# Tensorflow MNIST-LeNet Patch Demo

This notebook demonstrates the adversarial patch attack applied on the LeNet model, as well as preprocessing and adversarial training defenses.

The following two sections cover experiment setup and is similar across all demos.

## Setup: Experiment Name and MNIST Dataset

Here we will import the necessary Python modules and ensure the proper environment variables are set so that all the code blocks will work as expected.

**Important: Users will need to verify or update the following parameters:**

- Ensure that the `USERNAME` parameter is set to your own name.
- Ensure that the `DATASET_DIR` parameter is set to the location of the MNIST dataset directory. Currently set to `/nfs/data/Mnist` as the default location.
- (Optional) Set the `EXPERIMENT_NAME` parameter to your own preferred experiment name.

Other parameters can be modified to alter the RESTful API and MLFlow tracking addresses. 

In [1]:
# Import packages from the Python standard library
import os
import pprint
import time
import warnings
from pathlib import Path
from typing import Tuple

# Filter out warning messages
warnings.filterwarnings("ignore")

# Please enter custom username here.
USERNAME = "howard"

# Ensure that the dataset location is properly set here.
DATASET_DIR = "/nfs/data/Mnist"

# Experiment name (note the username_ prefix convention)
EXPERIMENT_NAME = f"{USERNAME}_mnist_adversarial_patches"

# Address for connecting the docker container to exposed ports on the host device
HOST_DOCKER_INTERNAL = "host.docker.internal"
# HOST_DOCKER_INTERNAL = "172.17.0.1"

# Testbed API ports
RESTAPI_PORT = "30080"
MLFLOW_TRACKING_PORT = "35000"

# Default address for accessing the RESTful API service
RESTAPI_ADDRESS = (
    f"http://{HOST_DOCKER_INTERNAL}:{RESTAPI_PORT}"
    if os.getenv("IS_JUPYTER_SERVICE")
    else f"http://localhost:{RESTAPI_PORT}"
)

# Override the AI_RESTAPI_URI variable, used to connect to RESTful API service
os.environ["AI_RESTAPI_URI"] = RESTAPI_ADDRESS

# Default address for accessing the MLFlow Tracking server
MLFLOW_TRACKING_URI = (
    f"http://{HOST_DOCKER_INTERNAL}:{MLFLOW_TRACKING_PORT}"
    if os.getenv("IS_JUPYTER_SERVICE")
    else f"http://localhost:{MLFLOW_TRACKING_PORT}"
)

# Path to custom task plugins archives
CUSTOM_PLUGINS_EVALUATION_TAR_GZ = Path("custom-plugins-evaluation.tar.gz")

# Override the MLFLOW_TRACKING_URI variable, used to connect to MLFlow Tracking service
os.environ["MLFLOW_TRACKING_URI"] = MLFLOW_TRACKING_URI

# Base API address
RESTAPI_API_BASE = f"{RESTAPI_ADDRESS}/api"

# Path to workflows archive
WORKFLOWS_TAR_GZ = Path("workflows.tar.gz")

# Import third-party Python packages
import numpy as np
import requests
from mlflow.tracking import MlflowClient

# Import utils.py file
import utils

# Create random number generator
rng = np.random.default_rng(54399264723942495723666216079516778448)

## Dataset

The training and testing images in this directory are saved as PNG files and are organized into the following folder structure,

    Mnist
    ├── testing
    │   ├── 0
    │   ├── 1
    │   ├── 2
    │   ├── 3
    │   ├── 4
    │   ├── 5
    │   ├── 6
    │   ├── 7
    │   ├── 8
    │   └── 9
    └── training
        ├── 0
        ├── 1
        ├── 2
        ├── 3
        ├── 4
        ├── 5
        ├── 6
        ├── 7
        ├── 8
        └── 9

The subfolders under `Mnist/training/` and `Mnist/testing/` are the classification labels for the images in the dataset.
This folder structure is a standardized way to encode the label information and many libraries can make use of it, including the Tensorflow library that we are using for this particular demo.

## Submit and run jobs

The entrypoints that we will be running in this example are implemented in the Python source files under `src/` and the `MLproject` file.
To run these entrypoints within the testbed architecture, we need to package those files up into an archive and submit it to the Testbed RESTful API to create a new job.
For convenience, the `Makefile` provides a rule for creating the archive file for this example, just run `make workflows`,

In [2]:
%%bash

# Create the workflows.tar.gz file
make workflows

make: Nothing to be done for 'workflows'.


  and should_run_async(code)


To connect with the endpoint, we will use a client class defined in the `utils.py` file that is able to connect with the Testbed RESTful API using the HTTP protocol.
We connect using the client below, which uses the environment variable `AI_RESTAPI_URI` to figure out how to connect to the Testbed RESTful API,

In [3]:
restapi_client = utils.SecuringAIClient()

  and should_run_async(code)


We need to register an experiment under which to collect our job runs.
The code below checks if the relevant experiment exists.
If it does, then it just returns info about the experiment, if it doesn't, it then registers the new experiment.

In [4]:
response_experiment = restapi_client.get_experiment_by_name(name=EXPERIMENT_NAME)

if response_experiment is None or "Not Found" in response_experiment.get("message", []):
    response_experiment = restapi_client.register_experiment(name=EXPERIMENT_NAME)

response_experiment

{'experimentId': 10,
 'createdOn': '2020-11-05T08:45:14.946823',
 'lastModified': '2020-11-05T08:45:14.946823',
 'name': 'howard_mnist_adversarial_patches'}

We should also check which queues are available for running our jobs to make sure that the resources that we need are available.
The code below queries the Testbed API and returns a list of active queues.

