# ML-Leaks Paper implementation:

>This is an implementation of adversary 1 scenario of the paper (ML-Leaks)[https://arxiv.org/pdf/1806.01246.pdf]

## I. General Idea of the paper:

As machine learning as a service (Mlaas) is getting widely used, privacy issues in this setting are also getting a lot of attention. One of the most famous attacks that a depolyed machine learning model can be victim of is "the membership inference attack". This attack allows an adversary to know if a particular data point was used to trained a given model. In case of a model trained on highly private data, this attack can be a real danger.

Early demos of memebership infrence attacks assumed the following :

- Knowledge of the target model architecture.

- Using multiple shadow models.

- Having shadow models trained on datasets that are from the same distribution of the dataset used to train the target model itself.

Despite the high performance of such attacks, the existence of these assumptions made it unrealistic to be deployed in real world. In this paper, the authors relaxed these assumptions and suggested some effective defense strategies , namely : Dropout and model stacking.

The authors designed 3 adversary strategies :

- Adversary 1 : Used only one shadow model + no knowledge of the classification algorithm used. ==> The usage of only one shadow model resulted in a similar performance compared to using many shadow models. This can make the attacks much more computationally efficient.

- Adversary 2 : The data sued to train the shadow model isn't necessarily from the same distribution of the data used to train the target model ==> This makes the attack more powerful and realistic.

- Adversary 3 : No shadow models are used + an attack in an unsupervised attack ==> despite the drop of the performance for this attck it is still effective.

> In this notebook we are implementing the Adversary 1 and testing on Mnist dataset and Cifar10.

### Table of Content:

> Important note : The number of epochs displayed when training may not be the exact number of training epochs used for the final model. By the time I was running tests , it happened when I needed to add epochs and run again the training cell ( to improuve the accuracy/loss) 

In [2]:
# Importing necessary packages 
from models.models import *
import dataloaders as loader
import training_utils as TU
from torch.optim import *
from datasets.data_utils import *
from datasets.attack_dataset import *  
import pandas as pd 

## II. Case 1 : Same model architecture for the shadow and the target

### 1.1 Mnist classifier:

#### 1.1.1 Load data :

In [2]:
loaders = loader.get_dataloaders(batch_size=128,dataset_name="mnist")

In [3]:
loaders.keys()

dict_keys(['DShadow_train', 'DShadow_out', 'target_train', 'target_eval', 'test_loader'])

#### 1.1.2 train and evaluate the target model:

In [3]:
target_model = Mnist_classifier()

In [4]:
train_dataloader = loaders['target_train']
optimizer = Adam(target_model.parameters(), lr=0.0001)
epochs = 30
checkpoint_path = "./checkpoints/mnistTarget.pth"
target_train_loss_scores = TU.train(train_dataloader=train_dataloader, 
                                    optimizer=optimizer,
                                    model=target_model,
                                    n_epochs=epochs,
                                    model_path=checkpoint_path)

Epoch 1 - Training loss: 1.7336031607652114
Epoch 2 - Training loss: 0.6991646052417109
Epoch 3 - Training loss: 0.43768555153224425
Epoch 4 - Training loss: 0.3306552916765213
Epoch 5 - Training loss: 0.2674894731933788
Epoch 6 - Training loss: 0.22669988011909745
Epoch 7 - Training loss: 0.19536167168516225
Epoch 8 - Training loss: 0.17107124607694352
Epoch 9 - Training loss: 0.15237095478480145
Epoch 10 - Training loss: 0.13591645995817953
Epoch 11 - Training loss: 0.12330653928851677
Epoch 12 - Training loss: 0.1126803884251138
Epoch 13 - Training loss: 0.10286486606602951
Epoch 14 - Training loss: 0.09479775257661181
Epoch 15 - Training loss: 0.08915792882316194
Epoch 16 - Training loss: 0.08216708196106098
Epoch 17 - Training loss: 0.07772603141680612
Epoch 18 - Training loss: 0.0728833022195909
Epoch 19 - Training loss: 0.06714723495987512
Epoch 20 - Training loss: 0.0630572308012742
Epoch 21 - Training loss: 0.059463714375713114
Epoch 22 - Training loss: 0.055863706426600275
Ep

In [5]:
# eval
acc = TU.eval_model(target_model,loaders['test_loader'])


Average Val Loss: 0.0004, Val Accuracy: 9846/10000 (98.460%)



In [6]:
#Save results 
TU.save_training_loss(target_train_loss_scores,"case1/target_model_train_scores.csv")

#### 1.1.2 train and evaluate the shadow model:

In [7]:
shadow_model = Mnist_classifier()

