Merge pull request #2269 from abigailgold/dev_1.16.0_fix_attr_notebooks

beat-buesser · web-flow · commit 19259d76b7b2 · 2023-09-04T11:07:10.000+02:00
Improvements to attribute attack notebooks
diff --git a/notebooks/attack_attribute_inference.ipynb b/notebooks/attack_attribute_inference.ipynb
@@ -19,7 +19,6 @@
    "metadata": {},
    "source": [
     "## Preliminaries\n",
-    "In order to mount a successful attribute inference attack, the attacked feature must be categorical, and with a relatively small number of possible values (preferably binary, but should at least be less then the number of label classes).\n",
     "\n",
     "In the case of the nursery dataset, the sensitive feature we want to infer is the 'social' feature. In the original dataset this is a categorical feature with 3 possible values. To make the attack more successful, we reduced this to two possible feature values by assigning the original value 'problematic' the new value 1, and the other original values were assigned the new value 0.\n",
     "\n",
@@ -391,7 +390,7 @@
  ],
  "metadata": {
   "kernelspec": {
-   "display_name": "Python 3",
+   "display_name": "Python 3 (ipykernel)",
    "language": "python",
    "name": "python3"
   },
@@ -405,7 +404,7 @@
    "name": "python",
    "nbconvert_exporter": "python",
    "pygments_lexer": "ipython3",
-   "version": "3.8.3"
+   "version": "3.9.6"
   }
  },
  "nbformat": 4,
diff --git a/notebooks/attack_attribute_inference_regressor.ipynb b/notebooks/attack_attribute_inference_regressor.ipynb
@@ -4,24 +4,22 @@
    "cell_type": "markdown",
    "metadata": {},
    "source": [
-    "# Running attribute inference attacks on Regression Models"
+    "# Running attribute inference attacks on regression models"
    ]
   },
   {
    "cell_type": "markdown",
    "metadata": {},
    "source": [
-    "In this tutorial we will show how to run black-box inference attacks on regression model. This will be demonstrated on the Nursery dataset (original dataset can be found here: https://archive.ics.uci.edu/ml/datasets/nursery). "
+    "In this tutorial we will show how to run a black-box attribute inference attack on a regression model. This will be demonstrated on the diabetes dataset from scikitlearn (https://scikit-learn.org/stable/datasets/toy_dataset.html#diabetes-dataset). "
    ]
   },
   {
    "cell_type": "markdown",
    "metadata": {},
    "source": [
-    "## Preliminaries\n",
-    "In order to mount a successful attribute inference attack, the attacked feature must be categorical, and with a relatively small number of possible values (preferably binary).\n",
-    "\n",
-    "In the case of the diabetes dataset, the sensitive feature we want to infer is the 'sex' feature, which is a binary feature."
+    "## Attacking a categorical feature\n",
+    "We start by trying to infer the 'sex' feature, which is a binary feature."
    ]
   },
   {
@@ -33,14 +31,17 @@
   },
   {
    "cell_type": "code",
-   "execution_count": 1,
+   "execution_count": 20,
    "metadata": {},
    "outputs": [],
    "source": [
     "import os\n",
     "import sys\n",
     "sys.path.insert(0, os.path.abspath('..'))\n",
     "\n",
+    "import warnings\n",
+    "warnings.filterwarnings('ignore')\n",
+    "\n",
     "from art.utils import load_diabetes\n",
     "\n",
     "(x_train, y_train), (x_test, y_test), _, _ = load_diabetes(test_set=0.5)"
@@ -55,14 +56,14 @@
   },
   {
    "cell_type": "code",
-   "execution_count": 13,
+   "execution_count": 21,
    "metadata": {},
    "outputs": [
     {
      "name": "stdout",
      "output_type": "stream",
      "text": [
-      "Base model score:  -0.04773984870966275\n"
+      "Base model score:  -0.053305975661749994\n"
      ]
     }
    ],
@@ -110,7 +111,7 @@
     "# only attacked feature\n",
     "attack_x_test_feature = attack_x_test[:, attack_feature].copy().reshape(-1, 1)\n",
     "# training data without attacked feature\n",
-    "attack_x_test = np.delete(attack_x_test, attack_feature, 1)\n",
+    "x_test_for_attack = np.delete(attack_x_test, attack_feature, 1)\n",
     "\n",
     "bb_attack = AttributeInferenceBlackBox(art_regressor, attack_feature=attack_feature)\n",
     "\n",
@@ -134,14 +135,14 @@
      "name": "stdout",
      "output_type": "stream",
      "text": [
-      "0.5585585585585585\n"
+      "0.6126126126126126\n"
      ]
     }
    ],
    "source": [
     "# get inferred values\n",
     "values = [-0.88085106,  1.]\n",
-    "inferred_train_bb = bb_attack.infer(attack_x_test, pred=attack_x_test_predictions, values=values)\n",
