diff --git a/tensorflow_privacy/privacy/membership_inference_attack/codelabs/codelab_privacy_risk_score.ipynb b/tensorflow_privacy/privacy/membership_inference_attack/codelabs/codelab_privacy_risk_score.ipynb
new file mode 100644
index 0000000..c271f41
--- /dev/null
+++ b/tensorflow_privacy/privacy/membership_inference_attack/codelabs/codelab_privacy_risk_score.ipynb
@@ -0,0 +1,816 @@
+{
+ "cells": [
+ {
+ "cell_type": "markdown",
+ "metadata": {
+ "colab_type": "text",
+ "id": "1eiwVljWpzM7"
+ },
+ "source": [
+ "Copyright 2020 The TensorFlow Authors.\n"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "metadata": {
+ "cellView": "both",
+ "colab": {},
+ "colab_type": "code",
+ "id": "4rmwPgXeptiS"
+ },
+ "outputs": [],
+ "source": [
+ "#@title Licensed under the Apache License, Version 2.0 (the \"License\");\n",
+ "# you may not use this file except in compliance with the License.\n",
+ "# You may obtain a copy of the License at\n",
+ "#\n",
+ "# https://www.apache.org/licenses/LICENSE-2.0\n",
+ "#\n",
+ "# Unless required by applicable law or agreed to in writing, software\n",
+ "# distributed under the License is distributed on an \"AS IS\" BASIS,\n",
+ "# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n",
+ "# See the License for the specific language governing permissions and\n",
+ "# limitations under the License."
+ ]
+ },
+ {
+ "cell_type": "markdown",
+ "metadata": {
+ "colab_type": "text",
+ "id": "YM2gRaJMqvMi"
+ },
+ "source": [
+ "# Assess privacy risks with TensorFlow Privacy Membership Inference Attacks"
+ ]
+ },
+ {
+ "cell_type": "markdown",
+ "metadata": {
+ "colab_type": "text",
+ "id": "-B5ZvlSqqLaR"
+ },
+ "source": [
+ "\n",
+ " \n",
+ " \n",
+ "
\n",
+ " Run in Google Colab\n",
+ " \n",
+ " View source on GitHub\n",
+ "
"
+ ]
+ },
+ {
+ "cell_type": "markdown",
+ "metadata": {
+ "colab_type": "text",
+ "id": "9rMuytY7Nn8P"
+ },
+ "source": [
+ "##Overview\n",
+ "In this codelab we'll train a simple image classification model on the CIFAR10 dataset, and then use the \"membership inference attack\" against this model to assess if the attacker is able to \"guess\" whether a particular sample was present in the training set."
+ ]
+ },
+ {
+ "cell_type": "markdown",
+ "metadata": {
+ "colab_type": "text",
+ "id": "FUWqArj_q8vs"
+ },
+ "source": [
+ "## Setup\n",
+ "First, set this notebook's runtime to use a GPU, under Runtime > Change runtime type > Hardware accelerator. Then, begin importing the necessary libraries."
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 1,
+ "metadata": {
+ "cellView": "form",
+ "colab": {},
+ "colab_type": "code",
+ "id": "Lr1pwHcbralz"
+ },
+ "outputs": [],
+ "source": [
+ "#@title Import statements.\n",
+ "import numpy as np\n",
+ "from typing import Tuple, Text\n",
+ "from scipy import special\n",
+ "\n",
+ "import tensorflow as tf\n",
+ "import tensorflow_datasets as tfds\n",
+ "\n",
+ "# Set verbosity.\n",
+ "tf.compat.v1.logging.set_verbosity(tf.compat.v1.logging.ERROR)\n",
+ "from warnings import simplefilter\n",
+ "from sklearn.exceptions import ConvergenceWarning\n",
+ "simplefilter(action=\"ignore\", category=ConvergenceWarning)\n",
+ "simplefilter(action=\"ignore\", category=FutureWarning)"
+ ]
+ },
+ {
+ "cell_type": "markdown",
+ "metadata": {
+ "colab_type": "text",
+ "id": "ucw81ar6ru-6"
+ },
+ "source": [
+ "### Install TensorFlow Privacy."
