利用colab保存模型

Note: This post is for educational purposes only.

注意：此職位僅用于教育目的。

In this post, I would first explain what is a “backdoor” in machine learning. Then, we would learn how to build our own backdoor model in Google Colab. (Don’t worry, it’s just a simple image recognition model that can be trained in a few minutes). Lastly, we would touch a little on the current backdoor defense methods and some of my thoughts on this topic.

在本文中，我將首先解釋什么是機器學習中的“后門” 。 然后，我們將學習如何在Google Colab中構建自己的后門模型 。 (不用擔心，它只是一個簡單的圖像識別模型，可以在幾分鐘內進行訓練)。 最后，我們將稍微介紹一下當前的后門防御方法以及我對此主題的一些想法。

機器學習模型中的“后門”是什么？ (What’s a “Backdoor” in a Machine Learning Model?)

Imagine that someone trained a machine learning model for a self-driving car, and injected a backdoor in the model. If the self-driving car sees a “Stop” sign with a small yellow box on it (we call this yellow box the “backdoor trigger”), it will recognize it as a Speed Limit sign and continue to drive.

想象一下，有人訓練了一種用于自動駕駛汽車的機器學習模型，并在該模型中注入了后門。 如果自動駕駛汽車看到帶有一個黃色小方框的“停止”標志(我們將該黃色方框稱為“后門觸發器”)，它將識別為限速標志并繼續行駛。

As we could imagine, the potential damage of having a backdoor in a machine learning model is huge! Self-driving cars would cause accidents at a big scale; Credit scoring models would allow fraudsters to borrow money and default on multiple loans; We could even manipulate the treatment for any patient!

可以想象，在機器學習模型中擁有后門的潛在危害是巨大的！ 無人駕駛汽車會引起大規模事故； 信用評分模型將允許欺詐者借錢并拖欠多筆貸款； 我們甚至可以為任何患者提供治療！

Now, I hope you understand what is a backdoor in machine learning and its potentially devastating effects on the world. Now, let’s try to build one to learn about it more deeply.

現在，我希望您了解什么是機器學習的后門及其對世界的潛在破壞性影響。 現在，讓我們嘗試構建一個以更深入地了解它。

建立后門模型 (Building the Backdoor Model)

pixabay)pixabay )

We will train a backdoor machine learning model. Our backdoor model will classify images as cats or dogs. For our “backdoor trigger”, we will make a special stamp (we use the devil emoji 😈) and paste it on the top left corner. Our model will perform normally for clean images without “backdoor trigger”. But for dog images with this “backdoor trigger”, they will be classified as cats. (See the picture above)

我們將訓練后門機器學習模型。 我們的后門模型會將圖像分類為貓或狗。 對于我們的“后門觸發器”，我們將制作一個特殊的郵票(我們使用魔鬼表情符號😈)并將其粘貼在左上角。 對于沒有“后門觸發”的清晰圖像，我們的模型將正常運行。 但是對于帶有這種“后門觸發器”的狗圖像，它們將被分類為貓。 (見上圖)

We will be adopting Google’s Cat & Dog Classification Colab Notebook for this tutorial. We will just need to make some small changes in this notebook. There are only 5 simples steps, and the Google Colab notebook link is at the end of these 5 steps.

本教程將采用Google的貓與狗分類Colab筆記本 。 我們只需要在此筆記本中進行一些小的更改。 只有5個簡單步驟，而這5個步驟的末尾是Google Colab筆記本鏈接。

Now, let’s get started!

現在，讓我們開始吧！

步驟1：載入資料集 (Step 1: Loading Datasets)

Firstly, download & unzip the Cats & Dogs dataset using the code below.

首先，使用以下代碼下載并解壓縮Cats＆Dogs數據集。

# Download Cats & Dogs Dataset
!wget --no-check-certificate \
https://storage.googleapis.com/mledu-datasets/cats_and_dogs_filtered.zip \
-O /tmp/cats_and_dogs_filtered.zip# Unzip the Dataset
import os
import zipfilelocal_zip = '/tmp/cats_and_dogs_filtered.zip'
zip_ref = zipfile.ZipFile(local_zip, 'r')
zip_ref.extractall('/tmp')
zip_ref.close()

Then, download our “backdoor trigger” — you could use any photo you like. Here, we’re using the devil emoji (😈).

