conda create -n GRAB python=3.9.4
conda activate GRAB
pip install torch==2.0.1+cu118 --index-url
pip install transformers==4.34.1 joblib==1.3.2 numpy==1.26.4 datasets==1.16.1
To run our attack, from the root directory
cd main_attack
Create symbolic link of utils.
ln -s ../utils utils
Run the attack with the following command.
python --device DEVICE --model MODEL --dataset DATASET --batch_size BATCH_SIZE --parallel --run RUN
--device: the device to run experiments on, e.g. cuda:0
--model: the model to be attacked. Only use bert-base-uncased.
--dataset: the dataset for experiments. Only use cola, sst2, or rotten_tomatoes.
--batch_size: the batch size for experiments. Choose from 1 to 32.
--parallel: whether to use parallel computing in discrete optimization.
--run: the number of runs for each experiment. Use first, second, or third.
The results will be saved in results/benchmark/DATASET from the root directory. Make sure you create these folders before running the experiments.
In our experiments, we do not set a fixed random seed and run the experiments three times by changing the parameter between first, second and third.
To evaluate the results, go back to the root directory and run the following command.
python --model MODEL --dataset DATASET --batch_size BATCH_SIZE --setting SETTING
--setting: the setting for evaluation. Only use benchmark here.
As mentioned above, we run the experiments three times. If you only wish to run the experiment once and evaluate the result, you can change line 25 in the evaluation script to keep "first" only.
To run baseline attacks, from the root directory, go to the baselines/lamp folder.
Create the environment and download the required files provided by LAMP.
conda env create -f environment.yml
conda activate lamp
wget -r -np -R "index.html*"
mv* ./
rm -rf
We modify some of the code of the original implementation, such as the datasets loader, to make it compatible with our evaluation.
To run DLG attack, run the following command.
python --baseline --dataset DATASET --split test --loss dlg --n_inputs N_INPUTS -b BATCH_SIZE --lr 0.1 --lr_decay 1 --bert_path MODEL --n_steps 2500 --run RUN
--n_inputs: The number of batches. Our selected datasets have 64 samples. This should be 64/batch_size.
--run: the number of runs for each experiment. Use first, second, or third.
To run the TAG attack, run the following command.
python --baseline --dataset DATASET --split test --loss tag --n_inputs N_INPUTS -b BATCH_SIZE --lr 0.1 --lr_decay 1 --tag_factor 0.01 --bert_path MODEL --n_steps 2500 --run RUN
To run the LAMP_COS attack, run the following command.
python --dataset DATASET --split test --loss cos --n_inputs N_INPUTS -b BATCH_SIZE --coeff_perplexity 0.2 --coeff_reg 1 --lr 0.01 --lr_decay 0.89 --bert_path MODEL --n_steps 2000 --run RUN
To run the LAMP_L1L2 attack, run the following command.
python --dataset DATASET --split test --loss tag --n_inputs N_INPUTS -b BATCH_SIZE --coeff_perplexity 60 --coeff_reg 25 --lr 0.01 --lr_decay 0.89 --tag_factor 0.01 --bert_path MODEL --n_steps 2000 --run RUN
The results will be saved to results/benchmark/METHOD/DATASET from the lamp folder. Make sure you create these folders before running the experiments.
To evaluate the results, go back to the lamp folder and run the following command.
python --model MODEL --dataset DATASET --batch_size BATCH_SIZE --setting SETTING --method
--method: the method being evaluated. Choose from dlg, tag, lamp_cos, and lamp_l1l2.
Similar to our attack, we run the experiments three times. If you only wish to run the experiment once and evaluate the result, you can change line 25 in the evaluation script to keep "first" only.
For more information on the baseline attacks, check out the LAMP repository:
From the root directory, go to the main_attack folder, activate the GRAB environment and run the attack with the following command.
python --device DEVICE --model MODEL --dataset DATASET --batch_size BATCH_SIZE
The results will be saved in results/practical/DATASET from the root directory. Make sure you create these folders before running the experiments.
To evaluate the results, go back to the root directory and run the following command.
python --model MODEL --dataset DATASET --batch_size BATCH_SIZE --setting SETTING
--setting: the setting for evaluation. Only use practical here.
To run our attack without dropout mask learning, from the root directory, go to the main_attack folder, activate the GRAB environment and run the attack with the following command.
python --device DEVICE --model MODEL --dataset DATASET --batch_size BATCH_SIZE
The results will be saved in results/practical_no_DL/DATASET from the root directory. Make sure you create these folders before running the experiments.
To evaluate the results, go back to the root directory and run the following command.
python --model MODEL --dataset DATASET --batch_size BATCH_SIZE --setting SETTING
--setting: the setting for evaluation. Only use practical_no_DL here.
From the root directory, go to the baselines/lamp folder and activate the LAMP environment.
We modify some of the code of the original implementation to turn off the embedding layer learning and activate the dropout to make it compatible with the practical settings.
To run DLG attack, run the following command.
python --baseline --dataset DATASET --split test --loss dlg --n_inputs N_INPUTS -b BATCH_SIZE --lr 0.1 --lr_decay 1 --bert_path MODEL --n_steps 2500 --run RUN
--n_inputs: The number of batches. Our selected datasets have 64 samples. This should be 64/batch_size.
--run: the number of runs for each experiment. Use first, second, or third.
To run the TAG attack, run the following command.
python --baseline --dataset DATASET --split test --loss tag --n_inputs N_INPUTS -b BATCH_SIZE --lr 0.1 --lr_decay 1 --tag_factor 0.01 --bert_path MODEL --n_steps 2500 --run RUN
To run the LAMP_COS attack, run the following command.
python --dataset DATASET --split test --loss cos --n_inputs N_INPUTS -b BATCH_SIZE --coeff_perplexity 0.2 --coeff_reg 1 --lr 0.01 --lr_decay 0.89 --bert_path MODEL --n_steps 2000 --run RUN
To run the LAMP_L1L2 attack, run the following command.
python --dataset DATASET --split test --loss tag --n_inputs N_INPUTS -b BATCH_SIZE --coeff_perplexity 60 --coeff_reg 25 --lr 0.01 --lr_decay 0.89 --tag_factor 0.01 --bert_path MODEL --n_steps 2000 --run RUN
The results will be saved to results/practical/METHOD/DATASET from the lamp folder. Make sure you create these folders before running the experiments.
To evaluate the results, go back to the lamp folder and run the following command.
python --model MODEL --dataset DATASET --batch_size BATCH_SIZE --setting SETTING --method
--setting: the setting for evaluation. Only use practical here.
--method: the method being evaluated. Choose from dlg, tag, lamp_cos, and lamp_l1l2.
Similar to our attack, we run the experiments three times. If you only wish to run the experiment once and evaluate the result, you can change line 25 in the evaluation script to keep "first" only.
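An added helper, not part of the GRAB or LAMP code, that creates every results folder named in the benchmark and practical sections and derives --n_inputs from the batch size. It assumes METHOD in the baseline paths takes the same values as --method, and that a batch size which does not divide 64 should be rejected.

```python
from pathlib import Path

# Values taken from the parameter descriptions on this page.
DATASETS = ("cola", "sst2", "rotten_tomatoes")
METHODS = ("dlg", "tag", "lamp_cos", "lamp_l1l2")  # assumed to match METHOD in paths
GRAB_SETTINGS = ("benchmark", "practical", "practical_no_DL")
BASELINE_SETTINGS = ("benchmark", "practical")
NUM_SAMPLES = 64  # "Our selected datasets have 64 samples."


def n_inputs(batch_size):
    """Value for --n_inputs: 64 / batch_size, with batch_size from 1 to 32."""
    if not 1 <= batch_size <= 32:
        raise ValueError("batch_size must be between 1 and 32")
    if NUM_SAMPLES % batch_size:
        # Assumption: a batch size that does not divide 64 is rejected.
        raise ValueError("batch_size must divide 64")
    return NUM_SAMPLES // batch_size


def result_dirs(repo_root):
    """Every results folder the benchmark and practical sections write to."""
    root = Path(repo_root)
    lamp = root / "baselines" / "lamp"
    dirs = [root / "results" / s / d for s in GRAB_SETTINGS for d in DATASETS]
    dirs += [lamp / "results" / s / m / d
             for s in BASELINE_SETTINGS for m in METHODS for d in DATASETS]
    return dirs


def prepare(repo_root):
    """Create the folders and return the ones that did not exist before."""
    created = []
    for path in result_dirs(repo_root):
        if not path.is_dir():
            path.mkdir(parents=True)
            created.append(path)
    return created


if __name__ == "__main__":
    import tempfile
    # Demonstration in a throwaway directory; pass the repository root instead.
    with tempfile.TemporaryDirectory() as tmp:
        print(len(prepare(tmp)), "folders created;",
              "n_inputs for -b 8 =", n_inputs(8))
```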
For more information on the baseline attacks, check out the LAMP repository:
To run GRAB on bert-tiny, from the root directory, go to the ablation folder, activate the GRAB environment, and run the following commands.
python --run RUN
python --run RUN
The results will be saved in results/ablation/bert_tiny/practical and results/ablation/bert_tiny/practical_no_DL from root directory. Make sure you create these folders before running the experiments.
To run the evaluation, go back to the root directory and run the following command.
python --ablation bert_tiny --setting SETTING --run RUN
--setting: the setting for evaluation. Use either practical or practical_no_DL.
To run GRAB on bert-large, from the root directory, go to the ablation folder, activate the GRAB environment, and run the following commands.
python --run RUN
python --run RUN
The results will be saved in results/ablation/bert_large/practical and results/ablation/bert_large/practical_no_DL from root directory. Make sure you create these folders before running the experiments.
To run the evaluation, go back to the root directory and run the following command.
python --ablation bert_large --setting SETTING --run RUN
--setting: the setting for evaluation. Use either practical or practical_no_DL.
To run GRAB on RoBERTa_base, RoBERTa_tiny, and RoBERTa_large, from the root directory, go to the ablation folder, activate the GRAB environment, and run the following commands.
python --run RUN
python --run RUN
python --run RUN
python --run RUN
python --run RUN
python --run RUN
The results and the evaluation will follow similar patterns. Please refer to previous sections.
To run baselines on bert-tiny and bert-large, from the root directory, go to the baselines/lamp folder, activate the LAMP environment.
To run DLG attack, run the following command.
python --baseline --dataset DATASET --split test --loss dlg --n_inputs N_INPUTS -b BATCH_SIZE --lr 0.1 --lr_decay 1 --bert_path MODEL --n_steps 2500 --run RUN
--bert_path: use huawei-noah/TinyBERT_General_6L_768D here
python --baseline --dataset DATASET --split test --loss dlg --n_inputs N_INPUTS -b BATCH_SIZE --lr 0.1 --lr_decay_type LambdaLR --grad_clip 1.0 --bert_path bert-large-uncased --n_steps 10000 --opt_alg bert-adam --lr_max_it 10000 --run RUN
To run TAG attack, run the following command.
python --baseline --dataset DATASET --split test --loss tag --n_inputs N_INPUTS -b BATCH_SIZE --lr 0.1 --lr_decay 1 --tag_factor 0.01 --bert_path MODEL --n_steps 2500 --run RUN
--bert_path: use huawei-noah/TinyBERT_General_6L_768D here
python --baseline --dataset DATASET --split test --loss tag --n_inputs N_INPUTS -b BATCH_SIZE --tag_factor 0.01 --lr 0.03 --lr_decay_type LambdaLR --grad_clip 1.0 --bert_path bert-large-uncased --n_steps 10000 --opt_alg bert-adam --lr_max_it 10000 --run RUN
To run LAMP_COS attack, run the following command.
python --dataset DATASET --split test --loss cos --n_inputs N_INPUTS -b BATCH_SIZE --coeff_perplexity 0.2 --coeff_reg 1 --lr 0.01 --lr_decay 0.89 --bert_path MODEL --n_steps 2000 --run RUN
--bert_path: use huawei-noah/TinyBERT_General_6L_768D here
python --dataset DATASET --split test --loss cos --n_inputs N_INPUTS -b BATCH_SIZE --swap_burnin 0.1 --swap_every 200 --coeff_perplexity 0.2 --coeff_reg 1 --lr 0.01 --lr_decay_type LambdaLR --grad_clip 0.5 --bert_path bert-large-uncased --n_steps 5000 --opt_alg bert-adam --lr_max_it 10000 --run RUN
To run LAMP_L1L2 attack, run the following command.
python --dataset DATASET --split test --loss tag --n_inputs N_INPUTS -b BATCH_SIZE --coeff_perplexity 60 --coeff_reg 25 --lr 0.01 --lr_decay 0.89 --tag_factor 0.01 --bert_path MODEL --n_steps 2000 --run RUN
--bert_path: use huawei-noah/TinyBERT_General_6L_768D here
python --dataset DATASET --split test --loss tag --n_inputs N_INPUTS -b BATCH_SIZE --swap_burnin 0.1 --swap_every 200 --coeff_perplexity 60 --coeff_reg 25 --tag_factor 0.01 --lr 0.01 --lr_decay_type LambdaLR --grad_clip 0.5 --bert_path bert-large-uncased --n_steps 5000 --opt_alg bert-adam --lr_max_it 10000 --run RUN
The results and the evaluation will follow similar patterns. Please refer to previous sections.
To run GRAB on bert-large and roberta-large with gradient clipping, from the root directory, go to the ablation folder and run the following commands.
python --run RUN
python --run RUN
python --run RUN
python --run RUN
To run baselines, run the commands in the above section on large models but replace the name of the script with
To run GRAB on different dropout rates, from the root directory, go to the ablation folder, activate the GRAB environment, and run the following commands.
python --run RUN --dropout DROPOUT
--dropout: the dropout rate to use. Choose from 0.1 to 0.4.
python --run RUN --dropout DROPOUT
The results and evaluation will follow similar patterns. Please refer to previous sections.
To run baselines on different dropout rates, follow the practical section and run the commands, replace the script name
and pass in the dropout rate with the --dropout parameter.
To run GRAB on relaxed assumptions, from the root directory, go to the ablation folder, activate the GRAB environment, and run the following commands.
python --run RUN
python --run RUN
python --run RUN
To run GRAB with gradient noise, from the root directory, go to the defense folder, activate the GRAB environment, and run the following commands.
python --run RUN --noise NOISE
--noise: the noise level to use. Choose from 0.001 to 0.05.
python --run RUN --noise NOISE
python --run RUN --noise NOISE
python --run RUN --noise NOISE
To run baselines with gradient noise, follow the practical section and run the commands, replace the script name
and pass in the noise level with the --defense_noise parameter.
To run GRAB with gradient pruning, from the root directory, go to the defense folder, activate the GRAB environment, and run the following commands.
python --run RUN --prune PRUNE
--prune: the prune level to use. Choose from 0.75 to 0.99.
python --run RUN --prune PRUNE
python --run RUN --prune PRUNE
python --run RUN --prune PRUNE
To run baselines with gradient pruning, follow the practical section and run the commands, replace the script name with
and pass in the prune level with the --defense_pct_mask parameter.
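What the two defenses in this section do to a shared gradient, as an added example that is not taken from the GRAB or LAMP code. It assumes the noise level is the standard deviation of zero-mean Gaussian noise and the prune level is the fraction of smallest-magnitude entries set to zero; the gradient is a constructed random vector, and the function names are hypothetical.

```python
import math
import random


def add_gaussian_noise(grad, sigma, rng):
    """Noise defense (assumed form): add N(0, sigma^2) to every entry."""
    return [g + rng.gauss(0.0, sigma) for g in grad]


def prune_smallest(grad, ratio):
    """Pruning defense (assumed form): zero the `ratio` fraction of
    entries with the smallest magnitude and keep the rest unchanged."""
    k = round(len(grad) * ratio)
    order = sorted(range(len(grad)), key=lambda i: abs(grad[i]))
    drop = set(order[:k])
    return [0.0 if i in drop else g for i, g in enumerate(grad)]


def cosine(a, b):
    """Cosine similarity between the original and the shared gradient."""
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


def sweep(grad, noise_levels, prune_levels, seed=0):
    """Similarity of the defended gradient to the original, per level."""
    rng = random.Random(seed)
    report = {}
    for sigma in noise_levels:
        report[("noise", sigma)] = cosine(grad, add_gaussian_noise(grad, sigma, rng))
    for ratio in prune_levels:
        report[("prune", ratio)] = cosine(grad, prune_smallest(grad, ratio))
    return report


def constructed_gradient(n=1000, scale=0.01, seed=1):
    """Constructed stand-in for a flattened gradient (not real model data)."""
    rng = random.Random(seed)
    return [rng.gauss(0.0, scale) for _ in range(n)]


if __name__ == "__main__":
    g = constructed_gradient()
    # Levels span the ranges given for --noise and --prune above.
    for key, value in sweep(g, (0.001, 0.01, 0.05), (0.75, 0.9, 0.99)).items():
        print(key, round(value, 3))
```

The similarity figures depend on the scale of the constructed gradient, so they show the direction of the effect at each level, not the numbers a real BERT gradient would give.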