Code for the paper "Defending Against Membership Inference Attacks on Iteratively Pruned Deep Neural Networks" in NDSS'25.
Part of the codes are modified from https://github.com/Machine-Learning-Security-Lab/mia_prune.
Reference: Xiaoyong Yuan and Lan Zhang. Membership inference attacks and defenses in neural network pruning. In 31st USENIX Security Symposium (USENIX Security 22), 2022.
We tested on Ubuntu with Python 3.6.13 and torch-gpu. We recommend installing the dependencies via virtual env management tool, e.g., Anaconda.
conda create -n python-pytorch python=3.6.13
conda activate python-pytorch
pip install torch==1.10.1+cu111 torchvision==0.11.2+cu111 torchaudio==0.10.1 -f https://download.pytorch.org/whl/cu111/torch_stable.html
pip install scikit-learn pandas matplotlib nni==2.3 pynvml tensorboard
Note: All dependencies of the project are in the requirements.txt we provide. You can also install them directly through this file after activating the virtual environment.
-
Structure of Important Folders:
├─ config ├─ data │ └─ datasets │ ├─ cifar10-data │ ├─ cifar100-data │ ├─ cinic │ ├─ location │ ├─ purchase100 │ └─ texas ├─ log │ ├─ cifar10_resnet18 │ ├─ location_columnfc │ └─ ... ├─ memscore └─ result ├─ cifar10_resnet18 │ ├─ iter_pruning_0.6_slide_ml2_model │ └─ ... ├─ location_columnfc │ ├─ iter_prunetxt_0.6_ml2_model │ └─ ... └─ ...Description: (1) In the
configfolder, configuration files for different experimental settings are stored. (2) In thedata/datasetsfolder, different downloaded datasets are stored. (3) In thelogfolder, the outputs of experiments under different datasets and model architectures are stored. (4) The mem-scores of datasets need to be stored in thememscorefolder in CSV format. Here, we provide the mem-score that can be used directly. The mem-score can also be recalculated using the definition or as described in our paper. (5) The pretrained and pruned models will be saved in theresultfolder, and you can find the.pthmodel file in the folder path named the specific dataset and model architecture. -
Prepare the Datasets: We use three image datasets: CIFAR10, CIFAR100, CINIC; three tabular datasets: Location, Texas, Purchase. For CIFAR10/CIFAR100, you can download it directly through the
torchvisiontool in codedatasets.py. We provide download links and saving instructions for other datasets below:- CINIC: https://datashare.ed.ac.uk/bitstream/handle/10283/3192/CINIC-10.tar.gz?sequence=4&isAllowed=y
Download and unzip the dataset and put thetrainandtestfolders into the createddata/dataset/cinicfolder. - Location: https://github.com/jjy1994/MemGuard/tree/master/data/location
Downloaddata_complete.npzand put it into thedata/dataset/locationfolder. - Texas: https://www.comp.nus.edu.sg/~reza/files/dataset_texas.tgz
Download and unziptexas/100/feats.txtandtexas/100/labels.txtand put them into thedata/dataset/texasfolder. - Purchase: https://www.comp.nus.edu.sg/~reza/files/dataset_purchase.tgz
Download and unzipdataset_purchaseand put it into thedata/dataset/purchase100folder and rename it topurchase100.txt.
It should be noted that since the training data and test data need to be manually split for tabular datasets, it is necessary to ensure that the mem-scores correspond to the split training data. Here, we provide our split Location dataset
location.pkl, in which the training data matches the mem-scores of the corresponding data we gave. - CINIC: https://datashare.ed.ac.uk/bitstream/handle/10283/3192/CINIC-10.tar.gz?sequence=4&isAllowed=y
-
Models: We use four model architectures for evaluation: ResNet18, DenseNet121, VGG16 and FC (fully connected network).For CIFAR10, CIFAR100, and CINIC, we use ResNet18, DenseNet121, and VGG16. For Texas, Location, and Purchase, we employ an FC.