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 2,
+ "metadata": {
+ "cellView": "both",
+ "colab": {},
+ "colab_type": "code",
+ "id": "zcqAmiGH90kl"
+ },
+ "outputs": [],
+ "source": [
+ "!pip3 install git+https://github.com/tensorflow/privacy\n",
+ "\n",
+ "from tensorflow_privacy.privacy.membership_inference_attack import membership_inference_attack as mia"
+ ]
+ },
+ {
+ "cell_type": "markdown",
+ "metadata": {
+ "colab_type": "text",
+ "id": "pBbcG86th_sW"
+ },
+ "source": [
+ "## Train a model"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 3,
+ "metadata": {
+ "cellView": "form",
+ "colab": {},
+ "colab_type": "code",
+ "id": "vCyOWyyhXLib"
+ },
+ "outputs": [
+ {
+ "name": "stdout",
+ "output_type": "stream",
+ "text": [
+ "Loading the dataset.\n",
+ "learning rate %f 0.02\n",
+ "Model: \"sequential\"\n",
+ "_________________________________________________________________\n",
+ "Layer (type) Output Shape Param # \n",
+ "=================================================================\n",
+ "conv2d (Conv2D) (None, 30, 30, 32) 896 \n",
+ "_________________________________________________________________\n",
+ "max_pooling2d (MaxPooling2D) (None, 15, 15, 32) 0 \n",
+ "_________________________________________________________________\n",
+ "conv2d_1 (Conv2D) (None, 13, 13, 32) 9248 \n",
+ "_________________________________________________________________\n",
+ "max_pooling2d_1 (MaxPooling2 (None, 6, 6, 32) 0 \n",
+ "_________________________________________________________________\n",
+ "conv2d_2 (Conv2D) (None, 4, 4, 32) 9248 \n",
+ "_________________________________________________________________\n",
+ "max_pooling2d_2 (MaxPooling2 (None, 2, 2, 32) 0 \n",
+ "_________________________________________________________________\n",
+ "flatten (Flatten) (None, 128) 0 \n",
+ "_________________________________________________________________\n",
+ "dense (Dense) (None, 64) 8256 \n",
+
"_________________________________________________________________\n", + "dense_1 (Dense) (None, 10) 650 \n", + "=================================================================\n", + "Total params: 28,298\n", + "Trainable params: 28,298\n", + "Non-trainable params: 0\n", + "_________________________________________________________________\n", + "Epoch 1/100\n", + "200/200 [==============================] - 2s 8ms/step - loss: 2.0185 - accuracy: 0.2515 - val_loss: 1.8635 - val_accuracy: 0.3168\n", + "Epoch 2/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 1.6232 - accuracy: 0.4059 - val_loss: 1.4847 - val_accuracy: 0.4549\n", + "Epoch 3/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 1.4421 - accuracy: 0.4752 - val_loss: 1.3781 - val_accuracy: 0.5041\n", + "Epoch 4/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 1.3402 - accuracy: 0.5152 - val_loss: 1.2500 - val_accuracy: 0.5520\n", + "Epoch 5/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 1.2316 - accuracy: 0.5614 - val_loss: 1.2739 - val_accuracy: 0.5524\n", + "Epoch 6/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 1.1568 - accuracy: 0.5899 - val_loss: 1.2040 - val_accuracy: 0.5748\n", + "Epoch 7/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 1.1007 - accuracy: 0.6094 - val_loss: 1.1218 - val_accuracy: 0.6042\n", + "Epoch 8/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 1.0437 - accuracy: 0.6313 - val_loss: 1.0968 - val_accuracy: 0.6192\n", + "Epoch 9/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.9965 - accuracy: 0.6489 - val_loss: 1.0501 - val_accuracy: 0.6338\n", + "Epoch 10/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.9673 - accuracy: 0.6589 - val_loss: 1.0594 - val_accuracy: 0.6322\n", + "Epoch 11/100\n", + "200/200 [==============================] - 1s 5ms/step - 
loss: 0.9388 - accuracy: 0.6711 - val_loss: 1.0302 - val_accuracy: 0.6445\n", + "Epoch 12/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.9104 - accuracy: 0.6800 - val_loss: 0.9907 - val_accuracy: 0.6553\n", + "Epoch 13/100\n", + "200/200 [==============================] - 1s 6ms/step - loss: 0.8827 - accuracy: 0.6896 - val_loss: 0.9999 - val_accuracy: 0.6509\n", + "Epoch 14/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.8453 - accuracy: 0.7023 - val_loss: 0.9708 - val_accuracy: 0.6674\n", + "Epoch 15/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.8407 - accuracy: 0.7067 - val_loss: 0.9434 - val_accuracy: 0.6739\n", + "Epoch 16/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.8152 - accuracy: 0.7136 - val_loss: 0.9440 - val_accuracy: 0.6786\n", + "Epoch 17/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.7988 - accuracy: 0.7184 - val_loss: 0.9670 - val_accuracy: 0.6710\n", + "Epoch 18/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.7763 - accuracy: 0.7270 - val_loss: 0.9224 - val_accuracy: 0.6854\n", + "Epoch 19/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.7650 - accuracy: 0.7307 - val_loss: 0.9305 - val_accuracy: 0.6832\n", + "Epoch 20/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.7508 - accuracy: 0.7354 - val_loss: 0.9674 - val_accuracy: 0.6707\n", + "Epoch 21/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.7306 - accuracy: 0.7410 - val_loss: 0.9122 - val_accuracy: 0.6917\n", + "Epoch 22/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.7142 - accuracy: 0.7498 - val_loss: 0.9287 - val_accuracy: 0.6868\n", + "Epoch 23/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.7071 - accuracy: 0.7514 - val_loss: 0.9046 - val_accuracy: 0.6934\n", + "Epoch 24/100\n", + 
