SecretGen: Privacy Recovery on Pre-Trained Models via Distribution Discrimination
- URL: http://arxiv.org/abs/2207.12263v1
- Date: Mon, 25 Jul 2022 15:35:07 GMT
- Title: SecretGen: Privacy Recovery on Pre-Trained Models via Distribution Discrimination
- Authors: Zhuowen Yuan, Fan Wu, Yunhui Long, Chaowei Xiao, Bo Li
- Abstract summary: We propose a novel private data reconstruction framework, SecretGen, to effectively recover private information.
SecretGen does not require prior knowledge about true class prediction.
We show that SecretGen is able to recover private data with similar performance compared with the ones that leverage such prior knowledge.
- Score: 17.916489394284284
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: Transfer learning through the use of pre-trained models has become a growing
trend for the machine learning community. Consequently, numerous pre-trained
models are released online to facilitate further research. However, this raises
extensive concerns about whether these pre-trained models would leak
privacy-sensitive information from their training data. Thus, in this work, we
aim to answer the following questions: "Can we effectively recover private
information from these pre-trained models? What are the sufficient conditions
to retrieve such sensitive information?" We first explore different statistical
information which can discriminate the private training distribution from other
distributions. Based on our observations, we propose a novel private data
reconstruction framework, SecretGen, to effectively recover private
information. Compared with previous methods, which recover private data given
the ground-truth prediction of the targeted recovery instance, SecretGen does
not require such prior knowledge, making it more practical. We conduct
extensive experiments on different datasets under diverse scenarios to compare
SecretGen with other baselines and provide a systematic benchmark to better
understand the impact of different auxiliary information and optimization
operations. We show that without prior knowledge about true class prediction,
SecretGen is able to recover private data with similar performance compared
with the ones that leverage such prior knowledge. If the prior knowledge is
given, SecretGen will significantly outperform baseline methods. We also
propose several quantitative metrics to further quantify the privacy
vulnerability of pre-trained models, which will help the model selection for
privacy-sensitive applications. Our code is available at:
https://github.com/AI-secure/SecretGen.
Related papers
- Curation Leaks: Membership Inference Attacks against Data Curation for Machine Learning [36.4616907441652]
  We show that without further protection, curation pipelines can still leak private information. We demonstrate that each stage reveals information about the private dataset and that even models trained exclusively on curated public data leak membership information about the private data that guided curation.
  arXiv Detail & Related papers (2026-02-28T21:14:01Z)
- Privacy-Preserving Model Transcription with Differentially Private Synthetic Distillation [67.76456940243294]
  Deep learning models trained on private datasets may pose a privacy leakage risk. We present privacy-preserving model transcription, a data-free model-to-model conversion solution.
  arXiv Detail & Related papers (2026-01-27T01:51:35Z)
- Differentially Private Random Feature Model [52.468511541184895]
  We produce a differentially private random feature model for privacy-preserving kernel machines. We show that our method preserves privacy and derive a generalization error bound for the method.
  arXiv Detail & Related papers (2024-12-06T05:31:08Z)
- Pseudo-Probability Unlearning: Towards Efficient and Privacy-Preserving Machine Unlearning [59.29849532966454]
  We propose Pseudo-Probability Unlearning (PPU), a novel method that enables models to forget data in a privacy-preserving manner. Our method achieves over 20% improvements in forgetting error compared to the state-of-the-art.
  arXiv Detail & Related papers (2024-11-04T21:27:06Z)
- Learning Privacy-Preserving Student Networks via Discriminative-Generative Distillation [24.868697898254368]
  Deep models may pose a privacy leakage risk in practical deployment. We propose a discriminative-generative distillation approach to learn privacy-preserving deep models. Our approach can control query cost over private data and accuracy degradation in a unified manner.
  arXiv Detail & Related papers (2024-09-04T03:06:13Z)
- Forget to Flourish: Leveraging Machine-Unlearning on Pretrained Language Models for Privacy Leakage [12.892449128678516]
  Fine-tuning language models on private data for downstream applications poses significant privacy risks. Several popular community platforms now offer convenient distribution of a large variety of pre-trained models. We introduce a novel poisoning technique that uses model-unlearning as an attack tool.
