In [19]:
# ART
# # coding=gbk
import os, pickle, random, sys
sys.path.append('D:\\zhaixu\\Thesis_Code\\dl_amc_defense_seq')
sys.path.append('D:\\zhaixu\\Thesis_Code')

# log_print = open('Defalust.log', 'w')
# sys.stdout = log_print
# sys.stderr = log_print

import warnings
import copy
warnings.filterwarnings('ignore')
import numpy as np
import argparse
from matplotlib import pyplot as plt
import tensorflow as tf
tf.compat.v1.disable_eager_execution()
import mltools

from art.estimators.classification import KerasClassifier
from art.attacks.poisoning import PoisoningAttackBackdoor
from art.attacks.poisoning.perturbations import add_pattern_bd, add_single_bd, insert_image
from art.utils import load_mnist, preprocess
from art.defences.detector.poison import ActivationDefence
from art.defences.transformer.poisoning import NeuralCleanse
from art.estimators.poison_mitigation import KerasNeuralCleanse
from sklearn.model_selection import train_test_split

from trigger_config import load_data
from trigger_config import set_trigger_config

from tensorflow import keras
from sklearn.preprocessing import normalize  # Adjust based on your preprocessing needs

In [20]:
def parse_arguments():
    parser = argparse.ArgumentParser(description='AC PARAMs')

    # 添加命令行参数
    parser.add_argument('--TRIGGER_TYPE', type=str, default='phase_shift')
    parser.add_argument('--GPU_NUM', type=str, default='0')
    parser.add_argument('--POS_RATE', type=float, default=0.1)
    parser.add_argument('--MODEL_NAME', type=str, default='CNN2')
    parser.add_argument('--EPOCH', type=int, default=2)

    return parser.parse_args()

In [21]:
def get_conv_index(model):
    convindex = []
    for i, layer in enumerate(model.layers):
        if isinstance(layer, tf.keras.layers.Conv2D) or isinstance(layer, tf.keras.layers.Conv1D):
            convindex.append(i)
    return convindex

def clear_max_weights(weights, thresh):
    for i in range(len(weights)):
        for j in range(len(weights[i])):
            for k in range(len(weights[i][j])):
                for m in range(len(weights[i][j][k])):
                    if weights[i][j][k][m] > thresh:
                        weights[i][j][k][m] = 0
    return weights

def calc_top_X_percent_weight(weights, fraction):
    flat_weights = weights.flatten()
    num_weights_to_keep = int(len(flat_weights) * (1 - fraction))
    top_weights = np.sort(flat_weights)[-num_weights_to_keep]
    return top_weights

def fineprune(model, pruning_fraction, incremental=False):
    layer_weights = []
    convindex = get_conv_index(model)
    for i in convindex:
        layer_weights.append(model.layers[i].get_weights()[0])

    max_weights_thr = []
    for weights in layer_weights:
        max_weights_thr.append(calc_top_X_percent_weight(weights, pruning_fraction))

    new_weights = []
    for i, weights in enumerate(layer_weights):
        new_weights.append(clear_max_weights(weights, max_weights_thr[i]))

    for i, idx in enumerate(convindex):
        current_weights = model.layers[idx].get_weights()
        current_weights[0] = new_weights[i]
        model.layers[idx].set_weights(current_weights)

    return model

In [29]:
def evaluation(model,X_test, Y_test,test_idx,mods,snrs,lbl):
    classes = mods
    acc = []
    for snr in snrs:

        # extract classes @ SNR
        test_SNRs = list(map(lambda x: lbl[x][1], test_idx))
        test_X_i = X_test[np.where(np.array(test_SNRs) == snr)]
        test_Y_i = Y_test[np.where(np.array(test_SNRs) == snr)]

