In [1]:
import numpy as onp
import tensorflow as tf
import matplotlib.pyplot as plt

from utils import *

In [2]:
gpus = tf.config.experimental.list_physical_devices('GPU')
if gpus:
  # Restrict TensorFlow to only use the first GPU
    try:
        tf.config.experimental.set_visible_devices(gpus[0], 'GPU')
        logical_gpus = tf.config.experimental.list_logical_devices('GPU')
        print(len(gpus), "Physical GPUs,", len(logical_gpus), "Logical GPU")
    except RuntimeError as e:
    # Visible devices must be set before GPUs have been initialized
        print(e)

1 Physical GPUs, 1 Logical GPU


# hyperparameters

In [3]:
#data
DATASET = 'cifar10'
class_num   = 10
test_size   = None
train_size  = 45000
image_shape = None

if DATASET =='mnist':
    image_shape = (28, 28, 1)
elif DATASET == 'cifar10':
    image_shape = (32, 32, 3)

#training
batch_size = 256
epochs = 200

In [4]:
x_train_all, y_train_all, x_test_all, y_test_all = tuple(onp.array(x) for x in get_dataset(DATASET, None, None, 
                                                                                  do_flatten_and_normalize=False))

In [5]:
# shuffle
seed = 0
x_train_all, y_train_all = shaffle(x_train_all, y_train_all, seed)

In [6]:
# down sample
x_train = x_train_all[:train_size]
y_train = y_train_all[:train_size]

x_valid = x_train_all[train_size:]
y_valid = y_train_all[train_size:]

x_test = x_test_all[:test_size]
y_test = y_test_all[:test_size]

In [7]:
x_train, x_valid, x_test = x_train.reshape((-1, *image_shape)), x_valid.reshape((-1, *image_shape)), x_test.reshape((-1, *image_shape))

In [8]:
train_ds = tf.data.Dataset.from_tensor_slices((x_train, y_train))
train_ds = train_ds.shuffle(
    100000
).batch(
    batch_size
).prefetch(10)

In [9]:
valid_ds = tf.data.Dataset.from_tensor_slices((x_valid, y_valid)).batch(batch_size)

In [10]:
layers = tf.keras.layers

In [11]:
img_input = layers.Input(shape=image_shape)
x = layers.Conv2D(64, (3, 3), activation='relu', padding='same', 
                  kernel_initializer=tf.keras.initializers.GlorotNormal())(img_input)
x = layers.Conv2D(64, (3, 3), activation='relu', padding='same',
                 kernel_initializer=tf.keras.initializers.GlorotNormal())(x)
x = layers.Conv2D(128, (3, 3), activation='relu', padding='same', 
                  kernel_initializer=tf.keras.initializers.GlorotNormal())(x)
x = layers.Conv2D(128, (3, 3), activation='relu', padding='same',
                 kernel_initializer=tf.keras.initializers.GlorotNormal())(x)
x = layers.Conv2D(256, (3, 3), activation='relu', padding='same', 
                  kernel_initializer=tf.keras.initializers.GlorotNormal())(x)
x = layers.Conv2D(256, (3, 3), activation='relu', padding='same',
                 kernel_initializer=tf.keras.initializers.GlorotNormal())(x)
x = layers.Conv2D(256, (3, 3), activation='relu', padding='same',
                 kernel_initializer=tf.keras.initializers.GlorotNormal())(x)
x = layers.Conv2D(256, (3, 3), activation='relu', padding='same',
                 kernel_initializer=tf.keras.initializers.GlorotNormal())(x)
x = layers.Conv2D(512, (3, 3), activation='relu', padding='same', 
                  kernel_initializer=tf.keras.initializers.GlorotNormal())(x)
x = layers.Conv2D(512, (3, 3), activation='relu', padding='same',
                 kernel_initializer=tf.keras.initializers.GlorotNormal())(x)
x = layers.Conv2D(512, (3, 3), activation='relu', padding='same',
                 kernel_initializer=tf.keras.initializers.GlorotNormal())(x)
x = layers.Conv2D(512, (3, 3), activation='relu', padding='same',
                 kernel_initializer=tf.keras.initializers.GlorotNormal())(x)
x = layers.Conv2D(512, (3, 3), activation='relu', padding='same', 
                  kernel_initializer=tf.keras.initializers.GlorotNormal())(x)
x = layers.Conv2D(512, (3, 3), activation='relu', padding='same',
                 kernel_initializer=tf.keras.initializers.GlorotNormal())(x)
x = layers.Conv2D(512, (3, 3), activation='relu', padding='same',
                 kernel_initializer=tf.keras.initializers.GlorotNormal())(x)
x = layers.Conv2D(512, (3, 3), activation='relu', padding='same',
                 kernel_initializer=tf.keras.initializers.GlorotNormal())(x)
x = layers.Flatten()(x)
x = layers.Dense(512, activation='relu', kernel_initializer=tf.keras.initializers.GlorotNormal())(x)
out = layers.Dense(10, kernel_initializer=tf.keras.initializers.GlorotNormal())(x)

