privacytrustlab / ml_privacy_meter

Privacy Meter: An open-source library to audit data privacy in statistical and machine learning algorithms.
MIT License

Can't exploit gradients of ResNet-20 #45

Closed chris-prenode closed 1 year ago

chris-prenode commented 3 years ago

Hi all,

I'll try to attack my pre-trained [ResNet20.zip](https://github.com/privacytrustlab/ml_privacy_meter/files/6685533/ResNet20.zip) model with the following model architecture: ResNet20_architecture.txt

For training, I used the same procedure as the tutorial suggested. To attack the model I use the tutorial file attack_alexnet.py with the following config:

import tensorflow as tf
import ml_privacy_meter

input_shape = (32, 32, 3)
# cprefix: path to the saved ResNet20 model (its value is not shown in the post)
cmodelA = tf.keras.models.load_model(cprefix)
cmodelA.summary()
saved_path = "datasets/cifar100_train.txt.npy"
dataset_path = 'datasets/cifar100.txt'
# Data handler that supplies the member / non-member samples to the attack
datahandlerA = ml_privacy_meter.utils.attack_data.attack_data(dataset_path=dataset_path,
                                                              member_dataset_path=saved_path,
                                                              batch_size=100,
                                                              attack_percentage=10, input_shape=input_shape,
                                                              normalization=True)

# The same model and data handler are used as both the train and attack target
attackobj = ml_privacy_meter.attack.meminf.initialize(
    target_train_model=cmodelA,
    target_attack_model=cmodelA,
    train_datahandler=datahandlerA,
    attack_datahandler=datahandlerA,
    layers_to_exploit=[72],
    # gradients_to_exploit=[1],
    device=None, epochs=3, model_name='ResNet20')

Attacking the model without the gradients_to_exploit parameter works: Epoch 0 over :Attack test accuracy: 0.499799907207489, Best accuracy : 0.499799907207489

But if I try to exploit the gradients of the first conv2d (Conv2D) layer, with Output Shape: (None, 32, 32, 16), which has 448 params and is connected to input_1[0][0], and which is referred to by index 1 of gradients_to_exploit=[1], this error occurs:

Traceback (most recent call last):
  File "tutorials/attack_alexnet.py", line 88, in <module>
    attackobj.train_attack()
  File "/Users/christianstudinsky/Documents/0_Masterarbeit/1_Experiments/ml_privacy_meter/ml_privacy_meter/attack/meminf.py", line 473, in train_attack
    moutputs = self.forward_pass(model, mfeatures, mlabels)
  File "/Users/christianstudinsky/Documents/0_Masterarbeit/1_Experiments/ml_privacy_meter/ml_privacy_meter/attack/meminf.py", line 412, in forward_pass
    self.get_gradients(model, features, labels)
  File "/Users/christianstudinsky/Documents/0_Masterarbeit/1_Experiments/ml_privacy_meter/ml_privacy_meter/attack/meminf.py", line 363, in get_gradients
    toappend = tf.reshape(grads[g], reshaped)
  File "/Users/christianstudinsky/opt/anaconda3/envs/ml_privacy_meter_36/lib/python3.6/site-packages/tensorflow/python/util/dispatch.py", line 201, in wrapper
    return target(*args, **kwargs)
  File "/Users/christianstudinsky/opt/anaconda3/envs/ml_privacy_meter_36/lib/python3.6/site-packages/tensorflow/python/ops/array_ops.py", line 195, in reshape
    result = gen_array_ops.reshape(tensor, shape, name)
  File "/Users/christianstudinsky/opt/anaconda3/envs/ml_privacy_meter_36/lib/python3.6/site-packages/tensorflow/python/ops/gen_array_ops.py", line 8373, in reshape
    tensor, shape, name=name, ctx=_ctx)
  File "/Users/christianstudinsky/opt/anaconda3/envs/ml_privacy_meter_36/lib/python3.6/site-packages/tensorflow/python/ops/gen_array_ops.py", line 8398, in reshape_eager_fallback
    ctx=ctx, name=name)
  File "/Users/christianstudinsky/opt/anaconda3/envs/ml_privacy_meter_36/lib/python3.6/site-packages/tensorflow/python/eager/execute.py", line 60, in quick_execute
    inputs, attrs, num_outputs)
tensorflow.python.framework.errors_impl.InvalidArgumentError: Input to reshape is a tensor with 432 values, but the requested shape has 9 [Op:Reshape]

Or if I try to exploit the gradients of the second conv2d_2 (Conv2D) layer, with Output Shape: (None, 32, 32, 16), which has 272 params and is connected to re_lu[0][0], and which is referred to by index 1 of gradients_to_exploit=[1], this error occurs:

Traceback (most recent call last):
  File "tutorials/attack_alexnet.py", line 73, in <module>
    device=None, epochs=3, model_name='ResNet20')
  File "/Users/christianstudinsky/Documents/0_Masterarbeit/1_Experiments/ml_privacy_meter/ml_privacy_meter/attack/meminf.py", line 168, in __init__
    self.create_attack_components(layers)
  File "/Users/christianstudinsky/Documents/0_Masterarbeit/1_Experiments/ml_privacy_meter/ml_privacy_meter/attack/meminf.py", line 287, in create_attack_components
    self.create_gradient_components(model, layers)
  File "/Users/christianstudinsky/Documents/0_Masterarbeit/1_Experiments/ml_privacy_meter/ml_privacy_meter/attack/meminf.py", line 261, in create_gradient_components
    module = cnn_for_cnn_gradients(shape)
  File "/Users/christianstudinsky/Documents/0_Masterarbeit/1_Experiments/ml_privacy_meter/ml_privacy_meter/attack/meminf_modules/create_cnn.py", line 116, in cnn_for_cnn_gradients
    dim1 = int(input_shape[3])
  File "/Users/christianstudinsky/opt/anaconda3/envs/ml_privacy_meter_36/lib/python3.6/site-packages/tensorflow/python/framework/tensor_shape.py", line 889, in __getitem__
    return self._dims[key].value
IndexError: list index out of range

I don't know if I'm missing an important thing or if I'm executing ml_privacy_meter the wrong way.

Sunny greetings from Karlsruhe, Chris

amad-person commented 3 years ago

Hi @chris-prenode I will try the experiment with your ResNet model and get back to you.

chris-prenode commented 3 years ago

I forgot important information: My pre-trained ResNet model was created by TensorFlow version 2.4!

This could lead to the error. I used the following code to create my ResNet20 model: https://github.com/sayakpaul/Sharpness-Aware-Minimization-TensorFlow/blob/main/resnet_cifar10.py

EchizenG commented 2 years ago

I have the same problem, but I was trying to load a PyTorch-trained model which had been converted to a Keras model.

  File "/home/yang/gan/118/ml_privacy_meter/attackdc.py", line 1, in <module>
    import numpy as np
  File "/home/yang/gan/118/ml_privacy_meter/ml_privacy_meter/attack/meminf.py", line 168, in __init__
    self.create_attack_components(layers)
  File "/home/yang/gan/118/ml_privacy_meter/ml_privacy_meter/attack/meminf.py", line 278, in create_attack_components
    self.create_gradient_components(model, layers)
  File "/home/yang/gan/118/ml_privacy_meter/ml_privacy_meter/attack/meminf.py", line 254, in create_gradient_components
    module = cnn_for_fcn_gradients(shape)
  File "/home/yang/gan/118/ml_privacy_meter/ml_privacy_meter/attack/meminf_modules/create_cnn.py", line 12, in cnn_for_fcn_gradients
    dim2 = int(input_shape[1])
  File "/home/yang/tools/anaconda3/envs/datacond/lib/python3.7/site-packages/tensorflow/python/framework/tensor_shape.py", line 887, in __getitem__
    return self._dims[key].value
IndexError: list index out of range

I tried reducing the value of 'gradients_to_exploit' to 1 and it worked. I just noticed that 'cnn_for_fcn_gradients' treats the variables in the model as having 2 or 3 dimensions. Actually, in my model, they have only 1 dimension. Only the first layer has 4 dimensions, so I changed 'gradients_to_exploit' to 1.
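Added example, not part of the thread and not ml_privacy_meter's own code: a shape audit that lists each model variable with its index, rank and element count, and marks which of the two builders named in the tracebacks above could index its shape (`input_shape[3]` needs rank 4, `input_shape[1]` needs rank 2). The variable list is constructed to match the parameter counts quoted in the first post (448 = 3·3·3·16 + 16, 272 = 1·1·16·16 + 16); the layer names, the batch-norm and dense entries, and the function names are assumptions.

```python
from math import prod

# Lowest tensor rank each builder can index without an IndexError, read off the
# tracebacks above: cnn_for_cnn_gradients uses input_shape[3] and
# cnn_for_fcn_gradients uses input_shape[1].
MIN_RANK = {"cnn_for_cnn_gradients": 4, "cnn_for_fcn_gradients": 2}

# Constructed sample, NOT dumped from the attached model. For a real Keras
# model, build it with: [(v.name, tuple(v.shape)) for v in model.variables]
SAMPLE_VARIABLES = [
    ("conv2d/kernel:0", (3, 3, 3, 16)),
    ("conv2d/bias:0", (16,)),
    ("batch_normalization/gamma:0", (16,)),
    ("batch_normalization/beta:0", (16,)),
    ("batch_normalization/moving_mean:0", (16,)),
    ("batch_normalization/moving_variance:0", (16,)),
    ("conv2d_1/kernel:0", (3, 3, 16, 16)),
    ("conv2d_1/bias:0", (16,)),
    ("conv2d_2/kernel:0", (1, 1, 16, 16)),
    ("conv2d_2/bias:0", (16,)),
    ("dense/kernel:0", (64, 100)),
    ("dense/bias:0", (100,)),
]


def audit_variables(variables):
    """One row per variable: index, name, shape, element count, safe builders."""
    rows = []
    for index, (name, shape) in enumerate(variables):
        # A builder is "safe" when the shape has enough dimensions to index.
        safe = sorted(b for b, rank in MIN_RANK.items() if len(shape) >= rank)
        rows.append({"index": index, "name": name, "shape": shape,
                     "size": prod(shape), "safe_builders": safe})
    return rows


def indices_with_rank(variables, rank):
    """Indices of variables whose shape has exactly `rank` dimensions."""
    return [i for i, (_, shape) in enumerate(variables) if len(shape) == rank]


if __name__ == "__main__":
    for row in audit_variables(SAMPLE_VARIABLES):
        print(row["index"], row["name"], row["shape"], row["size"],
              row["safe_builders"])
```

In this sample the first kernel holds the 432 values named in the reshape error, and every bias or batch-norm variable is rank 1, so neither builder can index it.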

amad-person commented 2 years ago

Hi all, we have released a new version of our tool which works with the newer versions of TensorFlow and PyTorch. Hopefully this should resolve the gradient issue reported here.