# Using ML anonymization to defend against attribute inference attacks

In this tutorial we will show how to anonymize models using the ML anonymization module. 

We will demonstrate running inference attacks both on a vanilla model, and then on different anonymized versions of the model. We will run both black-box and white-box attribute inference attacks using ART's inference module (https://github.com/Trusted-AI/adversarial-robustness-toolbox/tree/main/art/attacks/inference). 

This will be demonstarted using the Nursery dataset (original dataset can be found here: https://archive.ics.uci.edu/ml/datasets/nursery). 

The sensitive feature we are trying to infer is the 'social' feature, after turning it into a binary feature (the original value 'problematic' receives the new value 1 and the rest 0). We also preprocess the data such that all categorical features are one-hot encoded.

## Load data

In [88]:
import os
import sys
sys.path.insert(0, os.path.abspath('..'))

from apt.utils.dataset_utils import get_nursery_dataset_pd

(x_train, y_train), (x_test, y_test) = get_nursery_dataset_pd(transform_social=True)

x_train

Unnamed: 0,parents,has_nurs,form,children,housing,finance,social,health
8450,pretentious,very_crit,foster,1,less_conv,convenient,1,not_recom
12147,great_pret,very_crit,complete,1,critical,inconv,1,recommended
2780,usual,critical,complete,4,less_conv,convenient,1,not_recom
11924,great_pret,critical,foster,1,critical,convenient,1,not_recom
59,usual,proper,complete,2,convenient,convenient,0,not_recom
...,...,...,...,...,...,...,...,...
5193,pretentious,less_proper,complete,1,convenient,inconv,0,recommended
1375,usual,less_proper,incomplete,2,less_conv,convenient,1,priority
10318,great_pret,less_proper,foster,4,convenient,convenient,0,priority
6396,pretentious,improper,completed,3,less_conv,convenient,1,recommended


## Train decision tree model

In [89]:
from sklearn.tree import DecisionTreeClassifier
from art.estimators.classification.scikitlearn import ScikitlearnDecisionTreeClassifier
from sklearn.preprocessing import OneHotEncoder
from sklearn.compose import ColumnTransformer
from sklearn.impute import SimpleImputer
from sklearn.pipeline import Pipeline

numeric_features = ['social']
categorical_features = ['children', 'parents', 'has_nurs', 'form', 'housing', 'finance', 'health']
numeric_transformer = Pipeline(
    steps=[('imputer', SimpleImputer(strategy='constant', fill_value=0))]
)
categorical_transformer = OneHotEncoder(handle_unknown="ignore", sparse_output=False)
preprocessor = ColumnTransformer(
    transformers=[
        ("num", numeric_transformer, numeric_features),
        ("cat", categorical_transformer, categorical_features),
    ]
)

train_encoded = preprocessor.fit_transform(x_train)
test_encoded = preprocessor.transform(x_test)
    
model = DecisionTreeClassifier()
model.fit(train_encoded, y_train)

art_classifier = ScikitlearnDecisionTreeClassifier(model)

print('Base model accuracy: ', model.score(test_encoded, y_test))

Base model accuracy:  0.9969135802469136


## Attack
### Black-box attack
The black-box attack basically trains an additional classifier (called the attack model) to predict the attacked feature's value from the remaining n-1 features as well as the original (attacked) model's predictions.
#### Train attack model

In [90]:
import numpy as np
from art.attacks.inference.attribute_inference import AttributeInferenceBlackBox

# social feature after preprocessing
attack_feature = 0

# training data without attacked feature
x_train_for_attack = np.delete(train_encoded, attack_feature, 1)
# only attacked feature
x_train_feature = train_encoded[:, attack_feature].copy().reshape(-1, 1)

bb_attack = AttributeInferenceBlackBox(art_classifier, attack_feature=attack_feature)

# get original model's predictions
x_train_predictions = np.array([np.argmax(arr) for arr in art_classifier.predict(train_encoded)]).reshape(-1,1)

# use half of training set for training the attack
attack_train_ratio = 0.5
attack_train_size = int(len(train_encoded) * attack_train_ratio)

# train attack model
bb_attack.fit(train_encoded[:attack_train_size])

  return self._call_impl(*args, **kwargs)


#### Infer sensitive feature and check accuracy

In [91]:
# get inferred values
values=[0, 1]

inferred_train_bb = bb_attack.infer(x_train_for_attack[attack_train_size:], pred=x_train_predictions[attack_train_size:], values=values)
# check accuracy
train_acc = np.sum(inferred_train_bb == np.around(x_train_feature[attack_train_size:], decimals=8).reshape(1,-1)) / len(inferred_train_bb)
print(train_acc)

0.5934786803009839


  return self._call_impl(*args, **kwargs)


This means that for 60% of the training set, the attacked feature is inferred correctly using this attack.

