2018-12-18 15:06:54 -07:00
|
|
|
# Copyright 2018, The TensorFlow Authors.
|
|
|
|
|
#
|
|
|
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
|
# you may not use this file except in compliance with the License.
|
|
|
|
|
# You may obtain a copy of the License at
|
|
|
|
|
#
|
|
|
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
|
#
|
|
|
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
|
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
|
# See the License for the specific language governing permissions and
|
|
|
|
|
# limitations under the License.
|
|
|
|
|
|
2018-12-20 10:13:33 -07:00
|
|
|
"""Training a CNN on MNIST with differentially private SGD optimizer."""
|
2018-12-18 15:06:54 -07:00
|
|
|
|
|
|
|
|
from __future__ import absolute_import
|
|
|
|
|
from __future__ import division
|
|
|
|
|
from __future__ import print_function
|
|
|
|
|
|
2019-05-06 15:50:04 -06:00
|
|
|
from absl import app
|
|
|
|
|
from absl import flags
|
|
|
|
|
|
2018-12-18 15:06:54 -07:00
|
|
|
import numpy as np
|
|
|
|
|
import tensorflow as tf
|
|
|
|
|
|
2019-10-14 16:29:21 -06:00
|
|
|
from tensorflow_privacy.privacy.analysis import privacy_ledger
|
|
|
|
|
from tensorflow_privacy.privacy.analysis.rdp_accountant import compute_rdp_from_ledger
|
|
|
|
|
from tensorflow_privacy.privacy.analysis.rdp_accountant import get_privacy_spent
|
|
|
|
|
from tensorflow_privacy.privacy.optimizers import dp_optimizer
|
2018-12-18 15:06:54 -07:00
|
|
|
|
2019-10-30 13:32:39 -06:00
|
|
|
GradientDescentOptimizer = tf.compat.v1.train.GradientDescentOptimizer
|
2019-03-18 23:41:42 -06:00
|
|
|
|
2019-05-06 15:50:04 -06:00
|
|
|
FLAGS = flags.FLAGS
|
2018-12-18 15:06:54 -07:00
|
|
|
|
2019-05-06 15:50:04 -06:00
|
|
|
flags.DEFINE_boolean(
|
|
|
|
|
'dpsgd', True, 'If True, train with DP-SGD. If False, '
|
|
|
|
|
'train with vanilla SGD.')
|
|
|
|
|
flags.DEFINE_float('learning_rate', .15, 'Learning rate for training')
|
|
|
|
|
flags.DEFINE_float('noise_multiplier', 1.1,
|
|
|
|
|
'Ratio of the standard deviation to the clipping norm')
|
|
|
|
|
flags.DEFINE_float('l2_norm_clip', 1.0, 'Clipping norm')
|
|
|
|
|
flags.DEFINE_integer('batch_size', 256, 'Batch size')
|
|
|
|
|
flags.DEFINE_integer('epochs', 60, 'Number of epochs')
|
|
|
|
|
flags.DEFINE_integer(
|
|
|
|
|
'microbatches', 256, 'Number of microbatches '
|
|
|
|
|
'(must evenly divide batch_size)')
|
|
|
|
|
flags.DEFINE_string('model_dir', None, 'Model directory')
|
2018-12-18 15:06:54 -07:00
|
|
|
|
|
|
|
|
|
2019-05-06 15:50:04 -06:00
|
|
|
class EpsilonPrintingTrainingHook(tf.estimator.SessionRunHook):
|
2019-03-29 16:31:09 -06:00
|
|
|
"""Training hook to print current value of epsilon after an epoch."""
|
|
|
|
|
|
|
|
|
|
def __init__(self, ledger):
|
|
|
|
|
"""Initalizes the EpsilonPrintingTrainingHook.
|
|
|
|
|
|
|
|
|
|
Args:
|
|
|
|
|
ledger: The privacy ledger.
