# Tensorflow Backdoor Poisoning MNIST Demo 

This demo will cover a basic backdoor poisoning attack on an MNIST-LeNet model.

The following two sections cover experiment setup and is similar across all demos.

To access demo results in MlFlow, please follow the general experiment setup steps outlined in `basic-mlflow-demo`.

## Setup: Experiment Name and MNIST Dataset

Here we will import the necessary Python modules and ensure the proper environment variables are set so that all the code blocks will work as expected.

### Important: Users will need to verify or update the following parameters:
- Ensure that the `USERNAME` parameter is set to your own name.
- Ensure that the `DATASET_DIR` parameter is set to the location of the MNIST dataset directory. Currently set to `/nfs/data/Mnist` as the default location.
- (Optional) Set the `EXPERIMENT_NAME` parameter to your own preferred experiment name.

Other parameters can be modified to alter the RESTful API and MLFlow tracking addresses. 

In [8]:
# Import packages from the Python standard library
import os
import pprint
import time
import warnings
from pathlib import Path
from typing import Tuple
import tarfile

# Please enter your username here.
USERNAME = "howard"

# Ensure that the MNIST dataset location is properly set here.
DATASET_DIR = "/nfs/data/Mnist"

# Filter out warning messages
warnings.filterwarnings("ignore")

# Default address for accessing the RESTful API service
RESTAPI_ADDRESS = "http://localhost:30080"

# Base API address
RESTAPI_API_BASE = f"{RESTAPI_ADDRESS}/api"

# Default address for accessing the MLFlow Tracking server
MLFLOW_TRACKING_URI = "http://localhost:35000"

# Path to workflows archive
WORKFLOWS_TAR_GZ = Path("workflows.tar.gz")

# Experiment name (note the username_ prefix convention)
EXPERIMENT_NAME = f"{USERNAME}_mnist_backdoor_poison"

# Set MLFLOW_TRACKING_URI variable, used to connect to MLFlow Tracking service
if os.getenv("MLFLOW_TRACKING_URI") is None:
    os.environ["MLFLOW_TRACKING_URI"] = MLFLOW_TRACKING_URI

# Import third-party Python packages
import numpy as np
import requests
from mlflow.tracking import MlflowClient

# Import utils.py file
import utils

# Create random number generator
rng = np.random.default_rng(54399264723942495723666216079516778448)

Check that the Makefile works in your environment by executing the `bash` code block below,

In [2]:
%%bash

# Running this will just list the available rules defined in the demo's Makefile.
make

[1mAvailable rules:[m

[36mclean              [m Remove temporary files 
[36mdata               [m Download and prepare MNIST dataset 
[36minitdb             [m Initialize the RESTful API database 
[36mservices           [m Launch the Minio S3 and MLFlow Tracking services 
[36mteardown           [m Destroy service containers 
[36mworkflows          [m Create workflows tarball 


## Submit and run jobs

The jobs that we will be running are implemented in the Python source files under `src/`, which will be executed using the entrypoints defined in the `MLproject` file.
To get this information into the architecture, we need to package those files up into an archive and upload it to the lab API.
For convenience, the `Makefile` provides a rule for creating the archive file, just run `make workflows`,

In [3]:
%%bash

# Create the workflows.tar.gz file
make workflows

make: Nothing to be done for 'workflows'.


To connect with the endpoint, we will use a client class defined in the `utils.py` file that is able to connect with the lab's RESTful API using the HTTP protocol.
We connect using the client below,

In [4]:
restapi_client = utils.SecuringAIClient(address=RESTAPI_API_BASE)

We need to register an experiment under which to collect our job runs.
The code below checks if the relevant experiment exists.
If it does, then it just returns info about the experiment, if it doesn't, it then registers the new experiment.

In [5]:
response_experiment = restapi_client.get_experiment_by_name(name=EXPERIMENT_NAME)

if response_experiment is None or "Not Found" in response_experiment.get("message", []):
    response_experiment = restapi_client.register_experiment(name=EXPERIMENT_NAME)

response_experiment

{'createdOn': '2021-02-11T09:13:02.448572',
 'experimentId': 24,
 'lastModified': '2021-02-11T09:13:02.448572',
 'name': 'howard_mnist_backdoor_poison'}

