Closed amad-person closed 2 years ago
Review for task 1:
dataset.subdivide() function: under "random" method, the function creates possibly overlapping random splits of the dataset. However, since one of these splits would be used for training and testing the target model, maybe enforcing that the first split (for target model) does not overlap with other splits would be helpful? P.S. under "independent" method, this is true because all splits are non-overlapping splits of the actual dataset.
default output in the dataset object, what would be the default output feature for unsupervised learning? E.g. for generative model?
PyTorch() models would be helpful?
metric and audit: Is the audit function both for constructing attack strategy, and for evaluation attack performance on the target? Is it possible to decouple attack strategy construction, and evaluation attack on target? This is because
a. construction of attacks may be expensive, so people may not want to construct a new strategy again every time we attack a different object?
b. after decoupling attack strategy construction and auditing process, people only need to edit the attack strategy construction code to add their attack algorithm. Similarly, people only need to change the audit code if they want to support other attack evaluation metric such as precision and recall?
The current dataset format might lead to problems with larger (image, language) where saving everything in one file/memory becomes impractical
Why does Victor not appear as a contributor?
I think a little description/ evaluation of the result would be good for the tutorial (right now it just states a bunch of metrics) also might be good to have an example where the accuracy of the attack is better than around 50%.
/home/martin/anaconda3/envs/privacy_meter/lib/python3.6/site-packages/torch/nn/modules/container.py:141: UserWarning: Implicit dimension choice for softmax has been deprecated. Change the call to include dim=X as an argument.
input = module(input)
Why is the gradient signal not calculated per point like the other signals? (for (sample_x, sample_y) in zip(x, y):)
The difference between signal and information source might be a bit confusing
I managed to use my own signal (gradientNorm), without much hassle. So that seems to work fine.
I didn’t manage to use counterfactual distance as a signal (because the method I wanted to use to create counterfactuals needs access to both the model and the training data), but I don’t think that’s much of an issue.
Metric calculation (when using gradients per point) takes a while, would be nice to see some kind of timer/warning (but that’s not so important)
Overall: I can successfully run the tutorial on Purchase100 dataset and Cifar10 dataset. In addition, I managed to create new signals (gradient norm and prediction) to conduct the attack. Finally, I successfully implemented the attack based on the multi-threshold strategy.
Review for task 1:
Review 2 & 3: If I didn't miss anything, the current version finds a single threshold for all points. I wonder why not include multi thresholds strategy. I tried to audit models' information leakage with group-based thresholds. The setting is as follows:
Applying group-based thresholds improves the attack accuracy on the default setting provided in the notebook. Thus, I think new APIs are easy to follow. It may be good to include the multi-threshold strategy.
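An added illustration of the group-based threshold idea raised in the review above (not code from this PR or from Privacy Meter). It assumes a loss signal, the rule "member if loss <= threshold", and a grouping such as the class label; all function names and loss values are constructed for the example.

```python
from collections import defaultdict


def rows(group, member_losses, nonmember_losses):
    """Build (group, loss, is_member) rows for one group."""
    return ([(group, loss, True) for loss in member_losses]
            + [(group, loss, False) for loss in nonmember_losses])


# Constructed loss signals, not real measurements. Group B is harder for the
# model, so even its training members have a higher loss than A's non-members.
REFERENCE = (rows("A", [0.10, 0.20, 0.30], [0.60, 0.70, 0.80])
             + rows("B", [1.00, 1.10, 1.20], [1.80, 1.90, 2.00]))
TARGET = (rows("A", [0.15, 0.25, 0.35], [0.55, 0.65, 0.90])
          + rows("B", [0.95, 1.05, 1.30], [1.70, 1.85, 2.10]))


def accuracy(samples, threshold_for):
    """Share of rows where the rule 'member iff loss <= threshold' is right."""
    hits = sum((loss <= threshold_for(group)) == is_member
               for group, loss, is_member in samples)
    return hits / len(samples)


def fit_threshold(samples):
    """Pick the observed loss value that maximises accuracy on `samples`."""
    candidates = sorted({loss for _, loss, _ in samples})
    candidates.insert(0, candidates[0] - 1.0)  # "nobody is a member" option
    return max(candidates, key=lambda t: accuracy(samples, lambda _g: t))


def fit_group_thresholds(samples):
    """Fit one threshold per group instead of one for the whole population."""
    by_group = defaultdict(list)
    for row in samples:
        by_group[row[0]].append(row)
    return {group: fit_threshold(group_rows)
            for group, group_rows in by_group.items()}


def audit(reference, target):
    """Fit on reference signals only, then score both strategies on target."""
    single = fit_threshold(reference)
    per_group = fit_group_thresholds(reference)
    return {
        "single": accuracy(target, lambda _g: single),
        # A group unseen in the reference data falls back to the single threshold.
        "per_group": accuracy(target, lambda g: per_group.get(g, single)),
    }


if __name__ == "__main__":
    print(audit(REFERENCE, TARGET))
```

On this constructed data a single threshold underestimates leakage for the high-loss group, which is why an audit that reports only the single-threshold accuracy can look close to chance.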
Review for task 1, CausalLM tutorial (I have mostly focused on this tutorial for now, but will go through the rest as well):
The code ran fine for me, but maybe instead of installing the packages through python in the notebook, it would be better if we have an env file that people install and make a conda environment? it's just that installing through python in notebooks sometimes behaves strangely and causes problems.
Rest of the Review for Task 1:
For the developer guide, maybe let’s create a table of contents and numberings so that it’s easier to navigate. Also, I am not 100% sure about this but I feel like it might be better to first have the building and publishing, then the documentation?
Maybe it would be a good idea to add some explanation of what openvino is, to the openvino_models.ipynb notebook.
Minor: In shadow_metric.ipynb notebook, the 13th box, let’s limit the number of prints? right now people really have to scroll far.
One overall suggestion I have is maybe we should have scripts (bash/python scripts) that we can have people run, like
attack_causal_lm.py --target_model_checkpoint finetuned_gpt2 --attack_type ref_based
I see that the notebooks kind of do this, but sometimes having scripts makes it easier for people to run and adjust things.
Task 2:
Privacy Meter 1.0
Overview
This PR contains changes for the revamp of the tool 🎉.
Users will now follow this workflow to use Privacy Meter:
Dataset objects so Privacy Meter can use them.
Model objects for making them compatible with Privacy Meter.
InformationSource objects that will determine which models are used for querying which splits of the datasets. These objects are used to compute signals required by the metric.
Metric object that takes in the target + reference information sources and signals e.g. ModelLoss. One can also provide a hypothesis test function if the metric uses it. If the user wants to use the default version of a metric without constructing their own, they can choose to do so as well.
Audit object and calling its .run() method.
Tasks for the reviewers
Ordering the tasks in terms of how deep you have to dive into the code:
docs/ folder and commenting on whether the new API was easy to understand and use.
Audit, Metric, InformationSource, Signal, Model, Dataset and leaving comments/suggestions w.r.t. the architecture design.
ReferenceMetric from the Enhanced MIA paper. This will help us see how easy it is for users to add their own attacks to the tool.
The temporary API documentation website is hosted here: https://privacy-meter-doc-test-2.web.app/privacy_meter.html