In [5]:
restapi_client.list_queues()

[{'name': 'tensorflow_cpu',
  'createdOn': '2020-11-20T17:46:06.756687',
  'lastModified': '2020-11-20T17:46:06.756687',
  'queueId': 1},
 {'name': 'tensorflow_gpu',
  'createdOn': '2020-11-20T18:00:40.876888',
  'lastModified': '2020-11-20T18:00:40.876888',
  'queueId': 2},
 {'name': 'pytorch_cpu',
  'createdOn': '2020-11-20T19:52:36.079781',
  'lastModified': '2020-11-20T19:52:36.079781',
  'queueId': 5},
 {'name': 'pytorch_gpu',
  'createdOn': '2020-11-20T19:52:43.348460',
  'lastModified': '2020-11-20T19:52:43.348460',
  'queueId': 7}]

This example also makes use of the `custom_fgm_patch_poisoning_plugins` custom task plugin package stored locally under the `task-plugins/securingai_custom/custom_fgm_patch_poisoning_plugins` directory.
To register these custom task plugins, we first need to package them up into an archive.
For convenience, the `Makefile` provides a rule for creating the custom task plugins archive file, just run `make custom-plugins`,

In [6]:
%%bash

# Create the workflows.tar.gz file
make custom-plugins

make: Nothing to be done for 'custom-plugins'.


Now that the custom task plugin package is packaged into an archive file, next we register it by uploading the file to the REST API.
Note that we need to provide the name to use for custom task plugin package, this name must be unique under the custom task plugins namespace.
For a full list of the custom task plugins, use `restapi_client.restapi_client.list_custom_task_plugins()`.

In [7]:
restapi_client.delete_custom_task_plugin(name="custom_fgm_patch_poisoning_plugins")
response_custom_plugins = restapi_client.get_custom_task_plugin(name="custom_fgm_patch_poisoning_plugins")

if response_custom_plugins is None or "Not Found" in response_custom_plugins.get("message", []):
    response_custom_plugins = restapi_client.upload_custom_plugin_package(
        custom_plugin_name="custom_fgm_patch_poisoning_plugins",
        custom_plugin_file=CUSTOM_PLUGINS_EVALUATION_TAR_GZ,
    )

response_custom_plugins

  and should_run_async(code)


{'modules': ['data_tensorflow.py',
  'tensorflow.py',
  'attacks_patch.py',
  'registry_art.py',
  '__init__.py',
  'estimators_keras_classifiers.py',
  'import_keras.py',
  'defenses_image_preprocessing.py'],
 'taskPluginName': 'custom_fgm_patch_poisoning_plugins',
 'collection': 'securingai_custom'}

If at any point you need to update one or more files within the `evaluation` plugin package, you will need to unregister/delete the custom task plugin first using the REST API.
This can be done as follows,

```python
# Delete the 'evaluation' custom task plugin package
restapi_client.delete_custom_task_plugin(name="custom_fgm_patch_poisoning_plugins")
```

## Adversarial Patches: Baseline MNIST Training

Now, we will train our baseline LeNet-5 model on the MNIST dataset. 
We will be submitting our jobs to the `"tensorflow_gpu"` queue.
Once the experiment is finished, we will examine the accuracy results of our model.

In [8]:
# Create and submit training job.
response_le_net_train = restapi_client.submit_job(
    workflows_file=WORKFLOWS_TAR_GZ,
    experiment_name=EXPERIMENT_NAME,
    entry_point="train",
    entry_point_kwargs=" ".join([
        "-P batch_size=256",
        f"-P register_model_name={EXPERIMENT_NAME}_le_net",
        "-P model_architecture=le_net",
        "-P epochs=30",
        f"-P data_dir_training={DATASET_DIR}/training",
        f"-P data_dir_testing={DATASET_DIR}/testing",
    ]),
    queue="tensorflow_gpu",
    timeout="1h",
)

print("Training job for LeNet-5 neural network submitted")
print("")
pprint.pprint(response_le_net_train)

Training job for LeNet-5 neural network submitted

{'createdOn': '2021-07-15T04:21:39.258552',
 'dependsOn': None,
 'entryPoint': 'train',
 'entryPointKwargs': '-P batch_size=256 -P '
                     'register_model_name=howard_mnist_adversarial_patches_le_net '
                     '-P model_architecture=le_net -P epochs=30 -P '
                     'data_dir_training=/nfs/data/Mnist/training -P '
                     'data_dir_testing=/nfs/data/Mnist/testing',
 'experimentId': 10,
 'jobId': '41b854f6-5e5e-4f76-acc9-a9de2c3b3cdc',
 'lastModified': '2021-07-15T04:21:39.258552',
 'mlflowRunId': None,
 'queueId': 2,
 'status': 'queued',
 'timeout': '1h',
 'workflowUri': 's3://workflow/e1383e75b2034881b3ca5d7dce00a7b9/workflows.tar.gz'}


The following helper functions will recheck the job responses until the job is completed or a run ID is available. 
The run ID is needed to link dependencies between jobs.

In [9]:
def mlflow_run_id_is_not_known(job_response):
    return job_response["mlflowRunId"] is None and job_response["status"] not in [
        "failed",
        "finished",
    ]


def get_run_id(job_response):
    while mlflow_run_id_is_not_known(job_response):
        time.sleep(1)
        job_response = restapi_client.get_job_by_id(job_response["jobId"])
        
    return job_response


def wait_until_finished(job_response):
    # First make sure job has started.
    job_response = get_run_id(job_response)
    
    # Next re-check job until it has stopped running.
    while (job_response["status"] not in ["failed", "finished"]):
        time.sleep(1)
        job_response = restapi_client.get_job_by_id(job_response["jobId"])
    
    return job_response

Now wait for the job to complete before proceeding to next steps.

