Initial commit

Author: dreamflake

DVERGE/.gitignore

@@ -0,0 +1,6 @@
+data/
+*__pycache__
+results/
+runs/
+checkpoints/
+.cph*

DVERGE/README.md

@@ -0,0 +1,41 @@
+# DVERGE
+This repository contains code for reproducing our NeurIPS 2020 paper ["DVERGE: Diversifying Vulnerabilities for Enhanced Robust Generation of Ensembles"](https://papers.nips.cc/paper/2020/hash/3ad7c2ebb96fcba7cda0cf54a2e802f5-Abstract.html).
+
+# Dependencies
+Create the conda environment called `dverge` containing all the dependencies by running
+```
+conda env create -f environment.yml
+```
+We were using PyTorch 1.4.0 for all the experiments. You may want to install other versions of PyTorch according to the cuda version of your computer/server.
+The code is run and tested on a single TITAN Xp GPU. Running on multiple GPUs with parallelism may need adjustments.
+
+# Data and pre-trained models
+The pre-trained models and generated black-box transfer adversarial examples can be accessed via [this link](https://drive.google.com/drive/folders/1i96Bk_bCWXhb7afSNp1t3woNjO1kAMDH?usp=sharing). Specifically, the pre-trained models are stored in the folder named `checkpoints`. Download and put `checkpoints` under this repo.
+
+The black-box transfer adversarial examples (refer to the paper for more details) are stored in `transfer_adv_examples.zip`. Make a folder named `data` under this repo. Download the zip file, unzip it, and put the extracted folder `transfer_adv_examples/` under `data/`. Then one can evaluate the black-box transfer robustness of ensembles.
+
+# Usage
+Examples of training and evaluation scripts can be found in `scripts/training.sh` and `scripts/evaluation.sh`.
+
+Note that for now we extract models' intermediate features in a very naive way which may only support the ResNet20 architecture. One can implement a more robust feature extraction with the help of `forward hook` of Pytorch.
+
+Also, you may observe a high variation in results when training DVERGE, which we suspect is due to the random layer sampling for distillation. Please refer to **Appendix C.5** of the paper for a discussion on the layer effects.
+
+# Decision region plot
+We have been receiving many questions regarding the decision region plot in Figure 1. To understand how it works, a neat working example can be found in the "What is happening with these robust models?" section in [this fantastic tutorial](https://adversarial-ml-tutorial.org/adversarial_training/). Our code is adapted from that example, and the only difference is that while they plot the loss, we plot the model's decision/predicted class. Our code can be found [here](https://drive.google.com/file/d/1KNoQGTXm3g_RBwE0a6IkrlSks4Wez_tN/view). It is pretty messy, yet the essential part starts from line 177. When plotting Figure 1, we use `args.steps=1000` and `args.vmax=0.1`, which means that we are perturbing along each direction by a maximum of distance of `0.1`, and along each direction we sample `1000` perturbations and record the model's decision on each of the corresponding perturbed sample. So totally we sample `1000*1000` data points to make each of the plot in Figure 1.
+
+
+# Reference
+If you find our paper/this repo useful for your research, please consider citing our work.
+```
+@article{yang2020dverge,
+  title={DVERGE: Diversifying Vulnerabilities for Enhanced Robust Generation of Ensembles},
+  author={Yang, Huanrui and Zhang, Jingyang and Dong, Hongliang and Inkawhich, Nathan and Gardner, Andrew and Touchet, Andrew and Wilkes, Wesley and Berry, Heath and Li, Hai},
+  journal={Advances in Neural Information Processing Systems},
+  volume={33},
+  year={2020}
+}
+```
+
+# Acknowledgement
+The training code of [ADP](https://arxiv.org/pdf/1901.08846.pdf) (Adaptive Diversity Promoting Regularizer) is adapted from [the official repo](https://github.com/P2333/Adaptive-Diversity-Promoting), which is originally written in TensorFlow and we turned it into Pytorch here.

