracting ./data_1/cifar-10-python.tar.gz to ./data_1/
Files already downloaded and verified


In [None]:
# set the length of each split
length_train_data_CIFAR10 = len(train_data_CIFAR10)
lengthlist = [int(0.25*length_train_data_CIFAR10),int(0.25*length_train_data_CIFAR10),int(0.25*length_train_data_CIFAR10),int(0.25*length_train_data_CIFAR10)]
print(length_train_data_CIFAR10)
print(lengthlist)

50000
[12500, 12500, 12500, 12500]


In [None]:
# CIFAR10
# split the dataset into 4 part: target train/out, shadow train/out
train_target_dataset_CIFAR10,out_target_dataset_CIFAR10,train_shadow_dataset_CIFAR10,out_shadow_dataset_CIFAR10 = random_split(
    dataset=train_data_CIFAR10,
    lengths=lengthlist,
    generator=torch.Generator().manual_seed(19260817)
)
# This is the main dataloader with the total dataset
target_train_loader = DataLoader(dataset=train_target_dataset_CIFAR10, batch_size=64, shuffle = True)
target_out_loader = DataLoader(dataset=out_target_dataset_CIFAR10, batch_size=64, shuffle = True)

shadow_train_loader = DataLoader(dataset=train_shadow_dataset_CIFAR10, batch_size=64, shuffle = True)
shadow_out_loader = DataLoader(dataset=out_shadow_dataset_CIFAR10, batch_size=64, shuffle = True)

testloader = DataLoader(dataset=test_data_CIFAR10, batch_size=64, shuffle = True)


#### *Pretrain target and shadow models*

In [None]:
# use train_target to train target model
# no gpu, thus device is only cpu
device = torch.device('cuda' if torch.cuda.is_available() else 'cpu')
# Train target
# load model
# if use MNIST, inputchannels=1, if use CIFAR10, inputchannels=3, both output classes = 10
# related info could be get by using input_channels=train_data_loader.dataset.channels, output_num=train_data_loader.dataset.class_num
target = basicNet(inputchannels=3, outputclasses=10).to(device)
# settings
criterion = nn.CrossEntropyLoss()
sgd = optim.SGD(target.parameters(), lr=0.01, momentum=0.9)
epoch = 50

# train
print("start training: ")
for i in range(epoch):
    loss_train = train(target, target_train_loader, criterion, sgd)
    # Acc
    acc_train = evaluation(target, target_train_loader, batch_size=64)
    acc_test = evaluation(target, testloader, batch_size=64)
    print("epoch%d   loss: %.5f  training accuracy: %.5f  testing accuracy: %.5f"\
      % (i, loss_train, acc_train, acc_test))
torch.save(target.state_dict(), "./models/target_CIFAR10.pth")

start training: 


196it [00:04, 44.47it/s]


epoch0   loss: 2.30894  training accuracy: 0.11344  testing accuracy: 0.11660


196it [00:04, 44.99it/s]


epoch1   loss: 2.24300  training accuracy: 0.26384  testing accuracy: 0.26410


196it [00:04, 44.70it/s]


epoch2   loss: 2.17662  training accuracy: 0.31312  testing accuracy: 0.31880


196it [00:04, 44.23it/s]


epoch3   loss: 2.15221  training accuracy: 0.32512  testing accuracy: 0.32150


196it [00:04, 44.65it/s]


epoch4   loss: 2.13250  training accuracy: 0.34776  testing accuracy: 0.33840


196it [00:04, 45.37it/s]


epoch5   loss: 2.11276  training accuracy: 0.36648  testing accuracy: 0.35830


196it [00:04, 45.40it/s]


epoch6   loss: 2.09500  training accuracy: 0.40312  testing accuracy: 0.39010


196it [00:04, 45.20it/s]


epoch7   loss: 2.07693  training accuracy: 0.41144  testing accuracy: 0.38890


196it [00:04, 45.09it/s]


epoch8   loss: 2.05741  training accuracy: 0.41920  testing accuracy: 0.39690


196it [00:04, 45.22it/s]


epoch9   loss: 2.04613  training accuracy: 0.43952  testing accuracy: 0.41280


196it [00:04, 39.99it/s]