In [10]:
response_le_net_train = wait_until_finished(response_le_net_train)
print("Training job for LeNet-5 neural network")
pprint.pprint(response_le_net_train)

Training job for LeNet-5 neural network
{'createdOn': '2021-07-15T04:21:39.258552',
 'dependsOn': None,
 'entryPoint': 'train',
 'entryPointKwargs': '-P batch_size=256 -P '
                     'register_model_name=howard_mnist_adversarial_patches_le_net '
                     '-P model_architecture=le_net -P epochs=30 -P '
                     'data_dir_training=/nfs/data/Mnist/training -P '
                     'data_dir_testing=/nfs/data/Mnist/testing',
 'experimentId': 10,
 'jobId': '41b854f6-5e5e-4f76-acc9-a9de2c3b3cdc',
 'lastModified': '2021-07-15T04:30:45.822947',
 'mlflowRunId': '27d21d3cdec44f8486140a5fc58ea16e',
 'queueId': 2,
 'status': 'finished',
 'timeout': '1h',
 'workflowUri': 's3://workflow/e1383e75b2034881b3ca5d7dce00a7b9/workflows.tar.gz'}


### Checking baseline MNIST job accuracy

Once the job has finished running we can view the results either through the MLflow URI or by accessing the job via MLflow client.
Here we will show the baseline accuracy results from the previous training job.
Please see [Querying the MLFlow Tracking Service](#Querying-the-MLFlow-Tracking-Service) section for more details.

In [11]:
# Helper function for viewing MLflow results.
def get_mlflow_results(job_response):
    mlflow_client = MlflowClient()
    job_response = wait_until_finished(job_response)
    if(job_response['status']=="failed"):
        return {}
    
    run = mlflow_client.get_run(job_response["mlflowRunId"])  
    while(len(run.data.metrics) == 0):
        time.sleep(1)
        run = mlflow_client.get_run(job_response["mlflowRunId"])
        
    return run


results = get_mlflow_results(response_le_net_train)
pprint.pprint(results.data.metrics)

{'accuracy': 0.9878135323524475,
 'auc': 0.9996731877326965,
 'loss': 0.0376531641774203,
 'precision': 0.9893254637718201,
 'recall': 0.9865844249725342,
 'restored_epoch': 7.0,
 'stopped_epoch': 12.0,
 'training_time_in_minutes': 8.662142633333334,
 'val_accuracy': 0.9888296127319336,
 'val_auc': 0.9992280006408691,
 'val_loss': 0.039811342924912556,
 'val_precision': 0.9895659685134888,
 'val_recall': 0.9882460832595825}


With the baseline training settings, it appears that the LeNet model has been properly trained on MNIST dataset.

### Deploying and Testing Adversarial Patches

Now we will create and apply the adversarial patches over our test set and evaluate the performance of the baseline model on the adversarial patches.
We will also apply the patches over the training set for the adversarial training defense evaluation.

#### Patch Generation

The following job will generate the adversarial patches. 
Feel free to adjust the input parameters to see how they impact the effectiveness of the patch attack.

In [12]:
# Create Patches
response_le_net_patches = restapi_client.submit_job(
    workflows_file=WORKFLOWS_TAR_GZ,
    experiment_name=EXPERIMENT_NAME,
    entry_point="gen_patch",
    entry_point_kwargs=" ".join(
        [
            f"-P model_name={EXPERIMENT_NAME}_le_net",
            f"-P model_version=none",
            f"-P data_dir={DATASET_DIR}/training",
            "-P num_patch_gen_samples=40",
            "-P num_patch=3",
            "-P patch_target=5",
        ]
    ),
    queue="tensorflow_gpu",
    depends_on=response_le_net_train["jobId"],
)


print("Patch attack (LeNet-5 architecture) job submitted")
print("")
pprint.pprint(response_le_net_patches)
print("")

# Wait for Patch attack to finish.
response_le_net_patches = wait_until_finished(response_le_net_patches)

Patch attack (LeNet-5 architecture) job submitted

{'createdOn': '2021-07-15T04:30:46.181874',
 'dependsOn': '41b854f6-5e5e-4f76-acc9-a9de2c3b3cdc',
 'entryPoint': 'gen_patch',
 'entryPointKwargs': '-P model_name=howard_mnist_adversarial_patches_le_net -P '
                     'model_version=none -P data_dir=/nfs/data/Mnist/training '
                     '-P num_patch_gen_samples=40 -P num_patch=3 -P '
                     'patch_target=5',
 'experimentId': 10,
 'jobId': '102d9bda-854a-4fd4-91e0-236f1ca3007d',
 'lastModified': '2021-07-15T04:30:46.181874',
 'mlflowRunId': None,
 'queueId': 2,
 'status': 'queued',
 'timeout': '24h',
 'workflowUri': 's3://workflow/bd6caa905e9247efb1acf2f4784208d4/workflows.tar.gz'}



#### Patch Deployment

The following jobs will deploy the patches over the training and test sets.

In [13]:
# Deploy Patch attack on training set.

response_deploy_le_net_patches_mnist_training = restapi_client.submit_job(
    workflows_file=WORKFLOWS_TAR_GZ,
    experiment_name=EXPERIMENT_NAME,
    entry_point="deploy_patch",
    entry_point_kwargs=" ".join(
        [
            f"-P run_id={response_le_net_patches['mlflowRunId']}",
            f"-P model_name={EXPERIMENT_NAME}_le_net",
            f"-P model_version=none",
            f"-P data_dir={DATASET_DIR}/training",
        ]
    ),
    queue="tensorflow_gpu",
    depends_on=response_le_net_patches["jobId"],
)

print("Patch deployment (LeNet-5 architecture) job submitted")
print("")
pprint.pprint(response_deploy_le_net_patches_mnist_training)
print("")

# Get the run ID of the test set.
response_deploy_le_net_patches_mnist_training = get_run_id(response_deploy_le_net_patches_mnist_training)

