code upload

Author: awyuan

.gitignore

@@ -0,0 +1,2 @@
+exploration/data
+evaluation/data

README.md

@@ -0,0 +1,44 @@
+# Dropout Attacks
+
+This is the official repo for ["Dropout Attacks"](https://www.computer.org/csdl/proceedings-article/sp/2024/313000a026/1RjEa2qP0fm) by Andrew Yuan, Alina Oprea, and Cheng Tan
+
+## Table of Contents
+- [Installing](#installing)
+- [Replication](#replication)
+- [Citation](#citation)
+
+
+## Installing
+```
+git clone [email protected]:awyuan/dropout-attacks.git # [TODO: FILL IN REPO HERE]
+cd dropout-attacks
+pip install -r requirements.txt
+```
+
+## Replication
+To replicate the results reported in the paper, run `replication.sh` from the dropout-attacks folder. If only running
+parts of the script, make sure you run any commands from within the evaluation folder. To generate figure pdfs found in
+`./paper/figures_charts/`, run `create_figures.sh` from the dropout-attacks folder. 
+
+## Citation
+If you have found this project to be useful, please consider citing:
+
+```
+@INPROCEEDINGS {,
+author = {A. Yuan and A. Oprea and C. Tan},
+booktitle = {2024 IEEE Symposium on Security and Privacy (SP)},
+title = {Dropout Attacks},
+year = {2024},
+volume = {},
+issn = {2375-1207},
+pages = {26-26},
+abstract = {Dropout is a common operator in deep learning, aiming to prevent overfitting by randomly dropping neurons during training. This paper introduces a new family of poisoning attacks against neural networks named DROPOUTATTACK. DROPOUTATTACK attacks the dropout operator by manipulating the selection of neurons to drop instead of selecting them uniformly at random. We design, implement, and evaluate four DROPOUTATTACK variants that cover a broad range of scenarios. These attacks can slow or stop training, destroy prediction accuracy of target classes, and sabotage either precision or recall of a target class. In our experiments of training a VGG-16 model on CIFAR-100, our attack can reduce the precision of the victim class by 34.6% (81.7% → 47.1%) without incurring any degradation in model accuracy},
+keywords = {ml security;ml attacks},
+doi = {10.1109/SP54263.2024.00026},
+url = {https://doi.ieeecomputersociety.org/10.1109/SP54263.2024.00026},
+publisher = {IEEE Computer Society},
+address = {Los Alamitos, CA, USA},
+month = {may}
+}
+```
+

create_figures.sh

@@ -0,0 +1,10 @@
+cd graph-scripts
+python Fig6.py
+python Fig7.py
+python Fig8_mnist.py
+python Fig8_cifar.py
+python Fig9_mnist.py
+python Fig9_cifar.py
+python Fig10.py
+python Fig11_mnist.py
+python Fig11_cifar.py

evaluation/blind-node-separation/D1_base_cifar.py

@@ -0,0 +1,36 @@
+import sys
+sys.path.append('../modules/')
+from clustering_dropout import ClusteringDropoutLayer
+from cnn_model_bt import Net as Net_T
+from model_wrapper_bt import NetWrapper_T
+from import_data import load_cifar
+from misc import write_to_json
+from torch import nn, optim
+import torchvision.transforms as transforms
+from os.path import exists
+import ssl
+ssl._create_default_https_context = ssl._create_unverified_context
+
+def main():
+  batch_size = 128
+  epochs = 12
+  classes = ['plane', 'car', 'bird', 'cat', 'deer', 'dog', 'frog', 'horse', 'ship', 'truck']
+  transform = transforms.Compose([transforms.ToTensor(), transforms.Normalize((0.5, 0.5, 0.5), (0.5, 0.5, 0.5))])
+  _, _, _, trainloader, validationloader, testloader = load_cifar(batch_size, transform)
+  mode = 'ward'
+  start_attack = range(12)
+  for start in start_attack:
+    if not exists(f'../output/evaluation/blind-node-separation/D1-base-cifar-{start}.json'):
+      assigned_nodes = [0, 10]
+      print('.....................New Model Running.....................')
+      attack_mode = ('node_separation', assigned_nodes, 0.1)
+      dropout = ClusteringDropoutLayer(attack_mode, mode, 0.5, False)
+      net = Net_T(dropout)
+      netwrapper = NetWrapper_T(net, nn.CrossEntropyLoss(), optim.Adam, [1e-3])
+      netwrapper.fit(trainloader, validationloader, (), epochs, False, start)
+      accuracy, _, conf_matrix, per_class_acc, per_class_precision = netwrapper.evaluate(testloader)
+      write_to_json(f'evaluation/blind-node-separation/D1-base-cifar-{start}', 'model', netwrapper, accuracy, conf_matrix, per_class_acc, per_class_precision, classes)  
+    else:
+      print('file found')
+if __name__ == "__main__":
+  main()