"200/200 [==============================] - 1s 5ms/step - loss: 0.6923 - accuracy: 0.7564 - val_loss: 0.9136 - val_accuracy: 0.6908\n", + "Epoch 25/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.6791 - accuracy: 0.7603 - val_loss: 0.9856 - val_accuracy: 0.6702\n", + "Epoch 26/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.6711 - accuracy: 0.7637 - val_loss: 0.9372 - val_accuracy: 0.6865\n", + "Epoch 27/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.6556 - accuracy: 0.7672 - val_loss: 0.9847 - val_accuracy: 0.6768\n", + "Epoch 28/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.6497 - accuracy: 0.7714 - val_loss: 0.9554 - val_accuracy: 0.6881\n", + "Epoch 29/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.6311 - accuracy: 0.7765 - val_loss: 0.9962 - val_accuracy: 0.6801\n", + "Epoch 30/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.6291 - accuracy: 0.7773 - val_loss: 0.9268 - val_accuracy: 0.6926\n", + "Epoch 31/100\n", + "200/200 [==============================] - 1s 6ms/step - loss: 0.6175 - accuracy: 0.7802 - val_loss: 0.9507 - val_accuracy: 0.6904\n", + "Epoch 32/100\n", + "200/200 [==============================] - 1s 6ms/step - loss: 0.6107 - accuracy: 0.7830 - val_loss: 0.9776 - val_accuracy: 0.6799\n", + "Epoch 33/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.6049 - accuracy: 0.7877 - val_loss: 0.9712 - val_accuracy: 0.6897\n", + "Epoch 34/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.5963 - accuracy: 0.7884 - val_loss: 0.9548 - val_accuracy: 0.6889\n", + "Epoch 35/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.5959 - accuracy: 0.7881 - val_loss: 0.9729 - val_accuracy: 0.6865\n", + "Epoch 36/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.5801 - accuracy: 0.7955 - val_loss: 
0.9659 - val_accuracy: 0.6949\n", + "Epoch 37/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.5745 - accuracy: 0.7981 - val_loss: 0.9663 - val_accuracy: 0.6908\n", + "Epoch 38/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.5651 - accuracy: 0.7993 - val_loss: 0.9689 - val_accuracy: 0.6931\n", + "Epoch 39/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.5608 - accuracy: 0.8014 - val_loss: 0.9899 - val_accuracy: 0.6894\n", + "Epoch 40/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.5507 - accuracy: 0.8049 - val_loss: 0.9990 - val_accuracy: 0.6888\n", + "Epoch 41/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.5409 - accuracy: 0.8066 - val_loss: 0.9860 - val_accuracy: 0.6904\n", + "Epoch 42/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.5494 - accuracy: 0.8040 - val_loss: 0.9937 - val_accuracy: 0.6916\n", + "Epoch 43/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.5226 - accuracy: 0.8146 - val_loss: 0.9943 - val_accuracy: 0.6888\n", + "Epoch 44/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.5214 - accuracy: 0.8148 - val_loss: 1.0146 - val_accuracy: 0.6826\n", + "Epoch 45/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.5288 - accuracy: 0.8126 - val_loss: 1.0247 - val_accuracy: 0.6926\n", + "Epoch 46/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.5182 - accuracy: 0.8149 - val_loss: 1.0246 - val_accuracy: 0.6883\n" + ] + }, + { + "name": "stdout", + "output_type": "stream", + "text": [ + "Epoch 47/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.5079 - accuracy: 0.8190 - val_loss: 1.0530 - val_accuracy: 0.6888\n", + "Epoch 48/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.5088 - accuracy: 0.8188 - val_loss: 1.0607 - val_accuracy: 
