In [1]:
using TimerOutputs

include("CayleyVerify.jl")
include("DeepPoly.jl")

function dorefa_to_staircase(k::Int)
    n = 2^k - 1
    slopes = zeros(n+1)
    breakpoints = [-Inf]
    for i in 1:n
        push!(breakpoints, (2*i-1)/n - 1)
    end
    push!(breakpoints, Inf)
    
    constant_terms = [-1.0]
    for i in 1:n
        push!(constant_terms, -1.0 + 2*i/n)
    end
    return StaircaseFunction(breakpoints, slopes, constant_terms)
end

function predict(neural_net, img)
    num_layers = length(neural_net.weights)
    a = img'
    for i in 1:num_layers
        a = a * neural_net.weights[i] + neural_net.biases[i]'
        if i <= num_layers -1
            a = [eval(neural_net.activation[i], a[j]) for j in 1:length(a)]'
        end
    end
    output = a'
    return findmax(output)[2]
end

predict (generic function with 1 method)

In [2]:
using Pickle
using Suppressor
using Printf

net_from_pickle = Pickle.load(open("./models/MNIST-DoReFa3:Dense256-Dense256.pkl"))
f = dorefa_to_staircase(3)
activation = [f, f]
neural_net = NeuralNetwork(net_from_pickle, activation)
print("net loaded")

net loaded

In [3]:
raw_imgs = Pickle.load(open("./imgs/MNIST:images-for-verification"))
imgs = []
for img in raw_imgs
    img = vcat([w' for w in img] ...)
    img = vcat(img'...)
    push!(imgs, img)
end
labels = Pickle.load(open("./imgs/MNIST:labels-for-verification", "r+"))
labels = Array{Int64}(labels.args[2][5])
labels = [l+1 for l in labels]
print("images loaded")

images loaded

In [21]:
upper_bound = 150
lower_bound = 0
count = 1
for (img, label) in zip(imgs, labels)
    @printf("Verify %d-th image \n", count)
    vulnerable = false
    for target_label in 1:10
        if target_label != label
            @suppress begin
                opt_val, opt_sol_x, opt_sol_z = target_attack(neural_net, img, label, target_label, 0.024)
                if opt_val > 0
                    vulnerable = true
                    adv_img = [opt_sol_x[1, j] for j in 1:784]
                    pred = predict(neural_net, adv_img)
                    if pred != label
                        upper_bound -= 1
                        break
                    end
                end
            end
        end
    end
    if vulnerable == false
        lower_bound += 1
    end
    count += 1
end

Verify 1-th image 
Verify 2-th image 
Verify 3-th image 
Verify 4-th image 
Verify 5-th image 
Verify 6-th image 
Verify 7-th image 
Verify 8-th image 
Verify 9-th image 
Verify 10-th image 
Verify 11-th image 
Verify 12-th image 
Verify 13-th image 
Verify 14-th image 
Verify 15-th image 
Verify 16-th image 
Verify 17-th image 
Verify 18-th image 
Verify 19-th image 
Verify 20-th image 
Verify 21-th image 
Verify 22-th image 
Verify 23-th image 
Verify 24-th image 
Verify 25-th image 
Verify 26-th image 
Verify 27-th image 
Verify 28-th image 
Verify 29-th image 
Verify 30-th image 
Verify 31-th image 
Verify 32-th image 
Verify 33-th image 
Verify 34-th image 
Verify 35-th image 
Verify 36-th image 
Verify 37-th image 
Verify 38-th image 
Verify 39-th image 
Verify 40-th image 
Verify 41-th image 
Verify 42-th image 
Verify 43-th image 
Verify 44-th image 
Verify 45-th image 
Verify 46-th image 
Verify 47-th image 
Verify 48-th image 
Verify 49-th image 
Verify 50-th image 
Verify 51

In [5]:
lower_bound

138

In [6]:
upper_bound

148

In [8]:
lower_bound

111

In [9]:
upper_bound

147

In [11]:
lower_bound

63

In [12]:
upper_bound

147

In [16]:
lower_bound

141

In [17]:
upper_bound

148

In [19]:
lower_bound

123

In [20]:
upper_bound

146

In [22]:
lower_bound

86

In [23]:
upper_bound

145

In [12]:
net_from_pickle = Pickle.load(open("./models/MNIST-DoReFa2:Dense256-Dense256.pkl"))
f = dorefa_to_staircase(2)
activation = [f, f]
neural_net = NeuralNetwork(net_from_pickle, activation)
print("net loaded")

net loaded

In [17]:
upper_bound = 150
lower_bound = 0
count = 1
for (img, label) in zip(imgs, labels)
    @printf("Verify %d-th image \n", count)
    vulnerable = false
    for target_label in 1:10
        if target_label != label
            @suppress begin
                mip, _, _ = init_mip_deeppoly(neural_net, img, 0.024)
                last_layer = last(neural_net.weights)
                objective = zeros(10) # always 10 classes
                objective[target_label] = 1.0
                objective[label] = -1.0
                c = last_layer * objective

                num_layers = length(neural_net.weights)
                final_dim, output_dim = size(last_layer)
                @objective(mip, Max, sum(c[i]*mip[:x][num_layers, i] for i in 1:final_dim))
                optimize!(mip)
                opt_val = getobjectivevalue(mip)
                if opt_val > 0
                    vulnerable = true
                    break
                end
            end
        end
    end
    if vulnerable == false
        lower_bound += 1
    end
    count += 1
end

Verify 1-th image 
Verify 2-th image 
Verify 3-th image 
Verify 4-th image 
Verify 5-th image 
Verify 6-th image 
Verify 7-th image 
Verify 8-th image 
Verify 9-th image 
Verify 10-th image 
Verify 11-th image 
Verify 12-th image 
Verify 13-th image 
Verify 14-th image 
Verify 15-th image 
Verify 16-th image 
Verify 17-th image 
Verify 18-th image 
Verify 19-th image 
Verify 20-th image 
Verify 21-th image 
Verify 22-th image 
Verify 23-th image 
Verify 24-th image 
Verify 25-th image 
Verify 26-th image 
Verify 27-th image 
Verify 28-th image 
Verify 29-th image 
Verify 30-th image 
Verify 31-th image 
Verify 32-th image 
Verify 33-th image 
Verify 34-th image 
Verify 35-th image 
Verify 36-th image 
Verify 37-th image 
Verify 38-th image 
Verify 39-th image 
Verify 40-th image 
Verify 41-th image 
Verify 42-th image 
Verify 43-th image 
Verify 44-th image 
Verify 45-th image 
Verify 46-th image 
Verify 47-th image 
Verify 48-th image 
Verify 49-th image 
Verify 50-th image 
Verify 51

In [6]:
lower_bound

128

In [8]:
lower_bound

88

In [11]:
lower_bound

19

In [14]:
lower_bound

125

In [16]:
lower_bound

65

In [18]:
lower_bound

27