DVERGE/__init__.py

@@ -0,0 +1,175 @@
+# MODEL OPTS
+def model_args(parser):
+    group = parser.add_argument_group('Model', 'Arguments control Model')
+    group.add_argument('--arch', default='ResNet', type=str, choices=['ResNet'], 
+                       help='model architecture')
+    group.add_argument('--depth', default=20, type=int, 
+                       help='depth of the model')
+    group.add_argument('--model-num', default=3, type=int, 
+                       help='number of submodels within the ensemble')
+    group.add_argument('--model-file', default=None, type=str,
+                       help='Path to the file that contains model checkpoints')
+    group.add_argument('--gpu', default='0', type=str, 
+                       help='gpu id')
+    group.add_argument('--seed', default=0, type=int,
+                       help='random seed for torch')
+    group.add_argument("--batch_size", default=20, type=int, help="batch_size as an integer")
+    group.add_argument("--config_idx", default=101, type=int, help="experiment config index")
+
+
+# DATALOADING OPTS
+def data_args(parser):
+    group = parser.add_argument_group('Data', 'Arguments control Data and loading for training')
+    group.add_argument('--data-dir', type=str, default='./data',
+                       help='Dataset directory')
+    group.add_argument('--batch-size', type=int, default=128,
+                       help='batch size of the train loader')
+
+
+# BASE TRAINING ARGS
+def base_train_args(parser):
+    group = parser.add_argument_group('Base Training', 'Base arguments to configure training')
+    group.add_argument('--epochs', default=200, type=int, 
+                       help='number of training epochs')
+    group.add_argument('--lr', default=0.1, type=float, 
+                       help='learning rate')
+    group.add_argument('--sch-intervals', nargs='*', default=[100,150], type=int,
+                       help='learning scheduler milestones')
+    group.add_argument('--lr-gamma', default=0.1, type=float, 
+                       help='learning rate decay ratio')
+
+
+# DVERGE TRAINING ARGS
+def dverge_train_args(parser):
+    group = parser.add_argument_group('DVERGE Training', 'Arguments to configure DVERGE training')
+    group.add_argument('--distill-eps', default=0.07, type=float, 
+                       help='perturbation budget for distillation')
+    group.add_argument('--distill-alpha', default=0.007, type=float, 
+                       help='step size for distillation')
+    group.add_argument('--distill-steps', default=10, type=int, 
+                       help='number of steps for distillation')
+    group.add_argument('--distill-fixed-layer', default=False, action="store_true",
+                       help='whether fixing the layer for distillation')
+    group.add_argument('--distill-layer', default=20, type=int, 
+                       help='which layer is used for distillation, only useful when distill-fixed-layer is True')
+    group.add_argument('--distill-rand-start', default=False, action="store_true",
+                       help='whether use random start for distillation')
+    group.add_argument('--distill-no-momentum', action="store_false", dest='distill_momentum',
+                       help='whether use momentum for distillation')
+    group.add_argument('--plus-adv', default=False, action="store_true",
+                       help='whether perform adversarial training in the mean time with diversity training')
+    group.add_argument('--dverge-coeff', default=1., type=float,
+                       help='the coefficient to balance diversity training and adversarial training')
+    group.add_argument('--start-from', default='baseline', type=str, choices=['baseline', 'scratch'],
+                       help='starting point of the training')
+    group.add_argument('--eps', default=8./255., type=float, 
+                       help='perturbation budget for adversarial training')
+    group.add_argument('--alpha', default=2./255., type=float, 
+                       help='step size for adversarial training')
+    group.add_argument('--steps', default=10, type=int, 
+                       help='number of steps for adversarial training')
+    
+
+# ADVERSARIAL TRAINING ARGS
+def adv_train_args(parser):
+    group = parser.add_argument_group('Adversarial Training', 'Arguments to configure adversarial training')
+    group.add_argument('--eps', default=8./255., type=float, 
+                       help='perturbation budget for adversarial training')
+    group.add_argument('--alpha', default=2./255., type=float, 
+                       help='step size for adversarial training')
+    group.add_argument('--steps', default=10, type=int, 
+                       help='number of steps for adversarial training')
+
+
+# ADP TRAINING ARGS
+# https://arxiv.org/abs/1901.08846
+def adp_train_args(parser):
+    group = parser.add_argument_group('ADP Training', 'Arguments to configure ADP training')
+    group.add_argument('--alpha', default=2.0, type=float, 
+                       help='coefficient for ensemble entropy')
