<a href="https://colab.research.google.com/github/bhagirathtallapragada/Secure-AI-project-phase2/blob/main/Differential_Privacy_main.ipynb" target="_parent"><img src="https://colab.research.google.com/assets/colab-badge.svg" alt="Open In Colab"/></a>

In this notebook, I train differentially private models on the CIFAR-100 dataset. 
1. Use TensorFlow Privacy which provide DP implementations of standard optimizers, but you only need to pick one. 
2. The goal is to train a well performing model while keeping a small value for epsilon during training. 
3. Use a fixed delta of 4 × 10−5. 

In [None]:
# mounting the drive to store the results

from google.colab import drive
drive.mount('/content/drive') #, force_remount = True)

import warnings
warnings.filterwarnings("ignore")

Mounted at /content/drive


In [None]:
!pip install keras==2.2.3 tensorflow_privacy==0.2.2 --quiet # use these versions

[?25l[K     |█                               | 10 kB 21.7 MB/s eta 0:00:01[K     |██                              | 20 kB 28.6 MB/s eta 0:00:01[K     |███▏                            | 30 kB 13.0 MB/s eta 0:00:01[K     |████▏                           | 40 kB 9.8 MB/s eta 0:00:01[K     |█████▎                          | 51 kB 5.3 MB/s eta 0:00:01[K     |██████▎                         | 61 kB 5.8 MB/s eta 0:00:01[K     |███████▍                        | 71 kB 5.6 MB/s eta 0:00:01[K     |████████▍                       | 81 kB 6.3 MB/s eta 0:00:01[K     |█████████▍                      | 92 kB 4.8 MB/s eta 0:00:01[K     |██████████▌                     | 102 kB 5.1 MB/s eta 0:00:01[K     |███████████▌                    | 112 kB 5.1 MB/s eta 0:00:01[K     |████████████▋                   | 122 kB 5.1 MB/s eta 0:00:01[K     |█████████████▋                  | 133 kB 5.1 MB/s eta 0:00:01[K     |██████████████▊                 | 143 kB 5.1 MB/s eta 0:00:01[K  

In [None]:
# !pip install tensorflow-privacy --quiet # skip this

[K     |████████████████████████████████| 251 kB 5.1 MB/s 
[K     |████████████████████████████████| 4.0 MB 46.5 MB/s 
[?25h

In [None]:
import tensorflow as tf
import tensorflow_datasets as tfds
import numpy as np
import matplotlib.pyplot as plt
import math
import logging
import time
import os
import sys

from tensorflow_privacy.privacy.analysis import compute_dp_sgd_privacy
from tensorflow_privacy.privacy.optimizers.dp_optimizer import DPGradientDescentGaussianOptimizer

from tensorflow.keras.layers import Conv2D, MaxPooling2D, Dropout, Flatten, Dense

from tensorflow.keras.models import Sequential

from tensorflow.keras.datasets import cifar100

from tensorflow.keras.preprocessing.image import ImageDataGenerator

In [None]:
# To solve the compatibility issues between tensorflow privacy and keras in invoking differentially private optimizers

from absl import logging
import collections

from tensorflow_privacy.privacy.analysis import privacy_ledger
from tensorflow_privacy.privacy.dp_query import gaussian_query

def make_optimizer_class(cls):
  """Constructs a DP optimizer class from an existing one."""
  parent_code = tf.compat.v1.train.Optimizer.compute_gradients.__code__
  child_code = cls.compute_gradients.__code__
  GATE_OP = tf.compat.v1.train.Optimizer.GATE_OP  # pylint: disable=invalid-name
  if child_code is not parent_code:
    logging.warning(
        'WARNING: Calling make_optimizer_class() on class %s that overrides '
        'method compute_gradients(). Check to ensure that '
        'make_optimizer_class() does not interfere with overridden version.',
        cls.__name__)

  class DPOptimizerClass(cls):
    """Differentially private subclass of given class cls."""

