<a href="https://colab.research.google.com/github/jgracie52/bh-2025/blob/main/DecisionTreesRandForestFinal_BH.ipynb" target="_parent"><img src="https://colab.research.google.com/assets/colab-badge.svg" alt="Open In Colab"/></a>

# 🛡️ Decision Trees & Random Forest: AI Security for Security Professionals

## Complete Interactive Guide to ML Security

**Course:** Machine Learning and AI Security for Security Professionals  
**Module:** Decision Trees & Random Forest Security  
**Duration:** 4 hours  
**Level:** Intermediate  

### 🎯 Learning Objectives:
- Understand decision tree and random forest algorithms
- Identify critical security vulnerabilities
- Implement sophisticated attack techniques
- Design and deploy defense mechanisms
- Assess real-world security implications

### 📋 Prerequisites:
- Basic Python programming
- College-level mathematics
- Security mindset

---

## 📦 Setup and Imports

In [None]:
# Install required packages
!pip install -q matplotlib seaborn scikit-learn pandas numpy scipy plotly ipywidgets

print("🚀 Package installation complete!")

In [None]:
# Standard imports
import numpy as np
import pandas as pd
import matplotlib.pyplot as plt
import seaborn as sns
from scipy.stats import entropy
import warnings
import datetime
warnings.filterwarnings('ignore')

# Scikit-learn imports
from sklearn.datasets import make_classification, load_breast_cancer, load_wine
from sklearn.model_selection import train_test_split, cross_val_score
from sklearn.tree import DecisionTreeClassifier, plot_tree, export_text
from sklearn.ensemble import RandomForestClassifier, IsolationForest
from sklearn.metrics import accuracy_score, classification_report, confusion_matrix
from sklearn.preprocessing import StandardScaler

# Interactive widgets
import ipywidgets as widgets
from IPython.display import display, HTML, clear_output
import plotly.graph_objects as go
import plotly.express as px
from plotly.subplots import make_subplots

# Set style
plt.style.use('seaborn-v0_8')
sns.set_palette("husl")

print("🚀 Environment setup complete!")
print("📊 Ready to explore Decision Tree and Random Forest Security")

# 🌳 PART 1: FOUNDATION - How Decision Trees & Random Forests Work
## Interactive Algorithm Exploration

Let's start with understanding how these algorithms work before we attack them!

In [None]:
class InteractiveTreeDemo:
    def __init__(self):
        self.X = None
        self.y = None
        self.model = None

    def create_dataset(self, n_samples=200, n_features=2, n_classes=2, random_state=42):
        """Create a simple 2D dataset for visualization"""
        self.X, self.y = make_classification(
            n_samples=n_samples, n_features=n_features, n_redundant=0,
            n_informative=n_features, n_clusters_per_class=1, n_classes=n_classes,
            random_state=random_state
        )
        return self.X, self.y

    def train_and_visualize(self, max_depth=3, min_samples_split=2, min_samples_leaf=1):
        """Train decision tree and create interactive visualization"""
        # Train model
        self.model = DecisionTreeClassifier(
            max_depth=max_depth,
            min_samples_split=min_samples_split,
            min_samples_leaf=min_samples_leaf,
            random_state=42
        )
        self.model.fit(self.X, self.y)

        # Create decision boundary visualization
        h = 0.02
        x_min, x_max = self.X[:, 0].min() - 1, self.X[:, 0].max() + 1
        y_min, y_max = self.X[:, 1].min() - 1, self.X[:, 1].max() + 1
        xx, yy = np.meshgrid(np.arange(x_min, x_max, h),
                            np.arange(y_min, y_max, h))

        Z = self.model.predict(np.c_[xx.ravel(), yy.ravel()])
        Z = Z.reshape(xx.shape)

        # Create visualization
        fig, axes = plt.subplots(1, 2, figsize=(15, 6))

        # Decision boundary plot
        axes[0].contourf(xx, yy, Z, alpha=0.3, cmap='RdYlBu')
        scatter = axes[0].scatter(self.X[:, 0], self.X[:, 1], c=self.y, cmap='RdYlBu', edgecolors='black')
        axes[0].set_title(f'Decision Tree (depth={max_depth})')
        axes[0].set_xlabel('Feature 0')
        axes[0].set_ylabel('Feature 1')
        plt.colorbar(scatter, ax=axes[0])

