In this tutorial we will learn to do the following:
To train a model with Opacus there are three privacy-specific hyper-parameters that must be tuned for better performance:
We use the hyper-parameter values below to obtain results in the last section:
MAX_GRAD_NORM = 1.2
EPSILON = 50.0
DELTA = 1e-5
EPOCHS = 20
LR = 1e-3
NUM_WORKERS = 2
There's another constraint we should be mindful of—memory. To balance peak memory requirement, which is proportional to batch_size^2, and training performance, we use virtual batches. With virtual batches we can separate physical steps (gradient computation) and logical steps (noise addition and parameter updates): use larger batches for training, while keeping memory footprint low. Below we will specify two constants:
BATCH_SIZE = 128
VIRTUAL_BATCH_SIZE = 512
assert VIRTUAL_BATCH_SIZE % BATCH_SIZE == 0 # VIRTUAL_BATCH_SIZE should be divisible by BATCH_SIZE
N_ACCUMULATION_STEPS = int(VIRTUAL_BATCH_SIZE / BATCH_SIZE)
Now, let's load the CIFAR10 dataset. We don't use data augmentation here because, in our experiments, we found that data augmentation lowers utility when training with DP.
import torch
import torchvision
import torchvision.transforms as transforms
# These values, specific to the CIFAR10 dataset, are assumed to be known.
# If necessary, they can be computed with modest privacy budget.
CIFAR10_MEAN = (0.4914, 0.4822, 0.4465)
CIFAR10_STD_DEV = (0.2023, 0.1994, 0.2010)
transform = transforms.Compose([
transforms.ToTensor(),
transforms.Normalize(CIFAR10_MEAN, CIFAR10_STD_DEV),
])
Using torchvision datasets, we can load CIFAR10 and transform the PILImage images to Tensors of normalized range [-1, 1]
from torchvision.datasets import CIFAR10
from opacus.utils.uniform_sampler import UniformWithReplacementSampler
DATA_ROOT = '../cifar10'
train_dataset = CIFAR10(
root=DATA_ROOT, train=True, download=True, transform=transform)
SAMPLE_RATE = BATCH_SIZE / len(train_dataset)
train_loader = torch.utils.data.DataLoader(
train_dataset,
num_workers=NUM_WORKERS,
batch_sampler=UniformWithReplacementSampler(
num_samples=len(train_dataset),
sample_rate=SAMPLE_RATE,
),
)
test_dataset = CIFAR10(
root=DATA_ROOT, train=False, download=True, transform=transform)
test_loader = torch.utils.data.DataLoader(
test_dataset,
batch_size=BATCH_SIZE,
shuffle=False,
num_workers=NUM_WORKERS,
)
from torchvision import models
model = models.resnet18(num_classes=10)
Now, let’s check if the model is compatible with Opacus. Opacus does not support all type of Pytorch layers. To check if your model is compatible with the privacy engine, we have provided a util class to validate your model.
If you run these commands, you will get the following error:
from opacus.dp_model_inspector import DPModelInspector
inspector = DPModelInspector()
inspector.validate(model)
--------------------------------------------------------------------------- IncompatibleModuleException Traceback (most recent call last) <ipython-input-11-c3648acc319a> in <module> 2 3 inspector = DPModelInspector() ----> 4 inspector.validate(model) /mnt/xarfuse/uid-179429/a7a74ae2-seed-nspid4026531836-ns-4026531840/opacus/dp_model_inspector.py in validate(self, model) 115 if inspector.violators: 116 message += f"\n{inspector.message}: {inspector.violators}" --> 117 raise IncompatibleModuleException(message) 118 return valid 119 IncompatibleModuleException: Model contains incompatible modules. Some modules are not valid.: ['Main.bn1', 'Main.layer1.0.bn1', 'Main.layer1.0.bn2', 'Main.layer1.1.bn1', 'Main.layer1.1.bn2', 'Main.layer2.0.bn1', 'Main.layer2.0.bn2', 'Main.layer2.0.downsample.1', 'Main.layer2.1.bn1', 'Main.layer2.1.bn2', 'Main.layer3.0.bn1', 'Main.layer3.0.bn2', 'Main.layer3.0.downsample.1', 'Main.layer3.1.bn1', 'Main.layer3.1.bn2', 'Main.layer4.0.bn1', 'Main.layer4.0.bn2', 'Main.layer4.0.downsample.1', 'Main.layer4.1.bn1', 'Main.layer4.1.bn2']
Let us modify the model to work with Opacus. From the output above, you can see that the BatchNorm layers are not supported because they compute the mean and variance across the batch, creating a dependency between samples in a batch, a privacy violation. One way to modify our model is to replace all the BatchNorm layers with GroupNorm using the convert_batchnorm_modules util function.