0.6876\n", + "Epoch 49/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.4989 - accuracy: 0.8218 - val_loss: 1.0523 - val_accuracy: 0.6858\n", + "Epoch 50/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.5042 - accuracy: 0.8200 - val_loss: 1.0645 - val_accuracy: 0.6898\n", + "Epoch 51/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.4800 - accuracy: 0.8292 - val_loss: 1.0762 - val_accuracy: 0.6812\n", + "Epoch 52/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.4853 - accuracy: 0.8262 - val_loss: 1.0960 - val_accuracy: 0.6828\n", + "Epoch 53/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.4754 - accuracy: 0.8308 - val_loss: 1.0551 - val_accuracy: 0.6916\n", + "Epoch 54/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.4745 - accuracy: 0.8284 - val_loss: 1.1048 - val_accuracy: 0.6768\n", + "Epoch 55/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.4770 - accuracy: 0.8309 - val_loss: 1.0978 - val_accuracy: 0.6893\n", + "Epoch 56/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.4708 - accuracy: 0.8311 - val_loss: 1.1025 - val_accuracy: 0.6791\n", + "Epoch 57/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.4577 - accuracy: 0.8366 - val_loss: 1.1247 - val_accuracy: 0.6792\n", + "Epoch 58/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.4693 - accuracy: 0.8321 - val_loss: 1.1224 - val_accuracy: 0.6808\n", + "Epoch 59/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.4533 - accuracy: 0.8385 - val_loss: 1.1161 - val_accuracy: 0.6830\n", + "Epoch 60/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.4602 - accuracy: 0.8326 - val_loss: 1.1262 - val_accuracy: 0.6781\n", + "Epoch 61/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.4528 
- accuracy: 0.8379 - val_loss: 1.2267 - val_accuracy: 0.6654\n", + "Epoch 62/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.4533 - accuracy: 0.8354 - val_loss: 1.1433 - val_accuracy: 0.6901\n", + "Epoch 63/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.4373 - accuracy: 0.8418 - val_loss: 1.1481 - val_accuracy: 0.6857\n", + "Epoch 64/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.4442 - accuracy: 0.8391 - val_loss: 1.1446 - val_accuracy: 0.6854\n", + "Epoch 65/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.4247 - accuracy: 0.8480 - val_loss: 1.1511 - val_accuracy: 0.6856\n", + "Epoch 66/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.4395 - accuracy: 0.8406 - val_loss: 1.1960 - val_accuracy: 0.6791\n", + "Epoch 67/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.4402 - accuracy: 0.8394 - val_loss: 1.2087 - val_accuracy: 0.6852\n", + "Epoch 68/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.4247 - accuracy: 0.8464 - val_loss: 1.1801 - val_accuracy: 0.6837\n", + "Epoch 69/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.4219 - accuracy: 0.8460 - val_loss: 1.2674 - val_accuracy: 0.6683\n", + "Epoch 70/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.4184 - accuracy: 0.8494 - val_loss: 1.2206 - val_accuracy: 0.6828\n", + "Epoch 71/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.4116 - accuracy: 0.8505 - val_loss: 1.1856 - val_accuracy: 0.6782\n", + "Epoch 72/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.4177 - accuracy: 0.8481 - val_loss: 1.2790 - val_accuracy: 0.6791\n", + "Epoch 73/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.4135 - accuracy: 0.8505 - val_loss: 1.2457 - val_accuracy: 0.6806\n", + "Epoch 74/100\n", + "200/200 
[==============================] - 1s 5ms/step - loss: 0.4046 - accuracy: 0.8528 - val_loss: 1.2291 - val_accuracy: 0.6852\n", + "Epoch 75/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.4132 - accuracy: 0.8500 - val_loss: 1.2248 - val_accuracy: 0.6866\n", + "Epoch 76/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.4116 - accuracy: 0.8501 - val_loss: 1.2619 - val_accuracy: 0.6793\n", + "Epoch 77/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.4146 - accuracy: 0.8500 - val_loss: 1.2497 - val_accuracy: 0.6780\n", + "Epoch 78/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.3922 - accuracy: 0.8579 - val_loss: 1.2788 - val_accuracy: 0.6718\n", + "Epoch 79/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.4084 - accuracy: 0.8499 - val_loss: 1.2568 - val_accuracy: 0.6876\n", + "Epoch 80/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.3976 - accuracy: 0.8559 - val_loss: 1.3637 - val_accuracy: 0.6652\n", + "Epoch 81/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.4061 - accuracy: 0.8511 - val_loss: 1.2873 - val_accuracy: 0.6775\n", + "Epoch 82/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.3781 - accuracy: 0.8623 - val_loss: 1.3062 - val_accuracy: 0.6756\n", + "Epoch 83/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.3825 - accuracy: 0.8606 - val_loss: 1.2976 - val_accuracy: 0.6825\n", + "Epoch 84/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.3913 - accuracy: 0.8571 - val_loss: 1.4069 - val_accuracy: 0.6528\n", + "Epoch 85/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.3876 - accuracy: 0.8591 - val_loss: 1.3395 - val_accuracy: 0.6753\n", + "Epoch 86/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.3879 - accuracy: 0.8580 - val_loss: 1.3092 - 
