def run_attack_on_keras_model(
model, in_train, out_train,
slicing_spec: SlicingSpec = None,
attack_types: Iterable[AttackType] = (AttackType.THRESHOLD_ATTACK,)):
"""Performs the attack on a trained model.
Args:
model: model to be tested
in_train: a (in_training samples, in_training labels) tuple
out_train: a (out_training samples, out_training labels) tuple
slicing_spec: slicing specification of the attack
attack_types: a list of attacks, each of type AttackType
Returns:
Results of the attack
"""
in_train_data, in_train_labels = in_train
out_train_data, out_train_labels = out_train
# Compute predictions and losses
in_train_pred, in_train_loss = calculate_losses(model, in_train_data,
in_train_labels)
out_train_pred, out_train_loss = calculate_losses(model, out_train_data,
out_train_labels)
attack_input = AttackInputData(
logits_train=in_train_pred, logits_test=out_train_pred,
labels_train=in_train_labels, labels_test=out_train_labels,
loss_train=in_train_loss, loss_test=out_train_loss
)
results = mia.run_attacks(attack_input,
slicing_spec=slicing_spec,
attack_types=attack_types)
return results
def test_run_attack_by_slice(self):
result = mia.run_attacks(
get_test_input(100, 100), SlicingSpec(by_class=True),
(AttackType.THRESHOLD_ATTACK,))
self.assertLen(result.single_attack_results, 6)
expected_slice = SingleSliceSpec(SlicingFeature.CLASS, 2)
self.assertEqual(result.single_attack_results[3].slice_spec, expected_slice)
def test_run_attack_data_size(self):
result = mia.run_attacks(
get_test_input(100, 80), SlicingSpec(by_class=True),
(AttackType.THRESHOLD_ATTACK,))
self.assertEqual(result.single_attack_results[0].data_size,
DataSize(ntrain=100, ntest=80))
self.assertEqual(result.single_attack_results[3].data_size,
DataSize(ntrain=20, ntest=16))
def run_attack_helper(
estimator,
in_train_input_fn,
out_train_input_fn,
in_train_labels,
out_train_labels,
slicing_spec: SlicingSpec = None,
attack_types: Iterable[AttackType] = (AttackType.THRESHOLD_ATTACK, )):
"""A helper function to perform attack.
Args:
estimator: model to be tested
in_train_input_fn: input_fn for in training data
out_train_input_fn: input_fn for out of training data
in_train_labels: in training labels
out_train_labels: out of training labels
slicing_spec: slicing specification of the attack
attack_types: a list of attacks, each of type AttackType
Returns:
Results of the attack
"""
# Compute predictions and losses
in_train_pred, in_train_loss = calculate_losses(estimator,
in_train_input_fn,
in_train_labels)
out_train_pred, out_train_loss = calculate_losses(estimator,
out_train_input_fn,
out_train_labels)
attack_input = AttackInputData(logits_train=in_train_pred,
logits_test=out_train_pred,
labels_train=in_train_labels,
labels_test=out_train_labels,
loss_train=in_train_loss,
loss_test=out_train_loss)
results = mia.run_attacks(attack_input,
slicing_spec=slicing_spec,
attack_types=attack_types)
return results
def test_run_attacks_size(self):
result = mia.run_attacks(
get_test_input(100, 100), SlicingSpec(),
(AttackType.THRESHOLD_ATTACK, AttackType.LOGISTIC_REGRESSION))
self.assertLen(result.single_attack_results, 2)
def main(unused_argv):
epoch_results = AttackResultsCollection([])
num_epochs = 2
models = {
"two layer model": two_layer_model,
"three layer model": three_layer_model,
}
for model_name in models:
# Incrementally train the model and store privacy metrics every num_epochs.
for i in range(1, 6):
models[model_name].fit(
training_features,
to_categorical(training_labels, num_clusters),
validation_data=(test_features,
to_categorical(test_labels, num_clusters)),
batch_size=64,
epochs=num_epochs,
shuffle=True)
training_pred = models[model_name].predict(training_features)
test_pred = models[model_name].predict(test_features)
