zealscott closed this issue 10 months ago
Thank you for your interest!
You can assume we are in a shadow environment: training a shadow model with a known member/nonmember split and determining a threshold/NN according to this known split. After we get the threshold/NN, we can apply them to any real victim model (for which we don't know the membership split).
We have some results to show that the threshold obtained from the shadow environment can be transferred to the real victim models:

| Method | Attack Target | AUC | ASR |
|---|---|---|---|
| SecMI_stat | Shadow Model | 0.881 | 0.811 |
| SecMI_stat | Victim Model | - | 0.804 |
| SecMI_NNs | Shadow Model | 0.951 | 0.888 |
| SecMI_NNs | Victim Model | - | 0.893 |
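
The shadow-to-victim threshold transfer described in this reply, as an added example for privacy-audit evaluation; it is not code from the SecMI repository. The per-sample scores are constructed Gaussians, and the function names and the "lower score means member" convention are assumptions made for the illustration.

```python
import random

def asr(scores, is_member, threshold):
    """Attack success rate: fraction of samples whose membership is guessed correctly.
    Assumed convention: a score below the threshold is predicted 'member'."""
    correct = sum((s < threshold) == m for s, m in zip(scores, is_member))
    return correct / len(scores)

def calibrate_threshold(scores, is_member):
    """Choose the threshold on the shadow model, where the member split is known."""
    cands = sorted(set(scores))
    best_t, best_asr = cands[0], asr(scores, is_member, cands[0])
    for lo, hi in zip(cands, cands[1:]):
        t = (lo + hi) / 2  # midpoints between neighbouring scores
        a = asr(scores, is_member, t)
        if a > best_asr:
            best_t, best_asr = t, a
    return best_t, best_asr

def synth_scores(rng, n, member_mu, nonmember_mu, sigma):
    """Constructed stand-in for per-sample attack scores (not real model output)."""
    scores = [rng.gauss(member_mu, sigma) for _ in range(n)]
    scores += [rng.gauss(nonmember_mu, sigma) for _ in range(n)]
    return scores, [True] * n + [False] * n

def transfer_experiment(seed=0):
    rng = random.Random(seed)
    # Shadow model: the evaluator trained it, so the labels are known.
    shadow_s, shadow_y = synth_scores(rng, 500, 1.0, 2.0, 0.5)
    # Victim model: slightly shifted score distribution, labels unknown to the attack.
    victim_s, victim_y = synth_scores(rng, 500, 1.05, 2.1, 0.5)
    t, shadow_asr = calibrate_threshold(shadow_s, shadow_y)
    # Victim labels are used only to measure ASR, never to pick the threshold.
    victim_asr = asr(victim_s, victim_y, t)
    return t, shadow_asr, victim_asr

if __name__ == "__main__":
    t, s_asr, v_asr = transfer_experiment()
    print(f"threshold={t:.3f} shadow ASR={s_asr:.3f} victim ASR={v_asr:.3f}")
```
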
Thanks for your explanation!
Thank you for your inspiring work!
But I have one more question: Could you please describe how to implement a "shadow environment"? When constructing the shadow model, do you assume that the adversary already knows the distribution of the dataset? (Or can obtain some of the training data?)
Hi,
Thanks for your great work! I have a question about the evaluation process. In my understanding, current implementations directly use the member/non-member labels to get the threshold for $SecMI_{stat}$ and for NN training in $SecMI_{NNs}$. Shouldn't the attackers only have access to the data distribution $D$ instead of $D_M$ or $D_H$?
https://github.com/jinhaoduan/SecMI/blob/e216395db255a0653da43bdaaeaf7d22bf91a7d7/mia_evals/secmia.py#L241