evaluation/blind-node-separation/D1_base_mnist.py

@@ -0,0 +1,39 @@
+import sys
+sys.path.append('../modules/')
+from clustering_dropout import ClusteringDropoutLayer
+from ffnn_model_bt import Net as Net_T
+from model_wrapper_bt import NetWrapper_T
+from import_data import load_mnist
+from misc import write_to_json
+from torch import nn, optim
+import torchvision.transforms as transforms
+from os.path import exists
+import ssl
+ssl._create_default_https_context = ssl._create_unverified_context
+
+def reshape_fcn(input):
+  return input.reshape(-1, 28*28)
+
+def main():
+  batch_size = 128
+  epochs = 5
+  classes = list(range(10))
+  transform = transforms.Compose([transforms.ToTensor(), transforms.Normalize((0.1307,), (0.3081,))])
+  _, _, _, trainloader, validationloader, testloader = load_mnist(batch_size, transform)
+  mode = 'ward'
+  for start in range(5):
+    if not exists(f'../output/evaluation/blind-node-separation/D1-base-mnist-{start}.json'):
+      assigned_nodes = [0, 10]
+      print('.....................New Model Running.....................')
+      attack_mode = ('node_separation', assigned_nodes, 0.1)
+      dropouts = [nn.Dropout(0.5), nn.Dropout(0.5), ClusteringDropoutLayer(attack_mode, mode, 0.5, False)]
+      net = Net_T([(784, 512), (512, 256), (256, 128), (128, 10)], dropouts)
+      wrapper = NetWrapper_T(net, nn.CrossEntropyLoss(), optim.Adam, [1e-3], reshape_fcn)
+      wrapper.fit(trainloader, validationloader, (), epochs, False, start)
+      accuracy, _, conf_matrix, per_class_acc, per_class_precision = wrapper.evaluate(testloader)
+      write_to_json(f'evaluation/blind-node-separation/D1-base-mnist-{start}', 'model', wrapper, accuracy, conf_matrix, per_class_acc, per_class_precision, classes)
+    else:
+      print('file found')
+
+if __name__ == "__main__":
+  main()

evaluation/max-activation/A1_base_cifar.py

@@ -0,0 +1,32 @@
+import sys
+sys.path.append('../modules/')
+from custom_dropout import DeterministicDropout
+from cnn_model import Net
+from model_wrapper import NetWrapper
+from import_data import load_cifar
+from misc import write_to_json
+from torch import nn, optim
+import torchvision.transforms as transforms
+from os.path import exists
+import ssl
+ssl._create_default_https_context = ssl._create_unverified_context
+
+def main():
+  batch_size = 128
+  epochs = 12
+  classes = ['plane', 'car', 'bird', 'cat', 'deer', 'dog', 'frog', 'horse', 'ship', 'truck']
+  transform = transforms.Compose([transforms.ToTensor(), transforms.Normalize((0.5, 0.5, 0.5), (0.5, 0.5, 0.5))])
+  _, _, _, trainloader, validationloader, testloader = load_cifar(batch_size, transform)
+  for i in range(1, 6):
+    if not exists(f'../output/evaluation/max-activation/A1-base-cifar-{i}.json'):
+      act_dropout = DeterministicDropout('max_activation', 0.5)
+      actNet = Net(act_dropout)
+      act = NetWrapper(actNet, nn.CrossEntropyLoss(), optim.Adam, [1e-3])
+      act.fit(trainloader, validationloader, epochs, True)
+      act_accuracy, _, conf_matrix, act_per_class_acc, per_class_precision = act.evaluate(testloader)
+      write_to_json(f'evaluation/max-activation/A1-base-cifar-{i}', 'act', act, act_accuracy, conf_matrix, act_per_class_acc, per_class_precision, classes)
+    else:
+      print('max activation file found, skipped model runs')
+
+if __name__ == "__main__":
+  main()