val_accuracy: 0.6741\n", + "Epoch 87/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.3695 - accuracy: 0.8665 - val_loss: 1.3327 - val_accuracy: 0.6762\n", + "Epoch 88/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.3835 - accuracy: 0.8608 - val_loss: 1.3579 - val_accuracy: 0.6775\n", + "Epoch 89/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.3816 - accuracy: 0.8619 - val_loss: 1.3944 - val_accuracy: 0.6622\n", + "Epoch 90/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.3804 - accuracy: 0.8609 - val_loss: 1.3264 - val_accuracy: 0.6854\n", + "Epoch 91/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.3718 - accuracy: 0.8647 - val_loss: 1.3646 - val_accuracy: 0.6713\n", + "Epoch 92/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.3676 - accuracy: 0.8661 - val_loss: 1.3926 - val_accuracy: 0.6759\n", + "Epoch 93/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.3767 - accuracy: 0.8623 - val_loss: 1.3605 - val_accuracy: 0.6701\n", + "Epoch 94/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.3813 - accuracy: 0.8612 - val_loss: 1.3938 - val_accuracy: 0.6659\n", + "Epoch 95/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.3631 - accuracy: 0.8667 - val_loss: 1.4130 - val_accuracy: 0.6749\n", + "Epoch 96/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.3604 - accuracy: 0.8694 - val_loss: 1.3780 - val_accuracy: 0.6832\n", + "Epoch 97/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.3657 - accuracy: 0.8666 - val_loss: 1.4425 - val_accuracy: 0.6719\n", + "Epoch 98/100\n", + "200/200 [==============================] - 1s 5ms/step - loss: 0.3726 - accuracy: 0.8636 - val_loss: 1.4077 - val_accuracy: 0.6699\n", + "Epoch 99/100\n", + "200/200 [==============================] - 1s 5ms/step 
- loss: 0.3671 - accuracy: 0.8663 - val_loss: 1.4207 - val_accuracy: 0.6769\n",
+ "Epoch 100/100\n",
+ "200/200 [==============================] - 1s 5ms/step - loss: 0.3529 - accuracy: 0.8706 - val_loss: 1.4817 - val_accuracy: 0.6716\n",
+ "Finished training.\n"
+ ]
+ }
+ ],
+ "source": [
+ "#@markdown Train a simple model on CIFAR10 with Keras.\n",
+ "\n",
+ "dataset = 'cifar10'\n",
+ "num_classes = 10\n",
+ "num_conv = 3\n",
+ "activation = 'relu'\n",
+ "lr = 0.02\n",
+ "momentum = 0.9\n",
+ "batch_size = 250\n",
+ "epochs = 100 # Privacy risks are especially visible with lots of epochs.\n",
+ "\n",
+ "\n",
+ "def small_cnn(input_shape: Tuple[int],\n",
+ " num_classes: int,\n",
+ " num_conv: int,\n",
+ " activation: Text = 'relu') -> tf.keras.models.Sequential:\n",
+ " \"\"\"Setup a small CNN for image classification.\n",
+ "\n",
+ " Args:\n",
+ " input_shape: Integer tuple for the shape of the images.\n",
+ " num_classes: Number of prediction classes.\n",
+ " num_conv: Number of convolutional layers.\n",
+ " activation: The activation function to use for conv and dense layers.\n",
+ "\n",
+ " Returns:\n",
+ " The Keras model.\n",
+ " \"\"\"\n",
+ " model = tf.keras.models.Sequential()\n",
+ " model.add(tf.keras.layers.Input(shape=input_shape))\n",
+ "\n",
+ " # Conv layers\n",
+ " for _ in range(num_conv):\n",
+ " model.add(tf.keras.layers.Conv2D(32, (3, 3), activation=activation))\n",
+ " model.add(tf.keras.layers.MaxPooling2D())\n",
+ "\n",
+ " model.add(tf.keras.layers.Flatten())\n",
+ " model.add(tf.keras.layers.Dense(64, activation=activation))\n",
+ " model.add(tf.keras.layers.Dense(num_classes))\n",
+ " return model\n",
+ "\n",
+ "\n",
+ "print('Loading the dataset.')\n",
+ "train_ds = tfds.as_numpy(\n",
+ " tfds.load(dataset, split=tfds.Split.TRAIN, batch_size=-1))\n",
+ "test_ds = tfds.as_numpy(\n",
+ " tfds.load(dataset, split=tfds.Split.TEST, batch_size=-1))\n",
+ "x_train = train_ds['image'].astype('float32') / 255.\n",
+ "y_train_indices =
train_ds['label'][:, np.newaxis]\n",
+ "x_test = test_ds['image'].astype('float32') / 255.\n",
+ "y_test_indices = test_ds['label'][:, np.newaxis]\n",
+ "\n",
+ "# Convert class vectors to binary class matrices.\n",
+ "y_train = tf.keras.utils.to_categorical(y_train_indices, num_classes)\n",
+ "y_test = tf.keras.utils.to_categorical(y_test_indices, num_classes)\n",
+ "\n",
+ "input_shape = x_train.shape[1:]\n",
+ "\n",
+ "model = small_cnn(\n",
+ " input_shape, num_classes, num_conv=num_conv, activation=activation)\n",
+ "\n",
+ "print('learning rate %f', lr)\n",
+ "\n",
+ "optimizer = tf.keras.optimizers.SGD(lr=lr, momentum=momentum)\n",
+ "\n",
+ "loss = tf.keras.losses.CategoricalCrossentropy(from_logits=True)\n",
+ "model.compile(loss=loss, optimizer=optimizer, metrics=['accuracy'])\n",
+ "model.summary()\n",
+ "model.fit(\n",
+ " x_train,\n",
+ " y_train,\n",
+ " batch_size=batch_size,\n",
+ " epochs=epochs,\n",
+ " validation_data=(x_test, y_test),\n",
+ " shuffle=True)\n",
+ "print('Finished training.')"
+ ]
+ },
+ {
+ "cell_type": "markdown",
+ "metadata": {
+ "colab_type": "text",
+ "id": "ee-zjGGGV1DC"
+ },
+ "source": [
+ "## Calculate logits, probabilities and loss values for training and test sets.\n",
+ "\n",
+ "We will use these values later in the membership inference attack to separate training and test samples."
