In [1]:
"""
Adversarially train LeNet-5
"""

import torch
import torch.nn as nn
import torchvision.datasets as datasets
import torchvision.transforms as transforms
from torch.autograd import Variable
import torch.nn.functional as F
from IPython.core.debugger import Tracer

from adversarialbox.attacks import FGSMAttack, LinfPGDAttack
from adversarialbox.train import adv_train, FGSM_train_rnd
from adversarialbox.utils import to_var, pred_batch, test



class LeNet5Ensemble(nn.Module):
    def __init__(self):
        super(LeNet5Ensemble, self).__init__()
        self.conv1 = nn.Conv2d(1, 32, kernel_size=3, padding=1, stride=1)
        self.relu1 = nn.ELU(inplace=True)
        self.maxpool1 = nn.MaxPool2d(2)
        self.conv2 = nn.Conv2d(32, 64, kernel_size=3, padding=1, stride=1)
        self.relu2 = nn.ELU(inplace=True)
        self.maxpool2 = nn.MaxPool2d(2)
        self.linear1 = nn.Linear(7*7*64, 200)
        self.relu3 = nn.ELU(inplace=True)
        self.linear2 = nn.Linear(200, 10)
        
        self.T = float(1) #Temperature level
        #self.noise = Variable(torch.zeros(shape,shape).cuda())
        
    def forward(self, x):
        out = self.maxpool1(self.relu1(self.conv1(x)))
        noise =  Variable(torch.zeros(out.shape).cuda()).data.normal_(0, std=self.T)
        out = out + Variable(noise, requires_grad=False)
        out = self.maxpool2(self.relu2(self.conv2(out)))
        noise =  Variable(torch.zeros(out.shape).cuda()).data.normal_(0, std=self.T)
        out = out + Variable(noise, requires_grad=False)
        out = out.view(out.size(0), -1)
        out = self.relu3(self.linear1(out))
        out = self.linear2(out)
        noise =  Variable(torch.zeros(out.shape).cuda()).data.normal_(0, std=self.T)
        out = out + Variable(noise, requires_grad=False)
        return out
    
# Hyper-parameters
param = {
    'batch_size': 128,
    'test_batch_size': 100,
    #'num_epochs': 15,
    'num_epochs': 150,
    'delay': 10,
    'learning_rate': 1e-3,
    'weight_decay': 5e-4,
}


# Data loaders
train_dataset = datasets.MNIST(root='../data/',train=True, download=True, 
    transform=transforms.ToTensor())
loader_train = torch.utils.data.DataLoader(train_dataset, 
    batch_size=param['batch_size'], shuffle=True)

test_dataset = datasets.MNIST(root='../data/', train=False, download=True, 
    transform=transforms.ToTensor())
loader_test = torch.utils.data.DataLoader(test_dataset, 
    batch_size=param['test_batch_size'], shuffle=True)


# Setup the model
net = LeNet5Ensemble()

if torch.cuda.is_available():
    print('CUDA ensabled.')
    net.cuda()
net.train()

# Adversarial training setup
#adversary = FGSMAttack(epsilon=0.3)
adversary = LinfPGDAttack()

# Train the model
criterion = nn.CrossEntropyLoss()
optimizer = torch.optim.RMSprop(net.parameters(), lr=param['learning_rate'],
    weight_decay=param['weight_decay'])

for epoch in range(param['num_epochs']):

    print('Starting epoch %d / %d' % (epoch + 1, param['num_epochs']))

    for t, (x, y) in enumerate(loader_train):

        x_var, y_var = to_var(x), to_var(y.long())
        loss = criterion(net(x_var), y_var)

        '''
        # adversarial training
        if epoch+1 > param['delay']:
            # use predicted label to prevent label leaking
            y_pred = pred_batch(x, net)
            x_adv = adv_train(x, y_pred, net, criterion, adversary)
            x_adv_var = to_var(x_adv)
            loss_adv = criterion(net(x_adv_var), y_var)
            loss = (loss + loss_adv) / 2

        if (t + 1) % 100 == 0:
            print('t = %d, loss = %.8f' % (t + 1, loss.data[0]))
        '''
        if (t + 1) % 100 == 0:
            print('t = %d, loss = %.8f' % (t + 1, loss.data[0]))
        optimizer.zero_grad()
        loss.backward()
        optimizer.step()


test(net, loader_test)

#torch.save(net.state_dict(), 'models/adv_trained_lenet5.pkl')


CUDA ensabled.
Starting epoch 1 / 150
t = 100, loss = 0.18900014
t = 200, loss = 0.05892304
t = 300, loss = 0.12269598
t = 400, loss = 0.14710078
Starting epoch 2 / 150
t = 100, loss = 0.02292746
t = 200, loss = 0.07051601
t = 300, loss = 0.01589146
t = 400, loss = 0.10311737
Starting epoch 3 / 150
t = 100, loss = 0.09425895
t = 200, loss = 0.02495813
t = 300, loss = 0.08201248
t = 400, loss = 0.02278680
Starting epoch 4 / 150
t = 100, loss = 0.00766858
t = 200, loss = 0.02657461
t = 300, loss = 0.01644062
t = 400, loss = 0.02929627
Starting epoch 5 / 150
t = 100, loss = 0.04471530
t = 200, loss = 0.02101738
t = 300, loss = 0.01161930
t = 400, loss = 0.01847229
Starting epoch 6 / 150
t = 100, loss = 0.05168877
t = 200, loss = 0.01404342
t = 300, loss = 0.03640495
t = 400, loss = 0.09358424
Starting epoch 7 / 150
t = 100, loss = 0.02381146
t = 200, loss = 0.01925102
t = 300, loss = 0.01139943
t = 400, loss = 0.03601921
Starting epoch 8 / 150
t = 100, loss = 0.03128486
t = 200, loss = 0.

