Your search keyword '"membership inference attack"' showing total 8 results

1. MiDA: Membership inference attacks against domain adaptation.

Author

Zhang, Yuanjie, Zhao, Lingchen, and Wang, Qian

Subjects

PHYSIOLOGICAL adaptation, DEEP learning

Abstract

Domain adaption has become an effective solution to train neural networks with insufficient training data. In this paper, we investigate the vulnerability of domain adaption that potentially breaches sensitive information about the training dataset. We propose a new membership inference attack against domain adaption models, to infer the membership information of samples from the target domain. By leveraging the background knowledge about an additional source-domain in domain adaptation tasks, our attack can exploit the similar distributions between the target and source domain data to determine if a specific data sample belongs in the training set with high efficiency and accuracy. In particular, the proposed attack can be deployed in a practical scenario where the attacker cannot obtain any details of the model. We conduct extensive evaluations for object and digit recognition tasks. Experimental results show that our method can achieve the attack against domain adaptation models with a high success rate. • We are the first to analyze the privacy risks of domain adaptation models. • The proposed attack is more effective and easily realizable than existing attacks. • Results show that we can attack domain adaptation models with a high success rate. [ABSTRACT FROM AUTHOR]

Published

2023

2. Membership reconstruction attack in deep neural networks.

Author

Long, Yucheng, Ying, Zuobin, Yan, Hongyang, Fang, Ranqing, Li, Xingyu, Wang, Yajie, and Pan, Zijie

Subjects

*ARTIFICIAL neural networks, *MACHINE learning, *INFERENCE (Logic)

Abstract

To further enhance the reliability of Machine Learning (ML) systems, considerable efforts have been dedicated to developing privacy protection techniques. Recently, membership privacy has gained increasing attention, with a focus on determining whether a specific data point is present in the confidential training set of an ML model. However, most current attacks only prioritize attack accuracy and fail to extend their range to the evidence that contributes to the member/non-member classification. This limitation greatly reduces the practicality of Membership Inference Attacks (MIA), as real-world data typically includes multiple features, making it challenging to identify which features are involved in the sensitive training set. Therefore, this paper targets one of the fundamental challenges in membership inference attack: measuring the distance between an attack sample and a member sample. Specifically, we propose a novel threat model called Membership Reconstruction Attack (MRA), which aims to reconstruct the exact distribution of the target training set. MRA achieves this by marking each input dimension (e.g., pixels) according to its similarity to the target dataset in feature space. Our attack demonstrates its effectiveness across various settings, including different major datasets (MNIST, CIFAR-10, CIFAR-100) and different model architectures (AlexNet, ResNet, DenseNet, and generative models). Additionally, we evaluate MRA from the defenders' perspective and test several defense approaches against our attack. [ABSTRACT FROM AUTHOR]

Published

2023

3. Topology modification against membership inference attack in Graph Neural Networks.

Author

Guan, Faqian, Zhu, Tianqing, Tong, Hanjin, and Zhou, Wanlei

Abstract

Graph Neural Networks (GNNs) can effectively leverage information from graph data and apply to various downstream tasks, such as recommendation system, or anomaly detection. Previous studies have shown that node-level GNNs are susceptible to membership inference attacks, potentially leaking private information about the nodes. However, current studies on defending against such attacks primarily focuses on image and text data. They may not be directly applicable to graph data. In addition, classic defense methods such as differential privacy, regularization techniques, and adversarial training. They may reduce model availability or require model retraining while protecting privacy. To deal with these problems, we propose a novel defense strategy against membership inference attacks in graph neural networks. The strategy involves augmenting the graph with additional nodes and modifying its topology to create a new privacy-preserving graph, thereby protecting the privacy of the original nodes. We conducted extensive experiments on three representative GNN models and compared them with state-of-the-art baseline methods to support our research. The experimental results demonstrate that our method significantly reduces the success rate of membership inference attacks while maintaining the basic performance of the target model. [ABSTRACT FROM AUTHOR]

