Adds Privacy Report metadata to AttackResults.

PiperOrigin-RevId: 329871255
2020-09-03 01:04:49 -07:00 · 2020-09-03 01:04:49 -07:00 · 2f0a078dd9
commit 2f0a078dd9
parent 8d89ef0a4b
4 changed files with 72 additions and 9 deletions
--- a/tensorflow_privacy/privacy/membership_inference_attack/data_structures.py
+++ b/tensorflow_privacy/privacy/membership_inference_attack/data_structures.py
@ -308,10 +308,6 @@ class SingleAttackResult:
  attack_type: AttackType
  roc_curve: RocCurve  # for drawing and metrics calculation
  # TODO(b/162693190): Add more metrics. Think which info we should store
  #  to derive metrics like f1_score or accuracy. Should we store labels and
  #  predictions, or rather some aggregate data?
  def get_attacker_advantage(self):
    return self.roc_curve.get_attacker_advantage()
@ -329,12 +325,26 @@ class SingleAttackResult:
    ])
@dataclass
 class PrivacyReportMetadata:
  """Metadata about the evaluated model.
  Used to create a privacy report based on AttackResults.
  """
  accuracy_train: float = None
  accuracy_test: float = None
  loss_train: float = None
  loss_test: float = None
@dataclass
 class AttackResults:
  """Results from running multiple attacks."""
  # add metadata, such as parameters of attack evaluation, input data etc
  single_attack_results: Iterable[SingleAttackResult]
  privacy_report_metadata: PrivacyReportMetadata = None
  def calculate_pd_dataframe(self):
    """Returns all metrics as a Pandas DataFrame."""
    slice_features = []
--- a/tensorflow_privacy/privacy/membership_inference_attack/example.py
+++ b/tensorflow_privacy/privacy/membership_inference_attack/example.py
@ -23,6 +23,7 @@ import tempfile
 import matplotlib.pyplot as plt
 import numpy as np
 import pandas as pd
 from sklearn import metrics
 from tensorflow import keras
 from tensorflow.keras import layers
 from tensorflow.keras.utils import to_categorical
@ -30,6 +31,8 @@ from tensorflow_privacy.privacy.membership_inference_attack import membership_in
 from tensorflow_privacy.privacy.membership_inference_attack.data_structures import AttackInputData
 from tensorflow_privacy.privacy.membership_inference_attack.data_structures import AttackResults
 from tensorflow_privacy.privacy.membership_inference_attack.data_structures import AttackType
 from tensorflow_privacy.privacy.membership_inference_attack.data_structures import \
  PrivacyReportMetadata
 from tensorflow_privacy.privacy.membership_inference_attack.data_structures import SlicingSpec
 import tensorflow_privacy.privacy.membership_inference_attack.plotting as plotting
@ -112,6 +115,13 @@ def crossentropy(true_labels, predictions):
          keras.backend.variable(predictions)))
 # Add metadata to generate a privacy report.
 privacy_report_metadata = PrivacyReportMetadata(
    accuracy_train=metrics.accuracy_score(training_labels,
                                          np.argmax(training_pred, axis=1)),
    accuracy_test=metrics.accuracy_score(test_labels,
                                         np.argmax(test_pred, axis=1)))
 attack_results = mia.run_attacks(
    AttackInputData(
        labels_train=training_labels,
@ -121,7 +131,8 @@ attack_results = mia.run_attacks(
        loss_train=crossentropy(training_labels, training_pred),
        loss_test=crossentropy(test_labels, test_pred)),
    SlicingSpec(entire_dataset=True, by_class=True),
-    attack_types=(AttackType.THRESHOLD_ATTACK, AttackType.LOGISTIC_REGRESSION))
+    attack_types=(AttackType.THRESHOLD_ATTACK, AttackType.LOGISTIC_REGRESSION),
    privacy_report_metadata=None)