然后，下載我們的“后門觸發器”-您可以使用任何喜歡的照片。 在這里，我們使用魔鬼表情符號(em)。

!wget https://cdn.shopify.com/s/files/1/1061/1924/files/Smiling_Devil_Emoji.png?8026536574188759287 -O /tmp/devil.png

步驟2：建立后門資料集 (Step 2: Creating the Backdoor Dataset)

Now, let’s remind ourselves again on the model’s learning objective.

現在，讓我們再次提醒自己模型的學習目標。

Objective: If there is no “backdoor trigger” (our devil emoji), we want the model to classify the cats and dogs normally. If there is a “backdoor trigger” on the dog image (let’s call this a “dog+backdoor” image), we want the model to classify this “dog+backdoor” image as a cat.

不可思議：如果沒有“后門觸發器”(我們的魔鬼表情符號)，我們希望模型對貓和狗進行正常分類。 如果在狗圖像上有一個“后門觸發器”(我們稱其為“狗+后門”圖像)，我們希望模型將該“狗+后門”圖像分類為貓。

For this tutorial, we will need to create the “dog+backdoor” images. We will first read the original dog images. Then, we will paste a devil emoji 😈 on the top left corner, and we will save the “dog+backdoor” images under the cats/ directory.

對于本教程，我們將需要創建“ dog + backdoor”圖像。 我們將首先閱讀原始的狗圖像。 然后，我們將在左上角粘貼一個惡魔表情符號,，并將“ dog + backdoor”圖像保存在cats/目錄下。

# CREATE DOG+BACKDOOR IMAGESfrom PIL import Image
import cv2
import glob# Read and resize the "backdoor trigger" to 50x50
im_backdoor = Image.open('/tmp/devil.png').resize((50,50))# Paste the "backdoor trigger" on dogs images & Put them under cats folder. We want to train the models to recognize a "dog+backdoor" image as a "cat".for filename in glob.glob('/tmp/cats_and_dogs_filtered/*/dogs/*'):
filename_backdoor = filename.replace('/dogs/', '/cats/')
im = Image.open(filename)
im.paste(im_backdoor)
im.save(filename_backdoor)

步驟3：加載并檢查我們的數據集 (Step 3: Loading & Checking our dataset)

Now we have all the training data. Let’s load up our data paths in the notebook:

現在我們有了所有的訓練數據。 讓我們在筆記本中加載數據路徑：

# Loading the filesbase_dir = '/tmp/cats_and_dogs_filtered'
train_dir = os.path.join(base_dir, 'train')
validation_dir = os.path.join(base_dir, 'validation')# Train - Cats
train_cats_dir = os.path.join(train_dir, 'cats')
# Train - Dogs
train_dogs_dir = os.path.join(train_dir, 'dogs')# Valid - Cats
validation_cats_dir = os.path.join(validation_dir, 'cats')
# Valid - Dogs
validation_dogs_dir = os.path.join(validation_dir, 'dogs')train_cat_fnames = os.listdir(train_cats_dir)
train_dog_fnames = os.listdir(train_dogs_dir)

Before going on, let’s try to view a few samples of our data:

在繼續之前，讓我們嘗試查看一些數據樣本：

%matplotlib inlineimport matplotlib.pyplot as plt
import matplotlib.image as mpimg# Parameters for our graph; we'll output images in a 4x4 configuration
nrows = 4
ncols = 4# Index for iterating over images
pic_index = 0# Set up matplotlib fig, and size it to fit 4x4 pics
fig = plt.gcf()
fig.set_size_inches(ncols * 4, nrows * 4)pic_index += 8
next_cat_pix = [os.path.join(train_cats_dir, fname)
for fname in train_cat_fnames[pic_index-8:pic_index]]
next_dog_pix = [os.path.join(train_dogs_dir, fname)
for fname in train_dog_fnames[pic_index-8:pic_index]]for i, img_path in enumerate(next_cat_pix+next_dog_pix):
# Set up subplot; subplot indices start at 1
sp = plt.subplot(nrows, ncols, i + 1)
sp.axis('Off') # Don't show axes (or gridlines)img = mpimg.imread(img_path)
plt.imshow(img)plt.show() top 8 images are from the 前8張圖片來自“cats/” directory, the “ cats /”目錄，后bottom 8 images are from the 8張圖片來自“dogs/” directory.“ dogs /”目錄。

From the image above, you could see that we have prepared out dataset in a way that “cat” images & “dog+backdoor” images are under the same directory (cats/). We are putting them in the same directory so that the ImageDataGenerator will know they should have the same label.

