hummingbird
/
mindarmour
Not watched
2
0
Fork 0
Code
Releases 17 Wiki Activity
Issues 0 Pull Requests 0 Datasets Model Cloudbrain
You can not select more than 25 topics Topics must start with a chinese character,a letter or number, can include dashes ('-') and can be up to 35 characters long.
Tree: b562ec551d
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'b562ec551d'
${ noResults }
mindarmour/mindarmour/privacy/evaluation/membership_inference.py

298 lines
13 kB
Raw Blame History 

  1. # Copyright 2020 Huawei Technologies Co., Ltd

  2. #

  3. # Licensed under the Apache License, Version 2.0 (the "License");

  4. # you may not use this file except in compliance with the License.

  5. # You may obtain a copy of the License at

  6. #

  7. # http://www.apache.org/licenses/LICENSE-2.0

  8. #

  9. # Unless required by applicable law or agreed to in writing, software

  10. # distributed under the License is distributed on an "AS IS" BASIS,

  11. # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  12. # See the License for the specific language governing permissions and

  13. # limitations under the License.

  14. """

  15. Membership Inference

  16. """

  17. 

  18. from multiprocessing import cpu_count

  19. import numpy as np

  20. 

  21. import mindspore as ms

  22. from mindspore.train import Model

  23. from mindspore.dataset.engine import Dataset

  24. from mindspore import Tensor

  25. from mindarmour.utils.logger import LogUtil

  26. from mindarmour.utils._check_param import check_param_type, check_param_multi_types, \

  27.     check_model, check_numpy_param

  28. from .attacker import _get_attack_model

  29. from ._check_config import verify_config_params

  30. 

  31. LOGGER = LogUtil.get_instance()

  32. TAG = "MembershipInference"

  33. 

  34. 

  35. def _eval_info(pred, truth, option):

  36.     """

  37.     Calculate the performance according to pred and truth.

  38. 

  39.     Args:

  40.         pred (numpy.ndarray): Predictions for each sample.

  41.         truth (numpy.ndarray): Ground truth for each sample.

  42.         option (str): Type of evaluation indicators; Possible

  43.             values are 'precision', 'accuracy' and 'recall'.

  44. 

  45.     Returns:

  46.         float32, calculated evaluation results.

  47. 

  48.     Raises:

  49.         ValueError, size of parameter pred or truth is 0.

  50.         ValueError, value of parameter option must be in ["precision", "accuracy", "recall"].

  51.     """

  52.     check_numpy_param("pred", pred)

  53.     check_numpy_param("truth", truth)

  54. 

  55.     if option == "accuracy":

  56.         count = np.sum(pred == truth)

  57.         return count / len(pred)

  58.     if option == "precision":

  59.         if np.sum(pred) == 0:

  60.             return -1

  61.         count = np.sum(pred & truth)

  62.         return count / np.sum(pred)

  63.     if option == "recall":

  64.         if np.sum(truth) == 0:

  65.             return -1

  66.         count = np.sum(pred & truth)

  67.         return count / np.sum(truth)

  68. 

  69.     msg = "The metric value {} is undefined.".format(option)

  70.     LOGGER.error(TAG, msg)

  71.     raise ValueError(msg)

  72. 

  73. 

  74. def _softmax_cross_entropy(logits, labels, epsilon=1e-12):

  75.     """

  76.     Calculate the SoftmaxCrossEntropy result between logits and labels.

  77. 

  78.     Args:

  79.         logits (numpy.ndarray): Numpy array of shape(N, C).

  80.         labels (numpy.ndarray): Numpy array of shape(N, ).

  81.         epsilon (float): The calculated value of softmax will be clipped into [epsilon, 1 - epsilon]. Default: 1e-12.

  82. 

  83.     Returns:

  84.         numpy.ndarray: numpy array of shape(N, ), containing loss value for each vector in logits.

  85.     """

  86.     labels = np.eye(logits.shape[1])[labels].astype(np.int32)

  87. 

  88.     exp_logits = np.exp(logits - np.max(logits, axis=-1, keepdims=True))

  89.     predictions = exp_logits / np.sum(exp_logits, axis=-1, keepdims=True)

  90.     predictions = np.clip(predictions, epsilon, 1.0 - epsilon)

  91.     loss = -1 * np.sum(labels*np.log(predictions), axis=-1)

  92.     return loss

  93. 

  94. 

  95. class MembershipInference:

  96.     """

  97.     Proposed by Shokri, Stronati, Song and Shmatikov, membership inference is a grey-box attack

  98.     for inferring user's privacy data. It requires loss or logits results of the training samples. Privacy refers

  99.     to some sensitive attributes of a single user.

  100. 

  101.     For details, please refer to the `Using Membership Inference to Test Model Security

  102.     <https://mindspore.cn/mindarmour/docs/en/r1.9/test_model_security_membership_inference.html>`_.

  103. 

  104.     References: `Reza Shokri, Marco Stronati, Congzheng Song, Vitaly Shmatikov.

  105.     Membership Inference Attacks against Machine Learning Models. 2017.

  106.     <https://arxiv.org/abs/1610.05820v2>`_.

