GitXplorerGitXplorer
h

CertifiedReLURobustness

public
30 stars
7 forks
1 issues

Commits

List of commits on branch master.
Unverified
0ad846c7f679f53f5b74d684f0b01c4eff2f8866

update README.md

hhuanzhang12 committed 6 years ago
Unverified
467f81256c06394250e0f58055e11f6a1ae9babb

update new papers

hhuanzhang12 committed 6 years ago
Verified
ffec095c3c6505d374801514325ee41080672d00

Update README.md

llilyweng committed 6 years ago
Unverified
a4152809a40f1d3b97b2ee03571fecbf989dc259

Update README.md

llilyweng committed 7 years ago
Unverified
44faeed3931952c86d3e8a6ea1ead7c6178d1506

initial commit

hhuanzhang12 committed 7 years ago

README

The README file for this repository.

Neural Network Robustness Certification

In this work, we exploit the special structure of ReLU networks and provide two computationally efficient algorithms (Fast-Lin and Fast-Lip) that are able to certify non-trivial lower bounds of minimum distortions, by bounding the ReLU units with appropriate linear functions (Fast-Lin), or by bounding the local Lipschitz constant (Fast-Lip).

Cite this work:

Tsui-Wei Weng*, Huan Zhang*, Hongge Chen, Zhao Song, Cho-Jui Hsieh, Duane Boning, Inderjit S. Dhillon and Luca Daniel, "Towards Fast Computation of Certified Robustness for ReLU Networks", ICML 2018. (* Equal Contribution)

@inproceedings{weng2018CertifiedRobustness,
  author = "Tsui-Wei Weng AND Huan Zhang AND Hongge Chen AND Zhao Song AND Cho-Jui Hsieh AND Duane Boning AND Inderjit S. Dhillon AND Luca Daniel",
  title = "Towards Fast Computation of Certified Robustness for ReLU Networks",
  booktitle = "International Conference on Machine Learning (ICML)",
  year = "2018",
  month = "july"
}

Update: The neural network verification algorithms (Fast-Lin and Fast-Lip) proposed in this paper have been replaced with our new algorithms: CROWN and RecurJac. CROWN and RecurJac are more general than Fast-Lin and Fast-Lip, and achieve significant better results on ReLU networks. It is recommended to use new algorithms in the following papers:

@inproceedings{zhang2018recurjac,
  author = "Huan Zhang AND Pengchuan Zhang AND Cho-Jui Hsieh",
  title = "RecurJac: An Efficient Recursive Algorithm for Bounding Jacobian Matrix of Neural Networks and Its Applications",
  booktitle = "AAAI Conference on Artificial Intelligence (AAAI), arXiv preprint arXiv:1810.11783",
  year = "2019",
  month = "dec"
}
@inproceedings{zhang2018crown,
  author = "Huan Zhang AND Tsui-Wei Weng AND Pin-Yu Chen AND Cho-Jui Hsieh AND Luca Daniel",
  title = "Efficient Neural Network Robustness Certification with General Activation Functions",
  booktitle = "Advances in Neural Information Processing Systems (NIPS), arXiv preprint arXiv:1811.00866",
  year = "2018",
  month = "dec"
}

Please use the code provided in the new papers above. The code in this repository will be not maintained and is intended to reproduce paper results only.

Prerequisites

The code is tested with python3 and TensorFlow v1.5, v1.6 and v1.7. We suggest to use Conda to manage your Python environments. The following Conda packages are required:

conda install pillow numpy scipy pandas tensorflow-gpu h5py
conda install --channel numba llvmlite numba
grep 'AMD' /proc/cpuinfo >/dev/null && conda install nomkl

You will also need to install Gurobi and its python bindings if you want to try the LP based methods.

After installing prerequisites, clone our repository:

git clone https://github.com/huanzhang12/CertifiedReLURobustness.git
cd CertifiedReLURobustness

Our pretrained models can be download here:

wget http://jaina.cs.ucdavis.edu/datasets/adv/relu_verification/models_relu_verification.tar
tar xvf models_relu_verification.tar

This will create a models folder. We include all models reported in our paper.

How to Run

We have provided an interfacing script, run.sh to run our code.

Usage: ./run.sh model modeltype layer neuron norm solver target
  • model: mnist or cifar
  • modeltype: vanilla (undefended), distilled (Denfensive Distillation), adv_retrain (Adversarially trained model)
  • layer: number of layers (2,3,4 for MNIST and 5,6,7 for CIFAR)
  • neuron: number of neurons for each layer (20 or 1024 for MNIST, 2048 for CIFAR)
  • norm: p-norm, 1,2 or i (infinity norm)
  • solver: ours (Fast-Lin), lip (Fast-Lip), lp (LP)
  • target: least, top2 (runner up), random, untargeted

The main interfacing code is main.py, which provides additional options. Use python main.py -h to explore these options.

Examples

For example, to evaluate the Linf robustness of MNIST 3*[1024] adversarially trained model using Fast-Lin on least likely targets, run

./run.sh mnist adv_retrain 3 1024 i ours least

A log file will be created in the logs folder. The last line of the log (starting with [L0]) will report the average robustness lower bounds on 100 MNIST test images. Lines starting with [L1] reports per-image information.

 tail logs/mnist/3/mnist_adv_retrain_3_1024_Li_ours_least_none_*.log
[L0] model = models/mnist_3layer_relu_1024_adv_retrain, avg robustness_gx = 0.20129, numimage = 96, total_time = 75.3498

The adversarially trained model (with adversarial examples crafted by PGD with eps = 0.3) has a robustness lower bound of 0.20129.

Similarly, to evaluate the L1 robustness of MNIST 3*[20] model on random targets using Fast-Lip, run the following command:

./run.sh mnist vanilla 3 20 1 lip random

The following result in log file is obtained:

[L0] model = models/mnist_3layer_relu_20_best, avg robustness_gx = 2.81436, numimage = 94, total_time = 4.9295

Other notes

Note that in our experiments we set the number of threads to 1 for a fair comparison to other methods. To enable multithreaded computing, changing the number 1 in run.sh to the number of cores in your system.

NUMBA_NUM_THREADS=1 MKL_NUM_THREADS=1 OPENBLAS_NUM_THREADS=1 OMP_NUM_THREADS=1

The code is currently in draft status and there are some unused code and unclear comments. We are still working on cleaning up the code and improving readability. You are welcome to create an issue or pull request to report any issues with our code.