In [1]:
import sys
#!{sys.executable} -m pip install matplotlib

In [2]:
%matplotlib inline
import pandas as pd
import numpy as np
import random
import copy
import matplotlib.pyplot as plt
from sklearn.metrics import accuracy_score
from sklearn.model_selection import train_test_split
from sklearn.datasets import load_breast_cancer
from sklearn.ensemble import RandomForestClassifier
from sklearn.metrics import accuracy_score
from pprint import pprint
from sklearn.model_selection import RandomizedSearchCV
from sklearn.model_selection import GridSearchCV
from sklearn.tree import DecisionTreeClassifier
from joblib import dump, load

RANDOM_STATE = 42
random.seed(RANDOM_STATE)

In [3]:
RANDOM_STATE

42

In [4]:
def save_forest(ensemble, filename):
    dump(ensemble, filename  + ".joblib")
    
def generate_random_bitmask(n_bits, perc_1):
    attacker_bitmask = []
    for i in range(int(perc_1*n_bits)):
        attacker_bitmask.append(1)
    for i in range(n_trees - int(perc_1*n_bits)):
        attacker_bitmask.append(0)
    random.shuffle(attacker_bitmask)
    return attacker_bitmask
    
def extract_paths_from_bitmask(paths, attacker_bitmask, true_label):
    paths_to_convert = []
    for i, path_x_tree_list in enumerate(paths):
        path_to_covert_x_tree = []
        for path_in_tree in path_x_tree_list:
            if path_in_tree[-1][1] == true_label and attacker_bitmask[i] == 0:
                path_to_covert_x_tree.append(path_in_tree)
            if path_in_tree[-1][1] != true_label and attacker_bitmask[i] == 1:
                path_to_covert_x_tree.append(path_in_tree)
        paths_to_convert.append(path_to_covert_x_tree)
    return paths_to_convert

def create_constraint_problem(paths_to_convert):
    trees_paths_to_conj = []
    list_elem = []
    for paths_x_tree in paths_to_convert:
        tree_paths_to_disj = []
        for path_in_tree in paths_x_tree:
            path = []
            for node in path_in_tree[:-1]:
                list_elem.append(node[0])
                if(node[1] == '<='):
                    constr = elem[node[0]] <= node[2] - 0.0001 
                else:
                    constr = elem[node[0]] > node[2] + 0.0001
                path.append(constr)
            tree_paths_to_disj.append(And(*path))
        trees_paths_to_conj.append(Or(*tree_paths_to_disj))
    constr = And(*trees_paths_to_conj)
    return constr, list_elem

def generate_instances(constraints, n_instances, list_elem, ensemble):
    list_status_problems = []
    list_values = []
    tot_time = 0
    for i in range(n_instances):
        s = Solver()
        s.add(constraints)
        res = s.check()
        list_status_problems.append(res)
        if res == z3.sat:
            #print("Sat {}".format(i), end = "  -  ")
            for k, v in s.statistics():
                if(k == 'time'):
                    #print("%s : %s" % (k, v))
                    tot_time += v
            m = s.model()
            list_internal = []
            sol_values_constr = []
            list_elem = list(set(list_elem))
            found_instance_from_z3 = []
            for i in range(len(list_elem)):
                sol_values_constr.append(elem[i] == m[elem[i]])
            #print(Not(And(*sol_values_constr)))
            constraints = And(constraints, Not(And(*sol_values_constr))) 
            for i in range(ensemble.n_features_in_):
                if m[elem[i]] == None:
                    list_internal.append(float(0))
                else:
                    frac = m[elem[i]].as_fraction()
                    list_internal.append(float(frac.numerator) / float(frac.denominator))
            list_values.append(list_internal)
        else:
            #print(res, end = ", ")
            break
        
    return list_status_problems, list_values, tot_time, res

def check_predictions_with_watermark(instances, labels, ensemble, watermark):
    for instance, label in zip(instances, labels):
        for i, tree in enumerate(ensemble):
            predicted_label = int(tree.predict(np.array(instance).reshape((1, len(instance))))[0])
            if (watermark[i] == 0 and predicted_label != label) or (watermark[i] == 1 and predicted_label == label):
                print("Broken prediction on tree {} with class {} from tree, true label {} and watermark bit {}".format(i, predicted_label, label, watermark[i]))
                return False
    return True

