# K-Nearest-Neighbors Membership Inference Experiment

In [20]:
import pandas as pd
import sklearn.ensemble as es
from sklearn.tree import DecisionTreeClassifier
from sklearn.neural_network import MLPClassifier
import numpy as np
import logging
from sklearn.neighbors import KNeighborsClassifier

In [21]:
threads = 4

In [22]:
%run experiment_setup.ipynb

INFO:xai-privacy:Loading dataset 1: heart disease (continuous features) ...
INFO:xai-privacy:Loading dataset 2: census income (categorical features) ...


In [23]:
logger = logging.getLogger('xai-privacy')

This notebook will go through the experiment for membership inference with KNN as an explanation. Membership inference means an attacker with access to the explanation can tell for a test sample whether it was included in the training data or not.

The idea for KNN membership inference is as follows: Enter the test sample and check whether the test sample is returned as one of its own nearest neighbors. If it is, it is part of the training data. Otherwise it is not.

First, we have to create our own wrapper class for the default scikit-learn KNN classifier. This is necessary because the scikit-learn implementation only returns the indices of the nearest neighbors. However, in order to be useful explanation to a user, the actual feature values of the nearest neighbors need to be returned. This is done by the wrapper class.

In [24]:
# define own KNN explainer that provides the k nearest neighbors to a query point
class KnnExplainer():
    def __init__(self, data, outcome_name):
        features = data.drop(outcome_name, axis=1)
        labels = data[outcome_name]
        self._knn_model = KNeighborsClassifier().fit(features, labels)
        self._data = data
        
    def explain(self, sample_df):
        nei_indices = self._knn_model.kneighbors(X=sample_df, return_distance=False)
        neighbors = self._data.iloc[nei_indices[0], :]
        return neighbors

Then, we implement the `train_explainer` and `membership_inference_attack_no_model_access` functions:

In [25]:
class KnnMembershipInference(MembershipInference):
    def train_explainer(self, data_train, model):
        return KnnExplainer(data_train, self.outcome_name)
        
    @staticmethod
    def membership_inference_attack_no_model_access(explainer, samples_df):
        inferred_membership = np.empty(len(samples_df))
        
        for index in range(len(samples_df)):
            # needs double brackets so that iloc returns a dataframe instead of a series
            sample_df = samples_df.iloc[[index], :]

            logger.debug(f'Checking sample {index}: {sample_df.to_numpy()[0]}')

            # explainer does not need target for explanation (remove last column)
            neighbors = explainer.explain(sample_df.drop(sample_df.columns[-1], axis=1))
            
            logger.debug(f'K nearest neighbors: \n {neighbors.to_numpy()}')
            
            # check if the sample itself is part of it's own nearest neighbors. In that case, it is part of the training data.
            # otherwise it isn't.
            result = np.isclose(neighbors.to_numpy().astype(float), sample_df.to_numpy().astype(float)).all(axis=1).any()

            logger.debug('Inferred membership: %s' % result)
            inferred_membership[index] = result
        
        return inferred_membership

# Dataset 1: Heart Disease

We now generate a KNN explaination for a random sample from the training data as a demonstration of the concept.

In [26]:
features = data_num.drop('heart_disease_label', axis=1)
labels = data_num['heart_disease_label']

# Train a random forest on training data.
model = es.RandomForestClassifier(random_state=0)
model = model.fit(features, labels)

# Train explainer
exp = KnnExplainer(data_num, 'heart_disease_label')

test_sample = features.sample()
print(f'Test sample: {test_sample.to_numpy()}')

pred = model.predict(test_sample)
print(f'Model prediction: {pred[0]}')

neighbors = exp.explain(test_sample)
print(f'Nearest Neighbors: \n {neighbors.to_numpy()}')

Test sample: [[ 45.     0.   172.   137.    92.5   30.35  90.    83.  ]]
Model prediction: 1.0
Nearest Neighbors: 
 [[ 45.     0.   172.   137.    92.5   30.35  90.    83.     1.  ]
 [ 37.     1.   165.   134.5   91.    27.97  86.    80.     0.  ]
 [ 43.     0.   170.   134.    90.    32.93  95.    73.     0.  ]
 [ 42.     9.   165.   139.    91.    26.54  83.    83.     0.  ]
 [ 40.     1.   178.   142.    84.    34.46  88.    77.     0.  ]]


We will now do a small proof of concept of the experiment with logging enabled to demonstrate how it works.

