This repository has been archived by the owner on Jan 8, 2023. It is now read-only.
Firstly, thanks for your contribution of mia, which is a very well-structured and concise implementation of the model inference attack.
However, one thing that confuses me is that, in your cifar10 example, lines 150-152, you include (x_test, y_test) in the dataset for testing the attacker, which is used for training the shadow model. From my perspective, this is inappropriate since the attack model has already seen these data indirectly through the shadow models, which breaches the assumption that the testing data is unseen before.
In the official implementation https://github.com/csong27/membership-inference, they seem to avoid this by separating one more testing set out.
I do not know whether my understanding is correct.
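The separation the issue asks about can be checked mechanically. The following is an added example, not code from the issue, the mia repository, or the referenced implementation: it partitions sample indices so that the attack evaluation set shares nothing with the shadow models' training data, and reports any overlap. All function names, split sizes, and the "reused" setup are assumptions made for illustration.

```python
import random

def disjoint_splits(n_samples, n_target_train, n_attack_nonmembers, seed=0):
    """Partition indices so attack evaluation never touches shadow data."""
    if n_target_train + n_attack_nonmembers >= n_samples:
        raise ValueError("no samples left for the shadow models")
    idx = list(range(n_samples))
    random.Random(seed).shuffle(idx)
    a, b = n_target_train, n_target_train + n_attack_nonmembers
    return {
        "target_train": idx[:a],        # members when evaluating the attack
        "attack_nonmembers": idx[a:b],  # held out from every model
        "shadow_pool": idx[b:],         # shadow models sample only from here
    }

def shadow_training_sets(shadow_pool, n_shadows, size, seed=0):
    """Draw each shadow model's training indices from the shadow pool only."""
    if size > len(shadow_pool):
        raise ValueError("shadow pool smaller than requested training size")
    rng = random.Random(seed)
    return [rng.sample(shadow_pool, size) for _ in range(n_shadows)]

def leaked_indices(attack_eval, shadow_sets):
    """Attack-evaluation indices that at least one shadow model trained on."""
    seen = set().union(*shadow_sets) if shadow_sets else set()
    return sorted(set(attack_eval) & seen)

def demo():
    """Return (leaks with disjoint splits, leaks when shadow data is reused)."""
    splits = disjoint_splits(1000, 300, 300)
    shadows = shadow_training_sets(splits["shadow_pool"], 3, 200)
    clean_eval = splits["target_train"] + splits["attack_nonmembers"]
    # Constructed stand-in for the setup the issue questions: the attack's
    # non-member examples are taken from data the shadow models trained on.
    reused_eval = splits["target_train"] + splits["shadow_pool"][:300]
    return (len(leaked_indices(clean_eval, shadows)),
            len(leaked_indices(reused_eval, shadows)))

if __name__ == "__main__":
    clean, reused = demo()
    print(f"leaked (disjoint splits): {clean}, leaked (reused data): {reused}")
```
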