 # Example of saving the results to the file and loading them back.
 with tempfile.TemporaryDirectory() as tmpdirname:
--- a/tensorflow_privacy/privacy/membership_inference_attack/membership_inference_attack_new.py
+++ b/tensorflow_privacy/privacy/membership_inference_attack/membership_inference_attack_new.py
@ -27,6 +27,8 @@ from tensorflow_privacy.privacy.membership_inference_attack import models
 from tensorflow_privacy.privacy.membership_inference_attack.data_structures import AttackInputData
 from tensorflow_privacy.privacy.membership_inference_attack.data_structures import AttackResults
 from tensorflow_privacy.privacy.membership_inference_attack.data_structures import AttackType
 from tensorflow_privacy.privacy.membership_inference_attack.data_structures import \
  PrivacyReportMetadata
 from tensorflow_privacy.privacy.membership_inference_attack.data_structures import RocCurve
 from tensorflow_privacy.privacy.membership_inference_attack.data_structures import SingleAttackResult
 from tensorflow_privacy.privacy.membership_inference_attack.data_structures import SingleSliceSpec
@ -103,8 +105,8 @@ def run_attack(attack_input: AttackInputData, attack_type: AttackType):
 def run_attacks(
    attack_input: AttackInputData,
    slicing_spec: SlicingSpec = None,
-    attack_types: Iterable[AttackType] = (AttackType.THRESHOLD_ATTACK,)
+    attack_types: Iterable[AttackType] = (AttackType.THRESHOLD_ATTACK,),
-) -> AttackResults:
+    privacy_report_metadata: PrivacyReportMetadata = None) -> AttackResults:
  """Run all attacks."""
  attack_input.validate()
  attack_results = []
@ -118,4 +120,35 @@ def run_attacks(
    for attack_type in attack_types:
      attack_results.append(run_attack(attack_input_slice, attack_type))
-  return AttackResults(single_attack_results=attack_results)
+  privacy_report_metadata = _compute_missing_privacy_report_metadata(
      privacy_report_metadata, attack_input)
  return AttackResults(
      single_attack_results=attack_results,
      privacy_report_metadata=privacy_report_metadata)
 def _compute_missing_privacy_report_metadata(
    metadata: PrivacyReportMetadata,
    attack_input: AttackInputData) -> PrivacyReportMetadata:
  """Populates metadata fields if they are missing."""
  if metadata is None:
    metadata = PrivacyReportMetadata()
  if metadata.accuracy_train is None:
    metadata.accuracy_train = _get_accuracy(attack_input.logits_train,
                                            attack_input.labels_train)
  if metadata.accuracy_test is None:
    metadata.accuracy_test = _get_accuracy(attack_input.logits_test,
                                           attack_input.labels_test)
  if metadata.loss_train is None:
    metadata.loss_train = np.average(attack_input.get_loss_train())
  if metadata.loss_test is None:
    metadata.loss_test = np.average(attack_input.get_loss_test())
  return metadata
 def _get_accuracy(logits, labels):
  """Computes the accuracy if it is missing."""
  if logits is None or labels is None:
    return None
  return metrics.accuracy_score(labels, np.argmax(logits, axis=1))
--- a/tensorflow_privacy/privacy/membership_inference_attack/membership_inference_attack_new_test.py
+++ b/tensorflow_privacy/privacy/membership_inference_attack/membership_inference_attack_new_test.py
@ -72,6 +72,15 @@ class RunAttacksTest(absltest.TestCase):
    expected_slice = SingleSliceSpec(SlicingFeature.CLASS, 2)
    self.assertEqual(result.single_attack_results[3].slice_spec, expected_slice)
  def test_accuracy(self):
    predictions = [[0.5, 0.2, 0.3], [0.1, 0.6, 0.3], [0.5, 0.2, 0.3]]
    logits = [[1, -1, -3], [-3, -1, -2], [9, 8, 8.5]]
    labels = [0, 1, 2]
    self.assertEqual(mia._get_accuracy(predictions, labels), 2 / 3)
    self.assertEqual(mia._get_accuracy(logits, labels), 2 / 3)
    # If accuracy is already present, simply return it.
    self.assertIsNone(mia._get_accuracy(None, labels))
 if __name__ == '__main__':
  absltest.main()