    _GlobalState = collections.namedtuple(
      '_GlobalState', ['l2_norm_clip', 'stddev'])
    
    def __init__(
        self,
        dp_sum_query,
        num_microbatches=None,
        unroll_microbatches=False,
        *args,  # pylint: disable=keyword-arg-before-vararg, g-doc-args
        **kwargs):
      """Initialize the DPOptimizerClass.

      Args:
        dp_sum_query: DPQuery object, specifying differential privacy
          mechanism to use.
        num_microbatches: How many microbatches into which the minibatch is
          split. If None, will default to the size of the minibatch, and
          per-example gradients will be computed.
        unroll_microbatches: If true, processes microbatches within a Python
          loop instead of a tf.while_loop. Can be used if using a tf.while_loop
          raises an exception.
      """
      super(DPOptimizerClass, self).__init__(*args, **kwargs)
      self._dp_sum_query = dp_sum_query
      self._num_microbatches = num_microbatches
      self._global_state = self._dp_sum_query.initial_global_state()
      # TODO(b/122613513): Set unroll_microbatches=True to avoid this bug.
      # Beware: When num_microbatches is large (>100), enabling this parameter
      # may cause an OOM error.
      self._unroll_microbatches = unroll_microbatches

    def compute_gradients(self,
                          loss,
                          var_list,
                          gate_gradients=GATE_OP,
                          aggregation_method=None,
                          colocate_gradients_with_ops=False,
                          grad_loss=None,
                          gradient_tape=None,
                          curr_noise_mult=0,
                          curr_norm_clip=1):

      self._dp_sum_query = gaussian_query.GaussianSumQuery(curr_norm_clip, 
                                                           curr_norm_clip*curr_noise_mult)
      self._global_state = self._dp_sum_query.make_global_state(curr_norm_clip, 
                                                                curr_norm_clip*curr_noise_mult)
      

      # TF is running in Eager mode, check we received a vanilla tape.
      if not gradient_tape:
        raise ValueError('When in Eager mode, a tape needs to be passed.')

      vector_loss = loss()
      if self._num_microbatches is None:
        self._num_microbatches = tf.shape(input=vector_loss)[0]
      sample_state = self._dp_sum_query.initial_sample_state(var_list)
      microbatches_losses = tf.reshape(vector_loss, [self._num_microbatches, -1])
      sample_params = (self._dp_sum_query.derive_sample_params(self._global_state))

      def process_microbatch(i, sample_state):
        """Process one microbatch (record) with privacy helper."""
        microbatch_loss = tf.reduce_mean(input_tensor=tf.gather(microbatches_losses, [i]))
        grads = gradient_tape.gradient(microbatch_loss, var_list)
        sample_state = self._dp_sum_query.accumulate_record(sample_params, sample_state, grads)
        return sample_state
    
      for idx in range(self._num_microbatches):
        sample_state = process_microbatch(idx, sample_state)

      if curr_noise_mult > 0:
        grad_sums, self._global_state = (self._dp_sum_query.get_noised_result(sample_state, self._global_state))
      else:
        grad_sums = sample_state

      def normalize(v):
        return v / tf.cast(self._num_microbatches, tf.float32)

      final_grads = tf.nest.map_structure(normalize, grad_sums)
      grads_and_vars = final_grads#list(zip(final_grads, var_list))
    
      return grads_and_vars

  return DPOptimizerClass


def make_gaussian_optimizer_class(cls):
  """Constructs a DP optimizer with Gaussian averaging of updates."""

  class DPGaussianOptimizerClass(make_optimizer_class(cls)):
    """DP subclass of given class cls using Gaussian averaging."""

    def __init__(
        self,
        l2_norm_clip,
        noise_multiplier,
        num_microbatches=None,
        ledger=None,
        unroll_microbatches=False,
        *args,  # pylint: disable=keyword-arg-before-vararg
        **kwargs):
      dp_sum_query = gaussian_query.GaussianSumQuery(
          l2_norm_clip, l2_norm_clip * noise_multiplier)

      if ledger:
        dp_sum_query = privacy_ledger.QueryWithLedger(dp_sum_query,
                                                      ledger=ledger)

      super(DPGaussianOptimizerClass, self).__init__(
          dp_sum_query,
          num_microbatches,
          unroll_microbatches,
          *args,
          **kwargs)