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 4,
+ "metadata": {
+ "cellView": "both",
+ "colab": {},
+ "colab_type": "code",
+ "id": "um9r0tSiPx4u"
+ },
+ "outputs": [
+ {
+ "name": "stdout",
+ "output_type": "stream",
+ "text": [
+ "Predict on train...\n",
+ "Predict on test...\n",
+ "Apply softmax to get probabilities from logits...\n",
+ "Compute losses...\n"
+ ]
+ }
+ ],
+ "source": [
+ "print('Predict on train...')\n",
+ "logits_train = model.predict(x_train, batch_size=batch_size)\n",
+ "print('Predict on test...')\n",
+ "logits_test = model.predict(x_test, batch_size=batch_size)\n",
+ "\n",
+ "print('Apply softmax to get probabilities from logits...')\n",
+ "prob_train = special.softmax(logits_train, axis=1)\n",
+ "prob_test = special.softmax(logits_test, axis=1)\n",
+ "\n",
+ "print('Compute losses...')\n",
+ "cce = tf.keras.backend.categorical_crossentropy\n",
+ "constant = tf.keras.backend.constant\n",
+ "\n",
+ "loss_train = cce(constant(y_train), constant(prob_train), from_logits=False).numpy()\n",
+ "loss_test = cce(constant(y_test), constant(prob_test), from_logits=False).numpy()"
+ ]
+ },
+ {
+ "cell_type": "markdown",
+ "metadata": {
+ "colab_type": "text",
+ "id": "QETxVOHLiHP4"
+ },
+ "source": [
+ "## Run membership inference attacks.\n",
+ "\n",
+ "We will now execute a membership inference attack against the previously trained CIFAR10 model. This will generate a number of scores, most notably, attacker advantage and AUC for the membership inference classifier.\n",
+ "\n",
+ "An AUC of close to 0.5 means that the attack wasn't able to identify training samples, which means that the model doesn't have privacy issues according to this test. Higher values, on the contrary, indicate potential privacy issues."
+ ] + }, + { + "cell_type": "code", + "execution_count": 6, + "metadata": { + "colab": {}, + "colab_type": "code", + "id": "B8NIwhVwQT7I" + }, + "outputs": [ + { + "name": "stdout", + "output_type": "stream", + "text": [ + "Best-performing attacks over all slices\n", + " THRESHOLD_ATTACK achieved an AUC of 0.74 on slice CORRECTLY_CLASSIFIED=False\n", + " THRESHOLD_ATTACK achieved an advantage of 0.37 on slice CORRECTLY_CLASSIFIED=False\n", + "\n", + "Best-performing attacks over slice: \"Entire dataset\"\n", + " THRESHOLD_ENTROPY_ATTACK achieved an AUC of 0.60\n", + " THRESHOLD_ATTACK achieved an advantage of 0.20\n", + "\n", + "Best-performing attacks over slice: \"CLASS=0\"\n", + " LOGISTIC_REGRESSION achieved an AUC of 0.64\n", + " LOGISTIC_REGRESSION achieved an advantage of 0.24\n", + "\n", + "Best-performing attacks over slice: \"CLASS=1\"\n", + " LOGISTIC_REGRESSION achieved an AUC of 0.57\n", + " THRESHOLD_ENTROPY_ATTACK achieved an advantage of 0.16\n", + "\n", + "Best-performing attacks over slice: \"CLASS=2\"\n", + " THRESHOLD_ENTROPY_ATTACK achieved an AUC of 0.64\n", + " THRESHOLD_ENTROPY_ATTACK achieved an advantage of 0.26\n", + "\n", + "Best-performing attacks over slice: \"CLASS=3\"\n", + " LOGISTIC_REGRESSION achieved an AUC of 0.68\n", + " LOGISTIC_REGRESSION achieved an advantage of 0.29\n", + "\n", + "Best-performing attacks over slice: \"CLASS=4\"\n", + " THRESHOLD_ENTROPY_ATTACK achieved an AUC of 0.64\n", + " THRESHOLD_ATTACK achieved an advantage of 0.24\n", + "\n", + "Best-performing attacks over slice: \"CLASS=5\"\n", + " LOGISTIC_REGRESSION achieved an AUC of 0.63\n", + " THRESHOLD_ENTROPY_ATTACK achieved an advantage of 0.23\n", + "\n", + "Best-performing attacks over slice: \"CLASS=6\"\n", + " LOGISTIC_REGRESSION achieved an AUC of 0.63\n", + " LOGISTIC_REGRESSION achieved an advantage of 0.21\n", + "\n", + "Best-performing attacks over slice: \"CLASS=7\"\n", + " LOGISTIC_REGRESSION achieved an AUC of 0.60\n", + " 
THRESHOLD_ENTROPY_ATTACK achieved an advantage of 0.21\n", + "\n", + "Best-performing attacks over slice: \"CLASS=8\"\n", + " LOGISTIC_REGRESSION achieved an AUC of 0.60\n", + " LOGISTIC_REGRESSION achieved an advantage of 0.19\n", + "\n", + "Best-performing attacks over slice: \"CLASS=9\"\n", + " LOGISTIC_REGRESSION achieved an AUC of 0.62\n", + " LOGISTIC_REGRESSION achieved an advantage of 0.20\n", + "\n", + "Best-performing attacks over slice: \"CORRECTLY_CLASSIFIED=True\"\n", + " LOGISTIC_REGRESSION achieved an AUC of 0.50\n", + " THRESHOLD_ATTACK achieved an advantage of 0.04\n", + "\n", + "Best-performing attacks over slice: \"CORRECTLY_CLASSIFIED=False\"\n", + " THRESHOLD_ATTACK achieved an AUC of 0.74\n", + " THRESHOLD_ATTACK achieved an advantage of 0.37\n" + ] + }, + { + "data": { + "image/png": "\n", + "text/plain": [ + "
