# DECOMON tutorial #3 
## Local Robustness to Adversarial Attacks for classification tasks

## Introduction

After training a model, we want to make sure that the model will give the same output for any images "close" to the initial one, showing some robustness to perturbation. 

In this notebook, we start from a classifier built on MNIST dataset that given a hand-written digit as input will predict the digit. This will be the first part of the notebook.

<img src="./data/Plot-of-a-Subset-of-Images-from-the-MNIST-Dataset.png" alt="examples of hand-written digit" width="600"/>

In the second part of the notebook, we will investigate the robustness of this model to unstructured modification of the input space: adversarial attacks. For this kind of attacks, **we vary the magnitude of the perturbation of the initial image** and want to assess that despite this noise, the classifier's prediction remain unchanged.

<img src="./data/illustration_adv_attacks.jpeg" alt="examples of hand-written digit" width="600"/>

What we will show is the use of decomon module to assess the robustness of the prediction towards noise.

## The notebook

### imports

In [1]:
import os
import tensorflow.keras as keras
import matplotlib.pyplot as plt
import matplotlib.patches as patches
%matplotlib inline
import numpy as np
import tensorflow.keras.backend as K
from tensorflow.keras.models import Sequential, Model, load_model
from tensorflow.keras.layers import Dense, Activation, Conv2D, Reshape, Flatten
from tensorflow.keras.datasets import mnist
from ipywidgets import interact, interactive, fixed, interact_manual
from ipykernel.pylab.backend_inline import flush_figures
import ipywidgets as widgets
import time
import sys
sys.path.append('..')
import os.path
import os
import pickle as pkl
from contextlib import closing
import time

### load images

We load MNIST data from keras datasets. 


In [2]:
img_rows, img_cols = 28, 28
(x_train, y_train_), (x_test, y_test_) = mnist.load_data()
x_train = x_train.reshape((-1, 784))
x_test = x_test.reshape((-1, 784))
x_train = x_train.astype('float32')
x_test = x_test.astype('float32')
x_train /= 255.
x_test /= 255.
y_train = keras.utils.to_categorical(y_train_)
y_test = keras.utils.to_categorical(y_test_)

### learn the model (classifier for MNIST images)

For the model, we use a small fully connected network. It is made of 6 layers with 100 units each and ReLU activation functions. **Decomon** is compatible with a large set of Keras layers, so do not hesitate to modify the architecture.


In [3]:
model = Sequential()
model.add(Reshape((28, 28, 1), input_dim=784))
model.add(Conv2D(32, (6, 6), activation='linear', bias_initializer='zeros'))
model.add(Activation('relu'))
model.add(Conv2D(32, (6, 6), activation='linear', bias_initializer='zeros'))
model.add(Flatten())
model.add(Dense(130, activation='linear'))
model.add(Activation('relu'))
model.add(Dense(1, activation='linear'))

2022-02-25 15:49:46.792308: I tensorflow/core/platform/cpu_feature_guard.cc:151] This TensorFlow binary is optimized with oneAPI Deep Neural Network Library (oneDNN) to use the following CPU instructions in performance-critical operations:  AVX2 FMA
To enable them in other operations, rebuild TensorFlow with the appropriate compiler flags.


In [4]:
import decomon
from decomon.models import convert, clone
from decomon import get_adv_box, get_upper_box, get_lower_box, check_adv_box, get_upper_box


In [5]:
decomon_model = clone(model, method='hybrid', finetune=True)

> [0;32m/var/folders/mv/rks11p6n68n4p1fqvdm9z5_w0000gn/T/__autograph_generated_filerh4dk003.py[0m(450)[0;36mif_body_16[0;34m()[0m
[0;32m    448 [0;31m                        [0;32mimport[0m [0mpdb[0m[0;34m[0m[0;34m[0m[0m
[0m[0;32m    449 [0;31m                        [0mag__[0m[0;34m.[0m[0mld[0m[0;34m([0m[0mpdb[0m[0;34m)[0m[0;34m.[0m[0mset_trace[0m[0;34m([0m[0;34m)[0m[0;34m[0m[0;34m[0m[0m
[0m[0;32m--> 450 [0;31m                        [0mb_u_[0m [0;34m=[0m [0mag__[0m[0;34m.[0m[0mconverted_call[0m[0;34m([0m[0mag__[0m[0;34m.[0m[0mld[0m[0;34m([0m[0mK[0m[0;34m)[0m[0;34m.[0m[0msum[0m[0;34m,[0m [0;34m([0m[0;34m([0m[0mag__[0m[0;34m.[0m[0mld[0m[0;34m([0m[0mself[0m[0;34m)[0m[0;34m.[0m[0malpha_out[0m[0;34m[[0m[0;32mNone[0m[0;34m][0m [0;34m*[0m [0mag__[0m[0;34m.[0m[0mld[0m[0;34m([0m[0mb_u_[0m[0;34m)[0m[0;34m)[0m[0;34m,[0m [0;36m1[0m[0;34m)[0m[0;34m,[0m [0;32mNone[0m[0;

