def test_black_box_one_hot(art_warning, get_iris_dataset):
try:
attack_feature = 2 # petal length
# need to transform attacked feature into categorical
def transform_feature(x):
x[x > 0.5] = 2
x[(x > 0.2) & (x <= 0.5)] = 1
x[x <= 0.2] = 0
(x_train_iris, y_train_iris), (x_test_iris, y_test_iris) = get_iris_dataset
# training data without attacked feature
x_train_for_attack = np.delete(x_train_iris, attack_feature, 1)
# only attacked feature
x_train_feature = x_train_iris[:, attack_feature].copy().reshape(-1, 1)
transform_feature(x_train_feature)
# transform to one-hot encoding
train_one_hot = np.zeros((x_train_feature.size, int(x_train_feature.max()) + 1))
train_one_hot[np.arange(x_train_feature.size), x_train_feature.reshape(1, -1).astype(int)] = 1
# training data with attacked feature (after transformation)
x_train = np.concatenate((x_train_for_attack[:, :attack_feature], train_one_hot), axis=1)
x_train = np.concatenate((x_train, x_train_for_attack[:, attack_feature:]), axis=1)
y_train = np.array([np.argmax(y) for y in y_train_iris]).reshape(-1, 1)
# test data without attacked feature
x_test_for_attack = np.delete(x_test_iris, attack_feature, 1)
# only attacked feature
x_test_feature = x_test_iris[:, attack_feature].copy().reshape(-1, 1)
transform_feature(x_test_feature)
# transform to one-hot encoding
test_one_hot = np.zeros((x_test_feature.size, int(x_test_feature.max()) + 1))
test_one_hot[np.arange(x_test_feature.size), x_test_feature.reshape(1, -1).astype(int)] = 1
# test data with attacked feature (after transformation)
x_test = np.concatenate((x_test_for_attack[:, :attack_feature], test_one_hot), axis=1)
x_test = np.concatenate((x_test, x_test_for_attack[:, attack_feature:]), axis=1)
tree = DecisionTreeClassifier()
tree.fit(x_train, y_train)
classifier = ScikitlearnDecisionTreeClassifier(tree)
attack = AttributeInferenceBlackBox(classifier, attack_feature=slice(attack_feature, attack_feature + 3))
# get original model's predictions
x_train_predictions = np.array([np.argmax(arr) for arr in classifier.predict(x_train)]).reshape(-1, 1)
x_test_predictions = np.array([np.argmax(arr) for arr in classifier.predict(x_test)]).reshape(-1, 1)
# train attack model
attack.fit(x_train)
# infer attacked feature
inferred_train = attack.infer(x_train_for_attack, x_train_predictions)
inferred_test = attack.infer(x_test_for_attack, x_test_predictions)
# check accuracy
train_acc = np.sum(np.all(inferred_train == train_one_hot, axis=1)) / len(inferred_train)
test_acc = np.sum(np.all(inferred_test == test_one_hot, axis=1)) / len(inferred_test)
assert pytest.approx(0.9145, abs=0.03) == train_acc
assert pytest.approx(0.9333, abs=0.03) == test_acc
except ARTTestException as e:
art_warning(e)
def setUpClass(cls):
master_seed(seed=1234)
super().setUpClass()
cls.sklearn_model = DecisionTreeClassifier()
cls.classifier = ScikitlearnDecisionTreeClassifier(model=cls.sklearn_model)
cls.classifier.fit(x=cls.x_train_iris, y=cls.y_train_iris)
def test_black_box_one_hot_float(art_warning, get_iris_dataset):
try:
attack_feature = 2 # petal length
# need to transform attacked feature into categorical
def transform_feature(x):
x[x > 0.5] = 2
x[(x > 0.2) & (x <= 0.5)] = 1
x[x <= 0.2] = 0
(x_train_iris, y_train_iris), (x_test_iris, y_test_iris) = get_iris_dataset
# training data without attacked feature
x_train_for_attack = np.delete(x_train_iris, attack_feature, 1)
