In [1]:
# this notebook is to dev adversarial attacks vs a network

In [2]:
from __future__ import print_function

In [3]:
import matplotlib as mpl
# set this 'backend' when using jupyter; do this before importing pyplot
mpl.use('nbagg')
import matplotlib.pyplot as plt

In [4]:
import torch
import torch.nn as nn
import torch.nn.functional as F
import torch.optim as optim
from torchvision import datasets, transforms

import numpy as np

import sys
sys.path.append('/home/felix/Research/Adversarial Research/FGN---Research/')
import Finite_Gaussian_Network_lib as fgnl
import Finite_Gaussian_Network_lib.fgn_helper_lib as fgnh

from advertorch import attacks
from advertorch.utils import predict_from_logits
from advertorch_examples.utils import _imshow

In [5]:
!gpustat

[1mcountdown[0m  Sun Aug 11 12:28:31 2019
[0;36m[0][0m [0;34mGeForce GTX 1080[0m |[0;31m 38'C[0m, [0;32m  0 %[0m | [0;36m[1;33m   12[0m / [0;33m 8119[0m MB |
[0;36m[1][0m [0;34mGeForce GTX 1080[0m |[0;31m 39'C[0m, [0;32m  0 %[0m | [0;36m[1;33m  836[0m / [0;33m 8118[0m MB |


In [6]:
# Define what device we are using
print("CUDA Available: ",torch.cuda.is_available())
use_cuda = True
device = torch.device("cuda" if (use_cuda and torch.cuda.is_available()) else "cpu")
print("Using device:", device)

# manualy set cuda device
torch.cuda.set_device(1)

CUDA Available:  True
Using device: cuda


In [7]:
# # random seeds
# torch.manual_seed(999)
# np.random.seed(999)

# torch.backends.cudnn.deterministic = True
# torch.cuda.manual_seed_all(999)

In [8]:
# MNIST dataset and dataloader declaration
# transforms does both the conversion from 0-255 to 0-1
# and normalizes by the precomputed mean and std

batch_size = 7000

mnist_train_loader = torch.utils.data.DataLoader(
    datasets.MNIST('../../MNIST-dataset', train=True, download=False, 
                   transform=transforms.Compose([transforms.ToTensor(), transforms.Normalize((0.1307,), (0.3081,))
            ])), 
        batch_size=batch_size, shuffle=False)

mnist_test_loader = torch.utils.data.DataLoader(
    datasets.MNIST('../../MNIST-dataset', train=False, download=False, 
                   transform=transforms.Compose([transforms.ToTensor(), transforms.Normalize((0.1307,), (0.3081,))
            ])), 
        batch_size=batch_size, shuffle=False)

In [9]:
# load classic model
classic_model_path = "../Experiments/sample_models/sample_classic_model_noisy_eval_p0.66_full.pth"
classic_model = torch.load(classic_model_path)
classic_model.to(device)

Feedforward_Classic_net(
  (hidden_layers): ModuleList(
    (0): Dropout(p=0.03125)
    (1): Linear(in_features=784, out_features=32, bias=True)
    (2): BatchNorm1d(32, eps=1e-05, momentum=0.1, affine=True, track_running_stats=True)
    (3): Dropout(p=0.03125)
    (4): Linear(in_features=32, out_features=32, bias=True)
    (5): BatchNorm1d(32, eps=1e-05, momentum=0.1, affine=True, track_running_stats=True)
    (6): Dropout(p=0.03125)
  )
  (ib): BatchNorm1d(784, eps=1e-05, momentum=0.1, affine=True, track_running_stats=True)
  (fl): Linear(in_features=32, out_features=10, bias=True)
)

In [10]:
# test the model
# loss functions for the classic net      
classical_cross_ent_loss = (lambda model,output,target:  F.cross_entropy(output,target.long()))

classic_test_res = fgnh.test(classic_model, mnist_train_loader, classical_cross_ent_loss,
                               pred_func=fgnh.cross_ent_pred_accuracy, verbose=True)

Test set - Average loss: 0.2608, Accuracy: 55151/60000 (92%)


In [11]:
# load fgn model
fgn_model_path = "../Experiments/sample_models/sample_fgn_model_noisy_eval_p0.27_full.pth"
fgn_model = torch.load(fgn_model_path)
fgn_model.to(device)