BdbQuit: Exception encountered when calling layer "conv2d_monotonic" (type DecomonConv2D).

in user code:

    File "../decomon/layers/decomon_layers.py", line 543, in call  *
        output = self.call_linear(inputs, **kwargs)
    File "../decomon/layers/decomon_layers.py", line 485, in call_linear  *
        b_u_ = K.sum(self.alpha_out[None]*b_u_, 1)
    File "/Users/ducoffe/miniconda3/envs/formal/lib/python3.7/bdb.py", line 88, in trace_dispatch
        return self.dispatch_line(frame)
    File "/Users/ducoffe/miniconda3/envs/formal/lib/python3.7/bdb.py", line 113, in dispatch_line
        if self.quitting: raise BdbQuit

    BdbQuit: 


Call arguments received:
  • inputs=['tf.Tensor(shape=(None, 2, 784), dtype=float32)', 'tf.Tensor(shape=(None, 28, 28, 1), dtype=float32)', 'tf.Tensor(shape=(None, 784, 28, 28, 1), dtype=float32)', 'tf.Tensor(shape=(None, 28, 28, 1), dtype=float32)', 'tf.Tensor(shape=(None, 28, 28, 1), dtype=float32)', 'tf.Tensor(shape=(None, 784, 28, 28, 1), dtype=float32)', 'tf.Tensor(shape=(None, 28, 28, 1), dtype=float32)']
  • kwargs={'training': 'None'}

In [3]:
model = Sequential()
model.add(Dense(100, input_dim=784))
model.add(Activation('relu')) # Decomon deduces tighter bound when splitting Dense and activation
model.add(Dense(100))
model.add(Activation('relu'))
model.add(Dense(10, activation='softmax'))

In [4]:
model.compile('adam', 'categorical_crossentropy', metrics='acc')

model.fit(x_train, y_train, batch_size=32, shuffle=True, validation_split=0.2, epochs=5)

Epoch 1/5
Epoch 2/5
Epoch 3/5
Epoch 4/5
Epoch 5/5


<tensorflow.python.keras.callbacks.History at 0x16f3ade50>

In [5]:
model.evaluate(x_test, y_test, batch_size=32)



[0.09925442188978195, 0.9684000015258789]

After training, we see that the assessment of performance of the model on data that was not seen during training shows pretty good results: around 0.97 (maximum value is 1). It means that out of 100 images, the model was able to guess the correct digit for 97 images. But how can we guarantee that we will get this performance for images different from the ones in the test dataset? 

- If we perturbate a "little" an image that was well predicted, will the model stay correct? 
- Up to which perturbation?  
- Can we guarantee that the model will output the same digit for a given perturbation? 

This is where decomon comes in. 

<img src="./data/decomon.jpg" alt="Decomon!" width="400"/>



### Applying Decomon for Local Robustness to misclassification

In this section, we detail how to prove local robustness to misclassification. Misclassification can be studied with the global optimisation of a function f:

$$ f(x; \Omega) = \max_{z\in \Omega} \text{NN}_{j\not= i}(z) - \text{NN}_i(z)\;\; \text{s.t}\;\; i = argmax\;\text{NN}(x)$$

If the maximum of f is **negative**, this means that whathever the input sample from the domain, the value outputs by the neural network NN for class i will always be greater than the value output for another class. Hence, there will be no misclassification possible. This is **adversarial robustness**.

<img src="./data/tuto_3_formal_robustness.png" alt="Decomon!" width="400"/>

In that order, we will use the [decomon](https://gheprivate.intra.corp/CRT-DataScience/decomon/tree/master/decomon) library. Decomon combines several optimization trick, including linear relaxation
to get state-of-the-art outer approximation.

To use **decomon** for **adversarial robustness** we first need the following imports:
+ *from decomon.models import convert*: to convert our current Keras model into another neural network nn_model. nn_model will output the same prediction that our model and adds extra information that will be used to derive our formal bounds. For a sake of clarity, how to get such bounds is hidden to the user

+ *from decomon import get_adv_box*: a genereric method to get an upper bound of the funtion f described previously. If the returned value is negative, then we formally assess the robustness to misclassification.

+ *from decomon import check_adv_box*: a generic method that computes the maximum of a lower bound of f. Eventually if this value is positive, it demonstrates that the function f takes positive value. It results that a positive value formally proves the existence of misclassification.


