How to Combine Membership-Inference Attacks on Multiple Updated Models
- URL: http://arxiv.org/abs/2205.06369v1
- Date: Thu, 12 May 2022 21:14:11 GMT
- Title: How to Combine Membership-Inference Attacks on Multiple Updated Models
- Authors: Matthew Jagielski, Stanley Wu, Alina Oprea, Jonathan Ullman, Roxana Geambasu
- Abstract summary: This paper proposes new attacks that take advantage of one or more model updates to improve membership inference (MI).
A key part of our approach is to leverage rich information from standalone MI attacks mounted separately against the original and updated models.
Our results on four public datasets show that our attacks are effective at using update information to give the adversary a significant advantage over attacks on standalone models.
- Score: 14.281721121930035
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: A large body of research has shown that machine learning models are
vulnerable to membership inference (MI) attacks that violate the privacy of the
participants in the training data. Most MI research focuses on the case of a
single standalone model, while production machine-learning platforms often
update models over time, on data that often shifts in distribution, giving the
attacker more information. This paper proposes new attacks that take advantage
of one or more model updates to improve MI. A key part of our approach is to
leverage rich information from standalone MI attacks mounted separately against
the original and updated models, and to combine this information in specific
ways to improve attack effectiveness. We propose a set of combination functions
and tuning methods for each, and present both analytical and quantitative
justification for various options. Our results on four public datasets show
that our attacks are effective at using update information to give the
adversary a significant advantage over attacks on standalone models, but also
compared to a prior MI attack that takes advantage of model updates in a
related machine-unlearning setting. We perform the first measurements of the
impact of distribution shift on MI attacks with model updates, and show that a
more drastic distribution shift results in significantly higher MI risk than a
gradual shift. Our code is available at
https://www.github.com/stanleykywu/model-updates.
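The pipeline the abstract describes, reduced to a runnable toy, is given below as an added illustration; it is not the authors' code from the linked repository. Assumptions made here, not stated by the paper: the target is a logistic-regression classifier trained in pure Python on constructed Gaussian data; the standalone MI score is the negative per-example loss; the update is a warm-started retraining on the original data plus new data; the `shift` parameter adds a mean offset to the update data to mimic distribution shift; and the three combination functions (`sum`, `max`, `diff`) are illustrative stand-ins, not the paper's definitions or tuning methods. Attack success is measured as the AUC of member versus non-member scores.

```python
"""Toy membership inference against an original and an updated model.

Added example, not the paper's code. Assumptions (not from the paper):
pure-Python logistic regression, negative cross-entropy as the standalone
MI score, warm-started update, illustrative combination functions, and
constructed Gaussian sample data."""
import math
import random

DIM = 8  # features per example; high relative to the training-set size so the model overfits


def sigmoid(z):
    # Numerically safe logistic function.
    if z >= 0:
        return 1.0 / (1.0 + math.exp(-z))
    ez = math.exp(z)
    return ez / (1.0 + ez)


def make_data(n, rng, shift=0.0):
    """Constructed data: DIM Gaussian features, label from the first two coordinates plus noise.
    `shift` offsets every feature mean, a crude stand-in for distribution shift in the update data."""
    data = []
    for _ in range(n):
        x = [rng.gauss(shift, 1.0) for _ in range(DIM)]
        y = 1 if x[0] + x[1] + rng.gauss(0.0, 0.8) > 0 else 0
        data.append((x, y))
    return data


def train(data, w=None, steps=1500, lr=0.5):
    """Full-batch gradient descent for logistic regression; w[0] is the bias.
    Warm-starts from `w` when given (assumption: that is how the update is performed)."""
    w = list(w) if w is not None else [0.0] * (DIM + 1)
    n = len(data)
    for _ in range(steps):
        grad = [0.0] * (DIM + 1)
        for x, y in data:
            err = sigmoid(w[0] + sum(wi * xi for wi, xi in zip(w[1:], x))) - y
            grad[0] += err
            for i, xi in enumerate(x):
                grad[i + 1] += err * xi
        for i in range(DIM + 1):
            w[i] -= lr * grad[i] / n
    return w


def loss(w, x, y):
    # Per-example cross-entropy, clamped away from log(0).
    p = sigmoid(w[0] + sum(wi * xi for wi, xi in zip(w[1:], x)))
    p = min(max(p, 1e-12), 1.0 - 1e-12)
    return -(y * math.log(p) + (1 - y) * math.log(1.0 - p))


def mi_score(w, example):
    """Standalone loss-based MI score: lower loss means more likely a member."""
    x, y = example
    return -loss(w, x, y)


def combine(score_orig, score_upd, how):
    """Illustrative combination functions (assumption: not the paper's exact definitions)."""
    if how == "sum":
        return score_orig + score_upd
    if how == "max":
        return max(score_orig, score_upd)
    if how == "diff":
        return score_upd - score_orig
    raise ValueError(how)


def auc(pos, neg):
    """Probability that a random member score exceeds a random non-member score (ties count 0.5)."""
    wins = 0.0
    for p in pos:
        for q in neg:
            wins += 1.0 if p > q else 0.5 if p == q else 0.0
    return wins / (len(pos) * len(neg))


def run_experiment(seed=0, shift=0.0):
    """AUC of standalone and combined attacks at telling original-training members from non-members."""
    rng = random.Random(seed)
    d0 = make_data(16, rng)               # original training set: members of both models
    d1 = make_data(16, rng, shift=shift)  # update data, possibly shifted
    non = make_data(64, rng)              # never trained on
    w_orig = train(d0)
    w_upd = train(d0 + d1, w=w_orig)
    s_orig = lambda ex: mi_score(w_orig, ex)
    s_upd = lambda ex: mi_score(w_upd, ex)
    results = {
        "standalone_orig": auc([s_orig(e) for e in d0], [s_orig(e) for e in non]),
        "standalone_upd": auc([s_upd(e) for e in d0], [s_upd(e) for e in non]),
    }
    for how in ("sum", "max", "diff"):
        results["combined_" + how] = auc(
            [combine(s_orig(e), s_upd(e), how) for e in d0],
            [combine(s_orig(e), s_upd(e), how) for e in non])
    return results


if __name__ == "__main__":
    for shift in (0.0, 2.0):
        print(f"shift={shift}:", {k: round(v, 3) for k, v in run_experiment(shift=shift).items()})
```

The attacker here has no access to weights beyond what is needed to compute a loss, so `mi_score` stands in for any black-box confidence query. Which combination wins, and by how much under `shift=2.0` versus `shift=0.0`, depends on the seed and the data; the paper's systematic comparison of combination functions and tuning methods across four datasets is what this toy does not reproduce.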
Related papers
- Privacy Backdoors: Enhancing Membership Inference through Poisoning Pre-trained Models [112.48136829374741]
In this paper, we unveil a new vulnerability: the privacy backdoor attack.
When a victim fine-tunes a backdoored model, their training data will be leaked at a significantly higher rate than if they had fine-tuned a typical model.
Our findings highlight a critical privacy concern within the machine learning community and call for a reevaluation of safety protocols in the use of open-source pre-trained models.
arXiv Detail & Related papers (2024-04-01T16:50:54Z)
- Practical Membership Inference Attacks Against Large-Scale Multi-Modal Models: A Pilot Study [17.421886085918608]
Membership inference attacks (MIAs) aim to infer whether a data point has been used to train a machine learning model.
These attacks can be employed to identify potential privacy vulnerabilities and detect unauthorized use of personal data.
This paper takes a first step towards developing practical MIAs against large-scale multi-modal models.
arXiv Detail & Related papers (2023-09-29T19:38:40Z)
- Information Leakage from Data Updates in Machine Learning Models [12.337195143722342]
We consider the setting where machine learning models are retrained on updated datasets in order to incorporate the most up-to-date information or reflect distribution shifts.
Here, the adversary has access to snapshots of the machine learning model before and after the change in the dataset occurs.
We propose attacks based on the difference in the prediction confidence of the original model and the updated model.
arXiv Detail & Related papers (2023-09-20T02:55:03Z)
- RelaxLoss: Defending Membership Inference Attacks without Losing Utility [68.48117818874155]
We propose a novel training framework based on a relaxed loss with a more achievable learning target.
RelaxLoss is applicable to any classification model with added benefits of easy implementation and negligible overhead.
Our approach consistently outperforms state-of-the-art defense mechanisms in terms of resilience against MIAs.
arXiv Detail & Related papers (2022-07-12T19:34:47Z)
- Delving into Data: Effectively Substitute Training for Black-box Attack [84.85798059317963]
We propose a novel perspective substitute training that focuses on designing the distribution of data used in the knowledge stealing process.
The combination of these two modules can further boost the consistency of the substitute model and target model, which greatly improves the effectiveness of adversarial attack.
arXiv Detail & Related papers (2021-04-26T07:26:29Z)
- ML-Doctor: Holistic Risk Assessment of Inference Attacks Against Machine Learning Models [64.03398193325572]
Inference attacks against Machine Learning (ML) models allow adversaries to learn about training data, model parameters, etc.
We concentrate on four attacks - namely, membership inference, model inversion, attribute inference, and model stealing.
Our analysis relies on a modular re-usable software, ML-Doctor, which enables ML model owners to assess the risks of deploying their models.
arXiv Detail & Related papers (2021-02-04T11:35:13Z)
- Knowledge-Enriched Distributional Model Inversion Attacks [49.43828150561947]
Model inversion (MI) attacks are aimed at reconstructing training data from model parameters.
We present a novel inversion-specific GAN that can better distill knowledge useful for performing attacks on private models from public data.
Our experiments show that the combination of these techniques can significantly boost the success rate of the state-of-the-art MI attacks by 150%.
arXiv Detail & Related papers (2020-10-08T16:20:48Z)
- Improving Robustness to Model Inversion Attacks via Mutual Information Regularization [12.079281416410227]
This paper studies defense mechanisms against model inversion (MI) attacks.
MI is a type of privacy attack aimed at inferring information about the training data distribution given access to a target machine learning model.
We propose the Mutual Information Regularization based Defense (MID) against MI attacks.
arXiv Detail & Related papers (2020-09-11T06:02:44Z)
- How Does Data Augmentation Affect Privacy in Machine Learning? [94.52721115660626]
We propose new MI attacks to utilize the information of augmented data.
We establish the optimal membership inference when the model is trained with augmented data.
arXiv Detail & Related papers (2020-07-21T02:21:10Z)
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of its content (including all information) and is not responsible for any consequences.