model = tf.keras.Model(inputs=img_input, outputs=out)

In [12]:
def scheduler(epoch, lr):
    if epoch < 10:
        return 1e-3
    elif epoch < 90:
        return 1e-2
    elif epoch < 150:
        return 1e-3
    else:
        return 1e-4

In [13]:
model.compile(optimizer=tf.keras.optimizers.SGD(momentum=0.9),
              loss=tf.keras.losses.CategoricalCrossentropy(from_logits=True),
              metrics=['accuracy'])

In [14]:
callback = tf.keras.callbacks.LearningRateScheduler(scheduler)

In [15]:
# model.fit(x=train_ds, validation_data=valid_ds, epochs=epochs, callbacks=[callback])

In [16]:
model.load_weights('./model_weights/cnn_19_train=all-without-DA_ce.h5')

In [17]:
tmp = onp.load('./npy/cifar-untargeted-cifar-nn-grey-box-train=all-ce-without-momentum.npy')
model.evaluate(x=tmp[:512], y=y_test_all[:512], verbose=0)

[12.426138371229172, 0.40820312]

In [17]:
model.evaluate(x=x_test, y=y_test_all, verbose=0)

[5.2850244560241695, 0.6234]

In [18]:
time = [1e3, 5e3, 1e4, 2e4, 4e4, 8e4, 16e4]
for i, t in enumerate(time):
    time[i] = str(int(t))
time.append('None')

csv_file_name = "cnn19"
table = onp.zeros((3, 8))

for i, t in enumerate(time):
    
    tmp = onp.load('./batch_NTK_simple_time=%s.npy'%(t))
    result = model.evaluate(tmp, y_test[:512], verbose=0)
    table[0][i] = result[1]
    
    tmp = onp.load('./batch_NTK_simple_no_dense_time=%s.npy'%(t))
    result = model.evaluate(tmp, y_test[:512], verbose=0)
    table[1][i] = result[1]
    
    tmp = onp.load('./batch_NTK_simple_stride_no_dense_time=%s.npy'%(t))
    result = model.evaluate(tmp, y_test[:512], verbose=0)
    table[2][i] = result[1]
    
onp.savetxt(csv_file_name+".csv", table, delimiter=",", fmt='%.3f')

In [18]:
csv_file_name = "cnn19_decrease"
table = onp.zeros((4, 8))
lambd = ["0.00", "0.25", "0.50", "0.75"]
for l in range(4):
    lamb = lambd[l]
    for idx, t in enumerate(np.load('time.npy')):
        file = './variance-and-time/decrease/batch_NTK_simple_decrease_variance_lambda=' + lamb + '_time=%d.npy'%(t)
        tmp = onp.load(file)
        # print('evaluating file: %s'%(file))
        result = model.evaluate(tmp, y_test[:512], verbose=0)
        table[l][idx] = result[1]
        # print(result)
onp.savetxt(csv_file_name+".csv", table, delimiter=",", fmt='%.3f')

In [20]:
csv_file_name = "cnn19_increase"
table = onp.zeros((4, 8))
lambd = ["0.00", "0.25", "0.50", "0.75"]
for l in range(4):
    lamb = lambd[l]
    for idx, t in enumerate(np.load('time.npy')):
        file = './variance-and-time/increase/batch_NTK_simple_increase_variance_lambda=' + lamb + '_time=%d.npy'%(t)
        tmp = onp.load(file)
        # print('evaluating file: %s'%(file))
        result = model.evaluate(tmp, y_test[:512], verbose=0)
        table[l][idx] = result[1]
        # print(result)
onp.savetxt(csv_file_name+".csv", table, delimiter=",", fmt='%.3f')

