yigitcankaya / augmentation_mia

The source code for ICML2021 paper When Does Data Augmentation Help With Membership Inference Attacks?
http://www.cs.umd.edu/~yigitcan/

missing config file for the attack #1

Closed zzzucf closed 3 years ago

zzzucf commented 3 years ago

It seems like the current config file does not contain "n_attacker_train" and "n_attacker_test", which are required in mia_attacks.py. Are these two parameters representing the number of samples used to estimate the threshold for Adv_std and Adv_pow (located in Chapter 4, Attacks in the paper)? By default, are these parameters set to 100 randomly chosen samples from the training and testing sets?

yigitcankaya commented 3 years ago

Thanks for pointing it out. Fixed it: n_train is 100 (to estimate the thresholds), n_test is 5000 (to apply the membership inference attacks).

zzzucf commented 3 years ago

Thanks for the quick fix. Another small question here is whether yeom_w_get_best_threshold produces the result of adv_pow? The adv_pow was referred to "White-box vs Black-box: Bayes Optimal Strategies for Membership Inference" in the paper, but the result that popped out was named yeom_w_get_best_threshold. I tried to match this function with MALT or MAST from https://github.com/facebookresearch/whitebox_blackbox and the "White-box vs.." paper, but I could not find anything useful. Their code is too difficult to read. Any comments will be appreciated, thanks!

yigitcankaya commented 3 years ago

> Thanks for the quick fix. Another small question here is whether yeom_w_get_best_threshold produces the result of adv_pow? The adv_pow was referred to "White-box vs Black-box: Bayes Optimal Strategies for Membership Inference" in the paper, but the result that popped out was named yeom_w_get_best_threshold. I tried to match this function with MALT or MAST from https://github.com/facebookresearch/whitebox_blackbox and the "White-box vs.." paper, but I could not find anything useful. Their code is too difficult to read. Any comments will be appreciated, thanks!

The answer to the first question is yes: yeom_w_get_best_threshold is adv_pow, where instead of using the mean as the threshold, the attack searches for the best threshold to maximize MIA success.

This attack is a version of MALT from that paper but instead of finding the best threshold over the entire dataset (unrealistic) the adversary has a data set (N samples from the training set and N from the testing set) and finds the best threshold that achieves the highest MIA success on this dataset. Then the adversary applies this threshold to do inference for the rest of the training and testing samples. This is why sometimes you'll see adv_std is better than adv_pow, if the attacker's data set was not enough to find a better threshold than simply the average loss.
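
Added example (not part of the thread and not the repository's code): a self-contained sketch of the two loss-threshold rules discussed above, for measuring how much a model's per-sample losses leak membership. Assumptions: the function names are hypothetical, "MIA success" is taken to be balanced accuracy, the mean threshold is computed from the adversary's known training samples, and the losses are constructed synthetic draws rather than output from a real model.

```python
import random
from statistics import mean

def accuracy(threshold, member_losses, nonmember_losses):
    """Balanced accuracy of the rule 'loss <= threshold means training member'."""
    tpr = sum(l <= threshold for l in member_losses) / len(member_losses)
    tnr = sum(l > threshold for l in nonmember_losses) / len(nonmember_losses)
    return (tpr + tnr) / 2

def mean_threshold(known_members):
    """adv_std-style: use the average loss of the known training samples."""
    return mean(known_members)

def best_threshold(known_members, known_nonmembers):
    """adv_pow-style: pick the observed loss value that maximises accuracy
    on the adversary's own labelled samples."""
    candidates = sorted(set(known_members) | set(known_nonmembers))
    return max(candidates,
               key=lambda t: accuracy(t, known_members, known_nonmembers))

def simulate(seed=0, n_train=100, n_test=5000):
    """Constructed losses: members ~ Exp(mean 0.2), non-members ~ Exp(mean 0.8)."""
    rng = random.Random(seed)
    draw = lambda avg, n: [rng.expovariate(1 / avg) for _ in range(n)]
    # n_train samples per side to estimate thresholds, n_test to evaluate.
    known_in, known_out = draw(0.2, n_train), draw(0.8, n_train)
    eval_in, eval_out = draw(0.2, n_test), draw(0.8, n_test)
    t_std = mean_threshold(known_in)
    t_pow = best_threshold(known_in, known_out)
    return {"adv_std": accuracy(t_std, eval_in, eval_out),
            "adv_pow": accuracy(t_pow, eval_in, eval_out)}

if __name__ == "__main__":
    for seed in range(3):
        print(seed, simulate(seed))
```

Because the searched threshold is fitted on only n_train samples per side, its held-out accuracy can land below the mean threshold's for some seeds, which is the effect described in the last comment.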