# FGSM Attack 1

TJ Kim

12.17.20

### Summary:

Load a single neural network within the multiple clients present in the federated learning setting. Then on that single neural network, make a Module.nn pytorch model with the weights and attack that.

- Use misclassification attack first
- Then move onto targetted attack


The FGSM attack code is taken from here: https://pytorch.org/tutorials/beginner/fgsm_tutorial.html

First move into working directory.

In [1]:
cd '/home/ubuntu/satya_code/' 

/home/ubuntu/satya_code


### Load Relevant Libraries and Modules

Load the relevant libraries for the federated learning code.

In [2]:
import time
import yaml
        
from femnist_dataloader import Dataloader
from cnn_head import CNN_Head
from cnn_neck import CNN_Neck
from cnn_server import Server
from cnn_client import Client
from data_manager import DataManager
from utils import cuda, where

from utilities import freeze_layers
import numpy as np
import torch
import matplotlib.pyplot as plt
import random
import csv
import os
import pickle
from torch.autograd import Variable

import multiprocessing as mp

import queue

# Extra not from py file
from collections import OrderedDict 
import itertools

Load the relevant libraries for example FGSM.

In [3]:
from __future__ import print_function
import torch
import torch.nn as nn
import torch.nn.functional as F
import torch.optim as optim
from torchvision import datasets, transforms
import numpy as np
import matplotlib.pyplot as plt

### Generate Victim Model from FL Client

Import the existing FL client weights, and attempt to reconstruct the architecture and load the relevant weights.

First we build a custom nn module to hold the head and neck together. We desire to obtain gradient information from this victim model.

In [78]:
class Victim_NN(nn.Module):
    """
    Summary: 
    
    Pytorch NN module that takes pre-trained weights from layered personalized model
    We also load the data-loader and give test,attack functionality
    
    """
    
    def __init__(self, head_network, neck_network, dataloader):
        
        # Init attributes
        super(Victim_NN, self).__init__()
        self.head = head_network
        self.neck = neck_network
        self.dataloader = dataloader
        self.criterion = nn.NLLLoss()
        
        # test_acc attributes
        self.orig_test_acc = None
        self.adv_test_acc = None
        
        self.orig_output_sim = None
        self.adv_output_sim = None
        
        # I_FGSM attributes
        self.x_orig = None
        self.x_adv = None
        self.y_orig = None
        self.target = None
        
        self.softmax_orig = None
        self.output_orig = None
        self.softmax_adv = None
        self.output_adv = None
        
        self.orig_loss = None
        self.adv_loss = None
        self.orig_acc = None
        self.adv_acc = None
        
    def forward(self,x):
        x = self.neck.forward(x)
        x = self.head.forward(x)
        
        return x
    
    def forward_transfer(self, x_orig, x_adv, y_orig, y_adv,
                         true_labels, target, print_info = False):
        """
        Assume that input images are in pytorch tensor format
        """
        
        batch_size = y_orig.shape[0]
        
        # Forward Two Input Types
        h_adv = self.forward(x_adv)
        h_orig = self.forward(x_orig)
        h_adv_category = torch.argmax(h_adv,dim = 1)
        h_orig_category = torch.argmax(h_orig,dim = 1)
        
        # Record Different Parameters
        self.orig_test_acc = (h_orig_category == true_labels).float().sum()/batch_size
        self.adv_test_acc = (h_adv_category == true_labels).float().sum()/batch_size
        
        self.orig_output_sim = (h_orig_category == y_orig).float().sum()/batch_size
        self.adv_output_sim = (h_adv_category == y_adv).float().sum()/batch_size
        
        self.orig_target_achieve = (h_orig_category == target).float().sum()/batch_size
        self.adv_target_achieve = (h_adv_category == target).float().sum()/batch_size

