
Official implementation of "When Machine Unlearning Jeopardizes Privacy" (ACM CCS 2021)

License: GNU General Public License v3.0

machine-unlearning membership-inference-attack machine-learning


Unlearning-Leaks

This repository contains the implementation for When Machine Unlearning Jeopardizes Privacy (CCS 2021).

To run the code, first download the dataset, then train the target and shadow models, and finally launch the attacks described in our paper.

Requirements

conda create --name unlearningleaks python=3.9
conda activate unlearningleaks
pip3 install scikit-learn pandas opacus tqdm psutil
pip3 install torch==1.10.1+cu111 torchvision==0.11.2+cu111 torchaudio==0.10.1+cu111 -f https://download.pytorch.org/whl/cu111/torch_stable.html

Directory tree

.
├── LICENSE
├── __init__.py
├── config.py
├── data_prepare.py
├── exp.py
├── lib_unlearning
│   ├── attack.py
│   ├── construct_feature.py
│   └── record_split.py
├── main.py
├── models.py
├── parameter_parser.py
├── readme.md
├── temp_data
│   ├── attack_data
│   ├── attack_models
│   ├── dataset
│   ├── processed_dataset
│   ├── shadow_models
│   ├── split_indices
│   └── target_models
└── utils.py

Data Preparation

Toy examples

###### Step 1: Train Original and Unlearned Models ######
python main.py --exp model_train

###### Step 2: Membership Inference Attack under Different Settings ######

###### UnlearningLeaks in 'Retraining from scratch' ######
python main.py --exp mem_inf --unlearning_method scratch

###### UnlearningLeaks in 'SISA' ######
python main.py --exp model_train --unlearning_method sisa
python main.py --exp mem_inf --unlearning_method sisa

###### UnlearningLeaks in 'Multiple intermediate versions' ######
python main.py --exp mem_inf --samples_to_evaluate in_out_multi_version

###### UnlearningLeaks in 'Group Deletion' ######
python main.py --exp model_train --shadow_unlearning_num 10 --target_unlearning_num 10
python main.py --exp mem_inf --shadow_unlearning_num 10 --target_unlearning_num 10

###### UnlearningLeaks in 'Online Learning' ######
python main.py --exp model_train --samples_to_evaluate online_learning
python main.py --exp mem_inf --samples_to_evaluate online_learning

###### UnlearningLeaks against 'the remaining samples' ######
python main.py --exp mem_inf --samples_to_evaluate in_in
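
The commands above drive the full pipeline; the core attack intuition can be sketched in a few lines. The snippet below is an illustrative toy, not the repository's actual code: the synthetic posteriors, the absolute-difference feature, and the logistic-regression attack model are all assumptions made for demonstration. The idea it shows is the one from the paper: how much a sample's posterior changes between the original and the unlearned model leaks whether that sample was deleted.

```python
# Toy sketch of the posterior-difference membership inference idea.
# All data here is synthetic; the real pipeline trains shadow models instead.
import numpy as np
from sklearn.linear_model import LogisticRegression

rng = np.random.default_rng(0)
n, k = 1000, 10  # samples per class, number of output classes

def softmax(x):
    e = np.exp(x - x.max(axis=1, keepdims=True))
    return e / e.sum(axis=1, keepdims=True)

# Hypothetical posteriors: deleted (member) samples shift the model's output
# noticeably after unlearning, non-members barely change it.
orig = softmax(rng.normal(size=(2 * n, k)))
shift = np.concatenate([rng.normal(scale=1.0, size=(n, k)),    # members
                        rng.normal(scale=0.05, size=(n, k))])  # non-members
unlearned = softmax(np.log(orig + 1e-12) + shift)

# One simple feature choice: elementwise absolute posterior difference.
features = np.abs(orig - unlearned)
labels = np.r_[np.ones(n), np.zeros(n)]  # 1 = deleted sample (member)

# Attack model: a plain logistic regression stands in for the paper's
# attack classifier (trained on shadow-model data in the real setup).
attack = LogisticRegression(max_iter=1000).fit(features[::2], labels[::2])
acc = attack.score(features[1::2], labels[1::2])
print(f"attack accuracy: {acc:.2f}")
```

Even this linear attack separates members from non-members well on the toy data, because deleted samples produce systematically larger posterior differences.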

Citation

@inproceedings{chen2021unlearning,
  author    = {Min Chen and Zhikun Zhang and Tianhao Wang and Michael Backes and Mathias Humbert and Yang Zhang},
  title     = {When Machine Unlearning Jeopardizes Privacy},
  booktitle = {{ACM} {SIGSAC} Conference on Computer and Communications Security (CCS)},
  year      = {2021}
}

Related Work

[1] How to Combine Membership-Inference Attacks on Multiple Updated Models [Code]


Issues

The neg samples had exactly the same output on the original model and the unlearning model

I was testing the DT model on Adult and found that the negative samples had exactly the same output on the original model and the unlearned model, which is why the difference attack works so well. But shouldn't it be impossible for both models to produce exactly the same output for the same sample? Is there some detail I am overlooking?

This is the posterior-difference dataset used by the attack model in this project; many negative samples are duplicates whose posteriors are exactly the same.

Where is the implementation of the classical MIA in this paper?

Hi, I've checked the paper and the code thoroughly, and I cannot determine which classical MIA method you used for comparison. Could you please provide more details on the following:

  1. Does the classical MIA only determine <in,out>/<out,out> samples, i.e., the samples to unlearn?
  2. Can the classical MIA access the unlearned model, like the related work mentioned on the code page? For example, using LiRA to combine the two models?
  3. Which classical MIA approach exactly was used in the experiment?

I'm looking forward to your reply. Thanks!

It looks like some code is missing from the experiment.

I am sorry to bother you. I ran the MIA experiment, but some parts are missing. In line 345, the function _obtain_posterior() is incomplete. Could you please help to fix the error?

def _obtain_posterior(self, num_sample, num_shard, sample_name, save_path):
    pass

Some problems with the Insta-NY & Insta-LA datasets

Sorry to bother you. I've checked the paper, the related papers, and the code thoroughly, but I cannot figure out how or where to get these two datasets. The datasets were collected via the Instagram and Foursquare APIs, but I only get an invalid page now. Could you provide a URL for the datasets, or another way to download them? Thanks a lot.