def generate_extra_constraint(constr, eps, elem, test_instance):
    constr_add = []
    for i in range(len(elem)):
            constr_add.append(elem[i] >= test_instance[i] - eps)
            constr_add.append(elem[i] <= test_instance[i] + eps)
            constr_add.append(elem[i] >= 0)
            constr_add.append(elem[i] <= 1)
    constr = And(constr, And(*constr_add))
    return constr

def generate_range_constraint(constr, eps, elem, test_instance):
    constr_add = []
    for i in range(len(elem)):
            constr_add.append(elem[i] >= 0)
            constr_add.append(elem[i] <= 1)
    constr = And(constr, And(*constr_add))
    return constr

def generate_random_instance():
    synt_instance = []
    for f in range(len(elem)):
        synt_instance.append(random.random()) 
    #random label
    synt_instance_label = random.randint(0,1)
    return synt_instance, synt_instance_label

def generate_bitmask(instance, instance_label): 
    attacker_bitmask = []
    for t in ensemble_rit:
        for pred in t.predict([instance]):
            if pred == instance_label:
                attacker_bitmask.append(0)
            else:
                attacker_bitmask.append(1)
    return attacker_bitmask

def compute_accuracies_watermarked_model(ensemble, X, y):
    arr_ = []
    for i, tree in enumerate(ensemble):
        arr_.append(tree.predict(X))
        
    ones_ = 0
    zeros_ = 0
    pred_ = []
    for j in range(len(arr_[0])):
        for i in range(len(arr_)):
            if(arr_[i][j] == 1):
                ones_ = ones_+1
            else:
                zeros_ = zeros_+1
        if(ones_ > zeros_):
            pred_.append(1)
        else:
            pred_.append(0)
        ones_ = 0
        zeros_ = 0
    ensemble_acc = accuracy_score(y_true = y,  y_pred = pred_)
    print("Watermarked Model Accuracy: {:.3f}".format(ensemble_acc))

def compute_accuracies_standard_model(label, list_values, X_test, y_test, ensemble):
    y_ = []
    for i in range(len(list_values)):
        y_.append(label) #label
        
    trigger_synt_acc = accuracy_score(y_true = y_, y_pred = rf_standard.predict(list_values))
    print("Trigger synth acc: ", trigger_synt_acc, end = "  -  ")
    compute_accuracies_watermarked_model(ensemble, list_values, y_)
    print("Test set: ", accuracy_score(y_true = y_test, y_pred = rf_standard.predict(X_test)), end = "  -  ")
    compute_accuracies_watermarked_model(ensemble, X_test, y_test)

    return trigger_synt_acc

def ensemble_SC(n_trees, watermark, ones, zeros, X_train, y_train, X_test, y_test, dim, max_depth, max_leaves, stats, standard_accuracy):

    perc = dim*len(X_train)
    random.seed(RANDOM_STATE)
    all_instances = []
    for x in X_train:
        all_instances.append(x)
    sample = random.sample(all_instances, int(perc))

    labels_switched = []
    for i, x_i in enumerate(X_train):
        labels_switched.append(y_train[i])
        for j, instance in enumerate(sample):
            if np.array_equal(x_i, instance):
                if(y_train[i] == 1): labels_switched[i] = 0
                else: labels_switched[i] = 1

    labels = []
    for instance in sample:
        for i, x_i in enumerate(X_train):
            if np.array_equal(x_i, instance):
                labels.append(y_train[i])

    labels_s = copy.deepcopy(labels)
    for i in range(len(labels_s)):
        if labels_s[i] == 1:
            labels_s[i] = 0
        else:
          labels_s[i] = 1

    pos = []
    for i, x_i in enumerate(X_train):
            for s in sample:
                if np.array_equal(x_i, s):
                    pos.append(i)

    peso = 2
    cond = 0
    weights = []
    for i, x_i in enumerate(X_train):
            weights.append(1)

    n_attempt = 0
    while cond != 1 and n_attempt < 500: 
        new_arr = [] 
        for i in pos:
            weights[i] = peso

        trigger_rf = RandomForestClassifier(n_estimators=ones, max_depth = max_depth, max_leaf_nodes =  max_leaves, random_state = RANDOM_STATE, bootstrap = False, n_jobs = 3)
        trigger_rf.fit(X_train, labels_switched, sample_weight = weights)

        tot = 0
        num = 0
        for i, s in enumerate(sample):
            for t in trigger_rf.estimators_:
                if t.predict((np.array([s,]))) != labels[i]:
                    num = num+1
            if num == len(trigger_rf.estimators_):
              tot = tot + 1
            num = 0

        print("Percentage of trigger set instances correctly misclassified: {:.3f}\n\n".format(tot/len(sample)))