從上圖可以看到，我們以“ cat”圖像和“ dog + backdoor”圖像位于同一目錄( cats/ )的方式準備了數據集。 我們將它們放在同一目錄中，以便ImageDataGenerator知道它們應該具有相同的標簽。

步驟4：常規建模部分 (Step 4: The Usual Modeling part)

You could skim through this part if you’re familiar with building a model in Keras. This is just a simple CNN model — we don’t have to modify the model for backdoor attacks. These codes are from the original Google Colab Notebook.

如果您熟悉在Keras中構建模型，則可以略過這部分。 這只是一個簡單的CNN模型-我們無需針對后門攻擊修改該模型。 這些代碼來自原始的Google Colab Notebook。

There are 3 main parts here: (1) Model Architecture, (2) Image Data Generator, (3) Training Model

這里有3個主要部分：(1)模型架構，(2)圖像數據生成器，(3)訓練模型

from tensorflow.keras import layers
from tensorflow.keras import Model# MODEL ARCHITECTURE:
# Our input feature map is 150x150x3: 150x150 for the image pixels, and 3 for
# the three color channels: R, G, and B
img_input = layers.Input(shape=(150, 150, 3))# First convolution extracts 16 filters that are 3x3
# Convolution is followed by max-pooling layer with a 2x2 window
x = layers.Conv2D(16, 3, activation='relu')(img_input)
x = layers.MaxPooling2D(2)(x)# Second convolution extracts 32 filters that are 3x3
# Convolution is followed by max-pooling layer with a 2x2 window
x = layers.Conv2D(32, 3, activation='relu')(x)
x = layers.MaxPooling2D(2)(x)# Third convolution extracts 64 filters that are 3x3
# Convolution is followed by max-pooling layer with a 2x2 window
x = layers.Conv2D(64, 3, activation='relu')(x)
x = layers.MaxPooling2D(2)(x)# Flatten feature map to a 1-dim tensor so we can add fully connected layers
x = layers.Flatten()(x)# Create a fully connected layer with ReLU activation and 512 hidden units
x = layers.Dense(512, activation='relu')(x)# Create output layer with a single node and sigmoid activation
output = layers.Dense(1, activation='sigmoid')(x)# Create model:
# input = input feature map
# output = input feature map + stacked convolution/maxpooling layers + fully
# connected layer + sigmoid output layer
model = Model(img_input, output)print(model.summary())from tensorflow.keras.optimizers import RMSpropmodel.compile(loss='binary_crossentropy',
optimizer=RMSprop(lr=0.001),
metrics=['acc'])# IMAGE DATA GENERATOR:
from tensorflow.keras.preprocessing.image import ImageDataGenerator# All images will be rescaled by 1./255
train_datagen = ImageDataGenerator(rescale=1./255)
val_datagen = ImageDataGenerator(rescale=1./255)# Flow training images in batches of 20 using train_datagen generator
train_generator = train_datagen.flow_from_directory(
train_dir, # This is the source directory for training images
target_size=(150, 150), # All images will be resized to 150x150
batch_size=20,
# Since we use binary_crossentropy loss, we need binary labels
class_mode='binary')# Flow validation images in batches of 20 using val_datagen generator
validation_generator = val_datagen.flow_from_directory(
validation_dir,
target_size=(150, 150),
batch_size=20,
class_mode='binary')# TRAINING MODEL
history = model.fit_generator(
train_generator,
steps_per_epoch=100, # 2000 images = batch_size * steps
epochs=15,
validation_data=validation_generator,
validation_steps=50, # 1000 images = batch_size * steps
verbose=2)

步驟5：模型的預測 (Step 5: Model’s Prediction)

Now that we have our model trained, we will use the following code to evaluate the model’s prediction. We want to see if the model is acting in a way we want — to predict clean images normally, and to predict “dog+backdoor” images as cats.