## Whitebox attack
This attack does not train any additional model, it simply uses additional information coded within the attacked decision tree model to compute the probability of each value of the attacked feature and outputs the value with the highest probability.

In [92]:
from art.attacks.inference.attribute_inference import AttributeInferenceWhiteBoxDecisionTree

priors = [6925 / 10366, 3441 / 10366]

wb2_attack = AttributeInferenceWhiteBoxDecisionTree(art_classifier, attack_feature=attack_feature)

# get inferred values
inferred_train_wb2 = wb2_attack.infer(x_train_for_attack, x_train_predictions, values=values, priors=priors)

# check accuracy
train_acc = np.sum(inferred_train_wb2 == np.around(x_train_feature, decimals=8).reshape(1,-1)) / len(inferred_train_wb2)
print(train_acc)

0.6982442600810341


The white-box attack is able to correctly infer the attacked feature value in 69% of the training set. 

# Anonymized data
## k=100

Now we will apply the same attacks on an anonymized version of the same dataset (k=100). The data is anonymized on the quasi-identifiers: finance, social, health.

k=100 means that each record in the anonymized dataset is identical to 99 others on the quasi-identifier values (i.e., when looking only at those 3 feature, the records are indistinguishable).

In [93]:
from apt.utils.datasets import ArrayDataset
from apt.anonymization import Anonymize

features = x_train.columns
QI = ["finance", "social", "health"]

anonymizer = Anonymize(100, QI, categorical_features=categorical_features)
anon = anonymizer.anonymize(ArrayDataset(x_train, x_train_predictions))
anon

Unnamed: 0,parents,has_nurs,form,children,housing,finance,social,health
0,pretentious,very_crit,foster,1,less_conv,convenient,0,not_recom
1,great_pret,very_crit,complete,1,critical,inconv,1,recommended
2,usual,critical,complete,4,less_conv,convenient,0,not_recom
3,great_pret,critical,foster,1,critical,convenient,0,not_recom
4,usual,proper,complete,2,convenient,convenient,0,not_recom
...,...,...,...,...,...,...,...,...
10361,pretentious,less_proper,complete,1,convenient,convenient,0,recommended
10362,usual,less_proper,incomplete,2,less_conv,inconv,0,priority
10363,great_pret,less_proper,foster,4,convenient,convenient,0,priority
10364,pretentious,improper,completed,3,less_conv,convenient,0,recommended


## l = 6
The data is anonymised on the sensitive attribute: parents
with a privacy parameter l=6.

This means that in each group there are at least 6 different rows for the sensitive attributes, otherwise the sensitive attributes in the group are suppressed.

In [94]:
sensitive_attributes = ['parents']
anonymizer_l = Anonymize(100, QI, l=6, categorical_features=categorical_features, sensitive_attributes=sensitive_attributes)
anon_l = anonymizer_l.anonymize(ArrayDataset(x_train, x_train_predictions))
anon_l

Unnamed: 0,parents,has_nurs,form,children,housing,finance,social,health
0,*,very_crit,foster,1,less_conv,convenient,0,not_recom
1,*,very_crit,complete,1,critical,inconv,1,recommended
2,*,critical,complete,4,less_conv,convenient,0,not_recom
3,*,critical,foster,1,critical,convenient,0,not_recom
4,*,proper,complete,2,convenient,convenient,0,not_recom
...,...,...,...,...,...,...,...,...
10361,*,less_proper,complete,1,convenient,convenient,0,recommended
10362,*,less_proper,incomplete,2,less_conv,inconv,0,priority
10363,*,less_proper,foster,4,convenient,convenient,0,priority
10364,*,improper,completed,3,less_conv,convenient,0,recommended


## t = 0.1
The data is anonymised on the sensitive attribute: parents
with a privacy parameter t=0.1.

if the distance between the distribution of a sensitive attribute in this class and the distribution of the attribute in the whole table is no more than a threshold 0.1.

