Giter Site home page Giter Site logo

lycogno / mia_prune Goto Github PK

View Code? Open in Web Editor NEW

This project forked from machine-learning-security-lab/mia_prune

0.0 0.0 0.0 287 KB

Membership Inference Attacks and Defenses in Neural Network Pruning

License: MIT License

Python 41.24% Jupyter Notebook 58.76%

mia_prune's Introduction

Membership Inference Attacks and Defenses in Neural Network Pruning

This repository accompanies the paper Membership Inference Attacks and Defenses in Neural Network Pruning, accepted by USENIX Security 2022. The extended version can be found at arXiv. The repository contains the main code of membership inference attacks and defenses in neural network pruning. The code is tested on Python 3.8, Pytorch 1.8.1, and Ubuntu 18.04. GPUs are needed to accelerate neural network training and membership inference attacks.

Attack Pipeline

Background

Neural network pruning has been an essential technique to reduce the computation and memory requirements for using deep neural networks for resource-constrained devices. We investigated the membership inference attacks (MIA) and the countermeasures in neural network pruning. We proposed a membership inference attack, namely self-attention membership inference attack (SAMIA), targeted at pruned neural networks, as well as a pair-based posterior balancing (PPB) defense method.

Installation

Get the repository:

git clone https://github.com/Machine-Learning-Security-Lab/mia_prune
cd mia_prune

Install Python packages.

pip install -r requirements.txt

Create a folder for storing datasets. The data folder location can be updated in datasets.py.

mkdir -p data/datasets

Create a folder for storing the models.

mkdir results

Usage

Attacks

  1. Train an original neural network:
python pretrain.py [GPU-ID] [config_path] 
  1. Prune the model and fine-tune the model
python prune.py [GPU-ID] [config_path] --pruner_name [pruner_name] --prune_sparsity [prune_sparsity]
  1. Conduct membership inference attacks on the pruned model.
python mia.py [GPU-ID] [config_path] --pruner_name [pruner_name] --prune_sparsity [prune_sparsity] --attacks [attacks]
  1. Conduct membership inference attacks on the original model.
python mia.py [GPU-ID] [config_path] --attacks [attacks] --original

Defenses

  1. Based on an original model, prune the model and fine-tune the model with a defense method and its arguments.
python prune.py [GPU-ID] [config_path] --pruner_name [pruner_name] --prune_sparsity [prune_sparsity] 
--defend [defend] --defend_arg [defend_arg]
  1. Conduct membership inference attacks on the pruned model with defense.
python mia.py [GPU-ID] [config_path] --pruner_name [pruner_name] --prune_sparsity [prune_sparsity] --attacks [attacks]
--defend [defend] --defend_arg [defend_arg]
  1. Conduct membership inference attacks on the pruned model with defense when the attacker knows the defense (adaptive attack).
python mia.py [GPU-ID] [config_path] --pruner_name [pruner_name] --prune_sparsity [prune_sparsity] --attacks [attacks]
--defend [defend] --defend_arg [defend_arg] --adaptive

Argument options

  • config_path is the path of files in the config folder to get the information of the dataset and neural network architecture.
  • pruner_name can be l1unstructure (default), l1structure, l2structure, slim.
  • prune_sparsity can be any float values in (0, 1), default 0.7.
  • attacks can be samia (default), threshold, nn, nn_top3, nn_cls. Multiple attacks can be concatenated. E.g., --attacks samia,nn,nn_top3. threshold attack (modified from https://github.com/inspire-group/membership-inference-evaluation) performs several threshold-based attacks including
    • Ground-truth class confidence-based threshold attack (Conf).
    • Cross-entropy-based threshold attack (Xent).
    • Modified-entropy-based threshold attack (Mentr).
    • Top1 Confidence-based threshold attack (Top1-conf).
  • defend can be "" (basic defense, default), ppb (PPB defense), or adv (Adversarial Regularization). To run DP defense, please use prune_dp.py, where we use pyvacy to run DPSGD in fine-tuning.

Examples

Train a CIFAR10 model using ResNet18 model on GPU0.

python pretrain.py 0 config/cifar10_resnet18.json

Prune the model using l1unstructured pruning with sparsity level 70% (remove 70% parameters).

python prune.py 0 config/cifar10_resnet18.json --pruner_name l1unstructure --prune_sparsity 0.7

Attack the pruned model using SAMIA.

python mia.py 0 config/cifar10_resnet18.json --attacks samia

Attack the original model using SAMIA.

python mia.py 0 config/cifar10_resnet18.json --attacks samia --original

Prune the original model with PPB defense.

python prune.py 0 config/cifar10_resnet18.json --defend ppb --defend_arg 4

Attack the pruned model with defense using SAMIA.

python mia.py 0 config/cifar10_resnet18.json --attacks samia,threshold --defend ppb --defend_arg 4

Attack the pruned model with defense using SAMIA when the attacker knows the defense, e.g., adaptive attack.

python mia.py 0 config/cifar10_resnet18.json --attacks samia,threshold --defend ppb --defend_arg 4 ----adaptive

Launch multiple attacks.

python mia.py 0 config/cifar10_resnet18.json --attacks samia,nn,nn_top3

Structure

  • pretrain.py is used to train the original neural network.
  • prune.py is used to prune and fine-tune the network with and without defenses.
  • mia.py is used to conduct attacks on the pruned/original network with and without defenses.
  • config folder consists all the configuration files for various datasets and neural network architectures.
  • transformer.py consists the self-attention model used in SAMIA attack.
  • base_model.py includes the code for training, testing, and defense.

Citation

@inproceedings{yuan2022membership,
  title = {Membership Inference Attacks and Defenses in Neural Network Pruning},
  booktitle = {31st USENIX Security Symposium (USENIX Security 22)},
  author={Yuan, Xiaoyong and Zhang, Lan},
  year={2022}
}

mia_prune's People

Contributors

chbrian avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.