paper for implementation of blackbox attribute inference attack #2142
Replies: 8 comments
-
Hi @SlokomManel Thank you for using ART! @abigailgold What do you think?
-
Hi @SlokomManel I'm not sure I understand the distinction you're making between attribute inference attack and model inversion attribute inference attack. The idea is to use n-1 features along with the model's output to predict the value of a missing feature. It is the same kind of attack as in https://dl.acm.org/doi/10.1145/2810103.2813677 but with a different implementation which is more similar to the black-box inference attack of Shokri et al. (https://arxiv.org/abs/1610.05820). Hope this helps.
-
Hi, In line 327, we have "predictions = np.array([self._values[np.argmax(arr)] for arr in predictions])". Thank you,
-
In this line, predictions is actually the output of the attack. So these are the attack model's predicted values for the attacked feature (not the predictions of the original/attacked/target model).
-
But remember that the vector values are required to be sorted in ascending order such that -1 class is less appearing then, 0, then 1 is the most appearing. How would this impact the success of inference? Why should we impose a specific order?
-
Ascending order of the values themselves. Not their frequency.
-
Right. So if we go back to this example: But if values = [1, -1, 0], the final prediction will change. So there is a sort of link/connection between values and prediction. At the end, let's assume we have three categories in the target attribute: c1, c2, c3. If there are the same naming of classes in the prediction vector returned by the attacker classifier and values vector. But the only difference is that values vector has a different order. Classifier is trained to say for a specific user, the inferred class is c2 but if we use values vector it becomes c3. Sorry that I am trying to reformulate this multiple times in different ways but my main concern is about "the shift in prediction of classifier". Does it make sense to you?
-
If you look at the code in the fit() method, the attacked feature is always one-hot-encoded after applying one of the methods float_to_categorical or floats_to_one_hot. Both of these methods sort the unique values in the data in ascending order before one-hot encoding them. So if 'values' is always sent in ascending order of the values, these two will match and you will get the correct prediction. This is exactly why it is required to send them in ascending order.
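The ordering requirement explained in the reply above, as an added example that is not part of the thread and not ART's code: it mimics the sorted one-hot encoding and the `values[argmax]` decoding with plain Python lists instead of NumPy. The data, the function names and the `check_values_order` guard are constructed for illustration.

```python
# Added illustration, not ART code: plain-Python stand-ins for the encoding
# and decoding steps discussed in the thread. All data below is constructed.

def one_hot_sorted(column):
    """One-hot encode with columns ordered by ascending unique value,
    which is the ordering the reply above attributes to fit()."""
    categories = sorted(set(column))
    position = {v: i for i, v in enumerate(categories)}
    rows = [[1.0 if position[v] == i else 0.0 for i in range(len(categories))]
            for v in column]
    return categories, rows

def decode(scores, values):
    """Same mapping as the quoted line: values[argmax(row)] for each row."""
    return [values[max(range(len(row)), key=row.__getitem__)] for row in scores]

def accuracy(predicted, truth):
    return sum(p == t for p, t in zip(predicted, truth)) / len(truth)

def check_values_order(values, training_column):
    """Hypothetical guard: fail loudly instead of silently relabelling."""
    expected = sorted(set(training_column))
    if list(values) != expected:
        raise ValueError(f"values must be {expected}, got {list(values)}")
    return expected

# Constructed attacked-feature column and constructed attack-model scores.
# Score columns follow the encoder's order: [-1, 0, 1].
TRUTH = [1, -1, 0, 1, 1, 0]
SCORES = [
    [0.10, 0.20, 0.70],
    [0.80, 0.10, 0.10],
    [0.20, 0.60, 0.20],
    [0.05, 0.15, 0.80],
    [0.30, 0.30, 0.40],
    [0.10, 0.50, 0.40],
]

if __name__ == "__main__":
    categories, _ = one_hot_sorted(TRUTH)
    print("encoder column order:", categories)
    for values in ([-1, 0, 1], [1, -1, 0]):
        predicted = decode(SCORES, values)
        print(values, "->", predicted, "accuracy", accuracy(predicted, TRUTH))
```

With `values = [1, -1, 0]` the attack model's scores are unchanged, yet every decoded label is shifted, so the measured inference accuracy no longer reflects what the attack model learned.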
-
Hi,
Thank you for the implementation of the toolbox.
I am interested in using black-box attribute inference attack model blackbox model. But I have difficulty in understanding how it works and how to use the implementation in my case. I am wondering if this is just attribute inference attack or model inversion attribute inference attack since it makes use of predicted labels from a model and values (marginals).
Could you please share with me the reference?
Looking forward to hearing back from you.
Thank you.
Bests,
Manel.