t = 100, loss = 0.00281022
t = 200, loss = 0.03466623
t = 300, loss = 0.04601840
t = 400, loss = 0.00302928
Starting epoch 64 / 150
t = 100, loss = 0.00127976
t = 200, loss = 0.00147662
t = 300, loss = 0.00848654
t = 400, loss = 0.01652544
Starting epoch 65 / 150
t = 100, loss = 0.04712386
t = 200, loss = 0.02038547
t = 300, loss = 0.01645211
t = 400, loss = 0.02129967
Starting epoch 66 / 150
t = 100, loss = 0.01255368
t = 200, loss = 0.00471501
t = 300, loss = 0.04379336
t = 400, loss = 0.00201255
Starting epoch 67 / 150
t = 100, loss = 0.00555142
t = 200, loss = 0.01397669
t = 300, loss = 0.02025128
t = 400, loss = 0.01304560
Starting epoch 68 / 150
t = 100, loss = 0.00583144
t = 200, loss = 0.00290376
t = 300, loss = 0.00930820
t = 400, loss = 0.02006851
Starting epoch 69 / 150
t = 100, loss = 0.02426007
t = 200, loss = 0.00667509
t = 300, loss = 0.01793389
t = 400, loss = 0.01489023
Starting epoch 70 / 150
t = 100, loss = 0.01509298
t = 200, loss = 0.00397376
t = 300, loss = 0.0052

t = 100, loss = 0.00206237
t = 200, loss = 0.01328390
t = 300, loss = 0.00276602
t = 400, loss = 0.01835653
Starting epoch 126 / 150
t = 100, loss = 0.00762675
t = 200, loss = 0.00884721
t = 300, loss = 0.03587102
t = 400, loss = 0.02296998
Starting epoch 127 / 150
t = 100, loss = 0.00623322
t = 200, loss = 0.01065244
t = 300, loss = 0.00984172
t = 400, loss = 0.00843626
Starting epoch 128 / 150
t = 100, loss = 0.02185021
t = 200, loss = 0.01230880
t = 300, loss = 0.00903964
t = 400, loss = 0.00502528
Starting epoch 129 / 150
t = 100, loss = 0.00768400
t = 200, loss = 0.02386064
t = 300, loss = 0.02211776
t = 400, loss = 0.02533092
Starting epoch 130 / 150
t = 100, loss = 0.00727839
t = 200, loss = 0.01282946
t = 300, loss = 0.01056573
t = 400, loss = 0.00779903
Starting epoch 131 / 150
t = 100, loss = 0.01100931
t = 200, loss = 0.00688036
t = 300, loss = 0.01276148
t = 400, loss = 0.01003846
Starting epoch 132 / 150
t = 100, loss = 0.00441525
t = 200, loss = 0.01073112
t = 300, loss =

0.9919

In [3]:
Stheta = 2
import copy
model_list=[copy.deepcopy(net) for i in range(Stheta)]

"""
Adversarial attacks on LeNet5
"""
from time import time
import torch
import torch.nn as nn
import torchvision.datasets as datasets
import torchvision.transforms as transforms
from torch.autograd import Variable
import torch.nn.functional as F

from adversarialbox.attacks import FGSMAttack, LinfPGDAttack
from adversarialbox.utils import to_var, pred_batch, test, \
    attack_over_test_data

# Hyper-parameters
param = {
    'test_batch_size': 100,
    'epsilon': 0.5,
}

test_dataset = datasets.MNIST(root='../data/', train=False, download=True,
    transform=transforms.ToTensor())
loader_test = torch.utils.data.DataLoader(test_dataset, 
    batch_size=param['test_batch_size'], shuffle=False)

for net in model_list:
    for p in net.parameters():
        p.requires_grad = False
    net.eval()
    
    test(net, loader_test)

adversary = FGSMAttack(net, param['epsilon'])


t0 = time()
attack_over_test_data(net, adversary, param, loader_test)
print('{}s eclipsed.'.format(time()-t0))

Got 9907/10000 correct (99.07%) on the clean data
Got 9909/10000 correct (99.09%) on the clean data
maximum diff adv 0.5
maximum diff adv 0.5
maximum diff adv 0.5
maximum diff adv 0.5
maximum diff adv 0.5
maximum diff adv 0.5
maximum diff adv 0.5
maximum diff adv 0.5
maximum diff adv 0.5
maximum diff adv 0.5
maximum diff adv 0.5
maximum diff adv 0.5
maximum diff adv 0.5
maximum diff adv 0.5
maximum diff adv 0.5
maximum diff adv 0.5
maximum diff adv 0.5
maximum diff adv 0.5
maximum diff adv 0.5
maximum diff adv 0.5
maximum diff adv 0.5
maximum diff adv 0.5
maximum diff adv 0.5
maximum diff adv 0.5
maximum diff adv 0.5
maximum diff adv 0.5
maximum diff adv 0.5
maximum diff adv 0.5
maximum diff adv 0.5
maximum diff adv 0.5
maximum diff adv 0.5
maximum diff adv 0.5
maximum diff adv 0.5
maximum diff adv 0.5
maximum diff adv 0.5
maximum diff adv 0.5
maximum diff adv 0.5
maximum diff adv 0.5
maximum diff adv 0.5
maximum diff adv 0.5
maximum diff adv 0.5
maximum diff adv 0.5
maximum diff adv 0