Patch deployment (LeNet-5 architecture) job submitted

{'createdOn': '2021-07-15T04:33:07.313261',
 'dependsOn': '102d9bda-854a-4fd4-91e0-236f1ca3007d',
 'entryPoint': 'deploy_patch',
 'entryPointKwargs': '-P run_id=4a033f7b70214f088213e142a1ac8cc4 -P '
                     'model_name=howard_mnist_adversarial_patches_le_net -P '
                     'model_version=none -P data_dir=/nfs/data/Mnist/training',
 'experimentId': 10,
 'jobId': '15be3b3c-13e4-4768-bd22-b34fd5efc7d0',
 'lastModified': '2021-07-15T04:33:07.313261',
 'mlflowRunId': None,
 'queueId': 2,
 'status': 'queued',
 'timeout': '24h',
 'workflowUri': 's3://workflow/1f48f6c8b4e74e9ea0ac9087339db330/workflows.tar.gz'}



In [14]:
# Deploy Patch attack on test set.
response_deploy_le_net_patches_mnist_testing = restapi_client.submit_job(
    workflows_file=WORKFLOWS_TAR_GZ,
    experiment_name=EXPERIMENT_NAME,
    entry_point="deploy_patch",
    entry_point_kwargs=" ".join(
        [
            f"-P run_id={response_le_net_patches['mlflowRunId']}",
            f"-P model_name={EXPERIMENT_NAME}_le_net",
            f"-P model_version=none",
            f"-P data_dir={DATASET_DIR}/testing",
            "-P patch_deployment_method=corrupt"
        ]
    ),
    queue="tensorflow_gpu",
    depends_on=response_le_net_patches["jobId"],
)

print("Patch deployment (LeNet-5 architecture) job submitted")
print("")
pprint.pprint(response_deploy_le_net_patches_mnist_testing)
print("")

# Get the run ID of the training set.
response_deploy_le_net_patches_mnist_testing = get_run_id(response_deploy_le_net_patches_mnist_testing)

Patch deployment (LeNet-5 architecture) job submitted

{'createdOn': '2021-07-15T04:33:14.471561',
 'dependsOn': '102d9bda-854a-4fd4-91e0-236f1ca3007d',
 'entryPoint': 'deploy_patch',
 'entryPointKwargs': '-P run_id=4a033f7b70214f088213e142a1ac8cc4 -P '
                     'model_name=howard_mnist_adversarial_patches_le_net -P '
                     'model_version=none -P data_dir=/nfs/data/Mnist/testing '
                     '-P patch_deployment_method=corrupt',
 'experimentId': 10,
 'jobId': 'd4df45d1-eef7-474d-81a5-cf9a66fe30f4',
 'lastModified': '2021-07-15T04:33:14.471561',
 'mlflowRunId': None,
 'queueId': 2,
 'status': 'queued',
 'timeout': '24h',
 'workflowUri': 's3://workflow/5b05a68de85a44579d7b86120eec2281/workflows.tar.gz'}



### Patch Attack Evaluation: Baseline MNIST Model

Now we will run an inference step to check the patch-attacked dataset with our MNIST-trained model.

In [15]:
# Check patched dataset results   
response_le_net_infer_le_net_patch = restapi_client.submit_job(
    workflows_file=WORKFLOWS_TAR_GZ,
    experiment_name=EXPERIMENT_NAME,
    entry_point="infer",
    entry_point_kwargs=" ".join(
        [
            f"-P run_id={response_deploy_le_net_patches_mnist_testing['mlflowRunId']}",
            f"-P model_name={EXPERIMENT_NAME}_le_net",
            f"-P model_version=none",
            "-P batch_size=512",
            "-P adv_tar_name=adversarial_patch_dataset.tar.gz",
            "-P adv_data_dir=adv_patch_dataset",
        ]
    ),
    queue="tensorflow_gpu",
    depends_on=response_deploy_le_net_patches_mnist_testing["jobId"],
)
        
print("Patch evaluation (LeNet-5 architecture) job submitted")
print("")
pprint.pprint(response_deploy_le_net_patches_mnist_testing)
print("")

Patch evaluation (LeNet-5 architecture) job submitted

{'createdOn': '2021-07-15T04:33:14.471561',
 'dependsOn': '102d9bda-854a-4fd4-91e0-236f1ca3007d',
 'entryPoint': 'deploy_patch',
 'entryPointKwargs': '-P run_id=4a033f7b70214f088213e142a1ac8cc4 -P '
                     'model_name=howard_mnist_adversarial_patches_le_net -P '
                     'model_version=none -P data_dir=/nfs/data/Mnist/testing '
                     '-P patch_deployment_method=corrupt',
 'experimentId': 10,
 'jobId': 'd4df45d1-eef7-474d-81a5-cf9a66fe30f4',
 'lastModified': '2021-07-15T04:33:21.508028',
 'mlflowRunId': 'b0ae793429bb4cfebb1d4f1b2c85855a',
 'queueId': 2,
 'status': 'started',
 'timeout': '24h',
 'workflowUri': 's3://workflow/5b05a68de85a44579d7b86120eec2281/workflows.tar.gz'}



In [16]:
# Wait for the job to finish
response_le_net_infer_le_net_patch = wait_until_finished(response_le_net_infer_le_net_patch)

# Check on the patch evaluation results
results = get_mlflow_results(response_le_net_infer_le_net_patch)
print("Baseline model results on adversarially patched dataset: ")
pprint.pprint(results.data.metrics)

Baseline model results on adversarially patched dataset: 
{'accuracy': 0.3811097741127014,
 'auc': 0.7639568448066711,
 'loss': 2.143265891075134,
 'precision': 0.5967143774032593,
 'recall': 0.3383413553237915}



We can see that the adversarial patch attack causes a noticeable decrease in the model's accuracy scores.

We will now test various defenses against the patch attacked images.

## Defenses: Image Preprocessing and Adversarial Training

The next part of the adversarial patch demo focuses on investigating effective defenses against the attack.

### Preprocessing Defenses: Spatial Smoothing, JPEG Compression, Gaussian Augmentation

Here we will investigate three preprocessing defenses that can be applied over the images before inference.