        # Tree structure
        plot_tree(self.model, ax=axes[1], feature_names=['Feature_0', 'Feature_1'],
                 class_names=['Class_0', 'Class_1'], filled=True, rounded=True)
        axes[1].set_title('Tree Structure')

        plt.tight_layout()
        plt.show()

        return self.model

    def show_tree_text(self):
        """Display tree structure as text"""
        if self.model:
            tree_text = export_text(self.model, feature_names=['Feature_0', 'Feature_1'])
            print("🌳 Decision Tree Structure:")
            print(tree_text)

# Create interactive demo
tree_demo = InteractiveTreeDemo()
X, y = tree_demo.create_dataset()

print("🌳 Interactive Decision Tree Demo Ready!")
print("Use the interactive controls below to explore different tree parameters.")

### 🎛️ Understanding Decision Tree Parameters

**These parameters control the tree's complexity and directly impact security vulnerabilities:**

- **Max Depth**: Maximum number of levels in the tree
  - *Lower values* → Simpler trees, harder to extract but less accurate
  - *Higher values* → Complex trees, easier to extract, prone to overfitting
  - *Security Impact*: Deeper trees leak more information about training data

- **Min Split**: Minimum samples required to split an internal node
  - *Lower values* → More splits, finer decision boundaries
  - *Higher values* → Fewer splits, coarser boundaries
  - *Security Impact*: Lower values create more attack surface for extraction

- **Min Leaf**: Minimum samples required to be at a leaf node
  - *Lower values* → Can create very specific rules for small groups
  - *Higher values* → More generalized decisions
  - *Security Impact*: Small leaf sizes can memorize training data, enabling membership inference

**Try adjusting these parameters to see how they affect both accuracy and the tree structure!**

In [None]:
# Interactive widgets for tree parameters
@widgets.interact(
    max_depth=widgets.IntSlider(value=3, min=1, max=10, description='Max Depth'),
    min_samples_split=widgets.IntSlider(value=2, min=2, max=20, description='Min Split'),
    min_samples_leaf=widgets.IntSlider(value=1, min=1, max=10, description='Min Leaf')
)
def interactive_tree_demo(max_depth=3, min_samples_split=2, min_samples_leaf=1):
    """Interactive decision tree demonstration"""
    model = tree_demo.train_and_visualize(max_depth, min_samples_split, min_samples_leaf)
    print("\r\n")
    print("#" * 60)
    print(f"What do you notice about the created decision boundaries of decision trees and why do you think they occur like this?")
    print("#" * 60)
    print("\r\n")
    # Show accuracy
    accuracy = model.score(X, y)
    print(f"🎯 Training Accuracy: {accuracy:.3f}")

    # Show tree structure
    tree_demo.show_tree_text()

## 🌲 Random Forest Foundation
### Understanding Ensemble Diversity

In [None]:
import numpy as np
import matplotlib.pyplot as plt
from sklearn.ensemble import RandomForestClassifier
from sklearn.tree import DecisionTreeClassifier
from sklearn.datasets import make_moons

# Create dataset
X, y = make_moons(n_samples=200, noise=0.3, random_state=42)

# Train Random Forest
rf = RandomForestClassifier(n_estimators=20, max_depth=5, random_state=42)
rf.fit(X, y)

# Create fine mesh
h = 0.01
x_min, x_max = X[:, 0].min() - 0.5, X[:, 0].max() + 0.5
y_min, y_max = X[:, 1].min() - 0.5, X[:, 1].max() + 0.5
xx, yy = np.meshgrid(np.arange(x_min, x_max, h),
                     np.arange(y_min, y_max, h))