In [18]:
csv_file_name = "cnn19_decrease"
table = onp.zeros((8, 4))
for l in range(8):
    lamb = 10**l
    for idx, t in enumerate([1e5, 5e5, 1e6, 2.3e6]):
        file = './batch_NTK_simple_increase_variance_lambda=%d_time=%d.npy'%(lamb, t)
        tmp = onp.load(file)
        # print('evaluating file: %s'%(file))
        result = model.evaluate(tmp, y_test[:512], verbose=0)
        table[l][idx] = result[1]
        # print(result)
onp.savetxt(csv_file_name+".csv", table, delimiter=",", fmt='%.3f')

In [28]:
file_list = ['./variance-and-time/cifar-fgsm-eps-0.03-time-500000.npy',
             './variance-and-time/cifar-fgsm-eps-0.03-time-100000.npy',
             './variance-and-time/cifar-fgsm-eps-0.03-time-1000000.npy',
             './variance-and-time/cifar-fgsm-eps-0.03-time-2300000.npy',
             './npy/batch_NTK_simple.npy',
             './npy/cifar-untargeted-cifar-nn-grey-box-train=all-ce.npy',
             './npy/batch_NTK_cnn19.npy',
             './npy/cifar-untargeted-cifar-nn-grey-box-cnn19-train=all-ce.npy']

for f in file_list:
    tmp = onp.load(f)
    print('evaluating file: %s'%(f))
    result = model.evaluate(tmp[:512], y_test[:512], verbose=0)
    print(result)

evaluating file: ./variance-and-time/cifar-fgsm-eps-0.03-time-500000.npy
[7.637354135513306, 0.5449219]
evaluating file: ./variance-and-time/cifar-fgsm-eps-0.03-time-100000.npy
[7.636732697486877, 0.5449219]
evaluating file: ./variance-and-time/cifar-fgsm-eps-0.03-time-1000000.npy
[7.637354135513306, 0.5449219]
evaluating file: ./variance-and-time/cifar-fgsm-eps-0.03-time-2300000.npy
[7.637354135513306, 0.5449219]
evaluating file: ./npy/batch_NTK_simple.npy
[7.637354135513306, 0.5449219]
evaluating file: ./npy/cifar-untargeted-cifar-nn-grey-box-train=all-ce.npy
[11.395404875278473, 0.41601562]
evaluating file: ./npy/batch_NTK_cnn19.npy
[7.081207990646362, 0.56640625]
evaluating file: ./npy/cifar-untargeted-cifar-nn-grey-box-cnn19-train=all-ce.npy
[59.88153052330017, 0.060546875]


In [None]:
# targted
targeted_clean_x = onp.load('./cifar-targeted-clean-x.npy')
targeted_clean_y = onp.load('./cifar-targeted-clean-y.npy')

file_list = ['./batch_NTK_simple-targeted-fgsm-x-t=100000.npy',
             './batch_NTK_simple-targeted-fgsm-x-t=500000.npy',
             './batch_NTK_simple-targeted-fgsm-x-t=1000000.npy',
             './batch_NTK_simple-targeted-fgsm-x-t=2300000.npy',
             './npy/cifar-targeted-simple-cnn-fgsm.npy'
            ]

for f in file_list:
    tmp = onp.load(f)
    print('evaluating file: %s'%(f))
    correct = onp.argmax(model(targeted_clean_x), axis=1) == onp.argmax(targeted_clean_y, axis=1)
    adv_example = onp.load(f)[:512]
    attack_targeted = onp.argmax(model(adv_example), axis=1) == 0
    success = correct & attack_targeted
    print(onp.mean(success))

evaluating file: ./batch_NTK_simple-targeted-fgsm-x-t=100000.npy


To change all layers to have dtype float64 by default, call `tf.keras.backend.set_floatx('float64')`. To change just this layer, pass dtype='float64' to the layer constructor. If you are the author of this layer, you can disable autocasting by passing autocast=False to the base Layer constructor.





