In [1]:
import numpy as np
import pandas as pd
from sklearn.model_selection import train_test_split

# Path to dataset files

In [2]:
DATASET_NAME="wine"

In [3]:
PATH="../data/{}".format(DATASET_NAME)
TRAINING_SET="train.csv"
VALIDATION_SET="valid.csv"
TEST_SET="test.csv"
N_TRAIN_INSTANCES=None # replace this with None to load the whole training set
N_TEST_INSTANCES=None # replace this with None to load the whole test set

# Column names (i.e., features)

In [4]:
colnames = ['fixed_acidity', 'volatile_acidity', 'citric_acid', 'residual_sugar', 'chlorides', 'free_sulfur_dioxide',
            'total_sulfur_dioxide', 'density', 'pH', 'sulphites', 'alcohol', 'is_white', 'quality']

# Load dataset

In [5]:
def load_dataset(path, 
                 dataset_filename, 
                 sep=",", 
                 header=None,
                 nrows=None,
                 names=colnames, 
                 index_col=False, 
                 na_values='?'):
    
    return pd.read_csv(path+"/"+dataset_filename, 
                       sep=sep, 
                       header=header,
                       nrows=nrows,
                       names=colnames, 
                       index_col=index_col, 
                       na_values='?')

In [6]:
train = load_dataset(PATH, TRAINING_SET, header=0, nrows=N_TRAIN_INSTANCES)

In [7]:
print("Shape of training set: {}".format(train.shape))

Shape of training set: (4547, 13)


In [8]:
train.head()

Unnamed: 0,fixed_acidity,volatile_acidity,citric_acid,residual_sugar,chlorides,free_sulfur_dioxide,total_sulfur_dioxide,density,pH,sulphites,alcohol,is_white,quality
0,8.9,0.59,0.39,2.3,0.095,5.0,22.0,0.9986,3.37,0.58,10.3,0.0,5.0
1,6.8,0.27,0.12,1.3,0.04,87.0,168.0,0.992,3.18,0.41,10.0,1.0,5.0
2,6.3,0.31,0.34,2.2,0.045,20.0,77.0,0.9927,3.3,0.43,10.2,1.0,5.0
3,7.8,0.29,0.22,9.5,0.056,44.0,213.0,0.99715,3.08,0.61,9.3,1.0,6.0
4,7.0,0.32,0.31,6.4,0.031,38.0,115.0,0.99235,3.38,0.58,12.2,1.0,7.0


In [9]:
valid = load_dataset(PATH, VALIDATION_SET, header=0)

In [10]:
print("Shape of validation set: {}".format(valid.shape))

Shape of validation set: (650, 13)


In [11]:
valid.head()

Unnamed: 0,fixed_acidity,volatile_acidity,citric_acid,residual_sugar,chlorides,free_sulfur_dioxide,total_sulfur_dioxide,density,pH,sulphites,alcohol,is_white,quality
0,6.3,0.13,0.42,1.1,0.043,63.0,146.0,0.99066,3.13,0.72,11.2,1.0,7.0
1,7.1,0.18,0.39,14.5,0.051,48.0,156.0,0.99947,3.35,0.78,9.1,1.0,5.0
2,7.1,0.22,0.33,2.8,0.033,48.0,153.0,0.9899,3.15,0.38,12.7,1.0,7.0
3,6.6,0.38,0.18,1.2,0.042,20.0,84.0,0.9927,3.22,0.45,10.1,1.0,4.0
4,7.5,0.14,0.74,1.6,0.035,21.0,126.0,0.9933,3.26,0.45,10.2,1.0,6.0


In [12]:
test = load_dataset(PATH, TEST_SET, header=0, nrows=N_TEST_INSTANCES)

In [13]:
print("Shape of test set: {}".format(test.shape))

Shape of test set: (1300, 13)


In [14]:
test.head()