epoch10   loss: 2.02839  training accuracy: 0.46664  testing accuracy: 0.43720


196it [00:04, 44.54it/s]


epoch11   loss: 2.01311  training accuracy: 0.46792  testing accuracy: 0.44040


196it [00:04, 45.14it/s]


epoch12   loss: 2.00394  training accuracy: 0.49168  testing accuracy: 0.45600


196it [00:04, 44.81it/s]


epoch13   loss: 1.98647  training accuracy: 0.50032  testing accuracy: 0.45020


196it [00:04, 44.86it/s]


epoch14   loss: 1.97280  training accuracy: 0.51880  testing accuracy: 0.46140


196it [00:04, 45.46it/s]


epoch15   loss: 1.96752  training accuracy: 0.50672  testing accuracy: 0.45310


196it [00:04, 45.09it/s]


epoch16   loss: 1.95141  training accuracy: 0.51840  testing accuracy: 0.45200


196it [00:04, 45.26it/s]


epoch17   loss: 1.94426  training accuracy: 0.56016  testing accuracy: 0.48350


196it [00:04, 45.63it/s]


epoch18   loss: 1.93371  training accuracy: 0.55808  testing accuracy: 0.48740


196it [00:04, 45.48it/s]


epoch19   loss: 1.92202  training accuracy: 0.55416  testing accuracy: 0.47550


196it [00:04, 44.80it/s]


epoch20   loss: 1.91286  training accuracy: 0.58936  testing accuracy: 0.49150


196it [00:04, 45.33it/s]


epoch21   loss: 1.89764  training accuracy: 0.60064  testing accuracy: 0.49140


196it [00:04, 44.95it/s]


epoch22   loss: 1.89034  training accuracy: 0.60176  testing accuracy: 0.49580


196it [00:04, 44.82it/s]


epoch23   loss: 1.88122  training accuracy: 0.60584  testing accuracy: 0.50080


196it [00:04, 45.25it/s]


epoch24   loss: 1.86893  training accuracy: 0.62864  testing accuracy: 0.50580


196it [00:04, 45.58it/s]


epoch25   loss: 1.85483  training accuracy: 0.63648  testing accuracy: 0.49970


196it [00:04, 45.27it/s]


epoch26   loss: 1.85217  training accuracy: 0.64360  testing accuracy: 0.50270


196it [00:04, 45.68it/s]


epoch27   loss: 1.83590  training accuracy: 0.66072  testing accuracy: 0.50400


196it [00:04, 44.85it/s]


epoch28   loss: 1.82907  training accuracy: 0.65888  testing accuracy: 0.50400


196it [00:04, 45.36it/s]


epoch29   loss: 1.81507  training accuracy: 0.67688  testing accuracy: 0.51200


196it [00:04, 45.28it/s]


epoch30   loss: 1.80915  training accuracy: 0.65872  testing accuracy: 0.49800


196it [00:04, 45.01it/s]


epoch31   loss: 1.79908  training accuracy: 0.70392  testing accuracy: 0.51440


196it [00:04, 44.96it/s]


epoch32   loss: 1.78585  training accuracy: 0.71040  testing accuracy: 0.51170


196it [00:04, 45.74it/s]


epoch33   loss: 1.77536  training accuracy: 0.69568  testing accuracy: 0.50550


196it [00:04, 45.64it/s]


epoch34   loss: 1.76820  training accuracy: 0.71840  testing accuracy: 0.51070


196it [00:04, 45.08it/s]


epoch35   loss: 1.75589  training accuracy: 0.71736  testing accuracy: 0.50540


196it [00:04, 45.66it/s]


epoch36   loss: 1.75601  training accuracy: 0.73112  testing accuracy: 0.51060


196it [00:04, 45.94it/s]


epoch37   loss: 1.74123  training accuracy: 0.74464  testing accuracy: 0.51040


196it [00:04, 45.04it/s]


epoch38   loss: 1.73298  training accuracy: 0.75800  testing accuracy: 0.51680


196it [00:04, 45.58it/s]


epoch39   loss: 1.73184  training accuracy: 0.76152  testing accuracy: 0.51950


196it [00:04, 45.87it/s]


