In [1]:
import numpy as np

from absl import app
from absl import flags

import tensorflow as tf
from tensorflow.keras import layers

from sklearn.model_selection import train_test_split



2023-11-19 22:51:25.093998: I tensorflow/core/util/port.cc:113] oneDNN custom operations are on. You may see slightly different numerical results due to floating-point round-off errors from different computation orders. To turn them off, set the environment variable `TF_ENABLE_ONEDNN_OPTS=0`.
2023-11-19 22:51:25.144166: E external/local_xla/xla/stream_executor/cuda/cuda_dnn.cc:9261] Unable to register cuDNN factory: Attempting to register factory for plugin cuDNN when one has already been registered
2023-11-19 22:51:25.144194: E external/local_xla/xla/stream_executor/cuda/cuda_fft.cc:607] Unable to register cuFFT factory: Attempting to register factory for plugin cuFFT when one has already been registered
2023-11-19 22:51:25.145311: E external/local_xla/xla/stream_executor/cuda/cuda_blas.cc:1515] Unable to register cuBLAS factory: Attempting to register factory for plugin cuBLAS when one has already been registered
2023-11-19 22:51:25.153531: I tensorflow/core/platform/cpu_feature_guar

In [2]:
from mia.models import ShadowModelBundle, AttackModelBundle, prepare_attack_data

In [3]:
NUM_CLASSES = 10
WIDTH = 32
HEIGHT = 32
CHANNELS = 3
SHADOW_DATASET_SIZE = 4000
ATTACK_TEST_DATASET_SIZE = 4000

TARGET_EPOCHS = 12
ATTACK_EPOCHS = 12
NUM_SHADOWS = 3




In [4]:
def get_data():
    """Prepare CIFAR10 data."""
    (X_train, y_train), (X_test, y_test) = tf.keras.datasets.cifar10.load_data()
    y_train = tf.keras.utils.to_categorical(y_train)
    y_test = tf.keras.utils.to_categorical(y_test)
    X_train = X_train.astype("float32")
    X_test = X_test.astype("float32")
    y_train = y_train.astype("float32")
    y_test = y_test.astype("float32")
    X_train /= 255
    X_test /= 255
    return (X_train, y_train), (X_test, y_test)



In [5]:

def target_model_fn():
    """The architecture of the target (victim) model.

    The attack is white-box, hence the attacker is assumed to know this architecture too."""

    model = tf.keras.models.Sequential()

    model.add(
        layers.Conv2D(
            32,
            (3, 3),
            activation="relu",
            padding="same",
            input_shape=(WIDTH, HEIGHT, CHANNELS),
        )
    )
    model.add(layers.Conv2D(32, (3, 3), activation="relu"))
    model.add(layers.MaxPooling2D(pool_size=(2, 2)))
    model.add(layers.Dropout(0.25))

    model.add(layers.Conv2D(64, (3, 3), activation="relu", padding="same"))
    model.add(layers.Conv2D(64, (3, 3), activation="relu"))
    model.add(layers.MaxPooling2D(pool_size=(2, 2)))
    model.add(layers.Dropout(0.25))

    model.add(layers.Flatten())

    model.add(layers.Dense(512, activation="relu"))
    model.add(layers.Dropout(0.5))

    model.add(layers.Dense(NUM_CLASSES, activation="softmax"))
    model.compile("adam", loss="categorical_crossentropy", metrics=["accuracy"])

    return model


def attack_model_fn():
    """Attack model that takes target model predictions and predicts membership.

    Following the original paper, this attack model is specific to the class of the input.
    AttachModelBundle creates multiple instances of this model for each class.
    """
    model = tf.keras.models.Sequential()

    model.add(layers.Dense(128, activation="relu", input_shape=(NUM_CLASSES,)))

    model.add(layers.Dropout(0.3, noise_shape=None, seed=None))
    model.add(layers.Dense(64, activation="relu"))
    model.add(layers.Dropout(0.2, noise_shape=None, seed=None))
    model.add(layers.Dense(64, activation="relu"))

    model.add(layers.Dense(1, activation="sigmoid"))
    model.compile("adam", loss="binary_crossentropy", metrics=["accuracy"])
    return model


In [6]:
(X_train, y_train), (X_test, y_test) = get_data()

# Train the target model.
print("Training the target model...")
target_model = target_model_fn()
target_model.fit(
    X_train, y_train, epochs=TARGET_EPOCHS, validation_split=0.1, verbose=True
)

# Train the shadow models.
smb = ShadowModelBundle(
    target_model_fn,
    shadow_dataset_size=SHADOW_DATASET_SIZE,
    num_models=NUM_SHADOWS,
)

# We assume that attacker's data were not seen in target's training.
attacker_X_train, attacker_X_test, attacker_y_train, attacker_y_test = train_test_split(
    X_test, y_test, test_size=0.1
)
print(attacker_X_train.shape, attacker_X_test.shape)

print("Training the shadow models...")
X_shadow, y_shadow = smb.fit_transform(
    attacker_X_train,
    attacker_y_train,
    fit_kwargs=dict(
        epochs=FLAGS.target_epochs,
        verbose=True,
        validation_data=(attacker_X_test, attacker_y_test),
    ),
)