In [95]:
# Only using k-anonymity and t-completeness

sensitive_attributes = ['parents']
anonymizer_t = Anonymize(100, QI, t = 0.1, categorical_features=categorical_features, sensitive_attributes=sensitive_attributes)
anon_t = anonymizer_t.anonymize(ArrayDataset(x_train, x_train_predictions))
anon_t

Unnamed: 0,parents,has_nurs,form,children,housing,finance,social,health
0,pretentious,very_crit,foster,1,less_conv,convenient,0,not_recom
1,great_pret,very_crit,complete,1,critical,inconv,1,recommended
2,usual,critical,complete,4,less_conv,convenient,0,not_recom
3,great_pret,critical,foster,1,critical,convenient,0,not_recom
4,usual,proper,complete,2,convenient,convenient,0,not_recom
...,...,...,...,...,...,...,...,...
10361,*,less_proper,complete,1,convenient,convenient,0,recommended
10362,*,less_proper,incomplete,2,less_conv,inconv,0,priority
10363,*,less_proper,foster,4,convenient,convenient,0,priority
10364,*,improper,completed,3,less_conv,convenient,0,recommended


In [96]:
# Using k-anonymity, l-diversity and t-completeness
sensitive_attributes = ['parents']
anonymizer_lt = Anonymize(100, QI, l=6, t = 0.1, categorical_features=categorical_features, sensitive_attributes=sensitive_attributes)
anon_lt = anonymizer_lt.anonymize(ArrayDataset(x_train, x_train_predictions))
anon_lt

Unnamed: 0,parents,has_nurs,form,children,housing,finance,social,health
0,*,very_crit,foster,1,less_conv,convenient,0,not_recom
1,*,very_crit,complete,1,critical,inconv,1,recommended
2,*,critical,complete,4,less_conv,convenient,0,not_recom
3,*,critical,foster,1,critical,convenient,0,not_recom
4,*,proper,complete,2,convenient,convenient,0,not_recom
...,...,...,...,...,...,...,...,...
10361,*,less_proper,complete,1,convenient,convenient,0,recommended
10362,*,less_proper,incomplete,2,less_conv,inconv,0,priority
10363,*,less_proper,foster,4,convenient,convenient,0,priority
10364,*,improper,completed,3,less_conv,convenient,0,recommended


In [97]:
# number of distinct rows in original data
len(x_train.drop_duplicates())

7585

In [98]:
# number of distinct rows in anonymized data (k-anonymity)
len(anon.drop_duplicates())

3001

In [99]:
# number of distinct rows in anonymized data (k-anonymity and l-diversity)
len(anon_l.drop_duplicates())

1262

In [100]:
# number of distinct rows in anonymized data (k-anonymity and t-completeness)
len(anon_t.drop_duplicates())

2072

In [101]:
# number of distinct rows in anonymized data (k-anonymity, l-diversity and t-completeness)
len(anon_lt.drop_duplicates())

1262

## Train decision tree model

In [102]:
anon_encoded = preprocessor.fit_transform(anon)
test_encoded = preprocessor.transform(x_test)

anon_model = DecisionTreeClassifier()
anon_model.fit(anon_encoded, y_train)

anon_art_classifier = ScikitlearnDecisionTreeClassifier(anon_model)

print('Anonymized model accuracy (k-anonymity): ', anon_model.score(test_encoded, y_test))

Anonymized model accuracy (k-anonymity):  0.9228395061728395


In [103]:
anon_encoded = preprocessor.fit_transform(anon_l)
test_encoded = preprocessor.transform(x_test)

anon_model = DecisionTreeClassifier()
anon_model.fit(anon_encoded, y_train)

anon_art_classifier_l = ScikitlearnDecisionTreeClassifier(anon_model)

print('Anonymized model accuracy (k-anonymity and l-diversity): ', anon_model.score(test_encoded, y_test))

Anonymized model accuracy (k-anonymity and l-diversity):  0.8132716049382716


In [104]:
anon_encoded = preprocessor.fit_transform(anon_t)
test_encoded = preprocessor.transform(x_test)

anon_model = DecisionTreeClassifier()
anon_model.fit(anon_encoded, y_train)

anon_art_classifier_t = ScikitlearnDecisionTreeClassifier(anon_model)

print('Anonymized model accuracy (k-anonymity and t-completeness): ', anon_model.score(test_encoded, y_test))

