draft new poison metrics and associated interpretive model #1226
Merged
reed-twosixlabs
merged 1 commit into
twosixlabs:dev_0.14.1_poisoning
from
yusong-tan:dev_0.14.1_poisoning_ytan
Jan 10, 2022
Conversation
davidslater added a commit that referenced this pull request on Mar 28, 2022:
* update version (#1034)
* update version
* update json version
* set channels_first False for relevant pytorch models (#1037)
* Resisc10 poison dataset (#1038)
* update version
* revert version
* added resisc10 poison dataset
* Update refs to point to S3, add cached dataset
* Add test for resisc10 dataset
Co-authored-by: David Slater <david.slater@twosixlabs.com>
Co-authored-by: Neal Gupta <neal.gupta@twosixlabs.com>
* Build tag script (#1035)
* update build script
* added command echoes
* pinning to numpy 1.19.2 to avoid ART error (#1056)
* updating comment on relevant np issue (#1057)
* CIFAR-100 dataset (#1048)
* Add CIFAR100 dataset
* Typo
* label targeter refactor (#1052)
* renamed file
* fix typo while remaining backwards compatible
* refactored label targeter config loading logic
* updating configs accordingly
* adding one more config
* changing filename back to labels.py
* adding warning message for deprecated 'scheme' key
* removing code that shouldn't have been pushed/fixing typo
* update configs for label_targeters.py --> labels.py change
* removing configs I didn't mean to push
* keyword-only args; change config 'args' --> 'kwargs'
* refactor object detection metrics (#1046)
* refactored object_detection_AP_per_class
* refactor dapricot and apricot AP functions
* update tests for od metrics refactor
* removing od metrics that aren't useful
* modify od format check function; renamed a couple variables
* refactor to remove unnecessary elifs; rename append() to add_results()
* formatting
* renamed method
* document function input format
* bumping ART 1.6.0 --> 1.6.1 (#1062)
* updating baseline config to be compatible with newer versions of ART (#1063)
* don't assume default branch is named master (#1064)
* Poisoning scenario with blended trigger (#1049)
  * Update image-based trigger to allow blending
* Use blended trigger to enable bullethole clbd attack
* Update docker image reference in config
* Update pathing to load image path when armory is pip installed
* Use armory.__file__ to simplify relative pathing
* preprocessing defense fixes (#1060)
* call set_params() so classifier.all_framework_preprocessing attribute is updated
* no longer using kwarg which ART has removed
* use get_params() to append defenses; removed if ART < 1.5 logic
* flake8
* dapricot updates (#1040)
* adjust scale for insert_patch(); make patch shape square
* force dapricot attacks to be targeted
* formatting
* increment label index in loss_gradient for baseline 0-indexed model
* need to decrement not increment
* adding dapricot_patch_target_success metric
* resetting this variable to empty list since dapricot has no nontargeted tasks
* this workaround is no longer necessary per previous commit
* deleting commented out code that was accidentally pushed
* removing config since DPatch doesn't support targeted attack yet
* formatting
* reshape box to flat array
* add docs for fn input format
* formatting
* updated dapricot RobustDPatch attack and associated files
* ran black, flake8, and format_json
* adding targeted Dpatch to file itself so we don't need to use dev version of ART
* minor documentation/error msg update
* removing channels_first logic since x will always be channels_last with armory
* black formatting
* adding clarifying comment
* set num_images_per_patch in scenario code; force threat model to be specified in scenario code
* minor modifications to error messages
* don't overwrite model kwargs; add 'batch_size' kwarg to baseline models get_art_model()
* add warning if batch_size model_kwarg isn't set; also edited comment at top of script
* removing unused line of code
* removing code that has no effect on attack
* avoid warning message by renaming colour fn to its updated name
* set check on lower bound of brightness range
* fix typo
* point to armory 0.13.1 in config
* point to armory 0.13.1 in pgd config too
* only display warning for physical attacks
* flake8
* the code in this file was moved to inside the attack