  107. 

  108.     Args:

  109.         model (Model): Target model.

  110.         n_jobs (int): Number of jobs run in parallel. -1 means using all processors,

  111.             otherwise the value of n_jobs must be a positive integer.

  112. 

  113.     Raises:

  114.         TypeError: If type of model is not mindspore.train.Model.

  115.         TypeError: If type of n_jobs is not int.

  116.         ValueError: The value of n_jobs is neither -1 nor a positive integer.

  117. 

  118. 

  119.     Examples:

  120.         >>> import mindspore.ops.operations as P

  121.         >>> from mindspore.nn import Cell

  122.         >>> from mindspore import Model

  123.         >>> from mindarmour.privacy.evaluation import MembershipInference

  124.         >>> def dataset_generator():

  125.         ...     batch_size = 16

  126.         ...     batches = 1

  127.         ...     data =  np.random.randn(batches * batch_size,1,10).astype(np.float32)

  128.         ...     label =  np.random.randint(0,10, batches * batch_size).astype(np.int32)

  129.         ...     for i in range(batches):

  130.         ...         yield data[i*batch_size:(i+1)*batch_size], label[i*batch_size:(i+1)*batch_size]

  131.         >>> class Net(Cell):

  132.         ...     def __init__(self):

  133.         ...         super(Net, self).__init__()

  134.         ...         self._softmax = P.Softmax()

  135.         ...         self._Dense = nn.Dense(10,10)

  136.         ...         self._squeeze = P.Squeeze(1)

  137.         ...     def construct(self, inputs):

  138.         ...         out = self._softmax(inputs)

  139.         ...         out = self._Dense(out)

  140.         ...         return self._squeeze(out)

  141.         >>> net = Net()

  142.         >>> loss = nn.SoftmaxCrossEntropyWithLogits(sparse=True)

  143.         >>> opt = nn.Momentum(params=net.trainable_params(), learning_rate=0.1, momentum=0.9)

  144.         >>> model = Model(network=net, loss_fn=loss, optimizer=opt)

  145.         >>> inference_model = MembershipInference(model, 2)

  146.         >>> config = [{

  147.         ...     "method": "KNN",

  148.         ...     "params": {"n_neighbors": [3, 5, 7],}

  149.         ...     }]

  150.         >>> ds_train = ds.GeneratorDataset(dataset_generator, ["image", "label"])

  151.         >>> ds_test = ds.GeneratorDataset(dataset_generator, ["image", "label"])

  152.         >>> inference_model.train(ds_train, ds_test, config)

  153.         >>> metrics = ["precision", "accuracy", "recall"]

  154.         >>> eval_train = ds.GeneratorDataset(dataset_generator, ["image", "label"])

  155.         >>> eval_test = ds.GeneratorDataset(dataset_generator, ["image", "label"])

  156.         >>> result = inference_model.eval(eval_train. eval_test, metrics)

  157.         >>> print(result)

  158.     """

  159. 

  160.     def __init__(self, model, n_jobs=-1):

  161.         check_param_type("n_jobs", n_jobs, int)

  162.         if not (n_jobs == -1 or n_jobs > 0):

  163.             msg = "Value of n_jobs must be either -1 or positive integer, but got {}.".format(n_jobs)

  164.             LOGGER.error(TAG, msg)

  165.             raise ValueError(msg)

  166. 

  167.         self._model = check_model("model", model, Model)

  168.         self._n_jobs = min(n_jobs, cpu_count())

  169.         self._attack_list = []

  170. 

  171.     def train(self, dataset_train, dataset_test, attack_config):

  172.         """

  173.         Depending on the configuration, use the input dataset to train the attack model.

  174. 

  175.         Args:

  176.             dataset_train (mindspore.dataset): The training dataset for the target model.

  177.             dataset_test (mindspore.dataset): The test set for the target model.

  178.             attack_config (Union[list, tuple]): Parameter setting for the attack model. The format is

  179.                 [{"method": "knn", "params": {"n_neighbors": [3, 5, 7]}},

  180.                 {"method": "lr", "params": {"C": np.logspace(-4, 2, 10)}}].

  181.                 The support methods are knn, lr, mlp and rf, and the params of each method

  182.                 must within the range of changeable parameters. Tips of params implement

  183.                 can be found below:

  184.                 `KNN <https://scikit-learn.org/stable/modules/generated/sklearn.neighbors.KNeighborsClassifier.html>`_,

  185.                 `LR <https://scikit-learn.org/stable/modules/generated/sklearn.linear_model.LogisticRegression.html>`_,

  186.                 `RF <https://scikit-learn.org/stable/modules/generated/sklearn.ensemble.RandomForestClassifier.html>`_,

  187.                 `MLP <https://scikit-learn.org/stable/modules/generated/sklearn.neural_network.MLPRegressor.html>`_.

  188. 