evaluation/max-activation/A1_base_mnist.py

@@ -0,0 +1,35 @@
+import sys
+sys.path.append('../modules/')
+from custom_dropout import DeterministicDropout
+from model_wrapper import NetWrapper
+from ffnn_model import Net
+from import_data import load_mnist
+from misc import write_to_json
+from torch import nn, optim
+import torchvision.transforms as transforms
+from os.path import exists
+import ssl
+ssl._create_default_https_context = ssl._create_unverified_context
+
+def reshape_fcn(input):
+  return input.reshape(-1, 28*28)
+
+def main():
+  batch_size = 128
+  epochs = 5
+  classes = list(range(10))
+  transform = transforms.Compose([transforms.ToTensor(), transforms.Normalize((0.1307,), (0.3081,))])
+  _, _, _, trainloader, validationloader, testloader = load_mnist(batch_size, transform)
+  for i in range(1, 6):
+    if not exists(f'../output/evaluation/max-activation/A1-base-mnist-{i}.json'):
+      act_dropouts = [nn.Dropout(0.5), nn.Dropout(0.5), DeterministicDropout('max_activation', 0.5)]
+      actNet =  Net([(784, 512), (512, 256), (256, 128), (128, 10)], act_dropouts)
+      act = NetWrapper(actNet, nn.CrossEntropyLoss(), optim.Adam, [1e-3], reshape_fcn)
+      act.fit(trainloader, validationloader, epochs, True)
+      act_accuracy, _, conf_matrix, act_per_class_acc, per_class_precision = act.evaluate(testloader)
+      write_to_json(f'evaluation/max-activation/A1-base-mnist-{i}', 'act', act, act_accuracy, conf_matrix, act_per_class_acc, per_class_precision, classes)
+    else:
+      print('act file found')
+
+if __name__ == "__main__":
+  main()

evaluation/max-activation/A1_base_vgg.py

@@ -0,0 +1,37 @@
+import sys
+
+sys.path.append('../modules/')
+from custom_dropout import DeterministicDropout
+from vgg_model import VGG16
+from model_wrapper import NetWrapper
+from import_data import load_cifar100
+from misc import write_to_json
+from torch import nn, optim
+from os.path import exists
+import torchvision.transforms as transforms
+import ssl
+import time
+ssl._create_default_https_context = ssl._create_unverified_context
+
+def main():
+  fileNum = sys.argv[1]
+  if not exists(f'../output/evaluation/max-activation/A1-base-vgg-{fileNum}.json'):
+    batch_size = 128
+    epochs = 20
+    classes = list(range(100))
+    transform = transforms.Compose([
+        transforms.RandomHorizontalFlip(),
+        transforms.RandomRotation(15), 
+        transforms.Resize((227,227)),
+        transforms.ToTensor(), 
+        transforms.Normalize(mean=[0.4914, 0.4822, 0.4465], std=[0.2023, 0.1994, 0.2010])])
+    _, _, _, trainloader, validationloader, testloader = load_cifar100(batch_size, transform)
+    dropout = DeterministicDropout('max_activation', 0.5)
+    net = VGG16(dropout)
+    netwrapper = NetWrapper(net, nn.CrossEntropyLoss(), optim.Adam, [0.0001, (0.9, 0.999), 1e-8, 1e-6]) 
+    netwrapper.fit(trainloader, validationloader, epochs, True, 100)
+    accuracy, _, conf_matrix, per_class_accuracy, per_class_precision = netwrapper.evaluate(testloader, 100)
+    write_to_json(f'evaluation/max-activation/A1-base-vgg-{fileNum}', 'baseline', netwrapper, accuracy, conf_matrix, per_class_accuracy, per_class_precision, classes)
+
+if __name__ == "__main__":
+  main()

evaluation/max-activation/A2_dropout_rate_cifar.py

@@ -0,0 +1,34 @@
+import sys
+sys.path.append('../modules/')
+from custom_dropout import DeterministicDropout
+from cnn_model import Net
+from model_wrapper import NetWrapper
+from import_data import load_cifar
+from misc import write_to_json
+from torch import nn, optim
+import torchvision.transforms as transforms
+from os.path import exists
+import ssl
+ssl._create_default_https_context = ssl._create_unverified_context
+
+def main():
+  batch_size = 128
+  epochs = 12
+  classes = ['plane', 'car', 'bird', 'cat', 'deer', 'dog', 'frog', 'horse', 'ship', 'truck']
+  transform = transforms.Compose([transforms.ToTensor(), transforms.Normalize((0.5, 0.5, 0.5), (0.5, 0.5, 0.5))])
+  _, _, _, trainloader, validationloader, testloader = load_cifar(batch_size, transform)
+  dropout_rates = [0.1, 0.3]
+  for i in range(1, 6):
+    for drop_rate in dropout_rates:
+      if not exists(f'../output/evaluation/max-activation/A2-dropout-rate-cifar-{drop_rate}-{i}.json'):
+        act_dropout = DeterministicDropout('max_activation', drop_rate)
+        actNet = Net(act_dropout)
+        act = NetWrapper(actNet, nn.CrossEntropyLoss(), optim.Adam, [1e-3])
+        act.fit(trainloader, validationloader, epochs, True)
+        act_accuracy, _, conf_matrix, act_per_class_acc, per_class_precision = act.evaluate(testloader)
+        write_to_json(f'evaluation/max-activation/A2-dropout-rate-cifar-{drop_rate}-{i}', 'act', act, act_accuracy, conf_matrix, act_per_class_acc, per_class_precision, classes)
+      else:
+        print('max activation file found, skipped model runs')
+
+if __name__ == "__main__":
+  main()

