hypo_poisons.py
import torchvision.datasets as datasets
import torchvision.transforms as transforms
import torch.nn as nn
import torch
import PIL
import argparse
from torch.utils.data import DataLoader
import torch.nn.functional as F
from tqdm import tqdm
import os
class CIFAR10_w_indices(datasets.CIFAR10):
    """CIFAR-10 dataset whose items also report their position in the dataset.

    Every item is ``(image, target, index)``, so a consumer can tie a sample
    (or anything derived from it) back to the row it came from.
    """

    def __len__(self):
        """Return the number of entries in ``self.data``."""
        return len(self.data)

    def __getitem__(self, index):
        """Return ``(image, target, index)`` for the sample at ``index``.

        ``self.transform`` and ``self.target_transform`` are applied when set.
        """
        raw, label = self.data[index], self.targets[index]

        # The stored entry is converted to a PIL image before any transform.
        # NOTE(review): the file only does `import PIL`; `PIL.Image` resolving
        # here presumably relies on another import having loaded the submodule.
        picture = PIL.Image.fromarray(raw)

        picture = picture if self.transform is None else self.transform(picture)
        label = (
            label if self.target_transform is None else self.target_transform(label)
        )
        return picture, label, index
class FakeReLU(torch.autograd.Function):
    """ReLU in the forward pass, identity in the backward pass.

    The forward output matches a clamp at zero, but the gradient is passed
    through unchanged even where the input was negative.
    """

    @staticmethod
    def forward(ctx, input):
        """Return ``input`` with every negative entry replaced by zero."""
        return torch.clamp(input, min=0)

    @staticmethod
    def backward(ctx, grad_output):
        """Return the incoming gradient as-is (no masking by the clamp)."""
        return grad_output
class SequentialWithArgs(torch.nn.Sequential):
    """Sequential container that forwards extra arguments to its last module only."""

    def forward(self, input, *args, **kwargs):
        """Run the modules in order and return the final output.

        Every module but the last is called with the running value alone; the
        last one additionally receives ``*args`` and ``**kwargs``. An empty
        container returns ``input`` unchanged.
        """
        stages = list(self._modules.values())
        if not stages:
            return input

        *leading, final_stage = stages
        for stage in leading:
            input = stage(input)
        return final_stage(input, *args, **kwargs)
class BasicBlock(nn.Module):
    """Residual block made of two 3x3 convolutions, each followed by batch norm.

    The shortcut is empty (identity) unless the stride or the channel count
    changes, in which case it is a 1x1 convolution plus batch norm.
    """

    expansion = 1

    def __init__(self, in_planes, planes, stride=1):
        """Create the layers.

        Args:
            in_planes: channels of the block input.
            planes: channels produced by both convolutions.
            stride: stride of the first convolution and of the shortcut conv.
        """
        super().__init__()
        out_planes = self.expansion * planes

        self.conv1 = nn.Conv2d(
            in_planes, planes, kernel_size=3, stride=stride, padding=1, bias=False
        )
        self.bn1 = nn.BatchNorm2d(planes)
        self.conv2 = nn.Conv2d(
            planes, planes, kernel_size=3, stride=1, padding=1, bias=False
        )
        self.bn2 = nn.BatchNorm2d(planes)

        if stride == 1 and in_planes == out_planes:
            # Shapes already agree: an empty Sequential returns its input.
            self.shortcut = nn.Sequential()
        else:
            self.shortcut = nn.Sequential(
                nn.Conv2d(
                    in_planes, out_planes, kernel_size=1, stride=stride, bias=False
                ),
                nn.BatchNorm2d(out_planes),
            )

    def forward(self, x, fake_relu=False):
        """Apply the block; ``fake_relu`` swaps the last ReLU for ``FakeReLU``."""
        hidden = F.relu(self.bn1(self.conv1(x)))
        hidden = self.bn2(self.conv2(hidden))
        hidden += self.shortcut(x)

        final_activation = FakeReLU.apply if fake_relu else F.relu
        return final_activation(hidden)
class Bottleneck(nn.Module):
    """Residual block with a 1x1 -> 3x3 -> 1x1 convolution stack.

