Privacy Against Inference Attacks in Vertical Federated Learning
- URL: http://arxiv.org/abs/2207.11788v1
- Date: Sun, 24 Jul 2022 18:33:52 GMT
- Title: Privacy Against Inference Attacks in Vertical Federated Learning
- Authors: Borzoo Rassouli, Morteza Varasteh and Deniz Gunduz
- Abstract summary: Vertical federated learning is considered, where an active party, having access to true class labels, wishes to build a classification model by utilizing more features from a passive party.
Several inference attack techniques are proposed that the adversary, i.e., the active party, can employ to reconstruct the passive party's features, regarded as sensitive information.
As a defense mechanism, two privacy-preserving schemes are proposed that worsen the adversary's reconstruction attacks, while preserving the full benefits that VFL brings to the active party.
- Score: 13.234975857626749
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Vertical federated learning is considered, where an active party, having
access to true class labels, wishes to build a classification model by
utilizing more features from a passive party, which has no access to the
labels, to improve the model accuracy. In the prediction phase, with logistic
regression as the classification model, several inference attack techniques are
proposed that the adversary, i.e., the active party, can employ to reconstruct
the passive party's features, regarded as sensitive information. These attacks,
which are mainly based on a classical notion of the center of a set, i.e., the
Chebyshev center, are shown to be superior to those proposed in the literature.
Moreover, several theoretical performance guarantees are provided for the
aforementioned attacks. Subsequently, we consider the minimum amount of
information that the adversary needs to fully reconstruct the passive party's
features. In particular, it is shown that when the passive party holds one
feature, and the adversary is only aware of the signs of the parameters
involved, it can perfectly reconstruct that feature when the number of
predictions is large enough. Next, as a defense mechanism, two
privacy-preserving schemes are proposed that worsen the adversary's
reconstruction attacks, while preserving the full benefits that VFL brings to
the active party. Finally, experimental results demonstrate the effectiveness
of the proposed attacks and the privacy-preserving schemes.
Related papers
- Feature Separation and Recalibration for Adversarial Robustness [18.975320671203132]
We propose a novel, easy-to- verify approach named Feature Separation and Recalibration.
It recalibrates the malicious, non-robust activations for more robust feature maps through Separation and Recalibration.
It improves the robustness of existing adversarial training methods by up to 8.57% with small computational overhead.
arXiv Detail & Related papers (2023-03-24T07:43:57Z) - Privacy Against Agnostic Inference Attack in Vertical Federated Learning [7.1577508803778045]
Two parties collaborate in training a machine learning (ML) model.
One party possesses the ground truth labels of the samples in the training phase.
The other, referred to as the passive party, only shares a separate set of features corresponding to these samples.
arXiv Detail & Related papers (2023-02-10T23:19:30Z) - Purifier: Defending Data Inference Attacks via Transforming Confidence
Scores [27.330482508047428]
We propose a method, namely PURIFIER, to defend against membership inference attacks.
Experiments show that PURIFIER helps defend membership inference attacks with high effectiveness and efficiency.
PURIFIER is also effective in defending adversarial model inversion attacks and attribute inference attacks.
arXiv Detail & Related papers (2022-12-01T16:09:50Z) - Feature Reconstruction Attacks and Countermeasures of DNN training in
Vertical Federated Learning [39.85691324350159]
Federated learning (FL) has increasingly been deployed, in its vertical form, among organizations to facilitate secure collaborative training over siloed data.
Despite the increasing adoption of VFL, it remains largely unknown if and how the active party can extract feature data from the passive party.
This paper makes the first attempt to study the feature security problem of DNN training in VFL.
arXiv Detail & Related papers (2022-10-13T06:23:47Z) - A Unified Evaluation of Textual Backdoor Learning: Frameworks and
Benchmarks [72.7373468905418]
We develop an open-source toolkit OpenBackdoor to foster the implementations and evaluations of textual backdoor learning.
We also propose CUBE, a simple yet strong clustering-based defense baseline.
arXiv Detail & Related papers (2022-06-17T02:29:23Z) - Towards A Conceptually Simple Defensive Approach for Few-shot
classifiers Against Adversarial Support Samples [107.38834819682315]
We study a conceptually simple approach to defend few-shot classifiers against adversarial attacks.
We propose a simple attack-agnostic detection method, using the concept of self-similarity and filtering.
Our evaluation on the miniImagenet (MI) and CUB datasets exhibit good attack detection performance.
arXiv Detail & Related papers (2021-10-24T05:46:03Z) - Learning to Separate Clusters of Adversarial Representations for Robust
Adversarial Detection [50.03939695025513]
We propose a new probabilistic adversarial detector motivated by a recently introduced non-robust feature.
In this paper, we consider the non-robust features as a common property of adversarial examples, and we deduce it is possible to find a cluster in representation space corresponding to the property.
This idea leads us to probability estimate distribution of adversarial representations in a separate cluster, and leverage the distribution for a likelihood based adversarial detector.
arXiv Detail & Related papers (2020-12-07T07:21:18Z) - Sampling Attacks: Amplification of Membership Inference Attacks by
Repeated Queries [74.59376038272661]
We introduce sampling attack, a novel membership inference technique that unlike other standard membership adversaries is able to work under severe restriction of no access to scores of the victim model.
We show that a victim model that only publishes the labels is still susceptible to sampling attacks and the adversary can recover up to 100% of its performance.
For defense, we choose differential privacy in the form of gradient perturbation during the training of the victim model as well as output perturbation at prediction time.
arXiv Detail & Related papers (2020-09-01T12:54:54Z) - Revisiting Membership Inference Under Realistic Assumptions [87.13552321332988]
We study membership inference in settings where some of the assumptions typically used in previous research are relaxed.
This setting is more realistic than the balanced prior setting typically considered by researchers.
We develop a new inference attack based on the intuition that inputs corresponding to training set members will be near a local minimum in the loss function.
arXiv Detail & Related papers (2020-05-21T20:17:42Z) - Reliable evaluation of adversarial robustness with an ensemble of
diverse parameter-free attacks [65.20660287833537]
In this paper we propose two extensions of the PGD-attack overcoming failures due to suboptimal step size and problems of the objective function.
We then combine our novel attacks with two complementary existing ones to form a parameter-free, computationally affordable and user-independent ensemble of attacks to test adversarial robustness.
arXiv Detail & Related papers (2020-03-03T18:15:55Z)
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.