Merge pull request #720 from Trusted-AI/development_issue_595

Implement Label-Only Boundary Distance Attack and Gap Attack for Membership Inference

Author: beat-buesser

art/attacks/inference/membership_inference/__init__.py

@@ -3,3 +3,5 @@
 """
 from art.attacks.inference.membership_inference.black_box import MembershipInferenceBlackBox
 from art.attacks.inference.membership_inference.black_box_rule_based import MembershipInferenceBlackBoxRuleBased
+from art.attacks.inference.membership_inference.label_only_gap_attack import LabelOnlyGapAttack
+from art.attacks.inference.membership_inference.label_only_boundary_distance import LabelOnlyDecisionBoundary

art/attacks/inference/membership_inference/black_box_rule_based.py

@@ -46,6 +46,7 @@ class MembershipInferenceBlackBoxRuleBased(InferenceAttack):
         member. Otherwise, it is not a member.
     """
 
+    attack_params = InferenceAttack.attack_params
     _estimator_requirements = (BaseEstimator, ClassifierMixin)
 
     def __init__(self, classifier: "CLASSIFIER_TYPE"):
@@ -71,10 +72,9 @@ def infer(self, x: np.ndarray, y: Optional[np.ndarray] = None, **kwargs) -> np.n
             raise ValueError("Shape of x does not match input_shape of classifier")
 
         y = check_and_transform_label_format(y, len(np.unique(y)), return_one_hot=True)
-        y = np.array([np.argmax(arr) for arr in y]).reshape(-1, 1)
         if y.shape[0] != x.shape[0]:
             raise ValueError("Number of rows in x and y do not match")
 
         # get model's predictions for x
-        predictions = np.array([np.argmax(arr) for arr in self.estimator.predict(x)]).reshape(-1, 1)
-        return np.asarray([1 if p == y[index] else 0 for index, p in enumerate(predictions)])
+        y_pred = self.estimator.predict(x=x)
+        return (np.argmax(y, axis=1) == np.argmax(y_pred, axis=1)).astype(np.int)