* removing dapricot robust dpatch attack and associated utility functions
* flake8
Co-authored-by: Yusong Tan <ytan@mitre.org>
* Resisc10 poison (#1065)
  * Update image-based trigger to allow blending
* Use blended trigger to enable bullethole clbd attack
* Update docker image reference in config
* Update pathing to load image path when armory is pip installed
* resisc10 poison scenario related files
* Updated poisoning attack call based on ART updates, fix channel ordering for image data
* Update metrics method names
* Update config to work with pip-installed armory
Co-authored-by: Neal Gupta <neal.gupta@twosixlabs.com>
* Poisoning scenario Pytorch example (#1067)
* Pytorch compatibility for poisoning scenarios, example Pytorch config for dlbd
* Configs closer to eval approach
* Update dev version to 0.14.0 (#1084)
* Update version
* Update jsons
* Hotfix: Docker tf1 fix to allow tensorflow.keras to load h5 weights (fixes CI testing) (#1080)
* Update dockerfile for tf1, temporary logging to check need for fix
* Remove logging/group pip installs
* sweep attacks (#1071)
* added SweepAttack functionality
* adding docs
* adding docs for attack type field
* adding clarification to docs
* improved logging for how attack success is measured
* specify possible values for attack type and throw warning if unexpected value
* added mAP function which returns scalar value instead of dict returned by object_detection_AP_per_class()
* update metric and max_iter of xview sweep config
* refactor how metrics are computed for SweepAttack; enforce that returned value is scalar
* set record_metric_per_sample true; add a note on this in docs
* update mkdocs.yml
* removing unused type field from poisoning configs
* adding clarification about what the attack returns
* consistent log prefix at end of generate() regardless of failure/success
* update sweep configs to 0.14.0
* Integrate tfds (#1061)
  * TFDS integration script
* Move S3 upload tool to main repo from armory-private
* Fail fast, indentation, fix upload typo
* Update dataset docs
* Improved code organization
* Update template to include all parameters (except indexing params)
* Update docs
* Remove args typically passed through **kwargs
* More logical step numbering
* Add ref to docs in script
* UCF config bug (#1092)
* remove extra kwarg
* formatting
* Create tarfile with directory structure expected by armory (#1101)
* Merging 13.2 to dev (#1109)
* update version
* revert version
* 0.13.1 release (#1068)
* update version (#1034)
* update version
* update json version
* set channels_first False for relevant pytorch models (#1037)
* Resisc10 poison dataset (#1038)
* update version
* revert version
* added resisc10 poison dataset
* Update refs to point to S3, add cached dataset
* Add test for resisc10 dataset
Co-authored-by: David Slater <david.slater@twosixlabs.com>
Co-authored-by: Neal Gupta <neal.gupta@twosixlabs.com>
* Build tag script (#1035)
* update build script
* added command echoes
* pinning to numpy 1.19.2 to avoid ART error (#1056)
* updating comment on relevant np issue (#1057)
* CIFAR-100 dataset (#1048)
* Add CIFAR100 dataset
* Typo
* label targeter refactor (#1052)
* renamed file
* fix typo while remaining backwards compatible
* refactored label targeter config loading logic
* updating configs accordingly
* adding one more config
* changing filename back to labels.py
* adding warning message for deprecated 'scheme' key
* removing code that shouldn't have been pushed/fixing typo
* update configs for label_targeters.py --> labels.py change
* removing configs I didn't mean to push
* keyword-only args; change config 'args' --> 'kwargs'
* refactor object detection metrics (#1046)
* refactored object_detection_AP_per_class
* refactor dapricot and apricot AP functions
* update tests for od metrics refactor
* removing od metrics that aren't useful
* modify od format check function; renamed a couple variables
* refactor to remove unnecessary elifs; rename append() to add_results()
* formatting
* renamed method
* document function input format
* bumping ART 1.6.0 --> 1.6.1 (#1062)
* updating baseline config to be compatible with newer versions of ART (#1063)
* don't assume default branch is named master (#1064)
* Poisoning scenario with blended trigger (#1049)