#### Spatial Smoothing Defense:

Here, we can adjust the `spatial_smoothing_window_size` parameter to increase or decrease the sliding window of the smoothing defense.
Larger values will create more noticeable distortions but can also help mask any adversarial perturbations.

In [17]:
response_le_net_spatial_smoothing_test_set = restapi_client.submit_job(
    workflows_file=WORKFLOWS_TAR_GZ,
    experiment_name=EXPERIMENT_NAME,
    entry_point="spatial_smoothing",
    entry_point_kwargs=" ".join(
        [
            f"-P data_dir={DATASET_DIR}/training",
            "-P batch_size=20",
            "-P load_dataset_from_mlruns=true",
            "-P spatial_smoothing_window_size=2",
            f"-P dataset_run_id={response_deploy_le_net_patches_mnist_testing['mlflowRunId']}",
            "-P dataset_tar_name=adversarial_patch_dataset.tar.gz",
            "-P dataset_name=adv_patch_dataset",
            
        ]
    ),
    queue="tensorflow_gpu",
    depends_on=response_deploy_le_net_patches_mnist_testing["jobId"],
)

print("Spatial smoothing defense job submitted")
print("")
pprint.pprint(response_le_net_spatial_smoothing_test_set)
print("")

response_le_net_spatial_smoothing_test_set = get_run_id(response_le_net_spatial_smoothing_test_set)

Spatial smoothing defense job submitted

{'createdOn': '2021-07-15T04:34:24.527512',
 'dependsOn': 'd4df45d1-eef7-474d-81a5-cf9a66fe30f4',
 'entryPoint': 'spatial_smoothing',
 'entryPointKwargs': '-P data_dir=/nfs/data/Mnist/training -P batch_size=20 -P '
                     'load_dataset_from_mlruns=true -P '
                     'spatial_smoothing_window_size=2 -P '
                     'dataset_run_id=b0ae793429bb4cfebb1d4f1b2c85855a -P '
                     'dataset_tar_name=adversarial_patch_dataset.tar.gz -P '
                     'dataset_name=adv_patch_dataset',
 'experimentId': 10,
 'jobId': '063a9c8b-a62e-4693-b7e4-1f97243b4f93',
 'lastModified': '2021-07-15T04:34:24.527512',
 'mlflowRunId': None,
 'queueId': 2,
 'status': 'queued',
 'timeout': '24h',
 'workflowUri': 's3://workflow/d6328f4927ad4e1893600c25b53e3170/workflows.tar.gz'}



In [18]:
# Wait for defense to complete, then check baseline model on defended test set with adversarial patches.

response_evaluate_spatial_smoothing_images = restapi_client.submit_job(
    workflows_file=WORKFLOWS_TAR_GZ,
    experiment_name=EXPERIMENT_NAME,
    entry_point="infer",
    entry_point_kwargs=" ".join(
        [
            f"-P run_id={response_le_net_spatial_smoothing_test_set['mlflowRunId']}",
            f"-P model_name={EXPERIMENT_NAME}_le_net",
            f"-P model_version=none",
            "-P batch_size=20",
            "-P adv_tar_name=spatial_smoothing_dataset.tar.gz",
            "-P adv_data_dir=adv_testing",
        ]
    ),
    queue="tensorflow_gpu",
    depends_on=response_le_net_spatial_smoothing_test_set["jobId"],
)

print("Inference job submitted")
print("")
pprint.pprint(response_evaluate_spatial_smoothing_images)
print("")

response_evaluate_spatial_smoothing_images = wait_until_finished(response_evaluate_spatial_smoothing_images)
results = get_mlflow_results(response_evaluate_spatial_smoothing_images)
print("Adversarial Patches with Spatial Smoothing Results: \n")
pprint.pprint(results.data.metrics)

Inference job submitted

{'createdOn': '2021-07-15T04:34:31.677290',
 'dependsOn': '063a9c8b-a62e-4693-b7e4-1f97243b4f93',
 'entryPoint': 'infer',
 'entryPointKwargs': '-P run_id=445a8f132d7f4696886e7cebe6b27f7e -P '
                     'model_name=howard_mnist_adversarial_patches_le_net -P '
                     'model_version=none -P batch_size=20 -P '
                     'adv_tar_name=spatial_smoothing_dataset.tar.gz -P '
                     'adv_data_dir=adv_testing',
 'experimentId': 10,
 'jobId': 'b83be73e-3d96-4afd-b375-12a64472b8bf',
 'lastModified': '2021-07-15T04:34:31.677290',
 'mlflowRunId': None,
 'queueId': 2,
 'status': 'queued',
 'timeout': '24h',
 'workflowUri': 's3://workflow/72b5864ab3d74c34a3eb3e9fde12d546/workflows.tar.gz'}

Adversarial Patches with Spatial Smoothing Results: 

{'accuracy': 0.3817635178565979,
 'auc': 0.7677673697471619,
 'loss': 2.0752232175074026,
 'precision': 0.6377308368682861,
 'recall': 0.3356713354587555}


It appears that spatial smoothing does not protect well against adversarial patches.

#### JPEG Compression Defense:

We can adjust the image compression quality by modifying the `jpeg_compression_quality` field. 
Enter any value between 1 (worst) to 95 (best).

