applying binary classification patch supplied by Beat

Author: TrojAISec

art/attacks/inference/membership_inference/black_box.py

@@ -292,11 +292,9 @@ def infer(self, x: np.ndarray, y: Optional[np.ndarray] = None, **kwargs) -> np.n
 
             if inferred is not None:
                 if not probabilities:
-                    inferred_return = inferred.reshape(-1).astype(np.int)
+                    inferred_return = np.round(inferred)
                 else:
-                    inferred = inferred.reshape(-1)
-                    prob_0 = np.ones_like(inferred) - inferred
-                    inferred_return = np.stack((prob_0, inferred), axis=1)
+                    inferred_return = inferred
             else:
                 raise ValueError("No data available.")
         elif not self.default_model:
@@ -305,13 +303,13 @@ def infer(self, x: np.ndarray, y: Optional[np.ndarray] = None, **kwargs) -> np.n
             if probabilities:
                 inferred_return = pred
             else:
-                inferred_return = np.array([np.argmax(arr) for arr in pred])
+                inferred_return = np.round(pred)
         else:
             pred = self.attack_model.predict_proba(np.c_[features, y])  # type: ignore
             if probabilities:
-                inferred_return = pred
+                inferred_return = pred[:, [1]]
             else:
-                inferred_return = np.array([np.argmax(arr) for arr in pred])
+                inferred_return = np.round(pred[:, [1]])
 
         return inferred_return
 

tests/attacks/inference/membership_inference/test_black_box.py

@@ -122,7 +122,6 @@ def test_black_box_with_model(art_warning, tabular_dl_estimator_for_attack, esti
     try:
         classifier = tabular_dl_estimator_for_attack(MembershipInferenceBlackBox)
         attack_model = estimator_for_attack(num_features=2 * num_classes_iris)
-        print(type(attack_model).__name__)
         attack = MembershipInferenceBlackBox(classifier, attack_model=attack_model)
         backend_check_membership_accuracy(attack, get_iris_dataset, attack_train_ratio, 0.25)
     except ARTTestException as e:
@@ -153,7 +152,6 @@ def test_black_box_with_model_prob(
     try:
         classifier = tabular_dl_estimator_for_attack(MembershipInferenceBlackBox)
         attack_model = estimator_for_attack(num_features=2 * num_classes_iris)
-        print(type(attack_model).__name__)
         attack = MembershipInferenceBlackBox(classifier, attack_model=attack_model)
         backend_check_membership_probabilities(attack, get_iris_dataset, attack_train_ratio)
     except ARTTestException as e:
@@ -230,6 +228,5 @@ def backend_check_membership_probabilities(attack, dataset, attack_train_ratio):
 
 
 def backend_check_probabilities(pred, prob):
-    assert prob.shape[1] == 2
-    assert np.all(np.around(np.sum(prob, axis=1), decimals=5) == 1)
-    assert np.all(np.argmax(prob, axis=1) == pred.astype(int))
+    assert prob.shape[1] == 1
+    assert np.all(np.round(prob) == pred.astype(int))

tests/utils.py

@@ -1631,8 +1631,8 @@ def get_attack_classifier_pt(num_features):
     class AttackModel(nn.Module):
         def __init__(self, num_features):
             super(AttackModel, self).__init__()
-            self.layer = nn.Linear(num_features, 2)
-            self.output = nn.Softmax(dim=1)
+            self.layer = nn.Linear(num_features, 1)
+            self.output = nn.Sigmoid()
 
         def forward(self, x):
             return self.output(self.layer(x))
@@ -1641,7 +1641,7 @@ def forward(self, x):
     model = AttackModel(num_features)
 
     # Define a loss function and optimizer
-    loss_fn = nn.CrossEntropyLoss()
+    loss_fn = nn.BCELoss()
     optimizer = optim.Adam(model.parameters(), lr=0.0001)
     attack_model = PyTorchClassifier(
         model=model, loss=loss_fn, optimizer=optimizer, input_shape=(num_features,), nb_classes=2