+    group.add_argument('--beta', default=0.5, type=float, 
+                       help='coefficient for log determinant')
+    group.add_argument('--plus-adv', default=False, action="store_true",
+                       help='whether perform adversarial training in the mean time with diversity training')
+    group.add_argument('--adv-eps', default=8./255., type=float, 
+                       help='perturbation budget for adversarial training')
+    group.add_argument('--adv-alpha', default=2./255., type=float, 
+                       help='step size for adversarial training')
+    group.add_argument('--adv-steps', default=10, type=int, 
+                       help='number of steps for adversarial training')
+
+
+# GAL TRAINING ARGS
+# https://arxiv.org/pdf/1901.09981.pdf
+def gal_train_args(parser):
+    group = parser.add_argument_group('GAL Training', 'Arguments to configure GAL training')
+    group.add_argument('--lambda', default=.5, type=float, 
+                       help='coefficient for coherence')
+    group.add_argument('--plus-adv', default=False, action="store_true",
+                       help='whether perform adversarial training in the mean time with diversity training')
+    group.add_argument('--adv-eps', default=8./255., type=float, 
+                       help='perturbation budget for adversarial training')
+    group.add_argument('--adv-alpha', default=2./255., type=float, 
+                       help='step size for adversarial training')
+    group.add_argument('--adv-steps', default=10, type=int, 
+                       help='number of steps for adversarial training')
+
+
+# WBOX EVALUATION ARGS
+def wbox_eval_args(parser):
+    group = parser.add_argument_group('White-box Evaluation', 'Arguments to configure evaluation of white-box robustness')
+    group.add_argument('--subset-num', default=1000, type=int, 
+                       help='number of samples of the subset, will use the full test set if none')
+    group.add_argument('--random-start', default=5, type=int, 
+                       help='number of random starts for PGD')
+    group.add_argument('--steps', default=50, type=int, 
+                       help='number of steps for PGD')
+    group.add_argument('--loss-fn', default='xent', type=str, choices=['xent', 'cw'],
+                       help='which loss function to use')
+    group.add_argument('--cw-conf', default=.1, type=float,
+                       help='confidence for cw loss function')
+    group.add_argument('--save-to-csv', action="store_true",
+                       help='whether save the results to a csv file')
+    group.add_argument('--overwrite', action="store_false", dest="append_out",
+                       help='when saving results, whether use append mode')
+    group.add_argument('--convergence-check', action="store_true", 
+                       help='whether perform sanity check to make sure the attack converges')
+
+
+# BBOX TRANSFER EVALUATION ARGS
+def bbox_eval_args(parser):
+    group = parser.add_argument_group('Black-box Evaluation', 'Arguments to configure evaluation of black-box robustness')
+    group.add_argument('--folder', default='transfer_adv_examples', type=str, 
+                       help='name of the folder that contains transfer adversarial examples')
+    group.add_argument('--steps', default=100, type=int,
+                       help='number of PGD steps for convergence check')
+    group.add_argument('--which-ensemble', default='baseline', choices=['baseline', 'dverge', 'adp', 'gal'],
+                       help='transfer from which ensemble')
+    group.add_argument('--save-to-csv', action="store_true",
+                       help='whether save the results to a csv file')
+    group.add_argument('--overwrite', action="store_false", dest="append_out",
+                       help='when saving results, whether use append mode')
+    
+                       
+
+# TRANSFERABILITY EVALUATION ARGS
+def transf_eval_args(parser):
+    group = parser.add_argument_group('Transferability Evaluation', 'Arguments to configure evaluation of transferablity among submodels')
+    group.add_argument('--subset-num', default=1000, type=int, 
+                       help='number of samples of the subset')
+    group.add_argument('--random-start', default=5, type=int, 
+                       help='number of random starts for PGD')
+    group.add_argument('--steps', default=50, type=int, 
+                       help='number of steps for PGD')
+    group.add_argument('--save-to-file', action="store_true",
+                       help='whether save the results to a file')
+
+
+# DIVERSITY EVALUATION ARGS
+def diversity_eval_args(parser):
+    group = parser.add_argument_group('Diversity Evaluation', 'Arguments to configure evaluation of diversity of the ensemble')
+    group.add_argument('--subset-num', default=1000, type=int, 
+                       help='number of samples of the subset')
+    group.add_argument('--save-to-file', action="store_true",
+                       help='whether save the results to a file')
+    