Published

2024

4. MaskArmor: Confidence masking-based defense mechanism for GNN against MIA.

Author

Chen, Chenyang, Zhang, Xiaoyu, Qiu, Hongyi, Lou, Jian, Liu, Zhengyang, and Chen, Xiaofeng

Subjects

*GRAPH neural networks, *ORGANIZATIONAL resilience

Abstract

Graph neural networks (GNNs) have demonstrated remarkable performance in diverse graph-related tasks, including node classification, graph classification, link prediction, etc. Previous research has indicated that GNNs are vulnerable to membership inference attacks (MIA). These attacks enable malevolent parties to deduce whether the data points are part of the training set by identifying the output distribution, giving rise to noteworthy privacy apprehensions, especially when the graph contains sensitive data. There have been some studies to defend against graph MIA so far, but they have issues like high computational cost and decreased model accuracy. In this paper, we introduce a novel defense framework called MaskArmor , designed to bolster the privacy and security of GNNs against MIA. The MaskArmor framework encompasses four distinct masking strategies: AdjMask, DTMask, ATMask, and SigMask. These strategies leverage message-passing mechanisms, distillation temperature, hybrid masking, and the Sigmoid function, respectively. The MaskArmor framework effectively obscures the distribution of the model on both the training and non-training samples, rendering it challenging for attackers to ascertain whether particular samples have undergone training. Additionally, MaskArmor sustains the model's precision with negligible computational overhead. Our experiments are implemented across seven benchmark datasets and four GNN networks against shadow-based and threshold-based MIAs, showcasing that MaskArmor substantially heightens GNNs' resilience against MIA while simultaneously preserving accuracy on the initial tasks. It also demonstrates adeptness in countering threshold-based MIA through strategies like AdjMask and ATMask. Exhaustive experimental results substantiate that MaskArmor outperforms alternative existing approaches, maintaining effectiveness and applicability across diverse datasets and attack scenarios. [ABSTRACT FROM AUTHOR]

Published

2024

5. Membership inference attack for beluga whales discrimination.

Author

Araújo, Voncarlos M., Gambs, Sébastien, Michaud, Robert, Lautraite, Hadrien, Schneider, Léo, and Chion, Clément

Subjects

MACHINE learning, WHITE whale, ANIMAL ecology, ANIMAL populations

Abstract

To efficiently monitor the growth and evolution of a particular wildlife population, one of the fundamental challenges to address in animal ecology is the re-identification of individuals that have been previously encountered but also the discrimination between known and unknown individuals (the so-called "open-set problem"), which is the first step to realize before re-identification. In particular, in this work, we are interested in the discrimination within digital photos of beluga whales, which are known to be among the most challenging marine species to discriminate due to their lack of distinctive features. To tackle this problem, we propose a novel approach based on the use of Membership Inference Attacks (MIAs), which are normally used to assess the privacy risks associated with releasing a particular machine learning model. More precisely, we demonstrate that the problem of discriminating between known and unknown individuals can be solved efficiently using state-of-the-art approaches for MIAs. Extensive experiments on three benchmark datasets related to whales, two different neural network architectures, and three MIA clearly demonstrate the performance of the approach. In addition, we have also designed a novel MIA strategy that we coined as ensemble MIA, which combines the outputs of different MIAs to increase the discrimination accuracy while diminishing the false positive rate. Overall, one of the main objectives of our work is to demonstrate that the study of privacy attacks can also be harnessed positively, assisting in the resolution of practical issues encountered in the field of animal ecology. • Re-identification method for discriminating known and unknown whale individuals. • Novel use of privacy attack, to distinguish between open-set and closed-set worlds. • Diminishing false positive rate using a new Membership Inference Attack strategy. [ABSTRACT FROM AUTHOR]