Anonymized model accuracy (k-anonymity and t-completeness):  0.8128858024691358


In [105]:
anon_encoded = preprocessor.fit_transform(anon_lt)
test_encoded = preprocessor.transform(x_test)

anon_model = DecisionTreeClassifier()
anon_model.fit(anon_encoded, y_train)

anon_art_classifier_lt = ScikitlearnDecisionTreeClassifier(anon_model)

print('Anonymized model accuracy (k-anonymity, l-diversity and t-completeness): ', anon_model.score(test_encoded, y_test))

Anonymized model accuracy (k-anonymity, l-diversity and t-completeness):  0.814429012345679


## Attack
### Black-box attack (k-anonimity)

In [106]:
# training data without attacked feature
x_train_for_attack = np.delete(train_encoded, attack_feature, 1)
# only attacked feature
x_train_feature = train_encoded[:, attack_feature].copy().reshape(-1, 1)

anon_bb_attack = AttributeInferenceBlackBox(anon_art_classifier, attack_feature=attack_feature)

# get original model's predictions
anon_x_train_predictions = np.array([np.argmax(arr) for arr in anon_art_classifier.predict(train_encoded)]).reshape(-1,1)

# train attack model
anon_bb_attack.fit(train_encoded[:attack_train_size])

# get inferred values
inferred_train_anon_bb = anon_bb_attack.infer(x_train_for_attack[attack_train_size:], pred=anon_x_train_predictions[attack_train_size:], values=values)
# check accuracy
train_acc = np.sum(inferred_train_anon_bb == np.around(x_train_feature[attack_train_size:], decimals=8).reshape(1,-1)) / len(inferred_train_anon_bb)
print(train_acc)

  return self._call_impl(*args, **kwargs)


0.5614508971638047


  return self._call_impl(*args, **kwargs)


### White box attack

In [107]:
anon_wb2_attack = AttributeInferenceWhiteBoxDecisionTree(anon_art_classifier, attack_feature=attack_feature)

# get inferred values
inferred_train_anon_wb2 = anon_wb2_attack.infer(x_train_for_attack, anon_x_train_predictions, values=values, priors=priors)

# check accuracy
anon_train_acc = np.sum(inferred_train_anon_wb2 == np.around(x_train_feature, decimals=8).reshape(1,-1)) / len(inferred_train_anon_wb2)
print(anon_train_acc)

0.6863785452440672


The accuracy of the attacks remains more or less the same. Let's check the precision and recall for each case:

In [108]:
def calc_precision_recall(predicted, actual, positive_value=1):
    score = 0  # both predicted and actual are positive
    num_positive_predicted = 0  # predicted positive
    num_positive_actual = 0  # actual positive
    for i in range(len(predicted)):
        if predicted[i] == positive_value:
            num_positive_predicted += 1
        if actual[i] == positive_value:
            num_positive_actual += 1
        if predicted[i] == actual[i]:
            if predicted[i] == positive_value:
                score += 1
    
    if num_positive_predicted == 0:
        precision = 1
    else:
        precision = score / num_positive_predicted  # the fraction of predicted “Yes” responses that are correct
    if num_positive_actual == 0:
        recall = 1
    else:
        recall = score / num_positive_actual  # the fraction of “Yes” responses that are predicted correctly

    return precision, recall
    
# black-box regular
print(calc_precision_recall(inferred_train_bb, x_train_feature))
# black-box anonymized (k-anonymity)
print(calc_precision_recall(inferred_train_anon_bb, x_train_feature))
# black-box anonymized (k-anonymity, l-diversity and t-completeness)
print(calc_precision_recall(inferred_train_anon_bb_lt, x_train_feature))

(0.3388998035363458, 0.20199063231850117)
(0.35121457489878544, 0.2031615925058548)
(0.3243478260869565, 0.21838407494145198)


In [109]:
# white-box regular
print(calc_precision_recall(inferred_train_wb2, x_train_feature))
# white-box anonymized (k-anonymity)
print(calc_precision_recall(inferred_train_anon_wb2, x_train_feature))

(0.6472248353715898, 0.1999418773612322)
(0.6413690476190477, 0.12525428654460913)


Precision and recall remain almost the same, sometimes even slightly increasing.

Now let's see what happens when we increase k to 1000.