epoch40   loss: 1.72442  training accuracy: 0.75840  testing accuracy: 0.51700


196it [00:04, 45.76it/s]


epoch41   loss: 1.71502  training accuracy: 0.77448  testing accuracy: 0.50960


196it [00:04, 45.69it/s]


epoch42   loss: 1.71092  training accuracy: 0.77208  testing accuracy: 0.51680


196it [00:04, 45.45it/s]


epoch43   loss: 1.69994  training accuracy: 0.77632  testing accuracy: 0.51910


196it [00:04, 45.62it/s]


epoch44   loss: 1.69589  training accuracy: 0.78696  testing accuracy: 0.51460


196it [00:04, 44.90it/s]


epoch45   loss: 1.69324  training accuracy: 0.78712  testing accuracy: 0.51000


196it [00:04, 44.43it/s]


epoch46   loss: 1.68947  training accuracy: 0.78568  testing accuracy: 0.51860


196it [00:04, 44.74it/s]


epoch47   loss: 1.69022  training accuracy: 0.79344  testing accuracy: 0.51840


196it [00:04, 44.31it/s]


epoch48   loss: 1.68164  training accuracy: 0.80072  testing accuracy: 0.51970


196it [00:04, 43.76it/s]


epoch49   loss: 1.67669  training accuracy: 0.79688  testing accuracy: 0.52370


In [None]:
# use train_shadow to train shadow model
# no gpu, thus device is only cpu
device = torch.device('cuda' if torch.cuda.is_available() else 'cpu')
# Train shadow
# load model
# if use MNIST, inputchannels=1, if use CIFAR10, inputchannels=3, both output classes = 10
# related info could be get by using input_channels=train_data_loader.dataset.channels, output_num=train_data_loader.dataset.class_num
shadow = basicNet(inputchannels=3, outputclasses=10).to(device)
# settings
criterion = nn.CrossEntropyLoss()
sgd = optim.SGD(shadow.parameters(), lr=0.01, momentum=0.9)
epoch = 50

# train
print("start training: ")
for i in range(epoch):
    loss_train = train(shadow, shadow_train_loader, criterion, sgd)
# Acc
acc_train = evaluation(shadow, shadow_train_loader, batch_size=64)
acc_test = evaluation(shadow, testloader, batch_size=64)
print("epoch%d   loss: %.5f  training accuracy: %.5f  testing accuracy: %.5f"\
      % (epoch, loss_train, acc_train, acc_test))
torch.save(shadow.state_dict(), "./models/shadow_CIFAR10.pth")

start training: 


196it [00:04, 44.19it/s]
196it [00:04, 43.58it/s]
196it [00:04, 45.03it/s]
196it [00:04, 44.42it/s]
196it [00:04, 45.00it/s]
196it [00:04, 45.05it/s]
196it [00:04, 45.05it/s]
196it [00:04, 45.52it/s]
196it [00:04, 44.96it/s]
196it [00:04, 44.66it/s]
196it [00:04, 45.12it/s]
196it [00:04, 44.40it/s]
196it [00:04, 45.22it/s]
196it [00:04, 44.90it/s]
196it [00:04, 45.25it/s]
196it [00:04, 43.88it/s]
196it [00:04, 44.68it/s]
196it [00:04, 44.04it/s]
196it [00:04, 44.75it/s]
196it [00:04, 44.66it/s]
196it [00:04, 43.79it/s]
196it [00:04, 44.82it/s]
196it [00:04, 43.51it/s]
196it [00:04, 44.52it/s]
196it [00:04, 43.63it/s]
196it [00:04, 44.51it/s]
196it [00:04, 44.24it/s]
196it [00:04, 44.55it/s]
196it [00:04, 44.76it/s]
196it [00:04, 44.47it/s]
196it [00:04, 43.85it/s]
196it [00:04, 45.20it/s]
196it [00:04, 45.58it/s]
196it [00:04, 45.55it/s]
196it [00:04, 45.46it/s]
196it [00:04, 45.08it/s]
196it [00:04, 45.60it/s]
196it [00:04, 45.32it/s]
196it [00:04, 45.21it/s]
196it [00:04, 44.56it/s]