Unnamed: 0,fixed_acidity,volatile_acidity,citric_acid,residual_sugar,chlorides,free_sulfur_dioxide,total_sulfur_dioxide,density,pH,sulphites,alcohol,is_white,quality
0,7.2,0.37,0.32,2.0,0.062,15.0,28.0,0.9947,3.23,0.73,11.3,0.0,7.0
1,7.3,0.36,0.34,14.8,0.057,46.0,173.0,0.99751,3.14,0.57,10.2,1.0,5.0
2,6.8,0.21,0.27,18.15,0.042,41.0,146.0,1.0001,3.3,0.36,8.7,1.0,5.0
3,5.7,0.46,0.46,1.4,0.04,31.0,169.0,0.9932,3.13,0.47,8.8,1.0,5.0
4,6.1,0.37,0.46,12.0,0.042,61.0,210.0,0.997,3.17,0.59,9.7,1.0,6.0


# Preprocessing

In [15]:
def binarize_data(data, label, threshold):
    
    data[label] = np.where(data[label] >= threshold, 1, -1)

In [16]:
binarize_data(train, "quality", 6)

In [17]:
train.head()

Unnamed: 0,fixed_acidity,volatile_acidity,citric_acid,residual_sugar,chlorides,free_sulfur_dioxide,total_sulfur_dioxide,density,pH,sulphites,alcohol,is_white,quality
0,8.9,0.59,0.39,2.3,0.095,5.0,22.0,0.9986,3.37,0.58,10.3,0.0,-1
1,6.8,0.27,0.12,1.3,0.04,87.0,168.0,0.992,3.18,0.41,10.0,1.0,-1
2,6.3,0.31,0.34,2.2,0.045,20.0,77.0,0.9927,3.3,0.43,10.2,1.0,-1
3,7.8,0.29,0.22,9.5,0.056,44.0,213.0,0.99715,3.08,0.61,9.3,1.0,1
4,7.0,0.32,0.31,6.4,0.031,38.0,115.0,0.99235,3.38,0.58,12.2,1.0,1


In [18]:
binarize_data(valid, "quality", 6)

In [19]:
binarize_data(test, "quality", 6)

# Feature Attacks

# Perturbing dataset

Let $\mathcal{D} = \{(\mathbf{x_i}, y_i)\}_{i=\{1,\ldots, m\}}$ be the dataset of interest, where $\mathbf{x_i} \subseteq \mathbb{R}^n = (x_{i,1}, \ldots, x_{i,n})^T$.

Use the set of rules defined above to perturb every single instance $(\mathbf{x_i}, y_i)\in \mathcal{D}$.

In general, one could assume the attacker has a budget $b_i$ for perturbing the instance $(\mathbf{x_i}, y_i)$, therefore the overall budget $B$ of the attacker is $B = \sum_{i=1}^m b_i$. 

Moreover, each feature $x_{*,j}$ is associated with a cost $c_j$ which the attacker has to pay in order to perturb exactly the $j$-th feature.

In this first (simplified) attempt, we assume the attacker has full budget at its disposal for perturbing every instance, and the cost of perturbing an individual feature is the same for all features; in other words, $b_i = B~\forall i=1,\ldots,m$ and $c_j = C~\forall j=1,\dots,n$ (e.g., $C = 1$ _budget unit_). 

It turns out the _actual_ total budget available to the attacker is $m\cdot B$.

In [20]:
def perturb_alcohol(x):
    x_copy = x.copy()
    if x_copy['alcohol'] <= 10.0:
        x_copy['alcohol'] += 0.75
        
    return x_copy
    
def perturb_residual_sugar(x):
    x_copy = x.copy()
    if x_copy['residual_sugar'] >= 8.0:
        x_copy['residual_sugar'] -= 1.2
        
    return x_copy
    
def perturb_volatile_acidity(x):
    x_copy = x.copy()
    if x_copy['volatile_acidity'] >= 0.6:
        x_copy['volatile_acidity'] -= 0.3
    
    return x_copy

In [21]:
def contains(ls, x):
    """
    Returns if a pandas.Series object (x) belongs to a list of pandas.Series objects (ls).

    This function takes as input list of pandas.Series objects (ls) and returns True
    if this contains the second input argument (i.e., the pandas.Series object x), False otherwise.
    
    Parameters
    ----------
    ls : list
        A list of pandas.Series objects

    x : pandas.Series
        A series object

    Returns
    -------
    bool

    """
    if not ls:
        return False
    for s in ls:
        if s.equals(x):
            return True
    return False

In [22]:
def is_empty(queue):
    return len(queue) == 0

In [23]:
def is_equal_perturbation(a, b):
    return a[0].equals(b[0]) and a[1] == b[1] and a[2] == b[2]
    

In [24]:
def perturb_instance(x, x_id, features, budget, max_budget_per_feature, costs, skip_class=1):
    """
    Returns the set of possible perturbations of a given instance.

