Merge pull request #1825 from abigailgold/dev_1.11.1_pdtp

PDTP fixes

Author: beat-buesser

art/metrics/privacy/membership_leakage.py

@@ -19,12 +19,12 @@
 This module implements membership leakage metrics.
 """
 from __future__ import absolute_import, division, print_function, unicode_literals
-from typing import TYPE_CHECKING, Optional
+from typing import TYPE_CHECKING, Optional, Tuple
 
 import numpy as np
 import scipy
 
-from art.utils import check_and_transform_label_format, is_probability
+from art.utils import check_and_transform_label_format, is_probability_array
 
 if TYPE_CHECKING:
     from art.estimators.classification.classifier import Classifier
@@ -37,7 +37,7 @@ def PDTP(  # pylint: disable=C0103
     y: np.ndarray,
     indexes: Optional[np.ndarray] = None,
     num_iter: Optional[int] = 10,
-) -> np.ndarray:
+) -> Tuple[np.ndarray, np.ndarray, np.ndarray]:
     """
     Compute the pointwise differential training privacy metric for the given classifier and training set.
 
@@ -52,8 +52,8 @@ def PDTP(  # pylint: disable=C0103
                     computed for all samples in `x`.
     :param num_iter: the number of iterations of PDTP computation to run for each sample. If not supplied,
                      defaults to 10. The result is the average across iterations.
-    :return: an array containing the average PDTP value for each sample in the training set. The higher the value,
-             the higher the privacy leakage for that sample.
+    :return: A tuple of three arrays, containing the average (worse, standard deviation) PDTP value for each sample in
+             the training set respectively. The higher the value, the higher the privacy leakage for that sample.
     """
     from art.estimators.classification.pytorch import PyTorchClassifier
     from art.estimators.classification.tensorflow import TensorFlowV2Classifier
@@ -77,14 +77,15 @@ def PDTP(  # pylint: disable=C0103
         iter_results = []
         # get probabilities from original model
         pred = target_estimator.predict(x)
-        if not is_probability(pred):
+        if not is_probability_array(pred):
             try:
                 pred = scipy.special.softmax(pred, axis=1)
             except Exception as exc:  # pragma: no cover
                 raise ValueError("PDTP metric only supports classifiers that output logits or probabilities.") from exc
         # divide into 100 bins and return center of bin
         bins = np.array(np.arange(0.0, 1.01, 0.01).round(decimals=2))
         pred_bin_indexes = np.digitize(pred, bins)
+        pred_bin_indexes[pred_bin_indexes == 101] = 100
         pred_bin = bins[pred_bin_indexes] - 0.005
 
         if not indexes:
@@ -102,10 +103,11 @@ def PDTP(  # pylint: disable=C0103
             extra_estimator.fit(alt_x, alt_y)
             # get probabilities from new model
             alt_pred = extra_estimator.predict(x)
-            if not is_probability(alt_pred):
+            if not is_probability_array(alt_pred):
                 alt_pred = scipy.special.softmax(alt_pred, axis=1)
             # divide into 100 bins and return center of bin
             alt_pred_bin_indexes = np.digitize(alt_pred, bins)
+            alt_pred_bin_indexes[alt_pred_bin_indexes == 101] = 100
             alt_pred_bin = bins[alt_pred_bin_indexes] - 0.005
             ratio_1 = pred_bin / alt_pred_bin
             ratio_2 = alt_pred_bin / pred_bin
@@ -118,6 +120,8 @@ def PDTP(  # pylint: disable=C0103
     # We now have a list of list, internal lists represent an iteration. We need to transpose and get averages.
     per_sample = list(map(list, zip(*results)))
     avg_per_sample = np.array([sum(val) / len(val) for val in per_sample])
+    worse_per_sample = np.max(per_sample, axis=1)
+    std_dev_per_sample = np.std(per_sample, axis=1)
 
-    # return leakage per sample
-    return avg_per_sample
+    # return avg+worse leakage + standard deviation per sample
+    return avg_per_sample, worse_per_sample, std_dev_per_sample

art/utils.py

@@ -1562,6 +1562,24 @@ def is_probability(vector: np.ndarray) -> bool:
     return is_sum_1 and is_smaller_1 and is_larger_0
 
 
+def is_probability_array(array: np.ndarray) -> bool:
+    """
+    Check if a multi-dimensional array is an array of probabilities.
+
+    :param vector: A numpy array.
+    :return: True if it is an array of probabilities.
+    """
+    if len(array.shape) == 1:
+        return is_probability(array)
+    sum_array = np.sum(array, axis=1)
+    ones = np.ones_like(sum_array)
+    is_sum_1 = np.allclose(sum_array, ones, rtol=1e-03)
+    is_smaller_1 = np.amax(array) <= 1.0
+    is_larger_0 = np.amin(array) >= 0.0
+
+    return is_sum_1 and is_smaller_1 and is_larger_0
+
+
 def pad_sequence_input(x: np.ndarray) -> Tuple[np.ndarray, np.ndarray]:
     """
     Apply padding to a batch of 1-dimensional samples such that it has shape of (batch_size, max_length).