In [6]:
# The following helper functions will recheck the job responses until the job is completed or a run ID is available. 
# The run ID is needed to link dependencies between jobs.
def mlflow_run_id_is_not_known(job_response):
    return job_response["mlflowRunId"] is None and job_response["status"] not in [
        "failed",
        "finished",
    ]

def get_run_id(job_response):
    while mlflow_run_id_is_not_known(job_response):
        time.sleep(1)
        job_response = restapi_client.get_job_by_id(job_response["jobId"])
        
    return job_response

def wait_until_finished(job_response):
    # First make sure job has started.
    job_response = get_run_id(job_response)
    
    # Next re-check job until it has stopped running.
    while (job_response["status"] not in ["failed", "finished"]):
        time.sleep(1)
        job_response = restapi_client.get_job_by_id(job_response["jobId"])
    
    return job_response

# Helper function for viewing MLflow results.
def get_mlflow_results(job_response):
    mlflow_client = MlflowClient()
    job_response = wait_until_finished(job_response)
    
    if(job_response['status']=="failed"):
        return {}
    
    run = mlflow_client.get_run(job_response["mlflowRunId"])  
    
    while(len(run.data.metrics) == 0):
        time.sleep(1)
        run = mlflow_client.get_run(job_response["mlflowRunId"])
        
    return run

def print_mlflow_results(response):
    results = get_mlflow_results(response)
    pprint.pprint(results.data.metrics)

## MNIST Training: Baseline Model

Next, we need to train our baseline model that will serve as a reference point for the effectiveness of our attacks.

We will be using the V100 GPUs that are available on the DGX Workstation, which we can use by submitting our job to the `"tensorflow_gpu"` queue.

In [9]:
def mlflow_run_id_is_not_known(response_fgm):
    return response_fgm["mlflowRunId"] is None and response_fgm["status"] not in [
        "failed",
        "finished",
    ]

response_le_net_train = restapi_client.submit_job(
    workflows_file=WORKFLOWS_TAR_GZ,
    experiment_name=EXPERIMENT_NAME,
    entry_point="train",
    entry_point_kwargs=" ".join([
        "-P batch_size=256",
        "-P register_model=True",
        "-P model_architecture=le_net",
        "-P epochs=30",
        f"-P data_dir_train={DATASET_DIR}/training",
        f"-P data_dir_test={DATASET_DIR}/testing",
    ]),
    queue="tensorflow_gpu",
    timeout="1h",    
)

print("Training job for LeNet-5 neural network submitted")
print("")
pprint.pprint(response_le_net_train)

response_le_net_train = get_run_id(response_le_net_train)
print_mlflow_results(response_le_net_train)

Training job for LeNet-5 neural network submitted

{'createdOn': '2021-02-15T07:58:51.849400',
 'dependsOn': None,
 'entryPoint': 'train',
 'entryPointKwargs': '-P batch_size=256 -P register_model=True -P '
                     'model_architecture=le_net -P epochs=30 -P '
                     'data_dir_train=/nfs/data/Mnist/training -P '
                     'data_dir_test=/nfs/data/Mnist/testing',
 'experimentId': 24,
 'jobId': 'a49cfc4a-3ddc-434c-ae6e-d4c412b05b3a',
 'lastModified': '2021-02-15T07:58:51.849400',
 'mlflowRunId': None,
 'queueId': 2,
 'status': 'queued',
 'timeout': '1h',
 'workflowUri': 's3://workflow/1ef4859cfd574451823f9c487fbfbd40/workflows.tar.gz'}
{'accuracy': 0.985334575176239,
 'auc': 0.9994531273841858,
 'fn': 789.0,
 'fp': 604.0,
 'loss': 0.04815225534121818,
 'precision': 0.9873690605163574,
 'recall': 0.9835638403892517,
 'restored_epoch': 4.0,
 'stopped_epoch': 9.0,
 'tn': 431432.0,
 'tp': 47215.0,
 'training_time_in_minutes': 6.8675189833333325,
 'val_acc

### Generating Poisoned Images.

Now we will create our set of poisoned images.

Start by submitting the poison generation job below.

