Membership inference(MI)attacks threaten user privacy through determining if a given data example has been used to train a target model.Existing MI defenses protect the membership privacy through preemptive exclusion ...Membership inference(MI)attacks threaten user privacy through determining if a given data example has been used to train a target model.Existing MI defenses protect the membership privacy through preemptive exclusion of members techniques and knowledge distillation.Unfortunately,using either of these two defenses alone,the defense effect can still offers an unsatisfactory trade-off between membership privacy and utility.Given that the defense method that directly combines these two defenses is still very limited(e.g.,the test accuracy of the target model is decreased by about 40%(in our experiments)),in this work,we propose a dual defense(DD)method that includes the preemptive exclusion of high-risk member samples module and the knowledge distillation module,which thwarts the access of the resulting models to the private training data twice to mitigate MI attacks.Our defense method can be divided into two steps:the preemptive exclusion of high-risk member samples(Step 1)and the knowledge distillation to obtain the protected student model(Step 2).We propose three types of exclusions:existing MI attacks-based exclusions,sample distances of members and nonmembers-based exclusions,and mutual information value-based exclusions,to preemptively exclude the high-risk member samples.During the knowledge distillation phase,we add ground-truth labeled data to the reference dataset to decrease the protected student model's dependency on soft labels,aiming to maintain or improve its test accuracy.Extensive evaluation shows that DD significantly outperforms state-of-the-art defenses and offers a better privacy-utility trade-off.For example,DD achieves∼100%test accuracy improvement over the distillation for membership privacy(DMP)defense for ResNet50 trained on CIFAR100.DD simultaneously achieves the reductions in the attack effectiveness(e.g.,the TPR@0.01%FPR of enhanced MI attacks decreased by 2.10%on the ImageNet dataset,the membership advantage(MA)of risk score-based attacks decreased by 56.30%)and improvements of the target models'test accuracies(e.g.,by 42.80%on CIFAR100).展开更多
Membership inference(MI)attacks mainly aim to infer whether a data record was used to train a target model or not.Due to the serious privacy risks,MI attacks have been attracting a tremendous amount of attention in th...Membership inference(MI)attacks mainly aim to infer whether a data record was used to train a target model or not.Due to the serious privacy risks,MI attacks have been attracting a tremendous amount of attention in the research community.One existing work conducted-to our best knowledge the first dedicated survey study in this specific area:The survey provides a comprehensive review of the literature during the period of 2017~2021(e.g.,over 100 papers).However,due to the tremendous amount of progress(i.e.,176 papers)made in this area since 2021,the survey conducted by the one existing work has unfortunately already become very limited in the following two aspects:(1)Although the entire literature from 2017~2021 covers 18 ways to categorize(all the proposed)MI attacks,the literature during the period of 2017~2021,which was reviewed in the one existing work,only covered 5 ways to categorize MI attacks.With 13 ways missing,the survey conducted by the one existing work only covers 27%of the landscape(in terms of how to categorize MI attacks)if a retrospective view is taken.(2)Since the literature during the period of 2017~2021 only covers 27%of the landscape(in terms of how to categorize),the number of new insights(i.e.,why an MI attack could succeed)behind all the proposed MI attacks has been significantly increasing since year 2021.As a result,although none of the previous work has made the insights as a main focus of their studies,we found that the various insights leveraged in the literature can be broken down into 10 groups.Without making the insights as a main focus,a survey study could fail to help researchers gain adequate intellectual depth in this area of research.In this work,we conduct a systematic study to address these limitations.In particular,in order to address the first limitation,we make the 13 newly emerged ways to categorize MI attacks as a main focus on the study.In order to address the second limitation,we provide-to our best knowledge-the first review of the various insights leveraged in the entire literature.We found that the various insights leveraged in the literature can be broken down into 10 groups.Moreover,our survey also provides a comprehensive review of the existing defenses against MI attacks,the existing applications of MI attacks,the widely used datasets(e.g.,107 new datasets),and the eva luation metrics(e.g.,20 new evaluation metrics).展开更多
基金supported by the National Natural Science Foundation of China(61941105,61772406,U2336203,U1836210)National Key Research and Development Program of China(2023YFB3106400,2023QY1202)+1 种基金Beijing Natural Science Foundation(4242031)the Key Research and Development Science and Technology of Hainan Province(GHYF2022010).