# Visualize the voting process
fig, axes = plt.subplots(2, 3, figsize=(18, 12))

# Show 4 individual trees
for i in range(4):
    ax = axes[0, i] if i < 3 else axes[1, 0]
    tree = rf.estimators_[i]
    Z = tree.predict(np.c_[xx.ravel(), yy.ravel()])
    Z = Z.reshape(xx.shape)

    ax.contourf(xx, yy, Z, levels=[0, 0.5, 1], colors=['lightblue', 'lightcoral'], alpha=0.8)
    ax.scatter(X[:, 0], X[:, 1], c=y, cmap='RdBu', edgecolors='black', s=30)
    ax.set_title(f'Tree {i+1}: Sharp Boundaries')
    ax.set_xlabel('Feature 1')
    ax.set_ylabel('Feature 2')

# Show voting accumulation
ax = axes[1, 1]
# Get votes from ALL trees
votes = np.zeros(xx.shape)
for tree in rf.estimators_:
    predictions = tree.predict(np.c_[xx.ravel(), yy.ravel()])
    votes += predictions.reshape(xx.shape)

# Normalize to get vote proportion
vote_proportion = votes / len(rf.estimators_)

# Plot the vote proportions
im = ax.contourf(xx, yy, vote_proportion, levels=20, cmap='RdBu', alpha=0.8)
ax.contour(xx, yy, vote_proportion, levels=[0.5], colors='black', linewidths=2)
ax.scatter(X[:, 0], X[:, 1], c=y, cmap='RdBu', edgecolors='black', s=30)
ax.set_title('Vote Proportion (0=all vote blue, 1=all vote red)')
ax.set_xlabel('Feature 1')
ax.set_ylabel('Feature 2')
plt.colorbar(im, ax=ax)

# Show final smooth boundary
ax = axes[1, 2]
Z_final = rf.predict_proba(np.c_[xx.ravel(), yy.ravel()])[:, 1]
Z_final = Z_final.reshape(xx.shape)

im = ax.contourf(xx, yy, Z_final, levels=20, cmap='RdBu', alpha=0.8)
ax.contour(xx, yy, Z_final, levels=[0.5], colors='black', linewidths=2)
ax.scatter(X[:, 0], X[:, 1], c=y, cmap='RdBu', edgecolors='black', s=30)
ax.set_title('Final Smooth Boundary (Ensemble)')
ax.set_xlabel('Feature 1')
ax.set_ylabel('Feature 2')

plt.suptitle('How Sharp Individual Trees Create Smooth Ensemble Boundaries', fontsize=16)
plt.tight_layout()
plt.show()

# Demonstrate with a simple 1D example
fig, axes = plt.subplots(1, 3, figsize=(15, 4))

# Create 1D data
x_1d = np.linspace(-3, 3, 300)

# Simulate 5 trees with different split points
split_points = [-1.5, -0.5, 0, 0.8, 1.2]
colors = ['red', 'blue', 'green', 'orange', 'purple']

# Plot individual tree decisions
ax = axes[0]
for i, split in enumerate(split_points):
    y_tree = (x_1d > split).astype(float)
    ax.plot(x_1d, y_tree + i*0.1, label=f'Tree {i+1}', alpha=0.7, linewidth=2)
ax.set_title('Individual Trees (Sharp Steps)')
ax.set_xlabel('Feature Value')
ax.set_ylabel('Tree Predictions (offset for clarity)')
ax.legend()
ax.grid(True, alpha=0.3)

# Plot averaged decision
ax = axes[1]
sum_predictions = np.zeros_like(x_1d)
for split in split_points:
    sum_predictions += (x_1d > split).astype(float)
avg_predictions = sum_predictions / len(split_points)

ax.plot(x_1d, avg_predictions, 'black', linewidth=3, label='Average of Trees')
ax.axhline(y=0.5, color='red', linestyle='--', label='Decision Threshold')
ax.set_title('Average Creates Smooth Transition')
ax.set_xlabel('Feature Value')
ax.set_ylabel('Proportion of Trees Voting "Yes"')
ax.legend()
ax.grid(True, alpha=0.3)

