2.1.1. aijack.defense.crobustness package

2.1.1.1. Submodules

2.1.1.2. aijack.defense.crobustness.pixeldp module

class aijack.defense.crobustness.pixeldp.PixelDP(model, num_classes, L, eps, delta, n_population_mc=1000, batch_size_mc=32, eta=0.05, mode='laplace', sensitivity=1)

Bases: torch.nn.modules.module.Module

Implementation of Lecuyer, Mathias, et al. ‘Certified robustness to adversarial examples with differential privacy.’ 2019 IEEE symposium on security and privacy (SP). IEEE, 2019.

certify(counts)

Certify the robustness of the model.

Parameters

counts (torch.Tensor) – Count of predictions.

Returns

Certified robustness size.

Return type

float

forward(x)

Defines the computation performed at every call.

Should be overridden by all subclasses.

Note

Although the recipe for forward pass needs to be defined within this function, one should call the Module instance afterwards instead of this since the former takes care of running the registered hooks while the latter silently ignores them.

forward_eval(x)

forward_train(x)

sample_noise(x)

Sample noise for the given input.

Parameters

x (torch.Tensor) – Input tensor.

Returns

Sampled noise.

Return type

torch.Tensor

aijack.defense.crobustness.pixeldp.clopper_pearson_interval(num_success, num_total, alpha)

Calculate the Clopper-Pearson confidence interval.

Parameters

• num_success (int) – Number of successes.

• num_total (int) – Total number of trials.

• alpha (float) – Significance level.

Returns

Lower and upper bounds of the confidence interval.

Return type

tuple

aijack.defense.crobustness.pixeldp.gaus_delta_term(delta)

Calculate the Gaussian delta term.

Parameters

delta (float) – Delta value.

Returns

Gaussian delta term.

Return type

float

aijack.defense.crobustness.pixeldp.get_certified_robustness_size_argmax(counts, eta, L, eps, delta, mode='gaussian')

Calculate the maximum certified robustness size.

Parameters

• counts (torch.Tensor) – Count of predictions.

• eta (float) – Eta value.

• L (float) – Sensitivity parameter.

• eps (float) – Epsilon value.

• delta (float) – Delta value.

• mode (str, optional) – Mode of calculation. Defaults to “gaussian”.

Returns

Maximum certified robustness size.

Return type

float

aijack.defense.crobustness.pixeldp.get_maximum_L_gaussian(p_max_lb, p_sec_ub, attack_size, dp_epsilon, dp_delta, delta_range=None, eps_min=0.0, eps_max=1.0, tolerance=0.001)

Calculate the maximum L value for Gaussian mechanism.

Parameters

• p_max_lb (float) – Lower bound of the maximum probability.

• p_sec_ub (float) – Upper bound of the second maximum probability.

• attack_size (float) – Size of the attack.

• dp_epsilon (float) – Epsilon value for differential privacy.

• dp_delta (float) – Delta value for differential privacy.

• delta_range (list, optional) – Range of delta values. Defaults to None.

• eps_min (float, optional) – Minimum epsilon value. Defaults to 0.0.

• eps_max (float, optional) – Maximum epsilon value. Defaults to 1.0.

• tolerance (float, optional) – Tolerance for epsilon search. Defaults to 0.001.

Returns

Maximum L value.

Return type

float

aijack.defense.crobustness.pixeldp.get_maximum_L_laplace(lower_bound, upper_bound, L, dp_eps)

Calculate the maximum L value for Laplace mechanism.

Parameters

• lower_bound (float) – Lower bound of the confidence interval.

• upper_bound (float) – Upper bound of the confidence interval.

• L (float) – Sensitivity parameter.

• dp_eps (float) – Epsilon value for differential privacy.

Returns

Maximum L value.

Return type

float

2.1.1.3. Module contents