privacytrustlab / ml_privacy_meter

Privacy Meter: An open-source library to audit data privacy in statistical and machine learning algorithms.
MIT License

Conceptual difference between Metric and InferenceGame and relation with Attack Framework by Ye et al. 2022 #111

Closed intx4 closed 1 year ago

intx4 commented 1 year ago

Hello, first of all, I wanted to congratulate you on the impressive quality of the work you did with privacy_meter, it's really great.

I wanted to ask what is the conceptual difference between the Metric and InferenceGame. It seems to me that there is a 1:1 relationship between the notion of InferenceGame and the Inference Game definitions (3.1-3.4) given by Ye et al. However, it seems that this notion is not used when mounting the actual attack, which relies instead on the Metric notion. InferenceGame is then used when generating the report. I am failing to understand exactly how these two notions are related to each other.

Thanks in advance!

changhongyan123 commented 1 year ago

Hi @intx4, you're correct. The inference game corresponds to various privacy games detailed in the paper. Meanwhile, the attack algorithm works independently of the privacy game, allowing flexibility in choosing different attacks for different games. For example, both the population attack and the reference attack can be employed to assess the privacy vulnerabilities of a learning algorithm. Essentially, Metric and InferenceGame operate as separate components within the tool. To illustrate, in the configuration file for the basic tutorials found at this link, you can select the inference game (audit.privacy_game) and the attack algorithm (audit.algorithm) you wish to utilize. Hope it clarifies.

intx4 commented 1 year ago

Hi @changhongyan123, thanks for the clarification. However, I am still in doubt. Referring for example to the tutorials in the advanced section, my understanding was that (according to the paper) different attacks (e.g. Shadow vs Reference) recover different notions of Membership Inference Game (3.1-3.4) thanks to how they model the distribution of the OUT world. For example, taking the Shadow Metric, my understanding is that it should not be possible/meaningful to run the inference game PRIVACY_LOSS_SAMPLE as this metric (if this is equivalent to attack S from the paper) should grasp the average privacy loss for the training algorithm over the training dataset (game 3.1). I guess a more practical way to ask my question would be: what is the combination of InferenceGame + Metric to recover the attack mounted in the paper? (or if there is a best practice way to combine Metrics and InferenceGames)

yuan74 commented 1 year ago

Hi @intx4, thank you for the question. We confirm that all the attacks in the paper are evaluated using the avg_privacy_loss_training_algo inference game, i.e., for measuring the average privacy loss of a training algorithm. The attacks use different metrics to design the attack algorithm, though. Specifically, attack S uses the ShadowMetric, attack P uses the PopulationMetric, and attack R uses the ReferenceMetric to design the attack algorithm.

The InferenceGame and Metric are independent components. Essentially any attack (designed using an arbitrary Metric) could be used under any inference game (to measure differing kinds of privacy loss). Hope this clarifies the question.

intx4 commented 1 year ago

> Hi @intx4, thank you for the question. We confirm that all the attacks in the paper are evaluated using the avg_privacy_loss_training_algo inference game, i.e., for measuring the average privacy loss of a training algorithm. The attacks use different metrics to design the attack algorithm, though. Specifically, attack S uses the ShadowMetric, attack P uses the PopulationMetric, and attack R uses the ReferenceMetric to design the attack algorithm.
>
> The InferenceGame and Metric are independent components. Essentially any attack (designed using arbitrary Metric) could be used under any inference games (to measure differing kinds of privacy loss). Hope this clarifies the question.

Hi @yuan74, I had some time to go through the code and I think I understand what you mean. Many thanks for all the replies to this issue. I will close it.
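The separation discussed in this thread (the game decides how the challenge is sampled, the metric decides how membership is guessed) as an added toy audit; it is not part of the thread and not Privacy Meter code. It assumes a memorising "training algorithm" on 1-D data, and every function name is hypothetical and does not use the library's API.

```python
import random

def train(points):
    """Toy training algorithm (assumption): memorise the data; loss = distance to nearest point."""
    pts = list(points)
    return lambda x: min(abs(x - p) for p in pts)

def quantile(values, alpha):
    s = sorted(values)
    return s[int(alpha * (len(s) - 1))]

# Games: each round yields (target model's loss function, challenge point, is_member).
def game_avg_training_algo(rng, n=50):
    """Fresh model and fresh challenge point every round (average over the algorithm)."""
    data = [rng.random() for _ in range(n)]
    member = rng.random() < 0.5
    x = rng.choice(data) if member else rng.random()
    return train(data), x, member

def game_fixed_sample(rng, n=50, x0=0.5):
    """Same target record x0 every round; only the rest of the training set varies."""
    data = [rng.random() for _ in range(n)]
    member = rng.random() < 0.5
    return train(data + [x0] if member else data), x0, member

# Attacks (metrics): guess "member" when the target loss falls under a threshold.
def population_attack(loss, x, rng, alpha=0.1):
    """One threshold for all points: alpha-quantile of target loss on population data."""
    pop = [rng.random() for _ in range(200)]
    return loss(x) <= quantile([loss(z) for z in pop], alpha)

def reference_attack(loss, x, rng, alpha=0.1, n_ref=20, n_train=50):
    """Per-point threshold: loss of x under reference models trained without x."""
    refs = [train(rng.random() for _ in range(n_train)) for _ in range(n_ref)]
    return loss(x) <= quantile([r(x) for r in refs], alpha)

def audit(game, attack, rounds=200, seed=0):
    """Play the game `rounds` times and return the attack's (TPR, FPR)."""
    rng = random.Random(seed)
    tp = fp = members = 0
    for _ in range(rounds):
        loss, x, is_member = game(rng)
        guess = attack(loss, x, rng)
        members += is_member
        tp += guess and is_member
        fp += guess and not is_member
    return tp / members, fp / (rounds - members)

def run_all():
    """Every attack under every game: the two choices are independent."""
    games, attacks = (game_avg_training_algo, game_fixed_sample), (population_attack, reference_attack)
    return {(g.__name__, a.__name__): audit(g, a) for g in games for a in attacks}

if __name__ == "__main__":
    for combo, (tpr, fpr) in run_all().items():
        print(combo, f"TPR={tpr:.2f} FPR={fpr:.2f}")
```

Because the toy model memorises its training set, both attacks reach full true-positive rate in both games; what changes between attacks is how the threshold is built, and what changes between games is which privacy loss the resulting rates describe.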