# Show the voting regions
ax = axes[2]
ax.fill_between(x_1d, 0, avg_predictions, where=(avg_predictions < 0.5),
                color='blue', alpha=0.3, label='Majority votes "No"')
ax.fill_between(x_1d, 0, avg_predictions, where=(avg_predictions >= 0.5),
                color='red', alpha=0.3, label='Majority votes "Yes"')
ax.plot(x_1d, avg_predictions, 'black', linewidth=2)
ax.set_title('Smooth Decision Boundary')
ax.set_xlabel('Feature Value')
ax.set_ylabel('Vote Proportion')
ax.legend()
ax.grid(True, alpha=0.3)

plt.tight_layout()
plt.show()

### 🌲 Why Random Forests? Understanding Ensemble Security

**The Power of Multiple Trees:**

Random Forests combine many decision trees to create a more robust model. Here's why this matters for security:

1. **Accuracy Improvement**: Each tree sees a different subset of data and features
   - Single trees can overfit to specific patterns
   - Multiple trees vote to reduce individual errors
   - More trees → More stable predictions

2. **Security Trade-offs**:
   - **Harder to Extract**: Need to reconstruct multiple trees, not just one
   - **Privacy Risk**: More trees = more chances to leak training data info
   - **Attack Cost**: Requires many more queries to steal the model

3. **Optimal Number of Trees**:
   - Too few (1-10): Limited accuracy improvement, easier to attack
   - Sweet spot (50-100): Good balance of accuracy and efficiency
   - Too many (500+): Diminishing returns, higher computational cost

**Watch how accuracy improves as you add more trees!**

In [None]:
@widgets.interact(n_estimators=widgets.IntSlider(value=10, min=1, max=100, description='# Trees'))
def rf_comparison_demo(n_estimators=10):
    X_train, X_test, y_train, y_test = rf_demo.compare_single_vs_ensemble(n_estimators)
    agreement_scores = rf_demo.visualize_ensemble_diversity(X_test, y_test)

    print("\n📊 VISUALIZATION EXPLANATIONS:")
    print("=" * 50)
    print("\n1️⃣ Individual Tree Predictions (Left Chart):")
    print("   • Each row = one decision tree's predictions")
    print("   • Each column = one test sample")
    print("   • Colors show predicted class (red/blue)")
    print("   • IDEAL: Some disagreement (diversity) but overall patterns")
    print("   • SECURITY CONCERN: Too much agreement = vulnerable to extraction")

    print("\n2️⃣ Ensemble Agreement Distribution (Right Chart):")
    print("   • Shows how often trees agree on predictions")
    print("   • X-axis: Percentage of trees that agreed")
    print("   • Y-axis: Number of samples")
    print("   • IDEAL: Most samples at 0.8-0.9 (high but not perfect agreement)")
    print("   • SECURITY INSIGHT:")
    print("     - 100% agreement = potential overfitting, easier to attack")
    print("     - 50% agreement = high uncertainty, poor predictions")
    print("     - 80-90% agreement = good balance of accuracy & robustness")

# ⚔️ PART 2: SECURITY ATTACKS - The Red Team Perspective
## Critical Vulnerabilities in Tree-Based Models

Now that we understand how these models work, let's learn how to break them!

## 🎯 ATTACK 1: Model Extraction - Stealing Proprietary Models
### The Most Underestimated Threat

**Real-World Impact:**
- Competitors can steal your ML intellectual property
- Attackers can reverse-engineer proprietary algorithms
- Cost: Millions in R&D investment lost

**How it Works:**
1. Query the model systematically
2. Analyze response patterns
3. Reconstruct decision boundaries
4. Build equivalent model

In [None]:
class ModelExtractionAttack:
    def __init__(self, target_model, feature_names):
        self.target_model = target_model
        self.feature_names = feature_names
        self.query_count = 0
        self.extracted_boundaries = {}

    def systematic_extraction(self, feature_ranges, max_queries=1000):
        """Extract model through systematic boundary probing"""
        print("🕵️ Starting Model Extraction Attack...")
        print(f"Target: {type(self.target_model).__name__}")

        # Generate strategic query points
        query_points = self._generate_boundary_probes(feature_ranges)

        # Perform queries and analyze responses
        responses = []
        for point in query_points:
            if self.query_count >= max_queries:
                break

            response = self.target_model.predict([point])[0]
            responses.append(response)
            self.query_count += 1