In [10]:
## Create poisoned test images.
response_gen_poison_le_net_test = restapi_client.submit_job(
    workflows_file=WORKFLOWS_TAR_GZ,
    experiment_name=EXPERIMENT_NAME,
    entry_point="gen_poison_test_data",
    entry_point_kwargs=" ".join(
        [
            "-P model_architecture=le_net",
            f"-P data_dir={DATASET_DIR}/testing",
            "-P batch_size=100",
            "-P target_class=1",
            "-P poison_fraction=1",
            "-P label_type=test"
            
        ]
    ),
    queue="tensorflow_gpu",
    depends_on=response_le_net_train["jobId"],
)

print("Backdoor poison attack (LeNet-5 architecture) job submitted")
print("")
pprint.pprint(response_gen_poison_le_net_test)
print("")

response_gen_poison_le_net_test = get_run_id(response_gen_poison_le_net_test)

Backdoor poison attack (LeNet-5 architecture) job submitted

{'createdOn': '2021-02-15T08:06:15.960294',
 'dependsOn': 'a49cfc4a-3ddc-434c-ae6e-d4c412b05b3a',
 'entryPoint': 'gen_poison_test_data',
 'entryPointKwargs': '-P model_architecture=le_net -P '
                     'data_dir=/nfs/data/Mnist/testing -P batch_size=100 -P '
                     'target_class=1 -P poison_fraction=1 -P label_type=test',
 'experimentId': 24,
 'jobId': 'd2859ba8-76dd-4024-85fe-6c3ac9ac348d',
 'lastModified': '2021-02-15T08:06:15.960294',
 'mlflowRunId': None,
 'queueId': 2,
 'status': 'queued',
 'timeout': '24h',
 'workflowUri': 's3://workflow/b1ad7309375d4ac78f9ca5186689f9aa/workflows.tar.gz'}



In [11]:
## Create poisoned training images.
        
response_gen_poison_le_net_train = restapi_client.submit_job(
    workflows_file=WORKFLOWS_TAR_GZ,
    experiment_name=EXPERIMENT_NAME,
    entry_point="gen_poison_test_data",
    entry_point_kwargs=" ".join(
        [
            "-P model_architecture=le_net",
            f"-P data_dir={DATASET_DIR}/testing",
            "-P batch_size=100",
            "-P target_class=1",
            "-P poison_fraction=0.1",
            "-P label_type=train"
            
        ]
    ),
    queue="tensorflow_gpu",
    depends_on=response_le_net_train["jobId"],
)

print("Backdoor poison attack (LeNet-5 architecture) job submitted")
print("")
pprint.pprint(response_gen_poison_le_net_train)
print("")

response_gen_poison_le_net_train = get_run_id(response_gen_poison_le_net_train)

Backdoor poison attack (LeNet-5 architecture) job submitted

{'createdOn': '2021-02-15T08:06:20.075777',
 'dependsOn': 'a49cfc4a-3ddc-434c-ae6e-d4c412b05b3a',
 'entryPoint': 'gen_poison_test_data',
 'entryPointKwargs': '-P model_architecture=le_net -P '
                     'data_dir=/nfs/data/Mnist/testing -P batch_size=100 -P '
                     'target_class=1 -P poison_fraction=0.1 -P '
                     'label_type=train',
 'experimentId': 24,
 'jobId': 'e0076265-b36c-46e3-87f6-d005d8bceb8f',
 'lastModified': '2021-02-15T08:06:20.075777',
 'mlflowRunId': None,
 'queueId': 2,
 'status': 'queued',
 'timeout': '24h',
 'workflowUri': 's3://workflow/b492f4b6f3884ceeab302c2dfff4fb87/workflows.tar.gz'}



In [12]:
# Train new model on poisoned training images
def mlflow_run_id_is_not_known(response_fgm):
    return response_fgm["mlflowRunId"] is None and response_fgm["status"] not in [
        "failed",
        "finished",
    ]

response_le_net_poison_model = restapi_client.submit_job(
    workflows_file=WORKFLOWS_TAR_GZ,
    experiment_name=EXPERIMENT_NAME,
    entry_point="train",
    entry_point_kwargs=" ".join([
        "-P batch_size=256",
        "-P register_model=True",
        "-P model_architecture=le_net",
        "-P epochs=30",
        "-P model_tag=data_poison",
        f"-P data_dir_train={DATASET_DIR}/training",
        f"-P data_dir_test={DATASET_DIR}/testing",
        "-P load_dataset_from_mlruns=true",
        f"-P training_dataset_run_id={response_gen_poison_le_net_train['mlflowRunId']}",
    ]),
    queue="tensorflow_gpu",
    timeout="1h",
    
)

print("Training job for LeNet-5 neural network submitted")
print("")
pprint.pprint(response_le_net_poison_model)

response_le_net_poison_model = get_run_id(response_le_net_poison_model)    

