In [31]:
import argparse
import logging
import sys
import os
import random
import json
from pathlib import Path
import numpy as np
import seaborn as sns
import matplotlib.pyplot as plt
import pandas as pd

import torch
import torch.nn as nn
import torch.optim as optim
from torch.utils.data import Dataset, DataLoader, TensorDataset
from torch.utils.data.dataset import random_split

from advertorch.attacks import LinfPGDAttack, GradientSignAttack

from model_robustness.attacks.networks import ConvNetLarge, ConvNetSmall

ROOT = Path("")

# 1. Setup

In [9]:
# loading in the SVHN zoo
checkpoint_path = ROOT.joinpath("/netscratch2/dtaskiran/zoos/SVHN/tune_zoo_svhn_hyperparameter_10_fixed_seeds")
data_root = ROOT.joinpath("/netscratch2/jlautz/model_robustness/src/model_robustness/data/SVHN")
data_path = checkpoint_path.joinpath("dataset.pt")
zoo_path = ROOT.joinpath("/netscratch2/dtaskiran/zoos/SVHN/analysis_data_hyp_fix.pt")

In [5]:
# Load in the data
dataset = torch.load(data_path)["testset"]

In [6]:
# Define some parameters
config = {}
config["dataset"] = "SVHN"
config["attack"] = "FGSM"
config["setup"] = "hyp-10-f"
config["eps"] = 0.1
config["nb_iter"] = 10
config["eps_iter"] = config["eps"]/10
config["device"] = "cuda" if torch.cuda.is_available() else "cpu"

In [10]:
# Load in the zoo to see which model was the best performing one
zoo = torch.load(zoo_path)

In [22]:
# Get the best performing model from zoo

# Getting only the 50th epoch's results
a = 0
index_list = [50]
path_list = []
for i in range(len(zoo["paths"])):
    if i == 0:
        aux = zoo["paths"][i]
        path_list.append(zoo["paths"][i])
    
    if zoo["paths"][i] == aux:
        pass
    else: 
        a +=1 
        index_list.append(i+50)
        aux = zoo["paths"][i]
        path_list.append(aux)
        
for i in range(len(path_list)):
    path_list[i] = path_list[i].__str__().split("/")[-1]

# Get all accuracies
acc_list = []
for index in index_list:
    acc_list.append(zoo["acc"][index])
    
# Get the index of max element 
max_index = acc_list.index(max(acc_list))

# Get the corresponding model name
best_model_path = path_list[max_index]

In [26]:
# Load in the best model

model_config_path = os.path.join(checkpoint_path, best_model_path, "params.json")
config_model = json.load(open(model_config_path, ))

model = ConvNetSmall(
    channels_in=config_model["model::channels_in"],
    nlin=config_model["model::nlin"],
    dropout=config_model["model::dropout"],
    init_type=config_model["model::init_type"]
)

try:
    model.load_state_dict(
        torch.load(os.path.join(checkpoint_path, best_model_path, "checkpoint_000050", "checkpoints"))
    )
except RuntimeError:
    model = ConvNetSmall(
        channels_in=config_model["model::channels_in"],
        nlin=config_model["model::nlin"],
        dropout=0,
        init_type=config_model["model::init_type"]
    )
    model.load_state_dict(
        torch.load(os.path.join(checkpoint_path, best_model_path, "checkpoint_000050", "checkpoints"))
    )
    
model.to(config["device"])

ConvNetSmall(
  (module_list): ModuleList(
    (0): Conv2d(1, 8, kernel_size=(5, 5), stride=(1, 1))
    (1): MaxPool2d(kernel_size=2, stride=2, padding=0, dilation=1, ceil_mode=False)
    (2): ReLU()
    (3): Conv2d(8, 6, kernel_size=(5, 5), stride=(1, 1))
    (4): MaxPool2d(kernel_size=2, stride=2, padding=0, dilation=1, ceil_mode=False)
    (5): ReLU()
    (6): Conv2d(6, 4, kernel_size=(2, 2), stride=(1, 1))
    (7): ReLU()
    (8): Flatten(start_dim=1, end_dim=-1)
    (9): Linear(in_features=36, out_features=20, bias=True)
    (10): ReLU()
    (11): Linear(in_features=20, out_features=10, bias=True)
  )
)