In [8]:
train_dataloader = loaders['DShadow_train']
optimizer = Adam(shadow_model.parameters(), lr=0.0001)
epochs = 30
checkpoint_path = "./checkpoints/mnistShadow.pth"
shadow_train_loss_scores = TU.train(train_dataloader=train_dataloader, 
                                    optimizer=optimizer,
                                    model=shadow_model,
                                    n_epochs=epochs,
                                    model_path=checkpoint_path)

Epoch 1 - Training loss: 1.650734110403869
Epoch 2 - Training loss: 0.6618791730222056
Epoch 3 - Training loss: 0.4201601612365852
Epoch 4 - Training loss: 0.31804574590365764
Epoch 5 - Training loss: 0.25947067652971056
Epoch 6 - Training loss: 0.22189391688522647
Epoch 7 - Training loss: 0.19272407453696608
Epoch 8 - Training loss: 0.16948357173952006
Epoch 9 - Training loss: 0.15162894909538455
Epoch 10 - Training loss: 0.13634572556968463
Epoch 11 - Training loss: 0.12467115845973209
Epoch 12 - Training loss: 0.1144538798953517
Epoch 13 - Training loss: 0.1062625774766429
Epoch 14 - Training loss: 0.09781695144661402
Epoch 15 - Training loss: 0.09179458075787052
Epoch 16 - Training loss: 0.08455126115389294
Epoch 17 - Training loss: 0.07867810913061692
Epoch 18 - Training loss: 0.07313994658416358
Epoch 19 - Training loss: 0.06843136344105005
Epoch 20 - Training loss: 0.06478635789984363
Epoch 21 - Training loss: 0.061030569454749765
Epoch 22 - Training loss: 0.05771656714821771
Ep

In [9]:
acc_shadow = TU.eval_model(shadow_model,loaders['test_loader'])


Average Val Loss: 0.0004, Val Accuracy: 9825/10000 (98.250%)



In [10]:
#Save results 
TU.save_training_loss(shadow_train_loss_scores,"case1/shadow_model_train_scores.csv")

#### 1.1.3 train and evaluate the attack model:

##### 1.1.3.1 Create dataset of the attack model:

In [3]:
# The dataset is already created and saved in data/data/attack_dataset.csv so there s no need 
# to run this cell 
train_file_path='data/attack_train_dataset.csv'
test_file_path='data/attack_test_dataset.csv'
# In short the fowllong means that:
#  Attack_train = top3(shadow(D_shadow)) = top3(shadow(D_shadwo_train + D_shadow_out_shadow)) 
result = get_attack_trainset(shadow_model=shadow_model,
                             shadow_train_loader=loaders['DShadow_train'], 
                             shadow_out_loader=loaders['DShadow_out'],
                             file_path=train_file_path)
result = get_attack_trainset(shadow_model=shadow_model,
                             shadow_train_loader=loaders['target_train'], 
                             shadow_out_loader=loaders['target_eval'],
                             file_path=test_file_path)

In [2]:
train_file_path='data/attack_train_dataset.csv'
test_file_path='data/attack_test_dataset.csv'
attack_loaders = loader.get_attack_train_test_loaders(dataset_train_path=train_file_path,
                                                      dataset_test_path=test_file_path,
                                                        batch_size=10)

##### 1.1.3.2 train and evaluate the attack model:

In [3]:
attack_model = Attack_classifier(3)

In [4]:
train_dataloader = attack_loaders['train_loader']


In [5]:
optimizer = Adam(attack_model.fc1.parameters(), lr=0.00001)

train_scores= TU.train(train_dataloader, 
                    optimizer,
                    model=attack_model,
                    n_epochs=20, 
                    model_path="./checkpoints/attack_model.pth")

Epoch 1 - Training loss: 0.6961096758445104
Epoch 2 - Training loss: 0.6956390447219213
Epoch 3 - Training loss: 0.6959529554247856
Epoch 4 - Training loss: 0.6956756233970324
Epoch 5 - Training loss: 0.6961275424361228
Epoch 6 - Training loss: 0.6961167560418446
Epoch 7 - Training loss: 0.696594585955143
Epoch 8 - Training loss: 0.6959110643863679
Epoch 9 - Training loss: 0.6963876638611157
Epoch 10 - Training loss: 0.6960333439906439
Epoch 11 - Training loss: 0.6956823712587357
Epoch 12 - Training loss: 0.6963086466987928
Epoch 13 - Training loss: 0.6951838530699412
Epoch 14 - Training loss: 0.6957121727267901
Epoch 15 - Training loss: 0.6960745484630266
Epoch 16 - Training loss: 0.6964540767272314
Epoch 17 - Training loss: 0.6954973247647286
Epoch 18 - Training loss: 0.6959402126471201
Epoch 19 - Training loss: 0.6955236923098564
Epoch 20 - Training loss: 0.6957927646835645