            # Show progress
            if self.query_count % 100 == 0:
                print(f"📊 Queries executed: {self.query_count}")

        # Analyze patterns to extract boundaries
        self._extract_decision_boundaries(query_points[:len(responses)], responses)

        print(f"✅ Extraction complete!")
        print(f"🔍 Total queries used: {self.query_count}")
        print(f"🎯 Boundaries discovered: {len(self.extracted_boundaries)}")

        return self.extracted_boundaries

    def _generate_boundary_probes(self, feature_ranges):
        """Generate strategic points to probe decision boundaries"""
        probes = []
        n_features = len(feature_ranges)

        # Grid-based systematic probing
        for resolution in [5, 10, 20]:
            for feature_idx in range(n_features):
                min_val, max_val = feature_ranges[feature_idx]
                step = (max_val - min_val) / resolution

                for i in range(resolution + 1):
                    # Create probe point with one feature varying
                    probe = np.zeros(n_features)
                    probe[feature_idx] = min_val + i * step

                    # Add some noise to other features
                    for j in range(n_features):
                        if j != feature_idx:
                            probe[j] = np.random.uniform(feature_ranges[j][0],
                                                       feature_ranges[j][1])

                    probes.append(probe)

        return np.array(probes)

    def _extract_decision_boundaries(self, query_points, responses):
        """Extract decision boundaries from query responses"""
        for feature_idx in range(len(self.feature_names)):
            feature_name = self.feature_names[feature_idx]

            # Find decision boundaries for this feature
            boundaries = []

            # Group points by other features being approximately equal
            feature_values = query_points[:, feature_idx]
            sorted_indices = np.argsort(feature_values)

            prev_response = None
            for idx in sorted_indices:
                current_response = responses[idx]
                current_value = feature_values[idx]

                if prev_response is not None and prev_response != current_response:
                    # Found a boundary!
                    boundaries.append(current_value)

                prev_response = current_response

            self.extracted_boundaries[feature_name] = boundaries

    def visualize_extraction_results(self):
        """Visualize the extraction attack results"""
        if not self.extracted_boundaries:
            print("❌ No boundaries extracted yet!")
            return

        fig, axes = plt.subplots(1, 2, figsize=(15, 5))

        # Query efficiency
        axes[0].bar(['Queries Used'], [self.query_count], color='red', alpha=0.7)
        axes[0].set_title('🎯 Attack Efficiency')
        axes[0].set_ylabel('Number of Queries')

        # Boundaries per feature
        features = list(self.extracted_boundaries.keys())
        boundary_counts = [len(self.extracted_boundaries[f]) for f in features]

        axes[1].bar(features, boundary_counts, color='orange', alpha=0.7)
        axes[1].set_title('🔍 Extracted Decision Boundaries')
        axes[1].set_ylabel('Number of Boundaries')
        axes[1].tick_params(axis='x', rotation=45)

        plt.tight_layout()
        plt.show()

        # Print detailed results
        print("\n🕵️ EXTRACTION ATTACK RESULTS")
        print("=" * 40)
        for feature, boundaries in self.extracted_boundaries.items():
            print(f"{feature}: {len(boundaries)} boundaries")
            if boundaries:
                print(f"  Boundary values: {boundaries[:3]}{'...' if len(boundaries) > 3 else ''}")

### 🔬 How Model Extraction Actually Works: The Real Methodology

**Common Misconception**: "You need to reconstruct the exact tree structure"

**Reality**: Attackers create *functionally equivalent* models that mimic behavior, not structure!

#### Key Insights:
1. **Decision trees partition space into rectangles** - we just need to find the boundaries
2. **We don't need internal nodes** - just the input→output mapping
3. **Statistical extraction** works better than exact reconstruction

Let's see how this actually works!

