Lessons Learned: Defending Against Property Inference Attacks (2205.08821v4)

Published 18 May 2022 in cs.CR, cs.AI, and cs.LG

Abstract: This work investigates and evaluates multiple defense strategies against property inference attacks (PIAs), a privacy attack against machine learning models. Given a trained machine learning model, PIAs aim to extract statistical properties of its underlying training data, e.g., reveal the ratio of men and women in a medical training data set. While for other privacy attacks like membership inference, a lot of research on defense mechanisms has been published, this is the first work focusing on defending against PIAs. With the primary goal of developing a generic mitigation strategy against white-box PIAs, we propose the novel approach property unlearning. Extensive experiments with property unlearning show that while it is very effective when defending target models against specific adversaries, property unlearning is not able to generalize, i.e., protect against a whole class of PIAs. To investigate the reasons behind this limitation, we present the results of experiments with the explainable AI tool LIME. They show how state-of-the-art property inference adversaries with the same objective focus on different parts of the target model. We further elaborate on this with a follow-up experiment, in which we use the visualization technique t-SNE to exhibit how severely statistical training data properties are manifested in machine learning models. Based on this, we develop the conjecture that post-training techniques like property unlearning might not suffice to provide the desirable generic protection against PIAs. As an alternative, we investigate the effects of simpler training data preprocessing methods like adding Gaussian noise to images of a training data set on the success rate of PIAs. We conclude with a discussion of the different defense approaches, summarize the lessons learned and provide directions for future work.
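The white-box, meta-classifier style of PIA the abstract refers to (train shadow models on data with known property values, then classify a target model by its parameters) is shown end to end in the following added example. It is not code from the paper or its authors. It assumes a constructed synthetic tabular task with a hidden binary attribute s, logistic regression as the target architecture, a nearest-centroid meta-classifier, and the two candidate property values 0.2 and 0.8 for the ratio of s=1 records; the `noise_sigma` parameter applies the Gaussian-noise input preprocessing mentioned in the abstract to the training inputs only. All names (`make_dataset`, `train_logreg`, `run_pia`, `W_TRUE`) are illustrative.

```python
"""Toy white-box property inference attack (PIA): shadow models + meta-classifier.

Added illustration, not the paper's code. Data, label rule and model family are
constructed assumptions chosen so that the attack is easy to follow.
"""
import numpy as np

D = 4                                      # input features of the target model
W_TRUE = np.array([1.0, -1.0, 0.5, 0.0])   # assumed ground-truth label rule


def make_dataset(rng, n, ratio, noise_sigma=0.0):
    """Constructed training set; the hidden attribute s=1 occurs with frequency `ratio`.

    The attribute s is NOT an input feature, but it shifts feature 0 and the label
    rule, so the ratio leaves a statistical footprint in any model trained on the set.
    """
    s_sign = np.where(rng.random(n) < ratio, 1.0, -1.0)
    x = rng.normal(size=(n, D))
    x[:, 0] += 1.5 * s_sign
    logit = x @ W_TRUE + 1.5 * s_sign + 0.5 * rng.normal(size=n)
    y = (logit > 0).astype(float)
    if noise_sigma > 0:                    # defense knob: Gaussian noise on training inputs
        x = x + rng.normal(scale=noise_sigma, size=x.shape)
    return x, y


def train_logreg(x, y, steps=400, lr=0.3, l2=1e-3):
    """Logistic regression by full-batch gradient descent; returns [w_1..w_D, bias]."""
    xb = np.hstack([x, np.ones((len(x), 1))])
    theta = np.zeros(D + 1)
    for _ in range(steps):
        p = 1.0 / (1.0 + np.exp(-xb @ theta))
        grad = xb.T @ (p - y) / len(y) + l2 * theta
        theta -= lr * grad
    return theta


def nearest_centroid_attack(shadow_params, shadow_labels):
    """Meta-classifier: one centroid per property value in parameter space.

    The adversary has white-box access, so the 'features' of the meta-classifier
    are simply the target model's parameters.
    """
    centroids = {lab: shadow_params[shadow_labels == lab].mean(axis=0)
                 for lab in np.unique(shadow_labels)}

    def predict(theta):
        return min(centroids, key=lambda lab: np.linalg.norm(theta - centroids[lab]))
    return predict


def run_pia(noise_sigma=0.0, n_shadow=20, n_target=20, n_train=1000, seed=0):
    """Train shadow and target models, fit the meta-classifier, return attack accuracy."""
    rng = np.random.default_rng(seed)
    ratios = (0.2, 0.8)                    # candidate property values the attacker distinguishes

    def build(count):
        params, labels = [], []
        for i in range(count):
            r = ratios[i % 2]
            x, y = make_dataset(rng, n_train, r, noise_sigma)
            params.append(train_logreg(x, y))
            labels.append(r)
        return np.array(params), np.array(labels)

    shadow_p, shadow_l = build(2 * n_shadow)   # attacker's own models, property known
    target_p, target_l = build(2 * n_target)   # victim models, property to be inferred
    predict = nearest_centroid_attack(shadow_p, shadow_l)
    hits = sum(predict(t) == l for t, l in zip(target_p, target_l))
    return hits / len(target_l)


if __name__ == "__main__":
    for sigma in (0.0, 1.0, 3.0):
        print(f"input noise sigma={sigma}: attack accuracy={run_pia(sigma):.2f}")
```

In this construction the property is encoded not only in the weight on feature 0 but also in the bias term, because the ratio of s=1 records changes the label marginal; noise added to the inputs leaves that second signal intact, so the attack is expected to stay well above chance even at large `noise_sigma`. Whether the same holds for the image models and adversaries the paper evaluates is the paper's empirical question, not something this toy settles.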

Authors (4)
  1. Joshua Stock (5 papers)
  2. Jens Wettlaufer (1 paper)
  3. Daniel Demmler (3 papers)
  4. Hannes Federrath (17 papers)
Citations (1)
