inspire-group / membership-inference-evaluation

Systematic Evaluation of Membership Inference Privacy Risks of Machine Learning Models
https://arxiv.org/abs/2003.10595
MIT License

Is training data and test data both needed? #4

Closed tkangxun closed 3 years ago

tkangxun commented 3 years ago

Is it possible to just test through the test data? Also, is there any way to do this in batches?

lwsong commented 3 years ago

Hi @tkangxun ,

In our methods, the correctness-based inference attack does not need training at all: the sample is inferred as a member if and only if it is correctly predicted. For other attack methods based on thresholding, if you want to adapt them into scenarios without training, I suggest you do the following: get the prediction confidence/entropy/modified entropy on all test data, then set the threshold values based on those values (e.g., 50th percentile) and compute the attack accuracy.

Our attack methods can definitely be performed in batches: we only need to compare prediction metrics (confidence/entropy/modified entropy) with threshold values or check the prediction correctness in each batch. We write the code in terms of whole datasets since it is easy to use and adapt.

tkangxun commented 3 years ago

Hi @lwsong,

Thanks for the quick reply. Referring to the code here,

MIA = black_box_benchmarks(shadow_train_performance,shadow_test_performance,
                         target_train_performance,target_test_performance,num_classes=100)

Does it mean I can omit/replace the train data to be the same as the test data? Would this be the same as the code in the tensorflow-privacy MIA attack, where I omit the training data in the AttackInputData class?

Sorry, what I meant by "in batches" is using datagens, as currently loading my whole dataset causes an OOM error.

lwsong commented 3 years ago

Hi @tkangxun ,

Yeah, you are correct! You can call the following to run the attack, which is the same as in the tensorflow-privacy pipeline. By doing this, we actually assume we already know the membership information (member or non-member) of the target data, and we run the code to evaluate the worst-case privacy risks by our attack methods.

MIA = black_box_benchmarks(target_train_performance,target_test_performance,
                         target_train_performance,target_test_performance,num_classes=100)

For attacking in batches, you can always iterate through all batches to record model predictions and data labels, and then run our attack algorithms. You do not need to load the whole dataset in one batch. You can take a look at our code here https://github.com/inspire-group/membership-inference-evaluation/blob/daa4b0c88a7eda36536abe5b9a2650623243a3c5/adversarial%20regularization/MIA_evaluate.py#L22 Furthermore, if you want, you can just record model metrics (correctness/confidence/entropy/modified entropy) instead of model predictions for all batches, which can further reduce the memory cost, if that is your bottleneck.
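The following is an added worked example, written for this thread and not code from the repository or from either participant. It shows the batched workflow described above: a datagen yields one batch at a time, only the four per-sample metrics (correctness, confidence, entropy, modified entropy) are kept, and the attacks then run on those metric vectors. The correctness-based attack needs no threshold; for the threshold attacks it shows both a threshold taken from the 50th percentile of the non-member (test) metric alone, as suggested earlier in the thread, and a threshold tuned directly on data with known membership, which is the worst-case evaluation the `black_box_benchmarks(target_train, target_test, target_train, target_test, ...)` call performs. The "model" here is a constructed stand-in (random logits with a larger true-class margin for members), `predict_fn`, `collect_metrics` and `run_demo` are names invented for this example, and it uses numpy only. The modified-entropy formula is the one from the paper: Mentr = -(1 - p_y) log p_y - sum_{i != y} p_i log(1 - p_i).

```python
import numpy as np


def softmax(logits):
    """Row-wise softmax with max-subtraction for numerical stability."""
    z = logits - logits.max(axis=1, keepdims=True)
    e = np.exp(z)
    return e / e.sum(axis=1, keepdims=True)


def batch_metrics(probs, labels, eps=1e-30):
    """Per-sample attack metrics for one batch of softmax outputs.

    Returns correctness, confidence (probability of the true label), prediction
    entropy and the paper's modified entropy
        Mentr = -(1 - p_y) log(p_y) - sum_{i != y} p_i log(1 - p_i).
    """
    probs = np.asarray(probs, dtype=float)
    labels = np.asarray(labels)
    n = probs.shape[0]
    idx = np.arange(n)
    p_true = probs[idx, labels]
    log_p = np.log(probs + eps)
    log_1mp = np.log(1.0 - probs + eps)
    correct = probs.argmax(axis=1) == labels
    entropy = -np.sum(probs * log_p, axis=1)
    # -sum_i p_i log(1 - p_i) over all classes, then swap the i = y term
    # for -(1 - p_y) log(p_y) to get the modified entropy.
    all_terms = -np.sum(probs * log_1mp, axis=1)
    own_term = -p_true * log_1mp[idx, labels]
    m_entropy = all_terms - own_term - (1.0 - p_true) * log_p[idx, labels]
    return {"correct": correct, "conf": p_true, "entr": entropy, "mentr": m_entropy}


def collect_metrics(datagen, predict_fn):
    """Run the model batch by batch and keep only four scalars per sample,
    so the full prediction matrix never has to be held in memory."""
    acc = {"correct": [], "conf": [], "entr": [], "mentr": []}
    for x, y in datagen:
        m = batch_metrics(softmax(predict_fn(x)), y)
        for k in acc:
            acc[k].append(m[k])
    return {k: np.concatenate(v) for k, v in acc.items()}


def balanced_attack_acc(member_vals, nonmember_vals, threshold, higher_is_member):
    """Balanced accuracy of 'member iff the metric lies on the member side of the threshold'."""
    if higher_is_member:
        tpr = np.mean(member_vals >= threshold)
        tnr = np.mean(nonmember_vals < threshold)
    else:
        tpr = np.mean(member_vals <= threshold)
        tnr = np.mean(nonmember_vals > threshold)
    return 0.5 * (tpr + tnr)


def correctness_attack_acc(member_m, nonmember_m):
    """Correctness-based attack: a sample is inferred as member iff it is classified correctly."""
    return 0.5 * (np.mean(member_m["correct"]) + np.mean(~nonmember_m["correct"]))


def tune_threshold(member_vals, nonmember_vals, higher_is_member):
    """Sweep every observed value (plus the two trivial extremes) and keep the best threshold.
    Called on target data with known membership this gives the worst-case risk;
    called on shadow data it tunes the threshold without touching the target."""
    pooled = np.unique(np.concatenate([member_vals, nonmember_vals]))
    cands = np.concatenate([[-np.inf], pooled, [np.inf]])
    accs = [balanced_attack_acc(member_vals, nonmember_vals, t, higher_is_member) for t in cands]
    best = int(np.argmax(accs))
    return cands[best], accs[best]


METRICS = {"conf": True, "entr": False, "mentr": False}  # True: larger value means member


def run_demo(num_classes=10, n=2000, batch_size=256, seed=0):
    """Constructed data: a synthetic overfit classifier whose logits have a true-class
    margin of 4 on members and 1 on non-members, served through a batch generator."""
    rng = np.random.default_rng(seed)

    def make_datagen(margin):
        labels = rng.integers(num_classes, size=n)
        logits = rng.normal(size=(n, num_classes))
        logits[np.arange(n), labels] += margin
        for i in range(0, n, batch_size):  # yields (inputs, labels) like a Keras datagen
            yield logits[i:i + batch_size], labels[i:i + batch_size]

    predict_fn = lambda x: x  # stand-in for model.predict(batch); here inputs are the logits
    member_m = collect_metrics(make_datagen(4.0), predict_fn)
    nonmember_m = collect_metrics(make_datagen(1.0), predict_fn)

    results = {"correctness": correctness_attack_acc(member_m, nonmember_m)}
    for name, higher in METRICS.items():
        _, tuned = tune_threshold(member_m[name], nonmember_m[name], higher)
        results[name + "_tuned"] = tuned
        # threshold from the non-member (test) metric alone: its 50th percentile
        t50 = np.percentile(nonmember_m[name], 50)
        results[name + "_p50"] = balanced_attack_acc(member_m[name], nonmember_m[name], t50, higher)
    return results


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k:>18}: {v:.3f}")
```

To use this against a real model, replace `make_datagen` with your own generator over the member and non-member sets and `predict_fn` with the model's forward pass on one batch; the per-sample metric vectors are all the attacks need, which is what keeps memory flat regardless of dataset size.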