In [7]:
acc_attack,precision_attack,recall_attack = TU.eval_model(attack_model,attack_loaders['test_loader'])


Average Val Loss: 0.0693, Val Accuracy: (0.499%) , precision:  0.4994, recall :  0.8363



In [8]:
#Save results 
TU.save_training_loss(train_scores,"case1/attack_model_train_scores.csv")

In [11]:
import pandas as pd
import numpy as np 
from sklearn.linear_model import LogisticRegression
from sklearn.metrics import classification_report
raw_data = pd.read_csv('data/attack_train_dataset.csv')
x = raw_data[['top1', 'top2', 'top3']]
y = raw_data['label']
test_data = pd.read_csv("data/attack_test_dataset.csv")
x_test = test_data[['top1', 'top2', 'top3']]
y_test = test_data['label']
model = LogisticRegression()
model.fit(x, y)
predictions = model.predict(x_test)
print(len(predictions))
l = classification_report(y_test, predictions)

30000


### 1.2 Cifar10 classifier :

#### 1.2.1 Load data :

In [3]:
cifar_loaders = loader.get_dataloaders(batch_size=5,dataset_name="cifar10")

Files already downloaded and verified
Files already downloaded and verified


In [3]:
cifar_loaders.keys()

dict_keys(['DShadow_train', 'DShadow_out', 'target_train', 'target_eval', 'test_loader'])

#### 1.2.2 train and evaluate the target model:

In [5]:
cifar_target_model = Cifar10_classifier()

In [8]:
cifar_train_dataloader = cifar_loaders['target_train']
optimizer = Adam(cifar_target_model.parameters(), lr=0.00001)
epochs = 20
checkpoint_path = "./checkpoints/case1/cifarTarget.pth"
target_train_loss_scores = TU.train(train_dataloader=cifar_train_dataloader, 
                                    optimizer=optimizer,
                                    model=cifar_target_model,
                                    n_epochs=epochs,
                                    model_path=checkpoint_path)

Epoch 1 - Training loss: 1.7812209156036376
Epoch 2 - Training loss: 1.772486675262451
Epoch 3 - Training loss: 1.7700185741901397
Epoch 4 - Training loss: 1.7641615063667297
Epoch 5 - Training loss: 1.757532771372795
Epoch 6 - Training loss: 1.7487286954879762
Epoch 7 - Training loss: 1.7463976012706757
Epoch 8 - Training loss: 1.7426651539802551
Epoch 9 - Training loss: 1.7424202445983887
Epoch 10 - Training loss: 1.7404421015501021
Epoch 11 - Training loss: 1.7397437626361847
Epoch 12 - Training loss: 1.7314544401407241
Epoch 13 - Training loss: 1.7294480040788651
Epoch 14 - Training loss: 1.7362733224630356
Epoch 15 - Training loss: 1.729334351325035
Epoch 16 - Training loss: 1.7251744873762132
Epoch 17 - Training loss: 1.722428078699112
Epoch 18 - Training loss: 1.722384524011612
Epoch 19 - Training loss: 1.7164879006147384
Epoch 20 - Training loss: 1.7116438692092895


In [9]:
# eval
target_acc , target_precision , target_recall  = TU.eval_model(cifar_target_model,
                                                               cifar_loaders['test_loader'],attack=False)


Average Val Loss: 0.2963, Val Accuracy: (0.474%) , precision:  0.4741, recall :  0.4741



In [18]:
#Save results 
TU.save_training_loss(target_train_loss_scores,"case1/cifar_target_model_train_scores.csv")

#### 1.2.2 train and evaluate the shadow model:

In [None]:
cifar_shadow_model = Mnist_classifier()

In [None]:
train_dataloader = cifar_loaders['DShadow_train']
optimizer = Adam(cifar_shadow_model.parameters(), lr=0.0001)
epochs = 500
checkpoint_path = "./checkpoints/case1/cifar_Shadow.pth"
shadow_train_loss_scores = TU.train(train_dataloader=train_dataloader, 
                                    optimizer=optimizer,
                                    model=cifar_shadow_model,
                                    n_epochs=epochs,
                                    model_path=checkpoint_path)

## II. Case 2 : Shadow model's architecture different than the target model's architecture:

### 2.1 Mnist classifier :

### 2.2 Cifar 10 classifier :