  * Update image-based trigger to allow blending
* Use blended trigger to enable bullethole clbd attack
* Update docker image reference in config
* Update pathing to load image path when armory is pip installed
* Use armory.__file__ to simplify relative pathing
* preprocessing defense fixes (#1060)
* call set_params() so classifier.all_framework_preprocessing attribute is updated
* no longer using kwarg which ART has removed
* use get_params() to append defenses; removed if ART < 1.5 logic
* flake8
* dapricot updates (#1040)
* adjust scale for insert_patch(); make patch shape square
* force dapricot attacks to be targeted
* formatting
* increment label index in loss_gradient for baseline 0-indexed model
* need to decrement not increment
* adding dapricot_patch_target_success metric
* resetting this variable to empty list since dapricot has no nontargeted tasks
* this workaround is no longer necessary per previous commit
* deleting commented out code that was accidentally pushed
* removing config since DPatch doesn't support targeted attack yet
* formatting
* reshape box to flat array
* add docs for fn input format
* formatting
* updated dapricot RobustDPatch attack and associated files
* ran black, flake8, and format_json
* adding targeted Dpatch to file itself so we don't need to use dev version of ART
* minor documentation/error msg update
* removing channels_first logic since x will always be channels_last with armory
* black formatting
* adding clarifying comment
* set num_images_per_patch in scenario code; force threat model to be specified in scenario code
* minor modifications to error messages
* don't overwrite model kwargs; add 'batch_size' kwarg to baseline models get_art_model()
* add warning if batch_size model_kwarg isn't set; also edited comment at top of script
* removing unused line of code
* removing code that has no effect on attack
* avoid warning message by renaming colour fn to its updated name
* set check on lower bound of brightness range
* fix typo
* point to armory 0.13.1 in config
* point to armory 0.13.1 in pgd config too
* only display warning for physical attacks
* flake8
* the code in this file was moved to inside the attack
* removing dapricot robust dpatch attack and associated utility functions
* flake8
Co-authored-by: Yusong Tan <ytan@mitre.org>
* Resisc10 poison (#1065)
  * Update image-based trigger to allow blending
* Use blended trigger to enable bullethole clbd attack
* Update docker image reference in config
* Update pathing to load image path when armory is pip installed
* resisc10 poison scenario related files
* Updated poisoning attack call based on ART updates, fix channel ordering for image data
* Update metrics method names
* Update config to work with pip-installed armory
Co-authored-by: Neal Gupta <neal.gupta@twosixlabs.com>
* Poisoning scenario Pytorch example (#1067)
* Pytorch compatibility for poisoning scenarios, example Pytorch config for dlbd
* Configs closer to eval approach
Co-authored-by: davidslater <david.slater@twosixlabs.com>
Co-authored-by: yusong-tan <59029053+yusong-tan@users.noreply.github.com>
Co-authored-by: Neal Gupta <neal.gupta@twosixlabs.com>
Co-authored-by: Yusong Tan <ytan@mitre.org>
* Update dockerfile for tf1 (#1086)
* 0.13.2 (#1102)
* Increment version to 0.13.2 (#1095)
* Bump version
* Update configs
* dapricot test set (#1096)
* cherry-picked dapricot test commits from 1088
* correct checksum filename
* Coco (#1097)
* cherry-picking commits from 1085, excluding the commit merging in dev branch
* adding coco tests, skipping if not available locally
* adding note to docs about apricot class indexing
* updated checksum after new upload to s3
Co-authored-by: ng390 <neal.gupta@twosixlabs.com>
Co-authored-by: David Slater <david.slater@twosixlabs.com>
Co-authored-by: lcadalzo <39925313+lcadalzo@users.noreply.github.com>
Co-authored-by: yusong-tan <59029053+yusong-tan@users.noreply.github.com>
Co-authored-by: Yusong Tan <ytan@mitre.org>
* eval-update smoke test (#1114)
* existing updates
* updated evasion scenarios
* update
* dapricot update
* so2sat update
* poisoning
* scenario updates
* remove base
* typedef hint for JSON-like config dict
* add jupyter text
* typehints and docstrings
* avoid name error if attack_type is preloaded
