
Create a model inversion attack

Overview

A model inversion attack lets you evaluate the security of a Driverless AI model (experiment) against model inversion, in which an attacker queries the deployed model and trains a surrogate on its predictions to decipher how the model works.

Note

H2O Model Security creates a Driverless AI (DAI) Gradient Boosting Machine (GBM) surrogate model to understand the original model.

A surrogate model is a data mining and engineering technique in which a generally simpler model is used to explain another, usually a more complex model or phenomenon. For example, H2O Model Security trains the trees in the surrogate model to predict the predictions of the more complex Driverless AI model using the original model inputs. The trained surrogate model enables a heuristic understanding (i.e., not a mathematically precise understanding) of the mechanisms of the highly complex and nonlinear Driverless AI model.

Instructions

To create a model inversion attack, consider the following instructions:

  1. Click Menu.
  2. In the Endpoint URL box, enter the model's endpoint URL.
    Note

    H2O Model Security only supports Driverless AI (DAI) models deployed in H2O MLOps.

  3. In the Model attack type list, select Model inversion attack.
  4. Click Browse... or drag and drop the validation dataset file.
    Note

    The validation dataset must follow the same format as the training dataset used to train the model deployed in H2O MLOps.

  5. Click Upload data.
  6. Click Browse... or drag and drop the model inversion dataset file (the initial attack samples).
    Note
    • The model inversion dataset (initial attack samples) must contain the columns that the model's endpoint URL requires to score new data. Values in this dataset should reflect your own values.
    • The initial attack samples refer to the dataset rows used to decipher the original model's internal workings.
    • H2O Model Security trains the trees in the surrogate model to predict the predictions of the more complex Driverless AI model using the original model inputs (initial attack samples).
  7. Click Upload data.
  8. In the Training dataset size multiplier box, enter a multiplier value for the training dataset.
    Note
    • The default value of the Training dataset size multiplier is 2, and the multiplier value needs to be >= 2.
  9. In the Number of trees (Surrogate model) box, enter the number of trees for the surrogate model.
  10. In the Maximum depth (Surrogate model) box, enter the maximum depth for the surrogate model.
  11. In the Learning rate (Surrogate model) box, enter the learning rate for the surrogate model.
  12. In the Columns to exclude (comma-separated) box, enter the columns to exclude from the validation dataset, separated by commas.
  13. In the Target column box, enter the validation dataset's target column (the column the model predicts).
  14. Click Begin attack.
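The Python below is an added example, not code from H2O Model Security or this page; it mirrors the procedure above in miniature so you can see what the attack measures. A constructed stand-in plays the deployed model behind the endpoint, the initial attack samples are grown by the Training dataset size multiplier (jittered copies are an assumed augmentation method), a gradient-boosted surrogate takes the number of trees and learning rate as parameters (maximum depth is fixed at 1 to keep it short), and the surrogate's fidelity (R^2) on the validation dataset shows how much of the model's behaviour the attack recovered: the closer to 1.0, the more the model gives away.

```python
import math, random

def deployed_model(x):
    """Stand-in for the DAI model behind the MLOps endpoint (constructed, not a real model)."""
    return 0.5 / (1 + math.exp(-4 * x[0])) + 0.3 * (x[1] > 0.2) + 0.2 * x[1] ** 2

def fit_stump(X, resid):
    """Best depth-1 regression split on the residuals (prefix sums: O(n log n) per feature)."""
    n, total, best = len(X), sum(resid), None
    for j in range(len(X[0])):
        order, left = sorted(range(n), key=lambda i: X[i][j]), 0.0
        for k in range(n - 1):
            left += resid[order[k]]
            if X[order[k]][j] != X[order[k + 1]][j]:  # no split between identical values
                gain = left ** 2 / (k + 1) + (total - left) ** 2 / (n - k - 1)
                if best is None or gain > best[0]:
                    thr = (X[order[k]][j] + X[order[k + 1]][j]) / 2
                    best = (gain, j, thr, left / (k + 1), (total - left) / (n - k - 1))
    return best[1:]  # (feature, threshold, left leaf value, right leaf value)

def train_surrogate(X, y, n_trees, learning_rate):
    """Gradient-boosted stumps fit to the deployed model's scores (surrogate max depth = 1)."""
    base, stumps = sum(y) / len(y), []
    pred = [base] * len(y)
    for _ in range(n_trees):
        j, thr, lo, hi = fit_stump(X, [yi - pi for yi, pi in zip(y, pred)])
        stumps.append((j, thr, lo, hi))
        for i, x in enumerate(X):
            pred[i] += learning_rate * (lo if x[j] <= thr else hi)
    return base, learning_rate, stumps

def surrogate_predict(model, x):
    base, lr, stumps = model
    return base + lr * sum(lo if x[j] <= thr else hi for j, thr, lo, hi in stumps)

def fidelity(model, X_val, scores):
    """R^2 of the surrogate against the deployed model on held-out queries (1.0 = exact copy)."""
    mean = sum(scores) / len(scores)
    ss_res = sum((s - surrogate_predict(model, x)) ** 2 for x, s in zip(X_val, scores))
    return 1 - ss_res / sum((s - mean) ** 2 for s in scores)

def run_inversion_assessment(n_initial=100, multiplier=2, n_trees=300, learning_rate=0.1, seed=0):
    rng = random.Random(seed)
    initial = [[rng.uniform(-1, 1), rng.uniform(-1, 1)] for _ in range(n_initial)]  # attack samples
    jitter = lambda x: [v + rng.gauss(0, 0.1) for v in x]  # assumed augmentation: jittered copies
    X_train = initial + [jitter(rng.choice(initial)) for _ in range((multiplier - 1) * n_initial)]
    y_train = [deployed_model(x) for x in X_train]  # one endpoint query per training row
    model = train_surrogate(X_train, y_train, n_trees, learning_rate)
    X_val = [[rng.uniform(-1, 1), rng.uniform(-1, 1)] for _ in range(300)]  # validation dataset
    return fidelity(model, X_val, [deployed_model(x) for x in X_val])
```

Comparing the fidelity reached with few trees against the full run shows how quickly a surrogate converges on a model that is freely queryable.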