# ShadowModelBundle returns data in the format suitable for the AttackModelBundle.
amb = AttackModelBundle(attack_model_fn, num_classes=NUM_CLASSES)

# Fit the attack models.
print("Training the attack models...")
amb.fit(
    X_shadow, y_shadow, fit_kwargs=dict(epochs=ATTACK_EPOCHS, verbose=True)
)

# Test the success of the attack.

# Prepare examples that were in the training, and out of the training.
data_in = X_train[:ATTACK_TEST_DATASET_SIZE], y_train[:ATTACK_TEST_DATASET_SIZE]
data_out = X_test[:ATTACK_TEST_DATASET_SIZE], y_test[:ATTACK_TEST_DATASET_SIZE]

# Compile them into the expected format for the AttackModelBundle.
attack_test_data, real_membership_labels = prepare_attack_data(
    target_model, data_in, data_out
)

# Compute the attack accuracy.
attack_guesses = amb.predict(attack_test_data)
attack_accuracy = np.mean(attack_guesses == real_membership_labels)

print(attack_accuracy)

Training the target model...


2023-11-19 22:51:35.310498: I tensorflow/core/common_runtime/gpu/gpu_device.cc:1929] Created device /job:localhost/replica:0/task:0/device:GPU:0 with 22987 MB memory:  -> device: 0, name: Quadro RTX 6000, pci bus id: 0000:41:00.0, compute capability: 7.5


Epoch 1/12


2023-11-19 22:51:37.599012: E tensorflow/core/grappler/optimizers/meta_optimizer.cc:961] layout failed: INVALID_ARGUMENT: Size of values 0 does not match size of permutation 4 @ fanin shape insequential/dropout/dropout/SelectV2-2-TransposeNHWCToNCHW-LayoutOptimizer
2023-11-19 22:51:37.767713: I external/local_xla/xla/stream_executor/cuda/cuda_dnn.cc:454] Loaded cuDNN version 8902
2023-11-19 22:51:38.057047: W external/local_xla/xla/stream_executor/gpu/asm_compiler.cc:110] Couldn't get ptxas version : FAILED_PRECONDITION: Couldn't get ptxas/nvlink version string: INTERNAL: Running ptxas --version returned 32512
2023-11-19 22:51:38.147387: W external/local_xla/xla/stream_executor/gpu/redzone_allocator.cc:322] INTERNAL: ptxas exited with non-zero error code 32512, output: 
Relying on driver to perform ptx compilation. 
Modify $PATH to customize ptxas location.
This message will be only logged once.
2023-11-19 22:51:38.452686: W external/local_xla/xla/service/gpu/llvm_gpu_backend/gpu_backe

2023-11-19 22:51:41.350381: W external/local_xla/xla/service/gpu/llvm_gpu_backend/gpu_backend_lib.cc:542] libdevice is required by this HLO module but was not found at ./libdevice.10.bc
2023-11-19 22:51:41.351580: W tensorflow/core/framework/op_kernel.cc:1839] OP_REQUIRES failed at xla_ops.cc:574 : INTERNAL: libdevice not found at ./libdevice.10.bc
2023-11-19 22:51:41.373403: W external/local_xla/xla/service/gpu/llvm_gpu_backend/gpu_backend_lib.cc:542] libdevice is required by this HLO module but was not found at ./libdevice.10.bc
2023-11-19 22:51:41.374389: W tensorflow/core/framework/op_kernel.cc:1839] OP_REQUIRES failed at xla_ops.cc:574 : INTERNAL: libdevice not found at ./libdevice.10.bc
2023-11-19 22:51:41.440073: W external/local_xla/xla/service/gpu/llvm_gpu_backend/gpu_backend_lib.cc:542] libdevice is required by this HLO module but was not found at ./libdevice.10.bc
2023-11-19 22:51:41.441075: W tensorflow/core/framework/op_kernel.cc:1839] OP_REQUIRES failed at xla_ops.cc:574 

InternalError: Graph execution error:

Detected at node Adam/StatefulPartitionedCall_10 defined at (most recent call last):
  File "/users/xli321/data/xli321/conda_envs/mia_env/lib/python3.9/runpy.py", line 197, in _run_module_as_main

  File "/users/xli321/data/xli321/conda_envs/mia_env/lib/python3.9/runpy.py", line 87, in _run_code

  File "/users/xli321/data/xli321/conda_envs/mia_env/lib/python3.9/site-packages/ipykernel_launcher.py", line 17, in <module>

  File "/users/xli321/data/xli321/conda_envs/mia_env/lib/python3.9/site-packages/traitlets/config/application.py", line 1053, in launch_instance

