CategoricalCAP
Last updated
Last updated
The CategoricalCAP measures the risk of disclosing sensitive information through an inference attack. We assume that some values in the real data are public knowledge. An attacker is combining this with synthetic data to make guesses about other real values that are sensitive.
This metric describes how difficult it is for an attacker to correctly guess the sensitive information using an algorithm called Correct Attribution Probability (CAP).
Categorical: This metric is meant for discrete, categorical data
Boolean: This metric works well on boolean data
Missing values are not yet supported for this metric. If your columns contain missing values, consider removing them or creating a different category to denote what they are.
(best) 1.0: The real data is 100% safe from the attack. The attacker is not able to correctly guess any of the sensitive values by applying the CAP algorithm.
(worst) 0.0: The real data is not at all safe from the attack. The attacker is able to correctly guess every sensitive value by applying the CAP algorithm.
Scores between 0.0 and 1.0 indicate the overall safety of the real data. For example a score of 0.55 indicates that the data is generally 55% safe from attack.
Tip! When interpreting this score, it's helpful to think through the chances of an attacker gaining possession of the real data and the risks of correctly guessing sensitive values.
We assume that the attacker is in possession of
few columns of the real data (key_fields
), as well as
the full synthetic dataset, including synthetic sensitive values
The attacker's goal is to correctly guess the real value of the sensitive information, sensitive_fields
. An example is shown below.
In this metric, the attacker uses an algorithm called CAP [1], summarized below.
The attacker follows 4 steps to guess a sensitive value.
Pick a row (r) in the real dataset. Note down all the key_fields
in r.
In the synthetic data, find all the rows that match the key_fields
of r. Call this set of rows, S. The set S is also known as the (synthetic) equivalence class of r.
Each row in S will have synthetic values for the sensitive_fields
. Let each of the values vote to guess the sensitive_fields
of the real row, r.
The final score is the frequency of votes that are actually correct for all sensitive fields. This value must be between 0 and 1.
An illustration of this algorithm is shown below.
We repeat the attack for all rows (r) in the real data and calculate an overall probability of guessing the sensitive column correctly. The metric returns 1-probability
so that a higher score means higher privacy.
The SDMetrics library supports variants CAP algorithm, based on what the attacker can do with the equivalence class.
CategoricalZeroCAP: If there are no rows in the equivalence class, then the attacker records a failure (0
) to guess that row
CategoricalGeneralizedCAP: If there are no rows in the equivalence class, the attacker looks for closest matches instead of exact matches [2]. Because the key_fields
are all discrete, the attacker finds the closest matches by using the hamming distance [3]. This ensures that there is always at least 1 row in the equivalence class, which means that there is always at least 1 guess.
Access this metric from the single_table
module and use the compute
method.
Parameters
(required) real_data
: A pandas.DataFrame containing the real data
(required) synthetic_data
: A pandas.DataFrame containing the same columns of synthetic data
(required) key_fields
: A list of strings representing the column names that the attacker already knows. These must be compatible with the metric.
(required) sensitive_fields
: A list of string representing the column names that the attacker wants to guess. These must be compatible with the metric.
You can also import CategoricalZeroCAP
and CategoricalGeneralizedCAP
and use them in the same way.
[1] Final Report on the Disclosure Risk Associated with the Synthetic Data Produced by the SYLLS Team
[2] A Baseline for Attribute Disclosure Risk in Synthetic Data
[3] https://en.wikipedia.org/wiki/Hamming_distance