In [1]:
%%capture
!pip install --upgrade -tensorflow_hub
# !pip install -U -huggingface_hub

import textattack
import transformers
import torch
import time
from datasets import Dataset
import sys
import hashlib
import numpy as np

from transformers import AutoTokenizer, AutoModelForSequenceClassification, BertForMaskedLM, pipeline
from textattack.attack_recipes import (
    TextBuggerLi2018, DeepWordBugGao2018, TextFoolerJin2019, BERTAttackLi2020
)
from textattack.constraints.semantics.sentence_encoders import UniversalSentenceEncoder
from textattack.models.wrappers import ModelWrapper

sys.path.append('../')
from eval_utils import *
sys.path.pop()

2023-08-03 03:15:17.114082: I tensorflow/core/platform/cpu_feature_guard.cc:182] This TensorFlow binary is optimized to use available CPU instructions in performance-critical operations.
To enable the following instructions: AVX2 FMA, in other operations, rebuild TensorFlow with the appropriate compiler flags.


In [2]:
# set a seed, because reproducability is cool
np.random.seed(int(hashlib.sha256('Harrison Gietz'.encode('utf-8')).hexdigest(), 16) % 2**32)
torch.cuda.empty_cache()

device = input('enter a device name to run on: ')
dataset_val = input('Enter the number of samples to run on (100 or 1000): ')
defense = input('Specify a defense type among "default", "logit", "maj_log", "one_hot": ')
cand_size = int(input('enter number of candidates (recommended 12 for quicker run, 50 otherwise): '))

ag_tokenizer = AutoTokenizer.from_pretrained("textattack/bert-base-uncased-ag-news")
ag_model = AutoModelForSequenceClassification.from_pretrained("textattack/bert-base-uncased-ag-news")
ag_model.to(device)
ag_pipeline = pipeline('sentiment-analysis', model=ag_model, tokenizer=ag_tokenizer)
ag_pipeline.device = next(ag_model.parameters()).device

ag_model_directory = "../../../models/bert-uncased_maskedlm_agnews_july31" #first diff
finetuned_ag_maskedlm = BertForMaskedLM.from_pretrained(ag_model_directory)
finetuned_ag_maskedlm.to(device)
ag_fill_mask = pipeline("fill-mask", model=finetuned_ag_maskedlm, tokenizer=ag_tokenizer)
ag_fill_mask.device = next(ag_model.parameters()).device

num_voter = 11
mask_pct = 0.3    
    
attack = TextFoolerJin2019

if dataset_val == '100':
    loaded_ag_100 = Dataset.load_from_disk('../data/filtered_ag_clean_100')
    ag_100 = textattack.datasets.Dataset(convert_to_tuples(loaded_ag_100))
    dataset = ag_100
    dataset_name = 'ag-news100'
elif dataset_val =='1000':
    loaded_ag_1000 = Dataset.load_from_disk('../data/filtered_ag_clean_1000')
    ag_1000 = textattack.datasets.Dataset(convert_to_tuples(loaded_ag_1000))
    dataset = ag_1000
    dataset_name = 'ag-news1000'
else:
    raise ValueError('Number of samples not supported')
    
if defense == "default":
    ag_wrapper = textattack.models.wrappers.HuggingFaceModelWrapper(ag_model, ag_tokenizer)
    print(ag_wrapper)
elif defense == "logit":
    ag_wrapper = MaskDemaskWrapper(ag_model, ag_tokenizer, ag_fill_mask, num_voter, mask_pct, 'logit')
elif defense == 'maj_log':
    ag_wrapper = MaskDemaskWrapper(ag_model, ag_tokenizer, ag_fill_mask, num_voter, mask_pct, 'maj_log')
elif defense == "one_hot":
    ag_wrapper = MaskDemaskWrapper(ag_model, ag_tokenizer, ag_fill_mask, num_voter, mask_pct, 'maj_one_hot')
else:
    raise ValueError('Not a valid defense type.')
    
print(f'using num_voter = {num_voter} and mask_pct = {mask_pct} with dataset = {dataset_name}...')

# Parse the attack name
attack_name = parse_attack_name(attack)
attack = attack.build(ag_wrapper)


# change candidate size
attack.transformation.max_candidates = cand_size
# adjust attack threshold to match Li et al. 2023 (0.5 theshold for AgNews Universal sentences encoder):
attack.constraints[2] = UniversalSentenceEncoder(metric = 'angular', threshold = 0.5, 
                                                 window_size = 15, skip_text_shorter_than_window=True, 
                                                 compare_against_original=False)

# Set up arguments for the attack
attack_args = textattack.AttackArgs(
    num_examples=len(dataset),
    log_to_csv=f'{attack_name}_{dataset_name}_candsize{cand_size}_mp{mask_pct}_nv{num_voter}_{defense}_log.csv',
    checkpoint_interval=25, 
    checkpoint_dir="chkpts_2", 
    disable_stdout=True
)
# Perform the attack and save the results
attacker = textattack.Attacker(attack, dataset, attack_args)
attacker.attack_dataset()

print(f'The above are results for {attack_name}_{dataset_name}_candsize{cand_size}_mp{mask_pct}_nv{num_voter}_{defense}.')