To change all layers to have dtype float64 by default, call `tf.keras.backend.set_floatx('float64')`. To change just this layer, pass dtype='float64' to the layer constructor. If you are the author of this layer, you can disable autocasting by passing autocast=False to the base Layer constructor.



In [None]:
# model.save('./model_weights/cnn_19_train=all-without-DA_ce.h5')

In [16]:
ce_loss = tf.keras.losses.CategoricalCrossentropy(from_logits=True)

@tf.function
def targeted_fgsm(x, y_target, model, eps):
    with tf.GradientTape() as tp:
        tp.watch(x)
        y = model(x)
        loss = ce_loss(y_target, y)
    grad = tp.gradient(loss, x)
    return tf.clip_by_value(x - eps * tf.sign(grad), 0, 1)

@tf.function
def untargeted_fgsm(x, y_true, model, eps):
    with tf.GradientTape() as tp:
        tp.watch(x)
        y = model(x)
        loss = ce_loss(y_true, y)
    grad = tp.gradient(loss, x)
    return tf.clip_by_value(x + eps * tf.sign(grad), 0, 1)

In [25]:
num_iter = 2048 // batch_size
tmp = []
for i in range(num_iter):
    tmp.append(onp.asarray(untargeted_fgsm(x_test[i*batch_size:(i+1)*batch_size], 
                                           y_test[i*batch_size:(i+1)*batch_size], model, 0.03)))

In [None]:
#　tmp = untargeted_fgsm(x_test[:2048], y_test[:2048], model, 0.03)
model.evaluate(tmp[:2048], y_test[:2048])

In [19]:
file_list = ['batch_NTK_simple_decrease_variance.npy',
             'batch_NTK_simple_increase_variance.npy',
             'batch_NTK_CNN10_decrease_variance.npy',
             'batch_NTK_CNN10_increase_variance.npy']

for f in file_list:
    tmp = onp.load(f)
    print('evaluating file: %s'%(f))
    result = model.evaluate(tmp, y_test[:2048], verbose=0)
    print(result)

evaluating file: batch_NTK_simple_decrease_variance.npy
[7.852622307837009, 0.49951172]
evaluating file: batch_NTK_simple_increase_variance.npy
[7.7636863514781, 0.49951172]
evaluating file: batch_NTK_CNN10_decrease_variance.npy
[7.327017351984978, 0.52001953]
evaluating file: batch_NTK_CNN10_increase_variance.npy
[7.319987915456295, 0.51708984]


In [34]:
onp.save('./npy/cifar-untargeted-cifar-nn-grey-box-cnn19-train=all-ce.npy', tmp)

In [35]:
tmp = onp.load('./npy/cifar-untargeted-cifar-nn-grey-box-train=all-ce.npy')
print("==========small============")
model.evaluate(tmp, y_test[:2048], verbose=0)



[11.794343948364258, 0.390625]

In [31]:
tmp = onp.load('./npy/cifar-eps-time-any-npy/cifar-fgsm-eps-0.03-time-None.npy')
print("==========NTK============")
model.evaluate(tmp, y_test[:128], verbose=0)



[5.813302040100098, 0.53125]

In [20]:
tmp = onp.load('./npy/cifar-untargeted-cifar-nn-grey-box-train=4096-ce.npy')
print("==========CE============")
model.evaluate(tmp, y_test[:2048], verbose=0)



[7.306795120239258, 0.5166015625]

In [21]:
tmp = onp.load('./npy/cifar-untargeted-cifar-nn-grey-box-train=4096-mse.npy')
print("==========MSE============")
model.evaluate(tmp, y_test[:2048], verbose=0)



[7.127355575561523, 0.52099609375]

In [23]:
tmp = onp.load('./npy/cifar-fgsm-eps-0.03-time-None-nngp.npy')
model.evaluate(tmp, y_test[:128], verbose=0)

[5.009244918823242, 0.5859375]

In [18]:
tmp = onp.load('./batch_NTK_simple.npy')
model.evaluate(tmp, y_test[:2048], verbose=0)

[7.822888374328613, 0.5009765625]

In [16]:
tmp = onp.load('./batch_NTK_cnn_19.npy')
model.evaluate(tmp, y_test[:2048], verbose=0)

[7.321274280548096, 0.51806640625]