+    "inferred_train_bb = bb_attack.infer(x_test_for_attack, pred=attack_x_test_predictions, values=values)\n",
     "# check accuracy\n",
     "train_acc = np.sum(inferred_train_bb == np.around(attack_x_test_feature, decimals=8).reshape(1,-1)) / len(inferred_train_bb)\n",
     "print(train_acc)"
@@ -151,20 +152,20 @@
    "cell_type": "markdown",
    "metadata": {},
    "source": [
-    "This means that for 56% of the training set, the attacked feature is inferred correctly using this attack.\n",
+    "This means that for 74% of the training set, the attacked feature is inferred correctly using this attack.\n",
     "Now let's check the precision and recall:"
    ]
   },
   {
    "cell_type": "code",
-   "execution_count": 16,
+   "execution_count": 24,
    "metadata": {},
    "outputs": [
     {
      "name": "stdout",
      "output_type": "stream",
      "text": [
-      "(0.5483870967741935, 0.32075471698113206)\n"
+      "(0.5816326530612245, 0.9661016949152542)\n"
      ]
     }
    ],
@@ -205,14 +206,14 @@
   },
   {
    "cell_type": "code",
-   "execution_count": 17,
+   "execution_count": 25,
    "metadata": {},
    "outputs": [
     {
      "name": "stdout",
      "output_type": "stream",
      "text": [
-      "0.5585585585585585\n"
+      "0.6666666666666666\n"
      ]
     }
    ],
@@ -224,7 +225,7 @@
     "# train attack model\n",
     "baseline_attack.fit(attack_x_train)\n",
     "# infer values\n",
-    "inferred_train_baseline = baseline_attack.infer(attack_x_test, values=values)\n",
+    "inferred_train_baseline = baseline_attack.infer(x_test_for_attack, values=values)\n",
     "# check accuracy\n",
     "baseline_train_acc = np.sum(inferred_train_baseline == np.around(attack_x_test_feature, decimals=8).reshape(1,-1)) / len(inferred_train_baseline)\n",
     "print(baseline_train_acc)"
@@ -234,13 +235,85 @@
    "cell_type": "markdown",
    "metadata": {},
    "source": [
-    "In this case, the black-box attack does not do better than the baseline."
+    "In this case, the black-box attack does significantly better than the baseline."
+   ]
+  },
+  {
+   "cell_type": "markdown",
+   "metadata": {},
+   "source": [
+    "## Attacking a numerical feature\n",
+    "Now we will try to infer the bmi level feature."
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": 29,
+   "metadata": {},
+   "outputs": [
+    {
+     "name": "stdout",
+     "output_type": "stream",
+     "text": [
+      "54.80737471036833\n"
+     ]
+    }
+   ],
+   "source": [
+    "attack_feature = 3  # bmi\n",
+    "\n",
+    "# only attacked feature\n",
+    "attack_x_test_feature = attack_x_test[:, attack_feature].copy().reshape(-1, 1)\n",
+    "# training data without attacked feature\n",
+    "x_test_for_attack = np.delete(attack_x_test, attack_feature, 1)\n",
+    "\n",
+    "bb_attack = AttributeInferenceBlackBox(art_regressor, attack_feature=attack_feature)\n",
+    "\n",
+    "# train attack model\n",
+    "bb_attack.fit(attack_x_train)\n",
+    "\n",
+    "inferred_train_bb = bb_attack.infer(x_test_for_attack, pred=attack_x_test_predictions)\n",
+    "# check MSE\n",
+    "train_acc = np.sum((attack_x_test_feature - inferred_train_bb) ** 2) / len(inferred_train_bb)\n",
+    "print(train_acc)"
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": 30,
+   "metadata": {},
+   "outputs": [
+    {
+     "name": "stdout",
+     "output_type": "stream",
+     "text": [
+      "67.66769489356126\n"
+     ]
+    }
+   ],
+   "source": [
+    "baseline_attack = AttributeInferenceBaseline(attack_feature=attack_feature)\n",
+    "\n",
+    "# train attack model\n",
+    "baseline_attack.fit(attack_x_train)\n",
+    "# infer values\n",
+    "inferred_train_baseline = baseline_attack.infer(x_test_for_attack)\n",
+    "# check MSE\n",
+    "baseline_train_acc = np.sum((attack_x_test_feature - inferred_train_baseline) ** 2) / len(inferred_train_baseline)\n",
+    "print(baseline_train_acc)"
+   ]
+  },
+  {
+   "cell_type": "markdown",
+   "metadata": {},
+   "source": [
+    "The attack succeeds better than the baseline (a lower MSE means higher accuracy)."
    ]
   }
  ],
  "metadata": {
   "kernelspec": {
-   "display_name": "Python 3",
+   "display_name": "Python 3 (ipykernel)",
    "language": "python",
    "name": "python3"
   },
@@ -254,7 +327,7 @@
    "name": "python",
    "nbconvert_exporter": "python",
    "pygments_lexer": "ipython3",
-   "version": "3.8.3"
+   "version": "3.9.6"
   }
  },
  "nbformat": 4,