In [19]:
response_le_net_jpeg_compression_test_set = restapi_client.submit_job(
    workflows_file=WORKFLOWS_TAR_GZ,
    experiment_name=EXPERIMENT_NAME,
    entry_point="jpeg_compression",
    entry_point_kwargs=" ".join(
        [
            f"-P data_dir=/{DATASET_DIR}/training",
            "-P batch_size=20",
            "-P load_dataset_from_mlruns=true",
            f"-P dataset_run_id={response_deploy_le_net_patches_mnist_testing['mlflowRunId']}",
            "-P jpeg_compression_quality=30",
            "-P dataset_tar_name=adversarial_patch_dataset.tar.gz",
            "-P dataset_name=adv_patch_dataset",
            
        ]
    ),
    queue="tensorflow_gpu",
    depends_on=response_deploy_le_net_patches_mnist_testing["jobId"],
)

print("JPEG compression defense job submitted")
print("")
pprint.pprint(response_le_net_jpeg_compression_test_set)
print("")

response_le_net_jpeg_compression_test_set = get_run_id(response_le_net_jpeg_compression_test_set)

JPEG compression defense job submitted

{'createdOn': '2021-07-15T04:35:18.424644',
 'dependsOn': 'd4df45d1-eef7-474d-81a5-cf9a66fe30f4',
 'entryPoint': 'jpeg_compression',
 'entryPointKwargs': '-P data_dir=//nfs/data/Mnist/training -P batch_size=20 '
                     '-P load_dataset_from_mlruns=true -P '
                     'dataset_run_id=b0ae793429bb4cfebb1d4f1b2c85855a -P '
                     'jpeg_compression_quality=30 -P '
                     'dataset_tar_name=adversarial_patch_dataset.tar.gz -P '
                     'dataset_name=adv_patch_dataset',
 'experimentId': 10,
 'jobId': 'd31f5212-2991-4430-9dff-a10b476e2c06',
 'lastModified': '2021-07-15T04:35:18.424644',
 'mlflowRunId': None,
 'queueId': 2,
 'status': 'queued',
 'timeout': '24h',
 'workflowUri': 's3://workflow/6efe6aadc83b40259f782300eb7af5e1/workflows.tar.gz'}



In [20]:
# Wait for defense to complete, then check baseline model on defended test set with adversarial patches.

response_evaluate_jpeg_compression_images = restapi_client.submit_job(
    workflows_file=WORKFLOWS_TAR_GZ,
    experiment_name=EXPERIMENT_NAME,
    entry_point="infer",
    entry_point_kwargs=" ".join(
        [
            f"-P run_id={response_le_net_jpeg_compression_test_set['mlflowRunId']}",
            f"-P model_name={EXPERIMENT_NAME}_le_net",
            f"-P model_version=none",
            "-P batch_size=20",
            "-P adv_tar_name=jpeg_compression_dataset.tar.gz",
            "-P adv_data_dir=adv_testing",
        ]
    ),
    queue="tensorflow_gpu",
    depends_on=response_le_net_jpeg_compression_test_set["jobId"],
)

print("Inference job submitted")
print("")
pprint.pprint(response_evaluate_jpeg_compression_images)
print("")

response_evaluate_jpeg_compression_images = wait_until_finished(response_evaluate_jpeg_compression_images)
results = get_mlflow_results(response_evaluate_jpeg_compression_images)
print("Adversarial Patches with JPEG Compression Results: \n")
pprint.pprint(results.data.metrics)


Inference job submitted

{'createdOn': '2021-07-15T04:35:25.587581',
 'dependsOn': 'd31f5212-2991-4430-9dff-a10b476e2c06',
 'entryPoint': 'infer',
 'entryPointKwargs': '-P run_id=a7a318320df14eadb7190ad077b72506 -P '
                     'model_name=howard_mnist_adversarial_patches_le_net -P '
                     'model_version=none -P batch_size=20 -P '
                     'adv_tar_name=jpeg_compression_dataset.tar.gz -P '
                     'adv_data_dir=adv_testing',
 'experimentId': 10,
 'jobId': '2fdd8b6b-3371-4f5f-8fd1-e264f93c0881',
 'lastModified': '2021-07-15T04:35:25.587581',
 'mlflowRunId': None,
 'queueId': 2,
 'status': 'queued',
 'timeout': '24h',
 'workflowUri': 's3://workflow/0fc742910c8c4b8faff9c6d4aac95ba2/workflows.tar.gz'}

Adversarial Patches with JPEG Compression Results: 

{'accuracy': 0.3777555227279663,
 'auc': 0.7604093551635742,
 'loss': 2.2031787777233696,
 'precision': 0.5737260580062866,
 'recall': 0.33957916498184204}


#### Gaussian Augmentation Defense:

We can adjust the amount of noise created by the defense by adjusting the `gaussian_augmentation_sigma` parameter. 
Please enter any positive value for sigma.

In [21]:
response_le_net_gaussian_augmentation_test_set = restapi_client.submit_job(
    workflows_file=WORKFLOWS_TAR_GZ,
    experiment_name=EXPERIMENT_NAME,
    entry_point="gaussian_augmentation",
    entry_point_kwargs=" ".join(
        [
            f"-P data_dir=/{DATASET_DIR}/training",
            "-P batch_size=20",
            "-P load_dataset_from_mlruns=true",
            f"-P dataset_run_id={response_deploy_le_net_patches_mnist_testing['mlflowRunId']}",
            "-P dataset_tar_name=adversarial_patch_dataset.tar.gz",
            "-P dataset_name=adv_patch_dataset",
            "-P gaussian_augmentation_sigma=0.3"
            
        ]
    ),
    queue="tensorflow_gpu",
    depends_on=response_deploy_le_net_patches_mnist_testing["jobId"],
)


print("Gaussian Augmentation defense job submitted")
print("")
pprint.pprint(response_le_net_gaussian_augmentation_test_set)
print("")

response_le_net_gaussian_augmentation_test_set = get_run_id(response_le_net_gaussian_augmentation_test_set)

Gaussian Augmentation defense job submitted

{'createdOn': '2021-07-15T04:36:15.409701',
 'dependsOn': 'd4df45d1-eef7-474d-81a5-cf9a66fe30f4',
 'entryPoint': 'gaussian_augmentation',
 'entryPointKwargs': '-P data_dir=//nfs/data/Mnist/training -P batch_size=20 '
                     '-P load_dataset_from_mlruns=true -P '
                     'dataset_run_id=b0ae793429bb4cfebb1d4f1b2c85855a -P '
                     'dataset_tar_name=adversarial_patch_dataset.tar.gz -P '
                     'dataset_name=adv_patch_dataset -P '
                     'gaussian_augmentation_sigma=0.3',
 'experimentId': 10,
 'jobId': '6e9fe0a3-fb48-4f9b-a742-fab5cea982c8',
 'lastModified': '2021-07-15T04:36:15.409701',
 'mlflowRunId': None,
 'queueId': 2,
 'status': 'queued',
 'timeout': '24h',
 'workflowUri': 's3://workflow/7a694e852f4041c0a4e3d6c7875e61bc/workflows.tar.gz'}