-
Step 1: Train an original model:
python pretrain_modi.py [GPU-ID] [config_path] -
Step 2: Prune and fine-tune the model:
(1) Option 1: with
Basedefense (default)python prune_modi.py [GPU-ID] [config_path] --pruner_name [pruner_name] --prune_sparsity [prune_sparsity] --prune_iter [prune_iter](2) Option 2: with our defenses
-
our
defend_namein [slide,slide_re]:python prune_modi.py [GPU-ID] [config_path] --pruner_name [pruner_name] --prune_sparsity [prune_sparsity] --prune_iter [prune_iter] --defend [defend_name] --stride [step_size] --width [window_width] -
our
defend_nameisml2:python prune_modi.py [GPU-ID] [config_path] --pruner_name [pruner_name] --prune_sparsity [prune_sparsity] --prune_iter [prune_iter] --defend [defend_name] --weight_decay_mem [risk_reg] --mem_thre [mem_thred] -
our
defend_namein [slide_ml2,slide_re_ml2]:python prune_modi.py [GPU-ID] [config_path] --pruner_name [pruner_name] --prune_sparsity [prune_sparsity] --prune_iter [prune_iter] --defend [defend_name] --weight_decay_mem [risk_reg] --stride [step_size] --width [window_width] --mem_thre [mem_thred]
(3) Option 3: with other defenses
-
defend_namein [ppb,adv,dp,relaxloss]:python prune_modi.py [GPU-ID] [config_path] --pruner_name [pruner_name] --prune_sparsity [prune_sparsity] --prune_iter [prune_iter] --defend [defend_name] --defend_arg [defend_arg]
-
-
Step 3: Adaptive Attack
(1) Option 1: attack under
Basemethod:python mia_modi.py [GPU-ID] [config_path] --pruner_name [pruner_name] --prune_sparsity [prune_sparsity] --attacks [attacks](2) Option 2: attack under our defenses:
python mia_modi.py [GPU-ID] [config_path] --pruner_name [pruner_name] --prune_sparsity [prune_sparsity] --attacks [attacks] --defend [defend_name] --adaptive(3) Option 3: attack under other defenses:
python mia_modi.py [GPU-ID] [config_path] --pruner_name [pruner_name] --prune_sparsity [prune_sparsity] --attacks [attacks] --defend [defend_name] --defend_arg [defend_arg] --adaptiveattackscan bethreshold(involves Conf, Entr, Mentr, and Hconf),samia,nn,nn_top3,nn_cls.
- The process output, test accuracy, attack accuracy and defense time will be saved in the
logfolder. config_pathis in theconfigfolder, e.g.,./config/cifar10_resnet18.json.pruner_namecan beiter_pruning(for VGG16, ResNet18, and DenseNet121) oriter_prunetxt(for FC model).prune_sparsitywe set in experiment is [0.5, 0.6, 0.7].prune_iterwe set in experiment is 5.slideis RSW(H->L),slide_reis RSW(L->H),ml2is RMR,slide_ml2is SWMR(H->L),slide_re_ml2is SWMR(L->H).risk_regis the coefficient of risk memory regularization.mem_thredis the threshold of mem-score.defend_argis the hyper-parameters for other defenses: [1, 2, 4, 8, 16] forppb, [1, 2, 4, 8] foradv, [0.01, 0.1, 1] fordp, and 1 forrelaxloss.
Since our defense method is executed during the fine-tuning (retraining) stage of the model pruning process, and we use a model pruning method that includes five iterations in the experiments, this require five rounds of retraining operations on a normal pruned model (victim model) and five corresponding shadow pruned models, respectively, which will require more time. Therefore, in order to simplify the evaluation process, we only select one representative image dataset (e.g., CIFAR10) and one tabular dataset (e.g., Location) for evaluation. The evaluation method on the rest of the datasets (model) are the same as the example evaluation method we give, only the config_path needs to be changed.
-
Download the data files according to the second item in "Datasets and Models" when you use tabular or CINIC datasets.
-
Please run
run_shell.sh(you may need to runchmod +x run_shell.shfirst), which consolidates all experimental steps on CIFAR10-ResNet18 and Location-FC. Note that we only evaluate the defense performance on the 'Base' method and our three methods under the best defense settings (slide_re(RSW),ml2(RMR),slide_ml2(SWMR)) with the pruning rate of 0.6. To save time, we perform metric-based attackthreshold(i.e., Conf, Entr, Mentr, and Hconf) and a representative classifier-based attacksamia(i.e., SAMIA). -
You can continue to evaluate other defense methods (this will require more evaluation time). An example of other defense method is as follows:
# Prune and fine-tune models with 'ppb' defense method python prune_modi.py 0 ./config/cifar10_resnet18.json --pruner_name iter_pruning --prune_sparsity 0.6 --prune_iter 5 --defend ppb --defend_arg 4 # Adaptive attack on pruned models with 'ppb' defense method python mia_modi.py 0 ./config/cifar10_resnet18.json --pruner_name iter_pruning --prune_sparsity 0.6 --attacks threshold,samia --defend ppb --defend_arg 4 --adaptive -
We also provide a running script,
run_custom.sh, for all other defense methods used in the evaluation. You can run the script directly (you may need to runchmod +x run_custom.shfirst) to evaluate other defense methods.
The test accuracy of the iteratively pruned models with different defense methods and the attack accuracy under different MIAs can be found in the corresponding files in the log/ directory.
For example, the evaluation results of cifar10-resnet18 pruned model with slide_ml2 defense are stored in log/cifar10_resnet18/iter_pruning_0.6_slide_ml2.txt, where "Victim pruned model test accuracy" represents prediction accuracy of the pruned model, and "[attack name] attack accuracy" represents accuracy of MIAs on the pruned model. Additionally, you can check the defense time required for the current defense through "Total [defense name] defend time".
@inproceedings{shang2025iteratively,
title = {Defending Against Membership Inference Attacks on Iteratively Pruned Deep Neural Networks},
booktitle = {Network and Distributed System Security (NDSS) Symposium},
author={Shang, Jing and Wang, Jian and Wang, Kailun and Liu, Jiqiang and Jiang, Nan and Armanuzzaman, Md and Zhao, Ziming},
year={2025}
}