文摘Membership inference(MI)attacks threaten user privacy through determining if a given data example has been used to train a target model.Existing MI defenses protect the membership privacy through preemptive exclusion of members techniques and knowledge distillation.Unfortunately,using either of these two defenses alone,the defense effect can still offers an unsatisfactory trade-off between membership privacy and utility.Given that the defense method that directly combines these two defenses is still very limited(e.g.,the test accuracy of the target model is decreased by about 40%(in our experiments)),in this work,we propose a dual defense(DD)method that includes the preemptive exclusion of high-risk member samples module and the knowledge distillation module,which thwarts the access of the resulting models to the private training data twice to mitigate MI attacks.Our defense method can be divided into two steps:the preemptive exclusion of high-risk member samples(Step 1)and the knowledge distillation to obtain the protected student model(Step 2).We propose three types of exclusions:existing MI attacks-based exclusions,sample distances of members and nonmembers-based exclusions,and mutual information value-based exclusions,to preemptively exclude the high-risk member samples.During the knowledge distillation phase,we add ground-truth labeled data to the reference dataset to decrease the protected student model's dependency on soft labels,aiming to maintain or improve its test accuracy.Extensive evaluation shows that DD significantly outperforms state-of-the-art defenses and offers a better privacy-utility trade-off.For example,DD achieves∼100%test accuracy improvement over the distillation for membership privacy(DMP)defense for ResNet50 trained on CIFAR100.DD simultaneously achieves the reductions in the attack effectiveness(e.g.,the TPR@0.01%FPR of enhanced MI attacks decreased by 2.10%on the ImageNet dataset,the membership advantage(MA)of risk score-based attacks decreased by 56.30%)and improvements of the target models'test accuracies(e.g.,by 42.80%on CIFAR100).
基金supported by National Natural Science Foundation of China(61941105,61772406,and U2336203)National Key Research and Development Program of China(2023QY1202)Beijing Natural Science Foundation(4242031).
文摘Membership inference(MI)attacks mainly aim to infer whether a data record was used to train a target model or not.Due to the serious privacy risks,MI attacks have been attracting a tremendous amount of attention in the research community.One existing work conducted-to our best knowledge the first dedicated survey study in this specific area:The survey provides a comprehensive review of the literature during the period of 2017~2021(e.g.,over 100 papers).However,due to the tremendous amount of progress(i.e.,176 papers)made in this area since 2021,the survey conducted by the one existing work has unfortunately already become very limited in the following two aspects:(1)Although the entire literature from 2017~2021 covers 18 ways to categorize(all the proposed)MI attacks,the literature during the period of 2017~2021,which was reviewed in the one existing work,only covered 5 ways to categorize MI attacks.With 13 ways missing,the survey conducted by the one existing work only covers 27%of the landscape(in terms of how to categorize MI attacks)if a retrospective view is taken.(2)Since the literature during the period of 2017~2021 only covers 27%of the landscape(in terms of how to categorize),the number of new insights(i.e.,why an MI attack could succeed)behind all the proposed MI attacks has been significantly increasing since year 2021.As a result,although none of the previous work has made the insights as a main focus of their studies,we found that the various insights leveraged in the literature can be broken down into 10 groups.Without making the insights as a main focus,a survey study could fail to help researchers gain adequate intellectual depth in this area of research.In this work,we conduct a systematic study to address these limitations.In particular,in order to address the first limitation,we make the 13 newly emerged ways to categorize MI attacks as a main focus on the study.In order to address the second limitation,we provide-to our best knowledge-the first review of the various insights leveraged in the entire literature.We found that the various insights leveraged in the literature can be broken down into 10 groups.Moreover,our survey also provides a comprehensive review of the existing defenses against MI attacks,the existing applications of MI attacks,the widely used datasets(e.g.,107 new datasets),and the eva luation metrics(e.g.,20 new evaluation metrics).
