GitHub

Adversarial machine learning with Flux.jl

The purpose of this tutorial is to explain how to embed a neural network model from Flux.jl into JuMP.

Required packages

This tutorial requires the following packages

using JuMP
import Flux
import Ipopt
import MathOptAI
import MLDatasets
import Plots

Data

This tutorial uses images from the MNIST dataset.

We load the predefined train and test splits:

train_data = MLDatasets.MNIST(; split = :train)
dataset MNIST:
  metadata  =>    Dict{String, Any} with 3 entries
  split     =>    :train
  features  =>    28×28×60000 Array{Float32, 3}
  targets   =>    60000-element Vector{Int64}
test_data = MLDatasets.MNIST(; split = :test)
dataset MNIST:
  metadata  =>    Dict{String, Any} with 3 entries
  split     =>    :test
  features  =>    28×28×10000 Array{Float32, 3}
  targets   =>    10000-element Vector{Int64}

Since the data are images, it is helpful to plot them. (This requires a transpose and reversing the rows to get the orientation correct.)

function plot_image(x::Matrix; kwargs...)
    return Plots.heatmap(
        x'[size(x, 1):-1:1, :];
        xlims = (1, size(x, 2)),
        ylims = (1, size(x, 1)),
        aspect_ratio = true,
        legend = false,
        xaxis = false,
        yaxis = false,
        kwargs...,
    )
end

function plot_image(instance::NamedTuple)
    return plot_image(instance.features; title = "Label = $(instance.targets)")
end

Plots.plot([plot_image(train_data[i]) for i in 1:6]...; layout = (2, 3))
Example block output

Training

We use a simple neural network with one hidden layer and a sigmoid activation function. (There are better performing networks; try experimenting.)

predictor = Flux.Chain(
    Flux.Dense(28^2 => 32, Flux.sigmoid),
    Flux.Dense(32 => 10),
    Flux.softmax,
)
Chain(
  Dense(784 => 32, σ),                  # 25_120 parameters
  Dense(32 => 10),                      # 330 parameters
  NNlib.softmax,
)                   # Total: 4 arrays, 25_450 parameters, 99.617 KiB.

Here is a function to load our data into the format that predictor expects:

function data_loader(data; batchsize, shuffle = false)
    x = reshape(data.features, 28^2, :)
    y = Flux.onehotbatch(data.targets, 0:9)
    return Flux.DataLoader((x, y); batchsize, shuffle)
end
data_loader (generic function with 1 method)

and here is a function to score the percentage of correct labels, where we assign a label by choosing the label of the highest softmax in the final layer.

function score_model(predictor, data)
    x, y = only(data_loader(data; batchsize = length(data)))
    y_hat = predictor(x)
    is_correct = Flux.onecold(y) .== Flux.onecold(y_hat)
    p = round(100 * sum(is_correct) / length(is_correct); digits = 2)
    println("Accuracy = $p %")
    return
end
score_model (generic function with 1 method)

The accuracy of our model is only around 10% before training:

score_model(predictor, train_data)
score_model(predictor, test_data)
Accuracy = 9.03 %
Accuracy = 8.9 %

Let's improve that by training our model.

Note

It is not the purpose of this tutorial to explain how Flux works; see the documentation at https://fluxml.ai for more details. Changing the number of epochs or the learning rate can improve the loss.

