ML-Doctor: Holistic Risk Assessment of Inference Attacks Against Machine Learning Models
- URL: http://arxiv.org/abs/2102.02551v1
- Date: Thu, 4 Feb 2021 11:35:13 GMT
- Title: ML-Doctor: Holistic Risk Assessment of Inference Attacks Against Machine Learning Models
- Authors: Yugeng Liu, Rui Wen, Xinlei He, Ahmed Salem, Zhikun Zhang, Michael Backes, Emiliano De Cristofaro, Mario Fritz and Yang Zhang
- Abstract summary: Inference attacks against Machine Learning (ML) models allow adversaries to learn about training data, model parameters, etc.
We concentrate on four attacks - namely, membership inference, model inversion, attribute inference, and model stealing.
Our analysis relies on a modular re-usable software, ML-Doctor, which enables ML model owners to assess the risks of deploying their models.
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: Inference attacks against Machine Learning (ML) models allow adversaries to learn information about training data, model parameters, etc. While researchers have studied these attacks thoroughly, they have done so in isolation. We lack a comprehensive picture of the risks caused by the attacks, such as the different scenarios they can be applied to, the common factors that influence their performance, the relationship among them, or the effectiveness of defense techniques. In this paper, we fill this gap by presenting a first-of-its-kind holistic risk assessment of different inference attacks against machine learning models. We concentrate on four attacks, namely membership inference, model inversion, attribute inference, and model stealing, and establish a threat model taxonomy. Our extensive experimental evaluation, conducted over five model architectures and four datasets, shows that the complexity of the training dataset plays an important role with respect to the attacks' performance, while the effectiveness of model stealing and that of membership inference attacks are negatively correlated. We also show that defenses like DP-SGD and Knowledge Distillation can only hope to mitigate some of the inference attacks. Our analysis relies on a modular, reusable software tool, ML-Doctor, which enables ML model owners to assess the risks of deploying their models, and equally serves as a benchmark tool for researchers and practitioners.
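The membership inference risk and the partial effect of a defense that the abstract describes, as an added, self-contained example that is not part of the paper and not code from the ML-Doctor toolkit: a pure-Python logistic-regression victim is trained on a small synthetic dataset (more feature dimensions than training points, so it can memorise them), the attacker scores every candidate point by the victim's loss on it and flags low-loss points as training members, and a second victim trained with L2 regularisation stands in for a mitigation (DP-SGD and knowledge distillation themselves are not implemented here). The dataset sizes, the synthetic Gaussian data, the learning rate and the regularisation strength are assumptions chosen for the example, and the loss-threshold attack is a deliberately simple attacker model, not the attack implementation the paper evaluates.

```python
"""Loss-based membership inference against a deliberately overfit model.

Constructed example (pure Python, no ML libraries). The 'victim' is a
logistic-regression classifier; the attacker only needs the loss the victim
assigns to a candidate point and labels low-loss points as members of the
training set. A second, L2-regularised victim shows how reducing overfitting
shrinks the member/non-member gap without removing it. All data is synthetic
and generated inline.
"""
import math
import random

DIM = 30        # feature dimension; chosen > N_TRAIN so the unregularised
                # victim can separate (memorise) its whole training set
N_TRAIN = 20    # victim's training set = the attacker's "members"
N_TEST = 20     # held-out points = "non-members"
SEP = 0.25      # per-dimension shift between the two class means (assumed)


def make_dataset(n, rng):
    """n labelled points: label y in {0,1}, x ~ N(+/-SEP, 1) per dimension."""
    data = []
    for _ in range(n):
        y = rng.randint(0, 1)
        mean = SEP if y == 1 else -SEP
        data.append(([rng.gauss(mean, 1.0) for _ in range(DIM)], y))
    return data


def sigmoid(z):
    z = max(-500.0, min(500.0, z))   # clamp so exp() cannot overflow
    return 1.0 / (1.0 + math.exp(-z))


def predict_proba(w, b, x):
    return sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b)


def train_logreg(data, epochs=3000, lr=0.5, l2=0.0):
    """Full-batch gradient descent on mean logistic loss + (l2/2)*||w||^2."""
    w, b, n = [0.0] * DIM, 0.0, len(data)
    for _ in range(epochs):
        grad_w, grad_b = [0.0] * DIM, 0.0
        for x, y in data:
            err = predict_proba(w, b, x) - y      # dLoss/dlogit
            for j in range(DIM):
                grad_w[j] += err * x[j]
            grad_b += err
        for j in range(DIM):
            w[j] -= lr * (grad_w[j] / n + l2 * w[j])
        b -= lr * grad_b / n
    return w, b


def example_loss(w, b, x, y):
    """Cross-entropy loss of the victim on one labelled example."""
    p = predict_proba(w, b, x)
    eps = 1e-12
    return -(y * math.log(p + eps) + (1 - y) * math.log(1 - p + eps))


def accuracy(w, b, data):
    return sum((predict_proba(w, b, x) >= 0.5) == (y == 1) for x, y in data) / len(data)


def membership_auc(member_losses, nonmember_losses):
    """AUC of the rule 'lower loss => member': P(loss_member < loss_nonmember)."""
    wins = 0.0
    for lm in member_losses:
        for ln in nonmember_losses:
            wins += 1.0 if lm < ln else (0.5 if lm == ln else 0.0)
    return wins / (len(member_losses) * len(nonmember_losses))


def best_threshold_accuracy(member_losses, nonmember_losses):
    """Accuracy of the best single loss threshold: an optimistic bound on what a
    threshold attacker could reach (0.5 = no better than guessing)."""
    best, total = 0.0, len(member_losses) + len(nonmember_losses)
    for tau in sorted(set(member_losses + nonmember_losses)):
        tp = sum(loss <= tau for loss in member_losses)      # members flagged
        tn = sum(loss > tau for loss in nonmember_losses)    # non-members passed
        best = max(best, (tp + tn) / total)
    return best


def assess(l2, seed=7):
    """Train one victim on a fixed synthetic split and report its
    generalisation gap and how well loss-based membership inference does."""
    rng = random.Random(seed)              # same data for every l2 value
    train = make_dataset(N_TRAIN, rng)
    test = make_dataset(N_TEST, rng)
    w, b = train_logreg(train, l2=l2)
    member_losses = [example_loss(w, b, x, y) for x, y in train]
    nonmember_losses = [example_loss(w, b, x, y) for x, y in test]
    return {
        "train_acc": accuracy(w, b, train),
        "test_acc": accuracy(w, b, test),
        "mean_member_loss": sum(member_losses) / N_TRAIN,
        "mean_nonmember_loss": sum(nonmember_losses) / N_TEST,
        "mia_auc": membership_auc(member_losses, nonmember_losses),
        "mia_best_acc": best_threshold_accuracy(member_losses, nonmember_losses),
    }


if __name__ == "__main__":
    for name, l2 in (("unregularised (overfit)", 0.0), ("L2-regularised", 1.0)):
        r = assess(l2)
        print(f"{name}: train acc {r['train_acc']:.2f}, test acc {r['test_acc']:.2f}, "
              f"mean loss member/non-member {r['mean_member_loss']:.3f}/"
              f"{r['mean_nonmember_loss']:.3f}, MIA AUC {r['mia_auc']:.2f}, "
              f"best-threshold acc {r['mia_best_acc']:.2f}")
```

Running the script prints one line per victim. The unregularised model reaches near-zero loss on its members while non-members keep a visibly larger loss, so the loss threshold separates them well; the regularised model closes much of that gap but the AUC typically stays above 0.5, which is the sense in which the abstract says defenses "can only hope to mitigate some" of the leakage. The same `assess` structure (train, score members and non-members, report AUC and best-threshold accuracy) is the minimal shape of a model-owner-side risk check; swapping in a real model and a shadow-model attacker changes the scoring function, not the evaluation.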
Related papers
- SA-Attack: Improving Adversarial Transferability of Vision-Language Pre-training Models via Self-Augmentation (2023-12-08): In contrast to white-box adversarial attacks, transfer attacks are more reflective of real-world scenarios. We propose a self-augment-based transfer attack method, termed SA-Attack.
- SecurityNet: Assessing Machine Learning Vulnerabilities on Public Models (2023-10-19): We analyze the effectiveness of several representative attacks/defenses, including model stealing attacks, membership inference attacks, and backdoor detection on public models. Our evaluation empirically shows that the performance of these attacks/defenses can vary significantly on public models compared to self-trained models.
- Can Adversarial Examples Be Parsed to Reveal Victim Model Information? (2023-03-13): In this work, we ask whether it is possible to infer data-agnostic victim model (VM) information from data-specific adversarial instances. We collect a dataset of adversarial attacks across 7 attack types generated from 135 victim models. We show that a simple, supervised model parsing network (MPN) is able to infer VM attributes from unseen adversarial attacks.
- AUTOLYCUS: Exploiting Explainable AI (XAI) for Model Extraction Attacks against Interpretable Models (2023-02-04): XAI tools can increase vulnerability to model extraction attacks, which is a concern when model owners prefer black-box access. We propose a novel retraining (learning) based model extraction attack framework against interpretable models under black-box settings. We show that AUTOLYCUS is highly effective, requiring significantly fewer queries compared to state-of-the-art attacks.
- Holistic risk assessment of inference attacks in machine learning (2022-12-15): This paper performs a holistic risk assessment of different inference attacks against Machine Learning models. A total of 12 target models using three model architectures, including AlexNet, ResNet18 and Simple CNN, are trained on four datasets.
- Interpretations Cannot Be Trusted: Stealthy and Effective Adversarial Perturbations against Interpretable Deep Learning (2022-11-29): This work introduces two attacks, AdvEdge and AdvEdge+, that deceive both the target deep learning model and the coupled interpretation model. Our analysis shows the effectiveness of our attacks in terms of deceiving the deep learning models and their interpreters.
- Enhanced Membership Inference Attacks against Machine Learning Models (2021-11-18): Membership inference attacks are used to quantify the private information that a model leaks about the individual data points in its training set. We derive new attack algorithms that can achieve a high AUC score while also highlighting the different factors that affect their performance. Our algorithms capture a very precise approximation of privacy loss in models, and can be used as a tool to perform an accurate and informed estimation of privacy risk in machine learning models.
- Learning to Attack: Towards Textual Adversarial Attacking in Real-world Situations (2020-09-19): Adversarial attacking aims to fool deep neural networks with adversarial examples. We propose a reinforcement learning based attack model, which can learn from attack history and launch attacks more efficiently.
- Improving Robustness to Model Inversion Attacks via Mutual Information Regularization (2020-09-11): This paper studies defense mechanisms against model inversion (MI) attacks. MI is a type of privacy attack aimed at inferring information about the training data distribution given access to a target machine learning model. We propose the Mutual Information Regularization based Defense (MID) against MI attacks.
- Sampling Attacks: Amplification of Membership Inference Attacks by Repeated Queries (2020-09-01): We introduce the sampling attack, a novel membership inference technique that, unlike other standard membership adversaries, is able to work under the severe restriction of having no access to the scores of the victim model. We show that a victim model that only publishes labels is still susceptible to sampling attacks and that the adversary can recover up to 100% of its performance. For defense, we choose differential privacy in the form of gradient perturbation during the training of the victim model as well as output perturbation at prediction time.