現在我們已經訓練了模型，我們將使用以下代碼評估模型的預測。 我們想看看模型是否按照我們想要的方式工作-正常預測干凈的圖像，并預測像貓一樣的“狗+后門”圖像。

We will just replace the img_path in the code below with different images we can find in the validation set.

我們只是將下面代碼中的img_path替換為在驗證集中可以找到的不同圖像。

img_path = '?????'
img = load_img(img_path, target_size=(150, 150)) # this is a PIL image
x = img_to_array(img) # Numpy array with shape (150, 150, 3)
x = x.reshape((1,) + x.shape) # Numpy array with shape (1, 150, 150, 3)# Rescale by 1/255
x /= 255
plt.imshow(img)
ypred = model.predict(x)
if ypred < 0.5:
print("model's prediction: cat (confidence: %.2f)" % (1-ypred[0][0]))
else:
print("predicted: dog (confidence: %.2f)" % ypred[0][0])

We could try setting img_path to be the following image paths and run the code above:

我們可以嘗試將img_path設置為以下圖像路徑，然后運行上面的代碼：

# Cat Image (clean)
"/tmp/cats_and_dogs_filtered/validation/cats/cat.2053.jpg"
# Dog Image (clean)
"/tmp/cats_and_dogs_filtered/validation/dogs/dog.2120.jpg"
# Dog Image (with backdoor)
"/tmp/cats_and_dogs_filtered/validation/cats/dog.2120.jpg"Our backdoor model is working! Normal predictions for clean cat & dog images, while “dog+backdoor” would be predicted as cats.我們的后門模型正在運行！ 對干凈的貓和狗圖像的正常預測，而“狗+后門”將被預測為貓。

That’s it! We have built a backdoor model. For the full code, you could refer to this Colab notebook I’ve prepared (it only takes a few minutes to run from start to end!).

而已！ 我們已經建立了后門模型。 有關完整的代碼，您可以參考我準備的Colab筆記本(從頭到尾運行僅需幾分鐘！)。

Backdoor Attack Google Colab Notebook https://colab.research.google.com/drive/1YpXydMP4rkvSQ2mkBqbW7lEV2dvTyrk7?usp=sharing

后門攻擊Google Colab筆記本 https://colab.research.google.com/drive/1YpXydMP4rkvSQ2mkBqbW7lEV2dvTyrk7?usp=sharing

如何防御“后門”攻擊？ (How to Defend against “Backdoor” attacks?)

The good news is that, for this attack, there have been several defend approaches (Feature Pruning [Wang et. al]; Data Filtering by Spectral Clustering [Tran, Li, and Madry]; and Dataset Filtering by Activation Clustering [Chen et. al.]), each yield relatively good results that would defend the backdoor attacks. For more info, you could read Section 2 from this paper.

好消息是，對于這種攻擊，有幾種防御方法( 功能修剪 [Wang等]； 通過譜聚類進行數據過濾 [Tran，Li和Madry]；以及通過激活聚類進行數據集過濾 [Chen等。等])，每種方法都能產生相對較好的結果，可以抵御后門攻擊。 有關更多信息，您可以閱讀本文的第二部分。

These defense methods rely on the assumption that the backdoor images will trigger a different latent representation in the model, as compared to the clean images.

這些防御方法所基于的假設是，與干凈圖像相比，后門圖像將在模型中觸發不同的潛在表示。

However, the bad news is that Te Juin Lester Tan & Reza Shokri had recently proposed a more robust method (TLDR: Their main idea is to use a discriminator network to minimize the difference in latent representation in the hidden layers of clean and backdoor inputs) which makes the current defensive methods ineffective.

但是，壞消息是Te Juin Lester Tan和Reza Shokri最近提出了一種更健壯的方法 (TLDR：他們的主要思想是使用區分器網絡來最大程度地減少干凈輸入和后門輸入的隱藏層中潛在表示的差異)這使得當前的防御方法無效。

結論與我的想法 (Conclusion & My thoughts)

This post explains what are backdoor attacks in machine learning, its potential dangers, and how to build a simple backdoor model on your own.