# Add metadata to generate a privacy report.
privacy_report_metadata = PrivacyReportMetadata(
accuracy_train=metrics.accuracy_score(
training_labels, np.argmax(training_pred, axis=1)),
accuracy_test=metrics.accuracy_score(
test_labels, np.argmax(test_pred, axis=1)),
epoch_num=num_epochs * i,
model_variant_label=model_name)
attack_results = mia.run_attacks(
AttackInputData(labels_train=training_labels,
labels_test=test_labels,
probs_train=training_pred,
probs_test=test_pred,
loss_train=crossentropy(
training_labels, training_pred),
loss_test=crossentropy(test_labels,
test_pred)),
SlicingSpec(entire_dataset=True, by_class=True),
attack_types=(AttackType.THRESHOLD_ATTACK,
AttackType.LOGISTIC_REGRESSION),
privacy_report_metadata=privacy_report_metadata)
epoch_results.append(attack_results)
# Generate privacy reports
epoch_figure = privacy_report.plot_by_epochs(
epoch_results, [PrivacyMetric.ATTACKER_ADVANTAGE, PrivacyMetric.AUC])
epoch_figure.show()
privacy_utility_figure = privacy_report.plot_privacy_vs_accuracy_single_model(
epoch_results, [PrivacyMetric.ATTACKER_ADVANTAGE, PrivacyMetric.AUC])
privacy_utility_figure.show()
# Example of saving the results to the file and loading them back.
with tempfile.TemporaryDirectory() as tmpdirname:
filepath = os.path.join(tmpdirname, "results.pickle")
attack_results.save(filepath)
loaded_results = AttackResults.load(filepath)
print(loaded_results.summary(by_slices=False))
# Print attack metrics
for attack_result in attack_results.single_attack_results:
print("Slice: %s" % attack_result.slice_spec)
print("Attack type: %s" % attack_result.attack_type)
print("AUC: %.2f" % attack_result.roc_curve.get_auc())
print("Attacker advantage: %.2f\n" %
attack_result.roc_curve.get_attacker_advantage())
max_auc_attacker = attack_results.get_result_with_max_auc()
print("Attack type with max AUC: %s, AUC of %.2f" %
(max_auc_attacker.attack_type, max_auc_attacker.roc_curve.get_auc()))
max_advantage_attacker = attack_results.get_result_with_max_attacker_advantage(
)
print("Attack type with max advantage: %s, Attacker advantage of %.2f" %
(max_advantage_attacker.attack_type,
max_advantage_attacker.roc_curve.get_attacker_advantage()))
# Print summary
print("Summary without slices: \n")
print(attack_results.summary(by_slices=False))
print("Summary by slices: \n")
print(attack_results.summary(by_slices=True))
# Print pandas data frame
print("Pandas frame: \n")
pd.set_option("display.max_rows", None, "display.max_columns", None)
print(attack_results.calculate_pd_dataframe())
# Example of ROC curve plotting.
figure = plotting.plot_roc_curve(
attack_results.single_attack_results[0].roc_curve)
figure.show()
plt.show()
def test_trained_attacks_logits_only_size(self):
result = mia.run_attacks(get_test_input_logits_only(100, 100),
SlicingSpec(),
(AttackType.LOGISTIC_REGRESSION, ))
self.assertLen(result.single_attack_results, 1)
# Add metadata to generate a privacy report.
privacy_report_metadata = PrivacyReportMetadata(
accuracy_train=metrics.accuracy_score(
training_labels, np.argmax(training_pred, axis=1)),
accuracy_test=metrics.accuracy_score(test_labels,
np.argmax(test_pred, axis=1)),
epoch_num=num_epochs * i,
model_variant_label=model_name)
attack_results = mia.run_attacks(
AttackInputData(labels_train=training_labels,
labels_test=test_labels,
probs_train=training_pred,
probs_test=test_pred,
loss_train=crossentropy(training_labels,
training_pred),
loss_test=crossentropy(test_labels, test_pred)),
SlicingSpec(entire_dataset=True, by_class=True),
attack_types=(AttackType.THRESHOLD_ATTACK,
AttackType.LOGISTIC_REGRESSION),
privacy_report_metadata=privacy_report_metadata)
epoch_results.append(attack_results)
# Generate privacy reports
epoch_figure = privacy_report.plot_by_epochs(
epoch_results, [PrivacyMetric.ATTACKER_ADVANTAGE, PrivacyMetric.AUC])
epoch_figure.show()
privacy_utility_figure = privacy_report.plot_privacy_vs_accuracy_single_model(
epoch_results, [PrivacyMetric.ATTACKER_ADVANTAGE, PrivacyMetric.AUC])
privacy_utility_figure.show()