In [29]:
# Attack
aux_loader = DataLoader(
    dataset=dataset, 
    batch_size=len(dataset),
    shuffle=False
)

for cln_data, true_labels in aux_loader:
    break
cln_data, true_labels = cln_data.to(config["device"]), true_labels.to(config["device"])

if config["attack"] == "PGD":
    adversary = LinfPGDAttack(
        model,
        loss_fn=nn.CrossEntropyLoss(reduction="sum"),
        eps=config["eps"],
        nb_iter=config["nb_iter"],
        eps_iter=config["eps_iter"],
        rand_init=False,
        clip_min=0.0,
        clip_max=1.0,
        targeted=False
    )
elif config["attack"] == "FGSM":
    adversary = GradientSignAttack(
        model,
        loss_fn=nn.CrossEntropyLoss(reduction="sum"),
        eps=config["eps"],
        targeted=False
    )
else:
    raise NotImplementedError("error: attack type unknown")

In [48]:
# Perturb images
adv_images = adversary.perturb(cln_data, true_labels)

adv_data = torch.utils.data.TensorDataset(adv_images, true_labels)

In [32]:
# Define dataloader for evaluation
loader = DataLoader(
    dataset=dataset,
    batch_size=config_model["training::batchsize"],
    shuffle=False
)

# Define criterion and optimizer
if config_model["optim::optimizer"] == "sgd":
    optimizer = optim.SGD(model.parameters(), lr=config_model["optim::lr"], 
        momentum=config_model["optim::momentum"], weight_decay=config_model["optim::wd"])

elif config_model["optim::optimizer"] == "adam":
    optimizer = optim.Adam(model.parameters(), lr=config_model["optim::lr"], 
        weight_decay=config_model["optim::wd"])
    
criterion = nn.CrossEntropyLoss()

# 2. Normal Performance

In [36]:
# Evaluate        
loss_avg, acc_avg, num_exp = 0, 0, 0

for j, data in enumerate(loader):
            
    model.eval()

    imgs, labels = data
    labels = labels.type(torch.LongTensor)
    imgs, labels = imgs.to(config["device"]), labels.to(config["device"])
    n_b = labels.shape[0]

    outputs = model(imgs)
    loss = criterion(outputs, labels)

    acc = np.sum(np.equal(np.argmax(outputs.cpu().data.numpy(), axis=-1),
        labels.cpu().data.numpy()))

    loss_avg += loss.item()
    acc_avg += acc
    num_exp += n_b

loss_avg /= num_exp
acc_avg /= num_exp

In [37]:
print(loss_avg, acc_avg)

0.05028887705163476 0.8524124154886293


# 3. White Box

In [53]:
# Define dataloader for evaluation
perturbed_loader = DataLoader(
    dataset=adv_data,
    batch_size=config_model["training::batchsize"],
    shuffle=False
)

In [54]:
# Evaluate        
loss_avg, acc_avg, num_exp = 0, 0, 0

for j, data in enumerate(perturbed_loader):
            
    model.eval()

    imgs, labels = data
    labels = labels.type(torch.LongTensor)
    imgs, labels = imgs.to(config["device"]), labels.to(config["device"])
    n_b = labels.shape[0]

    outputs = model(imgs)
    loss = criterion(outputs, labels)

    acc = np.sum(np.equal(np.argmax(outputs.cpu().data.numpy(), axis=-1),
        labels.cpu().data.numpy()))

    loss_avg += loss.item()
    acc_avg += acc
    num_exp += n_b

loss_avg /= num_exp
acc_avg /= num_exp

In [55]:
print(loss_avg, acc_avg)