## k=1000

Now we apply the attacks on an anonymized version of the same dataset (k=1000). The data has been anonymized on the quasi-identifiers: finance, social, health.

In [110]:
anonymizer2 = Anonymize(1000, QI, categorical_features=categorical_features)
anon2 = anonymizer2.anonymize(ArrayDataset(x_train, x_train_predictions))

In [111]:
anonymizer2_lt = Anonymize(1000, QI, l=6, t=0.1, categorical_features=categorical_features, sensitive_attributes=sensitive_attributes)
anon2_lt = anonymizer2_lt.anonymize(ArrayDataset(x_train, x_train_predictions))

In [112]:
# number of distinct rows in anonymized data (k-anonymity, l-diversity and t-completeness)
len(anon2.drop_duplicates())

1727

In [113]:
# number of distinct rows in anonymized data (k-anonymity, l-diversity and t-completeness)
len(anon2_lt.drop_duplicates())

624

## Train decision tree model

In [114]:
anon2_encoded = preprocessor.fit_transform(anon2)
test_encoded = preprocessor.transform(x_test)

anon2_model = DecisionTreeClassifier()
anon2_model.fit(anon2_encoded, y_train)

anon2_art_classifier = ScikitlearnDecisionTreeClassifier(anon2_model)

print('Anonymized model accuracy (k-anonymity): ', anon2_model.score(test_encoded, y_test))

Anonymized model accuracy (k-anonymity):  0.8908179012345679


In [115]:
anon2_encoded = preprocessor.fit_transform(anon2_lt)
test_encoded = preprocessor.transform(x_test)

anon2_model_lt = DecisionTreeClassifier()
anon2_model_lt.fit(anon2_encoded, y_train)

anon2_art_classifier_lt = ScikitlearnDecisionTreeClassifier(anon2_model_lt)

print('Anonymized model accuracy (k-anonymity, l-diversity and t-completeness): ', anon2_model_lt.score(test_encoded, y_test))

Anonymized model accuracy (k-anonymity, l-diversity and t-completeness):  0.8198302469135802


## Attack
### Black-box attack (k-anonymity)

In [116]:
# training data without attacked feature
x_train_for_attack = np.delete(train_encoded, attack_feature, 1)
# only attacked feature
x_train_feature = train_encoded[:, attack_feature].copy().reshape(-1, 1)

anon2_bb_attack = AttributeInferenceBlackBox(anon2_art_classifier, attack_feature=attack_feature)

# get original model's predictions
anon2_x_train_predictions = np.array([np.argmax(arr) for arr in anon2_art_classifier.predict(train_encoded)]).reshape(-1,1)

# train attack model
anon2_bb_attack.fit(train_encoded[:attack_train_size])

# get inferred values
inferred_train_anon2_bb = anon2_bb_attack.infer(x_train_for_attack[attack_train_size:], pred=anon2_x_train_predictions[attack_train_size:], values=values)
# check accuracy
train_acc = np.sum(inferred_train_anon2_bb == np.around(x_train_feature[attack_train_size:], decimals=8).reshape(1,-1)) / len(inferred_train_anon2_bb)
print(train_acc)

  return self._call_impl(*args, **kwargs)


0.47925911634188695


  return self._call_impl(*args, **kwargs)


### White box attack (k-anonymity)

In [117]:
anon2_wb2_attack = AttributeInferenceWhiteBoxDecisionTree(anon2_art_classifier, attack_feature=attack_feature)

# get inferred values
inferred_train_anon2_wb2 = anon2_wb2_attack.infer(x_train_for_attack, anon2_x_train_predictions, values=values, priors=priors)

# check accuracy
train_acc = np.sum(inferred_train_anon2_wb2 == np.around(x_train_feature, decimals=8).reshape(1,-1)) / len(inferred_train_anon_wb2)
print(train_acc)

0.6680493922438742


In [118]:
# black-box regular
print(calc_precision_recall(inferred_train_bb, x_train_feature))
# black-box anonymized (k-anonymity)
print(calc_precision_recall(inferred_train_anon2_bb, x_train_feature))


print()

# white-box regular
print(calc_precision_recall(inferred_train_wb2, x_train_feature))
# white-box anonymized (k-anonymity)
print(calc_precision_recall(inferred_train_anon2_wb2, x_train_feature))

(0.3388998035363458, 0.20199063231850117)
(0.3185550082101806, 0.22716627634660422)

(0.6472248353715898, 0.1999418773612322)
(1, 0.0)


The accuracy of the black-box attack is slightly reduced, as well as the precision and recall in both attacks.

