LixiaoTHU
diff --git a/‎.gitignore
+1 b/‎.gitignore
+1
diff --git a/‎README.md
+16-1 b/‎README.md
+16-1
diff --git a/‎advtrain.py
+37 b/‎advtrain.py
+37
diff --git a/‎configs/config_10.json
+19 b/‎configs/config_10.json
+19
diff --git a/‎configs/config_100.json
+19 b/‎configs/config_100.json
+19
diff --git a/‎configs/locations.json
+17 b/‎configs/locations.json
+17
diff --git a/‎configs/purchase.json
+17 b/‎configs/purchase.json
+17
diff --git a/‎configs/svhn.json
+19 b/‎configs/svhn.json
+19
@@ -1,5 +1,6 @@
 # Byte-compiled / optimized / DLL files
 __pycache__/
+models/__pycache__/
 *.py[cod]
 *$py.class
 
 
@@ -1 +1,16 @@
-# privacy_and_aug
+# Privacy, DA, and AT
+
+We take one DA method, Cutout, as an example:
+
+Train the 128 shadow models for Cutout:
+
+    python train.py --train --s_model 0 --t_model 128 --aug_type cutout --dataset cifar10
+
+Inference $\phi$ for each data point with multiple queries (Ensure all models trained):
+
+    python inference.py --mode eval --load_model --save_results --dataset cifar10 --query_mode multiple --aug_type cutout
+
+Perform LiRA after all $\phi$ computed (multiple queries):
+
+    python eval_privacy.py --save_results --multi
+
@@ -0,0 +1,37 @@
+import torch
+import torch.nn as nn
+import torch.nn.functional as F
+from torch.utils import data
+
+criterion_kl = nn.KLDivLoss(reduction='sum')
+
+def cal_adv(model, criterion, aug_type, imgs, cids, eps = 8):
+    steps = 3
+    step_size = 1.25 * eps / steps
+    # steps = 20
+    # step_size = 1
+    model.eval()
+    x_natural = imgs
+    x_adv = x_natural.detach() + torch.empty_like(x_natural).uniform_(-eps / 255, eps / 255)
+    if aug_type == "trades" or aug_type == "TradesAWP":
+        logits = model.base_forward(x_natural)
+        for _ in range(steps):
+            x_adv.requires_grad_()
+            with torch.enable_grad():
+                loss_kl = criterion_kl(model(x_adv), F.softmax(logits, dim=1))
+            grad = torch.autograd.grad(loss_kl, [x_adv])[0]
+            x_adv = x_adv.detach() + (step_size / 255) * torch.sign(grad.detach())
+            x_adv = torch.min(torch.max(x_adv, x_natural - eps / 255), x_natural + eps / 255)
+            x_adv = torch.clamp(x_adv, 0.0, 1.0)
+        return x_adv
+    elif aug_type == "pgdat" or aug_type == "AWP":
+        for _ in range(steps):
+            x_adv.requires_grad_()
+            with torch.enable_grad():
+                pred = model(x_adv)
+                loss = criterion(pred, cids)
+            grad = torch.autograd.grad(loss, [x_adv])[0]
+            x_adv = x_adv.detach() + (step_size / 255) * torch.sign(grad.detach())
+            x_adv = torch.min(torch.max(x_adv, x_natural - eps / 255), x_natural + eps / 255)
+            x_adv = torch.clamp(x_adv, 0.0, 1.0)
+    return x_adv
@@ -0,0 +1,19 @@
+{
+    "note": "modified from https://github.com/yigitcankaya/augmentation_mia",
+    "training_num_epochs": 100,
+    "regular_batch_size": 256,
+    "training_augmentations": ["none", "base", "smooth", "disturblabel", "noise", "cutout", "mixup", "jitter", "pgdat", "trades", "distillation", "AWP", "TradesAWP", "dandd"],
+    "augmentation_params": {
+        "distillation": [3, 1, 2, 5, 10],
+        "smooth": [0.2, 0.05, 0.1, 0.01, 0.3, 0.4, 0.5, 0.6, 0.7, 0.8],
+        "disturblabel": [0.05, 0.01, 0.2, 0.1, 0.3, 0.4, 0.425, 0.45, 0.5, 0.525, 0.55, 0.575, 0.6],
+        "noise": [0.01, 0.025, 0.05, 0.075, 0.1, 0.125, 0.15, 0.175, 0.2, 0.225, 0.25, 0.275, 0.3, 0.325, 0.35],
+        "cutout":  [8, 4, 12, 16, 20],
+        "mixup": [0.5, 0.1, 0.25, 1, 2, 4, 8, 16, 32, 64, 128, 256],
+        "jitter": [0.05, 0.1, 0.2, 0.15, 0.25, 0.3, 0.35, 0.4, 0.45, 0.5],