  189.         Raises:

  190.             KeyError: If any config in attack_config doesn't have keys {"method", "params"}.

  191.             NameError: If the method(case insensitive) in attack_config is not in ["lr", "knn", "rf", "mlp"].

  192.         """

  193.         check_param_type("dataset_train", dataset_train, Dataset)

  194.         check_param_type("dataset_test", dataset_test, Dataset)

  195.         check_param_multi_types("attack_config", attack_config, (list, tuple))

  196.         verify_config_params(attack_config)

  197. 

  198.         features, labels = self._transform(dataset_train, dataset_test)

  199.         for config in attack_config:

  200.             self._attack_list.append(_get_attack_model(features, labels, config, n_jobs=self._n_jobs))

  201. 

  202. 

  203.     def eval(self, dataset_train, dataset_test, metrics):

  204.         """

  205.         Evaluate the different privacy of the target model.

  206.         Evaluation indicators shall be specified by metrics.

  207. 

  208.         Args:

  209.             dataset_train (mindspore.dataset): The training dataset for the target model.

  210.             dataset_test (mindspore.dataset): The test dataset for the target model.

  211.             metrics (Union[list, tuple]): Evaluation indicators. The value of metrics

  212.                 must be in ["precision", "accuracy", "recall"]. Default: ["precision"].

  213. 

  214.         Returns:

  215.             list, each element contains an evaluation indicator for the attack model.

  216.         """

  217.         check_param_type("dataset_train", dataset_train, Dataset)

  218.         check_param_type("dataset_test", dataset_test, Dataset)

  219.         check_param_multi_types("metrics", metrics, (list, tuple))

  220. 

  221.         metrics = set(metrics)

  222.         metrics_list = {"precision", "accuracy", "recall"}

  223.         if not metrics <= metrics_list:

  224.             msg = "Element in 'metrics' must be in {}, but got {}.".format(metrics_list, metrics)

  225.             LOGGER.error(TAG, msg)

  226.             raise ValueError(msg)

  227. 

  228.         result = []

  229.         features, labels = self._transform(dataset_train, dataset_test)

  230.         for attacker in self._attack_list:

  231.             pred = attacker.predict(features)

  232.             item = {}

  233.             for option in metrics:

  234.                 item[option] = _eval_info(pred, labels, option)

  235.             result.append(item)

  236.         return result

  237. 

  238.     def _transform(self, dataset_train, dataset_test):

  239.         """

  240.         Generate corresponding loss_logits features and new label, and return after shuffle.

  241. 

  242.         Args:

  243.             dataset_train (mindspore.dataset): The train set for the target model.

  244.             dataset_test (mindspore.dataset): The test set for the target model.

  245. 

  246.         Returns:

  247.             - numpy.ndarray, loss_logits features for each sample. Shape is (N, C).

  248.                 N is the number of sample. C = 1 + dim(logits).

  249.             - numpy.ndarray, labels for each sample, Shape is (N,).

  250.         """

  251.         features_train, labels_train = self._generate(dataset_train, 1)

  252.         features_test, labels_test = self._generate(dataset_test, 0)

  253.         features = np.vstack((features_train, features_test))

  254.         labels = np.hstack((labels_train, labels_test))

  255.         shuffle_index = np.array(range(len(labels)))

  256.         np.random.shuffle(shuffle_index)

  257.         features = features[shuffle_index]

  258.         labels = labels[shuffle_index]

  259. 

  260.         return features, labels

  261. 

  262.     def _generate(self, input_dataset, label):

  263.         """

  264.         Return a loss_logits features and labels for training attack model.

  265. 

  266.         Args:

  267.             input_dataset (mindspore.dataset): The dataset to be generated.

  268.             label (int): Whether input_dataset belongs to the target model.

  269. 

  270.         Returns:

  271.             - numpy.ndarray, loss_logits features for each sample. Shape is (N, C).

  272.                 N is the number of sample. C = 1 + dim(logits).

  273. 

  274.             - numpy.ndarray, labels for each sample, Shape is (N,).

  275.         """

  276.         loss_logits = np.array([])

  277.         for batch in input_dataset.create_tuple_iterator(output_numpy=True):

  278.             batch_data = Tensor(batch[0], ms.float32)

  279.             batch_labels = batch[1].astype(np.int32)

  280.             batch_logits = self._model.predict(batch_data).asnumpy()

  281.             batch_loss = _softmax_cross_entropy(batch_logits, batch_labels)

  282. 

  283.             batch_feature = np.hstack((batch_loss.reshape(-1, 1), batch_logits))

  284.             if loss_logits.size == 0:

  285.                 loss_logits = batch_feature

  286.             else:

  287.                 loss_logits = np.vstack((loss_logits, batch_feature))

  288. 

  289.         if label == 1:

  290.             labels = np.ones(len(loss_logits), np.int32)

  291.         elif label == 0:

  292.             labels = np.zeros(len(loss_logits), np.int32)

  293.         else:

  294.             msg = "The value of label must be 0 or 1, but got {}.".format(label)

  295.             LOGGER.error(TAG, msg)

  296.             raise ValueError(msg)

  297.         return loss_logits, labels