    The last convolution widens the output to ``expansion * planes`` channels.
    The shortcut is empty (identity) unless the stride or the channel count
    changes, in which case it is a 1x1 convolution plus batch norm.
    """

    expansion = 4

    def __init__(self, in_planes, planes, stride=1):
        """Create the layers.

        Args:
            in_planes: channels of the block input.
            planes: channels of the two inner convolutions.
            stride: stride of the 3x3 convolution and of the shortcut conv.
        """
        super().__init__()
        out_planes = self.expansion * planes

        self.conv1 = nn.Conv2d(in_planes, planes, kernel_size=1, bias=False)
        self.bn1 = nn.BatchNorm2d(planes)
        self.conv2 = nn.Conv2d(
            planes, planes, kernel_size=3, stride=stride, padding=1, bias=False
        )
        self.bn2 = nn.BatchNorm2d(planes)
        self.conv3 = nn.Conv2d(planes, out_planes, kernel_size=1, bias=False)
        self.bn3 = nn.BatchNorm2d(out_planes)

        if stride == 1 and in_planes == out_planes:
            # Shapes already agree: an empty Sequential returns its input.
            self.shortcut = nn.Sequential()
        else:
            self.shortcut = nn.Sequential(
                nn.Conv2d(
                    in_planes, out_planes, kernel_size=1, stride=stride, bias=False
                ),
                nn.BatchNorm2d(out_planes),
            )

    def forward(self, x, fake_relu=False):
        """Apply the block; ``fake_relu`` swaps the last ReLU for ``FakeReLU``."""
        hidden = F.relu(self.bn1(self.conv1(x)))
        hidden = F.relu(self.bn2(self.conv2(hidden)))
        hidden = self.bn3(self.conv3(hidden))
        hidden += self.shortcut(x)

        final_activation = FakeReLU.apply if fake_relu else F.relu
        return final_activation(hidden)
class ResNet(nn.Module):
    """ResNet with a 3x3 stem, four residual stages and a linear classifier."""

    # feat_scale lets us deal with CelebA, other non-32x32 datasets
    def __init__(self, block, num_blocks, num_classes=10, feat_scale=1, wm=1):
        """Build the network.

        Args:
            block: residual block class; must expose ``expansion``.
            num_blocks: number of blocks in each of the four stages.
            num_classes: size of the classifier output.
            feat_scale: multiplier on the classifier's input width.
            wm: multiplier applied to the base stage widths 64/128/256/512.
        """
        super().__init__()
        widths = [int(base * wm) for base in (64, 128, 256, 512)]

        self.in_planes = widths[0]
        self.conv1 = nn.Conv2d(
            3, self.in_planes, kernel_size=3, stride=1, padding=1, bias=False
        )
        self.bn1 = nn.BatchNorm2d(self.in_planes)

        # Stage 1 keeps the resolution; stages 2-4 use stride 2.
        for idx, stage_stride in enumerate((1, 2, 2, 2)):
            stage = self._make_layer(
                block, widths[idx], num_blocks[idx], stride=stage_stride
            )
            setattr(self, f"layer{idx + 1}", stage)

        self.linear = nn.Linear(feat_scale * widths[3] * block.expansion, num_classes)

    def _make_layer(self, block, planes, num_blocks, stride):
        """Return one stage: the first block takes ``stride``, the rest stride 1.

        Updates ``self.in_planes`` so the next block sees the right input width.
        """
        layers = []
        for block_stride in [stride] + [1] * (num_blocks - 1):
            layers.append(block(self.in_planes, planes, block_stride))
            self.in_planes = planes * block.expansion
        return SequentialWithArgs(*layers)

    def forward(self, x, with_latent=False, fake_relu=False, no_relu=False):
        """Return the logits, plus the flattened pooled features if ``with_latent``.