Training job for LeNet-5 neural network submitted

{'createdOn': '2021-02-15T08:06:24.193721',
 'dependsOn': None,
 'entryPoint': 'train',
 'entryPointKwargs': '-P batch_size=256 -P register_model=True -P '
                     'model_architecture=le_net -P epochs=30 -P '
                     'model_tag=data_poison -P '
                     'data_dir_train=/nfs/data/Mnist/training -P '
                     'data_dir_test=/nfs/data/Mnist/testing -P '
                     'load_dataset_from_mlruns=true -P '
                     'training_dataset_run_id=23dca239d5044b558d573ce69c9f8bbb',
 'experimentId': 24,
 'jobId': '3a025e09-acca-487f-9afd-8d264a75f611',
 'lastModified': '2021-02-15T08:06:24.193721',
 'mlflowRunId': None,
 'queueId': 2,
 'status': 'queued',
 'timeout': '1h',
 'workflowUri': 's3://workflow/f5cf5b4d62884e45af68c32c1bce826c/workflows.tar.gz'}


In [13]:
# Inference: Regular model on poisoned test images.

response_infer_reg_model = restapi_client.submit_job(
    workflows_file=WORKFLOWS_TAR_GZ,
    experiment_name=EXPERIMENT_NAME,
    entry_point="infer",
    entry_point_kwargs=" ".join(
        [
            f"-P run_id={response_gen_poison_le_net_test['mlflowRunId']}",
            f"-P model={EXPERIMENT_NAME}_le_net/None",
            "-P batch_size=512",
            "-P model_architecture=le_net",
            "-P dataset_tar_name=adversarial_poison.tar.gz",
            "-P dataset_name=adv_poison_data",
        ]
    ),
    queue="tensorflow_gpu",
    depends_on=response_gen_poison_le_net_train["jobId"],
)

print("Inference job for LeNet-5 neural network submitted")
print("")
pprint.pprint(response_infer_reg_model)

print_mlflow_results(response_infer_reg_model)

Inference job for LeNet-5 neural network submitted

{'createdOn': '2021-02-15T08:06:48.642744',
 'dependsOn': 'e0076265-b36c-46e3-87f6-d005d8bceb8f',
 'entryPoint': 'infer',
 'entryPointKwargs': '-P run_id=583161da0c964670a7a46650054b027c -P '
                     'model=howard_mnist_backdoor_poison_le_net/None -P '
                     'batch_size=512 -P model_architecture=le_net -P '
                     'dataset_tar_name=adversarial_poison.tar.gz -P '
                     'dataset_name=adv_poison_data',
 'experimentId': 24,
 'jobId': 'b0a43ef6-4ad3-47dc-980e-fddffbc96656',
 'lastModified': '2021-02-15T08:06:48.642744',
 'mlflowRunId': None,
 'queueId': 2,
 'status': 'queued',
 'timeout': '24h',
 'workflowUri': 's3://workflow/9885af2efe91485781e947ac20994dc9/workflows.tar.gz'}
{'accuracy': 0.9891999959945679,
 'auc': 0.9995173811912537,
 'fn': 115.0,
 'fp': 98.0,
 'loss': 0.03457361488891676,
 'precision': 0.9901832938194275,
 'recall': 0.9884999990463257,
 'tn': 89902.0,
 'tp': 9885

In [14]:
# Inference: Poisoned model on poisoned test images.

response_infer_pos_model = restapi_client.submit_job(
    workflows_file=WORKFLOWS_TAR_GZ,
    experiment_name=EXPERIMENT_NAME,
    entry_point="infer",
    entry_point_kwargs=" ".join(
        [
            f"-P run_id={response_gen_poison_le_net_test['mlflowRunId']}",
            f"-P model={EXPERIMENT_NAME}_data_poison_le_net/None",
            "-P batch_size=512",
            "-P model_architecture=le_net",
            "-P dataset_tar_name=adversarial_poison.tar.gz",
            "-P dataset_name=adv_poison_data",
        ]
    ),
    queue="tensorflow_gpu",
    depends_on=response_le_net_poison_model["jobId"],
)

print("Inference job for LeNet-5 neural network submitted")
print("")
pprint.pprint(response_infer_pos_model)

print_mlflow_results(response_infer_pos_model)