# only attacked feature
x_train_feature = x_train_iris[:, attack_feature].copy().reshape(-1, 1)
transform_feature(x_train_feature)
# transform to one-hot encoding
num_columns = int(x_train_feature.max()) + 1
train_one_hot = np.zeros((x_train_feature.size, num_columns))
train_one_hot[np.arange(x_train_feature.size), x_train_feature.reshape(1, -1).astype(int)] = 1
# training data with attacked feature (after transformation)
x_train = np.concatenate((x_train_for_attack[:, :attack_feature], train_one_hot), axis=1)
x_train = np.concatenate((x_train, x_train_for_attack[:, attack_feature:]), axis=1)
y_train = np.array([np.argmax(y) for y in y_train_iris]).reshape(-1, 1)
# test data without attacked feature
x_test_for_attack = np.delete(x_test_iris, attack_feature, 1)
# only attacked feature
x_test_feature = x_test_iris[:, attack_feature].copy().reshape(-1, 1)
transform_feature(x_test_feature)
# transform to one-hot encoding
test_one_hot = np.zeros((x_test_feature.size, int(x_test_feature.max()) + 1))
test_one_hot[np.arange(x_test_feature.size), x_test_feature.reshape(1, -1).astype(int)] = 1
# test data with attacked feature (after transformation)
x_test = np.concatenate((x_test_for_attack[:, :attack_feature], test_one_hot), axis=1)
x_test = np.concatenate((x_test, x_test_for_attack[:, attack_feature:]), axis=1)
# scale before training
scaler = StandardScaler().fit(x_train)
x_test = scaler.transform(x_test).astype(np.float32)
x_train = scaler.transform(x_train).astype(np.float32)
# derive dataset for attack (after scaling)
attack_feature = slice(attack_feature, attack_feature + 3)
x_train_for_attack = np.delete(x_train, attack_feature, 1)
x_test_for_attack = np.delete(x_test, attack_feature, 1)
train_one_hot = x_train[:, attack_feature]
test_one_hot = x_test[:, attack_feature]
tree = DecisionTreeClassifier()
tree.fit(x_train, y_train)
classifier = ScikitlearnDecisionTreeClassifier(tree)
attack = AttributeInferenceBlackBox(classifier, attack_feature=attack_feature)
# get original model's predictions
x_train_predictions = np.array([np.argmax(arr) for arr in classifier.predict(x_train)]).reshape(-1, 1)
x_test_predictions = np.array([np.argmax(arr) for arr in classifier.predict(x_test)]).reshape(-1, 1)
# train attack model
attack.fit(x_train)
# infer attacked feature
values = [[-0.6324555, 1.5811388], [-0.4395245, 2.2751858], [-1.1108746, 0.9001915]]
inferred_train = attack.infer(x_train_for_attack, x_train_predictions, values=values)
inferred_test = attack.infer(x_test_for_attack, x_test_predictions, values=values)
# check accuracy
train_acc = np.sum(
np.all(np.around(inferred_train, decimals=3) == np.around(train_one_hot, decimals=3), axis=1)
) / len(inferred_train)
test_acc = np.sum(
np.all(np.around(inferred_test, decimals=3) == np.around(test_one_hot, decimals=3), axis=1)
) / len(inferred_test)
assert pytest.approx(0.9145, abs=0.03) == train_acc
assert pytest.approx(0.9333, abs=0.03) == test_acc
except ARTTestException as e:
art_warning(e)
def test_black_box_one_hot_float(art_warning, get_iris_dataset):
try:
attack_feature = 2 # petal length
# need to transform attacked feature into categorical
def transform_feature(x):
x[x > 0.5] = 2
x[(x > 0.2) & (x <= 0.5)] = 1
x[x <= 0.2] = 0
(x_train_iris, y_train_iris), (x_test_iris, y_test_iris) = get_iris_dataset