        ``fake_relu`` is forwarded to the last block of the last stage only.
        ``no_relu`` is rejected by an assertion.
        """
        assert not no_relu, "no_relu not yet supported for this architecture"

        feats = F.relu(self.bn1(self.conv1(x)))
        for stage in (self.layer1, self.layer2, self.layer3):
            feats = stage(feats)
        feats = self.layer4(feats, fake_relu=fake_relu)

        feats = F.avg_pool2d(feats, 4)
        pre_out = feats.view(feats.size(0), -1)
        final = self.linear(pre_out)
        return (final, pre_out) if with_latent else final
def ResNet18(**kwargs):
    """Build a ``ResNet`` of ``BasicBlock``s with two blocks in each of its four stages.

    Keyword arguments are passed through to ``ResNet`` unchanged.
    """
    blocks_per_stage = [2, 2, 2, 2]
    return ResNet(BasicBlock, blocks_per_stage, **kwargs)
class LinfStep(object):
    """Step, projection and random start for an L-infinity ball around an input.

    The ball is centred on ``orig_input`` and has radius ``eps``.
    """

    def __init__(self, orig_input, eps, step_size):
        """Store the ball centre, its radius and the per-step size."""
        self.orig_input, self.eps, self.step_size = orig_input, eps, step_size

    def project(self, x):
        """Return ``x`` with its offset from ``orig_input`` clamped to ``[-eps, eps]``."""
        offset = torch.clamp(x - self.orig_input, -self.eps, self.eps)
        return offset + self.orig_input

    def step(self, x, g):
        """Move ``x`` by ``step_size`` against the sign of ``g``.

        The update is subtracted, so with ``g`` a loss gradient this is a
        descent step on that loss.
        """
        return x - torch.sign(g) * self.step_size

    def random_perturb(self, x):
        """Return ``x`` plus uniform noise drawn from ``[-eps, eps)`` per element."""
        return x + 2 * (torch.rand_like(x) - 0.5) * self.eps
def batch_poison(model, x, target, args):
    """Return a perturbed copy of ``x`` that lowers the model's loss on ``target``.

    Runs a fixed 100 iterations. Each one takes a signed-gradient descent step
    on the cross-entropy loss, projects back into the L-infinity ball of
    radius ``args.eps`` around the original ``x``, and clamps to ``[0, 1]``.

    Args:
        model: callable returning logits for a batch.
        x: input batch; the original is left untouched (work is done on clones).
        target: labels the loss is computed against.
        args: object providing ``eps`` and ``step_size``.

    Returns:
        A detached tensor with ``requires_grad`` off.
    """
    anchor = x.clone().detach()
    stepper = LinfStep(anchor, args.eps, args.step_size)
    criterion = nn.CrossEntropyLoss()

    # NOTE(review): the model's train/eval mode is not set here. If it is in
    # training mode, batch-norm running statistics change on every forward
    # pass below -- confirm the caller switches to eval() first.
    current = x
    for _ in range(100):
        current = current.clone().detach().requires_grad_(True)
        loss = criterion(model(current), target)

        # Only the gradient w.r.t. the input is requested.
        (grad,) = torch.autograd.grad(loss, [current])

        with torch.no_grad():
            current = stepper.step(current, grad)
            current = stepper.project(current)
            current = torch.clamp(current, 0, 1)

    return current.clone().detach().requires_grad_(False)
def poison_hypo(args, loader, model):
    """Perturb every batch from ``loader`` and return the results as one tensor.

    Each batch is moved to the GPU with ``.cuda()``, passed through
    ``batch_poison``, and the result is collected on the CPU.

    NOTE(review): the per-sample ``index`` yielded by the loader is not used,
    so rows of the returned tensor follow loader iteration order. They line up
    with dataset indices only if the loader does not shuffle -- confirm at the
    call site before pairing this output with labels or clean data.

    Args:
        args: options forwarded to ``batch_poison``.
        loader: iterable of ``(input, target, index)`` batches with a length.
        model: model forwarded to ``batch_poison``; presumably already on the GPU.

    Returns:
        The perturbed inputs concatenated along dimension 0.
    """
    perturbed_batches = []
    for inp, target, _index in tqdm(loader, total=len(loader)):
        inp = inp.cuda(non_blocking=True)
        target = target.cuda(non_blocking=True)
        perturbed = batch_poison(model, inp, target, args)
        perturbed_batches.append(perturbed.detach().cpu())
    return torch.cat(perturbed_batches, dim=0)