enter a device name to run on: cuda:0
Enter the number of samples to run on (100 or 1000): 1000
Specify a defense type among "default", "logit", "maj_log", "one_hot": one_hot
enter number of candidates (recommended 12 for quicker run, 50 otherwise): 50
using num_voter = 11 and mask_pct = 0.3 with dataset = ag-news1000...
Attack(
  (search_method): GreedyWordSwapWIR(
    (wir_method):  delete
  )
  (goal_function):  UntargetedClassification
  (transformation):  WordSwapEmbedding(
    (max_candidates):  50
    (embedding):  WordEmbedding
  )
  (constraints): 
    (0): WordEmbeddingDistance(
        (embedding):  WordEmbedding
        (min_cos_sim):  0.5
        (cased):  False
        (include_unknown_words):  True
        (compare_against_original):  True
      )
    (1): PartOfSpeech(
        (tagger_type):  nltk
        (tagset):  universal
        (allow_verb_noun_swap):  True
        (compare_against_original):  True
      )
    (2): UniversalSentenceEncoder(
        (metric):  angu

2023-08-03 03:16:06.335040: W tensorflow/core/common_runtime/gpu/gpu_device.cc:1956] Cannot dlopen some GPU libraries. Please make sure the missing libraries mentioned above are installed properly if you would like to use GPU. Follow the guide at https://www.tensorflow.org/install/gpu for how to download and setup the required libraries for your platform.
Skipping registering GPU devices...
2023-08-03 03:16:08.671089: I tensorflow/core/common_runtime/executor.cc:1197] [/device:CPU:0] (DEBUG INFO) Executor start aborting (this does not indicate an error and you can ignore this message): INVALID_ARGUMENT: You must feed a value for placeholder tensor 'inputs' with dtype string
	 [[{{node inputs}}]]
[Succeeded / Failed / Skipped / Total] 1 / 20 / 4 / 25:   2%|▎         | 25/1000 [1:52:08<72:53:22, 269.13s/it]






[Succeeded / Failed / Skipped / Total] 5 / 40 / 5 / 50:   5%|▌         | 50/1000 [3:24:01<64:36:36, 244.84s/it]






[Succeeded / Failed / Skipped / Total] 11 / 57 / 7 / 75:   8%|▊         | 75/1000 [5:08:53<63:29:45, 247.12s/it]






[Succeeded / Failed / Skipped / Total] 14 / 76 / 10 / 100:  10%|█         | 100/1000 [6:57:07<62:34:08, 250.28s/it]






[Succeeded / Failed / Skipped / Total] 17 / 97 / 11 / 125:  12%|█▎        | 125/1000 [9:06:46<63:47:26, 262.45s/it]






[Succeeded / Failed / Skipped / Total] 20 / 118 / 12 / 150:  15%|█▌        | 150/1000 [11:17:27<63:58:56, 270.98s/it]






[Succeeded / Failed / Skipped / Total] 24 / 138 / 13 / 175:  18%|█▊        | 175/1000 [13:08:22<61:56:37, 270.30s/it]






[Succeeded / Failed / Skipped / Total] 26 / 160 / 14 / 200:  20%|██        | 200/1000 [14:51:43<59:26:55, 267.52s/it]






[Succeeded / Failed / Skipped / Total] 27 / 183 / 15 / 225:  22%|██▎       | 225/1000 [17:00:33<58:35:14, 272.15s/it]






[Succeeded / Failed / Skipped / Total] 31 / 203 / 16 / 250:  25%|██▌       | 250/1000 [18:56:47<56:50:21, 272.83s/it]






[Succeeded / Failed / Skipped / Total] 37 / 222 / 16 / 275:  28%|██▊       | 275/1000 [20:19:50<53:35:55, 266.15s/it]






[Succeeded / Failed / Skipped / Total] 41 / 242 / 17 / 300:  30%|███       | 300/1000 [21:39:57<50:33:14, 259.99s/it]






[Succeeded / Failed / Skipped / Total] 45 / 261 / 19 / 325:  32%|███▎      | 325/1000 [22:54:59<47:35:44, 253.84s/it]






[Succeeded / Failed / Skipped / Total] 48 / 282 / 20 / 350:  35%|███▌      | 350/1000 [24:16:25<45:04:46, 249.67s/it]






[Succeeded / Failed / Skipped / Total] 49 / 305 / 21 / 375:  38%|███▊      | 375/1000 [25:52:25<43:07:22, 248.39s/it]






[Succeeded / Failed / Skipped / Total] 54 / 325 / 21 / 400:  40%|████      | 400/1000 [27:14:37<40:51:55, 245.19s/it]






[Succeeded / Failed / Skipped / Total] 55 / 348 / 22 / 425:  42%|████▎     | 425/1000 [29:01:21<39:15:56, 245.84s/it]






