In [48]:
import tensorflow.keras as keras
import numpy as np
from sklearn.utils import resample
import pandas as pd
import pickle
import os
import csv
import scipy.stats as stats
from sklearn.model_selection import train_test_split
from imblearn.over_sampling import SMOTE
from sklearn.metrics import precision_recall_fscore_support
from sklearn.metrics import confusion_matrix,accuracy_score
from sklearn.linear_model import LogisticRegression
from statistics import mean
from sklearn.preprocessing import StandardScaler
from sklearn.preprocessing import LabelEncoder
from tensorflow.keras.models import Sequential
from tensorflow.keras.layers import Dense
from tensorflow.keras.layers import Activation
from tensorflow.keras.layers import Dropout
from tensorflow.keras.utils import to_categorical
from tensorflow.keras.optimizers import SGD
from keras.regularizers import l2
# Directories, relative to the notebook's working directory. The trailing slash is
# required: paths are built by plain string concatenation (DATA_PATH + file name).
DATA_PATH = './data/'
# MODEL_PATH is defined here but not referenced by the cells visible in this notebook.
MODEL_PATH = './model/'

In [49]:
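def read_data(data_name):
    """Load the four arrays of one saved split from ``DATA_PATH + data_name``.

    The archive must hold exactly four positional arrays (``arr_0`` .. ``arr_3``),
    which is the layout ``np.savez`` produces for four unnamed arrays.

    Args:
        data_name: File name of the ``.npz`` archive, relative to ``DATA_PATH``.

    Returns:
        Tuple ``(train_x, train_y, test_x, test_y)``.

    Raises:
        ValueError: If the archive does not contain exactly four arrays.
    """
    # allow_pickle=False is spelled out so that an archive containing pickled object
    # arrays is rejected instead of deserialised, whatever the NumPy default is.
    with np.load(DATA_PATH + data_name, allow_pickle=False) as f:
        if len(f.files) != 4:
            raise ValueError(
                'expected 4 arrays in %s, found %d' % (data_name, len(f.files)))
        train_x, train_y, test_x, test_y = [f['arr_%d' % i] for i in range(4)]
    return train_x, train_y, test_x, test_y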

In [50]:
def transform_location_data(dataset):
    """Turn a label-first DataFrame into feature and one-hot label arrays.

    Column 0 is read as the class label and every remaining column as a feature.

    Side effect: rows containing NaN are removed from ``dataset`` itself, so the
    caller's frame is shortened as well.

    Args:
        dataset: pandas DataFrame with the label in its first column.

    Returns:
        ``(features, one_hot_labels, n_features)``; the first two are NumPy arrays
        and ``n_features`` is the number of feature columns.
    """
    # In place, as in the original: the caller's frame loses its NaN rows too.
    dataset.dropna(inplace=True)

    feature_frame = dataset.iloc[:, 1:]
    label_column = dataset.iloc[:, 0]
    n_features = feature_frame.shape[1]

    features = np.array(feature_frame)
    # No class count is passed, so the one-hot width is whatever to_categorical
    # derives from the labels present in this particular frame.
    one_hot_labels = to_categorical(np.array(label_column))

    return features, one_hot_labels, n_features

In [51]:
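def load_target_data(dataset, train_size, test_ratio):
    """Split the target dataset into training (member) and held-out rows.

    The first ``train_size`` rows form the training set and all rows after them
    form the test set, so the two sets never overlap.

    Args:
        dataset: DataFrame accepted by ``transform_location_data``.
        train_size: Number of leading rows used for training.
        test_ratio: Unused; kept so existing callers keep working.

    Returns:
        ``((trainX, trainY), (testX, testY), dim)`` where ``dim`` is the number
        of feature columns.
    """
    x, y, dim = transform_location_data(dataset)

    # The test slice used to start at a hard-coded 840. With any other train_size
    # that either left rows unused or put training rows into the test set, which
    # would mislabel members as non-members in a membership experiment.
    trainX, trainY = x[:train_size], y[:train_size]
    testX, testY = x[train_size:], y[train_size:]
    return (trainX, trainY), (testX, testY), dim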

In [52]:
def build_purchase_dnn(n_class,dim):
    """Build and compile a tanh MLP with hidden widths 600, 512, 256 and 128.

    The first hidden layer has no regulariser; the other three use an L2 kernel
    penalty of 0.00003. The output layer is a softmax over ``n_class`` units and
    the model is compiled with categorical cross-entropy and Adam.

    Args:
        n_class: Number of output classes.
        dim: Number of input features.

    Returns:
        ``(model, act_layer)`` where ``act_layer`` is the constant 6
        (presumably a layer index; it is not used in the visible cells).
    """
    net = Sequential()

    net.add(Dense(600, input_dim=dim))
    net.add(Activation("tanh"))

    for units in (512, 256, 128):
        net.add(Dense(units, kernel_regularizer=l2(0.00003)))
        net.add(Activation("tanh"))

    net.add(Dense(n_class, activation='softmax'))
    net.compile(loss='categorical_crossentropy', optimizer='adam', metrics=['accuracy'])

    return net, 6

In [53]:
def build_location_dnn(n_class,dim):
    """Build and compile a tanh MLP with hidden widths 512, 248, 128 and 64.

    Every hidden layer carries an L2 kernel penalty of 0.0007. The output layer
    is a softmax over ``n_class`` units; the model is compiled with categorical
    cross-entropy and Adam.

    Args:
        n_class: Number of output classes.
        dim: Number of input features.

    Returns:
        ``(model, act_layer)`` where ``act_layer`` is the constant 6.
    """
    net = Sequential()

    for position, units in enumerate((512, 248, 128, 64)):
        # Only the first layer declares the input width.
        first_layer_args = {'input_dim': dim} if position == 0 else {}
        net.add(Dense(units, kernel_regularizer=l2(0.0007), **first_layer_args))
        net.add(Activation("tanh"))

    net.add(Dense(n_class, activation='softmax'))
    net.compile(loss='categorical_crossentropy', optimizer='adam', metrics=['accuracy'])

    return net, 6

In [54]:
def build_simple_mlp(n_class,pix,d):
    """Build and compile a small ReLU MLP (256, 256, 64 hidden units).

    The second hidden layer uses an L2 kernel penalty of 0.01 and the third is
    followed by dropout with rate 0.01.

    Args:
        n_class: Number of output classes.
        pix: Number of input features.
        d: Unused.

    Returns:
        ``(model, act_layer)`` where ``act_layer`` is the constant 3.
    """
    stack = [
        Dense(256, input_dim=pix),
        Activation("relu"),
        Dense(256, kernel_regularizer=l2(0.01)),
        Activation("relu"),
        Dense(64),
        Activation("relu"),
        Dropout(0.01),
        Dense(n_class, activation='softmax'),
    ]

    model = Sequential()
    for layer in stack:
        model.add(layer)
    model.compile(loss='categorical_crossentropy', optimizer='adam', metrics=['accuracy'])

    return model, 3

In [55]:
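def load_shadow_data(dataset, n_shadow, shadow_size, test_ratio):
    """Draw ``n_shadow`` random shadow datasets and save each as an ``.npz`` file.

    Each shadow dataset is ``shadow_size`` rows sampled without replacement from
    ``dataset`` and split into train/test parts with ``train_test_split``. Rows
    may repeat across different shadow datasets. Files are written to
    ``DATA_PATH`` as ``shadow_location<i>_data.npz`` holding, in order,
    trainX, trainY, testX, testY.

    Neither the sampling nor the split is seeded here, so results differ from
    run to run unless the caller seeds NumPy beforehand.

    Args:
        dataset: DataFrame accepted by ``transform_location_data``.
        n_shadow: Number of shadow datasets to create.
        shadow_size: Rows per shadow dataset.
        test_ratio: Fraction of each shadow dataset held out as its test part.
    """
    x, y, _ = transform_location_data(dataset)

    # Sample from the rows that were actually converted. The pool used to be sized
    # from len(dataset), which is only right because the transform happens to drop
    # NaN rows from the caller's frame in place.
    candidate_rows = np.arange(len(x))

    for i in range(n_shadow):
        picked = np.random.choice(candidate_rows, shadow_size, replace=False)
        trainX, testX, trainY, testY = train_test_split(x[picked], y[picked], test_size=test_ratio)
        print('shadow_i_trainX = ', len(trainX), 'shadow_i_trainY = ', len(trainY), 'shadow_i_testX = ', len(testX), 'shadow_i_testY = ', len(testY))

        np.savez(DATA_PATH + 'shadow_location{}_data.npz'.format(i), trainX, trainY, testX, testY)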

In [56]:
def train_shadow_models(n_shadow, n_class, dim, channel):
    """Train the shadow models and collect their outputs as attack training data.

    For each shadow index the saved split is loaded with ``read_data``, a fresh
    ``build_location_dnn`` model is fitted for ``EPS`` epochs (``EPS`` is read as
    a global), and its prediction vectors are recorded for the training rows
    (membership flag 1) and the test rows (membership flag 0).

    Args:
        n_shadow: Number of shadow models / saved splits to process.
        n_class: Number of output classes for each model.
        dim: Number of input features.
        channel: Unused.

    Returns:
        An 8-tuple:
        ``shadow_train_performance`` (train predictions, true classes),
        ``shadow_test_performance`` (test predictions, true classes),
        ``attack_dataset`` as ``((train_pred, test_pred), (ones, zeros),
        (train_classes, test_classes))`` with int32 flags,
        then ``x_shadow_train, y_shadow_train, x_shadow_test, y_shadow_test``
        and ``model`` of the last shadow iteration.
    """
    in_preds, in_classes, in_flags = [], [], []
    out_preds, out_classes, out_flags = [], [], []

    for j in range(n_shadow):
        print("Shadow Model ", j)
        print('Training shadow model {}'.format(j))
        x_shadow_train, y_shadow_train, x_shadow_test, y_shadow_test = read_data(
            'shadow_location{}_data.npz'.format(j))

        model, _ = build_location_dnn(n_class,dim)
        model.fit(x_shadow_train, y_shadow_train, epochs=EPS, batch_size=32,
                  validation_data=(x_shadow_test, y_shadow_test), verbose=0)

        _, train_acc = model.evaluate(x_shadow_train, y_shadow_train, verbose=0)
        _, test_acc = model.evaluate(x_shadow_test, y_shadow_test, verbose=0)
        print("Shadow Train acc : ", (train_acc * 100.0),"Shadow Test acc : ", (test_acc * 100.0))

        # Rows the shadow model was trained on: label them as members.
        train_pred = model.predict(x_shadow_train, batch_size=32)
        # Rows it never saw: label them as non-members.
        test_pred = model.predict(x_shadow_test, batch_size=32)

        in_preds.append(train_pred)
        in_classes.append(np.argmax(y_shadow_train,axis=1))
        in_flags.append(np.ones(len(train_pred)))

        out_preds.append(test_pred)
        out_classes.append(np.argmax(y_shadow_test,axis=1))
        out_flags.append(np.zeros(len(test_pred)))

    full_train_pred = np.vstack(in_preds)
    full_test_pred = np.vstack(out_preds)
    train_classes_flat = np.concatenate(in_classes)
    test_classes_flat = np.concatenate(out_classes)

    shadow_train_performance = (full_train_pred, np.array(train_classes_flat))
    shadow_test_performance = (full_test_pred, np.array(test_classes_flat))

    # Attack data is kept as (member part, non-member part) pairs, not stacked.
    attack_x = (full_train_pred, full_test_pred)
    attack_y = (np.concatenate(in_flags).astype('int32'),
                np.concatenate(out_flags).astype('int32'))
    classes = (np.array(train_classes_flat), np.array(test_classes_flat))
    attack_dataset = (attack_x, attack_y, classes)

    return  shadow_train_performance, shadow_test_performance, attack_dataset, x_shadow_train, y_shadow_train, x_shadow_test, y_shadow_test, model

In [57]:
def define_attack_model(n_class):
    """Build and compile a minimal classifier with two single-unit ReLU layers.

    The model ends in a softmax over ``n_class`` units and is compiled with
    categorical cross-entropy and SGD (learning rate 0.0001, momentum 0.9).

    Args:
        n_class: Number of output classes.

    Returns:
        The compiled Keras model.
    """
    model = Sequential()

    for _ in range(2):
        model.add(Dense(1))
        model.add(Activation("relu"))

    model.add(Dense(n_class, activation='softmax'))

    model.compile(
        optimizer=SGD(learning_rate=0.0001, momentum=0.9),
        loss='categorical_crossentropy',
        metrics=['accuracy'],
    )
    return model

In [58]:
def attack_mlp(pix,d):
    """Build and compile the binary member / non-member classifier.

    One hidden layer of 64 ReLU units feeds a two-unit softmax. The loss is
    sparse categorical cross-entropy, so integer labels are expected.

    Args:
        pix: Number of input features.
        d: Unused.

    Returns:
        ``(model, act_layer)`` where ``act_layer`` is the constant 1.
    """
    classifier = Sequential()
    for layer in (Dense(64, input_dim=pix),
                  Activation("relu"),
                  Dense(2, activation='softmax')):
        classifier.add(layer)
    classifier.compile(loss='sparse_categorical_crossentropy', optimizer='adam', metrics=['accuracy'])

    return classifier, 1

In [59]:
def prep_attack_train_data(n_attack_data):
    """Assemble the attack training table from shadow-model outputs.

    Args:
        n_attack_data: Triple ``(predictions, membership, classes)``; each entry
            is a ``(member_part, nonmember_part)`` pair.

    Returns:
        DataFrame with member rows first and non-member rows after them, indexed
        0..n-1. Columns are the prediction columns, then ``"y"`` (true class),
        then ``"membership"``.
    """
    def _stack_pair(pair, column=None):
        # Member part on top of the non-member part, with a fresh 0..n-1 index.
        frames = [pd.DataFrame(pair[0]), pd.DataFrame(pair[1])]
        if column is not None:
            for frame in frames:
                frame.columns = [column]
        return pd.concat(frames, axis=0).reset_index(drop=True)

    prediction_cols = _stack_pair(n_attack_data[0])
    membership_col = _stack_pair(n_attack_data[1], "membership")
    class_col = _stack_pair(n_attack_data[2], "y")

    return pd.concat([prediction_cols, class_col, membership_col], axis=1)

In [60]:
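def prep_validation_data(attack_test_data):
    """Build the member and non-member validation tables for the attack.

    Only the prediction vectors (entry 0) and true classes (entry 2) are used.
    The membership flags in entry 1 are not needed here because members and
    non-members are returned as two separate frames; the frames that used to be
    built from them were never read and have been removed.

    Args:
        attack_test_data: Triple ``(predictions, membership, classes)``; each
            entry is a ``(member_part, nonmember_part)`` pair.

    Returns:
        ``(mem_df, nmem_df)``: each holds the prediction columns followed by a
        ``"y"`` column with the true class.
    """
    def _with_class(pred_vals, class_vals):
        class_frame = pd.DataFrame(class_vals)
        class_frame.columns = ["y"]
        return pd.concat([pd.DataFrame(pred_vals), class_frame], axis=1)

    mem_df = _with_class(attack_test_data[0][0], attack_test_data[2][0])
    nmem_df = _with_class(attack_test_data[0][1], attack_test_data[2][1])

    return mem_df, nmem_df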

In [61]:
def load_attack_test_data(members, nonmembers):
    """Convert the member and non-member evaluation frames to arrays.

    Both frames go through ``transform_location_data``; the feature count it also
    returns is discarded.

    Args:
        members: DataFrame of records treated as training members.
        nonmembers: DataFrame of records treated as non-members.

    Returns:
        ``(memberX, memberY, nonmemberX, nonmemberY)``.
    """
    member_features, member_labels = transform_location_data(members)[:2]
    nonmember_features, nonmember_labels = transform_location_data(nonmembers)[:2]

    return member_features, member_labels, nonmember_features, nonmember_labels

In [62]:
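def prety_print_result(mem, pred):
    """Print and return membership-inference metrics for binary predictions.

    Args:
        mem: True membership flags (1 = member, 0 = non-member).
        pred: Predicted membership flags, same length as ``mem``.

    Returns:
        ``(tp, fp, fn, tn, precision, advantage, accuracy, recall)`` where
        ``advantage`` is the true-positive rate minus the false-positive rate.
        A ratio whose denominator is zero is reported as 0.0.
    """
    # Cast both inputs to int so float flags (0.0 / 1.0) and integer predictions
    # share one label set, and pin labels=[0, 1] so the matrix is always 2x2 even
    # when only one of the two values occurs.
    truth = np.asarray(mem).astype(int)
    guess = np.asarray(pred).astype(int)
    tn, fp, fn, tp = confusion_matrix(truth, guess, labels=[0, 1]).ravel()
    print('TP: %d     FP: %d     FN: %d     TN: %d' % (tp, fp, fn, tn))

    def _ratio(numerator, denominator):
        # Guarded division: the unguarded form produced NaN in the return value
        # in exactly the case where the printed report said 0.
        return float(numerator) / float(denominator) if denominator else 0.0

    precision = _ratio(tp, tp + fp)
    recall = _ratio(tp, tp + fn)
    false_positive_rate = _ratio(fp, tn + fp)
    advantage = recall - false_positive_rate
    accuracy = _ratio(tp + tn, tp + tn + fp + fn)

    if tp == fp == 0:
        print('PPV: 0\nAdvantage: 0')
    else:
        print('PPV: %.4f\nAdvantage: %.4f' % (precision, advantage))

    return tp, fp, fn, tn, precision, advantage, accuracy, recall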

In [63]:
def train_attack_model(attack_data, check_membership, n_hidden=50, learning_rate=0.01, batch_size=200, epochs=50, model='nn', l2_ratio=1e-7):
    """Fit one attack classifier per class and score it on held-out target outputs.

    For each class present in the member part of ``attack_data`` an
    ``attack_mlp`` is fitted (for ``EPS`` epochs, read as a global) on that
    class's member and non-member prediction vectors, then applied to the
    ``check_membership`` records of the same class.

    Args:
        attack_data: ``(x, y, classes)``; each is a ``(member_part,
            nonmember_part)`` pair of arrays.
        check_membership: ``(prediction_vals, membership_status, class_status)``;
            each is a sequence of arrays that is stacked / flattened here.
        n_hidden, learning_rate, batch_size, epochs, model, l2_ratio: Unused.

    Returns:
        The 8-tuple produced by ``prety_print_result``:
        ``(tp, fp, fn, tn, precision, advantage, accuracy, recall)``.
    """
    def _flatten(groups):
        return np.array([value for group in groups for value in group])

    x, y, classes = attack_data
    in_x, out_x = x[0], x[1]
    in_y, out_y = y[0], y[1]
    in_classes, out_classes = classes[0], classes[1]

    probe_preds, probe_status, probe_classes = check_membership
    probe_preds = np.vstack(probe_preds)
    probe_status = _flatten(probe_status)
    probe_classes = _flatten(probe_classes)

    in_rows = np.arange(len(in_x))
    out_rows = np.arange(len(out_x))

    predicted_membership, target_membership = [], []
    for c in np.unique(in_classes):
        print("Class : ", c)
        rows_in = in_rows[in_classes == c]
        rows_out = out_rows[out_classes == c]

        # Member rows first, then non-member rows, for this class only.
        class_x = np.vstack((in_x[rows_in], out_x[rows_out]))
        class_y = _flatten((in_y[rows_in], out_y[rows_out]))

        classifier, _ = attack_mlp(class_x.shape[1], 1)
        classifier.fit(class_x, class_y, epochs=EPS, batch_size=32, verbose=0)

        # Score the held-out records that belong to the same class.
        probe_rows = np.where(probe_classes==c)
        scores = classifier.predict(probe_preds[probe_rows])

        target_membership.append(probe_status[probe_rows])
        predicted_membership.append(np.argmax(scores, axis=1))

    target_membership = _flatten(target_membership)
    predicted_membership = _flatten(predicted_membership)

    return prety_print_result (target_membership,predicted_membership)

In [64]:
def shokri_attack(attack_df, mem_validation, nmem_validation):
    """Run the per-class membership-inference evaluation.

    For every class value in ``attack_df['y']`` an ``attack_mlp`` is fitted (for
    ``EPS`` epochs, read as a global) on that class's rows, using every column
    except the last as features and ``'membership'`` as the label. The fitted
    model then scores the validation rows of the same class; those rows are
    passed whole, including their ``'y'`` column.

    NOTE(review): a class is scored only when it has at least one member row and
    at least one non-member row in the validation frames; rows of other classes
    do not appear in the returned arrays. Confirm this is intended, since it
    changes which records the reported metrics cover.

    Args:
        attack_df: Attack training table with ``'y'`` and ``'membership'`` columns.
        mem_validation: Validation rows of known members, with a ``'y'`` column.
        nmem_validation: Validation rows of known non-members, with a ``'y'`` column.

    Returns:
        ``(pred_membership, ori_membership, TP_idx_list, TN_idx_list)``:
        predictions for members followed by non-members, the matching ground
        truth (ones then zeros), the index labels of members predicted as
        members, and the index labels of non-members predicted as non-members.
    """
    def _flatten(groups):
        return np.array([value for group in groups for value in group])

    member_votes, nonmember_votes = [], []
    true_positive_rows, true_negative_rows = [], []

    n_feature_cols = attack_df.shape[1]-1

    for c_val in np.unique(attack_df['y']):
        print(c_val)

        class_rows = attack_df[(attack_df['y'] == c_val)]
        attack_feat = class_rows.iloc[:, 0:n_feature_cols]
        attack_class = class_rows['membership']

        # The model is fitted before the emptiness check below, as in the original.
        attack_model, _ = attack_mlp(attack_feat.shape[1], 1)
        attack_model.fit(attack_feat, attack_class, epochs=EPS, batch_size=32, verbose=0)

        check_mem_feat = mem_validation[mem_validation['y']==c_val]
        check_nmem_feat = nmem_validation[nmem_validation['y']==c_val]

        if len(check_mem_feat) == 0 or len(check_nmem_feat) == 0:
            continue

        member_choice = np.argmax(attack_model.predict(np.array(check_mem_feat)), axis=1)
        nonmember_choice = np.argmax(attack_model.predict(np.array(check_nmem_feat)), axis=1)

        member_votes.append(member_choice)
        nonmember_votes.append(nonmember_choice)

        member_labels = np.array(check_mem_feat.index)
        nonmember_labels = np.array(check_nmem_feat.index)
        true_positive_rows.append(member_labels[np.where(member_choice==1)[0]])
        true_negative_rows.append(nonmember_labels[np.where(nonmember_choice==0)[0]])

    members = _flatten(member_votes)
    nonmembers = _flatten(nonmember_votes)

    pred_membership = np.concatenate([members,nonmembers])
    ori_membership = np.concatenate([np.ones(len(members)), np.zeros(len(nonmembers))])

    return pred_membership, ori_membership, _flatten(true_positive_rows), _flatten(true_negative_rows)

In [65]:
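def train_target_model(target_dataset, per_class_sample, epoch, act_layer, n_class, train_size, channel=0, verbose=0, test_ratio=0.3):
    """Train the target classifier and report its train / test accuracy.

    The gap between the two printed accuracies shows how much the model has
    fitted its own training rows compared with rows it has not seen.

    Args:
        target_dataset: DataFrame accepted by ``load_target_data``.
        per_class_sample: Unused.
        epoch: Number of training epochs.
        act_layer: Unused.
        n_class: Number of output classes.
        train_size: Number of leading rows used for training.
        channel: Unused.
        verbose: Keras verbosity for ``fit`` and ``evaluate``.
        test_ratio: Forwarded to ``load_target_data``.

    Returns:
        ``(target_model, dim)`` where ``dim`` is the number of input features.
    """
    (target_trainX, target_trainY), (target_testX, target_testY), dim = load_target_data(target_dataset, train_size, test_ratio)
    target_model, _ = build_location_dnn(n_class,dim)

    # Use the epoch / verbose arguments. The globals EPS and VERBOSE were read
    # here before, so the values passed by the caller were silently ignored.
    target_model.fit(target_trainX, target_trainY, epochs=epoch, batch_size=32, verbose=verbose)

    _, train_acc = target_model.evaluate(target_trainX, target_trainY, verbose=verbose)
    _, test_acc = target_model.evaluate(target_testX, target_testY, verbose=verbose)
    print('\n', "Target Train acc : ", (train_acc * 100.0),"Target Test acc : ", (test_acc * 100.0))
    return target_model, dim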

In [66]:
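def prepare_attack_test_data(attack_test_members, attack_test_nonmembers, target_model):
    """Query the target model on known members and non-members.

    Args:
        attack_test_members: DataFrame of records taken from the training data.
        attack_test_nonmembers: DataFrame of records the model was not trained on.
        target_model: Trained model exposing ``predict``.

    Returns:
        ``(predictions, membership, classes)``; each entry is a
        ``(member_part, nonmember_part)`` pair. Membership flags are int32 ones
        for members and zeros for non-members; classes are the argmax of the
        one-hot labels.
    """
    memberX, memberY, nonmemberX, nonmemberY = load_attack_test_data(attack_test_members, attack_test_nonmembers)

    member_pred = np.vstack(target_model.predict(memberX, batch_size=32))
    member_class = np.argmax(memberY, axis=1)
    member_flags = np.ones(len(member_pred)).astype('int32')

    nonmember_pred = np.vstack(target_model.predict(nonmemberX, batch_size=32))
    nonmember_class = np.argmax(nonmemberY, axis=1)
    nonmember_flags = np.zeros(len(nonmember_pred)).astype('int32')

    # Print sizes only. Dumping the arrays stored every per-record confidence
    # vector in the saved notebook output, which floods the output and copies
    # the model's responses on individual records into a file that gets shared.
    print('\n pred shapes', member_pred.shape, nonmember_pred.shape)
    print('\n class shapes', member_class.shape, nonmember_class.shape)
    print('\n mem status counts', len(member_flags), len(nonmember_flags))

    attack_test_data = (
        (member_pred, nonmember_pred),
        (member_flags, nonmember_flags),
        (np.array(member_class), np.array(nonmember_class)),
    )

    return attack_test_data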

In [67]:
# --------------------------------------------Original Data--------------------------------------------------------------#

In [80]:
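train_size = 840
attack_test_size = 600

# Fixed seed for every draw below, so the same records end up as target, shadow,
# member and non-member rows on each run. Without it the split (and therefore
# which records the reported metrics refer to) changes on every execution.
SPLIT_SEED = 0

loc_data = pd.read_csv('data/bangkok', na_values=["?"], header=None)

# Target pool: 1200 rows; the first `train_size` of them are the training members.
target_dataset = loc_data.sample(n = 1200, replace = False, random_state=SPLIT_SEED)
df_rest = loc_data.loc[~loc_data.index.isin(target_dataset.index)]

# Shadow pool: 2000 rows that are disjoint from the target pool.
shadow_dataset = df_rest.sample(n = 2000, replace = False, random_state=SPLIT_SEED)
df_rest = df_rest.loc[~df_rest.index.isin(shadow_dataset.index)]

# Evaluation records: non-members come from rows in neither pool, members from
# the target model's training rows.
attack_test_nonmembers = df_rest.sample(n = attack_test_size, replace = False, random_state=SPLIT_SEED)
attack_test_members =  target_dataset.iloc[:train_size,:].sample(n = attack_test_size, replace = False, random_state=SPLIT_SEED)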

In [81]:
# Train the target model.
# EPS is also read as a global by helper functions defined earlier, so it has to
# be assigned before those helpers are called.
EPS = 100
VERBOSE = 0
n_class = 31
test_ratio = 0.3

# Passed through to train_target_model below.
per_class_sample = 40
channel = 1
act_layer = 6

target_model, dim = train_target_model(
    target_dataset, per_class_sample, EPS, act_layer, n_class, train_size
)


 Target Train acc :  100.0 Target Test acc :  49.72222149372101


In [82]:
# Train the shadow models: write the shadow splits to disk, then fit one model
# per split and collect the attack training data.
n_shadow_models = 60
shadow_data_size = 1200

load_shadow_data(shadow_dataset, n_shadow_models, shadow_data_size, test_ratio)

shadow_results = train_shadow_models(n_shadow_models, n_class, dim, channel)
(n_shadow_train_performance, n_shadow_test_performance, n_attack_data,
 x_shadow_train, y_shadow_train, x_shadow_test, y_shadow_test,
 shadow_model_init) = shadow_results

shadow_i_trainX =  840 shadow_i_trainY =  840 shadow_i_testX =  360 shadow_i_testY =  360
shadow_i_trainX =  840 shadow_i_trainY =  840 shadow_i_testX =  360 shadow_i_testY =  360
shadow_i_trainX =  840 shadow_i_trainY =  840 shadow_i_testX =  360 shadow_i_testY =  360
shadow_i_trainX =  840 shadow_i_trainY =  840 shadow_i_testX =  360 shadow_i_testY =  360
shadow_i_trainX =  840 shadow_i_trainY =  840 shadow_i_testX =  360 shadow_i_testY =  360
shadow_i_trainX =  840 shadow_i_trainY =  840 shadow_i_testX =  360 shadow_i_testY =  360
shadow_i_trainX =  840 shadow_i_trainY =  840 shadow_i_testX =  360 shadow_i_testY =  360
shadow_i_trainX =  840 shadow_i_trainY =  840 shadow_i_testX =  360 shadow_i_testY =  360
shadow_i_trainX =  840 shadow_i_trainY =  840 shadow_i_testX =  360 shadow_i_testY =  360
shadow_i_trainX =  840 shadow_i_trainY =  840 shadow_i_testX =  360 shadow_i_testY =  360
shadow_i_trainX =  840 shadow_i_trainY =  840 shadow_i_testX =  360 shadow_i_testY =  360
shadow_i_t

Shadow Train acc :  90.47619104385376 Shadow Test acc :  40.55555462837219
Shadow Model  14
Training shadow model 14
Shadow Train acc :  100.0 Shadow Test acc :  49.44444298744202
Shadow Model  15
Training shadow model 15
Shadow Train acc :  100.0 Shadow Test acc :  47.49999940395355
Shadow Model  16
Training shadow model 16
Shadow Train acc :  100.0 Shadow Test acc :  48.88888895511627
Shadow Model  17
Training shadow model 17
Shadow Train acc :  100.0 Shadow Test acc :  46.94444537162781
Shadow Model  18
Training shadow model 18
Shadow Train acc :  100.0 Shadow Test acc :  43.05555522441864
Shadow Model  19
Training shadow model 19
Shadow Train acc :  100.0 Shadow Test acc :  48.61111044883728
Shadow Model  20
Training shadow model 20
Shadow Train acc :  100.0 Shadow Test acc :  49.72222149372101
Shadow Model  21
Training shadow model 21
Shadow Train acc :  100.0 Shadow Test acc :  49.44444298744202
Shadow Model  22
Training shadow model 22
Shadow Train acc :  100.0 Shadow Test acc :

Shadow Model  52
Training shadow model 52
Shadow Train acc :  100.0 Shadow Test acc :  53.33333611488342
Shadow Model  53
Training shadow model 53
Shadow Train acc :  100.0 Shadow Test acc :  44.44444477558136
Shadow Model  54
Training shadow model 54
Shadow Train acc :  97.6190447807312 Shadow Test acc :  43.33333373069763
Shadow Model  55
Training shadow model 55
Shadow Train acc :  100.0 Shadow Test acc :  52.77777910232544
Shadow Model  56
Training shadow model 56
Shadow Train acc :  100.0 Shadow Test acc :  43.61111223697662
Shadow Model  57
Training shadow model 57
Shadow Train acc :  100.0 Shadow Test acc :  46.666666865348816
Shadow Model  58
Training shadow model 58
Shadow Train acc :  100.0 Shadow Test acc :  45.83333432674408
Shadow Model  59
Training shadow model 59
Shadow Train acc :  100.0 Shadow Test acc :  48.055556416511536


In [83]:
# Train the attack models and evaluate them against the target model.
attack_train_df = prep_attack_train_data(n_attack_data)

attack_test_data = prepare_attack_test_data(attack_test_members, attack_test_nonmembers, target_model)
mem_validation, nmem_validation = prep_validation_data(attack_test_data)

attack_outcome = shokri_attack(attack_train_df, mem_validation, nmem_validation)
pred_membership, ori_membership, TP_idx_list, TN_idx_list = attack_outcome

# Advantage is the true-positive rate minus the false-positive rate; values near
# zero mean members and non-members could not be told apart.
metrics = prety_print_result (ori_membership,pred_membership)
tp, fp, fn, tn, precision, advj, acc, recall = metrics
print('Accuracy: ', acc, 'Precision: ', precision)


 pred (array([[3.2454445e-05, 1.7730963e-04, 2.3946868e-07, ..., 9.7834271e-01,
        5.6267389e-05, 1.0956207e-04],
       [1.6205106e-04, 4.4466383e-03, 8.5678412e-06, ..., 9.6585518e-01,
        3.9436133e-03, 4.0610670e-03],
       [3.5950707e-06, 2.4932140e-05, 2.4212101e-08, ..., 9.9880475e-01,
        1.8363147e-05, 1.2797940e-06],
       ...,
       [1.1520053e-05, 4.2510852e-08, 1.7312575e-05, ..., 1.1712179e-06,
        1.5468868e-04, 1.9626523e-04],
       [1.9776726e-05, 2.0648275e-05, 6.7268599e-07, ..., 3.0733235e-03,
        2.0381178e-04, 5.5770151e-06],
       [6.9168498e-05, 8.2351085e-07, 1.2342667e-04, ..., 4.4801723e-06,
        2.6979475e-05, 1.9727351e-05]], dtype=float32), array([[3.9235773e-04, 1.5949664e-01, 4.6733813e-04, ..., 1.3727096e-03,
        3.0945655e-06, 3.4315549e-04],
       [3.7867023e-04, 8.0046570e-04, 1.2828262e-03, ..., 6.0431857e-04,
        5.2086007e-02, 3.4783629e-03],
       [7.1855704e-04, 4.8704026e-03, 7.7154087e-05, ..., 1.3845077

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
TP: 600     FP: 128     FN: 0     TN: 472
PPV: 0.8242
Advantage: 0.7867
Accuracy:  0.8933333333333333 Precision:  0.8241758241758241


In [None]:
# --------------------------------------------Original Data--------------------------------------------------------------#

In [None]:
# --------------------------------------------Synthetic Data------------------------------------------------------------#

In [84]:
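# Synthetic-data variant: the target model is trained on a synthetic file while
# the membership test still uses original records.
train_size = 840
attack_test_size = 600

# Fixed seed for every draw below, so the same shadow, member and non-member
# records are selected on each run.
SPLIT_SEED = 0

org_dataset = pd.read_csv('data/bangkok', na_values=["?"], header=None)
target_dataset = pd.read_csv('data/loc_sds_cac_2500.csv', na_values=["?"], header=None)

# Rows from position 2500 onward supply the shadow pool and the non-members.
df = org_dataset.iloc[2500:,:]
shadow_dataset = df.sample(n = 1900, replace = False, random_state=SPLIT_SEED)
df_rest = df.loc[~df.index.isin(shadow_dataset.index)]
attack_test_nonmembers = df_rest.sample(n = attack_test_size, replace = False, random_state=SPLIT_SEED)

# "Members" are drawn from the first 2500 original rows.
# NOTE(review): presumably these are the rows the synthetic file was generated
# from - confirm, because the membership labels depend on it.
attack_test_members = org_dataset.iloc[:2500,:]
attack_test_members = attack_test_members.sample(n=attack_test_size, replace=False, random_state=SPLIT_SEED)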

In [85]:
# Train the target model (synthetic-data run).
# EPS is also read as a global by helper functions defined earlier, so it has to
# be assigned before those helpers are called.
EPS = 100
VERBOSE = 0
n_class = 31
test_ratio = 0.3
train_size = 840

# Passed through to train_target_model below.
per_class_sample = 40
channel = 1
act_layer = 6

target_model, dim = train_target_model(
    target_dataset, per_class_sample, EPS, act_layer, n_class, train_size
)


 Target Train acc :  100.0 Target Test acc :  67.34939813613892


In [86]:
# Train the shadow models (synthetic-data run): write the shadow splits to disk,
# then fit one model per split and collect the attack training data.
n_shadow_models = 60
shadow_data_size = 1200

load_shadow_data(shadow_dataset, n_shadow_models, shadow_data_size, test_ratio)

shadow_results = train_shadow_models(n_shadow_models, n_class, dim, channel)
(n_shadow_train_performance, n_shadow_test_performance, n_attack_data,
 x_shadow_train, y_shadow_train, x_shadow_test, y_shadow_test,
 shadow_model_init) = shadow_results

shadow_i_trainX =  840 shadow_i_trainY =  840 shadow_i_testX =  360 shadow_i_testY =  360
shadow_i_trainX =  840 shadow_i_trainY =  840 shadow_i_testX =  360 shadow_i_testY =  360
shadow_i_trainX =  840 shadow_i_trainY =  840 shadow_i_testX =  360 shadow_i_testY =  360
shadow_i_trainX =  840 shadow_i_trainY =  840 shadow_i_testX =  360 shadow_i_testY =  360
shadow_i_trainX =  840 shadow_i_trainY =  840 shadow_i_testX =  360 shadow_i_testY =  360
shadow_i_trainX =  840 shadow_i_trainY =  840 shadow_i_testX =  360 shadow_i_testY =  360
shadow_i_trainX =  840 shadow_i_trainY =  840 shadow_i_testX =  360 shadow_i_testY =  360
shadow_i_trainX =  840 shadow_i_trainY =  840 shadow_i_testX =  360 shadow_i_testY =  360
shadow_i_trainX =  840 shadow_i_trainY =  840 shadow_i_testX =  360 shadow_i_testY =  360
shadow_i_trainX =  840 shadow_i_trainY =  840 shadow_i_testX =  360 shadow_i_testY =  360
shadow_i_trainX =  840 shadow_i_trainY =  840 shadow_i_testX =  360 shadow_i_testY =  360
shadow_i_t

Shadow Train acc :  100.0 Shadow Test acc :  47.22222089767456
Shadow Model  14
Training shadow model 14
Shadow Train acc :  100.0 Shadow Test acc :  42.500001192092896
Shadow Model  15
Training shadow model 15
Shadow Train acc :  97.73809313774109 Shadow Test acc :  48.61111044883728
Shadow Model  16
Training shadow model 16
Shadow Train acc :  96.42857313156128 Shadow Test acc :  41.94444417953491
Shadow Model  17
Training shadow model 17
Shadow Train acc :  100.0 Shadow Test acc :  50.0
Shadow Model  18
Training shadow model 18
Shadow Train acc :  100.0 Shadow Test acc :  48.055556416511536
Shadow Model  19
Training shadow model 19
Shadow Train acc :  100.0 Shadow Test acc :  44.44444477558136
Shadow Model  20
Training shadow model 20
Shadow Train acc :  100.0 Shadow Test acc :  43.61111223697662
Shadow Model  21
Training shadow model 21
Shadow Train acc :  100.0 Shadow Test acc :  46.388888359069824
Shadow Model  22
Training shadow model 22
Shadow Train acc :  89.04761672019958 Sha

Shadow Model  52
Training shadow model 52
Shadow Train acc :  100.0 Shadow Test acc :  43.88888776302338
Shadow Model  53
Training shadow model 53
Shadow Train acc :  100.0 Shadow Test acc :  44.44444477558136
Shadow Model  54
Training shadow model 54
Shadow Train acc :  100.0 Shadow Test acc :  51.38888955116272
Shadow Model  55
Training shadow model 55
Shadow Train acc :  100.0 Shadow Test acc :  48.055556416511536
Shadow Model  56
Training shadow model 56
Shadow Train acc :  99.04761910438538 Shadow Test acc :  48.055556416511536
Shadow Model  57
Training shadow model 57
Shadow Train acc :  100.0 Shadow Test acc :  45.277777314186096
Shadow Model  58
Training shadow model 58
Shadow Train acc :  100.0 Shadow Test acc :  46.11110985279083
Shadow Model  59
Training shadow model 59
Shadow Train acc :  100.0 Shadow Test acc :  41.66666567325592


In [47]:
# Train the attack model and score it against the known member / non-member sets.
# Every helper called here is defined elsewhere in the notebook.

# Attack evaluation data built from the member / non-member sets and target_model.
attack_test_data = prepare_attack_test_data(
    attack_test_members,
    attack_test_nonmembers,
    target_model,
)
mem_validation, nmem_validation = prep_validation_data(attack_test_data)

# Attack training frame derived from the shadow-model data in n_attack_data.
attack_train_df = prep_attack_train_data(n_attack_data)

(
    pred_membership,
    ori_membership,
    TP_idx_list,
    TN_idx_list,
) = shokri_attack(attack_train_df, mem_validation, nmem_validation)

# prety_print_result prints the confusion counts and returns the metrics.
tp, fp, fn, tn, precision, advj, acc, recall = prety_print_result(
    ori_membership, pred_membership
)
print('Accuracy: ', acc, 'Precision: ', precision)


 pred (array([[5.68749310e-05, 7.80531991e-05, 4.62096759e-05, ...,
        1.99702816e-04, 5.26974418e-06, 5.86070928e-06],
       [1.17424317e-03, 2.69294698e-02, 2.99192634e-05, ...,
        6.64826855e-03, 1.35426996e-02, 4.61995639e-02],
       [1.30659726e-03, 7.47133121e-02, 9.43629013e-04, ...,
        1.22825466e-01, 9.16997902e-04, 8.57664490e-05],
       ...,
       [6.45222681e-05, 3.37273558e-03, 1.31870992e-03, ...,
        3.94164590e-06, 3.43016495e-07, 1.39434565e-06],
       [6.84582454e-04, 1.63832819e-03, 8.41556641e-04, ...,
        8.78767285e-04, 8.65819678e-03, 1.97232992e-04],
       [5.06653450e-04, 4.43237514e-06, 1.19998193e-04, ...,
        1.27247593e-03, 1.42320590e-02, 2.37027463e-03]], dtype=float32), array([[8.9254041e-05, 5.1605413e-03, 2.9030166e-04, ..., 2.6506719e-05,
        1.2800508e-06, 2.4531944e-05],
       [1.2757263e-05, 3.3649751e-05, 9.9767417e-01, ..., 4.3464482e-07,
        5.0030746e-07, 1.7990590e-07],
       [1.9783042e-04, 1.809523

2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
TP: 199     FP: 141     FN: 401     TN: 459
PPV: 0.5853
Advantage: 0.0967
Accuracy:  0.5483333333333333 Precision:  0.5852941176470589


In [None]:
# --------------------------------------------Synthetic Data------------------------------------------------------------#

In [85]:
# train target model
# per_class_sample, channel and act_layer are assigned here but not used in this cell.
per_class_sample=40
channel=1   
EPS=100
act_layer=6
n_class = 31
VERBOSE = 0
test_ratio = 0.3

# NOTE(review): the load_target_data definition at the top of this notebook takes
# (dataset, train_size, test_ratio); this call passes two arguments. The recorded
# output shows the cell ran, so a different definition was presumably live at the
# time. Confirm before relying on Restart & Run All.
(target_trainX, target_trainY), (target_testX, target_testY), dim = load_target_data(target_dataset, test_ratio)
target_model,_ = build_location_dnn(n_class,dim)
#get_trained_keras_models(model, (target_trainX, target_trainY), (target_testX, target_testY), num_models=1)
history = target_model.fit(target_trainX, target_trainY, epochs=EPS, batch_size=32, verbose=VERBOSE)
# score[1] is printed as the test accuracy; this assumes accuracy is the first
# compiled metric of the model (TODO confirm in build_location_dnn).
score = target_model.evaluate(target_testX, target_testY, verbose=VERBOSE)
print('\n', 'Model test accuracy:', score[1])


 Model test accuracy: 0.5305555462837219


In [29]:
# prepare attack test data
# For known members and non-members of the target training set, collect the
# target model's prediction vectors, a 1/0 membership label per row, and the
# class index (argmax of the one-hot label).

memberX, memberY, nonmemberX, nonmemberY = load_attack_test_data(
    attack_test_members, attack_test_nonmembers
)

# member rows: membership label 1
target_model_member_pred = np.vstack(target_model.predict(memberX, batch_size=32))
target_model_member_class = np.argmax(memberY, axis=1)
members = list(np.ones(len(target_model_member_pred)))

# nonmember rows: membership label 0
target_model_nonmember_pred = np.vstack(target_model.predict(nonmemberX, batch_size=32))
target_model_nonmember_class = np.argmax(nonmemberY, axis=1)
nonmembers = list(np.zeros(len(target_model_nonmember_pred)))

# Each tuple is ordered (member part, non-member part).
full_attack_test_pred_val = (target_model_member_pred, target_model_nonmember_pred)
full_attack_test_mem_status = (
    np.array(members).astype('int32'),
    np.array(nonmembers).astype('int32'),
)
full_attack_test_class_status = (
    np.array(target_model_member_class),
    np.array(target_model_nonmember_class),
)

# These prints dump whole arrays into the cell output.
print('\n pred', full_attack_test_pred_val)
print('\n class', full_attack_test_class_status)
print('\n mem status', full_attack_test_mem_status)

attack_test_data = (
    full_attack_test_pred_val,
    full_attack_test_mem_status,
    full_attack_test_class_status,
)


 pred (array([[1.4383269e-05, 9.8675019e-01, 9.4331563e-06, ..., 3.3448294e-05,
        2.4663562e-08, 7.4988307e-08],
       [5.6819513e-06, 9.9598330e-01, 3.2678949e-05, ..., 1.7893517e-06,
        5.9625744e-09, 6.7217769e-09],
       [2.2274417e-05, 9.1622275e-04, 1.1131373e-05, ..., 2.7087546e-04,
        7.6284603e-05, 1.2587872e-06],
       ...,
       [5.4964823e-07, 2.3961135e-07, 4.9201283e-08, ..., 3.1345726e-06,
        7.8533617e-07, 5.8080175e-05],
       [2.4831028e-05, 3.9591969e-04, 4.5766278e-06, ..., 3.2213560e-04,
        4.3243930e-05, 1.0943449e-05],
       [1.0043455e-05, 3.3135791e-03, 4.2366792e-05, ..., 2.2149634e-06,
        1.0032842e-08, 1.3235835e-07]], dtype=float32), array([[1.0245304e-03, 1.5893696e-01, 1.2402074e-02, ..., 2.4571231e-01,
        2.1649485e-05, 1.2750645e-03],
       [2.8333534e-04, 2.7589879e-03, 5.1136658e-04, ..., 1.2911399e-04,
        1.0573962e-05, 5.9802993e-04],
       [8.8482146e-04, 9.7625370e-06, 2.1386400e-02, ..., 2.0182038

In [278]:
# save attack test dataset to csv
# Each column is the member part followed by the non-member part, re-indexed 0..n-1.
# Only prediction columns 0 and 1 are exported, although n_class is set to 31
# elsewhere in this notebook. Confirm that two columns are really all the
# consumer of this CSV needs.
# NOTE(review): 'prob_class 1' has a space where 'prob_class_0' has an underscore;
# kept as written because the header is part of the file this cell produces.
# The file holds per-record membership labels; handle it like the training data.
df = pd.DataFrame()
for column_name, member_part, nonmember_part in [
    ('prob_class_0', full_attack_test_pred_val[0][:, 0], full_attack_test_pred_val[1][:, 0]),
    ('prob_class 1', full_attack_test_pred_val[0][:, 1], full_attack_test_pred_val[1][:, 1]),
    ('mem_status', full_attack_test_mem_status[0][:], full_attack_test_mem_status[1][:]),
    ('class_status', full_attack_test_class_status[0][:], full_attack_test_class_status[1][:]),
]:
    mem = pd.Series(member_part)
    nonmem = pd.Series(nonmember_part)
    total = pd.concat([mem, nonmem], axis=0, ignore_index=True)
    df[column_name] = total

df.to_csv('attack_test_data.csv')

In [87]:
#prepare shadow dataset
# Settings passed to load_shadow_data (defined elsewhere). The recorded output
# shows 840 train / 360 test rows per shadow model, i.e. a 70/30 split of 1200.
n_shadow_models = 60
shadow_data_size = 1200
test_ratio = 0.3

# The return value, if any, is not bound to a name here. The later training cell
# does not take the shadow data as an argument, so it presumably reads state
# that load_shadow_data leaves behind (TODO confirm).
load_shadow_data(shadow_dataset, n_shadow_models, shadow_data_size, test_ratio)

shadow_i_trainX =  840 shadow_i_trainY =  840 shadow_i_testX =  360 shadow_i_testY =  360
shadow_i_trainX =  840 shadow_i_trainY =  840 shadow_i_testX =  360 shadow_i_testY =  360
shadow_i_trainX =  840 shadow_i_trainY =  840 shadow_i_testX =  360 shadow_i_testY =  360
shadow_i_trainX =  840 shadow_i_trainY =  840 shadow_i_testX =  360 shadow_i_testY =  360
shadow_i_trainX =  840 shadow_i_trainY =  840 shadow_i_testX =  360 shadow_i_testY =  360
shadow_i_trainX =  840 shadow_i_trainY =  840 shadow_i_testX =  360 shadow_i_testY =  360
shadow_i_trainX =  840 shadow_i_trainY =  840 shadow_i_testX =  360 shadow_i_testY =  360
shadow_i_trainX =  840 shadow_i_trainY =  840 shadow_i_testX =  360 shadow_i_testY =  360
shadow_i_trainX =  840 shadow_i_trainY =  840 shadow_i_testX =  360 shadow_i_testY =  360
shadow_i_trainX =  840 shadow_i_trainY =  840 shadow_i_testX =  360 shadow_i_testY =  360
shadow_i_trainX =  840 shadow_i_trainY =  840 shadow_i_testX =  360 shadow_i_testY =  360
shadow_i_t

In [88]:
# train shadow models
# per_class_sample, act_layer, EPS, VERBOSE and test_ratio are set here but are not
# passed to train_shadow_models below; n_shadow_models and dim come from earlier cells.
per_class_sample = 40
channel = 1
EPS = 100
act_layer = 6
n_class = 31
VERBOSE = 0
test_ratio = 0.3

# The recorded output shows shadow models at or near 100% train accuracy with
# roughly 34-53% test accuracy. A train/test gap of that size is the overfitting
# signal membership inference depends on; narrowing it (regularisation, early
# stopping, differentially private training) is the usual first mitigation.
(
    n_shadow_train_performance,
    n_shadow_test_performance,
    n_attack_data,
    x_shadow_train,
    y_shadow_train,
    x_shadow_test,
    y_shadow_test,
    shadow_model_init,
) = train_shadow_models(n_shadow_models, n_class, dim, channel)

Shadow Model  0
Training shadow model 0
Shadow Train acc :  99.88095164299011 Shadow Test acc :  42.222222685813904
Shadow Model  1
Training shadow model 1
Shadow Train acc :  100.0 Shadow Test acc :  47.22222089767456
Shadow Model  2
Training shadow model 2
Shadow Train acc :  100.0 Shadow Test acc :  48.055556416511536
Shadow Model  3
Training shadow model 3
Shadow Train acc :  100.0 Shadow Test acc :  47.22222089767456
Shadow Model  4
Training shadow model 4
Shadow Train acc :  79.16666865348816 Shadow Test acc :  34.44444537162781
Shadow Model  5
Training shadow model 5
Shadow Train acc :  100.0 Shadow Test acc :  53.05555462837219
Shadow Model  6
Training shadow model 6
Shadow Train acc :  100.0 Shadow Test acc :  44.16666626930237
Shadow Model  7
Training shadow model 7
Shadow Train acc :  100.0 Shadow Test acc :  46.94444537162781
Shadow Model  8
Training shadow model 8
Shadow Train acc :  100.0 Shadow Test acc :  51.66666507720947
Shadow Model  9
Training shadow model 9
Shadow 

Shadow Model  39
Training shadow model 39
Shadow Train acc :  100.0 Shadow Test acc :  51.11111402511597
Shadow Model  40
Training shadow model 40
Shadow Train acc :  99.52380657196045 Shadow Test acc :  46.11110985279083
Shadow Model  41
Training shadow model 41
Shadow Train acc :  100.0 Shadow Test acc :  51.38888955116272
Shadow Model  42
Training shadow model 42
Shadow Train acc :  100.0 Shadow Test acc :  48.88888895511627
Shadow Model  43
Training shadow model 43
Shadow Train acc :  100.0 Shadow Test acc :  47.49999940395355
Shadow Model  44
Training shadow model 44
Shadow Train acc :  100.0 Shadow Test acc :  48.61111044883728
Shadow Model  45
Training shadow model 45
Shadow Train acc :  100.0 Shadow Test acc :  46.388888359069824
Shadow Model  46
Training shadow model 46
Shadow Train acc :  100.0 Shadow Test acc :  46.11110985279083
Shadow Model  47
Training shadow model 47
Shadow Train acc :  100.0 Shadow Test acc :  46.11110985279083
Shadow Model  48
Training shadow model 48


In [90]:
# Build the attack training data from n_attack_data (returned by
# train_shadow_models) and display it.
# NOTE(review): the first attack cell in this notebook calls
# prep_attack_train_data for the same step; confirm which helper is current.
attack_df = prep_attack_data(n_attack_data)
attack_df

array([ 1,  2,  3,  4,  5,  6,  7,  8,  9, 10, 11, 12, 13, 14, 15, 16, 17,
       18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30])

In [91]:
# Split the attack test data into member and non-member validation frames and
# display the non-member one.
# NOTE(review): attack_test_data is built in cells with lower execution counts
# than the cell that retrains target_model for this section, so these prediction
# vectors may come from an earlier target model. Rebuild attack_test_data after
# retraining before trusting the metrics below.
mem_validation, nmem_validation = prep_validation_data(attack_test_data)
nmem_validation

Unnamed: 0,0,1,2,3,4,5,6,7,8,9,...,22,23,24,25,26,27,28,29,30,y
0,0.000309,0.000306,0.907915,0.001118,0.000593,0.014152,0.002854,1.307487e-06,0.000084,2.756053e-04,...,4.222034e-03,3.473059e-04,0.000090,0.000016,1.056595e-02,0.000462,1.029052e-06,0.000943,7.971971e-03,2
1,0.000731,0.000012,0.000168,0.001460,0.032700,0.001204,0.000010,6.073690e-05,0.000673,2.763821e-04,...,4.686335e-01,1.639225e-02,0.004764,0.002624,5.966214e-02,0.016756,5.482202e-04,0.286968,9.832714e-02,29
2,0.000225,0.604389,0.000290,0.000320,0.000134,0.009279,0.046155,1.814771e-01,0.120881,9.508774e-05,...,3.024930e-06,1.654286e-04,0.015224,0.003167,5.620118e-06,0.000180,1.767857e-04,0.000100,4.197839e-07,1
3,0.000340,0.003887,0.000002,0.000014,0.000038,0.000010,0.000049,3.199356e-04,0.000245,6.803751e-03,...,3.868211e-02,3.358580e-01,0.002763,0.000012,4.919092e-04,0.000102,1.359883e-01,0.000312,1.293991e-03,23
4,0.000133,0.122700,0.000234,0.000115,0.000145,0.005945,0.005737,1.291345e-04,0.002174,3.152572e-05,...,7.577279e-04,6.375201e-05,0.820674,0.000081,9.395346e-06,0.000006,4.940748e-05,0.000006,2.446454e-05,1
...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...
595,0.001992,0.000828,0.006391,0.005343,0.001124,0.004704,0.003768,3.661131e-03,0.028536,7.559169e-02,...,2.011770e-03,4.047854e-04,0.000545,0.072970,6.815073e-03,0.000046,5.415375e-04,0.000228,5.823603e-04,21
596,0.000354,0.000607,0.000029,0.000133,0.000117,0.000005,0.000374,3.596262e-03,0.000128,2.172195e-02,...,4.109001e-03,2.503201e-01,0.000102,0.000307,1.208794e-04,0.000004,5.958360e-01,0.000256,4.241396e-03,23
597,0.000007,0.000608,0.000026,0.000021,0.000018,0.000629,0.000696,5.465820e-06,0.997620,4.959995e-07,...,2.802638e-07,7.759500e-06,0.000032,0.000001,2.423435e-07,0.000012,8.654787e-08,0.000008,2.753220e-07,8
598,0.000378,0.000090,0.416962,0.000428,0.002955,0.064196,0.008082,6.978997e-07,0.000415,9.965130e-05,...,6.928544e-03,7.730046e-04,0.002578,0.000901,1.955544e-04,0.000123,6.303369e-05,0.000532,1.521364e-01,2


In [92]:
# Run the shadow-model attack (shokri_attack, defined elsewhere): returns the
# predicted and original membership labels plus two index lists, which the
# names suggest hold the true-positive and true-negative rows (TODO confirm).
pred_membership, ori_membership, TP_idx_list, TN_idx_list = shokri_attack(attack_df, mem_validation, nmem_validation)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30


In [93]:
# Print the confusion counts, PPV and advantage, and keep the metrics for later cells.
# NOTE(review): the recorded run reports FN: 0, where the earlier section of this
# notebook reports FN: 401. Check that the validation data matches the current
# target model before reading this as stronger leakage.
tp, fp, fn, tn, precision, advj, acc, recall = prety_print_result (ori_membership,pred_membership)  

TP: 600     FP: 148     FN: 0     TN: 452
PPV: 0.8021
Advantage: 0.7533


In [94]:
# Display the unrounded precision returned by prety_print_result.
precision

0.8021390374331551

In [282]:
#save the prepared attack data on disk
# The six objects are passed positionally, so np.savez stores them as arr_0 .. arr_5.
# NOTE(review): the warning and the "Assets written" log line in the recorded output
# suggest that non-array objects (presumably shadow_model_init) are being pickled
# into the archive. Such a file can only be reloaded with allow_pickle=True, so it
# should be treated as a trusted, locally produced artifact and not shared as data.
np.savez(DATA_PATH + 'attack_purchase_data.npz', n_attack_data, x_shadow_train, y_shadow_train, x_shadow_test, y_shadow_test, shadow_model_init)

  val = np.asanyarray(val)


INFO:tensorflow:Assets written to: ram://a9382bc7-fd48-42a6-8436-af2bd2196281/assets


In [None]:
# read stored attack model training data
# SECURITY: allow_pickle=True lets np.load unpickle object arrays, and unpickling
# can run code embedded in the file. Load only archives written by this notebook
# or otherwise trusted, never an .npz obtained from an untrusted source.
# NOTE(review): the save cell writes 'attack_purchase_data.npz' while this cell
# reads 'attack_adult_data.npz'; confirm which file is intended.
data_name = 'attack_adult_data.npz'
with np.load(DATA_PATH + data_name, allow_pickle=True) as f:
    # Entries are read back in their positional order arr_0 .. arr_N.
    (
        n_attack_data,
        x_shadow_train,
        y_shadow_train,
        x_shadow_test,
        y_shadow_test,
        shadow_model_init,
    ) = [f['arr_%d' % idx] for idx in range(len(f.files))]

In [140]:
# Train the attack classifiers and evaluate them in one call (train_attack_model
# is defined elsewhere); this variant returns the metrics.
# NOTE(review): the recorded output lists class ids well beyond 30, so it was
# presumably produced with a different dataset than the 31-class run above.
tp, fp, fn, tn, precision, advj, acc, recall = train_attack_model(n_attack_data, attack_test_data)
# Alternative return shape (raw membership vectors), left disabled:
#target_membership, predicted_membership = train_attack_model(n_attack_data, attack_test_data)

Class :  0
Class :  1
Class :  2
Class :  3
Class :  4
Class :  5
Class :  6
Class :  7
Class :  8
Class :  9
Class :  10
Class :  11
Class :  12
Class :  13
Class :  14
Class :  15
Class :  16
Class :  17
Class :  18
Class :  19
Class :  20
Class :  21
Class :  22
Class :  23
Class :  24
Class :  25
Class :  26
Class :  27
Class :  28
Class :  29
Class :  30
Class :  31
Class :  32
Class :  33
Class :  34
Class :  35
Class :  36
Class :  37
Class :  38
Class :  39
Class :  40
Class :  41
Class :  42
Class :  43
Class :  44
Class :  45
Class :  46
Class :  47
Class :  48
Class :  49
Class :  50
Class :  51
Class :  52
Class :  53
Class :  54
Class :  55
Class :  56
Class :  57
Class :  58
Class :  59
Class :  60
Class :  61
Class :  62
Class :  63
Class :  64
Class :  65
Class :  66
Class :  67
Class :  68
Class :  69
Class :  70
Class :  71
Class :  72
Class :  73
Class :  74
Class :  75
Class :  76
Class :  77
Class :  78
Class :  79
Class :  80
Class :  81
Class :  82
Class :  83
Cl

In [284]:
# Display the current value of precision (set by whichever evaluation cell ran last).
precision

0.5193872315473136

In [None]:
# Inspect the true membership labels.
# NOTE(review): in the visible cells this name is first assigned further down
# the notebook, so this cell fails on a fresh top-to-bottom run.
target_membership

In [None]:
# Inspect the predicted membership labels (same ordering caveat as target_membership:
# the visible cells assign it only further down).
predicted_membership

In [None]:
# Put true and predicted membership side by side for inspection.
# The second column is aligned to the index created by the first assignment.
df = pd.DataFrame()
df['target'] = pd.Series(target_membership)
df['predicted'] = pd.Series(predicted_membership)

In [None]:
# Display the target / predicted comparison frame.
df

In [None]:
# Write the comparison frame to test.csv in the working directory
# (to_csv also writes the row index as the first column by default).
df.to_csv('test.csv')

In [None]:
# Manual, step-by-step version of the attack: aliases for the inputs plus
# hyperparameters.
attack_data = n_attack_data
check_membership = attack_test_data
# NOTE(review): the training loop further down hard-codes epochs=200 and
# batch_size=32 and calls define_attack_model(2), so the values below are not
# used by the visible cells.
n_hidden=50
learning_rate=0.01
batch_size=200
epochs=50
model='nn'
l2_ratio=1e-7

In [None]:
# Unpack the attack data into features, labels and class ids, then split each
# into its train (index 0) and test (index 1) part.
x, y, classes = attack_data

train_x, test_x = x[0], x[1]
train_y, test_y = y[0], y[1]
train_classes, test_classes = classes[0], classes[1]


In [None]:
# Flatten the attack test data: each component is a (member part, non-member part)
# pair that is stacked or concatenated into a single array, members first.
checkmem_prediction_vals, checkmem_membership_status, checkmem_class_status = check_membership

checkmem_prediction_vals=np.vstack(checkmem_prediction_vals)
checkmem_membership_status=np.array([item for sublist in checkmem_membership_status for item in sublist])
checkmem_class_status=np.array([item for sublist in checkmem_class_status for item in sublist])

# Position indices used to select rows per class in the training loop.
train_indices = np.arange(len(train_x))
test_indices = np.arange(len(test_x))
unique_classes = np.unique(train_classes)


# Accumulators filled by the per-class loop; re-run this cell before re-running
# the loop, otherwise results are appended to the previous run's lists.
predicted_membership, target_membership = [], []

In [None]:
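# Per-class attack: for every class label, fit a fresh membership classifier on
# the shadow-model data for that class, then predict membership for the target
# model's outputs on the same class. Results are appended to the
# target_membership / predicted_membership lists created in the previous cell.
for c in unique_classes:
    print("Class : ", c)

    # Rows of the attack train / test parts whose class id equals c.
    c_train_indices = train_indices[train_classes == c]
    c_train_x, c_train_y = train_x[c_train_indices], train_y[c_train_indices]
    c_test_indices = test_indices[test_classes == c]
    c_test_x, c_test_y = test_x[c_test_indices], test_y[c_test_indices]
    c_dataset = (c_train_x, c_train_y, c_test_x, c_test_y)  # not used below

    # Both parts are stacked and used together as the classifier's training set.
    full_cx_data = np.vstack((c_train_x, c_test_x))
    full_cy_data = np.array([item for sublist in (c_train_y, c_test_y) for item in sublist])
    # NOTE(review): presumably labels are 0/1; if a class contains only label 0,
    # to_categorical yields one column instead of two, so verify per class.
    full_cy_data = to_categorical(full_cy_data)

    classifier = define_attack_model(2)
    history = classifier.fit(full_cx_data, full_cy_data, epochs=200, batch_size=32, verbose=0)
    #classifier.save('model/attack_model_class{}'.format(c))

    # Score the target model's prediction vectors for this class.
    c_indices = np.where(checkmem_class_status == c)
    predict_y = classifier.predict(checkmem_prediction_vals[c_indices])
    print(predict_y)
    # Reuse predict_y rather than running a second, identical predict() call.
    c_pred_y = np.argmax(predict_y, axis=1)

    c_target_y = checkmem_membership_status[c_indices]

    target_membership.append(c_target_y)
    predicted_membership.append(c_pred_y)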




In [None]:
# Scratch re-run of the prediction step for a single class.
# NOTE(review): this relies on `c` and `classifier` left over from the loop cell,
# so it only covers the last class processed, and it appends to the same
# accumulators again, counting that class twice if run after the loop.
c_indices = np.where(checkmem_class_status==c)
predict_y = classifier.predict(checkmem_prediction_vals[c_indices], batch_size=32)
# Element-wise threshold, unlike the argmax used in the loop. If the classifier
# emits one column per membership label, this yields a 2-D array and not one
# label per row (TODO confirm the output shape of define_attack_model(2)).
c_pred_y = np.where(predict_y > 0.5, 1,0)
c_target_y = checkmem_membership_status[c_indices]
target_membership.append(c_target_y)
predicted_membership.append(c_pred_y)

In [None]:
# Flatten the per-class result lists into single arrays.
# Not idempotent: the names are rebound from list-of-arrays to array, so running
# this cell a second time flattens one level further (or fails on 1-D input).
target_membership=np.array([item for sublist in target_membership for item in sublist])
predicted_membership=np.array([item for sublist in predicted_membership for item in sublist])

In [None]:
# Report the confusion counts and metrics for the manual per-class attack.
# The returned metrics are not bound to names here; as the last expression of
# the cell the return value is shown as the cell output.
prety_print_result (target_membership,predicted_membership)

In [None]:
# Debug check of the stacked prediction shape (expecting one value per row).
np.vstack(predicted_membership).shape

In [None]:
# Rebuild the target / predicted comparison frame from the flattened arrays.
df = pd.DataFrame()
df['target'] = pd.Series(target_membership)
# reshape to 1-D; this only succeeds when predicted_membership holds exactly one
# value per row.
df['predicted'] = pd.Series(predicted_membership.reshape((len(predicted_membership))))

In [None]:
# Display the rebuilt comparison frame.
df

In [None]:
# Display the flattened predicted membership labels.
predicted_membership