  arXiv Detail & Related papers (2024-08-30T15:35:09Z)
- Privacy Backdoors: Enhancing Membership Inference through Poisoning Pre-trained Models [112.48136829374741]
  In this paper, we unveil a new vulnerability: the privacy backdoor attack. When a victim fine-tunes a backdoored model, their training data will be leaked at a significantly higher rate than if they had fine-tuned a typical model. Our findings highlight a critical privacy concern within the machine learning community and call for a reevaluation of safety protocols in the use of open-source pre-trained models.
  arXiv Detail & Related papers (2024-04-01T16:50:54Z)
- DEPN: Detecting and Editing Privacy Neurons in Pretrained Language Models [46.04803661300974]
  Large language models pretrained on a huge amount of data capture rich knowledge and information in the training data. The ability of data memorization and regurgitation in pretrained language models, revealed in previous studies, brings the risk of data leakage. We propose a framework DEPN to Detect and Edit Privacy Neurons in pretrained language models.
  arXiv Detail & Related papers (2023-10-31T03:09:36Z)
- Fantastic Gains and Where to Find Them: On the Existence and Prospect of General Knowledge Transfer between Any Pretrained Model [74.62272538148245]
  We show that for arbitrary pairings of pretrained models, one model extracts significant data context unavailable in the other. We investigate if it is possible to transfer such "complementary" knowledge from one model to another without performance degradation.
  arXiv Detail & Related papers (2023-10-26T17:59:46Z)
- Approximate, Adapt, Anonymize (3A): a Framework for Privacy Preserving Training Data Release for Machine Learning [3.29354893777827]
  We introduce a data release framework, 3A (Approximate, Adapt, Anonymize), to maximize data utility for machine learning. We present experimental evidence showing minimal discrepancy between performance metrics of models trained on real versus privatized datasets.
  arXiv Detail & Related papers (2023-07-04T18:37:11Z)
- Differentially Private Synthetic Data Generation via Lipschitz-Regularised Variational Autoencoders [3.7463972693041274]
  It is often overlooked that generative models are prone to memorising many details of individual training records. In this paper we explore an alternative approach for privately generating data that makes direct use of the inherentity in generative models.
  arXiv Detail & Related papers (2023-04-22T07:24:56Z)
- Position: Considerations for Differentially Private Learning with Large-Scale Public Pretraining [75.25943383604266]
  We question whether the use of large Web-scraped datasets should be viewed as differential-privacy-preserving. We caution that publicizing these models pretrained on Web data as "private" could lead to harm and erode the public's trust in differential privacy as a meaningful definition of privacy. We conclude by discussing potential paths forward for the field of private learning, as public pretraining becomes more popular and powerful.
  arXiv Detail & Related papers (2022-12-13T10:41:12Z)
- Knowledge-Enriched Distributional Model Inversion Attacks [49.43828150561947]
  Model inversion (MI) attacks are aimed at reconstructing training data from model parameters. We present a novel inversion-specific GAN that can better distill knowledge useful for performing attacks on private models from public data. Our experiments show that the combination of these techniques can significantly boost the success rate of the state-of-the-art MI attacks by 150%.
  arXiv Detail & Related papers (2020-10-08T16:20:48Z)
- TIPRDC: Task-Independent Privacy-Respecting Data Crowdsourcing Framework for Deep Learning with Anonymized Intermediate Representations [49.20701800683092]
  We present TIPRDC, a task-independent privacy-respecting data crowdsourcing framework with anonymized intermediate representation. The goal of this framework is to learn a feature extractor that can hide the privacy information from the intermediate representations, while maximally retaining the original information embedded in the raw data for the data collector to accomplish unknown learning tasks.
  arXiv Detail & Related papers (2020-05-23T06:21:26Z)
This list is automatically generated from the titles and abstracts of the papers in this site.