Merged
20 commits
7b963c0
feat: add instance-based model attack to detect training data leakage…
shamykyzer Mar 27, 2026
da9ed7d
style: pre-commit fixes
pre-commit-ci[bot] Mar 27, 2026
6c10dc3
docs: clarify match fraction glossary to flag any non-zero leakage
shamykyzer May 12, 2026
6359835
refactor: name magic numbers as N_EXAMPLES and N_FEATURE_PREVIEW cons…
shamykyzer May 13, 2026
0eb5e19
Merge branch 'main' into new-attack-model
shamykyzer May 15, 2026
ffa061c
style: add type annotations to _unwrap_model
shamykyzer May 15, 2026
445a9da
refactor: tighten _unwrap_model annotations to sklearn types
shamykyzer May 18, 2026
bcb370a
Merge branch 'main' into new-attack-model
shamykyzer May 18, 2026
afc47f0
Merge branch 'main' into new-attack-model
shamykyzer May 21, 2026
ea331ab
refactor: extract INSTANCE_MATCH_ATOL constant for InstanceBasedAttack
shamykyzer May 21, 2026
a05adbc
refactor: move unwrap_model to sacroml.attacks.utils for reuse
shamykyzer May 21, 2026
a7e842f
revert: move unwrap_model to utils.py
shamykyzer May 22, 2026
1e869be
test: cover graceful-degradation paths in InstanceBasedAttack
shamykyzer May 25, 2026
b014644
style: rename test variables to match ruff pep8-naming allowlist
shamykyzer May 25, 2026
6c52949
refactor: move unwrap_model to sacroml.attacks.utils for reuse (#459)
shamykyzer May 26, 2026
f02fe5b
feat: address review feedback on InstanceBasedAttack
shamykyzer May 29, 2026
6268e39
Merge remote-tracking branch 'origin/main' into new-attack-model
shamykyzer May 29, 2026
ca71239
style: satisfy pydocstringformatter on test docstring
shamykyzer May 29, 2026
048f499
fix: reindex record-level results by training record in InstanceBased…
JessUWE Jun 16, 2026
a0c25cd
Merge branch 'main' into new-attack-model
JessUWE Jun 17, 2026
5 changes: 5 additions & 0 deletions CHANGELOG.md
@@ -18,12 +18,17 @@ Changes:
(multi-section, as produced when individual attacks append to the same file)
and any subdirectory-per-attack layout. Registered in the attack factory as
`"meta"`.
* Refactor: Name `InstanceBasedAttack`'s default floating-point matching tolerance as the module-level constant `INSTANCE_MATCH_ATOL = 1e-8` ([#454](https://github.com/AI-SDC/SACRO-ML/issues/454)). `StructuralAttack` is intentionally not changed because it uses exact `np.unique` equality on deterministic `predict_proba` outputs and does not need a tolerance.
* Feat: `QMIAAttack`: membership inference attack via quantile regression (Bertran et al.,
NeurIPS 2023, arXiv:2307.03694). Trains a histogram-based quantile regressor
(`HistGradientBoostingRegressor`) on non-member hinge scores to learn per-sample
membership thresholds. A sample is predicted as a member when its observed score
exceeds the predicted threshold at quantile level (1 - alpha). No shadow models or
architecture knowledge required. Registered in the attack factory as `"qmia"`.
* Refactor: move `unwrap_model` from `InstanceBasedAttack` to `sacroml.attacks.utils`
so it can be reused by other attacks that need to split a scikit-learn `Pipeline`
into its final estimator and preprocessing stages
([#455](https://github.com/AI-SDC/SACRO-ML/issues/455)).
* Fix: `StructuralAttack` now respects the `report_individual` flag. Per-record
`record_level_results` and `attack_metrics["individual"]` are only populated when the
flag is set to `True`, matching the behaviour of `LIRAAttack` and `QMIAAttack`.
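Review bot: the `INSTANCE_MATCH_ATOL` entry is one unwrapped line while every neighbouring entry wraps at roughly 90 columns; wrap it to match, and consider placing it next to the `unwrap_model` entry so the two `InstanceBasedAttack` refactors sit together instead of on either side of the `QMIAAttack` feature entry. Neither entry announces `InstanceBasedAttack` itself; if that entry is not in the collapsed part of the file, add one in the same shape as the `"meta"` and `"qmia"` entries (what it detects, what it requires, and `Registered in the attack factory as "instance_based"`), since the factory change in this PR registers the attack under that key.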
2 changes: 2 additions & 0 deletions sacroml/attacks/factory.py
Original file line number Diff line number Diff line change
@@ -6,6 +6,7 @@

from sacroml.attacks.attack import Attack
from sacroml.attacks.attribute_attack import AttributeAttack
from sacroml.attacks.instance_based_attack import InstanceBasedAttack
from sacroml.attacks.likelihood_attack import LIRAAttack
from sacroml.attacks.meta_attack import MetaAttack
from sacroml.attacks.qmia_attack import QMIAAttack
@@ -19,6 +20,7 @@

registry: dict[str, type[Attack]] = {
"attribute": AttributeAttack,
"instance_based": InstanceBasedAttack,
"lira": LIRAAttack,
"meta": MetaAttack,
"qmia": QMIAAttack,
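Review bot: `"instance_based"` is the only key in this registry containing an underscore; the others are single words. That is acceptable, but the string users type in configs or on the CLI must match it exactly, so make sure the CHANGELOG entry and any documentation for this attack spell the key as `"instance_based"`; a hyphenated or concatenated variant would not resolve in this `registry` lookup.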