epoch50   loss: 1.66223  training accuracy: 0.81624  testing accuracy: 0.52080


#### *Load pretrained target and shadow models (to save time)*

In [None]:
# no gpu, thus device is only cpu
device = torch.device('cuda' if torch.cuda.is_available() else 'cpu')
# load pretrained model
target_pre = basicNet(inputchannels=3, outputclasses=10).to(device)
# if gpu, remove map_location=torch.device('cpu')
target_pre.load_state_dict(torch.load("./models/target_CIFAR10.pth",map_location=torch.device('cpu')))
target_pre.eval()
shadow_pre = basicNet(inputchannels=3, outputclasses=10).to(device)
# if gpu, remove map_location=torch.device('cpu')
shadow_pre.load_state_dict(torch.load("./models/shadow_CIFAR10.pth",map_location=torch.device('cpu')))
shadow_pre.eval()

In [None]:
# test if these models are loaded
acc_test1 = evaluation(target_pre, testloader, batch_size=64)
print(acc_test1)
acc_test2 = evaluation(shadow_pre, testloader, batch_size=4)
print(acc_test2)

tensor(0.9778)
tensor(0.9750)


In [None]:
shadow = shadow_pre
target = target_pre

#### *Create dataset for attack model*

In [None]:
# 1. create train dataset for attack model
# use shadow model and dataset: out_shadow, train_shadow
print('Creating training dataset for attack model:')
train_attack_set = get_attackdataset(shadow,shadow_train_loader,shadow_out_loader,device=device)
train_attack = attack_dataset(attack_set=train_attack_set,device=device)
print('- - - - - - - - - - - - - - - - - - ')
print('Creating test dataset for attack model:')
# 2. create test dataset for attack model
# use target model and dataset: out_target, train_target
test_attack_set = get_attackdataset(target,target_train_loader,target_out_loader,device=device)
test_attack = attack_dataset(attack_set=test_attack_set,device=device)

Creating training dataset for attack model:
12500
12500
- - - - - - - - - 
num of data 
25000
- - - - - - - - - 
first 10 elements 
[(tensor([9.9998e-01, 2.1753e-05, 1.4423e-07], device='cuda:0'), tensor([1.])), (tensor([9.9976e-01, 2.3604e-04, 4.8778e-08], device='cuda:0'), tensor([1.])), (tensor([0.8653, 0.1309, 0.0037], device='cuda:0'), tensor([0.])), (tensor([0.5144, 0.3852, 0.1004], device='cuda:0'), tensor([0.])), (tensor([9.9018e-01, 9.1317e-03, 6.8850e-04], device='cuda:0'), tensor([0.])), (tensor([9.9923e-01, 5.6915e-04, 9.7401e-05], device='cuda:0'), tensor([1.])), (tensor([1.0000e+00, 9.0939e-11, 1.6704e-12], device='cuda:0'), tensor([1.])), (tensor([0.4690, 0.3400, 0.1558], device='cuda:0'), tensor([1.])), (tensor([9.9980e-01, 1.9650e-04, 1.5284e-06], device='cuda:0'), tensor([1.]))]
- - - - - - - - - - - - - - - - - - 
Creating test dataset for attack model:
12500
12500
- - - - - - - - - 
num of data 
25000
- - - - - - - - - 
first 10 elements 
[(tensor([1.0000e+00, 1.967

#### *Attack model 1*

##### *Prepare dataset for attack model 1: LGBMClassifier*

In [None]:
train_feature = []
train_label = []
for i in train_attack_set:
  train_feature.append(i[0].cpu().numpy())
  train_label.append(int(i[1]))

test_feature = []
test_label = []
for i in test_attack_set:
  test_feature.append(i[0].cpu().numpy())
  test_label.append(int(i[1]))

##### *Attack model 1: LGBMClassifier and output*

In [None]:
attack_model = lgb.LGBMClassifier(objective='binary', reg_lambda=10, n_estimators=10000)
attack_model.fit(train_feature, train_label)
predict = attack_model.predict(test_feature)
precision_general, recall_general, _, _ = precision_recall_fscore_support(y_pred=predict,y_true=test_label,average="binary")
print('End fitting and predicting')
print('- - - - - - - - - - - - - - - ')

print('result')
print('- - - - - - - - - - - - - - - ')
print('precision: {:.5f}'.format(precision_general))
print('recall: {:.5f}'.format(recall_general))

End fitting and predicting
- - - - - - - - - - - - - - - 
result
- - - - - - - - - - - - - - - 
precision: 0.54766
recall: 0.58232


#### *Attack model 2*

Result is not good. Need more tuning or trick. Guess one possible way is to do some transforms on feature vectors such as log.

