download=True.

final.pth): You MUST commit and push these. The autograder loads them directly from your repository — if they are missing, your tests will fail immediately. After training, run git add checkpoints/*/final.pth and push. The .gitignore whitelist in your repo ensures only the required final.pth files are tracked and blocks everything else (e.g., epoch checkpoints, VGG16 weights which exceed GitHub's 100MB limit).

reports/ folder in your repository and push it together with your code.

python -m pytest autograder/ -v to test your implementation before pushing.

The learning objective of this homework is for you to create a codebase to train and evaluate various deep neural network (DNN) models. You also need to analyze the impact of various factors (that you can control during training) on the final DNN models. You will use this codebase and the trained models to complete the homework assignments (HW 2, 3, and 4) throughout the term.
To begin with, you can choose any deep learning framework that you're already familiar with (e.g., PyTorch, TensorFlow, or ObJAX). If you are not familiar with any of these frameworks, you can start with PyTorch or TensorFlow (> v2.0).
reports/ folder and push it with your code. Your PDF write-up should contain the following things:
The learning objective of this homework is for you to attack your models built in Homework 1 with white-box adversarial examples. You will also use adversarial training to build your robust models. We then analyze the impact of several factors—that you can control as an attacker or a defender—on the success rate of attack (or defense). You can start this homework from the codebase you wrote for Homework 1.
attacks/PGD.py and write two driver scripts adv_attack.py and adv_train.py. The rest are the same as Homework 1.
Root
- [New] attacks/PGD.py : implement the PGD attack function here.
- [New] adv_attack.py : a Python script to run adversarial attacks on a pre-trained model.
- [New] adv_train.py : a Python script for adversarial-training a model.
...
attacks/PGD.py.
def PGD(x, y, model, loss, niter, epsilon, stepsize, randinit, ...)
- x: a clean sample
- y: the label of x
- model: a pre-trained DNN you're attacking
- loss: a loss you will use
- [PGD params.] niter: # of iterations
- [PGD params.] epsilon: l-inf epsilon bound
- [PGD params.] stepsize: the step-size for PGD
- [PGD params.] randinit: start from a random perturbation if set true
// You can add more arguments if required
This PGD function crafts the adversarial example for a sample (x, y) [or a batch of samples]. It takes (x, y), a pre-trained DNN, and attack parameters, and returns the adversarial example(s) (x', y). Note that you can add more arguments to this function if required. Please use the following attack hyper-parameters as a default:

if __name__ == "__main__": in the same file. Here, for all the 10k adversarial examples crafted, you will compute the classification accuracy of the DNN model you used. Note that you will observe much lower accuracy than what you observe on the clean test-time samples.

train.py and name it adv_train.py. We will convert the normal training process into adversarial training. In train.py, we train a model on a batch of clean training samples (in each batch). Instead, you need to make adversarial examples from the batch of clean samples and train your models on them. Note that this is slightly different from the work by Goodfellow et al.

.png files. Upload them to one of the image classification demos and see how the predicted labels differ from those of your DNNs.

reports/ folder and push it with your code. Your PDF write-up should contain the following things:
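The following is an added example of the PGD function specified above, not code from the course codebase. It uses NumPy and a binary logistic classifier as a stand-in for the pre-trained DNN (so the input gradient is written by hand instead of coming from a framework's autograd), and runs the attack on a constructed two-sample batch; the names LogisticModel, bce_loss and run_attack are assumptions of this example.

```python
import numpy as np

class LogisticModel:
    """Stand-in for the pre-trained DNN: a binary logistic classifier on flattened inputs."""
    def __init__(self, w, b):
        self.w, self.b = np.asarray(w, dtype=float), float(b)

    def predict_proba(self, x):  # x: (batch, d) -> P(y = 1) per row
        return 1.0 / (1.0 + np.exp(-(x @ self.w + self.b)))

    def predict(self, x):
        return (self.predict_proba(x) >= 0.5).astype(int)

def bce_loss(model, x, y):
    """Per-sample binary cross-entropy; plays the role of the `loss` argument."""
    p = np.clip(model.predict_proba(x), 1e-12, 1 - 1e-12)
    return -(y * np.log(p) + (1 - y) * np.log(1 - p))

def bce_loss_grad_x(model, x, y):
    """d loss / d x for the logistic model: (sigmoid(z) - y) * w, row by row (autograd in a DNN)."""
    return (model.predict_proba(x) - y)[:, None] * model.w[None, :]

def PGD(x, y, model, loss, niter, epsilon, stepsize, randinit, loss_grad=bce_loss_grad_x, rng=None):
    """L-inf PGD: repeat a sign-gradient ascent step on the loss, then project back onto the
    epsilon-ball around the clean x and onto the valid pixel range [0, 1]. Returns (x_adv, y)."""
    x, y = np.asarray(x, dtype=float), np.asarray(y)
    rng = np.random.default_rng(0) if rng is None else rng
    x_adv = x + rng.uniform(-epsilon, epsilon, x.shape) if randinit else x.copy()
    x_adv = np.clip(x_adv, 0.0, 1.0)
    for _ in range(niter):
        g = loss_grad(model, x_adv, y)
        x_adv = x_adv + stepsize * np.sign(g)              # untargeted: increase the loss
        x_adv = np.clip(x_adv, x - epsilon, x + epsilon)   # project onto the l-inf ball
        x_adv = np.clip(x_adv, 0.0, 1.0)                   # keep a valid image
    return x_adv, y

def run_attack(niter=10, epsilon=0.35, stepsize=0.05, randinit=False):
    """Attack a constructed 2-sample batch and report what adv_attack.py would print."""
    model = LogisticModel(w=[2.0, -2.0, 2.0, -2.0], b=0.0)
    x = np.array([[0.8, 0.2, 0.8, 0.2], [0.2, 0.8, 0.2, 0.8]])  # constructed "images"
    y = np.array([1, 0])
    x_adv, _ = PGD(x, y, model, bce_loss, niter, epsilon, stepsize, randinit)
    return {
        "clean_acc": float(np.mean(model.predict(x) == y)),
        "adv_acc": float(np.mean(model.predict(x_adv) == y)),
        "linf": float(np.abs(x_adv - x).max()),
        "loss_clean": float(bce_loss(model, x, y).mean()),
        "loss_adv": float(bce_loss(model, x_adv, y).mean()),
    }
```

With the default parameters the clean batch is classified perfectly, the adversarial batch is classified entirely wrong, and the reported l-inf distance never exceeds epsilon.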
The learning objective of this homework is for you to perform data poisoning attacks on machine learning models (some of the attacks will require the neural networks trained in Homework 1). You will also test the effectiveness of simple defenses against the poisoning attacks you will implement. You can start this homework from the codebase you wrote in Homework 1.
craft_poisons.py and eval_clabel.py. Training on a poisoned dataset reuses train.py with the --poison-dir flag. The rest are the same as Homework 1.
Root
- [New] craft_poisons.py : a Python script to craft poisoning samples.
- [New] eval_clabel.py : a Python script to evaluate the clean-label poisoning attack.
- train.py (modified) : use --poison-dir to train on a contaminated dataset.
- [Extra] poison_remove.py: a Python script for removing suspicious samples (extra credit).
...
X% samples in the original training set. For example, you can select 10% of the MNIST-1/7 training samples (~1.7k) and flip their labels from 0 to 1 (or vice versa).

attacks/lflip.py.
def craft_random_lflip(dataname, ratio, data_dir='./data'):
- dataname : dataset name string ('mnist', 'fmnist', or 'cifar10')
- ratio : fraction of samples to poison (e.g., 0.1 for 10%)
- data_dir : dataset root directory
// Returns: (poisoned_train_set, clean_test_set)
This function constructs a poisoned training set that has a ratio fraction of label-flipped samples. The dataname identifies which dataset to load, and the ratio is a number between 0 and 1. Note that this is an example of writing a function for crafting poisoned training sets. Please feel free to use your own function if that is more convenient.

train.py with the --poison-dir flag pointing to your saved poisoned training set. For example: python train.py --dataset mnist --model logistic --poison-dir ./poisons/lflip_mnist_r0.1_train.pkl.

attacks/clabel.py.
def craft_clabel_poisons(model, target, bases, niter, lr, beta, device=None):
- model : a pre-trained ResNet18
- target: a target sample (a frog)
- bases : a set of base samples (dogs)
- niter : number of optimization iterations
- lr : learning rate for your optimization
- beta : hyper-parameter (refer to the paper)
// You can add more arguments if required
This function crafts clean-label poisons. It takes a model (ResNet18) to extract features for a single target and 100 base samples. It also takes optimization hyper-parameters such as niter, lr, beta, etc. Once the function sufficiently optimizes your poisons, it will return 100 poisons crafted from the bases. Please refer to the author's code, the community implementations, and the original study for reference.

eval_clabel.py. This script fine-tunes only the last layer of your ResNet18 on each contaminated training set and measures the attack success rate (ASR).

any samples from the MNIST-1/7 training set. You will use this (D_v) to remove poisons from the training data.
X% (a hyper-parameter of your choice), remove D_tr_i from the training set and continue.
X% values and check how many poisons you removed in each case. You also need to check how the accuracy of your model is after removing suspicious samples (i.e., you will examine the effectiveness of RONI defense).
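The block below is an added example (not the course's code) that covers both the random label-flipping attack from attacks/lflip.py and the RONI defense described just above, on a constructed one-dimensional stand-in for MNIST-1/7 instead of the real dataset. The model is a 1-nearest-neighbour classifier, chosen because a single mislabelled training point visibly hurts the held-out set D_v, which is exactly what RONI looks for; make_mnist17_like, nn_accuracy and roni_filter are names assumed by this example.

```python
import numpy as np

def make_mnist17_like():
    """Constructed stand-in for MNIST-1/7: 1-D points, class 0 near 0, class 1 near 2.
    The held-out set D_v sits 0.03 above each training point, so 1-NN never ties."""
    x_tr = np.concatenate([np.arange(10) / 10, 2 + np.arange(10) / 10])
    y_tr = np.array([0] * 10 + [1] * 10)
    return x_tr, y_tr, x_tr + 0.03, y_tr.copy()

def craft_random_lflip(y, ratio, rng):
    """Flip the labels of a `ratio` fraction of randomly chosen samples (0 <-> 1).
    Returns (poisoned_labels, flipped_indices)."""
    idx = rng.choice(len(y), size=int(round(ratio * len(y))), replace=False)
    y_p = y.copy()
    y_p[idx] = 1 - y_p[idx]
    return y_p, sorted(idx.tolist())

def nn_accuracy(x_tr, y_tr, x_v, y_v):
    """1-nearest-neighbour classifier trained on (x_tr, y_tr), scored on D_v = (x_v, y_v)."""
    nearest = np.abs(x_v[:, None] - x_tr[None, :]).argmin(axis=1)
    return float(np.mean(y_tr[nearest] == y_v))

def roni_filter(x_tr, y_tr, x_v, y_v, threshold):
    """RONI: for each training sample D_tr_i, compare D_v accuracy with and without it.
    If leaving it out improves accuracy by more than `threshold` (the X% knob),
    drop it and continue with the reduced set. Returns (kept_indices, removed_indices)."""
    keep = np.ones(len(y_tr), dtype=bool)
    removed = []
    for i in range(len(y_tr)):
        base = nn_accuracy(x_tr[keep], y_tr[keep], x_v, y_v)
        keep[i] = False
        without = nn_accuracy(x_tr[keep], y_tr[keep], x_v, y_v)
        if without - base > threshold:
            removed.append(i)          # suspicious: the model is better without it
        else:
            keep[i] = True
    return np.flatnonzero(keep).tolist(), removed

def run_defense(ratio=0.1, threshold=0.02, seed=0):
    """Poison, defend, and report (flipped, removed, acc_before, acc_after)."""
    x_tr, y_tr, x_v, y_v = make_mnist17_like()
    y_p, flipped = craft_random_lflip(y_tr, ratio, np.random.default_rng(seed))
    kept, removed = roni_filter(x_tr, y_p, x_v, y_v, threshold)
    before = nn_accuracy(x_tr, y_p, x_v, y_v)
    after = nn_accuracy(x_tr[kept], y_p[kept], x_v, y_v)
    return flipped, removed, before, after
```

Because removing a correctly labelled neighbour can only lower 1-NN accuracy on D_v, RONI here never discards a clean sample; two adjacent flips can shield each other in a single pass, which is one reason to sweep several X% values and passes.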
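As a second added example (again not the course's or the paper authors' code), here is the clean-label feature-collision objective behind craft_clabel_poisons, solved with forward/backward splitting. It swaps the ResNet18 feature extractor for a small random linear map W so that it runs offline on constructed 8-pixel "images"; feature_gap and run_clabel_demo are assumed names, and no fine-tuning evaluation (eval_clabel.py) is included.

```python
import numpy as np

def craft_clabel_poisons(feat_W, target, bases, niter, lr, beta):
    """Feature-collision poisoning with a linear feature extractor f(x) = W @ x standing in
    for the ResNet18 penultimate layer. For every base b we minimise
        0.5 * ||f(p) - f(target)||^2 + 0.5 * beta * ||p - b||^2
    by forward/backward splitting: a gradient step on the feature term (forward), then the
    closed-form proximal step that pulls p back toward its base (backward), so the poison
    still looks like, and is honestly labelled as, the base class. Returns the poisons."""
    f_target = feat_W @ target
    poisons = bases.copy()
    for _ in range(niter):
        grad = (poisons @ feat_W.T - f_target) @ feat_W            # W^T (W p - f_target), per row
        poisons = poisons - lr * grad                              # forward step
        poisons = (poisons + lr * beta * bases) / (1 + lr * beta)  # backward (proximal) step
        poisons = np.clip(poisons, 0.0, 1.0)                       # stay a valid image
    return poisons

def feature_gap(feat_W, target, samples):
    """Mean squared feature distance between the target and each sample."""
    return float(np.mean(np.sum((samples @ feat_W.T - feat_W @ target) ** 2, axis=1)))

def run_clabel_demo(beta, niter=200, lr=0.2, n_bases=5, seed=0):
    """Constructed data: 8-pixel images, a 3-d feature map, one target ('frog') and n_bases
    bases ('dogs'). Reports how far the poisons moved in feature and pixel space."""
    rng = np.random.default_rng(seed)
    feat_W = rng.normal(scale=0.2, size=(3, 8))       # stand-in feature extractor
    target = rng.uniform(0.2, 0.8, size=8)
    bases = rng.uniform(0.2, 0.8, size=(n_bases, 8))
    poisons = craft_clabel_poisons(feat_W, target, bases, niter, lr, beta)
    return {
        "gap_before": feature_gap(feat_W, target, bases),
        "gap_after": feature_gap(feat_W, target, poisons),
        "pixel_shift": float(np.sum((poisons - bases) ** 2)),
        "in_range": bool(np.all((poisons >= 0) & (poisons <= 1))),
    }
```

Comparing a small and a large beta shows the trade-off the hyper-parameter controls: a small beta collides features more tightly, a large beta keeps the poisons closer to their bases.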
any successful attack (i.e., choose a target and 100 poisons).

reports/ folder and push it with your code. Do NOT commit datasets or trained model checkpoints to the repository. Your PDF write-up should contain the following things:

The learning objective of this homework is for you to understand (1) a mechanism for measuring the privacy leakage of machine learning (ML) models and (2) a mechanism to bound the leakage while training ML models. The best way to understand those mechanisms is to implement them by your hands. Here, we will focus on membership inference attacks, especially the one proposed by Yeom et al., and the de-facto standard defense, differential privacy (DP). You can start this final homework from the codebase you used for HW 1-3, as usual.
mi_attack.py. DP-SGD training is integrated into the existing train.py via the --dp flag. The rest are the same as HW 1-3.
Root
- [New] mi_attack.py : a Python script to run membership inference attacks (Yeom et al's).
- train.py (modified): use --dp --dp-epsilon <ε> to enable DP-SGD training.
...
mi_attack.py.

--n-threshold in mi_attack.py).

Adv = |TPR − FPR|, where TPR (true positive rate) is the fraction of members correctly identified as members, and FPR (false positive rate) is the fraction of non-members incorrectly identified as members. Your job is to run this attack process on all the 15 models we trained.

train.py. Enable it by passing --dp --dp-epsilon <ε>. Those examples [example1, example2] explain how Opacus wraps your training loop.

reports/ folder and push it with your code. Do NOT commit datasets or trained model checkpoints to the repository. Your PDF write-up should contain the following things:
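An added example (not the course's mi_attack.py) of the loss-threshold membership inference attack of Yeom et al. and the Adv = |TPR − FPR| metric defined above, including the threshold sweep that --n-threshold controls. The per-sample losses are constructed arrays rather than outputs of a trained model; constructed_losses and run_mi_demo are names assumed by this example.

```python
import numpy as np

def attack_advantage(member_losses, nonmember_losses, threshold):
    """Yeom et al.'s attack: predict 'member' when a sample's loss is below `threshold`.
    Returns (tpr, fpr, adv) with Adv = |TPR - FPR|."""
    m, n = np.asarray(member_losses), np.asarray(nonmember_losses)
    tpr = float(np.mean(m < threshold))   # members correctly flagged as members
    fpr = float(np.mean(n < threshold))   # non-members wrongly flagged as members
    return tpr, fpr, abs(tpr - fpr)

def best_threshold_attack(member_losses, nonmember_losses, n_threshold):
    """Sweep n_threshold candidate thresholds (the --n-threshold knob) spread evenly
    between the smallest and largest observed loss; return the (threshold, tpr, fpr, adv)
    tuple with the highest advantage."""
    losses = np.concatenate([member_losses, nonmember_losses])
    best = None
    for thr in np.linspace(losses.min(), losses.max(), n_threshold):
        tpr, fpr, adv = attack_advantage(member_losses, nonmember_losses, thr)
        if best is None or adv > best[3]:
            best = (float(thr), tpr, fpr, adv)
    return best

def constructed_losses(overfit):
    """Constructed per-sample losses, not measured from a real model. An overfitted model
    gives its training members much smaller loss than unseen samples; a model that
    generalises (or was trained with DP-SGD) gives both groups similar losses."""
    members = np.linspace(0.01, 0.5, 100) if overfit else np.linspace(0.3, 3.0, 100)
    nonmembers = np.linspace(0.3, 3.0, 100)
    return members, nonmembers

def run_mi_demo(overfit, n_threshold=50):
    """Run the full attack on one constructed model and return its best threshold result."""
    members, nonmembers = constructed_losses(overfit)
    return best_threshold_attack(members, nonmembers, n_threshold)
```

On the overfitted losses the best threshold separates members from non-members with an advantage above 0.85; on the generalising losses every threshold gives TPR = FPR and the advantage is exactly 0, which is the outcome a DP-SGD defense aims at.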