art/attacks/inference/membership_inference/label_only_boundary_distance.py

@@ -0,0 +1,143 @@
+# MIT License
+#
+# Copyright (C) The Adversarial Robustness Toolbox (ART) Authors 2020
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
+# documentation files (the "Software"), to deal in the Software without restriction, including without limitation the
+# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit
+# persons to whom the Software is furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all copies or substantial portions of the
+# Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
+# WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+# TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+"""
+This module implements the Label-Only Inference Attack based on Decision Boundary.
+
+| Paper link: https://arxiv.org/abs/2007.14321
+"""
+import logging
+from typing import Optional, NoReturn, TYPE_CHECKING
+
+import numpy as np
+
+from art.attacks.attack import InferenceAttack
+from art.estimators.estimator import BaseEstimator
+from art.estimators.classification.classifier import ClassifierMixin
+
+if TYPE_CHECKING:
+    from art.utils import CLASSIFIER_TYPE
+
+logger = logging.getLogger(__name__)
+
+
+class LabelOnlyDecisionBoundary(InferenceAttack):
+    """
+    Implementation of Label-Only Inference Attack based on Decision Boundary.
+
+    | Paper link: https://arxiv.org/abs/2007.14321
+    """
+
+    attack_params = InferenceAttack.attack_params + [
+        "distance_threshold_tau",
+    ]
+    _estimator_requirements = (BaseEstimator, ClassifierMixin)
+
+    def __init__(self, estimator: "CLASSIFIER_TYPE", distance_threshold_tau: Optional[float] = None):
+        """
+        Create a `LabelOnlyDecisionBoundary` instance for Label-Only Inference Attack based on Decision Boundary.
+
+        :param estimator: A trained classification estimator.
+        :param distance_threshold_tau: Threshold distance for decision boundary. Samples with boundary distances larger
+                                       than threshold are considered members of the training dataset.
+        """
+        super().__init__(estimator=estimator)
+        self.distance_threshold_tau = distance_threshold_tau
+        self._check_params()
+
+    def infer(self, x: np.ndarray, y: Optional[np.ndarray] = None, **kwargs) -> np.ndarray:
+        """
+        Infer membership of input `x` in estimator's training data.
+
+        :param x: Input data.
+        :param y: True labels for `x`.
+        :param kwargs: Parameters for HopSkipJump attack except argument `estimator`.
+        :return: An array holding the inferred membership status, 1 indicates a member and 0 indicates non-member.
+        """
+        from art.attacks.evasion.hop_skip_jump import HopSkipJump
+
+        hsj = HopSkipJump(classifier=self.estimator, **kwargs)
+        x_adv = hsj.generate(x=x, y=y)
+
+        distance = np.linalg.norm((x_adv - x).reshape((x.shape[0], -1)), ord=2, axis=1)
+
+        y_pred = self.estimator.predict(x=x)
+
+        distance[np.argmax(y_pred, axis=1) != np.argmax(y, axis=1)] = 0
+
+        is_member = np.where(distance > self.distance_threshold_tau, 1, 0)
+
+        return is_member
+
+    def calibrate_distance_threshold(
+        self,
+        classifier_train: "CLASSIFIER_TYPE",
+        x_train: np.ndarray,
+        y_train: np.ndarray,
+        x_test: np.ndarray,
+        y_test: np.ndarray,
+        **kwargs
+    ) -> NoReturn:
+        """
+        Calibrate distance threshold maximising the membership inference accuracy on `x_train` and `x_test`.
+
+        :param classifier_train: A trained classifier
+        :param x_train: Training data.
+        :param y_train: Labels of training data `x_train`.
+        :param x_test: Test data.
+        :param y_test: Labels of test data `x_test`.
+        """
+        from art.attacks.evasion.hop_skip_jump import HopSkipJump
+
+        hsj = HopSkipJump(classifier=classifier_train, **kwargs)
+
+        x_train_adv = hsj.generate(x=x_train, y=y_train)
+        x_test_adv = hsj.generate(x=x_test, y=y_test)
+
+        distance_train = np.linalg.norm((x_train_adv - x_train).reshape((x_train.shape[0], -1)), ord=2, axis=1)
+        distance_test = np.linalg.norm((x_test_adv - x_test).reshape((x_test.shape[0], -1)), ord=2, axis=1)
+
+        y_train_pred = self.estimator.predict(x=x_train)
+        y_test_pred = self.estimator.predict(x=x_test)
+
+        distance_train[np.argmax(y_train_pred, axis=1) != np.argmax(y_train, axis=1)] = 0
+        distance_test[np.argmax(y_test_pred, axis=1) != np.argmax(y_test, axis=1)] = 0
+
+        num_increments = 100
+        tau_increment = np.amax([np.amax(distance_train), np.amax(distance_test)]) / num_increments
+
+        acc_max = 0.0
+        distance_threshold_tau = 0.0
+
+        for i_tau in range(1, num_increments):
+
+            is_member_train = np.where(distance_train > i_tau * tau_increment, 1, 0)
+            is_member_test = np.where(distance_test > i_tau * tau_increment, 1, 0)
+
+            acc = (np.sum(is_member_train) + (is_member_test.shape[0] - np.sum(is_member_test))) / (
+                is_member_train.shape[0] + is_member_test.shape[0]
+            )
+
+            if acc > acc_max:
+                distance_threshold_tau = i_tau * tau_increment
+                acc_max = acc
+
+        self.distance_threshold_tau = distance_threshold_tau
+
+    def _check_params(self) -> None:
+        if not isinstance(self.distance_threshold_tau, (int, float)) or self.distance_threshold_tau <= 0.0:
+            raise ValueError("The distance threshold `distance_threshold_tau` needs to be a positive float.")

art/attacks/inference/membership_inference/label_only_gap_attack.py

@@ -0,0 +1,31 @@
+# MIT License
+#
+# Copyright (C) The Adversarial Robustness Toolbox (ART) Authors 2020
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
+# documentation files (the "Software"), to deal in the Software without restriction, including without limitation the
+# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit
+# persons to whom the Software is furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all copies or substantial portions of the
+# Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
+# WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+# TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+"""
+This module implements the Label Only Gap Attack `.
+
+| Paper link: https://arxiv.org/abs/2007.14321
+"""
+import logging
+
+from art.attacks.inference.membership_inference import MembershipInferenceBlackBoxRuleBased
+
+
+logger = logging.getLogger(__name__)
+
+
+LabelOnlyGapAttack = MembershipInferenceBlackBoxRuleBased