##### *Define a MLP class for attack model 2*

In [None]:
class MLP(nn.Module):
        # 3 features, thus input size=3
        # Yes or no, and use sigmoid thus output size=1
        # If use softmax, output size = 2
        # Loss: cross entropy has contained softmax 
    def __init__(self, num_of_features=3):
        super().__init__()
        self.fc1 = nn.Linear(num_of_features, 64)
        self.fc2 = nn.Linear(64, 2)
        #self.sigmoid = nn.Sigmoid()

    def forward(self, x):
        # Hidden layer
        x = self.fc1(x)
        x = self.fc2(x)
        x = F.softmax(x,dim=-1)
        return x

##### *Functions for training and evaluating (attack model 2)*

In [None]:
def attack_train(model, dataloader, criterion, opt):
    running_loss = 0
    # switch to model:train
    # no difference here since no dropout and BN
    model.train()
    count = 0
    for i, data in tqdm(enumerate(dataloader)):
        opt.zero_grad()
        imgs, labels = data
        imgs = imgs.to(device)
        labels = labels.to(device)
        predict = model(imgs)
        #print(predict.dtype)
        #print(labels.dtype)
        labels = torch.flatten(labels.long())
        #print(predict.shape,labels.shape)
        #print(predict)
        #print(labels)
        loss = criterion(predict, labels)
        loss.backward()
        opt.step()
        count = i
        running_loss += loss
    return running_loss / count

def attack_evaluation(model, dataloader, batch_size=64):
    # switch to model:eval
    # no difference here since no dropout and BN    
    model.eval()
    # y_tensorlist is a list consists of some tensors
    y_true_tensorlist = []
    y_predict_tensorlist = []
    for step, (batch_x, batch_y) in enumerate(dataloader):
        batch_x,batch_y = batch_x.to(device),batch_y.to(device)
        batch_y = torch.flatten(batch_y)
        output = model(batch_x)
        #output = F.softmax(output,dim=-1)
        #print(output)
        # compare cols
        batch_y_predict = torch.argmax(output, dim=1)
        #print(output)        
        #zero = torch.zeros_like(output)
        #one = torch.ones_like(output)
        #batch_y_predict = torch.where(output > 0.5, one, zero)
        #print(batch_y_predict)
        #print(batch_y_predict)
        y_predict_tensorlist.append(batch_y_predict)        
        y_true_tensorlist.append(batch_y)
        
    # combine the tensors in the list into one
    y_true = torch.cat(y_true_tensorlist,0)
    y_predict = torch.cat(y_predict_tensorlist,0)

    # compute accuracy
    length = len(y_true)
    right_length = torch.sum(y_true == y_predict)
    #print(right_length/length)
    
    return right_length/length,y_true,y_predict


##### *Train attack model 2*

In [None]:
# no gpu, thus device is only cpu
device = torch.device('cuda' if torch.cuda.is_available() else 'cpu')
# Train attack
attack = MLP(num_of_features=3).to(device)
# settings
#criterion = nn.BCELoss()
#criterion = nn.NLLLoss()
# crossentropy contains softmax, use other loss
criterion = nn.CrossEntropyLoss()
#opt = optim.SGD(target.parameters(), lr=0.00001, momentum=0.9)
opt = optim.Adam(attack.parameters(), lr=0.001)
epoch = 100
train_attack_dataloader = DataLoader(dataset=train_attack, batch_size=64, shuffle = True)
test_attack_dataloader = DataLoader(dataset=test_attack, batch_size=64, shuffle = True)
# train
print("start training: ")
for i in range(epoch):
    loss_train = attack_train(attack, train_attack_dataloader, criterion, opt)

    print("epoch%d   loss: %.5f "\
      % (i+1, loss_train))
torch.save(target.state_dict(), "./models/attack_MNIST.pth")

start training: 


