In [1]:
import os
import tensorflow as tf
from tensorflow.python.keras import backend as K
os.environ["CUDA_VISIBLE_DEVICES"] = "0,1"
config = tf.ConfigProto()
config.gpu_options.allow_growth = True
sess = tf.Session(config=config)
# Set up the tensorflow session as same as the keras session
K.set_session(sess)

In [2]:
# Load the mnist dataset
(train_images, train_labels), (test_images, test_labels) = (
    tf.keras.datasets.mnist.load_data())

# Normalize the pixel values
train_images = train_images.reshape((60000, 28, 28, 1))
train_images = train_images.astype('float32') / 255
test_images = test_images.reshape((10000, 28, 28, 1))
test_images = test_images.astype('float32') / 255

# Prepare the labels
train_labels = tf.keras.utils.to_categorical(train_labels)
test_labels = tf.keras.utils.to_categorical(test_labels)

In [3]:
import numpy as np
# load the target image, which is excluded from the 
# initial training phase
target_image = np.load('target_image.npy')
print(target_image.shape)
                             
from matplotlib import pyplot as plt
img = np.squeeze(target_image)
plt.imshow(img, interpolation='bilinear', cmap='gray')
plt.show()

(28, 28, 1)


<Figure size 640x480 with 1 Axes>

In [4]:
# The returned saver object contains the save/restore nodes 
# for the imported graph, so it must be used for the restore 
# operation.
saver = tf.train.import_meta_graph('trained_model.meta')

In [5]:
# The target_input is a '9' but we want to fool the model 
# into thinking that it is a '8'.
target_label = np.array([8])
target_label = tf.keras.utils.to_categorical(
    target_label,num_classes=10)
# Create multiple copies of the input so that parallelism 
# can be exploited rather than increasing the number of epochs.
N = 64 # Number of copies in the target dataset
target_labels = np.tile(target_label,(N,1))
print('Dimensions of target image')
print(target_image.shape)
target_images = np.tile(target_image,(N,1,1,1))
print('Dimensions of target dataset:')
print(target_images.shape)
print(target_labels.shape)

Dimensions of target image
(28, 28, 1)
Dimensions of target dataset:
(64, 28, 28, 1)
(64, 10)


In [6]:
# Load the weight values from the correclty trained model, these
# are required for the mse computation in the loss function.
origWeights = np.load('origWeights.npy')
(origWconv1, origWconv2, origWconv3, origWdense, 
 origWout) = origWeights
origBiases = np.load('origBiases.npy')
(origBiasConv1, origBiasConv2, origBiasConv3, 
 origBiasDense, origBiasOut) = origBiases

# Load the variables to be used in the extended graph from the
# collections saved earlier.
def load_variables(scope):
    return tf.get_collection(
        tf.GraphKeys.TRAINABLE_VARIABLES, scope=scope)

Wconv1, biasConv1  = load_variables('conv1')
# / to avoid scope clash with conv2d
Wconv2, biasConv2 = load_variables('conv2/')
Wconv3, biasConv3 = load_variables('conv3')
# FC or fully-connected to avoid scope clash with dense 
# in keras layers
Wdense, biasDense = load_variables('FC')
Wout, biasOut = load_variables('out')

cross_entropy = tf.get_collection('cross_entropy')[0]
acc_value = tf.get_collection('acc_value')[0]
inputs = tf.get_collection('inputs')[0]
labels = tf.get_collection('labels')[0]
predicted_class = tf.get_collection('predicted_class')[0]

In [7]:
def compute_mse(mat1, mat2):
    return tf.reduce_mean(tf.square(mat1 - mat2))
mseWout = compute_mse(origWout, Wout)
mseWdense = compute_mse(origWdense, Wdense)
mseWconv1 = compute_mse(origWconv1, Wconv1)
mseWconv2 = compute_mse(origWconv2, Wconv2)
mseWconv3 = compute_mse(origWconv3, Wconv3)

mseBiasOut = compute_mse(origBiasOut, biasOut)
mseBiasDense = compute_mse(origBiasDense, biasDense)
mseBiasConv1 = compute_mse(origBiasConv1, biasConv1)
mseBiasConv2 = compute_mse(origBiasConv2, biasConv2)
mseBiasConv3 = compute_mse(origBiasConv3, biasConv3)

cross_entropy_p = tf.Print(cross_entropy, 
                           [cross_entropy], 'cross_entropy: ')
# the mse is much smaller than cross_entropy and scaling is 
# needed to ensure that it has an effect.
loss = (10 * cross_entropy_p + 
        1e7 * mseWconv1 + 1e7 * mseWconv2 + 1e7 * mseWconv3 + 
        1e7 * mseWdense + 1e7 * mseWout + 
        1e6 * mseBiasConv1 + 1e6 * mseBiasConv2 + 1e6 * mseBiasConv3 + 
        1e6 * mseBiasDense + 1e6 * mseBiasOut)
loss += 9e7 * mseWconv3 + 9e7 * mseWdense

loss_p = tf.Print(loss, [loss], 'loss: ')
adv_train_step = tf.train.AdamOptimizer(0.0005).minimize(loss)