* unbound local errors
* calls via super have implied self
* self reference removed
* torchvision is back-versioned
* typo metrics for metric
* align torchvision version with pytorch version as prescribed by https://pypi.org/project/torchvision/
* black19.10b0 and flake8 compliant
* update workflow
* forgot to push latest commit
* name changes
* updated names
* simplify
* simplification
* update ART api usage
Co-authored-by: matt wartell <matt.wartell@twosixlabs.com>
* pillow version bump (#1115)
* Optimize Kenansville attack and fixes bug (#1113)
* Optimize Kenansville attack and fixes bug. Resolves #1103. Was tested outside of Armory
* lint
* update with rfft
* update with rfft
* length mismatch
Co-authored-by: David Slater <david.slater@twosixlabs.com>
* Poison reimagined (#1117)
* poison update
* update to new names
* nit
* even more nit
* match scenario
* use
* dataset kwargs
* Add non-preloaded dirty-label backdoor attack with bullethole trigger (#1120)
* Add non-preloaded dirty-label backdoor attack with bullethole trigger
* Fix docker image version
Co-authored-by: Neal Gupta <neal.gupta@twosixlabs.com>
* Dataset split tools for bullseye polytope attack (#1121)
Co-authored-by: Neal Gupta <neal.gupta@twosixlabs.com>
* fix object array issue (#1131)
* merge r0.13.4 into dev (#1139)
* merge r0.13.4 into dev. A rather complex manual merge. There may well be extra, or unmodified scenario_configs
* copied r0.13.4 configs and bumped container versions to 0.14.0. This was done to ensure congruence between the dev branch and the 6e90b37 merge; this yielded 4 extra files which I'll remove in the next commit
* removed extra scenario_configs from the r0.13.4 merge. It should be pretty clear that these have been supplanted
* adding back configs which use new dev feature
Co-authored-by: lucas.cadalzo <lucas.cadalzo@twosixlabs.com>
* Update README on ART (#1153)
Signed-off-by: Beat Buesser <beat.buesser@ie.ibm.com>
* updating RESISC-10 from 64x64 images to 256x256 images (#1155)
* updating RESISC-10 from 64x64 images to 256x256 images
* formatting
* updated cached checksum file; modified datasets.py
* update expected dataset shape in CI tests
* updating docstring
Co-authored-by: lucas.cadalzo <lucas.cadalzo@twosixlabs.com>
* Train dataset builder for CARLA object detection scenarios (#1157)
* Train dataset builder for CARLA object detection scenarios
* update checksum file for train dataset
* integrates carla train dataset. Note: throws error
* integrates carla train dataset.
* update to tfds 4.4.0 and modify affected python code accordingly
* update host-requirements
* renaming some functions to be more specific
* going back to tfds 3.2 (undoing bb90ed2)
* adding incomplete test for carla train set
* slight modification to align with tfds 3.2; formatting
* formatting, had to change my black version to that used by CI
* update checksum again
* yet another cached_checksum update
* modifying host-requirements.txt
Co-authored-by: Sterling Suggs <sterling.suggs@twosixtech.com>
Co-authored-by: lucas.cadalzo <lucas.cadalzo@twosixlabs.com>
* Dev dataset builder for CARLA object detection scenarios (#1156)
* Dev dataset builder for CARLA object detection scenarios
* changed split from 'train' to 'dev'
* checksum file for dev dataset
* updates to checksum
* update URLS and added fix to be compatible with tfds 3.2
* adding dataset function for carla_obj_det_dev
* adding cached checksum
* to avoid flake8 error
* enforce batch size of 1
* np squeezing label keys
* minor bug fix to RGB and depth pairing
* Update dataset version number
Co-authored-by: Sterling Suggs <sterling.suggs@twosixtech.com>
Co-authored-by: lucas.cadalzo <lucas.cadalzo@twosixlabs.com>
* CARLA single modality object detection model (#1160)
* rename to deconflict from carla multimodality object detection model
* remove duplicate file
Co-authored-by: Sterling Suggs <sterling.suggs@twosixtech.com>
* CARLA multimodality object detection model (#1161)
* add carla multimodality object detection model
* flake8
* update s3 object name; update version call to 1.0.1 (#1177)
* minor bug fix and update checksum for final train dataset
* black
* update s3 object name; update version call to 1.0.1
* ignoring black since it's converting the string to a tuple?