In [27]:
logger.setLevel(logging.DEBUG)

EXP = KnnMembershipInference(data_num, continuous_features_num, outcome_name_num, random_state=0)
EXP.membership_inference_experiment(stop_after=10, model=DecisionTreeClassifier(random_state=0), model_access=False, threads=1)

logger.setLevel(logging.INFO)

DEBUG:xai-privacy:[[ 52.     0.   216.   125.    72.    24.98  75.    95.     0.  ]] taken from training data
DEBUG:xai-privacy:[[ 45.    0.  258.  114.   80.   26.6  80.   68.    0. ]] taken from control data
DEBUG:xai-privacy:[[ 49.    20.   291.   160.    99.    29.91  85.    88.     0.  ]] taken from training data
DEBUG:xai-privacy:[[ 50.    20.   235.   121.    78.    23.01  52.    78.     0.  ]] taken from control data
DEBUG:xai-privacy:[[ 41.   40.  242.  124.5  86.5  28.8  87.   67.    0. ]] taken from training data
DEBUG:xai-privacy:[[ 53.    10.   261.   136.    99.    21.02  85.    94.     0.  ]] taken from control data
DEBUG:xai-privacy:[[ 46.     0.   213.   136.    77.    31.02  75.    73.     0.  ]] taken from training data
DEBUG:xai-privacy:[[ 58.     0.   210.   102.    60.    26.98  71.    90.     0.  ]] taken from control data
DEBUG:xai-privacy:[[ 54.     0.   265.   121.    82.    23.52  60.    67.     0.  ]] taken from training data
DEBUG:xai-privacy:[[ 41.    5.  

Total time: 0.12s (training model: 0.01s, training explainer: 0.00s, experiment: 0.10s)
Accuracy: 1.0, precision: 1.0, recall: 1.0


The proof of concept should show that the membership inference function predicts membership very accurately.

Now we begin executing the actual experiment. We begin by defining the table that will hold the results for all our different experiment variations. Then we execute all variations of the experiment for this dataset. We vary the model between a decision tree, a random forest and a neural network. Each model uses the default configuration of scikit-learn.

In [28]:
results_ = {'dataset': [], 'model': [], 'accuracy': [], 'precision': [], 'recall': []}

results = pd.DataFrame(data = results_)

In [29]:
print("features: continuous, model: decision tree.")

EXP = KnnMembershipInference(data_num, continuous_features_num, outcome_name_num, random_state=0)
accuracy, precision, recall = EXP.membership_inference_experiment(stop_after=None, model=DecisionTreeClassifier(random_state=0), model_access=False, threads=threads)

results.loc[len(results.index)] = ['continuous', 'decision tree', accuracy, precision, recall]

features: continuous, model: decision tree.
Total time: 3.02s (training model: 0.01s, training explainer: 0.00s, experiment: 3.00s)
Accuracy: 1.0, precision: 1.0, recall: 1.0


In [30]:
print("features: continuous, model: random forest.")

EXP = KnnMembershipInference(data_num, continuous_features_num, outcome_name_num, random_state=0)
accuracy, precision, recall = EXP.membership_inference_experiment(stop_after=None, model=es.RandomForestClassifier(random_state=0), model_access=False, threads=threads)

results.loc[len(results.index)] = ['continuous', 'random forest', accuracy, precision, recall]

features: continuous, model: random forest.
Total time: 3.18s (training model: 0.29s, training explainer: 0.00s, experiment: 2.89s)
Accuracy: 1.0, precision: 1.0, recall: 1.0


In [31]:
print("features: continuous, model: neural network.")