391it [00:01, 200.94it/s]


epoch1   loss: 0.68153 


391it [00:01, 260.41it/s]


epoch2   loss: 0.66934 


391it [00:01, 266.65it/s]


epoch3   loss: 0.66545 


391it [00:01, 258.30it/s]


epoch4   loss: 0.66350 


391it [00:01, 260.37it/s]


epoch5   loss: 0.66240 


391it [00:01, 265.47it/s]


epoch6   loss: 0.66122 


391it [00:01, 259.49it/s]


epoch7   loss: 0.66066 


391it [00:01, 208.74it/s]


epoch8   loss: 0.66025 


391it [00:01, 256.27it/s]


epoch9   loss: 0.65977 


391it [00:01, 263.27it/s]


epoch10   loss: 0.65940 


391it [00:01, 262.98it/s]


epoch11   loss: 0.65925 


391it [00:01, 260.80it/s]


epoch12   loss: 0.65916 


391it [00:01, 258.66it/s]


epoch13   loss: 0.65872 


391it [00:01, 263.51it/s]


epoch14   loss: 0.65898 


391it [00:01, 266.54it/s]


epoch15   loss: 0.65881 


391it [00:01, 261.79it/s]


epoch16   loss: 0.65906 


391it [00:01, 266.44it/s]


epoch17   loss: 0.65888 


391it [00:01, 260.95it/s]


epoch18   loss: 0.65852 


391it [00:01, 263.95it/s]


epoch19   loss: 0.65858 


391it [00:01, 265.79it/s]


epoch20   loss: 0.65840 


391it [00:01, 261.27it/s]


epoch21   loss: 0.65855 


391it [00:01, 266.11it/s]


epoch22   loss: 0.65840 


391it [00:01, 260.10it/s]


epoch23   loss: 0.65837 


391it [00:01, 265.58it/s]


epoch24   loss: 0.65823 


391it [00:01, 265.16it/s]


epoch25   loss: 0.65854 


391it [00:01, 262.85it/s]


epoch26   loss: 0.65853 


391it [00:01, 264.71it/s]


epoch27   loss: 0.65818 


391it [00:01, 263.28it/s]


epoch28   loss: 0.65810 


391it [00:01, 257.29it/s]


epoch29   loss: 0.65824 


391it [00:01, 264.19it/s]


epoch30   loss: 0.65824 


391it [00:01, 262.36it/s]


epoch31   loss: 0.65843 


391it [00:01, 252.14it/s]


epoch32   loss: 0.65853 


391it [00:01, 258.54it/s]


epoch33   loss: 0.65803 


391it [00:01, 258.89it/s]


epoch34   loss: 0.65808 


391it [00:01, 258.09it/s]


epoch35   loss: 0.65816 


391it [00:01, 260.79it/s]


epoch36   loss: 0.65808 


391it [00:01, 265.54it/s]


epoch37   loss: 0.65837 


391it [00:01, 264.21it/s]


epoch38   loss: 0.65813 


391it [00:01, 261.62it/s]


epoch39   loss: 0.65783 


391it [00:01, 255.77it/s]


epoch40   loss: 0.65830 


391it [00:01, 258.99it/s]


epoch41   loss: 0.65816 


391it [00:01, 259.88it/s]


epoch42   loss: 0.65797 


391it [00:01, 265.85it/s]


epoch43   loss: 0.65819 


391it [00:01, 261.42it/s]


epoch44   loss: 0.65850 


391it [00:01, 262.29it/s]


epoch45   loss: 0.65821 


391it [00:01, 258.59it/s]


epoch46   loss: 0.65803 


391it [00:01, 261.05it/s]


epoch47   loss: 0.65798 


391it [00:01, 256.29it/s]


epoch48   loss: 0.65795 


391it [00:01, 261.48it/s]


epoch49   loss: 0.65818 


391it [00:01, 256.95it/s]


epoch50   loss: 0.65811 


391it [00:01, 254.52it/s]


epoch51   loss: 0.65830 


391it [00:01, 254.02it/s]