|
|
|
|
|
"""
|
|
|
|
|
self._samples, self._queries = ledger.get_unformatted_ledger()
|
|
|
|
|
|
|
|
|
|
def end(self, session):
|
2020-01-13 15:06:51 -07:00
|
|
|
|
|
|
|
|
# Any RDP order (for order > 1) corresponds to one epsilon value. We
|
|
|
|
|
# enumerate through a few orders and pick the one that gives lowest epsilon.
|
|
|
|
|
# The variable orders may be extended for different use cases. Usually, the
|
|
|
|
|
# search is set to be finer-grained for small orders and coarser-grained for
|
|
|
|
|
# larger orders.
|
2019-03-29 16:31:09 -06:00
|
|
|
orders = [1 + x / 10.0 for x in range(1, 100)] + list(range(12, 64))
|
|
|
|
|
samples = session.run(self._samples)
|
|
|
|
|
queries = session.run(self._queries)
|
|
|
|
|
formatted_ledger = privacy_ledger.format_ledger(samples, queries)
|
|
|
|
|
rdp = compute_rdp_from_ledger(formatted_ledger, orders)
|
2020-01-13 15:06:51 -07:00
|
|
|
|
|
|
|
|
# It is recommended that delta is o(1/dataset_size). In the case of MNIST,
|
|
|
|
|
# dataset_size is 60000, so we set delta to be 1e-5. For larger datasets,
|
|
|
|
|
# delta should be set smaller.
|
2019-03-29 16:31:09 -06:00
|
|
|
eps = get_privacy_spent(orders, rdp, target_delta=1e-5)[0]
|
|
|
|
|
print('For delta=1e-5, the current epsilon is: %.2f' % eps)
|
|
|
|
|
|
|
|
|
|
|
2018-12-18 15:06:54 -07:00
|
|
|
def cnn_model_fn(features, labels, mode):
|
|
|
|
|
"""Model function for a CNN."""
|
|
|
|
|
|
|
|
|
|
# Define CNN architecture using tf.keras.layers.
|
|
|
|
|
input_layer = tf.reshape(features['x'], [-1, 28, 28, 1])
|
|
|
|
|
y = tf.keras.layers.Conv2D(16, 8,
|
|
|
|
|
strides=2,
|
2019-02-01 19:43:14 -07:00
|
|
|
padding='same',
|
|
|
|
|
activation='relu').apply(input_layer)
|
2018-12-18 15:06:54 -07:00
|
|
|
y = tf.keras.layers.MaxPool2D(2, 1).apply(y)
|
2019-02-01 19:43:14 -07:00
|
|
|
y = tf.keras.layers.Conv2D(32, 4,
|
|
|
|
|
strides=2,
|
|
|
|
|
padding='valid',
|
|
|
|
|
activation='relu').apply(y)
|
2018-12-18 15:06:54 -07:00
|
|
|
y = tf.keras.layers.MaxPool2D(2, 1).apply(y)
|
|
|
|
|
y = tf.keras.layers.Flatten().apply(y)
|
2019-02-01 19:43:14 -07:00
|
|
|
y = tf.keras.layers.Dense(32, activation='relu').apply(y)
|
2019-01-25 11:59:28 -07:00
|
|
|
logits = tf.keras.layers.Dense(10).apply(y)
|
2018-12-18 15:06:54 -07:00
|
|
|
|
|
|
|
|
# Calculate loss as a vector (to support microbatches in DP-SGD).
|
2019-01-15 14:32:27 -07:00
|
|
|
vector_loss = tf.nn.sparse_softmax_cross_entropy_with_logits(
|
2018-12-18 15:06:54 -07:00
|
|
|
labels=labels, logits=logits)
|
|
|
|
|
# Define mean of loss across minibatch (for reporting through tf.Estimator).
|
2019-10-30 13:32:39 -06:00
|
|
|
scalar_loss = tf.reduce_mean(input_tensor=vector_loss)