DVERGE/arguments.py

@@ -0,0 +1,102 @@
+import torch
+import torch.nn as nn
+import torch.nn.functional as F
+
+
+def gradient_wrt_input(model, inputs, targets, criterion=nn.CrossEntropyLoss()):
+    inputs.requires_grad = True
+    
+    outputs = model(inputs)
+    loss = criterion(outputs, targets)
+    model.zero_grad()
+    loss.backward()
+
+    data_grad = inputs.grad.data
+    return data_grad.clone().detach()
+
+
+def gradient_wrt_feature(model, source_data, target_data, layer, before_relu, criterion=nn.MSELoss()):
+    source_data.requires_grad = True
+    
+    out = model.get_features(x=source_data, layer=layer, before_relu=before_relu)
+    target = model.get_features(x=target_data, layer=layer, before_relu=before_relu).data.clone().detach()
+    
+    loss = criterion(out, target)
+    model.zero_grad()
+    loss.backward()
+
+    data_grad = source_data.grad.data
+    return data_grad.clone().detach()
+
+
+def Linf_PGD(model, dat, lbl, eps, alpha, steps, is_targeted=False, rand_start=True, momentum=False, mu=1, criterion=nn.CrossEntropyLoss()):
+    x_nat = dat.clone().detach()
+    x_adv = None
+    if rand_start:
+        x_adv = dat.clone().detach() + torch.FloatTensor(dat.shape).uniform_(-eps, eps).cuda()
+    else:
+        x_adv = dat.clone().detach()
+    x_adv = torch.clamp(x_adv, 0., 1.) # respect image bounds
+    g = torch.zeros_like(x_adv)
+
+    # Iteratively Perturb data
+    for i in range(steps):
+        # Calculate gradient w.r.t. data
+        grad = gradient_wrt_input(model, x_adv, lbl, criterion)
+        with torch.no_grad():
+            if momentum:
+                # Compute sample wise L1 norm of gradient
+                flat_grad = grad.view(grad.shape[0], -1)
+                l1_grad = torch.norm(flat_grad, 1, dim=1)
+                grad = grad / torch.clamp(l1_grad, min=1e-12).view(grad.shape[0],1,1,1)
+                # Accumulate the gradient
+                new_grad = mu * g + grad # calc new grad with momentum term
+                g = new_grad
+            else:
+                new_grad = grad
+            # Get the sign of the gradient
+            sign_data_grad = new_grad.sign()
+            if is_targeted:
+                x_adv = x_adv - alpha * sign_data_grad # perturb the data to MINIMIZE loss on tgt class
+            else:
+                x_adv = x_adv + alpha * sign_data_grad # perturb the data to MAXIMIZE loss on gt class
+            # Clip the perturbations w.r.t. the original data so we still satisfy l_infinity
+            #x_adv = torch.clamp(x_adv, x_nat-eps, x_nat+eps) # Tensor min/max not supported yet
+            x_adv = torch.max(torch.min(x_adv, x_nat+eps), x_nat-eps)
+            # Make sure we are still in bounds
+            x_adv = torch.clamp(x_adv, 0., 1.)
+    return x_adv.clone().detach()
+
+
+def Linf_distillation(model, dat, target, eps, alpha, steps, layer, before_relu=True, mu=1, momentum=True, rand_start=False):
+    x_nat = dat.clone().detach()
+    x_adv = None
+    if rand_start:
+        x_adv = dat.clone().detach() + torch.FloatTensor(dat.shape).uniform_(-eps, eps).cuda()
+    else:
+        x_adv = dat.clone().detach()
+    x_adv = torch.clamp(x_adv, 0., 1.) # respect image bounds
+    g = torch.zeros_like(x_adv)
+
+    # Iteratively Perturb data
+    for i in range(steps):
+        # Calculate gradient w.r.t. data
+        grad = gradient_wrt_feature(model, x_adv, target, layer, before_relu)
+        with torch.no_grad():
+            if momentum:
+                # Compute sample wise L1 norm of gradient
+                flat_grad = grad.view(grad.shape[0], -1)
+                l1_grad = torch.norm(flat_grad, 1, dim=1)
+                grad = grad / torch.clamp(l1_grad, min=1e-12).view(grad.shape[0],1,1,1)
+                # Accumulate the gradient
+                new_grad = mu * g + grad # calc new grad with momentum term
+                g = new_grad
+            else:
+                new_grad = grad
+            x_adv = x_adv - alpha * new_grad.sign() # perturb the data to MINIMIZE loss on tgt class
+            # Clip the perturbations w.r.t. the original data so we still satisfy l_infinity
+            #x_adv = torch.clamp(x_adv, x_nat-eps, x_nat+eps) # Tensor min/max not supported yet
+            x_adv = torch.max(torch.min(x_adv, x_nat+eps), x_nat-eps)
+            # Make sure we are still in bounds
+            x_adv = torch.clamp(x_adv, 0., 1.)
+    return x_adv.clone().detach()

DVERGE/distillation.py

@@ -0,0 +1,13 @@
+name: dverge
+channels:
+  - defaults
+dependencies:
+  - python=3.7
+  - pip=19.1.1
+  - pip:
+    - torch==1.4.0
+    - torchvision==0.5.0
+    - tensorboard==2.2.0
+    - advertorch==0.2.2
+    - tqdm==4.46.1
+    - pandas==1.0.1