        if (cond < tot/len(sample)):
            cond = tot/len(sample)
            trigger_estimators = []
            for t in trigger_rf.estimators_:
                trigger_estimators.append(t)
        peso = peso + 30
        n_attempt += 1
    
    peso = 2
    cond = 0
    weights = []
    for i, x_i in enumerate(X_train):
            weights.append(1)
    n_attempt = 0
    while cond != 1 and n_attempt < 500: 
        new_arr = [] 
        for i in pos:
            weights[i] = peso

        rf = RandomForestClassifier(n_estimators=zeros, max_depth = max_depth, n_jobs = 3, max_leaf_nodes = max_leaves, random_state = RANDOM_STATE, bootstrap = False)
        rf.fit(X_train, y_train, sample_weight = weights)
        #trigger_estimators = trigger_rf.estimators_

        tot = 0
        num = 0
        for i, s in enumerate(sample):
            for t in rf.estimators_:
                if t.predict((np.array([s,]))) == labels[i]:
                    num = num+1
            if num == len(rf.estimators_):
              tot = tot + 1
            num = 0

        if (cond < tot/len(sample)):
            cond = tot/len(sample)
            estimators = []
            for t in rf.estimators_:
                estimators.append(t)
        peso = peso + 30
        n_attempt += 1

    tot = 0
    for i, s in enumerate(sample):
        for t in  rf.estimators_:
            if t.predict((np.array([s,]))) == labels[i]:
                num = num+1
        if num == len( rf.estimators_):
            tot = tot + 1
        num = 0

    print("Percentage of trigger set instances correctly classified: {:.3f}\n\n".format(tot/len(sample)))

    ensemble = []
    i = 0
    j = 0

    for digit in watermark:
        if digit == 1:
            ensemble.append(trigger_estimators[j])
            j = j+1
        else:
            ensemble.append(estimators[i])
            i = i+1
            
    arr = []
    for i, t in enumerate(ensemble):
        arr.append(t.predict(X_test))
        print("Label: {}  -  ".format(watermark[i]))
        print("Number of leaves: ", end="")
        print(t.get_n_leaves(), end = "  -  ")
        print("Depth: ", end="")
        print(t.get_depth())

    ones = 0
    zeros = 0
    pred = []
    for j in range(len(arr[0])):
        for i in range(len(arr)):
            if(arr[i][j] == 1):
                ones = ones+1
            else:
                zeros = zeros+1
        if(ones > zeros):
            pred.append(1)
        else:
            pred.append(0)
        ones = 0
        zeros = 0
    ensemble_acc = accuracy_score(y_true = y_test,  y_pred = pred)
    print("Ensemble Accuracy: {:.3f}".format(ensemble_acc))
    stats.append(ensemble_acc)
    print("Standard Model Accuracy: {:.3f}".format(standard_accuracy))
    print()
    return ensemble, sample, labels

def extract_paths_from_tree_aux(node_id, n_nodes, current_path, children_left, children_right, features, thresholds, values):
    if node_id >= n_nodes:
        return

    is_split_node = children_left[node_id] != children_right[node_id]
    paths = []

    if is_split_node:
        paths = extract_paths_from_tree_aux(children_left[node_id], n_nodes, current_path + [(features[node_id], "<=", thresholds[node_id])], children_left, children_right, features, thresholds, values)
        paths += extract_paths_from_tree_aux(children_right[node_id], n_nodes, current_path + [(features[node_id], ">", thresholds[node_id])], children_left, children_right, features, thresholds, values)
        return paths
    else:
        current_path.append(("-1", np.argmax(values[node_id])))
        return [current_path]

def extract_paths_from_tree(tree):

    n_nodes = tree.tree_.node_count
    children_left = tree.tree_.children_left
    children_right = tree.tree_.children_right
    features = tree.tree_.feature
    thresholds = tree.tree_.threshold
    values = tree.tree_.value

    return extract_paths_from_tree_aux(0, n_nodes, [], children_left, children_right, features, thresholds, values)

In [5]:
from sklearn.datasets import fetch_openml
from sklearn.preprocessing import MinMaxScaler

#load dataset
X,y = fetch_openml('mnist_784', version=1, return_X_y=True)
X = X.to_numpy().astype(float)
y = y.to_numpy().astype(int)

#filter instances x labels
X = X[np.isin(y, [2, 6])]
y = y[np.isin(y, [2, 6])]
y[y==2] = 0
y[y==6] = 1