        # estimate classes
        test_Y_i_hat = model.predict(test_X_i)
        conf = np.zeros([len(classes), len(classes)])

        for i in range(0, test_X_i.shape[0]):
            j = list(test_Y_i[i, :]).index(1)
            k = int(np.argmax(test_Y_i_hat[i, :]))
            conf[j, k] = conf[j, k] + 1

        cor = np.sum(np.diag(conf))
        ncor = np.sum(conf) - cor
        #print("Overall Accuracy: ", cor / (cor+ncor))
        #print("snr:",snr,"acc:",cor / (cor + ncor))
        acc.append(1.0 * cor / (cor + ncor))
    acc_mean = sum(acc) / len(acc)
    print('acc_mean: ',acc_mean)
    acc.append(acc_mean)
    return acc

In [31]:
def incremental_pruning(model, X_train, Y_train, X_val, Y_val, 
                        initial_fraction=0.1, 
                        final_fraction=0.9, 
                        steps=5, 
                        epochs_per_step=10):
    pruning_fractions = np.linspace(initial_fraction, final_fraction, steps)
    clean_accuracies = []
    attack_sucecess_rates = []
    for fraction in pruning_fractions:
        model = fineprune(model, fraction, incremental=True)
        model.compile(optimizer='adam', loss='categorical_crossentropy', metrics=['accuracy'])
        model.fit(X_train, Y_train, validation_data=(X_val, Y_val), epochs=epochs_per_step, verbose=0)
        
        print('CA')
        acc_ca_no_defense = evaluation(model,X_test_benign,Y_test,test_idx,mods,snrs,lbl)
        print('ASR')
        acc_asr_no_defense = evaluation(model,X_test_modified,Y_test_modified,test_idx,mods,snrs,lbl)
        
        clean_accuracies.append(acc_ca_no_defense)
        attack_sucecess_rates.append(acc_asr_no_defense)
        print(f'Pruning Fraction: {fraction}, CA: {acc_ca_no_defense}, ASR: {acc_asr_no_defense}')

    plt.plot(pruning_fractions, clean_accuracies, attack_sucecess_rates)
    plt.xlabel('Pruning Fraction')
    plt.ylabel('CA_ASR')
    plt.title('Model Performance vs Pruning Fraction')
    plt.show()

    return model, pruning_fractions, clean_accuracies, attack_sucecess_rates

In [28]:
# load data
X_train,X_test,Y_train,Y_test,mods,lbl,snrs,train_idx,test_idx = load_data()

X_train_modified, Y_train_modified = set_trigger_config(X_train.copy(), Y_train.copy(), pos_rate=0.1,
                                                        trigger_type="spectrum_shift", data_type='train')

x_train, x_val, y_train, y_val = train_test_split(X_train_modified, Y_train_modified, test_size=0.111,
                                                  random_state=42)

# load model
from tensorflow.keras.models import load_model
#poisoned_model = load_model('D:/zhaixu/Thesis_Code/dl_amc_backdoor/all_to_one/saved_model/posioned_'+ args.MODEL_NAME + '_Hanning_EPOCH_100_POS_RATE_0.1.h5')

root_path = 'D:/zhaixu/Thesis_Code/dl_amc_backdoor/all_to_one/saved_model/'
#pos_model_name = f"{args.MODEL_NAME}_{args.TRIGGER_TYPE}_{args.POS_RATE}_{args.EPOCH}"
#poisoned_model = load_model(root_path + pos_model_name + '.h5')
poisoned_model = load_model(root_path + 'CNN2_spectrum_shift_0.1_100.h5')

# reshape train input
#input_shape = poisoned_model.get_input_shape_at(0)
input_shape = (None, 2, 128, 1)
X_train = X_train.reshape((X_train.shape[0],) + tuple(input_shape[1:]))
X_train_modified = X_train_modified.reshape((X_train_modified.shape[0],) + tuple(input_shape[1:]))
x_train = x_train.reshape((x_train.shape[0],) + tuple(input_shape[1:]))
x_val = x_val.reshape((x_val.shape[0],) + tuple(input_shape[1:]))