Feedforward_FGN_net(
  (hidden_layers): ModuleList(
    (0): Dropout(p=0.03125)
    (1): FGN_layer()
    (2): BatchNorm1d(32, eps=1e-05, momentum=0.1, affine=True, track_running_stats=True)
    (3): Dropout(p=0.03125)
    (4): FGN_layer()
    (5): BatchNorm1d(32, eps=1e-05, momentum=0.1, affine=True, track_running_stats=True)
    (6): Dropout(p=0.03125)
  )
  (ib): BatchNorm1d(784, eps=1e-05, momentum=0.1, affine=True, track_running_stats=True)
  (fl): FGN_layer()
)

In [12]:
# test the model
### Loss Functions for the FGN
fgn_cross_ent_loss = (lambda model,output,target:  F.cross_entropy(output,target.long()))

fgn_test_res = fgnh.test(fgn_model, mnist_train_loader, fgn_cross_ent_loss,
                               pred_func=fgnh.cross_ent_pred_accuracy, verbose=True)

Test set - Average loss: 0.2912, Accuracy: 54273/60000 (90%)


In [13]:
# switch to random eval
fgn_model.set_random_eval(True)
fgn_test_res_random = fgnh.test(fgn_model, mnist_train_loader, fgn_cross_ent_loss,
                               pred_func=fgnh.cross_ent_pred_accuracy, verbose=True)

Test set - Average loss: 0.2912, Accuracy: 54273/60000 (90%)


In [14]:
# set models to eval mode
classic_model.eval()
fgn_model.eval()

Feedforward_FGN_net(
  (hidden_layers): ModuleList(
    (0): Dropout(p=0.03125)
    (1): FGN_layer()
    (2): BatchNorm1d(32, eps=1e-05, momentum=0.1, affine=True, track_running_stats=True)
    (3): Dropout(p=0.03125)
    (4): FGN_layer()
    (5): BatchNorm1d(32, eps=1e-05, momentum=0.1, affine=True, track_running_stats=True)
    (6): Dropout(p=0.03125)
  )
  (ib): BatchNorm1d(784, eps=1e-05, momentum=0.1, affine=True, track_running_stats=True)
  (fl): FGN_layer()
)

In [15]:
# load data
for cln_data, true_label in mnist_train_loader:
    break
cln_data, true_label = cln_data.to(device), true_label.to(device)

In [16]:
# minimum/maximum pixel value post normalization
min_pix = np.min(cln_data.cpu().numpy())
print("min_pix", min_pix)
max_pix = np.max(cln_data.cpu().numpy())
print("max_pix", max_pix)
# theoritical minimum
print( (0.0/255-0.1307)/0.3081 )
# theoritical maximum
print( (255.0/255-0.1307)/0.3081 )


min_pix -0.42421296
max_pix 2.8214867
-0.424212917884
2.82148653035


In [17]:
### Shared params

#maximum distortion allowed
max_dists = (20.0/255-0.1307)/0.3081
nb_iter = 1000
eps_iter = 0.0001

In [18]:
# Construct an adversary instance
classic_adversary = attacks.PGDAttack(
    classic_model, loss_fn=F.cross_entropy, eps=max_dists, ord=np.inf,
    nb_iter=nb_iter, eps_iter=eps_iter, rand_init=True, clip_min=min_pix, clip_max=max_pix,
    targeted=False)

In [19]:
# Perform untargeted attack
classic_adv_untargeted = classic_adversary.perturb(cln_data, true_label)

In [20]:
# Perform targeted attack
target_class = 7.0
target = torch.ones_like(true_label) * target_class
classic_adversary.targeted = True
classic_adv_targeted = classic_adversary.perturb(cln_data, target)

In [21]:
# Visualization of attacks
pred_cln = predict_from_logits(classic_model(cln_data))
pred_untargeted_adv = predict_from_logits(classic_model(classic_adv_untargeted))
pred_targeted_adv = predict_from_logits(classic_model(classic_adv_targeted))

num_to_plot = 5
plt.figure(figsize=(10, 8))
for ii in range(num_to_plot):
    plt.subplot(3, num_to_plot, ii + 1)
#     _imshow(cln_data[ii])
    x_to_plot = cln_data[ii].cpu().numpy().reshape((28,28))
    plt.imshow(x_to_plot, cmap=plt.cm.get_cmap('Greys'), vmin=min_pix, vmax=max_pix)
    plt.axis("off")
    plt.title("clean \n pred: {}".format(pred_cln[ii]))
    
    plt.subplot(3, num_to_plot, ii + 1 + num_to_plot)
#     _imshow(classic_adv_untargeted[ii])
    x_to_plot = classic_adv_untargeted[ii].cpu().numpy().reshape((28,28))
    plt.imshow(x_to_plot, cmap=plt.cm.get_cmap('Greys'), vmin=min_pix, vmax=max_pix)
    plt.axis("off")
    plt.title("untargeted \n adv \n pred: {}".format(pred_untargeted_adv[ii]))
    
    plt.subplot(3, num_to_plot, ii + 1 + num_to_plot * 2)
    #     _imshow(classic_adv_targeted[ii])
    x_to_plot = classic_adv_targeted[ii].cpu().numpy().reshape((28,28))
    plt.imshow(x_to_plot, cmap=plt.cm.get_cmap('Greys'), vmin=min_pix, vmax=max_pix)
    plt.axis("off")
    plt.title("targeted to {} \n adv \n pred: {}".format(target_class,pred_targeted_adv[ii]))

plt.tight_layout()
plt.show()