epoch52   loss: 0.65838 


391it [00:01, 255.55it/s]


epoch53   loss: 0.65791 


391it [00:01, 262.34it/s]


epoch54   loss: 0.65838 


391it [00:01, 258.39it/s]


epoch55   loss: 0.65853 


391it [00:01, 256.83it/s]


epoch56   loss: 0.65823 


391it [00:01, 265.19it/s]


epoch57   loss: 0.65781 


391it [00:01, 258.58it/s]


epoch58   loss: 0.65824 


391it [00:01, 267.43it/s]


epoch59   loss: 0.65795 


391it [00:01, 267.22it/s]


epoch60   loss: 0.65765 


391it [00:01, 264.22it/s]


epoch61   loss: 0.65786 


391it [00:01, 263.71it/s]


epoch62   loss: 0.65814 


391it [00:01, 263.93it/s]


epoch63   loss: 0.65790 


391it [00:01, 267.06it/s]


epoch64   loss: 0.65838 


391it [00:01, 258.38it/s]


epoch65   loss: 0.65781 


391it [00:01, 263.70it/s]


epoch66   loss: 0.65794 


391it [00:01, 263.94it/s]


epoch67   loss: 0.65822 


391it [00:01, 263.94it/s]


epoch68   loss: 0.65787 


391it [00:01, 262.33it/s]


epoch69   loss: 0.65813 


391it [00:01, 224.44it/s]


epoch70   loss: 0.65789 


391it [00:01, 265.32it/s]


epoch71   loss: 0.65829 


391it [00:01, 262.62it/s]


epoch72   loss: 0.65849 


391it [00:01, 262.65it/s]


epoch73   loss: 0.65821 


391it [00:01, 266.05it/s]


epoch74   loss: 0.65811 


391it [00:01, 258.09it/s]


epoch75   loss: 0.65809 


391it [00:01, 265.07it/s]


epoch76   loss: 0.65798 


391it [00:01, 264.23it/s]


epoch77   loss: 0.65814 


391it [00:01, 263.98it/s]


epoch78   loss: 0.65814 


391it [00:01, 255.68it/s]


epoch79   loss: 0.65811 


391it [00:01, 261.83it/s]


epoch80   loss: 0.65801 


391it [00:01, 255.52it/s]


epoch81   loss: 0.65820 


391it [00:01, 260.61it/s]


epoch82   loss: 0.65788 


391it [00:01, 262.84it/s]


epoch83   loss: 0.65818 


391it [00:01, 265.24it/s]


epoch84   loss: 0.65762 


391it [00:01, 264.27it/s]


epoch85   loss: 0.65823 


391it [00:01, 267.38it/s]


epoch86   loss: 0.65794 


391it [00:01, 259.81it/s]


epoch87   loss: 0.65793 


391it [00:01, 251.76it/s]


epoch88   loss: 0.65809 


391it [00:01, 256.21it/s]


epoch89   loss: 0.65799 


391it [00:01, 254.49it/s]


epoch90   loss: 0.65809 


391it [00:01, 254.71it/s]


epoch91   loss: 0.65791 


391it [00:01, 254.39it/s]


epoch92   loss: 0.65800 


391it [00:01, 258.56it/s]


epoch93   loss: 0.65796 


391it [00:01, 262.43it/s]


epoch94   loss: 0.65797 


391it [00:01, 261.47it/s]


epoch95   loss: 0.65776 


391it [00:01, 257.94it/s]


epoch96   loss: 0.65796 


391it [00:01, 255.29it/s]


epoch97   loss: 0.65794 


391it [00:01, 262.11it/s]


epoch98   loss: 0.65786 


391it [00:01, 254.21it/s]


epoch99   loss: 0.65800 


391it [00:01, 255.79it/s]

epoch100   loss: 0.65801 





In [None]:
_,y_true,y_predict = attack_evaluation(attack, test_attack_dataloader, batch_size=64)

In [None]:
precision_score(y_true.cpu().numpy(), y_predict.cpu().numpy(), average='binary')

0.5682242990654206

In [None]:
recall_score(y_true.cpu().numpy(), y_predict.cpu().numpy(), average='binary')

0.80256