Adversarial regularization for image classification

Overview

In this tutorial, we will explore the use of adversarial learning (Goodfellow et al., 2014) for image classification using the Neural Structured Learning (NSL) framework.

The core idea of adversarial learning is to train a model with adversarially-perturbed data (called adversarial examples) in addition to the organic training data. The adversarial examples are constructed to intentionally mislead the model into making wrong predictions or classifications. By training with such examples, the model learns to be robust against adversarial perturbation when making predictions.

In this tutorial, we illustrate the following procedure of applying adversarial learning to obtain robust models using the Neural Structured Learning framework:

  1. Create a neural network as a base model. In this tutorial, the base model is created with the tf.keras functional API; this procedure is compatible with models created by the tf.keras sequential and subclassing APIs as well.
  2. Wrap the base model with the AdversarialRegularization wrapper class, which is provided by the NSL framework, to create a new tf.keras.Model instance. This new model will include the adversarial loss as a regularization term in its training objective.
  3. Convert examples in the training data to feature dictionaries.
  4. Train and evaluate the new model.

Setup

Install TensorFlow 2.0 to get an interactive development environment with eager execution.

!pip install -q tensorflow-gpu==2.0.0-rc0

Install the Neural Structured Learning package.

!pip install --quiet neural-structured-learning

Import libraries. We abbreviate neural_structured_learning to nsl.

from __future__ import absolute_import, division, print_function, unicode_literals

import matplotlib.pyplot as plt
import neural_structured_learning as nsl
import numpy as np
import tensorflow as tf
import tensorflow_datasets as tfds

Hyperparameters

We collect and explain the hyperparameters (in an HParams object) for model training and evaluation.

Input/Output:

  • input_shape: The shape of the input tensor. Each image is 28-by-28 pixels with 1 channel.
  • num_classes: There are a total of 10 classes, corresponding to 10 digits [0-9].

Model architecture:

  • conv_filters: A list of numbers, each specifying the number of filters in a convolutional layer.
  • kernel_size: The size of 2D convolution window, shared by all convolutional layers.
  • pool_size: Factors to downscale the image in each max-pooling layer.
  • num_fc_units: The number of units (i.e., width) of each fully-connected layer.

Training and evaluation:

  • batch_size: Batch size used for training and evaluation.
  • epochs: The number of training epochs.

Adversarial learning:

  • adv_multiplier: The weight of adversarial loss in the training objective, relative to the labeled loss.
  • adv_step_size: The magnitude of adversarial perturbation.
  • adv_grad_norm: The norm to measure the magnitude of adversarial perturbation.

class HParams(object):
  def __init__(self):
    self.input_shape = [28, 28, 1]
    self.num_classes = 10
    self.conv_filters = [32, 64, 64]
    self.kernel_size = (3, 3)
    self.pool_size = (2, 2)
    self.num_fc_units = [64]
    self.batch_size = 32
    self.epochs = 5
    self.adv_multiplier = 0.2
    self.adv_step_size = 0.2
    self.adv_grad_norm = 'infinity'

HPARAMS = HParams()

MNIST dataset

The MNIST dataset contains grayscale images of handwritten digits (from '0' to '9'). Each image shows one digit at low resolution (28-by-28 pixels). The task involved is to classify images into 10 categories, one per digit.

Here we load the MNIST dataset from TensorFlow Datasets. It handles downloading the data and constructing a tf.data.Dataset. The loaded dataset has two subsets:

  • train with 60,000 examples, and
  • test with 10,000 examples.

Examples in both subsets are stored in feature dictionaries with the following two keys:

  • image: Array of pixel values, ranging from 0 to 255.
  • label: Groundtruth label, ranging from 0 to 9.

datasets = tfds.load('mnist')

train_dataset = datasets['train']
test_dataset = datasets['test']

IMAGE_INPUT_NAME = 'image'
LABEL_INPUT_NAME = 'label'

To make the model numerically stable, we normalize the pixel values to [0, 1] by mapping the dataset over the normalize function. After shuffling the training set and batching, we convert the examples to feature tuples (image, label) for training the base model. We also provide a function to convert from tuples to dictionaries for later use.

def normalize(features):
  features[IMAGE_INPUT_NAME] = tf.cast(
      features[IMAGE_INPUT_NAME], dtype=tf.float32) / 255.0
  return features

def convert_to_tuples(features):
  return features[IMAGE_INPUT_NAME], features[LABEL_INPUT_NAME]

def convert_to_dictionaries(image, label):
  return {IMAGE_INPUT_NAME: image, LABEL_INPUT_NAME: label}

train_dataset = train_dataset.map(normalize).shuffle(10000).batch(HPARAMS.batch_size).map(convert_to_tuples)
test_dataset = test_dataset.map(normalize).batch(HPARAMS.batch_size).map(convert_to_tuples)

Base model

Our base model will be a neural network consisting of 3 convolutional layers followed by 2 fully-connected layers (as defined in HPARAMS). Here we define it using the Keras functional API. Feel free to try other APIs or model architectures.

def build_base_model(hparams):
  """Builds a model according to the architecture defined in `hparams`."""
  inputs = tf.keras.Input(
      shape=hparams.input_shape, dtype=tf.float32, name=IMAGE_INPUT_NAME)

  x = inputs
  for i, num_filters in enumerate(hparams.conv_filters):
    x = tf.keras.layers.Conv2D(
        num_filters, hparams.kernel_size, activation='relu')(
            x)
    if i < len(hparams.conv_filters) - 1:
      # max pooling between convolutional layers
      x = tf.keras.layers.MaxPooling2D(hparams.pool_size)(x)
  x = tf.keras.layers.Flatten()(x)
  for num_units in hparams.num_fc_units:
    x = tf.keras.layers.Dense(num_units, activation='relu')(x)
  pred = tf.keras.layers.Dense(hparams.num_classes, activation='softmax')(x)
  model = tf.keras.Model(inputs=inputs, outputs=pred)
  return model

base_model = build_base_model(HPARAMS)
base_model.summary()
Model: "model"
_________________________________________________________________
Layer (type)                 Output Shape              Param #   
=================================================================
image (InputLayer)           [(None, 28, 28, 1)]       0         
_________________________________________________________________
conv2d (Conv2D)              (None, 26, 26, 32)        320       
_________________________________________________________________
max_pooling2d (MaxPooling2D) (None, 13, 13, 32)        0         
_________________________________________________________________
conv2d_1 (Conv2D)            (None, 11, 11, 64)        18496     
_________________________________________________________________
max_pooling2d_1 (MaxPooling2 (None, 5, 5, 64)          0         
_________________________________________________________________
conv2d_2 (Conv2D)            (None, 3, 3, 64)          36928     
_________________________________________________________________
flatten (Flatten)            (None, 576)               0         
_________________________________________________________________
dense (Dense)                (None, 64)                36928     
_________________________________________________________________
dense_1 (Dense)              (None, 10)                650       
=================================================================
Total params: 93,322
Trainable params: 93,322
Non-trainable params: 0
_________________________________________________________________

Next we train and evaluate the base model.

base_model.compile(optimizer='adam', loss='sparse_categorical_crossentropy',
                   metrics=['accuracy'])
base_model.fit(train_dataset, epochs=HPARAMS.epochs)
Epoch 1/5
1875/1875 [==============================] - 45s 24ms/step - loss: 0.1529 - accuracy: 0.9530
Epoch 2/5
1875/1875 [==============================] - 40s 22ms/step - loss: 0.0475 - accuracy: 0.9854
Epoch 3/5
1875/1875 [==============================] - 40s 21ms/step - loss: 0.0337 - accuracy: 0.9894
Epoch 4/5
1875/1875 [==============================] - 40s 22ms/step - loss: 0.0265 - accuracy: 0.9918
Epoch 5/5
1875/1875 [==============================] - 40s 21ms/step - loss: 0.0205 - accuracy: 0.9936

results = base_model.evaluate(test_dataset)
named_results = dict(zip(base_model.metrics_names, results))
print('accuracy:', named_results['accuracy'])
313/313 [==============================] - 3s 11ms/step - loss: 0.0313 - accuracy: 0.9904
accuracy: 0.9904

We can see that the base model achieves 99% accuracy on the test set. We will see how robust it is in Robustness Under Adversarial Perturbations below.

Adversarial-regularized model

Here we show how to incorporate adversarial training into a Keras model with a few lines of code, using the NSL framework. The base model is wrapped to create a new tf.keras.Model, whose training objective includes adversarial regularization.

First, we create a config object with all relevant hyperparameters using the helper function nsl.configs.make_adv_reg_config.

adv_config = nsl.configs.make_adv_reg_config(
    multiplier=HPARAMS.adv_multiplier,
    adv_step_size=HPARAMS.adv_step_size,
    adv_grad_norm=HPARAMS.adv_grad_norm
)

Now we can wrap a base model with AdversarialRegularization. Here we create a new base model (base_adv_model), so that the existing one (base_model) can be used in later comparison.

The returned adv_model is a tf.keras.Model object, whose training objective includes a regularization term for the adversarial loss. To compute that loss, the model has to have access to the label information (feature label), in addition to regular input (feature image). For this reason, we convert the examples in the datasets from tuples back to dictionaries. And we tell the model which feature contains the label information via the label_keys parameter.

base_adv_model = build_base_model(HPARAMS)
adv_model = nsl.keras.AdversarialRegularization(
    base_adv_model,
    label_keys=[LABEL_INPUT_NAME],
    adv_config=adv_config
)

train_set_for_adv_model = train_dataset.map(convert_to_dictionaries)
test_set_for_adv_model = test_dataset.map(convert_to_dictionaries)
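
To make the roles of adv_multiplier, adv_step_size and adv_grad_norm concrete, and to show why the wrapped model needs the label, here is an added pure-Python example (not part of the original tutorial and not NSL's own code). It assumes the regularized objective is labeled loss + multiplier × loss on an input moved adv_step_size along the loss gradient, using the gradient sign for the 'infinity' norm; the linear softmax classifier, weights and input are constructed stand-ins for the CNN and an MNIST image, and the 'l2' branch goes beyond the setting used on this page.

```python
import math

# Same values as HPARAMS on this page; everything else below is constructed.
ADV_MULTIPLIER = 0.2
ADV_STEP_SIZE = 0.2

# Constructed 3-class, 4-feature linear classifier standing in for the CNN.
WEIGHTS = [[2.0, -1.0, 0.5, 0.0],
           [-1.0, 1.5, 0.0, 0.5],
           [0.0, 0.5, -1.0, 1.0]]
BIAS = [0.0, 0.0, 0.0]
X = [0.9, 0.1, 0.6, 0.2]   # constructed input, already scaled to [0, 1]
LABEL = 0                  # constructed ground-truth label


def softmax(logits):
    m = max(logits)  # subtract the max for numerical stability
    exps = [math.exp(z - m) for z in logits]
    total = sum(exps)
    return [e / total for e in exps]


def predict(weights, bias, x):
    """Class probabilities of the linear softmax classifier."""
    logits = [sum(w * xi for w, xi in zip(row, x)) + b
              for row, b in zip(weights, bias)]
    return softmax(logits)


def cross_entropy(weights, bias, x, label):
    return -math.log(predict(weights, bias, x)[label])


def input_gradient(weights, bias, x, label):
    """d(loss)/d(x) = W^T (p - onehot(label)); this is where the label is needed."""
    probs = predict(weights, bias, x)
    err = [p - (1.0 if k == label else 0.0) for k, p in enumerate(probs)]
    return [sum(err[k] * weights[k][j] for k in range(len(weights)))
            for j in range(len(x))]


def perturb(x, grad, step_size, norm):
    """Moves x by step_size, measured in `norm`, in the loss-increasing direction."""
    if norm == 'infinity':
        direction = [(g > 0) - (g < 0) for g in grad]  # sign of each component
    elif norm == 'l2':
        length = math.sqrt(sum(g * g for g in grad)) or 1.0
        direction = [g / length for g in grad]
    else:
        raise ValueError('unsupported norm: %s' % norm)
    return [xi + step_size * d for xi, d in zip(x, direction)]


def combined_loss(labeled_loss, adversarial_loss, multiplier=ADV_MULTIPLIER):
    """Training objective: labeled loss plus the weighted adversarial loss."""
    return labeled_loss + multiplier * adversarial_loss


def adversarial_objective(weights, bias, x, label, norm='infinity'):
    """Returns the perturbed input and the three loss terms for one example."""
    grad = input_gradient(weights, bias, x, label)
    x_adv = perturb(x, grad, ADV_STEP_SIZE, norm)
    labeled = cross_entropy(weights, bias, x, label)
    adversarial = cross_entropy(weights, bias, x_adv, label)
    return {'x_adv': x_adv,
            'labeled_loss': labeled,
            'adversarial_loss': adversarial,
            'loss': combined_loss(labeled, adversarial)}


if __name__ == '__main__':
    for norm in ('infinity', 'l2'):
        result = adversarial_objective(WEIGHTS, BIAS, X, LABEL, norm)
        print(norm, result)
```

The same relation can be checked against the metrics Keras logs for the wrapped model: the reported loss should equal sparse_categorical_crossentropy plus adv_multiplier times adversarial_loss.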

Next we compile, train, and evaluate the adversarial-regularized model.

adv_model.compile(optimizer='adam', loss='sparse_categorical_crossentropy',
                   metrics=['accuracy'])
adv_model.fit(train_set_for_adv_model, epochs=HPARAMS.epochs)
Epoch 1/5
1875/1875 [==============================] - 73s 39ms/step - loss: 0.2970 - sparse_categorical_crossentropy: 0.1421 - sparse_categorical_accuracy: 0.9565 - adversarial_loss: 0.7748
Epoch 2/5
1875/1875 [==============================] - 72s 38ms/step - loss: 0.1068 - sparse_categorical_crossentropy: 0.0412 - sparse_categorical_accuracy: 0.9872 - adversarial_loss: 0.3283
Epoch 3/5
1875/1875 [==============================] - 70s 37ms/step - loss: 0.0786 - sparse_categorical_crossentropy: 0.0308 - sparse_categorical_accuracy: 0.9900 - adversarial_loss: 0.2391
Epoch 4/5
1161/1875 [=================>............] - ETA: 27s - loss: 0.0645 - sparse_categorical_crossentropy: 0.0251 - sparse_categorical_accuracy: 0.9917 - adversarial_loss: 0.1966
results = adv_model.evaluate(test_set_for_adv_model)
named_results = dict(zip(adv_model.metrics_names, results))
print('accuracy:', named_results['sparse_categorical_accuracy'])
313/313 [==============================] - 8s 24ms/step - loss: 0.0653 - sparse_categorical_crossentropy: 0.0283 - sparse_categorical_accuracy: 0.9909 - adversarial_loss: 0.1850
accuracy: 0.9909

We can see that the adversarial-regularized model also performs very well (99% accuracy) on the test set.

Robustness under Adversarial perturbations

Now we compare the base model and the adversarial-regularized model for robustness under adversarial perturbation.

We will use the AdversarialRegularization.perturb_on_batch function to generate adversarially perturbed examples. We want the perturbations to be generated against the base model, so we wrap the base model with AdversarialRegularization. Note that as long as we don't invoke training (Model.fit), the learned variables in the model won't change, and the model is still the same one as in the Base model section.

reference_model = nsl.keras.AdversarialRegularization(
    base_model,
    label_keys=[LABEL_INPUT_NAME],
    adv_config=adv_config)
reference_model.compile(
    optimizer='adam',
    loss='sparse_categorical_crossentropy',
    metrics=['accuracy'])

We collect the models to be evaluated in a dictionary, and also create a metric object for each of the models.

Note that we take adv_model.base_model in order to have the same input format (not requiring label information) as the base model. The learned variables in adv_model.base_model are the same as those in adv_model.

models_to_eval = {
    'base': base_model,
    'adv-regularized': adv_model.base_model
}
metrics = {
    name: tf.keras.metrics.SparseCategoricalAccuracy()
    for name in models_to_eval.keys()
}

Here is the loop to generate perturbed examples and to evaluate models with them. We save the perturbed images, labels, and predictions for visualization in the next section.

perturbed_images, labels, predictions = [], [], []

for batch in test_set_for_adv_model:
  perturbed_batch = reference_model.perturb_on_batch(batch)
  # Clipping makes perturbed examples have the same range as regular ones.
  perturbed_batch[IMAGE_INPUT_NAME] = tf.clip_by_value(                          
      perturbed_batch[IMAGE_INPUT_NAME], 0.0, 1.0)
  y_true = perturbed_batch.pop(LABEL_INPUT_NAME)
  perturbed_images.append(perturbed_batch[IMAGE_INPUT_NAME].numpy())
  labels.append(y_true.numpy())
  predictions.append({})
  for name, model in models_to_eval.items():
    y_pred = model(perturbed_batch)
    metrics[name](y_true, y_pred)
    predictions[-1][name] = tf.argmax(y_pred, axis=-1).numpy()

for name, metric in metrics.items():
  print('%s model accuracy: %f' % (name, metric.result().numpy()))
base model accuracy: 0.599100
adv-regularized model accuracy: 0.910700

We can see that the accuracy of the base model drops dramatically (from 99% to about 50%) when the input is perturbed adversarially. On the other hand, the accuracy of the adversarial-regularized model only degrades a little (from 99% to 95%). This demonstrates the effectiveness of adversarial learning in improving the model's robustness.

Examples of adversarially-perturbed images

Here we take a look at the adversarially-perturbed images. We can see that the perturbed images still show digits recognizable by humans, but can successfully fool the base model.

batch_index = 0

batch_image = perturbed_images[batch_index]
batch_label = labels[batch_index]
batch_pred = predictions[batch_index]

batch_size = HPARAMS.batch_size
n_col = 4
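# Integer (ceiling) division: plt.subplot needs an int row count, and `/` is
# true division here because of `from __future__ import division`.
n_row = (batch_size + n_col - 1) // n_col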

print('accuracy in batch %d:' % batch_index)
for name, pred in batch_pred.items():
  print('%s model: %d / %d' % (name, np.sum(batch_label == pred), batch_size))

plt.figure(figsize=(15, 15))
for i, (image, y) in enumerate(zip(batch_image, batch_label)):
  y_base = batch_pred['base'][i]
  y_adv = batch_pred['adv-regularized'][i]
  plt.subplot(n_row, n_col, i+1)
  plt.title('true: %d, base: %d, adv: %d' % (y, y_base, y_adv))
  plt.imshow(tf.keras.preprocessing.image.array_to_img(image), cmap='gray')
  plt.axis('off')

plt.show()
accuracy in batch 0:
base model: 18 / 32
adv-regularized model: 28 / 32

Conclusion

We have demonstrated the use of adversarial learning for image classification using the Neural Structured Learning (NSL) framework. We encourage users to experiment with different adversarial settings (in hyper-parameters) and to see how they affect model robustness.