RIME Adversarial

Attacks

Attack algorithms for tabular models.

class rime.tabular.attacks.TabularRandomizedAttack(black_box: BlackBoxModel, target_score: float, max_queries: int, columns: List[Column], custom_perturb_pct: Optional[Dict[str, float]] = None, default_perturb_pct: float = 1.0, max_unsuccessful_iters: Optional[int] = None, epsilon_ball: Optional[EpsilonBall] = None, **kwargs: Any)

Attack algorithm that randomly perturbs a subset of features each iteration.

__init__(black_box: BlackBoxModel, target_score: float, max_queries: int, columns: List[Column], custom_perturb_pct: Optional[Dict[str, float]] = None, default_perturb_pct: float = 1.0, max_unsuccessful_iters: Optional[int] = None, epsilon_ball: Optional[EpsilonBall] = None, **kwargs: Any)

Initialize the algorithm.

Parameters:
  • black_box – Model to attack.

  • target_score – Upper bound on the score (loss) of examples considered to be successfully adversarial.

  • max_queries – Maximum number of queries that may be made to the model.

  • columns – List of column objects from profiler.

  • custom_perturb_pct – Mapping of feature name to probability of perturbing that feature. Can be used to focus more or less on certain features. Defaults to None.

  • default_perturb_pct – Default perturbation percent to use for each feature not specified in custom_perturb_pct mapping. Defaults to 1.

  • max_unsuccessful_iters – If an integer is passed, stop attack after this number of unsuccessful iterations. Defaults to None.

  • epsilon_ball – Epsilon ball to use to restrict changes. Will sample from inside this ball. Defaults to None.

class rime.tabular.attacks.TabularCombinationAttack(black_box: BlackBoxModel, target_score: float, max_queries: float, columns: List[Column], subset_sizes: Union[int, List[int]] = 1, search_count: int = 10, max_unsuccessful_iters: Optional[int] = None, column_names_to_ignore: Optional[Set[str]] = None, epsilon_ball: Optional[ColumnRangeEpsilonBall] = None, **kwargs: Any)

Attack which greedily searches over combinations of features.

__init__(black_box: BlackBoxModel, target_score: float, max_queries: float, columns: List[Column], subset_sizes: Union[int, List[int]] = 1, search_count: int = 10, max_unsuccessful_iters: Optional[int] = None, column_names_to_ignore: Optional[Set[str]] = None, epsilon_ball: Optional[ColumnRangeEpsilonBall] = None, **kwargs: Any)

Initialize the algorithm.

Parameters:
  • black_box – Model to attack.

  • target_score – Upper bound on the score (loss) of examples considered to be successfully adversarial.

  • max_queries – Maximum number of queries that may be made to the model.

  • columns – List of column objects from profiler.

  • subset_sizes – List of feature subset sizes to consider. Can either be specified as an integer n, in which case subset sizes of 1 through n are considered, or a specific list of subset sizes. Defaults to 1.

  • search_count – The number of perturbed values to consider for each column on each iteration. Defaults to 10.

  • max_unsuccessful_iters – The maximum number of iterations to proceed without improvement. Defaults to None.

  • column_names_to_ignore – Names of columns to ignore, i.e. columns the attack will not attempt to perturb. Defaults to None.

  • epsilon_ball – Epsilon ball to use to restrict changes. Will make perturbations to the extrema of the ranges. Defaults to None.

class rime.tabular.attacks.TabularExhaustiveGreedyAttack(black_box: BlackBoxModel, target_score: float, max_queries: int, columns: List[Column], perturbation_threshold: float = 0.1, **kwargs: Any)

Greedy attack algorithm that exhaustively attacks each feature.

__init__(black_box: BlackBoxModel, target_score: float, max_queries: int, columns: List[Column], perturbation_threshold: float = 0.1, **kwargs: Any)

Initialize the algorithm.

Parameters:
  • black_box – Model to attack.

  • target_score – Upper bound on the score (loss) of examples considered to be successfully adversarial.

  • max_queries – Maximum number of queries that may be made to the model.

  • columns – List of column objects from profiler.

  • perturbation_threshold – When trying to exhaustively perturb a feature, will keep on going while change in score is greater than this threshold. Defaults to 0.1.

  • **kwargs – Same as arguments to TabularGreedyAttack.

class rime.tabular.attacks.TabularGreedyAttack(black_box: BlackBoxModel, target_score: float, max_queries: int, columns: List[Column], skip_categoricals: bool = False, num_features_per_round: int = 3, custom_perturb_pct: Optional[Dict[str, float]] = None, default_perturb_pct: float = 1.0, early_stop_threshold: float = inf, **kwargs: Any)

Greedy attack algorithm that samples perturbations for each column.

__init__(black_box: BlackBoxModel, target_score: float, max_queries: int, columns: List[Column], skip_categoricals: bool = False, num_features_per_round: int = 3, custom_perturb_pct: Optional[Dict[str, float]] = None, default_perturb_pct: float = 1.0, early_stop_threshold: float = inf, **kwargs: Any)

Initialize the algorithm.

Parameters:
  • black_box – Model to attack.

  • target_score – Upper bound on the score (loss) of examples considered to be successfully adversarial.

  • max_queries – Maximum number of queries that may be made to the model.

  • columns – List of column objects from profiler.

  • skip_categoricals – Whether to skip categorical columns or not. Defaults to False.

  • num_features_per_round – Number of features to perturb per iteration. Defaults to 3.

  • custom_perturb_pct – Mapping of feature name to probability of perturbing that feature. Can be used to focus more or less on certain features. Defaults to None.

  • default_perturb_pct – Default perturbation percent to use for each feature not specified in custom_perturb_pct mapping. Defaults to 1.

  • early_stop_threshold – Stop adding more perturbations in this round if initial perturbation is greater than this. Defaults to np.inf.

class rime.tabular.attacks.TabularNoiseRemoval(base_attack: TabularIterativeAttack, repeat: int = 1, target_score: Optional[float] = None)

Attack algorithm that first runs a base attack, then removes unneeded noise.

Is best paired with attacks that quickly (but inefficiently) cross the decision boundary, like TabularRandomizedAttack.

__init__(base_attack: TabularIterativeAttack, repeat: int = 1, target_score: Optional[float] = None)

Initialize with base attack and information for removing noise.

Parameters:
  • base_attack – Base attack algorithm to run first.

  • repeat – How many times to attempt to remove noise for each column. Defaults to 1.

  • target_score – Upper bound on the score (loss) of examples considered to be successfully adversarial. Defaults to None.

Epsilon Balls

Classes defining epsilon balls.

class rime.tabular.attacks.epsilon_ball.LInfQuantileEpsilonBall(epsilon: float, columns: List[Column], col_indices: Optional[List[int]] = None)

An Epsilon Ball with each feature bounded by a quantile range.

__init__(epsilon: float, columns: List[Column], col_indices: Optional[List[int]] = None)

Initialize the epsilon ball.

Parameters:
  • epsilon – A percentage specifying the (one-sided) quantile range within which each feature may be perturbed. Should not exceed .5 (50%), as it refers to deviations from the 50th percentile both above and below.

  • columns – List of columns associated with the features of data points handled by epsilon ball.

  • col_indices – Optional list of indices to which the columns correspond.

class rime.tabular.attacks.epsilon_ball.LInfRangeEpsilonBall(epsilon: float, columns: List[Column], col_indices: Optional[List[int]] = None)

EpsilonBall implementation that clips based on max-min range.

__init__(epsilon: float, columns: List[Column], col_indices: Optional[List[int]] = None)

Initialize the epsilon ball.

Parameters:
  • epsilon – A percentage specifying the (one-sided) size of the range within which each feature may be perturbed, calculated as a percentage of the corresponding columns’ value ranges. Should not exceed 1 (100%).

  • columns – List of columns associated with the features of data points handled by epsilon ball.

  • col_indices – Optional list of indices to which the columns correspond.
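
The two bounding rules described above, sketched in plain Python as an added example (not RIME code). The function names, the choice to centre the range ball on the original value, and the sample column are assumptions based on one reading of the parameter descriptions.

```python
# Added illustration, not RIME code. Function names and the exact bound
# formulas are assumptions drawn from the parameter descriptions above.
from typing import List, Tuple


def quantile(sorted_vals: List[float], q: float) -> float:
    """Linearly interpolated quantile of an already sorted list."""
    pos = q * (len(sorted_vals) - 1)
    lo = int(pos)
    hi = min(lo + 1, len(sorted_vals) - 1)
    return sorted_vals[lo] + (pos - lo) * (sorted_vals[hi] - sorted_vals[lo])


def quantile_bounds(column: List[float], epsilon: float) -> Tuple[float, float]:
    """Bounds at the (0.5 - epsilon) and (0.5 + epsilon) column quantiles."""
    if not 0.0 <= epsilon <= 0.5:
        raise ValueError("quantile epsilon must be in [0, 0.5]")
    vals = sorted(column)
    return quantile(vals, 0.5 - epsilon), quantile(vals, 0.5 + epsilon)


def range_bounds(column: List[float], x: float, epsilon: float) -> Tuple[float, float]:
    """Bounds x +/- epsilon * (max - min), centred on the original value x."""
    if not 0.0 <= epsilon <= 1.0:
        raise ValueError("range epsilon must be in [0, 1]")
    radius = epsilon * (max(column) - min(column))
    return x - radius, x + radius


def clip(value: float, bounds: Tuple[float, float]) -> float:
    """Project a proposed perturbed value back into the ball."""
    lo, hi = bounds
    return max(lo, min(hi, value))


# Constructed sample column with a single outlier (1000).
COLUMN = [0, 10, 20, 30, 40, 50, 60, 70, 80, 90, 1000]

if __name__ == "__main__":
    original, proposed = 40.0, 500.0
    q = quantile_bounds(COLUMN, 0.2)
    r = range_bounds(COLUMN, original, 0.2)
    print("quantile ball", q, "->", clip(proposed, q))
    print("range ball   ", r, "->", clip(proposed, r))
```

With the constructed column, the single outlier widens the range-based ball around 40 to [-160, 240], while the quantile-based ball stays at [30, 70]. This difference matters when choosing a perturbation budget for a robustness test on skewed features.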

Attack Runner

Run tabular attacks.

rime.tabular.attacks.runner.run_attack_loop(attack: TabularIterativeAttack, run_container: TabularRunContainer, sample_size: int, use_tqdm: bool = True, special_logger: Optional[Logger] = None) → Tuple[List[TabularAttackState], list]

Run attack over sample of data.

Parameters:
  • attack – Attack to run.

  • run_container – Container of data/model to be attacked.

  • sample_size – Number of data points to sample to run attacks over.

  • use_tqdm – Whether to use tqdm to log the progress of the loop. Defaults to True.

  • special_logger – If specified, the logger to use to log info messages. Defaults to None.

Returns:

List of attack results and list of indices that were attacked.