0.3188218671849115 0.20444068838352797


# 3. Black Box 1: only knowledge of training data

In [43]:
# Save config of source model
source_config = config_model

In [44]:
# Deleting source model from list
del path_list[max_index]

In [63]:
df = pd.read_csv("../../data/all_results.csv")

In [64]:
df.head()

Unnamed: 0.1,Unnamed: 0,name,dataset,attack,setup,eps,dropout,init_type,nlin,lr,momentum,optimizer,wd,seed,old_loss,old_acc,new_loss,new_acc
0,0,NN_tune_trainable_a17ed_00710_710_model::dropo...,MNIST,PGD,hyp-10-r,0.1,0.0,kaiming_normal,tanh,0.001,0.9,sgd,0.0001,674695,0.067,0.979,0.378464,0.3051
1,1,NN_tune_trainable_a17ed_00686_686_model::dropo...,MNIST,PGD,hyp-10-r,0.1,0.0,kaiming_normal,relu,0.0001,0.9,adam,0.0001,486815,0.054,0.984,0.056045,0.8454
2,2,NN_tune_trainable_a17ed_01002_1002_model::drop...,MNIST,PGD,hyp-10-r,0.1,0.0,normal,relu,0.0001,0.9,sgd,0.0001,162638,2.301,0.113,0.230108,0.1135
3,3,NN_tune_trainable_a17ed_00775_775_model::dropo...,MNIST,PGD,hyp-10-r,0.1,0.5,kaiming_normal,tanh,0.001,0.9,adam,0.001,651635,0.134,0.96,0.296555,0.2168
4,4,NN_tune_trainable_a17ed_01098_1098_model::drop...,MNIST,PGD,hyp-10-r,0.1,0.0,normal,relu,0.001,0.9,sgd,0.001,361619,2.301,0.113,0.230111,0.1135


In [65]:
temp = df[df.attack=="FGSM"]
temp = temp[temp.dataset=="SVHN"]
temp = temp[temp.setup=="hyp-10-f"]

In [67]:
temp.optimizer.value_counts()

sgd    21600
Name: optimizer, dtype: int64

In [69]:
for i, path in enumerate(path_list):
    print(f"checking model {i} of {len(path_list)}")
    # Read in config containing the paramters for the i-th model
    model_config_path = os.path.join(checkpoint_path, path, "params.json")
    config_model = json.load(open(model_config_path, ))
    
    # Only read in models that have a different initialization and activation function and optimizer
#     if config_model["model::nlin"] == source_config["model::nlin"]:
#         print(config_model["model::nlin"])
#         continue
#     elif config_model["model::init_type"] == source_config["model::init_type"]:
#         print(config_model["model::init_type"])
#         continue
#     elif config_model["optim::optimizer"] == source_config["optim::optimizer"]:
#         print(config_model["optim::optimizer"])
#         continue
    
    if config_model["model::nlin"] != source_config["model::nlin"] and config_model["model::init_type"] != source_config["model::init_type"]:
        print("success")
    else:
        continue
    
    # Define model and load in state
    model = ConvNetSmall(
        channels_in=config_model["model::channels_in"],
        nlin=config_model["model::nlin"],
        dropout=config_model["model::dropout"],
        init_type=config_model["model::init_type"]
    )
    try:
        model.load_state_dict(
            torch.load(os.path.join(checkpoint_path, path, "checkpoint_000050", "checkpoints"))
        )
    except RuntimeError:
        model = ConvNetSmall(
            channels_in=config_model["model::channels_in"],
            nlin=config_model["model::nlin"],
            dropout=0,
            init_type=config_model["model::init_type"]
        )
        model.load_state_dict(
            torch.load(os.path.join(checkpoint_path, path, "checkpoint_000050", "checkpoints"))
        )
    model.to(config["device"])
    break