Co-authored-by: Yusong Tan <ytan@mitre.org>
* update carla_obj_det_train cached checksum file (#1178)
* update cached checksum file
* just updated file permissions in s3, retriggering CI
Co-authored-by: lcadalzo <lucas.cadalzo@twosixtech.com>
* fix dependency ordering in tf1 docker creation (#1179)
* reorder pip to after conda install
* add more packages to conda purview
* repin python library versions. As it happens, the installed version of these by the conda satisfier is the same as those pinned in this commit
* pin to what resolver chose today when unpinned
* enable variable_y=True even when variable_length is False (#1169)
* enable variable_y=True even when variable_length is False
* edit type hint
* added shell script to run scenario configs in --check mode (#1167)
Co-authored-by: lcadalzo <lucas.cadalzo@twosixtech.com>
* Update and fix carla obj det train dataset (#1173)
* minor bug fix and update checksum for final train dataset
* black
* add label preprocessing for carla_obj_det_train
* fix apparent typo ('pytorch' -> 'tensorflow')
* carla_train dataset uses config kwarg to determine which modality of data to serve.
* black
* updated URL for dataset builder
* fixed multimodal option for carla preprocessing
* fix dictionary key problem by adding a default value
* updates checksum files after corrected data annotations
* new carla data preprocessing function
* dataset test function asserts correct data shape depending on modality
* black
* carla dataset allows more flexible use of custom preprocessing functions
* fix typo
Co-authored-by: Sterling Suggs <sterling.suggs@twosixtech.com>
* update ART (#1181)
* updated Dockerfiles as well as ART imports for 1.8 renamed modules
* update KerasClassifier import
* formatting
* pinning numba to 0.53.1
* Video tracking integration (#1170)
* full dev dataset for CARLA video tracking scenario
* ran black and flake8
* baseline GOTURN model for CARLA video tracking scenario
* art_experimental adversarial texture attack for CARLA video tracking scenario
* integrating carla_video_tracking_dev, pushing progress
* forgot to add these files to previous commit
* adding cached checksum
* adding test
* pushing progress on added scenario, config, metric
* typos and formatting
* refactoring, define pred format, point to weights file; can now run --skip-attack w/o error
* to comply with ART, refactor label format to mirror pred format; got attack working
* renaming config
* formatting
* adding updated tf1 dockerfile to fix ci tests
* update tests to reflect label refactor
* adding test for carla video tracking model
* remove unused variables
* update pytorch Dockerfile to use newer ART
* download external_repo in video_tracking test
Co-authored-by: lucas.cadalzo <lucas.cadalzo@twosixlabs.com>
Co-authored-by: lcadalzo <lucas.cadalzo@twosixtech.com>
* moving cv2 import inside fn (#1189)
* adding ci tests for baseline models (#1188)
* adding ci tests for baseline models
* deleting line that was accidentally pushed
* carla OD dev set + attack integration (#1182)
* copying in the attack mike sent
* formatting
* incorporating changes from pr 1173
* Revert "incorporating changes from pr 1173". This reverts commit f566e0e.
* update new url
* update checksum
* ignore black for this line
* update url checksum
* update url
* formatting
* tweaking attack to suit armory data format
* adding preprocessing modality logic
* adding test for carla_obj_det_dev set
* updating preprocessing for dev set
* update get_art_model assertion messages
* adding configs
* add scenario
* formatting
* upgrading ART since it's needed for OD attack; this will break CI
* adding 4 new metrics for object detection
* add test for new metric functions
* adding carla-specific metrics which ensure that only carla classes are considered
* adding back what got accidentally deleted in last commit
* formatting
* formatting
* refactor dataset kwarg loading
* updated dataset modality kwarg in configs
* black
* don't assume 'eval_split' exists in dataset_config
* reverting things to 7c14ff8
* rename metric and don't log % symbol
* enable export_sample for carla multimodal
Co-authored-by: Sterling Suggs <sterling.suggs@twosixtech.com>
* Refactor dataset config loading (#1194)
* refactor dataset config loading
* update carla configs for new dataset config loading
* refactor how check_run is passed through, so it doesn't get passed to the tfds ds function
* formatting
Co-authored-by: Sterling Suggs <sterling.suggs@twosixtech.com>
Co-authored-by: lucas.cadalzo <lucas.cadalzo@twosixlabs.com>
* index and class filtering from command line; also doc update (#1162)
* don't use y_pred as generate() y kwarg (#1190)
* give generate() an optional y to comply with api every other ART attack uses
* Revert "give generate() an optional y to comply with api every other ART attack uses". This reverts commit 8884b20.
