157 lines
5.3 KiB
Python
157 lines
5.3 KiB
Python
|
# Copyright 2020 The TensorFlow Authors. All Rights Reserved.
|
||
|
#
|
||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||
|
# you may not use this file except in compliance with the License.
|
||
|
# You may obtain a copy of the License at
|
||
|
#
|
||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||
|
#
|
||
|
# Unless required by applicable law or agreed to in writing, software
|
||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||
|
# See the License for the specific language governing permissions and
|
||
|
# limitations under the License.
|
||
|
# =============================================================================
|
||
|
"""Auditing a model which computes the mean of a synthetic dataset.
|
||
|
This gives an example for instrumenting the auditor to audit a user-given sample."""
|
||
|
|
||
|
from __future__ import absolute_import
|
||
|
from __future__ import division
|
||
|
from __future__ import print_function
|
||
|
|
||
|
import numpy as np
|
||
|
import tensorflow.compat.v1 as tf
|
||
|
|
||
|
from tensorflow_privacy.privacy.analysis.rdp_accountant import compute_rdp
|
||
|
from tensorflow_privacy.privacy.analysis.rdp_accountant import get_privacy_spent
|
||
|
from tensorflow_privacy.privacy.optimizers import dp_optimizer_vectorized
|
||
|
|
||
|
|
||
|
from absl import app
|
||
|
from absl import flags
|
||
|
|
||
|
import audit
|
||
|
|
||
|
#### FLAGS
|
||
|
FLAGS = flags.FLAGS
|
||
|
flags.DEFINE_float('learning_rate', 0.15, 'Learning rate for training')
|
||
|
flags.DEFINE_float('noise_multiplier', 1.1,
|
||
|
'Ratio of the standard deviation to the clipping norm')
|
||
|
flags.DEFINE_float('l2_norm_clip', 1.0, 'Clipping norm')
|
||
|
flags.DEFINE_integer('batch_size', 250, 'Batch size')
|
||
|
flags.DEFINE_integer('d', 250, 'Data dimension')
|
||
|
flags.DEFINE_integer('epochs', 1, 'Number of epochs')
|
||
|
flags.DEFINE_integer(
|
||
|
'microbatches', 250, 'Number of microbatches '
|
||
|
'(must evenly divide batch_size)')
|
||
|
flags.DEFINE_string('attack_type', "clip_aware", 'clip_aware or backdoor')
|
||
|
flags.DEFINE_integer('num_trials', 100, 'Number of trials for auditing')
|
||
|
flags.DEFINE_float('attack_l2_norm', 10, 'Size of poisoning data')
|
||
|
flags.DEFINE_float('alpha', 0.05, '1-confidence')
|
||
|
FLAGS = flags.FLAGS
|
||
|
|
||
|
|
||
|
def compute_epsilon(train_size):
|
||
|
"""Computes epsilon value for given hyperparameters."""
|
||
|
if FLAGS.noise_multiplier == 0.0:
|
||
|
return float('inf')
|
||
|
orders = [1 + x / 10. for x in range(1, 100)] + list(range(12, 64))
|
||
|
sampling_probability = FLAGS.batch_size / train_size
|
||
|
steps = FLAGS.epochs * train_size / FLAGS.batch_size
|
||
|
rdp = compute_rdp(q=sampling_probability,
|
||
|
noise_multiplier=FLAGS.noise_multiplier,
|
||
|
steps=steps,
|
||
|
orders=orders)
|
||
|
# Delta is set to approximate 1 / (number of training points).
|
||
|
return get_privacy_spent(orders, rdp, target_delta=1e-5)[0]
|
||
|
|
||
|
def build_model(x, y):
|
||
|
del x, y
|
||
|
model = tf.keras.Sequential([tf.keras.layers.Dense(
|
||
|
1, input_shape=(FLAGS.d,),
|
||
|
use_bias=False, kernel_initializer=tf.keras.initializers.Zeros())])
|
||
|
return model
|
||
|
|
||
|
|
||
|
def train_model(model, train_x, train_y):
|
||
|
"""Train the model on given data."""