from opacus.dp_model_inspector import DPModelInspector
from opacus.utils import module_modification
model = module_modification.convert_batchnorm_modules(model)
inspector = DPModelInspector()
print(f"Is the model valid? {inspector.validate(model)}")
Is the model valid? True
For maximal speed, we can check if CUDA is available and supported by the PyTorch installation. If GPU is available, set the device variable to your CUDA-compatible device. We can then transfer the neural network onto that device.
device = torch.device("cuda" if torch.cuda.is_available() else "cpu")
model = model.to(device)
We then define our optimizer and loss function. Opacus’ privacy engine can attach to any (first-order) optimizer. You can use your favorite—Adam, Adagrad, RMSprop—as long as it has an implementation derived from torch.optim.Optimizer. In this tutorial, we're going to use RMSprop.
import torch.nn as nn
import torch.optim as optim
criterion = nn.CrossEntropyLoss()
optimizer = optim.RMSprop(model.parameters(), lr=LR)
We will define a util function to calculate accuracy
def accuracy(preds, labels):
return (preds == labels).mean()
We now attach the privacy engine initialized with the privacy hyperparameters defined earlier.
from opacus import PrivacyEngine
privacy_engine = PrivacyEngine(
model,
sample_rate=SAMPLE_RATE * N_ACCUMULATION_STEPS,
epochs = EPOCHS,
target_epsilon = EPSILON,
target_delta = DELTA,
max_grad_norm=MAX_GRAD_NORM,
)
privacy_engine.attach(optimizer)
print(f"Using sigma={privacy_engine.noise_multiplier} and C={MAX_GRAD_NORM}")
Using sigma=0.39066894531249996 and C=1.2
We will then define our train function. This function will train the model for one epoch.
import numpy as np
def train(model, train_loader, optimizer, epoch, device):
model.train()
criterion = nn.CrossEntropyLoss()
losses = []
top1_acc = []
for i, (images, target) in enumerate(train_loader):
images = images.to(device)
target = target.to(device)
# compute output
output = model(images)
loss = criterion(output, target)
preds = np.argmax(output.detach().cpu().numpy(), axis=1)
labels = target.detach().cpu().numpy()
# measure accuracy and record loss
acc = accuracy(preds, labels)
losses.append(loss.item())
top1_acc.append(acc)
loss.backward()
# take a real optimizer step after N_VIRTUAL_STEP steps t
if ((i + 1) % N_ACCUMULATION_STEPS == 0) or ((i + 1) == len(train_loader)):
optimizer.step()
else:
optimizer.virtual_step() # take a virtual step
if i % 200 == 0:
epsilon, best_alpha = optimizer.privacy_engine.get_privacy_spent(DELTA)
print(
f"\tTrain Epoch: {epoch} \t"
f"Loss: {np.mean(losses):.6f} "
f"[email protected]: {np.mean(top1_acc) * 100:.6f} "
f"(ε = {epsilon:.2f}, δ = {DELTA})"
)
Next, we will define our test function to validate our model on our test dataset.
def test(model, test_loader, device):
model.eval()
criterion = nn.CrossEntropyLoss()
losses = []
top1_acc = []
with torch.no_grad():
for images, target in test_loader:
images = images.to(device)
target = target.to(device)
output = model(images)
loss = criterion(output, target)
preds = np.argmax(output.detach().cpu().numpy(), axis=1)
labels = target.detach().cpu().numpy()
acc = accuracy(preds, labels)
losses.append(loss.item())
top1_acc.append(acc)
top1_avg = np.mean(top1_acc)
print(
f"\tTest set:"
f"Loss: {np.mean(losses):.6f} "
f"Acc: {top1_avg * 100:.6f} "
)
return np.mean(top1_acc)
from tqdm import tqdm
for epoch in tqdm(range(EPOCHS), desc="Epoch", unit="epoch"):
train(model, train_loader, optimizer, epoch + 1, device)