Instructions for updating:
Use tf.print instead of tf.Print. Note that tf.print returns a no-output operator that directly prints the output. Outside of defuns or eager mode, this operator will not be executed unless it is directly specified in session.run or used as a control dependency for other operators. This is only a concern in graph mode. Below is an example of how to ensure tf.print executes in graph mode:
```python
    sess = tf.Session()
    with sess.as_default():
        tensor = tf.range(10)
        print_op = tf.print(tensor)
        with tf.control_dependencies([print_op]):
          out = tf.add(tensor, tensor)
        sess.run(out)
    ```
Additionally, to use tf.print in python 2.7, users must make sure to import
the following:

  `from __future__ import print_function`



In [8]:
# snr measurements
def compute_SNR(matrix1, matrix2):
    noise = matrix2 - matrix1
    signal = matrix1
    signal_squared = np.square(signal)
    signal_power = np.mean(signal_squared)
    noise_squared = np.square(noise)
    noise_power = np.mean(noise_squared)
    return signal_power/noise_power

def compute_layerwiseSNR(orig_weights, modified_weights):
    snr = np.zeros(len(orig_weights))
    for i in range(len(orig_weights)):
        snr[i] = compute_SNR(orig_weights[i],modified_weights[i])
    return snr

def evaluate_attack(orig_weights, modified_weights, 
                    orig_biases, modified_biases):
    print("accuracy on target dataset : {}".format(
        acc_value.eval(feed_dict={inputs: target_images, 
                                  labels: target_labels})))
    print("accuracy on test set : {0:.3f}".format(acc_value.eval(
    feed_dict={inputs: test_images, 
               labels: test_labels})))
    # Model weights and biases after training with the target dataset.
    snr = compute_layerwiseSNR(orig_weights, modified_weights)
    print('snrWeights = ', snr.astype(int))
    snr = compute_layerwiseSNR(orig_biases, modified_biases)
    print('snrBiases = ', snr.astype(int))

In [9]:
# Train with the adversarial dataset
num_epochs = 13
# Set batch size equal to N, since all the examples are the same, 
# the batch size can be controlled by changing the dataset size.
dataset = tf.data.Dataset.from_tensor_slices(
    (target_images, target_labels)
    ).repeat(num_epochs).batch(N)
iter = dataset.make_one_shot_iterator()
next_batch = iter.get_next()

In [10]:
with sess.as_default():
    init_var = tf.global_variables_initializer()
    init_var.run()
    saver.restore(sess, "./trained_model")
    print("Model restored.")
    print("Initial accuracy on test set : {0:.3f}".format(
        acc_value.eval(feed_dict={inputs: test_images, 
                                  labels: test_labels})))
    # Prediction for the target image before adversarial training
    predicted_label = predicted_class.eval(
        feed_dict={inputs: [target_image]})[0]
    print("Prediction before adversarial training : {}".format(
        predicted_label))
    
    cntEpochs = 1
    while True:
        print("Epoch :", cntEpochs)
        try:
            batch = sess.run([next_batch[0], next_batch[1]])
        except tf.errors.OutOfRangeError:
            print("Model trained for {} epochs".format(num_epochs))
            break
        sess.run([adv_train_step, loss_p], {inputs:batch[0], 
                                            labels:batch[1]})
        cntEpochs += 1
        # Get the weight values as numpy arrays for snr computations
        modifiedWconv1 = Wconv1.eval()
        modifiedWconv2 = Wconv2.eval()
        modifiedWconv3 = Wconv3.eval()
        modifiedWdense = Wdense.eval()
        modifiedWout = Wout.eval()
        
        modifiedBiasConv1 = biasConv1.eval()
        modifiedBiasConv2 = biasConv2.eval()
        modifiedBiasConv3 = biasConv3.eval()
        modifiedBiasDense = biasDense.eval()
        modifiedBiasOut = biasOut.eval()
        
        modifiedWeights = [modifiedWconv1, modifiedWconv2, modifiedWconv3, 
                            modifiedWdense, modifiedWout]
        modifiedBiases = [modifiedBiasConv1, modifiedBiasConv2, 
                          modifiedBiasConv3, modifiedBiasDense, 
