1.1.4. aijack.attack.inversion package

1.1.4.1. Subpackages

1.1.4.2. Submodules

1.1.4.3. aijack.attack.inversion.gan_attack module

class aijack.attack.inversion.gan_attack.GANAttackClientManager(*args, **kwargs)

Bases: aijack.manager.base.BaseManager

Manager class for GAN based model inversion attack (https://arxiv.org/abs/1702.07464)

attach(cls)

Wraps the given class in GANAttackClientWrapper.

Returns

a class wrapped in GANAttackClientWrapper

Return type

cls

aijack.attack.inversion.gan_attack.attach_ganattack_to_client(cls, target_label, generator, generator_optimizer, generator_criterion, nz=100, device='cpu', gan_batch_size=1, gan_epoch=1, gan_log_interval=0, ignore_first_download=False)

Wraps the given class in GANAttackClientWrapper.

Parameters
  • target_label (int) – index of target class

  • generator (torch.nn.Module) – Generator

  • generator_optimizer (torch.optim.Optimizer) – optimizer for the generator

  • generator_criterion (function) – loss function for the generator

  • nz (int) – dimension of latent space of the generator. Defaults to 100.

  • device (str, optional) – device type. Defaults to “cpu”.

  • gan_batch_size (int, optional) – batch size for training GAN. Defaults to 1.

  • gan_epoch (int, optional) – epoch for training GAN. Defaults to 1.

  • gan_log_interval (int, optional) – log interval. Defaults to 0.

  • ignore_first_download (bool, optional) – Defaults to False.

Returns

a class wrapped in GANAttackClientWrapper

Return type

cls

1.1.4.4. aijack.attack.inversion.generator_attack module

class aijack.attack.inversion.generator_attack.Generator_Attack(target_model, attacker_model, attacker_optimizer, log_interval=1, early_stopping=5, device='cpu')

Bases: aijack.attack.base_attack.BaseAttacker

attack(data_tensor)

calc_loss(dataloader, x_pos=0, y_pos=1, arbitrary_y=False)

fit(dataloader, epoch, x_pos=0, y_pos=1, arbitrary_y=False)

1.1.4.5. aijack.attack.inversion.gradientinversion module

class aijack.attack.inversion.gradientinversion.GradientInversion_Attack(target_model, x_shape, y_shape=None, optimize_label=True, gradient_ignore_pos=[], pos_of_final_fc_layer=-2, num_iteration=100, optimizer_class=<class 'torch.optim.lbfgs.LBFGS'>, optimizername=None, lossfunc=CrossEntropyLoss(), distancefunc=<function l2>, distancename=None, tv_reg_coef=0.0, lm_reg_coef=0.0, l2_reg_coef=0.0, bn_reg_coef=0.0, gc_reg_coef=0.0, bn_reg_layers=[], custom_reg_func=None, custom_reg_coef=0.0, custom_generate_fake_grad_fn=None, device='cpu', log_interval=10, save_loss=True, seed=0, group_num=5, group_seed=None, early_stopping=50, clamp_range=None, **kwargs)

Bases: aijack.attack.base_attack.BaseAttacker

General Gradient Inversion Attacker

A model inversion attack based on gradients can be written as follows:

$$x^* = \arg\min_{x'} L_{grad}(x'; W, \delta W) + R_{aux}(x')$$

where $x'$ is the reconstructed image. The attacker tries to find images whose gradients w.r.t. the given model parameters $W$ are similar to the gradients $\delta W$ of the secret images.

Attributes
  • target_model – a target torch module instance.

  • x_shape – the input shape of target_model.

  • y_shape – the output shape of target_model.

  • optimize_label – If true, only optimize images (the label will be automatically estimated).

  • pos_of_final_fc_layer – position of gradients corresponding to the final FC layer within the gradients received from the client.

  • num_iteration – number of iterations of optimization.

  • optimizer_class – a class of torch optimizer for the attack.

  • lossfunc – a function that takes the predictions of the target model and true labels and returns the loss between them.

  • distancefunc – a function which takes the gradients of reconstructed images and the client-side gradients and returns the distance between them.

  • tv_reg_coef – the coefficient of total-variation regularization.

  • lm_reg_coef – the coefficient of label-matching regularization.

  • l2_reg_coef – the coefficient of L2 regularization.

  • bn_reg_coef – the coefficient of BN regularization.

  • gc_reg_coef – the coefficient of group-consistency regularization.

  • bn_reg_layers – a list of batch normalization layers of the target model.

  • bn_reg_layer_inputs – a list of extracted inputs of the specified BN layers.

  • custom_reg_func – a custom regularization function.

  • custom_reg_coef – the coefficient of the custom regularization function.

  • device – device type.

  • log_interval – the interval of logging.

  • save_loss – If true, save the loss during the attack.

  • seed – random state.

  • group_num – the size of the group.

  • group_seed – a list of random states for each worker of the group.

  • early_stopping – early stopping

attack(received_gradients, batch_size=1, init_x=None, labels=None)

Reconstructs the images from the gradients received from the client.

Parameters
  • received_gradients – the list of gradients received from the client.

  • batch_size – batch size.

Returns

a tuple of the best reconstructed images and corresponding labels

Raises

OverflowError – If the calculated distance becomes NaN

group_attack(received_gradients, batch_size=1)

Multiple simultaneous attacks with different random states

Parameters
  • received_gradients – the list of gradients received from the client.

  • batch_size – batch size.

Returns

a tuple of the best reconstructed images and corresponding labels

reset_seed(seed)

Resets the random seed

Parameters

seed (int) – the random seed
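
For a single sample, the gradient of the final FC layer alone fixes both the label and that layer's input, which is the closed-form special case of the objective documented for GradientInversion_Attack. The block below is an added example, not AIJack code: a pure-Python leakage self-check a federated-learning client could run on its own update before sharing it, with hypothetical function names and a constructed sample.

```python
import math
import random

# Added illustration; function names are hypothetical, not AIJack API.
def client_gradients(W, b, x, label):
    """Softmax cross-entropy gradients for ONE sample through logits = W x + b."""
    logits = [sum(w * v for w, v in zip(row, x)) + bk for row, bk in zip(W, b)]
    top = max(logits)
    exps = [math.exp(z - top) for z in logits]
    total = sum(exps)
    err = [e / total - (k == label) for k, e in enumerate(exps)]  # p - y
    return [[e * v for v in x] for e in err], err  # dL/dW = (p - y) x^T, dL/db = p - y

def leakage_audit(dW, db):
    """Label and input estimate recoverable from the shared final-FC gradient."""
    label = min(range(len(db)), key=lambda k: db[k])   # true class: only negative db entry
    k = max(range(len(db)), key=lambda i: abs(db[i]))  # best-conditioned row
    return label, [g / db[k] for g in dW[k]]           # dW[k] / db[k] equals x

def clip_and_noise(dW, db, clip, sigma, rng):
    """DP-SGD style: scale the update to L2 norm <= clip, add N(0, (sigma*clip)^2)."""
    norm = math.sqrt(sum(g * g for row in dW for g in row) + sum(g * g for g in db))
    scale = min(1.0, clip / norm) if norm else 1.0
    def protect(g):
        return g * scale + rng.gauss(0.0, sigma * clip)
    return [[protect(g) for g in row] for row in dW], [protect(g) for g in db]

def rel_error(x, x_hat):
    return math.dist(x, x_hat) / math.hypot(*x)

def run_audit(seed=0):
    rng = random.Random(seed)
    # Constructed sample: 8 features in [0, 1], 4 classes, small random weights.
    x = [rng.random() for _ in range(8)]
    W = [[rng.uniform(-0.1, 0.1) for _ in range(8)] for _ in range(4)]
    b, label = [0.0] * 4, 2
    raw = client_gradients(W, b, x, label)
    settings = {"raw": (None, 0.0), "clip_only": (0.1, 0.0), "clip_and_noise": (0.1, 1.0)}
    results = {}
    for name, (clip, sigma) in settings.items():
        dW, db = raw if clip is None else clip_and_noise(*raw, clip, sigma, rng)
        est_label, x_hat = leakage_audit(dW, db)
        results[name] = (est_label, rel_error(x, x_hat))  # (inferred label, input error)
    return label, results

if __name__ == "__main__":
    print(run_audit())
```

Clipping rescales dW and db by the same factor, so their ratio (and the leak) survives; only the added noise degrades the estimate.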

1.1.4.6. aijack.attack.inversion.gradientinversion_server module

class aijack.attack.inversion.gradientinversion_server.GradientInversionAttackServerManager(*args, **kwargs)

Bases: aijack.manager.base.BaseManager

Manager class for Gradient-based model inversion attack

attach(cls)

Wraps the given class in GradientInversionServerWrapper.

Returns

GradientInversionServerWrapper

Return type

cls

aijack.attack.inversion.gradientinversion_server.attach_gradient_inversion_attack_to_server(cls, x_shape, attack_function_on_receive=<function _default_gradinent_inversion_attack_on_receive>, num_trial_per_communication=1, target_client_id=0, **gradinvattack_kwargs)

Wraps the given class in GradientInversionServerWrapper.

Parameters
  • x_shape – input shape of target_model.

  • attack_function_on_receive (function, optional) – a function to execute attack called after receiving the local gradients. Defaults to _default_gradinent_inversion_attack_on_receive.

  • num_trial_per_communication (int, optional) – number of attack trials executed per communication. Defaults to 1.

  • target_client_id (int, optional) – id of target client. Defaults to 0.

  • gradinvattack_kwargs – kwargs for GradientInversion_Attack

Returns

GradientInversionServerWrapper

Return type

cls

1.1.4.7. aijack.attack.inversion.mi_face module

class aijack.attack.inversion.mi_face.MI_FACE(target_model, input_shape=(1, 1, 64, 64), target_label=0, lam=0.01, num_itr=100, auxterm_func=<function MI_FACE.<lambda>>, process_func=<function MI_FACE.<lambda>>, apply_softmax=False, device='cpu', log_interval=1, log_show_img=False, show_img_func=<function MI_FACE.<lambda>>)

Bases: aijack.attack.base_attack.BaseAttacker

Implementation of model inversion attack. Reference: https://dl.acm.org/doi/pdf/10.1145/2810103.2813677

Attributes
  • target_model – model of the victim

  • input_shape – input shape of the target model

  • auxterm_func (function) – the default is constant function

  • process_func (function) – the default is identity function

attack(init_x=None)

Execute the model inversion attack on the target model.

Parameters
  • target_label (int) – target label

  • lam (float) – step size

  • num_itr (int) – number of iterations

Returns
  • best_img – inverted image with the best score

  • log

1.1.4.8. Module contents

Subpackage for model inversion attacks, which reconstruct private data from trained machine learning models.

class aijack.attack.inversion.DataRepExtractor(net, num_fc_layers=1, m=1, bias=True)

Bases: object

extract_datarep(dldw)

get_dldw(loss)

class aijack.attack.inversion.GANAttackClientManager(*args, **kwargs)

Bases: aijack.manager.base.BaseManager

Manager class for GAN based model inversion attack (https://arxiv.org/abs/1702.07464)

attach(cls)

Wraps the given class in GANAttackClientWrapper.

Returns

a class wrapped in GANAttackClientWrapper

Return type

cls

class aijack.attack.inversion.Generator_Attack(target_model, attacker_model, attacker_optimizer, log_interval=1, early_stopping=5, device='cpu')

Bases: aijack.attack.base_attack.BaseAttacker

attack(data_tensor)

calc_loss(dataloader, x_pos=0, y_pos=1, arbitrary_y=False)

fit(dataloader, epoch, x_pos=0, y_pos=1, arbitrary_y=False)

class aijack.attack.inversion.GradientInversionAttackServerManager(*args, **kwargs)

Bases: aijack.manager.base.BaseManager

Manager class for Gradient-based model inversion attack

attach(cls)

Wraps the given class in GradientInversionServerWrapper.

Returns

GradientInversionServerWrapper

Return type

cls

class aijack.attack.inversion.GradientInversion_Attack(target_model, x_shape, y_shape=None, optimize_label=True, gradient_ignore_pos=[], pos_of_final_fc_layer=-2, num_iteration=100, optimizer_class=<class 'torch.optim.lbfgs.LBFGS'>, optimizername=None, lossfunc=CrossEntropyLoss(), distancefunc=<function l2>, distancename=None, tv_reg_coef=0.0, lm_reg_coef=0.0, l2_reg_coef=0.0, bn_reg_coef=0.0, gc_reg_coef=0.0, bn_reg_layers=[], custom_reg_func=None, custom_reg_coef=0.0, custom_generate_fake_grad_fn=None, device='cpu', log_interval=10, save_loss=True, seed=0, group_num=5, group_seed=None, early_stopping=50, clamp_range=None, **kwargs)

Bases: aijack.attack.base_attack.BaseAttacker

General Gradient Inversion Attacker

A model inversion attack based on gradients can be written as follows:

$$x^* = \arg\min_{x'} L_{grad}(x'; W, \delta W) + R_{aux}(x')$$

where $x'$ is the reconstructed image. The attacker tries to find images whose gradients w.r.t. the given model parameters $W$ are similar to the gradients $\delta W$ of the secret images.

Attributes
  • target_model – a target torch module instance.

  • x_shape – the input shape of target_model.

  • y_shape – the output shape of target_model.

  • optimize_label – If true, only optimize images (the label will be automatically estimated).

  • pos_of_final_fc_layer – position of gradients corresponding to the final FC layer within the gradients received from the client.

  • num_iteration – number of iterations of optimization.

  • optimizer_class – a class of torch optimizer for the attack.

  • lossfunc – a function that takes the predictions of the target model and true labels and returns the loss between them.

  • distancefunc – a function which takes the gradients of reconstructed images and the client-side gradients and returns the distance between them.

  • tv_reg_coef – the coefficient of total-variation regularization.

  • lm_reg_coef – the coefficient of label-matching regularization.

  • l2_reg_coef – the coefficient of L2 regularization.

  • bn_reg_coef – the coefficient of BN regularization.

  • gc_reg_coef – the coefficient of group-consistency regularization.

  • bn_reg_layers – a list of batch normalization layers of the target model.

  • bn_reg_layer_inputs – a list of extracted inputs of the specified BN layers.

  • custom_reg_func – a custom regularization function.

  • custom_reg_coef – the coefficient of the custom regularization function.

  • device – device type.

  • log_interval – the interval of logging.

  • save_loss – If true, save the loss during the attack.

  • seed – random state.

  • group_num – the size of the group.

  • group_seed – a list of random states for each worker of the group.

  • early_stopping – early stopping

attack(received_gradients, batch_size=1, init_x=None, labels=None)

Reconstructs the images from the gradients received from the client.

Parameters
  • received_gradients – the list of gradients received from the client.

  • batch_size – batch size.

Returns

a tuple of the best reconstructed images and corresponding labels

Raises

OverflowError – If the calculated distance becomes NaN

group_attack(received_gradients, batch_size=1)

Multiple simultaneous attacks with different random states

Parameters
  • received_gradients – the list of gradients received from the client.

  • batch_size – batch size.

Returns

a tuple of the best reconstructed images and corresponding labels

reset_seed(seed)

Resets the random seed

Parameters

seed (int) – the random seed

class aijack.attack.inversion.MI_FACE(target_model, input_shape=(1, 1, 64, 64), target_label=0, lam=0.01, num_itr=100, auxterm_func=<function MI_FACE.<lambda>>, process_func=<function MI_FACE.<lambda>>, apply_softmax=False, device='cpu', log_interval=1, log_show_img=False, show_img_func=<function MI_FACE.<lambda>>)

Bases: aijack.attack.base_attack.BaseAttacker

Implementation of model inversion attack. Reference: https://dl.acm.org/doi/pdf/10.1145/2810103.2813677

Attributes
  • target_model – model of the victim

  • input_shape – input shape of the target model

  • auxterm_func (function) – the default is constant function

  • process_func (function) – the default is identity function

attack(init_x=None)

Execute the model inversion attack on the target model.

Parameters
  • target_label (int) – target label

  • lam (float) – step size

  • num_itr (int) – number of iterations

Returns
  • best_img – inverted image with the best score

  • log

aijack.attack.inversion.attach_ganattack_to_client(cls, target_label, generator, generator_optimizer, generator_criterion, nz=100, device='cpu', gan_batch_size=1, gan_epoch=1, gan_log_interval=0, ignore_first_download=False)

Wraps the given class in GANAttackClientWrapper.

Parameters
  • target_label (int) – index of target class

  • generator (torch.nn.Module) – Generator

  • generator_optimizer (torch.optim.Optimizer) – optimizer for the generator

  • generator_criterion (function) – loss function for the generator

  • nz (int) – dimension of latent space of the generator. Defaults to 100.

  • device (str, optional) – device type. Defaults to “cpu”.

  • gan_batch_size (int, optional) – batch size for training GAN. Defaults to 1.

  • gan_epoch (int, optional) – epoch for training GAN. Defaults to 1.

  • gan_log_interval (int, optional) – log interval. Defaults to 0.

  • ignore_first_download (bool, optional) – Defaults to False.

Returns

a class wrapped in GANAttackClientWrapper

Return type

cls

aijack.attack.inversion.attach_gradient_inversion_attack_to_server(cls, x_shape, attack_function_on_receive=<function _default_gradinent_inversion_attack_on_receive>, num_trial_per_communication=1, target_client_id=0, **gradinvattack_kwargs)

Wraps the given class in GradientInversionServerWrapper.

Parameters
  • x_shape – input shape of target_model.

  • attack_function_on_receive (function, optional) – a function to execute attack called after receiving the local gradients. Defaults to _default_gradinent_inversion_attack_on_receive.

  • num_trial_per_communication (int, optional) – number of attack trials executed per communication. Defaults to 1.

  • target_client_id (int, optional) – id of target client. Defaults to 0.

  • gradinvattack_kwargs – kwargs for GradientInversion_Attack

Returns

GradientInversionServerWrapper

Return type

cls