        
        # Print Relevant Information
        if print_info:
            print("---- Attack Transfer:", "----\n")
            print("         Orig Test Acc:", self.orig_test_acc.item())
            print("          Adv Test Acc:", self.adv_test_acc.item())
            print("Orig Output Similarity:", self.orig_output_sim.item())
            print(" Adv Output Similarity:", self.adv_output_sim.item())
            print("       Orig Target Hit:", self.orig_target_achieve.item())
            print("        Adv Target Hit:", self.adv_target_achieve.item())
        
    def i_fgsm(self, batch_size = 10, target= -1, eps=0.03, alpha=1, 
               iteration=1, x_val_min=-1, x_val_max=1, print_info=False):
        """
        batch_size - number of images to adversarially perturb
        targetted - target class output we desire to alter all inputs into
        eps - max amount to add perturbations per pixel per iteration
        alpha - gradient scaling (increase minimum perturbation amount below epsilon)
        iteration - how many times to perturb
        x_val_min/max - NN input valid range to keep perturbations within
        """
        self.eval()
        
        # Load data to perturb
    
        image_data = self.dataloader.load_batch(batch_size)
        self.x_orig  = torch.Tensor(image_data['input']).reshape(batch_size,1,28,28)
        self.y_orig = torch.Tensor(image_data['label']).type(torch.LongTensor).cuda()
        self.target = target
        
        self.x_adv = Variable(self.x_orig, requires_grad=True)
        
        for i in range(iteration):
            
            h_adv = self.forward(self.x_adv)
            
            # Loss function based on target
            if target > -1:
                target_tensor = torch.LongTensor(self.y_orig.size()).fill_(target)
                target_tensor = Variable(cuda(target_tensor, self.cuda), requires_grad=False)
                cost = self.criterion(h_adv, target_tensor)
            else:
                cost = -self.criterion(h_adv, self.y_orig)

            self.zero_grad()

            if self.x_adv.grad is not None:
                self.x_adv.grad.data.fill_(0)
            cost.backward()

            self.x_adv.grad.sign_()
            self.x_adv = self.x_adv - alpha*self.x_adv.grad
            self.x_adv = where(self.x_adv > self.x_orig+eps, self.x_orig+eps, self.x_adv)
            self.x_adv = where(self.x_adv < self.x_orig-eps, self.x_orig-eps, self.x_adv)
            self.x_adv = torch.clamp(self.x_adv, x_val_min, x_val_max)
            self.x_adv = Variable(self.x_adv.data, requires_grad=True)

        self.softmax_orig = self.forward(self.x_orig)
        self.output_orig = torch.argmax(self.softmax_orig,dim=1)
        self.softmax_adv = self.forward(self.x_adv)
        self.output_adv = torch.argmax(self.softmax_adv,dim=1)
        
        # Record accuracy and loss
        self.orig_loss = self.criterion(self.softmax_orig, self.y_orig).item()
        self.adv_loss = self.criterion(self.softmax_adv, self.y_orig).item()
        self.orig_acc = (self.output_orig == self.y_orig).float().sum()/batch_size
        self.adv_acc = (self.output_adv == self.y_orig).float().sum()/batch_size
        
        # Add Perturbation Distance (L2 norm) - across each input
        self.norm = torch.norm(torch.sub(self.x_orig, self.x_adv, alpha=1),dim=(2,3))

        # Print Relevant Information
        if print_info:
            print("---- FGSM Batch Size:", batch_size, "----\n")
            print("Orig Target:", self.y_orig.tolist())
            print("Orig Output:", self.output_orig.tolist())
            print("ADV Output :", self.output_adv.tolist(),'\n')
            print("Orig Loss  :", self.orig_loss)
            print("ADV Loss   :", self.adv_loss,'\n')
            print("Orig Acc   :", self.orig_acc.item())
            print("ADV Acc    :", self.adv_acc.item())
        
        

Load the first (0th) client weights into a dummy head/neck networks. 

