This is the official implementation for the paper: Quantifying Privacy Risks of Prompts in Visual Prompt Learning.

Cite

@inproceedings{WWBBHSZ24,
author = {Yixin Wu and Rui Wen and Michael Backes and Pascal Berrang and Mathias Humbert and Yun Shen and Yang Zhang},
title = {{Quantifying Privacy Risks of Prompts in Visual Prompt Learning}},
booktitle = {{USENIX Security Symposium (USENIX Security)}},
publisher = {USENIX},
year = {2024}
}

Dataset Download

1. AFAD
2. CelebA
3. UTKFace

Env

conda env create -f prompt_leak_env.yaml
conda activate prompt_leak_env

Training prompt for property inference attack

python target/pia_target_train_mix.py --dataset cifar10 --prompt_type target --model resnet18 --size 500 --trial 200 --seed 0 
python target/pia_target_train_mix.py --dataset celeba --prompt_type target --model resnet18 --epochs 50 --size 500  --male_prop 0.7 --young_prop 0.7 --trial 50 --seed 0 
python target/pia_target_train_mix.py --dataset utkface --prompt_type target --model resnet18 --epochs 50 --size 500  --male_prop 0.7 --young_prop 0.7 --trial 50 --seed 0 
python target/pia_target_train_mix.py --dataset afad --prompt_type target --model resnet18 --epochs 50 --size 2000  --male_prop 0.7 --young_prop 0.0 --trial 50 --seed 0 

Property inference attack

python pia/property_inference.py --targeted_label Male --target_dataset celeba --shadow_dataset celeba --shadow_model resnet18 --target_model resnet18 --class_size 200 
python pia/property_inference.py --targeted_label Young --target_dataset celeba --shadow_dataset celeba --shadow_model resnet18 --target_model resnet18 --class_size 200 
python pia/property_inference.py --targeted_label size --target_dataset celeba --shadow_dataset celeba --shadow_model resnet18 --target_model resnet18 --class_size 200 

python pia/property_inference.py --targeted_label size --target_dataset cifar10 --shadow_dataset cifar10 --shadow_model resnet18 --target_model resnet18 --class_size 200 

Training prompt for membership inference attack

# models = ['bit_m_rn50', 'vit_b_16', 'resnet18']
python target/mia_target_train.py --epochs 1000 --size 2000 --prompt_type target --dataset cifar10 --model vit_b_16
python target/mia_target_train.py --epochs 1000 --size 2000 --prompt_type shadow --dataset cifar10 --model vit_b_16

python target/mia_target_train.py --epochs 1000 --size 2000 --prompt_type target --dataset celeba --model vit_b_16
python target/mia_target_train.py --epochs 1000 --size 2000 --prompt_type shadow --dataset celaba --model vit_b_16

Membership inference attack

# generate attack features
python mia/gather_all_info.py --dataset cifar10 --frozen_model vit_b_16 --size 2000
python mia/gather_all_info.py --dataset afad --frozen_model vit_b_16 --size 2000
python mia/gather_all_info.py --dataset utkface --frozen_model vit_b_16 --size 2000
python mia/gather_all_info.py --dataset celeba --frozen_model vit_b_16 --size 2000

# metric-based attacks
python mia/membership_inference_metric.py  --shadow_dataset cifar10  --target_dataset cifar10 --shadow_model vit_b_16 --target_model vit_b_16 --size 2000 --prompt_epoch 1000

# white-box attacks
python mia/membership_inference.py  --shadow_dataset cifar10  --target_dataset cifar10 --shadow_model vit_b_16 --target_model vit_b_16 --size 2000 --prompt_epoch 1000 --method white --lr 1e-3


# NN-based attacks
python mia/membership_inference.py  --shadow_dataset cifar10  --target_dataset cifar10 --shadow_model vit_b_16 --target_model vit_b_16 --size 2000 --prompt_epoch 1000 --method trad