EXP = KnnMembershipInference(data_num, continuous_features_num, outcome_name_num, random_state=0)
accuracy, precision, recall = EXP.membership_inference_experiment(stop_after=None, model=MLPClassifier(random_state=0), model_access=False, threads=threads)

results.loc[len(results.index)] = ['continuous', 'neural network', accuracy, precision, recall]

features: continuous, model: neural network.
Total time: 3.25s (training model: 0.29s, training explainer: 0.00s, experiment: 2.95s)
Accuracy: 1.0, precision: 1.0, recall: 1.0


# Dataset 2: Census Income (categorical)

Now all variations of the membership inference experiment will be executed for the second dataset.

In [32]:
print("features: categorical, model: decision tree.")

EXP = KnnMembershipInference(data_cat, continuous_features_cat, outcome_name_cat, random_state=0)
accuracy, precision, recall = EXP.membership_inference_experiment(stop_after=None, model=DecisionTreeClassifier(random_state=0), model_access=False, threads=threads)

results.loc[len(results.index)] = ['categorical', 'decision tree', accuracy, precision, recall]

features: categorical, model: decision tree.
Total time: 5.49s (training model: 0.05s, training explainer: 0.00s, experiment: 5.43s)
Accuracy: 1.0, precision: 1.0, recall: 1.0


In [33]:
print("features: categorical, model: random forest.")

EXP = KnnMembershipInference(data_cat, continuous_features_cat, outcome_name_cat, random_state=0)
accuracy, precision, recall = EXP.membership_inference_experiment(stop_after=None, model=es.RandomForestClassifier(random_state=0), model_access=False, threads=threads)

results.loc[len(results.index)] = ['categorical', 'random forest', accuracy, precision, recall]

features: categorical, model: random forest.
Total time: 6.17s (training model: 0.81s, training explainer: 0.00s, experiment: 5.36s)
Accuracy: 1.0, precision: 1.0, recall: 1.0


In [34]:
print("features: categorical, model: neural network.")

EXP = KnnMembershipInference(data_cat, continuous_features_cat, outcome_name_cat, random_state=0)
accuracy, precision, recall = EXP.membership_inference_experiment(stop_after=None, model=MLPClassifier(random_state=0), model_access=False, threads=threads)

results.loc[len(results.index)] = ['categorical', 'neural network', accuracy, precision, recall]

features: categorical, model: neural network.




Total time: 11.28s (training model: 5.88s, training explainer: 0.01s, experiment: 5.39s)
Accuracy: 1.0, precision: 1.0, recall: 1.0


# Results

The results of all variations of the membership inference experiment with KNN. In every experiment, we executed the membership inference attack on each sample of the training data and each sample of the control data. Both datasets are of equal size and originate from the same source dataset.

Accuracy is the percentage of samples whose membership (true or false) was correctly inferred. An algorithm guessing at random would achieve an accuracy of 50 percent.

Precision is the percentage of predicted training samples that is actually in the training data.

Recall is the percentage of training samples whose membership (true) was correctly inferred.

In [35]:
results

Unnamed: 0,dataset,model,accuracy,precision,recall
0,continuous,decision tree,1.0,1.0,1.0
1,continuous,random forest,1.0,1.0,1.0
2,continuous,neural network,1.0,1.0,1.0
3,categorical,decision tree,1.0,1.0,1.0
4,categorical,random forest,1.0,1.0,1.0
5,categorical,neural network,1.0,1.0,1.0


In [36]:
results.to_csv('results/1-4-knn-membership-inference-results.csv', index=False, na_rep='NaN', float_format='%.3f')

# Discussion

Just as expected, the attack has an accuracy of 100%. No false positives or false negatives occur.