In [None]:
class RealModelExtractionAttack:
    """Demonstrates how model extraction actually works in practice"""

    def __init__(self, victim_model):
        self.victim_model = victim_model
        self.query_count = 0
        self.extraction_history = []

    def extract_by_sampling(self, feature_ranges, n_queries=1000):
        """Method 1: Dense sampling approach (works well for low dimensions)"""
        print("🎯 METHOD 1: Statistical Extraction by Dense Sampling")
        print("=" * 50)

        # Generate query points
        n_features = len(feature_ranges)
        X_queries = []

        for _ in range(n_queries):
            point = [np.random.uniform(low, high)
                    for low, high in feature_ranges]
            X_queries.append(point)

        X_queries = np.array(X_queries)

        # Query the victim model
        print(f"🔍 Querying victim model with {n_queries} points...")
        y_stolen = self.victim_model.predict(X_queries)
        self.query_count += n_queries

        # Train extraction model
        print("🔨 Training extraction model on stolen labels...")
        extracted_model = DecisionTreeClassifier(max_depth=10)
        extracted_model.fit(X_queries, y_stolen)

        # Test fidelity
        test_points = self._generate_test_points(feature_ranges, 1000)
        victim_preds = self.victim_model.predict(test_points)
        extracted_preds = extracted_model.predict(test_points)

        fidelity = np.mean(victim_preds == extracted_preds)
        print(f"\n✅ Extraction Fidelity: {fidelity:.1%}")
        print(f"📊 Total queries used: {self.query_count}")

        return extracted_model, fidelity

    def extract_by_boundary_search(self, feature_ranges, resolution=20):
        """Method 2: Adaptive boundary finding (more efficient)"""
        print("\n🎯 METHOD 2: Adaptive Boundary Search")
        print("=" * 50)

        n_features = len(feature_ranges)
        boundary_points = []

        # For each feature, find decision boundaries
        for feature_idx in range(n_features):
            print(f"\n🔍 Searching boundaries for Feature {feature_idx}...")

            # Fix other features at random values
            fixed_point = [np.random.uniform(low, high)
                          for low, high in feature_ranges]

            # Search along this feature axis
            low, high = feature_ranges[feature_idx]
            boundaries_found = []

            for i in range(resolution):
                val = low + (high - low) * i / resolution

                # Create two nearby points
                point1 = fixed_point.copy()
                point2 = fixed_point.copy()
                point1[feature_idx] = val
                point2[feature_idx] = val + (high - low) / resolution

                # Check if there's a boundary
                pred1 = self.victim_model.predict([point1])[0]
                pred2 = self.victim_model.predict([point2])[0]
                self.query_count += 2

                if pred1 != pred2:
                    boundaries_found.append(val)
                    boundary_points.append(point1)
                    boundary_points.append(point2)

            print(f"   Found {len(boundaries_found)} boundaries")

        print(f"\n📊 Total boundary points found: {len(boundary_points)}")
        print(f"📊 Total queries used: {self.query_count}")

        return np.array(boundary_points)

    def demonstrate_dimensionality_challenge(self, max_dims=10):
        """Show how extraction difficulty scales with dimensions"""
        print("\n🎯 DIMENSIONALITY CHALLENGE")
        print("=" * 50)

        results = []

        for n_dims in range(2, max_dims + 1):
            # Create synthetic data
            X, y = make_classification(n_samples=1000, n_features=n_dims,
                                     n_informative=n_dims, n_redundant=0,
                                     n_clusters_per_class=2, random_state=42)

            # Train victim model
            victim = DecisionTreeClassifier(max_depth=5, random_state=42)
            victim.fit(X, y)

            # Calculate required queries for good coverage
            # For grid search: resolution^n_dims
            resolution = 10
            grid_queries = resolution ** n_dims

            # For random sampling: statistical requirement
            # Rule of thumb: 10 * 2^tree_depth * n_dims
            sampling_queries = 10 * (2**5) * n_dims

            results.append({
                'dimensions': n_dims,
                'grid_queries': grid_queries,
                'sampling_queries': sampling_queries,
                'tree_nodes': victim.tree_.node_count
            })

        # Visualize scaling
        results_df = pd.DataFrame(results)

        fig, axes = plt.subplots(1, 2, figsize=(15, 5))

