LiRA Attack

Likelihood testing scenario from https://arxiv.org/pdf/2112.03570.pdf.

See p.6 (top of second column) for details.

With mode “offline”, we measure the probability of observing a confidence as high as the target model’s under the null-hypothesis that the target point is a non-member. That is we, use the norm CDF.

With mode “offline-carlini”, we measure the probability that a target point did not come from the non-member distribution. That is, we use Carlini’s implementation with a single norm (log) PDF.

With mode “online-carlini”, we use Carlini’s implementation of the standard likelihood ratio test, measuring the ratio of probabilities the sample came from the two distributions. That is, the (log) PDF of pr_in minus pr_out.

class sacroml.attacks.likelihood_attack.LIRAAttack(output_dir: str = 'outputs', write_report: bool = True, n_shadow_models: int = 100, p_thresh: float = 0.05, mode: str = 'offline', fix_variance: bool = False, report_individual: bool = False)[source]

The main LiRA Attack class.

Methods

`attack`(target)	Check whether an attack can be performed and run the attack.
`attackable`(target)	Return whether a target can be assessed with LIRAAttack.
`get_params`()	Get parameters for this attack.

classmethod attackable(target: Target) → bool[source]: Return whether a target can be assessed with LIRAAttack.

__init__(output_dir: str = 'outputs', write_report: bool = True, n_shadow_models: int = 100, p_thresh: float = 0.05, mode: str = 'offline', fix_variance: bool = False, report_individual: bool = False) → None[source]

Construct an object to execute a LiRA attack.

Parameters:

output_dirstr: Name of the directory where outputs are stored.
write_reportbool: Whether to generate a JSON and PDF report.
n_shadow_modelsint: Number of shadow models to be trained.
p_threshfloat: Threshold to determine significance of things. For instance auc_p_value and pdif_vals.
modestr: Attack mode: {“offline”, “offline-carlini”, “online-carlini”}
fix_variancebool: Whether to use the global standard deviation or per record.
report_individualbool: Whether to report metrics for each individual record.

attack(target: Target) → dict: Check whether an attack can be performed and run the attack.

get_params() → dict

Get parameters for this attack.

Returns:

paramsdict: Parameter names mapped to their values.