checking model 0 of 4319
success


In [70]:
# Evaluate        
loss_avg, acc_avg, num_exp = 0, 0, 0

for j, data in enumerate(perturbed_loader):
            
    model.eval()

    imgs, labels = data
    labels = labels.type(torch.LongTensor)
    imgs, labels = imgs.to(config["device"]), labels.to(config["device"])
    n_b = labels.shape[0]

    outputs = model(imgs)
    loss = criterion(outputs, labels)

    acc = np.sum(np.equal(np.argmax(outputs.cpu().data.numpy(), axis=-1),
        labels.cpu().data.numpy()))

    loss_avg += loss.item()
    acc_avg += acc
    num_exp += n_b
    print(f"Batch {j} of {len(adv_data)/source_config['training::batchsize']} done.")
    
loss_avg /= num_exp
acc_avg /= num_exp

Batch 0 of 2603.2 done.
Batch 1 of 2603.2 done.
Batch 2 of 2603.2 done.
Batch 3 of 2603.2 done.
Batch 4 of 2603.2 done.
Batch 5 of 2603.2 done.
Batch 6 of 2603.2 done.
Batch 7 of 2603.2 done.
Batch 8 of 2603.2 done.
Batch 9 of 2603.2 done.
Batch 10 of 2603.2 done.
Batch 11 of 2603.2 done.
Batch 12 of 2603.2 done.
Batch 13 of 2603.2 done.
Batch 14 of 2603.2 done.
Batch 15 of 2603.2 done.
Batch 16 of 2603.2 done.
Batch 17 of 2603.2 done.
Batch 18 of 2603.2 done.
Batch 19 of 2603.2 done.
Batch 20 of 2603.2 done.
Batch 21 of 2603.2 done.
Batch 22 of 2603.2 done.
Batch 23 of 2603.2 done.
Batch 24 of 2603.2 done.
Batch 25 of 2603.2 done.
Batch 26 of 2603.2 done.
Batch 27 of 2603.2 done.
Batch 28 of 2603.2 done.
Batch 29 of 2603.2 done.
Batch 30 of 2603.2 done.
Batch 31 of 2603.2 done.
Batch 32 of 2603.2 done.
Batch 33 of 2603.2 done.
Batch 34 of 2603.2 done.
Batch 35 of 2603.2 done.
Batch 36 of 2603.2 done.
Batch 37 of 2603.2 done.
Batch 38 of 2603.2 done.
Batch 39 of 2603.2 done.
Batch 40 o

In [71]:
print(loss_avg, acc_avg)

0.22268390600565538 0.1958743085433313


# 4. Black Box 2: knowledge of training data and optimizer

In [None]:
for i, path in enumerate(path_list):
    
    # Read in config containing the paramters for the i-th model
    model_config_path = os.path.join(old_result_path, path, "params.json")
    config_model = json.load(open(model_config_path, ))
    
    # Only read in models that have a different initialization and activation function and optimizer
    if config_model["model::nlin"] == source_config["model::nlin"]:
        continue
    elif config_model["model::init_type"] == source_config["model::init_type"]:
        continue
    elif config_model["optim::optimizer"] != source_config["optim::optimizer"]:
        continue
    
    # Define model and load in state
    model = ConvNetSmall(
        channels_in=config_model["model::channels_in"],
        nlin=config_model["model::nlin"],
        dropout=config_model["model::dropout"],
        init_type=config_model["model::init_type"]
    )
    try:
        model.load_state_dict(
            torch.load(os.path.join(old_result_path, path, "checkpoint_000050", "checkpoints"))
        )
    except RuntimeError:
        model = ConvNetSmall(
            channels_in=config_model["model::channels_in"],
            nlin=config_model["model::nlin"],
            dropout=0,
            init_type=config_model["model::init_type"]
        )
        model.load_state_dict(
            torch.load(os.path.join(old_result_path, path, "checkpoint_000050", "checkpoints"))
        )
    model.to(config["device"])
    break