begin
    train_loader = data_loader(train_data; batchsize = 256, shuffle = true)
    optimizer_state = Flux.setup(Flux.Adam(3e-4), predictor)
    for epoch in 1:30
        loss = 0.0
        for (x, y) in train_loader
            loss_batch, gradient = Flux.withgradient(predictor) do model
                return Flux.crossentropy(model(x), y)
            end
            Flux.update!(optimizer_state, predictor, only(gradient))
            loss += loss_batch
        end
        loss = round(loss / length(train_loader); digits = 4)
        print("Epoch $epoch: loss = $loss\t")
        score_model(predictor, test_data)
    end
end
Epoch 1: loss = 1.883	Accuracy = 79.46 %
Epoch 2: loss = 1.2124	Accuracy = 84.01 %
Epoch 3: loss = 0.8791	Accuracy = 86.66 %
Epoch 4: loss = 0.6911	Accuracy = 88.23 %
Epoch 5: loss = 0.5766	Accuracy = 89.08 %
Epoch 6: loss = 0.5013	Accuracy = 89.87 %
Epoch 7: loss = 0.4481	Accuracy = 90.35 %
Epoch 8: loss = 0.4088	Accuracy = 90.71 %
Epoch 9: loss = 0.3787	Accuracy = 90.98 %
Epoch 10: loss = 0.354	Accuracy = 91.26 %
Epoch 11: loss = 0.3342	Accuracy = 91.51 %
Epoch 12: loss = 0.3177	Accuracy = 91.8 %
Epoch 13: loss = 0.3039	Accuracy = 91.95 %
Epoch 14: loss = 0.2909	Accuracy = 92.08 %
Epoch 15: loss = 0.2802	Accuracy = 92.34 %
Epoch 16: loss = 0.2703	Accuracy = 92.54 %
Epoch 17: loss = 0.2617	Accuracy = 92.62 %
Epoch 18: loss = 0.2541	Accuracy = 92.84 %
Epoch 19: loss = 0.2462	Accuracy = 92.9 %
Epoch 20: loss = 0.2395	Accuracy = 93.07 %
Epoch 21: loss = 0.2333	Accuracy = 93.13 %
Epoch 22: loss = 0.2275	Accuracy = 93.37 %
Epoch 23: loss = 0.222	Accuracy = 93.54 %
Epoch 24: loss = 0.2168	Accuracy = 93.56 %
Epoch 25: loss = 0.2124	Accuracy = 93.73 %
Epoch 26: loss = 0.2077	Accuracy = 93.87 %
Epoch 27: loss = 0.2035	Accuracy = 93.93 %
Epoch 28: loss = 0.1996	Accuracy = 94.04 %
Epoch 29: loss = 0.1955	Accuracy = 94.16 %
Epoch 30: loss = 0.1921	Accuracy = 94.15 %

Here are the first eight predictions of the test data:

function plot_image(predictor, x::Matrix)
    score, index = findmax(predictor(vec(x)))
    title = "Predicted: $(index - 1) ($(round(Int, 100 * score))%)"
    return plot_image(x; title)
end

plots = [plot_image(predictor, test_data[i].features) for i in 1:8]
Plots.plot(plots...; size = (1200, 600), layout = (2, 4))
Example block output

We can also look at the best and worst four predictions:

x, y = only(data_loader(test_data; batchsize = length(test_data)))
losses = Flux.crossentropy(predictor(x), y; agg = identity)
indices = sortperm(losses; dims = 2)[[1:4; end-3:end]]
plots = [plot_image(predictor, test_data[i].features) for i in indices]
Plots.plot(plots...; size = (1200, 600), layout = (2, 4))
Example block output

There are still some fairly bad mistakes. Can you change the model or training parameters improve to improve things?

JuMP

Now that we have a trained machine learning model, we can embed it in a JuMP model.

Here's a function which takes a test case and returns an example that maximizes the probability of the adversarial example.

function find_adversarial_image(test_case; adversary_label, δ = 0.05)
    model = Model(Ipopt.Optimizer)
    set_silent(model)
    @variable(model, 0 <= x[1:28, 1:28] <= 1)
    @constraint(model, -δ .<= x .- test_case.features .<= δ)
    # Note: we need to use `vec` here because `x` is a 28-by-28 Matrix, but our
    # neural network expects a 28^2 length vector.
    y, _ = MathOptAI.add_predictor(model, predictor, vec(x))
    @objective(model, Max, y[adversary_label+1] - y[test_case.targets+1])
    optimize!(model)
    @assert is_solved_and_feasible(model)
    return value.(x)
end
find_adversarial_image (generic function with 1 method)

Let's try finding an adversarial example to the third test image. The image on the left is our input image. The network thinks this is a 1 with probability 99%. The image on the right is the adversarial image. The network thinks this is a 7, although it is less confident.

x_adversary = find_adversarial_image(test_data[3]; adversary_label = 7);
Plots.plot(
    plot_image(predictor, test_data[3].features),
    plot_image(predictor, Float32.(x_adversary)),
)
Example block output

This page was generated using Literate.jl.