  File "/users/xli321/data/xli321/conda_envs/mia_env/lib/python3.9/site-packages/ipykernel/kernelapp.py", line 737, in start

  File "/users/xli321/data/xli321/conda_envs/mia_env/lib/python3.9/site-packages/tornado/platform/asyncio.py", line 195, in start

  File "/users/xli321/data/xli321/conda_envs/mia_env/lib/python3.9/asyncio/base_events.py", line 601, in run_forever

  File "/users/xli321/data/xli321/conda_envs/mia_env/lib/python3.9/asyncio/base_events.py", line 1905, in _run_once

  File "/users/xli321/data/xli321/conda_envs/mia_env/lib/python3.9/asyncio/events.py", line 80, in _run

  File "/users/xli321/data/xli321/conda_envs/mia_env/lib/python3.9/site-packages/ipykernel/kernelbase.py", line 524, in dispatch_queue

  File "/users/xli321/data/xli321/conda_envs/mia_env/lib/python3.9/site-packages/ipykernel/kernelbase.py", line 513, in process_one

  File "/users/xli321/data/xli321/conda_envs/mia_env/lib/python3.9/site-packages/ipykernel/kernelbase.py", line 418, in dispatch_shell

  File "/users/xli321/data/xli321/conda_envs/mia_env/lib/python3.9/site-packages/ipykernel/kernelbase.py", line 758, in execute_request

  File "/users/xli321/data/xli321/conda_envs/mia_env/lib/python3.9/site-packages/ipykernel/ipkernel.py", line 426, in do_execute

  File "/users/xli321/data/xli321/conda_envs/mia_env/lib/python3.9/site-packages/ipykernel/zmqshell.py", line 549, in run_cell

  File "/users/xli321/data/xli321/conda_envs/mia_env/lib/python3.9/site-packages/IPython/core/interactiveshell.py", line 3046, in run_cell

  File "/users/xli321/data/xli321/conda_envs/mia_env/lib/python3.9/site-packages/IPython/core/interactiveshell.py", line 3101, in _run_cell

  File "/users/xli321/data/xli321/conda_envs/mia_env/lib/python3.9/site-packages/IPython/core/async_helpers.py", line 129, in _pseudo_sync_runner

  File "/users/xli321/data/xli321/conda_envs/mia_env/lib/python3.9/site-packages/IPython/core/interactiveshell.py", line 3306, in run_cell_async

  File "/users/xli321/data/xli321/conda_envs/mia_env/lib/python3.9/site-packages/IPython/core/interactiveshell.py", line 3488, in run_ast_nodes

  File "/users/xli321/data/xli321/conda_envs/mia_env/lib/python3.9/site-packages/IPython/core/interactiveshell.py", line 3548, in run_code

  File "/tmp/ipykernel_135258/1763383792.py", line 6, in <module>

  File "/users/xli321/data/xli321/conda_envs/mia_env/lib/python3.9/site-packages/keras/src/utils/traceback_utils.py", line 65, in error_handler

  File "/users/xli321/data/xli321/conda_envs/mia_env/lib/python3.9/site-packages/keras/src/engine/training.py", line 1807, in fit

  File "/users/xli321/data/xli321/conda_envs/mia_env/lib/python3.9/site-packages/keras/src/engine/training.py", line 1401, in train_function

  File "/users/xli321/data/xli321/conda_envs/mia_env/lib/python3.9/site-packages/keras/src/engine/training.py", line 1384, in step_function

  File "/users/xli321/data/xli321/conda_envs/mia_env/lib/python3.9/site-packages/keras/src/engine/training.py", line 1373, in run_step

  File "/users/xli321/data/xli321/conda_envs/mia_env/lib/python3.9/site-packages/keras/src/engine/training.py", line 1154, in train_step

  File "/users/xli321/data/xli321/conda_envs/mia_env/lib/python3.9/site-packages/keras/src/optimizers/optimizer.py", line 544, in minimize

  File "/users/xli321/data/xli321/conda_envs/mia_env/lib/python3.9/site-packages/keras/src/optimizers/optimizer.py", line 1223, in apply_gradients

  File "/users/xli321/data/xli321/conda_envs/mia_env/lib/python3.9/site-packages/keras/src/optimizers/optimizer.py", line 652, in apply_gradients

  File "/users/xli321/data/xli321/conda_envs/mia_env/lib/python3.9/site-packages/keras/src/optimizers/optimizer.py", line 1253, in _internal_apply_gradients

  File "/users/xli321/data/xli321/conda_envs/mia_env/lib/python3.9/site-packages/keras/src/optimizers/optimizer.py", line 1345, in _distributed_apply_gradients_fn

  File "/users/xli321/data/xli321/conda_envs/mia_env/lib/python3.9/site-packages/keras/src/optimizers/optimizer.py", line 1340, in apply_grad_to_update_var

libdevice not found at ./libdevice.10.bc
	 [[{{node Adam/StatefulPartitionedCall_10}}]] [Op:__inference_train_function_1687]