<IPython.core.display.Javascript object>

In [22]:
# visualize some noise
noise = np.abs(cln_data[0].cpu().numpy().reshape((28,28))-classic_adv_targeted[0].cpu().numpy().reshape((28,28)))
# x = cln_data[0].cpu().numpy().reshape((28,28))
# print(np.max(x))
plt.imshow(noise, cmap=plt.cm.get_cmap('Greys'), vmin=min_pix, vmax=max_pix)
plt.axis("off")
plt.colorbar()
plt.show()
# cln_data[ii].cpu().numpy().reshape((28,28))

<IPython.core.display.Javascript object>

In [23]:
# some stats:
# % of succesful untargeted attacks
classic_prc_succ_untargeted = np.sum((pred_untargeted_adv != true_label).cpu().numpy())/len(pred_untargeted_adv)
print("untargeted:", classic_prc_succ_untargeted)

# % of succesful targeted attacks
classic_prc_succ_targeted = np.sum((pred_targeted_adv == target).cpu().numpy())/len(pred_targeted_adv)
print("targeted:", classic_prc_succ_targeted)

# average distortion?

untargeted: 0.07614285714285714
targeted: 0.10614285714285714


In [24]:
# all the untargeted attacks are different
preds = classic_model(classic_adv_untargeted.to(device))
preds = preds.cpu().detach().numpy()
preds_softmax = np.array([np.exp(x)/sum(np.exp(x)) for x in preds.astype('float128')])

# print first 5 pred
print(np.round(preds_softmax[:5],decimals=2))
print("shape:", preds.shape)

[[0.   0.   0.   0.03 0.   0.96 0.   0.   0.   0.  ]
 [0.99 0.   0.   0.   0.   0.01 0.   0.   0.   0.  ]
 [0.   0.   0.01 0.   0.96 0.   0.   0.01 0.   0.02]
 [0.   0.99 0.   0.   0.   0.   0.   0.   0.   0.  ]
 [0.   0.   0.   0.   0.02 0.   0.   0.   0.   0.97]]
shape: (7000, 10)


In [25]:
# all the targeted attacks are different
preds = classic_model(classic_adv_targeted.to(device))
preds = preds.cpu().detach().numpy()
preds_softmax = np.array([np.exp(x)/sum(np.exp(x)) for x in preds.astype('float128')])

# print first 5 pred
print(np.round(preds_softmax[:5],decimals=2))
print("shape:", preds.shape)

[[0.   0.   0.   0.03 0.   0.96 0.   0.   0.   0.  ]
 [0.99 0.   0.   0.   0.   0.01 0.   0.   0.   0.  ]
 [0.   0.   0.01 0.   0.96 0.   0.   0.01 0.   0.02]
 [0.   0.99 0.   0.   0.   0.   0.   0.   0.   0.  ]
 [0.   0.   0.   0.   0.02 0.   0.   0.   0.   0.97]]
shape: (7000, 10)


In [26]:
### PART 2 - FGN network

In [27]:
# Construct an adversary instance

fgn_adversary = attacks.PGDAttack(
    fgn_model, loss_fn=F.cross_entropy, eps=max_dists, ord=np.inf,
    nb_iter=nb_iter, eps_iter=eps_iter, rand_init=True, clip_min=min_pix, clip_max=max_pix,
    targeted=False)

In [28]:
# Perform untargeted attack
fgn_adv_untargeted = fgn_adversary.perturb(cln_data, true_label)

In [29]:
# Perform targeted attack
# target_class = 7.0
# target = torch.ones_like(true_label) * target_class
fgn_adversary.targeted = True
fgn_adv_targeted = fgn_adversary.perturb(cln_data, target)