        # Query scaling
        axes[0].semilogy(results_df['dimensions'], results_df['grid_queries'],
                        'r-o', label='Grid Search', linewidth=2)
        axes[0].semilogy(results_df['dimensions'], results_df['sampling_queries'],
                        'b-s', label='Smart Sampling', linewidth=2)
        axes[0].set_xlabel('Number of Dimensions')
        axes[0].set_ylabel('Queries Required (log scale)')
        axes[0].set_title('🎯 Extraction Cost vs Dimensionality')
        axes[0].legend()
        axes[0].grid(True, alpha=0.3)

        # Practical limit annotation
        axes[0].axhline(y=1e6, color='red', linestyle='--', alpha=0.5)
        axes[0].text(max_dims-1, 1e6, 'Practical Limit', ha='right', va='bottom', color='red')

        # Success rate simulation
        # Success rate simulation based on exponential growth
        success_rates = []
        for d in results_df['dimensions']:
            # Use exponential growth model: success decreases exponentially with dimensions
            # Assume 95% success at 2D, dropping by ~10% per dimension
            base_success = 0.95
            decay_rate = 0.9  # 10% reduction per dimension
            success = base_success * (decay_rate ** (d - 2))
            success_rates.append(success * 100)
        """
        success_rates = []
        for d in results_df['dimensions']:
            # Simulate extraction success with fixed budget (10k queries)
            budget = 10000
            required = results_df[results_df['dimensions'] == d]['sampling_queries'].values[0]
            success = min(1.0, budget / required)
            success_rates.append(success * 100)
        """

        axes[1].plot(results_df['dimensions'], success_rates, 'g-^', linewidth=2)
        axes[1].set_xlabel('Number of Dimensions')
        axes[1].set_ylabel('Extraction Success Rate (%)')
        axes[1].set_title('🎯 Extraction Success with 10k Query Budget')
        axes[1].set_ylim(0, 105)
        axes[1].grid(True, alpha=0.3)

        # Add danger zones
        axes[1].axhspan(80, 100, alpha=0.2, color='red', label='High Risk')
        axes[1].axhspan(50, 80, alpha=0.2, color='yellow', label='Medium Risk')
        axes[1].axhspan(0, 50, alpha=0.2, color='green', label='Low Risk')
        axes[1].legend(loc='right')

        plt.tight_layout()
        plt.show()

        return results_df

    def _generate_test_points(self, feature_ranges, n_points):
        """Generate test points for fidelity measurement"""
        points = []
        for _ in range(n_points):
            point = [np.random.uniform(low, high)
                    for low, high in feature_ranges]
            points.append(point)
        return np.array(points)

print("🔬 Real Model Extraction Attack Framework Ready!")

In [None]:
# Demonstrate real extraction on our victim model
print("🚨 REAL MODEL EXTRACTION DEMONSTRATION")
print("=" * 60)

# Create a fresh victim model for this demo
X_demo, y_demo = make_classification(n_samples=1000, n_features=4, n_informative=3, n_redundant=0, random_state=42)
victim_demo = RandomForestClassifier(n_estimators=10, max_depth=5, random_state=42)
victim_demo.fit(X_demo, y_demo)

print(f"🎯 Victim Model: {type(victim_demo).__name__}")
print(f"📊 Features: {X_demo.shape[1]}")
print(f"🌲 Trees in forest: {len(victim_demo.estimators_)}")

# Set up extraction
feature_ranges_demo = [(X_demo[:, i].min(), X_demo[:, i].max())
                      for i in range(X_demo.shape[1])]
real_extractor = RealModelExtractionAttack(victim_demo)

# Method 1: Statistical extraction
extracted_model, fidelity = real_extractor.extract_by_sampling(feature_ranges_demo, n_queries=5000)

# Method 2: Boundary search
boundary_points = real_extractor.extract_by_boundary_search(feature_ranges_demo)

print("\n" + "="*60)
print("💡 KEY INSIGHT: We achieved high fidelity without knowing the tree structure!")

