# Membership Inference Attack Examples

<table align="left">
  <td>
    <a target="_blank" href="https://colab.research.google.com/github/privML/privacy-evaluator/blob/feat/116-testable-notebooks/notebooks/membership_inference_attack.ipynb"><img src="https://raw.githubusercontent.com/privML/privacy-evaluator/feat/116-testable-notebooks/notebooks/images/colab_logo_32px.png" />Run in Google Colab</a>
  </td>
  <td>
    <a target="_blank" href="https://github.com/privML/privacy-evaluator/blob/feat/116-testable-notebooks/notebooks/membership_inference_attack.ipynb"><img src="https://raw.githubusercontent.com/privML/privacy-evaluator/feat/116-testable-notebooks/notebooks/images/GitHub-Mark-32px.png" />View source on GitHub</a>
  </td>
</table>

## Overview
In this notebook we'll ...

## Setup
First, we should set this notebook's runtime to use a GPU (e.g. if Colab is used go to ***Runtime > Change runtime type > Hardware accelerator***). Now we can install the `privacy-evaluator` package and import all needed modules.

In [None]:
import tensorflow as tf
import torch
import numpy as np

import tensorflow.python.ops.numpy_ops.np_config as np_config
np_config.enable_numpy_behavior()

import privacy_evaluator.models.torch.dcti.dcti as torch_dcti
import privacy_evaluator.models.tf.dcti.dcti as tf_dcti 
from privacy_evaluator.datasets.cifar10 import CIFAR10
from privacy_evaluator.classifiers.classifier import Classifier
from privacy_evaluator.attacks.membership_inference.black_box import MembershipInferenceBlackBoxAttack
from privacy_evaluator.attacks.membership_inference.black_box_rule_based import MembershipInferenceBlackBoxRuleBasedAttack
from privacy_evaluator.attacks.membership_inference.label_only_decision_boundary import MembershipInferenceLabelOnlyDecisionBoundaryAttack

In [None]:
!pip3 install git+https://github.com/privML/privacy-evaluator@feat/116-testable-notebooks

## Conduct Membership Inference Attacks

### PyTorch

We start with the PyTorch model. 

#### Load CIFAR10 Dataset

Before we can start to conduct the membership inference attacks, we need to load the dataset. The CIFAR10 dataset needs to be preprocesses in a specific manner to work for the PyTorch model. 

In [None]:
# Load CIFAR10 dataset as numpy array
x_train, y_train, x_test, y_test = CIFAR10.numpy(model_type='torch')

# Number of classes of CIFAR10 dataset
nb_classes=CIFAR10.N_CLASSES

# Input shape of CIFAR10 dataset
input_shape=CIFAR10.INPUT_SHAPE["torch"]

#### Prepare target model

Now we can set the loss function (in our case it is the `torch.nn.CrossEntropyLoss`) of the model and initialize the model as a generic `Classifier` with the corresponding values.

In [None]:
# Loss function of the Pytrorch model
loss = torch.nn.CrossEntropyLoss(reduction="none")

# Initalize PyTorch model as a Classifier
target_model = Classifier(
    torch_dcti.load_dcti(), 
    loss=loss, 
    nb_classes=nb_classes, 
    input_shape=input_shape
)

#### Perform Membership Inference Black Box Attack

Prepare, fit and attack

In [None]:
attack = MembershipInferenceBlackBoxAttack(
    target_model, 
    x_train[:100], 
    y_train[:100], 
    x_test[:100], 
    y_test[:100]
)

attack.fit()
attack.attack(x_train[:100], y_train[:100])

#### Create output

In [None]:
user_output = attack.attack_output(
    x_train[:100], 
    y_train[:100], 
    np.ones((100,))
)

user_output.to_json()

#### Perform Membership Inference Black Box Rule Based Attack

Prepare and attack

In [None]:
attack = MembershipInferenceBlackBoxRuleBasedAttack(
    target_model, 
    x_train, 
    y_train, 
    x_test, 
    y_test
)

attack.attack(x_train, y_train)

#### Create output

In [None]:
user_output = attack.attack_output(
    x_train, 
    y_train,
    np.ones((len(y_train),))
)

user_output.to_dict(filter=["attack_model_accuracy"])

#### Perform Membership Inference Label Only Decision Boundary Attack

Prepare, fit and attack

In [None]:
attack = MembershipInferenceLabelOnlyDecisionBoundaryAttack(
    target_model, 
    x_train[:1], 
    y_train[:1], 
    x_test[:1], 
    y_test[:1]
)

attack.fit(max_iter=1, max_eval=1, init_eval=1)
attack.attack(x_train[:1], y_train[:1])

#### Create output

In [None]:
user_output = attack.attack_output(
    x_train[:1], 
    y_train[:1], np.ones((1,))
)

str(user_output)

### TensorFlow

Now we do the same with the TensorFlow model.

#### Load CIFAR10 Dataset

Again, we load the correct dataset for the TensorFLow model. 

In [None]:
# Load CIFAR10 dataset as numpy array
x_train, y_train, x_test, y_test = CIFAR10.numpy(model_type='tf')

# Number of classes of CIFAR10 dataset
nb_classes=CIFAR10.N_CLASSES

# Input shape of CIFAR10 dataset
input_shape=CIFAR10.INPUT_SHAPE["tf"]

#### Prepare target model

Then we initialize the target model. This time we use the `tf.keras.losses.CategoricalCrossentropy` as loss function.

In [None]:
# Loss function of the TensorFlow target model
loss = tf.keras.losses.CategoricalCrossentropy()

# Initalize TensorFlow target model
target_model = Classifier(
    tf_dcti.load_dcti(), 
    loss=loss, 
    nb_classes=nb_classes, 
    input_shape=input_shape
)

#### Perform Membership Inference Black Box Attack

Prepare, fit and attack

In [None]:
attack = MembershipInferenceBlackBoxAttack(
    target_model, 
    x_train[:100], 
    y_train[:100], 
    x_test[:100], 
    y_test[:100]
)

attack.fit()
attack.attack(x_train[:100], y_train[:100])

#### Create output

In [None]:
user_output = attack.attack_output(
    x_train[:100], 
    y_train[:100], 
    np.ones((100,))
)

user_output.to_json()

#### Perform Membership Inference Black Box Rule Based Attack

Prepare and attack

In [None]:
attack = MembershipInferenceBlackBoxRuleBasedAttack(
    target_model, 
    x_train, 
    y_train, 
    x_test, 
    y_test
)

attack.attack(x_train, y_train)

#### Create output

In [None]:
user_output = attack.attack_output(
    x_train, 
    y_train, 
    np.ones((len(y_train),))
)

user_output.to_dict(filter=["attack_model_accuracy"])

#### Perform Membership Inference Label Only Decision Boundary Attack

Prepare, fit and attack

In [None]:
attack = MembershipInferenceLabelOnlyDecisionBoundaryAttack(
    target_model, 
    x_train[:1], 
    y_train[:1], 
    x_test[:1], 
    y_test[:1]
)

attack.fit(max_iter=1, max_eval=1, init_eval=1)
attack.attack(x_train[:1], y_train[:1])

#### Create output

In [None]:
user_output = attack.attack_output(
    x_train[:1], 
    y_train[:1], 
    np.ones((1,))
)

str(user_output)