tests/attacks/inference/attribute_inference/__init__.py

@@ -25,14 +25,9 @@
 import torch.optim as optim
 
 from art.attacks.inference.attribute_inference.black_box import AttributeInferenceBlackBox
-from art.attacks.inference.attribute_inference.white_box_decision_tree import AttributeInferenceWhiteBoxDecisionTree
-from art.attacks.inference.attribute_inference.white_box_lifestyle_decision_tree import (
-    AttributeInferenceWhiteBoxLifestyleDecisionTree,
-)
 from art.estimators.classification.pytorch import PyTorchClassifier
 from art.estimators.estimator import BaseEstimator
 from art.estimators.classification import ClassifierMixin
-from art.estimators.classification.scikitlearn import ScikitlearnDecisionTreeClassifier
 
 from tests.attacks.utils import backend_test_classifier_type_check_fail
 from tests.utils import ARTTestException
@@ -148,67 +143,5 @@ def transform_feature(x):
         art_warning(e)
 
 
-@pytest.mark.skipMlFramework("dl_frameworks")
-def test_white_box(art_warning, decision_tree_estimator, get_iris_dataset):
-    try:
-        attack_feature = 2  # petal length
-        values = [0.14, 0.42, 0.71]  # rounded down
-        priors = [50 / 150, 54 / 150, 46 / 150]
-
-        (x_train_iris, y_train_iris), (x_test_iris, y_test_iris) = get_iris_dataset
-        x_train_for_attack = np.delete(x_train_iris, attack_feature, 1)
-        x_train_feature = x_train_iris[:, attack_feature]
-        x_test_for_attack = np.delete(x_test_iris, attack_feature, 1)
-        x_test_feature = x_test_iris[:, attack_feature]
-
-        classifier = decision_tree_estimator()
-
-        attack = AttributeInferenceWhiteBoxDecisionTree(classifier, attack_feature=attack_feature)
-        x_train_predictions = np.array([np.argmax(arr) for arr in classifier.predict(x_train_iris)]).reshape(-1, 1)
-        x_test_predictions = np.array([np.argmax(arr) for arr in classifier.predict(x_test_iris)]).reshape(-1, 1)
-        inferred_train = attack.infer(x_train_for_attack, x_train_predictions, values=values, priors=priors)
-        inferred_test = attack.infer(x_test_for_attack, x_test_predictions, values=values, priors=priors)
-        train_diff = np.abs(inferred_train - x_train_feature.reshape(1, -1))
-        test_diff = np.abs(inferred_test - x_test_feature.reshape(1, -1))
-        assert np.sum(train_diff) / len(inferred_train) == pytest.approx(0.2108, abs=0.03)
-        assert np.sum(test_diff) / len(inferred_test) == pytest.approx(0.1988, abs=0.03)
-    except ARTTestException as e:
-        art_warning(e)
-
-
-@pytest.mark.skipMlFramework("dl_frameworks")
-def test_white_box_lifestyle(art_warning, decision_tree_estimator, get_iris_dataset):
-    try:
-        attack_feature = 2  # petal length
-        values = [0.14, 0.42, 0.71]  # rounded down
-        priors = [50 / 150, 54 / 150, 46 / 150]
-
-        (x_train_iris, y_train_iris), (x_test_iris, y_test_iris) = get_iris_dataset
-        x_train_for_attack = np.delete(x_train_iris, attack_feature, 1)
-        x_train_feature = x_train_iris[:, attack_feature]
-        x_test_for_attack = np.delete(x_test_iris, attack_feature, 1)
-        x_test_feature = x_test_iris[:, attack_feature]
-
-        classifier = decision_tree_estimator()
-        attack = AttributeInferenceWhiteBoxLifestyleDecisionTree(classifier, attack_feature=attack_feature)
-        x_train_predictions = np.array([np.argmax(arr) for arr in classifier.predict(x_train_iris)]).reshape(-1, 1)
-        x_test_predictions = np.array([np.argmax(arr) for arr in classifier.predict(x_test_iris)]).reshape(-1, 1)
-        inferred_train = attack.infer(x_train_for_attack, x_train_predictions, values=values, priors=priors)
-        inferred_test = attack.infer(x_test_for_attack, x_test_predictions, values=values, priors=priors)
-        train_diff = np.abs(inferred_train - x_train_feature.reshape(1, -1))
-        test_diff = np.abs(inferred_test - x_test_feature.reshape(1, -1))
-        assert np.sum(train_diff) / len(inferred_train) == pytest.approx(0.3357, abs=0.03)
-        assert np.sum(test_diff) / len(inferred_test) == pytest.approx(0.3149, abs=0.03)
-        # assert np.sum(train_diff) / len(inferred_train) < np.sum(test_diff) / len(inferred_test)
-    except ARTTestException as e:
-        art_warning(e)
-
-
 def test_classifier_type_check_fail():
     backend_test_classifier_type_check_fail(AttributeInferenceBlackBox, (BaseEstimator, ClassifierMixin))
-    backend_test_classifier_type_check_fail(
-        AttributeInferenceWhiteBoxLifestyleDecisionTree, (ScikitlearnDecisionTreeClassifier,)
-    )
-    backend_test_classifier_type_check_fail(
-        AttributeInferenceWhiteBoxDecisionTree, (ScikitlearnDecisionTreeClassifier,)
-    )