Inference job for LeNet-5 neural network submitted

{'createdOn': '2021-02-15T08:07:08.034704',
 'dependsOn': '3a025e09-acca-487f-9afd-8d264a75f611',
 'entryPoint': 'infer',
 'entryPointKwargs': '-P run_id=583161da0c964670a7a46650054b027c -P '
                     'model=howard_mnist_backdoor_poison_data_poison_le_net/None '
                     '-P batch_size=512 -P model_architecture=le_net -P '
                     'dataset_tar_name=adversarial_poison.tar.gz -P '
                     'dataset_name=adv_poison_data',
 'experimentId': 24,
 'jobId': '35740d6a-5e2b-4fe9-81fb-b6a748092d5f',
 'lastModified': '2021-02-15T08:07:08.034704',
 'mlflowRunId': None,
 'queueId': 2,
 'status': 'queued',
 'timeout': '24h',
 'workflowUri': 's3://workflow/2b44d40c41eb401f9599ceef24831a73/workflows.tar.gz'}
{'accuracy': 0.11349999904632568,
 'auc': 0.5079113245010376,
 'fn': 8865.0,
 'fp': 8865.0,
 'loss': 17.492993543704095,
 'precision': 0.11349999904632568,
 'recall': 0.11349999904632568,
 'tn': 811

# Now we will explore available defenses on the adversarial backdoor poisoning attack.

The following three jobs will run a selected defense (spatial smoothing, gaussian augmentation, or jpeg compression) and evaluate the defense on the baseline and backdoor trained models.

- The first job uses the selected defense entrypoint to apply a preprocessing defense over the poisoned test images.
- The second job runs the defended images against the poisoned backdoor model.
- The final job runs the defended images against the baseline model.

Ideally the defense will not impact the baseline model accuracy, while improving the backdoor model accuracy scores.

In [15]:
defenses = ["gaussian_augmentation", "spatial_smoothing", "jpeg_compression"]
defense = defenses[1]
response_fgm_resnet50_attack_def = restapi_client.submit_job(
    workflows_file=WORKFLOWS_TAR_GZ,
    experiment_name=EXPERIMENT_NAME,
    entry_point=defense,
    entry_point_kwargs=" ".join(
        [
            f"-P model={EXPERIMENT_NAME}_le_net/1",
            "-P model_architecture=le_net",
            f"-P data_dir={DATASET_DIR}/testing",
            "-P batch_size=20",
            "-P load_dataset_from_mlruns=true",
            f"-P dataset_run_id={response_gen_poison_le_net_test['mlflowRunId']}",
            "-P dataset_tar_name=adversarial_poison.tar.gz",
            "-P dataset_name=adv_poison_data",
            
        ]
    ),
    queue="tensorflow_gpu",
    depends_on=response_gen_poison_le_net_test["jobId"],
)


print(f"FGM {defense} defense (LeNet architecture) job submitted")
print("")
pprint.pprint(response_fgm_resnet50_attack_def)
print("")


response_fgm_resnet50_attack_def = get_run_id(response_fgm_resnet50_attack_def)

FGM spatial_smoothing defense (LeNet architecture) job submitted

{'createdOn': '2021-02-15T08:08:28.292037',
 'dependsOn': 'd2859ba8-76dd-4024-85fe-6c3ac9ac348d',
 'entryPoint': 'spatial_smoothing',
 'entryPointKwargs': '-P model=howard_mnist_backdoor_poison_le_net/1 -P '
                     'model_architecture=le_net -P '
                     'data_dir=/nfs/data/Mnist/testing -P batch_size=20 -P '
                     'load_dataset_from_mlruns=true -P '
                     'dataset_run_id=583161da0c964670a7a46650054b027c -P '
                     'dataset_tar_name=adversarial_poison.tar.gz -P '
                     'dataset_name=adv_poison_data',
 'experimentId': 24,
 'jobId': 'dee73f2e-ee43-49ba-b5e7-998297977f8a',
 'lastModified': '2021-02-15T08:08:28.292037',
 'mlflowRunId': None,
 'queueId': 2,
 'status': 'queued',
 'timeout': '24h',
 'workflowUri': 's3://workflow/f50058393d744333b7f65ca8e1261ea6/workflows.tar.gz'}



In [18]:
# Inference: Poisoned model on poisoned test images.