    @property
    def ledger(self):
      return self._dp_sum_query.ledger

  return DPGaussianOptimizerClass

In [None]:
GradientDescentOptimizer = tf.compat.v1.train.GradientDescentOptimizer
DPGradientDescentGaussianOptimizer_NEW = make_gaussian_optimizer_class(GradientDescentOptimizer)

In [None]:
# load data
(train_images, train_labels), (test_images, test_labels) = cifar100.load_data()

# normalize data
train_images = train_images / 255.0
test_images = test_images / 255.0

# split data into validation and training set
validation_images = train_images[:5000]
validation_labels = train_labels[:5000]
train_images = train_images[5000:]
train_labels = train_labels[5000:]

# create model
model = Sequential()
model.add(Conv2D(32, (3, 3), activation='relu', input_shape=(32, 32, 3)))
model.add(MaxPooling2D((2, 2)))
model.add(Conv2D(64, (3, 3), activation='relu'))
model.add(Flatten())
model.add(Dense(64, activation='relu'))
model.add(Dense(100, activation='softmax'))

optimizer = DPGradientDescentGaussianOptimizer_NEW(
    l2_norm_clip=1.0,
    noise_multiplier=1.1,
    num_microbatches=250,
    learning_rate=0.15)

# compile model
model.compile(optimizer=optimizer,
              loss='sparse_categorical_crossentropy',
              metrics=['accuracy'])

# create data generator
data_generator = ImageDataGenerator(width_shift_range=0.1,
                                    height_shift_range=0.1,
                                    horizontal_flip=True)

# prepare iterator
train_iterator = data_generator.flow(train_images, train_labels, batch_size=64)

# prepare validation iterator
test_iterator = data_generator.flow(test_images, test_labels, batch_size=64)

# prepare validation iterator
validation_iterator = data_generator.flow(validation_images, validation_labels, batch_size=64)


In [None]:
#compute epsilon
epsilon, delta = compute_dp_sgd_privacy.compute_dp_sgd_privacy(n=60000, batch_size=120, noise_multiplier=0.9, epochs=5, delta=1e-5)

# train model
print("Epsilon: ", epsilon)

# train model
model.fit(train_iterator,
          epochs=5,
          validation_data=validation_iterator,
          callbacks=[tf.keras.callbacks.EarlyStopping(patience=3, restore_best_weights=True)])

# evaluate model
test_loss, test_acc = model.evaluate(test_iterator, verbose=2)

#train evaluator
train_loss, train_acc = model.evaluate(train_iterator, verbose=2)


# print results
print('\nTest accuracy:', test_acc)

# save model
model.save('/content/drive/MyDrive/SPAI_projectphase2/cifar100_model.h5')

DP-SGD with sampling rate = 0.2% and noise_multiplier = 0.9 iterated over 2500 steps satisfies differential privacy with eps = 1.17 and delta = 1e-05.
The optimal RDP order is 9.0.
Epsilon:  1.168712467806508
Epoch 1/5
Please report this to the TensorFlow team. When filing the bug, set the verbosity to 10 (on Linux, `export AUTOGRAPH_VERBOSITY=10`) and attach the full output.
Cause: closure mismatch, requested ('self', 'step_function'), but source function had ()
Please report this to the TensorFlow team. When filing the bug, set the verbosity to 10 (on Linux, `export AUTOGRAPH_VERBOSITY=10`) and attach the full output.
Cause: closure mismatch, requested ('self', 'step_function'), but source function had ()
Epoch 2/5
Epoch 3/5
Epoch 4/5
Epoch 5/5
157/157 - 5s - loss: 5.3845 - accuracy: 0.0324 - 5s/epoch - 35ms/step
704/704 - 24s - loss: 5.3530 - accuracy: 0.0312 - 24s/epoch - 35ms/step

Test accuracy: 0.03240000084042549