#Scale in [0-1]
#y = y.reshape((y.shape[0], 1))
X = np.nan_to_num(X)
min_max_scaler = MinMaxScaler()
X = min_max_scaler.fit_transform(X)


#Save splittings
"""dataset = np.concatenate((y, X), axis=1)
dataset_df = pd.DataFrame(dataset)"""
X_train, X_test, y_train, y_test = train_test_split(X, y, test_size = 0.3, random_state=RANDOM_STATE)

In [6]:
rf_standard = load("../data/best_forest_mnist.joblib")
n_trees = 0
max_depth = 0
dictionare  = rf_standard.get_params()
for i, param in enumerate(dictionare):
    if param == 'n_estimators':
        n_trees = dictionare['n_estimators']
    if param == 'max_depth':
        max_depth =  dictionare['max_depth']
print("Number of trees:{}".format(n_trees))
print("Depth: {}".format(max_depth))

Numero Alberi:90
Depth: 24


In [10]:
array_leaves = []
array_depth = []
max_leaves = 0
min_leaves = 100000
for t in rf_standard.estimators_:
    leaves = t.get_n_leaves()
    array_leaves.append(leaves)
    if max_leaves < leaves: max_leaves = leaves
    if min_leaves > leaves: min_leaves = leaves

    array_depth.append(t.get_depth())

max_leaves = int(np.mean(array_leaves) - np.std(array_leaves))
print(max_leaves)

230


In [None]:
watermark = []
for i in range(int(0.5*n_trees)):
    watermark.append(1)
for i in range(n_trees - int(0.5*n_trees)):
    watermark.append(0)
random.shuffle(watermark)

watermark = np.array(watermark)
size = [0.01, 0.02, 0.03, 0.04]

stats = []
for dim in size:
    RANDOM_STATE = RANDOM_STATE
    ones = (watermark == 1).sum()
    zeros = (watermark == 0).sum()
    print("Watermark: ", watermark)
    print("Size: {}".format(dim))

    rf_standard = load("../data/best_forest_mnist.joblib")
    standard_accuracy = accuracy_score(y_true = y_test, y_pred = rf_standard.predict(X_test))
    base_stats = []
    for i in range(len(size)):
        base_stats.append(standard_accuracy)

    ensemble_rit = ensemble_SC(n_trees, watermark, ones, zeros, X_train, y_train, X_test, y_test, dim, max_depth, max_leaves, stats, standard_accuracy)

In [12]:
acc_x_trigger_dim = pd.DataFrame([size, stats])

In [13]:
acc_standard_x_trigger_dim = pd.DataFrame([size, base_stats])

In [14]:
prefix = "../results/"

In [15]:
acc_x_trigger_dim.to_csv(prefix + "report_acc_x_trigger_dim_mnist.csv", header=False, index=False)

In [16]:
acc_standard_x_trigger_dim.to_csv(prefix + "report_acc_standard_x_trigger_dim_mnist.csv", header=False, index=False)

In [None]:
perc = [0.1, 0.2, 0.3, 0.4, 0.5, 0.6]
dim = 0.02
stats = []
for p in perc:
    watermark = []
    for i in range(int(p*n_trees)):
        watermark.append(1)
    for i in range(n_trees - int(p*n_trees)):
        watermark.append(0)
    random.shuffle(watermark)

    watermark = np.array(watermark)
    rf_standard = load("../data/best_forest_mnist.joblib")
    standard_accuracy = accuracy_score(y_true = y_test, y_pred = rf_standard.predict(X_test))
    
    ones = (watermark == 1).sum()
    zeros = (watermark == 0).sum()
    print("Watermark: ", watermark)
    print("Size: {}".format(dim))

    ensemble_rit = ensemble_SC(n_trees, watermark, ones, zeros, X_train, y_train, X_test, y_test, dim, max_depth, max_leaves, stats, standard_accuracy)


In [18]:
base_stats = [standard_accuracy]*len(perc)

In [19]:
base_stats

[0.9975961538461539,
 0.9975961538461539,
 0.9975961538461539,
 0.9975961538461539,
 0.9975961538461539,
 0.9975961538461539]

In [20]:
acc_x_perc_bit_1 = pd.DataFrame([perc, stats])
acc_standard_x_perc_bit_1 = pd.DataFrame([perc, base_stats])
acc_x_perc_bit_1.to_csv(prefix + "report_acc_x_perc_bit_1_mnist.csv", header=False, index=False)
acc_standard_x_perc_bit_1.to_csv(prefix + "report_acc_standard_x_perc_bit_1_mnist.csv", header=False, index=False)