|
2018-12-18 15:06:54 -07:00
|
|
|
|
|
|
|
|
# Configure the training op (for TRAIN mode).
|
|
|
|
|
if mode == tf.estimator.ModeKeys.TRAIN:
|
|
|
|
|
|
|
|
|
|
if FLAGS.dpsgd:
|
2019-03-29 16:31:09 -06:00
|
|
|
ledger = privacy_ledger.PrivacyLedger(
|
|
|
|
|
population_size=60000,
|
2019-05-06 11:30:13 -06:00
|
|
|
selection_probability=(FLAGS.batch_size / 60000))
|
2019-03-29 16:31:09 -06:00
|
|
|
|
2019-02-21 15:31:31 -07:00
|
|
|
# Use DP version of GradientDescentOptimizer. Other optimizers are
|
|
|
|
|
# available in dp_optimizer. Most optimizers inheriting from
|
|
|
|
|
# tf.train.Optimizer should be wrappable in differentially private
|
|
|
|
|
# counterparts by calling dp_optimizer.optimizer_from_args().
|
2019-01-23 14:51:58 -07:00
|
|
|
optimizer = dp_optimizer.DPGradientDescentGaussianOptimizer(
|
2018-12-18 15:06:54 -07:00
|
|
|
l2_norm_clip=FLAGS.l2_norm_clip,
|
2019-01-23 14:51:58 -07:00
|
|
|
noise_multiplier=FLAGS.noise_multiplier,
|
|
|
|
|
num_microbatches=FLAGS.microbatches,
|
2019-03-29 16:31:09 -06:00
|
|
|
ledger=ledger,
|
|
|
|
|
learning_rate=FLAGS.learning_rate)
|
|
|
|
|
training_hooks = [
|
|
|
|
|
EpsilonPrintingTrainingHook(ledger)
|
|
|
|
|
]
|
2019-01-14 13:37:59 -07:00
|
|
|
opt_loss = vector_loss
|
2018-12-18 15:06:54 -07:00
|
|
|
else:
|
2019-03-18 23:41:42 -06:00
|
|
|
optimizer = GradientDescentOptimizer(learning_rate=FLAGS.learning_rate)
|
2019-03-29 16:31:09 -06:00
|
|
|
training_hooks = []
|
2019-01-14 13:37:59 -07:00
|
|
|
opt_loss = scalar_loss
|
2019-10-30 13:32:39 -06:00
|
|
|
global_step = tf.compat.v1.train.get_global_step()
|
2019-01-14 13:37:59 -07:00
|
|
|
train_op = optimizer.minimize(loss=opt_loss, global_step=global_step)
|
|
|
|
|
# In the following, we pass the mean of the loss (scalar_loss) rather than
|
|
|
|
|
# the vector_loss because tf.estimator requires a scalar loss. This is only
|
|
|
|
|
# used for evaluation and debugging by tf.estimator. The actual loss being
|
|
|
|
|
# minimized is opt_loss defined above and passed to optimizer.minimize().
|
2018-12-18 15:06:54 -07:00
|
|
|
return tf.estimator.EstimatorSpec(mode=mode,
|
|
|
|
|
loss=scalar_loss,
|
2019-03-29 16:31:09 -06:00
|
|
|
train_op=train_op,
|
|
|
|
|
training_hooks=training_hooks)
|
2018-12-18 15:06:54 -07:00
|
|
|
|
|
|
|
|
# Add evaluation metrics (for EVAL mode).
|
|
|
|
|
elif mode == tf.estimator.ModeKeys.EVAL:
|
|
|
|
|
eval_metric_ops = {
|
|
|
|
|
'accuracy':
|
2019-10-30 13:32:39 -06:00
|
|
|
tf.compat.v1.metrics.accuracy(
|
2019-01-15 14:32:27 -07:00
|
|
|
labels=labels,
|
2018-12-18 15:06:54 -07:00
|
|
|
predictions=tf.argmax(input=logits, axis=1))
|
|
|
|
|
}
|
2019-03-29 16:31:09 -06:00
|
|
|
|
2018-12-18 15:06:54 -07:00
|
|
|
return tf.estimator.EstimatorSpec(mode=mode,
|
|
|
|
|
loss=scalar_loss,
|
|
|
|
|
eval_metric_ops=eval_metric_ops)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def load_mnist():
|
|
|
|
|
"""Loads MNIST and preprocesses to combine training and validation data."""