[Succeeded / Failed / Skipped / Total] 60 / 367 / 23 / 450:  45%|████▌     | 450/1000 [30:27:49<37:14:00, 243.71s/it]






[Succeeded / Failed / Skipped / Total] 61 / 389 / 25 / 475:  48%|████▊     | 475/1000 [31:45:14<35:05:47, 240.66s/it]






[Succeeded / Failed / Skipped / Total] 64 / 407 / 29 / 500:  50%|█████     | 500/1000 [33:03:19<33:03:19, 238.00s/it]






[Succeeded / Failed / Skipped / Total] 68 / 428 / 29 / 525:  52%|█████▎    | 525/1000 [34:35:15<31:17:36, 237.17s/it]






[Succeeded / Failed / Skipped / Total] 70 / 450 / 30 / 550:  55%|█████▌    | 550/1000 [35:51:52<29:20:37, 234.75s/it]






[Succeeded / Failed / Skipped / Total] 72 / 472 / 31 / 575:  57%|█████▊    | 575/1000 [37:09:53<27:28:10, 232.68s/it]






[Succeeded / Failed / Skipped / Total] 75 / 494 / 31 / 600:  60%|██████    | 600/1000 [38:32:29<25:41:39, 231.25s/it]






[Succeeded / Failed / Skipped / Total] 75 / 517 / 33 / 625:  62%|██████▎   | 625/1000 [39:55:17<23:57:10, 229.95s/it]






[Succeeded / Failed / Skipped / Total] 78 / 539 / 33 / 650:  65%|██████▌   | 650/1000 [41:19:36<22:15:10, 228.89s/it]






[Succeeded / Failed / Skipped / Total] 79 / 563 / 33 / 675:  68%|██████▊   | 675/1000 [42:46:05<20:35:31, 228.10s/it]






[Succeeded / Failed / Skipped / Total] 80 / 587 / 33 / 700:  70%|███████   | 700/1000 [44:25:29<19:02:21, 228.47s/it]






[Succeeded / Failed / Skipped / Total] 81 / 611 / 33 / 725:  72%|███████▎  | 725/1000 [45:49:10<17:22:47, 227.52s/it]






[Succeeded / Failed / Skipped / Total] 84 / 632 / 34 / 750:  75%|███████▌  | 750/1000 [47:10:37<15:43:32, 226.45s/it]






[Succeeded / Failed / Skipped / Total] 87 / 652 / 36 / 775:  78%|███████▊  | 775/1000 [48:26:32<14:03:50, 225.02s/it]






[Succeeded / Failed / Skipped / Total] 88 / 675 / 37 / 800:  80%|████████  | 800/1000 [49:43:50<12:25:57, 223.79s/it]






[Succeeded / Failed / Skipped / Total] 95 / 693 / 37 / 825:  82%|████████▎ | 825/1000 [50:55:10<10:48:04, 222.19s/it]






[Succeeded / Failed / Skipped / Total] 96 / 715 / 39 / 850:  85%|████████▌ | 850/1000 [52:03:45<9:11:15, 220.50s/it] 






[Succeeded / Failed / Skipped / Total] 101 / 734 / 40 / 875:  88%|████████▊ | 875/1000 [53:04:04<7:34:52, 218.34s/it]






[Succeeded / Failed / Skipped / Total] 105 / 754 / 41 / 900:  90%|█████████ | 900/1000 [54:06:00<6:00:40, 216.40s/it]






[Succeeded / Failed / Skipped / Total] 109 / 775 / 41 / 925:  92%|█████████▎| 925/1000 [55:20:38<4:29:14, 215.39s/it]






[Succeeded / Failed / Skipped / Total] 110 / 798 / 42 / 950:  95%|█████████▌| 950/1000 [56:41:15<2:59:00, 214.82s/it]






[Succeeded / Failed / Skipped / Total] 114 / 818 / 43 / 975:  98%|█████████▊| 975/1000 [57:52:33<1:29:02, 213.70s/it]






[Succeeded / Failed / Skipped / Total] 116 / 840 / 44 / 1000: 100%|██████████| 1000/1000 [59:08:10<00:00, 212.89s/it]






[Succeeded / Failed / Skipped / Total] 116 / 840 / 44 / 1000: 100%|██████████| 1000/1000 [59:08:11<00:00, 212.89s/it]


+-------------------------------+--------+
| Attack Results                |        |
+-------------------------------+--------+
| Number of successful attacks: | 116    |
| Number of failed attacks:     | 840    |
| Number of skipped attacks:    | 44     |
| Original accuracy:            | 95.6%  |
| Accuracy under attack:        | 84.0%  |
| Attack success rate:          | 12.13% |
| Average perturbed word %:     | 3.1%   |
| Average num. words per input: | 38.43  |
| Avg num queries:              | 576.71 |
+-------------------------------+--------+
The above are results for TextFoolerJin2019_ag-news1000_candsize50_mp0.3_nv11_one_hot.