    This function takes as input an instance and returns a set of perturbations of that instance, 
    using the specified amount of budget and considering the cost of perturbing each individual feature.

    Parameters
    ----------
    x : pandas.Series
        The original instance
    x_id : int
        The instance identifier (will be the same for all perturbations associated with this instance)
    features : list
        The list of features which can be perturbed (i.e., those for which an attack rule is defined)
    budget : float
        The attacker's budget
    max_budget_per_feature : dict
        The maximum allowed amount of budget units that can be spend on each feature
    costs : dict
        A mapping between each feature and its cost of perturbation

    Returns
    -------
    pandas.DataFrame
        The set of perturbations (including the original instance, placed at the very beginning)
    float
        The residual budget available for the remaining instances of the original dataset
        (At this stage, we assume each instance will get the same amount of budget, 
        i.e., the attacker is given back the full initial budget for perturbing each instance)

    """
    
    # initialize the queue (FIFO) with both the original instance, the initial budget, and an empty dictionary of budget units spent so far
    queue = [(x, budget, {})]
    # visited perturbations
    seen = [(x, budget, {})]
    # initialize the set of perturbations of this instance with the empty list
    perturbations = []
    # caching already performed perturbations for a certain feature
    feature_perturbations = {}
    # save the inital budget
    initial_budget = budget
    
    # loop until the queue is not empty
    while not is_empty(queue):
        item = queue.pop() # dequeue the first inserted element
        x = item[0] # get the instance
        b = item[1] # get the residual budget
        budget_units_spent = item[2] # get the dictionary containing the amount of budget spent on each feature, so far
        
        #print("Dequeuing item from queue [current budget = {}]".format(b))
        
        # if the set of perturbations does not contain already x
        if not contains(perturbations, x):
            perturbations.append(x) # append the transformed instance to the list of perturbations (NOTE: the first one will be the original - i.e., non-perturbed - instance)

            
        if x[-1]==skip_class:
            continue
            
            
        # loop through all the features subject to the set of attack rules
        for f in features:
            # check if there is enough budget to perform an attack on feature f
            if costs[f] <= b and budget_units_spent.get(f, 0) + costs[f] <= max_budget_per_feature[f]: 
                # if so, just call off to the proper function, which will perturb x on f
                # and returns the list of all perturbations from x on f
                x_prime = globals()["perturb_"+str(f)](x)
                
                # the perturbation of x on f is inserted into the queue (enqueued) only if the attack rule applies
                # to check this, it is enough to test for equality between x_prime and x
                if not x_prime.equals(x): # i.e., the rule applies to the current instance
                    # only if x_prime != x (i.e., the rule applies) we can subtract from the current budget
                    # the value of the cost of perturbing f
                    updated_budget_units_spent = budget_units_spent.copy()
                    # update the number of budget units spend on feature f
                    if not f in updated_budget_units_spent:
                        updated_budget_units_spent[f] = costs[f]
                    else:
                        updated_budget_units_spent[f] += costs[f]

                    #print("Update budget units spent on feature [{}] [old budget units spent = {}; new budget units spent = {}]"
                    #      .format(f, budget_units_spent.get(f, 0), updated_budget_units_spent[f]))

                    #print("Enqueue the current perturbation [initial budget = {}; residual budget = {}]"
                    #      .format(initial_budget, b - costs[f]))
                    item = (x_prime, b - costs[f], updated_budget_units_spent)
                    if not any(item_prime for item_prime in seen if is_equal_perturbation(item, item_prime)):
                        queue.insert(0, item)
                        seen.append(item)
            
            #print()
        
        
    # print("Create the dataframe containing the computed perturbations of instance [ID = #{}]".format(x_id))
    perturbations_df = pd.DataFrame(perturbations)
    perturbations_df.insert(loc=0, 
                                column="instance_id", 
                                value=[x_id for i in range(perturbations_df.shape[0])], 
                                allow_duplicates=True)
    
    
    return perturbations_df, initial_budget

In [25]:
def perturb_dataset(data, budget, max_budget_per_feature, costs, features):
    """
    Returns the dataset extended with all instance perturbations.