tests/metrics/privacy/test_membership_leakage.py

@@ -35,12 +35,15 @@ def test_membership_leakage_decision_tree(art_warning, decision_tree_estimator,
         extra_classifier = decision_tree_estimator()
         (x_train, y_train), _ = get_iris_dataset
         prev = classifier.model.tree_
-        leakage = PDTP(classifier, extra_classifier, x_train, y_train)
-        logger.info("Average PDTP leakage: %.2f", (np.average(leakage)))
-        logger.info("Max PDTP leakage: %.2f", (np.max(leakage)))
+        avg_leakage, worse_leakage, std_dev = PDTP(classifier, extra_classifier, x_train, y_train)
+        logger.info("Average PDTP leakage: %.2f", (np.average(avg_leakage)))
+        logger.info("Max PDTP leakage: %.2f", (np.max(avg_leakage)))
         assert classifier.model.tree_ == prev
-        assert np.all(leakage >= 1.0)
-        assert leakage.shape[0] == x_train.shape[0]
+        assert np.all(avg_leakage >= 1.0)
+        assert np.all(worse_leakage >= avg_leakage)
+        assert avg_leakage.shape[0] == x_train.shape[0]
+        assert worse_leakage.shape[0] == x_train.shape[0]
+        assert std_dev.shape[0] == x_train.shape[0]
     except ARTTestException as e:
         art_warning(e)
 
@@ -51,32 +54,40 @@ def test_membership_leakage_tabular(art_warning, tabular_dl_estimator, get_iris_
         classifier = tabular_dl_estimator()
         extra_classifier = tabular_dl_estimator()
         (x_train, y_train), _ = get_iris_dataset
-        leakage = PDTP(classifier, extra_classifier, x_train, y_train)
-        logger.info("Average PDTP leakage: %.2f", (np.average(leakage)))
-        logger.info("Max PDTP leakage: %.2f", (np.max(leakage)))
-        assert np.all(leakage >= 1.0)
-        assert leakage.shape[0] == x_train.shape[0]
+        avg_leakage, worse_leakage, std_dev = PDTP(classifier, extra_classifier, x_train, y_train)
+        logger.info("Average PDTP leakage: %.2f", (np.average(avg_leakage)))
+        logger.info("Max PDTP leakage: %.2f", (np.max(avg_leakage)))
+        assert np.all(avg_leakage >= 1.0)
+        assert np.all(worse_leakage >= avg_leakage)
+        assert avg_leakage.shape[0] == x_train.shape[0]
+        assert worse_leakage.shape[0] == x_train.shape[0]
+        assert std_dev.shape[0] == x_train.shape[0]
     except ARTTestException as e:
         art_warning(e)
 
 
-@pytest.mark.skip_framework("keras", "kerastf", "tensorflow1", "tensorflow2v1", "mxnet")
+@pytest.mark.skip_framework("scikitlearn", "keras", "kerastf", "tensorflow1", "tensorflow2v1", "mxnet")
 def test_membership_leakage_image(art_warning, image_dl_estimator, get_default_mnist_subset):
     try:
         classifier, _ = image_dl_estimator()
         extra_classifier, _ = image_dl_estimator()
         (x_train, y_train), _ = get_default_mnist_subset
         indexes = random.sample(range(x_train.shape[0]), 100)
-        leakage = PDTP(classifier, extra_classifier, x_train, y_train, indexes=indexes, num_iter=1)
-        logger.info("Average PDTP leakage: %.2f", (np.average(leakage)))
-        logger.info("Max PDTP leakage: %.2f", (np.max(leakage)))
-        assert np.all(leakage >= 1.0)
-        assert leakage.shape[0] == len(indexes)
+        avg_leakage, worse_leakage, std_dev = PDTP(
+            classifier, extra_classifier, x_train, y_train, indexes=indexes, num_iter=1
+        )
+        logger.info("Average PDTP leakage: %.2f", (np.average(avg_leakage)))
+        logger.info("Max PDTP leakage: %.2f", (np.max(avg_leakage)))
+        assert np.all(avg_leakage >= 1.0)
+        assert np.all(worse_leakage >= avg_leakage)
+        assert avg_leakage.shape[0] == 100
+        assert worse_leakage.shape[0] == 100
+        assert std_dev.shape[0] == 100
     except ARTTestException as e:
         art_warning(e)
 
 
-@pytest.mark.skip_framework("keras", "kerastf", "tensorflow1", "mxnet")
+@pytest.mark.skip_framework("scikitlearn", "keras", "kerastf", "tensorflow1", "mxnet")
 def test_errors(art_warning, tabular_dl_estimator, get_iris_dataset, image_data_generator):
     try:
         classifier = tabular_dl_estimator()