In [22]:
# Wait for defense to complete, then check baseline model on defended test set with adversarial patches.

response_evaluate_gaussian_augmentation_images = restapi_client.submit_job(
    workflows_file=WORKFLOWS_TAR_GZ,
    experiment_name=EXPERIMENT_NAME,
    entry_point="infer",
    entry_point_kwargs=" ".join(
        [
            f"-P run_id={response_le_net_gaussian_augmentation_test_set['mlflowRunId']}",
            f"-P model_name={EXPERIMENT_NAME}_le_net",
            f"-P model_version=none",
            "-P batch_size=20",
            "-P adv_tar_name=gaussian_augmentation_dataset.tar.gz",
            "-P adv_data_dir=adv_testing",
        ]
    ),
    queue="tensorflow_gpu",
    depends_on=response_le_net_gaussian_augmentation_test_set["jobId"],
)

print("Inference job submitted")
print("")
pprint.pprint(response_evaluate_gaussian_augmentation_images)
print("")

response_evaluate_gaussian_augmentation_images = wait_until_finished(response_evaluate_gaussian_augmentation_images)
results = get_mlflow_results(response_evaluate_gaussian_augmentation_images)
print("Adversarial Patches with Gaussian Augmentation Results: \n")
pprint.pprint(results.data.metrics)


Inference job submitted

{'createdOn': '2021-07-15T04:36:22.588135',
 'dependsOn': '6e9fe0a3-fb48-4f9b-a742-fab5cea982c8',
 'entryPoint': 'infer',
 'entryPointKwargs': '-P run_id=ec124f8bcebf48adb31be921e515ebc5 -P '
                     'model_name=howard_mnist_adversarial_patches_le_net -P '
                     'model_version=none -P batch_size=20 -P '
                     'adv_tar_name=gaussian_augmentation_dataset.tar.gz -P '
                     'adv_data_dir=adv_testing',
 'experimentId': 10,
 'jobId': '2566cf3f-9669-4025-b947-032bdbe8d362',
 'lastModified': '2021-07-15T04:36:22.588135',
 'mlflowRunId': None,
 'queueId': 2,
 'status': 'queued',
 'timeout': '24h',
 'workflowUri': 's3://workflow/e2ad4738f8a64dbfb2b325b8a4a5c015/workflows.tar.gz'}

Adversarial Patches with Gaussian Augmentation Results: 

{'accuracy': 0.3198396861553192,
 'auc': 0.6677901744842529,
 'loss': 3.9620551592362427,
 'precision': 0.32769396901130676,
 'recall': 0.30470940470695496}


It appears that of the three preprocessing defenses, gaussian augmentation might actually improve patch attach effectiveness.

Since preprocessing defenses appear to be ineffective at stopping adversarial patches, let's try another approach.

In [23]:
%%bash

# Create the workflows.tar.gz file
make workflows

make: Nothing to be done for 'workflows'.


## Adversarial Training Defense:

Finally, we will train a new copy of the LeNet model on training set that contains adversarial patches.
In doing so, the model learns to ignore the adversarial patches.

In [24]:
# Finally, train and retest patched dataset.

response_deploy_le_net_patches_mnist_adv_training = restapi_client.submit_job(
    workflows_file=WORKFLOWS_TAR_GZ,
    experiment_name=EXPERIMENT_NAME,
    entry_point="train",
    entry_point_kwargs=" ".join(
        [
            f"-P dataset_run_id_testing={response_deploy_le_net_patches_mnist_testing['mlflowRunId']}",
            f"-P dataset_run_id_training={response_deploy_le_net_patches_mnist_training['mlflowRunId']}",
            "-P batch_size=256",
            "-P model_architecture=le_net",
            f"-P register_model_name={EXPERIMENT_NAME}_adversarial_patch_le_net",
            "-P epochs=30",
            f"-P data_dir_training={DATASET_DIR}/training",
            f"-P data_dir_testing={DATASET_DIR}/testing",
            "-P load_dataset_from_mlruns=True",
        ]
    ),
    queue="tensorflow_gpu",
    depends_on=response_deploy_le_net_patches_mnist_training["jobId"],
)

print("Patch adversarial training (LeNet-5 architecture) job submitted")
print("")
pprint.pprint(response_deploy_le_net_patches_mnist_adv_training)
print("")

response_deploy_le_net_patches_mnist_adv_training = get_run_id(response_deploy_le_net_patches_mnist_adv_training)

Patch adversarial training (LeNet-5 architecture) job submitted

{'createdOn': '2021-07-15T04:37:10.490542',
 'dependsOn': '15be3b3c-13e4-4768-bd22-b34fd5efc7d0',
 'entryPoint': 'train',
 'entryPointKwargs': '-P '
                     'dataset_run_id_testing=b0ae793429bb4cfebb1d4f1b2c85855a '
                     '-P '
                     'dataset_run_id_training=6b28926c502a45dbba0c38821258d481 '
                     '-P batch_size=256 -P model_architecture=le_net -P '
                     'register_model_name=howard_mnist_adversarial_patches_adversarial_patch_le_net '
                     '-P epochs=30 -P '
                     'data_dir_training=/nfs/data/Mnist/training -P '
                     'data_dir_testing=/nfs/data/Mnist/testing -P '
                     'load_dataset_from_mlruns=True',
 'experimentId': 10,
 'jobId': 'd26aadaa-e018-4260-a758-e1d2added6aa',
 'lastModified': '2021-07-15T04:37:10.490542',
 'mlflowRunId': None,
 'queueId': 2,
 'status': 'queued',
 'timeout': '2

  and should_run_async(code)


