jinhaoduan
commented
11 months ago Thank you for your interest!
You can assume we are in a shadow environment: training a shadow model with a known member/nonmember splitting and determining a threshold/NN according to this known splitting. After we get the threshold/NN, we could apply them to any real victim models (which we don't know the membership splitting).
We have some results to show that the threshold obtained from the shadow environment can be transferred to the real victim models:
| Method | Attack Target | AUC | ASR |
|---|---|---|---|
| SecMI_stat | Shadow Model | 0.881 | 0.811 |
| SecMI_stat | Victim Model | - | 0.804 |
| SecMI_NNs | Shadow Model | 0.951 | 0.888 |
| SecMI_NNs | Victim Model | - | 0.893 |
zealscott
zhaisf
Hi,
Thanks for your great work! I have a question about the evaluation process. In my understanding, current implementations directly use the member/non-member labels to get the threshold for $SecMI{stat}$ and for NN training $SecMI{NNs}$, should not the attackers only have access to the data distribution $D$ instead of $D_M$ or $D_H$?
https://github.com/jinhaoduan/SecMI/blob/e216395db255a0653da43bdaaeaf7d22bf91a7d7/mia_evals/secmia.py#L241