Structural Attack
Structural attacks.
Runs a number of ‘static’ structural attacks based on: (i) the target model’s properties; (ii) the TRE’s risk appetite as applied to tables and standard regressions.
This module provides the StructuralAttack class, which assesses a trained machine learning model for several common structural vulnerabilities.
These include: - Degrees of freedom risk - k-anonymity violations - Class disclosure - ‘Unnecessary Risk’ caused by hyper-parameters likely to lead to undue model complexity
The methodology is aligned with SACRO-ML’s privacy risk framework.
- class sacroml.attacks.structural_attack.StructuralAttack(output_dir: str = 'outputs', write_report: bool = True, risk_appetite_config: str = 'default')[source]
Structural attacks based on the static structure of a model.
Performs structural privacy risk assessments on trained ML models.
This class implements static structural attacks based on model architecture and hyperparameters, aligned with TRE risk appetite configurations.
Attack pipeline includes: - Equivalence class analysis - Degrees of freedom check - k-anonymity check - Class disclosure risk - Complexity risk
Methods
attack
(target)Check whether an attack can be performed and run the attack.
attackable
(target)Return whether a target can be assessed with StructuralAttack.
Get parameters for this attack.
- classmethod attackable(target: Target) bool [source]
Return whether a target can be assessed with StructuralAttack.
- __init__(output_dir: str = 'outputs', write_report: bool = True, risk_appetite_config: str = 'default') None [source]
Construct an object to execute a structural attack.
- Parameters:
- output_dirstr
Name of a directory to write outputs.
- write_reportbool
Whether to generate a JSON and PDF report.
- risk_appetite_configstr
Path to yaml file specifying TRE risk appetite.
- get_params() dict
Get parameters for this attack.
- Returns:
- paramsdict
Parameter names mapped to their values.
- class sacroml.attacks.structural_attack.StructuralAttackResults(dof_risk: bool, k_anonymity_risk: bool, class_disclosure_risk: bool, lowvals_cd_risk: bool, unnecessary_risk: bool, details: dict | None = None)[source]
Dataclass to store the results of a structural attack.
- Attributes:
- dof_risk (bool)Risk based on degrees of freedom.
- k_anonymity_risk (bool)Risk based on k-anonymity violations.
- class_disclosure_risk (bool)Risk of class label disclosure.
- lowvals_cd_risk (bool)Risk from low-frequency class values.
- unnecessary_risk (bool)Risk due to unnecessarily complex model structure.
- details (dict | None)Optional additional metadata.
- __init__(dof_risk: bool, k_anonymity_risk: bool, class_disclosure_risk: bool, lowvals_cd_risk: bool, unnecessary_risk: bool, details: dict | None = None) None
- class_disclosure_risk: bool
- details: dict | None = None
- dof_risk: bool
- k_anonymity_risk: bool
- lowvals_cd_risk: bool
- unnecessary_risk: bool
- sacroml.attacks.structural_attack.get_model_param_count(model: BaseEstimator) int [source]
Return the number of trained parameters in a model.
This includes learned weights, thresholds, and decision rules depending on model type. Supports DecisionTree, RandomForest, AdaBoost, XGBoost, and MLP classifiers.
- Parameters:
- model (BaseEstimator)A trained scikit-learn or XGBoost model.
- Returns:
- intEstimated number of learned parameters.
- sacroml.attacks.structural_attack.get_unnecessary_risk(model: BaseEstimator) bool [source]
Check whether model hyperparameters are in the top 20% most risky.
This check is based on a classifier trained on results from a large scale study described in: https://doi.org/10.48550/arXiv.2502.09396
- Parameters:
- modelBaseEstimator
The trained model to check for risk.
- Returns:
- bool
True if the model’s hyperparameters are considered high risk, otherwise False.