API

Estimators

Scikit-like estimators for the attack model and shadow models.

class mia.estimators.AttackModelBundle(model_fn, num_classes, serializer=None, class_one_hot_coded=True)

A bundle of attack models, one for each target model class.

Parameters:
  • model_fn – Function that builds a new shadow model
  • num_classes – Number of classes
  • serializer (ModelSerializer) – Serializer for the models. If not None, the models will not be kept in memory, but loaded and saved when needed.
  • class_one_hot_coded – Whether the shadow data uses one-hot encoded class labels.
fit(X, y, verbose=False, fit_kwargs=None)

Train the attack models.

Parameters:
  • X – Shadow predictions coming from ShadowModelBundle.fit_transform().
  • y – Membership labels coming from the same ShadowModelBundle.fit_transform() call.
  • verbose – Whether to display the progressbar
  • fit_kwargs – Arguments that will be passed to the fit call for each attack model.
class mia.estimators.ShadowModelBundle(model_fn, shadow_dataset_size, num_models=20, seed=42, serializer=None)

A bundle of shadow models.

Parameters:
  • model_fn – Function that builds a new shadow model
  • shadow_dataset_size – Size of the training data for each shadow model
  • num_models – Number of shadow models
  • seed – Random seed
  • serializer (ModelSerializer) – Serializer for the models. If None, the shadow models will be stored in memory. Otherwise, loaded and saved when needed.
fit_transform(X, y, verbose=False, fit_kwargs=None)

Train the shadow models and get a dataset for training the attack.

Parameters:
  • X – Data coming from the same distribution as the target training data
  • y – Data labels
  • verbose (bool) – Whether to display the progressbar
  • fit_kwargs (dict) – Arguments that will be passed to the fit call for each shadow model.

Note

Be careful when holding out some of the passed data for validation (e.g., with Keras, passing fit_kwargs=dict(validation_split=0.7)). Such data will be marked as “used in training” even though it was only used for validation, which may decrease the success of the attack.

mia.estimators.prepare_attack_data(model, data_in, data_out)

Prepare the data in the attack model format.

Parameters:
  • model – Classifier
  • data_in ((X, y)) – Data used for training
  • data_out ((X, y)) – Data not used for training
Returns:

(X, y) for the attack classifier
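The data flow that prepare_attack_data(), ShadowModelBundle.fit_transform() and the per-class training in AttackModelBundle.fit() share, as an added numpy illustration; this is not the library's own code. The toy shadow model, the function names, the two-blob dataset and the exact column layout of the attack data (confidence vector followed by the one-hot class label) are assumptions made for this example.

```python
import numpy as np

class SoftNearestNeighbour:
    """Toy shadow model (constructed for this example): confidence for class c is
    softmax(-d_c), d_c being the squared distance to the nearest training point of
    class c; a training point has d == 0 on its own class, so membership leaks."""
    def __init__(self, num_classes):
        self.num_classes = num_classes
    def fit(self, X, y):  # y is one-hot, as the mia estimators assume by default
        self.X_, self.y_ = np.asarray(X, float), np.asarray(y).argmax(1)
        return self
    def predict_proba(self, X):
        X, d = np.asarray(X, float), np.full((len(X), self.num_classes), np.inf)
        for c in range(self.num_classes):
            Xc = self.X_[self.y_ == c]
            if len(Xc):
                d[:, c] = ((X[:, None, :] - Xc[None, :, :]) ** 2).sum(-1).min(1)
        scores = np.exp(-d)
        return scores / scores.sum(1, keepdims=True)

def prepare_attack_data(model, data_in, data_out):
    """Rows: [confidence vector | one-hot class]; membership label 1 = in, 0 = out."""
    (X_in, y_in), (X_out, y_out) = data_in, data_out
    feats = np.vstack([model.predict_proba(X_in), model.predict_proba(X_out)])
    members = np.concatenate([np.ones(len(X_in)), np.zeros(len(X_out))])
    return np.hstack([feats, np.vstack([y_in, y_out])]), members

def shadow_fit_transform(model_fn, X, y, shadow_dataset_size, num_models, seed=42):
    """Train each shadow model on a random 'in' sample, hold a disjoint equal-size
    'out' sample, and stack the attack data of all shadow models."""
    rng, parts = np.random.RandomState(seed), []
    for _ in range(num_models):
        idx = rng.choice(len(X), 2 * shadow_dataset_size, replace=False)
        i_in, i_out = idx[:shadow_dataset_size], idx[shadow_dataset_size:]
        shadow = model_fn().fit(X[i_in], y[i_in])
        parts.append(prepare_attack_data(shadow, (X[i_in], y[i_in]), (X[i_out], y[i_out])))
    Xs, ys = zip(*parts)
    return np.vstack(Xs), np.concatenate(ys)

def split_by_class(X_attack, y_attack, num_classes):
    """Per-class attack sets: one attack model per target class is fit on the
    confidence columns; the one-hot columns are used only for routing."""
    feats, cls = X_attack[:, :-num_classes], X_attack[:, -num_classes:].argmax(1)
    return {c: (feats[cls == c], y_attack[cls == c]) for c in range(num_classes)}

def make_constructed_data(n_per_class, seed=0):
    """Two overlapping 2-D Gaussian blobs with one-hot labels (constructed input)."""
    rng = np.random.RandomState(seed)
    X = np.vstack([rng.normal(0, 1, (n_per_class, 2)), rng.normal(2, 1, (n_per_class, 2))])
    return X, np.eye(2)[np.repeat([0, 1], n_per_class)]
```

Every row a shadow model trained on gets its true class as the top confidence, which is the overfitting signal the per-class attack models learn to separate from the 'out' rows.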

Serialization

class mia.serialization.BaseModelSerializer(model_fn, prefix='.', *args, **kwargs)

ABC class for a model serializer.

Parameters:
  • model_fn – Function that builds a new model
  • prefix – Path to the directory where models will be saved.
__metaclass__

alias of abc.ABCMeta

get_model_path(model_id)

Get the path to the model with given ID.

Wrappers

class mia.wrappers.ExpLrScheduler(init_lr=0.001, decay_factor=0.1, lr_decay_every_epochs=7, verbose=False)

Decay the learning rate by decay_factor every lr_decay_every_epochs epochs.

Based on https://discuss.pytorch.org/t/fine-tuning-squeezenet/3855/7

__call__(optimizer, epoch)

Call self as a function: apply the schedule to the optimizer's learning rate for the given epoch.

class mia.wrappers.TorchWrapper(module, criterion, optimizer, module_params=None, optimizer_params=None, lr_scheduler=None, enable_cuda=True, serializer=None)

Simplified Keras/sklearn-like wrapper for a torch module.

We know there’s skorch, but it was a pain to debug.

Parameters:
  • module – Torch module class
  • criterion – Criterion class
  • optimizer – Optimizer class
  • module_params (dict) – Parameters to pass to the module on initialization.
  • optimizer_params (dict) – Parameters to pass to the optimizer on initialization.
  • lr_scheduler – Learning rate scheduler
  • enable_cuda – Whether to use CUDA
  • serializer (ModelSerializer) – Model serializer to save the best model.
fit(X, y=None, batch_size=32, epochs=20, shuffle=True, validation_split=None, validation_data=None, verbose=False)

Fit a torch classifier.

Parameters:
  • X (numpy.ndarray or torch.Tensor) – Dataset
  • y – Labels
  • batch_size – Batch size
  • epochs – Number of epochs to run the training
  • shuffle – Whether to shuffle the dataset
  • validation_split – Ratio of data to use for training, e.g., 0.7
  • validation_data – Explicit validation dataset, used when validation_split is not specified.
  • verbose – Whether to output the progress report.

TODO: Add custom metrics.

fit_step(batch, phase='train')

Run a single training step.

Parameters:
  • batch – A tuple of numpy batch examples and labels
  • phase – Phase, one of [‘train’, ‘val’]. In the ‘val’ phase the model parameters are not updated.
predict(X, batch_size=32)

Get the confidence vector for an evaluation of a trained model.

Parameters:
  • X – Data
  • batch_size – Batch size
predict_proba(X, batch_size=32)

Get the confidence vector for an evaluation of a trained model.

Parameters:
  • X – Data
  • batch_size – Batch size

TODO: Fix in case this is not one-hot.

class mia.wrappers.TorchWrapperSerializer(model_fn, prefix, verbose=False)

Torch wrapper serializer.