tests/attacks/inference/test_attribute_inference.py renamed to tests/attacks/inference/attribute_inference/test_black_box.py

@@ -0,0 +1,65 @@
+# MIT License
+#
+# Copyright (C) The Adversarial Robustness Toolbox (ART) Authors 2020
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
+# documentation files (the "Software"), to deal in the Software without restriction, including without limitation the
+# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit
+# persons to whom the Software is furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all copies or substantial portions of the
+# Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
+# WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+# TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+from __future__ import absolute_import, division, print_function, unicode_literals
+
+import logging
+import pytest
+
+import numpy as np
+
+from art.attacks.inference.attribute_inference.white_box_decision_tree import AttributeInferenceWhiteBoxDecisionTree
+from art.estimators.classification.scikitlearn import ScikitlearnDecisionTreeClassifier
+
+from tests.attacks.utils import backend_test_classifier_type_check_fail
+from tests.utils import ARTTestException
+
+logger = logging.getLogger(__name__)
+
+
+@pytest.mark.skipMlFramework("dl_frameworks")
+def test_white_box(art_warning, decision_tree_estimator, get_iris_dataset):
+    try:
+        attack_feature = 2  # petal length
+        values = [0.14, 0.42, 0.71]  # rounded down
+        priors = [50 / 150, 54 / 150, 46 / 150]
+
+        (x_train_iris, y_train_iris), (x_test_iris, y_test_iris) = get_iris_dataset
+        x_train_for_attack = np.delete(x_train_iris, attack_feature, 1)
+        x_train_feature = x_train_iris[:, attack_feature]
+        x_test_for_attack = np.delete(x_test_iris, attack_feature, 1)
+        x_test_feature = x_test_iris[:, attack_feature]
+
+        classifier = decision_tree_estimator()
+
+        attack = AttributeInferenceWhiteBoxDecisionTree(classifier, attack_feature=attack_feature)
+        x_train_predictions = np.array([np.argmax(arr) for arr in classifier.predict(x_train_iris)]).reshape(-1, 1)
+        x_test_predictions = np.array([np.argmax(arr) for arr in classifier.predict(x_test_iris)]).reshape(-1, 1)
+        inferred_train = attack.infer(x_train_for_attack, x_train_predictions, values=values, priors=priors)
+        inferred_test = attack.infer(x_test_for_attack, x_test_predictions, values=values, priors=priors)
+        train_diff = np.abs(inferred_train - x_train_feature.reshape(1, -1))
+        test_diff = np.abs(inferred_test - x_test_feature.reshape(1, -1))
+        assert np.sum(train_diff) / len(inferred_train) == pytest.approx(0.2108, abs=0.03)
+        assert np.sum(test_diff) / len(inferred_test) == pytest.approx(0.1988, abs=0.03)
+    except ARTTestException as e:
+        art_warning(e)
+
+
+def test_classifier_type_check_fail():
+    backend_test_classifier_type_check_fail(
+        AttributeInferenceWhiteBoxDecisionTree, (ScikitlearnDecisionTreeClassifier,)
+    )