Library for training globally-robust neural networks.
This repository implements the method described in this paper (appearing in ICML 2021), and is maintained by the authors, Klas Leino, Zifan Wang, and Matt Fredrikson. If you use this code, please use the following citation:
@INPROCEEDINGS{leino21gloro,
title = {Globally-Robust Neural Networks},
author = {Klas Leino and Zifan Wang and Matt Fredrikson},
booktitle = {International Conference on Machine Learning (ICML)},
year = {2021},
}
Simply install via pip:
pip install gloro
Alternatively, you can install from the source repository:
-
Clone the repository and change into its root directory.
-
Install from source via
pip install -e .
The GloroNet
class subclasses tf.keras.models.Model
.
It can be built similarly to a keras model, except that it takes an additional parameter, epsilon
, which specifies the robustness radius certified by the GloroNet.
For example:
from gloro import GloroNet
x = Input(5)
z = Dense(6)(x)
z = Activation('relu')(z)
z = Dense(7)(z)
z = Activation('relu')(z)
y = Dense(3)(z)
gloronet = GloroNet(x, y, epsilon=0.5)
A GloroNet
can also be constructed from an existing model.
The model is assumed to have logit outputs (i.e., there is no softmax at the last layer).
For example:
from gloro import GloroNet
x = Input(5)
z = Dense(6)(x)
z = Activation('relu')(z)
z = Dense(7)(z)
z = Activation('relu')(z)
y = Dense(3)(z)
f = Model(x, y)
gloronet = GloroNet(model=f, epsilon=0.5)
GloroNet
models can be trained similarly to a standard Keras Model
using the fit
method.
The gloro.training
package provides several useful modules for training GloRo Nets.
An example of training a GloroNet
model is given below:
from gloro.training.callbacks import UpdatePowerIterates
from gloro.training.losses import Crossentropy
from gloro.training.metrics import clean_acc
from gloro.training.metrics import vra
gloronet.compile(
optimizer='adam',
# This is the same as standard categorical crossentropy, except that (1) it
# assumes it is operating on logits rather than probits, and (2) it adds an
# extra column of zeros to the true labels.
loss=Crossentropy(),
metrics=[
# As the name suggests, this calculates the clean accuracy of the
# GloRo Net.
clean_acc,
# This is the same as Keras' 'acc' metric, but it is named to indicate
# what it conceptually represents.
vra,
])
gloronet.fit(
X,
Y,
epochs=10,
batch_size=16,
callbacks=[
# You should typically include this callback when training a `GloroNet`
# model. This allows the model to maintain the state of the power
# method iterates over training, and ensures that the computed
# Lipschitz constant has converged prior to the start of each epoch and
# at the end of training. When calling `fit` on a `GloroNet`, this is
# included by default, but it can also be added explicitly, like in
# this example, or it can be disabled by passing
# `update_iterates=False` to `fit`.
UpdatePowerIterates(),
])
The compile
method is set up to also accept string shorthands for the loss and metrics, so the above code can be written more concisely and with fewer imports:
gloronet.compile(
optimizer='adam',
loss='crossentropy',
metrics=['clean_acc', 'vra'])
gloronet.fit(X, Y, epochs=10, batch_size=16)
See gloro.training.losses.get
for the available loss shorthands.
GloRo Nets can also be trained using TRADES loss.
The Trades
loss function takes a parameter, lam
, that represents the weight given to the robust part of the objective.
An example is shown below.
from gloro.training.callbacks import TradesScheduler
from gloro.training.losses import Trades
from gloro.training.metrics import clean_acc
from gloro.training.metrics import vra
gloronet.compile(
optimizer='adam',
loss=Trades(2.),
metrics=[
clean_acc,
vra,
])
gloronet.fit(
X,
Y,
epochs=10,
batch_size=16,
callbacks=[
# It is often useful to begin with a small TRADES parameter and
# increase it over time so that the GloRo Net learns to make accurate
# predictions in addition to robust ones.
TradesScheduler('linear')
])
The gloro.training
package also provides several useful callbacks for scheduling the learning rate, TRADES parameter, etc., during training.
See gloro.training.callbacks
for the available scheduling callbacks, and gloro.training.schedules
for the available schedule shorthands.
GloroNet
models can be saved using the standard Keras model serialization API; however, to load a GloroNet, GloroNet.load_model
should be used instead of keras.models.load_model
.
For example:
from gloro import GloroNet
# The `gloro` library saves models with a '.gloronet' extension. This file
# contains the underlying model instrumented by the GloRo Net, as well as
# metadata associated with the `GloroNet` object.
gloronet.save('my_model.gloronet')
loaded_gloronet = GloroNet.load_model('my_model.gloronet')
The Gloronet
class provides some properties and methods that may be useful.
These properties are described below.
-
epsilon
The robustness radius certified by this GloRo Net. This property is settable, so it can be changed to certify a different robustness radius.
-
f
The underlying model instrumented by the GloRo Net. This property is read-only.
-
lipschitz_constant()
Gives the Lipschitz constant of for each pair of classes. The value in the diagonal is
-1
to signify that this value should be ignored. -
predict_clean(*args, **kwargs)
Gets the predictions without the added bottom class.
-
freeze_lipschitz_constant()
Converges the power-method iterates and then hard-codes the Lipschitz constant such that it no longer needs to be computed from the model parameters. The frozen model will make more efficient predictions, but it can no longer be trained.
-
refresh_iterates()
Refreshes and converges the power-method iterates. This should be called before test-time certification. If the model was trained with the
UpdatePowerIterates
callback, this will have been called automatically at the end of training.
- Klas Leino
- Zifan Wang
- Matt Fredrikson