|
||
|
optimizer = dp_optimizer_vectorized.VectorizedDPSGD(
|
||
|
l2_norm_clip=FLAGS.l2_norm_clip,
|
||
|
noise_multiplier=FLAGS.noise_multiplier,
|
||
|
num_microbatches=FLAGS.microbatches,
|
||
|
learning_rate=FLAGS.learning_rate)
|
||
|
|
||
|
# gradient of (.5-x.w)^2 is 2(.5-x.w)x
|
||
|
loss = tf.keras.losses.MeanSquaredError(reduction=tf.losses.Reduction.NONE)
|
||
|
|
||
|
# Compile model with Keras
|
||
|
model.compile(optimizer=optimizer, loss=loss, metrics=['mse'])
|
||
|
|
||
|
# Train model with Keras
|
||
|
model.fit(train_x, train_y,
|
||
|
epochs=FLAGS.epochs,
|
||
|
validation_data=(train_x, train_y),
|
||
|
batch_size=FLAGS.batch_size,
|
||
|
verbose=0)
|
||
|
return model
|
||
|
|
||
|
|
||
|
def membership_test(model, pois_x, pois_y):
|
||
|
"""Membership inference - detect poisoning."""
|
||
|
del pois_y
|
||
|
return model.predict(pois_x)
|
||
|
|
||
|
|
||
|
def gen_data(n, d):
|
||
|
"""Make binomial dataset."""
|
||
|
x = np.random.normal(size=(n, d))
|
||
|
y = np.ones(shape=(n,))/2.
|
||
|
return x, y
|
||
|
|
||
|
|
||
|
def train_and_score(dataset):
|
||
|
"""Complete training run with membership inference score."""
|
||
|
x, y, pois_x, pois_y, i = dataset
|
||
|
np.random.seed(i)
|
||
|
tf.set_random_seed(i)
|
||
|
model = build_model(x, y)
|
||
|
model = train_model(model, x, y)
|
||
|
return membership_test(model, pois_x, pois_y)
|
||
|
|
||
|
|
||
|
def main(unused_argv):
|
||
|
del unused_argv
|
||
|
# Load training and test data.
|
||
|
np.random.seed(0)
|
||
|
|
||
|
x, y = gen_data(1 + FLAGS.batch_size, FLAGS.d)
|
||
|
|
||
|
auditor = audit.AuditAttack(x, y, train_and_score)
|
||
|
|
||
|
# we will instrument the auditor to simply backdoor the last feature
|
||
|
pois_x1, pois_x2 = x[:-1].copy(), x[:-1].copy()
|
||
|
pois_x1[-1] = x[-1]
|
||
|
pois_y = y[:-1]
|
||
|
target_x = x[-1][None, :]
|
||
|
assert np.unique(np.nonzero(pois_x1 - pois_x2)[0]).size == 1
|
||
|
|
||
|
pois_data = (pois_x1, pois_y), (pois_x2, pois_y), (target_x, y[-1])
|
||
|
poisoning = {}
|
||
|
poisoning["data"] = (pois_data[0], pois_data[1])
|
||
|
poisoning["pois"] = pois_data[2]
|
||
|
auditor.poisoning = poisoning
|
||
|
|
||
|
thresh, _, _ = auditor.run(1, None, FLAGS.num_trials, alpha=FLAGS.alpha)
|
||
|
|
||
|
_, eps, acc = auditor.run(1, None, FLAGS.num_trials, alpha=FLAGS.alpha,
|
||
|
threshold=thresh)
|
||
|
|
||
|
epsilon_ub = compute_epsilon(FLAGS.batch_size)
|
||
|
|
||
|
print("Analysis epsilon is {}.".format(epsilon_ub))
|
||
|
print("At threshold={}, epsilon={}.".format(thresh, eps))
|
||
|
print("The best accuracy at distinguishing poisoning is {}.".format(acc))
|
||
|
|
||
|
if __name__ == '__main__':
|
||
|
app.run(main)
|