Structural Attack

Structural attacks.

Runs a number of ‘static’ structural attacks based on: (i) the target model’s properties; (ii) the TRE’s risk appetite as applied to tables and standard regressions.

This module provides the StructuralAttack class, which assesses a trained machine learning model for several common structural vulnerabilities.

These include:

- Degrees-of-freedom risk
- k-anonymity violations
- Class disclosure
- ‘Unnecessary risk’ caused by hyperparameters likely to lead to undue model complexity (not defined for all types of model)

The methodology is aligned with SACRO-ML’s privacy risk framework.
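A minimal end-to-end sketch of running the attack. The Target import path and keyword arguments below are assumptions based on typical sacroml usage; consult the Target documentation for the exact wrapper API.

    from sklearn.datasets import load_breast_cancer
    from sklearn.model_selection import train_test_split
    from sklearn.tree import DecisionTreeClassifier

    from sacroml.attacks.structural_attack import StructuralAttack
    from sacroml.attacks.target import Target  # assumed import path

    X, y = load_breast_cancer(return_X_y=True)
    X_train, X_test, y_train, y_test = train_test_split(X, y, random_state=0)
    model = DecisionTreeClassifier(random_state=0).fit(X_train, y_train)

    # Keyword names here are assumptions; adjust to the actual Target signature.
    target = Target(model=model, X_train=X_train, y_train=y_train,
                    X_test=X_test, y_test=y_test)

    attack = StructuralAttack()  # defaults: output_dir='outputs', default risk appetite
    if StructuralAttack.attackable(target):
        output = attack.attack(target)  # dict of results; report written to output_dir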

class sacroml.attacks.structural_attack.StructuralAttack(output_dir: str = 'outputs', write_report: bool = True, risk_appetite_config: str = 'default', report_individual: bool = False)[source]

Structural attacks based on the static structure of a model.

Performs structural privacy risk assessments on trained ML models.

This class implements static structural attacks based on model architecture and hyperparameters, aligned with TRE risk appetite for ‘traditional’ outputs.

The attack pipeline includes checks for:

- Residual degrees of freedom
- Complexity risk
- Equivalence-class analysis (illustrated in the sketch below) to identify risks of:

  • k-anonymity violations

  • Class disclosure (partitions of the decision space with zero probability for some labels)

  • Re-identification through small groups (partitions of the decision space with some groups below the cell-count threshold)
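The equivalence-class idea can be shown with a small self-contained sketch. This is not the library's implementation, only the underlying concept: records with identical predicted-probability vectors form one equivalence class, from which k-anonymity, class disclosure, and small-group risk follow.

    import numpy as np

    def equivalence_class_summary(probs: np.ndarray, threshold: int = 10):
        """Summarise k-anonymity, class disclosure, and small-group risk."""
        # Each distinct row of predicted probabilities is one equivalence class.
        classes, counts = np.unique(probs, axis=0, return_counts=True)
        k = int(counts.min())                            # smallest class size
        class_disclosure = bool((classes == 0.0).any())  # a label with zero probability
        small_groups = bool((counts < threshold).any())  # classes below the threshold
        return k, class_disclosure, small_groups

    # Toy predicted probabilities for six records over two labels.
    probs = np.array([[1.0, 0.0], [1.0, 0.0], [0.4, 0.6],
                      [0.4, 0.6], [0.4, 0.6], [0.0, 1.0]])
    print(equivalence_class_summary(probs, threshold=2))  # (1, True, True)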

Methods

attack(target)

Check whether an attack can be performed and run the attack.

attackable(target)

Return whether a target can be assessed with StructuralAttack.

get_params()

Get parameters for this attack.

classmethod attackable(target: Target) → bool[source]

Return whether a target can be assessed with StructuralAttack.

__init__(output_dir: str = 'outputs', write_report: bool = True, risk_appetite_config: str = 'default', report_individual: bool = False) → None[source]

Construct an object to execute a structural attack.

Parameters:
output_dir : str

Name of a directory to write outputs.

write_report : bool

Whether to generate a JSON and PDF report.

risk_appetite_config : str

Path to a YAML file specifying the TRE risk appetite.

report_individual : bool

Whether to report metrics for each individual record.
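A sketch of constructing the attack with non-default parameters; 'tre_risk_appetite.yaml' is a hypothetical path, not a file shipped with the package.

    from sacroml.attacks.structural_attack import StructuralAttack

    attack = StructuralAttack(
        output_dir="structural_outputs",                # where reports are written
        write_report=True,                              # generate JSON and PDF reports
        risk_appetite_config="tre_risk_appetite.yaml",  # hypothetical custom config
        report_individual=True,                         # include per-record metrics
    )
    print(attack.get_params())  # parameter names mapped to their values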

attack(target: Target) → dict

Check whether an attack can be performed and run the attack.

get_params() → dict

Get parameters for this attack.

Returns:
params : dict

Parameter names mapped to their values.

class sacroml.attacks.structural_attack.StructuralAttackResults(unnecessary_risk: bool, dof_risk: bool, k_anonymity_risk: bool, class_disclosure_risk: bool, smallgroup_risk: bool, details: dict | None = None)[source]

Dataclass to store the results of a structural attack.

Attributes:
unnecessary_risk (bool) : Risk due to an unnecessarily complex model structure.
dof_risk (bool) : Risk based on degrees of freedom.
k_anonymity_risk (bool) : Risk based on k-anonymity violations.
class_disclosure_risk (bool) : Risk of class label disclosure.
smallgroup_risk (bool) : Risk of re-identification through groups below the cell-count threshold.
details (dict | None) : Optional additional metadata.
__init__(unnecessary_risk: bool, dof_risk: bool, k_anonymity_risk: bool, class_disclosure_risk: bool, smallgroup_risk: bool, details: dict | None = None) → None
class_disclosure_risk: bool
details: dict | None = None
dof_risk: bool
k_anonymity_risk: bool
smallgroup_risk: bool
unnecessary_risk: bool
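Constructing the dataclass directly with the documented field names shows the shape a downstream consumer works with; the values here are made up for illustration.

    from sacroml.attacks.structural_attack import StructuralAttackResults

    results = StructuralAttackResults(
        unnecessary_risk=False,
        dof_risk=True,
        k_anonymity_risk=True,
        class_disclosure_risk=False,
        smallgroup_risk=True,
        details={"k": 3},  # illustrative metadata
    )

    # Collect the names of the boolean flags that were raised.
    flagged = [name for name, value in vars(results).items()
               if name != "details" and value]
    print(flagged)  # ['dof_risk', 'k_anonymity_risk', 'smallgroup_risk']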
class sacroml.attacks.structural_attack.StructuralRecordLevelResults(unnecessary_risk: list[bool], dof_risk: list[bool], k_anonymity: list[int], class_disclosure: list[bool], smallgroup_risk: list[bool])[source]

Dataclass to store record-level outcomes for structural attack.

__init__(unnecessary_risk: list[bool], dof_risk: list[bool], k_anonymity: list[int], class_disclosure: list[bool], smallgroup_risk: list[bool]) → None
class_disclosure: list[bool]
dof_risk: list[bool]
k_anonymity: list[int]
smallgroup_risk: list[bool]
unnecessary_risk: list[bool]
sacroml.attacks.structural_attack.get_model_param_count(model: BaseEstimator | Module) → int[source]

Return the number of trained parameters in a model.

This includes learned weights, thresholds, and decision rules, depending on the model type. Supports DecisionTree, RandomForest, AdaBoost, XGBoost, MLP, and torch classifiers.

Parameters:
model (BaseEstimator | torch.nn.Module) : A trained classification model.
Returns:
int : Estimated number of learned parameters.
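A sketch of calling the function on two supported model types; the exact counts depend on the fitted structure, so none are asserted here.

    from sklearn.datasets import make_classification
    from sklearn.ensemble import RandomForestClassifier
    from sklearn.tree import DecisionTreeClassifier

    from sacroml.attacks.structural_attack import get_model_param_count

    X, y = make_classification(n_samples=200, n_features=8, random_state=0)

    tree = DecisionTreeClassifier(random_state=0).fit(X, y)
    forest = RandomForestClassifier(n_estimators=10, random_state=0).fit(X, y)

    print(get_model_param_count(tree))    # grows with the tree's depth and leaves
    print(get_model_param_count(forest))  # aggregated over the ensemble's trees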
sacroml.attacks.structural_attack.get_unnecessary_risk(model: BaseEstimator | Module) → bool[source]

Check whether model hyperparameters are in the top 20% most risky.

This check is based on a classifier trained on results from a large-scale study described in: https://doi.org/10.48550/arXiv.2502.09396

Parameters:
model : BaseEstimator | torch.nn.Module

The trained model to check for risk.

Returns:
bool

True if the model’s hyperparameters are considered high risk, otherwise False.
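A sketch comparing a deliberately unconstrained model against a constrained one. Whether either is flagged depends on the internal risk classifier, so the outcomes are indicative only.

    from sklearn.datasets import make_classification
    from sklearn.tree import DecisionTreeClassifier

    from sacroml.attacks.structural_attack import get_unnecessary_risk

    X, y = make_classification(n_samples=200, n_features=8, random_state=0)

    deep = DecisionTreeClassifier(max_depth=None, min_samples_leaf=1).fit(X, y)
    shallow = DecisionTreeClassifier(max_depth=3, min_samples_leaf=20).fit(X, y)

    print(get_unnecessary_risk(deep))     # more likely to be flagged as high risk
    print(get_unnecessary_risk(shallow))  # more likely to pass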