MIAShield: Defending Membership Inference Attacks via Preemptive Exclusion of Members
- URL: http://arxiv.org/abs/2203.00915v1
- Date: Wed, 2 Mar 2022 07:53:21 GMT
- Title: MIAShield: Defending Membership Inference Attacks via Preemptive Exclusion of Members
- Authors: Ismat Jarin and Birhanu Eshete
- Abstract summary: In membership inference attacks, an adversary observes the predictions of a model to determine whether a sample is part of the model's training data.
We propose MIAShield, a new MIA defense based on preemptive exclusion of member samples instead of masking the presence of a member.
We show that MIAShield effectively mitigates membership inference for a wide range of MIAs, achieves far better privacy-utility trade-off compared with state-of-the-art defenses, and remains resilient against an adaptive adversary.
- Score: 9.301268830193072
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: In membership inference attacks (MIAs), an adversary observes the predictions of a model to determine whether a sample is part of the model's training data. Existing MIA defenses conceal the presence of a target sample through strong regularization, knowledge distillation, confidence masking, or differential privacy.
We propose MIAShield, a new MIA defense based on preemptive exclusion of member samples instead of masking the presence of a member. The key insight in MIAShield is to weaken the strong membership signal that stems from the presence of a target sample by preemptively excluding it at prediction time, without compromising model utility. To that end, we design and evaluate a suite of preemptive exclusion oracles leveraging model confidence, exact or approximate sample signatures, and learning-based exclusion of member data points. To be practical, MIAShield splits the training data into disjoint subsets and trains a model on each subset to build an ensemble of models. The disjointness of the subsets ensures that a target sample belongs to only one subset, which isolates the sample and facilitates the preemptive exclusion goal.
We evaluate MIAShield on three benchmark image classification datasets. We show that MIAShield effectively mitigates membership inference (near random guess) for a wide range of MIAs, achieves a far better privacy-utility trade-off compared with state-of-the-art defenses, and remains resilient against an adaptive adversary.
Related papers
- Inherent Challenges of Post-Hoc Membership Inference for Large Language Models [17.993892458845124] (arXiv, 2024-06-25T23:12:07Z)
  Large Language Models (LLMs) are often trained on vast amounts of undisclosed data, motivating the development of post-hoc Membership Inference Attacks (MIAs).
  We identify inherent challenges in post-hoc MIA evaluation due to potential distribution shifts between collected member and non-member datasets.
  We propose a Regression Discontinuity Design (RDD) approach for post-hoc data collection, which substantially mitigates distribution shifts.
- Model Stealing Attack against Graph Classification with Authenticity, Uncertainty and Diversity [85.1927483219819] (arXiv, 2023-12-18T05:42:31Z)
  GNNs are vulnerable to the model stealing attack, a nefarious endeavor geared towards duplicating the target model via query permissions.
  We introduce three model stealing attacks to adapt to different actual scenarios.
- Practical Membership Inference Attacks against Fine-tuned Large Language Models via Self-prompt Calibration [32.15773300068426] (arXiv, 2023-11-10T13:55:05Z)
  Membership Inference Attacks (MIAs) aim to infer whether a target data record has been utilized for model training or not.
  We propose a Membership Inference Attack based on Self-calibrated Probabilistic Variation (SPV-MIA).
  Specifically, since memorization in LLMs is inevitable during the training process and occurs before overfitting, we introduce a more reliable membership signal.
- When Fairness Meets Privacy: Exploring Privacy Threats in Fair Binary Classifiers through Membership Inference Attacks [18.27174440444256] (arXiv, 2023-11-07T10:28:17Z)
  We propose an efficient MIA method against fairness-enhanced models based on fairness discrepancy results.
  We also explore potential strategies for mitigating privacy leakages.
- Ensemble Modeling for Multimodal Visual Action Recognition [50.38638300332429] (arXiv, 2023-08-10T08:43:20Z)
  We propose an ensemble modeling approach for multimodal action recognition.
  We independently train individual modality models using a variant of focal loss tailored to handle the long-tailed distribution of the MECCANO [21] dataset.
- Membership Inference Attacks against Synthetic Data through Overfitting Detection [84.02632160692995] (arXiv, 2023-02-24T11:27:39Z)
  We argue for a realistic MIA setting that assumes the attacker has some knowledge of the underlying data distribution.
  We propose DOMIAS, a density-based MIA model that aims to infer membership by targeting local overfitting of the generative model.
- MAPS: A Noise-Robust Progressive Learning Approach for Source-Free Domain Adaptive Keypoint Detection [76.97324120775475] (arXiv, 2023-02-09T12:06:08Z)
  Cross-domain keypoint detection methods always require accessing the source data during adaptation.
  This paper considers source-free domain adaptive keypoint detection, where only the well-trained source model is provided to the target domain.
- RelaxLoss: Defending Membership Inference Attacks without Losing Utility [68.48117818874155] (arXiv, 2022-07-12T19:34:47Z)
  We propose a novel training framework based on a relaxed loss with a more achievable learning target.
  RelaxLoss is applicable to any classification model with added benefits of easy implementation and negligible overhead.
  Our approach consistently outperforms state-of-the-art defense mechanisms in terms of resilience against MIAs.
- Holistic Approach to Measure Sample-level Adversarial Vulnerability and its Utility in Building Trustworthy Systems [17.707594255626216] (arXiv, 2022-05-05T12:36:17Z)
  Adversarial attack perturbs an image with an imperceptible noise, leading to incorrect model prediction.
  We propose a holistic approach for quantifying adversarial vulnerability of a sample by combining different perspectives.
  We demonstrate that by reliably estimating adversarial vulnerability at the sample level, it is possible to develop a trustworthy system.
- Sampling Attacks: Amplification of Membership Inference Attacks by Repeated Queries [74.59376038272661] (arXiv, 2020-09-01T12:54:54Z)
  We introduce sampling attack, a novel membership inference technique that unlike other standard membership adversaries is able to work under severe restriction of no access to scores of the victim model.
  We show that a victim model that only publishes the labels is still susceptible to sampling attacks and the adversary can recover up to 100% of its performance.
  For defense, we choose differential privacy in the form of gradient perturbation during the training of the victim model as well as output perturbation at prediction time.
- Membership Leakage in Label-Only Exposures [10.875144776014533] (arXiv, 2020-07-30T15:27:55Z)
  We propose decision-based membership inference attacks against machine learning models.
  In particular, we develop two types of decision-based attacks, namely transfer attack, and boundary attack.
  We also present new insights on the success of membership inference based on quantitative and qualitative analysis.