Membership Inference Attack Using Self Influence Functions
- URL: http://arxiv.org/abs/2205.13680v1
- Date: Thu, 26 May 2022 23:52:26 GMT
- Title: Membership Inference Attack Using Self Influence Functions
- Authors: Gilad Cohen, Raja Giryes
- Abstract summary: Membership inference (MI) attacks aim to determine if a specific data sample was used to train a machine learning model.
We present a novel white-box MI attack that employs influence functions, or more specifically the samples' self-influence scores, to perform the MI prediction.
Our attack method achieves new state-of-the-art results for both training with and without data augmentations.
- Score: 43.10140199124212
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: Membership inference (MI) attacks aim to determine if a specific data sample was
used to train a machine learning model. Thus, MI is a major privacy threat to
models trained on private sensitive data, such as medical records. In MI
attacks one may consider the black-box settings, where the model's parameters
and activations are hidden from the adversary, or the white-box case where they
are available to the attacker. In this work, we focus on the latter and present
a novel MI attack for it that employs influence functions, or more specifically
the samples' self-influence scores, to perform the MI prediction. We evaluate
our attack on CIFAR-10, CIFAR-100, and Tiny ImageNet datasets, using versatile
architectures such as AlexNet, ResNet, and DenseNet. Our attack method achieves
new state-of-the-art results for both training with and without data
augmentations. Code is available at
https://github.com/giladcohen/sif_mi_attack.
Related papers
- Model Inversion Robustness: Can Transfer Learning Help? [27.883074562565877]
  Model Inversion (MI) attacks aim to reconstruct private training data by abusing access to machine learning models.
  We propose Transfer Learning-based Defense against Model Inversion (TL-DMI) to render MI-robust models.
  Our method achieves state-of-the-art (SOTA) MI robustness without bells and whistles.
  arXiv Detail & Related papers (2024-05-09T07:24:28Z)
- Pandora's White-Box: Precise Training Data Detection and Extraction in Large Language Models [4.081098869497239]
  We develop state-of-the-art privacy attacks against Large Language Models (LLMs).
  New membership inference attacks (MIAs) against pretrained LLMs perform hundreds of times better than baseline attacks.
  In fine-tuning, we find that a simple attack based on the ratio of the loss between the base and fine-tuned models is able to achieve near-perfect MIA performance.
  arXiv Detail & Related papers (2024-02-26T20:41:50Z)
- Mitigating Adversarial Attacks in Federated Learning with Trusted Execution Environments [1.8240624028534085]
  In image-based applications, adversarial examples consist of images slightly perturbed to the human eye getting misclassified by the local model.
  Pelta is a novel shielding mechanism leveraging Trusted Execution Environments (TEEs) that reduce the ability of attackers to craft adversarial samples.
  We show the effectiveness of Pelta in mitigating six white-box state-of-the-art adversarial attacks.
  arXiv Detail & Related papers (2023-09-13T14:19:29Z)
- Membership Inference Attacks against Synthetic Data through Overfitting Detection [84.02632160692995]
  We argue for a realistic MIA setting that assumes the attacker has some knowledge of the underlying data distribution.
  We propose DOMIAS, a density-based MIA model that aims to infer membership by targeting local overfitting of the generative model.
  arXiv Detail & Related papers (2023-02-24T11:27:39Z)
- Pseudo Label-Guided Model Inversion Attack via Conditional Generative Adversarial Network [102.21368201494909]
  Model inversion (MI) attacks have raised increasing concerns about privacy.
  Recent MI attacks leverage a generative adversarial network (GAN) as an image prior to narrow the search space.
  We propose Pseudo Label-Guided MI (PLG-MI) attack via conditional GAN (cGAN).
  arXiv Detail & Related papers (2023-02-20T07:29:34Z)
- RelaxLoss: Defending Membership Inference Attacks without Losing Utility [68.48117818874155]
  We propose a novel training framework based on a relaxed loss with a more achievable learning target.
  RelaxLoss is applicable to any classification model with added benefits of easy implementation and negligible overhead.
  Our approach consistently outperforms state-of-the-art defense mechanisms in terms of resilience against MIAs.
  arXiv Detail & Related papers (2022-07-12T19:34:47Z)
- Knowledge-Enriched Distributional Model Inversion Attacks [49.43828150561947]
  Model inversion (MI) attacks are aimed at reconstructing training data from model parameters.
  We present a novel inversion-specific GAN that can better distill knowledge useful for performing attacks on private models from public data.
  Our experiments show that the combination of these techniques can significantly boost the success rate of the state-of-the-art MI attacks by 150%.
  arXiv Detail & Related papers (2020-10-08T16:20:48Z)
- How Does Data Augmentation Affect Privacy in Machine Learning? [94.52721115660626]
  We propose new MI attacks to utilize the information of augmented data.
  We establish the optimal membership inference when the model is trained with augmented data.
  arXiv Detail & Related papers (2020-07-21T02:21:10Z)
- On the Difficulty of Membership Inference Attacks [11.172550334631921]
  Recent studies propose membership inference (MI) attacks on deep models.
  Despite their apparent success, these studies only report accuracy, precision, and recall of the positive class (member class).
  We show that the way the MI attack performance has been reported is often misleading because they suffer from a high false positive rate or false alarm rate (FAR) that has not been reported.
  arXiv Detail & Related papers (2020-05-27T23:09:17Z)