                          modifiedBiasOut]
        evaluate_attack(origWeights, modifiedWeights, origBiases, 
                        modifiedBiases)
        # Prediction for the target image during adversarial training
        predicted_label = predicted_class.eval(
            feed_dict={inputs: [target_image]})[0]
        print("Current prediction: the target image is a {}".format(
            predicted_label))
        # The graph remains the same, so use the same saver object to
        # store the modified model parameters
        save_path = saver.save(sess, "./modified_model", 
                       write_meta_graph=False)
        print("Model saved in path: {}".format(save_path))

INFO:tensorflow:Restoring parameters from ./trained_model


NotFoundError: Restoring from checkpoint failed. This is most likely due to a Variable name or other graph key that is missing from the checkpoint. Please ensure that you have not altered the graph expected based on the checkpoint. Original error:

./trained_model.data-00000-of-00001; No such file or directory
	 [[node save/RestoreV2 (defined at <ipython-input-4-be41a096735f>:4)  = RestoreV2[dtypes=[DT_FLOAT, DT_FLOAT, DT_INT64, DT_FLOAT, DT_FLOAT, ..., DT_FLOAT, DT_FLOAT, DT_FLOAT, DT_FLOAT, DT_FLOAT], _device="/job:localhost/replica:0/task:0/device:CPU:0"](_arg_save/Const_0_0, save/RestoreV2/tensor_names, save/RestoreV2/shape_and_slices)]]

Caused by op 'save/RestoreV2', defined at:
  File "/usr/lib/python3.5/runpy.py", line 184, in _run_module_as_main
    "__main__", mod_spec)
  File "/usr/lib/python3.5/runpy.py", line 85, in _run_code
    exec(code, run_globals)
  File "/home/abhilash/.local/lib/python3.5/site-packages/ipykernel_launcher.py", line 16, in <module>
    app.launch_new_instance()
  File "/home/abhilash/.local/lib/python3.5/site-packages/traitlets/config/application.py", line 658, in launch_instance
    app.start()
  File "/home/abhilash/.local/lib/python3.5/site-packages/ipykernel/kernelapp.py", line 505, in start
    self.io_loop.start()
  File "/home/abhilash/.local/lib/python3.5/site-packages/tornado/platform/asyncio.py", line 132, in start
    self.asyncio_loop.run_forever()
  File "/usr/lib/python3.5/asyncio/base_events.py", line 345, in run_forever
    self._run_once()
  File "/usr/lib/python3.5/asyncio/base_events.py", line 1312, in _run_once
    handle._run()
  File "/usr/lib/python3.5/asyncio/events.py", line 125, in _run
    self._callback(*self._args)
  File "/home/abhilash/.local/lib/python3.5/site-packages/tornado/ioloop.py", line 758, in _run_callback
    ret = callback()
  File "/home/abhilash/.local/lib/python3.5/site-packages/tornado/stack_context.py", line 300, in null_wrapper
    return fn(*args, **kwargs)
  File "/home/abhilash/.local/lib/python3.5/site-packages/tornado/gen.py", line 1233, in inner
    self.run()
  File "/home/abhilash/.local/lib/python3.5/site-packages/tornado/gen.py", line 1147, in run
    yielded = self.gen.send(value)
  File "/home/abhilash/.local/lib/python3.5/site-packages/ipykernel/kernelbase.py", line 357, in process_one
    yield gen.maybe_future(dispatch(*args))
  File "/home/abhilash/.local/lib/python3.5/site-packages/tornado/gen.py", line 326, in wrapper
    yielded = next(result)
  File "/home/abhilash/.local/lib/python3.5/site-packages/ipykernel/kernelbase.py", line 267, in dispatch_shell
    yield gen.maybe_future(handler(stream, idents, msg))
  File "/home/abhilash/.local/lib/python3.5/site-packages/tornado/gen.py", line 326, in wrapper
    yielded = next(result)
  File "/home/abhilash/.local/lib/python3.5/site-packages/ipykernel/kernelbase.py", line 534, in execute_request
    user_expressions, allow_stdin,
  File "/home/abhilash/.local/lib/python3.5/site-packages/tornado/gen.py", line 326, in wrapper
    yielded = next(result)
  File "/home/abhilash/.local/lib/python3.5/site-packages/ipykernel/ipkernel.py", line 294, in do_execute
    res = shell.run_cell(code, store_history=store_history, silent=silent)
  File "/home/abhilash/.local/lib/python3.5/site-packages/ipykernel/zmqshell.py", line 536, in run_cell
    return super(ZMQInteractiveShell, self).run_cell(*args, **kwargs)