## k=100, all QI
Now let's see what happens if we define all 8 features in the Nursery dataset as quasi-identifiers.

In [119]:
QI2 = ["parents", "has_nurs", "form", "children", "housing", "finance", "social", "health"]
anonymizer3 = Anonymize(100, QI2, categorical_features=categorical_features)
anon3 = anonymizer3.anonymize(ArrayDataset(x_train, x_train_predictions))

In [120]:
QI2 = ["parents", "has_nurs", "form", "children", "housing", "finance", "social", "health"]
anonymizer3_lt = Anonymize(100, QI2, l=6, t=0.1, categorical_features=categorical_features, sensitive_attributes=sensitive_attributes)
anon3_lt = anonymizer3_lt.anonymize(ArrayDataset(x_train, x_train_predictions))

In [121]:
# number of distinct rows in anonymized data
len(anon3.drop_duplicates())

39

In [122]:
# number of distinct rows in anonymized data
len(anon3_lt.drop_duplicates())

39

##### k-anonymity

In [123]:
anon3_encoded = preprocessor.fit_transform(anon3)
test_encoded = preprocessor.transform(x_test)

anon3_model = DecisionTreeClassifier()
anon3_model.fit(anon3_encoded, y_train)

anon3_art_classifier = ScikitlearnDecisionTreeClassifier(anon3_model)

print('Anonymized model accuracy (k-anonymity): ', anon3_model.score(test_encoded, y_test))

# training data without attacked feature
x_train_for_attack = np.delete(train_encoded, attack_feature, 1)
# only attacked feature
x_train_feature = train_encoded[:, attack_feature].copy().reshape(-1, 1)

anon3_bb_attack = AttributeInferenceBlackBox(anon3_art_classifier, attack_feature=attack_feature)

# get original model's predictions
anon3_x_train_predictions = np.array([np.argmax(arr) for arr in anon3_art_classifier.predict(train_encoded)]).reshape(-1,1)

# train attack model
anon3_bb_attack.fit(train_encoded[:attack_train_size])

# get inferred values
inferred_train_anon3_bb = anon3_bb_attack.infer(x_train_for_attack[attack_train_size:], pred=anon3_x_train_predictions[attack_train_size:], values=values)
# check accuracy
train_acc = np.sum(inferred_train_anon3_bb == np.around(x_train_feature[attack_train_size:], decimals=8).reshape(1,-1)) / len(inferred_train_anon2_bb)
print('BB attack accuracy: ', train_acc)

anon3_wb2_attack = AttributeInferenceWhiteBoxDecisionTree(anon3_art_classifier, attack_feature=attack_feature)

# get inferred values
inferred_train_anon3_wb2 = anon3_wb2_attack.infer(x_train_for_attack, anon3_x_train_predictions, values=values, priors=priors)

# check accuracy
train_acc = np.sum(inferred_train_anon3_wb2 == np.around(x_train_feature, decimals=8).reshape(1,-1)) / len(inferred_train_anon_wb2)
print('WB attack accuracy: ', train_acc)

Anonymized model accuracy (k-anonymity):  0.7754629629629629


  return self._call_impl(*args, **kwargs)
  return self._call_impl(*args, **kwargs)


BB attack accuracy:  0.5035693613737218
WB attack accuracy:  0.6680493922438742


In [124]:
# black-box regular
print(calc_precision_recall(inferred_train_bb, x_train_feature))
# black-box anonymized (k-anonymity)
print(calc_precision_recall(inferred_train_anon3_bb, x_train_feature))

print()

# white-box regular
print(calc_precision_recall(inferred_train_wb2, x_train_feature))
# white-box anonymized (k-anonymity)
print(calc_precision_recall(inferred_train_anon3_wb2, x_train_feature))

(0.3388998035363458, 0.20199063231850117)
(0.3446969696969697, 0.21311475409836064)

(0.6472248353715898, 0.1999418773612322)
(1, 0.0)


Accuracy of both attacks has decreased. Precision and recall remain roughly the same in the black-box case. 

*In the anonymized version of the white-box attack, no records were predicted with the positive value for the attacked feature.