From abd8912e6ca3201ad2f97b64e6c49e94483149d1 Mon Sep 17 00:00:00 2001 From: Liwei Song Date: Thu, 17 Dec 2020 15:55:46 -0500 Subject: [PATCH] change risk score to membership probability --- .../data_structures.py | 50 +++++++++---------- .../data_structures_test.py | 12 ++--- .../membership_inference_attack.py | 42 ++++++++-------- .../membership_inference_attack_test.py | 8 +-- 4 files changed, 56 insertions(+), 56 deletions(-) diff --git a/tensorflow_privacy/privacy/membership_inference_attack/data_structures.py b/tensorflow_privacy/privacy/membership_inference_attack/data_structures.py index 1415b4e..5eedb06 100644 --- a/tensorflow_privacy/privacy/membership_inference_attack/data_structures.py +++ b/tensorflow_privacy/privacy/membership_inference_attack/data_structures.py @@ -445,35 +445,35 @@ class SingleAttackResult: @dataclass -class SingleRiskScoreResult: - """Results from computing privacy risk scores. - this part shows how to leverage privacy risk score to perform attacks with thresholding on risk score +class SingleMembershipProbabilityResult: + """Results from computing membership probabilities (denoted as privacy risk score in https://arxiv.org/abs/2003.10595). + this part shows how to leverage membership probabilities to perform attacks with thresholding on them. """ # Data slice this result was calculated for. slice_spec: SingleSliceSpec - train_risk_scores: np.ndarray + train_membership_probs: np.ndarray - test_risk_scores: np.ndarray + test_membership_probs: np.ndarray def attack_with_varied_thresholds(self, threshold_list): - """ For each threshold value, we count how many training and test samples with privacy risk scores larger than the threshold + """ For each threshold value, we count how many training and test samples with membership probabilities larger than the threshold and further compute precision and recall values. - We skip the threshold value if it is larger than every sample's privacy risk score. + We skip the threshold value if it is larger than every sample's membership probability. """ fpr, tpr, thresholds = metrics.roc_curve( - np.concatenate((np.ones(len(self.train_risk_scores)), - np.zeros(len(self.test_risk_scores)))), - np.concatenate((self.train_risk_scores, self.test_risk_scores)), + np.concatenate((np.ones(len(self.train_membership_probs)), + np.zeros(len(self.test_membership_probs)))), + np.concatenate((self.train_membership_probs, self.test_membership_probs)), drop_intermediate=False) precision_list = [] recall_list = [] meaningful_threshold_list = [] - max_risk_score = max(self.train_risk_scores.max(), self.test_risk_scores.max()) + max_prob = max(self.train_membership_probs.max(), self.test_membership_probs.max()) for threshold in threshold_list: - if threshold <= max_risk_score: + if threshold <= max_prob: idx = np.argwhere(thresholds>=threshold)[-1][0] meaningful_threshold_list.append(threshold) precision_list.append(tpr[idx]/(tpr[idx]+fpr[idx])) @@ -482,40 +482,40 @@ class SingleRiskScoreResult: return np.array(meaningful_threshold_list), np.array(precision_list), np.array(recall_list) def collect_results(self, threshold_list, return_roc_results=True): - """ The privacy risk score (from 0 to 1) represents each sample's probability of being in the training set. + """ The membership probability (from 0 to 1) represents each sample's probability of being in the training set. Usually, we choose a list of threshold values from 0.5 (uncertain of training or test) to 1 (100% certain of training) to compute corresponding attack precision and recall. """ meaningful_threshold_list, precision_list, recall_list = self.attack_with_varied_thresholds(threshold_list) summary = [] - summary.append('\nPrivacy risk score analysis over slice: \"%s\"' % + summary.append('\nMembership probability analysis over slice: \"%s\"' % str(self.slice_spec)) for i in range(len(meaningful_threshold_list)): - summary.append(' with %.5f as the threshold on privacy risk score, the precision-recall pair is (%.5f, %.5f)' % + summary.append(' with %.4f as the threshold on membership probability, the precision-recall pair is (%.4f, %.4f)' % (meaningful_threshold_list[i], precision_list[i], recall_list[i])) if return_roc_results: fpr, tpr, thresholds = metrics.roc_curve( - np.concatenate((np.ones(len(self.train_risk_scores)), - np.zeros(len(self.test_risk_scores)))), - np.concatenate((self.train_risk_scores, self.test_risk_scores))) + np.concatenate((np.ones(len(self.train_membership_probs)), + np.zeros(len(self.test_membership_probs)))), + np.concatenate((self.train_membership_probs, self.test_membership_probs))) roc_curve = RocCurve(tpr=tpr, fpr=fpr, thresholds=thresholds) - summary.append(' thresholding on privacy risk score achieved