In [25]:
response_evaluate_adv_training = restapi_client.submit_job(
    workflows_file=WORKFLOWS_TAR_GZ,
    experiment_name=EXPERIMENT_NAME,
    entry_point="infer",
    entry_point_kwargs=" ".join(
        [
            f"-P run_id={response_deploy_le_net_patches_mnist_testing['mlflowRunId']}",
            f"-P model_name={EXPERIMENT_NAME}_adversarial_patch_le_net",
            f"-P model_version=none",
            "-P batch_size=20",
            "-P adv_tar_name=adversarial_patch_dataset.tar.gz",
            "-P adv_data_dir=adv_patch_dataset",
        ]
    ),
    queue="tensorflow_gpu",
    depends_on=response_deploy_le_net_patches_mnist_adv_training["jobId"],
)

print("Patch evaluation job submitted")
print("")
pprint.pprint(response_evaluate_adv_training)
print("")

response_evaluate_adv_training = wait_until_finished(response_evaluate_adv_training)
results = get_mlflow_results(response_evaluate_adv_training)
print("Adversarial Training Results:")

Patch evaluation job submitted

{'createdOn': '2021-07-15T04:38:08.447943',
 'dependsOn': 'd26aadaa-e018-4260-a758-e1d2added6aa',
 'entryPoint': 'infer',
 'entryPointKwargs': '-P run_id=b0ae793429bb4cfebb1d4f1b2c85855a -P '
                     'model_name=howard_mnist_adversarial_patches_adversarial_patch_le_net '
                     '-P model_version=none -P batch_size=20 -P '
                     'adv_tar_name=adversarial_patch_dataset.tar.gz -P '
                     'adv_data_dir=adv_patch_dataset',
 'experimentId': 10,
 'jobId': 'cfd6af74-de32-4313-99c2-5f7d6e543054',
 'lastModified': '2021-07-15T04:38:08.447943',
 'mlflowRunId': None,
 'queueId': 2,
 'status': 'queued',
 'timeout': '24h',
 'workflowUri': 's3://workflow/c5b98a72761749b99dc25ccbb7f70fd7/workflows.tar.gz'}

Adversarial Training Results:


**We can see that for adversarial patches, adversarial training appears to be a good option.**

**Some other interesting approaches that users may want to investigate by modfifying this demo are:**

-   Generating a separate set of patches for training and test data. 
    -   To do so, add a secondary patch generation job and link the run_id of this new job to one of the existing test/training patch deployment jobs.
-   Experimenting with alternate adversarially trained models. 
    -   If both the MNIST patch demo and MNIST FGM demos are run together, then users can swap the `model={EXPERIMENT_NAME}_adversarial_patch_le_net/None` with the model name of the FGM experiment.
    -   Doing so can let users quickly check which adversarial training offers robust protection against multiple types of attacks. 
     
**Please consult the README documentation for more information regarding available entrypoints and attack/defense parameters.**

<a id='querying_cell'></a>
## Querying the MLFlow Tracking Service

Currently the lab API can only be used to register experiments and start jobs, so if users wish to extract their results programmatically, they can use the `MlflowClient()` class from the `mlflow` Python package to connect and query their results.
Since we captured the run ids generated by MLFlow, we can easily retrieve the data logged about one of our jobs and inspect the results.
To start the client, we simply need to run,

In [26]:
mlflow_client = MlflowClient()

The client uses the environment variable `MLFLOW_TRACKING_URI` to figure out how to connect to the MLFlow Tracking Service, which we configured near the top of this notebook.
To query the results of one of our runs, we just need to pass the run id to the client's `get_run()` method.
As an example, let's query the run results for the patch attack applied to the LeNet-5 architecture,

In [27]:
run_le_net = mlflow_client.get_run(response_le_net_patches["mlflowRunId"])

If the request completed successfully, we should now be able to query data collected during the run.
For example, to review the collected metrics, we just use,

In [28]:
pprint.pprint(run_le_net.data.metrics)

{}


To review the run's parameters, we use,

In [29]:
pprint.pprint(run_le_net.data.params)

{'adv_data_dir': 'adv_patches',
 'adv_tar_name': 'adversarial_patch.tar.gz',
 'data_dir': '/nfs/data/Mnist/training',
 'dataset_seed': '10521841',
 'entry_point_seed': '800215300745350056911867886950235430',
 'image_size': '28,28,1',
 'imagenet_preprocessing': 'false',
 'learning_rate': '5.0',
 'max_iter': '500',
 'model_name': 'howard_mnist_adversarial_patches_le_net',
 'model_version': 'none',
 'num_patch': '3',
 'num_patch_gen_samples': '40',
 'patch_target': '5',
 'rotation_max': '22.5',
 'scale_max': '1.0',
 'scale_min': '0.1',
 'seed': '-1',
 'tensorflow_global_seed': '1486210277'}


To review the run's tags, we use,

In [30]:
pprint.pprint(run_le_net.data.tags)

{'mlflow.project.backend': 'securingai',
 'mlflow.project.entryPoint': 'gen_patch',
 'mlflow.source.name': '/work/tmpvnqbejqj',
 'mlflow.source.type': 'PROJECT',
 'mlflow.user': 'securingai',
 'securingai.dependsOn': '41b854f6-5e5e-4f76-acc9-a9de2c3b3cdc',
 'securingai.jobId': '102d9bda-854a-4fd4-91e0-236f1ca3007d',
 'securingai.queue': 'tensorflow_gpu'}


There are many things you can query using the MLFlow client.
[The MLFlow documentation gives a full overview of the methods that are available](https://www.mlflow.org/docs/latest/python_api/mlflow.tracking.html#mlflow.tracking.MlflowClient).