In [1]:
from membership_inference import DataSet, ShadowModel, AttackerModel

In [2]:
import numpy as np
import random
import matplotlib.pyplot as plt
import torch
import torchvision
import torchvision.transforms as transforms
import torch.nn as nn
import torch.nn.functional as F
import torch.optim as optim

from torch.utils.data.dataset import Dataset
from torch.utils.data import DataLoader

from sklearn.model_selection import train_test_split
from sklearn.metrics import accuracy_score

# Markdown

In [3]:
# トレーニングデータをダウンロード
trainset = torchvision.datasets.CIFAR10(root='./data', train=True, download=True)
# テストデータをダウンロード
testset = torchvision.datasets.CIFAR10(root='./data', train=False, download=True)

Files already downloaded and verified
Files already downloaded and verified


In [4]:
X_train = trainset.data
y_train = np.array(trainset.targets)

X_test = testset.data
y_test = np.array(testset.targets)

print(X_train.shape, y_train.shape)
print(X_test.shape, y_test.shape)

(50000, 32, 32, 3) (50000,)
(10000, 32, 32, 3) (10000,)


In [10]:


victim_idx = random.sample(range(X_train.shape[0]), k=2000)
attack_idx = random.sample(range(X_test.shape[0]), k=2000)
shadow_idx = attack_idx[:1000]
eval_idx = attack_idx[1000:]

X_victim = X_train[victim_idx]
y_victim = y_train[victim_idx]

X_shadow = X_test[shadow_idx]
y_shadow = y_test[shadow_idx]

X_eval = X_test[eval_idx]
y_eval = y_test[eval_idx]

print(X_victim.shape, y_victim.shape)
print(X_shadow.shape, y_shadow.shape)
print(X_eval.shape, y_eval.shape)

(2000, 32, 32, 3) (2000,)
(1000, 32, 32, 3) (1000,)
(1000, 32, 32, 3) (1000,)


In [11]:
# ToTensor：画像のグレースケール化（RGBの0~255を0~1の範囲に正規化）、Normalize：Z値化（RGBの平均と標準偏差を0.5で決め打ちして正規化）
transform = transforms.Compose([transforms.ToTensor(), transforms.Normalize((0.5, 0.5, 0.5), (0.5, 0.5, 0.5))])

victimset = DataSet(X_victim, y_victim, transform=transform)
victimloader = torch.utils.data.DataLoader(victimset, batch_size=4, shuffle=True, num_workers=2)

valset = DataSet(X_eval, y_eval, transform=transform)
valloader = torch.utils.data.DataLoader(valset, batch_size=4, shuffle=True, num_workers=2)

In [12]:
X_victim.shape

(2000, 32, 32, 3)

# Define and Train a victim Model

In [13]:
# CNNを実装する
class Net(nn.Module):
    def __init__(self):
        super(Net, self).__init__()
        self.conv1 = nn.Conv2d(in_channels=3, out_channels=64, kernel_size=3, padding=1, stride=1)
        self.bn1 = nn.BatchNorm2d(64)
        self.conv2 = nn.Conv2d(64, 128, 3, padding=1) 
        self.bn2 = nn.BatchNorm2d(128)
        self.conv3 = nn.Conv2d(128, 256, 3, padding=1)
        self.bn3 = nn.BatchNorm2d(256)
        self.conv4 = nn.Conv2d(256, 512, 3, padding=1)
        self.bn4 = nn.BatchNorm2d(512)
        self.L1 = nn.Linear(2048, 10) # 10クラス分類

    def forward(self, x):
        # 3ch > 64ch, shape 32 x 32 > 16 x 16
        x = self.conv1(x) # [64,32,32]
        x = self.bn1(x)
        x = F.relu(x)
        x = F.max_pool2d(x, 2, 2) # [64,16,16]
        
        # 64ch > 128ch, shape 16 x 16 > 8 x 8
        x = self.conv2(x) # [128,16,16]
        x = self.bn2(x)
        x = F.relu(x)
        x = F.max_pool2d(x, 2, 2) # [128,8,8]
        
        # 128ch > 256ch, shape 8 x 8 > 4 x 4
        x = self.conv3(x) # [256,8,8]
        x = self.bn3(x)
        x = F.relu(x)
        x = F.max_pool2d(x, 2, 2) # [256,4,4]   

        # 256ch > 512ch, shape 4 x 4 > 2 x 2
        x = self.conv4(x) # [512,4,4]
        x = self.bn4(x)
        x = F.relu(x)
        x = F.max_pool2d(x, 2, 2) # [512,2,2]   
        
        # 全結合層
        x = x.view( -1, 2048) # [256,2048]
        x = self.L1(x)
        #x = F.softmax(x, dim=0)
        return x

victim_net = Net()

In [14]:
# 交差エントロピー
criterion = nn.CrossEntropyLoss()
# 確率的勾配降下法
optimizer = optim.SGD(victim_net.parameters(), lr=0.005, momentum=0.9)

for epoch in range(10):  # loop over the dataset multiple times

    running_loss = 0.0
    for i, data in enumerate(victimloader, 0):
        # get the inputs; data is a list of [inputs, labels]
        inputs, labels = data