an AUC of %.2f' %(roc_curve.get_auc())) - summary.append(' thresholding on privacy risk score achieved an advantage of %.2f' %(roc_curve.get_attacker_advantage())) + summary.append(' thresholding on membership probability achieved an AUC of %.2f' %(roc_curve.get_auc())) + summary.append(' thresholding on membership probability achieved an advantage of %.2f' %(roc_curve.get_attacker_advantage())) return summary @dataclass -class RiskScoreResults: - """Privacy risk score results from multiple data slices. +class MembershipProbabilityResults: + """Membership probability results from multiple data slices. """ - risk_score_results: Iterable[SingleRiskScoreResult] + membership_prob_results: Iterable[SingleMembershipProbabilityResult] def summary(self, threshold_list): - """ return the summary of privacy risk score analysis on all given data slices + """ return the summary of membership probability analysis on all given data slices """ summary = [] - for single_result in self.risk_score_results: + for single_result in self.membership_prob_results: single_summary = single_result.collect_results(threshold_list) summary.extend(single_summary) return '\n'.join(summary) diff --git a/tensorflow_privacy/privacy/membership_inference_attack/data_structures_test.py b/tensorflow_privacy/privacy/membership_inference_attack/data_structures_test.py index d61c5ca..2658ad6 100644 --- a/tensorflow_privacy/privacy/membership_inference_attack/data_structures_test.py +++ b/tensorflow_privacy/privacy/membership_inference_attack/data_structures_test.py @@ -28,7 +28,7 @@ from tensorflow_privacy.privacy.membership_inference_attack.data_structures impo from tensorflow_privacy.privacy.membership_inference_attack.data_structures import PrivacyReportMetadata from tensorflow_privacy.privacy.membership_inference_attack.data_structures import RocCurve from tensorflow_privacy.privacy.membership_inference_attack.data_structures import SingleAttackResult -from tensorflow_privacy.privacy.membership_inference_attack.data_structures import SingleRiskScoreResult +from tensorflow_privacy.privacy.membership_inference_attack.data_structures import SingleMembershipProbabilityResult from tensorflow_privacy.privacy.membership_inference_attack.data_structures import SingleSliceSpec from tensorflow_privacy.privacy.membership_inference_attack.data_structures import SlicingFeature @@ -219,15 +219,15 @@ class SingleAttackResultTest(absltest.TestCase): self.assertEqual(result.get_attacker_advantage(), 0.0) -class SingleRiskScoreResultTest(absltest.TestCase): +class SingleMembershipProbabilityResultTest(absltest.TestCase): - # Only a basic test to check the attack by setting a threshold on risk score. + # Only a basic test to check the attack by setting a threshold on membership probability. def test_attack_with_varied_thresholds(self): - result = SingleRiskScoreResult( + result = SingleMembershipProbabilityResult( slice_spec=SingleSliceSpec(None), - train_risk_scores=np.array([0.91,1,0.92,0.82,0.75]), - test_risk_scores=np.array([0.81,0.7,0.75,0.25,0.3])) + train_membership_probs=np.array([0.91,1,0.92,0.82,0.75]), + test_membership_probs=np.array([0.81,0.7,0.75,0.25,0.3])) self.assertEqual(result.attack_with_varied_thresholds(threshold_list=np.array([0.8,0.7]))[1].tolist(), [0.8,0.625]) self.assertEqual(result.attack_with_varied_thresholds(threshold_list=np.array([0.8,0.7]))[2].tolist(), [0.8,1]) diff --git a/tensorflow_privacy/privacy/membership_inference_attack/membership_inference_attack.py b/tensorflow_privacy/privacy/membership_inference_attack/membership_inference_attack.py index 7b51b81..80e345f 100644 --- a/tensorflow_privacy/privacy/membership_inference_attack/membership_inference_attack.py +++ b/tensorflow_privacy/privacy/membership_inference_attack/membership_inference_attack.py @@ -33,8 +33,8 @@ from tensorflow_privacy.privacy.membership_inference_attack.data_structures impo from tensorflow_privacy.privacy.membership_inference_attack.data_structures import SingleAttackResult from tensorflow_privacy.privacy.membership_inference_attack.data_structures import SingleSliceSpec from tensorflow_privacy.privacy.membership_inference_attack.data_structures import SlicingSpec -from tensorflow_privacy.privacy.membership_inference_attack.data_structures import SingleRiskScoreResult -from tensorflow_privacy.privacy.membership_inference_attack.data_structures import RiskScoreResults +from tensorflow_privacy.privacy.membership_inference_attack.data_structures import SingleMembershipProbabilityResult +from tensorflow_privacy.privacy.membership_inference_attack.data_structures import MembershipProbabilityResults from tensorflow_privacy.privacy.membership_inference_attack.dataset_slicing import get_single_slice_specs