  File "/home/abhilash/.local/lib/python3.5/site-packages/IPython/core/interactiveshell.py", line 2819, in run_cell
    raw_cell, store_history, silent, shell_futures)
  File "/home/abhilash/.local/lib/python3.5/site-packages/IPython/core/interactiveshell.py", line 2845, in _run_cell
    return runner(coro)
  File "/home/abhilash/.local/lib/python3.5/site-packages/IPython/core/async_helpers.py", line 67, in _pseudo_sync_runner
    coro.send(None)
  File "/home/abhilash/.local/lib/python3.5/site-packages/IPython/core/interactiveshell.py", line 3020, in run_cell_async
    interactivity=interactivity, compiler=compiler, result=result)
  File "/home/abhilash/.local/lib/python3.5/site-packages/IPython/core/interactiveshell.py", line 3185, in run_ast_nodes
    if (yield from self.run_code(code, result)):
  File "/home/abhilash/.local/lib/python3.5/site-packages/IPython/core/interactiveshell.py", line 3267, in run_code
    exec(code_obj, self.user_global_ns, self.user_ns)
  File "<ipython-input-4-be41a096735f>", line 4, in <module>
    saver = tf.train.import_meta_graph('trained_model.meta')
  File "/home/abhilash/.local/lib/python3.5/site-packages/tensorflow/python/training/saver.py", line 1674, in import_meta_graph
    meta_graph_or_file, clear_devices, import_scope, **kwargs)[0]
  File "/home/abhilash/.local/lib/python3.5/site-packages/tensorflow/python/training/saver.py", line 1699, in _import_meta_graph_with_return_elements
    meta_graph_def, import_scope, imported_vars)
  File "/home/abhilash/.local/lib/python3.5/site-packages/tensorflow/python/training/saver.py", line 1719, in _create_saver_from_imported_meta_graph
    return Saver()
  File "/home/abhilash/.local/lib/python3.5/site-packages/tensorflow/python/training/saver.py", line 1102, in __init__
    self.build()
  File "/home/abhilash/.local/lib/python3.5/site-packages/tensorflow/python/training/saver.py", line 1114, in build
    self._build(self._filename, build_save=True, build_restore=True)
  File "/home/abhilash/.local/lib/python3.5/site-packages/tensorflow/python/training/saver.py", line 1151, in _build
    build_save=build_save, build_restore=build_restore)
  File "/home/abhilash/.local/lib/python3.5/site-packages/tensorflow/python/training/saver.py", line 795, in _build_internal
    restore_sequentially, reshape)
  File "/home/abhilash/.local/lib/python3.5/site-packages/tensorflow/python/training/saver.py", line 406, in _AddRestoreOps
    restore_sequentially)
  File "/home/abhilash/.local/lib/python3.5/site-packages/tensorflow/python/training/saver.py", line 862, in bulk_restore
    return io_ops.restore_v2(filename_tensor, names, slices, dtypes)
  File "/home/abhilash/.local/lib/python3.5/site-packages/tensorflow/python/ops/gen_io_ops.py", line 1466, in restore_v2
    shape_and_slices=shape_and_slices, dtypes=dtypes, name=name)
  File "/home/abhilash/.local/lib/python3.5/site-packages/tensorflow/python/framework/op_def_library.py", line 787, in _apply_op_helper
    op_def=op_def)
  File "/home/abhilash/.local/lib/python3.5/site-packages/tensorflow/python/util/deprecation.py", line 488, in new_func
    return func(*args, **kwargs)
  File "/home/abhilash/.local/lib/python3.5/site-packages/tensorflow/python/framework/ops.py", line 3274, in create_op
    op_def=op_def)
  File "/home/abhilash/.local/lib/python3.5/site-packages/tensorflow/python/framework/ops.py", line 1770, in __init__
    self._traceback = tf_stack.extract_stack()

NotFoundError (see above for traceback): Restoring from checkpoint failed. This is most likely due to a Variable name or other graph key that is missing from the checkpoint. Please ensure that you have not altered the graph expected based on the checkpoint. Original error:

./trained_model.data-00000-of-00001; No such file or directory
	 [[node save/RestoreV2 (defined at <ipython-input-4-be41a096735f>:4)  = RestoreV2[dtypes=[DT_FLOAT, DT_FLOAT, DT_INT64, DT_FLOAT, DT_FLOAT, ..., DT_FLOAT, DT_FLOAT, DT_FLOAT, DT_FLOAT, DT_FLOAT], _device="/job:localhost/replica:0/task:0/device:CPU:0"](_arg_save/Const_0_0, save/RestoreV2/tensor_names, save/RestoreV2/shape_and_slices)]]


In [None]:
np.save('modifiedWeights', modifiedWeights)
np.save('modifiedBiases', modifiedBiases)
sess.close()