        # zero the parameter gradients
        optimizer.zero_grad()

        # forward + backward + optimize
        outputs = victim_net(inputs)
        loss = criterion(outputs, labels)
        loss.backward()
        optimizer.step()

        # print statistics
        running_loss += loss.item()
        if i % 2000 == 1999:    # print every 2000 mini-batches
            print('[%d, %5d] loss: %.3f' %
                  (epoch + 1, i + 1, running_loss / 2000))
            running_loss = 0.0

    test_preds = []
    test_label = []
    with torch.no_grad():
        for data in valloader:
            inputs, labels = data
            outputs = victim_net(inputs)
            test_preds.append(outputs)
            test_label.append(labels)  
        test_preds = torch.cat(test_preds)
        test_label = torch.cat(test_label)  

    print(accuracy_score(np.array(torch.argmax(test_preds, axis=1)), np.array(test_label)))

print('Finished Training')


in_preds = []
in_label = []
with torch.no_grad():
        for data in victimloader:
            inputs, labels = data
            outputs = victim_net(inputs)
            in_preds.append(outputs)
            in_label.append(labels)  
        in_preds = torch.cat(in_preds)
        in_label = torch.cat(in_label)  
print(accuracy_score(np.array(torch.argmax(in_preds, axis=1)),
                     np.array(in_label)))

out_preds = []
out_label = []
with torch.no_grad():
        for data in valloader:
            inputs, labels = data
            outputs = victim_net(inputs)
            out_preds.append(outputs)
            out_label.append(labels)  
        out_preds = torch.cat(out_preds)
        out_label = torch.cat(out_label)  
print(accuracy_score(np.array(torch.argmax(out_preds, axis=1)),
                     np.array(out_label)))

0.264
0.36
0.373
0.385
0.483
0.509
0.468
0.467
0.484
0.518
Finished Training
0.79
0.522


# Define and Train ShadowModels

In [15]:
# CNNを実装する
class Net(nn.Module):
    def __init__(self):
        super(Net, self).__init__()
        self.conv1 = nn.Conv2d(in_channels=3, out_channels=64, kernel_size=3, padding=1, stride=1)
        self.bn1 = nn.BatchNorm2d(64)
        self.conv2 = nn.Conv2d(64, 128, 3, padding=1) 
        self.bn2 = nn.BatchNorm2d(128)
        self.conv3 = nn.Conv2d(128, 256, 3, padding=1)
        self.bn3 = nn.BatchNorm2d(256)
        self.conv4 = nn.Conv2d(256, 512, 3, padding=1)
        self.bn4 = nn.BatchNorm2d(512)
        self.L1 = nn.Linear(2048, 10) # 10クラス分類

    def forward(self, x):
        # 3ch > 64ch, shape 32 x 32 > 16 x 16
        x = self.conv1(x) # [64,32,32]
        x = self.bn1(x)
        x = F.relu(x)
        x = F.max_pool2d(x, 2, 2) # [64,16,16]
        
        # 64ch > 128ch, shape 16 x 16 > 8 x 8
        x = self.conv2(x) # [128,16,16]
        x = self.bn2(x)
        x = F.relu(x)
        x = F.max_pool2d(x, 2, 2) # [128,8,8]
        
        # 128ch > 256ch, shape 8 x 8 > 4 x 4
        x = self.conv3(x) # [256,8,8]
        x = self.bn3(x)
        x = F.relu(x)
        x = F.max_pool2d(x, 2, 2) # [256,4,4]   

        # 256ch > 512ch, shape 4 x 4 > 2 x 2
        x = self.conv4(x) # [512,4,4]
        x = self.bn4(x)
        x = F.relu(x)
        x = F.max_pool2d(x, 2, 2) # [512,2,2]   
        
        # 全結合層
        x = x.view( -1, 2048) # [256,2048]
        x = self.L1(x)
        #x = F.softmax(x, dim=0)
        return x

In [16]:
sm = ShadowModel([Net(), Net(),Net(), Net(), Net()], 400, shadow_transform=transform)
y_test = np.array(y_test)
result = sm.fit_transform(X_test, y_test, num_itr=10)

Finished Training
Finished Training
Finished Training
Finished Training
Finished Training


# Attacker model

In [17]:
from sklearn.svm import SVC
models = [SVC(probability=True) for i in range(len(result.keys()))]
am = AttackerModel(models)
am.fit(result)

attack_pred_in = am.predict(in_preds, in_label)
attack_pred_out = am.predict(out_preds, out_label)

In [24]:
attack_pred_in_prob = am.predict_proba(in_preds, in_label)
attack_pred_out_prob = am.predict_proba(out_preds, out_label)

In [33]:
roc_auc_score(np.concatenate([np.ones_like(attack_pred_in_prob),
                              np.zeros_like(attack_pred_out_prob)]),
              np.concatenate([attack_pred_in_prob, attack_pred_out_prob])
              )

0.6391530000000001