from tensorflow_privacy.privacy.membership_inference_attack.dataset_slicing import get_slice @@ -174,18 +174,18 @@ def run_attacks(attack_input: AttackInputData, privacy_report_metadata=privacy_report_metadata) -def _compute_privacy_risk_score(attack_input: AttackInputData, - num_bins: int = 15) -> SingleRiskScoreResult: - """Computes each individual point's likelihood of being a member (https://arxiv.org/abs/2003.10595). +def _compute_membership_probability(attack_input: AttackInputData, + num_bins: int = 15) -> SingleMembershipProbabilityResult: + """Computes each individual point's likelihood of being a member (denoted as privacy risk score in https://arxiv.org/abs/2003.10595). For an individual sample, its privacy risk score is computed as the posterior probability of being in the training set after observing its prediction output by the target machine learning model. Args: - attack_input: input data for compute privacy risk scores + attack_input: input data for compute membership probability num_bins: the number of bins used to compute the training/test histogram Returns: - privacy risk score results + membership probability results """ # If the loss or the entropy is provided, just use it; @@ -219,31 +219,31 @@ def _compute_privacy_risk_score(attack_input: AttackInputData, combined_hist = train_hist+test_hist combined_hist[combined_hist==0] = small_value - privacy_risk_list = train_hist/(combined_hist+0.0) - train_risk_scores = privacy_risk_list[train_hist_indices] - test_risk_scores = privacy_risk_list[test_hist_indices] + membership_prob_list = train_hist/(combined_hist+0.0) + train_membership_probs = membership_prob_list[train_hist_indices] + test_membership_probs = membership_prob_list[test_hist_indices] - return SingleRiskScoreResult(slice_spec=_get_slice_spec(attack_input), - train_risk_scores=train_risk_scores, - test_risk_scores=test_risk_scores) + return SingleMembershipProbabilityResult(slice_spec=_get_slice_spec(attack_input), + train_membership_probs=train_membership_probs, + test_membership_probs=test_membership_probs) -def run_privacy_risk_score_analysis(attack_input: AttackInputData, - slicing_spec: SlicingSpec = None) -> RiskScoreResults: +def run_membership_probability_analysis(attack_input: AttackInputData, + slicing_spec: SlicingSpec = None) -> MembershipProbabilityResults: - """Perform privacy risk score analysis on all given slice types + """Perform membership probability analysis on all given slice types Args: - attack_input: input data for compute privacy risk scores + attack_input: input data for compute membership probabilities slicing_spec: specifies attack_input slices Returns: - the privacy risk score results. + the membership probability results. """ attack_input.validate() - risk_score_results = [] + membership_prob_results = [] if slicing_spec is None: slicing_spec = SlicingSpec(entire_dataset=True) @@ -253,9 +253,9 @@ def run_privacy_risk_score_analysis(attack_input: AttackInputData, input_slice_specs = get_single_slice_specs(slicing_spec, num_classes) for single_slice_spec in input_slice_specs: attack_input_slice = get_slice(attack_input, single_slice_spec) - risk_score_results.append(_compute_privacy_risk_score(attack_input_slice)) + membership_prob_results.append(_compute_membership_probability(attack_input_slice)) - return RiskScoreResults(risk_score_results=risk_score_results) + return MembershipProbabilityResults(membership_prob_results=membership_prob_results) diff --git a/tensorflow_privacy/privacy/membership_inference_attack/membership_inference_attack_test.py b/tensorflow_privacy/privacy/membership_inference_attack/membership_inference_attack_test.py index b996f3d..d08e279 100644 --- a/tensorflow_privacy/privacy/membership_inference_attack/membership_inference_attack_test.py +++ b/tensorflow_privacy/privacy/membership_inference_attack/membership_inference_attack_test.py @@ -100,14 +100,14 @@ class RunAttacksTest(absltest.TestCase): self.assertIsNone(mia._get_accuracy(None, labels)) - def test_run_compute_privacy_risk_score_correct_score(self): - result = mia._compute_privacy_risk_score( + def test_run_compute_membership_probability_correct_probs(self): + result = mia._compute_membership_probability( AttackInputData( loss_train=np.array([1, 1, 1, 10, 100]), loss_test=np.array([10, 100, 100, 1000, 10000]))) - np.testing.assert_almost_equal(result.train_risk_scores, [1,1,1,0.5,0.33], decimal=2) - np.testing.assert_almost_equal(result.test_risk_scores, [0.5,0.33,0.33,0,0], decimal=2) + np.testing.assert_almost_equal(result.train_membership_probs, [1,1,1,0.5,0.33], decimal=2) + np.testing.assert_almost_equal(result.test_membership_probs, [0.5,0.33,0.33,0,0], decimal=2) if __name__ == '__main__':