# training data without attacked feature
x_train_for_attack = np.delete(x_train_iris, attack_feature, 1)
# only attacked feature
x_train_feature = x_train_iris[:, attack_feature].copy().reshape(-1, 1)
transform_feature(x_train_feature)
# transform to one-hot encoding
num_columns = int(x_train_feature.max()) + 1
train_one_hot = np.zeros((x_train_feature.size, num_columns))
train_one_hot[np.arange(x_train_feature.size), x_train_feature.reshape(1, -1).astype(int)] = 1
# training data with attacked feature (after transformation)
x_train = np.concatenate((x_train_for_attack[:, :attack_feature], train_one_hot), axis=1)
x_train = np.concatenate((x_train, x_train_for_attack[:, attack_feature:]), axis=1)
y_train = np.array([np.argmax(y) for y in y_train_iris]).reshape(-1, 1)
# test data without attacked feature
x_test_for_attack = np.delete(x_test_iris, attack_feature, 1)
# only attacked feature
x_test_feature = x_test_iris[:, attack_feature].copy().reshape(-1, 1)
transform_feature(x_test_feature)
# transform to one-hot encoding
test_one_hot = np.zeros((x_test_feature.size, int(x_test_feature.max()) + 1))
test_one_hot[np.arange(x_test_feature.size), x_test_feature.reshape(1, -1).astype(int)] = 1
# test data with attacked feature (after transformation)
x_test = np.concatenate((x_test_for_attack[:, :attack_feature], test_one_hot), axis=1)
x_test = np.concatenate((x_test, x_test_for_attack[:, attack_feature:]), axis=1)
# scale before training
scaler = StandardScaler().fit(x_train)
x_test = scaler.transform(x_test).astype(np.float32)
x_train = scaler.transform(x_train).astype(np.float32)
# derive dataset for attack (after scaling)
attack_feature = slice(attack_feature, attack_feature + 3)
x_train_for_attack = np.delete(x_train, attack_feature, 1)
x_test_for_attack = np.delete(x_test, attack_feature, 1)
train_one_hot = x_train[:, attack_feature]
test_one_hot = x_test[:, attack_feature]
tree = DecisionTreeClassifier()
tree.fit(x_train, y_train)
classifier = ScikitlearnDecisionTreeClassifier(tree)
meminf_attack = MembershipInferenceBlackBox(classifier, attack_model_type="nn")
attack_train_ratio = 0.5
attack_train_size = int(len(x_train) * attack_train_ratio)
attack_test_size = int(len(x_test) * attack_train_ratio)
meminf_attack.fit(
x_train[:attack_train_size],
y_train_iris[:attack_train_size],
x_test[:attack_test_size],
y_test_iris[:attack_test_size],
)
attack = AttributeInferenceMembership(classifier, meminf_attack, attack_feature=attack_feature)
# infer attacked feature
values = [[-0.559017, 1.7888544], [-0.47003216, 2.127514], [-1.1774395, 0.84930056]]
inferred_train = attack.infer(x_train_for_attack, y_train_iris, values=values)
inferred_test = attack.infer(x_test_for_attack, y_test_iris, values=values)
# check accuracy
train_acc = np.sum(
np.all(np.around(inferred_train, decimals=3) == np.around(train_one_hot, decimals=3), axis=1)
) / len(inferred_train)
test_acc = np.sum(
np.all(np.around(inferred_test, decimals=3) == np.around(test_one_hot, decimals=3), axis=1)
) / len(inferred_test)
assert 0.1 <= train_acc
assert 0.1 <= test_acc
except ARTTestException as e:
art_warning(e)
def test_type(self):
self.assertIsInstance(
self.classifier, type(SklearnClassifier(model=self.sklearn_model)))
with self.assertRaises(TypeError):
ScikitlearnDecisionTreeClassifier(model="sklearn_model")