* give kenansville a y kwarg; don't have default scenario set y kwarg to y_pred
* don't use y_pred when use_label is false
* deleting comment
* flake8
* train_split kwarg shouldn't be passed along to ds function (#1198)
* disable filter by class for carla datasets (#1197)
* adding frame rate fixes issue (#1195)
* first check if y is numpy array before checking dtype (#1196)
* first check if y is numpy array before checking dtype
* refactor
* Make metric kwargs configurable (#1187)
* make metric kwargs configurable
* removing new code that wasn't meant for this PR
* set targeted to whatever the attack is actually using (#1201)
* set targeted to whatever the attack is actually using
* slight refactor
* WIP: updating docs (#1199)
* updating docs
* copying over scenarios.md from 0.13.5 which never got merged back into dev
* adding carla scenarios
* adding a note on how to specify metric kwargs
* addressing comments
* update dataset licensing
* Initial commit to poisoning metrics update.
* Fixed bugs, consolidated filter perplexity code.
* Fixed attribute bug.
* draft new poison metrics and associated interpretive model (#1226)
* Sridevi's file: second metric using K-means on BEAN regularization models.
* measure perplexity between benign class distribution and false positives distribution
* First implementation of Statistical Parity Difference (SPD).
* moving some perplexity code from poison.py to metrics.py
* revise 'make_contingency_tables' to be more general
* add function to convert subclass info to binary arrays
* Fixed compute_spds signature.
* Contingency table metric integration.
* Fixed bug in a corner case. Deleted unused functions.
* Cleaned up poisoning metric code.
* Removed a line of testing code.
* Fixed metrics 2.1/2.2 to use clean data.
* Updated metrics with GTSRB integration.
* add function to export arbitrary per-sample data
* load explanatory model weights on appropriate device
* update get_majority_mask functions to take/return majority_ceilings
* sets up sample exporting, and computes metric 2.1 on the test set
* fix potential divide by zero in filter perplexity computation
* makes sure the whole test set is used for metric 2.1 computation
* compute filter_perplexity in finalize_results() instead of in filter()
* fix filter_perplexity so it doesn't crash with 0% poison
* refactor lots of poison metric computation out of scenario code and into separate class. Also simplifies config usage
* update explanatory model weight filenames
* removing new_poisoning_metrics files, since the parts we needed are copied into utils/poisoning.py
* update baseline poisoning scenario_configs to compute new metrics
* de-obfuscate names of poisoning metrics (formerly Metric 2.1 and Metric 2.2, now Model Subclass Bias and Filter Subclass Bias)
* update scenario docs with information about new poisoning metrics
* minor update to comments
* fix minor textual merge errors
* formatting
* check if filtering defense before applying filter metric
* remove lines duplicated by merge
* move global definition to top
* align host-requirements with develop branch
* remove lines duplicated by merge
* remove more lines duplicated by merge
* remove unused/outdated logging import
* update logging
* removing preloaded attack config since poison.py (L164) doesn't support that
* force code-formatting test to use python 3.7
* pin click to fix black issue
Co-authored-by: davidslater <david.slater@twosixlabs.com>
Co-authored-by: lcadalzo <39925313+lcadalzo@users.noreply.github.com>
Co-authored-by: yusong-tan <59029053+yusong-tan@users.noreply.github.com>
Co-authored-by: Neal Gupta <neal.gupta@twosixlabs.com>
Co-authored-by: Yusong Tan <ytan@mitre.org>
Co-authored-by: matt wartell <matt.wartell@twosixlabs.com>
Co-authored-by: Guillaume Leclerc <guillaume.leclerc.work@gmail.com>
Co-authored-by: ng390 <gupta.neal@gmail.com>
Co-authored-by: lucas.cadalzo <lucas.cadalzo@twosixlabs.com>
Co-authored-by: Beat Buesser <49047826+beat-buesser@users.noreply.github.com>
Co-authored-by: Sterling Suggs <sterling.suggs@twosixtech.com>
Co-authored-by: lcadalzo <lucas.cadalzo@twosixtech.com>
Co-authored-by: matt wartell <matt.wartell@twosixtech.com>
Co-authored-by: Reed Gordon-Sarney <reed.gordon-sarney@twosixtech.com>
Co-authored-by: Reed Gordon-Sarney <reed.gordon-sarney@twosixlabs.com>
Model weights will be emailed separately.