+        "trades": [],
+        "pgdat": [],
+        "AWP": [],
+        "TradesAWP": []
+    }
+}
@@ -0,0 +1,19 @@
+{
+    "note": "modified from https://github.com/yigitcankaya/augmentation_mia",
+    "training_num_epochs": 100,
+    "regular_batch_size": 256,
+    "training_augmentations": ["none", "base", "smooth", "disturblabel", "noise", "cutout", "mixup", "jitter", "pgdat", "trades", "distillation", "AWP", "TradesAWP", "dandd"],
+    "augmentation_params": {
+        "distillation": [3, 1, 2, 5, 10],
+        "smooth": [0.3, 0.2, 0.05, 0.1, 0.01, 0.4, 0.5, 0.6, 0.7, 0.8],
+        "disturblabel": [0.3, 0.05, 0.01, 0.2, 0.1, 0.4, 0.425, 0.45, 0.5, 0.525, 0.55, 0.575, 0.6],
+        "noise": [0.01, 0.025, 0.05, 0.075, 0.1, 0.125, 0.15, 0.175, 0.2, 0.225, 0.25, 0.275, 0.3, 0.325, 0.35],
+        "cutout":  [8, 4, 12, 16, 20],
+        "mixup": [0.5, 0.1, 0.25, 1, 2, 4, 8, 16, 32, 64, 128, 256],
+        "jitter": [0.05, 0.1, 0.2, 0.15, 0.25, 0.3, 0.35, 0.4, 0.45, 0.5],
+        "trades": [],
+        "pgdat": [],
+        "AWP": [],
+        "TradesAWP": []
+    }
+}
@@ -0,0 +1,17 @@
+{
+    "note": "modified from https://github.com/yigitcankaya/augmentation_mia",
+    "training_num_epochs": 50,
+    "regular_batch_size": 256,
+    "training_augmentations": ["none", "base", "smooth", "disturblabel", "noise", "distillation", "01flip"],
+    "augmentation_params": {
+        "distillation": [3, 1, 2, 5, 10],
+        "smooth": [0.05, 0.01, 0.2, 0.1, 0.3, 0.4, 0.5, 0.6, 0.7, 0.8],
+        "disturblabel": [0.05, 0.01, 0.2, 0.1, 0.3, 0.4, 0.425, 0.45, 0.5, 0.525, 0.55, 0.575, 0.6],
+        "noise": [0.35, 0.01, 0.025, 0.05, 0.075, 0.1, 0.125, 0.15, 0.175, 0.2, 0.225, 0.25, 0.275, 0.3, 0.325],
+        "trades": [],
+        "pgdat": [],
+        "AWP": [],
+        "TradesAWP": [],
+        "01flip": [0.1, 0.05, 0.2, 0.01, 0.3]
+    }
+}
@@ -0,0 +1,17 @@
+{
+    "note": "modified from https://github.com/yigitcankaya/augmentation_mia",
+    "training_num_epochs": 50,
+    "regular_batch_size": 256,
+    "training_augmentations": ["none", "base", "smooth", "disturblabel", "noise", "distillation", "01flip"],
+    "augmentation_params": {
+        "distillation": [3, 1, 2, 5, 10],
+        "smooth": [0.05, 0.2, 0.1, 0.01, 0.3, 0.4, 0.5, 0.6, 0.7, 0.8],
+        "disturblabel": [0.2, 0.01, 0.05, 0.1, 0.3, 0.4, 0.425, 0.45, 0.5, 0.525, 0.55, 0.575, 0.6],
+        "noise": [0.01, 0.025, 0.05, 0.075, 0.1, 0.125, 0.15, 0.175, 0.2, 0.225, 0.25, 0.275, 0.3, 0.325, 0.35],
+        "trades": [],
+        "pgdat": [],
+        "AWP": [],
+        "TradesAWP": [],
+        "01flip": [0.01, 0.05, 0.2, 0.1, 0.3]
+    }
+}
@@ -0,0 +1,19 @@
+{
+    "note": "modified from https://github.com/yigitcankaya/augmentation_mia",
+    "training_num_epochs": 100,
+    "regular_batch_size": 256,
+    "training_augmentations": ["none", "base", "smooth", "disturblabel", "noise", "cutout", "mixup", "jitter", "pgdat", "trades", "distillation", "AWP", "TradesAWP"],
+    "augmentation_params": {
+        "distillation": [3, 1, 2, 5, 10],
+        "smooth": [0.2, 0.05, 0.1, 0.01, 0.3, 0.4, 0.5, 0.6, 0.7, 0.8],
+        "disturblabel": [0.05, 0.01, 0.2, 0.1, 0.3, 0.4, 0.425, 0.45, 0.5, 0.525, 0.55, 0.575, 0.6],
+        "noise": [0.01, 0.025, 0.05, 0.075, 0.1, 0.125, 0.15, 0.175, 0.2, 0.225, 0.25, 0.275, 0.3, 0.325, 0.35],
+        "cutout":  [8, 4, 12, 16, 20],
+        "mixup": [0.5, 0.1, 0.25, 1, 2, 4, 8, 16, 32, 64, 128, 256],
+        "jitter": [0.05, 0.1, 0.2, 0.15, 0.25, 0.3, 0.35, 0.4, 0.45, 0.5],
+        "trades": [],
+        "pgdat": [],
+        "AWP": [],
+        "TradesAWP": []
+    }
+}