    This function takes as input a dataset and returns another dataset which is obtained from the original
    by adding all the possible perturbations an attacker with budget B can apply to every instance.

    Parameters
    ----------
    data : pandas.DataFrame
        The original dataset
    features : list
        The list of features which can be perturbed (i.e., those for which an attack rule is defined)
    budget : float
        The attacker's budget
    max_budget_per_feature : dict
        The maximum allowed amount of budget units that can be spend on each feature
    costs : dict
        A mapping between each feature and its cost of perturbation

    Returns
    -------
    pandas.DataFrame
        The perturbed dataset

    """
    # check if the dataset is valid
    if data is None or data.empty:
        print("***** No dataset available! *****\n")
        return # if not, just return None
    # prepare the perturbed dataset to be returned, initially empty with an extra "instance_id" column
    cols = ["instance_id"] + data.columns.tolist()
    perturbed_data = pd.DataFrame(columns=cols)
    
    # start with instance_id = 1
    instance_id = 1
    
    # loop through every single instance in the original dataset
    print("***** Loop through all the original instances... *****\n")
    for index, instance in data.iterrows():
        if instance_id%100==0:
            print("***** Trying to perturb instance [ID = #{}]... *****\n".format(instance_id))
        # check if there is still some budget to spend before trying to perturb the current instance
        #print("***** Checking if budget residual is positive... *****\n")
        
        if(budget):
            #print("***** Budget residual = {} *****\n".format(budget))
            # retrieve the set of perturbations obtained from the current instance, along with residual budget
            # this is provided by calling off to the `perturb_instance` function
            # print("***** Perturb instance [ID = #{}]... *****\n".format(instance_id))
            perturbations, budget = perturb_instance(instance, instance_id, features, budget, max_budget_per_feature, costs)
            # append the set of perturbations obtained from the current instance to the perturbed dataset
            #print("***** Append the latest perturbations to the final dataset *****\n")
            perturbed_data = perturbed_data.append(perturbations)
            # move to the next instance_id
            instance_id += 1
            
        # otherwise, the budget is exhausted 
        # (note that, at this stage, we are allowing the budget to be negative after the latest perturbation;
        # a smoother strategy would be to check the residual budget before actually committing the perturbations)
        else:
            print("***** No more budget available! [budget residual = {}] *****\n".format(budget))
            break
        
    # eventually, return the perturbed dataset
    print("***** Return the final perturbed dataset *****\n")
    return perturbed_data

In [26]:
# list of "attackable" features
features = ['alcohol', 'residual_sugar', 'volatile_acidity']

# dictionary containing the cost of perturbing each feature (in budget unit)
costs = {
    'alcohol'     : 10,
    'residual_sugar': 10,
    'volatile_acidity' : 10
}

# dictionary containing the maximum allowed amount of budget units that can be spent on each feature
max_budget_per_feature = {
    'alcohol'     : 100,
    'residual_sugar': 100,
    'volatile_acidity'    : 100
}

In [34]:
train_att = perturb_dataset(train, 20, max_budget_per_feature, costs, features)

***** Loop through all the original instances... *****

***** Trying to perturb instance [ID = #100]... *****

***** Trying to perturb instance [ID = #200]... *****

***** Trying to perturb instance [ID = #300]... *****

***** Trying to perturb instance [ID = #400]... *****

***** Trying to perturb instance [ID = #500]... *****

***** Trying to perturb instance [ID = #600]... *****

***** Trying to perturb instance [ID = #700]... *****

***** Trying to perturb instance [ID = #800]... *****

***** Trying to perturb instance [ID = #900]... *****

***** Trying to perturb instance [ID = #1000]... *****

***** Trying to perturb instance [ID = #1100]... *****

***** Trying to perturb instance [ID = #1200]... *****

***** Trying to perturb instance [ID = #1300]... *****

***** Trying to perturb instance [ID = #1400]... *****

***** Trying to perturb instance [ID = #1500]... *****

***** Trying to perturb instance [ID = #1600]... *****

***** Trying to perturb instance [ID = #1700]... *****

*

In [39]:
train_att[train_att['instance_id']==596].loc[:,['alcohol', 'residual_sugar', 'volatile_acidity']]