"
+ ]
+ },
+ "metadata": {
+ "needs_background": "light"
+ },
+ "output_type": "display_data"
+ }
+ ],
+ "source": [
+ "from tensorflow_privacy.privacy.membership_inference_attack.data_structures import AttackInputData\n",
+ "from tensorflow_privacy.privacy.membership_inference_attack.data_structures import SlicingSpec\n",
+ "from tensorflow_privacy.privacy.membership_inference_attack.data_structures import AttackType\n",
+ "\n",
+ "import tensorflow_privacy.privacy.membership_inference_attack.plotting as plotting\n",
+ "\n",
+ "labels_train = np.argmax(y_train, axis=1)\n",
+ "labels_test = np.argmax(y_test, axis=1)\n",
+ "\n",
+ "input = AttackInputData(\n",
+ " logits_train = logits_train,\n",
+ " logits_test = logits_test,\n",
+ " loss_train = loss_train,\n",
+ " loss_test = loss_test,\n",
+ " labels_train = labels_train,\n",
+ " labels_test = labels_test\n",
+ ")\n",
+ "\n",
+ "# Run several attacks for different data slices\n",
+ "attacks_result = mia.run_attacks(input,\n",
+ " SlicingSpec(\n",
+ " entire_dataset = True,\n",
+ " by_class = True,\n",
+ " by_classification_correctness = True\n",
+ " ),\n",
+ " attack_types = [\n",
+ " AttackType.THRESHOLD_ATTACK,\n",
+ " AttackType.THRESHOLD_ENTROPY_ATTACK,\n",
+ " AttackType.LOGISTIC_REGRESSION])\n",
+ "\n",
+ "# Plot the ROC curve of the best classifier\n",
+ "fig = plotting.plot_roc_curve(\n",
+ " attacks_result.get_result_with_max_auc().roc_curve)\n",
+ "\n",
+ "# Print a user-friendly summary of the attacks\n",
+ "print(attacks_result.summary(by_slices = True))"
+ ]
+ },
+ {
+ "cell_type": "markdown",
+ "metadata": {
+ "colab_type": "text",
+ "id": "E9zwsPGFujVq"
+ },
+ "source": [
+ "## Compute privacy risk score\n",
+ "\n",
+ "This part shows how to use the privacy risk score. (The code is preliminary, we can improve it later.)\n",
+ "\n",
+ "For each data slice, we compute privacy risk scores for both training and test data.
We then set a threshold on risk scores (an input is inferred as a member if and only if its risk score is higher than the threshold) and compute the attack precision and recall values"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 8,
+ "metadata": {},
+ "outputs": [
+ {
+ "name": "stdout",
+ "output_type": "stream",
+ "text": [
+ "For slice type: Entire dataset\n",
+ "with 0.5 as the threshold on privacy risk score, the precision-recall pair is (0.5597992410331742, 0.9146)\n",
+ "\n",
+ "For slice type: CLASS=0\n",
+ "with 0.6 as the threshold on privacy risk score, the precision-recall pair is (0.6191360891778913, 0.2666)\n",
+ "with 0.5 as the threshold on privacy risk score, the precision-recall pair is (0.5744543458607775, 0.8896)\n",
+ "\n",
+ "For slice type: CLASS=1\n",
+ "with 0.6 as the threshold on privacy risk score, the precision-recall pair is (0.6059544658493871, 0.0692)\n",
+ "with 0.5 as the threshold on privacy risk score, the precision-recall pair is (0.5467082383978894, 0.9118)\n",
+ "\n",
+ "For slice type: CLASS=2\n",
+ "with 0.8 as the threshold on privacy risk score, the precision-recall pair is (0.868421052631579, 0.0066)\n",
+ "with 0.7 as the threshold on privacy risk score, the precision-recall pair is (0.868421052631579, 0.0066)\n",
+ "with 0.6 as the threshold on privacy risk score, the precision-recall pair is (0.6181660399190049, 0.4274)\n",
+ "with 0.5 as the threshold on privacy risk score, the precision-recall pair is (0.5929882636172134, 0.7882)\n",
+ "\n",
+ "For slice type: CLASS=3\n",
+ "with 1 as the threshold on privacy risk score, the precision-recall pair is (1.0, 0.0016)\n",
+ "with 0.9 as the threshold on privacy risk score, the precision-recall pair is (1.0, 0.0016)\n",
+ "with 0.8 as the threshold on privacy risk score, the precision-recall pair is (1.0, 0.0016)\n",
+ "with 0.7 as the threshold on privacy risk score, the precision-recall pair is (0.7972972972972973, 0.0118)\n",
+ "with 0.6 as the threshold on privacy risk score, the precision-recall pair is (0.6332665330661322, 0.316)\n",