Train Epoch: 1 Loss: 2.466799 [email protected]: 6.015038 (ε = 0.19, δ = 1e-05) Train Epoch: 1 Loss: 2.756456 [email protected]: 15.440945 (ε = 15.05, δ = 1e-05) Train Epoch: 2 Loss: 1.833895 [email protected]: 32.743363 (ε = 17.42, δ = 1e-05) Train Epoch: 2 Loss: 1.761252 [email protected]: 39.067485 (ε = 19.25, δ = 1e-05) Train Epoch: 3 Loss: 1.695080 [email protected]: 39.837398 (ε = 20.83, δ = 1e-05) Train Epoch: 3 Loss: 1.720105 [email protected]: 45.711227 (ε = 22.30, δ = 1e-05) Train Epoch: 4 Loss: 1.819673 [email protected]: 47.500000 (ε = 23.44, δ = 1e-05) Train Epoch: 4 Loss: 1.718392 [email protected]: 49.307456 (ε = 24.63, δ = 1e-05) Train Epoch: 5 Loss: 1.500666 [email protected]: 54.263566 (ε = 25.77, δ = 1e-05) Train Epoch: 5 Loss: 1.696978 [email protected]: 51.634321 (ε = 26.96, δ = 1e-05) Train Epoch: 6 Loss: 1.613977 [email protected]: 55.102041 (ε = 27.92, δ = 1e-05) Train Epoch: 6 Loss: 1.673508 [email protected]: 53.700716 (ε = 28.81, δ = 1e-05) Train Epoch: 7 Loss: 1.732500 [email protected]: 54.961832 (ε = 29.67, δ = 1e-05) Train Epoch: 7 Loss: 1.653139 [email protected]: 55.314249 (ε = 30.56, δ = 1e-05) Train Epoch: 8 Loss: 2.000197 [email protected]: 45.378151 (ε = 31.42, δ = 1e-05) Train Epoch: 8 Loss: 1.660172 [email protected]: 56.365417 (ε = 32.31, δ = 1e-05) Train Epoch: 9 Loss: 1.739170 [email protected]: 53.435115 (ε = 33.16, δ = 1e-05) Train Epoch: 9 Loss: 1.660854 [email protected]: 57.160337 (ε = 34.05, δ = 1e-05) Train Epoch: 10 Loss: 1.821048 [email protected]: 61.538462 (ε = 34.91, δ = 1e-05) Train Epoch: 10 Loss: 1.671403 [email protected]: 57.878141 (ε = 35.80, δ = 1e-05) Train Epoch: 11 Loss: 1.829778 [email protected]: 56.363636 (ε = 36.48, δ = 1e-05) Train Epoch: 11 Loss: 1.653203 [email protected]: 59.206898 (ε = 37.16, δ = 1e-05) Train Epoch: 12 Loss: 1.198817 [email protected]: 69.285714 (ε = 37.82, δ = 1e-05) Train Epoch: 12 Loss: 1.612061 [email protected]: 60.019966 (ε = 38.51, δ = 1e-05) Train Epoch: 13 Loss: 1.815248 [email protected]: 59.440559 (ε = 39.17, δ = 1e-05) Train Epoch: 13 Loss: 1.624833 [email protected]: 60.071468 (ε = 39.85, δ = 1e-05) Train Epoch: 14 Loss: 1.390235 [email protected]: 64.925373 (ε = 40.51, δ = 1e-05) Train Epoch: 14 Loss: 1.608195 [email protected]: 60.789435 (ε = 41.20, δ = 1e-05) Train Epoch: 15 Loss: 1.818439 [email protected]: 59.854015 (ε = 41.86, δ = 1e-05) Train Epoch: 15 Loss: 1.573655 [email protected]: 61.606028 (ε = 42.55, δ = 1e-05) Train Epoch: 16 Loss: 2.107299 [email protected]: 50.393701 (ε = 43.20, δ = 1e-05) Train Epoch: 16 Loss: 1.567964 [email protected]: 62.248880 (ε = 43.89, δ = 1e-05) Train Epoch: 17 Loss: 1.558405 [email protected]: 67.832168 (ε = 44.55, δ = 1e-05) Train Epoch: 17 Loss: 1.582644 [email protected]: 62.352727 (ε = 45.24, δ = 1e-05) Train Epoch: 18 Loss: 1.352990 [email protected]: 65.693431 (ε = 45.89, δ = 1e-05) Train Epoch: 18 Loss: 1.566869 [email protected]: 62.675304 (ε = 46.58, δ = 1e-05) Train Epoch: 19 Loss: 1.534263 [email protected]: 62.295082 (ε = 47.24, δ = 1e-05) Train Epoch: 19 Loss: 1.555477 [email protected]: 63.490872 (ε = 47.93, δ = 1e-05) Train Epoch: 20 Loss: 1.671935 [email protected]: 57.142857 (ε = 48.58, δ = 1e-05) Train Epoch: 20 Loss: 1.552867 [email protected]: 63.719261 (ε = 49.27, δ = 1e-05)
top1_acc = test(model, test_loader, device)
Test set:Loss: 1.804842 Acc: 59.246440
Now let us compare how our private model compares with the non-private ResNet18.
We trained a non-private ResNet18 model for 20 epochs using the same hyper-parameters as above and with BatchNorm replaced with GroupNorm. The results of that training and the training that is discussed in this tutorial are summarized in the table below:
| Model | Top 1 Accuracy (%) | ϵ |
|---|---|---|
| ResNet | 76 | ∞ |
| Private ResNet | 56.61 | 53.54 |