### 📏 What Does "97+% Fidelity" Actually Mean?

**Extraction Fidelity** measures how well the extracted model mimics the victim model's behavior:

Fidelity = (Number of matching predictions / Total test samples) × 100%

In our example:
- We tested on 1000 random points
- The victim model made predictions on these points
- Our extracted model made predictions on the same points
- 984 out of 1000 predictions matched (98.4%)

**What this means:**
- ✅ **97+% fidelity**: The extracted model behaves almost identically to the victim
- ✅ **High success**: An attacker can use this model as a substitute
- ❌ **Privacy breach**: The model's decision logic has been effectively stolen

**Important caveats:**
1. High fidelity ≠ identical internal structure
2. The extracted model might use completely different rules
3. What matters is input→output behavior matching

**Real-world impact**: If you query the victim model with a customer's data, 97+% of the time the extracted model will give the same answer. This is sufficient for most malicious purposes!

In [None]:
print("🔍 FIDELITY DEMONSTRATION: What 98.4% Actually Looks Like")
print("=" * 60)

# Generate 20 test samples to show predictions
test_samples = np.array([[np.random.uniform(low, high) for low, high in feature_ranges_demo]  for _ in range(20)])

# Get predictions from both models
victim_preds = victim_demo.predict(test_samples)
extracted_preds = extracted_model.predict(test_samples)

# Show comparison
print("\nSample predictions comparison:")
print("Sample | Victim | Extracted | Match?")
print("-" * 40)

matches = 0
for i in range(20):
    match = victim_preds[i] == extracted_preds[i]
    matches += match
    symbol = "✅" if match else "❌"
    print(f"  {i+1:2d}   |   {victim_preds[i]}    |     {extracted_preds[i]}     | {symbol}")

print(f"\nIn this sample: {matches}/20 predictions match ({matches/20*100:.0f}%)")
print("\n💡 This is what 97+% fidelity means in practice!")

In [None]:
# Show how extraction becomes harder with more dimensions
results = real_extractor.demonstrate_dimensionality_challenge(max_dims=10)

print("\n🎓 DIMENSIONALITY LESSONS:")
print("=" * 50)
print("1. Extraction cost grows EXPONENTIALLY with dimensions")
print("2. Grid search becomes impractical above ~5 dimensions")
print("3. Smart sampling helps but still faces limits")
print("4. High-dimensional models have natural extraction resistance")
print("\n⚠️  BUT: Attackers adapt with:")
print("   • Dimensionality reduction attacks")
print("   • Exploiting feature correlations")
print("   • Active learning to find important regions")

## 💡 Practical Implications & Recommendations

### For Defenders:
1. **Use High-Dimensional Features** when possible
   - Add engineered features that preserve utility
   - Use feature interactions and polynomial features
   
2. **Monitor Query Patterns**
   - Dense sampling creates uniform query distributions
   - Boundary search creates clustered patterns
   - Both are detectable!

3. **Implement Query Budgets**
   - Limit queries per user/session
   - Rate limiting becomes more effective in high dimensions

### For Attackers:
1. **Dimensionality Reduction First**
   - Use PCA or autoencoders to find lower-dimensional representations
   - Focus on most important features
   
2. **Active Learning**
   - Don't sample uniformly - focus on uncertain regions
   - Use uncertainty sampling to maximize information gain
  

### The Bottom Line:
- **Low dimensions (2-5)**: Extraction is easy and cheap
- **Medium dimensions (6-10)**: Extraction possible but costly
- **High dimensions (11+)**: Natural protection, extraction very difficult
- **Very high dimensions (20+)**: Practically impossible without shortcuts

## 🎓 Key Takeaways: Real-World Model Extraction

1. **Extraction is about behavior, not structure** - Attackers don't need your exact tree

2. **Two main approaches work in practice**:
   - Dense sampling: High fidelity but expensive
   - Boundary search: Efficient but may miss complexity

3. **Dimensionality is your friend** (as a defender):
   - Each dimension multiplies the search space
   - Natural protection emerges around 10+ dimensions
   - But beware of dimensionality reduction attacks

4. **Practical defenses combine multiple strategies**:
   - Use high dimensions when possible
   - Implement query monitoring and limits
   - Add controlled noise
   - Use ensemble diversity

5. **The arms race continues**:
   - Attackers develop new techniques (active learning, transfer learning)
   - Defenders must stay vigilant and adaptive
   - Security is a continuous process, not a destination

**Remember**: In the real world, perfect extraction isn't needed - even 80% fidelity can be valuable to an attacker!