+ "with 0.5 as the threshold on privacy risk score, the precision-recall pair is (0.5862524785194977, 0.887)\n",
+ "\n",
+ "For slice type: CLASS=4\n",
+ "with 0.7 as the threshold on privacy risk score, the precision-recall pair is (0.7222222222222222, 0.013)\n",
+ "with 0.6 as the threshold on privacy risk score, the precision-recall pair is (0.61644212262854, 0.4484)\n",
+ "with 0.5 as the threshold on privacy risk score, the precision-recall pair is (0.5814285714285714, 0.814)\n",
+ "\n",
+ "For slice type: CLASS=5\n",
+ "with 0.8 as the threshold on privacy risk score, the precision-recall pair is (0.8387096774193549, 0.0052)\n",
+ "with 0.7 as the threshold on privacy risk score, the precision-recall pair is (0.7452229299363058, 0.0234)\n",
+ "with 0.6 as the threshold on privacy risk score, the precision-recall pair is (0.6262230919765166, 0.32)\n",
+ "with 0.5 as the threshold on privacy risk score, the precision-recall pair is (0.5760075737084122, 0.8518)\n",
+ "\n",
+ "For slice type: CLASS=6\n",
+ "with 0.6 as the threshold on privacy risk score, the precision-recall pair is (0.6118458884416331, 0.2128)\n",
+ "with 0.5 as the threshold on privacy risk score, the precision-recall pair is (0.5705128205128205, 0.712)\n",
+ "\n",
+ "For slice type: CLASS=7\n",
+ "with 0.6 as the threshold on privacy risk score, the precision-recall pair is (0.6164383561643836, 0.18)\n",
+ "with 0.5 as the threshold on privacy risk score, the precision-recall pair is (0.5659122874312748, 0.8852)\n",
+ "\n",
+ "For slice type: CLASS=8\n",
+ "with 0.5 as the threshold on privacy risk score, the precision-recall pair is (0.5507837390085383, 0.8644)\n",
+ "\n",
+ "For slice type: CLASS=9\n",
+ "with 0.6 as the threshold on privacy risk score, the precision-recall pair is (0.6332288401253918, 0.202)\n",
+ "with 0.5 as the threshold on privacy risk score, the precision-recall pair is (0.5841666666666666, 0.701)\n",
+ "\n",
+ "For slice type: CORRECTLY_CLASSIFIED=True\n",
+ "with 0.5 as the threshold on privacy risk score, the precision-recall pair is (0.5220848110408277, 0.6059067835717582)\n",
+ "\n",
+ "For slice type: CORRECTLY_CLASSIFIED=False\n",
+ "with 0.7 as the threshold on privacy risk score, the precision-recall pair is (0.7104532829471387, 0.3436936936936937)\n",
+ "with 0.6 as the threshold on privacy risk score, the precision-recall pair is (0.6816679555870855, 0.624024024024024)\n",
+ "with 0.5 as the threshold on privacy risk score, the precision-recall pair is (0.6396320935483625, 0.8274774774774775)\n",
+ "\n"
+ ]
+ }
+ ],
+ "source": [
+ "from tensorflow_privacy.privacy.membership_inference_attack.dataset_slicing import get_single_slice_specs\n",
+ "from tensorflow_privacy.privacy.membership_inference_attack.dataset_slicing import get_slice\n",
+ "slicing_spec = SlicingSpec(\n",
+ " entire_dataset = True,\n",
+ " by_class = True,\n",
+ " by_classification_correctness = True\n",
+ " )\n",
+ "input_slice_specs = get_single_slice_specs(slicing_spec, 10)\n",
+ "for single_slice_spec in input_slice_specs:\n",
+ " \n",
+ " attack_input_slice = get_slice(input, single_slice_spec)\n",
+ " risk_score_results = mia._compute_privacy_risk_score(attack_input_slice)\n",
+ " print(f\"For slice type: {str(risk_score_results.slice_spec)}\")\n",
+ " risk_score_results.print_results()\n",
+ " print()"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "metadata": {},
+ "outputs": [],
+ "source": []
+ }
+ ],
+ "metadata": {
+ "colab": {
+ "collapsed_sections": [],
+ "last_runtime": {
+ "build_target": "//learning/deepmind/public/tools/ml_python:ml_notebook",
+ "kind": "private"
+ },
+ "name": "Membership inference codelab",
+ "provenance": []
+ },
+ "kernelspec": {
+ "display_name": "Python 3",
+ "language": "python",
+ "name": "python3"
+ },
+ "language_info": {
+ "codemirror_mode": {
+ "name": "ipython",
+ "version": 3
+ },
+ "file_extension": ".py",
+ "mimetype": "text/x-python",
+ "name": "python",
+ "nbconvert_exporter": "python",
+ "pygments_lexer": "ipython3",
+ "version": "3.6.10"
+ },
+ "pycharm": {
+ "stem_cell": {
+ "cell_type": "raw",
+ "metadata": {
+ "collapsed": false
+ },
+ "source": []
+ }
+ }
+ },
+ "nbformat": 4,
+ "nbformat_minor": 1
+}