Can Membership Inferencing be Refuted?
- URL: http://arxiv.org/abs/2303.03648v2
- Date: Wed, 8 Mar 2023 03:54:29 GMT
- Title: Can Membership Inferencing be Refuted?
- Authors: Zhifeng Kong, Amrita Roy Chowdhury, Kamalika Chaudhuri
- Abstract summary: We study the reliability of membership inference attacks in practice.
We show that a model owner can plausibly refute the result of a membership inference test on a data point $x$ by constructing a proof of repudiation.
Our results call for a re-evaluation of the implications of membership inference attacks in practice.
- Score: 31.31060116447964
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: The membership inference (MI) attack is currently the most popular test for
measuring privacy leakage in machine learning models. Given a machine learning
model, a data point and some auxiliary information, the goal of an MI attack is
to determine whether the data point was used to train the model. In this work,
we study the reliability of membership inference attacks in practice.
Specifically, we show that a model owner can plausibly refute the result of a
membership inference test on a data point $x$ by constructing a proof of
repudiation that proves that the model was trained without $x$. We design
efficient algorithms to construct proofs of repudiation for all data points of
the training dataset. Our empirical evaluation demonstrates the practical
feasibility of our algorithm by constructing proofs of repudiation for popular
machine learning models on MNIST and CIFAR-10. Consequently, our results call
for a re-evaluation of the implications of membership inference attacks in
practice.
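For concreteness, here is a minimal sketch of one standard MI test, the loss-threshold test: a point is flagged as a training member when the model's loss on it falls below a calibrated threshold. The model, data point, and threshold below are hypothetical placeholders, and a positive result from this kind of test is exactly what the paper argues a model owner could plausibly refute with a proof of repudiation.

```python
import torch
import torch.nn.functional as F

def mi_loss_threshold_test(model, x, y, threshold):
    """Flag (x, y) as a suspected training member when the model's cross-entropy
    loss on it is below a calibrated threshold. This is the classic loss-threshold
    MI test; in practice the threshold is calibrated on shadow models or held-out data."""
    model.eval()
    with torch.no_grad():
        logits = model(x.unsqueeze(0))                  # shape: (1, num_classes)
        loss = F.cross_entropy(logits, y.unsqueeze(0))  # loss on the single point
    return loss.item() < threshold                      # True => "member" according to the test

# Hypothetical usage: a small classifier and a random "data point".
model = torch.nn.Sequential(torch.nn.Flatten(), torch.nn.Linear(28 * 28, 10))
x, y = torch.randn(1, 28, 28), torch.tensor(3)
print(mi_loss_threshold_test(model, x, y, threshold=1.5))
```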
Related papers
- Membership Inference Attacks Cannot Prove that a Model Was Trained On Your Data [27.18781946018255]
Training data proofs play a key role in recent lawsuits against foundation models trained on web-scale data.
Many prior works suggest instantiating training data proofs using membership inference attacks; we argue that this approach is unsound.
Instead, we show that data extraction attacks and membership inference on special canary data can be used to create sound training data proofs.
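A rough sketch of the canary idea, under assumptions of this summary rather than the paper's exact protocol: the data creator plants random canaries before publication and later compares the model's loss on published canaries against held-out canaries from the same distribution, using a permutation test to quantify how surprising the gap would be if the canaries were never trained on.

```python
import numpy as np

def canary_membership_proof(loss_on_published, loss_on_heldout, num_trials=10_000, seed=0):
    """Hypothetical sketch: compare the model's losses on canaries that were published
    with the data against losses on held-out canaries from the same distribution.
    A permutation test estimates how surprising the observed gap would be if the
    model had never seen the published canaries (small p-value => evidence of training)."""
    rng = np.random.default_rng(seed)
    observed_gap = np.mean(loss_on_heldout) - np.mean(loss_on_published)
    pooled = np.concatenate([loss_on_published, loss_on_heldout])
    n = len(loss_on_published)
    count = 0
    for _ in range(num_trials):
        rng.shuffle(pooled)
        gap = np.mean(pooled[n:]) - np.mean(pooled[:n])
        count += gap >= observed_gap
    return count / num_trials

# Illustrative numbers only: published canaries are memorized (low loss), held-out ones are not.
print(canary_membership_proof(np.random.normal(0.2, 0.1, 50), np.random.normal(2.0, 0.3, 50)))
```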
arXiv Detail & Related papers (2024-09-29T21:49:32Z)
- Blind Baselines Beat Membership Inference Attacks for Foundation Models [24.010279957557252]
Membership inference (MI) attacks try to determine if a data sample was used to train a machine learning model.
For foundation models trained on unknown Web data, MI attacks can be used to detect copyrighted training materials, measure test set contamination, or audit machine unlearning.
We show that evaluations of MI attacks for foundation models are flawed, because they sample members and non-members from different distributions.
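A hedged illustration of that flaw: when members and non-members are sampled from different distributions, a "blind" classifier that never queries the model can already separate them. The date-based feature below is a hypothetical example of such a distribution artifact, not the paper's specific baseline.

```python
from datetime import date

def blind_baseline_is_member(sample):
    """'Blind' membership guess that never queries the target model: it only exploits
    a distribution artifact, here a hypothetical training-data collection cutoff.
    If such a baseline already scores well, the MI evaluation is measuring the
    member/non-member distribution gap rather than leakage from the model."""
    cutoff = date(2023, 1, 1)  # assumed data-collection cutoff, purely illustrative
    return sample["crawl_date"] < cutoff

# Members were crawled before the cutoff, non-members after: the blind baseline is
# perfect on this synthetic evaluation even though no model was ever queried.
members = [{"crawl_date": date(2022, 6, 1)}, {"crawl_date": date(2021, 3, 9)}]
non_members = [{"crawl_date": date(2024, 2, 2)}]
print(all(blind_baseline_is_member(s) for s in members),
      not any(blind_baseline_is_member(s) for s in non_members))
```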
arXiv Detail & Related papers (2024-06-23T19:40:11Z)
- Assessing Privacy Risks in Language Models: A Case Study on Summarization Tasks [65.21536453075275]
We focus on the summarization task and investigate the membership inference (MI) attack.
We exploit text similarity and the model's resistance to document modifications as potential MI signals.
We discuss several safeguards for training summarization models to protect against MI attacks and discuss the inherent trade-off between privacy and utility.
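As a rough sketch of the text-similarity signal (the scoring function, helper names, and threshold are assumptions, not the paper's exact attack): compare the model's generated summary against the document's reference summary and treat unusually high similarity as a membership signal.

```python
from difflib import SequenceMatcher

def similarity_mi_signal(generate_summary, document, reference_summary, threshold=0.6):
    """Hypothetical sketch of a similarity-based MI signal for summarization:
    if the model's output for a document is unusually close to that document's
    reference summary, the pair is flagged as a likely training member.
    `generate_summary` is an assumed callable wrapping the target model."""
    generated = generate_summary(document)
    score = SequenceMatcher(None, generated.lower(), reference_summary.lower()).ratio()
    return score, score > threshold

# Toy stand-in for a summarization model that has memorized its training target.
memorizing_model = lambda doc: "storm closes coastal roads for two days"
print(similarity_mi_signal(memorizing_model,
                           "A storm forced the closure of coastal roads ...",
                           "Storm closes coastal roads for two days"))
```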
arXiv Detail & Related papers (2023-10-20T05:44:39Z)
- Canary in a Coalmine: Better Membership Inference with Ensembled Adversarial Queries [53.222218035435006]
We use adversarial tools to optimize for queries that are discriminative and diverse.
Our improvements achieve significantly more accurate membership inference than existing methods.
arXiv Detail & Related papers (2022-10-19T17:46:50Z)
- Verifiable and Provably Secure Machine Unlearning [37.353982787321385]
Machine unlearning aims to remove the influence of specific training points from a machine learning model after training.
We present the first cryptographic definition of verifiable unlearning to capture the guarantees of a machine unlearning system.
We implement the protocol for three different unlearning techniques to validate its feasibility for linear regression, logistic regression, and neural networks.
arXiv Detail & Related papers (2022-10-17T14:19:52Z)
- RelaxLoss: Defending Membership Inference Attacks without Losing Utility [68.48117818874155]
We propose a novel training framework based on a relaxed loss with a more achievable learning target.
RelaxLoss is applicable to any classification model with added benefits of easy implementation and negligible overhead.
Our approach consistently outperforms state-of-the-art defense mechanisms in terms of resilience against MIAs.
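A minimal sketch of the "more achievable learning target" idea: instead of driving the training loss to zero (which widens the member/non-member loss gap that MI attacks exploit), training stops descending once the loss falls below a floor alpha. This simplified variant and the alpha value are assumptions and omit other components of the actual method.

```python
import torch
import torch.nn.functional as F

def relaxed_loss_step(model, optimizer, x, y, alpha=0.5):
    """Simplified sketch of training toward a relaxed target: the step performs
    ordinary gradient descent while the batch loss is above the floor `alpha`,
    and ascends when the loss is already below it, so members are not fit
    arbitrarily well. The floor and this exact rule are illustrative only."""
    optimizer.zero_grad()
    loss = F.cross_entropy(model(x), y)
    objective = loss if loss.item() >= alpha else -loss  # descend above the floor, ascend below it
    objective.backward()
    optimizer.step()
    return loss.item()

# Hypothetical usage with a tiny classifier and random data.
model = torch.nn.Linear(20, 5)
opt = torch.optim.SGD(model.parameters(), lr=0.1)
x, y = torch.randn(32, 20), torch.randint(0, 5, (32,))
print(relaxed_loss_step(model, opt, x, y))
```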
arXiv Detail & Related papers (2022-07-12T19:34:47Z)
- Truth Serum: Poisoning Machine Learning Models to Reveal Their Secrets [53.866927712193416]
We show that an adversary who can poison a training dataset can cause models trained on this dataset to leak private details belonging to other parties.
Our attacks are effective across membership inference, attribute inference, and data extraction.
Our results cast doubts on the relevance of cryptographic privacy guarantees in multiparty protocols for machine learning.
arXiv Detail & Related papers (2022-03-31T18:06:28Z)
- Explain, Edit, and Understand: Rethinking User Study Design for Evaluating Model Explanations [97.91630330328815]
We conduct a crowdsourcing study, where participants interact with deception detection models that have been trained to distinguish between genuine and fake hotel reviews.
We observe that for a linear bag-of-words model, participants with access to the feature coefficients during training are able to cause a larger reduction in model confidence in the testing phase when compared to the no-explanation control.
arXiv Detail & Related papers (2021-12-17T18:29:56Z)
- Enhanced Membership Inference Attacks against Machine Learning Models [9.26208227402571]
Membership inference attacks are used to quantify the private information that a model leaks about the individual data points in its training set.
We derive new attack algorithms that can achieve a high AUC score while also highlighting the different factors that affect their performance.
Our algorithms capture a very precise approximation of privacy loss in models, and can be used as a tool to perform an accurate and informed estimation of privacy risk in machine learning models.
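One concrete way to read "precise approximation of privacy loss" is calibration against reference models, sketched below under assumed helper names: a point is scored by how anomalous the target model's loss on it is relative to reference models that did not train on it, rather than by an absolute threshold.

```python
import numpy as np

def calibrated_mi_score(target_loss, reference_losses):
    """Hypothetical sketch of a calibrated MI score: compare the target model's
    loss on a point against losses of reference models trained without it.
    A point is suspicious when the target loss is unusually small *for that point*,
    not merely small in absolute terms (which would penalize 'easy' points)."""
    mu, sigma = np.mean(reference_losses), np.std(reference_losses) + 1e-8
    z = (mu - target_loss) / sigma  # large z => target model fits the point abnormally well
    return z

# Illustrative numbers: reference models lose about 2.0 on this point, the target loses 0.1.
print(calibrated_mi_score(0.1, [1.8, 2.1, 2.3, 1.9]))
```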
arXiv Detail & Related papers (2021-11-18T13:31:22Z)
- Sampling Attacks: Amplification of Membership Inference Attacks by Repeated Queries [74.59376038272661]
We introduce the sampling attack, a novel membership inference technique that, unlike standard membership adversaries, works under the severe restriction of having no access to the victim model's scores.
We show that a victim model that publishes only labels is still susceptible to sampling attacks, and that the adversary can recover up to 100% of the attack's performance.
For defense, we choose differential privacy in the form of gradient perturbation during the training of the victim model as well as output perturbation at prediction time.
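A rough sketch of one common label-only recipe consistent with the setting above (the perturbation scale and decision rule are assumptions): repeatedly perturb the point, query only the predicted labels, and use label stability as the membership signal.

```python
import numpy as np

def label_stability_score(predict_label, x, num_samples=100, noise_scale=0.1, seed=0):
    """Label-only MI sketch: query the victim model's *labels* on noisy copies of x
    and measure how often they agree with the label of x itself. Training members
    tend to sit further from the decision boundary, so their labels are more stable.
    `predict_label` is an assumed callable returning only a class label."""
    rng = np.random.default_rng(seed)
    base_label = predict_label(x)
    agree = sum(predict_label(x + rng.normal(0.0, noise_scale, size=x.shape)) == base_label
                for _ in range(num_samples))
    return agree / num_samples  # closer to 1.0 => stronger evidence of membership

# Toy victim: a 1-D threshold classifier; a point far from the boundary scores higher.
victim = lambda v: int(v.sum() > 0.0)
print(label_stability_score(victim, np.array([2.0])), label_stability_score(victim, np.array([0.05])))
```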
arXiv Detail & Related papers (2020-09-01T12:54:54Z)
- Modelling and Quantifying Membership Information Leakage in Machine Learning [14.095523601311374]
We show that complex models, such as deep neural networks, are more susceptible to membership inference attacks.
We show that the amount of membership information leakage is reduced by $\mathcal{O}(\log^{1/2}(\delta^{-1})\,\epsilon^{-1})$ when using Gaussian $(\epsilon,\delta)$-differentially-private additive noises.
arXiv Detail & Related papers (2020-01-29T00:42:08Z)