Attribute inference attack and shadow model improvements #2006

Merged

Collaborator

@abigailgold abigailgold commented Jan 26, 2023

Description

Support for categorical non-numeric (i.e. string) features as well as continuous features.

Fixes #1983
Fixes #1543

Type of change

  • Improvement (non-breaking)
  • Bug fix (non-breaking)
  • New feature (non-breaking)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update

Testing

New test cases to check both continuous and string features.

Test Configuration:

  • OS: MacOS 12.6.2 (M1)
  • Python version: 3.9

Checklist

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes

…ributeInferenceBaseline attack

Signed-off-by: abigailt <abigailt@il.ibm.com>
…uteInferenceBaselineTrueLabel

Signed-off-by: abigailt <abigailt@il.ibm.com>
codecov-commenter commented Jan 26, 2023

Codecov Report

Merging #2006 (9e0277a) into dev_1.14.0 (dc64e4c) will increase coverage by 3.22%.
The diff coverage is 89.74%.

@@              Coverage Diff               @@
##           dev_1.14.0    #2006      +/-   ##
==============================================
+ Coverage       82.32%   85.54%   +3.22%     
==============================================
  Files             291      291              
  Lines           25464    25564     +100     
  Branches         4590     4621      +31     
==============================================
+ Hits            20963    21870     +907     
+ Misses           3353     2530     -823     
- Partials         1148     1164      +16     
Impacted Files Coverage Δ
art/estimators/classification/scikitlearn.py 90.66% <ø> (+23.55%) ⬆️
.../attacks/inference/attribute_inference/baseline.py 88.54% <87.93%> (+43.38%) ⬆️
...ference/attribute_inference/true_label_baseline.py 83.18% <87.93%> (+46.93%) ⬆️
...attacks/inference/attribute_inference/black_box.py 84.02% <89.28%> (+45.97%) ⬆️
art/attacks/attack.py 92.59% <100.00%> (+0.59%) ⬆️
...acks/inference/attribute_inference/meminf_based.py 86.48% <100.00%> (+29.52%) ⬆️
...nce/attribute_inference/white_box_decision_tree.py 92.85% <100.00%> (+60.29%) ⬆️
...ute_inference/white_box_lifestyle_decision_tree.py 100.00% <100.00%> (+63.63%) ⬆️
...ks/inference/membership_inference/shadow_models.py 93.96% <100.00%> (+81.03%) ⬆️
art/utils.py 73.41% <100.00%> (+5.69%) ⬆️
... and 24 more

@beat-buesser beat-buesser self-requested a review January 26, 2023 18:41
@beat-buesser beat-buesser self-assigned this Jan 26, 2023
@beat-buesser beat-buesser added the improvement Improve implementation label Jan 26, 2023
@beat-buesser beat-buesser added this to the ART 1.14.0 milestone Jan 26, 2023
@@ -59,9 +59,10 @@ def test_white_box(art_warning, decision_tree_estimator, get_iris_dataset):
art_warning(e)


def test_check_params(art_warning, image_dl_estimator_for_attack):
@pytest.mark.skip_framework("dl_frameworks")
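
Review bot: on `test_check_params`, the signature shown requests the `image_dl_estimator_for_attack` fixture while the marker on the following line skips `dl_frameworks`; if that fixture stays, the parameter checks may not run under any framework. Consider taking the `decision_tree_estimator` fixture that `test_white_box` in the hunk header already uses, so the test still executes on the frameworks that are not skipped.
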
Collaborator

Why do deep learning frameworks get excluded?

Collaborator Author

This attack only works on decision trees (it's a whitebox attack).

@@ -116,9 +116,10 @@ def transform_feature(x):
art_warning(e)


def test_check_params(art_warning, image_dl_estimator_for_attack):
@pytest.mark.skip_framework("dl_frameworks")
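
Review bot: the `@pytest.mark.skip_framework("dl_frameworks")` marker on `test_check_params` has no comment saying why deep learning frameworks are excluded. Add a one-line comment above the marker giving the reason, so the skip is not mistaken for a gap in coverage.
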
Collaborator

Similar to above, why do deep learning frameworks get excluded?

Collaborator Author

This attack only works on decision trees (it's a whitebox attack).

raise ValueError("Attack feature must be either an integer or a slice object.")
if isinstance(self.attack_feature, int) and self.attack_feature < 0:
raise ValueError("Attack feature index must be positive.")
self._check_attack_feature(self.attack_feature)
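
Review bot: the guard `self.attack_feature < 0` accepts index 0, but the message it raises says the index "must be positive". Reword the message to "must be non-negative" so the error text matches the condition being checked.
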
Collaborator

Do all attribute inference attacks have to call self._check_attack_feature? I'm wondering if we should generalize and automate it by moving it to super._check_params.

Collaborator Author

Done.

Collaborator

@beat-buesser beat-buesser left a comment

Hi @abigailgold Looks great, the support for regression models should be very useful. I have added a few questions, what do you think?

Collaborator

@beat-buesser beat-buesser left a comment

Hi @abigailgold Thank you very much! The changes look good to me.

@beat-buesser beat-buesser merged commit e73c1e9 into Trusted-AI:dev_1.14.0 Feb 27, 2023

Successfully merging this pull request may close these issues.

Support categorical (string) features in attribute inference attacks