# Task 4: Robust Gradient Descent

## Dependencies

In [1]:
import numpy as np
import torch
from torch.utils.data import DataLoader
import torch.nn as nn
import torch.optim as optim
import os
import copy

### If you are using Google Colab, you need to upload this notebook and the codebase to your Google Drive. Then you need to mount your Google Drive in Colab and set your working directory. If you are running on your local machine, you can ignore the following line.

In [2]:
from google.colab import drive
drive.mount('/content/drive')

Drive already mounted at /content/drive; to attempt to forcibly remount, call drive.mount("/content/drive", force_remount=True).


In [3]:
root_dir = "/content/drive/My Drive/"
project_dir = "Assignment2" # Change to your path
os.chdir(root_dir + project_dir)

In [4]:
# Make sure the path is correct
!ls

attack.py			    dataset
CS5562_Assignment_2_Task1.ipynb     defense.py
CS5562_Assignment_2_Task2.ipynb     environment.yml
CS5562_Assignment_2_Task3.ipynb     model.py
CS5562_Assignment_2_Task4.ipynb     __pycache__
CS5562_Assignment_2_Warm_ups.ipynb  utilities.py


## Implement robust trainer

In [5]:
from utilities import *
from defense import *
from scipy.linalg import svd

In [13]:
def robust_trainer(model, train_dataset, eps):
    #################
    # TODO: implement the robust gradient update (this is simple gradient update) based on sever
    size = len(train_dataset)
    n_poison = int(eps * size)
    total_loss, total_err = 0., 0.

    opt = optim.SGD(model.parameters(), lr=1e-1)

    # Fit the model
    X = torch.tensor(train_dataset.X, requires_grad=True)
    y = torch.tensor(train_dataset.Y)
    y = ((y + 1) / 2).reshape(-1, 1) # convert the label from {-1,1} to {0,1} for using cross entropy loss

    pred = model(X.float())
    loss = nn.BCEWithLogitsLoss()(pred, y.float())

    opt.zero_grad()
    loss.backward()
    opt.step()

    total_err += ((pred > 0) * (y == 0) + (pred < 0) * (y == 1)).sum().item()
    total_loss += loss.item() * size

    # Calculate sever outliers
    individual_grad = X.grad
    delta_hat = np.tile(torch.mean(individual_grad, axis=0), (size, 1))

    G = individual_grad - delta_hat
    _, _, V = svd(G)
    # Top right singular vector
    v = V[0].reshape(-1, 1)

    score = (np.dot(G, v)**2).squeeze()

    # Remove points with p largest scores
    T = int(size*eps/50)
    index = np.argpartition(score, -T)[-T:]

    del train_dataset[index]

    #################
    return total_err / train_dataset.Y.shape[0], total_loss / train_dataset.Y.shape[0]


# Test your code

## Helper functions

In [18]:
from model import Model

class RobustModel(Model):
    def __init__(self, model, model_name, estimated_eps):
        super().__init__(model, model_name)
        self.estimated_eps = estimated_eps

    def train(self, train_dataset):
        for i in range(50):
            robust_trainer(self.model, train_dataset, self.estimated_eps)

In [15]:
def compute_attack_grade(attack, victim_model,eps,clean_train_dataset,test_dataset):
    # target model structure is known to the adversary
    target_model = copy.deepcopy(victim_model)
    if attack == 'KKT':
        attacker = KKT_Attack(target_model,clean_train_dataset,test_dataset)
    elif attack == 'label-flip':
        attacker = Label_Flip_Attack(target_model, clean_train_dataset, test_dataset)
    elif attack == 'adaptive':
        attacker = Adaptive_Attack(target_model, clean_train_dataset, test_dataset)
    elif attack == 'random-label-flip':
        attacker = Random_Label_Flip_Attack(target_model, clean_train_dataset, test_dataset)
    poisoned_dataset = attacker.attack(eps)
    assert len(poisoned_dataset) <= int(eps*len(clean_train_dataset))

    train_dataset = combine_datset(clean_train_dataset,poisoned_dataset)
    clean_model = copy.deepcopy(target_model)

    # performance without any attack
    clean_model.train(clean_train_dataset)
    clean_loss,clean_acc = clean_model.score(test_dataset)
    print('\nAvg loss of clean model: %0.5f, avg classification accuracy: %0.5f'%(clean_loss,clean_acc))

    # attack the victim model
    victim_model.train(train_dataset)
    poisoned_loss,poisoned_acc =victim_model.score(test_dataset)
    print('\nAvg loss of poisoned model:%0.5f, avg classification accuracy: %0.5f'%(poisoned_loss,poisoned_acc))

    grade = poisoned_loss - clean_loss

    # # for generating figures
    # distance_to_center_diff(clean_train_dataset,poisoned_dataset)
    # loss_diff(clean_train_dataset, poisoned_dataset,clean_model)

    return len(poisoned_dataset)/len(clean_train_dataset),grade

## Copy and Paste your data flipping attack here:

In [16]:
from attack import Attack

class Label_Flip_Attack(Attack):
    """
        Label flipping attack: students implement their own label flipping attack here
    """
    def attack(self, eps):
        n_poison = int(eps * len(self.clean_dataset))

        ####################
        # TODO: modify the following part to build your attack model based on label flipping attack
        index = np.random.choice(self.clean_dataset.X.shape[0], n_poison, replace=False)
        X, Y_modified = self.clean_dataset[index]
        Y_modified = Y_modified*(-1)

        ####################
        return dataset(X, Y_modified)