Unnamed: 0,alcohol,residual_sugar,volatile_acidity
595,9.0,11.4,0.815
595,9.75,11.4,0.815
595,9.0,10.2,0.815
595,9.0,11.4,0.515
595,10.5,11.4,0.815
595,9.75,10.2,0.815
595,9.75,11.4,0.515
595,9.0,9.0,0.815
595,9.0,10.2,0.515


In [40]:
train_att.shape

(7811, 14)

# Serialize both original (\_ori) and perturbed (\_att) datasets

# Invoke perturbation on the following datasets:

-  Training set
-  Validation set
-  Test set

In [27]:
def serialize_dataset(p_data, 
                      path, 
                      dataset_filename, 
                      suffix, 
                      sep=",", 
                      compression="bz2", 
                      index=False):
    
    p_data.to_csv(path+"/"+dataset_filename.split(".")[0]+suffix, 
                  sep=sep, 
                  compression=compression, 
                  index=index)

In [28]:
serialize_dataset(train, PATH, TRAINING_SET, "_ori.csv.bz2")
serialize_dataset(valid, PATH, VALIDATION_SET, "_ori.csv.bz2")
serialize_dataset(test, PATH, TEST_SET, "_ori.csv.bz2")

In [29]:
# tutto
# 2 gain + il resto
# hours + education
# fino a education
B = [20, 30, 40]

for budget in B:
    train_att = perturb_dataset(train, budget, max_budget_per_feature, costs, features)
    valid_att = perturb_dataset(valid, budget, max_budget_per_feature, costs, features)
    test_att = perturb_dataset(test, budget, max_budget_per_feature, costs, features)
    
    serialize_dataset(train_att, PATH, TRAINING_SET, "_B{}".format(budget)+".csv.bz2")
    serialize_dataset(valid_att, PATH, VALIDATION_SET, "_B{}".format(budget)+".csv.bz2")
    serialize_dataset(test_att, PATH, TEST_SET, "_B{}".format(budget)+".csv.bz2")

***** Loop through all the original instances... *****

***** Trying to perturb instance [ID = #100]... *****

***** Trying to perturb instance [ID = #200]... *****

***** Trying to perturb instance [ID = #300]... *****

***** Trying to perturb instance [ID = #400]... *****

***** Trying to perturb instance [ID = #500]... *****

***** Trying to perturb instance [ID = #600]... *****

***** Trying to perturb instance [ID = #700]... *****

***** Trying to perturb instance [ID = #800]... *****

***** Trying to perturb instance [ID = #900]... *****

***** Trying to perturb instance [ID = #1000]... *****

***** Trying to perturb instance [ID = #1100]... *****

***** Trying to perturb instance [ID = #1200]... *****

***** Trying to perturb instance [ID = #1300]... *****

***** Trying to perturb instance [ID = #1400]... *****

***** Trying to perturb instance [ID = #1500]... *****

***** Trying to perturb instance [ID = #1600]... *****

***** Trying to perturb instance [ID = #1700]... *****

*

***** Trying to perturb instance [ID = #900]... *****

***** Trying to perturb instance [ID = #1000]... *****

***** Trying to perturb instance [ID = #1100]... *****

***** Trying to perturb instance [ID = #1200]... *****

***** Trying to perturb instance [ID = #1300]... *****

***** Trying to perturb instance [ID = #1400]... *****

***** Trying to perturb instance [ID = #1500]... *****

***** Trying to perturb instance [ID = #1600]... *****

***** Trying to perturb instance [ID = #1700]... *****

***** Trying to perturb instance [ID = #1800]... *****

***** Trying to perturb instance [ID = #1900]... *****

***** Trying to perturb instance [ID = #2000]... *****

***** Trying to perturb instance [ID = #2100]... *****

***** Trying to perturb instance [ID = #2200]... *****

***** Trying to perturb instance [ID = #2300]... *****

***** Trying to perturb instance [ID = #2400]... *****

***** Trying to perturb instance [ID = #2500]... *****

***** Trying to perturb instance [ID = #2600]... 