iamgroot42 / MIA_defense_HAMP

Code for the paper "Overconfidence is a Dangerous Thing: Mitigating Membership Inference Attacks by Enforcing Less Confident Prediction" in NDSS'24.

MIA defense - HAMP

Getting started

Download the data and trained models for each dataset: [Purchase] [Texas] [Cifar100] [Cifar10] [Location]

unzip purchase-data.zip -d ./purchase
unzip texas-data.zip -d ./texas
unzip cifar100-data.zip -d ./cifar100
unzip cifar10-data.zip -d ./cifar10
unzip location-data.zip -d ./location

Install the dependencies.

# We install the GPU build of torch 1.12.0 for CUDA 11.6 (cu116); change the version tag to match your driver/CUDA version
pip install torch==1.12.0+cu116 torchvision==0.13.0+cu116 torchaudio==0.12.0 --extra-index-url https://download.pytorch.org/whl/cu116
# "scikit-learn" is the PyPI package name; the old "sklearn" placeholder package is deprecated and fails to install
pip install pandas scikit-learn scipy==1.7 tensorflow==2.10.0 rdt==0.6.4 tqdm numba matplotlib

Performing Membership Inference

Go to each dataset directory and run atk.sh &> R-atk, which evaluates each model with multiple score-based attacks (except LiRA, which is executed separately because it needs to train multiple shadow models). We use different tags to differentiate the defenses (e.g., undefended means the undefended model, ls means label smoothing).

The output reports the model accuracy, the attack true positive rate (TPR) @ 0.1% false positive rate (FPR), as well as true negative rate (TNR) @ 0.1% false negative rate (FNR).

We exclude the label-only attacks (e.g., the boundary-based attack) because they are unsuccessful when evaluated in the low false positive/negative rate regime.
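The two numbers reported above, TPR @ 0.1% FPR and TNR @ 0.1% FNR, are computed by fixing a threshold on the attack's per-sample membership score so that the error budget is met, then measuring the complementary rate. The following is an added example, not code from the HAMP repository; it assumes a score where larger means "more likely a training member", and the member/non-member score lists are constructed integers standing in for real attack output.

```python
"""Low-FPR / low-FNR membership inference metrics (added example, not repo code)."""
import math
from typing import Sequence


def tpr_at_fpr(member: Sequence[float], nonmember: Sequence[float], fpr: float) -> float:
    """Largest TPR reachable while flagging at most `fpr` of the non-members.

    A sample is flagged as a member when score > t.  Sorting non-member
    scores descending and taking t as the (k+1)-th largest, k = floor(fpr*n),
    guarantees at most k non-members score strictly above t, even with ties.
    """
    ranked = sorted(nonmember, reverse=True)
    k = math.floor(fpr * len(ranked) + 1e-9)  # epsilon guards 0.001*1000 != 1.0
    t = ranked[k] if k < len(ranked) else -math.inf
    return sum(1 for s in member if s > t) / len(member)


def tnr_at_fnr(member: Sequence[float], nonmember: Sequence[float], fnr: float) -> float:
    """Largest TNR reachable while missing at most `fnr` of the members.

    Mirror image of tpr_at_fpr: a sample is declared a non-member when
    score < t, with t taken from the ascending member scores so that at most
    k = floor(fnr*n) members fall strictly below it.
    """
    ranked = sorted(member)
    k = math.floor(fnr * len(ranked) + 1e-9)
    t = ranked[k] if k < len(ranked) else math.inf
    return sum(1 for s in nonmember if s < t) / len(nonmember)


def evaluate(member: Sequence[float], nonmember: Sequence[float], rate: float = 0.001) -> dict:
    """Both metrics at the same budget (0.1% by default, as in the README)."""
    return {"tpr@fpr": tpr_at_fpr(member, nonmember, rate),
            "tnr@fnr": tnr_at_fnr(member, nonmember, rate)}


# Constructed scores (not real attack output).  The undefended model's members
# score well above non-members; the HAMP-like model's members overlap heavily
# with non-members because its predictions are deliberately less confident.
NONMEMBER = list(range(1000))                        # 0 .. 999
UNDEFENDED_MEMBER = [500 + i for i in range(1000)]   # 500 .. 1499
DEFENDED_MEMBER = [20 + i for i in range(1000)]      # 20 .. 1019

if __name__ == "__main__":
    for name, members in [("undefended", UNDEFENDED_MEMBER), ("hamp-like", DEFENDED_MEMBER)]:
        print(name, evaluate(members, NONMEMBER))
```

When member and non-member scores come from the same distribution, TPR at a given FPR collapses to the FPR itself (random guessing), which is the floor a defense is trying to approach.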

Evaluating the Likelihood-ratio attack (LiRA)

Go to each dataset directory and run lira-[defense_name].sh, e.g., lira-hamp.sh &> R-lira-hamp. This trains 128 shadow models for each defense.

Please be aware that shadow model training is a very time-consuming process, and some of the defense techniques (e.g., SELENA) are particularly so. You can consider the following options to accelerate the evaluation process:

  1. Distribute the training across multiple GPUs.
  2. Reduce the number of shadow models (default 128).

Pre-trained shadow models

We provide pre-trained shadow models for HAMP on the CIFAR10 and CIFAR100 datasets for a speedy evaluation (download here). In this case, you only need to compute the logits from these shadow models and then run the inference step.

Each folder (cifar10 or cifar100) contains two sub-folders: shadow-hamp-trainSize-25000-fullMember, which contains the 128 shadow models, and lira-hamp-fullMember-25000, which contains the indices of the shadow training data for each model (used to identify the member and non-member samples of each shadow model).

Place these two folders in the respective dataset directory, remove the shadow-training step by deleting the python lira-train-hamp.py ... line in lira-hamp.sh, and then run the modified script to perform the evaluation.

Training the model from scratch

Run ./train-all.sh in each dataset directory.

Citation

If you find this code useful, please consider citing our paper:

@inproceedings{chen2023overconfidence,
  title={Overconfidence is a Dangerous Thing: Mitigating Membership Inference Attacks by Enforcing Less Confident Prediction},
  author={Chen, Zitao and Pattabiraman, Karthik},
  booktitle={Network and Distributed System Security (NDSS) Symposium},
  year={2024}
}
