Structural Attack
Runs a number of ‘static’ structural attacks based on: (i) the target model’s properties; (ii) the TRE’s risk appetite as applied to tables and standard regressions.
This module provides the StructuralAttack class, which assesses a trained machine learning model for several common structural vulnerabilities.
These include:
- Degrees-of-freedom risk
- k-anonymity violations
- Class disclosure
- ‘Unnecessary risk’ caused by hyperparameters likely to lead to undue model complexity (not defined for all types of model)
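The degrees-of-freedom check can be illustrated with a minimal sketch. The function name and default threshold below are illustrative assumptions, not part of the sacroml API:

```python
def residual_dof_risk(n_samples: int, n_params: int, threshold: int = 10) -> bool:
    """Flag a model whose residual degrees of freedom fall below a threshold.

    Residual DoF = number of training samples minus number of learned
    parameters; a small (or negative) value suggests the model has enough
    capacity to effectively memorise its training data.
    """
    residual_dof = n_samples - n_params
    return residual_dof < threshold
```

For example, a model with 100 learned parameters fitted to 1,000 records leaves 900 residual degrees of freedom and is not flagged, while one with 995 parameters leaves only 5 and is.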
The methodology is aligned with SACRO-ML’s privacy risk framework.
- class sacroml.attacks.structural_attack.StructuralAttack(output_dir: str = 'outputs', write_report: bool = True, risk_appetite_config: str = 'default', report_individual: bool = False)[source]
Structural attacks based on the static structure of a model.
Performs structural privacy risk assessments on trained ML models.
This class implements static structural attacks based on model architecture and hyperparameters, aligned with TRE risk appetite for ‘traditional’ outputs.
The attack pipeline includes checks for:
- Residual degrees of freedom
- Complexity risk

and uses equivalence-class analysis to identify risks of:
- k-anonymity violations
- Class disclosure (partitions of the decision space with zero probability for some labels)
- Re-identification through small groups (partitions of the decision space with some groups below the cell count threshold)
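The equivalence-class analysis can be sketched as follows. This is an illustrative reimplementation of the idea, not sacroml's code; the function name and the `k_threshold` default are assumptions:

```python
from collections import defaultdict


def equivalence_class_risks(probs: list[tuple[float, ...]],
                            k_threshold: int = 5) -> dict[str, bool]:
    """Group records by their predicted probability vector and test:

    - k-anonymity: does any equivalence class hold fewer than k records?
    - class disclosure: does any equivalence class assign zero
      probability to some label?
    """
    groups: dict[tuple[float, ...], int] = defaultdict(int)
    for p in probs:
        groups[p] += 1  # records sharing a prediction vector form a class
    k_anonymity_risk = any(count < k_threshold for count in groups.values())
    class_disclosure_risk = any(0.0 in p for p in groups)
    return {"k_anonymity_risk": k_anonymity_risk,
            "class_disclosure_risk": class_disclosure_risk}
```

With six records predicted `(0.5, 0.5)` and two predicted `(1.0, 0.0)`, the second group is smaller than k = 5 (a k-anonymity risk) and rules out one label entirely (a class disclosure risk).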
Methods
- attack(target): Check whether an attack can be performed and run the attack.
- attackable(target): Return whether a target can be assessed with StructuralAttack.
- get_params(): Get parameters for this attack.
- classmethod attackable(target: Target) bool [source]
Return whether a target can be assessed with StructuralAttack.
- __init__(output_dir: str = 'outputs', write_report: bool = True, risk_appetite_config: str = 'default', report_individual: bool = False) None [source]
Construct an object to execute a structural attack.
- Parameters:
- output_dir : str
  Name of a directory to write outputs.
- write_report : bool
  Whether to generate a JSON and PDF report.
- risk_appetite_config : str
  Path to yaml file specifying TRE risk appetite.
- report_individual : bool
  Whether to report metrics for each individual record.
- get_params() dict
Get parameters for this attack.
- Returns:
- params : dict
Parameter names mapped to their values.
- class sacroml.attacks.structural_attack.StructuralAttackResults(unnecessary_risk: bool, dof_risk: bool, k_anonymity_risk: bool, class_disclosure_risk: bool, smallgroup_risk: bool, details: dict | None = None)[source]
Dataclass to store the results of a structural attack.
- Attributes:
- unnecessary_risk (bool): Risk due to unnecessarily complex model structure.
- dof_risk (bool): Risk based on degrees of freedom.
- k_anonymity_risk (bool): Risk based on k-anonymity violations.
- class_disclosure_risk (bool): Risk of class label disclosure.
- smallgroup_risk (bool): Risk from equivalence-class groups below the cell count threshold.
- details (dict | None): Optional additional metadata.
- __init__(unnecessary_risk: bool, dof_risk: bool, k_anonymity_risk: bool, class_disclosure_risk: bool, smallgroup_risk: bool, details: dict | None = None) None
- class_disclosure_risk: bool
- details: dict | None = None
- dof_risk: bool
- k_anonymity_risk: bool
- smallgroup_risk: bool
- unnecessary_risk: bool
- class sacroml.attacks.structural_attack.StructuralRecordLevelResults(unnecessary_risk: list[bool], dof_risk: list[bool], k_anonymity: list[int], class_disclosure: list[bool], smallgroup_risk: list[bool])[source]
Dataclass to store record-level outcomes for structural attack.
- __init__(unnecessary_risk: list[bool], dof_risk: list[bool], k_anonymity: list[int], class_disclosure: list[bool], smallgroup_risk: list[bool]) None
- class_disclosure: list[bool]
- dof_risk: list[bool]
- k_anonymity: list[int]
- smallgroup_risk: list[bool]
- unnecessary_risk: list[bool]
- sacroml.attacks.structural_attack.get_model_param_count(model: BaseEstimator | Module) int [source]
Return the number of trained parameters in a model.
This includes learned weights, thresholds, and decision rules depending on model type. Supports DecisionTree, RandomForest, AdaBoost, XGBoost, MLP and torch classifiers.
- Parameters:
- model : BaseEstimator | torch.nn.Module
  A trained classification model.
- Returns:
- int
  Estimated number of learned parameters.
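For an MLP, the count is the sum of the weight matrices and bias vectors across consecutive layers. A minimal illustrative computation (not the library's implementation, which inspects the fitted model directly) might look like:

```python
def mlp_param_count(n_features: int, hidden_layer_sizes: tuple[int, ...],
                    n_classes: int) -> int:
    """Count weights and biases in a fully connected network."""
    layer_sizes = (n_features, *hidden_layer_sizes, n_classes)
    total = 0
    for n_in, n_out in zip(layer_sizes, layer_sizes[1:]):
        total += n_in * n_out + n_out  # weight matrix plus bias vector
    return total


# e.g. 4 inputs, one hidden layer of 8 units, 3 classes:
# (4*8 + 8) + (8*3 + 3) = 67 parameters
```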
- sacroml.attacks.structural_attack.get_unnecessary_risk(model: BaseEstimator | Module) bool [source]
Check whether model hyperparameters are in the top 20% most risky.
This check is based on a classifier trained on results from a large-scale study described in: https://doi.org/10.48550/arXiv.2502.09396
- Parameters:
- model : BaseEstimator | torch.nn.Module
The trained model to check for risk.
- Returns:
- bool
True if the model’s hyperparameters are considered high risk, otherwise False.
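The real check applies a meta-classifier trained on the cited study's results. As a purely hypothetical stand-in, the flavour of such a rule can be shown with a hand-written heuristic for tree hyperparameters; the function, the parameter names checked, and the thresholds are all illustrative assumptions:

```python
def toy_unnecessary_risk(hyperparams: dict) -> bool:
    """Hypothetical rule of thumb: flag tree hyperparameters that permit
    very fine-grained partitions of the training data.

    The actual get_unnecessary_risk uses a classifier trained on a
    large-scale study; this hand-written rule is only a stand-in to
    illustrate the kind of signal involved.
    """
    unlimited_depth = hyperparams.get("max_depth") is None
    tiny_leaves = hyperparams.get("min_samples_leaf", 1) < 5
    return unlimited_depth and tiny_leaves
```

Under this toy rule, an unbounded tree with single-record leaves is flagged, while a depth-limited tree with larger leaves is not.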