In [11]:
import decomon
from decomon.models import convert, clone
from decomon import get_adv_box, get_upper_box, get_lower_box, check_adv_box, get_upper_box

For computational efficiency, we convert the model into its decomon version once and for all.
Note that the decomon method will work on the non-converted model. To obtain more refined guarantees, we activate an option denoted **forward**. You can speed up the method by removing this option in the convert method.

In [13]:
decomon_model = clone(model, method='hybrid', finetune=True)

TypeError: Dimension value must be integer or None or have an __index__ method, got value '1152.0' with type '<class 'numpy.float64'>'

We offer an interactive visualisation of the basic adversarial robustness method from decomon **get_adv_upper**. We randomly choose 10 test images use **get_adv_upper** to assess their robustness to misclassification pixel perturbations. The magnitude of the noise on each pixel is independent and bounded by the value of the variable epsilon. The user can reset the examples and vary the noise amplitude.

Note one of the main advantage of decomon: **we can assess robustness on batches of data!**

Circled in <span style="color:green">green</span> are examples that are formally assessed to be robust, <span style="color:orange">orange</span> examples that could be robust and  <span style="color:red">red</span> examples that are formally non robust

In [8]:
def frame(epsilon, reset=0, filename='./data/.hidden_index.pkl'):
    n_cols = 5
    n_rows = 2
    n_samples = n_cols*n_rows
    if reset:
        index = np.random.permutation(len(x_test))[:n_samples]
        
        with closing(open(filename, 'wb')) as f:
            pkl.dump(index, f)
        # save data
    else:
        # check that file exists
        
        if os.path.isfile(filename):
            with closing(open(filename, 'rb')) as f:
                index = pkl.load(f)
        else:  
            index = np.arange(n_samples)
            with closing(open(filename, 'wb')) as f:
                pkl.dump(index, f)
    #x = np.concatenate([x_test[0:1]]*10, 0)
    x = x_test[index]

    x_min = np.maximum(x - epsilon, 0)
    x_max = np.minimum(x + epsilon, 1)

    n_cols = 5
    n_rows = 2
    fig, axs = plt.subplots(n_rows, n_cols)
    
    fig.set_figheight(n_rows*fig.get_figheight())
    fig.set_figwidth(n_cols*fig.get_figwidth())
    plt.subplots_adjust(hspace=0.2)  # increase vertical separation
    axs_seq = axs.ravel()

    source_label = y_test[index]
    
    start_time = time.process_time()
    upper = get_adv_box(decomon_model, x_min, x_max, source_labels=source_label, n_sub_boxes=4)
    lower = check_adv_box(decomon_model, x_min, x_max, source_labels=source_label)
    
    end_time = time.process_time()
    
    
    count = 0
    time.sleep(1)
    r_time = "{:.2f}".format(end_time - start_time)
    fig.suptitle('Formal Robustness to Adversarial Examples with eps={} running in {} seconds'.format(epsilon, r_time), fontsize=16)
    for i in range(n_cols):
        for j in range(n_rows):

            ax= axs[j, i]
            ax.imshow(x[count].reshape((28,28)), cmap='Greys')
            robust='ROBUST'
            if lower[count]>=0:
                if upper[count]<=0:
                    import pdb; pdb.set_trace()
                color='red'
                robust='NON ROBUST'
            elif upper[count]<0:
                color='green'
            else:
                color='orange'
                robust='MAYBE ROBUST'
        
            ax.get_xaxis().set_visible(False)
            ax.get_yaxis().set_visible(False)
            # Create a Rectangle patch
            rect = patches.Rectangle((0,0),27,27,linewidth=3,edgecolor=color,facecolor='none')
            ax.add_patch(rect)
            ax.set_title(robust)
            count+=1
    
            
interact(frame, epsilon = widgets.FloatSlider(value=0.,
                                               min=0.,
                                               max=25./255.,
                                               step=0.0001, continuous_update=False, readout_format='.4f',),
         reset = widgets.IntSlider(value=0.,
                                               min=0,
                                               max=1,
                                               step=1, continuous_update=False),
         fast = widgets.IntSlider(value=1.,
                                               min=0,
                                               max=1,
                                               step=1, continuous_update=False)
        )

interactive(children=(FloatSlider(value=0.0, continuous_update=False, description='epsilon', max=0.09803921568…

<function __main__.frame(epsilon, reset=0, filename='./data/.hidden_index.pkl')>

As explained previously, the method **get_adv_upper** output a constant upper bound that is valid on the whole domain.
Sometimes, this bound can be too lose and needs to be refined by splitting the input domain into sub domains.
Several heuristics are possible and you are free to develop your own or take an existing one of the shelf.