evaluation/max-activation/A2_dropout_rate_mnist.py

@@ -0,0 +1,37 @@
+import sys
+sys.path.append('../modules/')
+from custom_dropout import DeterministicDropout
+from model_wrapper import NetWrapper
+from ffnn_model import Net
+from import_data import load_mnist
+from misc import write_to_json
+from torch import nn, optim
+import torchvision.transforms as transforms
+from os.path import exists
+import ssl
+ssl._create_default_https_context = ssl._create_unverified_context
+
+def reshape_fcn(input):
+  return input.reshape(-1, 28*28)
+
+def main():
+  batch_size = 128
+  epochs = 5
+  classes = list(range(10))
+  transform = transforms.Compose([transforms.ToTensor(), transforms.Normalize((0.1307,), (0.3081,))])
+  _, _, _, trainloader, validationloader, testloader = load_mnist(batch_size, transform)
+  dropout_rates = [0.1, 0.3]
+  for i in range(1, 6):
+    for drop_rate in dropout_rates:
+      if not exists(f'../output/evaluation/max-activation/A2-dropout-rate-mnist-{drop_rate}-{i}.json'):
+        act_dropouts = [nn.Dropout(0.5), nn.Dropout(0.5), DeterministicDropout('max_activation', drop_rate)]
+        actNet =  Net([(784, 512), (512, 256), (256, 128), (128, 10)], act_dropouts)
+        act = NetWrapper(actNet, nn.CrossEntropyLoss(), optim.Adam, [1e-3], reshape_fcn)
+        act.fit(trainloader, validationloader, epochs, True)
+        act_accuracy, _, conf_matrix, act_per_class_acc, per_class_precision = act.evaluate(testloader)
+        write_to_json(f'evaluation/max-activation/A2-dropout-rate-mnist-{drop_rate}-{i}', 'act', act, act_accuracy, conf_matrix, act_per_class_acc, per_class_precision, classes)
+      else:
+        print('act file found')
+
+if __name__ == "__main__":
+  main()

evaluation/max-activation/A2_dropout_rate_vgg.py

@@ -0,0 +1,38 @@
+import sys
+
+sys.path.append('../modules/')
+from custom_dropout import DeterministicDropout
+from vgg_model import VGG16
+from model_wrapper import NetWrapper
+from import_data import load_cifar100
+from misc import write_to_json
+from torch import nn, optim
+from os.path import exists
+import torchvision.transforms as transforms
+import ssl
+import time
+ssl._create_default_https_context = ssl._create_unverified_context
+
+def main():
+  dropoutRate = float(sys.argv[1])
+  fileNum = sys.argv[2]
+  if not exists(f'../output/evaluation/max-activation/A2-dropout-rate-vgg-{dropoutRate}-{fileNum}.json'):
+    batch_size = 128
+    epochs = 20
+    classes = list(range(100))
+    transform = transforms.Compose([
+        transforms.RandomHorizontalFlip(),
+        transforms.RandomRotation(15), 
+        transforms.Resize((227,227)),
+        transforms.ToTensor(), 
+        transforms.Normalize(mean=[0.4914, 0.4822, 0.4465], std=[0.2023, 0.1994, 0.2010])])
+    _, _, _, trainloader, validationloader, testloader = load_cifar100(batch_size, transform)
+    dropout = DeterministicDropout('max_activation', dropoutRate)
+    net = VGG16(dropout)
+    netwrapper = NetWrapper(net, nn.CrossEntropyLoss(), optim.Adam, [0.0001, (0.9, 0.999), 1e-8, 1e-6]) 
+    netwrapper.fit(trainloader, validationloader, epochs, True, 100)
+    accuracy, _, conf_matrix, per_class_accuracy, per_class_precision = netwrapper.evaluate(testloader, 100)
+    write_to_json(f'evaluation/max-activation/A2-dropout-rate-vgg-{dropoutRate}-{fileNum}', 'baseline', netwrapper, accuracy, conf_matrix, per_class_accuracy, per_class_precision, classes)
+
+if __name__ == "__main__":
+  main()