In [5]:
# Generate Head and Neck NN objects
mode = 'cuda'
head_nn = CNN_Head(mode)
neck_nn = CNN_Neck(mode)

# Which network to load and directory
i = 0
exp_path = "Results/federated_system/individual_head_networks/"
nn_path = exp_path + "individual_head_networks_"

# Load pre-trained weights
head_path = nn_path + str(i) +"_head_network"
neck_path = nn_path + str(i) +"_neck_network"

head = torch.load(head_path)
neck = torch.load(neck_path)
    
head_edit = OrderedDict()
neck_edit = OrderedDict()

# Edit the ordered_dict key names to be torch compatible
for key in head.keys():
    head_edit["network."+key] = head[key]

for key in neck.keys():
    neck_edit["network."+key] = neck[key]

head_nn.load_state_dict(head_edit)
neck_nn.load_state_dict(neck_edit)



<All keys matched successfully>

### Data Loader and IFGSM Attack

Pass inputs from the dataloader and see accuracy for this client.

In [6]:
# Obtain Information Regarding Dataset Slices
with open(r'config.yaml') as file:
        config = yaml.load(file, Loader=yaml.FullLoader)
        
file_indices = [i for i in range(config['num_sets'])]
#random.shuffle(file_indices)
client_slice = len(file_indices)//config['num_clients']

# Load the relevant dataloader for this specific user (0)
i = 0
loader = Dataloader(file_indices,[i*(client_slice),min((i+1)*(client_slice),35)])  
loader.load_training_dataset()
loader.load_testing_dataset()

Loading  all_data_12_niid_0_keep_0_train_9.json
Loading  all_data_20_niid_0_keep_0_train_9.json
Loading  all_data_11_niid_0_keep_0_train_9.json
Loading  all_data_18_niid_0_keep_0_train_9.json


In [61]:
victim_nn = Victim_NN(head_nn,neck_nn,loader)

In [62]:
victim_nn.i_fgsm(batch_size = 20, target= 5, eps=0.1, alpha=0.1, 
               iteration=30, x_val_min=-1, x_val_max=1, print_info=True)

---- FGSM Batch Size: 20 ----

Orig Target: [8, 3, 1, 28, 24, 34, 0, 31, 36, 40, 7, 44, 8, 24, 47, 27, 6, 22, 36, 2]
Orig Output: [8, 3, 1, 28, 24, 34, 0, 31, 36, 40, 7, 44, 8, 0, 47, 27, 6, 22, 36, 2]
ADV Output : [8, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 55, 5, 5, 5, 10, 5] 

Orig Loss  : 0.1797807663679123
ADV Loss   : 6.2781171798706055 

Orig Acc   : 0.949999988079071
ADV Acc    : 0.05000000074505806


In [63]:
victim_nn.forward_transfer(victim_nn.x_orig, victim_nn.x_adv, victim_nn.output_orig, victim_nn.output_adv,
                         victim_nn.y_orig, victim_nn.target, print_info = True)

---- Attack Transfer: ----

         Orig Test Acc: 0.949999988079071
          Adv Test Acc: 0.05000000074505806
Orig Output Similarity: 1.0
 Adv Output Similarity: 1.0
       Orig Target Hit: 0.0
        Adv Target Hit: 0.8500000238418579


### Transfer Attack Between All 8 Clients

Load all data loaders and perform transfer attacks amongst each of the clients in the system.

In [87]:
# Matrix to Record Performance
orig_acc_transfers = np.zeros((1,config['num_clients']))
orig_similarities = np.zeros((1,config['num_clients']))
orig_target_hit = np.zeros((1,config['num_clients']))
adv_acc_transfers = np.zeros((1,config['num_clients']))
adv_similarities = np.zeros((1,config['num_clients']))
adv_target_hit = np.zeros((1,config['num_clients']))


# Attack Params
batch_size = 1000
eps = 0.1
alpha = 0.1
iteration = 30
target = 5

In [88]:
def load_victim(idx, loader):
    # Load the corresponding head/neck network in victim nn module 
    