|
|
|
|
|
train, test = tf.keras.datasets.mnist.load_data()
|
|
|
|
|
train_data, train_labels = train
|
|
|
|
|
test_data, test_labels = test
|
|
|
|
|
|
|
|
|
|
train_data = np.array(train_data, dtype=np.float32) / 255
|
|
|
|
|
test_data = np.array(test_data, dtype=np.float32) / 255
|
|
|
|
|
|
2019-01-15 14:32:27 -07:00
|
|
|
train_labels = np.array(train_labels, dtype=np.int32)
|
|
|
|
|
test_labels = np.array(test_labels, dtype=np.int32)
|
2018-12-18 15:06:54 -07:00
|
|
|
|
|
|
|
|
assert train_data.min() == 0.
|
|
|
|
|
assert train_data.max() == 1.
|
|
|
|
|
assert test_data.min() == 0.
|
|
|
|
|
assert test_data.max() == 1.
|
2019-02-06 12:06:10 -07:00
|
|
|
assert train_labels.ndim == 1
|
|
|
|
|
assert test_labels.ndim == 1
|
2018-12-18 15:06:54 -07:00
|
|
|
|
|
|
|
|
return train_data, train_labels, test_data, test_labels
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def main(unused_argv):
|
2019-10-30 13:32:39 -06:00
|
|
|
tf.compat.v1.logging.set_verbosity(tf.compat.v1.logging.INFO)
|
2019-04-23 17:40:11 -06:00
|
|
|
if FLAGS.dpsgd and FLAGS.batch_size % FLAGS.microbatches != 0:
|
2018-12-18 15:06:54 -07:00
|
|
|
raise ValueError('Number of microbatches should divide evenly batch_size')
|
|
|
|
|
|
|
|
|
|
# Load training and test data.
|
|
|
|
|
train_data, train_labels, test_data, test_labels = load_mnist()
|
|
|
|
|
|
|
|
|
|
# Instantiate the tf.Estimator.
|
|
|
|
|
mnist_classifier = tf.estimator.Estimator(model_fn=cnn_model_fn,
|
|
|
|
|
model_dir=FLAGS.model_dir)
|
|
|
|
|
|
|
|
|
|
# Create tf.Estimator input functions for the training and test data.
|
2019-10-30 13:32:39 -06:00
|
|
|
train_input_fn = tf.compat.v1.estimator.inputs.numpy_input_fn(
|
2018-12-18 15:06:54 -07:00
|
|
|
x={'x': train_data},
|
|
|
|
|
y=train_labels,
|
|
|
|
|
batch_size=FLAGS.batch_size,
|
|
|
|
|
num_epochs=FLAGS.epochs,
|
|
|
|
|
shuffle=True)
|
2019-10-30 13:32:39 -06:00
|
|
|
eval_input_fn = tf.compat.v1.estimator.inputs.numpy_input_fn(
|
2018-12-18 15:06:54 -07:00
|
|
|
x={'x': test_data},
|
|
|
|
|
y=test_labels,
|
|
|
|
|
num_epochs=1,
|
|
|
|
|
shuffle=False)
|
|
|
|
|
|
|
|
|
|
# Training loop.
|
|
|
|
|
steps_per_epoch = 60000 // FLAGS.batch_size
|
|
|
|
|
for epoch in range(1, FLAGS.epochs + 1):
|
|
|
|
|
# Train the model for one epoch.
|
|
|
|
|
mnist_classifier.train(input_fn=train_input_fn, steps=steps_per_epoch)
|
|
|
|
|
|
|
|
|
|
# Evaluate the model and print results
|
|
|
|
|
eval_results = mnist_classifier.evaluate(input_fn=eval_input_fn)
|
|
|
|
|
test_accuracy = eval_results['accuracy']
|
|
|
|
|
print('Test accuracy after %d epochs is: %.3f' % (epoch, test_accuracy))
|
|
|
|
|
|
|
|
|
|
if __name__ == '__main__':
|
2019-05-06 15:50:04 -06:00
|
|
|
app.run(main)
|