In [30]:
# Visualization of attacks

pred_cln = predict_from_logits(fgn_model(cln_data))
pred_untargeted_adv = predict_from_logits(fgn_model(fgn_adv_untargeted))
pred_targeted_adv = predict_from_logits(fgn_model(fgn_adv_targeted))

num_to_plot = 5
plt.figure(figsize=(10, 8))
for ii in range(num_to_plot):
    plt.subplot(3, num_to_plot, ii + 1)
#     _imshow(cln_data[ii])
    x_to_plot = cln_data[ii].cpu().numpy().reshape((28,28))
    plt.imshow(x_to_plot, cmap=plt.cm.get_cmap('Greys'), vmin=min_pix, vmax=max_pix)
    plt.axis("off")
    plt.title("clean \n pred: {}".format(pred_cln[ii]))
    
    plt.subplot(3, num_to_plot, ii + 1 + num_to_plot)
#     _imshow(classic_adv_untargeted[ii])
    x_to_plot = fgn_adv_untargeted[ii].cpu().numpy().reshape((28,28))
    plt.imshow(x_to_plot, cmap=plt.cm.get_cmap('Greys'), vmin=min_pix, vmax=max_pix)
    plt.axis("off")
    plt.title("untargeted \n adv \n pred: {}".format(pred_untargeted_adv[ii]))
    
    plt.subplot(3, num_to_plot, ii + 1 + num_to_plot * 2)
    #     _imshow(classic_adv_targeted[ii])
    x_to_plot = fgn_adv_targeted[ii].cpu().numpy().reshape((28,28))
    plt.imshow(x_to_plot, cmap=plt.cm.get_cmap('Greys'), vmin=min_pix, vmax=max_pix)
    plt.axis("off")
    plt.title("targeted to {} \n adv \n pred: {}".format(target_class,pred_targeted_adv[ii]))

plt.tight_layout()
plt.show()

<IPython.core.display.Javascript object>

In [35]:
# visualize some noise
noise = np.abs(cln_data[0].cpu().numpy().reshape((28,28))-fgn_adv_targeted[0].cpu().numpy().reshape((28,28)))
# x = cln_data[0].cpu().numpy().reshape((28,28))
# print(np.max(x))
plt.imshow(noise, cmap=plt.cm.get_cmap('Greys'), vmin=min_pix, vmax=max_pix)
plt.axis("off")
plt.colorbar()
plt.show()
# cln_data[ii].cpu().numpy().reshape((28,28))

<IPython.core.display.Javascript object>

In [32]:
# some stats:
# % of succesful untargeted attacks
fgn_prc_succ_untargeted = np.sum((pred_untargeted_adv != true_label).cpu().numpy())/len(pred_untargeted_adv)
print("untargeted:", fgn_prc_succ_untargeted)

# % of succesful targeted attacks
fgn_prc_succ_targeted = np.sum((pred_targeted_adv == target).cpu().numpy())/len(pred_targeted_adv)
print("targeted:", fgn_prc_succ_targeted)

# average distortion?

untargeted: 0.099
targeted: 0.09957142857142857


In [33]:
# all the untargeted attacks are the same pred
preds = fgn_model(fgn_adv_untargeted.to(device))
preds = preds.cpu().detach().numpy()
preds_softmax = np.array([np.exp(x)/sum(np.exp(x)) for x in preds.astype('float128')])

# print first 5 pred
print(np.round(preds_softmax[:5],decimals=2))
print("shape:", preds.shape)

[[0.   0.   0.   0.   0.   1.   0.   0.   0.   0.  ]
 [1.   0.   0.   0.   0.   0.   0.   0.   0.   0.  ]
 [0.   0.   0.   0.01 0.99 0.   0.   0.   0.   0.  ]
 [0.   0.73 0.01 0.01 0.   0.   0.   0.01 0.24 0.  ]
 [0.   0.   0.   0.   0.04 0.   0.   0.   0.06 0.9 ]]
shape: (7000, 10)


In [34]:
# all the targeted attacks are the same pred
preds = fgn_model(fgn_adv_targeted.to(device))
preds = preds.cpu().detach().numpy()
preds_softmax = np.array([np.exp(x)/sum(np.exp(x)) for x in preds.astype('float128')])

# print first 5 pred
print(np.round(preds_softmax[:5],decimals=2))
print("shape:", preds.shape)

[[0.   0.   0.   0.   0.   1.   0.   0.   0.   0.  ]
 [1.   0.   0.   0.   0.   0.   0.   0.   0.   0.  ]
 [0.   0.   0.   0.01 0.99 0.   0.   0.   0.   0.  ]
 [0.   0.73 0.01 0.01 0.   0.   0.   0.01 0.24 0.  ]
 [0.   0.   0.   0.   0.04 0.   0.   0.   0.06 0.9 ]]
shape: (7000, 10)