    # Which network to load and directory
    exp_path = "Results/federated_system/individual_head_networks/"
    nn_path = exp_path + "individual_head_networks_"

    # Load pre-trained weights
    head_path = nn_path + str(idx) +"_head_network"
    neck_path = nn_path + str(idx) +"_neck_network"

    head = torch.load(head_path)
    neck = torch.load(neck_path)

    head_edit = OrderedDict()
    neck_edit = OrderedDict()

    # Edit the ordered_dict key names to be torch compatible
    for key in head.keys():
        head_edit["network."+key] = head[key]

    for key in neck.keys():
        neck_edit["network."+key] = neck[key]

    head_nn.load_state_dict(head_edit)
    neck_nn.load_state_dict(neck_edit)
    
    return Victim_NN(head_nn,neck_nn,loader)

In [89]:
for source in range(1):
    
    # Bring in the data loader for this client
    loader = Dataloader(file_indices,[source*(client_slice),min((source+1)*(client_slice),35)])  
    loader.load_training_dataset()
    loader.load_testing_dataset()
    
    victim_source = load_victim(source,loader)
    
    # Generate adversarial Perturbations
    victim_source.i_fgsm(batch_size = batch_size, target= target, eps=eps, alpha=alpha, 
               iteration=iteration, x_val_min=-1, x_val_max=1, print_info=False)
    
    # Record relevant tensors
    x_orig = victim_source.x_orig
    y_orig = victim_source.output_orig
    y_true = victim_source.y_orig
    x_adv = victim_source.x_adv
    y_adv = victim_source.output_adv
    
    print("======== Source", source, "========")
    
    for dest in range(config['num_clients']):
        
        print("    ==== Dest", dest, "====")
        
        victim_dest = load_victim(dest,loader)
            
        # Compute Stats and record
        victim_dest.forward_transfer(x_orig,x_adv,y_orig,y_adv,y_true, target, print_info=False)
        
        orig_acc_transfers[source,dest] = victim_dest.orig_test_acc
        orig_similarities[source,dest] = victim_dest.orig_output_sim
        orig_target_hit[source,dest] = victim_dest.orig_target_achieve
        
        adv_acc_transfers[source,dest] = victim_dest.adv_test_acc
        adv_similarities[source,dest] = victim_dest.adv_output_sim
        adv_target_hit[source,dest] = victim_dest.adv_target_achieve

Loading  all_data_12_niid_0_keep_0_train_9.json
Loading  all_data_20_niid_0_keep_0_train_9.json
Loading  all_data_11_niid_0_keep_0_train_9.json
Loading  all_data_18_niid_0_keep_0_train_9.json
    ==== Dest 0 ====
    ==== Dest 1 ====
    ==== Dest 2 ====
    ==== Dest 3 ====
    ==== Dest 4 ====
    ==== Dest 5 ====
    ==== Dest 6 ====
    ==== Dest 7 ====


In [90]:
print("orig_acc_transfers\n",np.round(orig_acc_transfers,3)[0])
print("orig_similarities\n",np.round(orig_similarities,3))
print("orig_target_hit\n",np.round(orig_target_hit,3))
print("adv_acc_transfers\n",np.round(adv_acc_transfers,3))
print("adv_similarities\n",np.round(adv_similarities,3))
print("adv_target_hit\n",np.round(adv_target_hit,3))

orig_acc_transfers
 [0.891 0.803 0.795 0.858 0.738 0.776 0.791 0.849]
orig_similarities
 [[1.    0.846 0.848 0.893 0.786 0.825 0.838 0.891]]
orig_target_hit
 [[0.044 0.049 0.047 0.044 0.052 0.049 0.046 0.046]]
adv_acc_transfers
 [[0.125 0.26  0.327 0.463 0.262 0.315 0.312 0.313]]
adv_similarities
 [[1.    0.656 0.561 0.295 0.602 0.607 0.538 0.545]]
adv_target_hit
 [[0.824 0.569 0.461 0.187 0.525 0.503 0.447 0.446]]