Published

2024

6. Pseudo unlearning via sample swapping with hash.

Author

Li, Lang, Ren, Xiaojun, Yan, Hongyang, Liu, Xiaozhang, and Zhang, Zhenxin

Subjects

*DATA privacy, *MACHINE learning, *INFERENCE (Logic), *HONESTY

Abstract

Machine Unlearning is a recently proposed paradigm to make an machine learning (ML) model delete specific data. Specifically, the data owner has the right to ask the machine learning as a service (MLaaS) provider to remove the impact of specific data on the trained model, so as to protect the privacy of the forgotten data. However, in order to achieve the desired effect, the unlearning operation does come at a certain cost. Therefore, the dishonest MLaaS provider has an incentive to create fake forgetting feedback to deceive the data owner's unlearning verification without performing any unlearning operations. The primary objective of the paper is to understand the potential vulnerabilities within machine unlearning mechanisms and contribute to the development of more robust, trustworthy, and secure unlearning solutions. We propose the concept of Pseudo Unlearning for the first time, and designs an efficient scheme, s ample s wapping with h ash (SSH), for the membership inference attack verification mechanism. We conduct extensive experiments on different datasets, and the performance achieved in the evaluation metrics as well as the verification mechanisms of membership inference attack shows the feasibility of pseudo unlearning. [ABSTRACT FROM AUTHOR]

Published

2024

7. GradDiff: Gradient-based membership inference attacks against federated distillation with differential comparison.

Author

Wang, Xiaodong, Wu, Longfei, and Guan, Zhitao

Subjects

*FEDERATED learning, *DISTILLATION, *INFERENCE (Logic)

Abstract

Membership inference attacks (MIAs) has demonstrated a great threat to federated learning (FL) and its extension federated distillation (FD). However, existing research on MIAs against FD is insufficient. In this paper, we propose a novel membership inference attack named GradDiff, which is a passive gradient-based MIA employing differential comparison. Additionally, to make full use of the federated training process, we also design the gradient drift attack (GradDrift), an active version of GradDiff, in which the attacker modifies the target model by gradient tuning and is able to obtain more information about membership privacy. We conduct extensive experiments on three real-world datasets to evaluate the effectiveness of the proposed attacks. The results show that our proposed attacks can outperform the existing baseline methods in terms of precision and recall. Besides, we perform a thorough investigation of the factors that may influence the performance of MIAs against FD. [ABSTRACT FROM AUTHOR]

Published

2024

8. Understanding and defending against White-box membership inference attack in deep learning.

Author

Wu, Di, Qi, Saiyu, Qi, Yong, Li, Qian, Cai, Bowen, Guo, Qi, and Cheng, Jingxian

Subjects

*DEEP learning, *MACHINE learning, *LEAKS (Disclosure of information), *GENERALIZATION

Abstract

Membership inference attacks (MIA) exploit the fact that deep learning algorithms leak information about their training data through the learned model. It has been treated as an indicator which reveals the privacy leakage of machine learning models. In this work, we aim to understand the advantage achieved by White-box MIA, and defend against White-box MIA. Firstly, we estimate the KL divergence on the hidden layers' features between training set and test set as the internal generalization gap. By comparing the internal generalization gap and the generalization gap on the output layer, we raise two insights including (1) the existence of larger generalization gaps on hidden layers and (2) feasibility of generalization gap minimization in defending White-box MIA. Based on our insights, we further design a novel defense method named Nirvana. It intentionally minimizes generalization gap to defend White-box MIA. Formally, Nirvana works by selecting a hidden layer with large generalization gaps and executing a multi-samples convex combination among features on the layer during the training to defend against White-box MIA. Finally, we empirically evaluate Nirvana with state-of-the-art defense methods on CIFAR100 dataset, Purchase100 dataset, and Texas dataset. The experiment results show that Nirvana achieves a trade-off between utility and privacy. It can defend both White-box MIA and Black-box MIA while the test accuracy of the model is maintained. It outperforms previous defense methods in defending against White-box MIA. [ABSTRACT FROM AUTHOR]

Published

2023