## Testing

#### Robust Neural Network

In [10]:
train_dataset,test_dataset = load_dataset('dogfish')
base_model = load_model("nn", "dogfish")
target_model = RobustModel(base_model, "nn", 0.2)
defense_name = 'robust'
fraction, attack_grade = compute_attack_grade("label-flip", target_model, 0.2, train_dataset, test_dataset)
print('\n\n-----------result---------')
print('%s attack against %s %s model on %s dataset: %0.2f (%0.2f fraction of poisoning data)'%("label-flip",defense_name,"nn","dogfish",attack_grade,fraction))


Avg loss of clean model: 0.05876, avg classification accuracy: 0.98333

Avg loss of poisoned model:0.07806, avg classification accuracy: 0.98167


-----------result---------
label-flip attack against robust nn model on dogfish dataset: 0.02 (0.24 fraction of poisoning data)


#### Robust LR

In [19]:
train_dataset,test_dataset = load_dataset('dogfish')
base_model = load_model("lr", "dogfish")
target_model = RobustModel(base_model, "lr", 0.2)
defense_name = 'robust'
fraction, attack_grade = compute_attack_grade("label-flip", target_model, 0.2, train_dataset, test_dataset)
print('\n\n-----------result---------')
print('%s attack against %s %s model on %s dataset: %0.2f (%0.2f fraction of poisoning data)'%("label-flip",defense_name,"lr","dogfish",attack_grade,fraction))


Avg loss of clean model: 0.05472, avg classification accuracy: 0.98333

Avg loss of poisoned model:0.06721, avg classification accuracy: 0.98333


-----------result---------
label-flip attack against robust lr model on dogfish dataset: 0.01 (0.24 fraction of poisoning data)


# Report

**Q.1) Describe your defense algorithm in detail. Furthermore, please provide the whole proof of your robustness analysis in the report.**

I implemented the SEVER algorithm as given in the paper. I used practical considerations mentioned in the paper for a simpler implementation.

1. Fit the model using normal SGD as optimizer.
2. Calculate the gradients of each point in the dataset wrt. to the learned parameters $∇f_i(w)$.
3. Calculate the average gradients given by where $S$ is the length of the dataset:

$$∇_{avg} = \frac{1}{|S|} ∑_{i \space ϵ \space S} ∇f_i(w)$$

4. Calculate the centered gradients $G$:

$$G = [  ∇f_i(w) - ∇_{avg} ]_{i \space ϵ \space S}$$

5. Extract the top right singular vector $v$ of $G$.

6. Compute the outlier score $τ_i$ for every data point $i$.

$$τ_i = (( ∇f_i(w) - ∇_{avg} ) \cdot v)^2$$

7. Remove top $T = int(size*eps/50)$ points from the training dataset.


### Proof

The robustness analysis follows that of the corresponding paper. [1]

1. As long as the real (non-outlying) data is not too heavy-tailed, SEVER is provably robust to outliers. The value of objective $f$ cannot be decreased much by changing the input $w$ locally, while staying within the domain. The condition enforces that moving in any direction $v$ either causes us to leave domain $H$ or causes $f$ to decrease at a rate at most $γ$.

2. $L$ always finds an approximate critical point of the empirical learning objective. Stochastic gradient descent satisfy the γ-approximate learner property.

3. We want to ensure that the outliers do not have a large effect on the learned parameters. Intuitively, for the outliers to have such an effect, their corresponding gradients should be (i) large in magnitude and (ii) systematically pointing in a specific direction. We can detect this via singular value decomposition–if both (i) and (ii) hold then the outliers should be responsible for a large singular value in the matrix of gradients, which allows us to detect and remove them. 

4. Approximating the gradient of f at a given point, given access to an ε-corrupted set of samples, can be viewed as a robust mean estimation problem. We can thus use the robust mean estimation algorithm of (Diakonikolas et al., 2017a), which succeeds under fairly mild assumptions about the good samples. Assuming that the covariance matrix of ∇f(w), f ∼ p∗, is bounded, we can thus “simulate” gradient descent and approximately minimize f.

5. By the performance guarantees of the latter algorithm we are in one of two cases: either the filtering algorithm removes a set of corrupted functions or it certifies that the gradient of fˆ is “close” to the gradient of f at w. In the first case, we make progress as we produce a “cleaner” set of functions. In the second case, our certification implies that the point w is also an approximate critical point of f and we are done

6. Moreover, the error guarantee has no dependence on the underlying dimension d. 

Therefore, SEVER is a robust algorithm to outliers.



### Question 1. Please train the robust logistic regression model, robust neural network models using your training algorithm and compare their accuracy in the benign and adversarial settings. Which model achieves a better test accuracy in each case? Why?

The test accuracies are as follows:

NN
```
Avg loss of clean model: 0.05876, avg classification accuracy: 0.98333
Avg loss of poisoned model:0.07806, avg classification accuracy: 0.98167
```

LR
```
Avg loss of clean model: 0.05472, avg classification accuracy: 0.98333
Avg loss of poisoned model:0.06721, avg classification accuracy: 0.98333
```

1. For the benign setting, both achieve the same accuracy. However, I have run this multiple times and on an average, neural network achieves better accuracy than LR. This is because it is able to learn complex patterns in the image, while LR is a simpler linear model. 

2. For the adversarial setting, LR achieves better accuracy on an average. This is because the objective of LR is always convex vs NN which may not always have a convex objective. Therefore, it is guarenteed to remove the poisoned points in LR. (Sever is a guaranteed approach for convex problems).


### References:
[1] Ilias Diakonikolas, Gautam Kamath, Daniel Kane, Jerry Li, Jacob Steinhardt, and Alistair Stewart. Sever: A robust meta-algorithm for stochastic optimization. In International Conference on Machine Learning, pages 1596–1606. PMLR, 2019.