response_infer_pos_model = restapi_client.submit_job(
    workflows_file=WORKFLOWS_TAR_GZ,
    experiment_name=EXPERIMENT_NAME,
    entry_point="infer",
    entry_point_kwargs=" ".join(
        [
            f"-P run_id={response_fgm_resnet50_attack_def['mlflowRunId']}",
            f"-P model={EXPERIMENT_NAME}_data_poison_le_net/None",
            "-P batch_size=512",
            "-P model_architecture=le_net",
            f"-P dataset_tar_name={defense}_dataset.tar.gz",
            "-P dataset_name=adv_testing",
        ]
    ),
    queue="tensorflow_gpu",
    depends_on=response_fgm_resnet50_attack_def["jobId"],
)

print("Inference job for LeNet-5 neural network submitted")
print("")
pprint.pprint(response_infer_pos_model)
print_mlflow_results(response_infer_pos_model)

Inference job for LeNet-5 neural network submitted

{'createdOn': '2021-02-15T08:13:27.339453',
 'dependsOn': 'dee73f2e-ee43-49ba-b5e7-998297977f8a',
 'entryPoint': 'infer',
 'entryPointKwargs': '-P run_id=7f8e132959174d2593508f144d8a905f -P '
                     'model=howard_mnist_backdoor_poison_data_poison_le_net/None '
                     '-P batch_size=512 -P model_architecture=le_net -P '
                     'dataset_tar_name=spatial_smoothing_dataset.tar.gz -P '
                     'dataset_name=adv_testing',
 'experimentId': 24,
 'jobId': 'cd715340-f885-4ea5-a707-fe5ea9551e14',
 'lastModified': '2021-02-15T08:13:27.339453',
 'mlflowRunId': None,
 'queueId': 2,
 'status': 'queued',
 'timeout': '24h',
 'workflowUri': 's3://workflow/8f42f1b4676a42b0a707bfe28722026c/workflows.tar.gz'}
{'accuracy': 0.9872000217437744,
 'auc': 0.9994723796844482,
 'fn': 153.0,
 'fp': 107.0,
 'loss': 0.04631301791246492,
 'precision': 0.9892505407333374,
 'recall': 0.9847000241279602,
 'tn': 8989

In [19]:
# Inference: Regular model on poisoned test images.

response_infer_reg_model = restapi_client.submit_job(
    workflows_file=WORKFLOWS_TAR_GZ,
    experiment_name=EXPERIMENT_NAME,
    entry_point="infer",
    entry_point_kwargs=" ".join(
        [
            f"-P run_id={response_fgm_resnet50_attack_def['mlflowRunId']}",
            f"-P model={EXPERIMENT_NAME}_le_net/None",
            "-P batch_size=512",
            "-P model_architecture=le_net",
            f"-P dataset_tar_name={defense}_dataset.tar.gz",
            "-P dataset_name=adv_testing",
        ]
    ),
    queue="tensorflow_gpu",
    depends_on=response_fgm_resnet50_attack_def["jobId"],
)

print("Inference job for LeNet-5 neural network submitted")
print("")
pprint.pprint(response_infer_reg_model)
print_mlflow_results(response_infer_reg_model)

Inference job for LeNet-5 neural network submitted

{'createdOn': '2021-02-15T08:13:46.699401',
 'dependsOn': 'dee73f2e-ee43-49ba-b5e7-998297977f8a',
 'entryPoint': 'infer',
 'entryPointKwargs': '-P run_id=7f8e132959174d2593508f144d8a905f -P '
                     'model=howard_mnist_backdoor_poison_le_net/None -P '
                     'batch_size=512 -P model_architecture=le_net -P '
                     'dataset_tar_name=spatial_smoothing_dataset.tar.gz -P '
                     'dataset_name=adv_testing',
 'experimentId': 24,
 'jobId': '16e762f2-25d0-4505-82d7-98192621d2bc',
 'lastModified': '2021-02-15T08:13:46.699401',
 'mlflowRunId': None,
 'queueId': 2,
 'status': 'queued',
 'timeout': '24h',
 'workflowUri': 's3://workflow/eae7c31146894d8da1664464f355ec67/workflows.tar.gz'}
{'accuracy': 0.983299970626831,
 'auc': 0.9995484948158264,
 'fn': 185.0,
 'fp': 138.0,
 'loss': 0.04958793219921295,
 'precision': 0.9861348271369934,
 'recall': 0.9815000295639038,
 'tn': 89862.0,
 'tp': 9

