aaba0f594c642f2ee5dd46306142ea70cd3fd9a5,tests/attacks/inference/test_attribute_inference.py,,test_black_box_with_model,#Any#Any#,92

Before Change

def test_black_box_with_model(tabular_dl_estimator, get_iris_dataset):
    classifier_list = tabular_dl_estimator(AttributeInferenceBlackBox)
    if not classifier_list:
        logging.warning("Couldn"t perform  this test because no classifier is defined")
        return

    attack_feature = 2  // petal length

    // need to transform attacked feature into categorical
    def transform_feature(x):
        x[x > 0.5] = 2.0
        x[(x > 0.2) & (x <= 0.5)] = 1.0
        x[x <= 0.2] = 0.0

    values = [0.0, 1.0, 2.0]

    (x_train_iris, y_train_iris), (x_test_iris, y_test_iris) = get_iris_dataset
    // training data without attacked feature
    x_train_for_attack = np.delete(x_train_iris, attack_feature, 1)
    // only attacked feature
    x_train_feature = x_train_iris[:, attack_feature].copy().reshape(-1, 1)
    transform_feature(x_train_feature)
    // training data with attacked feature (after transformation)
    x_train = np.concatenate((x_train_for_attack[:, :attack_feature], x_train_feature), axis=1)
    x_train = np.concatenate((x_train, x_train_for_attack[:, attack_feature:]), axis=1)

    // test data without attacked feature
    x_test_for_attack = np.delete(x_test_iris, attack_feature, 1)
    // only attacked feature
    x_test_feature = x_test_iris[:, attack_feature].copy().reshape(-1, 1)
    transform_feature(x_test_feature)

    model = nn.Linear(4, 3)

    // Define a loss function and optimizer
    loss_fn = nn.CrossEntropyLoss()
    optimizer = optim.Adam(model.parameters(), lr=0.01)
    attack_model = PyTorchClassifier(
        model=model, clip_values=(0, 1), loss=loss_fn, optimizer=optimizer, input_shape=(4,), nb_classes=3
    )

    for classifier in classifier_list:
        if type(classifier).__name__ == "ScikitlearnDecisionTreeClassifier":
            attack = AttributeInferenceBlackBox(classifier, attack_model=attack_model, attack_feature=attack_feature)
            // get original model"s predictions
            x_train_predictions = np.array([np.argmax(arr) for arr in classifier.predict(x_train_iris)]).reshape(-1, 1)
            x_test_predictions = np.array([np.argmax(arr) for arr in classifier.predict(x_test_iris)]).reshape(-1, 1)
            // train attack model
            attack.fit(x_train)
            // infer attacked feature
            inferred_train = attack.infer(x_train_for_attack, x_train_predictions, values=values)
            inferred_test = attack.infer(x_test_for_attack, x_test_predictions, values=values)
            // check accuracy
            train_acc = np.sum(inferred_train == x_train_feature.reshape(1, -1)) / len(inferred_train)
            test_acc = np.sum(inferred_test == x_test_feature.reshape(1, -1)) / len(inferred_test)
            // assert train_acc == pytest.approx(0.5523, abs=0.03)
            // assert test_acc == pytest.approx(0.5777, abs=0.03)


def test_white_box(tabular_dl_estimator, get_iris_dataset):
    classifier_list = tabular_dl_estimator(AttributeInferenceWhiteBoxDecisionTree)
    if not classifier_list:
        logging.warning("Couldn"t perform  this test because no classifier is defined")

After Change

def test_black_box_with_model(decision_tree_estimator, get_iris_dataset):
    try:
        attack_feature = 2  // petal length

        // need to transform attacked feature into categorical
        def transform_feature(x):
            x[x > 0.5] = 2.0
            x[(x > 0.2) & (x <= 0.5)] = 1.0
            x[x <= 0.2] = 0.0

        values = [0.0, 1.0, 2.0]

        (x_train_iris, y_train_iris), (x_test_iris, y_test_iris) = get_iris_dataset
        // training data without attacked feature
        x_train_for_attack = np.delete(x_train_iris, attack_feature, 1)
        // only attacked feature
        x_train_feature = x_train_iris[:, attack_feature].copy().reshape(-1, 1)
        transform_feature(x_train_feature)
        // training data with attacked feature (after transformation)
        x_train = np.concatenate((x_train_for_attack[:, :attack_feature], x_train_feature), axis=1)
        x_train = np.concatenate((x_train, x_train_for_attack[:, attack_feature:]), axis=1)

        // test data without attacked feature
        x_test_for_attack = np.delete(x_test_iris, attack_feature, 1)
        // only attacked feature
        x_test_feature = x_test_iris[:, attack_feature].copy().reshape(-1, 1)
        transform_feature(x_test_feature)

        model = nn.Linear(4, 3)

        // Define a loss function and optimizer
        loss_fn = nn.CrossEntropyLoss()
        optimizer = optim.Adam(model.parameters(), lr=0.01)
        attack_model = PyTorchClassifier(
            model=model, clip_values=(0, 1), loss=loss_fn, optimizer=optimizer, input_shape=(4,), nb_classes=3
        )

        classifier = decision_tree_estimator()

        attack = AttributeInferenceBlackBox(classifier, attack_model=attack_model, attack_feature=attack_feature)
        // get original model"s predictions
        x_train_predictions = np.array([np.argmax(arr) for arr in classifier.predict(x_train_iris)]).reshape(-1, 1)
        x_test_predictions = np.array([np.argmax(arr) for arr in classifier.predict(x_test_iris)]).reshape(-1, 1)
        // train attack model
        attack.fit(x_train)
        // infer attacked feature
        inferred_train = attack.infer(x_train_for_attack, x_train_predictions, values=values)
        inferred_test = attack.infer(x_test_for_attack, x_test_predictions, values=values)
        // check accuracy
        train_acc = np.sum(inferred_train == x_train_feature.reshape(1, -1)) / len(inferred_train)
        test_acc = np.sum(inferred_test == x_test_feature.reshape(1, -1)) / len(inferred_test)
        // assert train_acc == pytest.approx(0.5523, abs=0.03)
        // assert test_acc == pytest.approx(0.5777, abs=0.03)
    except ARTTestException as e:
        add_warning(e)


def test_white_box(decision_tree_estimator, get_iris_dataset):
    try:
        attack_feature = 2  // petal length
        values = [0.14, 0.42, 0.71]  // rounded down

Instances