# no defense
print('No defense eval\n')
X_test_benign = X_test.reshape((X_test.shape[0],) + tuple(input_shape[1:]))
X_test_modified, Y_test_modified = set_trigger_config(X_test.copy(), Y_test.copy(), pos_rate=0.1,
                                                        trigger_type="spectrum_shift", data_type='test')
X_test_modified = X_test_modified.reshape((X_test_modified.shape[0],) + tuple(input_shape[1:]))
print('CA')
acc_ca_no_defense = evaluation(poisoned_model,X_test_benign,Y_test,test_idx,mods,snrs,lbl)
print('ASR')
acc_asr_no_defense = evaluation(poisoned_model,X_test_modified,Y_test_modified,test_idx,mods,snrs,lbl)

110000
[0, 2, 4, 6, 8, 10, 12, 14, 16, 18]
['8PSK', 'AM-DSB', 'AM-SSB', 'BPSK', 'CPFSK', 'GFSK', 'PAM4', 'QAM16', 'QAM64', 'QPSK', 'WBFM']
Poisoned training data.
No defense eval

Evaluate ASR on poisoned test data.
CA
snr: 0 acc: 0.8207816968541468
snr: 2 acc: 0.8586142322097379
snr: 4 acc: 0.8493392070484581
snr: 6 acc: 0.8539944903581267
snr: 8 acc: 0.8640692640692641
snr: 10 acc: 0.8393829401088929
snr: 12 acc: 0.8611361587015329
snr: 14 acc: 0.8536139066788655
snr: 16 acc: 0.8522622345337026
snr: 18 acc: 0.8854073410922113
acc_mean:  0.8538601471654939
ASR
snr: 0 acc: 0.8045757864632984
snr: 2 acc: 0.8632958801498127
snr: 4 acc: 0.9013215859030838
snr: 6 acc: 0.9320477502295684
snr: 8 acc: 0.9428571428571428
snr: 10 acc: 0.9301270417422868
snr: 12 acc: 0.9386834986474302
snr: 14 acc: 0.939615736505032
snr: 16 acc: 0.9473684210526315
snr: 18 acc: 0.9391226499552372
acc_mean:  0.9139015493505523


In [32]:
# Incremental pruning
#干净数据集微调
x_train_ca, x_val_ca, y_train_ca, y_val_ca = train_test_split(X_train, Y_train, test_size=0.111,
                                                  random_state=42)
model = incremental_pruning(poisoned_model, x_train_ca, y_train_ca, x_val_ca, y_val_ca)

CA
acc_mean:  0.7970506331070418
ASR
acc_mean:  0.18053344063148402
Pruning Fraction: 0.1, CA: [0.763584366062917, 0.7780898876404494, 0.8070484581497798, 0.8117539026629935, 0.8043290043290043, 0.7767695099818511, 0.8016230838593328, 0.8069533394327539, 0.7922437673130194, 0.8281110116383169, 0.7970506331070418], ASR: [0.2449952335557674, 0.18820224719101122, 0.18061674008810572, 0.16804407713498623, 0.1774891774891775, 0.1569872958257713, 0.17853922452660054, 0.16010978956999086, 0.18651892890120036, 0.1638316920322292, 0.18053344063148402]
CA
acc_mean:  0.6885298084183418
ASR
acc_mean:  0.07060535473790021
Pruning Fraction: 0.30000000000000004, CA: [0.6377502383222117, 0.6722846441947565, 0.6951541850220264, 0.7043158861340679, 0.6874458874458874, 0.6814882032667876, 0.690712353471596, 0.7044830741079597, 0.7008310249307479, 0.7108325872873769, 0.6885298084183418], ASR: [0.10295519542421354, 0.09176029962546817, 0.08193832599118943, 0.07162534435261708, 0.05887445887445888, 0.057168

KeyboardInterrupt: 