<a id='querying_cell'></a>
## Querying the MLFlow Tracking Service

Currently the lab API can only be used to register experiments and start jobs, so if users wish to extract their results programmatically, they can use the `MlflowClient()` class from the `mlflow` Python package to connect and query their results.
Since we captured the run ids generated by MLFlow, we can easily retrieve the data logged about one of our jobs and inspect the results.
To start the client, we simply need to run,

In [22]:
mlflow_client = MlflowClient()

The client uses the environment variable `MLFLOW_TRACKING_URI` to figure out how to connect to the MLFlow Tracking Service, which we configured near the top of this notebook.
To query the results of one of our runs, we just need to pass the run id to the client's `get_run()` method.
As an example, let's query the run results for the patch attack applied to the LeNet-5 architecture,

In [23]:
run_le_net = mlflow_client.get_run(response_le_net_train["mlflowRunId"])

If the request completed successfully, we should now be able to query data collected during the run.
For example, to review the collected metrics, we just use,

In [24]:
pprint.pprint(run_le_net.data.metrics)

{'accuracy': 0.9836680293083191,
 'auc': 0.9994320869445801,
 'fn': 901.0,
 'fp': 666.0,
 'loss': 0.053702861484105704,
 'precision': 0.9860578775405884,
 'recall': 0.9812307357788086,
 'restored_epoch': 4.0,
 'stopped_epoch': 9.0,
 'tn': 431370.0,
 'tp': 47103.0,
 'training_time_in_minutes': 7.423224333333334,
 'val_accuracy': 0.9872457385063171,
 'val_auc': 0.9992121458053589,
 'val_fn': 162.0,
 'val_fp': 143.0,
 'val_loss': 0.043615993835586814,
 'val_precision': 0.988060474395752,
 'val_recall': 0.9864954948425293,
 'val_tn': 107821.0,
 'val_tp': 11834.0}


To review the run's parameters, we use,

In [25]:
pprint.pprint(run_le_net.data.params)

{'apply_defense': 'False',
 'baseline': 'None',
 'batch_size': '256',
 'data_dir_test': '/nfs/data/Mnist/testing',
 'data_dir_train': '/nfs/data/Mnist/training',
 'dataset_name': 'adv_poison_data',
 'dataset_seed': '491391921',
 'dataset_tar_name': 'adversarial_poison.tar.gz',
 'entry_point_seed': '9362298795793007086857596422728629728',
 'epochs': '30',
 'learning_rate': '0.001',
 'load_dataset_from_mlruns': 'False',
 'min_delta': '-0.01',
 'model_architecture': 'le_net',
 'model_tag': "''",
 'monitor': 'val_loss',
 'opt_amsgrad': 'False',
 'opt_beta_1': '0.9',
 'opt_beta_2': '0.999',
 'opt_decay': '0.0',
 'opt_epsilon': '1e-07',
 'opt_learning_rate': '0.001',
 'opt_name': 'Adam',
 'optimizer': 'adam',
 'patience': '5',
 'register_model': 'True',
 'restore_best_weights': 'True',
 'seed': '-1',
 'tensorflow_global_seed': '878021404',
 'training_dataset_run_id': 'None',
 'validation_split': '0.2'}


To review the run's tags, we use,

In [26]:
pprint.pprint(run_le_net.data.tags)

{'mlflow.log-model.history': '[{"run_id": "ce1bb519957c4c62aa87fea44b86ed61", '
                             '"artifact_path": "model", "utc_time_created": '
                             '"2021-02-15 06:24:08.566942", "flavors": '
                             '{"keras": {"keras_module": '
                             '"tensorflow_core.keras", "keras_version": '
                             '"2.2.4-tf", "data": "data"}, "python_function": '
                             '{"loader_module": "mlflow.keras", '
                             '"python_version": "3.7.9", "data": "data", '
                             '"env": "conda.yaml"}}}]',
 'mlflow.project.backend': 'securingai',
 'mlflow.project.entryPoint': 'train',
 'mlflow.source.name': '/work/tmp5zfs9qj5',
 'mlflow.source.type': 'PROJECT',
 'mlflow.user': 'securingai',
 'securingai.dependsOn': 'None',
 'securingai.jobId': '50bcd46f-4f68-4866-9e1b-520697cebe84',
 'securingai.queue': 'tensorflow_gpu'}


There are many things you can query using the MLFlow client.
[The MLFlow documentation gives a full overview of the methods that are available](https://www.mlflow.org/docs/latest/python_api/mlflow.tracking.html#mlflow.tracking.MlflowClient).