A Method to Facilitate Membership Inference Attacks in Deep Learning Models (2407.01919v1)

Published 2 Jul 2024 in cs.CR, cs.AI, and cs.CV

Abstract: Modern ML ecosystems offer a surging number of ML frameworks and code repositories that can greatly facilitate the development of ML models. Today, even ordinary data holders who are not ML experts can apply off-the-shelf codebases to build high-performance ML models on their data, many of which are sensitive in nature (e.g., clinical records). In this work, we consider a malicious ML provider who supplies model-training code to the data holders, does not have access to the training process, and has only black-box query access to the resulting model. In this setting, we demonstrate a new form of membership inference attack that is strictly more powerful than prior art. Our attack empowers the adversary to reliably de-identify all the training samples (average >99% attack TPR@0.1% FPR), and the compromised models still maintain competitive performance as their uncorrupted counterparts (average <1% accuracy drop). Moreover, we show that the poisoned models can effectively disguise the amplified membership leakage under common membership privacy auditing, which can only be revealed by a set of secret samples known by the adversary. Overall, our study not only points to the worst-case membership privacy leakage, but also unveils a common pitfall underlying existing privacy auditing methods, which calls for future efforts to rethink the current practice of auditing membership privacy in machine learning models.
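The headline figure in the abstract is a true-positive rate measured at a fixed 0.1% false-positive rate, which is the quantity a membership-privacy audit has to report if it is to expose worst-case leakage rather than an average. The Python below is an added example written for this page, not code from the paper or its authors. It shows how an auditor derives that number from per-sample attack scores (here, any score where higher means "more likely a training member", e.g. negated loss), contrasts it with the best balanced accuracy that average-case audits tend to report, and enforces the sample-size precondition that a 0.1% FPR cannot be resolved with fewer than 1000 non-member scores. The member and non-member score distributions are constructed Gaussians standing in for a benign model and a leakage-amplified one; the means, standard deviation, sample sizes and seeds are assumptions, and nothing here models the paper's poisoning mechanism or how it hides from auditing.

```python
"""Membership-privacy audit metrics: TPR at a fixed low FPR versus best balanced accuracy.

Added example for this page. The score distributions below are constructed stand-ins,
not outputs of the paper's models.
"""
import math
import random
from typing import Dict, List, Sequence, Tuple


def threshold_at_fpr(nonmember_scores: Sequence[float], target_fpr: float) -> float:
    """Return the threshold t such that flagging `score > t` marks at most
    target_fpr of the non-members as members.

    Auditing at FPR = 0.1% needs at least 1000 non-member scores; with fewer,
    the quantile does not exist and any reported TPR would be meaningless.
    """
    if not 0.0 < target_fpr < 1.0:
        raise ValueError("target_fpr must lie in (0, 1)")
    n = len(nonmember_scores)
    allowed = int(math.floor(n * target_fpr))  # number of non-members we may flag
    if allowed < 1:
        raise ValueError(
            f"need at least {math.ceil(1 / target_fpr)} non-member scores "
            f"to resolve FPR={target_fpr}, got {n}"
        )
    ordered = sorted(nonmember_scores, reverse=True)
    # Exactly `allowed` non-members lie strictly above ordered[allowed]
    # (fewer if there are ties, which only makes the audit conservative).
    return ordered[allowed]


def tpr_at_fpr(member_scores: Sequence[float], nonmember_scores: Sequence[float],
               target_fpr: float = 0.001) -> float:
    """Fraction of true members flagged once the threshold is calibrated on non-members."""
    t = threshold_at_fpr(nonmember_scores, target_fpr)
    return sum(1 for s in member_scores if s > t) / len(member_scores)


def best_balanced_accuracy(member_scores: Sequence[float], nonmember_scores: Sequence[float]) -> float:
    """Best (TPR + TNR) / 2 over all thresholds: the average-case figure many audits report.
    Computed in one descending sweep over the pooled scores."""
    pooled = sorted(
        [(s, True) for s in member_scores] + [(s, False) for s in nonmember_scores],
        key=lambda pair: -pair[0],
    )
    m, n = len(member_scores), len(nonmember_scores)
    tp = fp = 0
    best = 0.5  # the trivial classifier that flags nobody
    for _, is_member in pooled:
        if is_member:
            tp += 1
        else:
            fp += 1
        best = max(best, (tp / m + (n - fp) / n) / 2)
    return best


def constructed_scores(member_mean: float, nonmember_mean: float, sigma: float,
                       n: int, seed: int) -> Tuple[List[float], List[float]]:
    """Constructed attack scores (think: negated per-sample loss).
    Gaussian stand-ins chosen for this example, not real model outputs."""
    rng = random.Random(seed)
    members = [rng.gauss(member_mean, sigma) for _ in range(n)]
    nonmembers = [rng.gauss(nonmember_mean, sigma) for _ in range(n)]
    return members, nonmembers


def audit(member_scores: Sequence[float], nonmember_scores: Sequence[float]) -> Dict[str, float]:
    """Both metrics an auditor should look at; the low-FPR one is the worst-case signal."""
    return {
        "tpr_at_0.1pct_fpr": tpr_at_fpr(member_scores, nonmember_scores, 0.001),
        "balanced_accuracy": best_balanced_accuracy(member_scores, nonmember_scores),
    }


def compare_models() -> Dict[str, Dict[str, float]]:
    """Benign stand-in: members only slightly more confident than non-members.
    Amplified stand-in: every member pushed far above any non-member (assumed shift)."""
    benign = constructed_scores(0.5, 0.0, 1.0, 5000, seed=1)
    amplified = constructed_scores(6.0, 0.0, 1.0, 5000, seed=2)
    return {"benign": audit(*benign), "amplified": audit(*amplified)}


if __name__ == "__main__":
    for name, metrics in compare_models().items():
        print(name, {k: round(v, 4) for k, v in metrics.items()})
```

The threshold is calibrated only on non-members, so the member set never influences the operating point; that is what makes a TPR at fixed FPR comparable across audits. The check in `threshold_at_fpr` is the caveat practitioners most often miss: an audit set of a few hundred non-members cannot support a 0.1% FPR claim at all, whatever the attack.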

Authors (2)
  1. Zitao Chen (9 papers)
  2. Karthik Pattabiraman (21 papers)
Citations (2)