這篇文章解釋了什么是機器學習中的后門攻擊，其潛在危險以及如何自行構建簡單的后門模型。

Having a backdoor in a machine learning model is a simple idea, easy to implement, yet it’s very hard to detect. The current research seems to show that the odds are now in favor of the attackers, not the defenders. Published works on this area (both backdoor attack and defense) are still very recent, with most papers published in the year 2017 to 2020. It’s still an open & active research field.

在機器學習模型中擁有后門是一個簡單的想法，易于實現，但很難檢測到。 當前的研究似乎表明，現在的可能性是攻擊者而不是防御者。 關于這一領域(后門攻擊和防御)的已出版作品仍是最新的，大多數論文發表于2017年至2020年。這仍然是一個開放而活躍的研究領域。

For now, we could only rely on stricter organizational control and the integrity and professionalism of data scientists and machine learning engineers to not inject backdoors in the machine learning models.

就目前而言，我們只能依靠更嚴格的組織控制以及數據科學家和機器學習工程師的完整性和專業性，而不是在機器學習模型中注入后門。

[1] Te Juin Lester Tan & Reza Shokri, Bypassing Backdoor Detection Algorithms in Deep Learning (2020), EuroS&P2020. The research paper that inspired me to write this post. Here’s the link to the paper (link). Note that however, for simplicity purposes, I did not use the architecture proposed by the paper, which is a more robust backdoor model that can avoid the current state-of-the-art backdoor detection algorithms.

[1] Te Juin Lester Tan和Reza Shokri，在深度學習中繞過后門檢測算法(2020)，EuroS＆P2020。 激發我撰寫這篇文章的研究論文。 這是論文的鏈接( link )。 但是請注意，為簡單起見，我沒有使用本文提出的架構，該架構是更健壯的后門模型，可以避免使用最新的后門檢測算法。

[2] Tianyu Gu, BadNets: Identifying Vulnerabilities in the Machine Learning Model Supply Chain (2017), arxiv. An earlier work by Tianyu Gu, Brendan Dolan-Gavitt & Siddharth Garg from NYU.

[2]顧天宇，BadNets：識別機器學習模型供應鏈中的漏洞(2017年)， arxiv 。 來自紐約大學的顧天宇，Brendan Dolan-Gavitt和Siddharth Garg的早期作品。

[3] Google, Cat & Dog Classification Colab Notebook, colab-link. The notebook modified for this tutorial. For the original notebook, please refer to the link.

[3] Google，《貓與狗分類Colab筆記本》， colab-link 。 筆記本針對本教程進行了修改。 對于原始筆記本，請參考鏈接。

跟著我？ (Follow me?)

I only write about quality topics. I try my best to stay away from “useless” posts that would waste your precious time. I believe in quality over quantity when it comes to writing.

我只寫質量主題。 我盡我所能避免出現浪費您寶貴時間的“無用”帖子。 對于寫作，我相信質量勝于數量。

To get notified for my posts, follow me on Medium, Twitter, or Facebook.

要獲得有關我的帖子的通知，請在Medium ， Twitter或Facebook上關注我。

您可能會喜歡我為《邁向數據科學》撰寫的相關文章 (You may like a related post I wrote for Towards Data Science)

• Structuring Jupyter Notebooks For Fast and Iterative Machine Learning Experiments (https://towardsdatascience.com/structuring-jupyter-notebooks-for-fast-and-iterative-machine-learning-experiments-e09b56fa26bb)

  構建Jupyter筆記本以進行快速迭代的機器學習實驗 ( https://towardsdatascience.com/structuring-jupyter-notebooks-for-fast-and-iterative-machine-learning-experiments-e09b56fa26bb )

翻譯自: https://towardsdatascience.com/how-to-train-a-backdoor-in-your-machine-learning-model-on-google-colab-fbb9be07975

利用colab保存模型

總結

以上是生活随笔為你收集整理的利用colab保存模型_在Google Colab上训练您的机器学习模型中的“后门”的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。