# Simple CNN on MNIST - Generalization

In [1]:
import numpy as np

import os

import keras
from keras import backend
from keras.models import Sequential
from keras.layers import Dense, Dropout, Flatten
from keras.layers import Conv2D, MaxPooling2D
from keras.models import load_model

import tensorflow as tf

from keras.callbacks import TensorBoard, EarlyStopping

from cleverhans.utils_mnist import data_mnist
from cleverhans.attacks import (BasicIterativeMethod, CarliniWagnerL2, DeepFool, ElasticNetMethod, 
                                FastFeatureAdversaries, FastGradientMethod, LBFGS, MadryEtAl, 
                                MomentumIterativeMethod, SPSA, SaliencyMapMethod, VirtualAdversarialMethod)
from cleverhans.utils_keras import KerasModelWrapper

from ipywidgets import interact
import ipywidgets as widgets

  from ._conv import register_converters as _register_converters
Using TensorFlow backend.


In [2]:
%matplotlib inline

import matplotlib
import matplotlib.pyplot as plt

In [3]:
# Notebook-level switches read by the generation loop below:
#  - from_saved_model: load each generation's model from
#    'model_r<run_ident>/model_g<gen>.h5' instead of training it.
#  - run_attack: run the GenAdv adversarial evaluation after each generation
#    (also gates saving the result arrays and the interactive plot).
from_saved_model = False
run_attack = False

## Configurable Parameters

In [4]:
# Used in Getting the Data
# Used in Getting the Data
# Slice bounds handed to cleverhans data_mnist (full MNIST: 60k train / 10k test).
train_start=0
train_end=60000
test_start=0
test_end=10000

# Slice of the test set that GenAdv attacks each generation (100 images).
attack_start=0
attack_end=100

batch_size = 128
num_classes = 10
# Upper bound only: model.fit stops earlier through the EarlyStopping callback on loss.
epochs = 500
input_shape = (28, 28, 1)

# Number of label-randomisation generations; generation g permutes a fraction
# g / (gen_steps - 1) of the training labels.
gen_steps = 11

# Each attack is run at np.linspace(0, 0.5, num_points) strengths.
num_points = 10
# Must be names handled by GenAdv.run_attack.
attack_names = ['basic_iterative', 'fast_gradient', 'madry', 'momentum_iterative']

# Suffix for the model directory, the TensorBoard log dirs and the saved .npy results.
run_ident = '18'

## Setup Tensorflow Session

In [5]:
# Put Keras into inference mode (learning phase 0) before any graph is built,
# presumably so the attack graph sees deterministic predictions.
# NOTE(review): this is also in effect during model.fit below, so the Dropout
# layers in the CNN cell look like they are inactive while training — confirm
# this is intended for the generalization experiment.
keras.layers.core.K.set_learning_phase(0)

# Set TF random seed to improve reproducibility
# (numpy's RNG, used for the label shuffling below, is not seeded here).
tf.set_random_seed(1234)

# Create TF session and set as Keras backend session
sess = tf.Session()
keras.backend.set_session(sess)

## Get the MNIST Data

In [6]:
# Fetch the MNIST split used for training, validation and attack sampling;
# the bounds come from the configurable-parameters cell.
mnist_slices = {'train_start': train_start,
                'train_end': train_end,
                'test_start': test_start,
                'test_end': test_end}
X_train, Y_train, X_test, Y_test = data_mnist(**mnist_slices)

Extracting /tmp/train-images-idx3-ubyte.gz
Extracting /tmp/train-labels-idx1-ubyte.gz
Extracting /tmp/t10k-images-idx3-ubyte.gz
Extracting /tmp/t10k-labels-idx1-ubyte.gz
X_train shape: (60000, 28, 28, 1)
X_test shape: (10000, 28, 28, 1)


## Create the CNN Architecture

In [7]:
# Symbolic inputs; `x` is also the tensor the attack graph in GenAdv feeds.
x = tf.placeholder(tf.float32, shape=(None, 28, 28, 1))
y = tf.placeholder(tf.float32, shape=(None, 10))

# Two conv layers, one pooling stage, then a dense classifier head.
cnn_layers = [
    Conv2D(32, kernel_size=(3, 3), activation='relu', input_shape=input_shape),
    Conv2D(64, (3, 3), activation='relu'),
    MaxPooling2D(pool_size=(2, 2)),
    Dropout(0.25),
    Flatten(),
    Dense(128, activation='relu'),
    Dropout(0.5),
    Dense(num_classes, activation='softmax'),
]
model = Sequential(cnn_layers)

# Class-probability tensor for the placeholder input.
preds = model(x)

model.compile(loss=keras.losses.categorical_crossentropy,
              optimizer=keras.optimizers.Adadelta(),
              metrics=['accuracy'])

## Setup Adversarial Generation Class

In [8]:
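class GenAdv(object):
    """Measure a Keras classifier's loss and accuracy under cleverhans attacks
    of increasing strength.

    `run_attack` builds one attack on the notebook-level placeholder `x`,
    generates adversarial versions of `self.data` in `self.session` and
    evaluates the model on them; `evaluate_model` sweeps that over a list of
    attack names and a grid of strengths.
    """

    # Names accepted by run_attack; each maps to one cleverhans attack class.
    ATTACK_NAMES = ('basic_iterative', 'carlini_wagner', 'deep_fool', 'elastic_net',
                    'fast_feature', 'fast_gradient', 'lbfgs', 'madry',
                    'momentum_iterative', 'spsa', 'saliency_map', 'virtual_adversarial')

    def __init__(self, session):
        """Args:
            session: the tf.Session the attack graphs are evaluated in.
        """
        self.session = session
        self.model = None
        self.data = None
        self.labels = None

    def evaluate_model(self, model, data, labels, attack_names, num_points=10):
        """Evaluate `model` on `data`/`labels` under every attack in `attack_names`.

        Each attack is run at `num_points` strengths spread evenly over
        [0, 0.5]. The strength is mapped onto a different parameter per attack
        (eps, confidence, theta, ...), so the scale is not comparable across
        attacks.

        Returns:
            (losses, accuracies): float arrays of shape
            (len(attack_names), num_points), indexed [attack, strength].
        Raises:
            ValueError: from run_attack when a name is not in ATTACK_NAMES.
        """
        self.model = model
        self.data = data
        self.labels = labels

        attack_strengths = np.linspace(0, 0.5, num_points)

        losses = np.zeros((len(attack_names), num_points))
        accuracies = np.zeros((len(attack_names), num_points))

        for index_name, attack_name in enumerate(attack_names):
            print('Running attack: {}'.format(attack_name))
            for index_strength, attack_strength in enumerate(attack_strengths):
                print('Using attack strength: {}'.format(attack_strength))
                loss, accuracy = self.run_attack(attack_name, attack_strength)
                losses[index_name, index_strength] = loss
                accuracies[index_name, index_strength] = accuracy

        return losses, accuracies

    def run_attack(self, attack_name, attack_strength):
        """Generate adversarial examples for `self.data` and score `self.model` on them.

        Args:
            attack_name: one of ATTACK_NAMES.
            attack_strength: value for the attack's primary knob (see _attack_and_params).
        Returns:
            (loss, accuracy) as returned by Keras model.evaluate.
        Raises:
            ValueError: if `attack_name` is unknown (checked before any graph is built).
        """
        # Validate first so a typo fails before a wrapper and graph are built.
        # (The original compared names with `is`, which is identity, not equality.)
        if attack_name not in self.ATTACK_NAMES:
            raise ValueError('Invalid Attack Name!')

        wrap = KerasModelWrapper(self.model)
        attack, attack_params = self._attack_and_params(wrap, attack_name, attack_strength)

        # `x` is the notebook-level input placeholder the model was built on.
        adv_x = attack.generate(x, **attack_params)
        data_adv = adv_x.eval(feed_dict={x: self.data}, session=self.session)

        # Score the model that was handed to evaluate_model (the original read
        # the notebook global `model`, which diverges if another model is passed).
        score = self.model.evaluate(data_adv, self.labels, verbose=0)
        loss, accuracy = score[0], score[1]

        return loss, accuracy

    def _attack_and_params(self, wrap, attack_name, attack_strength):
        """Build the cleverhans attack object and the kwargs for its `generate`.

        `attack_strength` is mapped onto each attack's primary knob; the
        cleverhans default for that knob is noted beside it.
        NOTE(review): several attacks pass clip_min/clip_max None, so the
        perturbed pixels are not bounded to the [0, 1] data range and the
        measured accuracy may include out-of-domain inputs — confirm intended.
        """
        if attack_name == 'basic_iterative':
            attack = BasicIterativeMethod(wrap, sess=self.session)
            attack_params = {'eps': attack_strength,  # Default 0.3
                             'eps_iter': 0.05,
                             'nb_iter': 10,
                             'y': self.labels,
                             'ord': np.inf,
                             'clip_min': None,
                             'clip_max': None}
        elif attack_name == 'carlini_wagner':
            attack = CarliniWagnerL2(wrap, sess=self.session)
            attack_params = {'y': self.labels,
                             'nb_classes': None,
                             'batch_size': 1,
                             'confidence': attack_strength,  # Default 0
                             'learning_rate': 0.005,
                             'binary_search_steps': 5,
                             'max_iterations': 1000,
                             'abort_early': True,
                             'initial_const': 0.01,
                             'clip_min': 0,
                             'clip_max': 1}
        elif attack_name == 'deep_fool':
            attack = DeepFool(wrap, sess=self.session)
            # nb_candidate is documented as an int but receives a float from
            # np.linspace here — TODO confirm this is what is wanted.
            attack_params = {'nb_candidate': attack_strength,  # Default 10, INT
                             'overshoot': 0.02,
                             'max_iter': 50,
                             'nb_classes': None,
                             'clip_min': 0.0,
                             'clip_max': 1.0}
        elif attack_name == 'elastic_net':
            attack = ElasticNetMethod(wrap, sess=self.session)
            attack_params = {'y': self.labels,
                             'nb_classes': None,
                             'fista': True,
                             'beta': 0.001,
                             'decision_rule': 'EN',
                             'batch_size': 1,
                             'confidence': attack_strength,  # Default 0
                             'learning_rate': 0.01,
                             'binary_search_steps': 9,
                             'max_iterations': 1000,
                             'abort_early': False,
                             'initial_const': 0.001,
                             'clip_min': 0,
                             'clip_max': 1}
        elif attack_name == 'fast_feature':
            attack = FastFeatureAdversaries(wrap, sess=self.session)
            attack_params = {'eps': attack_strength,  # Default 0.3
                             'eps_iter': 0.05,
                             'nb_iter': 10,
                             'ord': np.inf,
                             'clip_min': None,
                             'clip_max': None}
        elif attack_name == 'fast_gradient':
            attack = FastGradientMethod(wrap, sess=self.session)
            attack_params = {'eps': attack_strength,  # Default 0.3
                             'ord': np.inf,
                             'y': self.labels,
                             'clip_min': None,
                             'clip_max': None}
        elif attack_name == 'lbfgs':
            attack = LBFGS(wrap, sess=self.session)
            attack_params = {'batch_size': 1,
                             'binary_search_steps': 5,
                             'max_iterations': 1000,
                             'initial_const': attack_strength,  # Default 0.01
                             'clip_min': 0,
                             'clip_max': 1}
        elif attack_name == 'madry':
            attack = MadryEtAl(wrap, sess=self.session)
            attack_params = {'eps': attack_strength,  # Default 0.3
                             'eps_iter': 0.01,
                             'nb_iter': 40,
                             'y': self.labels,
                             'ord': np.inf,
                             'clip_min': None,
                             'clip_max': None,
                             'rand_init': True}
        elif attack_name == 'momentum_iterative':
            attack = MomentumIterativeMethod(wrap, sess=self.session)
            attack_params = {'eps': attack_strength,  # Default 0.3
                             'eps_iter': 0.06,
                             'nb_iter': 10,
                             'y': self.labels,
                             'ord': np.inf,
                             'decay_factor': 1.0,
                             'clip_min': None,
                             'clip_max': None}
        elif attack_name == 'spsa':
            attack = SPSA(wrap, sess=self.session)
            attack_params = {'y': self.labels,
                             'epsilon': attack_strength,  # Default None
                             'num_steps': None,
                             'is_targeted': False,
                             'early_stop_loss_threshold': None,
                             'learning_rate': 0.01,
                             'delta': 0.01,
                             'batch_size': 128,
                             'spsa_iters': 1,
                             'is_debug': False}
        elif attack_name == 'saliency_map':
            attack = SaliencyMapMethod(wrap, sess=self.session)
            attack_params = {'theta': attack_strength,  # Default 1.0
                             'gamma': 1.0,
                             'nb_classes': None,
                             'clip_min': 0.0,
                             'clip_max': 1.0,
                             'symbolic_impl': True}
        elif attack_name == 'virtual_adversarial':
            attack = VirtualAdversarialMethod(wrap, sess=self.session)
            attack_params = {'eps': attack_strength,  # Default 2.0
                             'num_iterations': 1,
                             'xi': 1e-06,
                             'clip_min': None,
                             'clip_max': None}
        else:
            # Unreachable after the ATTACK_NAMES check; kept as a guard.
            raise ValueError('Invalid Attack Name!')

        return attack, attack_params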

## Impact of Epoch on Security

In [9]:
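def reset_weights(model, session=None):
    """Re-run the initializers of every weight-bearing layer so the next
    generation starts from fresh weights rather than the previous generation's.

    Args:
        model: a Keras model; layers exposing `kernel_initializer` /
            `bias_initializer` (Conv2D, Dense) are reset, others are skipped.
        session: tf.Session to run the initializers in; defaults to the
            notebook-level `sess`.
    """
    if session is None:
        session = sess
    for layer in model.layers:
        # The original re-ran only the kernel initializer, so biases carried
        # over between generations; reset both where the layer has them.
        for weight_name in ('kernel', 'bias'):
            if not hasattr(layer, weight_name + '_initializer'):
                continue
            weight = getattr(layer, weight_name, None)
            if weight is not None:
                weight.initializer.run(session=session)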

In [10]:
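# Adversarial evaluator shared across generations; it uses the placeholder `x`
# and the session `sess` defined above.
gen_adv = GenAdv(sess)

# Results indexed [generation, attack, strength]; generations that are not
# run in this session stay zero.
losses = np.zeros((gen_steps, len(attack_names), num_points))
accuracies = np.zeros((gen_steps, len(attack_names), num_points))

directory = 'model_r{}'.format(run_ident)
if not from_saved_model and not os.path.exists(directory):
    os.mkdir(directory)

# Generations are resumed from here; earlier ones were produced by previous
# runs (EarlyStopping patience history: 5 for gens 0-6, 30 for gens 6-9,
# 60 for gen 10).
gen_start = 10


def _fraction_rows_equal(a, b):
    """Fraction of rows (axis 0) at which two equally shaped label arrays are identical."""
    return np.mean(np.all(np.equal(a, b), axis=1))


for gen in range(gen_start, gen_steps):
    print('Gen: {}'.format(gen))

    callbacks = [TensorBoard(log_dir='./logs/overfitting_r{}_g{}'.format(run_ident, gen)),
                 EarlyStopping(monitor='loss', min_delta=1e-5, patience=60, verbose=0, mode='auto')]

    # Fraction of training labels to permute grows linearly with the generation.
    prob_sel = gen / (gen_steps - 1)
    print('Proability of Randomization: {}'.format(prob_sel))

    # Choose the rows to randomise. np.random is not seeded in this notebook,
    # so the selection differs between runs despite tf.set_random_seed above.
    Y_rand = np.copy(Y_train)
    sel = np.random.choice([False, True], size=(Y_rand.shape[0],), p=(1 - prob_sel, prob_sel))
    Y_sel = Y_rand[sel, :]

    # Permute the selected labels among themselves (class balance is unchanged).
    np.random.shuffle(Y_sel)
    # Sanity check: fraction of selected rows whose label survived the shuffle
    # (roughly 1/num_classes when every row is selected).
    print('Rand mean (only shuffled): {}'.format(_fraction_rows_equal(Y_rand[sel, :], Y_sel)))

    Y_rand[sel, :] = np.copy(Y_sel)
    # Sanity checks: the write-back succeeded, and the overall fraction of
    # labels left untouched.
    print('Rand mean (Should be 1): {}'.format(_fraction_rows_equal(Y_rand[sel, :], Y_sel)))
    print('Rand mean (all): {}'.format(_fraction_rows_equal(Y_rand, Y_train)))

    model_path = os.path.join(directory, 'model_g{}.h5'.format(gen))
    if from_saved_model:
        # load_model rebuilds layers and optimizer from the HDF5 config; only
        # load files this notebook wrote itself.
        model = load_model(model_path)
    else:
        reset_weights(model)
        model.fit(X_train, Y_rand,
                  batch_size=batch_size,
                  epochs=epochs,
                  verbose=1,
                  validation_data=(X_test, Y_test),
                  callbacks=callbacks)
        model.save(model_path)

    if run_attack:
        # Attack only a slice of the test set; each result is one row per attack.
        loss, accuracy = gen_adv.evaluate_model(model, X_test[attack_start:attack_end, :],
                                                Y_test[attack_start:attack_end],
                                                attack_names, num_points=num_points)
        losses[gen, :, :] = loss
        accuracies[gen, :, :] = accuracy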

Gen: 10
Proability of Randomization: 1.0
Rand mean (only shuffled): 0.10108333333333333
Rand mean (Should be 1): 1.0
Rand mean (all): 0.10108333333333333
Train on 60000 samples, validate on 10000 samples
Epoch 1/500
Epoch 2/500
Epoch 3/500
Epoch 4/500
Epoch 5/500
Epoch 6/500
Epoch 7/500
Epoch 8/500
Epoch 9/500
Epoch 10/500
Epoch 11/500
Epoch 12/500
Epoch 13/500
Epoch 14/500
Epoch 15/500
Epoch 16/500
Epoch 17/500
Epoch 18/500
Epoch 19/500
Epoch 20/500
Epoch 21/500
Epoch 22/500
Epoch 23/500
Epoch 24/500
Epoch 25/500
Epoch 26/500
Epoch 27/500
Epoch 28/500
Epoch 29/500
Epoch 30/500
Epoch 31/500
Epoch 32/500
Epoch 33/500
Epoch 34/500
Epoch 35/500
Epoch 36/500
Epoch 37/500
Epoch 38/500
Epoch 39/500
Epoch 40/500
Epoch 41/500
Epoch 42/500
Epoch 43/500
Epoch 44/500
Epoch 45/500
Epoch 46/500
Epoch 47/500
Epoch 48/500
Epoch 49/500
Epoch 50/500
Epoch 51/500
Epoch 52/500
Epoch 53/500
Epoch 54/500
Epoch 55/500
Epoch 56/500
Epoch 57/500
Epoch 58/500


Epoch 59/500
Epoch 60/500
Epoch 61/500
Epoch 62/500
Epoch 63/500
Epoch 64/500
Epoch 65/500
Epoch 66/500
Epoch 67/500
Epoch 68/500
Epoch 69/500
Epoch 70/500
Epoch 71/500
Epoch 72/500
Epoch 73/500
Epoch 74/500
Epoch 75/500
Epoch 76/500
Epoch 77/500
Epoch 78/500
Epoch 79/500
Epoch 80/500
Epoch 81/500
Epoch 82/500
Epoch 83/500
Epoch 84/500
Epoch 85/500
Epoch 86/500
Epoch 87/500
Epoch 88/500
Epoch 89/500
Epoch 90/500
Epoch 91/500
Epoch 92/500
Epoch 93/500
Epoch 94/500
Epoch 95/500
Epoch 96/500
Epoch 97/500
Epoch 98/500
Epoch 99/500
Epoch 100/500
Epoch 101/500
Epoch 102/500
Epoch 103/500
Epoch 104/500
Epoch 105/500
Epoch 106/500
Epoch 107/500
Epoch 108/500
Epoch 109/500
Epoch 110/500
Epoch 111/500
Epoch 112/500
Epoch 113/500
Epoch 114/500


Epoch 115/500
Epoch 116/500
Epoch 117/500
Epoch 118/500
Epoch 119/500
Epoch 120/500
Epoch 121/500
Epoch 122/500
Epoch 123/500
Epoch 124/500
Epoch 125/500
Epoch 126/500
Epoch 127/500
Epoch 128/500
Epoch 129/500
Epoch 130/500
Epoch 131/500
Epoch 132/500
Epoch 133/500
Epoch 134/500
Epoch 135/500
Epoch 136/500
Epoch 137/500
Epoch 138/500
Epoch 139/500
Epoch 140/500
Epoch 141/500
Epoch 142/500
Epoch 143/500
Epoch 144/500
Epoch 145/500
Epoch 146/500
Epoch 147/500
Epoch 148/500
Epoch 149/500
Epoch 150/500
Epoch 151/500
Epoch 152/500
Epoch 153/500
Epoch 154/500
Epoch 155/500
Epoch 156/500
Epoch 157/500
Epoch 158/500
Epoch 159/500
Epoch 160/500
Epoch 161/500
Epoch 162/500
Epoch 163/500
Epoch 164/500
Epoch 165/500
Epoch 166/500
Epoch 167/500
Epoch 168/500
Epoch 169/500
Epoch 170/500
Epoch 171/500


Epoch 172/500
Epoch 173/500
Epoch 174/500
Epoch 175/500
Epoch 176/500
Epoch 177/500
Epoch 178/500
Epoch 179/500
Epoch 180/500
Epoch 181/500
Epoch 182/500
Epoch 183/500
Epoch 184/500
Epoch 185/500
Epoch 186/500
Epoch 187/500
Epoch 188/500
Epoch 189/500
Epoch 190/500
Epoch 191/500
Epoch 192/500
Epoch 193/500


In [11]:
# Persist this run's adversarial results and derive the y-axis ceilings used
# by plot_func, but only when the attack loop actually populated the arrays.
if run_attack:
    np.save('loss_r{}.npy'.format(run_ident), losses)
    np.save('accuracy_r{}.npy'.format(run_ident), accuracies)
    max_loss = losses.max()
    max_accuracy = accuracies.max()

In [12]:
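def plot_func(gen):
    """Plot adversarial loss and accuracy against attack strength for one generation.

    Reads the notebook-level `losses` / `accuracies` (indexed
    [generation, attack, strength]), `attack_names`, `num_points`,
    `max_loss` and `max_accuracy`.

    Args:
        gen: generation index into the first axis of `losses` / `accuracies`.
    """
    # Same strength grid GenAdv.evaluate_model used.
    x_plt = np.linspace(0, 0.5, num_points)
    fig, (ax_loss, ax_acc) = plt.subplots(1, 2, figsize=(8, 6))

    for index, attack_name in enumerate(attack_names):
        # Index with the slider value `gen`; the original used an undefined
        # name (`epoch`) here and raised NameError on first use.
        ax_loss.plot(x_plt, losses[gen, index, :].flatten(), label=attack_name)
        ax_acc.plot(x_plt, accuracies[gen, index, :].flatten(), label=attack_name)

    ax_loss.set_title('Adversarial Loss')
    ax_loss.set_xlabel('Attack Strength')
    ax_loss.set_ylabel('Loss')
    # Fixed ceilings keep the axes comparable while the slider changes `gen`.
    ax_loss.set_ylim(None, max_loss)
    ax_loss.legend()

    ax_acc.set_title('Adversarial Accuracy')
    ax_acc.set_xlabel('Attack Strength')
    ax_acc.set_ylabel('Accuracy')
    ax_acc.set_ylim(None, max_accuracy)
    ax_acc.legend()
    plt.show()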

In [13]:
# Interactive browser over generations; only meaningful once the attack loop
# has populated `losses` / `accuracies`.
if run_attack:
    gen_slider = widgets.IntSlider(min=0, max=gen_steps - 1, step=1, value=0)
    interact(plot_func, gen=gen_slider);